On 9/9/2011 9:07 AM, [email protected] wrote: > > Modified: httpd/httpd/branches/2.0.x/CHANGES > URL: > http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?rev=1167184&r1=1167183&r2=1167184&view=diff > ============================================================================== > --- httpd/httpd/branches/2.0.x/CHANGES [utf-8] (original) > +++ httpd/httpd/branches/2.0.x/CHANGES [utf-8] Fri Sep 9 14:07:38 2011 > @@ -1,6 +1,12 @@ > -*- coding: utf-8 > -*- > Changes with Apache 2.0.65 > > + *) SECURITY: CVE-2011-3192 (cve.mitre.org) > + core: Fix handling of byte-range requests to use less memory, to avoid > + denial of service. If the sum of all ranges in a request is larger than > + the original file, ignore the ranges and send the complete file. > + PR 51714. [Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem, > + Eric Covener]
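Review bot: the credit list in the new CVE-2011-3192 entry, `[Jeff Trawick, Stefan Fritsch, Jim Jagielski, Ruediger Pluem, Eric Covener]`, is incomplete as committed; the author of the fix to the regression (named in the reply below) is missing and should be added to the bracketed list before 2.0.65 ships with this CHANGES text.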
We should add <lowprio20 gmail.com>, who authored the fix to the regression, to that list.
