From c998a9d10fe300f4d2b4f2cc7ef82df190563711 Mon Sep 17 00:00:00 2001 From: "William A. Rowe Jr" Date: Tue, 20 Sep 2005 18:38:02 +0000 Subject: [PATCH] Sync to 2.0.x changes git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@290519 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/CHANGES b/CHANGES index 01f25b9d7c..eed683db65 100644 --- a/CHANGES +++ b/CHANGES @@ -115,19 +115,6 @@ Changes with Apache 2.1.7 based on the proxy status. (minor MMN bump) [Brian Akins , Ian Holsman] - *) SECURITY: CAN-2005-2088 - proxy: Correctly handle the Transfer-Encoding and Content-Length - headers. Discard the request Content-Length whenever T-E: chunked - is used, always passing one of either C-L or T-E: chunked whenever - the request includes a request body. Resolves an entire class of - proxy HTTP Request Splitting/Spoofing attacks. [William Rowe] - - *) Added TraceEnable [on|off|extended] per-server directive to alter - the behavior of the TRACE method. This addresses a flaw in proxy - conformance to RFC 2616 - previously the proxy server would accept - a TRACE request body although the RFC prohibited it. The default - remains 'TraceEnable on'. [William Rowe] - *) Add additional SSLSessionCache option, 'nonenotnull', which is similar to 'none' (disabling any external shared cache) but forces OpenSSL to provide a non-null session ID. [Jim Jagielski] 
@@ -860,6 +847,19 @@ Changes with Apache 2.1.1 Changes with Apache 2.0.55 + *) SECURITY: CAN-2005-2088 (cve.mitre.org) + proxy: Correctly handle the Transfer-Encoding and Content-Length + headers. Discard the request Content-Length whenever T-E: chunked + is used, always passing one of either C-L or T-E: chunked whenever + the request includes a request body. Resolves an entire class of + proxy HTTP Request Splitting/Spoofing attacks. [William Rowe] + + *) Added TraceEnable [on|off|extended] per-server directive to alter + the behavior of the TRACE method. This addresses a flaw in proxy + conformance to RFC 2616 - previously the proxy server would accept + a TRACE request body although the RFC prohibited it. The default + remains 'TraceEnable on'. [William Rowe] + *) Add ap_log_cerror() for logging messages associated with particular client connections. [Jeff Trawick] -- 2.40.0
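Review bot: In the first hunk (the 2.1.7 section), the two entries are deleted outright rather than replaced with any pointer, so a reader of the trunk 2.1.7 changes no longer sees that the CAN-2005-2088 proxy fix and the TraceEnable directive are present in this branch unless they scroll down to the 2.0.55 section; that is the file's usual convention (an entry lives under the earliest release that shipped it), but the commit message "Sync to 2.0.x changes" does not say so, so consider stating in the message that the entries were moved because they first shipped in 2.0.55, not that they were dropped.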
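Review bot: The second hunk is not a pure move of the text removed in the first: the added security entry reads "*) SECURITY: CAN-2005-2088 (cve.mitre.org)" while the removed one reads "*) SECURITY: CAN-2005-2088", so the two sections would otherwise diverge; if the "(cve.mitre.org)" annotation is the intended style for pointing readers at the identifier's source, apply it consistently to the other SECURITY entries in CHANGES rather than to this one alone, or drop it here so the moved text matches what was removed. Placing the SECURITY entry as the first item under 2.0.55 is right, since that is where readers looking for the request-splitting fix will look first.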