j...@apache.org wrote:
Author: jim
Date: Thu Jan 9 14:28:39 2014
New Revision: 1556815
URL: http://svn.apache.org/r1556815
Log:
Merge r1524368, r1524388 from trunk:
Use apr_socket_timeout_get instead of hard-coded 30 seconds timeout.
Use apr_socket_timeout_get instead of
minf...@apache.org wrote:
Author: minfrin
Date: Mon Dec 30 19:50:52 2013
New Revision: 1554300
URL: http://svn.apache.org/r1554300
Log:
core: Support named groups and backreferences within the LocationMatch,
DirectoryMatch, FilesMatch and ProxyMatch directives.
Modified:
Open source projects, ASF or otherwise, have varying procedures for commits
of fixes to vulnerabilities. One important aspect of these procedures is
whether or not fixes to vulnerabilities can be committed to a repository
with commit logs and possibly CHANGES entries which purposefully obscure
[X] It is mandatory to provide best available description and any available
tracking information when committing fixes for vulnerabilities to any
branch, delaying committing of the fix if the information shouldn't be
provided yet.
--/--
IMO it is not appropriate to let skilled attackers see a
From: Jeff Trawick [mailto:traw...@gmail.com]
Sent: Friday, 10 January 2014 14:39
To: Apache HTTP Server Development List
Subject: [VOTE] obscuring (or not) commit logs/CHANGES for fixes to
vulnerabilities
Open source projects, ASF or otherwise, have varying procedures for commits of
+1
On Jan 10, 2014, at 8:44 AM, Jeff Trawick traw...@gmail.com wrote:
[X] It is mandatory to provide best available description and any available
tracking information when committing fixes for vulnerabilities to any branch,
delaying committing of the fix if the information shouldn't be
Hello,
could http://svn.apache.org/r1538776 be considered for backport too (PR 55475)?
It's about mod_proxy to detect/handle incomplete (interrupted) backend
responses.
Regards,
Yann.
+1
in some cases, re-considering whether a used option is really needed
and disabling it may close a vulnerability; the admin only
needs to know that there is danger
On 10.01.2014 15:24, Jim Jagielski wrote:
+1
On Jan 10, 2014, at 8:44 AM, Jeff Trawick traw...@gmail.com wrote:
[X] It is mandatory to
Also PR 55666, patches starting with
https://issues.apache.org/bugzilla/show_bug.cgi?id=55666#c12 have not
been reviewed/committed yet.
It's about mod_deflate input/output filters to be reentrant when
parsing zlib header, so to avoid Zlib: Invalid header or
Insufficient data for inflate.
Regards.
On 10/01/2014 14:38, Jeff Trawick wrote:
[ ] It is an accepted practice (but not required) to obscure or omit
the vulnerability impact in CHANGES or commit log information when
committing fixes for vulnerabilities to any branch.
[X] It is mandatory to provide best available description
On Fri, 2014-01-10 at 08:38 -0500, Jeff Trawick wrote:
[ X] It is mandatory to provide best available description and any
available tracking information when committing fixes for
vulnerabilities to any branch, delaying committing of the fix if the
information shouldn't be provided yet.
On 1/10/14, 5:38 AM, Jeff Trawick wrote:
[ ] It is an accepted practice (but not required) to obscure or omit the
vulnerability impact in CHANGES or commit log information when committing
fixes for vulnerabilities to any branch.
[ ] It is mandatory to provide best available description and
12 matches