From 25ed0a80d7c0db286348df706cf2b090cabd6598 Mon Sep 17 00:00:00 2001 From: Jim Jagielski Date: Tue, 4 Sep 2007 12:01:32 +0000 Subject: [PATCH] Move all sec issues to top and note that 2.0.60 never existed :) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@572640 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 42 +++++++++++++++++++++--------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/CHANGES b/CHANGES index 100898d42a3..011991be234 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,25 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.61 + *) SECURITY: CVE-2007-3847 (cve.mitre.org) + mod_proxy: Prevent reading past the end of a buffer when parsing + date-related headers. PR 41144. + [Davi Arnaut, Nick Kew] + + *) SECURITY: CVE-2007-1863 (cve.mitre.org) + mod_cache: Prevent segmentation fault if a Cache-Control header has + no value. [Niklas Edmundsson ] + + *) SECURITY: CVE-2006-5752 (cve.mitre.org) + mod_status: Fix a possible XSS attack against a site with a public + server-status page and ExtendedStatus enabled, for browsers which + perform charset "detection". Reported by Stefan Esser. [Joe Orton] + + *) SECURITY: CVE-2007-3304 (cve.mitre.org) + prefork, worker MPMs: Ensure that the parent process cannot + be forced to kill processes outside its process group. + [Joe Orton, Jim Jagielski] + *) log core: ensure we use a special pool for stderr logging, so that the stderr channel remains valid from the time plog is destroyed, until the time the open_logs hook is called again. [William Rowe] 
@@ -36,27 +55,6 @@ Changes with Apache 2.0.61 *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk] -Changes with Apache 2.0.60 - - *) SECURITY: CVE-2007-3847 (cve.mitre.org) - mod_proxy: Prevent reading past the end of a buffer when parsing - date-related headers. PR 41144. - [Davi Arnaut, Nick Kew] - - *) SECURITY: CVE-2007-1863 (cve.mitre.org) - mod_cache: Prevent segmentation fault if a Cache-Control header has - no value. [Niklas Edmundsson ] - - *) SECURITY: CVE-2006-5752 (cve.mitre.org) - mod_status: Fix a possible XSS attack against a site with a public - server-status page and ExtendedStatus enabled, for browsers which - perform charset "detection". Reported by Stefan Esser. [Joe Orton] - - *) SECURITY: CVE-2007-3304 (cve.mitre.org) - prefork, worker MPMs: Ensure that the parent process cannot - be forced to kill processes outside its process group. - [Joe Orton, Jim Jagielski] - *) mod_so: Solve dev's confusion by reporting expected/seen module magic signatures when failing with a 'garbled' message, and solve user's confusion by pointing out 'perhaps compiled for a different @@ -100,6 +98,8 @@ Changes with Apache 2.0.60 employed to report their HTTP status result code. PR 16637 30033 28089. [Matt Lewandowsky , William Rowe] +There was no 2.0.60 + Changes with Apache 2.0.59 *) SECURITY: CVE-2006-3747 (cve.mitre.org) -- 2.47.2
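Review bot: In the first hunk (the four `+ *) SECURITY:` entries moved to the head of the 2.0.61 section), the attribution for the CVE-2007-1863 mod_cache entry reads `[Niklas Edmundsson ]` with a trailing space inside the brackets, unlike the other three entries which close the bracket directly after the name; if a contact address was intended there, restore it, otherwise drop the space so the entry matches the file's `[Name]` convention. Putting the SECURITY entries first is the right call for a release whose readers scan CHANGES for CVE fixes; listing them in a consistent order (for example by CVE number, or most severe first) would make that scan easier than the current 2007-3847, 2007-1863, 2006-5752, 2007-3304 sequence.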
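Review bot: The second hunk deletes the `Changes with Apache 2.0.60` heading together with the four SECURITY entries, which means every remaining entry that used to sit under that heading (from `*) mod_so: Solve dev's confusion ...` onward) is now silently folded into 2.0.61 at the point where the heading was removed, with nothing in the file at that position explaining why; a reader diffing against an older copy of CHANGES will see the 2.0.60 heading vanish without a trace until the end of the section. Consider leaving a one-line marker where the heading stood, or at least confirming that no entry in the folded region refers to 2.0.60 by number, so that the section reads coherently as a single 2.0.61 changelog.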
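Review bot: The third hunk adds the bare line `+There was no 2.0.60` immediately before `Changes with Apache 2.0.59`, so the note that explains the renumbering sits at the very bottom of the merged 2.0.61 section rather than where a reader encounters the `Changes with Apache 2.0.61` heading; it also does not follow the file's ` *) ...` entry format, so it will read as a stray line in a file that otherwise consists only of version headings and bulleted entries. Suggest placing it directly under the 2.0.61 heading (or at the point where the old 2.0.60 heading was deleted) and phrasing it as a short explanatory line such as `(2.0.60 was never released; its entries are included in 2.0.61)` so that the reason for the fold is recorded in CHANGES itself and not only in this commit message.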