httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From stodd...@apache.org
Subject cvs commit: apache-1.3/src CHANGES
Date Tue, 02 Oct 2001 19:35:31 GMT
stoddard    01/10/02 12:35:31

  Modified:    src      CHANGES
  Log:
  For the recent mod_negotiation patch
  
  Revision  Changes    Path
  1.1717    +8 -0      apache-1.3/src/CHANGES
  
  Index: CHANGES
  ===================================================================
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1716
  retrieving revision 1.1717
  diff -u -r1.1716 -r1.1717
  --- CHANGES	2001/10/02 17:26:29	1.1716
  +++ CHANGES	2001/10/02 19:35:30	1.1717
  @@ -1,4 +1,12 @@
   Changes with Apache 1.3.21
  +  *) Security: Close autoindex /?M=D directory listing hole reported
  +     in bugtraq id 3009.  In some configurations where multiviews and 
  +     indexes are enabled for a directory, requesting URI /?M=D could
  +     result in a directory listing being returned to the client rather
  +     than the negotiated index.html variant that was configured and
  +     expected.  The work around for this problem (for pre 1.3.21
  +     releases) is to disable Indexes or Multiviews in the affected
  +     directories. [Bill Stoddard, Bill Rowe]
   
     *) Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted)
        as arguments for mod_vhost_alias'es directives.  [William Rowe]
  
  
  

Mime
View raw message