httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <traw...@gmail.com>
Subject Re: svn commit: r1619446 - /httpd/httpd/branches/2.2.x/STATUS
Date Thu, 21 Aug 2014 19:10:02 GMT
On Thu, Aug 21, 2014 at 11:35 AM, <mrumph@apache.org> wrote:

> Author: mrumph
> Date: Thu Aug 21 15:35:43 2014
> New Revision: 1619446
>
> URL: http://svn.apache.org/r1619446
> Log:
> Comment on possible trailers CVE delay.
>
> Modified:
>     httpd/httpd/branches/2.2.x/STATUS
>
> Modified: httpd/httpd/branches/2.2.x/STATUS
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?rev=1619446&r1=1619445&r2=1619446&view=diff
>
> ==============================================================================
> --- httpd/httpd/branches/2.2.x/STATUS (original)
> +++ httpd/httpd/branches/2.2.x/STATUS Thu Aug 21 15:35:43 2014
> @@ -111,7 +111,10 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
>       2.2.x patch:
> http://people.apache.org/~covener/patches/httpd-2.2.x-trailers-2.diff
>       +1: covener, wrowe, rpluem
>       covener: Since this was not released yet in 2.4.x, maybe it's better
> to cut 2.2.28 w/o it?
> -
> +     mrumph:  Delaying a nonCVE fix would be reasonable to maintain
> backward compatibility.
> +              But for a CVE that has already been made public,
> +              wouldn't it make more sense to make the fix available as
> quickly as possible?
> +
>     * mod_deflate: Fix reentrance in output and input filters (buffering of
>                    incomplete Zlib header or validation bytes). PR 46146.
>       trunk patch: https://svn.apache.org/r1572655
>
>
>
IMO:

* Place a patch for 2.4.10 in patches/apply_to_
* Refer to the 2.4.10 patch after the description of the vulnerability
within the 2.2.next announcement.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Mime
View raw message