apr-dev mailing list archives

From: Jeff Trawick <traw...@gmail.com>
Subject: Re: apr-1.3.10 release schedule?
Date: Mon, 16 Nov 2009 11:55:17 GMT

On Mon, Nov 16, 2009 at 6:38 AM, Bill Weir <William.Weir@sun.com> wrote:
> Hi,
>
> I have downloaded and built Apache-2.2.14, using the bundled apr-1.3.9.  On
> x86 Solaris I am seeing bad behaviour which looks very like what is
> described in https://issues.apache.org/bugzilla/show_bug.cgi?id=48029 (and
> maybe also https://issues.apache.org/bugzilla/show_bug.cgi?id=48030 ).  As
> far as I can see, these bugs are fixed in apr-1.3.10, but I can't find a
> release schedule for that.
>
> I also notice that the APR download page quotes apr-1.3.8 as the best
> available version, rather than the apr-1.3.9 that is bundled with
> apache-2.2.14.
>
> So, a bit confused here.  The reason I'm building Apache at all is to get a
> fix for this vulnerability -
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2699 - which says
> that it affects apr-1.3.8 and earlier.  But apr-1.3.9 is apparently broken
> as well, as discussed above, and I can't find a release schedule for
> apr-1.3.10.
>
> How should I best proceed?

* use the patches in those PRs with APR 1.3.9
* use httpd 2.2.13 with a special port_getn() interposer I wrote which
accidentally avoids the PR 48029 issue and doesn't try to fix the
theoretical problem that is related to PR 48030
** attached to this OpenSolaris forum thread:
http://opensolaris.org/jive/thread.jspa?messageID=421151
* get the Solaris kernel team to provide a kernel patch for the
bugs/design flaws that required special handling to resolve the two
PRs you quote above (okay, I'm dreaming)
