git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
Sync Changelog
author William A. Rowe Jr <wrowe@apache.org>
Sat, 6 Mar 2010 01:59:50 +0000 (01:59 +0000)
committer William A. Rowe Jr <wrowe@apache.org>
Sat, 6 Mar 2010 01:59:50 +0000 (01:59 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@919690 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

diff --git a/CHANGES b/CHANGES
index 4a6f327fa1f90f6ad3f5957f18b7efda24f8784f..5a5405668aea5d32a82c588bfdf17fdb06c5766a 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,14 @@
 
 Changes with Apache 2.3.7
 
+  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
+     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
+     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
+     and offer unsafe legacy renegotiation with clients which do not yet
+     support the new secure renegotiation protocol, RFC 5746.
+     [Joe Orton, and with thanks to the OpenSSL Team]
+
   *) SECURITY: CVE-2009-3555 (cve.mitre.org)
      mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
      by rejecting any client-initiated renegotiations. Forcibly disable
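Review bot: The added entry names 'SSLInsecureRenegotiation' and says it reopens the vulnerability, but it does not state the directive's default value, so a reader of CHANGES cannot tell whether unsafe legacy renegotiation is offered unless an administrator opts in. Suggest saying the default explicitly in the sentence that introduces the directive. The entry is also conditional on "OpenSSL version 0.9.8m or later" and sits directly above a second entry with the same CVE-2009-3555 heading; a short clause saying that builds against earlier OpenSSL versions are covered only by the partial fix described in the entry below would make the relationship between the two entries clear.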