Subject: svn commit: r572638 - /httpd/httpd/branches/2.2.x/CHANGES
Date: Tue, 04 Sep 2007 11:59:39 -0000
To: cvs@httpd.apache.org
From: jim@apache.org X-Mailer: svnmailer-1.0.8 Message-Id: <20070904115939.6854B1A9832@eris.apache.org> X-Virus-Checked: Checked by ClamAV on apache.org Author: jim Date: Tue Sep 4 04:59:38 2007 New Revision: 572638 URL: http://svn.apache.org/viewvc?rev=572638&view=rev Log: Update CHANGES. Move security items to the top, note that there was "no" 2.2.5. Modified: httpd/httpd/branches/2.2.x/CHANGES Modified: httpd/httpd/branches/2.2.x/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=572638&r1=572637&r2=572638&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original) +++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Tue Sep 4 04:59:38 2007 @@ -1,6 +1,31 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.6 + *) SECURITY: CVE-2007-3847 (cve.mitre.org) + mod_proxy: Prevent reading past the end of a buffer when parsing + date-related headers. PR 41144. + [Davi Arnaut, Nick Kew] + + *) SECURITY: CVE-2007-1863 (cve.mitre.org) + mod_cache: Prevent a segmentation fault if attributes are listed in a + Cache-Control header without any value. + [Niklas Edmundsson ] + + *) SECURITY: CVE-2007-3304 (cve.mitre.org) + prefork, worker, event MPMs: Ensure that the parent process cannot + be forced to kill processes outside its process group. + [Joe Orton, Jim Jagielski] + + *) SECURITY: CVE-2006-5752 (cve.mitre.org) + mod_status: Fix a possible XSS attack against a site with a public + server-status page and ExtendedStatus enabled, for browsers which + perform charset "detection". Reported by Stefan Esser. [Joe Orton] + + *) SECURITY: CVE-2007-1862 (cve.mitre.org) + mod_mem_cache: Copy headers into longer lived storage; header names and + values could previously point to cleaned up storage. PR 41551. + [Davi Arnaut ] + *) mod_info: mod_info outputs invalid XHTML 1.0 transitional. PR 42847 [Rici Lake ] 
@@ -66,8 +91,9 @@ *) mod_autoindex: Add in Type and Charset options to IndexOptions directive. This allows the admin to explicitly set the - content-type and charset of the generated page. - [Jim Jagielski] + content-type and charset of the generated page and is therefore + a viable workaround for buggy browsers affected by CVE-2007-4465 + (cve.mitre.org). [Jim Jagielski] *) log core: ensure we use a special pool for stderr logging, so that the stderr channel remains valid from the time plog is destroyed, @@ -133,33 +159,6 @@ improper merging of the cache lock in vhost config PR 43164 [Eric Covener] -Changes with Apache 2.2.5 - - *) SECURITY: CVE-2007-3847 (cve.mitre.org) - mod_proxy: Prevent reading past the end of a buffer when parsing - date-related headers. PR 41144. - [Davi Arnaut, Nick Kew] - - *) SECURITY: CVE-2007-1863 (cve.mitre.org) - mod_cache: Prevent a segmentation fault if attributes are listed in a - Cache-Control header without any value. - [Niklas Edmundsson ] - - *) SECURITY: CVE-2007-3304 (cve.mitre.org) - prefork, worker, event MPMs: Ensure that the parent process cannot - be forced to kill processes outside its process group. - [Joe Orton, Jim Jagielski] - - *) SECURITY: CVE-2006-5752 (cve.mitre.org) - mod_status: Fix a possible XSS attack against a site with a public - server-status page and ExtendedStatus enabled, for browsers which - perform charset "detection". Reported by Stefan Esser. [Joe Orton] - - *) SECURITY: CVE-2007-1862 (cve.mitre.org) - mod_mem_cache: Copy headers into longer lived storage; header names and - values could previously point to cleaned up storage. PR 41551. - [Davi Arnaut ] - *) ApacheMonitor: Fix Windows Vista detection. [Mladen Turk] *) mod_deflate: fix protocol handling in deflate input filter @@ -272,6 +271,8 @@ *) Win32: Makefile.win will now build with MS VC 8 (Visual Studio 2005) including embedding the .manifest information into each binary. [William Rowe] + +There was no Apache 2.2.5 Changes with Apache 2.2.4
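Review bot: In the first hunk (@@ -1,6 +1,31 @@), two of the moved credits read "[Niklas Edmundsson ]" and "[Davi Arnaut ]" with a dangling space before the closing bracket, which suggests an angle-bracketed address was dropped on the way into this diff; please confirm the committed CHANGES lines still carry the full credit as they did in the 2.2.5 section being removed. Separately, three of the five SECURITY entries cite a PR number (41144, 41551) while CVE-2007-1863 and CVE-2007-3304 cite none; if a bug number exists for those, adding it keeps the security block consistent for people cross-referencing CHANGES against Bugzilla.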
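Review bot: In the mod_autoindex hunk (@@ -66,8 +91,9 @@), the entry now references CVE-2007-4465 but is not prefixed "SECURITY:" and sits in the general changes rather than in the security block moved to the top in the first hunk, so a reader grepping CHANGES for CVEs will find it inconsistent with the other five. Since the text itself calls the Type and Charset options "a viable workaround for buggy browsers" rather than a fix, the wording should say plainly that this is a mitigation an admin must configure, not a change that closes CVE-2007-4465 by default, e.g. "This is a workaround, not a fix, for ... CVE-2007-4465".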
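Review bot: In the hunk removing the 2.2.5 section (@@ -133,33 +159,6 @@), the "Changes with Apache 2.2.5" heading and its five SECURITY entries disappear with no marker left at this position; the replacement note is only added much later, at the 2.2.4 boundary (@@ -272,6 +271,8 @@). Anyone diffing CHANGES between releases will see the security items vanish from one section and reappear in another, so a one-line cross-reference near the 2.2.6 security block ("these were previously listed under 2.2.5, which was never released") would make the move self-explanatory without reading the commit log.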
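Review bot: In the last hunk (@@ -272,6 +271,8 @@), the added line "There was no Apache 2.2.5" states the fact but not its consequence, which is what a reader checking whether a given fix applies to them actually needs. Suggest "There was no Apache 2.2.5 release; its changes, including the security fixes, are listed under 2.2.6 above." Also check that a blank line separates the new note from the following "Changes with Apache 2.2.4" heading, matching the spacing used between the other release sections in this file.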