httpd-dev mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: apply_to_2.2.21 -- please review
Date Wed, 18 Jan 2012 15:04:16 GMT
On Wed, Jan 18, 2012 at 8:43 AM, Jeff Trawick <trawick@gmail.com> wrote:
> On Tue, Jan 17, 2012 at 10:46 AM, Eric Covener <covener@gmail.com> wrote:
>> I've collected the 3 backported security fixes pending for 2.2.22 and
>> tried to emulate apply_to_2.3.5/CVE-2010-2068-r953418.patch.
>>
>> http://people.apache.org/~covener/patches/apply_to_2.2.21/
>>
>> The text is a lot more brief and just written in one off-the-cuff
>> pass.  I made sure they all apply together and are taken from svn diff
>> of the rev as applied to 2.2.x.
>>
>> Since these are all in the CHANGES, I guess this could have been dev@.
>
> yes (moved there now)

+1 to the patches for CVE-2012-0053 and CVE-2011-3607

I suspect the fix for CVE-2011-3368 will be changed before 2.2.22 is
released.  While the CVE-2011-3368 patch is fine for what it promises
to fix, I'd like to see the follow-on vulnerability fix concluded in
the next 24 hours and one fix for both posted.  (+1 for the
CVE-2011-3368 if we can't get our act together.)

I'd like to see some semicolons changed to colons.  Examples:

# CVE-2012-0053; Scoreboard issue which could allow an unprivileged child
# Further details organized by httpd release may be available from;

(apply to all three descriptions)
