From: Jim Jagielski Date: Mon, 18 Feb 2013 19:37:43 +0000 (+0000) Subject: Note that these are/were CVEs X-Git-Tag: 2.4.4~5 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2648834a1c04c3a3f13d1cc019b2c2b72c8af8f4;p=apache Note that these are/were CVEs git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1447449 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index c56d8da11c..67fdc52d33 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,15 @@ Changes with Apache 2.4.4 + *) SECURITY: CVE-2012-3499 (cve.mitre.org) + Various XSS flaws due to unescaped hostnames and URIs HTML output in + mod_info, mod_status, mod_impagemap, mod_proxy_balancer, and mod_proxy_ftp. + [Jim Jagielski, Stefan Fritsch, Niels Heinen ] + + *) SECURITY: CVE-2012-4558 (cve.mitre.org) + XSS in mod_proxy_balancer manager interface. [Jim Jagielski, + Niels Heinen ] + *) mod_dir: Add support for the value 'disabled' in FallbackResource. [Vincent Deffontaines] @@ -116,10 +125,6 @@ Changes with Apache 2.4.4 unless new option 'RewriteOptions MergeBase' is configured. PR 53963. [Eric Covener] - *) mod_status, mod_info, mod_proxy_ftp, mod_proxy_balancer, mod_imagemap, - mod_ldap: Improve escaping of hostname and URIs HTML output. - [Jim Jagielski, Stefan Fritsch] - *) mod_header: Allow for exposure of loadavg and server load using new format specifiers %l, %i, %b [Jim Jagielski]
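Review bot: In the first hunk (the two added SECURITY entries at the top of the 2.4.4 section), the module name "mod_impagemap" in the CVE-2012-3499 entry is misspelled; the module is mod_imagemap, as the entry removed further down in this same patch spells it. The list of affected modules in a CVE entry is what downstream packagers and scanners grep for, so the line should read "mod_info, mod_status, mod_imagemap, mod_proxy_balancer, and mod_proxy_ftp." The trailing space before the closing bracket in "Niels Heinen ]" (both entries) also looks like a dropped e-mail address or stray whitespace and should be tidied to match the other credits.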
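Review bot: In the second hunk (the removal of the older "mod_status, mod_info, mod_proxy_ftp, mod_proxy_balancer, mod_imagemap, mod_ldap: Improve escaping of hostname and URIs HTML output" entry), the removed line credited mod_ldap as one of the modules whose hostname/URI escaping was improved, but neither of the new CVE-2012-3499 nor CVE-2012-4558 entries mentions mod_ldap, so that part of the fix silently disappears from CHANGES. If the mod_ldap change is part of CVE-2012-3499, add it to that entry's module list; if it was a non-security hardening, keep a one-line mod_ldap entry rather than dropping it with the superseded text.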