You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by wr...@apache.org on 2013/02/18 21:21:12 UTC

svn commit: r1447462 - /httpd/httpd/branches/2.2.x/CHANGES

Author: wrowe
Date: Mon Feb 18 20:21:11 2013
New Revision: 1447462

URL: http://svn.apache.org/r1447462
Log:
Clarify changes

Modified:
    httpd/httpd/branches/2.2.x/CHANGES

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1447462&r1=1447461&r2=1447462&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Feb 18 20:21:11 2013
@@ -1,9 +1,14 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.2.24
 
-  *) mod_status, mod_info, mod_proxy_ftp, mod_proxy_balancer, mod_imagemap,
-     mod_ldap: Improve escaping of hostname and URIs HTML output.
-     [Jim Jagielski, Stefan Fritsch]
+  *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+     Various XSS flaws due to unescaped hostnames and URIs HTML output in
+     mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+     [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+
+  *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+     XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+     Niels Heinen <heinenn google com>]
 
   *) mod_ssl: Send the error message for speaking http to an https port using
      HTTP/1.0 instead of HTTP/0.9, and omit the link that may be wrong when