granicus.if.org Git - apache/commitdiff
mod_session_crypto: follow up to r1772812: CHANGES entry.
author Yann Ylavic <ylavic@apache.org>
Mon, 5 Dec 2016 23:46:40 +0000 (23:46 +0000)
committer Yann Ylavic <ylavic@apache.org>
Mon, 5 Dec 2016 23:46:40 +0000 (23:46 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1772813 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

diff --git a/CHANGES b/CHANGES
index 8811eea4982fb0f7f0ed2d44f0fe1534bb4ff58e..51904675ff90e672c47296fd86f7edb52270435c 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,11 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache 2.5.0
 
+  *) SECURITY: CVE-2016-0736 (cve.mitre.org)
+     mod_session_crypto: Authenticate the session data/cookie with a
+     MAC (SipHash) to prevent deciphering or tampering with a padding
+     oracle attack.  [Yann Ylavic, Colm MacCarthaigh]
+
   *) mod_lua: Fix default value of LuaInherit directive. It should be 
      'parent-first' instead of 'none', as per documentation.  PR 60419
      [Christophe Jaillet]
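
Review bot: The added CVE-2016-0736 entry does not say what an upgrade means for sessions that already exist. In the mod_session_crypto lines, consider stating whether session data or cookies encrypted before this change are still accepted, since an administrator reading CHANGES cannot tell from "Authenticate the session data/cookie with a MAC (SipHash)" alone. The phrase "to prevent deciphering or tampering with a padding oracle attack" is also ambiguous about what is being prevented; something like "to prevent a padding oracle attack from deciphering or tampering with the session" reads unambiguously. Finally, "(cve.mitre.org)" names a site rather than giving a reference the reader can follow.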