Note changes

author Jim Jagielski <jim@apache.org>

Thu, 13 Mar 2014 12:43:43 +0000 (12:43 +0000)

committer Jim Jagielski <jim@apache.org>

Thu, 13 Mar 2014 12:43:43 +0000 (12:43 +0000)
author Jim Jagielski <jim@apache.org>
Thu, 13 Mar 2014 12:43:43 +0000 (12:43 +0000)
committer Jim Jagielski <jim@apache.org>
Thu, 13 Mar 2014 12:43:43 +0000 (12:43 +0000)
diff --git a/CHANGES b/CHANGES

index 3c9f35501bb89c065e9935c70d01ddaee3ea0ed5..75625765c6181a935a8140b9b8dfee86a0c3fb7c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,9 @@
  
  Changes with Apache 2.4.9
  
+  *) mod_ssl: Work around a bug in some older versions of OpenSSL that
+     would cause a crash in SSL_get_certificate for servers where the
+     certificate hadn't been sent. [Stephen Henson]
  
  Changes with Apache 2.4.8
  
@@ -11,6 +14,12 @@ Changes with Apache 2.4.8
       logging truncated cookies.
       [William Rowe, Ruediger Pluem, Jim Jagielski]
  
+ *) SECURITY: CVE-2013-6438 (cve.mitre.org)
+    mod_dav: Keep track of length of cdata properly when removing
+    leading spaces. Eliminates a potential denial of service from
+    specifically crafted DAV WRITE requests
+    [Amin Tora <Amin.Tora neustar.biz>]
+
    *) core: draft-ietf-httpbis-p1-messaging-23 corrections regarding
       TE/CL conflicts. [Yann Ylavic <ylavic.dev gmail com>, Jim Jagielski]
author	Jim Jagielski <jim@apache.org>
	Thu, 13 Mar 2014 12:43:43 +0000 (12:43 +0000)
committer	Jim Jagielski <jim@apache.org>
	Thu, 13 Mar 2014 12:43:43 +0000 (12:43 +0000)