Aaron Bannert wrote:
Let's take a typical scenario:
- Acme software releases mod_acme 2.0 to work with Apache 2.0
- They distribute a binary version of this module to work specifically
with 2.0.39 (the only version out that isn't susceptible to the
chunked-encoding vulnerability).
- Apache 2.0.40 is released, includes the new binary usec impl.
- Acme customers upgrade their servers to 2.0.40
- Acme customers experience all sorts of weird timing issues, "hung
connections" (which are really just timeouts that were translated
to busec's), etc...
I agree that this is a scenario that we need to avoid breaking. But changing the type name won't solve the problem: the run-time linker won't know the difference, since it doesn't know the types of fields inside structs or of function args. I think the way to fix the binary problem is to just increase the MMN major number.
--Brian
