You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by pq...@apache.org on 2005/07/08 11:35:58 UTC

svn commit: r209723 - /httpd/httpd/trunk/CHANGES

Author: pquerna
Date: Fri Jul  8 02:35:56 2005
New Revision: 209723

URL: http://svn.apache.org/viewcvs?rev=209723&view=rev
Log:
The request smuggling issue did get assigned CAN-2005-2088.

Modified:
    httpd/httpd/trunk/CHANGES

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=209723&r1=209722&r2=209723&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES (original)
+++ httpd/httpd/trunk/CHANGES Fri Jul  8 02:35:56 2005
@@ -19,7 +19,7 @@
   *) Fix htdbm password validation for records which included comments.
      [Eric Covener <covener gmail.com>]
 
-  *) SECURITY: 
+  *) SECURITY: CAN-2005-2088
      proxy HTTP: If a response contains both Transfer-Encoding and a 
      Content-Length, remove the Content-Length and don't reuse the
      connection, stopping some HTTP Request smuggling attacks.
@@ -30,7 +30,7 @@
 
 Changes with Apache 2.1.5
 
-  *) SECURITY: 
+  *) SECURITY: CAN-2005-2088
      core: If a request contains both Transfer-Encoding and a Content-Length,
      remove the Content-Length, stopping some HTTP Request smuggling attacks.
      [Paul Querna]

Re: svn commit: r209723 - /httpd/httpd/trunk/CHANGES

Posted by Joe Orton <jo...@redhat.com>.

On Fri, Jul 08, 2005 at 09:35:58AM -0000, Paul Querna wrote:
> Author: pquerna
> Date: Fri Jul  8 02:35:56 2005
> New Revision: 209723
> 
> URL: http://svn.apache.org/viewcvs?rev=209723&view=rev
> Log:
> The request smuggling issue did get assigned CAN-2005-2088.

Ah, I was just about to commit a different change to clear this up.

CAN-2005-2088 only refers to the fix for the specific *request* handling 
issue highlighted in the watchfire report.  No CVE name has been 
assigned for fix for response handling in the proxy since there is no 
real security issue there in httpd.  (nobody has demonstrated one, 
anyway; it would probably require a separate CVE name)

The changes in 2.1.5 did not actually fix CAN-2005-2088, however.  So we 
could move that CHANGES entry from the 2.1.5 section to the 2.1.6 
section to clarify this.

The security references should be removed from the "proxy HTTP: ..." 
entry completely, I think, certainly the CVE reference must be.

joe

> 
> Modified:
>     httpd/httpd/trunk/CHANGES
> 
> Modified: httpd/httpd/trunk/CHANGES
> URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=209723&r1=209722&r2=209723&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES (original)
> +++ httpd/httpd/trunk/CHANGES Fri Jul  8 02:35:56 2005
> @@ -19,7 +19,7 @@
>    *) Fix htdbm password validation for records which included comments.
>       [Eric Covener <covener gmail.com>]
>  
> -  *) SECURITY: 
> +  *) SECURITY: CAN-2005-2088
>       proxy HTTP: If a response contains both Transfer-Encoding and a 
>       Content-Length, remove the Content-Length and don't reuse the
>       connection, stopping some HTTP Request smuggling attacks.
> @@ -30,7 +30,7 @@
>  
>  Changes with Apache 2.1.5
>  
> -  *) SECURITY: 
> +  *) SECURITY: CAN-2005-2088
>       core: If a request contains both Transfer-Encoding and a Content-Length,
>       remove the Content-Length, stopping some HTTP Request smuggling attacks.
>       [Paul Querna]
>