httpd-dev mailing list archives

From Randy Terbush <ra...@zyzzyva.com>
Subject Re: 1.1.2 plan
Date Sun, 12 Jan 1997 01:48:36 GMT
> 
> So, Randy will put together 1.1.2 with the two security fixes and upload them.

In progress.


> 1) I suggest he provide them as both a tarball and as two patches so that
> people with hacked installations can add them.

Patches will be in the patches directory. (Assuming we have one)

> 2) I also suggest we recommend two non-code fixes:
>    a) compile without mod_cookies to fix the mod_cookies problem
>    b) Turn DirectoryIndexing off (index.html will still be returned for
> requests like "GET / HTTP/1.0", yes?), which can be configured per-dir, if
> people don't want to muck with patching code.
> 
> 3) I don't think we need to remove the binary distributions, but we might want
> to consider adding a note about the warning to the listing in the binaries
> directory, http://www.apache.org/dist/binaries.

Hmmm. I might vote to remove binaries. At one point we were compiling
the binaries with mod_cookies if I remember correctly.

> 4) Once all that is done, we can send a message to c.i.w.s.u and ap-announce
> (to ap-announce first, though).  I propose something like the following.
> To-be-determined comments in []'s.
> 

I agree with Marc's comments regarding the announcement. Don't give
away too much info about the exploit. Also don't give too much info
about the coming snprint() changes.




