Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2012/01/18 14:43:44 UTC

Re: apply_to_2.2.21 -- please review

On Tue, Jan 17, 2012 at 10:46 AM, Eric Covener <co...@gmail.com> wrote:
> I've collected the 3 backported security fixes pending for 2.2.22 and
> tried to emulate apply_to_2.3.5/CVE-2010-2068-r953418.patch.
>
> http://people.apache.org/~covener/patches/apply_to_2.2.21/
>
> The text is a lot more brief and just written in one off-the-cuff
> pass.  I made sure they all apply together and are taken from svn diff
> of the rev as applied to 2.2.x.
>
> Since these are all in the CHANGES, I guess this could have been dev@.

yes (moved there now)

>
> Would appreciate if someone could review/copy-and-edit and give some
> hints about publishing to apply_to_xxx that someone who hasn't ever
> touched a distributed artifact.

in case I get distracted, here's part of the answer:

$ svn info
Path: .
URL: https://dist.apache.org/repos/dist/release/httpd
Repository Root: https://dist.apache.org/repos/dist
Repository UUID: 0d268c88-bc11-4956-87df-91683dc98e59
Revision: 403
Node Kind: directory
Schedule: normal
Last Changed Author: wrowe
Last Changed Rev: 401
Last Changed Date: 2011-09-14 02:21:18 -0400 (Wed, 14 Sep 2011)

$ ls patches/
apply_to_1.3.0   apply_to_1.3.20  apply_to_1.3.31  apply_to_2.0.42  apply_to_2.0.51  apply_to_2.2.15
apply_to_1.3.1   apply_to_1.3.22  apply_to_1.3.4   apply_to_2.0.43  apply_to_2.0.52  apply_to_2.2.19
apply_to_1.3.11  apply_to_1.3.23  apply_to_1.3.6   apply_to_2.0.44  apply_to_2.0.53  apply_to_2.2.4
apply_to_1.3.12  apply_to_1.3.24  apply_to_1.3.9   apply_to_2.0.45  apply_to_2.0.63  apply_to_2.2.8
apply_to_1.3.14  apply_to_1.3.26  apply_to_2.0.35  apply_to_2.0.47  apply_to_2.0.64  apply_to_2.2.9
apply_to_1.3.17  apply_to_1.3.27  apply_to_2.0.36  apply_to_2.0.48  apply_to_2.2.0   apply_to_2.3.5
apply_to_1.3.19  apply_to_1.3.28  apply_to_2.0.39  apply_to_2.0.49  apply_to_2.2.11  HEADER.html
apply_to_1.3.2   apply_to_1.3.3   apply_to_2.0.40  apply_to_2.0.50  apply_to_2.2.14  README.html

Re: apply_to_2.2.21 -- please review

Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Jan 18, 2012 at 8:43 AM, Jeff Trawick <tr...@gmail.com> wrote:
> On Tue, Jan 17, 2012 at 10:46 AM, Eric Covener <co...@gmail.com> wrote:
>> I've collected the 3 backported security fixes pending for 2.2.22 and
>> tried to emulate apply_to_2.3.5/CVE-2010-2068-r953418.patch.
>>
>> http://people.apache.org/~covener/patches/apply_to_2.2.21/
>>
>> The text is a lot more brief and just written in one off-the-cuff
>> pass.  I made sure they all apply together and are taken from svn diff
>> of the rev as applied to 2.2.x.
>>
>> Since these are all in the CHANGES, I guess this could have been dev@.
>
> yes (moved there now)

+1 to the patches for CVE-2012-0053 and CVE-2011-3607

I suspect the fix for CVE-2011-3368 will be changed before 2.2.22 is
released.  While the CVE-2011-3368 patch is fine for what it promises
to fix, I'd like to see the follow-on vulnerability fix concluded in
the next 24 hours and one fix for both posted.  (+1 for the
CVE-2011-3368 if we can't get our act together.)

I'd like to see some semicolons changed to colons.  Examples:

# CVE-2012-0053; Scoreboard issue which could allow an unprivileged child
# Further details organized by httpd release may be available from;

(apply to all three descriptions)
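The two checks this thread asks for, that the patches in a candidate apply_to_X.Y.Z directory all apply together and that their header comments are consistently formatted, can be scripted before the directory is committed to the dist repository. The following is an added example written for this page; it is not code from the thread or from the httpd project. It assumes, beyond what the thread states, that patch files are named CVE-YYYY-NNNN-rNNNNNN.patch in the style of apply_to_2.3.5/CVE-2010-2068-r953418.patch, that each file begins with '#' header lines whose first line reads "# CVE-YYYY-NNNN: ...", and that the diffs are svn diff output applied with -p0. The sample tree and patch files it builds are constructed, and the revision numbers in their names are placeholders, not real commits.

```shell
#!/bin/sh
# Added example, not code from the thread or from the httpd project: a
# pre-commit sanity check for a candidate apply_to_X.Y.Z directory before it
# goes into https://dist.apache.org/repos/dist/release/httpd/patches/.
# Assumptions (not stated on the page): files are named
# CVE-YYYY-NNNN-rNNNNNN.patch, each starts with '#' header lines whose first
# line is "# CVE-YYYY-NNNN: ...", and the diffs are "svn diff" output (-p0).

# Lint every *.patch in $1: name convention, ':' rather than ';' in the
# header, and that the first header line names the CVE from the file name.
# Prints one line per problem; returns 0 only when there are none.
check_apply_to_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*.patch; do
        [ -e "$f" ] || { echo "$dir: no .patch files"; return 1; }
        name=$(basename "$f")
        id=$(printf '%s' "$name" | sed 's/^\(CVE-[0-9]*-[0-9]*\).*/\1/')
        case $name in
            CVE-[0-9][0-9][0-9][0-9]-[0-9]*-r[0-9]*.patch) ;;
            *) echo "$name: expected CVE-YYYY-NNNN-rNNNNNN.patch"; rc=1 ;;
        esac
        # The header is the run of leading '#' lines before the diff itself.
        hdr=$(sed -n '/^#/!q;p' "$f")
        if printf '%s\n' "$hdr" | grep -Eq 'CVE-[0-9]+-[0-9]+;|;[[:space:]]*$'; then
            echo "$name: header uses ';' where ':' is expected"; rc=1
        fi
        if ! printf '%s\n' "$hdr" | head -n 1 | grep -q "^# $id:"; then
            echo "$name: first header line should start with '# $id:'"; rc=1
        fi
    done
    return $rc
}

# Apply all patches of $2 in sequence to a scratch copy of source tree $1,
# so a conflict between two of them shows up as a failure (needs patch(1)).
apply_all_in_copy() {
    tree=$1 dir=$2
    work=$(mktemp -d) || return 1
    cp -R "$tree"/. "$work"/
    rc=0
    for f in "$dir"/*.patch; do
        if ! patch -p0 -s -f -d "$work" < "$f"; then
            echo "$(basename "$f"): does not apply on top of the earlier patches"
            rc=1; break
        fi
    done
    rm -rf "$work"
    return $rc
}

# Constructed sample data: a tiny source tree plus one well-formed and one
# badly formed candidate directory (revision numbers are placeholders).
make_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/tree/server" "$base/good" "$base/bad"
    printf 'line one\nline two\n' > "$base/tree/server/example.c"
    cat > "$base/good/CVE-2012-0053-r0000001.patch" <<'EOF'
# CVE-2012-0053: constructed placeholder description
# Further details organized by httpd release may be available from:
# (constructed placeholder for the per-release security page link)
--- server/example.c
+++ server/example.c
@@ -1,2 +1,2 @@
 line one
-line two
+line two (patched)
EOF
    cat > "$base/bad/CVE-2011-3368.patch" <<'EOF'
# CVE-2011-3368; constructed placeholder description
# Further details organized by httpd release may be available from;
--- server/example.c
+++ server/example.c
@@ -1,2 +1,2 @@
 line one
-line two
+line two (patched)
EOF
    echo "$base"
}
```

Typical use is `s=$(make_sample); check_apply_to_dir "$s/good"` followed by `apply_all_in_copy "$s/tree" "$s/good"` against a real unpacked 2.2.21 tree instead of the sample one. The lint reports both problems Jeff points out above (a ';' after the CVE id and a ';' ending a header line) plus a file name that carries no revision number, and the apply step works on a throwaway copy so a patch that conflicts with an earlier one in the set is caught without touching the source tree.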