httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c
Date Tue, 15 Jul 2014 12:38:20 GMT
On Tue, Jul 15, 2014 at 12:27:00PM -0000, jorton@apache.org wrote:
> Author: jorton
> Date: Tue Jul 15 12:27:00 2014
> New Revision: 1610674
> 
> URL: http://svn.apache.org/r1610674
> Log:
> SECURITY (CVE-2014-0117): Fix a crash in mod_proxy.  In a reverse
> proxy configuration, a remote attacker could send a carefully crafted
> request which could crash a server process, resulting in denial of
> service.

Backporting this to 2.4.x is non-trivial since trunk has diverged from 
2.4.x via at least this change to how r->headers_in is handled:

http://svn.apache.org/viewvc?view=revision&revision=1588527

I am not sure how/whether that impacts the backport.

We have a simpler version of the crasher fix which doesn't add strict 
interpretation of the Connection header - I am going to propose that for 
2.4.x.  If somebody wants to propose a backport of r1610674 for 2.4.x 
please jump to it ASAP!

Regards, Joe
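
The reply above contrasts the trunk fix, which adds strict interpretation of the Connection header, with a simpler crasher fix. As an added illustration of what a strict interpretation of that header can look like (this is not httpd code, not r1610674, and not the 2.4.x proposal; it only assumes the RFC 7230 token grammar and the design choice, mine, that any malformed element rejects the whole value):

```c
/* Added illustration (not httpd source): a strict parser for the HTTP
 * Connection header field. Elements are comma-separated tokens per
 * RFC 7230 sec. 3.2.6 / sec. 7; empty elements are tolerated, any other
 * malformed input rejects the whole value instead of being partly used.
 * An absent (NULL) or empty header means "no tokens", never a pointer
 * to dereference. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 16
#define MAX_TOKEN_LEN 64

/* tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
 *         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA  (RFC 7230 3.2.6) */
static int is_tchar(unsigned char c)
{
    return c != '\0' && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

/* Splits value into lowercase tokens. Returns the token count, or -1 if
 * the value is malformed (non-token byte, token too long, too many). */
int parse_connection_header(const char *value,
                            char tokens[][MAX_TOKEN_LEN], int max_tokens)
{
    int n = 0;
    const char *p = value;

    if (value == NULL)
        return 0;                         /* header absent: nothing listed */

    for (;;) {
        while (*p == ' ' || *p == '\t')   /* OWS before an element */
            p++;
        if (*p == ',') {                  /* empty element, e.g. "a,,b" */
            p++;
            continue;
        }
        if (*p == '\0')
            return n;

        const char *start = p;
        while (is_tchar((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - start);
        if (len == 0 || len >= MAX_TOKEN_LEN || n >= max_tokens)
            return -1;                    /* non-token byte or overflow */
        for (size_t i = 0; i < len; i++)
            tokens[n][i] = (char)tolower((unsigned char)start[i]);
        tokens[n][len] = '\0';
        n++;

        while (*p == ' ' || *p == '\t')   /* OWS after the token */
            p++;
        if (*p == ',') {
            p++;
            continue;
        }
        if (*p == '\0')
            return n;
        return -1;                        /* e.g. "close; x" or "keep alive" */
    }
}

/* Number of tokens in value, or -1 when it is malformed. */
int connection_token_count(const char *value)
{
    char tokens[MAX_TOKENS][MAX_TOKEN_LEN];
    return parse_connection_header(value, tokens, MAX_TOKENS);
}

/* 1 if name is listed (case-insensitively), 0 if not, -1 if malformed. */
int connection_lists(const char *value, const char *name)
{
    char tokens[MAX_TOKENS][MAX_TOKEN_LEN];
    char want[MAX_TOKEN_LEN];
    int n = parse_connection_header(value, tokens, MAX_TOKENS);
    size_t i;

    if (n < 0)
        return -1;
    if (strlen(name) >= MAX_TOKEN_LEN)
        return 0;
    for (i = 0; name[i]; i++)
        want[i] = (char)tolower((unsigned char)name[i]);
    want[i] = '\0';
    for (int k = 0; k < n; k++)
        if (strcmp(tokens[k], want) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* constructed sample values, not captured traffic */
    const char *samples[] = { "close", "Keep-Alive, Upgrade", ", , close ,",
                              "", "close; x", "keep alive", "x(y)", NULL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> tokens=%d close=%d\n",
               samples[i] ? samples[i] : "(absent)",
               connection_token_count(samples[i]),
               connection_lists(samples[i], "close"));
    return 0;
}
```

The point of the strict variant is that a caller such as a hop-by-hop header filter gets a clear "malformed, do not act on this" signal (-1) rather than a partially parsed list, and that the absent-header case is handled before any pointer is followed.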
