From: Jeff Trawick Date: Wed, 12 May 2010 18:08:31 +0000 (+0000) Subject: propose backporting a few security fixes to the 2.0.x branch X-Git-Tag: 2.0.64~56 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0e18662a2a3ebcf8cdd6e503fd431d29d775474;p=thirdparty%2Fapache%2Fhttpd.git propose backporting a few security fixes to the 2.0.x branch I haven't properly reviewed/tested these yet myself, but I'd guess that some among us may be in a good position to review. (And I should get to it eventually.) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@943603 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 59403266235..d5a20a83f75 100644 --- a/STATUS +++ b/STATUS @@ -202,6 +202,27 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: with some offset and fuzz. +1: rjung + * mod_proxy_ftp, CVE-2009-3094, NULL pointer dereference on error paths + Patch in 2.2.x branch: + http://svn.apache.org/viewvc?view=revision&revision=814844 + Backport: + http://people.apache.org/~trawick/CVE-2009-3094-2.0.txt + +1: + + * mod_proxy_ftp, CVE-2009-3095, sanity check authn credentials + Patch in 2.2.x branch: + http://svn.apache.org/viewvc?view=revision&revision=814847 + Backport: + http://people.apache.org/~trawick/CVE-2009-3095-2.0.txt + +1: + + * core output filter, CVE-2009-1891, consuming CPU after client disconnects + Patch in 2.2.x branch: + http://svn.apache.org/viewvc?view=revision&revision=791454 + Dan's patch posted last year for 2.0.x: + http://people.apache.org/~trawick/CVE-2009-1891-2.0-poirier.txt + +1: + PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON: *) mod_headers: Support {...}s tag for SSL variable lookup.
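Review bot: The three added STATUS entries each cite only "Patch in 2.2.x branch:", although the section they join is headed "PATCHES PROPOSED TO BACKPORT FROM TRUNK"; adding the trunk revision for each fix would let voters compare the 2.0.x backport against the original change as well as the 2.2.x one. The CVE-2009-1891 entry labels its 2.0.x patch "Dan's patch posted last year for 2.0.x:" where the two mod_proxy_ftp entries use "Backport:", so the same label on all three would keep the list uniform. All three "+1:" lines are empty and the commit message says the proposer has not reviewed or tested the patches yet, so a short remark per entry on whether the 2.2.x change applies to 2.0.x as-is or had to be adapted would help whoever picks these up.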