httpd-dev mailing list archives

From "William A. Rowe Jr." <wr...@rowe-clan.net>
Subject Re: security patches and releases (was [VOTE] Release Apache httpd 2.4.0)
Date Tue, 17 Jan 2012 20:03:26 GMT
On 1/17/2012 2:01 PM, Eric Covener wrote:
> On Tue, Jan 17, 2012 at 2:58 PM, William A. Rowe Jr.
> <wrowe@rowe-clan.net> wrote:
>> On 1/17/2012 1:56 PM, Eric Covener wrote:
>>>> I'd suggest that patches/apply_to_x.y.z/ is a clumsy notation.  It seems
>>>> more efficient to set these up as patches/CVE-yyyy-iiii/ with individual
>>>> files for actively (or semi-actively) maintained versions.  If there is
>>>> one patch which applies to 2.2.n < 2.2.17, and a second patch for 2.2.17
>>>> and higher, it would be easier to differentiate these all within one
>>>> directory.
>>>
>>> The current scheme has one benefit in that a responsible user on the
>>> latest release has a one-stop shop for "What do I need to add?".
>>>
>>> With the CVE as the directory, they'd have to start with some other
>>> resource/hint or browse through the descriptions/patches.
>>
>> I'm not sure about that.  If I have 2.2.18, what do I apply?  If there
>> were patches in .21 how do I know they apply to me?
>>
> 
> Cross your fingers and visit three directories full of patches -- the
> farther back you stay, the more work you've got in store for you.
> 
> I don't think you're in much better shape tracking down e.g. 7 CVEs though.

Actually, I think you are (now).

  http://httpd.apache.org/security/vulnerabilities_22.html


