httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r290519 - /httpd/httpd/trunk/CHANGES
Date Tue, 20 Sep 2005 18:38:04 GMT
Author: wrowe
Date: Tue Sep 20 11:38:02 2005
New Revision: 290519

URL: http://svn.apache.org/viewcvs?rev=290519&view=rev
Log:

  Sync to 2.0.x changes

Modified:
    httpd/httpd/trunk/CHANGES

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=290519&r1=290518&r2=290519&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Tue Sep 20 11:38:02 2005
@@ -115,19 +115,6 @@
      based on the proxy status. (minor MMN bump)
      [Brian Akins <bakins turner.com>, Ian Holsman]
 
-  *) SECURITY: CAN-2005-2088
-     proxy: Correctly handle the Transfer-Encoding and Content-Length
-     headers.  Discard the request Content-Length whenever T-E: chunked
-     is used, always passing one of either C-L or T-E: chunked whenever 
-     the request includes a request body.  Resolves an entire class of
-     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]
-
-  *) Added TraceEnable [on|off|extended] per-server directive to alter
-     the behavior of the TRACE method.  This addresses a flaw in proxy
-     conformance to RFC 2616 - previously the proxy server would accept
-     a TRACE request body although the RFC prohibited it.  The default
-     remains 'TraceEnable on'.  [William Rowe]
-
   *) Add additional SSLSessionCache option, 'nonenotnull', which is
      similar to 'none' (disabling any external shared cache) but forces
      OpenSSL to provide a non-null session ID.  [Jim Jagielski]
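Review bot: this hunk deletes both the CAN-2005-2088 proxy entry and the TraceEnable entry from the trunk section of CHANGES, so on its own it reads as the trunk record losing a security fix and a new directive; it is only correct as a relocation, which the log message "Sync to 2.0.x changes" implies but the hunk does not state. Since the section header for the 2.0.x portion of this file says the trunk carries the 2.0.xx changes "as documented, and except as noted, below", the deletion here must be matched by identical entries under the 2.0.55 heading, and the removed text should be compared line for line against the re-added copy rather than reviewed as a standalone deletion.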
@@ -859,6 +846,19 @@
    Apache 2.0.xx tree as documented, and except as noted, below.]
 
 Changes with Apache 2.0.55
+
+  *) SECURITY: CAN-2005-2088 (cve.mitre.org)
+     proxy: Correctly handle the Transfer-Encoding and Content-Length
+     headers.  Discard the request Content-Length whenever T-E: chunked
+     is used, always passing one of either C-L or T-E: chunked whenever 
+     the request includes a request body.  Resolves an entire class of
+     proxy HTTP Request Splitting/Spoofing attacks.  [William Rowe]
+
+  *) Added TraceEnable [on|off|extended] per-server directive to alter
+     the behavior of the TRACE method.  This addresses a flaw in proxy
+     conformance to RFC 2616 - previously the proxy server would accept
+     a TRACE request body although the RFC prohibited it.  The default
+     remains 'TraceEnable on'.  [William Rowe]
 
   *) Add ap_log_cerror() for logging messages associated with particular
      client connections.  [Jeff Trawick]
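Review bot: the re-added line "is used, always passing one of either C-L or T-E: chunked whenever " carries a trailing space copied over from the removed trunk copy; trim it before commit so the relocated entry does not reintroduce whitespace noise into the 2.0.55 section. Otherwise the two moved entries match the removed ones verbatim, with the one deliberate change being the "(cve.mitre.org)" annotation on the CAN-2005-2088 line, which is the more useful form since it tells the reader where the identifier is defined; placing the SECURITY entry first under "Changes with Apache 2.0.55" also keeps the security fix at the top of the release's list.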
