Re: Next update

2011-09-01 Thread Guenter Knauf
Hi Dirk, On 31.08.2011 22:03, Dirk-WIllem van Gulik wrote: Suggestion for http://people.apache.org/~dirkx/CVE-2011-3192.txt to be sent to announce and the usual security places. > 4) Deploy a Range header count module as a temporary stopgap measure. > An improved stop-gap modul

Re: Next update

2011-09-01 Thread Dirk-Willem van Gulik
On 1 Sep 2011, at 12:06, Ben Laurie wrote: > On Wed, Aug 31, 2011 at 9:03 PM, Dirk-WIllem van Gulik > wrote: >> Suggestion for >> >>http://people.apache.org/~dirkx/CVE-2011-3192.txt > > You probably mean "deprecated" not "desecrated", amusing though that is. > Darn Functional MRI - th

Re: Next update

2011-09-01 Thread Ben Laurie
On Wed, Aug 31, 2011 at 9:03 PM, Dirk-WIllem van Gulik wrote: > Suggestion for > > http://people.apache.org/~dirkx/CVE-2011-3192.txt You probably mean "deprecated" not "desecrated", amusing though that is.

Re: Next update

2011-08-31 Thread Dirk-WIllem van Gulik
On 31 Aug 2011, at 21:03, Dirk-WIllem van Gulik wrote: > Suggestion for > > http://people.apache.org/~dirkx/CVE-2011-3192.txt > > to be sent to announce and the usual security places. > > -> Comments on weaken/strengthen 1.3 text > > Happy to completely recant that it was vulne

Re: Next update

2011-08-31 Thread Dirk-WIllem van Gulik
Suggestion for http://people.apache.org/~dirkx/CVE-2011-3192.txt to be sent to announce and the usual security places. -> Comments on weaken/strengthen 1.3 text Happy to completely recant that it was vulnerable. Or happy to keep a bit of a warning in there. -> Lots o

Re: Next update

2011-08-31 Thread Dirk-WIllem van Gulik
On 26 Aug 2011, at 18:05, William A. Rowe Jr. wrote: > On 8/26/2011 11:41 AM, Eric Covener wrote: >> Should we bump the "5"'s in the draft advisory and/or code to a more >> liberal #? At the very least for the 2.0 rewrite solution that will >> return forbidden instead of full content? > > Can w

Re: Next update

2011-08-31 Thread Dirk-WIllem van Gulik
On 31 Aug 2011, at 18:20, William A. Rowe Jr. wrote: > Note some additional improvements for a 'final' update 3 advisory… Ack! Draft coming in half an hour or so, Dw.

Re: Next update

2011-08-31 Thread Sander Temme
On Aug 31, 2011, at 7:20 AM, William A. Rowe Jr. wrote: > We must advise that 1.3 is not affected, per our further research, > although we can note that the default configuration (MaxClients etc) > may already be inappropriate in any number of distributions, and > remind administrators to tune th

Re: Next update

2011-08-31 Thread William A. Rowe Jr.
Note some additional improvements for a 'final' update 3 advisory... We ought to mention that mod_header or mod_rewrite and mod_setenvif are required for their respective workarounds, this apparently confuses some beginning users. We ought to mention that backend/application servers are not prote

Re: Next update

2011-08-26 Thread William A. Rowe Jr.
On 8/26/2011 11:41 AM, Eric Covener wrote: > Should we bump the "5"'s in the draft advisory and/or code to a more > liberal #? At the very least for the 2.0 rewrite solution that will > return forbidden instead of full content? Can we please avoid sending more advisories without a canonical link

Re: Next update

2011-08-26 Thread Eric Covener
Should we bump the "5"'s in the draft advisory and/or code to a more liberal #? At the very least for the 2.0 rewrite solution that will return forbidden instead of full content?

