From: Rainer Jung Date: Mon, 30 Jan 2012 13:29:37 +0000 (+0000) Subject: CVE-2011-3348: nothing to fix, original problem X-Git-Tag: 2.0.65~86 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bb5b423e84a05c57109b447914d74e42dc25b481;p=thirdparty%2Fapache%2Fhttpd.git CVE-2011-3348: nothing to fix, original problem only applied to mod_proxy_ajp which does not exist in 2.0.x. CVE-2010-2068: added comment. I think nothing to fix either, but more eyes welcome. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@1237644 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index c660838eb4b..c86be09bcb9 100644 --- a/STATUS +++ b/STATUS @@ -122,16 +122,15 @@ RELEASE SHOWSTOPPERS: 2.0.x patch: http://people.apache.org/~jim/patches/2.0-byterange0-.txt +1: jim, rjung, wrowe - * Backport jorton's work on backstopping unrooted URI's (regex protection) - and any mod_rewrite example corrections. + *) Backport jorton's work on backstopping unrooted URI's (regex protection) + and any mod_rewrite example corrections. *) SECURITY: CVE-2010-2068 (cve.mitre.org) mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection for platforms Windows, Netware and OS2. PR: 49417. [Rainer Jung] - - *) SECURITY: CVE-2011-3348 (cve.mitre.org) - mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not - recognized. [Jean-Frederic Clere] + rjung: mod_proxy_ajp and mod_reqtimeout don't apply for 2.0.x + I checked proxy_http and could not find a code path to fix. + More eyes welcome. *) SECURITY: CVE-2011-3607 (cve.mitre.org) Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
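Review bot: The added rjung note under CVE-2010-2068 ("I checked proxy_http and could not find a code path to fix") does not say what was compared, so the "More eyes welcome" request gives a second reviewer nothing to verify against. Suggest naming in the note the revision of the original fix for PR 49417 and the proxy_http functions that were inspected in 2.0.x. Separately, the removed CVE-2011-3348 entry leaves no trace in STATUS of why it was dropped; the reason (mod_proxy_ajp does not exist in 2.0.x) lives only in the commit message, so a one-line "not applicable to 2.0.x" remark in STATUS would keep the showstopper list self-explanatory for anyone auditing CVE coverage of this branch. The `*` to `*)` bullet fix on the jorton item is unrelated cleanup and would be easier to review as its own change.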