Re: httpd 1.3 / 2.0 / 2.2 tags this weekend?

2007-05-30 Thread Paul Querna
William A. Rowe, Jr. wrote:
 I'd like to see new tarballs rolled soonish, given the single significant
 bug that was disclosed earlier today.
 
 Obviously most mass-vhosters are capable of compiling their own binary,
 so providing the separate-pid-table patch (whoever gets around to writing
 one) resolves any immediate urgency.

I don't believe it's a critical security issue -- if you can run code on
the server, as the server process, we can't defend against it.  This
seems to me like a battle line firmly in the scripting languages land.

Anyways, until we have a patch that we can consider, I'm in no hurry.

On APR{,-Util}: Likely a good idea anyways.

-Paul



Re: httpd 1.3 / 2.0 / 2.2 tags this weekend?

2007-05-30 Thread Jim Jagielski


On May 30, 2007, at 1:56 AM, William A. Rowe, Jr. wrote:

 I'd like to see new tarballs rolled soonish, given the single significant
 bug that was disclosed earlier today.

 Obviously most mass-vhosters are capable of compiling their own binary,
 so providing the separate-pid-table patch (whoever gets around to writing
 one) resolves any immediate urgency.

 But people get skittish when they see httpd anywhere near vulnerability,
 so I'll roll apr 0.9/1.2 in 36 hours which means midday Sunday it's likely
 to be released and ready to drop into 2.0 / 2.2.

 1.3 could be rolled/released whenever it's been patched, but I'd personally
 rather see *one* announcement, again, like we did about a year back, so we
 don't have silly people scrambling to install 1.3 in place of 2.2 :)

 I volunteer to roll 1.3 when it's ready, since Sander offered to roll 2.2
 (and perhaps 2.0?)



Sounds good. I can likely take a look at adding
the parent has local pid table and verifies
scoreboard with it patch to 1.3 maybe over the
weekend (the 2.0 and 2.2 will likely follow
the same concept), unless someone beats me to it :)
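
The "parent has local pid table and verifies scoreboard with it" idea mentioned above, sketched as an added example that is not part of the thread and is not the httpd patch itself. It assumes the scoreboard is memory that child processes can write; the struct layouts, `MAX_CHILDREN` and all function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_CHILDREN 4                 /* constructed limit for this example */

/* Stand-in for the shared scoreboard: every child can write to it. */
struct scoreboard { pid_t pid[MAX_CHILDREN]; };

/* Parent-private copy, kept in ordinary (unshared) parent memory. */
struct pid_table { pid_t pid[MAX_CHILDREN]; };

/* Parent records the pid fork() returned, in both places. */
void record_child(struct pid_table *t, struct scoreboard *sb, int slot, pid_t pid)
{
    t->pid[slot] = pid;
    sb->pid[slot] = pid;
}

/* Return the slot's pid only if the scoreboard agrees with the private
 * table; 0 means "do not signal". */
pid_t verified_pid(const struct pid_table *t, const struct scoreboard *sb, int slot)
{
    if (slot < 0 || slot >= MAX_CHILDREN)
        return 0;
    pid_t claimed = sb->pid[slot];
    if (claimed <= 1)                  /* 0, -1 and negatives address groups; 1 is init */
        return 0;
    return claimed == t->pid[slot] ? claimed : 0;
}

/* Signal a child only after verification; -1 if the entry is untrusted. */
int signal_child(const struct pid_table *t, const struct scoreboard *sb, int slot, int sig)
{
    pid_t pid = verified_pid(t, sb, slot);
    return pid ? kill(pid, sig) : -1;
}

int main(void)
{
    struct pid_table t = {{0}};
    struct scoreboard sb = {{0}};
    record_child(&t, &sb, 0, getpid());   /* own pid as a harmless stand-in child */
    printf("intact entry:   %d\n", signal_child(&t, &sb, 0, 0));
    sb.pid[0] = 1;                        /* constructed change to the shared slot */
    printf("tampered entry: %d\n", signal_child(&t, &sb, 0, 0));
    return 0;
}
```

The private table has to be cleared when the parent reaps a child, otherwise a recycled pid could match a stale entry.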



Re: httpd 1.3 / 2.0 / 2.2 tags this weekend?

2007-05-30 Thread Sander Temme


On May 29, 2007, at 10:56 PM, William A. Rowe, Jr. wrote:

 I volunteer to roll 1.3 when it's ready, since Sander offered to roll 2.2
 (and perhaps 2.0?)


I'll be happy to RM both.

S.

--
[EMAIL PROTECTED]  http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF



Re: httpd 1.3 / 2.0 / 2.2 tags this weekend?

2007-05-30 Thread Nick Kew
On Wed, 30 May 2007 11:31:02 +0200
Ruediger Pluem [EMAIL PROTECTED] wrote:


 Given the fact that we wanted to do this about 4 weeks ago anyway +1
 on rolling. But we should wait for a separate-pid-table patch,
 because releasing now with the security statement out and no patch
 for at least the one that we regard as somewhat sensitive seems to
 have the potential of confusing people even more than not releasing.
 (They release a new version without a fix for this security hole.
 WTF?).

+1 to that.  We can't entirely ignore the wagging of tongues.

We also have remaining bugfixes that *should* go in.
PR#39710 is simple enough to review, and another release without
fixing that would be a huge WTF???  I'm also part way through
reviewing Chris's mod_dbd rewrite.  It's clearly an improvement on
what we have, but getting three +1s by the weekend seems optimistic.

-- 
Nick Kew

Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/


Re: httpd 1.3 / 2.0 / 2.2 tags this weekend?

2007-05-30 Thread Jim Jagielski


On May 30, 2007, at 2:41 PM, Sander Temme wrote:



 On May 29, 2007, at 10:56 PM, William A. Rowe, Jr. wrote:

  I volunteer to roll 1.3 when it's ready, since Sander offered to roll 2.2
  (and perhaps 2.0?)

 I'll be happy to RM both.



I'd like to, but my time will be sporadic enough the next
few days as to make it unwise to depend on me to
do this :)



Re: httpd 1.3 / 2.0 / 2.2 tags this weekend?

2007-05-30 Thread Ruediger Pluem


On 05/30/2007 09:37 PM, Nick Kew wrote:

 
 We also have remaining bugfixes that *should* go in.
 PR#39710 is simple enough to review, and another release without

Good reminder. I just cast my vote for the backport. So let's hope
that we get the missing +1.

 fixing that would be a huge WTF???  I'm also part way through
 reviewing Chris's mod_dbd rewrite.  It's clearly an improvement on
 what we have, but getting three +1s by the weekend seems optimistic.
 

Yes, that would be very optimistic. IMHO his patches deserve more attention,
but I am currently too short on time and not so familiar with the mod_dbd
code that I can do this. But as there are several proposals from Chris, you
and Chris may be able to advise which of them are most important / easiest to
review. So maybe some lower hanging fruits :-).


Regards

Rüdiger




httpd 1.3 / 2.0 / 2.2 tags this weekend?

2007-05-29 Thread William A. Rowe, Jr.
I'd like to see new tarballs rolled soonish, given the single significant
bug that was disclosed earlier today.

Obviously most mass-vhosters are capable of compiling their own binary,
so providing the separate-pid-table patch (whoever gets around to writing
one) resolves any immediate urgency.

But people get skittish when they see httpd anywhere near vulnerability,
so I'll roll apr 0.9/1.2 in 36 hours which means midday Sunday it's likely
to be released and ready to drop into 2.0 / 2.2.

1.3 could be rolled/released whenever it's been patched, but I'd personally
rather see *one* announcement, again, like we did about a year back, so we
don't have silly people scrambling to install 1.3 in place of 2.2 :)

I volunteer to roll 1.3 when it's ready, since Sander offered to roll 2.2
(and perhaps 2.0?)

Bill