From: William A. Rowe Jr Date: Wed, 26 Jun 2013 17:28:06 +0000 (+0000) Subject: Note related risk at the end of the SECURITY CHANGES list for 2.0.65 X-Git-Tag: 2.0.65~13 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=222df331d804e0a615fb0c18bc39ba1f7a853b9b;p=thirdparty%2Fapache%2Fhttpd.git Note related risk at the end of the SECURITY CHANGES list for 2.0.65 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1497013 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 8839da479d1..d4d5f3e084c 100644 --- a/CHANGES +++ b/CHANGES @@ -28,6 +28,12 @@ Changes with Apache 2.0.65 is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames] + NOTE: it remains possible to exhaust all memory using a carefully + crafted .htaccess rule, which will not be addressed in 2.0; enabling + processing of .htaccess files authored by untrusted users is the root + of such security risks. Upgrade to httpd 2.2.25 or later to limit + this specific risk. + *) core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200. [Eric Covener, Rainer Jung]
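Review bot: the added NOTE tells 2.0 administrators that the memory-exhaustion risk from a crafted .htaccess rule will not be fixed in this branch, but it does not say what they can do short of upgrading; since the note itself identifies untrusted-user .htaccess processing as the root cause, consider naming the configuration change that removes it, e.g. "Administrators who cannot upgrade should disable .htaccess processing for untrusted content (AllowOverride None) in those locations." It would also help to state what 2.2.25 actually does to limit the risk, as "Upgrade ... to limit this specific risk" leaves the reader guessing whether the upgrade mitigates or fully resolves it. Minor style point: the rest of this CHANGES block uses "*)" entries with bracketed attribution, so the NOTE should probably carry the same two-space continuation indent as the entry it extends, which the hunk already does; just confirm the blank line before "*) core: Add MaxRanges" is preserved so the entries stay visually separated.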