From: William A. Rowe Jr Date: Mon, 18 Feb 2013 20:21:11 +0000 (+0000) Subject: Clarify changes to show the assignment of CVE-2012-3499 and X-Git-Tag: 2.2.24~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ebcbb0ed0544643dc708df96be738904a4c72d62;p=thirdparty%2Fapache%2Fhttpd.git Clarify changes to show the assignment of CVE-2012-3499 and CVE-2012-4558. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1447462 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index cca5491a66a..57b563b2ce7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,9 +1,14 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.24 - *) mod_status, mod_info, mod_proxy_ftp, mod_proxy_balancer, mod_imagemap, - mod_ldap: Improve escaping of hostname and URIs HTML output. - [Jim Jagielski, Stefan Fritsch] + *) SECURITY: CVE-2012-3499 (cve.mitre.org) + Various XSS flaws due to unescaped hostnames and URIs HTML output in + mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. + [Jim Jagielski, Stefan Fritsch, Niels Heinen ] + + *) SECURITY: CVE-2012-4558 (cve.mitre.org) + XSS in mod_proxy_balancer manager interface. [Jim Jagielski, + Niels Heinen ] *) mod_ssl: Send the error message for speaking http to an https port using HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when
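Review bot: The rewritten CVE-2012-3499 entry describes only the flaw and drops the statement of the fix that the removed lines carried ("Improve escaping of hostname and URIs HTML output"), so a reader of CHANGES cannot tell from the entry itself that 2.2.24 adds the escaping. Suggest keeping a short clause to that effect in both SECURITY entries. In the same entry, "unescaped hostnames and URIs HTML output" is missing a preposition; "unescaped hostnames and URIs in HTML output" would parse. The CVE-2012-4558 entry says only "XSS in mod_proxy_balancer manager interface" and could name what was left unescaped, in line with the level of detail in the entry above it. Finally, the credit "Niels Heinen ]" appears in both new entries with a space before the closing bracket, which suggests something was dropped after the name; either restore it or close the bracket directly after the name.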