From 6bcf43ddb4ec201de15f76620f7d794c289fc6b0 Mon Sep 17 00:00:00 2001 From: Paul Querna Date: Fri, 8 Jul 2005 16:06:22 +0000 Subject: [PATCH] Fix the CHANGES to reflect when things were really fixed. Also remove the security tag from the proxy change, as suggested by Joe. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@209832 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index e00b3f9c0e..ec81621686 100644 --- a/CHANGES +++ b/CHANGES @@ -20,11 +20,15 @@ Changes with Apache 2.1.7 Changes with Apache 2.1.6 + *) SECURITY: CAN-2005-2088 + core: If a request contains both Transfer-Encoding and a Content-Length, + remove the Content-Length, stopping some HTTP Request smuggling attacks. + [Paul Querna] + *) Fix htdbm password validation for records which included comments. [Eric Covener ] - *) SECURITY: CAN-2005-2088 - proxy HTTP: If a response contains both Transfer-Encoding and a + *) proxy HTTP: If a response contains both Transfer-Encoding and a Content-Length, remove the Content-Length and don't reuse the connection, stopping some HTTP Request smuggling attacks. [Jeff Trawick] @@ -34,11 +38,6 @@ Changes with Apache 2.1.6 Changes with Apache 2.1.5 - *) SECURITY: CAN-2005-2088 - core: If a request contains both Transfer-Encoding and a Content-Length, - remove the Content-Length, stopping some HTTP Request smuggling attacks. - [Paul Querna] - *) mod_ssl: Setting the Protocol to 'https' can replace the use of the 'SSLEngine on' command. [Paul Querna] -- 2.40.0
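Review bot: In the first hunk (@@ -20,11 +20,15 @@, Changes with Apache 2.1.6), the proxy HTTP entry loses both the "SECURITY:" tag and the CAN-2005-2088 reference, yet its text still ends with "stopping some HTTP Request smuggling attacks". Anyone who searches CHANGES for "SECURITY:" or for the CAN id to decide whether an upgrade is needed will no longer find the proxy-side change, even though the entry itself describes it as a smuggling mitigation. If the intent is that the proxy change is hardening rather than the fix for the CAN, say so in the entry, for example by rewording the last clause or adding a short pointer to the core entry above it. The commit message gives only "as suggested by Joe" as the reason, so the rationale for dropping the tag should be recorded there as well.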
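Review bot: In the second hunk (@@ -34,11 +38,6 @@, Changes with Apache 2.1.5), deleting the "SECURITY: CAN-2005-2088 core:" entry changes which release CHANGES credits with the request-side fix, from 2.1.5 to 2.1.6, and nothing in the patch lets a reader verify that. The commit message says the move reflects "when things were really fixed" but cites no revision for the core change. Please reference the revision that introduced the Transfer-Encoding/Content-Length handling in core so the release attribution can be checked, since anyone who relied on the earlier CHANGES text would have assumed 2.1.5 already carried this fix.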