Consistently format SECURITY entries.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/APACHE_2_0_BRANCH@105735 13f79535-47bb-0310-9956-ffa450edef68

1 files changed, 61 insertions, 56 deletions

diff --git a/CHANGES b/CHANGES
index ab5e8ff9a1..79a9516e97 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,6 @@
 Changes with Apache 2.0.53
 
-  *) SECURITY: CAN-2004-0942 (cve.mitre.org):
+  *) SECURITY: CAN-2004-0942 (cve.mitre.org)
      Fix for memory consumption DoS in handling of MIME folded request
      headers.  [Joe Orton]
 
@@ -726,13 +726,15 @@ Changes with Apache 2.0.49
 
 Changes with Apache 2.0.48
 
-  *) SECURITY [CAN-2003-0789]: mod_cgid: Resolve some mishandling of
-     the AF_UNIX socket used to communicate with the cgid daemon and
-     the CGI script.  [Jeff Trawick]
+  *) SECURITY: CAN-2003-0789 (cve.mitre.org)
+     mod_cgid: Resolve some mishandling of the AF_UNIX socket used to
+     communicate with the cgid daemon and the CGI script.
+     [Jeff Trawick]
 
-  *) SECURITY [CAN-2003-0542]: Fix buffer overflows in mod_alias and 
-     mod_rewrite which occurred if one configured a regular expression 
-     with more than 9 captures.  [André Malo]
+  *) SECURITY: CAN-2003-0542 (cve.mitre.org)
+     Fix buffer overflows in mod_alias and mod_rewrite which occurred
+     if one configured a regular expression with more than 9 captures.
+     [André Malo]
 
   *) mod_include: fix segfault which occured if the filename was not
      set, for example, when processing some error conditions.
@@ -883,21 +885,22 @@ Changes with Apache 2.0.48
 
 Changes with Apache 2.0.47
 
-  *) SECURITY [CAN-2003-0192]: Fixed a bug whereby certain sequences
-     of per-directory renegotiations and the SSLCipherSuite directive
-     being used to upgrade from a weak ciphersuite to a strong one
-     could result in the weak ciphersuite being used in place of the
-     strong one.  [Ben Laurie]
+  *) SECURITY: CAN-2003-0192 (cve.mitre.org)
+     Fixed a bug whereby certain sequences of per-directory
+     renegotiations and the SSLCipherSuite directive being used to
+     upgrade from a weak ciphersuite to a strong one could result in
+     the weak ciphersuite being used in place of the strong one.  
+     [Ben Laurie]
 
-  *) SECURITY [CAN-2003-0253]: Fixed a bug in prefork MPM causing
-     temporary denial of service when accept() on a rarely accessed port
-     returns certain errors.  Reported by Saheed Akhtar
-     <S.Akhtar talis.com>.  [Jeff Trawick]
+  *) SECURITY: CAN-2003-0253 (cve.mitre.org)
+     Fixed a bug in prefork MPM causing temporary denial of service
+     when accept() on a rarely accessed port returns certain errors.
+     Reported by Saheed Akhtar <S.Akhtar talis.com>.  [Jeff Trawick]
 
-  *) SECURITY [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
-     of service when target host is IPv6 but proxy server can't create
-     IPv6 socket.  Fixed by the reporter.  [Yoshioka Tsuneo
-     <tsuneo.yoshioka f-secure.com>]
+  *) SECURITY: CAN-2003-0254 (cve.mitre.org)
+     Fixed a bug in ftp proxy causing denial of service when target
+     host is IPv6 but proxy server can't create IPv6 socket.  Fixed by
+     the reporter.  [Yoshioka Tsuneo <tsuneo.yoshioka f-secure.com>]
 
   *) SECURITY [VU#379828] Prevent the server from crashing when entering
      infinite loops. The new LimitInternalRecursion directive configures
@@ -929,16 +932,17 @@ Changes with Apache 2.0.47
 
 Changes with Apache 2.0.46
 
-  *) SECURITY [CAN-2003-0245]: Fixed a bug causing apr_pvsprintf() to crash 
-     by sending an overly long string.  This can be triggered remotely 
-     through mod_dav, mod_ssl, and other mechanisms.  Reported by David
-     Endler <DEndler iDefense.com>.
-     [Joe Orton <jorton redhat.com>]
+  *) SECURITY: CAN-2003-0245 (cve.mitre.org)
+     Fixed a bug causing apr_pvsprintf() to crash by sending an overly
+     long string.  This can be triggered remotely through mod_dav,
+     mod_ssl, and other mechanisms.
+     Reported by David Endler <DEndler iDefense.com>.  [Joe Orton]
 
