I don’t see why verbiage similar to “Fixed in Apache httpd-2.4.44 (not 
released to the public)” couldn’t be used: this is, after all, a true statement.

While it should be common understanding that newer code versions carry 
improvements and fixes from previous ones, maybe this should be clarified in 
the initial paragraphs of the vulnerabilities page.

Last but not least, this also resolves thoughts of “where is 2.4.44, I cannot 
find it” (although only if one browses to the vulnerabilities page).

What I am not sure of, however, is how much this affects the existing automation 
workflow.

Alex

> On Aug 8, 2020, at 08:27, Daniel Ruggeri <dan...@bitnebula.com> wrote:
> 
> Hi, Bill;
>   I wondered about this myself. I agree that we allow for ambiguity
> when we say an issue is fixed in 2.4.44 and 2.4.45 (which weren't
> released). Perhaps we should just bump the 'fixed' version up to the
> released version... but then we should also add to the 'affected'
> versions the version numbers we burned during QA. That's odd, too,
> because we didn't release those versions so they aren't really 'affected'.
> 
>   I could go either way... the vulnerability reporting is enough "after
> work" for a release that makes it a prime candidate for processing it
> with announce.sh, so I'm happy to encode whatever we consider the best
> way forward into that script.
> 
> -- 
> Daniel Ruggeri
> 
>> On 8/7/2020 8:56 AM, William A Rowe Jr wrote:
>> Following the announcement link, it isn't clear that
>> https://httpd.apache.org/security/vulnerabilities_24.html
>> fixes issues in 2.4.46.
>> Should the fixed-in be promoted to the revision of Apache HTTP Server
>> actually published (released) by the project? It almost reads like
>> "fixed in 2.4.46-dev" (which 0-day disclosures are described as, until
>> a release is actually published.)
>> On Wed, Aug 5, 2020 at 6:32 AM Daniel Ruggeri <dan...@bitnebula.com> wrote:
>>   Hi, all;
>>      With 12 binding PMC +1 votes, two additional +1 votes from the
>>   community, and no -1 votes, I'm pleased to report that the vote has
>>   PASSED to release 2.4.46. I will begin the process of pushing to the
>>   distribution mirrors which should enable us for a Friday announcement -
>>   a great way to wrap up the week!
>>   Here are the votes I recorded during the thread:
>>   PMC
>>   jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
>>   gbechis, gsmith, druggeri, jblond, rjung
>>   Community
>>   Noel Butler, wrowe
>>   --
>>   Daniel Ruggeri
>>   On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
>>> Hi, all;
>>>   Third time is a charm! Please find below the proposed release
>>> tarball and signatures:
>>> https://dist.apache.org/repos/dist/dev/httpd/
>>> I would like to call a VOTE over the next few days to release this
>>> candidate tarball as 2.4.46:
>>> [ ] +1: It's not just good, it's good enough!
>>> [ ] +0: Let's have a talk.
>>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>> The computed digests of the tarball up for vote are:
>>> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
>>> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2 *httpd-2.4.46.tar.gz
>>> sha512: 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15 *httpd-2.4.46.tar.gz
>>> The SVN tag is '2.4.46' at r1880505.