From: William A. Rowe Jr Date: Fri, 17 Aug 2012 19:57:17 +0000 (+0000) Subject: Vote and promote X-Git-Tag: 2.2.23~35 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=34256c9d2e54804e119744c5c56f029afc5ec139;p=thirdparty%2Fapache%2Fhttpd.git Vote and promote git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1374418 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index 09ed4bdb3da..6cd7bcef40f 100644 --- a/STATUS +++ b/STATUS @@ -93,6 +93,15 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] + * mod_negotiation: Escape filenames in variant list to prevent an + possible XSS for a site where untrusted users can upload files to a + location with MultiViews enabled. + SECURITY: CVE-2012-2687 (cve.mitre.org): + Submitted by: Niels Heinen + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905 + 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356889 + 2.2.x patch: trunk patch applies + +1: rjung, trawick, wrowe PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ New proposals should be added at the end of the list ] @@ -251,16 +260,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.2.x patch: http://people.apache.org/~rjung/patches/htdbm-htpasswd-handling_crypt_failure-2_2.patch +1: rjung - * mod_negotiation: Escape filenames in variant list to prevent an - possible XSS for a site where untrusted users can upload files to a - location with MultiViews enabled. - SECURITY: CVE-2012-2687 (cve.mitre.org): - Submitted by: Niels Heinen - trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905 - 2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356889 - 2.2.x patch: trunk patch applies - +1: rjung, trawick - * mod_rewrite: add "AllowAnyURI" option. Prerequisites: - allow the user to configure which rules come first when RewriteRules