From 5a41a0e7bbb37c12f2dec42811f54980754e7937 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Mon, 5 Dec 2016 23:46:40 +0000 Subject: [PATCH] mod_session_crypto: follow up to r1772812: CHANGES entry. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1772813 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CHANGES b/CHANGES index 8811eea498..51904675ff 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.5.0 + *) SECURITY: CVE-2016-0736 (cve.mitre.org) + mod_session_crypto: Authenticate the session data/cookie with a + MAC (SipHash) to prevent deciphering or tampering with a padding + oracle attack. [Yann Ylavic, Colm MacCarthaigh] + *) mod_lua: Fix default value of LuaInherit directive. It should be 'parent-first' instead of 'none', as per documentation. PR 60419 [Christophe Jaillet] -- 2.50.1