Posted to cvs@httpd.apache.org by tr...@apache.org on 2010/03/05 20:31:21 UTC

svn commit: r919552 - /httpd/httpd/trunk/CHANGES

Author: trawick
Date: Fri Mar  5 19:31:21 2010
New Revision: 919552

URL: http://svn.apache.org/viewvc?rev=919552&view=rev
Log:
try to get bug fix entries for future 2.3.7 alpha caught up with 2.2.15
where appropriate

Modified:
    httpd/httpd/trunk/CHANGES

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=919552&r1=919551&r2=919552&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Mar  5 19:31:21 2010
@@ -2,11 +2,35 @@
 
 Changes with Apache 2.3.7
 
+  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+     mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
+     by rejecting any client-initiated renegotiations. Forcibly disable
+     keepalive for the connection if there is any buffered data readable. Any
+     configuration which requires renegotiation for per-directory/location
+     access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
+     [Joe Orton, Ruediger Pluem, Hartmut Keil <Hartmut.Keil adnovum.ch>]
+
+  *) SECURITY: CVE-2010-0408 (cve.mitre.org)
+     mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
+     when request headers indicate a request body is incoming; not a case of
+     HTTP_INTERNAL_SERVER_ERROR.  [Niku Toivola <niku.toivola sulake.com>]
+
   *) SECURITY: CVE-2010-0425 (cve.mitre.org)
      mod_isapi: Do not unload an isapi .dll module until the request
      processing is completed, avoiding orphaned callback pointers.
      [Brett Gervasoni <brettg senseofsecurity.com>, Jeff Trawick]
 
+  *) mod_proxy_ajp: Really regard the operation a success, when the client
+     aborted the connection. In addition adjust the log message if the client
+     aborted the connection. [Ruediger Pluem]
+
+  *) mod_ssl: Add the 'SSLInsecureRenegotiation' directive, which
+     allows insecure renegotiation with clients which do not yet
+     support the secure renegotiation protocol.  [Joe Orton]
+
+  *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs
+     is configured for client cert auth. PR 46952.  [Joe Orton]
+
   *) core: Only log a 408 if it is no keepalive timeout. PR 39785
      [Ruediger Pluem,  Mark Montague <markmont umich.edu>]
 
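Review bot: the new 'SSLInsecureRenegotiation' entry (the "mod_ssl: Add the 'SSLInsecureRenegotiation' directive" item) is part of the CVE-2009-3555 story but is listed as an ordinary change with no reference to the CVE, while the CVE-2009-3555 entry above it still describes only the "partial fix" that rejects client-initiated renegotiation and names OpenSSL >= 0.9.8l as the escape hatch for per-directory renegotiation. A reader scanning for the security status of renegotiation will not connect the two. Suggest either folding the directive into the CVE-2009-3555 entry or adding a cross-reference to it, and stating the OpenSSL version the directive depends on, since "clients which do not yet support the secure renegotiation protocol" only makes sense against an OpenSSL that implements that protocol. Separately, the CVE-2010-0408 entry reads awkwardly ("Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR"); something like "Respond with HTTP_BAD_REQUEST instead of HTTP_INTERNAL_SERVER_ERROR when the request headers announce a body that is never sent" says the same thing more clearly.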
@@ -78,10 +102,10 @@
   *) mod_log_config: Add the R option to log the handler used within the
      request. [Christian Folini <christian.folini netnea com>]
 
-  *) Allow fine control over the removal of Last-Modified and ETag headers
-     within the INCLUDES filter, making it possible to cache responses if
-     desired. Fix the default value of the SSIAccessEnable directive.
-     [Graham Leggett]
+  *) mod_include: Allow fine control over the removal of Last-Modified and
+     ETag headers within the INCLUDES filter, making it possible to cache
+     responses if desired. Fix the default value of the SSIAccessEnable
+     directive.  [Graham Leggett]
 
   *) Add new UnDefine directive to undefine a variable. PR 35350.
      [Stefan Fritsch]
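Review bot: this hunk adds the "mod_include:" module prefix to the INCLUDES filter entry, which is the right convention, but the immediately following unchanged entry ("Add new UnDefine directive to undefine a variable. PR 35350.") still has no prefix. Since the stated purpose of the commit is to bring these entries into line with 2.2.15, suggest giving that entry the "core:" prefix in the same pass so the list reads consistently.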