Posted to cvs@httpd.apache.org by wr...@apache.org on 2015/06/09 22:25:54 UTC

svn commit: r1684519 - /httpd/httpd/branches/2.2.x/STATUS

Author: wrowe
Date: Tue Jun  9 20:25:53 2015
New Revision: 1684519

URL: http://svn.apache.org/r1684519
Log:
Offer a showstopper for 2.2.30 requiring one more reviewer/vote

Modified:
    httpd/httpd/branches/2.2.x/STATUS

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1684519&r1=1684518&r2=1684519&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Tue Jun  9 20:25:53 2015
@@ -97,6 +97,26 @@ CURRENT RELEASE NOTES:
 
 RELEASE SHOWSTOPPERS:
 
+  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
+     core: Fix chunk header parsing defect.
+     Remove apr_brigade_flatten(), buffering and duplicated code from
+     the HTTP_IN filter, parse chunks in a single pass with zero copy.
+     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
+     authorized characters.  [Graham Leggett, Yann Ylavic]
+  Submitted by: graham, ylavic
+  Reviewed by: ylavic, wrowe, jim
+  Backports: 1484852, 1684513
+  Reported by: Régis Leroy
+
+  trunk
+    https://svn.apache.org/r1484852
+    https://svn.apache.org/r1684513
+  2.4.x branch
+    https://svn.apache.org/r1684515
+  2.2.x branch
+    https://svn.apache.org/repos/private/pmc/httpd/SECURITY/http_filter_chunked/httpd-2.2.x-ap_http_filter-chunked-v5.patch
+  +1: ylavic, wrowe
+  jim notes: test framework errors due to 413->400 error change [test adjusted]
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
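Review bot: The "Reviewed by: ylavic, wrowe, jim" line in the new CVE-2015-3183 entry disagrees with the "+1: ylavic, wrowe" line further down, where jim appears only in a notes line. The log message says the entry still needs one more reviewer/vote, so either drop jim from "Reviewed by" until his vote is recorded or record his position explicitly next to the +1 list. Separately, the 2.2.x branch link points under repos/private/pmc/, which a reader without access to that repository cannot fetch; note that restriction in the entry or replace the link with a public location once one exists. The metadata lines (Submitted by, Reviewed by, Backports, Reported by) are indented two spaces while the entry body is indented five, so aligning them would keep the item readable as one block.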