-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Montag, 19. März 2012 15:31
To: dev@httpd.apache.org
Subject: Re: svn commit: r1302444 - in /httpd/httpd/trunk: CHANGES
modules/proxy/mod_proxy.c
On Mar 19, 2012, at 9:53 AM, rpl...@apache.org wrote:
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Freitag, 16. März 2012 12:55
To: dev@httpd.apache.org
Subject: printing r->filename for access denied errors
Seems like IRC users are often confused that permission denied errors
include the URI only and not
-Original Message-
From: Nick Kew
Sent: Freitag, 16. März 2012 14:50
To: dev@httpd.apache.org
Subject: Re: printing r->filename for access denied errors
On Fri, 16 Mar 2012 07:54:37 -0400
Eric Covener cove...@gmail.com wrote:
Seems like IRC users are often confused that
Sounds reasonable.
-Original Message-
From: Jeff Trawick [mailto:traw...@gmail.com]
Sent: Dienstag, 6. März 2012 14:37
To: dev@httpd.apache.org
Subject: Re: httpd 2.4.1 and mod_slotmem_shm / mod_proxy_balancer
(AH01179)
On Tue, Mar 6, 2012 at 7:56 AM, Jim Jagielski
The files that you see in strace are not mutex files. Hence the mutex directive
cannot
work here. The correct fix would be IMHO another directive (either for
mod_proxy or better
for mod_proxy_balancer) to allow defining a directory where these shared memory
files should be created.
Regards
:-)
-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Montag, 13. Februar 2012 08:20
To: dev@httpd.apache.org
Subject: Re: Intent to TR 2.4.1
Lame mathematician joke: 2.4 at 2^4 (16th Apache birthday).
Regards,
Rainer
--enable-mpms-shared=all \
will not work with 2.2. Only 2.4 and up.
With 2.2 you still need - --with-mpm=worker
Regards
Rüdiger
From: Michael Felt [mailto:mamf...@gmail.com]
Sent: Mittwoch, 8. Februar 2012 15:08
To: dev@httpd.apache.org; packag...@httpd.apache.org
-Original Message-
From: Dr Stephen Henson [mailto:shen...@opensslfoundation.com]
Sent: Donnerstag, 2. Februar 2012 15:14
To: dev@httpd.apache.org
Subject: OpenSSL configuration and mod_ssl
Guys,
It has been apparent for some time that mod_ssl (and other applications)
require
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Donnerstag, 2. Februar 2012 15:54
To: dev@httpd.apache.org
Subject: [VOTE] Bundle apr/apu with 2.4.x
I'm calling a vote to get consensus on whether we should continue
to bundle apr/apu with httpd 2.4.x.
Never mind. I just saw that it was done in r1238833.
Regards
Rüdiger
-Original Message-
From: Rüdiger Plüm [mailto:ruediger.pl...@vodafone.com]
Sent: Mittwoch, 1. Februar 2012 09:43
To: dev@httpd.apache.org
Subject: Fwd: svn commit: r1238824 - in /httpd/httpd/branches/2.4.x: ./
-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Dienstag, 31. Januar 2012 17:37
To: dev@httpd.apache.org
Subject: Re: Questions on open ports between trunk and 2.4.x
On 31.01.2012 17:17, Graham Leggett wrote:
On 31 Jan 2012, at 5:43 PM, Rainer Jung
-Original Message-
From: Joe Orton [mailto:jor...@redhat.com]
Sent: Mittwoch, 23. November 2011 15:23
To: dev@httpd.apache.org
Subject: [RFC] further proxy/rewrite URL validation security
issue (CVE-2011-4317)
Prutha Parikh from Qualys reported a variant on the
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Samstag, 19. November 2011 03:37
To: dev@httpd.apache.org
Subject: Re: [Vote] .htaccess logic abuse
On Friday 18 November 2011, William A. Rowe Jr. wrote:
Resource abuse of an .htaccess config in the form
-Original Message-
From: Steffen [mailto:i...@apachelounge.com]
Sent: Montag, 21. November 2011 11:50
To: dev@httpd.apache.org
Subject: Win 2.3.15 :: The timeout specified has expired
Observing that the error.log is filling with [http:error]
lines, never seen
with 2.2:
The patch is fine on trunk because the affected code is not within
AP_DECLARE(char *) ap_pregsub(...)
but within
static apr_status_t regsub_core(apr_pool_t *p, char **result,
struct ap_varbuf *vb, const char *input,
const char
mod_ssl is part of Apache Http Server 2.0.x and up. Just open a report in
bugzilla and attach the patch as a proposed enhancement.
