From: William A. Rowe Jr Date: Sat, 6 Mar 2010 01:59:50 +0000 (+0000) Subject: Sync Changelog X-Git-Tag: 2.3.6~393 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=070999265e227ae3574baef707578effb570b190;p=thirdparty%2Fapache%2Fhttpd.git Sync Changelog git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@919690 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 4a6f327fa1f..5a5405668ae 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,14 @@ Changes with Apache 2.3.7 + *) SECURITY: CVE-2009-3555 (cve.mitre.org) + mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection + attack when compiled against OpenSSL version 0.9.8m or later. Introduces + the 'SSLInsecureRenegotiation' directive to reopen this vulnerability + and offer unsafe legacy renegotiation with clients which do not yet + support the new secure renegotiation protocol, RFC 5746. + [Joe Orton, and with thanks to the OpenSSL Team] + *) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations. Forcibly disable
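Review bot: the added CVE-2009-3555 entry says 'SSLInsecureRenegotiation' will "reopen this vulnerability" but never states the directive's default, so a reader of CHANGES cannot tell whether an upgraded server is safe without touching its configuration; add a short clause giving the default state. The same entry is conditioned on "when compiled against OpenSSL version 0.9.8m or later" and sits directly above the older partial-fix entry under an identical CVE heading, so it would also help to say in one phrase which behaviour applies to builds against earlier OpenSSL versions, for example by pointing at the partial fix below.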