Commit c9a2aab2 authored by Yann Ylavic's avatar Yann Ylavic
Browse files

Propose mod_session_crypto fix for CVE-2016-0736. 

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772814 13f79535-47bb-0310-9956-ffa450edef68
parent a2adf371

STATUS

+10 −1
Original line number Diff line number Diff line
@@ -149,7 +149,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 
     jailletc36: compatibility note missing in the XML file

     jim:        Will address during commit





  *) mod_lua: Fix default value of LuaInherit directive. It should be 

     'parent-first' instead of 'none', as per documentation.  PR 60419

     trunk patch: http://svn.apache.org/r1772489
@@ -157,6 +156,16 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 
     2.4.x patch: trunk works

     +1: jailletc36, jim



  *) SECURITY: CVE-2016-0736 (cve.mitre.org)

     mod_session_crypto: Authenticate the session data/cookie with a

     MAC (SipHash) to prevent deciphering or tampering from a padding

     oracle attack.  [Yann Ylavic, Colm MacCarthaigh]

     trunk patch: http://svn.apache.org/r1772812

                  http://svn.apache.org/r1772813

     2.4.x patch: trunk works (modulo CHANGES)

     +1: ylavic





PATCHES/ISSUES THAT ARE BEING WORKED

  [ New entried should be added at the START of the list ]