httpd-dev mailing list archives

From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Knocking items off the plate, one by one
Date Fri, 09 Jun 2006 18:02:23 GMT
Before Dublin, I'd like to scratch several of my own itches to start with
something of a 'blank page' and moving forward with new stuff, rather than
our usual rehashes @ the hackathon.

Numero Uno is to permanently remove apache 1.3.x from our live
http://www.apache.org/dist/httpd/binaries/win32/ site. I have no interest
in rolling 1.3.36 since it solves no apparent problems that 1.3.34 had,
but moreso, httpd 2.0 is well over four years old.

http://archives.apache.org/dist/httpd is always out there ;-)

I simply have no reason to roll 1.3.x binaries as there is no sane reason
for them to continue to be used on Windows.  (As I've said before, on Unix
I'm entirely neutral.)  Please vote;

   [ ] Jettison apache/win 1.3 binaries to a footnote of history in archives
   [ ] Beg of Bill, "One more Round!" of 1.3.36 for old times' sake
   [ ] Keep them available from www even if they are never updated again
   [ ] "I'm insane, I'll take over rolling 1.3, fill me in on the procedure Bill?"

If jettisoned, I'll simply remove any 1.3 language from the page.  There is
already a note "Looking for older binaries? Please don't" which goes on to
point out where they live for the sadists.  That should cover it.  Any other
thoughts?

Second verse, same as the first, we have some _old_ directories lingering in
httpd/binaries/..., I will kill these today once I know for a fact they are
mirrored already on archives.apache.org (I thought we had killed these before.)

Third verse (sing along!) our web site reports

   Fixed in Apache httpd 1.3.32

         moderate: mod_proxy buffer overflow CVE-2004-0492

   Fixed in Apache httpd 2.0.55

         moderate: HTTP Request Spoofing CVE-2005-2088

Each of these is out of the control of the operator once they enable common
features, as opposed to other more recent, very specific flaws that need
specific configuration, unusual use cases or local web administration access
to trigger or reproduce.  (Who uses IMAP lol?)

So the final vote that we need to have a consensus on is;

   [ ] Remove all pre 2.0.55/pre 1.3.32 binaries from www.a.o (to archive.a.o)
   [ ] Leave the last unmaintained 2.0.x in whatever state it's in
   [ ] Leave the last unmaintained 1.3.x and 2.0.x in whatever state they are in

Votes/comments please?

Thanks,

Bill


