On 17.08.2012 19:22, William A. Rowe Jr. wrote:
> This list is frankly too long to consider for a T&R today, which will happen
> later this afternoon or early evening as I mentioned several days ago.
> Rainer, can you draw our attention to the backports most critical to closing
> any security issues present in 2.2, so we can give those proper review?

I'm only aware of one security issue in 2.2.22, which AFAIR was rated as
low impact: mod_negotiation: Escape filenames in variant list to prevent
a possible XSS for a site where untrusted users can upload files to a
location with MultiViews enabled.
SECURITY: CVE-2012-2687 (cve.mitre.org)
My personal preference amongst the rest: the AllowAnyURI patch. Without
it many sites using forward proxy and mod_rewrite fail currently.
For everything else I'm undecided.
Note that there are about 40 additional patches in the queue which do
*not* backport any features but are mostly small fixes which have
already been applied to trunk and 2.4 but never to 2.2. I'm not saying
they need to go into 2.2.23, just wanting to give the whole picture.
I plan to review them over the next days and propose the ones that fit
well into 2.2. We can have another 2.2. in a few months so that the
backports get some time to settle. The reason I want to propose them
soon is that some of us recently reviewed them for 2.4 so a 2.2 review
might be easier soon.
Regards,
Rainer