Move the regex code to apr-utils?

2002-08-09 Thread Mladen Turk
Hi, Are there any particular reasons that regex code shouldn't be moved to the apr-utils like expat is. That way we'll be (the non httpd developers) able to use the same code for the things that need regular expressions, instead of linking the same lib multiple times. MT.

Apache 2.0 vulnerability affects non-Unix platforms

2002-08-09 Thread Mark J Cox
-BEGIN PGP SIGNED MESSAGE- For Immediate Disclosure === SUMMARY Title: Apache 2.0 vulnerability affects non-Unix platforms Date: 9th August 2002 Version: 1 Product Name: Apache web server 2.0 OS/Platform: Windows, OS2, Netware

[PATCH] Check for OpenSSL 0.9.6e or greater

2002-08-09 Thread MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
With the recent vulnerabilities found in OpenSSL, I thought it'd make sense for Apache to check for OpenSSL 0.9.6e or higher. -Madhu $ cvs diff acinclude.m4 Index: acinclude.m4 === RCS file:

Re: cvs commit: httpd-site/xdocs/info security_bulletin_20020809a.txt

2002-08-09 Thread Joshua Slive
[EMAIL PROTECTED] wrote: Revision Changes Path 1.1 httpd-site/docs/info/security_bulletin_20020809a.txt Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt Problem here. Not the month/day day/month switch. I've done a mv on daedalus so

Re: cvs commit: httpd-site/xdocs/info security_bulletin_20020809a.txt

2002-08-09 Thread Mark J Cox
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt Hmmm, actually it really ought to be 20020809a.txt like the files I committed, the text that went out was wrong due to too many us-uk conversions ;). A cunning redirect rule in the server config would fix it so

Re: Apache 2.0 vulnerability affects non-Unix platforms

2002-08-09 Thread Joshua Slive
Mark J Cox wrote: -BEGIN PGP SIGNED MESSAGE- For Immediate Disclosure Incidentally, I didn't see this get sent to users@httpd and announce@httpd (it was sent to [EMAIL PROTECTED]). Did I miss it? Joshua.

[PATCH] Multiple env test for CustomLog directives in 1.3.26 (mod_log-config.c)

2002-08-09 Thread Alan Skea
I got a bit frustrated by the lack of flexibility in the mod_log_config CustomLog directive. What I wanted was to make logging conditional on multiple environment variables that get set by different modules, and also to be able to make logging behaviour depend on the value of the variables

Re: cvs commit: httpd-site/xdocs/info security_bulletin_20020809a.txt

2002-08-09 Thread Mark J Cox
On Fri, 9 Aug 2002, Joshua Slive wrote: [EMAIL PROTECTED] wrote: Revision Changes Path 1.1 httpd-site/docs/info/security_bulletin_20020809a.txt Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt I put in a symlink for now

Re: [PATCH] Check for OpenSSL 0.9.6e or greater

2002-08-09 Thread Andreas Hasenack
On Fri, Aug 09, 2002 at 09:58:03AM -0700, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote: With the recent vulnerabilities found in OpenSSL, I thought it'd make sense for Apache to check for OpenSSL 0.9.6e or higher. And what about patched openssl versions? Given the notorious binary

RE: cvs commit: httpd-2.0 acinclude.m4

2002-08-09 Thread MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
Thanks for pointing it out. I'd missed it completely (mainly because I thought 0.9.7 is still in beta) Here's an updated patch which checks specifically for 0.9.6e or 0.9.[7-9]* $ cvs diff acinclude.m4 Index: acinclude.m4 === RCS

Re: [PATCH] Check for OpenSSL 0.9.6e or greater

2002-08-09 Thread Larry Rosenman
On Fri, 2002-08-09 at 15:33, Andreas Hasenack wrote: On Fri, Aug 09, 2002 at 09:58:03AM -0700, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote: With the recent vulnerabilities found in OpenSSL, I thought it'd make sense for Apache to check for OpenSSL 0.9.6e or higher. And what about

RE: [PATCH] Check for OpenSSL 0.9.6e or greater

2002-08-09 Thread MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
I'm not sure how to address this : For ex., do we allow building Apache against OpenSSL 0.9.5x ?.. I don't believe so. If it's regarding OpenSSL 0.9.6x, I'm not sure how much of binary incompatibility it introduces. Moreover, considering the fact that we have a CERT advisory asking ppl to move to

