Posted to cvs@httpd.apache.org by mr...@apache.org on 2014/08/21 17:35:44 UTC

svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS

Author: mrumph
Date: Thu Aug 21 15:35:43 2014
New Revision: 1619446

URL: http://svn.apache.org/r1619446
Log:
Comment on possible trailers CVE delay.

Modified:
    httpd/httpd/branches/2.2.x/STATUS

Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1619446&r1=1619445&r2=1619446&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Thu Aug 21 15:35:43 2014
@@ -111,7 +111,10 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
      2.2.x patch:  http://people.apache.org/~covener/patches/httpd-2.2.x-trailers-2.diff
      +1: covener, wrowe, rpluem
      covener: Since this was not released yet in 2.4.x, maybe it's better to cut 2.2.28 w/o it?
-    
+     mrumph:  Delaying a nonCVE fix would be reasonable to maintain backward compatibility.
+              But for a CVE that has already been made public,
+              wouldn't it make more sense to make the fix available as quickly as possible?
+     
    * mod_deflate: Fix reentrance in output and input filters (buffering of
                   incomplete Zlib header or validation bytes). PR 46146.
      trunk patch: https://svn.apache.org/r1572655
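Review bot: the whitespace-only line removed as `-    ` is replaced by another whitespace-only line `+     ` after the new mrumph comment, so the hunk swaps one run of trailing spaces for a longer one; make that separator an actually empty line. Minor, in the first added line: "nonCVE" reads more clearly as "non-CVE".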



Re: svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS

Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Aug 22, 2014 at 7:46 AM, William A. Rowe Jr. <wr...@rowe-clan.net>
wrote:

> On Thu, 21 Aug 2014 15:10:02 -0400
> Jeff Trawick <tr...@gmail.com> wrote:
>
> > * Place a patch for 2.4.10 in patches/apply_to_
> > * Refer to the 2.4.10 patch after the description of the vulnerability
> > within the 2.2.next announcement.
>
> Rather than maintaining these any longer in dist/, we have
> https://svn.apache.org/rREV history (and most security patches
> are condensed down to a single patch by the time they hit our
> legacy/maintenance branches)... and maintain all pointers out
> in the http://httpd.apache.org/security/vulnerabilities_24.html
> tables.  WDYT?
>
>
>
It sounds reasonable, but implications are unclear...  In particular, I am
concerned that listing occasional patches there, such as in the rare
circumstance when 2.2.x releases a fix prior to 2.4.x, almost begs for
people who review that to want similar treatment for other vulnerabilities.
Not a bad thing, but it will consume more time...


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS

Posted by Ruediger Pluem <rp...@apache.org>.

William A. Rowe Jr. wrote:
> On Thu, 21 Aug 2014 15:10:02 -0400
> Jeff Trawick <tr...@gmail.com> wrote:
> 
>> * Place a patch for 2.4.10 in patches/apply_to_
>> * Refer to the 2.4.10 patch after the description of the vulnerability
>> within the 2.2.next announcement.
> 
> Rather than maintaining these any longer in dist/, we have
> https://svn.apache.org/rREV history (and most security patches 
> are condensed down to a single patch by the time they hit our
> legacy/maintenance branches)... and maintain all pointers out
> in the http://httpd.apache.org/security/vulnerabilities_24.html
> tables.  WDYT?
> 
> 
> 

+0.9: Requires more clicks to get the patch from ViewVC, but OTOH provides more information about it.

Regards

Rüdiger

Re: svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS

Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Thu, 21 Aug 2014 15:10:02 -0400
Jeff Trawick <tr...@gmail.com> wrote:

> * Place a patch for 2.4.10 in patches/apply_to_
> * Refer to the 2.4.10 patch after the description of the vulnerability
> within the 2.2.next announcement.

Rather than maintaining these any longer in dist/, we have
https://svn.apache.org/rREV history (and most security patches 
are condensed down to a single patch by the time they hit our
legacy/maintenance branches)... and maintain all pointers out
in the http://httpd.apache.org/security/vulnerabilities_24.html
tables.  WDYT?



Re: svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS

Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Aug 21, 2014 at 11:35 AM, <mr...@apache.org> wrote:

> Author: mrumph
> Date: Thu Aug 21 15:35:43 2014
> New Revision: 1619446
>
> URL: http://svn.apache.org/r1619446
> Log:
> Comment on possible trailers CVE delay.
>
> Modified:
>     httpd/httpd/branches/2.2.x/STATUS
>
> Modified: httpd/httpd/branches/2.2.x/STATUS
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1619446&r1=1619445&r2=1619446&view=diff
>
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/STATUS (original)
> +++ httpd/httpd/branches/2.2.x/STATUS Thu Aug 21 15:35:43 2014
> @@ -111,7 +111,10 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>       2.2.x patch:
> http://people.apache.org/~covener/patches/httpd-2.2.x-trailers-2.diff
>       +1: covener, wrowe, rpluem
>       covener: Since this was not released yet in 2.4.x, maybe it's better
> to cut 2.2.28 w/o it?
> -
> +     mrumph:  Delaying a nonCVE fix would be reasonable to maintain
> backward compatibility.
> +              But for a CVE that has already been made public,
> +              wouldn't it make more sense to make the fix available as
> quickly as possible?
> +
>     * mod_deflate: Fix reentrance in output and input filters (buffering of
>                    incomplete Zlib header or validation bytes). PR 46146.
>       trunk patch: https://svn.apache.org/r1572655
>
>
>
IMO:

* Place a patch for 2.4.10 in patches/apply_to_
* Refer to the 2.4.10 patch after the description of the vulnerability
within the 2.2.next announcement.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/