Re: [PATCH] DTrace probes patch.

2008-05-13 Thread Basant Kukreja
> I see no issues with making this the default and having a --disable-dtrace. 
>  I can see a reason that someone might wish to turn them off -- though 
> that someone isn't me.
+1
--disable-dtrace could be useful in certain scenarios, e.g. dtrace internal bugs.
IMHO, by default it should be enabled.

Regards,
Basant.



Impact of OpenSSL Randomness issues on Debian

2008-05-13 Thread Paul Querna

If you are just catching up:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
http://it.slashdot.org/article.pl?sid=08/05/13/1533212

Most of the talk has been about how SSH Servers and Client private keys 
are vulnerable.


However, Private x509 Keys generated by a vulnerable machine, and used 
by HTTPS are also guessable.


Debian and Ubuntu have made several tools to detect weak key signatures 
in OpenSSH and OpenVPN.


1) Shouldn't it be possible to write something that detects the weak 
private key fingerprint from the SSL handshake?


2) Should we remind users on [EMAIL PROTECTED] or another medium, that any 
x509 keys generated on a Debian or Ubuntu server, such as those used 
for HTTPS, in the last 2 years, should be re-generated?


Thanks,

-Paul
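On question 1 above: the server's certificate, and with it the SubjectPublicKeyInfo, is sent in the clear during the TLS handshake, so the same modulus-fingerprint denylist approach the Debian tooling used for OpenSSH and OpenVPN keys applies to an HTTPS server's key once it has been extracted. The following is an added example, not code from this thread or from the Debian/Ubuntu tools: it parses an RSA public key out of a PEM SubjectPublicKeyInfo with a minimal stdlib-only DER walker and checks its modulus against a denylist. It assumes the openssl-blacklist fingerprint convention (SHA-1 over the `Modulus=<HEX>` line that `openssl rsa -noout -modulus` prints, matched on the last 20 hex digits); the sample moduli and the blocklist are constructed in the block and are not real weak keys.

```python
import base64
import hashlib
import re

# ---- minimal DER encode/decode, enough for an RSA SubjectPublicKeyInfo ----

def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(n):
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:            # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return der_tlv(0x02, body)

def der_read(buf):
    """Return [(tag, content), ...] for the TLVs at the top level of buf."""
    out, i = [], 0
    while i < len(buf):
        tag, first = buf[i], buf[i + 1]
        if first < 0x80:
            length, i = first, i + 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(buf[i + 2:i + 2 + nbytes], "big")
            i += 2 + nbytes
        out.append((tag, buf[i:i + length]))
        i += length
    return out

RSA_OID = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption

def build_spki(n, e):
    """Constructed test data: a SubjectPublicKeyInfo wrapping an RSA key."""
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))
    alg = der_tlv(0x30, RSA_OID + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))

def spki_from_pem(pem):
    """Strip the '-----BEGIN PUBLIC KEY-----' armour and base64-decode."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s+", "", pem))

def rsa_modulus_from_spki(spki):
    """Walk SPKI -> AlgorithmIdentifier + BIT STRING -> RSAPublicKey -> n."""
    [(tag, body)] = der_read(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    (alg_tag, alg), (bs_tag, bitstr) = der_read(body)
    if alg_tag != 0x30 or bs_tag != 0x03 or not alg.startswith(RSA_OID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    [(_, rsa_pub)] = der_read(bitstr[1:])      # bitstr[0] is the unused-bits count
    (n_tag, n_bytes), _e = der_read(rsa_pub)
    if n_tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(n_bytes, "big")

# ---- weak-key check ----

def modulus_fingerprint(n):
    """SHA-1 over the modulus in the text form 'openssl rsa -noout -modulus'
    prints ('Modulus=<HEX>\\n'). Assumption: this mirrors the openssl-blacklist
    convention; the blocklist below is constructed, not a real published list."""
    return hashlib.sha1(("Modulus=%X\n" % n).encode()).hexdigest()

def is_weak_modulus(n, blocklist):
    # Assumption: openssl-blacklist entries are the last 20 hex digits of the digest.
    return modulus_fingerprint(n)[-20:] in blocklist

def check_pem_public_key(pem, blocklist):
    return is_weak_modulus(rsa_modulus_from_spki(spki_from_pem(pem)), blocklist)

# ---- constructed sample data (arbitrary odd numbers, not products of primes) ----
WEAK_N = (1 << 1023) | 0x00DEADBEEF00000001   # high bit set exercises the padding byte
GOOD_N = (1 << 1023) | 0x00C0FFEE0000000003
E = 65537
BLOCKLIST = {modulus_fingerprint(WEAK_N)[-20:]}   # constructed denylist entry

def pem_for(n):
    body = base64.encodebytes(build_spki(n, E)).decode()
    return "-----BEGIN PUBLIC KEY-----\n" + body + "-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    for label, n in (("weak", WEAK_N), ("good", GOOD_N)):
        print(label, "flagged" if check_pem_public_key(pem_for(n), BLOCKLIST) else "ok")
```

To run this against a live HTTPS server you would capture the leaf certificate from the handshake, extract its public key (`openssl x509 -pubkey -noout` yields exactly the PEM form `spki_from_pem` expects) and feed it to `check_pem_public_key` with the real blocklist; the check is on the public modulus only, so it never needs the private key. The DER walker deliberately handles only the definite-length encodings DER permits and rejects anything that is not an RSA SubjectPublicKeyInfo rather than guessing.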



Missing vote for persistent SSL backend proxy connections

2008-05-13 Thread Ruediger Pluem

I know that the following patch really requires some work to review, but it
is missing only one vote and it would really be worth including in 2.2.9:

 * mod_proxy: Allow for keepalive backend proxies (PR43238), which also
   addresses PR44026 and PR44543. These are pretty much intertwined here.
Trunk version of patch:
  http://svn.apache.org/viewvc?view=rev&revision=602542
  http://svn.apache.org/viewvc?view=rev&revision=603237
  http://svn.apache.org/viewvc?view=rev&revision=603502
  http://svn.apache.org/viewvc?view=rev&revision=603543
  http://svn.apache.org/viewvc?view=rev&revision=604447
  http://svn.apache.org/viewvc?view=rev&revision=604449
  http://svn.apache.org/viewvc?view=rev&revision=605314
  http://svn.apache.org/viewvc?view=rev&revision=605838
Backport version for 2.2.x of patch:
  http://people.apache.org/~rpluem/patches/proxy-ssl-44026-patch.txt
   +1: jim, rpluem

Regards

Rüdiger


Re: svn commit: r655711 - in /httpd/httpd/trunk: CHANGES support/suexec.c

2008-05-13 Thread Ruediger Pluem



On 05/13/2008 04:21 AM, [EMAIL PROTECTED] wrote:

Author: fielding
Date: Mon May 12 19:21:33 2008
New Revision: 655711

URL: http://svn.apache.org/viewvc?rev=655711&view=rev
Log:
When group is given as a numeric gid, validate it by looking up the
actual group name such that the name can be used in log entries.

PR: 7862
Submitted by: , Leif W 

Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/support/suexec.c

Modified: httpd/httpd/trunk/CHANGES
URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=655711&r1=655710&r2=655711&view=diff

Modified: httpd/httpd/trunk/support/suexec.c

URL: 
http://svn.apache.org/viewvc/httpd/httpd/trunk/support/suexec.c?rev=655711&r1=655710&r2=655711&view=diff
==
--- httpd/httpd/trunk/support/suexec.c (original)
+++ httpd/httpd/trunk/support/suexec.c Mon May 12 19:21:33 2008
@@ -395,13 +395,15 @@
 log_err("invalid target group name: (%s)\n", target_gname);
 exit(106);
 }
-gid = gr->gr_gid;
-actual_gname = strdup(gr->gr_name);
 }
 else {
-gid = atoi(target_gname);
-actual_gname = strdup(target_gname);
+if ((gr = getgrgid(atoi(target_gname))) == NULL) {
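Review bot: the numeric branch now hands atoi(target_gname) straight to getgrgid() without first checking that the string was a well-formed, in-range number; atoi() returns 0 for anything it cannot parse and ignores trailing characters, so a malformed value that reaches this branch is looked up as gid 0 instead of being rejected. Parse with strtol() into a long, reject when the end pointer is not at the terminating NUL or the value is negative or larger than gid_t can hold, and only then call getgrgid(); that keeps the `invalid target group name` error path meaningful for numeric input as well. On portability, the named-group branch just above already dereferences gr->gr_gid and gr->gr_name, so struct group is already a requirement of this file and getgrgid() introduces no header dependency that branch did not have.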


Don't we need to check if getgrgid is available on the target platform?
As I see from my man page on Linux getgrgid requires <grp.h> which is
only included if we have HAVE_GRP_H set.

Regards

Rüdiger