po

2011-09-01 Thread Joshua Marantz
Hi, I've been load-testing our module (mod_pagespeed, http://code.google.com/speed/page-speed/docs/module.html) with httpd 2.2.16 built with these options: --enable-pool-debug --with-mpm=worker I've been getting periodic aborts from apr_table_addn that don't look like they are from my module.

Re: po

2011-09-01 Thread Ben Noordhuis
On Thu, Sep 1, 2011 at 13:52, Joshua Marantz jmara...@google.com wrote: Hi, I've been load-testing our module (mod_pagespeed, http://code.google.com/speed/page-speed/docs/module.html) with httpd 2.2.16 built with these options: --enable-pool-debug --with-mpm=worker I've been getting

Detecting which MPM a module is running in

2011-09-01 Thread Joshua Marantz
Hello from mod_pagespeed again. We are adding support for running in the Worker MPM, having spent most of our time since we launched the product sheltered in the prefork MPM where our multi-threading challenges are all of our own making. Having tuned our threading model for prefork, where all

RE: non-splittable buckets (was: Regression with range fix)

2011-09-01 Thread Plüm, Rüdiger, VF-Group
-Original Message- From: Stefan Fritsch [mailto:s...@sfritsch.de] Sent: Wednesday, 31 August 2011 23:09 To: dev@httpd.apache.org Subject: non-splittable buckets (was: Regression with range fix) On Wednesday 31 August 2011, Jim Jagielski wrote: Looking at the patch in 2.2.x;

RE: Appropriate patches for 2.2.19 and 2.0.64?

2011-09-01 Thread Plüm, Rüdiger, VF-Group
-Original Message- From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] Sent: Thursday, 1 September 2011 03:51 To: dev@httpd.apache.org Subject: Re: Appropriate patches for 2.2.19 and 2.0.64? On 8/31/2011 4:16 PM, William A. Rowe Jr. wrote: I've attempted to simply

Re: svn commit: r1163833 - /httpd/httpd/trunk/modules/http/byterange_filter.c

2011-09-01 Thread Tim Bannister
On Wed, Aug 31, 2011 at 6:28 PM, Roy T. Fielding wrote: On Aug 31, 2011, at 6:10 PM, William A. Rowe Jr. wrote: The presumption here is that the client requests bytes=0- to begin the transmission, and provided it sees a 206, restarting somewhere in the stream results in aborting the

Re: Appropriate patches for 2.2.19 and 2.0.64?

2011-09-01 Thread dreamice
Has anyone tested 2.2.19 with this patch? 2011/9/1 Plüm, Rüdiger, VF-Group ruediger.pl...@vodafone.com -Original Message- From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] Sent: Thursday, 1 September 2011 03:51 To: dev@httpd.apache.org Subject: Re:

Another regression regarding byteranges

2011-09-01 Thread Plüm, Rüdiger, VF-Group
PR 51748 (https://issues.apache.org/bugzilla/show_bug.cgi?id=51748) is an IMHO valid regression in range behaviour (from the report): Request and response sample in each version. = version 2.2.20 GET / HTTP/1.1 Host: localhost Range: bytes=-1 HTTP/1.1 206 Partial Content Server:

Re: Next update

2011-09-01 Thread Ben Laurie
On Wed, Aug 31, 2011 at 9:03 PM, Dirk-WIllem van Gulik di...@webweaving.org wrote: Suggestion for http://people.apache.org/~dirkx/CVE-2011-3192.txt You probably mean deprecated not desecrated, amusing though that is.

