Date: Wed, 19 Jun 2002 11:19:40 -0400 (EDT)
From: Cliff Woolley
To: dev@httpd.apache.org
Subject: Re: chunked encoding bug fix (Apache 1.3)

On Wed, 19 Jun 2002, Dmitri wrote:

> The issue described in this advisory [CAN-2002-0392] is fixed in 1.3.26.
> However, I could find no bug associated with this issue in Apache Bugzilla.

Nobody ever submitted a bug report about it. The bug database is not meant
to handle security issues, and it says so in big letters. :-)

> I would like to know whether this change is documented somewhere outside
> CVS.

Not on any public channels, no.

> As far as I understand, the changes included backporting chunked
> encoding handling (http_protocol.c: 1.316 -> 1.317), and using
> ap_strtol() instead of strtol(). Is that all? I need this because I
> would just like to apply this fix to my local apache source tree, which
> is version 1.3.20.

No, there's much more to it than that. Several patches went in to several
files, including http_protocol.c and several files in the proxy, possibly
others. Anyway, it's much safer just to upgrade to 1.3.26.

--Cliff