httpd-cvs mailing list archives

From wr...@apache.org
Subject svn commit: r1778007 - in /httpd/httpd/branches: 2.2.x/CHANGES 2.4.x/CHANGES
Date Mon, 09 Jan 2017 16:23:52 GMT
Author: wrowe
Date: Mon Jan  9 16:23:51 2017
New Revision: 1778007

URL: http://svn.apache.org/viewvc?rev=1778007&view=rev
Log:
** NOTE: the vendor states "This mitigation has been assigned the identifier 
CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. **


Modified:
    httpd/httpd/branches/2.2.x/CHANGES
    httpd/httpd/branches/2.4.x/CHANGES

Modified: httpd/httpd/branches/2.2.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?rev=1778007&r1=1778006&r2=1778007&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.2.x/CHANGES [utf-8] Mon Jan  9 16:23:51 2017
@@ -6,19 +6,15 @@ Changes with Apache 2.2.32
      and request headers, to prevent response splitting and cache pollution by
      malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
 
-  *) mod_proxy: Use the correct server name for SNI in case the backend
-     SSL connection itself is established via a proxy server.
-     PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
-
-  *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues.
-     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
-
   *) Validate HTTP response header grammar defined by RFC7230, resulting
      in a 500 error in the event that invalid response header contents are
      detected when serving the response, to avoid response splitting and cache
      pollution by malicious clients, upstream servers or faulty modules.
      [Stefan Fritsch, Eric Covener, Yann Ylavic]
 
+  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
+     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+
   *) core: Avoid a possible truncation of the faulty header included in the
      HTML response when LimitRequestFieldSize is reached.  [Yann Ylavic]
 
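Review bot: the mod_proxy SNI entry (PR 57139) deleted at the top of this hunk is not dropped but moved; it is re-added verbatim further down in the second hunk of this file, so the only substantive change here is the CVE-2016-5387 entry, which loses its "CVE-2016-5387:" prefix and is re-ordered after the RFC7230 response-header entry. Given the commit log's note that the identifier was assigned to the mitigation rather than to a vulnerability, the new wording "Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues" still reads as if the CVE names the issue; consider phrasing it as `*) core: Mitigate [f]cgi "httpoxy" issues (CVE-2016-5387 was assigned to this mitigation).` so CHANGES readers get the same context the log gives.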
@@ -40,18 +36,22 @@ Changes with Apache 2.2.32
   *) core: New directive RegisterHttpMethod for registering non-standard
      HTTP methods. [Stefan Fritsch]
 
+  *) core: Limit to ten the number of tolerated empty lines between request.
+     [Yann Ylavic]
+
+  *) core: reject NULLs in request line or request headers.
+     PR 43039 [Nick Kew]
+
+  *) mod_proxy: Use the correct server name for SNI in case the backend
+     SSL connection itself is established via a proxy server.
+     PR 57139 [Szabolcs Gyurko <szabolcs gyurko.org>]
+
   *) Fix potential rejection of valid MaxMemFree and ThreadStackSize
      directives.  [Mike Rumph <mike.rumph oracle.com>]
 
   *) mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3.
      [Kaspar Brand]
 
-  *) core: Limit to ten the number of tolerated empty lines between request.
-     [Yann Ylavic]
-
-  *) Core: reject NULLs in request line or request headers.
-     PR 43039 [Nick Kew]
-
   *) mod_proxy: Correctly consider error response codes by the backend when
      processing failonstatus. PR 59869 [Ruediger Pluem]
 
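Review bot: the two entries moved up in this hunk are otherwise unchanged apart from the "Core:" to "core:" case fix on the NULLs entry, which is fine; while touching the neighbouring line, "Limit to ten the number of tolerated empty lines between request." should read "between requests." The re-added mod_proxy SNI entry matches the text removed in the first hunk exactly, so no changelog content is lost by the reordering.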

Modified: httpd/httpd/branches/2.4.x/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/CHANGES?rev=1778007&r1=1778006&r2=1778007&view=diff
==============================================================================
--- httpd/httpd/branches/2.4.x/CHANGES [utf-8] (original)
+++ httpd/httpd/branches/2.4.x/CHANGES [utf-8] Mon Jan  9 16:23:51 2017
@@ -41,10 +41,6 @@ Changes with Apache 2.4.24 (not released
      [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
      University, Stefan Eissing]
 
-  *) SECURITY: CVE-2016-5387 (cve.mitre.org)
-     core: Mitigate [f]cgi "httpoxy" issues.
-     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
-
   *) SECURITY: CVE-2016-2161 (cve.mitre.org)
      mod_auth_digest: Prevent segfaults during client entry allocation when
      the shared memory space is exhausted.
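Review bot: removing the "SECURITY: CVE-2016-5387 (cve.mitre.org)" header takes this identifier out of the block that distributors and advisory tooling scan when they grep CHANGES for "SECURITY:" entries. The second hunk of this file re-adds the item as a plain "core:" entry, so the downgrade is intentional per the commit log, but it will look like an accidental drop to anyone diffing the SECURITY sections of 2.4.24; suggest carrying the vendor statement from the log into the re-added entry (e.g. "CVE-2016-5387 identifies this mitigation, not a vulnerability") so the reason survives in the file itself.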
@@ -66,6 +62,9 @@ Changes with Apache 2.4.24 (not released
      pollution by malicious clients, upstream servers or faulty modules.
      [Stefan Fritsch, Eric Covener, Yann Ylavic]
 
+  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
+     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+
   *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
      looping RewriteRules when the local path significantly exceeds 
      LimitRequestLine.  PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]
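Review bot: the re-added entry is placed at the same position as in 2.2.x (directly after the RFC7230 response-header validation entry), which keeps the two branches consistent; the wording "Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues" is awkward with the CVE wedged between "[f]cgi" and the quoted name, and, unlike the removed SECURITY block, it no longer says where the identifier comes from. Consider `*) core: Mitigate [f]cgi "httpoxy" issues (CVE-2016-5387 was assigned to this mitigation).` in both branches.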
