Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Graham Dumpleton
Okay, I screwed up that analysis a bit. It is APR 1.X to 2.X which is the issue and I can fix by having:

#if APR_MAJOR_VERSION < 2
#include "apr_support.h"
#endif

The specific code was:

#if APR_MAJOR_VERSION < 2
rv = apr_wait_for_io_or_timeout(NULL, sock, 0);
#else
rv = apr_socke

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Graham Dumpleton
FWIW, there is potentially another issue for mod_wsgi coming up as well. Seems that I was using an APR function which was tagged as internal and in trunk of APR the header file that function is defined in is no longer installed, or at least when within srclib of httpd, thus mod_wsgi will no longer

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Eric Covener
mod_ftpd too I believe

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Graham Dumpleton
Thanks for the heads up and I appreciate very much the steps you are taking to limit possible effects. What I will do is the following: 1. Verify that recompiling mod_wsgi is actually sufficient given that my direct use of request_rec isn't going to populate the extra fields and they will remain

Re: Time for 2.4.11

2015-01-09 Thread Micha Lenk
Hi, On 08.01.2015 at 12:11, Jim Jagielski wrote: > Let's shoot for a T&R next week. The work will keep me > warm :) Can we please get another vote on this? * core: Fix -D[efined] or [d] variables lifetime across restarts. PR 57328. trunk patch: http://svn.apache.org/r1643825 2.

Re: Reverse proxy: invalid Content-Length leads to 413 + 400 errors mixed up

2015-01-09 Thread Micha Lenk
Sorry, this shouldn't have gone to dev@httpd.apache.org.

Re: Reverse proxy: invalid Content-Length leads to 413 + 400 errors mixed up

2015-01-09 Thread Micha Lenk
Hi Ewald, first of all, a happy new year! On 08.01.2015 at 17:29, Ewald Dieterich wrote: > On 01/08/2015 04:15 PM, Yann Ylavic wrote: >>> Can you test this (attached) patch please (without yours applied)? >> >> Or with yours and just changing "return >> ap_map_http_request_error(status, HTTP_

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Ruediger Pluem
On 01/09/2015 09:48 PM, Jeff Trawick wrote: > On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton > wrote: > > Since Jim is talking 2.4.11, I should report this now. We discovered > this week in Fedora: mod_wsgi does some interesting things in daemon > mode, notably

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Ruediger Pluem
On 01/09/2015 09:23 PM, Joe Orton wrote: > Since Jim is talking 2.4.11, I should report this now. We discovered > this week in Fedora: mod_wsgi does some interesting things in daemon > mode, notably that it allocates a request_rec internally which ends up > getting used by httpd. > > Reason

Re: CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Jeff Trawick
On Fri, Jan 9, 2015 at 3:23 PM, Joe Orton wrote: > Since Jim is talking 2.4.11, I should report this now. We discovered > this week in Fedora: mod_wsgi does some interesting things in daemon > mode, notably that it allocates a request_rec internally which ends up > getting used by httpd. > > Rea

CVE-2013-5704 fix breaks mod_wsgi

2015-01-09 Thread Joe Orton
Since Jim is talking 2.4.11, I should report this now. We discovered this week in Fedora: mod_wsgi does some interesting things in daemon mode, notably that it allocates a request_rec internally which ends up getting used by httpd. Reason is, the fix for CVE-2013-5704 extends the request_rec:

RE: Time for 2.4.11

2015-01-09 Thread Lu, Yingqi
Hi Jim, Thanks for your email. I think it should not be very hard to back port. After you trunked the original patch last June, I was working with Yann Ylavic last November to fix some minor issues. With current trunked code, there is no major API change to 2.4 version and we have tested with m

Re: Time for 2.4.11

2015-01-09 Thread Eric Covener
On Fri, Jan 9, 2015 at 10:15 AM, Martynas Bendorius wrote: > And what about https://issues.apache.org/bugzilla/show_bug.cgi?id=37564 ? :) Not likely for the release on the horizon. A few people would need to deep-dive into suexec to be able to change it responsibly.

Re: Time for 2.4.11

2015-01-09 Thread Martynas Bendorius
And what about https://issues.apache.org/bugzilla/show_bug.cgi?id=37564 ? :) Best regards, Martynas Bendorius On 1/9/15 4:45 PM, Eric Covener wrote: On Fri, Jan 9, 2015 at 9:41 AM, Jacob Perkins wrote: Any chance we could get this back ported into 2.4 for the 2.4.11 release? https://issues.a

Re: Time for 2.4.11

2015-01-09 Thread Jim Jagielski
Testing this out as we speak... > On Jan 9, 2015, at 9:45 AM, Eric Covener wrote: > > On Fri, Jan 9, 2015 at 9:41 AM, Jacob Perkins > wrote: >> Any chance we could get this back ported into 2.4 for the 2.4.11 release? >> >> https://issues.apache.org/bugzilla/show_bug.cgi?id=55910 >> >> This

Re: Time for 2.4.11

2015-01-09 Thread Eric Covener
On Fri, Jan 9, 2015 at 9:41 AM, Jacob Perkins wrote: > Any chance we could get this back ported into 2.4 for the 2.4.11 release? > > https://issues.apache.org/bugzilla/show_bug.cgi?id=55910 > > This is causing us some headaches with our mod_security rollouts. This one is proposed but needs two m

Re: Time for 2.4.11

2015-01-09 Thread Jacob Perkins
Good morning! Any chance we could get this back ported into 2.4 for the 2.4.11 release? https://issues.apache.org/bugzilla/show_bug.cgi?id=55910 This is causing us some headaches with our mod_security rollouts. Thanks! — Jacob Perkins

ALPN/NPN support in 2.4

2015-01-09 Thread Stefan Eissing
Hi, I hope this is the right place for it: for an upcoming customer project I need ALPN/NPN support in apache 2.4.x. There is a (reopened) ticket with patch for this (https://issues.apache.org/bugzilla/show_bug.cgi?id=52210) that was started on 2.2.x The patch is applied with slight variation

Re: Time for 2.4.11

2015-01-09 Thread Jim Jagielski
Let me look... how easy is the backport? > On Jan 8, 2015, at 12:22 PM, Lu, Yingqi wrote: > > Hi All, > > Can we make the "SO_REUSEPORT" support into this new stable version? The > first version of the patch was trunked last June. After tests and > modifications, I think it is ready to go. >

Re: Time for 2.4.11

2015-01-09 Thread Jim Jagielski
Thx. Will do. > On Jan 8, 2015, at 7:06 AM, olli hauer wrote: > > On 2015-01-08 12:11, Jim Jagielski wrote: >> Let's shoot for a T&R next week. The work will keep me >> warm :) >> > > Perhaps you can take a look into these two bug ids: > > - https://issues.apache.org/bugzilla/show_bug.cgi?id=5