httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject August Apache HTTP Server Project status report
Date Mon, 17 Aug 2009 01:20:46 GMT
Over the past three months, Roy Fielding stepped down as the chair of the
project to concentrate on board-level issues.  The committee thanks him
for his service as Project Chairman, again, for these past four years.
William Rowe was appointed to serve in this capacity at the July Board

Stas Bekman and David Welton both requested to withdraw to an emeritus
status from the PMC; no new PMC members were added in this period.
The committee added Dan Poirier (poirier) as a committer to httpd.

Following seven months without release activity, httpd 2.2.12 was
released on 7/28 for security fixes, bug fixes and new features
including the first to support SNI (server name identification) for
mod_ssl, permitting named virtual https: hosts.

An httpd release 2.2.13 followed on 8/8 due to an apr flaw that would
conceivably elevate the risks for any third party module vulnerability
(which might or might not exist) due to allocating memory based on
untrusted user input.

There was no release activity on older branches, the current development
trunk, or the module subprojects this quarter.  Updating snapshots to
the current branches was discussed, but no action was taken.

The Apache HTTP Project is represented at ApacheCon 2009 in November
with two days of content organized by Rich Bowen and Noirin Plunket
and sponsored by Thawte, and a two day tutorial by Rich Bowen and Jim
Jagielski.  The project's modules make an additional appearance on the
Tomcat track.  The potential for hackathon or meetup activities will be
discussed on the dev or user lists as appropriate.

The project noted a revival of interest in resource exhaustion attacks
based on the "slowloris" tool, reported to httpd security list and posted
on bugtraq, etc.  Discussion of this class of issues was moved to the
dev@ list for discussion, due to their well-known nature (since the 90's).

HTTP Server Project is in-sync with the new subversion structure for
LDAP migration, with the httpd-pmc list in-sync with committee-info.txt.

There are no board level issues at this time.

View raw message