httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Last call... STATUS needing one sec fix vote [was Re: Roll 2.2.30]
Date Wed, 24 Jun 2015 16:04:13 GMT
On Fri, Jun 19, 2015 at 11:42 AM, William A Rowe Jr <wrowe@rowe-clan.net>
wrote:

>
> On Jun 18, 2015 1:45 PM, "William A Rowe Jr" <wrowe@rowe-clan.net> wrote:
> >
> > On Jun 11, 2015 8:22 AM, "Eric Covener" <covener@gmail.com> wrote:
> > >
> > > On Thu, Jun 11, 2015 at 9:08 AM William A Rowe Jr <wrowe@rowe-clan.net>
> wrote:
> > >>
> > >> But withholding a security fix for legacy server users?  Sounds like
> a way to earn distrust of the user community, not reassure them that 2.4.14
> is the best version available.
> > >
> > > +1
> >
> > The 2.2 patches are in alignment with the resolved 2.4 security patches
> plus relaxed trailing spaces rule. Yann and I have reviewed, still weeks
> later 2.2.30 needs one more pair of eyeballs and a third +1 of the 2
> patches.
> >
> > I can T&R in the morning Friday if it has been reviewed, else it will be
> a while before I can RM.
>
> If there is a vote in the next 90 minutes, I'll proceed, otherwise I can
> proceed sometime next week after missing +1 is cast.
>
Just as a reminder, 2.2 STATUS contains;

  *) SECURITY: CVE-2015-3183 (cve.mitre.org)
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.  [Graham Leggett, Yann Ylavic]
  Submitted by: minfrin, ylavic
  Reviewed by: ylavic, wrowe,
  Backports: 1484852, 1684513
  Reported by: regilero <regis.leroy makina-corpus.com>

  trunk
    http://svn.apache.org/r1484852
    http://svn.apache.org/r1684513
  2.4.x branch
    http://svn.apache.org/r1684515
  2.2.x branch
    http://people.apache.org/~wrowe/httpd-2.2.x-ap_http_filter-chunked-v6.patch
  +1: ylavic, wrowe
  jim notes: test framework errors due to 413->400 error change [test adjusted]
  wrowe notes: r1684513 was not neglected in this patch, already included

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer.
     trunk patch: http://svn.apache.org/r1685345
                  http://svn.apache.org/r1685347
                  http://svn.apache.org/r1685349
                  http://svn.apache.org/r1685350
     2.[24].x patch:
http://people.apache.org/~ylavic/httpd-2.4.x-ap_http_filter_chunked-v3.patch
                     (trunk works but CHANGES entry in the above patch is
                      better since the APLOG_INFO part is already included
                      in the CVE-2015-3183 patch)
     +1: ylavic, wrowe
     ylavic: CVE-2015-3183 patch httpd-2.2.x-ap_http_filter-chunked-v6.patch
             above must be applied first.


and has lingered now for two weeks (a month, actually, when measuring
security@httpd.apache.org time).  This blocks not only tagging 2.2, but
also publishing security guidance with corresponding patches for general
consumption, barring a successful release including these patches for 2.4
and 2.2.

If you had offered to review security patches in Jeff's 2.2 interest thread
of a month ago, please consider taking a bit of time to compare this change
to the corresponding change already approved in 2.4.x branch (and rather
extensively reviewed over the past two release votes).

Mime
View raw message