Further discussion on this patch might happen there or here (depending on the
contents of the discussion).
Regards
Rüdiger
+1
Regards
Rüdiger
-Original Message-
From: William A. Rowe Jr.
Sent: Freitag, 11. November 2011 17:49
To: dev@httpd.apache.org
Subject: [VOTE] Formal deprecation of 2.0.x branch
Stealing a plan executed by Colm for 1.3, I'd like to propose that
we set a two week window
I don't think that this has something to do with AliasMatch. Most likely this
is caused by reading the file that should be delivered into some request pool
backed
memory in order to write it to the cache. If you don't cache the file it is
probably not read by httpd but transported via a
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Dienstag, 8. November 2011 03:15
To: dev@httpd.apache.org
Subject: Re: Fwd: svn commit: r1197405 - in
/httpd/httpd/trunk: CHANGES docs/manual/upgrading.xml
modules/filters/mod_substitute.c
On Sun, 6 Nov
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Donnerstag, 3. November 2011 12:53
To: dev@httpd.apache.org
Subject: Re: prefetch proxy
On Nov 2, 2011, at 7:40 AM, Plüm, Rüdiger, VF-Group wrote:
I think a timeout should be handled like it is now
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Mittwoch, 2. November 2011 12:22
To: dev@httpd.apache.org
Subject: Re: prefetch proxy
On Nov 2, 2011, at 5:44 AM, Rüdiger Plüm wrote:
On 01.11.2011 21:23, Jim Jagielski wrote:
In
Can you please check if the following patch fixes this issue?
Index: protocol.c
===
--- protocol.c (revision 1181036)
+++ protocol.c (working copy)
@@ -672,6 +672,7 @@
r-hostname = NULL;
r-status =
to our 2.2.12 codebase (attached) and my testcase
now correctly reports a 400 from the testserver when
doing
GET @www.suse.de/foo.png
as request.
Ciao, Marcus
On Tue, Oct 25, 2011 at 02:49:08PM +0200, Plüm, Rüdiger,
VF-Group wrote:
Can you please check if the following patch fixes
that
was changed in r1100200 and hence changed since 2.2.18.
Regards
Rüdiger
-Original Message-
From: Plüm, Rüdiger, VF-Group [mailto:ruediger.pl...@vodafone.com]
Sent: Dienstag, 25. Oktober 2011 17:58
To: dev@httpd.apache.org
Subject: RE: CVE-2011-3368 not fully fixed?
Thanks
-Original Message-
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
Sent: Dienstag, 25. Oktober 2011 18:44
To: dev@httpd.apache.org
Subject: Re: CVE-2011-3368 not fully fixed?
On 10/25/2011 11:21 AM, Plüm, Rüdiger, VF-Group wrote:
I did some further analysis. While
-Original Message-
From: Plüm, Rüdiger, VF-Group [mailto:ruediger.pl...@vodafone.com]
Sent: Dienstag, 25. Oktober 2011 18:48
To: dev@httpd.apache.org
Subject: RE: CVE-2011-3368 not fully fixed?
-Original Message-
From: William A. Rowe Jr. [mailto:wr...@rowe
-Original Message-
From: Nick Kew [mailto:n...@webthing.com]
Sent: Freitag, 14. Oktober 2011 10:45
To: dev@httpd.apache.org
Subject: Re: mod_proxy_html
On 14 Oct 2011, at 07:55, jean-frederic clere wrote:
I think I prefer it in 2.4 than in a separate module.
OK, there
-Original Message-
From: Igor Galić [mailto:i.ga...@brainsware.org]
Sent: Mittwoch, 5. Oktober 2011 16:51
To: dev
Subject: ap_log_error wants a string literal in mod_lua
Hey folks,
When trunk with (hardened) gcc 4.6 on Ubuntu beta, I get:
lua_config.c: In function
Basically this behaviour is a design decision. If we run out of memory, then:
SEGFAULT, when such a NULL pointer is used.
