Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Jim Jagielski
At the very least, upgrading from 2.4.7 to 2.4.8 should not
cause this much pain. I will let the vote run a bit more to
gauge additional feedback, but my sense says that 2.4.8
will likely be revoked/dropped and 2.4.9 will be proposed
which either (1) removes r1573360 or (2) fixes this bug.

On Mar 11, 2014, at 8:59 PM, Dr Stephen Henson wrote:

> On 12/03/2014 00:30, Dr Stephen Henson wrote:
>> 
>> The fix was applied on Feb 11 2013. That would mean that official releases
>> affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should
>> include the fix but we weren't planning to make any more 0.9.8 official releases
>> though a 0.9.8 snapshot should include the fix.
>> 
>> OS specific versions of OpenSSL might not have included the fix. This is the
>> actual diff:
>> 
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10
>> 
> 
> It looks like the only case this can happen is ssl_init_server_certs where an
> SSL structure is created, SSL_get_certificate called and then it is freed.
> 
> If so then calling SSL_set_connect_state before the SSL_get_certificate
> call is a potential workaround. This works because the faulty code isn't used by
> SSL structures where ssl->server == 0 and SSL_set_connect_state does that,
> among other things.
> 
> This is a bit of a hack because it's called on a server SSL structure. This
> would probably fail horribly if an attempt was made to use the SSL structure but
> in this case we're freeing it up immediately so this should hopefully not matter.
> 
> Steve.
> -- 
> Dr Stephen Henson. OpenSSL Software Foundation, Inc.
> 1829 Mount Ephraim Road
> Adamstown, MD 21710
> +1 877-673-6775
> shen...@opensslfoundation.com
> 



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Graham Leggett
On 12 Mar 2014, at 12:37 PM, Jim Jagielski  wrote:

> At the very least, upgrading from 2.4.7 to 2.4.8 should not
> cause this much pain. I will let the vote run a bit more to
> gauge additional feedback, but my sense says that 2.4.8
> will likely be revoked/dropped and 2.4.9 will be proposed
> which either (1) removes r1573360 or (2) fixes this bug.

+1.

Regards,
Graham
--



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Rainer Jung
On 12.03.2014 11:37, Jim Jagielski wrote:
> At the very least, upgrading from 2.4.7 to 2.4.8 should not
> cause this much pain. I will let the vote run a bit more to
> gauge additional feedback, but my sense says that 2.4.8
> will likely be revoked/dropped and 2.4.9 will be proposed
> which either (1) removes r1573360 or (2) fixes this bug.

Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
an issue but since all Major versions seem to show the behavior and
there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
should implement the workaround suggested by Steve.

Regards,

Rainer



Re: svn commit: r1576504 - /httpd/httpd/branches/2.4.x/STATUS

2014-03-12 Thread Jeff Trawick
On Tue, Mar 11, 2014 at 5:12 PM, Yann Ylavic  wrote:

> Probably 2.4.8/STATUS should be fixed too.
>

no, we wouldn't retag the file, and we wouldn't regenerate the tarballs of
the same version to fix anything; if there's a truly hot issue to resolve
in a tagged version we'll bump the version and create a new tarball
("version numbers are cheap" as the saying goes)


>
> On Tue, Mar 11, 2014 at 10:10 PM,   wrote:
> > Author: ylavic
> > Date: Tue Mar 11 21:10:01 2014
> > New Revision: 1576504
> >
> > URL: http://svn.apache.org/r1576504
> > Log:
> > Fix 2.4.8 release year.
> >
> > Modified:
> > httpd/httpd/branches/2.4.x/STATUS
> >
> > Modified: httpd/httpd/branches/2.4.x/STATUS
> > URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/STATUS?rev=1576504&r1=1576503&r2=1576504&view=diff
> >
> ==
> > --- httpd/httpd/branches/2.4.x/STATUS (original)
> > +++ httpd/httpd/branches/2.4.x/STATUS Tue Mar 11 21:10:01 2014
> > @@ -33,7 +33,7 @@ Release history:
> >while x.{even}.z versions are Stable/GA releases.]
> >
> >  2.4.9   : In development.
> > -2.4.8   : Tagged on March 11, 2013.
> > +2.4.8   : Tagged on March 11, 2014.
> >  2.4.7   : Tagged on November 19, 2013. Released on Nov 25, 2013
> >  2.4.6   : Tagged on July 15, 2013. Released July, 22, 2013
> >  2.4.5   : Tagged on July 11, 2013, not released.
> >
> >
>
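
Review bot: the 2.4.6 context line still reads "Released July, 22, 2013" with a stray comma after the month, and the 2.4.7 line abbreviates "Nov 25" while the tag dates spell the month out; since this commit already corrects a date in this block, normalise those as well. The year change itself is consistent with its neighbours: 2.4.7 was tagged on November 19, 2013, so a March 2013 tag date for 2.4.8 could not be right.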



-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/


Re: [PATCH 51648 apreq2] Remove redundant Apache2::Cookie::httpcookie documentation

2014-03-12 Thread Jeff Trawick
On Tue, Mar 11, 2014 at 10:51 AM, Lubomir Rintel  wrote:

> ---
> Hi,
>
> please review and merge this. It seems to be an easy fix, but the ticket [1]
> seemingly generated no useful attention.
>

Hi,

Where is the patched code maintained in ASF svn?  Is that part of the Perl
project?


>
> [1] https://issues.apache.org/bugzilla/show_bug.cgi?id=51648
>
> Thank you,
> Lubo
>
>
>  glue/perl/lib/Apache2/Cookie.pm | 14 --
>  1 file changed, 14 deletions(-)
>
> diff --git a/glue/perl/lib/Apache2/Cookie.pm
> b/glue/perl/lib/Apache2/Cookie.pm
> index 715ab14..d6a5b31 100644
> --- a/glue/perl/lib/Apache2/Cookie.pm
> +++ b/glue/perl/lib/Apache2/Cookie.pm
> @@ -450,20 +450,6 @@ Get or set the HttpOnly flag for the cookie:
>
>
>
> -=head2 httponly
> -
> -$cookie->httponly()
> -$cookie->httponly($set)
> -
> -Get or set the HttpOnly flag for the cookie:
> -
> -$cookie->httponly(1);
> -$is_HttpOnly = $cookie->httponly;
> -$cookie->httponly(0);
> -
> -
> -
> -
>  =head2 comment
>
>  $cookie->comment()
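
Review bot: the subject names Apache2::Cookie::httpcookie, but the section deleted in this hunk is "=head2 httponly"; correct the subject so the change can be found by the method name. The @@ context ("Get or set the HttpOnly flag for the cookie:") shows an httponly entry already sits directly above line 450, which supports treating the removed block as the duplicate. The mail also puts its whole description below the "---" marker, so the patch would be applied with an empty commit body; a one-line reason with the bug 51648 reference above the marker would help.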
> --
> 1.8.3.1
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/


RE: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Plüm , Rüdiger , Vodafone Group


> -Original Message-
> From: Rainer Jung [mailto:rainer.j...@kippdata.de]
> Sent: Mittwoch, 12. März 2014 13:30
> To: dev@httpd.apache.org
> Subject: Re: [VOTE] Release Apache httpd 2.4.8 as GA
> 
> On 12.03.2014 11:37, Jim Jagielski wrote:
> > At the very least, upgrading from 2.4.7 to 2.4.8 should not
> > cause this much pain. I will let the vote run a bit more to
> > gauge additional feedback, but my sense says that 2.4.8
> > will likely be revoked/dropped and 2.4.9 will be proposed
> > which either (1) removes r1573360 or (2) fixes this bug.
> 
> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
> an issue but since all Major versions seem to show the behavior and
> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
> should implement the workaround suggested by Steve.

+1

Regards

Rüdiger



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Jim Jagielski

On Mar 12, 2014, at 8:29 AM, Rainer Jung  wrote:

> On 12.03.2014 11:37, Jim Jagielski wrote:
>> At the very least, upgrading from 2.4.7 to 2.4.8 should not
>> cause this much pain. I will let the vote run a bit more to
>> gauge additional feedback, but my sense says that 2.4.8
>> will likely be revoked/dropped and 2.4.9 will be proposed
>> which either (1) removes r1573360 or (2) fixes this bug.
> 
> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
> an issue but since all Major versions seem to show the behavior and
> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
> should implement the workaround suggested by Steve.
> 

We'll need to put that into trunk, check that it works w/o
causing a regression, first.

My personal opinion is to pull out the commit in 2.4.x to give it
more time in trunk to ferment and to release 2.4.9 w/o r1573360.



RE: Turn off SSL session tickets

2014-03-12 Thread Plüm , Rüdiger , Vodafone Group
Anyone?

Regards

Rüdiger

> -Original Message-
> From: Plüm, Rüdiger, Vodafone Group
> Sent: Montag, 10. März 2014 11:22
> To: dev@httpd.apache.org
> Subject: Turn off SSL session tickets
> 
> Reading the trunk documentation it seems possible to turn off SSL session
> tickets via
> 
> SSLOpenSSLConfCmd Options -SessionTicket
> 
> I assume there are no other options doing so on 2.2.x and 2.4.x, correct?
> 
> Regards
> 
> Rüdiger
> 



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Dr Stephen Henson
On 12/03/2014 12:29, Rainer Jung wrote:
> On 12.03.2014 11:37, Jim Jagielski wrote:
>> At the very least, upgrading from 2.4.7 to 2.4.8 should not
>> cause this much pain. I will let the vote run a bit more to
>> gauge additional feedback, but my sense says that 2.4.8
>> will likely be revoked/dropped and 2.4.9 will be proposed
>> which either (1) removes r1573360 or (2) fixes this bug.
> 
> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
> an issue but since all Major versions seem to show the behavior and
> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
> should implement the workaround suggested by Steve.
> 

Applied to trunk as r1576741. I've tried to keep the changes to the absolute
minimum.

I've tested OpenSSL 0.9.8y without this change and can reproduce the crash. It
doesn't crash with this fix.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com


Re: Turn off SSL session tickets

2014-03-12 Thread Dr Stephen Henson
On 10/03/2014 10:22, Plüm, Rüdiger, Vodafone Group wrote:
> Reading the trunk documentation it seems possible to turn off SSL session tickets via
> 
> SSLOpenSSLConfCmd Options -SessionTicket
> 
> I assume there are no other options doing so on 2.2.x and 2.4.x, correct?
> 

A quick grep for the SSL_OP_NO_TICKET flag (which disables tickets) in mod_ssl
came up empty so yes that is the only way. That should also work with 2.4.x but
in both cases it requires OpenSSL 1.0.2.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Rainer Jung
On 12.03.2014 01:59, Dr Stephen Henson wrote:
> On 12/03/2014 00:30, Dr Stephen Henson wrote:
>>
>> The fix was applied on Feb 11 2013. That would mean that official releases
>> affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should
>> include the fix but we weren't planning to make any more 0.9.8 official releases
>> though a 0.9.8 snapshot should include the fix.
>>
>> OS specific versions of OpenSSL might not have included the fix. This is the
>> actual diff:
>>
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10
>>
> 
> It looks like the only case this can happen is ssl_init_server_certs where an
> SSL structure is created, SSL_get_certificate called and then it is freed.
> 
> If so then calling SSL_set_connect_state before the SSL_get_certificate
> call is a potential workaround. This works because the faulty code isn't used by
> SSL structures where ssl->server == 0 and SSL_set_connect_state does that,
> among other things.
> 
> This is a bit of a hack because it's called on a server SSL structure. This
> would probably fail horribly if an attempt was made to use the SSL structure but
> in this case we're freeing it up immediately so this should hopefully not matter.

Following your advice I added the following patch:

http://people.apache.org/~rjung/patches/ssl-init-crash.patch

and switched back to using OpenSSL 1.0.1e. Indeed the crash during
startup didn't occur with that patch in place.

I will wait a bit and if I hear no complaints apply to trunk (if no one
beats me to it).

Regards,

Rainer



Re: [PATCH 51648 apreq2] Remove redundant Apache2::Cookie::httpcookie documentation

2014-03-12 Thread Lubomir Rintel
Hello,

On Wed, 2014-03-12 at 08:42 -0400, Jeff Trawick wrote:
> On Tue, Mar 11, 2014 at 10:51 AM, Lubomir Rintel  wrote:
> 
> > ---
> > Hi,
> >
> > please review and merge this. It seems to be an easy fix, but the ticket [1]
> > seemingly generated no useful attention.
> >
> 
> Hi,
> 
> Where is the patched code maintained in ASF svn?  Is that part of the Perl
> project?

According to the project web site [1] it's


[1] https://httpd.apache.org/apreq/

Thanks,
Lubo



Re: [PATCH 51648 apreq2] Remove redundant Apache2::Cookie::httpcookie documentation

2014-03-12 Thread Jeff Trawick
On Wed, Mar 12, 2014 at 10:22 AM, Lubomir Rintel  wrote:

> Hello,
>
> On Wed, 2014-03-12 at 08:42 -0400, Jeff Trawick wrote:
> > On Tue, Mar 11, 2014 at 10:51 AM, Lubomir Rintel  wrote:
> >
> > > ---
> > > Hi,
> > >
> > > > please review and merge this. It seems to be an easy fix, but the ticket [1]
> > > > seemingly generated no useful attention.
> > >
> >
> > Hi,
> >
> > > Where is the patched code maintained in ASF svn?  Is that part of the Perl
> > > project?
>
> According to the project web site [1] it's
> 
>

Thanks :)  I was looking in the wrong tree.


>
> [1] https://httpd.apache.org/apreq/
>
> Thanks,
> Lubo
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
http://edjective.org/


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Rainer Jung
On 12.03.2014 14:55, Dr Stephen Henson wrote:
> On 12/03/2014 12:29, Rainer Jung wrote:
>> On 12.03.2014 11:37, Jim Jagielski wrote:
>>> At the very least, upgrading from 2.4.7 to 2.4.8 should not
>>> cause this much pain. I will let the vote run a bit more to
>>> gauge additional feedback, but my sense says that 2.4.8
>>> will likely be revoked/dropped and 2.4.9 will be proposed
>>> which either (1) removes r1573360 or (2) fixes this bug.
>>
>> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
>> an issue but since all Major versions seem to show the behavior and
>> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
>> should implement the workaround suggested by Steve.
>>
> 
> Applied to trunk as r1576741. I've tried to keep the changes to the absolute
> minimum.
> 
> I've tested OpenSSL 0.9.8y without this change and can reproduce the crash. It
> doesn't crash with this fix.

OK, saw that message too late, functionally equivalent with what I tried
(and you proposed). So agreed, this fixes it.

Rainer



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Jim Jagielski
I have added this as a SHOWSTOPPER patch for 2.4.x...

I will try to find a system where the bug exists to
test.

On Mar 12, 2014, at 11:17 AM, Rainer Jung  wrote:

> On 12.03.2014 14:55, Dr Stephen Henson wrote:
>> On 12/03/2014 12:29, Rainer Jung wrote:
>>> On 12.03.2014 11:37, Jim Jagielski wrote:
>>>> At the very least, upgrading from 2.4.7 to 2.4.8 should not
>>>> cause this much pain. I will let the vote run a bit more to
>>>> gauge additional feedback, but my sense says that 2.4.8
>>>> will likely be revoked/dropped and 2.4.9 will be proposed
>>>> which either (1) removes r1573360 or (2) fixes this bug.
>>> 
>>> Agreed, if it were only about 1.0.1e vs. 1.0.1f it would be not that big
>>> an issue but since all Major versions seem to show the behavior and
>>> there's no easy workaround for 0.9.8 except upgrading to 1.x, I'd say we
>>> should implement the workaround suggested by Steve.
>>> 
>> 
>> Applied to trunk as r1576741. I've tried to keep the changes to the absolute
>> minimum.
>> 
>> I've tested OpenSSL 0.9.8y without this change and can reproduce the crash. It
>> doesn't crash with this fix.
> 
> OK, saw that message too late, functionally equivalent with what I tried
> (and you proposed). So agreed, this fixes it.
> 
> Rainer



Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread William A. Rowe Jr.
On Wed, 12 Mar 2014 00:30:57 +
Dr Stephen Henson  wrote:

> On 11/03/2014 21:46, Gregg Smith wrote:
> > On 3/11/2014 1:29 PM, Rainer Jung wrote:
> >> On 11.03.2014 17:34, Jim Jagielski wrote:
> >>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
> >>> at the usual place:
> >>>
> >>> http://httpd.apache.org/dev/dist/
> >>>
> >>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
> >>>
> >>> [ ] +1: Good to go
> >>> [ ] +0: meh
> >>> [ ] -1: Danger Will Robinson. And why.
> >>>
> >>> Vote will last the normal 72 hrs.
> >>>
> >>> NOTE: The *-deps are only there for convenience.
> >> I get a segfault during startup init on www.apache.org when using
> >> SSL. This didn't happen for r1570851. Candidate is r1573360.
> > 
> > I'm seeing this with OpenSSL 0.9.8y on Windows.
> > 
> 
> Here are some more details of the bug in OpenSSL I *think* triggers
> this.
> 
> The function SSL_get_certificate was modified in some versions of
> OpenSSL to return the certificate the server used instead of the
> current certificate it had done previously. This was to make OCSP
> stapling work with multiple configured certificates. Unfortunately a
> bug in the change meant it would crash if it was called before the
> server sent the certificate. Later versions of OpenSSL restored the
> original behaviour unless SSL_get_certificate was called inside the
> OCSP callback when it would return the certificate actually sent.
> 
> The fix was applied on Feb 11 2013. That would mean that official
> releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later
> official release should include the fix but we weren't planning to
> make any more 0.9.8 official releases though a 0.9.8 snapshot should
> include the fix.

Perhaps a typo above?  Or are we looking at several bugs?  Rainer had
specifically mentioned 1.0.1e as faulting.

I'm of the same mind as Jim - that a 2.4.9 with some workaround patch
as described is probably a good idea, but now I'm not clear whether
the proposed workaround fixes the case you mention with 1.0.1c or also
the 1.0.1e fault?

--- Begin Message ---
On 11.03.2014 21:41, Dr Stephen Henson wrote:
> On 11/03/2014 20:29, Rainer Jung wrote:
>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>> at the usual place:
>>>
>>> http://httpd.apache.org/dev/dist/
>>>
>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>
>>> [ ] +1: Good to go
>>> [ ] +0: meh
>>> [ ] -1: Danger Will Robinson. And why.
>>>
>>> Vote will last the normal 72 hrs.
>>>
>>> NOTE: The *-deps are only there for convenience.
>>
>> I get a segfault during startup init on www.apache.org when using SSL.
>> This didn't happen for r1570851. Candidate is r1573360.
>>
>> That server currently uses OpenSSL 1.0.1e.
>>
>> GDB:
>>
>> Program terminated with signal 11, Segmentation fault.
>> #0  0x00010287a19a in ssl_set_cert_masks () from
>> /usr/local/lib/libssl.so.8
>> (gdb) bt full
>> #0  0x00010287a19a in ssl_set_cert_masks () from
>> /usr/local/lib/libssl.so.8
>> No symbol table info available.
>> #1  0x00010287a6f6 in ssl_get_server_send_pkey () from
>> /usr/local/lib/libssl.so.8
> 
> Could be a known issue in OpenSSL 1.0.1e which is fixed in 1.0.1f.

Thanks Steve. Will try, actually was on my way to update when I noticed
there was not yet a BSD port for 1.0.1f. Will try nevertheless.

Regards,

Rainer

--- End Message ---


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Rainer Jung
On 12.03.2014 18:39, William A. Rowe Jr. wrote:
> On Wed, 12 Mar 2014 00:30:57 +
> Dr Stephen Henson  wrote:
> 
>> On 11/03/2014 21:46, Gregg Smith wrote:
>>> On 3/11/2014 1:29 PM, Rainer Jung wrote:
>>>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>>>> at the usual place:
>>>>>
>>>>> http://httpd.apache.org/dev/dist/
>>>>>
>>>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>>>
>>>>> [ ] +1: Good to go
>>>>> [ ] +0: meh
>>>>> [ ] -1: Danger Will Robinson. And why.
>>>>>
>>>>> Vote will last the normal 72 hrs.
>>>>>
>>>>> NOTE: The *-deps are only there for convenience.
>>>> I get a segfault during startup init on www.apache.org when using
>>>> SSL. This didn't happen for r1570851. Candidate is r1573360.
>>>
>>> I'm seeing this with OpenSSL 0.9.8y on Windows.
>>>
>>
>> Here are some more details of the bug in OpenSSL I *think* triggers
>> this.
>>
>> The function SSL_get_certificate was modified in some versions of
>> OpenSSL to return the certificate the server used instead of the
>> current certificate it had done previously. This was to make OCSP
>> stapling work with multiple configured certificates. Unfortunately a
>> bug in the change meant it would crash if it was called before the
>> server sent the certificate. Later versions of OpenSSL restored the
>> original behaviour unless SSL_get_certificate was called inside the
>> OCSP callback when it would return the certificate actually sent.
>>
>> The fix was applied on Feb 11 2013. That would mean that official
>> releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later
>> official release should include the fix but we weren't planning to
>> make any more 0.9.8 official releases though a 0.9.8 snapshot should
>> include the fix.
> 
> Perhaps a typo above?  Or are we looking at several bugs?  Rainer had
> specifically mentioned 1.0.1e as faulting.
> 
> I'm of the same mind as Jim - that a 2.4.9 with some workaround patch
> as described is probably a good idea, but now I'm not clear whether
> the proposed workaround fixes the case you mention with 1.0.1c or also
> the 1.0.1e fault?

I think the problematic code is in 0.9.8y, 1.0.0k, 1.0.1d and 1.0.1e. It
has been fixed in the latest 1.0.0 and 1.0.1 releases and the fix is in
HEAD for 0.9.8 but not released. The problem should not occur with
versions older than the cited ones.

Regards,

Rainer


Re: [VOTE] Release Apache httpd 2.4.8 as GA

2014-03-12 Thread Dr Stephen Henson
On 12/03/2014 17:39, William A. Rowe Jr. wrote:
>>
>> The fix was applied on Feb 11 2013. That would mean that official
>> releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later
>> official release should include the fix but we weren't planning to
>> make any more 0.9.8 official releases though a 0.9.8 snapshot should
>> include the fix.
> 
> Perhaps a typo above?  Or are we looking at several bugs?  Rainer had
> specifically mentioned 1.0.1e as faulting.
> 

Yes sorry. It's all the same single bug. Checking through the versions:

For 0.9.8 branches: 0.9.8y affected, only fixed in 0.9.8 snapshots.
For 1.0.0 branches: 1.0.0k affected fixed in 1.0.0l
For 1.0.1 branches: 1.0.1d, 1.0.1e affected fixed in 1.0.0f

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
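
Added example, not part of the original message and not httpd or OpenSSL code: a stand-alone C helper that decodes an OpenSSL 0.9.8/1.0.x version number and reports whether it is one of the official releases listed as affected in the message above. The function names are hypothetical and the sample values are constructed; a vendor-patched build can carry the same number with or without the fix, so a match is a hint for triage, not proof.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL 0.9.8 and 1.0.x pack the version as 0xMNNFFPPS: major, minor,
 * fix, patch letter (a = 1 ... z = 26) and status (0xf = official release). */
struct ossl_ver { unsigned major, minor, fix, patch, status; };

#define LETTER(c) ((unsigned)((c) - 'a' + 1))

static struct ossl_ver decode_version(unsigned long v)
{
    struct ossl_ver o;
    o.major  = (unsigned)((v >> 28) & 0xf);
    o.minor  = (unsigned)((v >> 20) & 0xff);
    o.fix    = (unsigned)((v >> 12) & 0xff);
    o.patch  = (unsigned)((v >> 4) & 0xff);
    o.status = (unsigned)(v & 0xf);
    return o;
}

/* Render e.g. 0x1000105f as "1.0.1e" for a startup log line. */
const char *format_version(unsigned long v, char *buf, size_t len)
{
    struct ossl_ver o = decode_version(v);
    char letter[2] = { 0, 0 };
    if (o.patch >= 1 && o.patch <= 26)
        letter[0] = (char)('a' + o.patch - 1);
    snprintf(buf, len, "%u.%u.%u%s%s", o.major, o.minor, o.fix, letter,
             o.status == 0xf ? "" : "-prerelease");
    return buf;
}

/* 1 if v is an official release named in the thread's list
 * (0.9.8y, 1.0.0k, 1.0.1d, 1.0.1e); 0 means "not listed", not "proven safe". */
int listed_as_affected(unsigned long v)
{
    struct ossl_ver o = decode_version(v);
    if (o.status != 0xf)
        return 0;                 /* snapshots and betas are not in the list */
    if (o.major == 0 && o.minor == 9 && o.fix == 8)
        return o.patch == LETTER('y');
    if (o.major == 1 && o.minor == 0 && o.fix == 0)
        return o.patch == LETTER('k');
    if (o.major == 1 && o.minor == 0 && o.fix == 1)
        return o.patch == LETTER('d') || o.patch == LETTER('e');
    return 0;
}

int main(void)
{
    /* Constructed sample values. In a real check, pass the number reported
     * by the loaded library (SSLeay() on these branches), because the shared
     * object in use can differ from the headers the binary was built with. */
    static const unsigned long samples[] = {
        0x0090819fUL, 0x100000bfUL, 0x100000cfUL,
        0x1000103fUL, 0x1000105fUL, 0x1000106fUL
    };
    char buf[32];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %s\n", format_version(samples[i], buf, sizeof buf),
               listed_as_affected(samples[i]) ? "listed as affected"
                                              : "not listed");
    return 0;
}
```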


Re: svn commit: r1576504 - /httpd/httpd/branches/2.4.x/STATUS

2014-03-12 Thread Yann Ylavic
On Wed, Mar 12, 2014 at 1:40 PM, Jeff Trawick  wrote:
> On Tue, Mar 11, 2014 at 5:12 PM, Yann Ylavic  wrote:
>>
>> Probably 2.4.8/STATUS should be fixed too.
>
>
> no, we wouldn't retag the file, and we wouldn't regenerate the tarballs of
> the same version to fix anything; if there's a truly hot issue to resolve in
> a tagged version we'll bump the version and create a new tarball ("version
> numbers are cheap" as the saying goes)

Thanks for clarification, I wasn't sure at all, especially as STATUS
is not part of the tarball.
Just wanted to point out the copy of the typo within the 2.4.8 tag.