Received: by taz.hyperreal.com (8.8.3/V2.0) id PAA13939; Sat, 11 Jan 1997 15:28:13 -0800 (PST)
Received: from scanner.worldgate.com by taz.hyperreal.com (8.8.3/V2.0) with ESMTP id PAA13935; Sat, 11 Jan 1997 15:28:07 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id QAA20734 for new-httpd@hyperreal.com; Sat, 11 Jan 1997 16:28:05 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id QAA20603 for ; Sat, 11 Jan 1997 16:27:08 -0700 (MST)
Date: Sat, 11 Jan 1997 16:27:08 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: new-httpd@hyperreal.com
Subject: Re: possible long url index fix
In-Reply-To: <199701112304.RAA22666@sierra.zyzzyva.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

On Sat, 11 Jan 1997, Randy Terbush wrote:

> > Comments?
>
> This all looks fine. Portable to any system I have access to.
> BSDI, FreeBSD, NetBSD, SunOS 5.5
>
> My plan is to apply this and the other patch to 1.1.1 and roll a
> 1.1.2 in the next hour. Agreed?

Once 1.2 comes out, all the buffer overflows which were fixed will become public knowledge. That means that anyone still running 1.1.x will be vulnerable to more serious security holes than the ones being fixed in 1.1.2.

The amount of work to put the buffer overflow fixes into 1.1.x isn't trivial because of the amount of checks that have to be done, but it is worth considering if more discussion is needed on what to do with 1.1.x and security.