Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2005/06/27 20:27:31 UTC
Re: 2.0.55
At 12:20 PM 6/27/2005, Jeff Trawick wrote:
>On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
>
>> My goal is to tag and roll 2.0 by Friday for release early next
>> week, unless the fixes are ready sooner. There is a list of
>> already-accepted patches in status, if anyone wants to pick some
>> low hanging fruit for 2.0.
>
>I have a tested proxy smuggling patch for 2.0 which I'll upload to
>people.apache.org and add to STATUS. It is somewhere amidst the 2.1.5
>or 2.1.6 messages.
Thanks! The patch raised another question for me. We have the
downgrade-1.0 and nokeepalive switches to force the CLIENT connection
to skip any spoofing attack.
But since 2.0/2.1 mod_proxy now uses keepalives for real, do we have
any similar choice for administrators to 'work around' potentially
broken back ends?
It's certainly not a security hole in Apache. But it would help
folks who have insecure back end applications to mitigate the damage.
Bill
Re: 2.0.55
Posted by Jeff Trawick <tr...@gmail.com>.
On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> At 12:20 PM 6/27/2005, Jeff Trawick wrote:
> >On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> >
> >> My goal is to tag and roll 2.0 by Friday for release early next
> >> week, unless the fixes are ready sooner. There is a list of
> >> already-accepted patches in status, if anyone wants to pick some
> >> low hanging fruit for 2.0.
> >
> >I have a tested proxy smuggling patch for 2.0 which I'll upload to
> >people.apache.org and add to STATUS. It is somewhere amidst the 2.1.5
> >or 2.1.6 messages.
>
> Thanks! The patch raised another question for me. We have the
> downgrade-1.0 and nokeepalive switches to force the CLIENT connection
> to skip any spoofing attack.
>
> But since 2.0/2.1 mod_proxy now uses keepalives for real, do we have
> any similar choice for administrators to 'work around' potentially
> broken back ends?
proxy_http.c:

    if (apr_table_get(r->subprocess_env, "proxy-nokeepalive")) {
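Added configuration example (not from the thread, and not the httpd project's own text) showing the two knobs the exchange above refers to: the client-side nokeepalive/downgrade-1.0 variables that Bill mentions, normally set with BrowserMatch, and the proxy-nokeepalive variable that the proxy_http.c check Jeff quotes looks up in subprocess_env to close the back-end connection after each request. force-proxy-request-1.0 is the companion variable documented next to proxy-nokeepalive in mod_proxy. The /buggyapp/ path and the app.internal.example:8080 back end are placeholders.

```apache
# Client side: the old special-purpose variables. nokeepalive closes the
# client connection after one response; downgrade-1.0 handles the request
# as HTTP/1.0, so a second request smuggled onto the same connection is
# not served as a keepalive follow-up.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

# Back-end side: scope the workaround to the one back end that cannot be
# trusted to find request boundaries the way httpd does. proxy-nokeepalive
# makes mod_proxy send Connection: close to the origin, so every proxied
# request rides on a fresh TCP connection; force-proxy-request-1.0 sends
# the request as HTTP/1.0 so chunked bodies are not forwarded as chunked.
ProxyRequests Off
<Location /buggyapp/>
    ProxyPass        http://app.internal.example:8080/
    ProxyPassReverse http://app.internal.example:8080/
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
</Location>
```

Two caveats a deployer should keep in mind. First, this is the workaround Bill is asking about, not a fix: it stops a smuggled second request from being read off a reused back-end connection, but a back end that miscounts the body of the first request is still miscounting it. Second, the cost is one TCP connection per proxied request, so apply it per back end with <Location> or <Proxy> rather than globally; a quick check that it is in effect is to watch the origin server's access log and confirm each request arrives on a new connection with Connection: close.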