httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <>
Subject Re: Roll 2.2.30 in conjunction with 2.4.14
Date Thu, 11 Jun 2015 13:07:39 GMT
I believe the opposite, that the announcement 2.4 contains enhancements,
bug fixes, and security fixes, and 2.2 legacy containing security fixes
will set user expectations.  A later 2.2 announce muddies the waters when
users ponder if it is 'current' and sufficient.  We have language in both
files to clarify this, but still...

Another way to put it is that 2.2.30 shouldn't be a headline and receive
its own announcement, but sit as a sidebar of our significant public
message that 2.4 release is out.

But withholding a security fix for legacy server users?  Sounds like a way
to earn distrust of the user community, not reassure them that 2.4.14 is
the best version available.  Whose interest does that serve?

Not ours, it leaves the risk in place between 2.2 and 2.4 instances because
request splitting attacks require agents to interpret request length
indications differently.  Updating every affected server is the responsible
action by the user, and a security release is rarely a smart moment in time
to perform a major upgrade (config changes etc) without proper testing of
those configs and services.
 On Jun 11, 2015 4:27 AM, "Steffen" <> wrote:

>   Not so happy to roll 2.2.30 in conjunction with 2.4.14.
> It does not stimulate pp to upgrade to 2.4., it suggest that the
> httpd-project gives 2.2 (legacy) the same priority as 2.4.
> Better first 2.4 and after some time 2.2. I do not agree with the argument
> to simplify the announcement.
>  *From:* William A Rowe Jr <>
> *Sent:* Thursday, June 11, 2015 4:54 AM
> *Newsgroups:* gmane.comp.apache.devel
> *To:* httpd <>
> *Subject:* Re: Review of 2.2.x security patch sought.
>  Just a quick /nag that I'm happy to roll 2.2.30 in conjunction with
> 2.4.14,
> so that we present both to the community at the same time, and simplify
> the announcement.  This patch still needs a third +1 to be adopted (it is
> already in trunk, and in the 2.4.14 Jim will be tagging & rolling shortly).
> ...
> ...
> ...

View raw message