Re: Next update

2011-09-01 Thread Dirk-Willem van Gulik
On 1 Sep 2011, at 12:06, Ben Laurie wrote: On Wed, Aug 31, 2011 at 9:03 PM, Dirk-WIllem van Gulik di...@webweaving.org wrote: Suggestion for http://people.apache.org/~dirkx/CVE-2011-3192.txt You probably mean deprecated not desecrated, amusing though that is. Darn Functional

Re: Another regression regarding byteranges

2011-09-01 Thread Jim Jagielski
On Sep 1, 2011, at 6:31 AM, Plüm, Rüdiger, VF-Group wrote: I already fixed that in trunk. I think this regression justifies another release for 2.2.x. But IMHO we should wait at least until mid next week to see if other regressions come thru and hit them all with a 2.2.21. +1

CVE-2003-1418 - still affects apache 2 current

2011-09-01 Thread Marcus Meissner
Hi, CVE-2003-1418, a minor security issue, is still affecting the current codebase. Someone opened a tracker bug a year ago without feedback: https://issues.apache.org/bugzilla/show_bug.cgi?id=49623 Do you have a statement? The Qualys security scanner detects and reports this issue and

Re: non-splittable buckets (was: Regression with range fix)

2011-09-01 Thread Joe Orton
On Wed, Aug 31, 2011 at 11:08:51PM +0200, Stefan Fritsch wrote: On Wednesday 31 August 2011, Jim Jagielski wrote: Looking at the patch in 2.2.x; there is a lot of effort expended dealing with apr_bucket_split() returning ENOTIMPL - that looks unnecessary; the filter will only handle

RE: non-splittable buckets (was: Regression with range fix)

2011-09-01 Thread Plüm, Rüdiger, VF-Group
-Original Message- From: Joe Orton [mailto:jor...@redhat.com] Sent: Thursday, 1 September 2011 14:39 To: dev@httpd.apache.org Subject: Re: non-splittable buckets (was: Regression with range fix) On Wed, Aug 31, 2011 at 11:08:51PM +0200, Stefan Fritsch wrote: On Wednesday

Re: Another regression regarding byteranges

2011-09-01 Thread Dirk-Willem van Gulik
On 1 Sep 2011, at 13:33, Jim Jagielski wrote: On Sep 1, 2011, at 6:31 AM, Plüm, Rüdiger, VF-Group wrote: I already fixed that in trunk. I think this regression justifies another release for 2.2.x. But IMHO we should wait at least until mid next week to see if other regressions come thru

Re: non-splittable buckets (was: Regression with range fix)

2011-09-01 Thread Joe Orton
On Thu, Sep 01, 2011 at 02:47:19PM +0200, Plüm, Rüdiger, VF-Group wrote: If we rip it out, we should replace it with ap_assert()s. And maybe only do it in 2.3? It would seem odd to have ENOTIMPL as a fatal error but other real errors non-fatal. *No* error should occur here with

Re: po

2011-09-01 Thread Joshua Marantz
Hi Ben, Hmmm...don't know what happened to that subject line po. Not what I meant to type, obviously! On Thu, Sep 1, 2011 at 8:14 AM, Ben Noordhuis i...@bnoordhuis.nl wrote: That assertion is triggered when you add a string from pool A to a table in pool B where A is a child of B (adding

Re: non-splittable buckets (was: Regression with range fix)

2011-09-01 Thread Jim Jagielski
On Sep 1, 2011, at 8:59 AM, Joe Orton wrote: On Thu, Sep 01, 2011 at 02:47:19PM +0200, Plüm, Rüdiger, VF-Group wrote: If we rip it out, we should replace it with ap_assert()s. And maybe only do it in 2.3? It would seem odd to have ENOTIMPL as a fatal error but other real errors

RequestHeader early with CVE-2011-3192

2011-09-01 Thread Yehezkel Horowitz
Hello In case I don't want to support Range and Request-Range headers at all, would it be safe to remove those headers in the early processing hook? Something like: RequestHeader unset Range early RequestHeader unset Range-Request early I'm asking because the documentation of mod_headers

Re: Pool Debug Worker MPM compatibility

2011-09-01 Thread Joshua Marantz
Oh, also I should note that when I do my load-test with pool-debugging off, all is well. The error_log has zero signals/aborts. The main reason I was using pool-debug in the first place was to get better valgrind leak-checks. But if this is just not compatible with Worker MPM I can stay with pool

