Note security implication

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1501413 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index a8a08c5bc051b4789d458cc1bc4294c646b50712..7c632c80eb33f4c6230690da6699b72ed748688c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,13 @@
 
 Changes with Apache 2.4.5
 
+  *) SECURITY: CVE-2013-1896 (cve.mitre.org)
+     mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
+     the source href (sent as part of the request body as XML) pointing to a
+     URI that is not configured for DAV will trigger a segfault. [Ben Reser
+     <ben reser.org>]
+
+
   *) mod_proxy: Fix seg-faults when using the global pool on threaded
      MPMs [Thomas Eckert <thomas.r.w.eckert gmail.com>, Graham Leggett,
      Jim Jagielski]
@@ -104,11 +111,6 @@ Changes with Apache 2.4.5
   *) mod_dav: Improve error handling in dav_method_put(), add new
      dav_join_error() function.  PR 54145.  [Ben Reser <ben reser.org>]
 
-  *) mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with
-     the source href (sent as part of the request body as XML) pointing to a
-     URI that is not configured for DAV will trigger a segfault. [Ben Reser
-     <ben reser.org>]
-
   *) mod_dav: Do not fail PROPPATCH when prop namespace is not known.
      PR 52559 [Diego Santa Cruz <diego.santaCruz spinetix.com>]