From 89edea4952bbb387b229f913fca2ea059abbb471 Mon Sep 17 00:00:00 2001 From: "Mark J. Cox" Date: Wed, 19 Oct 2005 08:12:00 +0000 Subject: [PATCH] Today a one-time change happens to all CAN- names as they are renamed to CVE-. Make this change to our changelog. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@326454 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 72 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 36 insertions(+), 36 deletions(-) diff --git a/CHANGES b/CHANGES index d966c343b7..e5f7add455 100644 --- a/CHANGES +++ b/CHANGES @@ -52,7 +52,7 @@ Changes with Apache 2.1.9 trigger POLL_ERR or POLL_HUP on a terminated connection. PR 36951. [Jeff Trawick, Ruediger Pluem] - *) SECURITY: CAN-2005-2970 (cve.mitre.org) + *) SECURITY: CVE-2005-2970 (cve.mitre.org) worker MPM: Fix a memory leak which can occur after an aborted connection in some limited circumstances. [Greg Ames] @@ -85,7 +85,7 @@ Changes with Apache 2.1.8 listening ports upon graceful restart or stop. PR 28167. [Colm MacCarthaigh, Brian Pinkerton ] - *) SECURITY: CAN-2005-2700 (cve.mitre.org) + *) SECURITY: CVE-2005-2700 (cve.mitre.org) mod_ssl: Fix a security issue where "SSLVerifyClient" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the vhost configuration. [Joe Orton] @@ -118,7 +118,7 @@ Changes with Apache 2.1.8 Changes with Apache 2.1.7 - *) SECURITY: CAN-2005-2491 (cve.mitre.org): + *) SECURITY: CVE-2005-2491 (cve.mitre.org): Fix integer overflows in PCRE in quantifier parsing which could be triggered by a local user through use of a carefully-crafted regex in an .htaccess file. [Philip Hazel] @@ -904,7 +904,7 @@ Changes with Apache 2.0.56 Changes with Apache 2.0.55 - *) SECURITY: CAN-2005-2088 (cve.mitre.org) + *) SECURITY: CVE-2005-2088 (cve.mitre.org) proxy: Correctly handle the Transfer-Encoding and Content-Length headers. Discard the request Content-Length whenever T-E: chunked is used, always passing one of either C-L or T-E: chunked whenever @@ -942,7 +942,7 @@ Changes with Apache 2.0.55 (or if it didn't succeed) for non-authoritative cases. [Jim Jagielski] - *) SECURITY: CAN-2005-2728 (cve.mitre.org) + *) SECURITY: CVE-2005-2728 (cve.mitre.org) Fix cases where the byterange filter would buffer responses into memory. PR 29962. [Joe Orton] @@ -960,7 +960,7 @@ Changes with Apache 2.0.55 *) mod_ssl: Fix build with OpenSSL 0.9.8. PR 35757. [William Rowe] - *) SECURITY: CAN-2005-2088 (cve.mitre.org) + *) SECURITY: CVE-2005-2088 (cve.mitre.org) core: If a request contains both Transfer-Encoding and Content-Length headers, remove the Content-Length, mitigating some HTTP Request Splitting/Spoofing attacks. [Paul Querna, Joe Orton] @@ -973,7 +973,7 @@ Changes with Apache 2.0.55 *) Prevent hangs of child processes when writing to piped loggers at the time of graceful restart. PR 26467. [Jeff Trawick] - *) SECURITY: CAN-2005-1268 (cve.mitre.org) + *) SECURITY: CVE-2005-1268 (cve.mitre.org) mod_ssl: Fix off-by-one overflow whilst printing CRL information at "LogLevel debug" which could be triggered if configured to use a "malicious" CRL. PR 35081. [Marc Stern ] @@ -1013,7 +1013,7 @@ Changes with Apache 2.0.54 slow to exit. [Joe Orton, Jeff Trawick] *) Remove formatting characters from ap_log_error() calls. These - were escaped as fallout from CAN-2003-0020. + were escaped as fallout from CVE-2003-0020. [Eric Covener ] *) mod_ssl: If SSLUsername is used, set r->user earlier. PR 31418. @@ -1102,11 +1102,11 @@ Changes with Apache 2.0.53 specified matches the value of the user object. PR 31913 [Ryan Morgan ] - *) SECURITY: CAN-2004-0942 (cve.mitre.org) + *) SECURITY: CVE-2004-0942 (cve.mitre.org) Fix for memory consumption DoS in handling of MIME folded request headers. [Joe Orton] - *) SECURITY: CAN-2004-0885 (cve.mitre.org) + *) SECURITY: CVE-2004-0885 (cve.mitre.org) mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be bypassed during an SSL renegotiation. PR 31505. [Hartmut Keil , Joe Orton] @@ -1148,7 +1148,7 @@ Changes with Apache 2.0.53 is causing a potential problem with the LDAP shared memory