On Fri, Jun 19, 2015 at 11:42 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> On Jun 18, 2015 1:45 PM, "William A Rowe Jr" <wr...@rowe-clan.net> wrote:
> >
> > On Jun 11, 2015 8:22 AM, "Eric Covener" <cove...@gmail.com> wrote:
> > >
> > > On Thu, Jun 11, 2015 at 9:08 AM William A Rowe Jr <wr...@rowe-clan.net> wrote:
> > >>
> > >> But withholding a security fix for legacy server users? Sounds like a way to earn distrust of the user community, not reassure them that 2.4.14 is the best version available.
> > >
> > > +1
> >
> > The 2.2 patches are in alignment with the resolved 2.4 security patches plus relaxed trailing spaces rule. Yann and I have reviewed, still weeks later 2.2.30 needs one more pair of eyeballs and a third +1 of the 2 patches.
> >
> > I can T&R in the morning Friday if it has been reviewed, else it will be a while before I can RM.
>
> If there is a vote in the next 90 minutes, I'll proceed, otherwise I can proceed sometime next week after missing +1 is cast.
>

Just as a reminder, 2.2 STATUS contains;

  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from the
     HTTP_IN filter, parse chunks in a single pass with zero copy. Limit
     accepted chunk-size to 2^63-1 and be strict about chunk-ext authorized
     characters. [Graham Leggett, Yann Ylavic]
     Submitted by: minfrin, ylavic
     Reviewed by: ylavic, wrowe,
     Backports: 1484852, 1684513
     Reported by: regilero <regis.leroy makina-corpus.com>
     trunk
       http://svn.apache.org/r1484852
       http://svn.apache.org/r1684513
     2.4.x branch
       http://svn.apache.org/r1684515
     2.2.x branch
       http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch
     +1: ylavic, wrowe
     jim notes: test framework errors due to 413->400 error change [test adjusted]
     wrowe notes: r1684513 was not neglected in this patch, already included

  *) core: Allow spaces after chunk-size for compatibility with
     implementations using a pre-filled buffer.
     trunk patch:
       http://svn.apache.org/r1685345
       http://svn.apache.org/r1685347
       http://svn.apache.org/r1685349
       http://svn.apache.org/r1685350
     2.[24].x patch:
       http://people.apache.org/~ylavic/httpd-2.4.x-ap_http_filter_chunked-v3.patch
       (trunk works but CHANGES entry in the above patch is better since the
       APLOG_INFO part is already included in the CVE-2015-3183 patch)
     +1: ylavic, wrowe
     ylavic: CVE-2015-3183 patch httpd-2.2.x-ap_http_filter-chunked-v6.patch
             above must be applied first.

and has lingered now for two weeks (a month, actually, when measuring secur...@httpd.apache.org time).

This blocks not only tagging 2.2, but also publishing security guidance with corresponding patches for general consumption, barring a successful release including these patches for 2.4 and 2.2.

If you had offered to review security patches in Jeff's 2.2 interest thread of a month ago, please consider taking a bit of time to compare this change to the corresponding change already approved in 2.4.x branch (and rather extensively reviewed over the past two release votes).
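As an added illustration of the two STATUS items above (not code from httpd or from anyone on this thread): a chunk-size line parser that caps the size at 2^63-1 with an overflow guard, tolerates spaces after the size, and accepts only RFC 7230 chunk-ext characters. The function and result names are my own, and the input is assumed to be one line with its CRLF already stripped.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* Constructed result codes; this is not httpd's HTTP_IN filter. */
enum chunk_rc { CHUNK_OK, CHUNK_BAD, CHUNK_TOO_LARGE };

/* RFC 7230 tchar: ALPHA / DIGIT / the listed punctuation (never NUL). */
static int is_tchar(unsigned char c)
{ return c != 0 && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c) != NULL); }

/* chunk-ext = *( ";" token [ "=" ( token / quoted-string ) ] ); 1 if OK. */
static int valid_chunk_ext(const char *p)
{
    while (*p == ';') {
        p++;
        if (!is_tchar(*p)) return 0;                /* empty ext-name */
        while (is_tchar(*p)) p++;
        if (*p == '=') {
            p++;
            if (*p == '"') {                        /* quoted-string */
                for (p++; *p && *p != '"'; p++) {
                    if (*p == '\\' && p[1]) p++;    /* quoted-pair */
                    else if ((unsigned char)*p < 0x20 ? *p != '\t' : *p == 0x7f)
                        return 0;                   /* CTL is not qdtext */
                }
                if (*p++ != '"') return 0;          /* unterminated */
            } else {
                if (!is_tchar(*p)) return 0;        /* empty ext-val */
                while (is_tchar(*p)) p++;
            }
        }
    }
    return *p == '\0';                              /* no stray bytes */
}
/* Parse one chunk-size line (CRLF already removed): hex size with an overflow
 * guard at 2^63-1, optional spaces after it (relaxed rule), strict chunk-ext. */
enum chunk_rc parse_chunk_size(const char *p, uint64_t *size_out)
{
    uint64_t size = 0, max = INT64_MAX;
    if (!isxdigit((unsigned char)*p)) return CHUNK_BAD;     /* size required */
    for (; isxdigit((unsigned char)*p); p++) {
        unsigned v = isdigit((unsigned char)*p) ? *p - '0' : tolower((unsigned char)*p) - 'a' + 10;
        if (size > (max - v) / 16) return CHUNK_TOO_LARGE;  /* would exceed 2^63-1 */
        size = size * 16 + v;
    }
    while (*p == ' ') p++;                                  /* relaxed trailing SP */
    if (!valid_chunk_ext(p)) return CHUNK_BAD;
    *size_out = size;
    return CHUNK_OK;
}
```

The overflow guard rejects the size before the multiplication can wrap, so a 17-digit hex value is refused as too large rather than silently truncated.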