From: Rainer Jung
Date: Fri, 17 Aug 2012 08:52:35 +0000 (+0000)
Subject: Give some love to 2.2.x: add a round of backports,
X-Git-Tag: 2.2.23~44
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9aa743988fed8303ff6b80b5fca5314a28d4b86f;p=thirdparty%2Fapache%2Fhttpd.git

Give some love to 2.2.x: add a round of backports,
which are already part of trunk and 2.4.
The list includes any fixes applied to 2.4 between March 15 and July 19 2012.
Most of them easy to review, some not.
Unfortunately especially the important backport of AllowAnyURI needs two additional prerequisite backports.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1374178 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/STATUS b/STATUS
index 7b7b96bbadc..00d5eea4cd1 100644
--- a/STATUS
+++ b/STATUS
@@ -205,6 +205,118 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: any version. Also, if you read my note to dev@ you will see why it is not premature. + * mod_proxy_balancer: fix error message implying recovery during a markdown + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1299738 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1301194 + 2.2.x patch: http://people.apache.org/~rjung/patches/mod_proxy_balancer-fix-error-message-2_2.patch + +1: rjung + + * core: (dummy_connection): Destroy temp pool and return on connect() failure. + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1300171 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1301649 + 2.2.x patch: http://people.apache.org/~rjung/patches/dummy_connection-destroy-pool-and-return-on-failure-2_2.patch + +1: rjung + + * core: add filesystem paths to some common error messages. + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1301504 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1302426 + 2.2.x patch: http://people.apache.org/~rjung/patches/improve-forbidden-error-message-2_2.patch + +1: rjung + + * core: Fix error handling in ap_scan_script_header_err_brigade() if there + is no EOS bucket in the brigade: + Also don't loop if there is a timeout when discarding the script output. + Thanks to Edgar Frank for the analysis. + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1311174 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1331414 + 2.2.x patch: trunk patch applies + +1: rjung + + * core: Bail out *before* signalling the server if the config is bad. + (as per the claim in the docs!) Prevents "httpd -k restart" from + killing server in presence of config error. 
+ trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1328345 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1331847 + 2.2.x patch: trunk patch applies + +1: rjung + + * mod_ssl: When receiving http on https, send the error response with http 1.0 + It is important that we send a proper error status, or search engines + may index the error message. + Remove the link in the speaking-http-on-https error message. + With SNI, the link will usually be wrong. So better send no link at all. + PR: 50823 + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1328325 and + http://svn.apache.org/viewvc?view=revision&revision=1328326 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1334346 + 2.2.x patch: http://people.apache.org/~rjung/patches/improve-speaking-http-on-https-message-2_2.patch + +1: rjung + + * mod_proxy_http: Use the the same hostname for SNI as for the HTTP request when + forwarding to SSL backends. + PR: 53134 + Based on a patch from: Michael Weiser + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1333969 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356881 + 2.2.x patch: http://people.apache.org/~rjung/patches/mod_proxy_http-fix-hostname-ssl-2_2.patch + +1: rjung + + * server/mpm_unix.c (dummy_connection): Use a TLS 1.0 close_notify + alert if the chosen listener is configured for https; not perfect + but better than sending an HTTP request. Adjust comments. + Based on a patch from: Michael Weiser + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1327036 and + http://svn.apache.org/viewvc?view=revision&revision=1327080 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356884 + 2.2.x patch: http://people.apache.org/~rjung/patches/dummy_connection-https-tls-2_2.patch + +1: rjung + + * htdbm/htpasswd: fix handling of crypt() failures. 
+ trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1346905 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356887 + 2.2.x patch: http://people.apache.org/~rjung/patches/htdbm-htpasswd-handling_crypt_failure-2_2.patch + +1: rjung + + * mod_negotiation: Escape filenames in variant list to prevent an + possible XSS for a site where untrusted users can upload files to a + location with MultiViews enabled. + SECURITY: CVE-2012-2687 (cve.mitre.org): + Submitted by: Niels Heinen + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356889 + 2.2.x patch: trunk patch applies + +1: rjung + + * mod_rewrite: add "AllowAnyURI" option. + Prerequisites: + - allow the user to configure which rules come first when RewriteRules + are merged with RewriteOptions Inherit. PR 39313 + - change signed single-bit fields to unsigned + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1356115 and + http://svn.apache.org/viewvc?view=revision&revision=1356813 and + http://svn.apache.org/viewvc?view=revision&revision=1086662 and + http://svn.apache.org/viewvc?view=revision&revision=1032431 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1359687 and + http://svn.apache.org/viewvc?view=revision&revision=1086662 and + http://svn.apache.org/viewvc?view=revision&revision=1032431 + 2.2.x patch: http://people.apache.org/~rjung/patches/mod_rewrite-directory_conf-allowanyuri-2_2.patch + +1: rjung + + * mod_log_config: %{abc}C truncates cookies whose values contain '=' + PR 53104 + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1328133 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1359690 + 2.2.x patch: trunk patch applies + +1: rjung + + * include/util_ldap.h: Treat LDAP_UNAVAILABLE as a transient error + with non-MS LDAP SDKs; seen with OpenLDAP against Novell eDirectory. 
+ Submitted by: Filip Valder (via RH bugzilla) + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1348036 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1362056 + 2.2.x patch: http://people.apache.org/~rjung/patches/treat_ldap_unavailable_transient-2_2.patch + +1: rjung + PATCHES/ISSUES THAT ARE STALLED * core: Support wildcards in both the directory and file components of
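Review bot: in the mod_rewrite "AllowAnyURI" entry, the two prerequisite bullets (RewriteOptions Inherit ordering for PR 39313, and signed-to-unsigned single-bit fields) are not tied to the four trunk revisions listed beneath them, so a reviewer cannot tell which revision satisfies which prerequisite or confirm that the single combined 2.2.x patch covers all of them; annotate each revision with the prerequisite it implements (r1086662 and r1032431 appear to be the older prerequisite changes, but the entry should say so) before asking for votes. Two wording nits in the same hunk: the mod_proxy_http SNI entry reads "Use the the same hostname" (doubled "the"), and the mod_negotiation CVE-2012-2687 entry reads "prevent an possible XSS" and should be "a possible XSS".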