On Thu, Aug 21, 2014 at 11:35 AM, <mru...@apache.org> wrote:
> Author: mrumph
> Date: Thu Aug 21 15:35:43 2014
> New Revision: 1619446
>
> URL: http://svn.apache.org/r1619446
> Log:
> Comment on possible trailers CVE delay.
>
> Modified:
> httpd/httpd/branches/2.2.x/STATUS
>
> Modified: httpd/httpd/branches/2.2.x/STATUS
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1619446&r1=1619445&r2=1619446&view=diff
>
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/STATUS (original)
> +++ httpd/httpd/branches/2.2.x/STATUS Thu Aug 21 15:35:43 2014
> @@ -111,7 +111,10 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
> 2.2.x patch:
> http://people.apache.org/~covener/patches/httpd-2.2.x-trailers-2.diff
> +1: covener, wrowe, rpluem
> covener: Since this was not released yet in 2.4.x, maybe it's better
> to cut 2.2.28 w/o it?
> -
> + mrumph: Delaying a nonCVE fix would be reasonable to maintain
> backward compatibility.
> + But for a CVE that has already been made public,
> + wouldn't it make more sense to make the fix available as
> quickly as possible?
> +
> * mod_deflate: Fix reentrance in output and input filters (buffering of
> incomplete Zlib header or validation bytes). PR 46146.
> trunk patch: https://svn.apache.org/r1572655
>
>

IMO:
* Place a patch for 2.4.10 in patches/apply_to_
* Refer to the 2.4.10 patch after the description of the vulnerability within the 2.2.next announcement.

--
Born in Roswell... married an alien...
http://emptyhammock.com/
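Review bot: the added mrumph comment in the STATUS hunk argues from "a CVE that has already been made public", but neither the entry nor the log message ("Comment on possible trailers CVE delay.") records which CVE identifier the trailers backport addresses; add the identifier next to the 2.2.x patch URL so the backport decision stays traceable to the advisory, and write "nonCVE" as "non-CVE". The two long added lines have also been wrapped in transit ("backward compatibility.", "quickly as possible?"), so confirm the committed lines fit the width used by the rest of the STATUS file.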