Posted to cvs@httpd.apache.org by mr...@apache.org on 2014/08/21 17:35:44 UTC
svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS
Author: mrumph
Date: Thu Aug 21 15:35:43 2014
New Revision: 1619446
URL: http://svn.apache.org/r1619446
Log:
Comment on possible trailers CVE delay.
Modified:
httpd/httpd/branches/2.2.x/STATUS
Modified: httpd/httpd/branches/2.2.x/STATUS
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1619446&r1=1619445&r2=1619446&view=diff
==============================================================================
--- httpd/httpd/branches/2.2.x/STATUS (original)
+++ httpd/httpd/branches/2.2.x/STATUS Thu Aug 21 15:35:43 2014
@@ -111,7 +111,10 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
2.2.x patch: http://people.apache.org/~covener/patches/httpd-2.2.x-trailers-2.diff
+1: covener, wrowe, rpluem
covener: Since this was not released yet in 2.4.x, maybe it's better to cut 2.2.28 w/o it?
-
+ mrumph: Delaying a nonCVE fix would be reasonable to maintain backward compatibility.
+ But for a CVE that has already been made public,
+ wouldn't it make more sense to make the fix available as quickly as possible?
+
* mod_deflate: Fix reentrance in output and input filters (buffering of
incomplete Zlib header or validation bytes). PR 46146.
trunk patch: https://svn.apache.org/r1572655
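Review bot: the added mrumph comment (the three "+" lines) argues for shipping the fix quickly because the CVE is already public, but never names the CVE; adding the identifier beside the 2.2.x patch link would let readers of STATUS tie this backport entry to the published advisory without leaving the file. Minor: "nonCVE" should read "non-CVE".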
Re: svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS
Posted by Jeff Trawick <tr...@gmail.com>.
On Fri, Aug 22, 2014 at 7:46 AM, William A. Rowe Jr. <wr...@rowe-clan.net>
wrote:
> On Thu, 21 Aug 2014 15:10:02 -0400
> Jeff Trawick <tr...@gmail.com> wrote:
>
> > * Place a patch for 2.4.10 in patches/apply_to_
> > * Refer to the 2.4.10 patch after the description of the vulnerability
> > within the 2.2.next announcement.
>
> Rather than maintaining these any longer in dist/, we have
> https://svn.apache.org/rREV history (and most security patches
> are condensed down to a single patch by the time they hit our
> legacy/maintenance branches)... and maintain all pointers out
> in the http://httpd.apache.org/security/vulnerabilities_24.html
> tables. WDYT?
>
>
>
It sounds reasonable, but implications are unclear... In particular, I am
concerned that listing occasional patches there, such as in the rare
circumstance when 2.2.x releases a fix prior to 2.4.x, almost begs for
people who review that to want similar treatment for other vulnerabilities.
Not a bad thing, but it will consume more time...
--
Born in Roswell... married an alien...
http://emptyhammock.com/
Re: svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS
Posted by Ruediger Pluem <rp...@apache.org>.
William A. Rowe Jr. wrote:
> On Thu, 21 Aug 2014 15:10:02 -0400
> Jeff Trawick <tr...@gmail.com> wrote:
>
>> * Place a patch for 2.4.10 in patches/apply_to_
>> * Refer to the 2.4.10 patch after the description of the vulnerability
>> within the 2.2.next announcement.
>
> Rather than maintaining these any longer in dist/, we have
> https://svn.apache.org/rREV history (and most security patches
> are condensed down to a single patch by the time they hit our
> legacy/maintenance branches)... and maintain all pointers out
> in the http://httpd.apache.org/security/vulnerabilities_24.html
> tables. WDYT?
>
>
>
+0.9: Requires more clicks to get the patch from ViewVC, but OTOH provides more information about it.
Regards
Rüdiger
Re: svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS
Posted by "William A. Rowe Jr." <wr...@rowe-clan.net>.
On Thu, 21 Aug 2014 15:10:02 -0400
Jeff Trawick <tr...@gmail.com> wrote:
> * Place a patch for 2.4.10 in patches/apply_to_
> * Refer to the 2.4.10 patch after the description of the vulnerability
> within the 2.2.next announcement.
Rather than maintaining these any longer in dist/, we have
https://svn.apache.org/rREV history (and most security patches
are condensed down to a single patch by the time they hit our
legacy/maintenance branches)... and maintain all pointers out
in the http://httpd.apache.org/security/vulnerabilities_24.html
tables. WDYT?
Re: svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS
Posted by Jeff Trawick <tr...@gmail.com>.
On Thu, Aug 21, 2014 at 11:35 AM, <mr...@apache.org> wrote:
> Author: mrumph
> Date: Thu Aug 21 15:35:43 2014
> New Revision: 1619446
>
> URL: http://svn.apache.org/r1619446
> Log:
> Comment on possible trailers CVE delay.
>
> Modified:
> httpd/httpd/branches/2.2.x/STATUS
>
> Modified: httpd/httpd/branches/2.2.x/STATUS
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1619446&r1=1619445&r2=1619446&view=diff
>
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/STATUS (original)
> +++ httpd/httpd/branches/2.2.x/STATUS Thu Aug 21 15:35:43 2014
> @@ -111,7 +111,10 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
> 2.2.x patch:
> http://people.apache.org/~covener/patches/httpd-2.2.x-trailers-2.diff
> +1: covener, wrowe, rpluem
> covener: Since this was not released yet in 2.4.x, maybe it's better
> to cut 2.2.28 w/o it?
> -
> + mrumph: Delaying a nonCVE fix would be reasonable to maintain
> backward compatibility.
> + But for a CVE that has already been made public,
> + wouldn't it make more sense to make the fix available as
> quickly as possible?
> +
> * mod_deflate: Fix reentrance in output and input filters (buffering of
> incomplete Zlib header or validation bytes). PR 46146.
> trunk patch: https://svn.apache.org/r1572655
>
>
>
IMO:
* Place a patch for 2.4.10 in patches/apply_to_
* Refer to the 2.4.10 patch after the description of the vulnerability
within the 2.2.next announcement.
--
Born in Roswell... married an alien...
http://emptyhammock.com/