Posted to dev@httpd.apache.org by "William A. Rowe, Jr." <wr...@rowe-clan.net> on 2008/01/08 17:12:38 UTC

Re: svn commit: r609953 - /httpd/httpd/branches/2.2.x/CHANGES

rpluem@apache.org wrote:
> +  *) SECURITY: CVE-2008-0005 (cve.mitre.org)

I thought we concur that (short of direct html injection in the page's
<head>) the browser misdetection of UTF-7, contrary on its face to
RFC2616, was a client specific problem?  If so, this is a "related to
CVE-2008-0005" footnote, not the topic.

Bill
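The UTF-7 misdetection Bill refers to above, shown as an added example (this is not httpd code and not part of the thread): a client that receives an all-ASCII body with no charset in Content-Type may sniff it as UTF-7, in which case a base64 shift sequence such as +ADw- decodes to "<". A filter that only looks for literal angle brackets passes the bytes, while a response that declares its charset (which RFC 2616 3.7.1 otherwise defaults to ISO-8859-1 for text/*) leaves the same bytes inert. The sniffing rule, the naive filter and the header strings are constructed for the example; only the UTF-7 encoding rules (RFC 2152) and Python's utf-7 decoder are real.

```python
import base64
import re

# Constructed for this example: the HTML-significant characters we choose to
# base64-escape.  RFC 2152 allows any character to be written as a shift
# sequence, so a naive "<"/">" filter never sees them on the wire.
DANGEROUS = set('<>"\'')


def utf7_encode_dangerous(text: str) -> str:
    """Encode text as RFC 2152 UTF-7, base64-escaping only HTML-significant chars.

    Each escaped character becomes "+<base64 of its UTF-16BE bytes, unpadded>-".
    A literal "+" must be written as "+-".  Everything else is passed through.
    """
    out = []
    for ch in text:
        if ch in DANGEROUS:
            b64 = base64.b64encode(ch.encode("utf-16-be")).decode("ascii")
            out.append("+" + b64.rstrip("=") + "-")
        elif ch == "+":
            out.append("+-")
        else:
            out.append(ch)
    return "".join(out)


def response_declares_charset(content_type: str) -> bool:
    """True when the Content-Type header value carries a charset parameter."""
    return re.search(r";\s*charset=", content_type, re.I) is not None


def client_decodes(body: bytes, content_type: str) -> str:
    """Model of a client: honour a declared charset, otherwise sniff.

    Constructed sniffing rule (the misdetection under discussion): an all-ASCII
    body containing a UTF-7 shift sequence is decoded as UTF-7.  Without a
    shift sequence the client falls back to ISO-8859-1, the RFC 2616 default.
    """
    m = re.search(r";\s*charset=\"?([\w.:-]+)", content_type, re.I)
    if m:
        return body.decode(m.group(1), errors="replace")
    if body.isascii() and re.search(rb"\+[A-Za-z0-9+/]+-", body):
        return body.decode("utf-7")
    return body.decode("iso-8859-1")


def naive_tag_filter_passes(body: bytes) -> bool:
    """Constructed, deliberately naive filter that only rejects literal brackets."""
    return b"<" not in body and b">" not in body


def demo(payload: str = "<script>alert(1)</script>") -> dict:
    """Run the payload through the filter and both client behaviours."""
    wire = utf7_encode_dangerous(payload).encode("ascii")
    return {
        "wire": wire.decode("ascii"),
        "filter_passes": naive_tag_filter_passes(wire),
        # No charset declared: the sniffing client reconstructs the markup.
        "sniffed": client_decodes(wire, "text/html"),
        # Charset declared: the same bytes stay as harmless text.
        "declared": client_decodes(wire, "text/html; charset=ISO-8859-1"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:14}: {v!r}")
```

The two decoding branches make the point of the thread concrete: the server-side fix is to always emit a charset on text/* responses, because without one the interpretation of an ASCII-only body is left to the client's guess.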

Re: svn commit: r609953 - /httpd/httpd/branches/2.2.x/CHANGES

Posted by Nick Kew <ni...@webthing.com>.
On Wed, 9 Jan 2008 09:25:54 -0500
Jim Jagielski <ji...@jaguNET.com> wrote:

> In any case, one sees that we've done it both ways.
> Consider 2.2.5 and 2.2.1. Same with the 2.0.x
> ones as well...
> 
> Looking back, I prefer keeping the "old" way, where
> once we've tagged, we have a corresponding entry
> in CHANGES... My intent is to keep the 2.2.7,
> 2.0.62 and 1.3.40 lines in CHANGES.

Agreed.  I'd have preferred not wiping 2.2.5 from the record,
but not strongly enough to make a fuss.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Re: svn commit: r609953 - /httpd/httpd/branches/2.2.x/CHANGES

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jan 9, 2008, at 9:21 AM, Jim Jagielski wrote:

>
> On Jan 9, 2008, at 9:00 AM, Nick Kew wrote:
>
>> On Wed, 9 Jan 2008 08:56:58 -0500
>> Jim Jagielski <ji...@jaguNET.com> wrote:
>>
>>>> BTW: Shouldn't we drop 2.2.7 entirely from the CHANGES file and
>>>> put all
>>>> changes since 2.2.6 under 2.2.8?
>>>>
>>>
>>> No, since there *was* a 2.2.7... it just wasn't released.
>>
>> Just as there *was* a 2.2.5.
>>
>
> Ohhh... I see what he's asking.... my mistake...
>

In any case, one sees that we've done it both ways.
Consider 2.2.5 and 2.2.1. Same with the 2.0.x
ones as well...

Looking back, I prefer keeping the "old" way, where
once we've tagged, we have a corresponding entry
in CHANGES... My intent is to keep the 2.2.7,
2.0.62 and 1.3.40 lines in CHANGES.

Re: svn commit: r609953 - /httpd/httpd/branches/2.2.x/CHANGES

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jan 9, 2008, at 9:00 AM, Nick Kew wrote:

> On Wed, 9 Jan 2008 08:56:58 -0500
> Jim Jagielski <ji...@jaguNET.com> wrote:
>
>>> BTW: Shouldn't we drop 2.2.7 entirely from the CHANGES file and
>>> put all
>>> changes since 2.2.6 under 2.2.8?
>>>
>>
>> No, since there *was* a 2.2.7... it just wasn't released.
>
> Just as there *was* a 2.2.5.
>

Ohhh... I see what he's asking.... my mistake...

Re: svn commit: r609953 - /httpd/httpd/branches/2.2.x/CHANGES

Posted by Nick Kew <ni...@webthing.com>.
On Wed, 9 Jan 2008 08:56:58 -0500
Jim Jagielski <ji...@jaguNET.com> wrote:

> > BTW: Shouldn't we drop 2.2.7 entirely from the CHANGES file and
> > put all
> > changes since 2.2.6 under 2.2.8?
> >
> 
> No, since there *was* a 2.2.7... it just wasn't released.

Just as there *was* a 2.2.5.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/

Re: svn commit: r609953 - /httpd/httpd/branches/2.2.x/CHANGES

Posted by Jim Jagielski <ji...@jaguNET.com>.
On Jan 8, 2008, at 3:19 PM, Ruediger Pluem wrote:

>
>
> On 01/08/2008 05:47 PM, Ruediger Pluem wrote:
>>
>> On 01/08/2008 05:12 PM, William A. Rowe, Jr. wrote:
>>> rpluem@apache.org wrote:
>>>> +  *) SECURITY: CVE-2008-0005 (cve.mitre.org)
>>> I thought we concur that (short of direct html injection in the  
>>> page's
>>> <head>) the browser misdetection of UTF-7, contrary on its face to
>>> RFC2616, was a client specific problem?  If so, this is a  
>>> "related to
>>> CVE-2008-0005" footnote, not the topic.
>>
>> So did I misunderstand Mark's mail on security@?
>> I am now confused, because the browser issue is one and the same for
>> all cases. Why have a special CVE number for the mod_proxy_ftp case
>> then?
>> Anyway I can change this to a footnote if you like.
>>
>
> BTW: Shouldn't we drop 2.2.7 entirely from the CHANGES file and put  
> all
> changes since 2.2.6 under 2.2.8?
>

No, since there *was* a 2.2.7... it just wasn't released.

Re: svn commit: r609953 - /httpd/httpd/branches/2.2.x/CHANGES

Posted by Ruediger Pluem <rp...@apache.org>.

On 01/08/2008 05:47 PM, Ruediger Pluem wrote:
> 
> On 01/08/2008 05:12 PM, William A. Rowe, Jr. wrote:
>> rpluem@apache.org wrote:
>>> +  *) SECURITY: CVE-2008-0005 (cve.mitre.org)
>> I thought we concur that (short of direct html injection in the page's
>> <head>) the browser misdetection of UTF-7, contrary on its face to
>> RFC2616, was a client specific problem?  If so, this is a "related to
>> CVE-2008-0005" footnote, not the topic.
> 
> So did I misunderstand Mark's mail on security@?
> I am now confused, because the browser issue is one and the same for
> all cases. Why have a special CVE number for the mod_proxy_ftp case
> then?
> Anyway I can change this to a footnote if you like.
> 

BTW: Shouldn't we drop 2.2.7 entirely from the CHANGES file and put all
changes since 2.2.6 under 2.2.8?

Regards

Rüdiger

Re: svn commit: r609953 - /httpd/httpd/branches/2.2.x/CHANGES

Posted by Ruediger Pluem <rp...@apache.org>.

On 01/08/2008 05:12 PM, William A. Rowe, Jr. wrote:
> rpluem@apache.org wrote:
>> +  *) SECURITY: CVE-2008-0005 (cve.mitre.org)
> 
> I thought we concur that (short of direct html injection in the page's
> <head>) the browser misdetection of UTF-7, contrary on its face to
> RFC2616, was a client specific problem?  If so, this is a "related to
> CVE-2008-0005" footnote, not the topic.

So did I misunderstand Mark's mail on security@?
I am now confused, because the browser issue is one and the same for
all cases. Why have a special CVE number for the mod_proxy_ftp case
then?
Anyway I can change this to a footnote if you like.


Regards

Rüdiger