Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
[Eric Covener, Luca Toscano, Yann Ylavic]
- *) CVE-2018-1283 (cve.mitre.org)
+ *) SECURITY: CVE-2018-1283 (cve.mitre.org)
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
[Yann Ylavic]
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data. [Ruediger Pluem]
- *) CVE-2018-1301 (cve.mitre.org)
+ *) SECURITY: CVE-2018-1301 (cve.mitre.org)
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
[Yann Ylavic]
- *) mod_authnz_ldap: Fix language long names detection as short name.
- [Yann Ylavic]
-
- *) mod_proxy: Worker schemes and hostnames which are too large are no
- longer fatal errors; it is logged and the truncated values are stored.
- [Jim Jagielski]
-
- *) CVE-2017-15715 (cve.mitre.org)
+ *) SECURITY: CVE-2017-15715 (cve.mitre.org)
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
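Review bot: the removed mod_authnz_ldap entry ("Fix language long names detection as short name", [Yann Ylavic]) is not re-added in any visible `+` line, whereas the mod_proxy worker schemes entry removed next to it is re-added further down. If the mod_authnz_ldap fix is meant to be covered by another entry, say so in the commit message; otherwise restore the entry so the changelog keeps a record of it.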
may cause problems if used with round robin load balancers. PR 54637
[Stefan Fritsch]
+ *) mod_proxy: Worker schemes and hostnames which are too large are no
+ longer fatal errors; it is logged and the truncated values are stored.
+ [Jim Jagielski]
+
+
+ *) CVE-2018-1302 (cve.mitre.org)
+ mod_http2: Potential crash w/ mod_http2.
+ [Stefan Eissing]
+
*) mod_proxy: Allow setting options to globally defined balancer from
ProxyPass used in VirtualHost. Balancers are now merged using the new
merge_balancers method which merges the balancers options. [Jan Kaluza]
*) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
allowing per backend TLS configuration. [Yann Ylavic]
- *) CVE-2018-1302 (cve.mitre.org)
- mod_http2: Potential crash w/ mod_http2.
- [Stefan Eissing]
-
*) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
Jim Jagielski]
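Review bot: the relocated CVE-2018-1302 entry is re-added as "*) CVE-2018-1302 (cve.mitre.org)" without the "SECURITY:" prefix that this same change gives to CVE-2018-1283, CVE-2018-1301 and CVE-2017-15715. Add the prefix here too, so that a search for "SECURITY:" finds every CVE entry. The two consecutive empty `+` lines after the re-added mod_proxy entry also leave a double blank line between entries; one is enough.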