From: Mike Rumph Date: Thu, 21 Aug 2014 15:35:43 +0000 (+0000) Subject: Comment on possible trailers CVE delay. X-Git-Tag: 2.2.28~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6dc5586d98a41d095818a95696a463d7dbd195b0;p=thirdparty%2Fapache%2Fhttpd.git Comment on possible trailers CVE delay. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1619446 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 3037ef64466..d5724c8db1e 100644 --- a/STATUS +++ b/STATUS @@ -111,7 +111,10 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: 2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-trailers-2.diff +1: covener, wrowe, rpluem covener: Since this was not released yet in 2.4.x, maybe it's better to cut 2.2.28 w/o it? - + mrumph: Delaying a nonCVE fix would be reasonable to maintain backward compatibility. + But for a CVE that has already been made public, + wouldn't it make more sense to make the fix available as quickly as possible? + * mod_deflate: Fix reentrance in output and input filters (buffering of incomplete Zlib header or validation bytes). PR 46146. trunk patch: https://svn.apache.org/r1572655
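Review bot: The added mrumph comment in STATUS refers to "a CVE that has already been made public" without naming it, so a reader of this entry cannot tell which advisory the trailers backport addresses. Add the CVE identifier next to the 2.2.x patch reference. The comment is also phrased as a question and does not say what should happen to covener's proposal to cut 2.2.28 without the patch. State explicitly whether the backport should be treated as a blocker for 2.2.28, so the release manager has a position to act on. Minor: "nonCVE" reads better as "non-CVE", and the hunk appears to remove one blank line before the comment and add another after it. If that is only a whitespace difference, drop it from the change.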