Posted to cvs@httpd.apache.org by co...@apache.org on 2014/07/18 03:00:08 UTC
svn commit: r1611522 - /httpd/httpd/branches/2.2.x/STATUS
Author: covener
Date: Fri Jul 18 01:00:08 2014
New Revision: 1611522
URL: http://svn.apache.org/r1611522
Log:
add patch/proposal for CVE-2013-5704 trailers thing
Modified:
httpd/httpd/branches/2.2.x/STATUS
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1611522&r1=1611521&r2=1611522&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Jul 18 01:00:08 2014
@@ -103,6 +103,19 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
[ New proposals should be added at the end of the list ]
+
+ *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+ core: HTTP trailers could be used to replace HTTP headers
+ late during request processing, potentially undoing or
+ otherwise confusing modules that examined or modified
+ request headers earlier. Adds "MergeTrailers" directive to restore
+ legacy behavior.
+ trunk patch: http://svn.apache.org/r1610814
+ http://svn.apache.org/r1610686 (mod_log_config ^XX support)
+ http://svn.apache.org/r1610707 (mod_log_cofnig ^XX support)
+ 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-trailers.diff
+ +1: covener
+
* mod_proxy: Don't reuse a SSL backend connection whose SNI differs. PR 55782.
This may happen when ProxyPreserveHost is on and the proxy-worker
handles connections to different Hosts.
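Review bot: the second mod_log_config line of the new entry misspells the module as "mod_log_cofnig"; it should read "mod_log_config" so the entry turns up when STATUS is searched for the module name. The entry also says "MergeTrailers" restores legacy behavior without saying what the default is once the patch is applied; stating the default in the entry would tell voters whether existing 2.2.x configurations change behavior on upgrade.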
Re: svn commit: r1611522 - /httpd/httpd/branches/2.2.x/STATUS
Posted by Eric Covener <co...@gmail.com>.
thank you! proposal updated
On Fri, Jul 18, 2014 at 4:47 AM, Ruediger Pluem <rp...@apache.org> wrote:
>
>
> covener@apache.org wrote:
>> Author: covener
>> Date: Fri Jul 18 01:00:08 2014
>> New Revision: 1611522
>>
>> URL: http://svn.apache.org/r1611522
>> Log:
>>
>> add patch/proposal for CVE-2013-5704 trailers thing
>>
>>
>> Modified:
>> httpd/httpd/branches/2.2.x/STATUS
>>
>> Modified: httpd/httpd/branches/2.2.x/STATUS
>> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1611522&r1=1611521&r2=1611522&view=diff
>> ==============================================================================
>> --- httpd/httpd/branches/2.2.x/STATUS (original)
>> +++ httpd/httpd/branches/2.2.x/STATUS Fri Jul 18 01:00:08 2014
>> @@ -103,6 +103,19 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>> PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>> [ New proposals should be added at the end of the list ]
>>
>> +
>> + *) SECURITY: CVE-2013-5704 (cve.mitre.org)
>> + core: HTTP trailers could be used to replace HTTP headers
>> + late during request processing, potentially undoing or
>> + otherwise confusing modules that examined or modified
>> + request headers earlier. Adds "MergeTrailers" directive to restore
>> + legacy behavior.
>> + trunk patch: http://svn.apache.org/r1610814
>> + http://svn.apache.org/r1610686 (mod_log_config ^XX support)
>> + http://svn.apache.org/r1610707 (mod_log_cofnig ^XX support)
>> + 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-trailers.diff
>> + +1: covener
>
>
> + if (!apr_is_empty_table(rp->trailers_in)) {
> + apr_table_do(add_trailers, rp->trailers_out,
> + rp->trailers_in, NULL);
> + apr_table_clear(rp->trailers_in);
> + }
> +
>
> I guess that should be r->trailers_out instead of rp->trailers_out.
>
>
> Regards
>
> Rüdiger
--
Eric Covener
covener@gmail.com
Re: svn commit: r1611522 - /httpd/httpd/branches/2.2.x/STATUS
Posted by Ruediger Pluem <rp...@apache.org>.
covener@apache.org wrote:
> Author: covener
> Date: Fri Jul 18 01:00:08 2014
> New Revision: 1611522
>
> URL: http://svn.apache.org/r1611522
> Log:
>
> add patch/proposal for CVE-2013-5704 trailers thing
>
>
> Modified:
> httpd/httpd/branches/2.2.x/STATUS
>
> Modified: httpd/httpd/branches/2.2.x/STATUS
> URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1611522&r1=1611521&r2=1611522&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/STATUS (original)
> +++ httpd/httpd/branches/2.2.x/STATUS Fri Jul 18 01:00:08 2014
> @@ -103,6 +103,19 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
> PATCHES PROPOSED TO BACKPORT FROM TRUNK:
> [ New proposals should be added at the end of the list ]
>
> +
> + *) SECURITY: CVE-2013-5704 (cve.mitre.org)
> + core: HTTP trailers could be used to replace HTTP headers
> + late during request processing, potentially undoing or
> + otherwise confusing modules that examined or modified
> + request headers earlier. Adds "MergeTrailers" directive to restore
> + legacy behavior.
> + trunk patch: http://svn.apache.org/r1610814
> + http://svn.apache.org/r1610686 (mod_log_config ^XX support)
> + http://svn.apache.org/r1610707 (mod_log_cofnig ^XX support)
> + 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-trailers.diff
> + +1: covener
+ if (!apr_is_empty_table(rp->trailers_in)) {
+ apr_table_do(add_trailers, rp->trailers_out,
+ rp->trailers_in, NULL);
+ apr_table_clear(rp->trailers_in);
+ }
+
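Review bot: on the apr_table_do line the destination is rp->trailers_out while the source on the next line is rp->trailers_in, so the copy stays on the same request record before rp->trailers_in is cleared. If the block is meant to hand the trailers to a different request, the destination has to be that request's table (r->trailers_out, as suggested below), and a short comment above the if saying why trailers_in is cleared after the copy would make the intent reviewable.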
I guess that should be r->trailers_out instead of rp->trailers_out.
Regards
Rüdiger