On Mon, Nov 16, 2009 at 7:40 AM, Bill Weir <william.w...@sun.com> wrote:
> Hi Jeff,
>
> Thanks for your replies. I notice you didn't respond to the question about
> when apr-1.3.10 might hit the streets? :-)

There's certainly no formal plan, and I don't recall anyone discussing it.

> My only reservation about your suggested fixes is that the Apache I'm
> building is not destined just for in-house use, but is going to be bundled
> with another product. If I do some patching as you suggest, it's not clear
> to me how a prospective user will know that I have done that. If they look
> at the Apache config they will see that it is apache-2.2.14 with apr-1.3.9,
> but they won't know that it's apr-1.3.9 with additional fixes - so they
> might be excused for assuming it will have the problems that apr-1.3.9 is
> known to have. That's why my preferred solution is to use apr-1.3.10 when I
> have the option to do that.

Disabling the use of Event Ports via the environment variable is a valid configuration option. (In general I don't see how discussions with customers regarding applicability of fixes or vulnerabilities can be avoided. Good luck with that ;) )