> -Original Message-
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Saturday, 29 August 2015 16:02
> To: Apache HTTP Server Development List
> Subject: Re: svn commit: r1610674 - in /httpd/httpd/trunk:
> include/ap_mmn.h include/httpd.h modules/proxy/mod_prox
On Sat, Aug 29, 2015 at 1:51 AM, Christophe JAILLET
wrote:
> If I understand correctly, if we find an invalid char and 'skip_invalid', we
> first look for the next comma and start searching for new token from there.
> If no comma is found before the trailing NULL, then nothing more can be
> found
Hi,
spotted while looking at
https://raw.githubusercontent.com/icing/mod_h2/master/sandbox/httpd/patches/core-protocols.patch
which includes it.
CJ
On 15/07/2014 14:27, jor...@apache.org wrote:
Author: jorton
Date: Tue Jul 15 12:27:00 2014
New Revision: 1610674
URL: http://svn.apache.org/
On Tue, Jul 15, 2014 at 11:59 AM, Joe Orton wrote:
> On Tue, Jul 15, 2014 at 02:41:44PM +0100, Joe Orton wrote:
> > I've stuck it in STATUS. Any other opinions?
>
> Come on... one more for this, either way?
>
>* mod_proxy Connection handling crasher, CVE-2014-0117
>trunk patch: http://sv
On Tue, Jul 15, 2014 at 02:41:44PM +0100, Joe Orton wrote:
> I've stuck it in STATUS. Any other opinions?
Come on... one more for this, either way?
* mod_proxy Connection handling crasher, CVE-2014-0117
trunk patch: http://svn.apache.org/r1610674
ALTERNATIVE #1
2.4.x patch: http://pe
On Tue, Jul 15, 2014 at 09:25:20AM -0400, Jim Jagielski wrote:
> I am very hesitant about adding this with so little
> review time... I would like to propose that we simply
> release 2.4.10 with the simple, trivial crash-fixer
> and allow us to spend more time on the below, in order
> to ensure it'
I am very hesitant about adding this with so little
review time... I would like to propose that we simply
release 2.4.10 with the simple, trivial crash-fixer
and allow us to spend more time on the below, in order
to ensure it's solid.
I'm -0.99 (for 2.4.x) :)
On Jul 15, 2014, at 9:18 AM, Joe Orto
I am +1 on folding in the simpler patch that fixes the
immediate problem and holding off on anything more
complicated for the next release
On Jul 15, 2014, at 8:38 AM, Joe Orton wrote:
> On Tue, Jul 15, 2014 at 12:27:00PM -, jor...@apache.org wrote:
>> Author: jorton
>> Date: Tue Jul 15
On Tue, Jul 15, 2014 at 03:14:56PM +0200, Yann Ylavic wrote:
> On Tue, Jul 15, 2014 at 3:07 PM, Plüm, Rüdiger, Vodafone Group
> wrote:
> > Isn't
> >
> > x.is_req = (headers == r->headers_in);
> >
> > in ap_proxy_clear_connection an issue, when only called with the copy of
> > r->headers_in?
>
>
On Tue, Jul 15, 2014 at 3:07 PM, Plüm, Rüdiger, Vodafone Group
wrote:
> Isn't
>
> x.is_req = (headers == r->headers_in);
>
> in ap_proxy_clear_connection an issue, when only called with the copy of
> r->headers_in?
Hm, you are right.
Here is a v2 which introduces ap_proxy_clear_connection_ex()
svn commit: r1610674 - in /httpd/httpd/trunk:
> include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c
> modules/proxy/proxy_util.c server/util.c
>
> On Tue, Jul 15, 2014 at 2:38 PM, Joe Orton wrote:
> If somebody wants to propose a backport of r1610674 for 2.4.x
> > p
On Tue, Jul 15, 2014 at 2:38 PM, Joe Orton wrote:
If somebody wants to propose a backport of r1610674 for 2.4.x
> please jump to it ASAP!
Attached is a 2.4.x version of r1610674 that should work.
r1588527 copies headers_in sooner in the function but
ap_proxy_clear_connection() can still be calle
On Tue, Jul 15, 2014 at 12:27:00PM -, jor...@apache.org wrote:
> Author: jorton
> Date: Tue Jul 15 12:27:00 2014
> New Revision: 1610674
>
> URL: http://svn.apache.org/r1610674
> Log:
> SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse
> proxy configuration, a remote attacker c