From: Paul Querna Date: Fri, 8 Jul 2005 16:06:22 +0000 (+0000) Subject: Fix the CHANGES to reflect when things were really fixed. Also remove the security... X-Git-Tag: 2.1.7~34 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6bcf43ddb4ec201de15f76620f7d794c289fc6b0;p=apache Fix the CHANGES to reflect when things were really fixed. Also remove the security tag from the proxy change, as suggested by Joe. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@209832 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index e00b3f9c0e..ec81621686 100644 --- a/CHANGES +++ b/CHANGES @@ -20,11 +20,15 @@ Changes with Apache 2.1.7 Changes with Apache 2.1.6 + *) SECURITY: CAN-2005-2088 + core: If a request contains both Transfer-Encoding and a Content-Length, + remove the Content-Length, stopping some HTTP Request smuggling attacks. + [Paul Querna] + *) Fix htdbm password validation for records which included comments. [Eric Covener ] - *) SECURITY: CAN-2005-2088 - proxy HTTP: If a response contains both Transfer-Encoding and a + *) proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, stopping some HTTP Request smuggling attacks. [Jeff Trawick] @@ -34,11 +38,6 @@ Changes with Apache 2.1.6 Changes with Apache 2.1.5 - *) SECURITY: CAN-2005-2088 - core: If a request contains both Transfer-Encoding and a Content-Length, - remove the Content-Length, stopping some HTTP Request smuggling attacks. - [Paul Querna] - *) mod_ssl: Setting the Protocol to 'https' can replace the use of the 'SSLEngine on' command. [Paul Querna]
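Review bot: In the first hunk (@@ -20,11 +20,15 @@, under "Changes with Apache 2.1.6"), the proxy HTTP entry loses both the "SECURITY:" tag and the CAN-2005-2088 identifier, yet its text still ends with "stopping some HTTP Request smuggling attacks". Anyone searching CHANGES for the CAN id or the SECURITY marker will now find only the core entry and miss the response-side change, which also stops reusing the connection. If the proxy change is meant as hardening rather than the fix for the CAN, say so in the entry, for example by rewording the last clause or adding a short pointer to the core entry above it. The commit message gives "as suggested by Joe" as the only rationale; one sentence on why the proxy change does not qualify for the tag would make the history self-explanatory.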
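Review bot: In the second hunk (@@ -34,11 +38,6 @@, under "Changes with Apache 2.1.5"), the CAN-2005-2088 core entry is deleted from 2.1.5 and, per the first hunk, reappears under 2.1.6, but nothing in the commit message identifies the revision or release in which the Content-Length removal for requests actually landed. Since this moves the first fixed version of a security issue, the message should cite the revision of the core fix so the new placement can be checked. The entry text is identical in both places, so a reader comparing against an older copy of CHANGES would see the same fix credited to 2.1.5; it is worth confirming whether 2.1.5 shipped with this entry before relocating it without a note.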