From: William A. Rowe Jr
Date: Fri, 27 Jan 2012 15:35:01 +0000 (+0000)
Subject: Load up on SECURITY showstoppers to a final 2.0.65 tag; everything missing
X-Git-Tag: 2.0.65~93
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=68c62a149157bdfddad7beaab1047177f1a4def2;p=thirdparty%2Fapache%2Fhttpd.git

Load up on SECURITY showstoppers to a final 2.0.65 tag; everything missing from 2.0 CHANGES so far. Current 2.0 fixes may need further review as already noted in STATUS

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1236717 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/STATUS b/STATUS
index 05d250e9d99..12631fa7290 100644
--- a/STATUS
+++ b/STATUS
@@ -125,6 +125,36 @@ RELEASE SHOWSTOPPERS: * Backport jorton's work on backstopping unrooted URI's (regex protection) and any mod_rewrite example corrections. + *) SECURITY: CVE-2010-2068 (cve.mitre.org) + mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection + for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung] + + *) SECURITY: CVE-2011-3348 (cve.mitre.org) + mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not + recognized. [Jean-Frederic Clere] + + *) SECURITY: CVE-2011-3607 (cve.mitre.org) + Fix integer overflow in ap_pregsub() which, when the mod_setenvif module + is enabled, could allow local users to gain privileges via a .htaccess + file. [Stefan Fritsch, Greg Ames] + + *) SECURITY: CVE-2011-4317 (cve.mitre.org) + Resolve additional cases of URL rewriting with ProxyPassMatch or + RewriteRule, where particular request-URIs could result in undesired + backend network exposure in some configurations. + [Joe Orton] + + *) SECURITY: CVE-2012-0031 (cve.mitre.org) + Fix scoreboard issue which could allow an unprivileged child process + could cause the parent to crash at shutdown rather than terminate + cleanly. [Joe Orton] + + *) SECURITY: CVE-2012-0053 (cve.mitre.org) + Fix an issue in error responses that could expose "httpOnly" cookies + when no custom ErrorDocument is specified for status code 400. + [Eric Covener] + + PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ]
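Review bot: The CVE-2012-0031 entry has a doubled "could" ("could allow an unprivileged child process could cause the parent to crash"); since these lines are destined for the 2.0 CHANGES file verbatim, fix it here to "which could allow an unprivileged child process to cause the parent to crash at shutdown rather than terminate cleanly." Two further points on the same block: the CVE-2010-2068 entry names mod_reqtimeout next to the two proxy modules, so confirm that module list is correct for the 2.0.x tree before the entry is promoted, and none of the six entries carries the trunk/2.2.x revision or patch URL that STATUS items normally cite, which makes it hard for a second reviewer to tell which fixes are already committed on 2.0.x and which still need a backport, as the commit message itself says needs review.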