Posted to cvs@httpd.apache.org by wr...@apache.org on 2010/09/14 01:03:47 UTC

svn commit: r996719 - /httpd/httpd/branches/2.0.x/STATUS

Author: wrowe
Date: Mon Sep 13 23:03:47 2010
New Revision: 996719

URL: http://svn.apache.org/viewvc?rev=996719&view=rev
Log:
Promote, demote. Please look at this specific patch if you care that it just hit the 'going nowhere' category

Modified:
    httpd/httpd/branches/2.0.x/STATUS

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=996719&r1=996718&r2=996719&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Mon Sep 13 23:03:47 2010
@@ -111,6 +111,14 @@ CURRENT RELEASE NOTES:
     get feedback and votes on list or in STATUS, then merge into 
     branches/2.2.x, and finally merge into branches/2.0.x, as applicable.
 
+  * mod_ssl: Further mitigation for the TLS renegotation attack, CVE-2009-3555
+    Trunk version of patch:
+      http://svn.apache.org/viewvc?rev=891282&view=rev
+    Patch in 2.2.x branch:
+      http://svn.apache.org/viewvc?rev=896900&view=rev
+    Backport:
+      http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x-backport-r891282.patch
+    +1: rjung, pgollucci (+1 2.0.64 w/ this), wrowe
 
 RELEASE SHOWSTOPPERS:
 
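Review bot: The CVE-2009-3555 entry is added above the "RELEASE SHOWSTOPPERS:" heading, so in the file it reads as the tail of the release notes text ending "as applicable." rather than as a showstopper. If the promotion is meant to make it a showstopper, move the block below that heading. The spelling "renegotation" in the entry title is carried over from the old location and could be corrected to "renegotiation" while the entry is being moved.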
@@ -126,6 +134,21 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
     +1: pgollucci, poirier, rjung
       PG: whomever proposed this should vote for it
 
+  * mod_ssl: Implement SSLInsecureRenegotiation
+    Trunk version of patch:
+      http://svn.apache.org/viewcvs.cgi?rev=906039&view=rev
+      http://svn.apache.org/viewcvs.cgi?rev=906057&view=rev
+      http://svn.apache.org/viewcvs.cgi?rev=906485&view=rev
+      http://svn.apache.org/viewcvs.cgi?rev=906491&view=rev
+      http://svn.apache.org/viewcvs.cgi?rev=908015&view=rev
+      http://svn.apache.org/viewcvs.cgi?rev=916733&view=rev
+      http://svn.apache.org/viewcvs.cgi?rev=916817&view=rev
+    Patch in 2.2.x branch:
+      http://svn.apache.org/viewvc?rev=917044&view=rev
+    Backport:
+      http://people.apache.org/~rjung/patches/SSLInsecureRenegotiation_httpd_2_0_x-backport-r917044.patch 
+    +1: rjung, pgollucci (+1 2.0.64 w/ this), wrowe
+
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
     identify exactly what the proposed changes are!  Add all new
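Review bot: The "Backport:" URL in the SSLInsecureRenegotiation entry keeps a trailing space after ".patch", and the trunk revisions use viewcvs.cgi links while the 2.2.x line uses viewvc. Strip the trailing space and settle on one URL form so the links copy cleanly out of STATUS.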
@@ -165,30 +188,6 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
              if (nLogFD == NULL) {
                  /* Uh-oh. Failed to open the new log file. Try to clear
 
-  * mod_ssl: Further mitigation for the TLS renegotation attack, CVE-2009-3555
-    Trunk version of patch:
-      http://svn.apache.org/viewvc?rev=891282&view=rev
-    Patch in 2.2.x branch:
-      http://svn.apache.org/viewvc?rev=896900&view=rev
-    Backport:
-      http://people.apache.org/~rjung/patches/cve-2009-3555_httpd_2_0_x-backport-r891282.patch
-    +1: rjung, pgollucci (+1 2.0.64 w/ this)
-
-  * mod_ssl: Implement SSLInsecureRenegotiation
-    Trunk version of patch:
-      http://svn.apache.org/viewcvs.cgi?rev=906039&view=rev
-      http://svn.apache.org/viewcvs.cgi?rev=906057&view=rev
-      http://svn.apache.org/viewcvs.cgi?rev=906485&view=rev
-      http://svn.apache.org/viewcvs.cgi?rev=906491&view=rev
-      http://svn.apache.org/viewcvs.cgi?rev=908015&view=rev
-      http://svn.apache.org/viewcvs.cgi?rev=916733&view=rev
-      http://svn.apache.org/viewcvs.cgi?rev=916817&view=rev
-    Patch in 2.2.x branch:
-      http://svn.apache.org/viewvc?rev=917044&view=rev
-    Backport:
-      http://people.apache.org/~rjung/patches/SSLInsecureRenegotiation_httpd_2_0_x-backport-r917044.patch 
-    +1: rjung, pgollucci (+1 2.0.64 w/ this)
-
   * gen_test_char.c: enable building gen_test_char for running on build machine
     when cross-compiling. The patch doesnt introduce code changes for any
     platform unless CROSS_COMPILE is defined. 
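Review bot: Both removed vote lines read "+1: rjung, pgollucci (+1 2.0.64 w/ this)", while the copies added earlier in this diff end with ", wrowe". That vote is new content folded into a move, and the log message "Promote, demote." does not mention it. Say so in the log (for example "add my +1") so the added vote can be found in history without diffing the moved blocks.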
@@ -205,12 +204,13 @@ PATCHES PROPOSED TO BACKPORT FROM TRUNK:
     Use recent files from http://git.savannah.gnu.org/cgit/config.git.
     +1: rjung
 
+PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON:
+
   * CVE-2010-1452 fix for mod_dav
     Trunk patch: http://svn.apache.org/viewvc?view=revision&revision=966348
       (mod_cache and mod_session portions don't apply to 2.0.x)
     2.0.x patch: http://archive.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2010-1452-patch-2.0.txt
-
-PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON:
+    wrowe observes: nothing belongs in STATUS without a champion/sponsor/at least 1 +1
 
     *) mod_headers: Support {...}s tag for SSL variable lookup.
        http://www.apache.org/~jorton/mod_headers-2.0-ssl.diff
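Review bot: The CVE-2010-1452 entry lands under the ON HOLD heading with no "+1:" line, so there is no place to record a vote on a fix whose 2.0.x patch URL already points into the dist/httpd/patches directory. Add an empty "+1:" line to the entry, and put a date on the "wrowe observes:" remark so a later reader can tell how long it has waited. The entry's "  * " bullet also differs from the "*)" style of the item that follows it in this section.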



Re: svn commit: r996719 - /httpd/httpd/branches/2.0.x/STATUS

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On 9/13/2010 6:27 PM, Jeff Trawick wrote:
> 
> I've seen you and somebody else say that, so I'll stop.  At the same time I will point out
> that

Coulda been me before (on a different patch issue)

> * Sometimes people without commit access ask for something to be backported, possibly even
> with a patch to STATUS.  Where better for the request to live a couple of days down the
> calendar when the request has scrolled off the first screen of most in-boxes?

Not disagreeing, but someone should pipe up in support of the patch if it will rest
here... hard to determine what is in the 'going nowhere' category since we don't
actually date stamp the text file entries.

> * Updating STATUS and finding a place to host a patch for a security backport, even before
> reviewing/testing it properly, serves as a good reminder that something needs to be done
> and gets a bit of bookkeeping out of the way.  Additionally, multiples of us have already
> reviewed and tested patches for backport to our own private trees and know exactly what
> should work.  One could just as well ask on dev@ "Hey, is it really this simple for 2.0"
> or whatever, or cut to the chase and update STATUS since it has to be there anyway.

I'm happy with moving this to showstoppers, all things considered.

Re: svn commit: r996719 - /httpd/httpd/branches/2.0.x/STATUS

Posted by Jeff Trawick <tr...@gmail.com>.
On Mon, Sep 13, 2010 at 7:03 PM, <wr...@apache.org> wrote:

> Author: wrowe
> Date: Mon Sep 13 23:03:47 2010
> New Revision: 996719
>
> URL: http://svn.apache.org/viewvc?rev=996719&view=rev
> Log:
> Promote, demote. Please look at this specific patch if you care that it
> just hit the 'going nowhere' category
>
> Modified:
>    httpd/httpd/branches/2.0.x/STATUS
>
> Modified: httpd/httpd/branches/2.0.x/STATUS
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/STATUS?rev=996719&r1=996718&r2=996719&view=diff
>
> ==============================================================================
> --- httpd/httpd/branches/2.0.x/STATUS (original)
> +++ httpd/httpd/branches/2.0.x/STATUS Mon Sep 13 23:03:47 2010
>
> +PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON:
> +
>   * CVE-2010-1452 fix for mod_dav
>     Trunk patch:
> http://svn.apache.org/viewvc?view=revision&revision=966348
>       (mod_cache and mod_session portions don't apply to 2.0.x)
>     2.0.x patch:
> http://archive.apache.org/dist/httpd/patches/apply_to_2.0.63/CVE-2010-1452-patch-2.0.txt
> -
> -PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON:
> +    wrowe observes: nothing belongs in STATUS without a
> champion/sponsor/at least 1 +1
>

I've seen you and somebody else say that, so I'll stop.  At the same time I
will point out that

* Sometimes people without commit access ask for something to be backported,
possibly even with a patch to STATUS.  Where better for the request to live
a couple of days down the calendar when the request has scrolled off the
first screen of most in-boxes?

* Updating STATUS and finding a place to host a patch for a security
backport, even before reviewing/testing it properly, serves as a good
reminder that something needs to be done and gets a bit of bookkeeping out
of the way.  Additionally, multiples of us have already reviewed and tested
patches for backport to our own private trees and know exactly what should
work.  One could just as well ask on dev@ "Hey, is it really this simple for
2.0" or whatever, or cut to the chase and update STATUS since it has to be
there anyway.

For this particular 2.0 patch, it should have been reviewed at about the
same time (I'll punt on the sequencing) that it was put in the official
patches directory.  Rather than raising the issue in the couple of minutes I
had, it was easier to just say, in the canonical way, "uh, who agrees that
this is the right patch so we can get svn to match what we're telling people
to use".