From: Jeff Trawick Date: Wed, 25 Jan 2012 20:06:07 +0000 (+0000) Subject: Add reference to CVE-2012-0021, quoting the 2.3.x version in which X-Git-Tag: 2.4.1~94 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e8490ab0b5bec789021bae51c63ab9e173ee975a;p=apache Add reference to CVE-2012-0021, quoting the 2.3.x version in which the problem was introduced. (following r1235875 which DidTRT for 2.2.x/CHANGES) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1235894 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index aa469c67f3..a84bc59d07 100644 --- a/CHANGES +++ b/CHANGES @@ -24,8 +24,11 @@ Changes with Apache 2.4.0 *) mod_ssl: Fix compilation with xlc on AIX. PR 52394. [Stefan Fritsch] - *) mod_log_config: Fix segfault when trying to log a nameless, valueless - cookie. PR 52256. [Rainer Canavan ] + *) SECURITY: CVE-2012-0021 (cve.mitre.org) + mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format + string is in use and a client sends a nameless, valueless cookie, causing + a denial of service. The issue existed since version 2.2.17 and 2.3.3. + PR 52256. [Stefan Fritsch] *) mod_ssl: when compiled against OpenSSL 1.0.1 or later, allow explicit control of TLSv1.1 and TLSv1.2 through the SSLProtocol directive.
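Review bot: the last line of the new CVE-2012-0021 entry changes the credit from "[Rainer Canavan ]" to "[Stefan Fritsch]", and the commit message says nothing about a change of attribution. If the original contributor should still be credited, keep that name alongside the new one. In the same entry, "The issue existed since version 2.2.17 and 2.3.3" reads as though one release followed the other. Since the commit message says the intent is to quote the version in which the problem was introduced, wording such as "introduced in 2.2.17 and 2.3.3" would make it clear these are the first affected releases on two separate branches. The "(cve.mitre.org)" tag names only the host, so a reader scanning CHANGES still has to search for the identifier there.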