Just a quick /nag that I'm happy to roll 2.2.30 in conjunction with 2.4.14,
so that we present both to the community at the same time, and simplify
the announcement.  This patch still needs a third +1 to be adopted (it is
already in trunk, and in the 2.4.14 Jim will be tagging & rolling shortly).

Apologies for being short on details until the announcement, but in short,
the way httpd interpreted chunk headers didn't follow the RFC.  This may
lead to similar circumstances as were exploited with CVE-2005-2088.
The project currently rates this risk as low, but as security vendors, such
as Watchfire, mapped how other backend and proxy implementations
interacted with httpd itself, CVE-2005-2088 was upgraded to medium
severity.  That is a possibility and the reason for requesting review of the
2.2 backport, on an expedited basis.
On Tue, Jun 9, 2015 at 3:32 PM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:

> Committers,
>
> we ended up short on reviewers in the security list, and are proceeding
> shortly with 2.4.14.
>
> I can't proceed with 2.2.30 until I get a third set of eyeballs on the
> 2.2.30-dev backport; could someone offer to review ASAP?  I will be
> tagging once the backport is approved, no other changes to the 2.2.x
> branch until 2.2.31-dev.
>
> The defect is considered Low severity based on the httpd team's initial
> assessment.  The other patch coming in a moment doesn't apply to 2.2.x
> at all.
>
> On Tue, Jun 9, 2015 at 3:26 PM, <wr...@apache.org> wrote:
>
>> Adjust URL for public consumption
>>
>> Modified:
>>     httpd/httpd/branches/2.2.x/STATUS
>>
>> Modified: httpd/httpd/branches/2.2.x/STATUS
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1684520&r1=1684519&r2=1684520&view=diff
>>
>> ==============================================================================
>> --- httpd/httpd/branches/2.2.x/STATUS (original)
>> +++ httpd/httpd/branches/2.2.x/STATUS Tue Jun  9 20:26:47 2015
>> @@ -109,12 +109,12 @@ RELEASE SHOWSTOPPERS:
>>    Reported by: Régis Leroy
>>
>>    trunk
>> +    http://svn.apache.org/r1484852
>> +    http://svn.apache.org/r1684513
>>    2.4.x branch
>> +    http://svn.apache.org/r1684515
>>    2.2.x branch
>> +
>> http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch
>>    +1: ylavic, wrowe
>>    jim notes: test framework errors due to 413->400 error change [test
>> adjusted]
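Review bot: the hunk header `@@ -109,12 +109,12 @@` declares the same line count before and after, but the quoted hunk shows four `+` lines and no `-` lines, so the URLs being replaced (the non-public ones the commit message "Adjust URL for public consumption" refers to) did not survive quoting and cannot be checked from this mail; please confirm against the repository diff rather than this copy. Two details to verify while doing so: the first trunk entry `http://svn.apache.org/r1484852` is numerically far from every other revision listed (r1684513, r1684515, r1684520) and should be confirmed as the intended revision rather than a transposition, and the 2.2.x entry appears as a bare `+` with `http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch` on the following line, so check that STATUS carries the URL on the `+` line with the same indentation as the other entries. Note also that the vote line still reads `+1: ylavic, wrowe`, two votes, consistent with the request in this thread for a third reviewer before tagging.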

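The message above says only that httpd's chunk-header handling did not follow the RFC, and withholds details until the announcement. As an added illustration (this is not httpd's code and not the patch under review, and it does not claim to show the specific defect), here is a chunk-size line parser written strictly to the RFC 7230 section 4.1 grammar: the line must begin with a hex digit, the digits run until the first non-hex byte, and whatever follows must be a chunk extension starting with `;`. Inputs that a lenient parser would silently truncate or reinterpret (leading whitespace, a sign, a `0x` prefix, a second number after a space) are rejected outright, which is the property that denies a front end and a back end two different readings of the same body. The eight-significant-digit cap, the treatment of leading zeros, the minimal control-byte check on the extension, and the helper names `parse_chunk_size`, `chunk_status_of` and `chunk_size_is` are this example's own choices.

```c
/*
 * Strict chunk-size line parsing, written as an illustration of the
 * RFC 7230 section 4.1 grammar.  Example code; NOT httpd's code and NOT
 * the patch discussed in this thread.
 *
 *   chunk       = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
 *   chunk-size  = 1*HEXDIG
 *   chunk-ext   = *( ";" chunk-ext-name [ "=" chunk-ext-val ] )
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption of this example: at most 8 significant hex digits
 * (0xFFFFFFFF), so the shift below can never overflow a uint64_t. */
#define MAX_CHUNK_SIG_DIGITS 8

typedef enum {
    CHUNK_OK = 0,
    CHUNK_BAD_SYNTAX,   /* not 1*HEXDIG followed by end or a ';' extension */
    CHUNK_TOO_LARGE     /* more than MAX_CHUNK_SIG_DIGITS significant digits */
} chunk_status;

/* Parse one chunk-size line: the bytes before the terminating CRLF. */
chunk_status parse_chunk_size(const char *line, size_t len, uint64_t *out)
{
    size_t i = 0, sig = 0;
    uint64_t size = 0;

    /* 1*HEXDIG: the very first byte must be a hex digit.  This alone
     * rejects leading SP/HTAB, '+'/'-' signs and an empty size field. */
    if (len == 0 || !isxdigit((unsigned char)line[0]))
        return CHUNK_BAD_SYNTAX;

    while (i < len && isxdigit((unsigned char)line[i])) {
        int c = (unsigned char)line[i];
        int v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;

        /* Leading zeros are legal and unbounded in the grammar, so only
         * significant digits count toward the size limit. */
        if (size != 0 || v != 0) {
            if (++sig > MAX_CHUNK_SIG_DIGITS)
                return CHUNK_TOO_LARGE;
        }
        size = (size << 4) | (uint64_t)v;
        i++;
    }

    /* Anything after the digits must be a chunk-ext, which begins with
     * ';'.  "0x1a", "1a 1b" or "1a\t" fail here instead of being
     * silently truncated to their leading digits. */
    if (i < len) {
        if (line[i] != ';')
            return CHUNK_BAD_SYNTAX;
        /* Minimal chunk-ext check for this example: no control bytes.
         * A full implementation would tokenize ext-name / ext-val. */
        for (size_t j = i + 1; j < len; j++) {
            unsigned char c = (unsigned char)line[j];
            if (c < 0x20 || c == 0x7f)
                return CHUNK_BAD_SYNTAX;
        }
    }

    *out = size;
    return CHUNK_OK;
}

/* Convenience wrappers for NUL-terminated strings. */
chunk_status chunk_status_of(const char *line)
{
    uint64_t unused;
    return parse_chunk_size(line, strlen(line), &unused);
}

int chunk_size_is(const char *line, uint64_t expect)
{
    uint64_t got;
    return parse_chunk_size(line, strlen(line), &got) == CHUNK_OK && got == expect;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    static const char *samples[] = {
        "1a", "1A;name=value", "000000000001a", " 1a", "+1a", "0x1a",
        "1a 1b", "100000000", "", "zz"
    };
    static const char *names[] = { "OK", "BAD_SYNTAX", "TOO_LARGE" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t v = 0;
        chunk_status st = parse_chunk_size(samples[i], strlen(samples[i]), &v);
        printf("%-16s -> %s", samples[i], names[st]);
        if (st == CHUNK_OK)
            printf(" (%llu bytes)", (unsigned long long)v);
        printf("\n");
    }
    return 0;
}
```

Returning a distinct status for an oversized size field rather than clamping it lets the caller answer with a 400 (or 413, as the STATUS note above indicates the backport changed) instead of carrying on with a guessed length, and every rejection closes the request rather than letting the remainder of the line be read as the next chunk or the next request.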