On Wed, Jun 26, 2013 at 11:42 AM, William A. Rowe Jr. <[email protected]> wrote:
> Jeff (specifically),
>
> could you please clear up any concerns on the SECURITY: CVE-2011-4317
> STATUS item from the 2.0 branch?
>
> If someone would quickly review the mod_rewrite escape-args fix, I
> believe we are ready for the final 2.0.65 tag, which I would like to
> accomplish today. I would like this final release and retirement to
> occur before July, which means tagging today, concluding a vote Sat
> so the mirrors catch up Sun.
>
> If we have another vote supporting only the -SSLv2 / default ciphers
> bits from rjung's proposed patch to httpd.conf.in - then I'm also happy
> to kill SSLv2 from the default config of this final tarball. I've gone
> ahead and created a patch of that small subset for consideration in
> http://people.apache.org/~wrowe/2.0-ssl-noV2.patch
>
> Prior to tagging, I intend to modify STATUS as follows;
>
> APACHE 2.0 STATUS: > -*-text-*- Last modified at [$Date$] > > -The current version of this file can be found at: > > - * http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/STATUS > - > -Documentation status is maintained seperately and can be found at: > - > - * docs/STATUS in this source tree, or > - * > http://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x/docs/STATUS - > -Consult the following STATUS files for information on related projects: > - > - * http://svn.apache.org/repos/asf/apr/apr/branches/0.9.x/STATUS > - * http://svn.apache.org/repos/asf/apr/apr-util/branches/0.9.x/STATUS > - > -Consult the trunk/ for all new development and documentation efforts: > - > - * http://svn.apache.org/repos/asf/httpd/httpd/trunk/STATUS > - * http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/STATUS > - > - > Release history: > > - 2.0.65 : In maintainance. > + 2.0.65 : Tagged and Retired June ##, 2013. > 2.0.64 : Released October 19, 2010. > 2.0.63 : Released January 19, 2008. > 2.0.62 : Tagged January 4, 2008. Not released. 
> > > -Contributors looking for a mission: > - > - * Just do an egrep on "TODO" or "XXX" in the source. > - > - * Review the bug database at: http://issues.apache.org/bugzilla/ > - > - * Review the "PatchAvailable" bugs in the bug database: > - > - > > http://issues.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&product=Apache+httpd-2.0&keywords=PatchAvailable > - > - After testing, you can append a comment saying "Reviewed and > tested". - > - * Open bugs in the bug database. > - > - > CURRENT RELEASE NOTES: > > - * Forward binary compatibility is expected of Apache 2.0.x releases, > such > - that no MMN major number changes will occur. Such changes can > only be > - made in the trunk. > - > - * All commits to branches/2.0.x must be reflected in SVN trunk, > - as well, if they apply. Logical progression is commit to trunk, > - get feedback and votes on list or in STATUS, then merge into > - branches/2.2.x, and finally merge into branches/2.0.x, as > applicable. > + > + ** THIS BRANCH IS CLOSED TO DEVELOPMENT AND MAINTENANCE ** > + * Refer to the development trunk and maintained/stable branches for > current > + activity; > + http://svn.apache.org/repos/asf/httpd/httpd/trunk/STATUS > > > -RELEASE SHOWSTOPPERS: > - > - > -PATCHES ACCEPTED TO BACKPORT FROM TRUNK: > - [ start all new proposals below, under PATCHES PROPOSED. ] > - > - > -PATCHES PROPOSED TO BACKPORT FROM TRUNK: > - [ please place SVN revisions from trunk here, so it is easy to > - identify exactly what the proposed changes are! Add all new > - proposals to the end of this list. ] > - > -PATCHES TO BACKPORT THAT ARE ON HOLD OR NOT GOING ANYWHERE SOON: > - > +UNADDRESSED ISSUES: >

+1 all around

Did anyone else have a chance to think about wrowe's suggested addendum to the CHANGES entry for CVE-2011-3607?

--
Born in Roswell... married an alien...
http://emptyhammock.com/
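
Review bot: in the quoted STATUS diff, the added Release history line `2.0.65 : Tagged and Retired June ##, 2013.` still carries a `##` placeholder for the day, so the real date should be filled in by the same commit that tags; otherwise the final tarball of a retired branch ships it and nothing will follow to correct it. In the added CURRENT RELEASE NOTES block, the closed-branch notice says to refer to "the development trunk and maintained/stable branches" but links only trunk/STATUS; since the pointers to other STATUS files are removed at the top of the file, consider naming the maintained branch's STATUS here so a reader of the retired file can find where security fixes continue. The new `UNADDRESSED ISSUES:` heading has no entries in the quoted lines; if the SECURITY: CVE-2011-4317 item raised in the same message is not resolved before tagging, this is where it should be recorded.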
