From: Jeff Trawick
Date: Wed, 26 Jun 2013 16:09:35 +0000 (+0000)
Subject: The merge of AllowAnyURI to 2.0.x (r1489910) included the changes I
X-Git-Tag: 2.0.65~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0f63ef04a245161a7c57e716bf1f54d68a1e85a;p=thirdparty%2Fapache%2Fhttpd.git

The merge of AllowAnyURI to 2.0.x (r1489910) included the changes I
wanted, and 2.0.x-HEAD passes my 3368/4317 testcases with HTTP 0.9
and 1.0, so I have no remaining concerns. (Thanks rjung+covener.)

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1496984 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/STATUS b/STATUS index 79242a60aae..11da568cafa 100644 --- a/STATUS +++ b/STATUS 
@@ -114,55 +114,6 @@ CURRENT RELEASE NOTES: RELEASE SHOWSTOPPERS: - *) SECURITY: CVE-2011-4317 (cve.mitre.org) - Resolve additional cases of URL rewriting with ProxyPassMatch or - RewriteRule, where particular request-URIs could result in undesired - backend network exposure in some configurations. - [Joe Orton] - - trawick: Applying the existing 2.0.x patch for CVE-2011-3368 to - 2.0.64, the three well-known testcases work for HTTP 1.0 - but fail with HTTP 0.9; after applying r1235443 (backing - out the server/protocol.c change and fixing rewrite and - proxy), the three well-known testcases work for me with - both HTTP 1.0 and HTTP 0.9. - - The reason is that ap_read_request() looks for a bad - status only for HTTP >= 1.0; processing proceeds for - HTTP/0.9 even after going through the error path in the - existing CVE-2011-3368 patch. - - The CVE-2011-3368 solution for 2.0 could be modified, - but I prefer going with the current CVE-2011-4317 - solution since it handles everything. - - While 2.2 also skips checking r->status for HTTP 0.9 - in the obvious place, this logic in ap_read_request() - finally catches the problem before proceeding too far - with the request: - -1052 * status codes that do not cause the connection to be dropped and -1053 * in situations where the connection should be kept alive. -1054 */ -1055 -1056 ap_add_input_filter_handle(ap_http_input_filter_handle, -1057 NULL, r, r->connection); -1058 -1059 if (r->status != HTTP_OK) { -1060 ap_send_error_response(r, 0); -1061 ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); - - From 2.2.x: http://svn.apache.org/viewvc?view=revision&revision=1235443 - Individual patches apply with offsets; here's a clean all-in-one: - http://people.apache.org/~trawick/2.0-CVE-2011-4317-r1235443.patch - +1: jim, wrowe (as incorporated by rjung below) - trawick: 2.2/2.4 now have a different solution (AllowAnyURI). - rjung: I added the AllowAnyURI patch below. 
Version 2 of the patch - integrates your 2.0-CVE-2011-4317-r1235443.patch. - covener: this is no longer needed after rjungs AllowAnyURI which is now - backported, right? - http://svn.apache.org/viewvc?view=revision&revision=r1489910 - PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ]
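
Review bot: The removed trawick paragraph beginning "The reason is that ap_read_request() looks for a bad status only for HTTP >= 1.0" is the only place in these lines that explains why the earlier CVE-2011-3368 patch let HTTP/0.9 requests continue past its error path, and deleting the whole showstopper entry drops that explanation with no pointer to where it is kept. Consider carrying a one-line summary of it into the commit message or CHANGES. The log text also abbreviates the identifiers as "3368/4317"; writing out CVE-2011-3368 and CVE-2011-4317 would let a search on the CVE id find the commit that closed this showstopper. Finally, covener's question at the end of the removed entry ("this is no longer needed after rjungs AllowAnyURI which is now backported, right?") is answered only implicitly; stating in the message that r1489910 supersedes the r1235443 backport proposal would make the reason for the removal explicit.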