Re: [PATCH] DTrace probes patch.
> I see no issues with making this the default and having a --disable-dtrace.
> I can see a reason that someone might wish to turn them off -- though
> that someone isn't me.

+1

--disable-dtrace could be useful in certain scenarios, e.g. dtrace internal bugs. IMHO, by default it should be enabled.

Regards,
Basant.

Impact of OpenSSL Randomness issues on Debian
If you are just catching up:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
http://it.slashdot.org/article.pl?sid=08/05/13/1533212

Most of the talk has been about how SSH server and client private keys are vulnerable. However, private x509 keys generated by a vulnerable machine and used by HTTPS are also guessable.

Debian and Ubuntu have made several tools to detect weak key signatures in OpenSSH and OpenVPN.

1) Shouldn't it be possible to write something that detects the weak private key fingerprint from the SSL handshake?

2) Should we remind users on [EMAIL PROTECTED] or another medium that any x509 keys generated on a Debian or Ubuntu server, such as those used for HTTPS, in the last 2 years, should be re-generated?

Thanks,
-Paul

Missing vote for persistent SSL backend proxy connections
I know that the following patch really requires some work to review, but it is missing only one vote and it would really be worth including in 2.2.9:

* mod_proxy: Allow for keepalive backend proxies (PR43238), which also addresses PR44026 and PR44543. These are pretty much interwrapped here.
  Trunk version of patch:
    http://svn.apache.org/viewvc?view=rev&revision=602542
    http://svn.apache.org/viewvc?view=rev&revision=603237
    http://svn.apache.org/viewvc?view=rev&revision=603502
    http://svn.apache.org/viewvc?view=rev&revision=603543
    http://svn.apache.org/viewvc?view=rev&revision=604447
    http://svn.apache.org/viewvc?view=rev&revision=604449
    http://svn.apache.org/viewvc?view=rev&revision=605314
    http://svn.apache.org/viewvc?view=rev&revision=605838
  Backport version for 2.2.x of patch:
    http://people.apache.org/~rpluem/patches/proxy-ssl-44026-patch.txt
  +1: jim, rpluem

Regards

Rüdiger

Re: svn commit: r655711 - in /httpd/httpd/trunk: CHANGES support/suexec.c
On 05/13/2008 04:21 AM, [EMAIL PROTECTED] wrote:

Author: fielding
Date: Mon May 12 19:21:33 2008
New Revision: 655711

URL: http://svn.apache.org/viewvc?rev=655711&view=rev
Log:
When group is given as a numeric gid, validate it by looking up the actual group name such that the name can be used in log entries.

PR: 7862
Submitted by: , Leif W

Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/support/suexec.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=655711&r1=655710&r2=655711&view=diff

> Modified: httpd/httpd/trunk/support/suexec.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/suexec.c?rev=655711&r1=655710&r2=655711&view=diff
== --- httpd/httpd/trunk/support/suexec.c (original) +++ httpd/httpd/trunk/support/suexec.c Mon May 12 19:21:33 2008 @@ -395,13 +395,15 @@ log_err("invalid target group name: (%s)\n", target_gname); exit(106); } -gid = gr->gr_gid; -actual_gname = strdup(gr->gr_name); } else { -gid = atoi(target_gname); -actual_gname = strdup(target_gname); +if ((gr = getgrgid(atoi(target_gname))) == NULL) {

Don't we need to check if getgrgid is available on the target platform? As I see from my man page on Linux getgrgid requires which is only included if we have HAVE_GRP_H set.

Regards

Rüdiger
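
Review bot: In the numeric branch, atoi(target_gname) is passed straight to getgrgid() with no way to tell a failed or out-of-range conversion from a real gid. atoi returns 0 for non-numeric input, and 0 is a valid gid, so a malformed argument would look up gid 0 instead of being rejected. Unless the code ahead of this hunk (not visible here) already guarantees an all-digit string, parse with strtol, check errno and the end pointer, and range-check the result before the lookup. The hunk also removes the gid and actual_gname assignments from the name branch, and the quoted hunk is cut off before their replacement is visible, so confirm that both branches still set gid and actual_gname from gr once the lookup has succeeded.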