Posted to cvs@httpd.apache.org by bu...@apache.org on 2016/12/03 11:00:10 UTC

svn commit: r1002093 - in /websites/staging/httpd/trunk/content: ./ dev/guidelines.html

Author: buildbot
Date: Sat Dec  3 11:00:10 2016
New Revision: 1002093

Log:
Staging update by buildbot for httpd

Modified:
    websites/staging/httpd/trunk/content/   (props changed)
    websites/staging/httpd/trunk/content/dev/guidelines.html

Propchange: websites/staging/httpd/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Dec  3 11:00:10 2016
@@ -1 +1 @@
-1772450
+1772455

Modified: websites/staging/httpd/trunk/content/dev/guidelines.html
==============================================================================
--- websites/staging/httpd/trunk/content/dev/guidelines.html (original)
+++ websites/staging/httpd/trunk/content/dev/guidelines.html Sat Dec  3 11:00:10 2016
@@ -404,27 +404,30 @@ available. The obfuscation is done by re
 needed).</p>
 <p>If the change is related to a bugzilla issue, include the PR number in the
 log in the format:</p>
-<blockquote>
-<p>PR 1234</p>
-</blockquote>
+<div class="codehilite"><pre>   <span class="n">PR</span> 1234
+</pre></div>
+
+
 <p>Security-related changes should start like this:</p>
-<blockquote>
-<p>*) SECURITY: CVE-YYYY-NNNN (cve.mitre.org) xxxxx</p>
-</blockquote>
+<div class="codehilite"><pre>    <span class="o">*</span><span class="p">)</span> <span class="n">SECURITY</span><span class="p">:</span> <span class="n">CVE</span><span class="o">-</span><span class="n">YYYY</span><span class="o">-</span><span class="n">NNNN</span> <span class="p">(</span><span class="n">cve</span><span class="p">.</span><span class="n">mitre</span><span class="p">.</span><span class="n">org</span><span class="p">)</span>
+       <span class="n">xxxxx</span>
+</pre></div>
+
+
 <p>Most changes are inserted at the top of the CHANGES file. However,
 security-related changes should always be at the top of the list of changes
 for the relevant release, so if there are unreleased security changes at
 the top of the file, insert other changes below them.</p>
 <p>Example CHANGES entries: </p>
-<blockquote>
-<p>*) SECURITY: CVE-2009-3095 (cve.mitre.org) mod_proxy_ftp: sanity check authn credentials.
-    [Stefan Fritsch &lt;sf fritsch.de&gt;, Joe Orton]</p>
-<p>*) Replace AcceptMutex, LockFile, RewriteLock, SSLMutex, SSLStaplingMutex,
-    and WatchdogMutexPath with a single Mutex directive.  Add APIs to
-    simplify setup and user customization of APR proc and global mutexes.<br />
-    (See util_mutex.h.)  Build-time setting DEFAULT_LOCKFILE is no longer
-    respected; set DEFAULT_REL_RUNTIMEDIR instead.  [Jeff Trawick] </p>
-</blockquote>
+<div class="codehilite"><pre>    <span class="o">*</span><span class="p">)</span> <span class="n">SECURITY</span><span class="p">:</span> <span class="n">CVE</span><span class="o">-</span>2009<span class="o">-</span>3095 <span class="p">(</span><span class="n">cve</span><span class="p">.</span><span class="n">mitre</span><span class="p">.</span><span class="n">org</span><span class="p">)</span>
+       <span class="n">mod_proxy_ftp</span><span class="p">:</span> <span class="n">sanity</span> <span class="n">check</span> <span class="n">authn</span> <span class="n">credentials</span><span class="p">.</span>
+       <span class="p">[</span><span class="n">Stefan</span> <span class="n">Fritsch</span> <span class="o">&amp;</span><span class="n">lt</span><span class="p">;</span><span class="n">sf</span> <span class="n">fritsch</span><span class="p">.</span><span class="n">de</span><span class="o">&amp;</span><span class="n">gt</span><span class="p">;,</span> <span class="n">Joe</span> <span class="n">Orton</span><span class="p">]</span>
+
+    <span class="o">*</span><span class="p">)</span> <span class="n">SECURITY</span><span class="p">:</span> <span class="n">CVE</span><span class="o">-</span>2016<span class="o">-</span>1546 <span class="p">(</span><span class="n">cve</span><span class="p">.</span><span class="n">mitre</span><span class="p">.</span><span class="n">org</span><span class="p">)</span>     
+       <span class="n">mod_http2</span><span class="p">:</span> <span class="n">restricting</span> <span class="n">number</span> <span class="n">of</span> <span class="n">concurrent</span> <span class="n">stream</span> <span class="n">workers</span> <span class="n">per</span> <span class="n">connection</span> <span class="k">if</span> <span class="n">client</span> <span class="n">is</span> <span class="n">slow</span><span class="p">.</span>
+</pre></div>
+
+
 <h1 id="committing-security-fixes">Committing Security Fixes<a class="headerlink" href="#committing-security-fixes" title="Permanent link">&para;</a></h1>
 <p>Open source projects, ASF or otherwise, have varying procedures for 
 commits of vulnerability fixes.  One important aspect of these procedures
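Review bot: the attribution line of the CVE-2009-3095 example is double-escaped. The added markup carries "&amp;lt;" and "&amp;gt;" split across highlighter spans, so the page will show the literal text "&lt;sf fritsch.de&gt;" instead of angle brackets as the removed blockquote did. The cause is visible throughout the added blocks: CHANGES text is being run through a code lexer (class "n", "o", "p" spans), which also marks the word "if" in the CVE-2016-1546 entry as a keyword (class "k"). These entries are changelog prose, so the blocks should be emitted as plain preformatted text with no lexer applied. Separately, the new CVE-2016-1546 example has no bracketed contributor attribution and its description is a single unwrapped line with trailing whitespace on the line above it, unlike the first entry, and dropping the Mutex entry removes the only non-security example, leaving the preceding paragraph about placing other changes below security changes without an illustration.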
@@ -460,20 +463,17 @@ summary in the STATUS file should be upd
 that message.</p>
 <p>The patch should be created by using the <code>diff -u</code> command from
 the original software file(s) to the modified software file(s). E.g. one of the following:</p>
-<blockquote>
-<p><code>diff -u http_main.c.orig http_main.c &gt;&gt; patchfile.txt</code> 
-<code>svn diff http_main.c &gt;&gt; patchfile.txt</code> </p>
-</blockquote>
+<ul>
+<li><code>diff -u http_main.c.orig http_main.c &gt;&gt; patchfile.txt</code></li>
+<li><code>svn diff http_main.c &gt;&gt; patchfile.txt</code> </li>
+</ul>
 <p>All patches necessary to address an action item should be concatenated
 within a single patch message. If later modification of the patch proves
 necessary, the entire new patch should be posted and not just the
 difference between two patches. The STATUS file entry should then be
 updated to point to the new patch message.</p>
 <p>The completed patchfile should produce no errors or prompts when the
-following command is issued in the target repository:</p>
-<blockquote>
-<p><code>patch -s &lt; patchfile</code></p>
-</blockquote>
+following command is issued in the target repository: <code>patch -s &lt; patchfile</code></p>
 <h1 id="addendum">Addendum<a class="headerlink" href="#addendum" title="Permanent link">&para;</a></h1>
 <p>Outstanding issues with this document</p>
 <ul>
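Review bot: the verification command now inlined at the end of the paragraph, "patch -s < patchfile", reads from "patchfile" while both new list items write to "patchfile.txt"; use one filename so the steps can be followed as written. Both list items also append with ">>", which fits the instruction to concatenate all patches into one message but means a patchfile.txt left over from an earlier run would carry stale hunks into the posted patch, so the text should say to start from an empty file. The second list item has a stray space before its closing li tag, and folding the patch command into the sentence departs from the earlier hunk of this same file, which moved its examples into pre blocks.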