-  *) SECURITY [CAN-2003-0189]: Fixed a denial-of-service vulnerability
-     affecting basic authentication on Unix platforms related to
-     thread-safety in apr_password_validate().  The problem was reported
-     by John Hughes <john.hughes entegrity.com>.
+  *) SECURITY: CAN-2003-0189 (cve.mitre.org)
+     Fixed a denial-of-service vulnerability affecting basic
+     authentication on Unix platforms related to thread-safety in
+     apr_password_validate().
+     Reported by John Hughes <john.hughes entegrity.com>.
 
   *) Fix for mod_dav.  Call the 'can_be_activity' callback, if provided,
      when a MKACTIVITY request comes in.
@@ -1066,10 +1070,11 @@ Changes with Apache 2.0.46
   *) Fixed a segfault when multiple ProxyBlock directives were used.
      PR: 19023 [Sami Tikka <sami.tikka f-secure.com>]
 
-  *) SECURITY [CAN-2003-0134] OS2: Fix a Denial of Service vulnerability 
-     identified and reported by Robert Howard <rihoward rawbw.com> that 
-     where device names faulted the running OS2 worker process.
-     The fix is actually in APR 0.9.4.  [Brian Havard]
+  *) SECURITY: CAN-2003-0134 (cve.mitre.org)
+     OS2: Fix a Denial of Service vulnerability identified and
+     reported by Robert Howard <rihoward rawbw.com> that where device
+     names faulted the running OS2 worker process.  The fix is
+     actually in APR 0.9.4.  [Brian Havard]
 
   *) Forward port: Escape special characters (especially control
      characters) in mod_log_config to make a clear distinction between
@@ -1087,11 +1092,12 @@ Changes with Apache 2.0.45
   *) Fix possible segfaults under obscure error conditions within the
      cgid daemon.  [Jeff Trawick, William Rowe]
 
-  *) SECURITY [CAN-2003-0132]: Close a Denial of Service vulnerability
-     identified by David Endler <DEndler iDefense.com> on all platforms.
-     An unlimited stream of newlines were acceptable between requests
-     where each <lf> would allocate an 80 byte buffer, leading very
-     quickly to memory exahustion.  [Brian Pane]
+  *) SECURITY: CAN-2003-0132 (cve.mitre.org)
+     Close a Denial of Service vulnerability identified by David
+     Endler <DEndler iDefense.com> on all platforms.  An unlimited
+     stream of newlines were acceptable between requests where each
+     <lf> would allocate an 80 byte buffer, leading very quickly to
+     memory exahustion.  [Brian Pane]
 
   *) Added an rpm build script.
      [Graham Leggett, Joe Orton <jorton redhat.com>]
@@ -1535,14 +1541,14 @@ Changes with Apache 2.0.44
 
 Changes with Apache 2.0.43
 
-  *) SECURITY [CVE-2002-0840]: HTML-escape the address produced by 
-     ap_server_signature() against this cross-site scripting 
-     vulnerability exposed by the directive 'UseCanonicalName Off'.  
-     Also HTML-escape the SERVER_NAME environment variable for CGI 
-     and SSI requests.  It's safe to escape as only the '<', '>', 
-     and '&' characters are affected, which won't appear in a valid 
-     hostname.  Reported by Matthew Murphy <mattmurphy kc.rr.com>.
-     [Brian Pane]
+  *) SECURITY: CVE-2002-0840 (cve.mitre.org)
+     HTML-escape the address produced by ap_server_signature() against
+     this cross-site scripting vulnerability exposed by the directive
+     'UseCanonicalName Off'.  Also HTML-escape the SERVER_NAME
+     environment variable for CGI and SSI requests.  It's safe to
+     escape as only the '<', '>', and '&' characters are affected,
+     which won't appear in a valid hostname.  Reported by Matthew
+     Murphy <mattmurphy kc.rr.com>.  [Brian Pane]
 
