restore SECURITY to top

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1636006 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index e0c5b3c1461347f480766accad9968f6d4209825..f89bb8806aa9264998b5ded0eff7af9f1244fa73 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,17 @@
 
 Changes with Apache 2.4.11
 
+  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+     mod_cache: Avoid a crash when Content-Type has an empty value.
+     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
+
+  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+     core: HTTP trailers could be used to replace HTTP headers
+     late during request processing, potentially undoing or
+     otherwise confusing modules that examined or modified
+     request headers earlier.  Adds "MergeTrailers" directive to restore
+     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+
   *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC 
      systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]
 
@@ -35,17 +46,6 @@ Changes with Apache 2.4.11
 
   *) mod_dav: Set r->status_line in dav_error_response. PR 55426.
 
-  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
-     mod_cache: Avoid a crash when Content-Type has an empty value.
-     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
-
-  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
-     core: HTTP trailers could be used to replace HTTP headers
-     late during request processing, potentially undoing or
-     otherwise confusing modules that examined or modified
-     request headers earlier.  Adds "MergeTrailers" directive to restore
-     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
-
   *) mod_proxy_http: Avoid (unlikely) access to freed memory. [Yann Ylavic]
 
   *) http_protocol: fix logic in ap_method_list_(add|remove) in order: