Re: svn commit: r1809192 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

2017-09-21 Thread William A Rowe Jr
What more would we want to say here? Mention that the Allow: header may respond with corrupted output? It seems other side effects can be present, which is why I kept this simple. On Thu, Sep 21, 2017 at 1:33 PM, wrote: > Author: wrowe > Date: Thu Sep 21 18:33:47 2017 > New

Re: configure option --enable-option-checking warns about things it does know (httpd-2.2.X)

2017-09-21 Thread William A Rowe Jr
Thanks for the report Michael. The 2.2.x series is now retired and end-of-life. The warnings are no-ops... they are inherited to child ./configure bits so the basic httpd-2.x/configure may holler about options only applicable to the bundled packages, and the bundled packages may holler about

Re: Time for 2.4.28 ?

2017-09-21 Thread Jim Jagielski
Looks like we need 1 more vote on it for it to be folded in on time for 2.4.28. > On Sep 19, 2017, at 1:48 PM, Jim Jagielski wrote: > > There have been no issues w/ that on trunk... will > fold into 2.4 and do some stress testing over the next > 2 days. > >> On Sep 19, 2017,

Re: SSLSrvConfigRec shared

2017-09-21 Thread Yann Ylavic
On Thu, Sep 21, 2017 at 2:51 PM, Eric Covener wrote: > On Thu, Sep 21, 2017 at 8:44 AM, Yann Ylavic wrote: >> On Thu, Sep 21, 2017 at 2:11 PM, Eric Covener wrote: >>> >>> IIUC it should be safe to extend module_struct with a minor bump

Re: SSLSrvConfigRec shared

2017-09-21 Thread Eric Covener
On Thu, Sep 21, 2017 at 8:44 AM, Yann Ylavic wrote: > On Thu, Sep 21, 2017 at 2:11 PM, Eric Covener wrote: >> >> IIUC it should be safe to extend module_struct with a minor bump to >> add 'int flags' to the bottom, but when you check the value you'd need

Re: SSLSrvConfigRec shared

2017-09-21 Thread Yann Ylavic
On Thu, Sep 21, 2017 at 2:11 PM, Eric Covener wrote: > > IIUC it should be safe to extend module_struct with a minor bump to > add 'int flags' to the bottom, but when you check the value you'd need > to check the MMN first. In the module you'd then just have some flags > or'ed

Re: SSLSrvConfigRec shared

2017-09-21 Thread Eric Covener
On Thu, Sep 21, 2017 at 7:42 AM, Stefan Eissing wrote: > >> On 21.09.2017 at 13:35, Eric Covener wrote: >> >> On Thu, Sep 21, 2017 at 7:00 AM, Yann Ylavic wrote: >>> On Thu, Sep 21, 2017 at 11:48 AM, Stefan Eissing >>>

configure option --enable-option-checking warns about things it does know (httpd-2.2.X)

2017-09-21 Thread Michael
Just thought I would mention option-checking in httpd-2.2.X is borked. Fortunately, it just warns :) A small subset of the warnings: configure: WARNING: unrecognized options: --with-z, --enable-layout, --with-apr, --with-apr-util, --with-mpm, --enable-ssl, --enable-proxy,

Re: SSLSrvConfigRec shared

2017-09-21 Thread Stefan Eissing
> On 21.09.2017 at 13:35, Eric Covener wrote: > > On Thu, Sep 21, 2017 at 7:00 AM, Yann Ylavic wrote: >> On Thu, Sep 21, 2017 at 11:48 AM, Stefan Eissing >> wrote: >>> On 21.09.2017 at 11:37, Yann Ylavic

Re: SSLSrvConfigRec shared

2017-09-21 Thread Eric Covener
On Thu, Sep 21, 2017 at 7:00 AM, Yann Ylavic wrote: > On Thu, Sep 21, 2017 at 11:48 AM, Stefan Eissing > wrote: >> >>> On 21.09.2017 at 11:37, Yann Ylavic wrote: >>> >>> If the module defines its own

Re: SSLSrvConfigRec shared

2017-09-21 Thread Yann Ylavic
On Thu, Sep 21, 2017 at 11:48 AM, Stefan Eissing wrote: > >> On 21.09.2017 at 11:37, Yann Ylavic wrote: >> >> If the module defines its own server_config_create() which allocates >> one, each vhost will have its own, and the module's >>

Re: SSLSrvConfigRec shared

2017-09-21 Thread Stefan Eissing
> On 21.09.2017 at 11:37, Yann Ylavic wrote: > > Hi Stefan, > > On Wed, Sep 20, 2017 at 2:06 PM, Stefan Eissing > wrote: >> >>> On 20.09.2017 at 12:33, Yann Ylavic wrote: >>> >>> On Wed, Sep 20, 2017 at 12:09 PM,

Re: SSLSrvConfigRec shared

2017-09-21 Thread Yann Ylavic
Hi Stefan, On Wed, Sep 20, 2017 at 2:06 PM, Stefan Eissing wrote: > >> On 20.09.2017 at 12:33, Yann Ylavic wrote: >> >> On Wed, Sep 20, 2017 at 12:09 PM, Stefan Eissing >> wrote: >>> >>> Is there some better

Re: Understanding OptionsBleed

2017-09-21 Thread Yann Ylavic
On Thu, Sep 21, 2017 at 10:54 AM, Yann Ylavic wrote: > On Wed, Sep 20, 2017 at 6:36 PM, William A Rowe Jr > wrote: >> >> Provided AllowOverride is None, and AllowOverrideList does not include >> "

Re: Understanding OptionsBleed

2017-09-21 Thread Yann Ylavic
On Wed, Sep 20, 2017 at 6:36 PM, William A Rowe Jr wrote: > > Provided AllowOverride is None, and AllowOverrideList does not include > " this theory;

Re: Understanding OptionsBleed

2017-09-21 Thread Yann Ylavic
Hi Bill, nice summary, totally agreed. Thanks! On Wed, Sep 20, 2017 at 6:36 PM, William A Rowe Jr wrote: > So as most people have correctly identified, this defect has existed > for an incredibly long time. > > But how it is triggered and avoided would help us to