   *) Fix a core dump in mod_cache when it attemtped to store uncopyable
      buckets. This happened, for instance, when a file to be cached
@@ -1558,7 +1564,7 @@ Changes with Apache 2.0.43
      could lead to an infinite loop.  PR 12705  
      [Amund Elstad <amund.elstad ergo.no>, Jeff Trawick]
 
-  *) SECURITY [CVE-2002-1156] (cve.mitre.org):
+  *) SECURITY: CVE-2002-1156 (cve.mitre.org)
      Fix the exposure of CGI source when a POST request is sent to 
      a location where both DAV and CGI are enabled. [Ryan Bloom]
 
@@ -1736,7 +1742,7 @@ Changes with Apache 2.0.41
 
 Changes with Apache 2.0.40
 
-  *) SECURITY [CAN-2002-0661] (cve.mitre.org): 
+  *) SECURITY: CAN-2002-0661 (cve.mitre.org) 
      Close a very significant security hole that 
      applies only to the Win32, OS2 and Netware platforms.  Unix was not 
      affected, Cygwin may be affected.  Certain URIs will bypass security
@@ -1748,7 +1754,7 @@ Changes with Apache 2.0.40
      Reported by Auriemma Luigi <bugtest sitoverde.com>.
      [Brad Nicholes]
 
-  *) SECURITY [CAN-2002-0654] (cve.mitre.org):
+  *) SECURITY: CAN-2002-0654 (cve.mitre.org)
      Close a path-revealing exposure in multiview type
      map negotiation (such as the default error documents) where the
      module would report the full path of the typemapped .var file when
@@ -1756,7 +1762,7 @@ Changes with Apache 2.0.40
      negotiation.  Reported by Auriemma Luigi <bugtest sitoverde.com>.
      [William Rowe]
 
-  *) SECURITY [CAN-2002-0654] (cve.mitre.org):
+  *) SECURITY: CAN-2002-0654 (cve.mitre.org)
      Close a path-revealing exposure in cgi/cgid when we 
      fail to invoke a script.  The modules would report "couldn't create 
      child process /path-to-script/script.pl" revealing the full path
@@ -2065,7 +2071,7 @@ Changes with Apache 2.0.37
      the pipes and spawning functionality working.
      [Brad Nicholes]
 
-  *) SECURITY [CVE-2002-0392] (cve.mitre.org) [CERT VU#944335]:
+  *) SECURITY: CVE-2002-0392 (cve.mitre.org) [CERT VU#944335]
      Detect overflow when reading the hex bytes forming a chunk line.
      [Aaron Bannert]
 
@@ -5716,7 +5722,7 @@ Changes with Apache 2.0a7
      multiple places and allows for an SSL module to be added much
      simpler. [Ryan Bloom]
 
-  *) SECURITY [CVE-2000-0913] (cve.mitre.org):
+  *) SECURITY: CVE-2000-0913 (cve.mitre.org)
      Fix a security problem that affects certain configurations of
      mod_rewrite. If the result of a RewriteRule is a filename that
      contains expansion specifiers, especially regexp backreferences
@@ -6106,7 +6112,7 @@ Changes with Apache 2.0a5
      container is VirtualHost or Directory or whatever.
      [Jeff Trawick]
 
-  *) SECURITY [CAN-2000-1204] (cve.mitre.org):
+  *) SECURITY: CAN-2000-1204 (cve.mitre.org)
      Prevent the source code for CGIs from being revealed when 
      using mod_vhost_alias and the CGI directory is under the document root
      and a user makes a request like http://www.example.com//cgi-bin/cgi
@@ -8520,12 +8526,11 @@ Changes with Apache 1.3.2
      run-time configurable using the ExtendedStatus directive.
      [Jim Jagielski]
 
-  *) SECURITY [CVE-1999-1199] (cve.mitre.org): 
+  *) SECURITY: CVE-1999-1199 (cve.mitre.org) 
      Eliminate O(n^2) space DoS attacks (and other O(n^2)
      cpu time attacks) in header parsing.  Add ap_overlap_tables(),
      a function which can be used to perform bulk update operations
-     on tables in a more efficient manner.
-     [Dean Gaudet]
+     on tables in a more efficient manner.  [Dean Gaudet]
 
   *) SECURITY: Added compile-time and configurable limits for
      various aspects of reading a client request to avoid some simple