On 8/17/2012 1:10 PM, Rainer Jung wrote:
> On 17.08.2012 19:22, William A. Rowe Jr. wrote:
>> This list is frankly too long to consider for a T&R today, which will happen
>> later this afternoon or early evening as I mentioned several days ago.
>>
>> Rainer, can you draw our attention to the backports most critical to closing
>> any security issues present in 2.2, so we can give those proper review?
> 
> I'm only aware of one security issue in 2.2.22, which AFAIR was rated as low
> impact:
> mod_negotiation: Escape filenames in variant list to prevent a possible XSS
> for a site where untrusted users can upload files to a location with
> MultiViews enabled.
> SECURITY: CVE-2012-2687 (cve.mitre.org)
> 
> My personal preference amongst the rest: the AllowAnyURI patch. Without it
> many sites using forward proxy and mod_rewrite fail currently.

I'm OK with this fix, there are some users impacted who did use enough caution
in their rewrite rules in the first place.

But it still needs one more pair of eyeballs; since I'm waiting on review of
the TLSv1.1/TLSv1.2 protocol switch patch, I can give this a bit more time
before I T&R tomorrow by midday.

> For everything else I'm undecided.
> 
> Note that there are about 40 additional patches in the queue which do *not*
> backport any features but are mostly small fixes which have already been
> applied to trunk and 2.4 but never to 2.2. I'm not saying they need to go
> into 2.2.23, just wanting to give the whole picture.
> 
> I plan to review them over the next days and propose the ones that fit well
> into 2.2. We can have another 2.2. in a few months so that the backports get
> some time to settle. The reason I want to propose them soon is that some of
> us recently reviewed them for 2.4, so a 2.2 review might be easier soon.

Understood, and I'm happy to help make that happen in the next 6-12 weeks,
rather than letting these sit for another six months (again).

Bill
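The mod_negotiation fix discussed in this thread (CVE-2012-2687) boils down to escaping attacker-controllable filenames before they are placed into the HTML variant list that a MultiViews response emits. The following is an added, stand-alone illustration of that mitigation, written for this page and not taken from httpd's C code: it renders a constructed variant list once without escaping (the shape of the bug) and once with context-appropriate escaping (percent-encoding for the `href`, HTML-escaping for the visible text). The function names, the sample filenames and the markup layout are all assumptions.

```python
import html
from urllib.parse import quote

# Constructed sample: (filename, content type) pairs as a MultiViews
# directory might expose them; one name carries markup, as an uploaded
# file in a MultiViews-enabled directory could.
SAMPLE_VARIANTS = [
    ("index.html.en", "text/html"),
    ("index.html.de", "text/html"),
    ("<img src=x onerror=1>.html", "text/html"),  # constructed, untrusted name
]


def render_variant_list_unescaped(variants):
    """Pre-fix shape (assumed): filenames are interpolated into HTML verbatim,
    so a crafted upload name ends up as live markup in the response body."""
    items = [f'<li><a href="{name}">{name}</a>, type {ctype}</li>'
             for name, ctype in variants]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def render_variant_list(variants):
    """Hardened shape: every untrusted value is encoded for the context it
    lands in. The href gets percent-encoding (no character outside the
    unreserved set survives), the visible label and the type get HTML entity
    escaping with quotes included, so the name can never close the attribute
    or open a tag."""
    items = []
    for name, ctype in variants:
        href = quote(name, safe="")
        label = html.escape(name, quote=True)
        ctype_text = html.escape(ctype, quote=True)
        items.append(f'<li><a href="{href}">{label}</a>, type {ctype_text}</li>')
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def contains_raw_markup(rendered, needle="<img"):
    """Cheap check a reviewer can run over the rendered body: does the
    untrusted tag appear un-encoded anywhere?"""
    return needle in rendered


if __name__ == "__main__":
    print(render_variant_list_unescaped(SAMPLE_VARIANTS))
    print(render_variant_list(SAMPLE_VARIANTS))
```

The design point is that escaping is per output context: a filename sits in two places in the variant list (attribute value and element text), and each needs its own encoding; applying only one of them, or escaping before the value is split into those contexts, is how a fix like this gets re-opened.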
