Index: src/CHANGES
===================================================================
RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1942
diff -u -p -u -r1.1942 CHANGES
--- src/CHANGES	2 Jun 2004 22:49:03 -0000	1.1942
+++ src/CHANGES	9 Jun 2004 15:58:44 -0000
@@ -1,5 +1,9 @@
 Changes with Apache 1.3.32
 
+  *) SECURITY: CAN-2004-0492 (cve.mitre.org)
+     Reject responses from a remote server if sent an invalid (negative) 
+     Content-Length.  [Mark Cox]
+
   *) Fix a bunch of cases where the return code of the regex compiler
      was not checked properly. This affects mod_usertrack and
      core. PR 28218.  [André Malo]
Index: src/modules/proxy/proxy_http.c
===================================================================
RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_http.c,v
retrieving revision 1.106
diff -u -p -u -r1.106 proxy_http.c
--- src/modules/proxy/proxy_http.c	29 Mar 2004 17:47:15 -0000	1.106
+++ src/modules/proxy/proxy_http.c	8 Jun 2004 14:23:05 -0000
@@ -485,6 +485,13 @@ int ap_proxy_http_handler(request_rec *r
         content_length = ap_table_get(resp_hdrs, "Content-Length");
         if (content_length != NULL) {
             c->len = ap_strtol(content_length, NULL, 10);
+
+	    if (c->len < 0) {
+		ap_kill_timeout(r);
+		return ap_proxyerror(r, HTTP_BAD_GATEWAY, ap_pstrcat(r->pool,
+				     "Invalid Content-Length from remote server",
+                                      NULL));
+	    }
         }
 
     }
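Review bot: The new `if (c->len < 0)` guard rejects only a negative result, so a Content-Length that is non-numeric, has trailing junk, or overflows is still accepted, because `ap_strtol` is called with a NULL end pointer and `errno` is never inspected. Assuming `ap_strtol` reports overflow through `errno` as `strtol` does, parse with `char *end; errno = 0; c->len = ap_strtol(content_length, &end, 10);` and widen the test to `if (errno == ERANGE || end == content_length || *end != '\0' || c->len < 0) {`. Separately, `ap_pstrcat(r->pool, "...", NULL)` around a single literal does nothing useful, and the literal could probably be passed straight to `ap_proxyerror`. `ap_proxy_http_handler` starts and ends outside the hunk, so whether the connection to the remote server is released on this early return cannot be confirmed from here and is worth checking against the other error paths.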
