Posted to cvs@httpd.apache.org by mj...@apache.org on 2002/07/01 14:36:51 UTC

cvs commit: httpd-2.0 CHANGES

mjc         2002/07/01 05:36:51

  Modified:    .        CHANGES
  Log:
  Make security notes consistent with apache-1.3/src/CHANGES
  
  Revision  Changes    Path
  1.855     +9 -7      httpd-2.0/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/httpd-2.0/CHANGES,v
  retrieving revision 1.854
  retrieving revision 1.855
  diff -u -r1.854 -r1.855
  --- CHANGES	28 Jun 2002 08:40:23 -0000	1.854
  +++ CHANGES	1 Jul 2002 12:36:50 -0000	1.855
  @@ -3603,7 +3603,7 @@
        so that the lookup can depend on the requested URI etc.
        PR #6671 [Tony Finch]
   
  -  *) Tighten up the syntax checking of Host: headers to fix a
  +  *) SECURITY: Tighten up the syntax checking of Host: headers to fix a
        security bug in some mass virtual hosting configurations
        that can allow a remote attacker to retrieve some files
        on the system that should be inaccessible. [Tony Finch]
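Review bot: This entry receives the SECURITY: tag but no cve.mitre.org identifier, unlike the mod_rewrite entry (CVE-2000-0913) and the header-parsing entry (CAN-1999-1199) touched by this same commit; since the stated goal is consistency with apache-1.3/src/CHANGES, if the 1.3 file carries an identifier for this Host: header fix, append it here in the same "(cve.mitre.org)" form so readers can cross-reference the advisory.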
  @@ -3862,7 +3862,8 @@
        multiple places and allows for an SSL module to be added much
        simpler. [Ryan Bloom]
   
  -  *) Fix a security problem that affects certain configurations of
  +  *) SECURITY: CVE-2000-0913 (cve.mitre.org)
  +     Fix a security problem that affects certain configurations of
        mod_rewrite. If the result of a RewriteRule is a filename that
        contains expansion specifiers, especially regexp backreferences
        $0..$9 and %0..%9, then it may be possible for an attacker to
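Review bot: Identifier placement is inconsistent within this commit. Here "SECURITY: CVE-2000-0913 (cve.mitre.org)" is inserted as its own line ahead of the description, whereas the O(n^2) header-parsing entry later in the file appends "CAN-1999-1199 (cve.mitre.org)" after the description and before the attribution. Pick one layout (identifier first, or identifier at the end) and apply it to both entries, otherwise anyone grepping CHANGES for identifiers gets two formats.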
  @@ -4251,8 +4252,8 @@
        container is VirtualHost or Directory or whatever.
        [Jeff Trawick]
   
  -  *) Prevent the source code for CGIs from being revealed when using
  -     mod_vhost_alias and the CGI directory is under the document root
  +  *) SECURITY: Prevent the source code for CGIs from being revealed when 
  +     using mod_vhost_alias and the CGI directory is under the document root
        and a user makes a request like http://www.example.com//cgi-bin/cgi
        as reported in <ne...@ernani.logica.co.uk>
        [Tony Finch]
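Review bot: The first added line, "*) SECURITY: Prevent the source code for CGIs from being revealed when ", ends with a trailing space introduced by the re-wrap; strip it so the file stays free of trailing whitespace. The re-wrap itself is otherwise purely cosmetic and the entry text is unchanged.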
  @@ -4832,8 +4833,8 @@
   
     *) port mod_rewrite to 2.0. [Paul J. Reder <re...@raleigh.ibm.com>]
   
  -  *) More rigorous checking of Host: headers to fix security problems
  -     with mass name-based virtual hosting (whether using mod_rewrite
  +  *) SECURITY: More rigorous checking of Host: headers to fix security 
  +     problems with mass name-based virtual hosting (whether using mod_rewrite
        or mod_vhost_alias).
        [Ben Hyde, Tony Finch]
     
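Review bot: Same trailing-whitespace issue as the mod_vhost_alias hunk: "*) SECURITY: More rigorous checking of Host: headers to fix security " ends with a space after the re-wrap. Also worth noting that this Host: header entry, like the earlier one in this commit, gets the SECURITY: tag with no identifier; if one exists in the 1.3 CHANGES, add it to both entries together.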
  @@ -6667,7 +6668,8 @@
     *) SECURITY: Eliminate O(n^2) space DoS attacks (and other O(n^2)
        cpu time attacks) in header parsing.  Add ap_overlap_tables(),
        a function which can be used to perform bulk update operations
  -     on tables in a more efficient manner.  [Dean Gaudet]
  +     on tables in a more efficient manner.  CAN-1999-1199 (cve.mitre.org)
  +     [Dean Gaudet]
   
     *) SECURITY: Added compile-time and configurable limits for
        various aspects of reading a client request to avoid some simple
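Review bot: "CAN-1999-1199" is a candidate number (the CAN- prefix marks an entry not yet accepted into the CVE list), so it may later be promoted to CVE-1999-1199; recording it is fine, but the next person syncing these notes against apache-1.3/src/CHANGES should check whether the identifier has been renamed and update both files. Placement here (after the description, before "[Dean Gaudet]") also differs from the mod_rewrite entry above, where the identifier sits on its own line before the description; settle on one form.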