On Wed, Jun 24, 2015 at 6:04 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
>   *) SECURITY: CVE-2015-3183 (cve.mitre.org)
>      core: Fix chunk header parsing defect.
>      Remove apr_brigade_flatten(), buffering and duplicated code from
>      the HTTP_IN filter, parse chunks in a single pass with zero copy.
>      Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
>      authorized characters. [Graham Leggett, Yann Ylavic]
>
>   *) core: Allow spaces after chunk-size for compatibility with
>      implementations

Both backported in r1687338 and r1687339.
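
The two changelog entries quoted above describe a chunk header parser that caps chunk-size at 2^63-1, tolerates spaces after the size, and is strict about chunk-ext characters. The following is an added example of those checks, not the httpd code or anything from this thread; the function name `parse_chunk_size_line` and the exact chunk-ext character policy (printable ASCII, SP and HTAB only) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper, not httpd code. `line` is one chunk header line with
 * the trailing CRLF already removed. Returns the chunk size (0..2^63-1),
 * or -1 for any malformed line. */
int64_t parse_chunk_size_line(const char *line, size_t len)
{
    uint64_t v = 0;
    size_t i = 0;
    int d;

    /* chunk-size = 1*HEXDIG: no sign, no "0x", no leading whitespace. */
    while (i < len && (d = hexval((unsigned char)line[i])) >= 0) {
        /* Check before shifting so v never exceeds 2^63-1; leading zeros pass. */
        if (v > ((uint64_t)INT64_MAX >> 4))
            return -1;
        v = (v << 4) | (uint64_t)d;
        i++;
    }
    if (i == 0)
        return -1;

    /* Compatibility: tolerate spaces or tabs after the size. */
    while (i < len && (line[i] == ' ' || line[i] == '\t'))
        i++;

    if (i < len) {
        /* Anything left must be a chunk-ext introduced by ';'. */
        if (line[i] != ';')
            return -1;
        /* Assumed policy: reject CR, LF, NUL and other control or 8-bit bytes. */
        for (i++; i < len; i++) {
            unsigned char c = (unsigned char)line[i];
            if (c != '\t' && (c < 0x20 || c > 0x7e))
                return -1;
        }
    }
    return (int64_t)v;
}
```

Bounding the value rather than counting digits means a long run of leading zeros is accepted while a 64-bit wraparound is not.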