On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton <jor...@redhat.com> wrote:
> Either way, the fix for CVE-2013-5704 ends up breaking backwards
> compatibility with existing 2.4.x builds of mod_wsgi, which is kind of
> Bad. I don't have a good proposal for how to fix or avoid this. Worst
> case, we make clear the mod_wsgi case is API/ABI abuse and warn binary
> distributors they have to handle this by rebuilding.

Is there anything we can do in 2.4.11 for packagers who haven't picked this up yet since we're already picking up a problematic extension of the struct? What if we stashed away the MMN after these fields, and validated it? Or just a request_rec version? That way we'd be able to read past the end and blow up intentionally w/ a message, but wouldn't be writing past the end and blowing up much confusingly.

I think a big factor in whether we do something is how many modules might have already been corrected for it. I am thinking not many if we haven't heard about it yet (other than mod_ftpd). Part of that question is probably "who else has figured out how to cope