httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject cvs commit: apache-1.3/src CHANGES
Date Mon, 08 Oct 2001 19:34:39 GMT
mjc         01/10/08 12:34:39

  Modified:    .        Announcement
               src      CHANGES
  Add CVE candidate names to the announcement mail and changes file to allow
  them to be cross-referenced with other security publications easily
  Revision  Changes    Path
  1.77      +6 -2      apache-1.3/Announcement
  Index: Announcement
  RCS file: /home/cvs/apache-1.3/Announcement,v
  retrieving revision 1.76
  retrieving revision 1.77
  diff -u -r1.76 -r1.77
  --- Announcement	2001/10/06 22:01:09	1.76
  +++ Announcement	2001/10/08 19:34:38	1.77
  @@ -75,14 +75,18 @@
        * A vulnerability was found in the Win32 port of Apache 1.3.20.  A
          client submitting a very long URI could cause a directory listing
          to be returned rather than the default index page. A 403 Forbidden
  -       will now be returned
  +       will now be returned.  CAN-2001-0729
        * A vulnerability was found in the split-logfile support program. A
          request with a specially crafted Host: header could allow any file
          with a .log extension on the system to be written to. PR#7848
  +       CAN-2001-0730
        * A vulnerability was found when Multiviews are used to negotiate
          the directory index. In some configurations, requesting a URI with
          a QUERY_STRING of M=D could return a directory listing rather than
  -       the expected index page.
  +       the expected index page.  CAN-2001-0731
  +     The security issues above have been assigned standardized names, CAN- 
  +     by the Common Vulnerabilities and Exposures project (
     New features
  1.1730    +10 -5     apache-1.3/src/CHANGES
  Index: CHANGES
  RCS file: /home/cvs/apache-1.3/src/CHANGES,v
  retrieving revision 1.1729
  retrieving revision 1.1730
  diff -u -r1.1729 -r1.1730
  --- CHANGES	2001/10/08 16:45:33	1.1729
  +++ CHANGES	2001/10/08 19:34:38	1.1730
  @@ -58,7 +58,9 @@
        than the negotiated index.html variant that was configured and
        expected.  The work around for this problem (for pre 1.3.21
        releases) is to disable Indexes or Multiviews in the affected
  -     directories. [Bill Stoddard, Bill Rowe]
  +     directories.  The Common Vulnerabilities and Exposures project
  +     ( has assigned the name CAN-2001-0731 to this issue.
  +     [Bill Stoddard, Bill Rowe]
     *) Enabled Win32/OS2/Netware file paths (not / rooted, but c:/ rooted)
        as arguments for mod_vhost_alias'es directives.  [William Rowe]
  @@ -78,8 +80,9 @@
        by using many slashes. Now a 403 FORBIDDEN is returned. This
        problem was similar to and in the same area as the problem
        reported and fixed by Martin Kraemer in 1.3.18, only the scope
  -     is much narrower and is specific to Windows.
  -     [Bill Stoddard]
  +     is much narrower and is specific to Windows.  The Common 
  +     Vulnerabilities and Exposures project ( has assigned the 
  +     name CAN-2001-0729 to this issue.  [Bill Stoddard]
     *) Update the mime.types file to the registered media types as
        of 2001-09-25, and add xsl, so, dll extensions [Mark Cox]
  @@ -166,8 +169,10 @@
        "/" or "\" are present in the virtual host name.  This prevents
        the possible use of specially crafted virtual host names in
        some configurations to allow writing to any .log file on the
  -     system.  [Daniel Matuschek <>,
  -     Marc Slemko]  PR#7848
  +     system.  The Common Vulnerabilities and Exposures project 
  +     ( has assigned the name CAN-2001-0730 to this issue.
  +     [Daniel Matuschek <>,
  +     Marc Slemko] PR#7848
     *) Added a directive: "AcceptFilter <on|off>". To control BSD 
        acccept filters when at compile time SO_ACCEPT_FILTER is 

View raw message