This list is frankly too long to consider for a T&R today, which will happen
later this afternoon or early evening as I mentioned several days ago.

Rainer, can you draw our attention to the backports most critical to closing
any security issues present in 2.2, so we can give those proper review?



On 8/17/2012 3:52 AM, rj...@apache.org wrote:
> Author: rjung
> Date: Fri Aug 17 08:52:35 2012
> New Revision: 1374178
> 
> URL: http://svn.apache.org/viewvc?rev=1374178&view=rev
> Log:
> Give some love to 2.2.x: add a round of backports,
> which are already part of trunk and 2.4.
> 
> The list includes any fixes applied to 2.4 between
> March 15 and July 19 2012.
> 
> Most of them easy to review, some not.
> Unfortunately especially the important backport of
> AllowAnyURI needs two additional prerequisite backports.
> 
> Modified:
>     httpd/httpd/branches/2.2.x/STATUS
> 
> Modified: httpd/httpd/branches/2.2.x/STATUS
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1374178&r1=1374177&r2=1374178&view=diff
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/STATUS (original)
> +++ httpd/httpd/branches/2.2.x/STATUS Fri Aug 17 08:52:35 2012
> @@ -205,6 +205,118 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
>            any version. Also, if you read my note to dev@ you will see
>            why it is not premature.
>  
> +   * mod_proxy_balancer: fix error message implying recovery during a 
> markdown
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1299738
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1301194
> +     2.2.x patch: 
> http://people.apache.org/~rjung/patches/mod_proxy_balancer-fix-error-message-2_2.patch
> +     +1: rjung
> +
> +   * core: (dummy_connection): Destroy temp pool and return on connect() 
> failure.
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1300171
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1301649
> +     2.2.x patch: 
> http://people.apache.org/~rjung/patches/dummy_connection-destroy-pool-and-return-on-failure-2_2.patch
> +     +1: rjung
> +
> +   * core: add filesystem paths to some common error messages.
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1301504
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1302426
> +     2.2.x patch: 
> http://people.apache.org/~rjung/patches/improve-forbidden-error-message-2_2.patch
> +     +1: rjung
> +
> +   * core: Fix error handling in ap_scan_script_header_err_brigade() if there
> +     is no EOS bucket in the brigade:
> +     Also don't loop if there is a timeout when discarding the script output.
> +     Thanks to Edgar Frank for the analysis.
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1311174
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1331414
> +     2.2.x patch: trunk patch applies
> +     +1: rjung
> +
> +   * core: Bail out *before* signalling the server if the config is bad.
> +     (as per the claim in the docs!) Prevents "httpd -k restart" from
> +     killing server in presence of config error.
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1328345
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1331847
> +     2.2.x patch: trunk patch applies
> +     +1: rjung
> +
> +   * mod_ssl: When receiving http on https, send the error response with 
> http 1.0
> +     It is important that we send a proper error status, or search engines
> +     may index the error message.
> +     Remove the link in the speaking-http-on-https error message.
> +     With SNI, the link will usually be wrong. So better send no link at all.
> +     PR: 50823
> +     trunk patch: 
> http://svn.apache.org/viewvc?view=revision&revision=1328325 and
> +                  http://svn.apache.org/viewvc?view=revision&revision=1328326
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1334346
> +     2.2.x patch: 
> http://people.apache.org/~rjung/patches/improve-speaking-http-on-https-message-2_2.patch
> +     +1: rjung
> +
> +   * mod_proxy_http: Use the the same hostname for SNI as for the HTTP 
> request when
> +     forwarding to SSL backends.
> +     PR: 53134
> +     Based on a patch from: Michael Weiser <michael weiser.dinsnail.net>
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1333969
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356881
> +     2.2.x patch: 
> http://people.apache.org/~rjung/patches/mod_proxy_http-fix-hostname-ssl-2_2.patch
> +     +1: rjung
> +
> +   * server/mpm_unix.c (dummy_connection): Use a TLS 1.0 close_notify
> +     alert if the chosen listener is configured for https; not perfect
> +     but better than sending an HTTP request.  Adjust comments.
> +     Based on a patch from: Michael Weiser <michael weiser.dinsnail.net>
> +     trunk patch: 
> http://svn.apache.org/viewvc?view=revision&revision=1327036 and
> +                  http://svn.apache.org/viewvc?view=revision&revision=1327080
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356884
> +     2.2.x patch: 
> http://people.apache.org/~rjung/patches/dummy_connection-https-tls-2_2.patch
> +     +1: rjung
> +
> +   * htdbm/htpasswd: fix handling of crypt() failures.
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1346905
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356887
> +     2.2.x patch: 
> http://people.apache.org/~rjung/patches/htdbm-htpasswd-handling_crypt_failure-2_2.patch
> +     +1: rjung
> +
> +   * mod_negotiation: Escape filenames in variant list to prevent an
> +     possible XSS for a site where untrusted users can upload files to a
> +     location with MultiViews enabled.
> +     SECURITY: CVE-2012-2687 (cve.mitre.org):
> +     Submitted by: Niels Heinen <heinenn google.com>
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1349905
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1356889
> +     2.2.x patch: trunk patch applies
> +     +1: rjung
> +
> +   * mod_rewrite: add "AllowAnyURI" option.
> +     Prerequisites:
> +     - allow the user to configure which rules come first when RewriteRules
> +       are merged with RewriteOptions Inherit. PR 39313
> +     - change signed single-bit fields to unsigned
> +     trunk patch: 
> http://svn.apache.org/viewvc?view=revision&revision=1356115 and
> +                  
> http://svn.apache.org/viewvc?view=revision&revision=1356813 and
> +                  
> http://svn.apache.org/viewvc?view=revision&revision=1086662 and
> +                  http://svn.apache.org/viewvc?view=revision&revision=1032431
> +     2.4.x patch: 
> http://svn.apache.org/viewvc?view=revision&revision=1359687 and
> +                  
> http://svn.apache.org/viewvc?view=revision&revision=1086662 and
> +                  http://svn.apache.org/viewvc?view=revision&revision=1032431
> +     2.2.x patch: 
> http://people.apache.org/~rjung/patches/mod_rewrite-directory_conf-allowanyuri-2_2.patch
> +     +1: rjung
> +
> +   * mod_log_config: %{abc}C truncates cookies whose values contain '='
> +     PR 53104
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1328133
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1359690
> +     2.2.x patch: trunk patch applies
> +     +1: rjung
> +
> +   * include/util_ldap.h: Treat LDAP_UNAVAILABLE as a transient error
> +     with non-MS LDAP SDKs; seen with OpenLDAP against Novell eDirectory.
> +     Submitted by: Filip Valder <filip.valder vsb.cz> (via RH bugzilla)
> +     trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1348036
> +     2.4.x patch: http://svn.apache.org/viewvc?view=revision&revision=1362056
> +     2.2.x patch: 
> http://people.apache.org/~rjung/patches/treat_ldap_unavailable_transient-2_2.patch
> +     +1: rjung
> +
>  PATCHES/ISSUES THAT ARE STALLED
>  
>    * core: Support wildcards in both the directory and file components of
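Review bot: the mod_rewrite "AllowAnyURI" entry bundles three separable changes under one vote (the RewriteOptions Inherit ordering fix for PR 39313, the signed-to-unsigned bitfield change, and the new option itself), and its revision lists do not line up: the trunk line cites r1356115, r1356813, r1086662 and r1032431, while the 2.4.x line cites r1359687 plus the same r1086662 and r1032431, so a reviewer cannot tell from the entry which revision is which prerequisite, which one is the option, or why the two lower-numbered revisions appear under both branches. Suggest splitting it into one STATUS entry per prerequisite plus one for AllowAnyURI, each with its own trunk/2.4.x/2.2.x lines and vote line, and stating in the entry why the option is needed: the log calls it the important backport, but the entry carries no PR, CVE or rationale. Separately, only the mod_negotiation entry is tagged "SECURITY: CVE-2012-2687"; moving it, together with the other entries that change what goes on the wire (the mod_ssl http-on-https error response, PR 50823, and the mod_proxy_http SNI hostname fix, PR 53134), to the top of the block would make the security-focused review requested in the reply easier to do before the T&R.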