git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
Propose safety backport.
author Yann Ylavic <ylavic@apache.org>
Sun, 10 May 2015 19:38:38 +0000 (19:38 +0000)
committer Yann Ylavic <ylavic@apache.org>
Sun, 10 May 2015 19:38:38 +0000 (19:38 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1678595 13f79535-47bb-0310-9956-ffa450edef68

STATUS

diff --git a/STATUS b/STATUS
index 9c7ef2f2fa3cafe9f106022dee32842a10f90bc3..6b623d51bc6801abd69d673ff6efed0e2c956633 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -230,6 +230,16 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
      2.4.x patch: http://people.apache.org/~jailletc36/PR52831.patch
      +1: jailletc36, ylavic
 
+   * core: Avoid potential use of uninitialized (NULL) request data in
+     request line error path.
+     trunk patch: http://svn.apache.org/r1664205
+     2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-read_request_line.patch
+     2.2.x patch: trunk works (module CHANGES)
+     +1: ylavic
+     ylavic: this is CVE-2015-0253 wrt 2.4.13, although 2.2.x is not
+             vulnerable per se (no ErrorDocument handling from early
+             request line parser), better be safe than sorry.
+
 PATCHES/ISSUES THAT ARE STALLED
 
    * mod_proxy_balancer: Always initialize the shared parameters of a load
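
Review bot: the new entry carries two "2.2.x patch:" lines that disagree. The first points at httpd-2.2.x-read_request_line.patch and the second says "trunk works (module CHANGES)", so a voter cannot tell whether to review the dedicated 2.2.x patch or r1664205 as is. Keep only the line that applies. In the line that says trunk works, "module" also reads like a typo for "modulo". The ylavic note is useful context for why a branch described as not vulnerable still gets the change; it would help to say in the entry itself that this is a hardening backport, so the CVE reference is not read as a statement that 2.2.x is affected.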