cache. PR 31431 [Graham Leggett] - *) SECURITY: CAN-2004-1834 (cve.mitre.org) + *) SECURITY: CVE-2004-1834 (cve.mitre.org) mod_disk_cache: Do not store hop-by-hop headers. [Justin Erenkrantz] *) Fix the re-linking issue when purging elements from the LDAP cache @@ -1171,7 +1171,7 @@ Changes with Apache 2.0.52 *) Fix a segfault in the LDAP cache when it is configured switched off. [Jess Holle ] - *) SECURITY: CAN-2004-0811 (cve.mitre.org) + *) SECURITY: CVE-2004-0811 (cve.mitre.org) Fix merging of the Satisfy directive, which was applied to the surrounding context and could allow access despite configured authentication. PR 31315. [Rici Lake ] @@ -1193,15 +1193,15 @@ Changes with Apache 2.0.52 Changes with Apache 2.0.51 - *) SECURITY: CAN-2004-0786 (cve.mitre.org) + *) SECURITY: CVE-2004-0786 (cve.mitre.org) Fix an input validation issue in apr-util which could be triggered by malformed IPv6 literal addresses. [Joe Orton] - *) SECURITY: CAN-2004-0747 (cve.mitre.org) + *) SECURITY: CVE-2004-0747 (cve.mitre.org) Fix buffer overflow in expansion of environment variables in configuration file parsing. [André Malo] - *) SECURITY: CAN-2004-0809 (cve.mitre.org) + *) SECURITY: CVE-2004-0809 (cve.mitre.org) mod_dav_fs: Fix a segfault in the handling of an indirect lock refresh. PR 31183. [Joe Orton] @@ -1223,7 +1223,7 @@ Changes with Apache 2.0.51 server shutdown on these code paths. [Bill Stoddard] - *) SECURITY: CAN-2004-0751 (cve.mitre.org) + *) SECURITY: CVE-2004-0751 (cve.mitre.org) mod_ssl: Fix a segfault in the SSL input filter which could be triggered if using "speculative" mode, for instance by a proxy request to an SSL server. PR 30134. [Joe Orton] @@ -1276,7 +1276,7 @@ Changes with Apache 2.0.51 *) mod_ssl: Build on RHEL 3. PR 18989. [Justin Erenkrantz] - *) SECURITY: CAN-2004-0748 (cve.mitre.org) + *) SECURITY: CVE-2004-0748 (cve.mitre.org) mod_ssl: Fix a potential infinite loop. PR 29964. [Joe Orton] *) mod_ssl: Avoid startup failure after unclean shutdown if using shmcb. @@ -1364,7 +1364,7 @@ Changes with Apache 2.0.51 Changes with Apache 2.0.50 - *) SECURITY: CAN-2004-0493 (cve.mitre.org) + *) SECURITY: CVE-2004-0493 (cve.mitre.org) Close a denial of service vulnerability identified by Georgi Guninski which could lead to memory exhaustion with certain input data. [Jeff Trawick] @@ -1394,7 +1394,7 @@ Changes with Apache 2.0.50 *) util_ldap: allow relative paths for LDAPTrustedCA to be resolved against ServerRoot PR#26602 [Brad Nicholes] - *) SECURITY: CAN-2004-0488 (cve.mitre.org) + *) SECURITY: CVE-2004-0488 (cve.mitre.org) mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for a (trusted) client certificate subject DN which exceeds 6K in length. [Joe Orton] @@ -1541,7 +1541,7 @@ Changes with Apache 2.0.50 Changes with Apache 2.0.49 - *) SECURITY: CAN-2004-0174 (cve.mitre.org) + *) SECURITY: CVE-2004-0174 (cve.mitre.org) Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until @@ -1825,12 +1825,12 @@ Changes with Apache 2.0.49 Changes with Apache 2.0.48 - *) SECURITY: CAN-2003-0789 (cve.mitre.org) + *) SECURITY: CVE-2003-0789 (cve.mitre.org) mod_cgid: Resolve some mishandling of the AF_UNIX socket used to communicate with the cgid daemon and the CGI script. [Jeff Trawick] - *) SECURITY: CAN-2003-0542 (cve.mitre.org) + *) SECURITY: CVE-2003-0542 (cve.mitre.org) Fix buffer overflows in mod_alias and mod_rewrite which occurred if one configured a regular expression with more than 9 captures. [André Malo] @@ -1984,19 +1984,19 @@ Changes with Apache 2.0.48 Changes with Apache 2.0.47 - *) SECURITY: CAN-2003-0192 (cve.mitre.org) + *) SECURITY: CVE-2003-0192 (cve.mitre.org) Fixed a bug whereby certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. [Ben Laurie] - *) SECURITY: CAN-2003-0253 (cve.mitre.org) + *) SECURITY: CVE-2003-0253 (cve.mitre.org) Fixed a bug in prefork MPM causing temporary denial of service when accept() on a rarely accessed port returns certain errors. Reported by Saheed Akhtar . [Jeff Trawick] - *) SECURITY: CAN-2003-0254 (cve.mitre.org) + *) SECURITY: CVE-2003-0254 (cve.mitre.org) Fixed a bug in ftp proxy causing denial of service when target host is IPv6 but proxy server can't create IPv6 socket. Fixed by the reporter. [Yoshioka Tsuneo ] @@ -2031,13 +2031,13 @@ Changes with Apache 2.0.47 Changes with Apache 2.0.46 - *) SECURITY: CAN-2003-0245 (cve.mitre.org) + *) SECURITY: CVE-2003-0245 (cve.mitre.org) Fixed a bug causing apr_pvsprintf() to crash by sending an overly long string. This can be triggered remotely through mod_dav, mod_ssl, and other mechanisms. Reported by David Endler . [Joe Orton] - *) SECURITY: CAN-2003-0189 (cve.mitre.org) + *) SECURITY: CVE-2003-0189 (cve.mitre.org) Fixed a denial-of-service vulnerability affecting basic authentication on Unix platforms related to thread-safety in apr_password_validate(). @@ -2169,13 +2169,13 @@ Changes with Apache 2.0.46 *) Fixed a segfault when multiple ProxyBlock directives were used. PR: 19023 [Sami Tikka ] - *) SECURITY: CAN-2003-0134 (cve.mitre.org) + *) SECURITY: CVE-2003-0134 (cve.mitre.org) OS2: Fix a Denial of Service vulnerability identified and reported by Robert Howard that where device names faulted the running OS2 worker process. The fix is actually in APR 0.9.4. [Brian Havard] - *) SECURITY: CAN-2003-0083 (cve.mitre.org) + *) SECURITY: CVE-2003-0083 (cve.mitre.org) Forward port: Escape special characters (especially control characters) in mod_log_config to make a clear distinction between client-supplied strings (with special characters) and server-side @@ -2192,7 +2192,7 @@ Changes with Apache 2.0.45 *) Fix possible segfaults under obscure error conditions within the cgid daemon. [Jeff Trawick, William Rowe] - *) SECURITY: CAN-2003-0132 (cve.mitre.org) + *) SECURITY: CVE-2003-0132 (cve.mitre.org) Close a Denial of Service vulnerability identified by David Endler on all platforms. An unlimited stream of newlines were acceptable between requests where each @@ -2699,7 +2699,7 @@ Changes with Apache 2.0.43 Changes with Apache 2.0.42 - *) SECURITY: CAN-2002-1593 (cve.mitre.org) [CERT VU#406121] + *) SECURITY: CVE-2002-1593 (cve.mitre.org) [CERT VU#406121] mod_dav: Check for versioning hooks before using them. [Greg Stein] @@ -2843,7 +2843,7 @@ Changes with Apache 2.0.41 Changes with Apache 2.0.40 - *) SECURITY: CAN-2002-0661 (cve.mitre.org) + *) SECURITY: CVE-2002-0661 (cve.mitre.org) Close a very significant security hole that applies only to the Win32, OS2 and Netware platforms. Unix was not affected, Cygwin may be affected. Certain URIs will bypass security @@ -2855,7 +2855,7 @@ Changes with Apache 2.0.40 Reported by Auriemma Luigi . [Brad Nicholes] - *) SECURITY: CAN-2002-0654 (cve.mitre.org) + *) SECURITY: CVE-2002-0654 (cve.mitre.org) Close a path-revealing exposure in multiview type map negotiation (such as the default error documents) where the module would report the full path of the typemapped .var file when @@ -2863,7 +2863,7 @@ Changes with Apache 2.0.40 negotiation. Reported by Auriemma Luigi . [William Rowe] - *) SECURITY: CAN-2002-0654 (cve.mitre.org) + *) SECURITY: CVE-2002-0654 (cve.mitre.org) Close a path-revealing exposure in cgi/cgid when we fail to invoke a script. The modules would report "couldn't create child process /path-to-script/script.pl" revealing the full path @@ -3427,7 +3427,7 @@ Changes with Apache 2.0.36 *) Fix AcceptPathInfo. PR 8234 [Cliff Woolley] - *) SECURITY: CAN-2002-1592 (cve.mitre.org) [CERT VU#165803] + *) SECURITY: CVE-2002-1592 (cve.mitre.org) [CERT VU#165803] Added the APLOG_TOCLIENT flag to ap_log_rerror() to explicitly tell the server that warning messages should be sent to the client in addition to being recorded in the error log. @@ -7214,7 +7214,7 @@ Changes with Apache 2.0a5 container is VirtualHost or Directory or whatever. [Jeff Trawick] - *) SECURITY: CAN-2000-1204 (cve.mitre.org) + *) SECURITY: CVE-2000-1204 (cve.mitre.org) Prevent the source code for CGIs from being revealed when using mod_vhost_alias and the CGI directory is under the document root and a user makes a request like http://www.example.com//cgi-bin/cgi -- 2.40.0