On 1/10/14, 5:38 AM, Jeff Trawick wrote:
> [ ] It is an accepted practice (but not required) to obscure or omit the
> vulnerability impact in CHANGES or commit log information when committing
> fixes for vulnerabilities to any branch.
>
> [ ] It is mandatory to provide best available descriptio
On Fri, 2014-01-10 at 08:38 -0500, Jeff Trawick wrote:
>
>
> [ X] It is mandatory to provide best available description and any
> available tracking information when committing fixes for
> vulnerabilities to any branch, delaying committing of the fix if the
> information shouldn't be provided ye
On 10/01/2014 14:38, Jeff Trawick wrote:
[ ] It is an accepted practice (but not required) to obscure or omit
the vulnerability impact in CHANGES or commit log information when
committing fixes for vulnerabilities to any branch.
[X] It is mandatory to provide best available description and
Also PR 55666, patches starting with
https://issues.apache.org/bugzilla/show_bug.cgi?id=55666#c12 have not
been reviewed/committed yet.
It's about mod_deflate input/output filters to be reentrant when
parsing zlib header, so to avoid "Zlib: Invalid header" or
"Insufficient data for inflate".
Regar
+1
in some cases, re-considering whether a used option is really needed
and disabling it may close a vulnerability; the admin only
needs to know that there is danger
On 10.01.2014 15:24, Jim Jagielski wrote:
> +1
> On Jan 10, 2014, at 8:44 AM, Jeff Trawick wrote:
>
>> [X] It is mandatory to provide best
Hello,
could http://svn.apache.org/r1538776 be considered for backport too (PR 55475)?
It's about mod_proxy to detect/handle incomplete (interrupted) backend
responses.
Regards,
Yann.
+1
On Jan 10, 2014, at 8:44 AM, Jeff Trawick wrote:
> [X] It is mandatory to provide best available description and any available
> tracking information when committing fixes for vulnerabilities to any branch,
> delaying committing of the fix if the information shouldn't be provided yet.
>
> -
From: Jeff Trawick [mailto:traw...@gmail.com]
Sent: Friday, 10 January 2014 14:39
To: Apache HTTP Server Development List
Subject: [VOTE] obscuring (or not) commit logs/CHANGES for fixes to
vulnerabilities
Open source projects, ASF or otherwise, have varying procedures for commits of
fixes
[X] It is mandatory to provide best available description and any available
tracking information when committing fixes for vulnerabilities to any
branch, delaying committing of the fix if the information shouldn't be
provided yet.
--/--
IMO it is not appropriate to let skilled attackers see a cod
Open source projects, ASF or otherwise, have varying procedures for commits
of fixes to vulnerabilities. One important aspect of these procedures is
whether or not fixes to vulnerabilities can be committed to a repository
with commit logs and possibly CHANGES entries which purposefully obscure
the
minf...@apache.org wrote:
> Author: minfrin
> Date: Mon Dec 30 19:50:52 2013
> New Revision: 1554300
>
> URL: http://svn.apache.org/r1554300
> Log:
> core: Support named groups and backreferences within the LocationMatch,
> DirectoryMatch, FilesMatch and ProxyMatch directives.
>
> Modified:
>
j...@apache.org wrote:
> Author: jim
> Date: Thu Jan 9 14:28:39 2014
> New Revision: 1556815
>
> URL: http://svn.apache.org/r1556815
> Log:
> Merge r1524368, r1524388 from trunk:
>
> Use apr_socket_timeout_get instead of hard-coded 30 seconds timeout.
>
>
> Use apr_socket_timeout_get instead