Re: VUDDY: unpatched CVEs in apache httpd

2017-05-24 Thread Eric Covener
On Wed, May 24, 2017 at 1:16 PM, Reindl Harald wrote: > for user/admin/vendor it's nothing different than any of the other hundreds > to thousands of packages on their system "yum/dnf upgrade, apt-get > upgrade.." and now they *really* are up-to-date That's already how it

Re: VUDDY: unpatched CVEs in apache httpd

2017-05-24 Thread Reindl Harald
On 24.05.2017 at 19:12 Eric Covener wrote: On Wed, May 24, 2017 at 1:05 PM, Reindl Harald wrote: then also the source should not be bundled and instead a requirement to have it installed for build Already covered ITT: "apr-util 1.6.0 will ship without an embedded

Re: VUDDY: unpatched CVEs in apache httpd

2017-05-24 Thread Eric Covener
On Wed, May 24, 2017 at 1:05 PM, Reindl Harald wrote: > then also the source should not be bundled and instead a requirement to > have it installed for build Already covered ITT: "apr-util 1.6.0 will ship without an embedded copy of the expat software." -- Eric Covener

Re: VUDDY: unpatched CVEs in apache httpd

2017-05-24 Thread Reindl Harald
On 24.05.2017 at 17:46 Eric Covener wrote: On Wed, May 24, 2017 at 11:44 AM, Reindl Harald wrote: and why does it need to be an embedded copy? It's not required to be embedded then also the source should not be bundled and instead a requirement to have it

Re: The drive for 2.4.26

2017-05-24 Thread Luca Toscano
2017-05-22 16:35 GMT+02:00 Jim Jagielski : > I think we are *really* close! What say we try for a T > sometime this week? > > Who wants to RM? If no one does, I will. > One last thing! :) I am wondering if we could think about reviewing/backporting to 2.4.x the code that Yann

Re: VUDDY: unpatched CVEs in apache httpd

2017-05-24 Thread Eric Covener
On Wed, May 24, 2017 at 11:44 AM, Reindl Harald wrote: > and why does it need to be an embedded copy? It's not required to be embedded

Re: VUDDY: unpatched CVEs in apache httpd

2017-05-24 Thread Reindl Harald
On 24.05.2017 at 17:02 William A Rowe Jr wrote: apr-util 1.6.0 will ship without an embedded copy of the expat software. Obtaining expat and keeping it refreshed and up to date with respect to security patches will become an exercise for the user/admin/vendor. This is scheduled for "RSN" -

Re: VUDDY: unpatched CVEs in apache httpd

2017-05-24 Thread William A Rowe Jr
apr-util 1.6.0 will ship without an embedded copy of the expat software. Obtaining expat and keeping it refreshed and up to date with respect to security patches will become an exercise for the user/admin/vendor. This is scheduled for "RSN" - real soon now. Bill On Wed, May 24, 2017 at 1:43

Re: mod_substitute debugging

2017-05-24 Thread Ruediger Pluem
On 05/24/2017 03:56 PM, Nick Gearls wrote: > I added some debugging features in mod_substitute, damned useful when trying > to troubleshoot things. > I'll propose a patch but I'd like your advice about when to log debug info: > > I added the following info: > 1. line to be parsed, type or

mod_substitute debugging

2017-05-24 Thread Nick Gearls
I added some debugging features in mod_substitute, damned useful when trying to troubleshoot things. I'll propose a patch but I'd like your advice about when to log debug info: I added the following info: 1. line to be parsed, type or search (regex/string), replace string 2. in case of

Re: is the mod_authz_host's parsed_subnets cache htaccess-safe?

2017-05-24 Thread Eric Covener
On Wed, May 24, 2017 at 8:37 AM, Eric Covener wrote: > I was copy/pasting bits of this from mod_authz_host into a derivative > of mod_limit_ipconn and noticed that the parsed_subnets cache seems > unsafe if we are parsing directives in multiple threads from htaccess. > >

is the mod_authz_host's parsed_subnets cache htaccess-safe?

2017-05-24 Thread Eric Covener
I was copy/pasting bits of this from mod_authz_host into a derivative of mod_limit_ipconn and noticed that the parsed_subnets cache seems unsafe if we are parsing directives in multiple threads from htaccess. parsed_subnets is an apr_hash_t that we write to when parsing 'Require ip ..'. It seems

VUDDY: unpatched CVEs in apache httpd

2017-05-24 Thread Stefan Priebe - Profihost AG
Hello list, while reading "http://www.ieee-security.org/TC/SP2017/papers/71.pdf" they claim to have found unpatched security holes in apache httpd. While reading further it seems that the only missing piece is the unpatched xmlparse from expat. While searching on our build server it turns out to