Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/09/25 19:48:38 UTC

[STATUS] 1.2.5: Thu Sep 25 10:48:06 PDT 1997

No timeline.  1.3b1 should be released first.

Committed since 1.2.4:

    * PR#1107: defend against linux select EFAULT
    * PR#1064: inetd mode uses timeouts without setting up the jmpbuf

Available:

    see http://www.arctic.org/~dgaudet/apache/1.2.5

    mod_userdir_finfo:
	mod_userdir overwrites r->finfo in cases where it does not also
	update r->filename.  These two are meant to be in sync, so this
	is a bug.
	Status: Dean +1
	Already applied to 1.3.

    Ken's mod_include_redirect:
	mod_include doesn't deal properly with redirect status codes from
	CGIs other than 302.
	Status: Dean +1
	Already applied to 1.3.

    Dean's mod_include_etag:
	PR#1133: mod_include shouldn't send ETag when XBitHack Full is
	set.
	Status: Dean +1
	Alternate solution already in 1.3.

    Jason Dour's suexec_log:
	suexec.c is supposed to be able to be compiled with LOG_EXEC
	undefined.
	Status: Jason +1
	not in 1.3 yet

    mod_imap blocks non-GET methods
	see: <Pi...@localhost>
	Status: Brian +1, Dean thinks that POST should be allowed too
	not in 1.3 yet
    
    Dean's mod_include_1139.patch:
	PR#1139: mod_include uses uninitialized data when parsing exprs
	using && and ||.
	Status: Dean +1
	not in 1.3 yet

    Garey's OS/2 proxy fix.
	<19...@mail.slink.com>
	This is against 1.2.4.
	Status: Garey +1
	needs to be done for 1.3 as well
    
    [PATCH] config/1159: Configure always returns exit code of 0 (fwd)
	<Pi...@twinlark.arctic.org>
	Status: Dean +1
	probably needs to be done for 1.3 as well
    
    Lars' [PATCH] proxy matching bug PR#974
	<XF...@unix-ag.org>
	Fixes proxy bug when accessing multi-ip hosts.
	Status: Dean +1
	not in 1.3 yet


RE: [STATUS] 1.2.5: Thu Sep 25 10:48:06 PDT 1997

Posted by Lars Eilebrecht <La...@unix-ag.org>.
According to Dean Gaudet:

>      Lars' [PATCH] proxy matching bug PR#974
>       <XF...@unix-ag.org>
>       Fixes proxy bug when accessing multi-ip hosts.
>       Status: Dean +1
>       not in 1.3 yet

This patch is for 1.3 only (1.2 doesn't have the NoProxy feature).


ciao...
--
Lars Eilebrecht                            - I still miss Windows...
sfx@unix-ag.org                         - but my aim is getting better.
http://www.si.unix-ag.org/~sfx/

[PATCH]: check_hostalias (was Re: [STATUS] 1.2.5....)

Posted by Ed Korthof <ed...@organic.com>.
There are several bugs I noted a while ago in 1.2.x, regarding name-based
virtual hosts.  I wrote some patches, but then got caught up in other
stuff before I finished testing and cleaning them up.

The first problem is mixing port- and name-based virtual hosts.  This is
not a common situation, but basically, if you have a name-based virtual
host (ie it shares IPs and its port w/ the main server), then it will not
be available on any of the ip:port entries before the last one in the
<VirtualHost> line, which have a different port than the last item.
(Unless the last item has port '*' and the Port directive is not used.) If
the Port directive is used, it takes the place of the last port statement
in the VirtualHost line.

The second problem is a potential security hole. It's fairly minor, but
is something people might easily overlook: if any virtual host is
protected by packet-filter or firewall ip based rules, but not by Apache's
ip-based protection (which is plausible, if unlikely), then that host may
be accessible through its name (given a couple of conditions which I can
outline) -- something you would not (IMO) expect w/o reading the code.

Anyway, the attached patch solves these two issues; I believe it does not
alter Apache's behavior in any other way.

My understanding (after speaking w/ Alexei) is that this second item was
left in due to the possibility of someone switching DNS -- it's entirely
plausible that during a time of transition for name-based virtual hosts,
this could cause a period of inaccessibility.  However, that can be dealt
with using ServerAlias, which was (and is, after this patch) a kind of wild
card.

It's certainly possible to fix the first item w/o doing the second one --
if people want to do that, that's fine with me.  But the second item will
not cause any problems except as noted above, during DNS transitions; and
there are ways around that.  It is a small bug, but again, it's one people
might well overlook and never realize they were missing it.

     -- Ed Korthof        |  Web Server Engineer --
     -- ed@organic.com    |  Organic Online, Inc --
     -- (415) 278-5676    |  Fax: (415) 284-6891 --

On Thu, 25 Sep 1997, Dean Gaudet wrote:

> No timeline.  1.3b1 should be released first.