From 4c441af01e280d0393b955bdcf4215dbec07a2c8 Mon Sep 17 00:00:00 2001 From: Christophe Jaillet Date: Tue, 14 Oct 2014 08:56:57 +0000 Subject: [PATCH] Keep SECURITY entries at the top git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1631685 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index a7d33c6c5e..3aa52eaa15 100644 --- a/CHANGES +++ b/CHANGES @@ -6,6 +6,13 @@ Changes with Apache 2.4.11 mod_cache: Avoid a crash when Content-Type has an empty value. PR 56924. [Mark Montague , Jan Kaluza] + *) SECURITY: CVE-2013-5704 (cve.mitre.org) + core: HTTP trailers could be used to replace HTTP headers + late during request processing, potentially undoing or + otherwise confusing modules that examined or modified + request headers earlier. Adds "MergeTrailers" directive to restore + legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] + *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with the wrong credentials when a backend connection is reused. [Eric Covener] @@ -37,13 +44,6 @@ Changes with Apache 2.4.11 "ProxyErrorOverride On" hang until proxy timeout. PR53420 [Rainer Jung] - *) SECURITY: CVE-2013-5704 (cve.mitre.org) - core: HTTP trailers could be used to replace HTTP headers - late during request processing, potentially undoing or - otherwise confusing modules that examined or modified - request headers earlier. Adds "MergeTrailers" directive to restore - legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] - *) mod_log_config: Allow three character log formats to be registered. For backwards compatibility, the first character of a three-character format must be the '^' (caret) character. [Eric Covener] -- 2.40.0
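Review bot: In the first hunk (@@ -6,6 +6,13 @@) the CVE-2013-5704 entry lands after the mod_cache entry ending in "PR 56924", not as the first item under "Changes with Apache 2.4.11", while the subject line says SECURITY entries are kept at the top. The opening line of that mod_cache entry is outside the hunk context, so this diff alone does not show whether it is itself a SECURITY item. If it is not, the new block should go above it. The 7 added lines match the 7 lines removed in the second hunk, so the entry text is moved unchanged. The entry says only that "MergeTrailers" restores legacy behavior, so stating the new default handling of trailers would make it clearer to administrators reading CHANGES.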