Regards
Rüdiger
From: narayana.na...@thomsonreuters.com
[mailto:narayana.na...@thomsonreuters.com]
Sent: Freitag, 30.
Anyone time for remote eyes if my findings are correct or wrong?
Regards
Rüdiger
-Original Message-
From: Ruediger Pluem
Sent: Mittwoch, 28. September 2011 08:29
To: dev@httpd.apache.org
Subject: Re: svn commit: r1176019 - in /httpd/httpd/trunk:
CHANGES
, Rüdiger, VF-Group wrote:
Anyone time for remote eyes if my findings are correct or wrong?
I did only locally check the scratch and fbytes stuff, but I agree, it
must be
Index: modules/filters/mod_substitute.c
-Original Message-
From: Rainer Jung
Sent: Donnerstag, 29. September 2011 16:32
To: dev@httpd.apache.org
Subject: Improving SSL config
In light of the TLS 1.0 CBC attack (aka BEAST, CVE-2011-3389)
I suggest
we update our SSL configuration analogous to what's in trunk.
-
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Dienstag, 27. September 2011 13:21
To: dev@httpd.apache.org
Cc: c...@httpd.apache.org
Subject: Re: svn commit: r1176254 - /httpd/httpd/branches/2.2.x/STATUS
Fixed... Thx!
Hm.
Ok. Looks like the cache issue fixed itself now.
Regards
Rüdiger
-Original Message-
From: Plüm, Rüdiger, VF-Group [mailto:ruediger.pl...@vodafone.com]
Sent: Dienstag, 27. September 2011 14:04
To: dev@httpd.apache.org
Cc: c...@httpd.apache.org
Subject: RE: svn commit: r1176254
-Original Message-
From: Jim Jagielski
Sent: Dienstag, 27. September 2011 16:48
To: dev@httpd.apache.org
Cc: c...@httpd.apache.org
Subject: Re: svn commit: r1176351 - /httpd/httpd/branches/2.2.x/STATUS
done and done and done :)
Really :-)? I just downloaded the proposed
-Original Message-
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Montag, 26. September 2011 17:47
To: dev@httpd.apache.org
Subject: Re: httpd 2.0.65 - when?
On 26.09.2011 17:35, Jim Jagielski wrote:
All looks good... testing passes w/ no regressions so I'll
-Original Message-
From: William A. Rowe Jr.
Sent: Montag, 26. September 2011 18:13
To: dev@httpd.apache.org
Subject: Re: httpd 2.0.65 - when?
On 9/26/2011 10:46 AM, Rainer Jung wrote:
On 26.09.2011 17:35, Jim Jagielski wrote:
All looks good... testing passes w/ no
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Montag, 26. September 2011 18:30
To: dev@httpd.apache.org
Subject: Re: httpd 2.0.65 - when?
On Monday 26 September 2011, Plüm, Rüdiger, VF-Group wrote:
Agreed, if people decide our handling of range 0
-Original Message-
From: Kaspar Brand
Sent: Freitag, 23. September 2011 17:07
To: dev@httpd.apache.org
Subject: Re: svn commit: r1172010 -
/httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
Maybe I'm somewhat confused by what Apache Group is
actually referring
to here - I
ServerName/ServerAlias doesn't work
Hi Rüdiger,
On 08/23/2011 12:25 PM CEST +02:00, Plüm, Rüdiger, VF-Group wrote:
IMHO the patch does not solve the issue mentioned in the comment
and is not needed.
Keep in mind the difference between ap_matches_request_vhost and
check_host_alias
-Original Message-
From: Joe Orton
Sent: Donnerstag, 8. September 2011 14:16
To: dev@httpd.apache.org
Subject: Re: svn commit: r1166551 -
/httpd/httpd/trunk/modules/proxy/mod_proxy_ajp.c
On Thu, Sep 08, 2011 at 07:45:40AM -, Jean-Frederic Clere wrote:
---
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Dienstag, 6. September 2011 13:34
To: dev@httpd.apache.org
Subject: MaxRanges
From the code, MaxRanges 0 means unlimited...
Is that what we want? I can envision some use-cases where
an admin may want to
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Dienstag, 6. September 2011 14:09
To: dev@httpd.apache.org
Subject: Re: MaxRanges
On Tue, Sep 6, 2011 at 7:34 AM, Jim Jagielski j...@jagunet.com wrote:
From the code, MaxRanges 0 means unlimited...