Re: CVE-2003-1418 - still affects apache 2 current

2011-09-01 Thread Nick Kew
On Thu, 1 Sep 2011 14:39:11 +0200 Marcus Meissner meiss...@suse.de wrote: Hi, CVE-2003-1418, a minor security issue, is still affecting the current codebase. Someone opened a tracker bug a year ago without feedback: https://issues.apache.org/bugzilla/show_bug.cgi?id=49623 I've just

Re: RequestHeader early with CVE-2011-3192

2011-09-01 Thread Nick Kew
On Thu, 1 Sep 2011 16:58:07 +0300 Yehezkel Horowitz horow...@checkpoint.com wrote: Hello In case I don't want to support Range and Request-Range headers at all, would it be safe to remove those headers in the early processing hook? Something like: RequestHeader unset Range early

Re: CVE-2003-1418 - still affects apache 2 current

2011-09-01 Thread Marcus Meissner
On Thu, Sep 01, 2011 at 03:30:57PM +0100, Nick Kew wrote: On Thu, 1 Sep 2011 14:39:11 +0200 Marcus Meissner meiss...@suse.de wrote: Hi, CVE-2003-1418, a minor security issue, is still affecting the current codebase. Someone opened a tracker bug a year ago without feedback:

Re: CVE-2003-1418 - still affects apache 2 current

2011-09-01 Thread Joe Orton
On Thu, Sep 01, 2011 at 02:39:11PM +0200, Marcus Meissner wrote: Hi, CVE-2003-1418, a minor security issue, is still affecting the current codebase. Someone opened a tracker bug a year ago without feedback: https://issues.apache.org/bugzilla/show_bug.cgi?id=49623 Do you have a

Re: CVE-2003-1418 - still affects apache 2 current

2011-09-01 Thread Nick Kew
On Thu, 1 Sep 2011 16:36:24 +0200 Marcus Meissner meiss...@suse.de wrote: This just md5s the inodenr, right? If yes, this is just obfuscation if you do not add some kind of random salt. (You can still just do for (i=0;i...;i++) md5($i) and compare, including use of Rainbow

Re: CVE-2003-1418 - still affects apache 2 current

2011-09-01 Thread Marcus Meissner
On Thu, Sep 01, 2011 at 03:55:28PM +0100, Nick Kew wrote: On Thu, 1 Sep 2011 16:36:24 +0200 Marcus Meissner meiss...@suse.de wrote: This just md5s the inodenr, right? If yes, this is just obfuscation if you do not add some kind of random salt. (You can still just do for

Re: po

2011-09-01 Thread Ray Morris
this code has to run crazy fast and has lots of mileage on it. ... OK given the stack-trace above it's hard for me to figure out a path back from my module. Why not run the test without your new module loaded? That seems like a far simpler and more reliable indication of whether the issue

Re: CVE-2003-1418 - still affects apache 2 current

2011-09-01 Thread Marcus Meissner
On Thu, Sep 01, 2011 at 05:17:16PM +0200, Reindl Harald wrote: .. mtime - well, is directly in the header - Last-Modified size - well, directly in the header - Content-Length inode - well, where is there any security implication? I could not directly think of one. The reason is just that

Re: po

2011-09-01 Thread Joshua Marantz
On Thu, Sep 1, 2011 at 11:16 AM, Ray Morris supp...@bettercgi.com wrote: this code has to run crazy fast and has lots of mileage on it. ... OK given the stack-trace above it's hard for me to figure out a path back from my module. Why not run the test without your new module loaded?

