From: William A. Rowe Jr Date: Wed, 25 Jan 2012 21:27:27 +0000 (+0000) Subject: Alphanum order makes more sense here for end users to follow X-Git-Tag: 2.2.22~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f2a9c2002d9e582d84313ce9d52d7b2f0a3ce286;p=thirdparty%2Fapache%2Fhttpd.git Alphanum order makes more sense here for end users to follow git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235957 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 0997785aaa7..c773283489a 100644 --- a/CHANGES +++ b/CHANGES @@ -1,22 +1,6 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.22 - *) SECURITY: CVE-2012-0053 (cve.mitre.org) - Fix an issue in error responses that could expose "httpOnly" cookies - when no custom ErrorDocument is specified for status code 400. - [Eric Covener] - - *) SECURITY: CVE-2012-0031 (cve.mitre.org) - Fix scoreboard issue which could allow an unprivileged child process - could cause the parent to crash at shutdown rather than terminate - cleanly. [Joe Orton] - - *) SECURITY: CVE-2011-4317 (cve.mitre.org) - Resolve additional cases of URL rewriting with ProxyPassMatch or - RewriteRule, where particular request-URIs could result in undesired - backend network exposure in some configurations. - [Joe Orton] - *) SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in @@ -27,12 +11,28 @@ Changes with Apache 2.2.22 is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames] + *) SECURITY: CVE-2011-4317 (cve.mitre.org) + Resolve additional cases of URL rewriting with ProxyPassMatch or + RewriteRule, where particular request-URIs could result in undesired + backend network exposure in some configurations. + [Joe Orton] + *) SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17. PR 52256. [Rainer Canavan ] + *) SECURITY: CVE-2012-0031 (cve.mitre.org) + Fix scoreboard issue which could allow an unprivileged child process + could cause the parent to crash at shutdown rather than terminate + cleanly. [Joe Orton] + + *) SECURITY: CVE-2012-0053 (cve.mitre.org) + Fix an issue in error responses that could expose "httpOnly" cookies + when no custom ErrorDocument is specified for status code 400. + [Eric Covener] + *) mod_proxy_ajp: Try to prevent a single long request from marking a worker in error. [Jean-Frederic Clere]