Apply missing security fix CHANGELOG entries to head
author Mark J. Cox <mjc@apache.org>
Tue, 3 Jun 2003 10:44:29 +0000 (10:44 +0000)
committer Mark J. Cox <mjc@apache.org>
Tue, 3 Jun 2003 10:44:29 +0000 (10:44 +0000)
PR:
Obtained from:
Submitted by:
Reviewed by:

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@100150 13f79535-47bb-0310-9956-ffa450edef68

CHANGES

diff --git a/CHANGES b/CHANGES
index 8c8247421470181e988b57d0a4c26b8e031739ad..c16e33ba2b43c9ce0500dd7db9edd971abc26518 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -143,6 +143,17 @@ Changes with Apache 2.0.47
 
 Changes with Apache 2.0.46
 
+  *) SECURITY [CAN-2003-0245]: Fixed a bug causing apr_pvsprintf() to crash 
+     by sending an overly long string.  This can be triggered remotely 
+     through mod_dav, mod_ssl, and other mechanisms.  Reported by David
+     Endler <DEndler@iDefense.com>.
+     [Joe Orton <jorton@redhat.com>]
+
+  *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
+     affecting basic authentication on Unix platforms related to
+     thread-safety in apr_password_validate().  The problem was reported
+     by John Hughes <john.hughes@entegrity.com>.
+
   *) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
      when a MKACTIVITY request comes in.
      [Ben Collins-Sussman <sussman@collab.net>]
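
Review bot: The CAN-2003-0189 entry ends without a bracketed credit for whoever made the fix, unlike the CAN-2003-0245 entry above it and the mod_dav entry below it, which close with "[Joe Orton <jorton@redhat.com>]" and "[Ben Collins-Sussman <sussman@collab.net>]"; add the corresponding line if the author of the fix is known. In the CAN-2003-0245 entry, "Fixed a bug causing apr_pvsprintf() to crash by sending an overly long string" reads as though the fix itself involves sending the string; wording along the lines of "Fixed a bug that could cause apr_pvsprintf() to crash when given an overly long string" states the condition more clearly. The first two added lines of that entry ("...to crash " and "...triggered remotely ") also end in trailing whitespace, which is worth trimming before this lands.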