From: Eric Covener Date: Fri, 18 Jul 2014 01:00:08 +0000 (+0000) Subject: add patch/proposal for CVE-2013-5704 trailers thing X-Git-Tag: 2.2.28~28 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e570447fd4de55af6f633eb54342f476fa691e5;p=thirdparty%2Fapache%2Fhttpd.git add patch/proposal for CVE-2013-5704 trailers thing git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1611522 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index f87e26faff3..9ce51e6f18d 100644 --- a/STATUS +++ b/STATUS @@ -103,6 +103,19 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] + + *) SECURITY: CVE-2013-5704 (cve.mitre.org) + core: HTTP trailers could be used to replace HTTP headers + late during request processing, potentially undoing or + otherwise confusing modules that examined or modified + request headers earlier. Adds "MergeTrailers" directive to restore + legacy behavior. + trunk patch: http://svn.apache.org/r1610814 + http://svn.apache.org/r1610686 (mod_log_config ^XX support) + http://svn.apache.org/r1610707 (mod_log_cofnig ^XX support) + 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-trailers.diff + +1: covener + * mod_proxy: Don't reuse a SSL backend connection whose SNI differs. PR 55782. This may happen when ProxyPreserveHost is on and the proxy-worker handles connections to different Hosts.
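Review bot: The r1610707 line in the added STATUS entry misspells the module name as "mod_log_cofnig"; it should read "mod_log_config" so the entry can be found by searching for the module. The r1610686 and r1610707 lines also carry the identical description "^XX support", which leaves voters unable to tell what each revision contributes or whether both are required for the backport; give each a distinct one-line description. The entry says MergeTrailers is added "to restore legacy behavior", which implies the default behaviour changes with this patch, so state the new default explicitly in the proposal text so that reviewers of a 2.2.x backport can weigh the compatibility impact.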