From: Ruediger Pluem <rpluem@apache.org>
Date: Fri, 28 Dec 2007 16:31:17 +0000 (+0000)
Subject: * Add two proposals.
X-Git-Tag: 2.0.62~28
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2796ab41b657cfeeb8573e4c430e5d1093de4033;p=thirdparty%2Fapache%2Fhttpd.git

* Add two proposals.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@607283 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/STATUS b/STATUS
index be4f9b05333..2e66505d211 100644
--- a/STATUS
+++ b/STATUS
@@ -113,6 +113,24 @@ CURRENT RELEASE NOTES:
 RELEASE SHOWSTOPPERS:
 
 
+ * Various modules: Add explicit charset to the output of various modules to
+   work around possible cross-site scripting flaws affecting web browsers that
+   do not derive the response character set as required by RFC2616.
+    Trunk version of patch:
+       http://svn.apache.org/viewvc?rev=606693&view=rev
+       http://svn.apache.org/viewvc?rev=607276&view=rev
+    Backport version for 2.2.x of patch:
+       http://people.apache.org/~rpluem/patches/utf7_fix_2.0.x.diff
+    +1: rpluem,
+
+ * mod_status: Ensure refresh parameter is numeric to prevent a possible XSS
+   attack caused by redirecting to other URLs.
+    Trunk version of patch:
+       http://svn.apache.org/viewvc?rev=607282&view=rev
+    Backport version for 2.2.x of patch:
+       http://awe.com/e8f6ad05238f8/CVE-2007-6388-httpd-2.x.patch
+    +1: rpluem,
+
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]