RE: Question on ap_method_* functions

2014-07-15 Thread Plüm, Rüdiger, Vodafone Group
-Original Message- From: Christophe JAILLET [mailto:christophe.jail...@wanadoo.fr] Sent: Monday, 14 July 2014 22:55 To: dev@httpd.apache.org Subject: Question on ap_method_* functions Hi, I was about to submit a patch in order to remove the 'register' keyword in a variable

Re: FYI: Looking for a release of 2.4.x soonish

2014-07-15 Thread Jim Jagielski
I will be tagging and rolling today, right around noon eastern.

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Joe Orton
On Tue, Jul 15, 2014 at 12:27:00PM -, jor...@apache.org wrote: Author: jorton Date: Tue Jul 15 12:27:00 2014 New Revision: 1610674 URL: http://svn.apache.org/r1610674 Log: SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a reverse proxy configuration, a remote attacker could

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Yann Ylavic
On Tue, Jul 15, 2014 at 2:38 PM, Joe Orton jor...@redhat.com wrote: If somebody wants to propose a backport of r1610674 for 2.4.x please jump to it ASAP! Attached is a 2.4.x version of r1610674 that should work. r1588527 copies headers_in sooner in the function but ap_proxy_clear_connection()

RE: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Plüm, Rüdiger, Vodafone Group
Isn't x.is_req = (headers == r->headers_in); in ap_proxy_clear_connection an issue, when only called with the copy of r->headers_in? Regards Rüdiger -Original Message- From: Yann Ylavic Sent: Tuesday, 15 July 2014 15:00 To: httpd Subject: Re: svn commit: r1610674 - in

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Yann Ylavic
On Tue, Jul 15, 2014 at 3:07 PM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: Isn't x.is_req = (headers == r->headers_in); in ap_proxy_clear_connection an issue, when only called with the copy of r->headers_in? Hm, you are right. Here is a v2 which introduces

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Joe Orton
On Tue, Jul 15, 2014 at 03:14:56PM +0200, Yann Ylavic wrote: On Tue, Jul 15, 2014 at 3:07 PM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: Isn't x.is_req = (headers == r->headers_in); in ap_proxy_clear_connection an issue, when only called with the copy of

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Jim Jagielski
I am +1 on folding in the simpler patch that fixes the immediate problem and holding off on anything more complicated for the next release On Jul 15, 2014, at 8:38 AM, Joe Orton jor...@redhat.com wrote: On Tue, Jul 15, 2014 at 12:27:00PM -, jor...@apache.org wrote: Author: jorton

Re: stop copying footers to r->headers_in?

2014-07-15 Thread Eric Covener
Candidate patch uses %I and %O but they are used by mod_logio. It is hard to find two good unused characters. What do people think about allowing two-character log formats? I think patch below only breaks someone who had a %XX where XX is a registered two digit tag and they expect the 1 char +

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Jim Jagielski
I am very hesitant about adding this with so little review time... I would like to propose that we simply release 2.4.10 with the simple, trivial crash-fixer and allow us to spend more time on the below, in order to ensure it's solid. I'm -0.99 (for 2.4.x) :) On Jul 15, 2014, at 9:18 AM, Joe

Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Joe Orton
On Tue, Jul 15, 2014 at 09:25:20AM -0400, Jim Jagielski wrote: I am very hesitant about adding this with so little review time... I would like to propose that we simply release 2.4.10 with the simple, trivial crash-fixer and allow us to spend more time on the below, in order to ensure it's

Re: stop copying footers to r->headers_in?

2014-07-15 Thread Eric Covener
something odd in proxy path when backend has #0 0x7f16f51b92e1 in apr_table_clear (t=0x0) at tables/apr_tables.c:467 467 t->a.nelts = 0; (gdb) where #0 0x7f16f51b92e1 in apr_table_clear (t=0x0) at tables/apr_tables.c:467 #1 0x00483bfc in read_chunked_trailers

RE: stop copying footers to r->headers_in?

