Please don't remove that altogether. The proper name of the entire class of vulnerabilities (of which Splitting and Spoofing are a subset) is HTTP Response Splitting.
At 01:16 PM 7/8/2005, [EMAIL PROTECTED] wrote: >Author: jorton >Date: Fri Jul 8 11:16:49 2005 >New Revision: 209854 > >URL: http://svn.apache.org/viewcvs?rev=209854&view=rev >Log: >Don't talk about request smuggling in the response handling fix. > >Modified: > httpd/httpd/trunk/CHANGES > >Modified: httpd/httpd/trunk/CHANGES >URL: >http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=209854&r1=209853&r2=209854&view=diff >============================================================================== >--- httpd/httpd/trunk/CHANGES (original) >+++ httpd/httpd/trunk/CHANGES Fri Jul 8 11:16:49 2005 >@@ -30,8 +30,7 @@ > > *) proxy HTTP: If a response contains both Transfer-Encoding and a > Content-Length, remove the Content-Length and don't reuse the >- connection, stopping some HTTP Request smuggling attacks. >- [Jeff Trawick] >+ connection. [Jeff Trawick] > > *) mod_cgid: Fix buffer overflow processing ScriptSock directive. > [Steve Kemp <steve steve.org.uk>] >@@ -122,7 +121,7 @@ > > *) mod_deflate: Merge the Vary header, isntead of Setting it. Fixes > applications that send the Vary Header themselves, and also apply >- mod_defalte as an output filter. [Paul Querna] >+ mod_deflate as an output filter. [Paul Querna] > > *) Change the default (when not present in the config file) setting > for UseCanonicalName to Off.
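Review bot: In the first hunk (@@ -30,8 +30,7 @@), the proxy HTTP entry now ends at "connection. [Jeff Trawick]" and no longer says why a response carrying both Transfer-Encoding and a Content-Length is handled this way. Someone scanning CHANGES for security-relevant fixes can no longer tell that this is one. Rather than dropping the clause outright, consider replacing it with the name of the attack class the fix addresses, once the naming question raised in this thread is settled.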
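Review bot: In the second hunk (@@ -122,7 +121,7 @@), the mod_deflate entry still contains the typo "isntead" on the unchanged line directly above the corrected "mod_defalte". Fix it in the same commit so the line reads "Merge the Vary header, instead of Setting it.", and consider normalising the capitalisation of "Setting" and "Vary Header" while the entry is being touched.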
