On 9/1/2011 7:51 AM, Dirk-Willem van Gulik wrote:
>
> On 1 Sep 2011, at 13:33, Jim Jagielski wrote:
>
>>
>> On Sep 1, 2011, at 6:31 AM, Plüm, Rüdiger, VF-Group wrote:
>>> I already fixed that in trunk.
>>> I think this regression justifies another release for 2.2.x. But IMHO we
>>> should wait a
On 9/1/2011 10:23 AM, Marcus Meissner wrote:
> On Thu, Sep 01, 2011 at 05:17:16PM +0200, Reindl Harald wrote:
> ..
>> mtime -> well, is directly in the header -> Last-Modified
>> size -> well, directly in the header -> Content-Length
>> inode -> well, where is there any security implication?
> I co
On 01.09.2011 23:39, Joshua Marantz wrote:
> Hello from mod_pagespeed again.
>
> We are adding support for running in the Worker MPM, having spent most of
> our time since we launched the product sheltered in the prefork MPM where
> our multi-threading challenges are all of our own making.
>
> Ha
On 01.09.2011 19:18, William A. Rowe Jr. wrote:
> On 9/1/2011 2:41 AM, "Plüm, Rüdiger, VF-Group" wrote:
> Ideally can you provide me the -verbose output (offlist or to your
> people.a.o/ space if it's lengthy)?
Sorry for kicking in late. I was on holidays until Sunday and was a bit
overwhelmed by
On Sep 1, 2011, at 1:11 AM, Tim Bannister wrote:
> On Wed, Aug 31, 2011 at 6:28 PM, Roy T. Fielding wrote:
>> On Aug 31, 2011, at 6:10 PM, William A. Rowe Jr. wrote:
>>> The presumption here is that the client requests bytes=0- to begin the
>>> transmission, and provided it sees a 206, restarting
On 9/1/2011 2:41 AM, "Plüm, Rüdiger, VF-Group" wrote:
>
>
>> -Original Message-
>> From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
>> Sent: Thursday, 1 September 2011 03:51
>> To: dev@httpd.apache.org
>> Subject: Re: Appropriate patches for 2.2.19 and 2.0.64?
>>
>> On 8/31/201
Hi Dirk,
On 31.08.2011 22:03, Dirk-WIllem van Gulik wrote:
Suggestion for
http://people.apache.org/~dirkx/CVE-2011-3192.txt
to be sent to announce and the usual security places.
> 4) Deploy a Range header count module as a temporary stopgap measure.
>An improved stop-gap modul
> -Original Message-
> From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
> Sent: Thursday, 1 September 2011 18:38
> To: dev@httpd.apache.org
> Subject: Re: svn commit: r1163918 -
> /httpd/httpd/trunk/modules/http/byterange_filter.c
>
> On 9/1/2011 1:30 AM, rpl...@apache.org wr
On 9/1/2011 1:30 AM, rpl...@apache.org wrote:
> Author: rpluem
> Date: Thu Sep 1 06:30:02 2011
> New Revision: 1163918
>
> URL: http://svn.apache.org/viewvc?rev=1163918&view=rev
> Log:
> * Fix error message
> --- httpd/httpd/trunk/modules/http/byterange_filter.c (original)
> +++ httpd/httpd/trun
> -Original Message-
> From: Joe Orton [mailto:jor...@redhat.com]
> Sent: Thursday, 1 September 2011 16:46
> To: Marcus Meissner
> Cc: dev@httpd.apache.org
> Subject: Re: CVE-2003-1418 - still affects apache 2 current
>
> On Thu, Sep 01, 2011 at 02:39:11PM +0200, Marcus Meissner wro
On Thu, Sep 1, 2011 at 11:16 AM, Ray Morris wrote:
> > this code has to run crazy fast and has lots of mileage on it.
> ...
> > OK given the stack-trace above it's hard for me to figure out
> > a path back from my module.
>
> Why not run the test without your new module loaded?
>
This is such an
On Thu, Sep 01, 2011 at 05:17:16PM +0200, Reindl Harald wrote:
..
> mtime -> well, is directly in the header -> Last-Modified
> size -> well, directly in the header -> Content-Length
> inode -> well, where is there any security implication?
