Posted to cvs@httpd.apache.org by wr...@apache.org on 2015/06/09 22:25:54 UTC
svn commit: r1684519 - /httpd/httpd/branches/2.2.x/STATUS
Author: wrowe
Date: Tue Jun 9 20:25:53 2015
New Revision: 1684519
URL: http://svn.apache.org/r1684519
Log:
Offer a showstopper for 2.2.30 requiring one more reviewer/vote
Modified:
httpd/httpd/branches/2.2.x/STATUS
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1684519&r1=1684518&r2=1684519&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Tue Jun 9 20:25:53 2015
@@ -97,6 +97,26 @@ CURRENT RELEASE NOTES:
RELEASE SHOWSTOPPERS:
+ *) SECURITY: CVE-2015-3183 (cve.mitre.org)
+ core: Fix chunk header parsing defect.
+ Remove apr_brigade_flatten(), buffering and duplicated code from
+ the HTTP_IN filter, parse chunks in a single pass with zero copy.
+ Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
+ authorized characters. [Graham Leggett, Yann Ylavic]
+ Submitted by: graham, ylavic
+ Reviewed by: ylavic, wrowe, jim
+ Backports: 1484852, 1684513
+ Reported by: Régis Leroy
+
+ trunk
+ https://svn.apache.org/r1484852
+ https://svn.apache.org/r1684513
+ 2.4.x branch
+ https://svn.apache.org/r1684515
+ 2.2.x branch
+ https://svn.apache.org/repos/private/pmc/httpd/SECURITY/http_filter_chunked/httpd-2.2.x-ap_http_filter-chunked-v5.patch
+ +1: ylavic, wrowe
+ jim notes: test framework errors due to 413->400 error change [test adjusted]
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
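Review bot: The vote state of the new showstopper entry is ambiguous: "Reviewed by: ylavic, wrowe, jim" names three reviewers, while "+1: ylavic, wrowe" records two votes and jim appears only through a "jim notes:" line. Since the log message says the entry still needs one more reviewer/vote, either leave jim out of "Reviewed by:" until a vote is recorded, or state on the "+1:" line that a third vote is outstanding. The 413->400 response change is a client-visible behaviour change that surfaces only in jim's note; it belongs in the change description next to "Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized characters" so that it reaches CHANGES. The 2.2.x patch link points into repos/private/pmc, so the entry should say who can fetch it, otherwise a prospective third reviewer may not be able to read the patch being voted on.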