Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2012/01/30 22:54:10 UTC

1.3 patches for recent security issues (funny or not, depending on your situation)

Notes to the general public:
* This is not necessarily a complete list, depending on your idea of "recent".
* These are not official patches.
* These do not match any vetted commits to the source tree.
* No official release of these or other fixes to 1.3 is planned.

CVE-2011-3368/CVE-2011-4317:
http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch

CVE-2011-3607:
N/A

CVE-2012-0021:
N/A

CVE-2012-0031:
N/A

CVE-2012-0053:
http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch

Re: 1.3 patches for recent security issues (funny or not, depending on your situation)

Posted by Jeff Trawick <tr...@gmail.com>.
On Mon, Jan 30, 2012 at 5:07 PM, William A. Rowe Jr.
<wr...@rowe-clan.net> wrote:
> On 1/30/2012 3:54 PM, Jeff Trawick wrote:
>> Notes to the general public:
>> * This is not necessarily a complete list, depending on your idea of "recent".
>> * These are not official patches.
>> * These do not match any vetted commits to the source tree.
>> * No official release of these or other fixes to 1.3 is planned.
>>
>> CVE-2011-3368/CVE-2011-4317:
>> http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch
>>
>> CVE-2012-0053:
>> http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
>
> Perhaps update security.xml for these?  They can be deposited into the
> appropriate patches/apply_to_1.3.42/ - and we should probably clean out
> all the other apply_to_1.3 patches from www.a.o (still, on archive.a.o).

I'll get security.xml updated.  CVE-2011-3368 is already mentioned,
but someone else should reach the same conclusion as me that only
these other CVEs need to be added.  (4317 is tricky as it explicitly
covers the stuff not fixed by the 3368 fix, but there was no 3368 fix
for 1.3...  and then there's the HTTP/0.9 fun with
2.0+original-3368-patch.)

The patches need some reviews before uploading.

Re: 1.3 patches for recent security issues (funny or not, depending on your situation)

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 1/30/2012 3:54 PM, Jeff Trawick wrote:
> Notes to the general public:
> * This is not necessarily a complete list, depending on your idea of "recent".
> * These are not official patches.
> * These do not match any vetted commits to the source tree.
> * No official release of these or other fixes to 1.3 is planned.
> 
> CVE-2011-3368/CVE-2011-4317:
> http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch
> 
> CVE-2012-0053:
> http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch

Perhaps update security.xml for these?  They can be deposited into the
appropriate patches/apply_to_1.3.42/ - and we should probably clean out
all the other apply_to_1.3 patches from www.a.o (still, on archive.a.o).