I could not directly think of one.
The reason is just th
On 01.09.2011 17:09, Marcus Meissner wrote:
> On Thu, Sep 01, 2011 at 03:55:28PM +0100, Nick Kew wrote:
>> On Thu, 1 Sep 2011 16:36:24 +0200
>> Marcus Meissner wrote:
>>
>>
>>> This just md5s the inodenr, right?
>>>
>>> If yes, this is just obfuscation if you do not add some kind of random sal
> this code has to run crazy fast and has lots of mileage on it.
...
> OK given the stack-trace above it's hard for me to figure out
> a path back from my module.
Why not run the test without your new module loaded?
That seems like a far simpler and more reliable indication
of whether the issu
On Thu, Sep 01, 2011 at 03:55:28PM +0100, Nick Kew wrote:
> On Thu, 1 Sep 2011 16:36:24 +0200
> Marcus Meissner wrote:
>
>
> > This just md5s the inodenr, right?
> >
> > If yes, this is just obfuscation if you do not add some kind of random salt.
> >
> > (You can still just do
> > for (i=0
On Thu, 1 Sep 2011 16:36:24 +0200
Marcus Meissner wrote:
> This just md5s the inodenr, right?
>
> If yes, this is just obfuscation if you do not add some kind of random salt.
>
> (You can still just do
> for (i=0;i<...;i++) md5($i)
> and compare, including use of Rainbow Tables.)
Erm,
On Thu, Sep 01, 2011 at 02:39:11PM +0200, Marcus Meissner wrote:
> Hi,
>
> CVE-2003-1418, a minor security issue, is still affecting the current
> codebase.
>
> someone opened a tracker bug a year ago without feedback:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
>
> Do you have a
On Thu, Sep 01, 2011 at 03:30:57PM +0100, Nick Kew wrote:
> On Thu, 1 Sep 2011 14:39:11 +0200
> Marcus Meissner wrote:
>
> > Hi,
> >
> > CVE-2003-1418, a minor security issue, is still affecting the current
> > codebase.
> >
> > someone opened a tracker bug a year ago without feedback:
> > htt
On Thu, 1 Sep 2011 16:58:07 +0300
Yehezkel Horowitz wrote:
> Hello
>
> In case I don't want to support "Range" and "Request-Range" headers at all,
> would it be safe to remove those headers in the early processing hook?
>
> Something like:
> RequestHeader unset Range early
> RequestHeader unse
On Thu, 1 Sep 2011 14:39:11 +0200
Marcus Meissner wrote:
> Hi,
>
> CVE-2003-1418, a minor security issue, is still affecting the current
> codebase.
>
> someone opened a tracker bug a year ago without feedback:
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
I've just hacked up a s
Oh, also I should note that when I do my load-test with pool-debugging off,
all is well. The error_log has zero signals/aborts. The main reason I was
using pool-debug in the first place was to get better valgrind leak-checks.
But if this is just not compatible with Worker MPM I can stay with pool
d
Hello
In case I don't want to support "Range" and "Request-Range" headers at all,
would it be safe to remove those headers in the early processing hook?
Something like:
RequestHeader unset Range early
RequestHeader unset Request-Range early
I'm asking because the documentation of mod_headers re
On Sep 1, 2011, at 8:59 AM, Joe Orton wrote:
> On Thu, Sep 01, 2011 at 02:47:19PM +0200, "Plüm, Rüdiger, VF-Group" wrote:
If we rip it out, we should replace it with ap_assert()s. And maybe
only do it in 2.3?
>>>
>>> It would seem odd to have ENOTIMPL as a "fatal" error but other
>>>
Hi Ben,
Hmmm...don't know what happened to that subject line "po". Not what I meant
to type, obviously!
On Thu, Sep 1, 2011 at 8:14 AM, Ben Noordhuis wrote:
>
> That assertion is triggered when you add a string from pool A to a
> table in pool B where A is a child of B (adding headers from the
On Thu, Sep 01, 2011 at 02:47:19PM +0200, "Plüm, Rüdiger, VF-Group" wrote:
> > > If we rip it out, we should replace it with ap_assert()s. And maybe
> > > only do it in 2.3?
