Posted to cvs@httpd.apache.org by wr...@apache.org on 2005/10/07 23:32:52 UTC

svn commit: r307201 - /httpd/httpd/branches/2.0.x/STATUS

Author: wrowe
Date: Fri Oct  7 14:32:50 2005
New Revision: 307201

URL: http://svn.apache.org/viewcvs?rev=307201&view=rev
Log:

  Almost a security hole, but certainly not for mod_echo.  Save other
  protocol modules a significant hole if based purely on mod_echo.

Modified:
    httpd/httpd/branches/2.0.x/STATUS

Modified: httpd/httpd/branches/2.0.x/STATUS
URL: http://svn.apache.org/viewcvs/httpd/httpd/branches/2.0.x/STATUS?rev=307201&r1=307200&r2=307201&view=diff
==============================================================================
--- httpd/httpd/branches/2.0.x/STATUS (original)
+++ httpd/httpd/branches/2.0.x/STATUS Fri Oct  7 14:32:50 2005
@@ -104,6 +104,20 @@
 
 RELEASE SHOWSTOPPERS:
 
+    *) Fix CAN-2005-2700, mod_ssl SSLVerifyClient bug
+         http://svn.apache.org/viewcvs?rev=264800&view=rev
+       test case: perl-framework/t/security/CAN-2005-2700.t
+       +1: jorton, wrowe, trawick
+       wrowe cautions to backport to 2.2.x branch as well.
+
+    *) SECURITY: CAN-2005-2970 (cve.mitre.org)
+       worker MPM: Fix a memory leak which can occur after an aborted
+       connection in some limited circumstances.
+       http://people.apache.org/~trawick/CAN-2005-2970.txt
+       +1: trawick, brianp
+       +0: wrowe [greg ames and jeff trawick were of two minds, I'm
+                  +1 on either patch they mutually agree upon.]
+
 
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
   [ start all new proposals below, under PATCHES PROPOSED. ]
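Review bot: in the CAN-2005-2970 showstopper entry, the +0 comment refers to "either patch they mutually agree upon", but the entry links only one patch (CAN-2005-2970.txt), so a voter cannot tell what the alternative is. Link the second candidate or the thread where the two approaches are discussed. The blank line added after the entry also leaves two blank lines before PATCHES ACCEPTED TO BACKPORT FROM TRUNK; drop one.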
@@ -150,11 +164,6 @@
        +1: pquerna, nd, wrowe
        Votes from before the integration branch: +1: jerenkrantz
 
-    *) Fix CAN-2005-2700, mod_ssl SSLVerifyClient bug
-         http://svn.apache.org/viewcvs?rev=264800&view=rev
-       test case: perl-framework/t/security/CAN-2005-2700.t
-       +1: jorton, wrowe, trawick
-       wrowe cautions to backport to 2.2.x branch as well.
 
 PATCHES PROPOSED TO BACKPORT FROM TRUNK:
   [ please place SVN revisions from trunk here, so it is easy to
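Review bot: removing the CAN-2005-2700 entry leaves two consecutive blank lines ahead of PATCHES PROPOSED TO BACKPORT FROM TRUNK, because the blank line after the preceding entry's votes and the one after the removed block are both kept. Delete one of them. The removed text matches the entry added under RELEASE SHOWSTOPPERS line for line, so nothing is lost in the move.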
@@ -272,11 +281,16 @@
                  server.  (old way: use system-specific configuration
                  knobs that affect all applications.)
 
-    *) SECURITY: CAN-2005-2970 (cve.mitre.org)
-       worker MPM: Fix a memory leak which can occur after an aborted
-       connection in some limited circumstances.
-       http://people.apache.org/~trawick/CAN-2005-2970.txt
-       +1: trawick, brianp
+    *) Fix all non-http protocol modules that were modeled after the
+       broken mod_echo.c example; remove the -initial- timeout setting
+       from NET_TIME (never inserted by non-request based protocols)
+       and move it to the core pre_connection logic, so every core
+       connection can read with timeout on Linux, Solaris, instead of
+       read (untimed) blocking on Linux, and failing read non-block on
+       Solaris.  Leaves NET_TIME intact until after the 2.0.x branch.
+         http://people.apache.org/~wrowe/httpd-2.0-proto-timeout.patch
+         +1: wrowe
+
 
 PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON:
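Review bot: the new entry for the protocol modules modeled after mod_echo.c describes the mechanism (untimed blocking read on Linux, failing non-blocking read on Solaris) but not the consequence for a running server, while the commit log calls it "almost a security hole" for modules based on mod_echo. State the impact in the entry so voters can judge its priority, and reword "Leaves NET_TIME intact until after the 2.0.x branch", which does not say whether the filter stays for the life of 2.0.x or goes away in a later 2.0.x release. The entry also links a patch under people.apache.org/~wrowe rather than a trunk revision, so a reader cannot tell from it whether the change is already on trunk.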