From: Yann Ylavic Date: Sun, 10 May 2015 19:38:38 +0000 (+0000) Subject: Propose safety backport. X-Git-Tag: 2.2.30~126 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72e50b98b9dda9b7bc3c897f97b188049b5baf8f;p=thirdparty%2Fapache%2Fhttpd.git Propose safety backport. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1678595 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 9c7ef2f2fa3..6b623d51bc6 100644 --- a/STATUS +++ b/STATUS @@ -230,6 +230,16 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.4.x patch: http://people.apache.org/~jailletc36/PR52831.patch +1: jailletc36, ylavic + * core: Avoid potential use of uninitialized (NULL) request data in + request line error path. + trunk patch: http://svn.apache.org/r1664205 + 2.2.x patch: http://people.apache.org/~ylavic/httpd-2.2.x-read_request_line.patch + 2.2.x patch: trunk works (module CHANGES) + +1: ylavic + ylavic: this is CVE-2015-0253 wrt 2.4.13, although 2.2.x is not + vulnerable per se (no ErrorDocument handling from early + request line parser), better be safe than sorry. + PATCHES/ISSUES THAT ARE STALLED * mod_proxy_balancer: Always initialize the shared parameters of a load
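Review bot: The new STATUS entry carries two "2.2.x patch:" lines that disagree: the first points to http://people.apache.org/~ylavic/httpd-2.2.x-read_request_line.patch, while the second says "trunk works (module CHANGES)". Keep only the one that applies, so voters know whether they are reviewing the branch-specific patch or r1664205 applied as is. In the second line, "module CHANGES" reads like a typo for "modulo CHANGES". The ylavic comment already states that 2.2.x is not vulnerable per se because the early request line parser does no ErrorDocument handling. It would help to phrase the entry title the same way, as hardening rather than a fix, so the backport is not later mistaken for a CVE-2015-0253 fix on this branch.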