In the announce, we should have:
  

     proxy HTTP: If a response contains both Transfer-Encoding 
     and a Content-Length, remove the Content-Length to eliminate 
     an HTTP Request Smuggling vulnerability, and don't reuse 
     the connection, stopping some HTTP Request Spoofing attacks.



  "The Apache httpd project thanks the Watchfire team of Linhart,
  Klein, Heled and Orrin for the responsible notification and
  disclosure of this information."

Do we have an incident number for this report as it pertains
to the Apache HTTP Server?

I agree with Jeff after spending quite a few hours; patches to
the proxy now diverge quite radically from 2.0's proxy_http.c.
The band aids will land in slightly different places, but we
should encourage folks to validate proper proxied header and
body transmission.

My goal is to tag and roll 2.0 by Friday for release early next
week, unless the fixes are ready sooner.  There is a list of 
already-accepted patches in status, if anyone wants to pick some
low hanging fruit for 2.0.

Bill
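The header rule in the proposed announce text above, worked through as an added example (Python, written for this page; not httpd's proxy_http.c or any Apache code). It parses a constructed origin response that carries both Transfer-Encoding and Content-Length, frames the body both ways to show that a Content-Length reader and a chunked reader disagree on where the message ends (the desynchronisation that request smuggling relies on), then applies the proposed normalisation: drop Content-Length and force Connection: close so the connection is not reused. The sample response, the trailing second message and all function names are constructed for the illustration.

```python
"""Added example, not httpd code: why a response carrying both
Transfer-Encoding and Content-Length is ambiguous, and the normalisation
proposed in the announce text (drop Content-Length, do not reuse the
connection)."""

CRLF = b"\r\n"

# Constructed sample (not a real capture): a response with both framing
# headers, followed by a second message that arrived on the same connection.
SECOND_MESSAGE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
SAMPLE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"5\r\nhello\r\n0\r\n\r\n"
) + SECOND_MESSAGE


def parse_message(raw):
    """Split a raw HTTP/1.1 message into (start_line, headers, body).
    Headers are a list of (lower-cased name, value) byte pairs, order kept."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("no end of headers")
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def frame_by_content_length(headers, body):
    """Frame the body the way a reader honouring Content-Length would.
    Returns (message body, bytes left over for the next message)."""
    length = int(dict(headers)[b"content-length"])
    return body[:length], body[length:]


def frame_by_chunked(body):
    """Frame the body the way a reader honouring chunked encoding would.
    Returns (decoded body, bytes left over for the next message)."""
    decoded = b""
    pos = 0
    while True:
        eol = body.index(CRLF, pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            # last-chunk: skip any trailer lines up to the empty line
            end = body.index(CRLF, pos)
            while end != pos:
                pos = end + 2
                end = body.index(CRLF, pos)
            return decoded, body[end + 2:]
        decoded += body[pos:pos + size]
        pos += size + 2  # chunk data plus its terminating CRLF


def normalize_response_headers(headers):
    """The rule from the proposed announce text: if both Transfer-Encoding
    and Content-Length are present, remove Content-Length and mark the
    connection as not reusable. Returns (headers, must_close)."""
    names = {n for n, _ in headers}
    if b"transfer-encoding" not in names or b"content-length" not in names:
        return list(headers), False
    cleaned = [(n, v) for n, v in headers
               if n not in (b"content-length", b"connection")]
    cleaned.append((b"connection", b"close"))
    return cleaned, True


def serialize(start_line, headers, body):
    """Re-emit a message; header names come out lower-cased, which is
    legal since HTTP header names are case-insensitive."""
    head = CRLF.join([start_line] + [n + b": " + v for n, v in headers])
    return head + CRLF + CRLF + body


def demo(raw=SAMPLE):
    """Show the two framings disagreeing, then the normalised message."""
    start, headers, body = parse_message(raw)
    _, cl_rest = frame_by_content_length(headers, body)
    _, te_rest = frame_by_chunked(body)
    fixed, must_close = normalize_response_headers(headers)
    return {
        "content_length_leftover": cl_rest,  # what a CL reader treats as next
        "chunked_leftover": te_rest,          # what a TE reader treats as next
        "framings_agree": cl_rest == te_rest,
        "must_close": must_close,
        "normalized": serialize(start, fixed, body),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

With the sample above the Content-Length reader stops after four bytes (`5\r\nh`) and treats `ello\r\n0\r\n...` as the start of the next response, while the chunked reader consumes through the zero-length chunk and sees only the real second message; whichever side of a proxy picks the other framing is desynchronised. After normalisation only chunked framing remains, and Connection: close ensures any leftover bytes cannot be replayed as a reply to a later request on a reused connection.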


At 01:08 PM 6/26/2005, Paul Querna wrote:

>+1 for Alpha from Joe Orton, Brad Nicholes, Wilfredo Sánchez Vega, and Paul 
>Querna.
>
>Therefore, I consider 2.1.6-alpha to be released.
>
>I have moved the 2.1.6-alpha source files to the dist folder to be picked up 
>by mirrors.  I will add it to the download.xml and index.xml for 
>httpd.apache.org later today, after giving the mirrors time to pick it up.
>
>Thanks to everyone who tested it,
>
>-Paul
>
>Paul Querna wrote:
>
>>Please vote on releasing 2.1.6 as -alpha.
>>
>>Available at:
>>http://httpd.apache.org/dev/dist/
>>http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>>
>>MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
>>MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
>>MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>>
>>Thanks,
>>
>>Paul
>

