From: Eric Covener Date: Mon, 2 Mar 2015 18:24:25 +0000 (+0000) Subject: propose stack overflow in lua websockets X-Git-Tag: 2.4.13~380 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c0a15db43557b4a51653c552e06f5e17f6d6fee1;p=apache propose stack overflow in lua websockets git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1663389 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/STATUS b/STATUS index f0c4d836c5..d6334f5a87 100644 --- a/STATUS +++ b/STATUS @@ -257,6 +257,13 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK: 2.4.x patch: trunk works (modulo CHANGES) ylavic: +1 + *) SECURITY: CVE-2015-0228 (cve.mitre.org) + mod_lua: A maliciously crafted websockets PING after a script + calls r:wsupgrade() can cause a child process crash. + trunk patch: http://svn.apache.org/viewvc?view=revision&revision=1657261 + 2.4.x patch: trunk works + Note: Technically CTR but it's a CVE. + covener: +1 OTHER PROPOSALS
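Review bot: In the added STATUS entry, the description ("can cause a child process crash") does not name the defect class, while the commit subject calls it a stack overflow; saying so in the entry would let voters judge the backport from STATUS alone. The "2.4.x patch: trunk works" line also lacks the "(modulo CHANGES)" qualifier that the entry directly above it carries, so state whether the CHANGES part of the trunk revision applies to 2.4.x as is. The "(cve.mitre.org)" after the CVE id is a bare host name; drop it or replace it with a reference that points at the entry itself.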