Posted to cvs@httpd.apache.org by mj...@apache.org on 2004/09/02 11:49:10 UTC

cvs commit: httpd-2.0 CHANGES

mjc         2004/09/02 02:49:09

  Modified:    .        CHANGES
  Log:
  CAN to CVE promotions from CVE version 20040901
  
  Revision  Changes    Path
  1.1581    +5 -5      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.1580
  retrieving revision 1.1581
  diff -u -r1.1580 -r1.1581
  --- CHANGES	1 Sep 2004 17:21:52 -0000	1.1580
  +++ CHANGES	2 Sep 2004 09:49:09 -0000	1.1581
  @@ -774,7 +774,7 @@
     *) mod_ssl: Send the Close Alert message to the peer before closing
        the SSL session.  PR 27428.  [Madhusudan Mathihalli, Joe Orton]
   
  -  *) SECURITY: CAN-2004-0113 (cve.mitre.org)
  +  *) SECURITY: CVE-2004-0113 (cve.mitre.org)
        mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling.
        PR 27106.  [Joe Orton]
   
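Review bot: The renamed line "*) SECURITY: CVE-2004-0113 (cve.mitre.org)" keeps the unbracketed "SECURITY: CVE-2004-0113" form, while the older entries renamed later in this same diff use the bracketed "SECURITY [CVE-2002-0840]" form. Since the line is being rewritten anyway, consider settling on one form so that a single search pattern finds every security entry in CHANGES.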
  @@ -946,7 +946,7 @@
     *) mod_dav: Return a WWW-auth header for MOVE/COPY requests where
        the destination resource gives a 401.  PR 15571.  [Joe Orton]
   
  -  *) SECURITY: CAN-2003-0020 (cve.mitre.org)
  +  *) SECURITY: CVE-2003-0020 (cve.mitre.org)
        Escape arbitrary data before writing into the errorlog. Unescaped
        errorlogs are still possible using the compile time switch
        "-DAP_UNSAFE_ERROR_LOG_UNESCAPED".  [Geoffrey Young, Andr� Malo]
  @@ -1834,7 +1834,7 @@
   
   Changes with Apache 2.0.43
   
  -  *) SECURITY [CAN-2002-0840]: HTML-escape the address produced by 
  +  *) SECURITY [CVE-2002-0840]: HTML-escape the address produced by 
        ap_server_signature() against this cross-site scripting 
        vulnerability exposed by the directive 'UseCanonicalName Off'.  
        Also HTML-escape the SERVER_NAME environment variable for CGI 
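Review bot: The new line "SECURITY [CVE-2002-0840]:" is the only one of the five renamed entries without the "(cve.mitre.org)" source tag that the other four carry. Adding it here, as in "SECURITY [CVE-2002-1156] (cve.mitre.org):", would make the entries uniform and keep the pointer to where the identifier was assigned.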
  @@ -1857,7 +1857,7 @@
        could lead to an infinite loop.  PR 12705  
        [Amund Elstad <amund.elstad ergo.no>, Jeff Trawick]
   
  -  *) SECURITY [CAN-2002-1156] (cve.mitre.org):
  +  *) SECURITY [CVE-2002-1156] (cve.mitre.org):
        Fix the exposure of CGI source when a POST request is sent to 
        a location where both DAV and CGI are enabled. [Ryan Bloom]
   
  @@ -8819,7 +8819,7 @@
        run-time configurable using the ExtendedStatus directive.
        [Jim Jagielski]
   
  -  *) SECURITY [CAN-1999-1199] (cve.mitre.org): 
  +  *) SECURITY [CVE-1999-1199] (cve.mitre.org): 
        Eliminate O(n^2) space DoS attacks (and other O(n^2)
        cpu time attacks) in header parsing.  Add ap_overlap_tables(),
        a function which can be used to perform bulk update operations
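Review bot: The replacement line "SECURITY [CVE-1999-1199] (cve.mitre.org): " still ends with a blank after the colon, carried over from the removed line. Dropping the trailing whitespace while the line is being touched avoids a whitespace-only change to this entry later.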