Return-Path: Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 82310 invoked by uid 500); 3 Jun 2003 10:44:32 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 82282 invoked by uid 500); 3 Jun 2003 10:44:31 -0000 Delivered-To: apmail-httpd-2.0-cvs@apache.org Date: 3 Jun 2003 10:44:31 -0000 Message-ID: <20030603104431.24128.qmail@icarus.apache.org> From: mjc@apache.org To: httpd-2.0-cvs@apache.org Subject: cvs commit: httpd-2.0 CHANGES X-Spam-Rating: daedalus.apache.org 1.6.2 0/1000/N mjc 2003/06/03 03:44:30 Modified: . CHANGES Log: Apply missing security fix CHANGELOG entries to head Revision Changes Path 1.1193 +11 -0 httpd-2.0/CHANGES Index: CHANGES =================================================================== RCS file: /home/cvs/httpd-2.0/CHANGES,v retrieving revision 1.1192 retrieving revision 1.1193 diff -u -r1.1192 -r1.1193 --- CHANGES 1 Jun 2003 15:10:29 -0000 1.1192 +++ CHANGES 3 Jun 2003 10:44:29 -0000 1.1193 @@ -143,6 +143,17 @@ Changes with Apache 2.0.46 + *) SECURITY [CAN-2003-0245]: Fixed a bug causing apr_pvsprintf() to crash + by sending an overly long string. This can be triggered remotely + through mod_dav, mod_ssl, and other mechanisms. Reported by David + Endler . + [Joe Orton ] + + *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability + affecting basic authentication on Unix platforms related to + thread-safety in apr_password_validate(). The problem was reported + by John Hughes . + *) Fix for mod_dav. Call the 'can_be_activity' callback, if provided, when a MKACTIVITY request comes in. [Ben Collins-Sussman ]
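Review bot: The CAN-2003-0189 entry in the added block ends at "by John Hughes ." with no bracketed committer credit, while the CAN-2003-0245 entry above it ("[Joe Orton ]") and the mod_dav entry below it both carry one. Add the credit line for whoever committed the apr_password_validate() fix so the entry follows the file's convention. In the CAN-2003-0245 entry, "causing apr_pvsprintf() to crash by sending an overly long string" reads as though the function does the sending. Wording along the lines of "allowing an overly long string to crash apr_pvsprintf()" states the trigger more plainly. That entry also gives the remote vectors (mod_dav, mod_ssl) but not the impact class, whereas the CAN-2003-0189 entry names denial of service explicitly. Stating the impact in both would let a reader triage from the CHANGES file alone.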