From: Mark J. Cox Date: Wed, 19 Oct 2005 08:16:37 +0000 (+0000) Subject: Today a one-time change happens to all CAN- names as they are X-Git-Tag: 2.1.9~30 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b341cc61e721ce72b9158ef430bc9630f9c88641;p=thirdparty%2Fapache%2Fhttpd.git Today a one-time change happens to all CAN- names as they are renamed to CVE-. Make this change to our changelog git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@326456 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 80a921114d5..037f038c884 100644 --- a/CHANGES +++ b/CHANGES @@ -45,7 +45,7 @@ Changes with Apache 2.1.9 *) mod_proxy_balancer: mod_proxy_balancer does not handle sticky sessions with tomcat correctly. PR36507. [Ruediger Pluem] - *) SECURITY: CAN-2005-2970 (cve.mitre.org) + *) SECURITY: CVE-2005-2970 (cve.mitre.org) worker MPM: Fix a memory leak which can occur after an aborted connection in some limited circumstances. [Greg Ames] @@ -78,7 +78,7 @@ Changes with Apache 2.1.8 listening ports upon graceful restart or stop. PR 28167. [Colm MacCarthaigh, Brian Pinkerton ] - *) SECURITY: CAN-2005-2700 (cve.mitre.org) + *) SECURITY: CVE-2005-2700 (cve.mitre.org) mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration. [Joe Orton] @@ -111,7 +111,7 @@ Changes with Apache 2.1.8 Changes with Apache 2.1.7 - *) SECURITY: CAN-2005-2491 (cve.mitre.org): + *) SECURITY: CVE-2005-2491 (cve.mitre.org): Fix integer overflows in PCRE in quantifier parsing which could be triggered by a local user through use of a carefully-crafted regex in an .htaccess file. [Philip Hazel] @@ -897,7 +897,7 @@ Changes with Apache 2.0.56 Changes with Apache 2.0.55 - *) SECURITY: CAN-2005-2088 (cve.mitre.org) + *) SECURITY: CVE-2005-2088 (cve.mitre.org) proxy: Correctly handle the Transfer-Encoding and Content-Length headers. Discard the request Content-Length whenever T-E: chunked is used, always passing one of either C-L or T-E: chunked whenever @@ -935,7 +935,7 @@ Changes with Apache 2.0.55 (or if it didn't succeed) for non-authoritative cases. [Jim Jagielski] - *) SECURITY: CAN-2005-2728 (cve.mitre.org) + *) SECURITY: CVE-2005-2728 (cve.mitre.org) Fix cases where the byterange filter would buffer responses into memory. PR 29962. [Joe Orton] @@ -953,7 +953,7 @@ Changes with Apache 2.0.55 *) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe] - *) SECURITY: CAN-2005-2088 (cve.mitre.org) + *) SECURITY: CVE-2005-2088 (cve.mitre.org) core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. [Paul Querna, Joe Orton] @@ -966,7 +966,7 @@ Changes with Apache 2.0.55 *) Prevent hangs of child processes when writing to piped loggers at the time of graceful restart. PR 26467. [Jeff Trawick] - *) SECURITY: CAN-2005-1268 (cve.mitre.org) + *) SECURITY: CVE-2005-1268 (cve.mitre.org) mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL. PR 35081. [Marc Stern ] @@ -1006,7 +1006,7 @@ Changes with Apache 2.0.54 slow to exit. [Joe Orton, Jeff Trawick] *) Remove formatting characters from ap_log_error() calls. These - were escaped as fallout from CAN-2003-0020. + were escaped as fallout from CVE-2003-0020. [Eric Covener ] *) mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418. @@ -1095,11 +1095,11 @@ Changes with Apache 2.0.53 specified matches the value of the user object. PR 31913 [Ryan Morgan ] - *) SECURITY: CAN-2004-0942 (cve.mitre.org) + *) SECURITY: CVE-2004-0942 (cve.mitre.org) Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton] - *) SECURITY: CAN-2004-0885 (cve.mitre.org) + *) SECURITY: CVE-2004-0885 (cve.mitre.org) mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be bypassed during an SSL renegotiation. PR 31505. [Hartmut Keil , Joe Orton] @@ -1141,7 +1141,7 @@ Changes with Apache 2.0.53 is causing a potential problem with the LDAP shared memory cache. PR 31431 [Graham Leggett] - *) SECURITY: CAN-2004-1834 (cve.mitre.org) + *) SECURITY: CVE-2004-1834 (cve.mitre.org) mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz] *) Fix the re-linking issue when purging elements from the LDAP cache @@ -1164,7 +1164,7 @@ Changes with Apache 2.0.52 *) Fix a segfault in the LDAP cache when it is configured switched off. [Jess Holle ] - *) SECURITY: CAN-2004-0811 (cve.mitre.org) + *) SECURITY: CVE-2004-0811 (cve.mitre.org) Fix merging of the Satisfy directive, which was applied to the surrounding context and could allow access despite configured authentication. PR 31315. [Rici Lake ] @@ -1186,15 +1186,15 @@ Changes with Apache 2.0.52 Changes with Apache 2.0.51 - *) SECURITY: CAN-2004-0786 (cve.mitre.org) + *) SECURITY: CVE-2004-0786 (cve.mitre.org) Fix an input validation issue in apr-util which could be triggered by malformed IPv6 literal addresses. [Joe Orton] - *) SECURITY: CAN-2004-0747 (cve.mitre.org) + *) SECURITY: CVE-2004-0747 (cve.mitre.org) Fix buffer overflow in expansion of environment variables in configuration file parsing. [André Malo] - *) SECURITY: CAN-2004-0809 (cve.mitre.org) + *) SECURITY: CVE-2004-0809 (cve.mitre.org) mod_dav_fs: Fix a segfault in the handling of an indirect lock refresh. PR 31183. [Joe Orton] @@ -1216,7 +1216,7 @@ Changes with Apache 2.0.51 server shutdown on these code paths. [Bill Stoddard] - *) SECURITY: CAN-2004-0751 (cve.mitre.org) + *) SECURITY: CVE-2004-0751 (cve.mitre.org) mod_ssl: Fix a segfault in the SSL input filter which could be triggered if using "speculative" mode, for instance by a proxy request to an SSL server. PR 30134. [Joe Orton] @@ -1269,7 +1269,7 @@ Changes with Apache 2.0.51 *) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz] - *) SECURITY: CAN-2004-0748 (cve.mitre.org) + *) SECURITY: CVE-2004-0748 (cve.mitre.org) mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton] *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb. @@ -1357,7 +1357,7 @@ Changes with Apache 2.0.51 Changes with Apache 2.0.50 - *) SECURITY: CAN-2004-0493 (cve.mitre.org) + *) SECURITY: CVE-2004-0493 (cve.mitre.org) Close a denial of service vulnerability identified by Georgi Guninski which could lead to memory exhaustion with certain input data. [Jeff Trawick] @@ -1387,7 +1387,7 @@ Changes with Apache 2.0.50 *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved against ServerRoot PR#26602 [Brad Nicholes] - *) SECURITY: CAN-2004-0488 (cve.mitre.org) + *) SECURITY: CVE-2004-0488 (cve.mitre.org) mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a (trusted) client certificate subject DN which exceeds 6K in length. [Joe Orton] @@ -1534,7 +1534,7 @@ Changes with Apache 2.0.50 Changes with Apache 2.0.49 - *) SECURITY: CAN-2004-0174 (cve.mitre.org) + *) SECURITY: CVE-2004-0174 (cve.mitre.org) Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until @@ -1818,12 +1818,12 @@ Changes with Apache 2.0.49 Changes with Apache 2.0.48 - *) SECURITY: CAN-2003-0789 (cve.mitre.org) + *) SECURITY: CVE-2003-0789 (cve.mitre.org) mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick] - *) SECURITY: CAN-2003-0542 (cve.mitre.org) + *) SECURITY: CVE-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [André Malo] @@ -1977,19 +1977,19 @@ Changes with Apache 2.0.48 Changes with Apache 2.0.47 - *) SECURITY: CAN-2003-0192 (cve.mitre.org) + *) SECURITY: CVE-2003-0192 (cve.mitre.org) Fixed a bug whereby certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [Ben Laurie] - *) SECURITY: CAN-2003-0253 (cve.mitre.org) + *) SECURITY: CVE-2003-0253 (cve.mitre.org) Fixed a bug in prefork MPM causing temporary denial of service when accept() on a rarely accessed port returns certain errors. Reported by Saheed Akhtar . [Jeff Trawick] - *) SECURITY: CAN-2003-0254 (cve.mitre.org) + *) SECURITY: CVE-2003-0254 (cve.mitre.org) Fixed a bug in ftp proxy causing denial of service when target host is IPv6 but proxy server can't create IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo ] @@ -2024,13 +2024,13 @@ Changes with Apache 2.0.47 Changes with Apache 2.0.46 - *) SECURITY: CAN-2003-0245 (cve.mitre.org) + *) SECURITY: CVE-2003-0245 (cve.mitre.org) Fixed a bug causing apr_pvsprintf() to crash by sending an overly long string. This can be triggered remotely through mod_dav, mod_ssl, and other mechanisms. Reported by David Endler . [Joe Orton] - *) SECURITY: CAN-2003-0189 (cve.mitre.org) + *) SECURITY: CVE-2003-0189 (cve.mitre.org) Fixed a denial-of-service vulnerability affecting basic authentication on Unix platforms related to thread-safety in apr_password_validate(). @@ -2162,13 +2162,13 @@ Changes with Apache 2.0.46 *) Fixed a segfault when multiple ProxyBlock directives were used. PR: 19023 [Sami Tikka ] - *) SECURITY: CAN-2003-0134 (cve.mitre.org) + *) SECURITY: CVE-2003-0134 (cve.mitre.org) OS2: Fix a Denial of Service vulnerability identified and reported by Robert Howard that where device names faulted the running OS2 worker process. The fix is actually in APR 0.9.4. [Brian Havard] - *) SECURITY: CAN-2003-0083 (cve.mitre.org) + *) SECURITY: CVE-2003-0083 (cve.mitre.org) Forward port: Escape special characters (especially control characters) in mod_log_config to make a clear distinction between client-supplied strings (with special characters) and server-side @@ -2185,7 +2185,7 @@ Changes with Apache 2.0.45 *) Fix possible segfaults under obscure error conditions within the cgid daemon. [Jeff Trawick, William Rowe] - *) SECURITY: CAN-2003-0132 (cve.mitre.org) + *) SECURITY: CVE-2003-0132 (cve.mitre.org) Close a Denial of Service vulnerability identified by David Endler on all platforms. An unlimited stream of newlines were acceptable between requests where each @@ -2692,7 +2692,7 @@ Changes with Apache 2.0.43 Changes with Apache 2.0.42 - *) SECURITY: CAN-2002-1593 (cve.mitre.org) [CERT VU#406121] + *) SECURITY: CVE-2002-1593 (cve.mitre.org) [CERT VU#406121] mod_dav: Check for versioning hooks before using them. [Greg Stein] @@ -2836,7 +2836,7 @@ Changes with Apache 2.0.41 Changes with Apache 2.0.40 - *) SECURITY: CAN-2002-0661 (cve.mitre.org) + *) SECURITY: CVE-2002-0661 (cve.mitre.org) Close a very significant security hole that applies only to the Win32, OS2 and Netware platforms. Unix was not affected, Cygwin may be affected. Certain URIs will bypass security @@ -2848,7 +2848,7 @@ Changes with Apache 2.0.40 Reported by Auriemma Luigi . [Brad Nicholes] - *) SECURITY: CAN-2002-0654 (cve.mitre.org) + *) SECURITY: CVE-2002-0654 (cve.mitre.org) Close a path-revealing exposure in multiview type map negotiation (such as the default error documents) where the module would report the full path of the typemapped .var file when @@ -2856,7 +2856,7 @@ Changes with Apache 2.0.40 negotiation. Reported by Auriemma Luigi . [William Rowe] - *) SECURITY: CAN-2002-0654 (cve.mitre.org) + *) SECURITY: CVE-2002-0654 (cve.mitre.org) Close a path-revealing exposure in cgi/cgid when we fail to invoke a script. The modules would report "couldn't create child process /path-to-script/script.pl" revealing the full path @@ -3420,7 +3420,7 @@ Changes with Apache 2.0.36 *) Fix AcceptPathInfo. PR 8234 [Cliff Woolley] - *) SECURITY: CAN-2002-1592 (cve.mitre.org) [CERT VU#165803] + *) SECURITY: CVE-2002-1592 (cve.mitre.org) [CERT VU#165803] Added the APLOG_TOCLIENT flag to ap_log_rerror() to explicitly tell the server that warning messages should be sent to the client in addition to being recorded in the error log. @@ -7207,7 +7207,7 @@ Changes with Apache 2.0a5 container is VirtualHost or Directory or whatever. [Jeff Trawick] - *) SECURITY: CAN-2000-1204 (cve.mitre.org) + *) SECURITY: CVE-2000-1204 (cve.mitre.org) Prevent the source code for CGIs from being revealed when using mod_vhost_alias and the CGI directory is under the document root and a user makes a request like http://www.example.com//cgi-bin/cgi