httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: Might as well be a CERT warning.
Date Sat, 11 Jan 1997 19:28:50 GMT
Jim Jagielski sez:
> Randy Terbush wrote:
> > 
> > > Randy Terbush wrote:
> > > > 
> > > > 
> > > > Looks like we have consensus to roll a 1.1.2 release with this patch
> > > > applied. Shall I?  I raise the concern about all the other overflow
> > > > problems that are being addressed in 1.2. Seems this could be used
> > > > as a catalyst to get these people to move to 1.2 instead of a 1.1.2.
> > > > 
> > > > *shrug*
> > > 
> > > In my view, we _must_ release a 1.1.2 which addresses the problem, though
> > > it doesn't have to be that patch, of course. We can't have a server in the
> > > wild with a known security hole.
> > > 
> > > Cheers,
> > > 
> > > Ben.
> > > 
> > 
> > *sigh*, But as the "Extra Long URL" email that just came in shows,
> > there are a bunch of other problems.
> > 
> > Do we create a patched version backporting the changes that Marc Slemko
> > is working on, or offer 1.2 as the fix?
> > 
> 
> I would like to be able to offer 1.2 as a fix, but we have no idea
> when it will be out. And people will not like to go from 1.1.1 golden
> to 1.2beta, no matter what.
> 
> 1.1.2 fixes one specific hole. Hopefully soon we will be able to release
> 1.2 that fixes a slew of potential ones.

Yes, but IMO, the "Extra Long URL" mail coming off of BUGTRAQ has
the potential to be a _much_ bigger problem. This other problem
is a hole in a non-standard module that is not compiled in by
default.

I think that if we are going to go to the trouble to release a 1.1.2,
we need to consider fixing this most recent bug as well. We all know
that there is no easy way to fix it aside from the fix that Marc is
working on.

I'm playing Devil's advocate as much as anything here, but firmly
believe that this recent URL length problem is potentially a bigger
headache.



