Fix the CHANGES to reflect when things were really fixed. Also remove the security...

author Paul Querna <pquerna@apache.org>

Fri, 8 Jul 2005 16:06:22 +0000 (16:06 +0000)

committer Paul Querna <pquerna@apache.org>

Fri, 8 Jul 2005 16:06:22 +0000 (16:06 +0000)
author Paul Querna <pquerna@apache.org>
Fri, 8 Jul 2005 16:06:22 +0000 (16:06 +0000)
committer Paul Querna <pquerna@apache.org>
Fri, 8 Jul 2005 16:06:22 +0000 (16:06 +0000)
diff --git a/CHANGES b/CHANGES

index e00b3f9c0e4a9c2ce43e2d66e51220c06a30d82d..ec81621686bf45a1f4a19b9ef9e9383e7d060e34 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -20,11 +20,15 @@ Changes with Apache 2.1.7
  
  Changes with Apache 2.1.6
  
+  *) SECURITY: CAN-2005-2088
+     core: If a request contains both Transfer-Encoding and a Content-Length,
+     remove the Content-Length, stopping some HTTP Request smuggling attacks.
+     [Paul Querna]
+
    *) Fix htdbm password validation for records which included comments.
       [Eric Covener <covener gmail.com>]
  
-  *) SECURITY: CAN-2005-2088
-     proxy HTTP: If a response contains both Transfer-Encoding and a 
+  *) proxy HTTP: If a response contains both Transfer-Encoding and a 
       Content-Length, remove the Content-Length and don't reuse the
       connection, stopping some HTTP Request smuggling attacks.
       [Jeff Trawick]
@@ -34,11 +38,6 @@ Changes with Apache 2.1.6
  
  Changes with Apache 2.1.5
  
-  *) SECURITY: CAN-2005-2088
-     core: If a request contains both Transfer-Encoding and a Content-Length,
-     remove the Content-Length, stopping some HTTP Request smuggling attacks.
-     [Paul Querna]
-
    *) mod_ssl: Setting the Protocol to 'https' can replace the use of the 
       'SSLEngine on' command. [Paul Querna]
author	Paul Querna <pquerna@apache.org>
	Fri, 8 Jul 2005 16:06:22 +0000 (16:06 +0000)
committer	Paul Querna <pquerna@apache.org>
	Fri, 8 Jul 2005 16:06:22 +0000 (16:06 +0000)