From 4696fa0456cb5d405db5035fd2402d71641da09c Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Sat, 24 Mar 2018 11:41:56 +0000 Subject: [PATCH] add security: prefix consistently bump CVE's to top of each release git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1827634 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/CHANGES b/CHANGES index b3c8a68f96..e7d0ea79ea 100644 --- a/CHANGES +++ b/CHANGES @@ -75,7 +75,7 @@ Changes with Apache 2.4.30 (not released) Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled [Eric Covener, Luca Toscano, Yann Ylavic] - *) CVE-2018-1283 (cve.mitre.org) + *) SECURITY: CVE-2018-1283 (cve.mitre.org) mod_session: CGI-like applications that intend to read from mod_session's 'SessionEnv ON' could be fooled into reading user-supplied data instead. [Yann Ylavic] @@ -84,19 +84,12 @@ Changes with Apache 2.4.30 (not released) mod_cache_socache: Fix request headers parsing to avoid a possible crash with specially crafted input data. [Ruediger Pluem] - *) CVE-2018-1301 (cve.mitre.org) + *) SECURITY: CVE-2018-1301 (cve.mitre.org) core: Possible crash with excessively long HTTP request headers. Impractical to exploit with a production build and production LogLevel. [Yann Ylavic] - *) mod_authnz_ldap: Fix language long names detection as short name. - [Yann Ylavic] - - *) mod_proxy: Worker schemes and hostnames which are too large are no - longer fatal errors; it is logged and the truncated values are stored. - [Jim Jagielski] - - *) CVE-2017-15715 (cve.mitre.org) + *) SECURITY: CVE-2017-15715 (cve.mitre.org) core: Configure the regular expression engine to match '$' to the end of the input string only, excluding matching the end of any embedded newline characters. Behavior can be changed with new directive 
@@ -108,6 +101,15 @@ Changes with Apache 2.4.30 (not released) may cause problems if used with round robin load balancers. PR 54637 [Stefan Fritsch] + *) mod_proxy: Worker schemes and hostnames which are too large are no + longer fatal errors; it is logged and the truncated values are stored. + [Jim Jagielski] + + + *) CVE-2018-1302 (cve.mitre.org) + mod_http2: Potential crash w/ mod_http2. + [Stefan Eissing] + *) mod_proxy: Allow setting options to globally defined balancer from ProxyPass used in VirtualHost. Balancers are now merged using the new merge_balancers method which merges the balancers options. [Jan Kaluza] @@ -123,10 +125,6 @@ Changes with Apache 2.4.30 (not released) *) mod_proxy, mod_ssl: Handle SSLProxy* directives in sections, allowing per backend TLS configuration. [Yann Ylavic] - *) CVE-2018-1302 (cve.mitre.org) - mod_http2: Potential crash w/ mod_http2. - [Stefan Eissing] - *) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris, Jim Jagielski] -- 2.40.0
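Review bot: in the @@ -84,19 +84,12 @@ hunk, the mod_authnz_ldap entry ("Fix language long names detection as short name", [Yann Ylavic]) is deleted but is not re-added by any other hunk in this patch, whereas the mod_proxy worker-scheme entry deleted right after it reappears in the @@ -108,6 +101,15 @@ hunk. The commit message describes only a prefix change and a reorder of CVE entries, so silently dropping a changelog item looks unintended; either re-add the entry in its new position in this patch or, if it is being moved or removed on purpose, say so in the commit message.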
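Review bot: in the @@ -108,6 +101,15 @@ hunk, the re-added CVE-2018-1302 entry is the one CVE entry in this patch that does not get the "SECURITY:" prefix, so the stated goal ("add security: prefix consistently") is not met; it should read `*) SECURITY: CVE-2018-1302 (cve.mitre.org)` like the other three. Two smaller points in the same hunk: it introduces two consecutive blank lines between the mod_proxy entry and the CVE entry where the file otherwise separates entries with one, and the entry now lands below non-security items (the PR 54637 context entry and the moved mod_proxy entry) rather than alongside the other CVE entries near the top of the 2.4.30 block, which is the placement the commit message ("bump CVE's to top of each release") describes.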