
Mailing List Archive: Apache: Dev

1.3 patches for recent security issues (funny or not, depending on your situation)

 

 



trawick at gmail

Jan 30, 2012, 1:54 PM

Post #1 of 3 (276 views)
1.3 patches for recent security issues (funny or not, depending on your situation)

Notes to the general public:
* This is not necessarily a complete list, depending on your idea of "recent".
* These are not official patches.
* These do not match any vetted commits to the source tree.
* No official release of these or other fixes to 1.3 is planned.

CVE-2011-3368/CVE-2011-4317:
http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch

CVE-2011-3607:
N/A

CVE-2012-0021:
N/A

CVE-2012-0031:
N/A

CVE-2012-0053:
http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch


wrowe at rowe-clan

Jan 30, 2012, 2:07 PM

Post #2 of 3 (272 views)
Re: 1.3 patches for recent security issues (funny or not, depending on your situation)

On 1/30/2012 3:54 PM, Jeff Trawick wrote:
> Notes to the general public:
> * This is not necessarily a complete list, depending on your idea of "recent".
> * These are not official patches.
> * These do not match any vetted commits to the source tree.
> * No official release of these or other fixes to 1.3 is planned.
>
> CVE-2011-3368/CVE-2011-4317:
> http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch
>
> CVE-2012-0053:
> http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch

Perhaps update security.xml for these? They can be deposited into the
appropriate patches/apply_to_1.3.42/ - and we should probably clean out
all the other apply_to_1.3 patches from www.a.o (still, on archive.a.o).


trawick at gmail

Jan 30, 2012, 2:49 PM

Post #3 of 3 (269 views)
Re: 1.3 patches for recent security issues (funny or not, depending on your situation)

On Mon, Jan 30, 2012 at 5:07 PM, William A. Rowe Jr.
<wrowe [at] rowe-clan> wrote:
> On 1/30/2012 3:54 PM, Jeff Trawick wrote:
>> Notes to the general public:
>> * This is not necessarily a complete list, depending on your idea of "recent".
>> * These are not official patches.
>> * These do not match any vetted commits to the source tree.
>> * No official release of these or other fixes to 1.3 is planned.
>>
>> CVE-2011-3368/CVE-2011-4317:
>> http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch
>>
>> CVE-2012-0053:
>> http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
>
> Perhaps update security.xml for these?  They can be deposited into the
> appropriate patches/apply_to_1.3.42/ - and we should probably clean out
> all the other apply_to_1.3 patches from www.a.o (still, on archive.a.o).

I'll get security.xml updated. CVE-2011-3368 is already mentioned,
but someone else should reach the same conclusion as me that only
these other CVEs need to be added. (4317 is tricky as it explicitly
covers the stuff not fixed by the 3368 fix, but there was no 3368 fix
for 1.3... and then there's the HTTP/0.9 fun with
2.0+original-3368-patch.)

The patches need some reviews before uploading.
