Apache Lounge
Topic: 2.2.16 status?

DjiXas



Joined: 10 Jun 2008
Posts: 11

Posted: Tue 06 Jul '10 10:43    Post subject: 2.2.16 status?

Hi,

Does anyone know whether 2.2.16 will be released this month or not?
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Tue 06 Jul '10 10:57

Doubt it. Any particular reason?
DjiXas



Joined: 10 Jun 2008
Posts: 11

Posted: Tue 06 Jul '10 20:10

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2068
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Tue 06 Jul '10 21:06

Thought that might be it.

If you are using Apache.org binaries
http://www.apache.org/dist/httpd/binaries/win32/mod_proxy_http-CVE-2010-2068.zip

If you are using any VC9 built Apache binary (Apache Lounge, Apache Haus, ??)
http://www.apachehaus.com/
there's an announcement with a link to the download page on the front page of the site
DjiXas



Joined: 10 Jun 2008
Posts: 11

Posted: Wed 07 Jul '10 20:21

Call me an idiot, but I prefer to wait :-)

Thanks, though.
glsmith
Moderator


Joined: 16 Oct 2007
Posts: 2268
Location: Sun Diego, USA

Posted: Thu 08 Jul '10 0:46

I wouldn't do that; you have your reasons regardless of my opinion. If you do not use mod_proxy_http, there is no need at this point to even update that module with the CVE fix. If you are running *nix, chances are it has already been fixed and pushed in an update a few weeks ago.

I would like to point out however that this "is" an official release, just in the form of the fixed module instead of an entire server package. The only two changes to this module to date are in there.

There have not been enough other changes to call for a full release; there have only been two others, neither of which is to the core.

*) mod_ssl: Fix segfault at startup if proxy client certs are shared
across multiple vhosts. PR 39915. [Joe Orton]

*) apxs: Fix -A and -a options to ignore whitespace in httpd.conf
[Philip M. Gollucci]


There are 4 more accepted to backport from trunk, soon to be included, none of which are to the core. There are 13 more proposed with 0 - 2 votes (requires 3); only 2 require changes to core. None of these possible 17 are vulnerability-related changes.

The gears move much slower in the summer, so unless a CVE comes down the road that requires a change to the core, you are probably going to be waiting a while.

References:
http://httpd.apache.org/security/vulnerabilities_22.html
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=co
http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/STATUS?view=co
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7371
Location: Germany, Next to Hamburg

Posted: Mon 12 Jul '10 23:01

The discussion started: http://marc.info/?l=apache-httpd-dev&m=127896116715588&w=2 So let's wait and see what happens.
DjiXas



Joined: 10 Jun 2008
Posts: 11

Posted: Tue 13 Jul '10 11:58

Thanks for the insight, guys!