Security release needed for 2.0

[Mark J Cox <ma...@awe.com>]

We've a few security issues fixed recently that haven't made it out into 
releases from the ASF, but have made it out into releases from the various 
OS vendors.  One issue is "important" severity, and public now for 10 
days.

I don't watch this list much, are there other things holding up a release?  
If so we ought to consider doing a 2.0.55 with just fixes for these issues
over 2.0.54:

CAN-2005-2700 important: SSLVerifyClient bypass

	A flaw in the mod_ssl handling of the "SSLVerifyClient"  
	directive. This flaw would occur if a virtual host has been
	configured using "SSLVerifyClient optional" and further a
	directive "SSLVerifyClient required" is set for a specific
	location.  For servers configured in this fashion, an attacker may
	be able to access resources that should otherwise be protected, by
	not supplying a client certificate when connecting.
	public=20050830
	[*** needs committing]

CAN-2005-2728 moderate: Byterange filter DoS

	A flaw in the byterange filter would cause some responses to be
	buffered into memory. If a server has a dynamic resource such as a
	CGI script or PHP script which generates a large amount of data,
	an attacker could send carefully crafted requests in order to
	consume resources, potentially leading to a Denial of Service.
	public=20050707
	[committed]

CAN-2005-2088 moderate: HTTP Request Spoofing

	A flaw occured when using the Apache server as a HTTP proxy. A
	remote attacker could send a HTTP request with both a
	"Transfer-Encoding:  chunked" header and a Content-Length header,
	causing Apache to incorrectly handle and forward the body of the
	request in a way that causes the receiving server to process it as
	a separate HTTP request.  This could allow the bypass of web
	application firewall protection or lead to cross-site scripting
	(XSS) attacks.
	public=20050611
	[committed]

CAN-2005-1268 low: Malicious CRL off-by-one

	An off-by-one stack overflow was discovered in the mod_ssl CRL
	verification callback. In order to exploit this issue the Apache
	server would need to be configured to use a malicious certificate
	revocation list (CRL)
	public=200506085~
	[committed]

CAN-2005-2491 low: PCRE overflow

	An integer overflow flaw was found in PCRE, a Perl-compatible
	regular expression library included within httpd.  A local user
	who has the ability to create .htaccess files could create a
	maliciously crafted regular expression in such as way that they
	could gain the privileges of a httpd child.
	public=20050801
	[*** needs committing]

Re: Security release needed for 2.0

["William A. Rowe, Jr." <wr...@rowe-clan.net>]

> CAN-2005-2088 moderate: HTTP Request Spoofing
> 
> 	A flaw occured when using the Apache server as a HTTP proxy. A
> 	remote attacker could send a HTTP request with both a
> 	"Transfer-Encoding:  chunked" header and a Content-Length header,
> 	causing Apache to incorrectly handle and forward the body of the
> 	request in a way that causes the receiving server to process it as
> 	a separate HTTP request.  This could allow the bypass of web
> 	application firewall protection or lead to cross-site scripting
> 	(XSS) attacks.
> 	public=20050611
> 	[committed]

Actually this isn't complete as the proxy body handling patch
illustrates.  There is a gross hack in the core, but that's only
triggered at the initial acceptance of the request headers, and
is subject to 'mutation' by *any* module or filter in the processing
chain.  The backport of mod_http_proxy.c needs review, if you are
voulenteering.

Also our TRACE implementation in proxy allows request bodies in 2.0.x,
while I'm not aware of a direct implication, it's unfair to blame client
exploits when we violated the RFC in the first place.

See STATUS/showstoppers.

I see no reason not to ship 2.0.55 complete once the last security
patches have been applied.  In fact, I'll RM a candidate 2.0 tarball
on Sunday if these showstoppers have been reviewed.

Thanks for joining the small chorus, Mark!

Bill