httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From m..@apache.org
Subject svn commit: r326456 - /httpd/httpd/branches/2.2.x/CHANGES
Date Wed, 19 Oct 2005 08:16:42 GMT
Author: mjc
Date: Wed Oct 19 01:16:37 2005
New Revision: 326456

URL: http://svn.apache.org/viewcvs?rev=326456&view=rev
Log:
Today a one-time change happens to all CAN- names as they are
renamed to CVE-.  Make this change to our changelog

Modified:
    httpd/httpd/branches/2.2.x/CHANGES

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.2.x/CHANGES?rev=326456&r1=326455&r2=326456&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Oct 19 01:16:37 2005
@@ -45,7 +45,7 @@
   *) mod_proxy_balancer: mod_proxy_balancer does not handle sticky sessions
      with tomcat correctly. PR36507. [Ruediger Pluem]
 
-  *) SECURITY: CAN-2005-2970 (cve.mitre.org)
+  *) SECURITY: CVE-2005-2970 (cve.mitre.org)
      worker MPM: Fix a memory leak which can occur after an aborted
      connection in some limited circumstances.  [Greg Ames]
 
@@ -78,7 +78,7 @@
      listening ports upon graceful restart or stop. PR 28167. 
      [Colm MacCarthaigh, Brian Pinkerton <bp thinkpink.com>]
 
-  *) SECURITY: CAN-2005-2700 (cve.mitre.org)
+  *) SECURITY: CVE-2005-2700 (cve.mitre.org)
      mod_ssl: Fix a security issue where "SSLVerifyClient" was not
      enforced in per-location context if "SSLVerifyClient optional"
      was configured in the vhost configuration.  [Joe Orton]
@@ -111,7 +111,7 @@
 
 Changes with Apache 2.1.7
 
-  *) SECURITY: CAN-2005-2491 (cve.mitre.org): 
+  *) SECURITY: CVE-2005-2491 (cve.mitre.org): 
      Fix integer overflows in PCRE in quantifier parsing which could
      be triggered by a local user through use of a carefully-crafted 
      regex in an .htaccess file.  [Philip Hazel]
@@ -897,7 +897,7 @@
 
 Changes with Apache 2.0.55
 
-  *) SECURITY: CAN-2005-2088 (cve.mitre.org)
+  *) SECURITY: CVE-2005-2088 (cve.mitre.org)
      proxy: Correctly handle the Transfer-Encoding and Content-Length
      headers.  Discard the request Content-Length whenever T-E: chunked
      is used, always passing one of either C-L or T-E: chunked whenever 
@@ -935,7 +935,7 @@
      (or if it didn't succeed) for non-authoritative cases.
      [Jim Jagielski]
 
-  *) SECURITY: CAN-2005-2728 (cve.mitre.org)
+  *) SECURITY: CVE-2005-2728 (cve.mitre.org)
      Fix cases where the byterange filter would buffer responses
      into memory.  PR 29962.  [Joe Orton]
 
@@ -953,7 +953,7 @@
 
   *) mod_ssl: Fix build with OpenSSL 0.9.8.  PR 35757.  [William Rowe]
 
-  *) SECURITY: CAN-2005-2088 (cve.mitre.org)
+  *) SECURITY: CVE-2005-2088 (cve.mitre.org)
      core: If a request contains both Transfer-Encoding and Content-Length
      headers, remove the Content-Length, mitigating some HTTP Request 
      Splitting/Spoofing attacks.  [Paul Querna, Joe Orton]
@@ -966,7 +966,7 @@
   *) Prevent hangs of child processes when writing to piped loggers at
      the time of graceful restart.  PR 26467.  [Jeff Trawick]
 
-  *) SECURITY: CAN-2005-1268 (cve.mitre.org)
+  *) SECURITY: CVE-2005-1268 (cve.mitre.org)
      mod_ssl: Fix off-by-one overflow whilst printing CRL information
      at "LogLevel debug" which could be triggered if configured 
      to use a "malicious" CRL.  PR 35081.  [Marc Stern <mstern csc.com>]
@@ -1006,7 +1006,7 @@
      slow to exit.  [Joe Orton, Jeff Trawick]
 
   *) Remove formatting characters from ap_log_error() calls.  These
-     were escaped as fallout from CAN-2003-0020.
+     were escaped as fallout from CVE-2003-0020.
      [Eric Covener <ecovener gmail.com>]
 
   *) mod_ssl: If SSLUsername is used, set r->user earlier.  PR 31418.
@@ -1095,11 +1095,11 @@
      specified matches the value of the user object. PR 31913
      [Ryan Morgan <rmorgan pobox.com>]
 
-  *) SECURITY: CAN-2004-0942 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0942 (cve.mitre.org)
      Fix for memory consumption DoS in handling of MIME folded request
      headers.  [Joe Orton]
 
