Re: RGW: removal of support for fastcgi

On Mon, May 15, 2017 at 8:35 AM, Ken Dreyer <kdreyer@xxxxxxxxxx> wrote:
> On Fri, May 5, 2017 at 1:51 PM, Yehuda Sadeh-Weinraub <yehuda@xxxxxxxxxx> wrote:
>>
>> TL;DR: Does anyone care if we remove support for fastcgi in rgw?
>
> Please remove it as soon as possible. The old libfcgi project's code
> is a security liability. When upstream died, there was a severe lack
> of coordination around distributing patches to fix CVE-2012-6687. I
> expect a similar level of chaos if another CVE surfaces in this
> library. There are also unanswered questions about libfcgi's continued
> use of poll vs select, see
> https://bugs.launchpad.net/ubuntu/+source/libfcgi/+bug/933417/comments/5
> .

Didn't see any compelling reason to keep it. It seems to me that the
SSL issue that Roger was pointing at could be solved either through a
different apache config, or something that we could fix (and might
have already fixed) in civetweb. As a first go I think we should still
keep the code around but not build it for Luminous.

Yehuda
_______________________________________________
ceph-users mailing list
ceph-users@xxxxxxxxxxxxxx
http://lists.ceph.com/listinfo.cgi/ceph-users-ceph.com


