Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 10 Aug 2020 22:29:35 +0000
From: Seth Arnold <seth.arnold@...onical.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer
 overlow

On Sat, Aug 08, 2020 at 07:21:35AM -0500, Daniel Ruggeri wrote:
>    You're correct. That was an error on our part. We try to double check
> this data (since sometimes we burn a release number as we test the
> candidate) and things can get out of sync. I have it in my personal TODO
> list to add some tooling around automating this particular part of the
> release management process.
> 
> I've fixed this in a recent patch and the the site should now show the
> correct data - many thanks for the correction

Hello Daniel, thanks for the fixes, this is a lot more clear to me now.

Quite a lot of my confusion came from not knowing that some releases were
versioned but not released -- suddenly quite a lot more makes sense.

> > The headings are out of order:

> No problem - I thought about this as I was putting together the
> announcement but didn't adjust it at the time. I've fixed this as well

Thanks -- I know how it goes, there's always something somewhere that
needs to fixed.

> > And, something is a bit off with the CURRENT-IS-$version markers:
> >
> > $ curl -sq https://archive.apache.org/dist/httpd/ | grep -c CURRENT
> > 47
> I can see how that appears odd. This URL is our archive distribution
> point, so anything we release to the formal distribution point will be
> added here automatically to preserve history. It's best to use the
> current distribution point:
> https://dist.apache.org/repos/dist/release/httpd/

Aha! And this explains the duplicates. It's nice to know it's intentional.

> Thanks for taking the time to provide feedback! Have a great weekend

Thanks for the quick fixes :)



Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.