From 671fe792ccad54ccae2acd9854484a4df6af6041 Mon Sep 17 00:00:00 2001 From: Eric Covener Date: Tue, 6 Sep 2011 18:45:33 +0000 Subject: [PATCH] bump SECURITY issue to top of in-development 2.3.15 section. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1165779 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/CHANGES b/CHANGES index 308d4ed9c3..e0e54475d5 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,12 @@ -*- coding: utf-8 -*- Changes with Apache 2.3.15 + *) SECURITY: CVE-2011-3192 (cve.mitre.org) + core: Fix handling of byte-range requests to use less memory, to avoid + denial of service. If the sum of all ranges in a request is larger than + the original file, ignore the ranges and send the complete file. + PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener] + *) mod_ssl: revamp CRL-based revocation checking when validating certificates of clients or proxied servers. Completely delegate CRL processing to OpenSSL, and add a new [Proxy]CARevocationCheck @@ -9,12 +15,6 @@ Changes with Apache 2.3.15 *) Fix a regression in the CVE-2011-3192 byterange fix. PR 51748. [low_priority ] - *) SECURITY: CVE-2011-3192 (cve.mitre.org) - core: Fix handling of byte-range requests to use less memory, to avoid - denial of service. If the sum of all ranges in a request is larger than - the original file, ignore the ranges and send the complete file. - PR 51714. [Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener] - *) core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200. [Eric Covener] -- 2.40.0
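Review bot: In the first hunk (@@ -1,6 +1,12 @@), the SECURITY entry for CVE-2011-3192 moves to the top of the 2.3.15 section, but the follow-up entry "Fix a regression in the CVE-2011-3192 byterange fix. PR 51748." stays below the mod_ssl entry, so the fix and its regression fix are now separated by an unrelated item. Consider moving the PR 51748 entry directly under the SECURITY entry, or mentioning PR 51748 in the SECURITY text, so that someone reading only the top item learns the original fix was amended.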
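Review bot: In the second hunk (@@ -9,12 +15,6 @@), removing the SECURITY entry from its old position leaves the MaxRanges entry standing alone, and nothing in its text ties it to CVE-2011-3192. If the directive belongs to the same byte-range hardening, say so in that entry, for example by referencing the CVE, because the default limit of 200 is the setting an operator would look for when reviewing exposure to range-based denial of service.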