httpd-dev mailing list archives

From Randy Terbush <>
Subject Re: 1.1.2 plan
Date Sun, 12 Jan 1997 01:48:36 GMT

> So, Randy will put together 1.1.2 with the two security fixes and upload them.

In progress.

> 1) I suggest he provide them as both a tarball and as two patches so that
> people with hacked installations can add them.

Patches will be in the patches directory. (Assuming we have one)

> 2) I also suggest we recommend two non-code fixes:
>    a) compile without mod_cookies to fix the mod_cookies problem
>    b) Turn DirectoryIndexing off (index.html will still be returned for
> requests like "GET / HTTP/1.0", yes?), which can be configured per-dir, if
> people don't want to muck with patching code.
> 3) I don't think we need to remove the binary distributions, but we might want
> to consider adding a note about the warning to the listing in the binaries
> directory,

Hmmm. I might vote to remove binaries. At one point we were compiling
the binaries with mod_cookies if I remember correctly.

> 4) Once all that is done, we can send a message to c.i.w.s.u and ap-announce
> (to ap-announce first, though).  I propose something like the following.
> To-be-determined comments in []'s.

I agree with Marc's comments regarding the announcement. Don't give
away too much info about the exploit. Also don't give too much info
about the coming snprint() changes.
