Return-Path: X-Original-To: apmail-httpd-cvs-archive@www.apache.org Delivered-To: apmail-httpd-cvs-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 1035D922B for ; Wed, 25 Jan 2012 21:27:50 +0000 (UTC) Received: (qmail 5304 invoked by uid 500); 25 Jan 2012 21:27:49 -0000 Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org Received: (qmail 5234 invoked by uid 500); 25 Jan 2012 21:27:49 -0000 Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list cvs@httpd.apache.org Received: (qmail 5227 invoked by uid 99); 25 Jan 2012 21:27:49 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Jan 2012 21:27:49 +0000 X-ASF-Spam-Status: No, hits=-2000.0 required=5.0 tests=ALL_TRUSTED X-Spam-Check-By: apache.org Received: from [140.211.11.4] (HELO eris.apache.org) (140.211.11.4) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 25 Jan 2012 21:27:48 +0000 Received: from eris.apache.org (localhost [127.0.0.1]) by eris.apache.org (Postfix) with ESMTP id C72A223888CD; Wed, 25 Jan 2012 21:27:27 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1235957 - /httpd/httpd/branches/2.2.x/CHANGES Date: Wed, 25 Jan 2012 21:27:27 -0000 To: cvs@httpd.apache.org From: wrowe@apache.org X-Mailer: svnmailer-1.0.8-patched Message-Id: <20120125212727.C72A223888CD@eris.apache.org> Author: wrowe Date: Wed Jan 25 21:27:27 2012 New Revision: 1235957 URL: http://svn.apache.org/viewvc?rev=1235957&view=rev Log: Alphanum order makes more sense here for end users to follow Modified: httpd/httpd/branches/2.2.x/CHANGES Modified: httpd/httpd/branches/2.2.x/CHANGES URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1235957&r1=1235956&r2=1235957&view=diff ============================================================================== --- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original) +++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Wed Jan 25 21:27:27 2012 @@ -1,22 +1,6 @@ -*- coding: utf-8 -*- Changes with Apache 2.2.22 - *) SECURITY: CVE-2012-0053 (cve.mitre.org) - Fix an issue in error responses that could expose "httpOnly" cookies - when no custom ErrorDocument is specified for status code 400. - [Eric Covener] - - *) SECURITY: CVE-2012-0031 (cve.mitre.org) - Fix scoreboard issue which could allow an unprivileged child process - could cause the parent to crash at shutdown rather than terminate - cleanly. [Joe Orton] - - *) SECURITY: CVE-2011-4317 (cve.mitre.org) - Resolve additional cases of URL rewriting with ProxyPassMatch or - RewriteRule, where particular request-URIs could result in undesired - backend network exposure in some configurations. - [Joe Orton] - *) SECURITY: CVE-2011-3368 (cve.mitre.org) Reject requests where the request-URI does not match the HTTP specification, preventing unexpected expansion of target URLs in @@ -27,12 +11,28 @@ Changes with Apache 2.2.22 is enabled, could allow local users to gain privileges via a .htaccess file. [Stefan Fritsch, Greg Ames] + *) SECURITY: CVE-2011-4317 (cve.mitre.org) + Resolve additional cases of URL rewriting with ProxyPassMatch or + RewriteRule, where particular request-URIs could result in undesired + backend network exposure in some configurations. + [Joe Orton] + *) SECURITY: CVE-2012-0021 (cve.mitre.org) mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format string is in use and a client sends a nameless, valueless cookie, causing a denial of service. The issue existed since version 2.2.17. PR 52256. [Rainer Canavan ] + *) SECURITY: CVE-2012-0031 (cve.mitre.org) + Fix scoreboard issue which could allow an unprivileged child process + could cause the parent to crash at shutdown rather than terminate + cleanly. [Joe Orton] + + *) SECURITY: CVE-2012-0053 (cve.mitre.org) + Fix an issue in error responses that could expose "httpOnly" cookies + when no custom ErrorDocument is specified for status code 400. + [Eric Covener] + *) mod_proxy_ajp: Try to prevent a single long request from marking a worker in error. [Jean-Frederic Clere]