Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/09/20 20:37:43 UTC

svn commit: r290518 - /httpd/httpd/branches/2.2.x/CHANGES

Author: wrowe
Date: Tue Sep 20 11:37:35 2005
New Revision: 290518

URL: http://svn.apache.org/viewcvs?rev=290518&view=rev
Log:

  Sync to 2.0.x/CHANGES

Modified:
    httpd/httpd/branches/2.2.x/CHANGES

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/CHANGES?rev=290518&r1=290517&r2=290518&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Tue Sep 20 11:37:35 2005
@@ -97,19 +97,6 @@
      based on the proxy status. (minor MMN bump)
      [Brian Akins <bakins turner.com>, Ian Holsman]
 
-  *) SECURITY: CAN-2005-2088
-     proxy: Correctly handle the Transfer-Encoding and Content-Length
-     headers.  Discard the request Content-Length whenever T-E: chunked
-     is used, always passing one of either C-L or T-E: chunked whenever 
-     the request includes a request body.  Resolves an entire class of
-     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]
-
-  *) Added TraceEnable [on|off|extended] per-server directive to alter
-     the behavior of the TRACE method.  This addresses a flaw in proxy
-     conformance to RFC 2616 - previously the proxy server would accept
-     a TRACE request body although the RFC prohibited it.  The default
-     remains 'TraceEnable on'.  [William Rowe]
-
   *) Add additional SSLSessionCache option, 'nonenotnull', which is
      similar to 'none' (disabling any external shared cache) but forces
      OpenSSL to provide a non-null session ID.  [Jim Jagielski]
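Review bot: the removal of the CAN-2005-2088 and TraceEnable entries in this hunk reads as a retraction when taken on its own, because nothing in the 2.2.x section points to where they went; the log message "Sync to 2.0.x/CHANGES" should state that the two entries are being relocated into the "Changes with Apache 2.0.55" section (covered by the "Apache 2.0.xx tree as documented, and except as noted, below" rule) rather than dropped, so a reader of the 2.2.x part of CHANGES does not conclude the proxy request-splitting fix is absent from 2.2.x.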
@@ -841,6 +828,19 @@
    Apache 2.0.xx tree as documented, and except as noted, below.]
 
 Changes with Apache 2.0.55
+
+  *) SECURITY: CAN-2005-2088 (cve.mitre.org)
+     proxy: Correctly handle the Transfer-Encoding and Content-Length
+     headers.  Discard the request Content-Length whenever T-E: chunked
+     is used, always passing one of either C-L or T-E: chunked whenever 
+     the request includes a request body.  Resolves an entire class of
+     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]
+
+  *) Added TraceEnable [on|off|extended] per-server directive to alter
+     the behavior of the TRACE method.  This addresses a flaw in proxy
+     conformance to RFC 2616 - previously the proxy server would accept
+     a TRACE request body although the RFC prohibited it.  The default
+     remains 'TraceEnable on'.  [William Rowe]
 
   *) Add ap_log_cerror() for logging messages associated with particular
      client connections.  [Jeff Trawick]
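Review bot: the re-added CAN-2005-2088 entry is not a verbatim copy of the one removed above: it gains "(cve.mitre.org)" after the identifier, and it carries a trailing space on "is used, always passing one of either C-L or T-E: chunked whenever ". Strip the trailing whitespace, and if the "(cve.mitre.org)" suffix is the intended form for SECURITY entries, say so in the log message; otherwise keep the moved text identical so this section of CHANGES stays byte-for-byte in sync between the two branches, which is what the commit claims to do.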