git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
add patch/proposal for CVE-2013-5704 trailers thing
author Eric Covener <covener@apache.org>
Fri, 18 Jul 2014 01:00:08 +0000 (01:00 +0000)
committer Eric Covener <covener@apache.org>
Fri, 18 Jul 2014 01:00:08 +0000 (01:00 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611522 13f79535-47bb-0310-9956-ffa450edef68

STATUS

diff --git a/STATUS b/STATUS
index f87e26faff35f56512ace04189a8061783ed0c95..9ce51e6f18d2148d1bb0e4b92cdfa987f9a53dfd 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -103,6 +103,19 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ New proposals should be added at the end of the list ]
 
+
+  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+     core: HTTP trailers could be used to replace HTTP headers
+     late during request processing, potentially undoing or
+     otherwise confusing modules that examined or modified
+     request headers earlier.  Adds "MergeTrailers" directive to restore
+     legacy behavior. 
+     trunk patch: http://svn.apache.org/r1610814 
+                  http://svn.apache.org/r1610686 (mod_log_config ^XX support) 
+                  http://svn.apache.org/r1610707 (mod_log_cofnig ^XX support)
+     2.2.x patch:  http://people.apache.org/~covener/patches/httpd-2.2.x-trailers.diff
+     +1: covener
+    
    * mod_proxy: Don't reuse a SSL backend connection whose SNI differs. PR 55782.
                 This may happen when ProxyPreserveHost is on and the proxy-worker
                 handles connections to different Hosts.
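
Review bot: the new CVE-2013-5704 entry is inserted directly under the "[ New proposals should be added at the end of the list ]" line, ahead of the existing mod_proxy proposal, so it does not follow the ordering rule in the context line just above it; either move it to the end of the list or state in the entry that it is placed first deliberately as a security fix. In the same entry, the second mod_log_config reference is misspelled "mod_log_cofnig", the bullet is written as "  *)" where the neighbouring mod_proxy entry uses "   * ", and the "legacy behavior." line, the "trunk patch:" line, the r1610686 line and the final added line all carry trailing whitespace. The extra empty "+" line at the top of the hunk also leaves two blank lines before the entry.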