Posted to dev@httpd.apache.org by Christophe JAILLET <ch...@wanadoo.fr> on 2021/06/09 20:10:10 UTC

Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json

On 08/06/2021 at 13:42, mjc@apache.org wrote:
> Author: mjc
> Date: Tue Jun  8 11:42:36 2021
> New Revision: 1890598
> 
> URL: http://svn.apache.org/viewvc?rev=1890598&view=rev
> Log:
> Fix the release date and version
> 
> Modified:
>      httpd/site/trunk/content/security/json/CVE-2019-17567.json
>      httpd/site/trunk/content/security/json/CVE-2020-13938.json
>      httpd/site/trunk/content/security/json/CVE-2020-13950.json
>      httpd/site/trunk/content/security/json/CVE-2020-35452.json
>      httpd/site/trunk/content/security/json/CVE-2021-26690.json
>      httpd/site/trunk/content/security/json/CVE-2021-26691.json
>      httpd/site/trunk/content/security/json/CVE-2021-30641.json
>      httpd/site/trunk/content/security/json/CVE-2021-31618.json
> 
> Modified: httpd/site/trunk/content/security/json/CVE-2019-17567.json
> URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/json/CVE-2019-17567.json?rev=1890598&r1=1890597&r2=1890598&view=diff
> ==============================================================================
> --- httpd/site/trunk/content/security/json/CVE-2019-17567.json (original)
> +++ httpd/site/trunk/content/security/json/CVE-2019-17567.json Tue Jun  8 11:42:36 2021
> @@ -13,14 +13,14 @@
>         "value": "reported"
>       },
>       {
> -      "time": "--",
> +      "time": "2021-06-01",
>         "lang": "eng",
>         "value": "public"
>       },
>       {
> -      "time": "--",
> +      "time": "2021-06-01",
>         "lang": "eng",
> -      "value": "2.4.47 released"
> +      "value": "2.4.48 released"
>       }
>     ],
>     "CNA_private": {
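
Review bot: in the last timeline entry, replacing "2.4.47 released" with "2.4.48 released" removes the only mention of 2.4.47 in this hunk, so the record now names a single version carrying the same 2021-06-01 date as the "public" entry. If the two version numbers mean different things for this CVE (one carrying the fix, one being the announced release), keep both facts, for example as separate timeline entries, and apply the same choice wherever else a version is listed for this CVE so the sources do not drift apart.
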
> @@ -30,7 +30,7 @@
>       "ASSIGNER": "security@apache.org",
>       "AKA": "",
>       "STATE": "PUBLIC",
> -    "DATE_PUBLIC": "--",
> +    "DATE_PUBLIC": "2021-06-01",
>       "ID": "CVE-2019-17567",
>       "TITLE": "mod_proxy_wstunnel tunneling of non Upgraded connections"
>     },
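
Review bot: DATE_PUBLIC held the placeholder "--" while STATE was already "PUBLIC", and the same placeholder sat in the two "time" fields of the timeline in the previous hunk. A pre-commit check that rejects "--" in any date field once STATE is "PUBLIC" would catch this earlier; it is also worth confirming that DATE_PUBLIC and the "public" timeline entry are always set to the same value, as they are here.
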
> @@ -210,4 +210,4 @@
>         ]
>       }
>     }
> -}
> \ No newline at end of file
> +}
> 
> 

Not a big issue from my point of view, but now cvetool, CHANGES and 
CHANGES_2.48 are not in line anymore with vulnerabilities_xx.html

My own preference is for keeping 2.4.47 because it was really fixed in 
this version, even if not announced.

I guess that it is mostly a matter of taste and that both points of view 
are acceptable.

CJ

Re: svn commit: r1890598 - in /httpd/site/trunk/content/security/json: CVE-2019-17567.json CVE-2020-13938.json CVE-2020-13950.json CVE-2020-35452.json CVE-2021-26690.json CVE-2021-26691.json CVE-2021-30641.json CVE-2021-31618.json

Posted by Stefan Eissing <st...@greenbytes.de>.

> On 09.06.2021 at 22:10, Christophe JAILLET <ch...@wanadoo.fr> wrote:
> 
> On 08/06/2021 at 13:42, mjc@apache.org wrote:
>> Author: mjc
>> Date: Tue Jun  8 11:42:36 2021
>> New Revision: 1890598
>> URL: http://svn.apache.org/viewvc?rev=1890598&view=rev
>> Log:
>> Fix the release date and version
>> Modified:
>>     httpd/site/trunk/content/security/json/CVE-2019-17567.json
>>     httpd/site/trunk/content/security/json/CVE-2020-13938.json
>>     httpd/site/trunk/content/security/json/CVE-2020-13950.json
>>     httpd/site/trunk/content/security/json/CVE-2020-35452.json
>>     httpd/site/trunk/content/security/json/CVE-2021-26690.json
>>     httpd/site/trunk/content/security/json/CVE-2021-26691.json
>>     httpd/site/trunk/content/security/json/CVE-2021-30641.json
>>     httpd/site/trunk/content/security/json/CVE-2021-31618.json
>> Modified: httpd/site/trunk/content/security/json/CVE-2019-17567.json
>> URL: http://svn.apache.org/viewvc/httpd/site/trunk/content/security/json/CVE-2019-17567.json?rev=1890598&r1=1890597&r2=1890598&view=diff
>> ==============================================================================
>> --- httpd/site/trunk/content/security/json/CVE-2019-17567.json (original)
>> +++ httpd/site/trunk/content/security/json/CVE-2019-17567.json Tue Jun  8 11:42:36 2021
>> @@ -13,14 +13,14 @@
>>        "value": "reported"
>>      },
>>      {
>> -      "time": "--",
>> +      "time": "2021-06-01",
>>        "lang": "eng",
>>        "value": "public"
>>      },
>>      {
>> -      "time": "--",
>> +      "time": "2021-06-01",
>>        "lang": "eng",
>> -      "value": "2.4.47 released"
>> +      "value": "2.4.48 released"
>>      }
>>    ],
>>    "CNA_private": {
>> @@ -30,7 +30,7 @@
>>      "ASSIGNER": "security@apache.org",
>>      "AKA": "",
>>      "STATE": "PUBLIC",
>> -    "DATE_PUBLIC": "--",
>> +    "DATE_PUBLIC": "2021-06-01",
>>      "ID": "CVE-2019-17567",
>>      "TITLE": "mod_proxy_wstunnel tunneling of non Upgraded connections"
>>    },
>> @@ -210,4 +210,4 @@
>>        ]
>>      }
>>    }
>> -}
>> \ No newline at end of file
>> +}
> 
> Not a big issue from my point of view, but now cvetool, CHANGES and CHANGES_2.48 are not in line anymore with vulnerabilities_xx.html
> 
> My own preference is for keeping 2.4.47 because it was really fixed in this version, even if not announced.
> 
> I guess that it is mostly a matter of taste and that both points of view are acceptable.
> 
> CJ

From users' point of view, it seems more usable when CVE announcements point to releases they can actually get from us, I guess.

The fact that one has to explain the httpd release numbering to everyone outside the project says that we are outside the mainstream. It seems for no other reason than history. All fair enough.

Stefan