Posted to cvs@httpd.apache.org by rp...@apache.org on 2007/12/28 17:02:05 UTC

svn commit: r607276 - /httpd/httpd/trunk/CHANGES

Author: rpluem
Date: Fri Dec 28 08:01:52 2007
New Revision: 607276

URL: http://svn.apache.org/viewvc?rev=607276&view=rev
Log:
* Fix CHANGES wording for r606693.

Modified:
    httpd/httpd/trunk/CHANGES

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=607276&r1=607275&r2=607276&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Dec 28 08:01:52 2007
@@ -12,21 +12,10 @@
   *) mod_deflate: Transform ETag when transforming the entity.
      PR 39727 [Henrik Nordstrom <hno squid-cache.org>, Nick Kew]
 
-  *) mod_ldap: Set character set for status page to ISO-8859-1 to avoid
-     UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
-
-  *) mod_proxy_balancer: Set character set for balancer manager to ISO-8859-1
-     to avoid UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
-
-  *) mod_proxy_ftp: Set character set for generated FTP directory listing to
-     ISO-8859-1 to avoid UTF-7 XSS vulnerabilities of certain browsers.
-     [Joe Orton]
-
-  *) mod_info: Set character set for info page to ISO-8859-1 to avoid
-     UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
-
-  *) mod_dav: Set character set for error pages to ISO-8859-1 to avoid
-     UTF-7 XSS vulnerabilities of certain browsers. [Joe Orton]
+  *) Add explicit charset to the output of various modules to work around
+     possible cross-site scripting flaws affecting web browsers that do not
+     derive the response character set as required by  RFC2616.  One of these
+     reported by SecurityReason [Joe Orton]
 
   *) mod_ssl: Added server name indication support (RFC 4366).
      PR 34607. [Kaspar Brand <asfbugz velox.ch>]
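
Review bot: The consolidated entry in the added lines ("Add explicit charset to the output of various modules ...") drops the specifics that the five removed entries carried: it no longer names mod_ldap, mod_proxy_balancer, mod_proxy_ftp, mod_info or mod_dav, and it no longer says the charset is ISO-8859-1 or that the concern is UTF-7 XSS. An administrator reading CHANGES cannot tell from "various modules" which generated pages changed or which character set is now declared. Suggest keeping the single entry but listing the modules and the charset in it. Smaller wording points in the same lines: "One of these reported by SecurityReason" does not say which module's issue was reported and has no closing period, "by  RFC2616" has a doubled space, and "RFC2616" is written without the space used in the neighbouring "RFC 4366" entry.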