Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2012/01/18 14:43:44 UTC
Re: apply_to_2.2.21 -- please review
On Tue, Jan 17, 2012 at 10:46 AM, Eric Covener <co...@gmail.com> wrote:
> I've collected the 3 backported security fixes pending for 2.2.22 and
> tried to emulate apply_to_2.3.5/CVE-2010-2068-r953418.patch.
>
> http://people.apache.org/~covener/patches/apply_to_2.2.21/
>
> The text is a lot more brief and just written in one off-the-cuff
> pass. I made sure they all apply together and are taken from svn diff
> of the rev as applied to 2.2.x.
>
> Since these are all in the CHANGES, I guess this could have been dev@.
yes (moved there now)
>
> Would appreciate if someone could review/copy-and-edit and give some
> hints about publishing to apply_to_xxx that someone who hasn't ever
> touched a distributed artifact.
in case I get distracted, here's part of the answer:
$ svn info
Path: .
URL: https://dist.apache.org/repos/dist/release/httpd
Repository Root: https://dist.apache.org/repos/dist
Repository UUID: 0d268c88-bc11-4956-87df-91683dc98e59
Revision: 403
Node Kind: directory
Schedule: normal
Last Changed Author: wrowe
Last Changed Rev: 401
Last Changed Date: 2011-09-14 02:21:18 -0400 (Wed, 14 Sep 2011)
$ ls patches/
apply_to_1.3.0 apply_to_1.3.20 apply_to_1.3.31 apply_to_2.0.42 apply_to_2.0.51 apply_to_2.2.15
apply_to_1.3.1 apply_to_1.3.22 apply_to_1.3.4 apply_to_2.0.43 apply_to_2.0.52 apply_to_2.2.19
apply_to_1.3.11 apply_to_1.3.23 apply_to_1.3.6 apply_to_2.0.44 apply_to_2.0.53 apply_to_2.2.4
apply_to_1.3.12 apply_to_1.3.24 apply_to_1.3.9 apply_to_2.0.45 apply_to_2.0.63 apply_to_2.2.8
apply_to_1.3.14 apply_to_1.3.26 apply_to_2.0.35 apply_to_2.0.47 apply_to_2.0.64 apply_to_2.2.9
apply_to_1.3.17 apply_to_1.3.27 apply_to_2.0.36 apply_to_2.0.48 apply_to_2.2.0 apply_to_2.3.5
apply_to_1.3.19 apply_to_1.3.28 apply_to_2.0.39 apply_to_2.0.49 apply_to_2.2.11 HEADER.html
apply_to_1.3.2 apply_to_1.3.3 apply_to_2.0.40 apply_to_2.0.50 apply_to_2.2.14 README.html
Re: apply_to_2.2.21 -- please review
Posted by Jeff Trawick <tr...@gmail.com>.
On Wed, Jan 18, 2012 at 8:43 AM, Jeff Trawick <tr...@gmail.com> wrote:
> On Tue, Jan 17, 2012 at 10:46 AM, Eric Covener <co...@gmail.com> wrote:
>> I've collected the 3 backported security fixes pending for 2.2.22 and
>> tried to emulate apply_to_2.3.5/CVE-2010-2068-r953418.patch.
>>
>> http://people.apache.org/~covener/patches/apply_to_2.2.21/
>>
>> The text is a lot more brief and just written in one off-the-cuff
>> pass. I made sure they all apply together and are taken from svn diff
>> of the rev as applied to 2.2.x.
>>
>> Since these are all in the CHANGES, I guess this could have been dev@.
>
> yes (moved there now)
+1 to the patches for CVE-2012-0053 and CVE-2011-3607

I suspect the fix for CVE-2011-3368 will be changed before 2.2.22 is
released. While the CVE-2011-3368 patch is fine for what it promises
to fix, I'd like to see the follow-on vulnerability fix concluded in
the next 24 hours and one fix for both posted. (+1 for the
CVE-2011-3368 if we can't get our act together.)

I'd like to see some semicolons changed to colons. Examples:

# CVE-2012-0053; Scoreboard issue which could allow an unprivileged child
# Further details organized by httpd release may be available from;

(apply to all three descriptions)