On Mon, Jan 30, 2012 at 5:07 PM, William A. Rowe Jr. <[email protected]> wrote:
> On 1/30/2012 3:54 PM, Jeff Trawick wrote:
>> Notes to the general public:
>> * This is not necessarily a complete list, depending on your idea of
>> "recent".
>> * These are not official patches.
>> * These do not match any vetted commits to the source tree.
>> * No official release of these or other fixes to 1.3 is planned.
>>
>> CVE-2011-3368/CVE-2011-4317:
>> http://people.apache.org/~trawick/1.3-CVE-2011-4317-r1235443.patch
>>
>> CVE-2012-0053:
>> http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch
>
> Perhaps update security.xml for these? They can be deposited into the
> appropriate patches/apply_to_1.3.42/ - and we should probably clean out
> all the other apply_to_1.3 patches from www.a.o (still, on archive.a.o).
I'll get security.xml updated. CVE-2011-3368 is already mentioned, but someone else should reach the same conclusion as me that only these other CVEs need to be added. (4317 is tricky as it explicitly covers the stuff not fixed by the 3368 fix, but there was no 3368 fix for 1.3... and then there's the HTTP/0.9 fun with 2.0+original-3368-patch.) The patches need some reviews before uploading.