RE: CVE-2003-1418 - still affects apache 2 current

2011-09-01 Thread Plüm, Rüdiger, VF-Group
-Original Message- From: Joe Orton [mailto:jor...@redhat.com] Sent: Thursday, 1 September 2011 16:46 To: Marcus Meissner Cc: dev@httpd.apache.org Subject: Re: CVE-2003-1418 - still affects apache 2 current On Thu, Sep 01, 2011 at 02:39:11PM +0200, Marcus Meissner wrote:

Re: svn commit: r1163918 - /httpd/httpd/trunk/modules/http/byterange_filter.c

2011-09-01 Thread William A. Rowe Jr.
On 9/1/2011 1:30 AM, rpl...@apache.org wrote: Author: rpluem Date: Thu Sep 1 06:30:02 2011 New Revision: 1163918 URL: http://svn.apache.org/viewvc?rev=1163918&view=rev Log: * Fix error message --- httpd/httpd/trunk/modules/http/byterange_filter.c (original) +++

RE: svn commit: r1163918 - /httpd/httpd/trunk/modules/http/byterange_filter.c

2011-09-01 Thread Plüm, Rüdiger, VF-Group
-Original Message- From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] Sent: Thursday, 1 September 2011 18:38 To: dev@httpd.apache.org Subject: Re: svn commit: r1163918 - /httpd/httpd/trunk/modules/http/byterange_filter.c On 9/1/2011 1:30 AM, rpl...@apache.org wrote:

Re: Next update

2011-09-01 Thread Guenter Knauf
Hi Dirk, On 31.08.2011 22:03, Dirk-WIllem van Gulik wrote: Suggestion for http://people.apache.org/~dirkx/CVE-2011-3192.txt to be sent to announce and the usual security places. 4) Deploy a Range header count module as a temporary stopgap measure. An improved stop-gap module

Re: Appropriate patches for 2.2.19 and 2.0.64?

2011-09-01 Thread William A. Rowe Jr.
On 9/1/2011 2:41 AM, Plüm, Rüdiger, VF-Group wrote: -Original Message- From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net] Sent: Thursday, 1 September 2011 03:51 To: dev@httpd.apache.org Subject: Re: Appropriate patches for 2.2.19 and 2.0.64? On 8/31/2011 4:16 PM,

Re: svn commit: r1163833 - /httpd/httpd/trunk/modules/http/byterange_filter.c

2011-09-01 Thread Roy T. Fielding
On Sep 1, 2011, at 1:11 AM, Tim Bannister wrote: On Wed, Aug 31, 2011 at 6:28 PM, Roy T. Fielding wrote: On Aug 31, 2011, at 6:10 PM, William A. Rowe Jr. wrote: The presumption here is that the client requests bytes=0- to begin the transmission, and provided it sees a 206, restarting

Re: Appropriate patches for 2.2.19 and 2.0.64?

2011-09-01 Thread Rainer Jung
On 01.09.2011 19:18, William A. Rowe Jr. wrote: On 9/1/2011 2:41 AM, Plüm, Rüdiger, VF-Group wrote: Ideally can you provide me the -verbose output (offlist or to your people.a.o/ space if it's lengthy)? Sorry for kicking in late. I was on holidays until Sunday and was a bit overwhelmed by

Re: CVE-2003-1418 - still affects apache 2 current

2011-09-01 Thread Daniel Ruggeri
On 9/1/2011 10:23 AM, Marcus Meissner wrote: On Thu, Sep 01, 2011 at 05:17:16PM +0200, Reindl Harald wrote: .. mtime - well, is directly in the header - Last-Modified size - well, directly in the header - Content-Length inode - well, where is there any security implication? I could not

Re: Another regression regarding byteranges

2011-09-01 Thread William A. Rowe Jr.
On 9/1/2011 7:51 AM, Dirk-Willem van Gulik wrote: On 1 Sep 2011, at 13:33, Jim Jagielski wrote: On Sep 1, 2011, at 6:31 AM, Plüm, Rüdiger, VF-Group wrote: I already fixed that in trunk. I think this regression justifies another release for 2.2.x. But IMHO we should wait at least until