** NOTE: the vendor states "This mitigation has been assigned the identifier

CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. **

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1778007 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/CHANGES b/CHANGES
index b109fe1c12072d4d5bb723e3085b6cc86f6a2685..bdfffe218dc4e2f690c023edde5c6fd2d8a9cf86 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -41,10 +41,6 @@ Changes with Apache 2.4.24 (not released)
      [Naveen Tiwari <naveen.tiwari@asu.edu> and CDF/SEFCOM at Arizona State
      University, Stefan Eissing]
 
-  *) SECURITY: CVE-2016-5387 (cve.mitre.org)
-     core: Mitigate [f]cgi "httpoxy" issues.
-     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
-
   *) SECURITY: CVE-2016-2161 (cve.mitre.org)
      mod_auth_digest: Prevent segfaults during client entry allocation when
      the shared memory space is exhausted.
@@ -66,6 +62,9 @@ Changes with Apache 2.4.24 (not released)
      pollution by malicious clients, upstream servers or faulty modules.
      [Stefan Fritsch, Eric Covener, Yann Ylavic]
 
+  *) core: Mitigate [f]cgi CVE-2016-5387 "httpoxy" issues.
+     [Dominic Scheirlinck <dominic vendhq.com>, Yann Ylavic]
+
   *) mod_rewrite: Limit runaway memory use by short circuiting some kinds of
      looping RewriteRules when the local path significantly exceeds 
      LimitRequestLine.  PR 60478. [Jeff Wheelhouse <apache wheelhouse.org>]