On 1/30/2012 3:54 PM, Jeff Trawick wrote:
> Notes to the general public:
> * This is not necessarily a complete list, depending on your idea of "recent".
> * These are not official patches.
> * These do not match any vetted commits to the source tree.
> * No official release of these or other fixes to 1.3 is planned.
>
> CVE-2011-3368/CVE-2011-4317:
> http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch
>
> CVE-2012-0053:
> http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch

Perhaps update security.xml for these? They can be deposited into the appropriate patches/apply_to_1.3.42/ - and we should probably clean out all the other apply_to_1.3 patches from www.a.o (still, on archive.a.o).
