Return-Path: <apache-cvs-owner-apache-cvs-archive=hyperreal.org@apache.org>
Delivered-To: apache-cvs-archive@hyperreal.org
Received: (qmail 13633 invoked by uid 6000); 11 May 1998 23:45:15 -0000
Received: (qmail 13626 invoked by alias); 11 May 1998 23:45:14 -0000
Delivered-To: apache-1.3-cvs@hyperreal.org
Received: (qmail 13618 invoked by uid 24); 11 May 1998 23:45:13 -0000
Date: 11 May 1998 23:45:13 -0000
Message-ID: <19980511234513.13617.qmail@hyperreal.org>
From: brian@hyperreal.org
To: apache-1.3-cvs@hyperreal.org
Subject: cvs commit: apache-1.3 STATUS
Sender: apache-cvs-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

brian       98/05/11 16:45:13

  Modified:    .        STATUS
  Log:
  Moved two issues to non-showstopper status based on new-httpd discussions.
  
  Revision  Changes    Path
  1.396     +12 -10    apache-1.3/STATUS
  
  Index: STATUS
  ===================================================================
  RCS file: /export/home/cvs/apache-1.3/STATUS,v
  retrieving revision 1.395
  retrieving revision 1.396
  diff -u -r1.395 -r1.396
  --- STATUS	1998/05/11 20:08:02	1.395
  +++ STATUS	1998/05/11 23:45:11	1.396
  @@ -11,18 +11,8 @@
   
   FINAL RELEASE SHOWSTOPPERS:
   
  -    * Someone other than Dean has to do a security/correctness review on
  -      psprintf(), bprintf(), and ap_snprintf().  In particular these routines
  -      do lots of fun pointer manipulations and such and possibly have overflow
  -      errors.  The respective flush_funcs also need to be exercised.
  -       o Jim's looked over the ap_snprintf() stuff (the changes that Dean
  -         did to make thread-safe) and they look fine.
  -
   WIN32 1.3 FINAL RELEASE SHOWSTOPPERS:
   
  -    * SECURITY: check if the magic con/aux/nul/etc names do anything
  -	really bad
  -
       * SECURITY: numerous uses of strcpy and strcat have potential
   	for buffer overflow, someone should rewrite or verify
   	they're safe
  @@ -126,6 +116,15 @@
   
   Open issues:
   
  +    * Someone other than Dean has to do a security/correctness review on
  +      psprintf(), bprintf(), and ap_snprintf().  In particular these routines
  +      do lots of fun pointer manipulations and such and possibly have overflow
  +      errors.  The respective flush_funcs also need to be exercised.
  +       o Jim's looked over the ap_snprintf() stuff (the changes that Dean
  +         did to make thread-safe) and they look fine.
  +       o Laura La Gassa's looked over ap_vformatter & other related code
  +       o Could still use 1 or 2 more sets of eyeballs.
  +
       * Paul would like to see a 'gdbm' option because he uses
         it a lot.
   
  @@ -188,6 +187,9 @@
   	Ken: What's W95-specific about it?
   
    Help:
  +
  +    * SECURITY: check if the magic con/aux/nul/etc names do anything
  +	really bad
   
       * chdir() for CGI scripts and mod_include #exec needs to be 
         re-implemented.  This requires either serializing chdir/spawn