You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by yl...@apache.org on 2017/09/18 21:54:16 UTC

svn commit: r1808787 - /httpd/httpd/branches/2.4.x/CHANGES

Author: ylavic
Date: Mon Sep 18 21:54:15 2017
New Revision: 1808787

URL: http://svn.apache.org/viewvc?rev=1808787&view=rev
Log:
CVE-2017-9798 disclosed, amend CHANGES entry for
https://svn.apache.org/r1807754


Modified:
    httpd/httpd/branches/2.4.x/CHANGES

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1808787&r1=1808786&r2=1808787&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Sep 18 21:54:15 2017
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.4.28
 
+  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+     Corrupted or freed memory access. <Limit[Except]> must now be used in the
+     main configuration file (httpd.conf) to register HTTP methods before the
+     .htaccess files.  [Yann Ylavic]
+
   *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
      PR 61142.
 
@@ -13,9 +18,6 @@ Changes with Apache 2.4.28
 
   *) build: allow configuration without APR sources.  [Jacob Champion]
 
-  *) core: Disallow Methods' registration at runtime (.htaccess), they may be
-     used only if registered at init time (httpd.conf).  [Yann Ylavic]
-
   *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
      [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
       Yann Ylavic]