httpd-dev mailing list archives

From William A Rowe Jr <>
Subject Re: Last call... STATUS needing one sec fix vote [was Re: Roll 2.2.30]
Date Wed, 24 Jun 2015 16:04:13 GMT
On Fri, Jun 19, 2015 at 11:42 AM, William A Rowe Jr <>

> On Jun 18, 2015 1:45 PM, "William A Rowe Jr" <> wrote:
> >
> > On Jun 11, 2015 8:22 AM, "Eric Covener" <> wrote:
> > >
> > > On Thu, Jun 11, 2015 at 9:08 AM William A Rowe Jr <>
> wrote:
> > >>
> > >> But withholding a security fix for legacy server users?  Sounds like
> a way to earn distrust of the user community, not reassure them that 2.4.14
> is the best version available.
> > >
> > > +1
> >
> > The 2.2 patches are in alignment with the resolved 2.4 security patches
> plus relaxed trailing spaces rule. Yann and I have reviewed, still weeks
> later 2.2.30 needs one more pair of eyeballs and a third +1 of the 2
> patches.
> >
> > I can T&R in the morning Friday if it has been reviewed, else it will be
> a while before I can RM.
> If there is a vote in the next 90 minutes, I'll proceed, otherwise I can
> proceed sometime next week after missing +1 is cast.
Just as a reminder, 2.2 STATUS contains:

  *) SECURITY: CVE-2015-3183 (
     core: Fix chunk header parsing defect.
     Remove apr_brigade_flatten(), buffering and duplicated code from
     the HTTP_IN filter, parse chunks in a single pass with zero copy.
     Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
     authorized characters.  [Graham Leggett, Yann Ylavic]
  Submitted by: minfrin, ylavic
  Reviewed by: ylavic, wrowe,
  Backports: 1484852, 1684513
  Reported by: regilero <regis.leroy>

  2.4.x branch
  2.2.x branch
  +1: ylavic, wrowe
  jim notes: test framework errors due to 413->400 error change [test adjusted]
  wrowe notes: r1684513 was not neglected in this patch, already included

  *) core: Allow spaces after chunk-size for compatibility with implementations
     using a pre-filled buffer.
     trunk patch:
     2.[24].x patch:
                     (trunk works but CHANGES entry in the above patch is
                      better since the APLOG_INFO part is already included
                      in the CVE-2015-3183 patch)
     +1: ylavic, wrowe
     ylavic: CVE-2015-3183 patch httpd-2.2.x-ap_http_filter-chunked-v6.patch
             above must be applied first.

and has lingered now for two weeks (a month, actually, when measuring time). This blocks not only tagging 2.2, but
also publishing security guidance with corresponding patches for general
consumption, barring a successful release including these patches for 2.4
and 2.2.

If you had offered to review security patches in Jeff's 2.2 interest thread
of a month ago, please consider taking a bit of time to compare this change
to the corresponding change already approved in 2.4.x branch (and rather
extensively reviewed over the past two release votes).
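The two STATUS entries quoted above spell out the hardened chunk-header parsing: a single zero-copy pass over the buffer, a chunk-size cap of 2^63-1, strict chunk-ext characters, and (the relaxed rule) spaces tolerated after the chunk-size. The following standalone C parser for one chunk-size line is an added illustration of those rules, not code from either httpd patch; the tchar set and quoted-string handling are assumed from the RFC 7230 token grammar, and CHUNK_REJECT stands in for the 400 response the server sends.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

#define CHUNK_REJECT (-1)   /* caller answers 400 Bad Request and closes the connection */
/* tchar from the RFC 7230 token grammar: the chunk-ext characters assumed authorized */
static int is_tchar(int c) {
    return c > 0 && c < 128 && (isalnum(c) || strchr("!#$%&'*+-.^_`|~", c));
}

/* chunk-ext-val = token / quoted-string (with quoted-pair escapes); returns 0 on error */
static int skip_ext_val(const char *s, size_t len, size_t *i) {
    size_t start = *i;
    if (start < len && s[start] == '"') {
        for (*i = start + 1; *i < len && s[*i] != '"'; (*i)++)
            if (s[*i] == '\\') (*i)++;                       /* skip the escaped char */
            else if (s[*i] == '\r' || s[*i] == '\n') return 0;
        if (*i >= len) return 0;                             /* no closing quote */
        (*i)++;
        return 1;
    }
    while (*i < len && is_tchar((unsigned char)s[*i])) (*i)++;
    return *i > start;                                       /* token needs 1+ tchar */
}

/* One-pass, zero-copy parse of a chunk-size line held in buffer s of len bytes:
 *   1*HEXDIG *SP *( ";" token [ "=" chunk-ext-val ] ) CRLF
 * Returns the chunk size (capped at 2^63-1) or CHUNK_REJECT for anything off-grammar. */
int64_t parse_chunk_size_line(const char *s, size_t len) {
    size_t i = 0, nd = 0, start;
    uint64_t size = 0;
    for (; i < len && isxdigit((unsigned char)s[i]); i++, nd++) {
        int c = tolower((unsigned char)s[i]);
        if (size > (UINT64_C(0x7FFFFFFFFFFFFFFF) >> 4)) return CHUNK_REJECT; /* > 2^63-1 */
        size = (size << 4) | (uint64_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
    }
    if (nd == 0) return CHUNK_REJECT;                        /* no chunk-size digits */
    while (i < len && s[i] == ' ') i++;                      /* relaxed: trailing spaces ok */
    while (i < len && s[i] == ';') {                         /* chunk-ext, strict charset */
        for (start = ++i; i < len && is_tchar((unsigned char)s[i]); i++) ;
        if (i == start) return CHUNK_REJECT;                 /* empty/illegal ext-name */
        if (i < len && s[i] == '=') {
            i++;
            if (!skip_ext_val(s, len, &i)) return CHUNK_REJECT;
        }
    }
    if (i + 2 != len || s[i] != '\r' || s[i + 1] != '\n') return CHUNK_REJECT;
    return (int64_t)size;
}
```

A size of 2^63 (16 hex digits starting with 8) is rejected at the last digit without ever overflowing, which is the property the cap exists to guarantee.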
