From: William A. Rowe Jr Date: Tue, 13 Dec 2016 17:21:30 +0000 (+0000) Subject: Document CHANGES X-Git-Tag: 2.4.24~26 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cbf37b5663633e4d0c54b1475a08394313d151ff;p=thirdparty%2Fapache%2Fhttpd.git Document CHANGES git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1774065 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 388c6d1abd8..6f6b7cb4dec 100644 --- a/CHANGES +++ b/CHANGES @@ -22,6 +22,17 @@ Changes with Apache 2.4.24 MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack. [Yann Ylavic, Colm MacCarthaigh] + *) SECURITY: CVE-2016-8743 (cve.mitre.org) + Enforce HTTP request grammar corresponding to RFC7230 for request lines + and request headers, to prevent response splitting and cache pollution by + malicious clients or downstream proxies. [William Rowe, Stefan Fritsch] + + *) Validate HTTP response header grammar defined by RFC7230, resulting + in a 500 error in the event that invalid response header contents are + detected when serving the response, to avoid response splitting and cache + pollution by malicious clients, upstream servers or faulty modules. + [Stefan Fritsch, Eric Covener, Yann Ylavic] + *) mod_socache_memcache: Provide memcache stats to mod_status. [Jim Jagielski] @@ -40,9 +51,6 @@ Changes with Apache 2.4.24 'parent-first' instead of 'none', as per documentation. PR 60419 [Christophe Jaillet] - *) Enforce http request grammer corresponding to RFC7230 for request lines - and request headers [William Rowe, Stefan Fritsch] - *) core: New directive HttpProtocolOptions to control httpd enforcement of various RFC7230 requirements. [Stefan Fritsch, William Rowe]
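Review bot: The new CVE-2016-8743 entry in the first hunk (lines "+ *) SECURITY: CVE-2016-8743 (cve.mitre.org)" through "+ malicious clients or downstream proxies.") does not say what the server now does when a request line or header fails the RFC7230 grammar check, whereas the companion response-header entry does state its outcome ("resulting in a 500 error"). Administrators reading CHANGES to assess upgrade impact need the same for the request side: state the status returned (or that the request is rejected) and note that the strictness is governed by the HttpProtocolOptions directive that this same file documents further down, so readers know where to look if legitimate but sloppy clients start being refused. The second new entry (response header validation, 500 on invalid contents) carries no SECURITY/CVE tag even though it addresses the same response-splitting and cache-pollution class; if that is deliberate because it has no CVE of its own, a brief "(related to CVE-2016-8743)" would make the relationship explicit.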
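Review bot: The removal in the second hunk ("- *) Enforce http request grammer corresponding to RFC7230 for request lines" and the following attribution line) is a relocation rather than a loss: the same change is re-added in the first hunk as the CVE-2016-8743 SECURITY entry with the same authors, and the "grammer" typo disappears with the old wording, so the diff is consistent. The entry that now follows the removal, "core: New directive HttpProtocolOptions to control httpd enforcement of various RFC7230 requirements", is the control for the enforcement described in the relocated SECURITY entry; consider a one-line cross-reference between the two (e.g. "see HttpProtocolOptions below") so the security fix and its configuration knob are not read in isolation.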