I am +1 on folding in the simpler patch that fixes the immediate problem and holding off on anything more complicated for the next release....
On Jul 15, 2014, at 8:38 AM, Joe Orton <jor...@redhat.com> wrote:

> On Tue, Jul 15, 2014 at 12:27:00PM -0000, jor...@apache.org wrote:
>> Author: jorton
>> Date: Tue Jul 15 12:27:00 2014
>> New Revision: 1610674
>>
>> URL: http://svn.apache.org/r1610674
>> Log:
>> SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse
>> proxy configuration, a remote attacker could send a carefully crafted
>> request which could crash a server process, resulting in denial of
>> service.
>
> Backporting this to 2.4.x is non-trivial since trunk has diverged from
> 2.4.x via at least this change to how r->headers_in is handled:
>
> http://svn.apache.org/viewvc?view=revision&revision=1588527
>
> I am not sure how/whether that impacts the backport.
>
> We have a simpler version of the crasher fix which doesn't add strict
> interpretation of the Connection header - I am going to propose that for
> 2.4.x. If somebody wants to propose a backport of r1610674 for 2.4.x
> please jump to it ASAP!
>
> Regards, Joe