Posted to cvs@httpd.apache.org by jo...@apache.org on 2014/07/14 21:36:38 UTC

svn commit: r1610495 - /httpd/httpd/branches/2.4.x/CHANGES

Author: jorton
Date: Mon Jul 14 19:36:38 2014
New Revision: 1610495

URL: http://svn.apache.org/r1610495
Log:
Note CVE name for mod_cache crasher fixed in 2.4.7.

This issue affected httpd versions 2.4.5 and 2.4.6 only.

Modified:
    httpd/httpd/branches/2.4.x/CHANGES

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1610495&r1=1610494&r2=1610495&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jul 14 19:36:38 2014
@@ -347,6 +347,11 @@ Changes with Apache 2.4.8
 
 Changes with Apache 2.4.7
 
+  *) SECURITY: CVE-2013-4352 (cve.mitre.org)
+     mod_cache: Fix a NULL pointer deference which allowed untrusted
+     origin servers to crash mod_cache in a forward proxy
+     configuration.  [Graham Leggett]
+
   *) APR 1.5.0 or later is now required for the event MPM.
   
   *) slotmem_shm: Error detection. [Jim Jagielski]
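Review bot: "NULL pointer deference" in the added mod_cache line is a typo for "dereference"; worth fixing since people search CHANGES for that term. The entry also leaves out the affected range that the commit log gives (2.4.5 and 2.4.6 only). Adding it to the entry text would let readers of CHANGES tell whether their build is exposed without going back to the commit log.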
@@ -458,9 +463,6 @@ Changes with Apache 2.4.7
      will or will not be persisted and whether settings are inherited.
      [Daniel Ruggeri, Jim Jagielski]
 
-  *) mod_cache: Avoid a crash with strcmp() when the hostname is not provided.
-     [Graham Leggett]
-
   *) core: Add util_fcgi.h and associated definitions and support
      routines for FastCGI, based largely on mod_proxy_fcgi.
      [Jeff Trawick]
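Review bot: the removed entry, "Avoid a crash with strcmp() when the hostname is not provided", carried the only description of the trigger, and the new SECURITY entry does not repeat it. Consider keeping that detail in the new entry (for example "... NULL pointer dereference in strcmp() when the hostname is not provided ...") so the CVE can still be matched to the original fix description.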