-  *) SECURITY: CAN-2004-0885 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0885 (cve.mitre.org)
      mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
      bypassed during an SSL renegotiation.  PR 31505.  
      [Hartmut Keil <Hartmut.Keil adnovum.ch>, Joe Orton]
@@ -1141,7 +1141,7 @@
      is causing a potential problem with the LDAP shared memory cache.
      PR 31431 [Graham Leggett]
 
-  *) SECURITY: CAN-2004-1834 (cve.mitre.org)
+  *) SECURITY: CVE-2004-1834 (cve.mitre.org)
      mod_disk_cache: Do not store hop-by-hop headers.  [Justin Erenkrantz]
 
   *) Fix the re-linking issue when purging elements from the LDAP cache
@@ -1164,7 +1164,7 @@
   *) Fix a segfault in the LDAP cache when it is configured switched
      off. [Jess Holle <jessh ptc.com>]
 
-  *) SECURITY: CAN-2004-0811 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0811 (cve.mitre.org)
      Fix merging of the Satisfy directive, which was applied to
      the surrounding context and could allow access despite configured
      authentication.  PR 31315.  [Rici Lake <rici ricilake.net>]
@@ -1186,15 +1186,15 @@
 
 Changes with Apache 2.0.51
 
-  *) SECURITY: CAN-2004-0786 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0786 (cve.mitre.org)
      Fix an input validation issue in apr-util which could be
      triggered by malformed IPv6 literal addresses.  [Joe Orton]
 
-  *) SECURITY: CAN-2004-0747 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0747 (cve.mitre.org)
      Fix buffer overflow in expansion of environment variables in
      configuration file parsing.  [André Malo]
 
-  *) SECURITY: CAN-2004-0809 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0809 (cve.mitre.org)
      mod_dav_fs: Fix a segfault in the handling of an indirect lock
      refresh.  PR 31183.  [Joe Orton]
 
@@ -1216,7 +1216,7 @@
      server shutdown on these code paths.
      [Bill Stoddard]
 
-  *) SECURITY: CAN-2004-0751 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0751 (cve.mitre.org)
      mod_ssl: Fix a segfault in the SSL input filter which could be
      triggered if using "speculative" mode, for instance by a 
      proxy request to an SSL server.  PR 30134.  [Joe Orton]
@@ -1269,7 +1269,7 @@
 
   *) mod_ssl: Build on RHEL 3.  PR 18989.  [Justin Erenkrantz]
 
-  *) SECURITY: CAN-2004-0748 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0748 (cve.mitre.org)
      mod_ssl: Fix a potential infinite loop.  PR 29964.  [Joe Orton]
 
   *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb.
@@ -1357,7 +1357,7 @@
  
 Changes with Apache 2.0.50
 
-  *) SECURITY: CAN-2004-0493 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0493 (cve.mitre.org)
      Close a denial of service vulnerability identified by Georgi
      Guninski which could lead to memory exhaustion with certain
      input data.  [Jeff Trawick]
@@ -1387,7 +1387,7 @@
   *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved
      against ServerRoot PR#26602 [Brad Nicholes]
        
-  *) SECURITY: CAN-2004-0488 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0488 (cve.mitre.org)
      mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a
      (trusted) client certificate subject DN which exceeds 6K in length.
      [Joe Orton]
@@ -1534,7 +1534,7 @@
 
 Changes with Apache 2.0.49
 
-  *) SECURITY: CAN-2004-0174 (cve.mitre.org)
+  *) SECURITY: CVE-2004-0174 (cve.mitre.org)
      Fix starvation issue on listening sockets where a short-lived
      connection on a rarely-accessed listening socket will cause a
      child to hold the accept mutex and block out new connections until
@@ -1818,12 +1818,12 @@
 
 Changes with Apache 2.0.48
 
-  *) SECURITY: CAN-2003-0789 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0789 (cve.mitre.org)
      mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
      communicate with the cgid daemon and the CGI script.
      [Jeff Trawick]
 
-  *) SECURITY: CAN-2003-0542 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0542 (cve.mitre.org)
      Fix buffer overflows in mod_alias and mod_rewrite which occurred
      if one configured a regular expression with more than 9 captures.
      [André Malo]
@@ -1977,19 +1977,19 @@
 
 Changes with Apache 2.0.47
 
-  *) SECURITY: CAN-2003-0192 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0192 (cve.mitre.org)
      Fixed a bug whereby certain sequences of per-directory
      renegotiations and the SSLCipherSuite directive being used to
      upgrade from a weak ciphersuite to a strong one could result in
      the weak ciphersuite being used in place of the strong one.  
      [Ben Laurie]
 
-  *) SECURITY: CAN-2003-0253 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0253 (cve.mitre.org)
      Fixed a bug in prefork MPM causing temporary denial of service
      when accept() on a rarely accessed port returns certain errors.
      Reported by Saheed Akhtar <S.Akhtar talis.com>.  [Jeff Trawick]
 
