From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: svn commit: r1374178 - /httpd/httpd/branches/2.2.x/STATUS
Date Fri, 17 Aug 2012 22:57:36 GMT
On 8/17/2012 1:10 PM, Rainer Jung wrote:
> On 17.08.2012 19:22, William A. Rowe Jr. wrote:
>> This list is frankly too long to consider for a T&R today, which will happen
>> later this afternoon or early evening as I mentioned several days ago.
>>
>> Rainer, can you draw our attention to the backports most critical to closing
>> any security issues present in 2.2, so we can give those proper review?
> 
> I'm only aware of one security issue in 2.2.22, which AFAIR was rated as low impact:
> mod_negotiation: Escape filenames in variant list to prevent a possible XSS for a site
> where untrusted users can upload files to a location with MultiViews enabled.
> SECURITY: CVE-2012-2687 (cve.mitre.org)
> 
> My personal preference amongst the rest: the AllowAnyURI patch. Without it many sites
> using forward proxy and mod_rewrite fail currently.

I'm OK with this fix, there are some users impacted who did use enough caution
in their rewrite rules in the first place.

But it still needs one more pair of eyeballs; since I'm waiting on review of
the TLSv1.1/TLSv1.2 protocol switch patch, I can give this a bit more time
before I T&R tomorrow by midday.

> For everything else I'm undecided.
> 
> Note that there are about 40 additional patches in the queue which do *not* backport any
> features but are mostly small fixes which have already been applied to trunk and 2.4 but
> never to 2.2. I'm not saying they need to go into 2.2.23, just wanting to give the whole
> picture.
> 
> I plan to review them over the next days and propose the ones that fit well into 2.2. We
> can have another 2.2. in a few months so that the backports get some time to settle. The
> reason I want to propose them soon is that some of us recently reviewed them for 2.4 so a
> 2.2 review might be easier soon.

Understood, and I'm happy to help make that happen in the next 6-12 weeks, rather
than letting these sit for another six months (again).

Bill
