Return-Path: Delivered-To: apache-cvs-archive@hyperreal.org Received: (qmail 29809 invoked by uid 6000); 20 Jan 1998 01:50:46 -0000 Received: (qmail 29796 invoked by alias); 20 Jan 1998 01:50:45 -0000 Delivered-To: apachen-cvs@hyperreal.org Received: (qmail 29793 invoked by uid 143); 20 Jan 1998 01:50:44 -0000 Date: 20 Jan 1998 01:50:44 -0000 Message-ID: <19980120015044.29792.qmail@hyperreal.org> From: dgaudet@hyperreal.org To: apachen-cvs@hyperreal.org Subject: cvs commit: apachen/src CHANGES Sender: apache-cvs-owner@apache.org Precedence: bulk Reply-To: new-httpd@apache.org dgaudet 98/01/19 17:50:44 Modified: . STATUS src CHANGES Log: Notes on Marc's security patches from 1.2.5. Revision Changes Path 1.104 +3 -0 apachen/STATUS Index: STATUS =================================================================== RCS file: /export/home/cvs/apachen/STATUS,v retrieving revision 1.103 retrieving revision 1.104 diff -u -r1.103 -r1.104 --- STATUS 1998/01/20 00:52:58 1.103 +++ STATUS 1998/01/20 01:50:40 1.104 @@ -90,6 +90,7 @@ * general/1666: Apache uses a case sensitive match for "Basic" auth scheme * mod_rewrite/1684: RewriteLog directive does the equivalent of "HostnameLookups on" * protocol/1683: The Connection header may contain multiple close tokens + * some of Marc's 1.2.5 security patches (minus proxy fixes) Available Patches: @@ -176,6 +177,8 @@ Status: Jim'll look into it * os_ abstract is_only_below() in mod_include.c + + * proxy security fixes from 1.2.5 need to be brought forward Closed issues: 1.570 +11 -0 apachen/src/CHANGES Index: CHANGES =================================================================== RCS file: /export/home/cvs/apachen/src/CHANGES,v retrieving revision 1.569 retrieving revision 1.570 diff -u -r1.569 -r1.570 --- CHANGES 1998/01/20 00:33:10 1.569 +++ CHANGES 1998/01/20 01:50:42 1.570 
@@ -1,5 +1,16 @@ Changes with Apache 1.3b4 + *) SECURITY: Fix a possible buffer overflow in logresolve. This is + only an issue on systems without a MAXDNAME define or where + the resolver returns domain names longer than MAXDNAME. [Marc Slemko] + + *) SECURITY: Eliminate possible buffer overflow in cfg_getline, which + is used to read various types of files such as htaccess and + htpasswd files. [Marc Slemko] + + *) SECURITY: Ensure that the buffer returned by ht_time is always + properly null terminated. [Marc Slemko] + *) The "Connection" header could be sent back with multiple "close" tokens. Not an error, but a waste. [Ronald.Tschalaer@psi.ch] PR#1683
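Review bot: "some of Marc's 1.2.5 security patches (minus proxy fixes)" in the STATUS hunk at @@ -90,6 +90,7 @@ does not say which patches were brought forward, and unlike the entries above it in the list it carries no category or PR number. Name the patches so they match the CHANGES entries added in this same commit (logresolve, cfg_getline, ht_time); a reader of STATUS can then tell what from 1.2.5 is still outstanding besides the proxy fixes.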
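Review bot: the new item "proxy security fixes from 1.2.5 need to be brought forward" in the STATUS hunk at @@ -176,6 +177,8 @@ has no Status: line and no owner, while the context just above it shows one in use ("Status: Jim'll look into it"). For an open security item, add a Status: line saying who is porting the fixes, and list the individual proxy fixes so the entry can be closed against something checkable.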
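Review bot: the cfg_getline and ht_time entries in the CHANGES hunk at @@ -1,5 +1,16 @@ do not say under what condition the problem occurs, whereas the logresolve entry does ("only an issue on systems without a MAXDNAME define or where the resolver returns domain names longer than MAXDNAME"). Add the triggering condition to each, for example which input exceeds the buffer in cfg_getline, so an administrator reading CHANGES can judge exposure for htaccess and htpasswd handling. The commit log says these come from 1.2.5, but none of the three entries records that, which would help anyone tracking both branches.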