MAC (SipHash) to prevent deciphering or tampering with a padding
oracle attack. [Yann Ylavic, Colm MacCarthaigh]
+ *) SECURITY: CVE-2016-8743 (cve.mitre.org)
+ Enforce HTTP request grammar corresponding to RFC7230 for request lines
+ and request headers, to prevent response splitting and cache pollution by
+ malicious clients or downstream proxies. [William Rowe, Stefan Fritsch]
+
+ *) Validate HTTP response header grammar defined by RFC7230, resulting
+ in a 500 error in the event that invalid response header contents are
+ detected when serving the response, to avoid response splitting and cache
+ pollution by malicious clients, upstream servers or faulty modules.
+ [Stefan Fritsch, Eric Covener, Yann Ylavic]
+
*) mod_socache_memcache: Provide memcache stats to mod_status.
[Jim Jagielski]
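Review bot: The added "Validate HTTP response header grammar defined by RFC7230" entry carries no SECURITY: tag or CVE reference, while the request-side entry directly above it is tagged "SECURITY: CVE-2016-8743". Both entries describe the same risk (response splitting and cache pollution), so a reader triaging this release cannot tell whether the response-side check is part of that CVE or separate hardening. Suggest either tagging it the same way or adding a few words that say it is hardening with no CVE of its own. It would also help to state whether the 500 replaces the whole response or only applies once the invalid header is detected, since the current wording "when serving the response" leaves that open.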
'parent-first' instead of 'none', as per documentation. PR 60419
[Christophe Jaillet]
- *) Enforce http request grammer corresponding to RFC7230 for request lines
- and request headers [William Rowe, Stefan Fritsch]
-
*) core: New directive HttpProtocolOptions to control httpd enforcement
of various RFC7230 requirements. [Stefan Fritsch, William Rowe]
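Review bot: Removing the old "Enforce http request grammer" entry here leaves the HttpProtocolOptions entry without the neighbour that explained what it controls, and the rewritten SECURITY entry in the earlier hunk does not mention the directive. Suggest adding a short pointer in one of the two entries, for example ending the SECURITY entry with "See the HttpProtocolOptions directive." so that operators whose clients are rejected by the stricter grammar can find the control. The remaining entry says "various RFC7230 requirements" without naming any; one clause listing what the directive can relax would make the changelog usable on its own.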