You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by wr...@apache.org on 2010/03/06 02:59:50 UTC
svn commit: r919690 - /httpd/httpd/trunk/CHANGES
Author: wrowe
Date: Sat Mar 6 01:59:50 2010
New Revision: 919690
URL: http://svn.apache.org/viewvc?rev=919690&view=rev
Log:
Sync Changelog
Modified:
httpd/httpd/trunk/CHANGES
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=919690&r1=919689&r2=919690&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat Mar 6 01:59:50 2010
@@ -3,6 +3,14 @@
Changes with Apache 2.3.7
*) SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
+ attack when compiled against OpenSSL version 0.9.8m or later. Introduces
+ the 'SSLInsecureRenegotiation' directive to reopen this vulnerability
+ and offer unsafe legacy renegotiation with clients which do not yet
+ support the new secure renegotiation protocol, RFC 5746.
+ [Joe Orton, and with thanks to the OpenSSL Team]
+
+ *) SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
by rejecting any client-initiated renegotiations. Forcibly disable
keepalive for the connection if there is any buffered data readable. Any