> >
> > It would seem odd to have ENOTIMPL as a "fatal" error but other
> > "real" errors non-fatal. *No* error should oc
On 1 Sep 2011, at 13:33, Jim Jagielski wrote:
>
> On Sep 1, 2011, at 6:31 AM, Plüm, Rüdiger, VF-Group wrote:
>> I already fixed that in trunk.
>> I think this regression justifies another release for 2.2.x. But IMHO we
>> should wait at least until
>> mid next week to see if other regressions c
> -Original Message-
> From: Joe Orton [mailto:jor...@redhat.com]
> Sent: Thursday, 1 September 2011 14:39
> To: dev@httpd.apache.org
> Subject: Re: non-splittable buckets (was: Regression with range fix)
>
> On Wed, Aug 31, 2011 at 11:08:51PM +0200, Stefan Fritsch wrote:
> > On Wed
On Wed, Aug 31, 2011 at 11:08:51PM +0200, Stefan Fritsch wrote:
> On Wednesday 31 August 2011, Jim Jagielski wrote:
> > >> Looking at the patch in 2.2.x; there is a lot of effort expended
> > >> dealing with apr_bucket_split() returning ENOTIMPL - that looks
> > >> unnecessary; the filter will onl
Hi,
CVE-2003-1418, a minor security issue, is still affecting the current codebase.
someone opened a tracker bug a year ago without feedback:
https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
Do you have a statement?
The Qualys security scanner detects and reports this issue and continue
On Sep 1, 2011, at 6:31 AM, Plüm, Rüdiger, VF-Group wrote:
> I already fixed that in trunk.
> I think this regression justifies another release for 2.2.x. But IMHO we
> should wait at least until
> mid next week to see if other regressions come thru and hit them all with a
> 2.2.21.
>
+1
On 1 Sep 2011, at 12:06, Ben Laurie wrote:
> On Wed, Aug 31, 2011 at 9:03 PM, Dirk-WIllem van Gulik
> wrote:
>> Suggestion for
>>
>>http://people.apache.org/~dirkx/CVE-2011-3192.txt
>
> You probably mean "deprecated" not "desecrated", amusing though that is.
>
Darn Functional MRI - th
On Wed, Aug 31, 2011 at 9:03 PM, Dirk-WIllem van Gulik
wrote:
> Suggestion for
>
> http://people.apache.org/~dirkx/CVE-2011-3192.txt
You probably mean "deprecated" not "desecrated", amusing though that is.
PR 51748 (https://issues.apache.org/bugzilla/show_bug.cgi?id=51748) is an IMHO
valid regression
in range behaviour (from the report):
Request and response sample in each versions.
= version 2.2.20
GET / HTTP/1.1
Host: localhost
Range: bytes=-1
HTTP/1.1 206 Partial Content
Server: Apache/2.2.
Is there anyone who has tested 2.2.19 with this patch?
2011/9/1 "Plüm, Rüdiger, VF-Group"
>
>
> > -Original Message-
> > From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
> > Sent: Thursday, 1 September 2011 03:51
> > To: dev@httpd.apache.org
> > Subject: Re: Appropriate patches
On Wed, Aug 31, 2011 at 6:28 PM, Roy T. Fielding wrote:
On Aug 31, 2011, at 6:10 PM, William A. Rowe Jr. wrote:
The presumption here is that the client requests bytes=0- to begin the
transmission, and provided it sees a 206, restarting somewhere in the
stream results in aborting the connection
> -Original Message-
> From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
> Sent: Thursday, 1 September 2011 03:51
> To: dev@httpd.apache.org
> Subject: Re: Appropriate patches for 2.2.19 and 2.0.64?
>
> On 8/31/2011 4:16 PM, William A. Rowe Jr. wrote:
> > I've attempted to simp
> -Original Message-
> From: Stefan Fritsch [mailto:s...@sfritsch.de]
> Sent: Wednesday, 31 August 2011 23:09
> To: dev@httpd.apache.org
> Subject: non-splittable buckets (was: Regression with range fix)
>
> On Wednesday 31 August 2011, Jim Jagielski wrote:
> > >> Looking at the patch