Is
-Original Message-
From: Jeff Trawick [mailto:traw...@gmail.com]
Sent: Sonntag, 4. September 2011 17:30
To: Apache HTTP Server Development List
Subject: next steps for range fix in 2.2.x
Can anyone fill in any details for the following?
1. Any known regressions not yet fixed
-Original Message-
From: Joe Orton [mailto:jor...@redhat.com]
Sent: Montag, 5. September 2011 15:21
To: dev@httpd.apache.org
Cc: tho...@redhat.com
Subject: Re: CVE-2003-1418 - still affects apache 2 current
On Thu, Sep 01, 2011 at 06:27:35PM +0200, Plüm, Rüdiger,
VF-Group
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Freitag, 2. September 2011 15:43
To: dev@httpd.apache.org
Subject: Re: svn commit: r1163833 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
On Sep 1, 2011, at 2:44 PM, Roy T. Fielding wrote:
On
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Mittwoch, 31. August 2011 23:09
To: dev@httpd.apache.org
Subject: non-splittable buckets (was: Regression with range fix)
On Wednesday 31 August 2011, Jim Jagielski wrote:
Looking at the patch in 2.2.x;
-Original Message-
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
Sent: Donnerstag, 1. September 2011 03:51
To: dev@httpd.apache.org
Subject: Re: Appropriate patches for 2.2.19 and 2.0.64?
On 8/31/2011 4:16 PM, William A. Rowe Jr. wrote:
I've attempted to simply
PR 51748 (https://issues.apache.org/bugzilla/show_bug.cgi?id=51748) is an IMHO
valid regression
in range behaviour (from the report):
Request and response sample in each versions.
= version 2.2.20
GET / HTTP/1.1
Host: localhost
Range: bytes=-1
HTTP/1.1 206 Partial Content
Server:
-Original Message-
From: Joe Orton [mailto:jor...@redhat.com]
Sent: Donnerstag, 1. September 2011 14:39
To: dev@httpd.apache.org
Subject: Re: non-splittable buckets (was: Regression with range fix)
On Wed, Aug 31, 2011 at 11:08:51PM +0200, Stefan Fritsch wrote:
On Wednesday
-Original Message-
From: Joe Orton [mailto:jor...@redhat.com]
Sent: Donnerstag, 1. September 2011 16:46
To: Marcus Meissner
Cc: dev@httpd.apache.org
Subject: Re: CVE-2003-1418 - still affects apache 2 current
On Thu, Sep 01, 2011 at 02:39:11PM +0200, Marcus Meissner wrote:
-Original Message-
From: William A. Rowe Jr. [mailto:wr...@rowe-clan.net]
Sent: Donnerstag, 1. September 2011 18:38
To: dev@httpd.apache.org
Subject: Re: svn commit: r1163918 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
On 9/1/2011 1:30 AM, rpl...@apache.org wrote:
-Original Message-
From: Joe Orton [mailto:jor...@redhat.com]
Sent: Mittwoch, 31. August 2011 11:13
To: dev@httpd.apache.org
Subject: Re: Regression with range fix
On Tue, Aug 30, 2011 at 08:51:55PM +0200, Stefan Fritsch wrote:
The first regression report, though slightly too
-Original Message-
From: Steffen [mailto:i...@apachelounge.com]
Sent: Tuesday, August 30, 2011 2:57 PM
To: dev@httpd.apache.org
Subject: Re: [VOTE] httpd-2.2.20 tarballs
All looks fine on Windows +1
Download for testing available www.apachelounge.com
btw.
warning C4244: 'function' :
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Sonntag, 28. August 2011 23:36
To: dev@httpd.apache.org
Subject: Re: svn commit: r1162579 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
On Sun, 28 Aug 2011, s...@apache.org wrote:
Author: sf
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Montag, 29. August 2011 09:45
To: dev@httpd.apache.org
Subject: Re: svn commit: r1162579 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
On Sunday 28 August 2011, Stefan Fritsch wrote:
This is
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Montag, 29. August 2011 17:03
To: dev@httpd.apache.org
Subject: Re: 2.2 approach for byterange; please review
On Monday 29 August 2011, Jim Jagielski wrote:
I propose we add the cheap brigade copy +
From: Greg Ames [mailto:ames.g...@gmail.com]
Sent: Montag, 29. August 2011 17:32
To: dev@httpd.apache.org
Subject: Re: 2.2 approach for byterange?
