From: William A. Rowe Jr Date: Tue, 20 Sep 2005 18:38:02 +0000 (+0000) Subject: Sync to 2.0.x changes X-Git-Tag: 2.3.0~2979 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c998a9d10fe300f4d2b4f2cc7ef82df190563711;p=thirdparty%2Fapache%2Fhttpd.git Sync to 2.0.x changes git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@290519 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 01f25b9d7c8..eed683db65e 100644 --- a/CHANGES +++ b/CHANGES @@ -115,19 +115,6 @@ Changes with Apache 2.1.7 based on the proxy status. (minor MMN bump) [Brian Akins , Ian Holsman] - *) SECURITY: CAN-2005-2088 - proxy: Correctly handle the Transfer-Encoding and Content-Length - headers. Discard the request Content-Length whenever T-E: chunked - is used, always passing one of either C-L or T-E: chunked whenever - the request includes a request body. Resolves an entire class of - proxy HTTP Request Splitting/Spoofing attacks. [William Rowe] - - *) Added TraceEnable [on|off|extended] per-server directive to alter - the behavior of the TRACE method. This addresses a flaw in proxy - conformance to RFC 2616 - previously the proxy server would accept - a TRACE request body although the RFC prohibited it. The default - remains 'TraceEnable on'. [William Rowe] - *) Add additional SSLSessionCache option, 'nonenotnull', which is similar to 'none' (disabling any external shared cache) but forces OpenSSL to provide a non-null session ID. [Jim Jagielski] 
@@ -860,6 +847,19 @@ Changes with Apache 2.1.1 Changes with Apache 2.0.55 + *) SECURITY: CAN-2005-2088 (cve.mitre.org) + proxy: Correctly handle the Transfer-Encoding and Content-Length + headers. Discard the request Content-Length whenever T-E: chunked + is used, always passing one of either C-L or T-E: chunked whenever + the request includes a request body. Resolves an entire class of + proxy HTTP Request Splitting/Spoofing attacks. [William Rowe] + + *) Added TraceEnable [on|off|extended] per-server directive to alter + the behavior of the TRACE method. This addresses a flaw in proxy + conformance to RFC 2616 - previously the proxy server would accept + a TRACE request body although the RFC prohibited it. The default + remains 'TraceEnable on'. [William Rowe] + *) Add ap_log_cerror() for logging messages associated with particular client connections. [Jeff Trawick]
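Review bot: In the first hunk, dropping the CAN-2005-2088 and TraceEnable entries from the "Changes with Apache 2.1.7" section means the trunk changelog now records these fixes only under 2.0.55 further down the file; that matches the convention of listing backported changes once, in the lowest release that carries them, but it does mean anyone reading only the 2.1.x entries will not see the proxy request-splitting fix. A short "(backported to 2.0.55)" note would not be needed if the convention is documented, so this is acceptable as-is provided the second hunk always lands in the same commit.

Review bot: In the second hunk, the TraceEnable entry names three values, "[on|off|extended]", but only explains the flaw being fixed and that the default "remains 'TraceEnable on'"; it does not say what 'extended' permits or whether 'on' now rejects a TRACE request body as RFC 2616 requires. One clause for each value (e.g. "'on' rejects TRACE bodies, 'extended' permits them for non-proxy requests only") would make the security-relevant behaviour change visible to someone reading CHANGES before upgrading, and the added "(cve.mitre.org)" pointer on the CAN-2005-2088 line is a welcome improvement over the text removed in the first hunk.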