> -Original Message-
> From: Eric Covener [mailto:cove...@gmail.com]
> Sent: Saturday, 29 August 2015 16:02
> To: Apache HTTP Server Development List
> Subject: Re: svn commit: r1610674 - in /httpd/httpd/trunk:
> include/ap_mmn.h include/httpd.h modules/proxy/mod_prox
On Sat, Aug 29, 2015 at 1:51 AM, Christophe JAILLET
christophe.jail...@wanadoo.fr wrote:
If I understand correctly, if we find an invalid char and 'skip_invalid', we
first look for the next comma and start searching for new token from there.
If no comma is found before the trailing NULL, then
Hi,
spotted while looking at
https://raw.githubusercontent.com/icing/mod_h2/master/sandbox/httpd/patches/core-protocols.patch
which includes it.
CJ
On 15/07/2014 14:27, jor...@apache.org wrote:
Author: jorton
Date: Tue Jul 15 12:27:00 2014
New Revision: 1610674
URL:
On Tue, Jul 15, 2014 at 12:27:00PM -, jor...@apache.org wrote:
Author: jorton
Date: Tue Jul 15 12:27:00 2014
New Revision: 1610674
URL: http://svn.apache.org/r1610674
Log:
SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse
proxy configuration, a remote attacker could
On Tue, Jul 15, 2014 at 2:38 PM, Joe Orton jor...@redhat.com wrote:
If somebody wants to propose a backport of r1610674 for 2.4.x
please jump to it ASAP!
Attached is a 2.4.x version of r1610674 that should work.
r1588527 copies headers_in sooner in the function but
ap_proxy_clear_connection()
/httpd/trunk:
include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c
modules/proxy/proxy_util.c server/util.c
On Tue, Jul 15, 2014 at 2:38 PM, Joe Orton jor...@redhat.com wrote:
If somebody wants to propose a backport of r1610674 for 2.4.x
please jump to it ASAP!
Attached is a 2.4.x
On Tue, Jul 15, 2014 at 3:07 PM, Plüm, Rüdiger, Vodafone Group
ruediger.pl...@vodafone.com wrote:
Isn't
x.is_req = (headers == r->headers_in);
in ap_proxy_clear_connection an issue, when only called with the copy of
r->headers_in?
Hm, you are right.
Here is a v2 which introduces
On Tue, Jul 15, 2014 at 03:14:56PM +0200, Yann Ylavic wrote:
On Tue, Jul 15, 2014 at 3:07 PM, Plüm, Rüdiger, Vodafone Group
ruediger.pl...@vodafone.com wrote:
Isn't
x.is_req = (headers == r->headers_in);
in ap_proxy_clear_connection an issue, when only called with the copy of
I am +1 on folding in the simpler patch that fixes the
immediate problem and holding off on anything more
complicated for the next release
On Jul 15, 2014, at 8:38 AM, Joe Orton jor...@redhat.com wrote:
On Tue, Jul 15, 2014 at 12:27:00PM -, jor...@apache.org wrote:
Author: jorton
I am very hesitant about adding this with so little
review time... I would like to propose that we simply
release 2.4.10 with the simple, trivial crash-fixer
and allow us to spend more time on the below, in order
to ensure it's solid.
I'm -0.99 (for 2.4.x) :)
On Jul 15, 2014, at 9:18 AM, Joe
On Tue, Jul 15, 2014 at 09:25:20AM -0400, Jim Jagielski wrote:
I am very hesitant about adding this with so little
review time... I would like to propose that we simply
release 2.4.10 with the simple, trivial crash-fixer
and allow us to spend more time on the below, in order
to ensure it's
On Tue, Jul 15, 2014 at 02:41:44PM +0100, Joe Orton wrote:
I've stuck it in STATUS. Any other opinions?
Come on... one more for this, either way?
* mod_proxy Connection handling crasher, CVE-2014-0117
trunk patch: http://svn.apache.org/r1610674
ALTERNATIVE #1
2.4.x patch:
On Tue, Jul 15, 2014 at 11:59 AM, Joe Orton jor...@redhat.com wrote:
On Tue, Jul 15, 2014 at 02:41:44PM +0100, Joe Orton wrote:
I've stuck it in STATUS. Any other opinions?
Come on... one more for this, either way?
* mod_proxy Connection handling crasher, CVE-2014-0117
trunk patch: