Posted to dev@httpd.apache.org by Paul Querna <ch...@force-elite.com> on 2005/06/24 10:03:57 UTC
2.1.6 is available for veto^H^H^H^Hvoting
Please vote on releasing 2.1.6 as -alpha.
Available at:
http://httpd.apache.org/dev/dist/
http://people.apache.org/~pquerna/dev/httpd-2.1.6/
MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
Thanks,
Paul
Re: 2.0.55
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 01:12 PM 6/27/2005, Sander Striker wrote:
>William A. Rowe, Jr. wrote:
>
>[...]
>>My goal is to tag and roll 2.0 by Friday for release early next
>>week, unless the fixes are ready sooner. There is a list of
>>already-accepted patches in status, if anyone wants to pick some
>>low hanging fruit for 2.0.
>
>Bill, are you volunteering for RM? I'm happy to RM FWIW, and do
>the 2.0.55 T&R on Friday. Which, by the way, will imply release
>around Wednesday the following week given our regular own dogfood
>test.
Ack on the force-feeding. Yes I would RM - but would be happy
to pass that half of the baton, if you would like to RM the source
I'll handle the .zip's/.msi's etc, with you.
Bill
2.0.55, WAS: Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by Sander Striker <st...@apache.org>.
William A. Rowe, Jr. wrote:
[...]
> My goal is to tag and roll 2.0 by Friday for release early next
> week, unless the fixes are ready sooner. There is a list of
> already-accepted patches in status, if anyone wants to pick some
> low hanging fruit for 2.0.
Bill, are you volunteering for RM? I'm happy to RM FWIW, and do
the 2.0.55 T&R on Friday. Which, by the way, will imply release
around Wednesday the following week given our regular own dogfood
test.
Thanks,
Sander
Re: 2.0.55
Posted by Jeff Trawick <tr...@gmail.com>.
On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> At 12:20 PM 6/27/2005, Jeff Trawick wrote:
> >On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> >
> >> My goal is to tag and roll 2.0 by Friday for release early next
> >> week, unless the fixes are ready sooner. There is a list of
> >> already-accepted patches in status, if anyone wants to pick some
> >> low hanging fruit for 2.0.
> >
> >I have a tested proxy smuggling patch for 2.0 which I'll upload to
> >people.apache.org and add to STATUS. It is somewhere amidst the 2.1.5
> >or 2.1.6 messages.
>
> Thanks! The patch raised another question for me. We have the
> downgrade-1.0 and nokeepalive switches to force the CLIENT connection
> to skip any spoofing attack.
>
> But since 2.0/2.1 mod_proxy now uses keepalives for real, do we have
> any similar choice for administrators to 'work around' potentially
> broken back ends?
proxy_http.c: if ( apr_table_get(r->subprocess_env,"proxy-nokeepalive")) {
Re: 2.0.55
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 12:20 PM 6/27/2005, Jeff Trawick wrote:
>On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
>
>> My goal is to tag and roll 2.0 by Friday for release early next
>> week, unless the fixes are ready sooner. There is a list of
>> already-accepted patches in status, if anyone wants to pick some
>> low hanging fruit for 2.0.
>
>I have a tested proxy smuggling patch for 2.0 which I'll upload to
>people.apache.org and add to STATUS. It is somewhere amidst the 2.1.5
>or 2.1.6 messages.
Thanks! The patch raised another question for me. We have the
downgrade-1.0 and nokeepalive switches to force the CLIENT connection
to skip any spoofing attack.
But since 2.0/2.1 mod_proxy now uses keepalives for real, do we have
any similar choice for administrators to 'work around' potentially
broken back ends?
It's certainly not a security hole in Apache. But it would help
folks who have insecure back end applications to mitigate the damage.
Bill
Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by Jeff Trawick <tr...@gmail.com>.
On 6/27/05, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> My goal is to tag and roll 2.0 by Friday for release early next
> week, unless the fixes are ready sooner. There is a list of
> already-accepted patches in status, if anyone wants to pick some
> low hanging fruit for 2.0.
I have a tested proxy smuggling patch for 2.0 which I'll upload to
people.apache.org and add to STATUS. It is somewhere amidst the 2.1.5
or 2.1.6 messages.
HTTP Spoofing
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
1.3 proxy doesn't accept T-E:chunked request bodies.
1.3 proxy doesn't perform keep-alives against a backend.
I think we are safe, but additional opinions are welcome.
Bill
At 02:18 PM 6/30/2005, Mark J Cox wrote:
>> I'm obtaining a CVE name for this issue -- (as the issue is already public
>> it requires co-ordination with Mitre)
>
>CAN-2005-2088
>
>Has anyone looked to make sure this doesn't apply to later 1.3 releases?
>
>Cheers,
>Mark
Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by Mark J Cox <ma...@awe.com>.
> I'm obtaining a CVE name for this issue -- (as the issue is already public
> it requires co-ordination with Mitre)
CAN-2005-2088
Has anyone looked to make sure this doesn't apply to later 1.3 releases?
Cheers,
Mark
Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by Mark J Cox <ma...@awe.com>.
> Do we have an incident number for this report as it pertains
> to the Apache HTTP Server?
I'm obtaining a CVE name for this issue -- (as the issue is already public
it requires co-ordination with Mitre)
Cheers, Mark
Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
In the announce, we should have:
proxy HTTP: If a response contains both Transfer-Encoding
and a Content-Length, remove the Content-Length to eliminate
an HTTP Request Smuggling vulnerability, and don't reuse
the connection, stopping some HTTP Request Spoofing attacks.
"The Apache httpd project thanks the Watchfire team of Linhart,
Klein, Heled and Orrin for the responsible notification and
disclosure of this information."
Do we have an incident number for this report as it pertains
to the Apache HTTP Server?
I agree with Jeff after spending quite a few hours; patches to
the proxy now diverge quite radically from 2.0's proxy_http.c.
The band aids will land in slightly different places, but we
should encourage folks to validate proper proxied header and
body transmission.
My goal is to tag and roll 2.0 by Friday for release early next
week, unless the fixes are ready sooner. There is a list of
already-accepted patches in status, if anyone wants to pick some
low hanging fruit for 2.0.
Bill
At 01:08 PM 6/26/2005, Paul Querna wrote:
>+1 for Alpha from Joe Orton, Brad Nicholes, Wilfredo Sánchez Vega, and Paul Querna.
>
>Therefore, I consider 2.1.6-alpha to be released.
>
>I have moved the 2.1.6-alpha source files to the dist folder to be picked up by mirrors. I will add it to the download.xml and index.xml for httpd.apache.org later today, after giving the mirrors time to pick it up.
>
>Thanks to everyone who tested it,
>
>-Paul
>
>Paul Querna wrote:
>
>>Please vote on releasing 2.1.6 as -alpha.
>>
>>Available at:
>>http://httpd.apache.org/dev/dist/
>>http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>>
>>MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
>>MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
>>MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>>
>>Thanks,
>>
>>Paul
>
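As an added illustration of the band-aid Bill's announce text describes (this is example code written here, not httpd's own proxy_http.c), a small C routine over a constructed header table: when a backend response carries both Transfer-Encoding and Content-Length, it drops Content-Length so only one framing remains and marks the backend connection as not reusable. The `hdr_table` type and the function names are assumptions made for the example.

```c
#include <string.h>
#include <strings.h>

/* Constructed example, not httpd code: a minimal header table where each
 * entry is one "Name: value" line; a NULL entry marks a removed header. */
#define MAX_HDRS 16

struct hdr_table {
    const char *line[MAX_HDRS];
    int n;
    int close_conn;   /* set when the backend connection must not be reused */
};

/* Case-insensitive test that a (non-NULL) header line starts with "name:". */
static int hdr_is(const char *line, const char *name)
{
    size_t len = strlen(name);
    return line && strncasecmp(line, name, len) == 0 && line[len] == ':';
}

/* The rule from the announce text: when both Transfer-Encoding and
 * Content-Length are present, drop Content-Length so only one framing
 * remains, and mark the connection as not reusable. Returns 1 when a
 * conflict was found and fixed, 0 when the headers were left alone. */
int fix_framing_conflict(struct hdr_table *t)
{
    int has_te = 0, has_cl = 0, i;
    for (i = 0; i < t->n; i++) {
        if (hdr_is(t->line[i], "Transfer-Encoding")) has_te = 1;
        if (hdr_is(t->line[i], "Content-Length"))    has_cl = 1;
    }
    if (!(has_te && has_cl))
        return 0;
    for (i = 0; i < t->n; i++)
        if (hdr_is(t->line[i], "Content-Length"))
            t->line[i] = NULL;
    t->close_conn = 1;
    return 1;
}

/* Number of headers that survive normalisation. */
int live_headers(const struct hdr_table *t)
{
    int i, c = 0;
    for (i = 0; i < t->n; i++)
        if (t->line[i]) c++;
    return c;
}
```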
Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by Paul Querna <ch...@force-elite.com>.
+1 for Alpha from Joe Orton, Brad Nicholes, Wilfredo Sánchez Vega, and
Paul Querna.
Therefore, I consider 2.1.6-alpha to be released.
I have moved the 2.1.6-alpha source files to the dist folder to be
picked up by mirrors. I will add it to the download.xml and index.xml
for httpd.apache.org later today, after giving the mirrors time to pick
it up.
Thanks to everyone who tested it,
-Paul
Paul Querna wrote:
> Please vote on releasing 2.1.6 as -alpha.
>
> Available at:
> http://httpd.apache.org/dev/dist/
> http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>
> MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
> MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
> MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>
> Thanks,
>
> Paul
Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
At 03:03 AM 6/24/2005, Paul Querna wrote:
>Please vote on releasing 2.1.6 as -alpha.
Your subject would probably mislead some casual readers.
Releases cannot be vetoed. They need 3 +1's, more +1's
than -1's for release (with some reasonable time for folks
to vote, 2-3 days seems typical.)
Patches -can- be vetoed, but on technical merit with specific
justification.
In any case, if this picked up Trawick's patch 193205, then
I'll zip up a win32 source package and even tinker with rolling
binaries. Will likely have to disable TLS, if it's enabled by
default, for LDAP. Microsoft's SDK grows cruftier (it already
was, somewhat) as ldap_start_tls comes into play. SVN trunk
seems to behave correctly w.r.t. issues raised by Watchfire
but I have a bit more testing of some other combinations.
Bill
Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by Paul Querna <ch...@force-elite.com>.
And for the record, +1 on FreeBSD 6.0-CURRENT.
Paul Querna wrote:
> Please vote on releasing 2.1.6 as -alpha.
>
> Available at:
> http://httpd.apache.org/dev/dist/
> http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>
> MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
> MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
> MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>
> Thanks,
>
> Paul
Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by Joe Orton <jo...@redhat.com>.
On Fri, Jun 24, 2005 at 01:03:57AM -0700, Paul Querna wrote:
> Please vote on releasing 2.1.6 as -alpha.
+1 for alpha, manual test OK and httpd-test passes for this tarball on
all-the-linuxes here.
joe
Re: 2.1.6 is available for veto^H^H^H^Hvoting
Posted by Wilfredo Sánchez Vega <ws...@apple.com>.
+1 on Mac OS 10.4.
-wsv
On Jun 24, 2005, at 1:03 AM, Paul Querna wrote:
> Please vote on releasing 2.1.6 as -alpha.
>
> Available at:
> http://httpd.apache.org/dev/dist/
> http://people.apache.org/~pquerna/dev/httpd-2.1.6/
>
> MD5 (httpd-2.1.6-alpha.tar.gz) = 4602f254693e64293bdf36c8d066c66b
> MD5 (httpd-2.1.6-alpha.tar.bz2) = 26f457e6ab945ff1db7378a06aee046a
> MD5 (httpd-2.1.6-alpha.tar.Z) = 39a7e0e084abc45e51a57a60cde3557b
>
> Thanks,
>
> Paul
>