From: Yann Ylavic Date: Mon, 5 Dec 2016 23:50:17 +0000 (+0000) Subject: Propose mod_session_crypto fix for CVE-2016-0736. X-Git-Tag: 2.4.24~71 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=581ca625ff785136de8afe5a5d712d626974cbc3;p=thirdparty%2Fapache%2Fhttpd.git Propose mod_session_crypto fix for CVE-2016-0736. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772814 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 03c54ae2c85..9bcf6fa6f04 100644 --- a/STATUS +++ b/STATUS @@ -149,7 +149,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: jailletc36: compatibility note missing in the XML file jim: Will address during commit - *) mod_lua: Fix default value of LuaInherit directive. It should be 'parent-first' instead of 'none', as per documentation. PR 60419 trunk patch: http://svn.apache.org/r1772489 @@ -157,6 +156,16 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.4.x patch: trunk works +1: jailletc36, jim + *) SECURITY: CVE-2016-0736 (cve.mitre.org) + mod_session_crypto: Authenticate the session data/cookie with a + MAC (SipHash) to prevent deciphering or tampering from a padding + oracle attack. [Yann Ylavic, Colm MacCarthaigh] + trunk patch: http://svn.apache.org/r1772812 + http://svn.apache.org/r1772813 + 2.4.x patch: trunk works (modulo CHANGES) + +1: ylavic + + PATCHES/ISSUES THAT ARE BEING WORKED [ New entried should be added at the START of the list ]
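Review bot: the only change in the @@ -149,7 +149,6 @@ hunk is the deletion of the blank line between `jim: Will address during commit` and the `*) mod_lua:` entry, which runs two STATUS entries together; unless that is intentional, keep the separator so entries stay one blank line apart as elsewhere in the list.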
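Review bot: in the @@ -157,6 +156,16 @@ hunk the line `2.4.x patch: trunk works (modulo CHANGES)` does not say what differs in CHANGES; for a SECURITY backport the entry should spell out the CHANGES adjustment or point at a 2.4.x-specific patch so whoever merges it does not have to reconstruct it. Two smaller points on the same hunk: it adds two blank lines after `+1: ylavic` where a single separator would match the rest of the list, and, since the fix authenticates the session cookie with a SipHash MAC, the entry should say whether sessions issued before the upgrade (which carry no MAC) are rejected, and whether that needs a compatibility note of the kind jailletc36 asks for on the mod_lua entry just above.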