Re: CVE-2020-11984: Apache httpd: mod_uwsgi buffer overlow

[Seth Arnold <seth.arnold () canonical com>]

On Sat, Aug 08, 2020 at 07:21:35AM -0500, Daniel Ruggeri wrote:
>    You're correct. That was an error on our part. We try to double check
> this data (since sometimes we burn a release number as we test the
> candidate) and things can get out of sync. I have it in my personal TODO
> list to add some tooling around automating this particular part of the
> release management process.
>
> I've fixed this in a recent patch and the the site should now show the
> correct data - many thanks for the correction

Hello Daniel, thanks for the fixes, this is a lot more clear to me now.

Quite a lot of my confusion came from not knowing that some releases were
versioned but not released -- suddenly quite a lot more makes sense.

> > The headings are out of order:

> No problem - I thought about this as I was putting together the
> announcement but didn't adjust it at the time. I've fixed this as well

Thanks -- I know how it goes, there's always something somewhere that
needs to fixed.

> > And, something is a bit off with the CURRENT-IS-$version markers:
> >
> > $ curl -sq https://archive.apache.org/dist/httpd/ | grep -c CURRENT
> > 47
> I can see how that appears odd. This URL is our archive distribution
> point, so anything we release to the formal distribution point will be
> added here automatically to preserve history. It's best to use the
> current distribution point:
> https://dist.apache.org/repos/dist/release/httpd/

Aha! And this explains the duplicates. It's nice to know it's intentional.

> Thanks for taking the time to provide feedback! Have a great weekend

Thanks for the quick fixes :)

Attachment: signature.asc
Description: