Re: svn commit: r920084 - in /httpd/site/trunk: docs/security/vulnerabilities-oval.xml docs/security/vulnerabilities_22.html xdocs/security/vulnerabilities-httpd.xml
On 3/7/2010 2:12 PM, m...@apache.org wrote: > Author: mjc > Date: Sun Mar 7 20:12:21 2010 > New Revision: 920084 > > URL: http://svn.apache.org/viewvc?rev=920084&view=rev > Log: > Just make it clear this is a flaw only affecting Windows > installations that use mod_isapi. These entries need a bit > more cleanup, but another day /ditto > +undefined state and result in a segfault. On Windows platforms using > mod_isapi, a > +remote attacker could send a malicious request to trigger this issue, and as > win32 MPM runs only one not only using mod_isapi, but further configured to load a dll subject to exploitation. Long explanation, so I was specific to use the phrase 'potentially allow arbitrary code execution'. Thanks for the edits!
Re: What happened to mod_lua?
On Mar 7, 2010, at 7:58 PM, HyperHacker wrote:

> Nothing on Apache's site at all.

It's been adopted into httpd trunk:

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/lua/

Also mentioned on the New Features page:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

although it seems that documentation is a work in progress.

S.

--
Sander Temme
scte...@apache.org
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
What happened to mod_lua?
A while back I had the idea that Lua would be a great scripting language for web servers. I checked Google, and several pages mentioned a recently developed Apache httpd module that does just that. However, even months later, all a search finds is a couple blogs and sites talking about "the next version", many 404s, and a little discussion about the history/future of this module and how cool it's going to be. There are a few different "home pages" and "official" trackers which were last updated years ago; broken, run-down ghost towns of sites. Nothing on Apache's site at all. My question is, where is it? What's happened? I wanted to get involved in its development, but I can't find it! Only these old run-down sites hosting 3-year-old Win32 binaries. Has the project been abandoned? -- Sent from my toaster.
Re: memory leak in 2.3.4-alpha
Hm, on closer inspection it seems the high memory usage we're seeing is common to both 2.3.5 and 2.2.12, so it's likely a mod_mbox issue, which is probably infra's ball of wax to deal with. If any committer wants to help, the invitation is still open, but this time it's for eos (another Solaris 10 host). Aurora, the box I was talking about in the message below, failed to survive a reboot, so the issues we've been dealing with in infra may not be the fault of code in httpd.

----- Original Message -----
> From: Joe Schaefer
> To: dev@httpd.apache.org
> Sent: Sun, March 7, 2010 1:47:22 PM
> Subject: memory leak in 2.3.4-alpha
>
> Unfortunately all the httpd hackers in infrastructure have
> wandered off the reservation, but we've been running 2.3.5
> for the Apache websites for the past coupla weeks and it
> has a rather serious memory leak somewhere. That's the core
> reason why we ran into those gzip encoding issues in February.
>
> If any httpd committer familiar with Solaris 10 wants to take
> a look at the server, I'd be happy to arrange access. Just
> hop on #asfinfra on freenode.
>
> Thanks.
Bug report for Apache httpd-1.3 [2010/03/07]
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|Bugzilla Bug ID|Status|Severity|Date Posted|Description|
|10744|New|Nor|2002-07-12|suexec might fail to open log file|
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|10760|New|Maj|2002-07-12|empty ftp directory listings from cached ftp direc|
|14518|Opn|Reg|2002-11-13|QUERY_STRING parts not incorporated by mod_rewrite|
|16013|Opn|Nor|2003-01-13|Fooling mod_autoindex + IndexIgnore|
|16631|Inf|Min|2003-01-31|.htaccess errors logged outside the virtual host l|
|17318|Inf|Cri|2003-02-23|Abend on deleting a temporary cache file if proxy|
|19279|Inf|Min|2003-04-24|Invalid chmod options in solaris build|
|21637|Inf|Nor|2003-07-16|Timeout causes a status code of 200 to be logged|
|21777|Inf|Min|2003-07-21|mod_mime_magic doesn't handle little gif files|
|21975|Opn|Nor|2003-07-29|mod_rewrite RewriteMap from external program gets|
|22618|New|Maj|2003-08-21|MultiViews invalidates PATH_TRANSLATED if cgi-wrap|
|25057|Inf|Maj|2003-11-27|Empty PUT access control in .htaccess overrides co|
|26126|New|Nor|2004-01-14|mod_include hangs with request body|
|26152|Ass|Nor|2004-01-15|Apache 1.3.29 and below directory traversal vulner|
|26790|New|Maj|2004-02-09|error deleting old cache file|
|29257|Opn|Nor|2004-05-27|Problem with apache-1.3.31 and mod_frontpage (dso,|
|29498|New|Maj|2004-06-10|non-anonymous ftp broken in mod_proxy|
|29538|Ass|Enh|2004-06-12|No facility used in ErrorLog to syslog|
|30207|New|Nor|2004-07-20|Piped logs don't close read end of pipe|
|30877|New|Nor|2004-08-26|htpasswd clears passwd file on Sun when /var/tmp i|
|30909|New|Cri|2004-08-28|sporadic segfault resulting in broken connections|
|31975|New|Nor|2004-10-29|httpd-1.3.33: buffer overflow in htpasswd if calle|
|32078|New|Enh|2004-11-05|clean up some compiler warnings|
|32539|New|Trv|2004-12-06|[PATCH] configure --enable-shared= brocken on SuSE|
|32974|Inf|Maj|2005-01-06|Client IP not set|
|33086|New|Nor|2005-01-13|unconsistency betwen 404 displayed path and server|
|33495|Inf|Cri|2005-02-10|Apache crashes with "WSADuplicateSocket failed for|
|33772|New|Nor|2005-02-28|inconsistency in manual and error reporting by sue|
|33875|New|Enh|2005-03-07|Apache processes consuming CPU|
|34108|New|Nor|2005-03-21|mod_negotiation changes mtime to mtime of Document|
|34114|New|Nor|2005-03-21|Apache could interleave log entries when writing t|
|34404|Inf|Blk|2005-04-11|RewriteMap prg can not handle fpout|
|34571|Inf|Maj|2005-04-22|Apache 1.3.33 stops logging vhost|
|34573|Inf|Maj|2005-04-22|.htaccess not working / mod_auth_mysql|
|35424|New|Nor|2005-06-20|httpd disconnect in Timeout on CGI|
|35439|New|Nor|2005-06-21|Problem with remove "/../" in util.c and mod_rewri|
|35547|Inf|Maj|2005-06-29|Problems with libapreq 1.2 and Apache::Cookie|
|3|New|Nor|2005-06-30|Can't find DBM on Debian Sarge|
|36375|Opn|Nor|2005-08-26|Cannot include http_config.h from C++ file|
|37166|New|Nor|2005-10-19|Under certain conditions, mod_cgi delivers an empt|
|37252|New|Reg|2005-10-26|gen_test_char reject NLS string|
|38989|New|Nor|2006-03-15|restart + piped logs stalls httpd for 24 minutes (|
|39104|New|Enh|2006-03-25|[FR] fix build with -Wl,--as-needed|
|39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn|
|39937|New|Nor|2006-06-30|Garbage output if README.html is gzipped or compre|
|40224|Ver|Nor|2006-08-10|System time crashes Apache @year 2038 (win32 only?|
|41279|New|Nor|2007-01-02|Apache 1.3.37 htpasswd is vulnerable to buffer ove|
|42355|New|Maj|2007-05-08|Apache 1.3 permits non-rfc HTTP error code >= 600|
|43626|New|Maj|2007-10-15|r->path_info returning invalid value|
|44768|New|Blk|2008-04-07|Server suddenly reverted to showing test page only|
|44926|
apr_dbd: Support for multiple database connections from the same virtual host
Hi all,

I am currently looking through the apr_dbd module to find whether it is possible to support multiple database connections per virtual host. I am finding references on the mailing list[1] that this capability was present on trunk, but looking at trunk, I don't see any evidence of this kind of capability. Is this documented anywhere?

[1] http://www.mail-archive.com/us...@httpd.apache.org/msg38390.html

Regards,
Graham
--
memory leak in 2.3.4-alpha
Unfortunately all the httpd hackers in infrastructure have wandered off the reservation, but we've been running 2.3.5 for the Apache websites for the past coupla weeks and it has a rather serious memory leak somewhere. That's the core reason why we ran into those gzip encoding issues in February. If any httpd committer familiar with Solaris 10 wants to take a look at the server, I'd be happy to arrange access. Just hop on #asfinfra on freenode. Thanks.
Re: svn commit: r101 - in /release/httpd: CHANGES_2.2 CHANGES_2.2.15
On Sun, Mar 7, 2010 at 10:06 AM, wrote: > Author: trawick > Date: Sun Mar 7 10:06:46 2010 > New Revision: 101 > > Log: > axe BOM (maybe Safari will display it now?) yep