dgaudet 98/01/19 17:50:44
Modified: . STATUS
src CHANGES
Log:
Notes on Marc's security patches from 1.2.5.
Revision Changes Path
1.104 +3 -0 apachen/STATUS
Index: STATUS
===================================================================
RCS file: /export/home/cvs/apachen/STATUS,v
retrieving revision 1.103
retrieving revision 1.104
diff -u -r1.103 -r1.104
--- STATUS 1998/01/20 00:52:58 1.103
+++ STATUS 1998/01/20 01:50:40 1.104
@@ -90,6 +90,7 @@
* general/1666: Apache uses a case sensitive match for "Basic" auth
scheme
* mod_rewrite/1684: RewriteLog directive does the equivalent of
"HostnameLookups on"
* protocol/1683: The Connection header may contain multiple close tokens
+ * some of Marc's 1.2.5 security patches (minus proxy fixes)
Available Patches:
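Review bot: The added STATUS entry "some of Marc's 1.2.5 security patches (minus proxy fixes)" does not say which patches it covers, while the entries above it each carry a category and PR number. Name the three fixes that src/CHANGES lists in this same commit (logresolve, cfg_getline, ht_time) so the entry can be checked against the 1.2.5 changes without guessing what "some of" means.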
@@ -176,6 +177,8 @@
Status: Jim'll look into it
* os_ abstract is_only_below() in mod_include.c
+
+ * proxy security fixes from 1.2.5 need to be brought forward
Closed issues:
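Review bot: The added to-do "proxy security fixes from 1.2.5 need to be brought forward" names neither the individual fixes nor an owner, so STATUS alone cannot show when it is done. List the affected proxy changes, or point at the corresponding 1.2.5 CHANGES entries, and add a "Status:" line like the one a few lines above, since this item tracks security fixes the tree does not yet have.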
1.570 +11 -0 apachen/src/CHANGES
Index: CHANGES
===================================================================
RCS file: /export/home/cvs/apachen/src/CHANGES,v
retrieving revision 1.569
retrieving revision 1.570
diff -u -r1.569 -r1.570
--- CHANGES 1998/01/20 00:33:10 1.569
+++ CHANGES 1998/01/20 01:50:42 1.570
@@ -1,5 +1,16 @@
Changes with Apache 1.3b4
+ *) SECURITY: Fix a possible buffer overflow in logresolve. This is
+ only an issue on systems without a MAXDNAME define or where
+ the resolver returns domain names longer than MAXDNAME. [Marc Slemko]
+
+ *) SECURITY: Eliminate possible buffer overflow in cfg_getline, which
+ is used to read various types of files such as htaccess and
+ htpasswd files. [Marc Slemko]
+
+ *) SECURITY: Ensure that the buffer returned by ht_time is always
+ properly null terminated. [Marc Slemko]
+
*) The "Connection" header could be sent back with multiple "close"
tokens. Not an error, but a waste.
[EMAIL PROTECTED] PR#1683
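Review bot: The cfg_getline and ht_time entries do not state what triggers the problem, whereas the logresolve entry spells out its condition ("systems without a MAXDNAME define or where the resolver returns domain names longer than MAXDNAME"). Add a clause to each saying what input or caller reaches the overflow or the unterminated buffer, so an administrator reading CHANGES can judge exposure; for cfg_getline, which the entry says reads htaccess and htpasswd files, it matters whether the content of those files is what triggers it.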