On Wed, Jan 18, 2012 at 8:43 AM, Jeff Trawick <[email protected]> wrote:
> On Tue, Jan 17, 2012 at 10:46 AM, Eric Covener <[email protected]> wrote:
>> I've collected the 3 backported security fixes pending for 2.2.22 and
>> tried to emulate apply_to_2.3.5/CVE-2010-2068-r953418.patch.
>>
>> http://people.apache.org/~covener/patches/apply_to_2.2.21/
>>
>> The text is a lot more brief and just written in one off-the-cuff
>> pass. I made sure they all apply together and are taken from svn diff
>> of the rev as applied to 2.2.x.
>>
>> Since these are all in the CHANGES, I guess this could have been dev@.
>
> yes (moved there now)

+1 to the patches for CVE-2012-0053 and CVE-2011-3607

I suspect the fix for CVE-2011-3368 will be changed before 2.2.22 is
released. While the CVE-2011-3368 patch is fine for what it promises to
fix, I'd like to see the follow-on vulnerability fix concluded in the
next 24 hours and one fix for both posted. (+1 for the CVE-2011-3368 if
we can't get our act together.)

I'd like to see some semicolons changed to colons. Examples:

# CVE-2012-0053; Scoreboard issue which could allow an unprivileged child
# Further details organized by httpd release may be available from;

(apply to all three descriptions)