Re: Next update

2011-08-26 Thread Dirk-Willem van Gulik
On 26 aug. 2011, at 18:35, Guenter Knauf wrote: > Hi Dirk, > On 26.08.2011 12:44, Dirk-Willem van Gulik wrote: >> 4) Deploy a Range header count module as a temporary stopgap measure: >> >> http://people.apache.org/~dirkx/mod_rangecnt.c > you have a c&p error for the 1.3.x part: > > --- mo

Re: Next update

2011-08-26 Thread Guenter Knauf
Hi Dirk, On 26.08.2011 12:44, Dirk-Willem van Gulik wrote: 4) Deploy a Range header count module as a temporary stopgap measure: http://people.apache.org/~dirkx/mod_rangecnt.c you have a c&p error for the 1.3.x part: --- mod_rangecnt.c.orig Fri Aug 26 18:30:08 2011 +++ mod_rangecnt.c

Re: Next update

2011-08-26 Thread Dirk-Willem van Gulik
On 26 aug. 2011, at 10:47, Dirk-Willem van Gulik wrote: > Folks - as we're not quite there yet - I want to send out an updated > advisory at 11:00 UTC. We have enough new information and extra mitigations. > Will post the draft(s) to security@ this time. Apologies for the rush and blindsiding

Next update

2011-08-26 Thread Dirk-Willem van Gulik
Folks - as we're not quite there yet - I want to send out an updated advisory at 11:00 UTC. We have enough new information and extra mitigations. Will post the draft(s) to security@ this time. Secondly - I got below updates to the regex-es; to optimise the pcre expressions and remove the exha

Re: CVE-2011-3192 - NeXT update ?

2011-08-25 Thread Stefan Fritsch
On Thursday 25 August 2011, Stefan Fritsch wrote: > On Thursday 25 August 2011, Dirk-WIllem van Gulik wrote: > > Folks, > > > > What is wisdom? We have an updated version at > > people.apache.org/CVE-2011-3192.txt. > > > > I'd say, let's send this off today if we expect the full patch to > > take an

Re: CVE-2011-3192 - NeXT update ?

2011-08-25 Thread Stefan Fritsch
On Thursday 25 August 2011, Dirk-WIllem van Gulik wrote: > Folks, > > What is wisdom? We have an updated version at > people.apache.org/CVE-2011-3192.txt. > > I'd say, let's send this off today if we expect the full patch to take > another 24+ hours. As there is a need for the improved mitigations >

CVE-2011-3192 - NeXT update ?

2011-08-25 Thread Dirk-WIllem van Gulik
Folks, What is wisdom? We have an updated version at people.apache.org/CVE-2011-3192.txt. I'd say, let's send this off today if we expect the full patch to take another 24+ hours. As there is a need for the improved mitigations. And otherwise skip it and go to final ASAP? What is your take? T

RE: Next update on CVE-2011-3192

2011-08-25 Thread Plüm, Rüdiger, VF-Group
+1 Regards Rüdiger > -Original Message- > From: Jim Jagielski [mailto:j...@jagunet.com] > Sent: Thursday, 25 August 2011 14:13 > To: dev@httpd.apache.org > Subject: Re: Next update on CVE-2011-3192 > > I have a feeling that we could push this out today... &

Re: Next update on CVE-2011-3192

2011-08-25 Thread Jim Jagielski
I have a feeling that we could push this out today… I'm going to fold Stefan's patch into trunk, and we should use trunk (CTR) to polish up the patch as well as add whatever other features we need. From there, backporting to 2.2/2.0 will be trivial. On Aug 25, 2011, at 4:18 AM, Dirk-Willem van Gul

Next update on CVE-2011-3192

2011-08-25 Thread Dirk-Willem van Gulik
I am keeping a draft at http://people.apache.org/~dirkx/CVE-2011-3192.txt Changes since last are: - version ranges more specific - vendor information added - backgrounder on relation to 2007 issues (see below to ensure I got this right). I suggest we send this out lat