Posted to cvs@httpd.apache.org by wr...@apache.org on 2010/03/06 02:59:50 UTC

svn commit: r919690 - /httpd/httpd/trunk/CHANGES

Author: wrowe
Date: Sat Mar  6 01:59:50 2010
New Revision: 919690

URL: http://svn.apache.org/viewvc?rev=919690&view=rev
Log:
Sync Changelog

Modified:
    httpd/httpd/trunk/CHANGES

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=919690&r1=919689&r2=919690&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat Mar  6 01:59:50 2010
@@ -3,6 +3,14 @@
 Changes with Apache 2.3.7
 
   *) SECURITY: CVE-2009-3555 (cve.mitre.org)
+     mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
+     attack when compiled against OpenSSL version 0.9.8m or later. Introduces
+     the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
+     and offer unsafe legacy renegotiation with clients which do not yet
+     support the new secure renegotiation protocol, RFC 5746.
+     [Joe Orton, and with thanks to the OpenSSL Team]
+
+  *) SECURITY: CVE-2009-3555 (cve.mitre.org)
      mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
      by rejecting any client-initiated renegotiations. Forcibly disable
      keepalive for the connection if there is any buffered data readable. Any
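Review bot: The new entry names 'SSLInsecureRenegotiation' as the directive that reopens the vulnerability, but it does not state the directive's default value, so a reader cannot tell from CHANGES whether an upgraded server is safe without configuration changes; suggest adding a clause giving the default. The entry also limits the fix to builds "compiled against OpenSSL version 0.9.8m or later" without saying what applies to builds against older OpenSSL. Because the same "SECURITY: CVE-2009-3555" heading now appears twice in the 2.3.7 section, a short cross-reference to the partial-fix entry that follows would show that the two entries are complementary rather than an accidental duplicate.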