On Sun, Aug 28, 2011 at 4:22 PM, Stefan Fritsch
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Montag, 29. August 2011 17:43
To: dev@httpd.apache.org
Subject: RE: 2.2 approach for byterange?
On Mon, 29 Aug 2011, Plüm, Rüdiger, VF-Group wrote:
Sent: Montag, 29. August 2011 17:32
To: dev
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Montag, 29. August 2011 18:00
To: dev@httpd.apache.org
Subject: Re: svn commit: r1162881 -
/httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c
On Mon, 29 Aug 2011, j...@apache.org wrote:
I am fine with this on 2.2.x. +1.
Regards
Rüdiger
-Original Message-
From: Jim Jagielski [mailto:j...@apache.org]
Sent: Montag, 29. August 2011 18:22
To: dev@httpd.apache.org
Subject: Re: svn commit: r1162881 -
/httpd/httpd/branches/2.2.x/modules/http/byterange_filter.c
Do
Below comments make sense to me.
We should pick this up.
Regards
Rüdiger
-Original Message-
From: Dirk-Willem van Gulik
Sent: Freitag, 26. August 2011 13:35
To: dev@httpd.apache.org
Subject: Advisory improvement
From the Full Disclosure list. Does anyone have time to
confirm
-Original Message-
From: Jim Jagielski
Sent: Freitag, 26. August 2011 13:38
To: dev@httpd.apache.org
Subject: Re: svn commit: r1161661 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
I still think that your version is wrong wrong wrong and am
tempted to veto it.
It
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Freitag, 26. August 2011 13:49
To: dev@httpd.apache.org
Subject: Re: svn commit: r1161661 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
On Aug 26, 2011, at 2:50 AM, Ruediger Pluem wrote:
I
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Freitag, 26. August 2011 14:38
To: dev@httpd.apache.org
Subject: Re: svn commit: r1161661 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
On Aug 26, 2011, at 8:31 AM, Jim Jagielski wrote:
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Freitag, 26. August 2011 14:56
To: dev@httpd.apache.org
Subject: Re: svn commit: r1161661 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
On Aug 26, 2011, at 8:46 AM, Plüm, Rüdiger, VF-Group wrote
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Freitag, 26. August 2011 15:41
To: dev@httpd.apache.org
Subject: Re: svn commit: r1161661 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
On Fri, August 26, 2011 14:38, Jim Jagielski wrote:
On
-Original Message-
From: Jim Jagielski [mailto:j...@apache.org]
Sent: Freitag, 26. August 2011 16:27
To: dev@httpd.apache.org
Subject: Re: svn commit: r1161661 -
/httpd/httpd/trunk/modules/http/byterange_filter.c
I guess we can do both: Count the ',' and give the number
IMHO commit and let it be fixed in trunk.
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Freitag, 26. August 2011 16:34
To: dev@httpd.apache.org
Subject: PoC ready
Should I commit or post?
-Original Message-
From: Plüm, Rüdiger, VF-Group [mailto:ruediger.pl...@vodafone.com]
Sent: Freitag, 26. August 2011 16:38
To: dev@httpd.apache.org
Subject: RE: PoC ready
IMHO commit and let it be fixed in trunk.
I mean improved :-).
Not to imply your code has errors
I guess this should catch cases where you have overlapping or adjacent ranges
next to each other but in the wrong order,
so e.g.
2000-3000,1000-2000
or
2000-3000,1500-2500
But I think this check is currently wrong as you point out. Currently not sure
how to fix it.
Regards
Rüdiger
I think the
+if (in_merge) {
+overlaps++;
+continue;
+} else {
+new = (char **)apr_array_push(merged);
+*new = apr_psprintf(r-pool, % APR_OFF_T_FMT -% APR_OFF_T_FMT,
+ostart, oend);
+
@@ -252,6 +205,9 @@
off_last += start64 - off_first;
copy = out_first;
}
+else {
+APR_BRIGADE_INSERT_TAIL(bbout, copy);
+}
if (end64 - off_last != (apr_uint64_t)e-length) {
rv =
-Original Message-
From: Stefan Fritsch
Sent: Donnerstag, 25. August 2011 08:21
To: dev@httpd.apache.org
Subject: Re: DoS with mod_deflate range requests
On Thursday 25 August 2011, Jim Jagielski wrote:
OK then... we seem to be coalescing into some consensus here...
