Posted to dev@httpd.apache.org by Dmitri <dm...@SirDrinkalot.rm-f.net> on 2002/06/19 16:34:17 UTC

chunked encoding bug fix (Apache 1.3)

The issue described in this advisory [CAN-2002-0392] is fixed in 1.3.26.
However, I could find no bug associated with this issue in Apache Bugzilla.
I would like to know whether this change is documented somewhere outside
CVS.  As far as I understand, the changes included backporting chunked
encoding handling (http_protocol.c: 1.316 -> 1.317), and using ap_strtol()
instead of strtol().  Is that all?  I need this because I would just like
to apply this fix to my local apache source tree, which is version 1.3.20.

Please let me know if this is a sensible thing to do.

Thanks,
  - Dmitri.


Re: chunked encoding bug fix (Apache 1.3)

Posted by Dmitri <dm...@SirDrinkalot.rm-f.net>.
On Wed, Jun 19, 2002 at 11:19:40AM -0400, Cliff Woolley wrote:
> No, there's much more to it than that.  Several patches went in to several
> files, including http_protocol.c and several files in the proxy, possibly
> others.  Anyway, it's much safer just to upgrade to 1.3.26.
> 
> --Cliff

OK, thanks!

- Dmitri.


Re: chunked encoding bug fix (Apache 1.3)

Posted by Cliff Woolley <jw...@virginia.edu>.
On Wed, 19 Jun 2002, Dmitri wrote:

> The issue described in this advisory [CAN-2002-0392] is fixed in 1.3.26.
> However, I could find no bug associated with this issue in Apache Bugzilla.

Nobody ever submitted a bug report about it.  The bug database is not
meant to handle security issues, and it says so in big letters.  :-)

> I would like to know whether this change is documented somewhere outside
> CVS.

Not on any public channels, no.

> As far as I understand, the changes included backporting chunked
> encoding handling (http_protocol.c: 1.316 -> 1.317), and using
> ap_strtol() instead of strtol().  Is that all?  I need this because I
> would just like to apply this fix to my local apache source tree, which
> is version 1.3.20.

No, there's much more to it than that.  Several patches went in to several
files, including http_protocol.c and several files in the proxy, possibly
others.  Anyway, it's much safer just to upgrade to 1.3.26.

--Cliff