From: Jim Jagielski Date: Tue, 4 Sep 2007 11:59:38 +0000 (+0000) Subject: Update CHANGES. Move security items to the top, note that X-Git-Tag: 2.2.6~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb898cb2274026a9848db675f8925458870a708b;p=thirdparty%2Fapache%2Fhttpd.git Update CHANGES. Move security items to the top, note that there was "no" 2.2.5. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@572638 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 47a2873565e..bf04c9f8c7d 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,31 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.6 + *) SECURITY: CVE-2007-3847 (cve.mitre.org) + mod_proxy: Prevent reading past the end of a buffer when parsing + date-related headers. PR 41144. + [Davi Arnaut, Nick Kew] + + *) SECURITY: CVE-2007-1863 (cve.mitre.org) + mod_cache: Prevent a segmentation fault if attributes are listed in a + Cache-Control header without any value. + [Niklas Edmundsson ] + + *) SECURITY: CVE-2007-3304 (cve.mitre.org) + prefork, worker, event MPMs: Ensure that the parent process cannot + be forced to kill processes outside its process group. + [Joe Orton, Jim Jagielski] + + *) SECURITY: CVE-2006-5752 (cve.mitre.org) + mod_status: Fix a possible XSS attack against a site with a public + server-status page and ExtendedStatus enabled, for browsers which + perform charset "detection". Reported by Stefan Esser. [Joe Orton] + + *) SECURITY: CVE-2007-1862 (cve.mitre.org) + mod_mem_cache: Copy headers into longer lived storage; header names and + values could previously point to cleaned up storage. PR 41551. + [Davi Arnaut ] + *) mod_info: mod_info outputs invalid XHTML 1.0 transitional. PR 42847 [Rici Lake ] 
@@ -66,8 +91,9 @@ Changes with Apache 2.2.6 *) mod_autoindex: Add in Type and Charset options to IndexOptions directive. This allows the admin to explicitly set the - content-type and charset of the generated page. - [Jim Jagielski] + content-type and charset of the generated page and is therefore + a viable workaround for buggy browsers affected by CVE-2007-4465 + (cve.mitre.org). [Jim Jagielski] *) log core: ensure we use a special pool for stderr logging, so that the stderr channel remains valid from the time plog is destroyed, @@ -133,33 +159,6 @@ Changes with Apache 2.2.6 improper merging of the cache lock in vhost config PR 43164 [Eric Covener] -Changes with Apache 2.2.5 - - *) SECURITY: CVE-2007-3847 (cve.mitre.org) - mod_proxy: Prevent reading past the end of a buffer when parsing - date-related headers. PR 41144. - [Davi Arnaut, Nick Kew] - - *) SECURITY: CVE-2007-1863 (cve.mitre.org) - mod_cache: Prevent a segmentation fault if attributes are listed in a - Cache-Control header without any value. - [Niklas Edmundsson ] - - *) SECURITY: CVE-2007-3304 (cve.mitre.org) - prefork, worker, event MPMs: Ensure that the parent process cannot - be forced to kill processes outside its process group. - [Joe Orton, Jim Jagielski] - - *) SECURITY: CVE-2006-5752 (cve.mitre.org) - mod_status: Fix a possible XSS attack against a site with a public - server-status page and ExtendedStatus enabled, for browsers which - perform charset "detection". Reported by Stefan Esser. [Joe Orton] - - *) SECURITY: CVE-2007-1862 (cve.mitre.org) - mod_mem_cache: Copy headers into longer lived storage; header names and - values could previously point to cleaned up storage. PR 41551. - [Davi Arnaut ] - *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk] *) mod_deflate: fix protocol handling in deflate input filter 
@@ -273,6 +272,8 @@ Changes with Apache 2.2.5 including embedding the .manifest information into each binary. [William Rowe] +There was no Apache 2.2.5 + Changes with Apache 2.2.4 *) mod_isapi: Correctly present SERVER_PORT_SECURE.
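Review bot: the five SECURITY entries in the first hunk credit their reporters inconsistently; only the mod_status item (CVE-2006-5752) names who reported it ("Reported by Stefan Esser. [Joe Orton]"), while the mod_proxy, mod_cache, MPM and mod_mem_cache items carry only the fixer in brackets. Since this block is what downstream advisories and distribution changelogs will copy from, consider adding the reporter credit to each entry where it is known and using one form throughout, for example "Reported by X. [Fixer]" as the mod_status entry already does.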
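Review bot: in the second hunk the mod_autoindex entry now cites CVE-2007-4465 but is the only CVE reference in the file without a "SECURITY:" tag, and it describes the new Type and Charset options as "a viable workaround for buggy browsers" rather than as a fix. Anyone scanning the five SECURITY entries moved to the top of the 2.2.6 section will not see this CVE at all. Suggest either adding a matching "*) SECURITY: CVE-2007-4465 (cve.mitre.org)" entry to that block that points at this IndexOptions change, or stating here explicitly whether 2.2.6 fixes the issue or only offers this mitigation and what an administrator must set to be covered.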
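Review bot: the bare line "There was no Apache 2.2.5" in the third hunk sits roughly 270 lines below the heading it qualifies, after the "[William Rowe]" item, so a reader who stops at the top of the file will not learn that the former 2.2.5 entries (everything from "*) ApacheMonitor: Fix Windows Vista detection." down to this point) were folded into 2.2.6 once the "Changes with Apache 2.2.5" header was removed in the second hunk. It also does not follow the "Changes with Apache X.Y.Z" form that tools and readers key on. Suggest moving the note up beside "Changes with Apache 2.2.6", or replacing it with a heading in the established form such as "Changes with Apache 2.2.5 (not released; all changes are included in 2.2.6)" so the section boundary and the explanation stay together.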