Posted to dev@httpd.apache.org by "William A. Rowe Jr." <wr...@rowe-clan.net> on 2011/09/09 16:13:26 UTC
Re: svn commit: r1167184 [2/3] - in /httpd/httpd/branches/2.0.x: CHANGES STATUS modules/http/http_protocol.c
On 9/9/2011 9:07 AM, jim@apache.org wrote:
>
> Modified: httpd/httpd/branches/2.0.x/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1167184&r1=1167183&r2=1167184&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original)
> +++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Fri Sep 9 14:07:38 2011
> @@ -1,6 +1,12 @@
> -*- coding: utf-8 -*-
> Changes with Apache 2.0.65
>
> + *) SECURITY: CVE-2011-3192 (cve.mitre.org)
> + core: Fix handling of byte-range requests to use less memory, to avoid
> + denial of service. If the sum of all ranges in a request is larger than
> + the original file, ignore the ranges and send the complete file.
> + PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem,
> + Eric Covener]
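Review bot: the credit list in the last two lines of this entry stops at the people named on the original byte-range fix and omits the author of the follow-up regression fix, so it should be extended before this entry is considered final; while touching it, the "PR 51714." reference could also carry the regression's PR number next to it so the entry tracks both changes, and the behavioural sentence ("If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file") should say whether that sum is taken over the ranges as sent or after overlapping ranges are merged, since the memory bound being claimed depends on which one the code actually counts.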
We should add <lowprio20 gmail.com> to that list, who authored the fix to the
regression.