Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/09/20 20:37:43 UTC
svn commit: r290518 - /httpd/httpd/branches/2.2.x/CHANGES
Author: wrowe
Date: Tue Sep 20 11:37:35 2005
New Revision: 290518
URL: http://svn.apache.org/viewcvs?rev=290518&view=rev
Log:
Sync to 2.0.x/CHANGES
Modified:
httpd/httpd/branches/2.2.x/CHANGES
Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/CHANGES?rev=290518&r1=290517&r2=290518&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Tue Sep 20 11:37:35 2005
@@ -97,19 +97,6 @@
based on the proxy status. (minor MMN bump)
[Brian Akins <bakins turner.com>, Ian Holsman]
- *) SECURITY: CAN-2005-2088
- proxy: Correctly handle the Transfer-Encoding and Content-Length
- headers. Discard the request Content-Length whenever T-E: chunked
- is used, always passing one of either C-L or T-E: chunked whenever
- the request includes a request body. Resolves an entire class of
- proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]
-
- *) Added TraceEnable [on|off|extended] per-server directive to alter
- the behavior of the TRACE method. This addresses a flaw in proxy
- conformance to RFC 2616 - previously the proxy server would accept
- a TRACE request body although the RFC prohibited it. The default
- remains 'TraceEnable on'. [William Rowe]
-
*) Add additional SSLSessionCache option, 'nonenotnull', which is
similar to 'none' (disabling any external shared cache) but forces
OpenSSL to provide a non-null session ID. [Jim Jagielski]
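Review bot: Dropping the CAN-2005-2088 and TraceEnable entries from the 2.2.x section is only safe because the same text is re-added under "Changes with Apache 2.0.55" in the next hunk, and the 2.2.x CHANGES file explicitly incorporates the 2.0.x history ("Changes with Apache 2.0.xx tree as documented, and except as noted, below"); anyone reading just this hunk should confirm that both entries land there, otherwise a security fix would vanish from the 2.2.x record. The removed copy also lacked the "(cve.mitre.org)" source tag that the 2.0.55 copy carries, so the sync normalises the SECURITY entry format as a side effect.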
@@ -841,6 +828,19 @@
Apache 2.0.xx tree as documented, and except as noted, below.]
Changes with Apache 2.0.55
+
+ *) SECURITY: CAN-2005-2088 (cve.mitre.org)
+ proxy: Correctly handle the Transfer-Encoding and Content-Length
+ headers. Discard the request Content-Length whenever T-E: chunked
+ is used, always passing one of either C-L or T-E: chunked whenever
+ the request includes a request body. Resolves an entire class of
+ proxy HTTP Request Splitting/Spoofing attacks. [William Rowe]
+
+ *) Added TraceEnable [on|off|extended] per-server directive to alter
+ the behavior of the TRACE method. This addresses a flaw in proxy
+ conformance to RFC 2616 - previously the proxy server would accept
+ a TRACE request body although the RFC prohibited it. The default
+ remains 'TraceEnable on'. [William Rowe]
*) Add ap_log_cerror() for logging messages associated with particular
client connections. [Jeff Trawick]
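Review bot: The TraceEnable entry names three values, [on|off|extended], but only tells the reader that the default "on" is unchanged; for a directive introduced to fix an RFC 2616 conformance flaw it should say what the other two do, e.g. that "off" refuses TRACE requests and that "extended" is the mode which still permits a TRACE request body, so administrators can see which setting restores the previous (non-conformant) behaviour and which tightens it. For the CAN-2005-2088 entry the wording is sound: discarding Content-Length whenever Transfer-Encoding: chunked is present, and always forwarding exactly one of C-L or T-E: chunked with a body, is the RFC 2616 section 4.4 precedence rule that removes the front-end/back-end disagreement behind request splitting; it would help to note that the fix applies to mod_proxy's forwarding of the request, since the entry's first word "proxy:" is the only hint.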