Posted to cvs@httpd.apache.org by ji...@apache.org on 2011/10/05 20:42:28 UTC

svn commit: r1179375 - /httpd/httpd/branches/2.0.x/STATUS

Author: jim
Date: Wed Oct  5 18:42:28 2011
New Revision: 1179375

URL: http://svn.apache.org/viewvc?rev=1179375&view=rev
Log:
Add these as showstoppers...

Modified:
    httpd/httpd/branches/2.0.x/STATUS

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=1179375&r1=1179374&r2=1179375&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Wed Oct  5 18:42:28 2011
@@ -114,10 +114,27 @@ CURRENT RELEASE NOTES:
 
 RELEASE SHOWSTOPPERS:
 
+  * SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
+    reverse proxy configurations by strictly validating the request-URI.
+    Trunk patch: http://svn.apache.org/viewvc?rev=1179239&view=rev
+    2.2.x patch: http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch
+    +1: jim
+
+  * byterange: Range of '0-' returns 206.
+    Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1175980
+                 http://svn.apache.org/viewvc?view=revision&revision=1175992
+    2.2.x patch: http://svn.apache.org/viewvc?view=revision&revision=1177080
+    2.2.x patch: http://svn.apache.org/viewvc?view=revision&revision=1177081
+    2.0.x patch: http://people.apache.org/~jim/patches/2.0-byterange0-.txt
+    +1: jim, rjung
+    rjung: You might want to add the "special case: 0- ..." comment from the
+           2.2 patch. I'm fine either way.
+
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
 
+
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
     identify exactly what the proposed changes are!  Add all new
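Review bot: The CVE-2011-3368 entry added at the top of RELEASE SHOWSTOPPERS links a trunk patch and a 2.2.x patch but no 2.0.x patch, while the byterange entry right below it does carry a "2.0.x patch:" line. Since this is the 2.0.x STATUS file, add a "2.0.x patch:" line, or state that the 2.2.x patch applies to this branch as is, so voters know exactly what they are reviewing. The entry also carries only one vote so far (+1: jim). The extra blank "+" line added before PATCHES PROPOSED TO BACKPORT FROM TRUNK is a whitespace-only change and can be dropped.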
@@ -155,16 +172,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
     Revert r1002174 in test framework, once this is fixed.
     +1: rjung, wrowe
 
-  * byterange: Range of '0-' returns 206.
-    Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1175980
-                 http://svn.apache.org/viewvc?view=revision&revision=1175992
-    2.2.x patch: http://svn.apache.org/viewvc?view=revision&revision=1177080
-    2.2.x patch: http://svn.apache.org/viewvc?view=revision&revision=1177081
-    2.0.x patch: http://people.apache.org/~jim/patches/2.0-byterange0-.txt
-    +1: jim, rjung
-    rjung: You might want to add the "special case: 0- ..." comment from the
-           2.2 patch. I'm fine either way.
-
   * byterange: Backport MaxRanges configuration directive and
     ap_set_accept_ranges() utility function.
     Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1162584
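Review bot: The log message says only "Add these as showstoppers...", but this hunk deletes the byterange '0-' entry from PATCHES PROPOSED TO BACKPORT FROM TRUNK, so that item is a move rather than an addition. Say so in the log, so it is clear that the existing votes (+1: jim, rjung) and rjung's comment were carried over unchanged rather than newly cast.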