On Wed, Jul 20, 2016 at 6:27 AM, Konstantin Kolinko <kkoli...@apache.org> wrote:
> 2016-07-20 12:37 GMT+03:00 Bertrand Delacretaz <bdelacre...@apache.org>:
> > On Tue, Jul 19, 2016 at 8:02 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> >> What if we digest the audience and list the scope (different projects which
> >> are impacted/offering mitigations) in a more conversational tone, mention
> >> the httpoxy URL and just point the reader to
> >> https://www.apache.org/security/asf-httpoxy-response.txt for all the
> >> detailed workarounds we've offered?...
> >
> > That sounds good to me, here's a minimal suggestion that we might
> > publish at https://blogs.apache.org/foundation/ unless you want
> > something more complete.
> >
> > ***
> > Title: "httpoxy" CGI vulnerability response
> >
> > A group of ASF projects (HTTP, Tomcat, Traffic Server, Perl) has
> > analyzed the CGI application vulnerability recently published at
> > https://httpoxy.org/
> >
> > Their detailed analysis, targeted at Web server administrators and CGI
> > developers and including mitigation information, can be found at
> > https://www.apache.org/security/asf-httpoxy-response.txt
> > ***
> >
>
> I think that perl in list of ASF projects should be spelled "Perl (mod_perl)",
> to distinguish it from Perl programming language as a whole.
>
> Also HTTP in that list to be spelled "HTTP Server"
>

Good points, think we can go with your text plus these edits, Bertrand.

Thanks!

Bill