Re: [VOTE] Release httpd-2.4.51-rc1 as httpd-2.4.51

2021-10-07 Thread Mark J Cox
+1 on Fedora 34 On 2021/10/07 13:17:36, "ste...@eissing.org" wrote: > Hi all, > > due to found security weaknesses in our 2.4.50 release, the security team > feels it is necessary to do a new release on very short notice. We will skip > the usual 3 day voting period and close the vote once we

Re: [httpd-site] branch main updated: publishing release httpd-2.4.49

2021-09-16 Thread Mark J Cox
. Issues: https://github.com/iamamoose/Vulnogram/issues ASF changes from the upstream Vulnogram code: https://github.com/Vulnogram/Vulnogram/compare/master...iamamoose:asfmaster Regards, Mark J Cox ASF Security On Thu, Sep 16, 2021 at 4:57 PM Ruediger Pluem wrote: > > > On 9/16/21 3:16

Re: Changing the httpd security process

2020-08-17 Thread Mark J Cox
> > This roughly reverts the httpd process to what we used prior to adopting > > the Tomcat-esque policy for the whole ASF. We would have to document > > this and possibly need it approved by the ASF security team. > > Not sure if we need to have it approved, but at least we should discuss

Re: [Fwd: iDefense Final Notice [IDEF1445]]

2007-03-29 Thread Mark J Cox
For reference, Mitre assigned: CVE-2007-1741 - Path Checking Race Condition Vulnerability CVE-2007-1742 - Path Checking Design Error Vulnerability CVE-2007-1743 - Arbitrary GID Input Validation Vulnerability We can supply statements to Mitre for any we dispute. Mark -- Mark J Cox | www.awe.com

CGI Script Source Code Disclosure Vulnerability in Apache for Windows

2006-08-18 Thread Mark J Cox
that as a DISPUTED to CVE But the original reporter disagrees: http://marc.theaimsgroup.com/?l=bugtraq&m=115583509231594&w=2 I think the right response here is to make it more explicit in the documentation that putting a ScriptAlias cgi-bin inside document root is bad. Mark -- Mark J Cox | www.awe.com
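The layout the message above warns against, beside the corrected one, as an added illustration that is not part of the thread or of the httpd documentation. The paths are hypothetical; the access-control directives in the fixed block use httpd 2.4 syntax, not the 2.0/2.2 syntax current when the message was written.

```apache
# Added example (not from the mailing-list thread). Paths are hypothetical.

# WEAK: the script directory sits under DocumentRoot. The ScriptAlias
# makes /cgi-bin/hello.pl execute, but the same file is also reachable
# as an ordinary static file through DocumentRoot by any URL the alias
# does not match (on a case-insensitive Windows filesystem, for example,
# a differently-cased /CGI-BIN/hello.pl still resolves to it). A request
# that arrives that way is served as a plain file, disclosing the source.
DocumentRoot "C:/Apache2/htdocs"
ScriptAlias /cgi-bin/ "C:/Apache2/htdocs/cgi-bin/"

# FIXED: keep the script directory outside DocumentRoot, so the only URL
# space that maps onto it is the one ScriptAlias handles as cgi-script.
DocumentRoot "C:/Apache2/htdocs"
ScriptAlias /cgi-bin/ "C:/Apache2/cgi-bin/"
<Directory "C:/Apache2/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
```

A quick check on a running server: request the script by its aliased URL and by a path that reaches the same file through DocumentRoot; with the fixed layout the second request returns 404 rather than the script text.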

Re: [Fwd: 2.2+ security page empty?]

2006-05-03 Thread Mark J Cox
There is nothing on the security page any more for 2.2, is there a bug with the report you use to populate it? Fixed Cheers, Mark

Re: svn commit: r398494 - in /httpd/site/trunk: docs/security/vulnerabilities_13.html docs/security/vulnerabilities_20.html docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities_22.xml

2006-05-01 Thread Mark J Cox
This killed the list of vulnerabilities for all versions. Was this intended? And if yes, where can they be found now? Must be someone with bad java foo, fixing. Mark -- Mark J Cox | www.awe.com/mark

Re: svn commit: r392230 - in /httpd/site/trunk: docs/security/vulnerabilities_13.html xdocs/security/vulnerabilities-httpd.xml

2006-04-07 Thread Mark J Cox
1.3 was UNAFFECTED Yes, indeed it was me that insisted that this didn't affect 1.3, I'll revert it :) Cheers, Mark

Security release needed for 2.0

2005-09-09 Thread Mark J Cox
We've a few security issues fixed recently that haven't made it out into releases from the ASF, but have made it out into releases from the various OS vendors. One issue is important severity, and public now for 10 days. I don't watch this list much, are there other things holding up a

Re: 2.1.6 is available for veto^H^H^H^Hvoting

2005-06-30 Thread Mark J Cox
Do we have an incident number for this report as it pertains to the Apache HTTP Server? I'm obtaining a CVE name for this issue -- (as the issue is already public it requires co-ordination with Mitre) Cheers, Mark

Re: 2.1.6 is available for veto^H^H^H^Hvoting

2005-06-30 Thread Mark J Cox
I'm obtaining a CVE name for this issue -- (as the issue is already public it requires co-ordination with Mitre) CAN-2005-2088 Has anyone looked to make sure this doesn't apply to later 1.3 releases? Cheers, Mark

CAN-2004-0492 mod_proxy security issue

2004-06-10 Thread Mark J Cox
advisory on June 10th. Mark -- Mark J Cox ... www.awe.com/mark Apache Software Foundation . OpenSSL Group . Apache Week editor Index: src/CHANGES === RCS file: /home/cvs/apache-1.3/src

Re: [patch] - digest nonce including MM bump, doc and changes.

2003-12-19 Thread Mark J Cox
this issue. [Dirk-Willem van Gulik] + Use CAN-2003-0987 for this issue Mark -- Mark J Cox ... www.awe.com/mark Apache Software Foundation . OpenSSL Group . Apache Week editor

Re: Why Redhat 8.0 / 9.0 still use 2.0.40 (+ security fixes)

2003-06-27 Thread Mark J Cox
with other changes in a new release ;) Mark -- Mark J Cox ... www.awe.com/mark Apache Software Foundation . OpenSSL Group . Apache Week editor

Apache 2.0 vulnerability affects non-Unix platforms

2002-08-09 Thread Mark J Cox
-----BEGIN PGP SIGNED MESSAGE----- For Immediate Disclosure === SUMMARY Title: Apache 2.0 vulnerability affects non-Unix platforms Date: 9th August 2002 Version: 1 Product Name: Apache web server 2.0 OS/Platform: Windows, OS2, Netware

Re: cvs commit: httpd-site/xdocs/info security_bulletin_20020809a.txt

2002-08-09 Thread Mark J Cox
Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt Hmmm, actually it really ought to be 20020809a.txt like the files I committed, the text that went out was wrong due to too many us-uk conversions ;). A cunning redirect rule in the server config would fix it so

Re: cvs commit: httpd-site/xdocs/info security_bulletin_20020809a.txt

2002-08-09 Thread Mark J Cox
On Fri, 9 Aug 2002, Joshua Slive wrote: [EMAIL PROTECTED] wrote: Revision Changes Path 1.1 httpd-site/docs/info/security_bulletin_20020809a.txt Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt I put in a symlink for now

Re: [PATCH] adding xml output to mod_status -- [REPOST]

2001-10-03 Thread Mark J Cox
- on Linux and NetWare I only get the data unformatted back, looks as there are problems with the scoreboard.xsl or so. Any ideas what's Yeah, Mozilla isn't very stable at doing the rendering. Most of the problems you mention are due to the XSLT being done inside the browser. I'm not real

Re: Apache 1.3.21 tag this evening....

2001-10-03 Thread Mark J Cox
I've written an Announcement file for 1.3.21 and will commit within the hour (just got back from dentist) Mark