git.ipfire.org Git - thirdparty/apache/httpd.git/commitdiff
propose backporting a few security fixes to the 2.0.x branch
author Jeff Trawick <trawick@apache.org>
Wed, 12 May 2010 18:08:31 +0000 (18:08 +0000)
committer Jeff Trawick <trawick@apache.org>
Wed, 12 May 2010 18:08:31 +0000 (18:08 +0000)
I haven't properly reviewed/tested these yet myself, but I'd guess
that some among us may be in a good position to review.  (And I
should get to it eventually.)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943603 13f79535-47bb-0310-9956-ffa450edef68

STATUS

diff --git a/STATUS b/STATUS
index 59403266235a58ac3d73ffbbf87d21b78785a4ee..d5a20a83f75bcd02bab366bbd4958780bd13c96b 100644 (file)
--- a/STATUS
+++ b/STATUS
@@ -202,6 +202,27 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
     with some offset and fuzz.
     +1: rjung
 
+  * mod_proxy_ftp, CVE-2009-3094, NULL pointer dereference on error paths
+    Patch in 2.2.x branch:
+      http://svn.apache.org/viewvc?view=revision&revision=814844
+    Backport:
+      http://people.apache.org/~trawick/CVE-2009-3094-2.0.txt
+    +1:
+
+  * mod_proxy_ftp, CVE-2009-3095, sanity check authn credentials
+    Patch in 2.2.x branch:
+      http://svn.apache.org/viewvc?view=revision&revision=814847
+    Backport:
+      http://people.apache.org/~trawick/CVE-2009-3095-2.0.txt
+    +1:
+
+  * core output filter, CVE-2009-1891, consuming CPU after client disconnects
+    Patch in 2.2.x branch:
+      http://svn.apache.org/viewvc?view=revision&revision=791454
+    Dan's patch posted last year for 2.0.x:
+      http://people.apache.org/~trawick/CVE-2009-1891-2.0-poirier.txt
+    +1:
+
 PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON:
 
     *) mod_headers: Support {...}s tag for SSL variable lookup.
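Review bot: In the CVE-2009-1891 entry, the label "Dan's patch posted last year for 2.0.x:" departs from the "Backport:" label used by the two mod_proxy_ftp entries above it, and it does not say whether that patch still applies to the current 2.0.x branch. Suggest using "Backport:" here as well, with the author's full name and a note on whether the patch was refreshed, so voters know what they are reviewing before adding a +1. All three backport links also point to files under people.apache.org/~trawick/ rather than to a repository revision, so it would help to state in each entry which 2.0.x revision the patch was generated against.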