Re: [PATCH] Check for OpenSSL 0.9.6e or greater

2002-08-09 Thread Andreas Hasenack
On Fri, Aug 09, 2002 at 02:04:36PM -0700, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote: move to OpenSSL 0.9.6e, I thought it'd be prudent to check specifically for version 0.9.6e or greater. A warning would be prudent.

daedalus is running 2.0.40 live

2002-08-09 Thread Greg Ames
...since Friday, 09-Aug-2002 13:39:01 PDT. The traffic was pretty light then but is likely to get heavy soon, so I went ahead and bounced it. It's got a Redirect for the dyslexic security bulletin. I had a moment of panic: [gregames@daedalus apache2.0.40]$ sudo apbounce apache2.0.40

Re: cvs commit: httpd-2.0 acinclude.m4

2002-08-09 Thread Roy T. Fielding
-1. Please revert the change. The purpose of the check is to identify incompatible APIs, not security holes. Roy

Re: [PATCH] Multiple env test for CustomLog directives in 1.3.26 (mod_log-config.c)

2002-08-09 Thread Joshua Slive
Alan Skea wrote: I got a bit frustrated by the lack of flexibility in the mod_log_config CustomLog directive. What I wanted was to make logging conditional on multiple environment variables that get set by different modules, and also to be able to make logging behaviour depend on the value

RE: cvs commit: httpd-2.0 acinclude.m4

2002-08-09 Thread MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
-Original Message- From: Roy T. Fielding [mailto:[EMAIL PROTECTED]] Sent: Friday, August 09, 2002 3:03 PM -1. Please revert the change. The purpose of the check is to identify incompatible APIs, not security holes. should apache be allowed to be built against a version of OpenSSL that

Re: cvs commit: httpd-2.0 acinclude.m4

2002-08-09 Thread Roy T. Fielding
-1. Please revert the change. The purpose of the check is to identify incompatible APIs, not security holes. should apache be allowed to be built against a version of OpenSSL that has a known problem - I don't think so. But if everybody thinks against - then, so be it. People need to

Re: cvs commit: httpd-2.0 acinclude.m4

2002-08-09 Thread Roy T. Fielding
-1. Please revert the change. The purpose of the check is to identify incompatible APIs, not security holes. I have a patch to turn it into a warning -- will commit once tested. Roy

Re: cvs commit: httpd-2.0 acinclude.m4

2002-08-09 Thread Jim Jagielski
+1. This seems too restrictive to me. People *do* patch the source as well :) Roy T. Fielding wrote: -1. Please revert the change. The purpose of the check is to identify incompatible APIs, not security holes. Roy --

RE: [ANNOUNCE] Apache 2.0.40 Released

2002-08-09 Thread Jeroen Massar
Sander Striker [mailto:[EMAIL PROTECTED]] wrote: SNIP We have also included support for IPv6 on any platform that supports IPv6. Hmmm Windows NT/2k/XP/.Net/98/95 supports IPv6, now where is the IPv6 capable binary (or source for that matter ;) ? (Btw... Mac OS X sports IPv6 also in beta's and

Re: [PATCH] Multiple env test for CustomLog directives in 1.3.26 (mod_log-config.c)

2002-08-09 Thread Alan Skea
At 23:27 09/08/02, Joshua Slive wrote: Alan Skea wrote: I got a bit frustrated by the lack of flexibility in the mod_log_config CustomLog directive. What I wanted was to make logging conditional on multiple environment variables that get set by different modules, and also to be able to make

Re: [PATCH] Multiple env test for CustomLog directives in 1.3.26(mod_log-config.c)

2002-08-09 Thread Joshua Slive
Alan Skea wrote: I don't think SetEnvIf quite does it. In one module I extract a session tracking token from the URI and set it into an env var. If this var is present then I want to use a particular log format. I also started looking at a module called robotcop the other day. It

Re: cvs commit: httpd-2.0 acinclude.m4

2002-08-09 Thread Roy T. Fielding
Cool. I believe something is better than nothing :). (I'm sure you're already aware of this - but thought it'd be better to let you know) I believe my patch went into r1.127 - and has been labelled for the 2.0.40 release. So, you might want to bump the label before it's released. It has

Re: cvs commit: httpd-2.0 acinclude.m4

2002-08-09 Thread William A. Rowe, Jr.
At 08:31 PM 8/9/2002, Roy T. Fielding wrote: Cool. I believe something is better than nothing :). (I'm sure you're already aware of this - but thought it'd be better to let you know) I believe my patch went into r1.127 - and has been labelled for the 2.0.40 release. So, you might want to bump