-Original Message-
From: Stefan Fritsch
Sent: Donnerstag, 25. August 2011 01:39
To: dev@httpd.apache.org
Subject: Re: Fixing Ranges
On Thursday 25 August 2011, Greg Ames wrote:
On Wed, Aug 24, 2011 at 5:16 PM, Stefan Fritsch s...@sfritsch.de
wrote:
I have another idea:
+1
Regards
Rüdiger
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Donnerstag, 25. August 2011 14:13
To: dev@httpd.apache.org
Subject: Re: Next update on CVE-2011-3192
I have a feeling that we could push this out today...
I'm going to fold Stefan's
+1 for 2.3, -0 for 2.2. I guess for 2.2 we should only detect misuse (the
definition of misuse
needs to be configurable) and reply with a 200 if misuse is detected.
misuse would be
- too many ranges [Let the number be configurable with a sane default e.g. 100
and a possible setting of 0 for
-Original Message-
From: Stefan Fritsch
Sent: Mittwoch, 24. August 2011 00:28
To: dev@httpd.apache.org
Subject: Re: DoS with mod_deflate range requests
On Tuesday 23 August 2011, William A. Rowe Jr. wrote:
On 8/23/2011 4:00 PM, Greg Ames wrote:
On Tue, Aug 23, 2011 at
-Original Message-
From: NormW [mailto:no...@gknw.net]
Sent: Mittwoch, 24. August 2011 10:12
To: dev@httpd.apache.org
Subject: CT oops?
G/E,
httpd-trunk\modules\ssl\ssl_engine_config.c (164):
mctx->pkp->cert_file = NULL;
mctx->pkp->cert_path = NULL;
-Original Message-
From: Dirk-Willem van Gulik
Sent: Mittwoch, 24. August 2011 13:33
To: dev@httpd.apache.org
Subject: Mitigation Range header (Was: DoS with mod_deflate
range requests)
Folks,
This issue is now active in the wild. So some unified/simple
comms is needed.
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Mittwoch, 24. August 2011 14:05
To: dev@httpd.apache.org
Subject: Re: Mitigation Range header (Was: DoS with
mod_deflate range requests)
On Wed, Aug 24, 2011 at 7:57 AM, Plüm, Rüdiger, VF-Group
-Original Message-
From: Dirk-Willem van Gulik [mailto:di...@webweaving.org]
Sent: Mittwoch, 24. August 2011 14:14
To: dev@httpd.apache.org
Subject: Re: Mitigation Range header (Was: DoS with
mod_deflate range requests)
On 24 Aug 2011, at 12:57, Plüm, Rüdiger, VF-Group
-Original Message-
From: Dirk-WIllem van Gulik [mailto:di...@webweaving.org]
Sent: Mittwoch, 24. August 2011 14:40
To: dev@httpd.apache.org
Cc: Plüm, Rüdiger, VF-Group
Subject: Re: Mitigation Range header
On 24 Aug 2011, at 13:22, Florian Weimer wrote:
* Plüm, Rüdiger
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Mittwoch, 24. August 2011 14:59
To: dev@httpd.apache.org
Subject: Re: Mitigation Range header (Was: DoS with
mod_deflate range requests)
Of course it should have been:
RewriteCond %{HTTP:range}
Reverse the order a little bit:
2), 3), 1) (as 1) is likely to break the most things compared to 2) and 3))
Regarding 2) see the ongoing discussion between Eric and me to find the correct
expression.
