From: Jim Jagielski Date: Wed, 5 Oct 2011 18:42:28 +0000 (+0000) Subject: Add these as showstoppers... X-Git-Tag: 2.0.65~108 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a59be844c1239f857822504c97c90e466361d919;p=thirdparty%2Fapache%2Fhttpd.git Add these as showstoppers... git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1179375 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index ca86b1b927a..da452a08379 100644 --- a/STATUS +++ b/STATUS @@ -114,10 +114,27 @@ CURRENT RELEASE NOTES: RELEASE SHOWSTOPPERS: + * SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some + reverse proxy configurations by strictly validating the request-URI. + Trunk patch: http://svn.apache.org/viewvc?rev=1179239&view=rev + 2.2.x patch: http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/CVE-2011-3368.patch + +1: jim + + * byterange: Range of '0-' returns 206. + Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1175980 + http://svn.apache.org/viewvc?view=revision&revision=1175992 + 2.2.x patch: http://svn.apache.org/viewvc?view=revision&revision=1177080 + 2.2.x patch: http://svn.apache.org/viewvc?view=revision&revision=1177081 + 2.0.x patch: http://people.apache.org/~jim/patches/2.0-byterange0-.txt + +1: jim, rjung + rjung: You might want to add the "special case: 0- ..." comment from the + 2.2 patch. I'm fine either way. + PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] + PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ please place SVN revisions from trunk here, so it is easy to identify exactly what the proposed changes are! Add all new 
@@ -155,16 +172,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: Revert r1002174 in test framework, once this is fixed. +1: rjung, wrowe - * byterange: Range of '0-' returns 206. - Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1175980 - http://svn.apache.org/viewvc?view=revision&revision=1175992 - 2.2.x patch: http://svn.apache.org/viewvc?view=revision&revision=1177080 - 2.2.x patch: http://svn.apache.org/viewvc?view=revision&revision=1177081 - 2.0.x patch: http://people.apache.org/~jim/patches/2.0-byterange0-.txt - +1: jim, rjung - rjung: You might want to add the "special case: 0- ..." comment from the - 2.2 patch. I'm fine either way. - * byterange: Backport MaxRanges configuration directive and ap_set_accept_ranges() utility function. Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1162584
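Review bot: In the first hunk (@@ -114,10 +114,27 @@), the new CVE-2011-3368 entry lists a trunk patch and a 2.2.x patch but no 2.0.x patch, although this STATUS file lives on branches/2.0.x and the byterange entry added directly below it does carry a "2.0.x patch:" link. Add a "2.0.x patch:" line to the security entry, or state that the 2.2.x patch applies unchanged, so voters know exactly what they are asked to review. The same hunk also adds a blank line just before "PATCHES PROPOSED TO BACKPORT FROM TRUNK:", which is unrelated to the two entries and can be dropped.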
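Review bot: In the second hunk (@@ -155,16 +172,6 @@), the byterange '0-' entry is removed from PATCHES PROPOSED and reappears word for word under RELEASE SHOWSTOPPERS, so rjung's suggestion about the "special case: 0- ..." comment is still unanswered on an item that now blocks the release. Record a decision on it in the moved entry rather than carrying the open remark along. The commit message ("Add these as showstoppers...") also names neither entry; mentioning CVE-2011-3368 and the byterange fix would make the change findable from the log.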