httpd-dev mailing list archives

From Rainer Jung
Subject Re: svn commit: r1374178 - /httpd/httpd/branches/2.2.x/STATUS
Date Fri, 17 Aug 2012 18:10:44 GMT
On 17.08.2012 19:22, William A. Rowe Jr. wrote:
> This list is frankly too long to consider for a T&R today, which will happen
> later this afternoon or early evening as I mentioned several days ago.
> Rainer, can you draw our attention to the backports most critical to closing
> any security issues present in 2.2, so we can give those proper review?

I'm only aware of one security issue in 2.2.22, which AFAIR was rated as 
low impact: mod_negotiation: Escape filenames in variant list to prevent 
a possible XSS for a site where untrusted users can upload files to a 
location with MultiViews enabled.
SECURITY: CVE-2012-2687 (

My personal preference amongst the rest: the AllowAnyURI patch. Without 
it many sites using forward proxy and mod_rewrite fail currently.

For everything else I'm undecided.

Note that there are about 40 additional patches in the queue which do 
*not* backport any features but are mostly small fixes which have 
already been applied to trunk and 2.4 but never to 2.2. I'm not saying 
they need to go into 2.2.23, just wanting to give the whole picture.

I plan to review them over the next days and propose the ones that fit 
well into 2.2. We can have another 2.2. in a few months so that the 
backports get some time to settle. The reason I want to propose them 
soon is that some of us recently reviewed them for 2.4 so a 2.2 review 
might be easier soon.


