Posted to cvs@httpd.apache.org by wr...@apache.org on 2014/03/18 21:45:06 UTC
svn commit: r4745 - in /release/httpd: CHANGES_2.2 CHANGES_2.2.27
httpd-2.2.27.tar.bz2 httpd-2.2.27.tar.bz2.asc httpd-2.2.27.tar.bz2.md5
httpd-2.2.27.tar.bz2.sha1 httpd-2.2.27.tar.gz httpd-2.2.27.tar.gz.asc
httpd-2.2.27.tar.gz.md5 httpd-2.2.27.tar.gz.sha1
Author: wrowe
Date: Tue Mar 18 20:45:06 2014
New Revision: 4745
Log:
Prepare to flood mirrors
Added:
release/httpd/CHANGES_2.2.27
- copied unchanged from r4744, dev/httpd/CHANGES_2.2.27
release/httpd/httpd-2.2.27.tar.bz2
- copied unchanged from r4744, dev/httpd/httpd-2.2.27.tar.bz2
release/httpd/httpd-2.2.27.tar.bz2.asc
- copied unchanged from r4744, dev/httpd/httpd-2.2.27.tar.bz2.asc
release/httpd/httpd-2.2.27.tar.bz2.md5
- copied unchanged from r4744, dev/httpd/httpd-2.2.27.tar.bz2.md5
release/httpd/httpd-2.2.27.tar.bz2.sha1
- copied unchanged from r4744, dev/httpd/httpd-2.2.27.tar.bz2.sha1
release/httpd/httpd-2.2.27.tar.gz
- copied unchanged from r4744, dev/httpd/httpd-2.2.27.tar.gz
release/httpd/httpd-2.2.27.tar.gz.asc
- copied unchanged from r4744, dev/httpd/httpd-2.2.27.tar.gz.asc
release/httpd/httpd-2.2.27.tar.gz.md5
- copied unchanged from r4744, dev/httpd/httpd-2.2.27.tar.gz.md5
release/httpd/httpd-2.2.27.tar.gz.sha1
- copied unchanged from r4744, dev/httpd/httpd-2.2.27.tar.gz.sha1
Modified:
release/httpd/CHANGES_2.2
Modified: release/httpd/CHANGES_2.2
==============================================================================
--- release/httpd/CHANGES_2.2 (original)
+++ release/httpd/CHANGES_2.2 Tue Mar 18 20:45:06 2014
@@ -1,4 +1,39 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.2.27
+
+ *) SECURITY: CVE-2014-0098 (cve.mitre.org)
+ Clean up cookie logging with fewer redundant string parsing passes.
+ Log only cookies with a value assignment. Prevents segfaults when
+ logging truncated cookies.
+ [William Rowe, Ruediger Pluem, Jim Jagielski]
+
+ *) SECURITY: CVE-2013-6438 (cve.mitre.org)
+ mod_dav: Keep track of length of cdata properly when removing
+ leading spaces. Eliminates a potential denial of service from
+ specifically crafted DAV WRITE requests
+ [Amin Tora <Amin.Tora neustar.biz>]
+
+ *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
+ TE/CL conflicts. [Yann Ylavic <ylavic.dev gmail com>, Jim Jagielski]
+
+ *) mod_proxy_http: Core dumped under high load. PR 50335.
+ [Jan Kaluza <jkaluza redhat.com>]
+
+ *) proxy_util: NULL terminate the right buffer in 'send_http_connect'.
+ [Christophe Jaillet]
+
+ *) mod_proxy: Remove (never documented) <Proxy ~ wildcard-url> syntax which
+ is equivalent to <ProxyMatch wildcard-url>. [Christophe Jaillet]
+
+ *) mod_ldap: Fix a potential memory leak or corruption. PR 54936.
+ [Zhenbo Xu <zhenbo1987 gmail com>]
+
+ *) mod_ssl: Do not perform SNI / Host header comparison in case of a
+ forward proxy request. [Ruediger Pluem]
+
+ *) mod_rewrite: Add mod_rewrite.h to the headers installed on Windows.
+ PR46679 [Bob Ionescu]
+
Changes with Apache 2.2.26
*) mod_dav: dav_resource->uri treated as unencoded. This was an
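Review bot: the CVE-2014-0098 entry at the top of the new 2.2.27 block names no module or directive, unlike the "mod_dav:" prefix on the CVE-2013-6438 entry right below it, so an operator reading CHANGES cannot tell from this text which configuration is exposed to the cookie-logging segfault; prefix it with the affected component the way the other entries do. Two smaller consistency points in the same block: the CVE-2013-6438 text ends at "specifically crafted DAV WRITE requests" without a full stop, and "PR46679" in the mod_rewrite entry is missing the space used in "PR 50335" and "PR 54936".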
@@ -994,6 +1029,8 @@ Changes with Apache 2.2.10
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
+ *) mod_authz_host: Add support for env=!envvar [Jim Jagielski]
+
*) Allow for smax to be 0 for balancer members so that all idle
connections are able to be dropped should they exceed ttl.
PR 43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>,
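Review bot: the added "mod_authz_host: Add support for env=!envvar" line lands in the section the hunk header identifies as "Changes with Apache 2.2.10", not in the new 2.2.27 block, and the log message ("Prepare to flood mirrors") does not explain it. Because this entry describes access-control behaviour, please confirm that 2.2.10 is the release where the support first shipped and note the backfill in the log, so admins who rely on CHANGES to decide whether a negated env= condition is honoured on their version are not misled.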