At 12:20 PM 6/27/2005, Jeff Trawick wrote:
>On 6/27/05, William A. Rowe, Jr. <[EMAIL PROTECTED]> wrote:
>
>> My goal is to tag and roll 2.0 by Friday for release early next
>> week, unless the fixes are ready sooner. There is a list of
>> already-accepted patches in status, if anyone wants to pick some
>> low hanging fruit for 2.0.
>
>I have a tested proxy smuggling patch for 2.0 which I'll upload to
>people.apache.org and add to STATUS. It is somewhere amidst the 2.1.5
>or 2.1.6 messages.

Thanks! The patch raised another question for me. We have the downgrade-1.0 and nokeepalive switches to force the CLIENT connection to skip any spoofing attack. But since 2.0/2.1 mod_proxy now uses keepalives for real, do we have any similar choice for administrators to 'work around' potentially broken back ends?

It's certainly not a security hole in Apache. But it would help folks who have insecure back end applications to mitigate the damage.

Bill
