httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch ...@sfritsch.de>
Subject handling of security issues in alphas?
Date Sat, 08 Jan 2011 14:50:16 GMT
On Saturday 08 January 2011, sf@apache.org wrote:
> Author: sf
> Date: Sat Jan  8 14:29:12 2011
> New Revision: 1056713
> 
> URL: http://svn.apache.org/viewvc?rev=1056713&view=rev
> Log:
> Fix a bug in authz logic merging which caused
>         section->op == AUTHZ_LOGIC_AND
>         auth_result == AUTHZ_DENIED_NO_USER
>         child_result == AUTHZ_GRANTED
> to return AUTHZ_GRANTED instead of AUTHZ_DENIED_NO_USER.
> 
> While there, refactor the if blocks to make them a bit more
> readable.
> 
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/modules/aaa/mod_authz_core.c

This was broken since r964156 / 2.3.8.

Is there some agreed upon policy how to handle security issues that 
only affect alphas and/or betas? Do we need a CVE id?

IMO: No for alphas, but maybe yes for betas?

Mime
View raw message