From 2f1267897fd5050750b93859e865382bff95c9c7 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Mon, 18 Sep 2017 21:54:15 +0000 Subject: [PATCH] CVE-2017-9798 disclosed, amend CHANGES entry for https://svn.apache.org/r1807754 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1808787 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGES b/CHANGES index b2b6bada88b..109b338b7c1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.28 + *) SECURITY: CVE-2017-9798 (cve.mitre.org) + Corrupted or freed memory access. must now be used in the + main configuration file (httpd.conf) to register HTTP methods before the + .htaccess files. [Yann Ylavic] + *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically. PR 61142. @@ -13,9 +18,6 @@ Changes with Apache 2.4.28 *) build: allow configuration without APR sources. [Jacob Champion] - *) core: Disallow Methods' registration at runtime (.htaccess), they may be - used only if registered at init time (httpd.conf). [Yann Ylavic] - *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184. [Bernard Spil , Michael Schlenker , Yann Ylavic] -- 2.47.2
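Review bot: In the first CHANGES hunk, the second sentence of the new SECURITY entry has no subject as it reads here: "Corrupted or freed memory access. must now be used in the main configuration file (httpd.conf)". Name the directive that has to appear in httpd.conf, so an administrator reading the entry knows what to add there before .htaccess files rely on a custom method. The first sentence would also help readers more if it said under what condition the corrupted or freed memory access occurred, since the entry otherwise points only at cve.mitre.org.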
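Review bot: In the second hunk, deleting the "core: Disallow Methods' registration at runtime (.htaccess)" entry removes the only explicit statement of the behaviour change, which the new SECURITY entry merely implies with "to register HTTP methods before the .htaccess files". Consider carrying the removed wording into the SECURITY entry, that methods "may be used only if registered at init time (httpd.conf)", so that someone scanning CHANGES for compatibility breaks sees that runtime registration from .htaccess is no longer allowed.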