On Tue, Jul 15, 2014 at 12:27:00PM -0000, [email protected] wrote:
> Author: jorton
> Date: Tue Jul 15 12:27:00 2014
> New Revision: 1610674
>
> URL: http://svn.apache.org/r1610674
> Log:
> SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse
> proxy configuration, a remote attacker could send a carefully crafted
> request which could crash a server process, resulting in denial of
> service.
Backporting this to 2.4.x is non-trivial since trunk has diverged from 2.4.x via at least this change to how r->headers_in is handled:

http://svn.apache.org/viewvc?view=revision&revision=1588527

I am not sure how/whether that impacts the backport.

We have a simpler version of the crasher fix which doesn't add strict interpretation of the Connection header - I am going to propose that for 2.4.x. If somebody wants to propose a backport of r1610674 for 2.4.x please jump to it ASAP!

Regards, Joe