-  *) SECURITY: CAN-2003-0254 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0254 (cve.mitre.org)
      Fixed a bug in ftp proxy causing denial of service when target
      host is IPv6 but proxy server can't create IPv6 socket.  Fixed by
      the reporter.  [Yoshioka Tsuneo <tsuneo.yoshioka f-secure.com>]
@@ -2024,13 +2024,13 @@
 
 Changes with Apache 2.0.46
 
-  *) SECURITY: CAN-2003-0245 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0245 (cve.mitre.org)
      Fixed a bug causing apr_pvsprintf() to crash by sending an overly
      long string.  This can be triggered remotely through mod_dav,
      mod_ssl, and other mechanisms.
      Reported by David Endler <DEndler iDefense.com>.  [Joe Orton]
 
-  *) SECURITY: CAN-2003-0189 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0189 (cve.mitre.org)
      Fixed a denial-of-service vulnerability affecting basic
      authentication on Unix platforms related to thread-safety in
      apr_password_validate().
@@ -2162,13 +2162,13 @@
   *) Fixed a segfault when multiple ProxyBlock directives were used.
      PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]
 
-  *) SECURITY: CAN-2003-0134 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0134 (cve.mitre.org)
      OS2: Fix a Denial of Service vulnerability identified and
      reported by Robert Howard <rihoward rawbw.com> that where device
      names faulted the running OS2 worker process.  The fix is
      actually in APR 0.9.4.  [Brian Havard]
 
-  *) SECURITY: CAN-2003-0083 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0083 (cve.mitre.org)
      Forward port: Escape special characters (especially control
      characters) in mod_log_config to make a clear distinction between
      client-supplied strings (with special characters) and server-side
@@ -2185,7 +2185,7 @@
   *) Fix possible segfaults under obscure error conditions within the
      cgid daemon.  [Jeff Trawick, William Rowe]
 
-  *) SECURITY: CAN-2003-0132 (cve.mitre.org)
+  *) SECURITY: CVE-2003-0132 (cve.mitre.org)
      Close a Denial of Service vulnerability identified by David
      Endler <DEndler iDefense.com> on all platforms.  An unlimited
      stream of newlines were acceptable between requests where each
@@ -2692,7 +2692,7 @@
 
 Changes with Apache 2.0.42
 
-  *) SECURITY: CAN-2002-1593 (cve.mitre.org) [CERT VU#406121]
+  *) SECURITY: CVE-2002-1593 (cve.mitre.org) [CERT VU#406121]
      mod_dav: Check for versioning hooks before using them.
      [Greg Stein]
 
@@ -2836,7 +2836,7 @@
 
 Changes with Apache 2.0.40
 
-  *) SECURITY: CAN-2002-0661 (cve.mitre.org) 
+  *) SECURITY: CVE-2002-0661 (cve.mitre.org) 
      Close a very significant security hole that 
      applies only to the Win32, OS2 and Netware platforms.  Unix was not 
      affected, Cygwin may be affected.  Certain URIs will bypass security
@@ -2848,7 +2848,7 @@
      Reported by Auriemma Luigi <bugtest sitoverde.com>.
      [Brad Nicholes]
 
-  *) SECURITY: CAN-2002-0654 (cve.mitre.org)
+  *) SECURITY: CVE-2002-0654 (cve.mitre.org)
      Close a path-revealing exposure in multiview type
      map negotiation (such as the default error documents) where the
      module would report the full path of the typemapped .var file when
@@ -2856,7 +2856,7 @@
      negotiation.  Reported by Auriemma Luigi <bugtest sitoverde.com>.
      [William Rowe]
 
-  *) SECURITY: CAN-2002-0654 (cve.mitre.org)
+  *) SECURITY: CVE-2002-0654 (cve.mitre.org)
      Close a path-revealing exposure in cgi/cgid when we 
      fail to invoke a script.  The modules would report "couldn't create 
      child process /path-to-script/script.pl" revealing the full path
@@ -3420,7 +3420,7 @@
 
   *) Fix AcceptPathInfo. PR 8234  [Cliff Woolley]
 
-  *) SECURITY: CAN-2002-1592 (cve.mitre.org) [CERT VU#165803]
+  *) SECURITY: CVE-2002-1592 (cve.mitre.org) [CERT VU#165803]
      Added the APLOG_TOCLIENT flag to ap_log_rerror() to
      explicitly tell the server that warning messages should be sent 
      to the client in addition to being recorded in the error log. 
@@ -7207,7 +7207,7 @@
      container is VirtualHost or Directory or whatever.
      [Jeff Trawick]
 
-  *) SECURITY: CAN-2000-1204 (cve.mitre.org)
+  *) SECURITY: CVE-2000-1204 (cve.mitre.org)
      Prevent the source code for CGIs from being revealed when 
      using mod_vhost_alias and the CGI directory is under the document root
      and a user makes a request like http://www.example.com//cgi-bin/cgi



Mime
View raw message