Re: [RESULT] Was: Re: [VOTE] Release Apache httpd 2.4.16 as GA

2015-07-15 Thread Yann Ylavic
It seems that httpd.a.o still refers to 2.4.12, whereas 2.4.16
effectively reached www.a.o/dist/httpd and mirrors (leading to 2.4.16
not being visible and 2.4.12 issuing 404s).

On Tue, Jul 14, 2015 at 2:05 PM, Jim Jagielski j...@jagunet.com wrote:
> After 72+ hours, and with all +1 votes (more than 3 of which
> were binding) and no -1 votes, I call this vote CLOSED with
> a result that the vote PASSES!
>
> Thx to all testers and committers!
>
> I will start the push of the tarballs to the mirrors.


[VOTE] [24 hr] Release 2.2.31 as GA?

2015-07-15 Thread William A Rowe Jr
The pre-release candidate tarballs of Apache httpd 2.2.31 can be found in:

http://httpd.apache.org/dev/dist/

  +/-1
  [  ]  Release 2.2.31 GA (apr 1.5.2, apr-util 1.5.4)

Win32 src to follow in an hour this round. With such an insignificant
set of changes to a generally approved 2.2.30 which enjoyed the full
3-day voting period, I expect to end this vote tomorrow at 17:00GMT
Thursday, if there are sufficient votes cast.

The entire delta between 2.2.30 and 2.2.31 is attached, for your initial
inspection.


httpd-2.2.30-2.2.31.delta
Description: Binary data


[ANNOUNCEMENT] Apache HTTP Server 2.4.16 Released

2015-07-15 Thread Jim Jagielski
   Apache HTTP Server 2.4.16 Released

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.16 of the Apache
HTTP Server (Apache).  This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a security, feature and bug fix release. NOTE: versions
2.4.13, 2.4.14 and 2.4.15 were not released.

CVE-2015-3183 (cve.mitre.org)
core: Fix chunk header parsing defect.
Remove apr_brigade_flatten(), buffering and duplicated code from
the HTTP_IN filter, parse chunks in a single pass with zero copy.
Limit accepted chunk-size to 2^63-1 and be strict about chunk-ext
authorized characters.

CVE-2015-3185 (cve.mitre.org)
Replacement of ap_some_auth_required (unusable in Apache httpd 2.4)
with new ap_some_authn_required and ap_force_authn hook.

CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing to a local URL-path 
with the INCLUDES filter active, introduced in 2.4.11. PR 57531. 

CVE-2015-0228 (cve.mitre.org)
mod_lua: A maliciously crafted websockets PING after a script
calls r:wsupgrade() can cause a child process crash. 

Also in this release are some exciting new features including:

*) Better default recommended SSLCipherSuite and SSLProxyCipherSuite
*) mod_proxy_scgi: ProxySCGIInternalRedirect now allows an alternate
  response header to be used by the application
*) Event MPM improvements
*) Various mod_proxy_* improvements
*) mod_log_config: Add %{UNIT}T format to output request duration in
  seconds, milliseconds or microseconds depending on UNIT (s, ms,
  us)

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.16 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase.  For an overview of new features
introduced since 2.4 please see:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.16 includes only
those changes introduced since the prior 2.4 release.  A summary of all 
of the security vulnerabilities addressed in this and earlier releases 
is available:

http://httpd.apache.org/security/vulnerabilities_24.html

This release requires the Apache Portable Runtime (APR) version 1.5.x
and APR-Util version 1.5.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API.  Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.
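
Added example, not part of the announcement and not httpd's code: a sketch of the strict, single-pass chunk header parsing that the CVE-2015-3183 entry above describes, with the chunk-size capped at 2^63-1. The function name, the return codes and the set of bytes permitted in chunk-ext are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

enum { CHUNK_OK = 0, CHUNK_BAD_SIZE = -1, CHUNK_TOO_BIG = -2,
       CHUNK_BAD_EXT = -3, CHUNK_BAD_EOL = -4, CHUNK_INCOMPLETE = -5 };

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical helper: parse "chunk-size [;chunk-ext] CRLF" from buf[0..len)
 * in one pass without copying. On CHUNK_OK, *size holds the chunk length and
 * *used the number of header bytes consumed. */
int parse_chunk_header(const char *buf, size_t len, int64_t *size, size_t *used)
{
    size_t i = 0;
    int64_t n = 0;
    int v;

    while (i < len && (v = hexval((unsigned char)buf[i])) >= 0) {
        if (n > (INT64_MAX - v) / 16)   /* next digit would exceed 2^63-1 */
            return CHUNK_TOO_BIG;
        n = n * 16 + v;
        i++;
    }
    if (i == len) return CHUNK_INCOMPLETE;
    if (i == 0) return CHUNK_BAD_SIZE;  /* no hex digit, e.g. a sign */
    if (buf[i] == ';') {
        /* Assumed rule: extension bytes are printable ASCII or tab only. */
        for (i++; i < len && buf[i] != '\r'; i++) {
            unsigned char c = (unsigned char)buf[i];
            if (c != '\t' && (c < 0x20 || c > 0x7e))
                return CHUNK_BAD_EXT;
        }
        if (i == len) return CHUNK_INCOMPLETE;
    } else if (buf[i] != '\r') {
        return CHUNK_BAD_SIZE;          /* junk after the size, bare LF included */
    }
    if (i + 1 == len) return CHUNK_INCOMPLETE;
    if (buf[i + 1] != '\n') return CHUNK_BAD_EOL;
    *size = n;
    *used = i + 2;
    return CHUNK_OK;
}
```

A caller that gets CHUNK_INCOMPLETE should wait for more input; every other negative code is a reason to reject the request rather than guess at the sender's intent.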



Re: building httpd 2.2 on windows automation question.

2015-07-15 Thread Andy Wang

Yup, 2.2.31 built fine, and surprisingly it had the ssl deps change too.
I put the nmake into a retry loop :)

And now it's all automated.

Yay.

Thanks for the help,
Andy


On 07/15/2015 10:22 AM, Andy Wang wrote:



On 07/14/2015 09:37 PM, Gregg Smith wrote:

On 7/14/2015 12:09 PM, Andy Wang wrote:

link.exe -lib @C:\Users\runtime\AppData\Local\Temp\nm9E02.tmp
c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\nmake.exe -nologo -f libaprutil.mak  CFG=libaprutil - Win32 Release RECURSE=0
if not exist .\Release/ mkdir .\Release
tempfile.bat
libaprutil.mak(1494) : fatal error U1054: cannot create inline file 'tempfile.bat'
Stop.


I've run into this on VC11/Win7x64 more than once. I think I just
restarted the build again and it has always gone through. Microsoft says
a tempfile.bat already exists with a read-only attribute so it evidently
has started creating the file before removing the prior one.


.. snipped ..


Give it another try with 2.2.31 when it arrives, hopefully tomorrow.




Gave it a try with the patched 2.2.31, and you're right, continuing on
gets around the error.  It does occur about half a dozen times though.
I'll have to script that in if this works.

The openssl problem bit me though.  And it looks like that change you
mentioned will do it too.  Haven't patched it yet.

Thanks for pointing this out.

Andy


Re: [VOTE] [24 hr] Release 2.2.31 as GA?

2015-07-15 Thread Jeff Trawick

On 07/15/2015 12:44 PM, William A Rowe Jr wrote:
The pre-release candidate tarballs of Apache httpd 2.2.31 can be found in:


http://httpd.apache.org/dev/dist/

  +/-1

[X]  Release 2.2.31 GA (apr 1.5.2, apr-util 1.5.4)

The diffs look good to me.

I ran the test suite on FreeBSD 10 and obtained the same results as with 
2.2.29 and 2.2.30.


Thanks!



Release announcements missing on annou...@httpd.apache.org

2015-07-15 Thread Bostjan Skufca
Hi all,

Since 2.4.10 and 2.2.29 the annou...@httpd.apache.org is abandoned. Is this
intentional?

Someone already asked about this last year:
http://marc.info/?l=apache-httpd-dev&m=141157921203967&w=2

If this is not the right list to ask this question, where should it be
addressed then?

b.

PS: Congrats on the finally successful 2.4.16 release :)


Re: [VOTE] [24 hr] Release 2.2.31 as GA?

2015-07-15 Thread Gregg Smith

On 7/15/2015 9:44 AM, William A Rowe Jr wrote:

The pre-release candidate tarballs of Apache httpd 2.2.31 can be found in:


[+1]  Release 2.2.31 GA (apr 1.5.2, apr-util 1.5.4)

Thanks for the quick turnaround RM!



Re: [VOTE] [24 hr] Release 2.2.31 as GA?

2015-07-15 Thread Yann Ylavic
On Wed, Jul 15, 2015 at 6:44 PM, William A Rowe Jr wr...@rowe-clan.net wrote:

   +/-1
[+1]  Release 2.2.31 GA (apr 1.5.2, apr-util 1.5.4)

Retested worker and prefork, included apr-1.5.2 and apr-util-1.5.4, on:
- Debian 8 - 64bit,
- Debian 7 - 64bit,
- Debian 6 - 64bit,
- Debian 6 - mixed 32/64bit system/kernel.

No surprise.

Thanks!


Re: some test failures...

2015-07-15 Thread Jim Jagielski
*grin*
> On Jul 15, 2015, at 8:53 AM, Stefan Eissing stefan.eiss...@greenbytes.de wrote:
>
> ...are amusing when looked at closely:
>
> # testing : GET /modules/include/file.shtml
> # expected: 'Donnerstag, Juli 9, 2015 Donnerstag, Juli 9, 2015 1436433857 1436433857'
> # received: 'Thursday, July 9, 2015 Thursday, July 9, 2015 1436433857 1436433857'
> not ok 59
>
> ;-)
>
> green/bytes GmbH
> Hafenweg 16, 48155 Münster, Germany
> Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
 
 
 



some test failures...

2015-07-15 Thread Stefan Eissing
...are amusing when looked at closely:

# testing : GET /modules/include/file.shtml
# expected: 'Donnerstag, Juli 9, 2015 Donnerstag, Juli 9, 2015 1436433857 1436433857'
# received: 'Thursday, July 9, 2015 Thursday, July 9, 2015 1436433857 1436433857'
not ok 59

;-)

green/bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782





Re: building httpd 2.2 on windows automation question.

2015-07-15 Thread Andy Wang



On 07/14/2015 09:37 PM, Gregg Smith wrote:

On 7/14/2015 12:09 PM, Andy Wang wrote:

link.exe -lib @C:\Users\runtime\AppData\Local\Temp\nm9E02.tmp
c:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\BIN\nmake.exe -nologo -f libaprutil.mak  CFG=libaprutil - Win32 Release RECURSE=0
if not exist .\Release/ mkdir .\Release
tempfile.bat
libaprutil.mak(1494) : fatal error U1054: cannot create inline file 'tempfile.bat'
Stop.


I've run into this on VC11/Win7x64 more than once. I think I just
restarted the build again and it has always gone through. Microsoft says
a tempfile.bat already exists with a read-only attribute so it evidently
has started creating the file before removing the prior one.


.. snipped ..


Give it another try with 2.2.31 when it arrives, hopefully tomorrow.




Gave it a try with the patched 2.2.31, and you're right, continuing on 
gets around the error.  It does occur about half a dozen times though. 
I'll have to script that in if this works.


The openssl problem bit me though.  And it looks like that change you 
mentioned will do it too.  Haven't patched it yet.


Thanks for pointing this out.

Andy


finally...

2015-07-15 Thread Stefan Eissing
...got the test framework to PASS on my OS X against httpd/trunk built.

I added more description of what I found in the README and checked that in. I 
have the attached patch to the test code itself, which I will not just dump on 
you. I think the changes are ok, but will wait for some feedback.

The changes are in
- t/modules/cgi.t
- t/modules/include.t
- t/security/CVE-2004-0747.t

Cheers,

  Stefan



proposed.patch
Description: Binary data


green/bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782