git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
Propose mod_session_crypto fix for CVE-2016-0736.
author: Yann Ylavic <ylavic@apache.org>
Mon, 5 Dec 2016 23:50:17 +0000 (23:50 +0000)
committer: Yann Ylavic <ylavic@apache.org>
Mon, 5 Dec 2016 23:50:17 +0000 (23:50 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772814 13f79535-47bb-0310-9956-ffa450edef68

STATUS

diff --git a/STATUS b/STATUS
index 03c54ae2c8524dc7ac452b68564db63cc1a1a0fc..9bcf6fa6f0487254f7f366f7f7fb2ec990fcc837 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -149,7 +149,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
      jailletc36: compatibility note missing in the XML file
      jim:        Will address during commit
 
-
   *) mod_lua: Fix default value of LuaInherit directive. It should be 
      'parent-first' instead of 'none', as per documentation.  PR 60419
      trunk patch: http://svn.apache.org/r1772489
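Review bot: the only change in this hunk is the removal of a stray blank line between the preceding entry's jim/jailletc36 comments and the mod_lua LuaInherit entry, which the commit message ("Propose mod_session_crypto fix for CVE-2016-0736.") does not mention; it is harmless, but a word in the log would keep the unrelated whitespace edit from being read as a change to the LuaInherit proposal.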
@@ -157,6 +156,16 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
      2.4.x patch: trunk works
      +1: jailletc36, jim
 
+  *) SECURITY: CVE-2016-0736 (cve.mitre.org)
+     mod_session_crypto: Authenticate the session data/cookie with a
+     MAC (SipHash) to prevent deciphering or tampering from a padding
+     oracle attack.  [Yann Ylavic, Colm MacCarthaigh]
+     trunk patch: http://svn.apache.org/r1772812
+                  http://svn.apache.org/r1772813
+     2.4.x patch: trunk works (modulo CHANGES)
+     +1: ylavic
+
+
 PATCHES/ISSUES THAT ARE BEING WORKED
   [ New entried should be added at the START of the list ]
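Review bot: the new entry carries a single vote ("+1: ylavic"), so it is a proposal only and not yet backportable under the three +1 votes the 2.4.x RTC process requires; the two added blank lines before "PATCHES/ISSUES THAT ARE BEING WORKED" also leave a double gap where neighbouring entries use one, which sits oddly beside the stray blank line the first hunk removes, so drop one of them. "2.4.x patch: trunk works (modulo CHANGES)" should spell out what the CHANGES difference is (presumably a separate 2.4.x CHANGES entry to be written at commit time), and since authenticating the session cookie with a SipHash MAC changes what mod_session_crypto accepts, the entry should state whether cookies issued by an unpatched server are rejected after upgrade, so that the compatibility note the docs will need (the same point raised against the entry above) is not forgotten.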