Hi,
Are there any particular reasons that regex code shouldn't be moved to
the apr-utils like expat is? That way we'll be (the non httpd
developers) able to use the same code for the things that need regular
expressions, instead of linking the same lib multiple times.
MT.
-BEGIN PGP SIGNED MESSAGE-
For Immediate Disclosure
=== SUMMARY
Title: Apache 2.0 vulnerability affects non-Unix platforms
Date: 9th August 2002
Version: 1
Product Name: Apache web server 2.0
OS/Platform: Windows, OS2, Netware
Perma
With the recent vulnerabilities found in OpenSSL, I thought it'd make sense
for Apache to check for OpenSSL 0.9.6e or higher.
-Madhu
$ cvs diff acinclude.m4
Index: acinclude.m4
===
RCS file: /home/cvspublic/httpd-2.0/acinclude.m4,v
[EMAIL PROTECTED] wrote:
> Revision Changes Path
> 1.1 httpd-site/docs/info/security_bulletin_20020809a.txt
> Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt
Problem here. Not the month/day day/month switch. I've done a "mv" on
daedalus
> > Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt
Hmmm, actually it really ought to be 20020809a.txt like the files I
committed, the text that went out was wrong due to too many us-uk
conversions ;). A cunning redirect rule in the server config would fix
it so 2
Mark J Cox wrote:
> -BEGIN PGP SIGNED MESSAGE-
>
> For Immediate Disclosure
Incidentally, I didn't see this get sent to users@httpd and
announce@httpd (it was sent to [EMAIL PROTECTED]). Did I miss it?
Joshua.
> Incidentally, I didn't see this get sent to users@httpd and
> announce@httpd (it was sent to [EMAIL PROTECTED]). Did I miss it?
Doh. So that's two mistakes, where is the third?
Mark
I got a bit frustrated by the lack of flexibility in the mod_log_config CustomLog
directive. What I wanted was to make logging conditional on multiple environment
variables that get set by different modules, and also to be able to make logging
behaviour depend on the value of the variables rat
On Fri, 9 Aug 2002, Joshua Slive wrote:
> [EMAIL PROTECTED] wrote:
>
> > Revision Changes Path
> > 1.1 httpd-site/docs/info/security_bulletin_20020809a.txt
>
> > Permanent URL: http://httpd.apache.org/info/security_bulletin_20020908a.txt
I put in a symlink for now se
On Fri, Aug 09, 2002 at 09:58:03AM -0700, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
wrote:
> With the recent vulnerabilities found in OpenSSL, I thought it'd make sense
> for Apache to check for OpenSSL 0.9.6e or higher.
And what about patched openssl versions? Given the notorious
binary incom
Thanks for pointing it out. I'd missed it completely (mainly because I
thought 0.9.7 is still in beta)
Here's an updated patch which checks specifically for > 0.9.6e or >
0.9.[7-9]*
$ cvs diff acinclude.m4
Index: acinclude.m4
===
RCS
On Fri, 2002-08-09 at 15:33, Andreas Hasenack wrote:
> On Fri, Aug 09, 2002 at 09:58:03AM -0700, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
> wrote:
> > With the recent vulnerabilities found in OpenSSL, I thought it'd make sense
> > for Apache to check for OpenSSL 0.9.6e or higher.
>
> And what
I'm not sure how to address this : For ex., do we allow building Apache
against OpenSSL 0.9.5x ?.. I don't believe so. If it's regarding OpenSSL
0.9.6x, I'm not sure how much of binary incompatibility it introduces.
Moreover, considering the fact that we have a CERT advisory asking ppl to
move to Op
On Fri, Aug 09, 2002 at 02:04:36PM -0700, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)
wrote:
> move to OpenSSL 0.9.6e, I thought it'd be prudent to check specifically for
> version 0.9.6e or greater.
A warning would be prudent.
...since Friday, 09-Aug-2002 13:39:01 PDT. The traffic was pretty light then
but is likely to get heavy soon, so I went ahead and bounced it. It's got a
Redirect for the dyslexic security bulletin.
I had a moment of panic:
[gregames@daedalus apache2.0.40]$ sudo apbounce apache2.0.40
(48)Addres
-1. Please revert the change. The purpose of the check is to identify
incompatible APIs, not security holes.
Roy
Alan Skea wrote:
> I got a bit frustrated by the lack of flexibility in the mod_log_config CustomLog
>directive. What I wanted was to make logging conditional on multiple environment
>variables that get set by different modules, and also to be able to make logging
>behaviour depend on the valu
-Original Message-
From: Roy T. Fielding [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 09, 2002 3:03 PM
>-1. Please revert the change. The purpose of the check is to identify
>incompatible APIs, not security holes.
should apache be allowed to be built against a version of OpenSSL tha
>> -1. Please revert the change. The purpose of the check is to identify
>> incompatible APIs, not security holes.
>
> should apache be allowed to be built against a version of OpenSSL that
> has a
> known problem - I don't think so. But if everybody thinks against - then,
> so
> be it.
Peopl
> -1. Please revert the change. The purpose of the check is to identify
> incompatible APIs, not security holes.
I have a patch to turn it into a warning -- will commit once tested.
Roy
+1. This seems too restrictive to me. People *do* patch the source as well :)
Roy T. Fielding wrote:
>
> -1. Please revert the change. The purpose of the check is to identify
> incompatible APIs, not security holes.
>
> Roy
>
--
Sander Striker [mailto:[EMAIL PROTECTED]] wrote:
> We have also included support for IPv6 on any
> platform that supports IPv6.
Hmmm Windows NT/2k/XP/.Net/98/95 supports IPv6, now where is the IPv6
capable binary (or source for that matter ;) ?
(Btw... Mac OS X sports IPv6 also in beta's and pu
At 23:27 09/08/02, Joshua Slive wrote:
>Alan Skea wrote:
>>I got a bit frustrated by the lack of flexibility in the mod_log_config CustomLog
>directive. What I wanted was to make logging conditional on multiple environment
>variables that get set by different modules, and also to be able to ma
Alan Skea wrote:
> I don't think SetEnvIf quite does it. In one module I extract a session tracking
>token from the URI and set it into an env var. If this var is present then I want to
>use a particular log format. I also started looking at a module called robotcop the
>other day. It moni
> Cool. I believe something is better than nothing :).
>
> (I'm sure you're already aware of this - but thought it'd be better to let
> you know)
> I believe my patch went into r1.127 - and has been labelled for the 2.0.40
> release. So, you might want to bump the label before it's released.
It h
At 08:31 PM 8/9/2002, Roy T. Fielding wrote:
>>Cool. I believe something is better than nothing :).
>>
>>(I'm sure you're already aware of this - but thought it'd be better to let
>>you know)
>>I believe my patch went into r1.127 - and has been labelled for the 2.0.40
>>release. So, you might want