security

Remove a stray fixme.

Missing date and affects

Another mistake

Actually these were fixed in 2.4.41

Fix mistake in html

Merge new vulnerability info

Fix the vulnerable versions to match our announcement for CVE-2019-0196

Update with latest batch of vulnerabilities
Missing update to vulns-xml

Add notes for CVE-2018-11763
Remove affects 2.4.30 as that was an unreleased version (noticed by Tomas Hoger)

Add missing details for CVE-2016-4975 which was mitigated by other changes

We got some questions about http/2 support, clarify

add 2.3.34 vulns that were fixed
Since 2.4.30 was never released we really ought to show that 2.4.33 which was the first release with these fixes was the fixed version

Add suggested text from wrowe

We want to create the 1.3 and 2.0 vuln pages again as this info is lost otherwise, but with a big flashing "don't use this" warning

Make it more explicit that while this page was correct as of EOL, it's no longer being updated.

Update the vulnerability XML to have one CVE per issue which means altering the way we specify which issues are affected and merging the descriptions and vulnerable versions. This will allow us to reuse the XML to generate our mailing list announcements and Mitre JSON submission and be future proof to work for future major parallel releases.

Also cleanup the httpd xml a little replacing any dead links, upgrading links to https from http.

We still generate the 2.2 page (and should generate the 2.0 and 1.3 legacy ones too) so note in big letters that it's unsupported now

There is no level medium so align to our published defined levels, and fix a couple of older bad indexes into the severity level
Match vulnerabilities' release date with doap's.
Update security vulnerabilities' page for 2.4.30-33.
Prepare to announce, mirrors are long synced
Correct link
Record CVE-2017-9798
vulns page: replace obsolete <a> anchor with id

HTML5 browsers now complain about the anchor idiom (both the empty <a/> tag and the use of the obsolete name attribute). Now that we have a header element, give that an id instead.

several small improvements to security page markup

primarily whitespace fixes

wrap data/affected versions in a table to differentiate

Submitted by: Hank Ibell

Committed by: covener

copy markup fix from r1803119 to 2.2 entry

Clean up odd nesting effects observed in Chrome

Clean up odd nesting effects observed in Chrome
Touch to force regen of html