Regards
Rüdiger
-Original Message-
From: Dirk-WIllem van Gulik
Sent: Mittwoch,
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Mittwoch, 24. August 2011 15:29
To: dev@httpd.apache.org
Subject: Re: CVE-2011-3192: Range header DoS vulnerability in
Apache 1.3 and Apache 2 (DRAFT-3)
On Wed, Aug 24, 2011 at 9:17 AM, Eric Covener
From: Greg Ames Sent: Mittwoch, 24. August 2011 16:05
To: dev@httpd.apache.org
Subject: Re: Mitigation Range header
On Wed, Aug 24, 2011 at 9:01 AM, Plüm, Rüdiger, VF-Group
ruediger.pl...@vodafone.com wrote
-Original Message-
From: Dirk-Willem van Gulik [mailto:di...@webweaving.org]
Sent: Mittwoch, 24. August 2011 16:36
To: dev@httpd.apache.org
Subject: VOTES please -- CVE-2011-3192: Range header DoS
vulnerability in Apache 1.3 and Apache 2 (Final-5)
Folks,
Can I have a few
-Original Message-
From: Dirk-Willem van Gulik [mailto:dirk-willem.van.gu...@bbc.co.uk]
Sent: Mittwoch, 24. August 2011 17:46
To: dev@httpd.apache.org
Subject: Re: DoS with mod_deflate range requests
On 24 Aug 2011, at 16:35, Tim Bannister wrote:
On Tue, Aug 23, 2011,
-Original Message-
From: Jim Jagielski [mailto:j...@jagunet.com]
Sent: Mittwoch, 24. August 2011 17:48
To: dev@httpd.apache.org
Subject: Re: DoS with mod_deflate range requests
On Aug 24, 2011, at 4:05 AM, Plüm, Rüdiger, VF-Group wrote:
Patch looks good, but some
...
But merging might require sorting...
If not, then some sort of runtime limit on the number of allowable
ranges plus a 416 w/ overlapping ranges makes the most sense.
On Aug 24, 2011, at 11:55 AM, Plüm, Rüdiger, VF-Group wrote:
Hm. If I got it right what Roy says above about the spec
sorting
From: Greg Ames [mailto:ames.g...@gmail.com]
Sent: Mittwoch, 24. August 2011 18:20
To: dev@httpd.apache.org
Subject: Re: Mitigation Range header
On Wed, Aug 24, 2011 at 10:33 AM, Plüm, Rüdiger, VF
-Original Message-
From: Micha Lenk [mailto:mi...@lenk.info]
Sent: Dienstag, 23. August 2011 12:08
To: dev@httpd.apache.org
Subject: Re: With IP address in Host: header
ServerName/ServerAlias doesn't work
Hi,
On 08/23/2011 10:42 AM CEST +02:00, Micha Lenk wrote:
However,
-Original Message-
From: Stefan Fritsch [mailto:s...@sfritsch.de]
Sent: Dienstag, 23. August 2011 13:09
To: dev@httpd.apache.org
Subject: DoS with mod_deflate range requests
http://seclists.org/fulldisclosure/2011/Aug/175
I haven't looked into it so far. And I am not sure I
-Original Message-
From: Micha Lenk [mailto:mi...@lenk.info]
Sent: Montag, 22. August 2011 14:19
To: dev@httpd.apache.org
Subject: Re: [PATCH 51489] ProxyPassReverse issue + patch
Hi Ruediger,
sorry, things piled up recently...
On 07/13/2011 06:36 PM CEST +02:00, Ruediger
-Original Message-
From: Micha Lenk
Sent: Montag, 22. August 2011 18:10
To: dev@httpd.apache.org
Subject: With IP address in Host: header
ServerName/ServerAlias doesn't work
Do you agree that this is something that needs to be fixed?
If yes I could start to work on a
-Original Message-
From: Micha Lenk [mailto:mi...@lenk.info]
Sent: Montag, 22. August 2011 18:27
To: dev@httpd.apache.org
Subject: Re: With IP address in Host: header
ServerName/ServerAlias doesn't work
Hi Ruediger,
On 08/22/2011 06:16 PM CEST +02:00, Plüm, Rüdiger, VF
IMHO it can be re-signed in place since we do not touch the release artifacts
themselves.
But as Bill did the release IMHO he should re-sign the release to be consistent
with the
other metadata of this release (e.g. the creator of the 2.2.19 tag).
Regards
Rüdiger
-Original Message-
From:
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
Sent: Donnerstag, 11. August 2011 15:19
To: dev@httpd.apache.org
Subject: Re: Half-baked subprojects
Would I be right in assuming apreq maintenance straddles httpd
and mod_perl folks, and you are around on this
Can you please try if the following patch fixes your issue?
Index: mod_proxy_ajp.c
===
--- mod_proxy_ajp.c (revision 1150558)
+++ mod_proxy_ajp.c (working copy)
@@ -506,16 +506,18 @@
if (bb_len !=
1 - 100 of 496 matches