Old 08-31-2011, 06:28 PM
Reindl Harald
 
Default Apache HTTP Server 2.2.20 Released

On 31.08.2011 19:31, Paul W. Frields wrote:
> On Wed, Aug 31, 2011 at 05:39:14PM +0200, Reindl Harald wrote:
>> this update should really be pushed out fast
>>
>> the demo-exploit brings down a 4x2.50GHz machine with 8 GB
>> RAM in some seconds without having the known workarounds
>> or explicit mod_security-Rules in front
>>
>> -------- Original Message --------
>> Subject: [ANNOUNCEMENT] Apache HTTP Server 2.2.20 Released
>> Date: Wed, 31 Aug 2011 07:21:33 -0400
>> From: Jim Jagielski <jim@jaguNET.com>
>> Reply-To: dev@httpd.apache.org
>> To: dev@httpd.apache.org
>>
>> Apache HTTP Server 2.2.20 Released
> [...snip...]
>
> The security bug is already being tracked:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3192
>
> I'd expect a new package to be issued shortly. Once that happens, if
> you want to contribute to pushing this out, be ready to test the fixed
> package and add karma. The process works when people participate

we have been in production with > 20 servers on F14 for some hours
own packages with optimized build-flags based on the Fedora-SPEC-File

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
 
Old 08-31-2011, 08:09 PM
"Paul W. Frields"
 
Default Apache HTTP Server 2.2.20 Released

On Wed, Aug 31, 2011 at 08:28:20PM +0200, Reindl Harald wrote:
>
>
> On 31.08.2011 19:31, Paul W. Frields wrote:
> > On Wed, Aug 31, 2011 at 05:39:14PM +0200, Reindl Harald wrote:
> >> this update should really be pushed out fast
> >>
> >> the demo-exploit brings down a 4x2.50GHz machine with 8 GB
> >> RAM in some seconds without having the known workarounds
> >> or explicit mod_security-Rules in front
> >>
> >> -------- Original Message --------
> >> Subject: [ANNOUNCEMENT] Apache HTTP Server 2.2.20 Released
> >> Date: Wed, 31 Aug 2011 07:21:33 -0400
> >> From: Jim Jagielski <jim@jaguNET.com>
> >> Reply-To: dev@httpd.apache.org
> >> To: dev@httpd.apache.org
> >>
> >> Apache HTTP Server 2.2.20 Released
> > [...snip...]
> >
> > The security bug is already being tracked:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3192
> >
> > I'd expect a new package to be issued shortly. Once that happens, if
> > you want to contribute to pushing this out, be ready to test the fixed
> > package and add karma. The process works when people participate
>
> we have been in production with > 20 servers on F14 for some hours
> own packages with optimized build-flags based on the Fedora-SPEC-File

Not sure what this had to do with my reply, but in the meantime you
can use the mitigation that Apache sent out. I'm doing that on my own
servers for now.

--
Paul W. Frields http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - - http://pfrields.fedorapeople.org/
The open source story continues to grow: http://opensource.com
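The "mitigation that Apache sent out" for CVE-2011-3192 was a stop-gap for the byte-range denial of service: rather than patching, a front end unsets (or refuses) a Range header that carries an unreasonable number of byte ranges, the published SetEnvIf/mod_headers workaround using a limit of five. The following is an added example, not code from this thread or from the Apache project, that models that policy in Python so the decision can be tested offline: it parses the RFC 2616 byte-range set, ignores a malformed header as the RFC requires, and strips a well-formed one that exceeds the cap. The function names, the sample requests and the `MAX_RANGES` value are this example's own assumptions.

```python
"""Range-header policy check in the spirit of the CVE-2011-3192 workaround.

Added example, not code from the thread or from the Apache project. It
models the stop-gap Apache recommended: drop (unset) a Range header that
carries an unreasonable number of byte ranges, so the server answers with
the full entity instead of building many range parts in memory.
"""
import re

# Cap on byte ranges per request; five is the value the published
# workaround used (assumption: tune for your own services).
MAX_RANGES = 5

# One byte-range-spec: "first-last", "first-" or "-suffix" (RFC 2616 14.35.1).
_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_byte_ranges(header_value):
    """Parse 'bytes=a-b,c-,-d' into a list of (start, end) tuples.

    Returns None when the value is not a syntactically valid byte-range
    set; open-ended bounds are kept as None.
    """
    if header_value is None:
        return None
    value = header_value.strip()
    if not value.lower().startswith("bytes="):
        return None
    ranges = []
    for part in value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(part.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        # last-byte-pos before first-byte-pos is invalid per RFC 2616.
        if start is not None and end is not None and end < start:
            return None
        ranges.append((start, end))
    return ranges


def range_header_decision(header_value, max_ranges=MAX_RANGES):
    """Return (action, reason) for an incoming Range header value.

    "pass"  - serve the range(s) as requested
    "strip" - behave as if no Range header was sent (full entity);
              this is what 'RequestHeader unset Range' achieves
    """
    if header_value is None:
        return ("pass", "no Range header")
    ranges = parse_byte_ranges(header_value)
    if ranges is None:
        # RFC 2616: a syntactically invalid Range header MUST be ignored.
        return ("strip", "malformed byte-range set")
    if len(ranges) > max_ranges:
        return ("strip", "%d ranges exceeds limit of %d" % (len(ranges), max_ranges))
    return ("pass", "%d range(s)" % len(ranges))


def scan_request_headers(requests):
    """Apply the policy to a list of header dicts; return one action per request."""
    return [range_header_decision(req.get("Range"))[0] for req in requests]


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"Range": "bytes=0-499"},                                        # ordinary resume
    {"Range": "bytes=0-0,-1"},                                       # two ranges, fine
    {"Range": "bytes=" + ",".join("0-%d" % i for i in range(1, 40))},  # 39 overlapping ranges
    {"Range": "bytes=abc"},                                          # malformed
    {},                                                              # no Range header
]

if __name__ == "__main__":
    for req, action in zip(SAMPLE_REQUESTS, scan_request_headers(SAMPLE_REQUESTS)):
        shown = req.get("Range", "<no Range header>")
        print("%-6s %s" % (action, shown if len(shown) < 60 else shown[:57] + "..."))
```

A request that is stripped still gets a valid response (the whole resource), so the check is safe to deploy in front of clients that legitimately resume downloads; only requests asking for more than `MAX_RANGES` pieces lose the partial-content behaviour.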
 
Old 08-31-2011, 08:41 PM
Reindl Harald
 
Default Apache HTTP Server 2.2.20 Released

On 31.08.2011 22:09, Paul W. Frields wrote:
> On Wed, Aug 31, 2011 at 08:28:20PM +0200, Reindl Harald wrote:
>>
>>
>> On 31.08.2011 19:31, Paul W. Frields wrote:
>>> On Wed, Aug 31, 2011 at 05:39:14PM +0200, Reindl Harald wrote:
>>>> this update should really be pushed out fast
>>>>
>>>> the demo-exploit brings down a 4x2.50GHz machine with 8 GB
>>>> RAM in some seconds without having the known workarounds
>>>> or explicit mod_security-Rules in front
>>>>
>>>> -------- Original Message --------
>>>> Subject: [ANNOUNCEMENT] Apache HTTP Server 2.2.20 Released
>>>> Date: Wed, 31 Aug 2011 07:21:33 -0400
>>>> From: Jim Jagielski <jim@jaguNET.com>
>>>> Reply-To: dev@httpd.apache.org
>>>> To: dev@httpd.apache.org
>>>>
>>>> Apache HTTP Server 2.2.20 Released
>>> [...snip...]
>>>
>>> The security bug is already being tracked:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3192
>>>
>>> I'd expect a new package to be issued shortly. Once that happens, if
>>> you want to contribute to pushing this out, be ready to test the fixed
>>> package and add karma. The process works when people participate
>>
>> we have been in production with > 20 servers on F14 for some hours
>> own packages with optimized build-flags based on the Fedora-SPEC-File
>
> Not sure what this had to do with my reply, but in the meantime you
> can use the mitigation that Apache sent out. I'm doing that on my own
> servers for now

it was to say that we have had 2.2.20 for some hours
so the Fedora packages don't really interest me

it was a friendly reminder because on koji a build has not even been started
and with updates-testing it seems to take a long time for a critical fix
to get to the users since there is nothing to test

httpd-tools-2.2.20-2.fc14.rh.20110831.x86_64
httpd-2.2.20-2.fc14.rh.20110831.x86_64

File: „/usr/sbin/httpd“
Size: 371680 Blocks: 728 IO Block: 4096 reguläre Datei
Device: 811h/2065d Inode: 385752 Links: 1
Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2011-08-31 18:11:58.000000000 +0200
Modify: 2011-08-31 18:11:58.000000000 +0200
Change: 2011-08-31 18:29:40.118166712 +0200


 
Old 08-31-2011, 08:49 PM
Kevin Fenzi
 
Default Apache HTTP Server 2.2.20 Released

On Wed, 31 Aug 2011 22:41:29 +0200
Reindl Harald <h.reindl@thelounge.net> wrote:

...snip...

>
> it was a friendly reminder because on koji a build has not even been started
> and with updates-testing it seems to take a long time for a critical
> fix to get to the users since there is nothing to test
>
> httpd-tools-2.2.20-2.fc14.rh.20110831.x86_64
> httpd-2.2.20-2.fc14.rh.20110831.x86_64

I'm sure the maintainers are testing as fast as they can.

If you read the bug, you will note that this version already has
someone reporting that it breaks part of rfc2616. For something as
widely used as httpd, care in pushing updates is appreciated by me at
least.

In the meantime you can use the workarounds or hope that the upstream
version doesn't have issues and use that.

Not sure there's much more to say on this thread...

kevin