Posted to dev@httpd.apache.org by Dmitri <dm...@SirDrinkalot.rm-f.net> on 2002/06/19 16:34:17 UTC
chunked encoding bug fix (Apache 1.3)
The issue described in this advisory [CAN-2002-0392] is fixed in 1.3.26.
However, I could find no bug associated with this issue in Apache Bugzilla.
I would like to know whether this change is documented somewhere outside
CVS. As far as I understand, the changes included backporting chunked
encoding handling (http_protocol.c: 1.316 -> 1.317), and using ap_strtol()
instead of strtol(). Is that all? I need this because I would just like
to apply this fix to my local Apache source tree, which is version 1.3.20.
Please let me know if this is a sensible thing to do.
Thanks,
- Dmitri.
Re: chunked encoding bug fix (Apache 1.3)
Posted by Dmitri <dm...@SirDrinkalot.rm-f.net>.
On Wed, Jun 19, 2002 at 11:19:40AM -0400, Cliff Woolley wrote:
> No, there's much more to it than that. Several patches went in to several
> files, including http_protocol.c and several files in the proxy, possibly
> others. Anyway, it's much safer just to upgrade to 1.3.26.
>
> --Cliff
OK, thanks!
- Dmitri.
Re: chunked encoding bug fix (Apache 1.3)
Posted by Cliff Woolley <jw...@virginia.edu>.
On Wed, 19 Jun 2002, Dmitri wrote:
> The issue described in this advisory [CAN-2002-0392] is fixed in 1.3.26.
> However, I could find no bug associated with this issue in Apache Bugzilla.
Nobody ever submitted a bug report about it. The bug database is not
meant to handle security issues, and it says so in big letters. :-)
> I would like to know whether this change is documented somewhere outside
> CVS.
Not on any public channels, no.
> As far as I understand, the changes included backporting chunked
> encoding handling (http_protocol.c: 1.316 -> 1.317), and using
> ap_strtol() instead of strtol(). Is that all? I need this because I
> would just like to apply this fix to my local Apache source tree, which
> is version 1.3.20.
No, there's much more to it than that. Several patches went in to several
files, including http_protocol.c and several files in the proxy, possibly
others. Anyway, it's much safer just to upgrade to 1.3.26.
--Cliff