2014-07-15 Thread Plüm, Rüdiger, Vodafone Group
Can you try if the following patch on top fixes this: Index: mod_proxy_http.c === --- mod_proxy_http.c(revision 1610607) +++ mod_proxy_http.c(working copy) @@ -1003,9 +1003,11 @@ rp-status = HTTP_OK;

Re: stop copying footers to r->headers_in?

2014-07-15 Thread Eric Covener
Yes, thanks! The patch I started with had out but not in initialized there On Tue, Jul 15, 2014 at 10:20 AM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: Can you try if the following patch on top fixes this: Index: mod_proxy_http.c

RE: stop copying footers to r->headers_in?

2014-07-15 Thread Plüm, Rüdiger, Vodafone Group
-Original Message- From: Eric Covener [mailto:cove...@gmail.com] Sent: Tuesday, 15 July 2014 15:25 To: Apache HTTP Server Development List Subject: Re: stop copying footers to r->headers_in? Candidate patch uses %I and %O but they are used by mod_logio. It is hard to find two

Re: stop copying footers to r->headers_in?

2014-07-15 Thread Jim Jagielski
On Jul 15, 2014, at 10:38 AM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: -Original Message- From: Eric Covener [mailto:cove...@gmail.com] Sent: Tuesday, 15 July 2014 15:25 To: Apache HTTP Server Development List Subject: Re: stop copying footers to

Re: stop copying footers to r->headers_in?

2014-07-15 Thread Eric Covener
On Tue, Jul 15, 2014 at 10:38 AM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: Is there a way for people with such a setup to fix this with a different config? From the top of my head I would say no and that would be a blocker. Do you think the required '^' prefix in the

RE: stop copying footers to r->headers_in?

2014-07-15 Thread Plüm, Rüdiger, Vodafone Group
-Original Message- From: Eric Covener [mailto:cove...@gmail.com] Sent: Tuesday, 15 July 2014 16:52 To: Apache HTTP Server Development List Subject: Re: stop copying footers to r->headers_in? On Tue, Jul 15, 2014 at 10:38 AM, Plüm, Rüdiger, Vodafone Group

Re: stop copying footers to r->headers_in?

2014-07-15 Thread Eric Covener
On Tue, Jul 15, 2014 at 10:56 AM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: -Original Message- From: Eric Covener [mailto:cove...@gmail.com] Sent: Tuesday, 15 July 2014 16:52 To: Apache HTTP Server Development List Subject: Re: stop copying footers to

RE: stop copying footers to r->headers_in?

2014-07-15 Thread Plüm, Rüdiger, Vodafone Group
-Original Message- From: Eric Covener [mailto:cove...@gmail.com] Sent: Tuesday, 15 July 2014 17:02 To: Apache HTTP Server Development List Subject: Re: stop copying footers to r->headers_in? On Tue, Jul 15, 2014 at 10:56 AM, Plüm, Rüdiger, Vodafone Group

Re: stop copying footers to r->headers_in?

2014-07-15 Thread Eric Covener
On Tue, Jul 15, 2014 at 11:07 AM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: This should work. But don't you need to register then ^Ti instead of Ti? yeah, it needs to be registered and used in httpd.conf w/ the ^ -- Eric Covener cove...@gmail.com

RE: stop copying footers to r->headers_in?

2014-07-15 Thread Houser, Rick
That would be at least half my fault for responding off-list... Here it is: Thanks -- I went with ^ Shouldn't have much worry about responding to dev@ On Tue, Jul 15, 2014 at 9:42 AM, Houser, Rick rick.hou...@us.pgds.com wrote: New to this list, so responding

VOTE PLEASE! Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Joe Orton
On Tue, Jul 15, 2014 at 02:41:44PM +0100, Joe Orton wrote: I've stuck it in STATUS. Any other opinions? Come on... one more for this, either way? * mod_proxy Connection handling crasher, CVE-2014-0117 trunk patch: http://svn.apache.org/r1610674 ALTERNATIVE #1 2.4.x patch:

Re: VOTE PLEASE! Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Jeff Trawick
On Tue, Jul 15, 2014 at 11:59 AM, Joe Orton jor...@redhat.com wrote: On Tue, Jul 15, 2014 at 02:41:44PM +0100, Joe Orton wrote: I've stuck it in STATUS. Any other opinions? Come on... one more for this, either way? * mod_proxy Connection handling crasher, CVE-2014-0117 trunk patch:

Re: VOTE PLEASE! Re: svn commit: r1610674 - in /httpd/httpd/trunk: include/ap_mmn.h include/httpd.h modules/proxy/mod_proxy_http.c modules/proxy/proxy_util.c server/util.c

2014-07-15 Thread Jeff Trawick
On Tue, Jul 15, 2014 at 11:59 AM, Joe Orton jor...@redhat.com wrote: On Tue, Jul 15, 2014 at 02:41:44PM +0100, Joe Orton wrote: I've stuck it in STATUS. Any other opinions? Come on... one more for this, either way? * mod_proxy Connection handling crasher, CVE-2014-0117 trunk patch:

[VOTE] Release Apache httpd 2.4.10 as GA

2014-07-15 Thread Jim Jagielski
The pre-release test tarballs for Apache httpd 2.4.10 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.10 GA. [ ] +1: Good to go [ ] +0: meh [ ] -1: Danger Will Robinson. And why. Vote will last the normal 72

Time for httpd 2.2.28??

2014-07-15 Thread Jim Jagielski
If so, I can RM.

Re: [VOTE] Release Apache httpd 2.4.10 as GA

2014-07-15 Thread Jim Jagielski
Testing Linux and OSX 1st (all using Event MPM): So far, +1 on all the below: CentOS 7 Linux centos7.localdomain 3.10.0-123.4.2.el7.x86_64 #1 SMP Mon Jun 30 16:09:14 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux OSX 10.9.4 / Xcode 5.1.1 Darwin jimsys 13.3.0 Darwin Kernel Version 13.3.0:

Re: svn commit: r1610814 - in /httpd/httpd/trunk: ./ docs/manual/mod/ include/ modules/http/ modules/loggers/ modules/proxy/ server/

2014-07-15 Thread Ruediger Pluem
cove...@apache.org wrote: Author: covener Date: Tue Jul 15 19:11:02 2014 New Revision: 1610814 URL: http://svn.apache.org/r1610814 Log: *) SECURITY: CVE-2013-5704 (cve.mitre.org) core: HTTP trailers could be used to replace HTTP headers late during request processing,

Re: svn commit: r1610814 - in /httpd/httpd/trunk: ./ docs/manual/mod/ include/ modules/http/ modules/loggers/ modules/proxy/ server/

2014-07-15 Thread Eric Covener
On Tue, Jul 15, 2014 at 3:44 PM, Ruediger Pluem rpl...@apache.org wrote: # testing : trailer (pid) # expected: '25829' # received: 'No chunked trailer available!' not ok 3 thanks, r1610833: #ifdef APACHE1 trailer_header = ap_table_get(r-headers_in, X-Chunk-Trailer); +#elif

Re: Question on ap_method_* functions

2014-07-15 Thread Christophe JAILLET
On 15/07/2014 10:15, Plüm, Rüdiger, Vodafone Group wrote: - in 'ap_method_list_remove()', l->method_mask |= ~(AP_METHOD_BIT << methnum); Doesn't this need to be l->method_mask &= ~(AP_METHOD_BIT << methnum); in order to remove it? Otherwise I set all methods but methnum.

Re: stop copying footers to r->headers_in?

2014-07-15 Thread Tim Bannister
On 15 Jul 2014, at 15:38, Rüdiger Plüm ruediger.pl...@vodafone.com wrote: -Original Message- From: Eric Covener [mailto:cove...@gmail.com] Sent: Tuesday, 15 July 2014 15:25 To: Apache HTTP Server Development List Subject: Re: stop copying footers to r->headers_in? What do people

Re: Time for httpd 2.2.28??

2014-07-15 Thread William A. Rowe Jr.
If you have the similar tool chain revs as .27, terrific! Otherwise, I'll tag in the a.m. +1 from me, of course. Jim Jagielski j...@jagunet.com wrote: If so, I can RM.