httpd-cvs mailing list archives

From traw...@apache.org
Subject svn commit: r1233920 - /httpd/httpd/branches/2.2.x/STATUS
Date Fri, 20 Jan 2012 14:21:28 GMT
Author: trawick
Date: Fri Jan 20 14:21:28 2012
New Revision: 1233920

URL: http://svn.apache.org/viewvc?rev=1233920&view=rev
Log:
alternative solution for CVE-2011-4317

Modified:
    httpd/httpd/branches/2.2.x/STATUS

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1233920&r1=1233919&r2=1233920&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Fri Jan 20 14:21:28 2012
@@ -150,9 +150,12 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
            should be much faster than a callout to strcmp.
     wrowe: Shouldn't this all simply be handled with an error result from
            apr_uri_parse?
-    trawick: leaning towards (b) with wrowe's tweak above, to let other mods
-           decide whether to handle odd URIs with core hook failing it if it got
-           that far
+    trawick: valid URIs can be used to exploit this, so apr_uri_parse() won't help
+
+    Plan (b) from mail discussion above
+      Adds trunk revision 1233604
+      2.2.x patch: http://people.apache.org/~trawick/CVE-2011-4317-2.2.x.txt
+    +1: trawick
 
   * mod_proxy: cure size_t abuse part 1, backport relevant bits of r1227856,
     Specifically normalizes ap_proxy_string_read so that the prototype
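Review bot: the new trawick line asserts that valid URIs can exploit the issue and so apr_uri_parse() won't help, but the three removed lines held the earlier reasoning (plan (b) with wrowe's tweak, the core hook failing odd URIs) and nothing in the replacement records why a parse-level or core-hook URI check is insufficient, so a later reader of STATUS cannot follow the change of position from this entry alone; suggest keeping a one-line pointer such as "supersedes (b) with wrowe's tweak: the exploitable requests are syntactically valid URIs, so no URI-validity check in the core can reject them". Separately, "Plan (b) from mail discussion above" and the people.apache.org patch link carry no thread or message reference next to the trunk revision (1233604), and only the proposer's vote ("+1: trawick") is listed; citing the dev@ thread alongside the revision would let other committers review and vote on the backport without reconstructing the discussion.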
