From: Eric Covener Date: Sat, 1 Nov 2014 18:01:31 +0000 (+0000) Subject: restore SECURITY to top X-Git-Tag: 2.4.11~198 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6187f028d9c8f69f405691f4d7843d950798eec9;p=apache restore SECURITY to top git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1636006 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index e0c5b3c146..f89bb8806a 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,17 @@ Changes with Apache 2.4.11 + *) SECURITY: CVE-2014-3581 (cve.mitre.org) + mod_cache: Avoid a crash when Content-Type has an empty value. + PR 56924. [Mark Montague , Jan Kaluza] + + *) SECURITY: CVE-2013-5704 (cve.mitre.org) + core: HTTP trailers could be used to replace HTTP headers + late during request processing, potentially undoing or + otherwise confusing modules that examined or modified + request headers earlier. Adds "MergeTrailers" directive to restore + legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] + *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC systems. PR 57092 [Edward Lu ] @@ -35,17 +46,6 @@ Changes with Apache 2.4.11 *) mod_dav: Set r->status_line in dav_error_response. PR 55426. - *) SECURITY: CVE-2014-3581 (cve.mitre.org) - mod_cache: Avoid a crash when Content-Type has an empty value. - PR 56924. [Mark Montague , Jan Kaluza] - - *) SECURITY: CVE-2013-5704 (cve.mitre.org) - core: HTTP trailers could be used to replace HTTP headers - late during request processing, potentially undoing or - otherwise confusing modules that examined or modified - request headers earlier. Adds "MergeTrailers" directive to restore - legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] - *) mod_proxy_http: Avoid (unlikely) access to freed memory. [Yann Ylavic] *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
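Review bot: in the first CHANGES hunk (@@ -2,6 +2,17), the CVE-2013-5704 entry now sits at the top of the 2.4.11 list but still only says that "MergeTrailers" restores "legacy behavior", without stating what the new default is. Since this is the first thing an administrator reads for the release, consider wording it so the default handling of trailers is explicit. The line `request headers earlier. Adds "MergeTrailers" directive to restore` is also longer than the wrapped lines around it and could be rewrapped in a follow-up.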
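Review bot: the second CHANGES hunk (@@ -35,17 +46,6) should be a pure move, and it is worth confirming that nothing in the two SECURITY entries was reworded on the way. In the visible lines the eleven removed lines match the eleven added at the top, including the attribution `[Mark Montague , Jan Kaluza]` with its space before the comma. If that spacing marks something dropped after the name, fix it in a separate commit so this one stays a verbatim reorder. The commit message "restore SECURITY to top" could also name the ordering convention it restores, so later CHANGES edits keep SECURITY entries first.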