author | William A. Rowe Jr <wrowe@apache.org> | 2003-04-11 20:22:20 +0000 |
---|---|---|
committer | William A. Rowe Jr <wrowe@apache.org> | 2003-04-11 20:22:20 +0000 |
commit | c1dbb62b88fc92dd14c983f5c3619067e07fc73a (patch) | |
tree | febb36e9de6df3c9caf43ebaf0b3497e5741286b /CHANGES | |
parent | 098a8c8a7f5b1e39386bdbb67783af278338bcef (diff) | |
download | httpd-c1dbb62b88fc92dd14c983f5c3619067e07fc73a.tar.gz |
Time for disclosure details
If anyone sees credit-where-credit-is-due that I've missed, please
add those individuals.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@99331 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'CHANGES')
-rw-r--r-- | CHANGES | 15 |
1 files changed, 11 insertions, 4 deletions
@@ -1,5 +1,10 @@ Changes with Apache 2.0.46 + *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability + identified and reported by Robert Howard <rihoward@rawbw.com> that + where device names faulted the running OS2 worker process. + The fix is actually in APR 0.9.4. [Brian Havard] + *) Forward port: Escape special characters (especially control characters) in mod_log_config to make a clear distinction between client-supplied strings (with special characters) and server-side @@ -18,7 +23,9 @@ Changes with Apache 2.0.45 *) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability identified by David Endler <DEndler@iDefense.com> on all platforms. - Details embargoed until their announcement on 8 April 2003. + An unlimited stream of newlines were acceptable between requests + where each <lf> would allocate an 80 byte buffer, leading very + quickly to memory exahustion. [Brian Pane] *) Added an rpm build script. [Graham Leggett, Joe Orton <jorton@redhat.com>] @@ -26,9 +33,9 @@ Changes with Apache 2.0.45 *) Simpler, faster code path for request header scanning [Brian Pane] *) SECURITY: Eliminated leaks of several file descriptors to child - processes, such as CGI scripts. This fix depends on the latest - APR library release 0.9.2, which is distributed with the httpd - source tarball for Apache 2.0.45. PR 17206 + processes, such as CGI scripts. This fix depends on the APR library + release 0.9.2 or later (0.9.3 was distributed with the httpd + source tarball for Apache 2.0.45.) PR 17206 [Christian Kratzer <ck@cksoft.de>, Bjoern A. Zeeb <bz@zabbadoz.net>] *) Fix path handling of mod_rewrite, especially on non-unix systems. |
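Review bot: The new CAN-2003-0134 entry in the first hunk (Changes with Apache 2.0.46) has a garbled relative clause: "identified and reported by Robert Howard <rihoward@rawbw.com> that where device names faulted the running OS2 worker process" stacks "that" and "where". Suggest dropping "that" and adding a comma: "... reported by Robert Howard <rihoward@rawbw.com>, where device names faulted the running OS2 worker process." Also, because the entry says the fix is actually in APR 0.9.4, state the dependency the way the file-descriptor entry further down does for 0.9.2, i.e. whether 2.0.46 requires APR 0.9.4 or later and whether that release ships in the 2.0.46 tarball, so that someone building against a system APR knows that upgrading httpd alone does not close the issue.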
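Review bot: In the second hunk (the CAN-2003-0132 entry under Apache 2.0.45), "An unlimited stream of newlines were acceptable" needs a singular verb for the subject "stream", and "exahustion" is misspelled. Suggest: "An unlimited stream of newlines was acceptable between requests, where each <lf> allocated an 80 byte buffer, leading very quickly to memory exhaustion." The replaced embargo line only described the bug; the new text still says nothing about what the fix does (whether blank lines between requests are now bounded or simply no longer allocate), which is what a reader comparing 2.0.44 and 2.0.45 behaviour would want to know.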
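Review bot: In the third hunk (the file-descriptor leak entry, PR 17206), the sentence-ending period has moved inside the parenthesis: "(0.9.3 was distributed with the httpd source tarball for Apache 2.0.45.)" should read "(0.9.3 was distributed with the httpd source tarball for Apache 2.0.45)." The change from "the latest APR library release 0.9.2" to "0.9.2 or later" is the right correction, but since the fix lives in APR it is worth saying explicitly that an httpd 2.0.45 build linked against an older system APR is still affected; the current wording implies this without stating it.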