httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@lnd.com>
Subject RE: IBM HTTP SERVER / APACHE (fwd)
Date Fri, 02 Jun 2000 03:00:04 GMT
> From: Marc Slemko [mailto:marcs@znep.com]
> Sent: Thursday, June 01, 2000 7:24 PM
> To: security@apache.org; TLOSAP
> Subject: Re: IBM HTTP SERVER / APACHE (fwd)
> 
> So is anyone investigating this and fixing and/or following 
> up to bugtraq?

ACKED - reproduced under 1.3.13-dev (tonight's tree), NT 4.0 SP6

Can't reproduce under 2.0a4-dev (tonight's tree - MPM service patch applied)

Everyone want to start banging on 2.0 to see if we can't break that too?

I'm debugging 1.3.13-dev now.

AFAIC if the fix is solid, and I can get the last 1.3.13-dev issues resolved
over the next couple days, NW is in, I'd like to freeze at the end of the
day Tuesday and roll on Friday.  Is 8 days enough time for all?  Is it
reasonable?

Bill

***

Given our disclaimers - Win32 is experimental, I'm not convinced we should 
do an instant roll for a Win32 1.3 hole.  It doesn't appear (yet) that 
this produces any side effects that can harm the server, per se.  But it 
is a significant hole into admins with blatant user.dat files sitting in
their public web, and the patches have accumulated in 1.3.13-dev.

The patch will be here by Noon a.m.


