Posted to cvs@httpd.apache.org by wr...@apache.org on 2016/12/13 17:21:30 UTC
svn commit: r1774065 - /httpd/httpd/branches/2.4.x/CHANGES
Author: wrowe
Date: Tue Dec 13 17:21:30 2016
New Revision: 1774065
URL: http://svn.apache.org/viewvc?rev=1774065&view=rev
Log:
Document CHANGES
Modified:
httpd/httpd/branches/2.4.x/CHANGES
Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1774065&r1=1774064&r2=1774065&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Tue Dec 13 17:21:30 2016
@@ -22,6 +22,17 @@ Changes with Apache 2.4.24
MAC (SipHash) to prevent deciphering or tampering with a padding
oracle attack. [Yann Ylavic, Colm MacCarthaigh]
+ *) SECURITY: CVE-2016-8743 (cve.mitre.org)
+ Enforce HTTP request grammar corresponding to RFC7230 for request lines
+ and request headers, to prevent response splitting and cache pollution by
+ malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
+
+ *) Validate HTTP response header grammar defined by RFC7230, resulting
+ in a 500 error in the event that invalid response header contents are
+ detected when serving the response, to avoid response splitting and cache
+ pollution by malicious clients, upstream servers or faulty modules.
+ [Stefan Fritsch, Eric Covener, Yann Ylavic]
+
*) mod_socache_memcache: Provide memcache stats to mod_status.
[Jim Jagielski]
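Review bot: The second new entry ("Validate HTTP response header grammar ...") says invalid response headers now produce a 500 but not whether the offending header is logged or at what level; an operator hit by a 500 from a faulty module or upstream needs that log line to find the culprit, so state it here (e.g. append "and logged at <level>" after "resulting in a 500 error") or say explicitly that nothing is logged. Neither new entry names the `HttpProtocolOptions` directive documented further down this same CHANGES file as the knob controlling the RFC7230 enforcement; a short pointer such as "(see HttpProtocolOptions)" in the CVE-2016-8743 entry would tell readers of the security notice where to look for the strictness setting.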
@@ -40,9 +51,6 @@ Changes with Apache 2.4.24
'parent-first' instead of 'none', as per documentation. PR 60419
[Christophe Jaillet]
- *) Enforce http request grammer corresponding to RFC7230 for request lines
- and request headers [William Rowe, Stefan Fritsch]
-
*) core: New directive HttpProtocolOptions to control httpd enforcement
of various RFC7230 requirements. [Stefan Fritsch, William Rowe]
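Review bot: The removed entry ("Enforce http request grammer ...") is the same change now listed as SECURITY: CVE-2016-8743 in the first hunk, so this is a move rather than a lost item, which is fine; the retained `core: New directive HttpProtocolOptions` entry at the end of the hunk should then say that it governs the enforcement introduced for CVE-2016-8743, otherwise the CVE entry and the directive that tunes it are fifteen lines apart with nothing linking them. A one-line cross-reference, e.g. "of various RFC7230 requirements (see CVE-2016-8743 above)", would do.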