Re: Announce missing - in moderation?

2018-09-25 Thread Daniel Ruggeri
FWIW, this was a straightforward multi-To field email message addressed to 
both lists. If there is a way I can improve the announce/release automation, I 
am happy to do so. Maybe a better way is to send multiple messages?
-- 
Daniel Ruggeri

On September 25, 2018 7:12:25 PM EDT, William A Rowe Jr  
wrote:
>Agreed it was published to ann@httpd.a.o, likely Jim's approval.
>
> It has not arrived at a...@apache.org.
>
>Sebb, can you shed any light on this moderation issue?
>
>
>
>On Tue, Sep 25, 2018, 12:29 Jim Jagielski  wrote:
>
>> FWIW, I just saw a mod request for *an* announcement and approved it
>>
>> On Sep 25, 2018, at 12:19 PM, Private LIst Moderation <
>> mod-priv...@gsuite.cloud.apache.org> wrote:
>>
>> Hi Daniel,
>>
>> I've looked in the moderation queue and did not find the announce@
>> moderation email.
>>
>> Craig
>>
>> On Sep 25, 2018, at 7:00 AM, Daniel Ruggeri 
>wrote:
>>
>> Infra points out it's easier to just resend than to dig out the
>message
>> they found on the server. I've sent again - receiving these
>confirmations:
>>
>> < 235 2.7.0 Authentication successful
>>
>> MAIL FROM: SIZE=2919
>>
>> < 250 2.1.0 Ok
>>
>> RCPT TO:
>>
>> < 250 2.1.5 Ok
>>
>> DATA
>>
>> < 354 End data with .
>> } [data not shown]
>> * We are completely uploaded and fine
>> < 250 2.0.0 Ok: queued as EB77F2332
>>
>> < 235 2.7.0 Authentication successful
>>
>> MAIL FROM: SIZE=874
>>
>> < 250 2.1.0 Ok
>>
>> RCPT TO:
>>
>> < 250 2.1.5 Ok
>>
>> DATA
>>
>> < 354 End data with .
>> } [data not shown]
>> * We are completely uploaded and fine
>> < 250 2.0.0 Ok: queued as 9B4B1E1B
>>
>> I've also added Craig here as he was unable to find the message sent
>to
>> announce@a.o - with luck, these won't vanish, but at least this time
>I
>> have the message IDs...
>> --
>> Daniel Ruggeri
>>
>> On 2018-09-24 16:59, Daniel Ruggeri wrote:
>>
>> Yes, I sent via curl (true story, you can send email with curl)
>> directly to the relay service and authenticated with my ASF
>> credentials. I had checked in with Infra here at ACNA and they saw
>> *something* that looked like my message. I'll check in with them
>> again.
>> Thanks, folks
>> --
>> Daniel Ruggeri
>> On September 24, 2018 3:07:00 PM EDT, William A Rowe Jr
>>  wrote:
>>
>> I'm seeing no announce@httpd moderation request. (I am not an
>> annou...@apache.org moderator.)
>> Did you send from your @apache.org [1] avail-id through the ASF
>> server? It would
>> be rejected for non-apache and for mismatched SPF records.
>> On Mon, Sep 24, 2018 at 9:16 AM Daniel Ruggeri 
>> wrote:
>>
>> Hi, all;
>> I sent the announce message for 2.4.35, but haven't received it
>> myself. I didn't get errors sending that I am aware of. Perhaps it
>> is in moderation? If not, I can check in with infra to see if
>> mail-relay.a.o ate it.
>> Thanks
>> --
>> Daniel Ruggeri
>>
>> Links:
>> --
>> [1] http://apache.org
>>
>>
>>
>> Craig L Russell
>> Secretary, Apache Software Foundation
>> c...@apache.org http://db.apache.org/jdo
>>
>>
>>


Re: Announce missing - in moderation?

2018-09-25 Thread William A Rowe Jr
Agreed it was published to ann@httpd.a.o, likely Jim's approval.

 It has not arrived at a...@apache.org.

Sebb, can you shed any light on this moderation issue?



On Tue, Sep 25, 2018, 12:29 Jim Jagielski  wrote:

> FWIW, I just saw a mod request for *an* announcement and approved it
>
> On Sep 25, 2018, at 12:19 PM, Private LIst Moderation <
> mod-priv...@gsuite.cloud.apache.org> wrote:
>
> Hi Daniel,
>
> I've looked in the moderation queue and did not find the announce@
> moderation email.
>
> Craig
>
> On Sep 25, 2018, at 7:00 AM, Daniel Ruggeri  wrote:
>
> Infra points out it's easier to just resend than to dig out the message
> they found on the server. I've sent again - receiving these confirmations:
>
> < 235 2.7.0 Authentication successful
>
> MAIL FROM: SIZE=2919
>
> < 250 2.1.0 Ok
>
> RCPT TO:
>
> < 250 2.1.5 Ok
>
> DATA
>
> < 354 End data with .
> } [data not shown]
> * We are completely uploaded and fine
> < 250 2.0.0 Ok: queued as EB77F2332
>
> < 235 2.7.0 Authentication successful
>
> MAIL FROM: SIZE=874
>
> < 250 2.1.0 Ok
>
> RCPT TO:
>
> < 250 2.1.5 Ok
>
> DATA
>
> < 354 End data with .
> } [data not shown]
> * We are completely uploaded and fine
> < 250 2.0.0 Ok: queued as 9B4B1E1B
>
> I've also added Craig here as he was unable to find the message sent to
> announce@a.o - with luck, these won't vanish, but at least this time I
> have the message IDs...
> --
> Daniel Ruggeri
>
> On 2018-09-24 16:59, Daniel Ruggeri wrote:
>
> Yes, I sent via curl (true story, you can send email with curl)
> directly to the relay service and authenticated with my ASF
> credentials. I had checked in with Infra here at ACNA and they saw
> *something* that looked like my message. I'll check in with them
> again.
> Thanks, folks
> --
> Daniel Ruggeri
> On September 24, 2018 3:07:00 PM EDT, William A Rowe Jr
>  wrote:
>
> I'm seeing no announce@httpd moderation request. (I am not an
> annou...@apache.org moderator.)
> Did you send from your @apache.org [1] avail-id through the ASF
> server? It would
> be rejected for non-apache and for mismatched SPF records.
> On Mon, Sep 24, 2018 at 9:16 AM Daniel Ruggeri 
> wrote:
>
> Hi, all;
> I sent the announce message for 2.4.35, but haven't received it
> myself. I didn't get errors sending that I am aware of. Perhaps it
> is in moderation? If not, I can check in with infra to see if
> mail-relay.a.o ate it.
> Thanks
> --
> Daniel Ruggeri
>
> Links:
> --
> [1] http://apache.org
>
>
>
> Craig L Russell
> Secretary, Apache Software Foundation
> c...@apache.org http://db.apache.org/jdo
>
>
>


Re: Announce missing - in moderation?

2018-09-25 Thread Jim Jagielski
FWIW, I just saw a mod request for *an* announcement and approved it

> On Sep 25, 2018, at 12:19 PM, Private LIst Moderation 
>  wrote:
> 
> Hi Daniel,
> 
> I've looked in the moderation queue and did not find the announce@ moderation 
> email.
> 
> Craig
> 
>> On Sep 25, 2018, at 7:00 AM, Daniel Ruggeri > > wrote:
>> 
>> Infra points out it's easier to just resend than to dig out the message they 
>> found on the server. I've sent again - receiving these confirmations:
>> 
>> < 235 2.7.0 Authentication successful
>>> MAIL FROM:mailto:drugg...@apache.org>> SIZE=2919
>> < 250 2.1.0 Ok
>>> RCPT TO:mailto:annou...@httpd.apache.org>>
>> < 250 2.1.5 Ok
>>> DATA
>> < 354 End data with .
>> } [data not shown]
>> * We are completely uploaded and fine
>> < 250 2.0.0 Ok: queued as EB77F2332
>> 
>> < 235 2.7.0 Authentication successful
>>> MAIL FROM:mailto:drugg...@apache.org>> SIZE=874
>> < 250 2.1.0 Ok
>>> RCPT TO:mailto:annou...@httpd.apache.org>>
>> < 250 2.1.5 Ok
>>> DATA
>> < 354 End data with .
>> } [data not shown]
>> * We are completely uploaded and fine
>> < 250 2.0.0 Ok: queued as 9B4B1E1B
>> 
>> I've also added Craig here as he was unable to find the message sent to 
>> announce@a.o  - with luck, these won't vanish, but at 
>> least this time I have the message IDs...
>> -- 
>> Daniel Ruggeri
>> 
>> On 2018-09-24 16:59, Daniel Ruggeri wrote:
>>> Yes, I sent via curl (true story, you can send email with curl)
>>> directly to the relay service and authenticated with my ASF
>>> credentials. I had checked in with Infra here at ACNA and they saw
>>> *something* that looked like my message. I'll check in with them
>>> again.
>>> Thanks, folks
>>> --
>>> Daniel Ruggeri
>>> On September 24, 2018 3:07:00 PM EDT, William A Rowe Jr
>>> mailto:wr...@rowe-clan.net>> wrote:
 I'm seeing no announce@httpd moderation request. (I am not an
 annou...@apache.org  moderator.)
 Did you send from your @apache.org [1] avail-id through the ASF
 server? It would
 be rejected for non-apache and for mismatched SPF records.
 On Mon, Sep 24, 2018 at 9:16 AM Daniel Ruggeri >>> >
 wrote:
> Hi, all;
> I sent the announce message for 2.4.35, but haven't received it
> myself. I didn't get errors sending that I am aware of. Perhaps it
> is in moderation? If not, I can check in with infra to see if
> mail-relay.a.o ate it.
> Thanks
> --
> Daniel Ruggeri
>>> Links:
>>> --
>>> [1] http://apache.org 
>> 
> 
> Craig L Russell
> Secretary, Apache Software Foundation
> c...@apache.org  http://db.apache.org/jdo 
> 



Re: svn commit: r1841225 - /httpd/httpd/trunk/modules/dav/main/props.c

2018-09-25 Thread Greg Stein
We learned a lot about pool handling while writing Subversion, after I
wrote that mod_dav code. There are definitely some improvements to be made.
I'm not surprised that a propfind can go nuts like that ... I'll review the
change and take a look generally.

h/t to DanielR for the pointer to this thread.


On Tue, Sep 18, 2018 at 8:04 AM Ruediger Pluem  wrote:

> Pools are very tricky in mod_dav. Hence additional eyeballs are very much
> welcome here.
> As I only did testing with mod_dav_fs I would be keen to know if things
> still work with Subversion.
> So if someone from the Subversion guys is listening here: Having this
> tested with Subversion would be very welcome :-).
>
> Regards
>
> Rüdiger
>
> On 09/18/2018 02:58 PM, rpl...@apache.org wrote:
> > Author: rpluem
> > Date: Tue Sep 18 12:58:57 2018
> > New Revision: 1841225
> >
> > URL: http://svn.apache.org/viewvc?rev=1841225&view=rev
> > Log:
> > * Doing a PROPFIND on a large collection e.g. 50.000 elements can easily
> >   consume 1 GB of memory as the subrequests and propdb pools are not
> >   destroyed and cleared after each element was handled.
> >   Do this now. There is one case in dav_get_props where elem->priv
> > >   lives longer than the propdb pool. In this case allocate from r->pool.
> >   Furthermore also recycle propdb's which allows to clear the propdb's
> >   pools instead of destroying them and creating them again.
> >
> > Modified:
> > httpd/httpd/trunk/modules/dav/main/props.c
> >
> > Modified: httpd/httpd/trunk/modules/dav/main/props.c
> > URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/dav/main/props.c?rev=1841225&r1=1841224&r2=1841225&view=diff
> >
> ==
> > --- httpd/httpd/trunk/modules/dav/main/props.c (original)
> > +++ httpd/httpd/trunk/modules/dav/main/props.c Tue Sep 18 12:58:57 2018
> > @@ -524,7 +524,21 @@ DAV_DECLARE(dav_error *)dav_open_propdb(
> >  apr_array_header_t * ns_xlate,
> >  dav_propdb **p_propdb)
> >  {
> > -dav_propdb *propdb = apr_pcalloc(r->pool, sizeof(*propdb));
> > +dav_propdb *propdb = NULL;
> > +/*
> > + * Check if we have tucked away a previous propdb and reuse it.
> > + * Otherwise create a new one and tuck it away
> > + */
> > +apr_pool_userdata_get((void **)&propdb, "propdb", r->pool);
> > +if (!propdb) {
> > +propdb = apr_pcalloc(r->pool, sizeof(*propdb));
> > +apr_pool_userdata_setn(propdb, "propdb", NULL, r->pool);
> > +apr_pool_create(&propdb->p, r->pool);
> > +}
> > +else {
> > +/* Play safe and clear the pool of the reused probdb */
> > +apr_pool_clear(propdb->p);
> > +}
> >
> >  *p_propdb = NULL;
> >
> > @@ -537,7 +551,6 @@ DAV_DECLARE(dav_error *)dav_open_propdb(
> >  #endif
> >
> >  propdb->r = r;
> > -apr_pool_create(&propdb->p, r->pool);
> >  propdb->resource = resource;
> >  propdb->ns_xlate = ns_xlate;
> >
> > @@ -562,10 +575,12 @@ DAV_DECLARE(void) dav_close_propdb(dav_p
> >  (*propdb->db_hooks->close)(propdb->db);
> >  }
> >
> > -/* Currently, mod_dav's pool usage doesn't allow clearing this
> pool. */
> > -#if 0
> > -apr_pool_destroy(propdb->p);
> > -#endif
> > +if (propdb->subreq) {
> > +ap_destroy_sub_req(propdb->subreq);
> > +propdb->subreq = NULL;
> > +}
> > +
> > +apr_pool_clear(propdb->p);
> >  }
> >
> >  DAV_DECLARE(dav_get_props_result) dav_get_allprops(dav_propdb *propdb,
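
Review bot: the removed comment in dav_close_propdb said mod_dav's pool usage did not allow clearing this pool, and the replacement `apr_pool_clear(propdb->p)` carries no comment saying why that is now safe. After this change every pointer handed out from propdb->p is invalid once close returns, which is a contract change for callers and for the db_hooks providers. Suggest a comment on dav_close_propdb stating that nothing allocated from the propdb pool may be used after close, so providers can be audited against it.
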
> > @@ -815,7 +830,8 @@ DAV_DECLARE(dav_get_props_result) dav_ge
> >  */
> >
> >  if (elem->priv == NULL) {
> > -elem->priv = apr_pcalloc(propdb->p, sizeof(*priv));
> > +/* elem->priv outlives propdb->p. Hence use the request
> pool */
> > +elem->priv = apr_pcalloc(propdb->r->pool, sizeof(*priv));
> >  }
> >  priv = elem->priv;
> >
> >
> >
> >
>


Re: Announce missing - in moderation?

2018-09-25 Thread Private LIst Moderation
Hi Daniel,

I've looked in the moderation queue and did not find the announce@ moderation 
email.

Craig

> On Sep 25, 2018, at 7:00 AM, Daniel Ruggeri  wrote:
> 
> Infra points out it's easier to just resend than to dig out the message they 
> found on the server. I've sent again - receiving these confirmations:
> 
> < 235 2.7.0 Authentication successful
>> MAIL FROM: SIZE=2919
> < 250 2.1.0 Ok
>> RCPT TO:
> < 250 2.1.5 Ok
>> DATA
> < 354 End data with .
> } [data not shown]
> * We are completely uploaded and fine
> < 250 2.0.0 Ok: queued as EB77F2332
> 
> < 235 2.7.0 Authentication successful
>> MAIL FROM: SIZE=874
> < 250 2.1.0 Ok
>> RCPT TO:
> < 250 2.1.5 Ok
>> DATA
> < 354 End data with .
> } [data not shown]
> * We are completely uploaded and fine
> < 250 2.0.0 Ok: queued as 9B4B1E1B
> 
> I've also added Craig here as he was unable to find the message sent to 
> announce@a.o - with luck, these won't vanish, but at least this time I have 
> the message IDs...
> -- 
> Daniel Ruggeri
> 
> On 2018-09-24 16:59, Daniel Ruggeri wrote:
>> Yes, I sent via curl (true story, you can send email with curl)
>> directly to the relay service and authenticated with my ASF
>> credentials. I had checked in with Infra here at ACNA and they saw
>> *something* that looked like my message. I'll check in with them
>> again.
>> Thanks, folks
>> --
>> Daniel Ruggeri
>> On September 24, 2018 3:07:00 PM EDT, William A Rowe Jr
>>  wrote:
>>> I'm seeing no announce@httpd moderation request. (I am not an
>>> annou...@apache.org moderator.)
>>> Did you send from your @apache.org [1] avail-id through the ASF
>>> server? It would
>>> be rejected for non-apache and for mismatched SPF records.
>>> On Mon, Sep 24, 2018 at 9:16 AM Daniel Ruggeri 
>>> wrote:
 Hi, all;
 I sent the announce message for 2.4.35, but haven't received it
 myself. I didn't get errors sending that I am aware of. Perhaps it
 is in moderation? If not, I can check in with infra to see if
 mail-relay.a.o ate it.
 Thanks
 --
 Daniel Ruggeri
>> Links:
>> --
>> [1] http://apache.org
> 

Craig L Russell
Secretary, Apache Software Foundation
c...@apache.org  http://db.apache.org/jdo 



Re: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

2018-09-25 Thread Barry Pollard
I'm confused.

Why are there no changes to mod_http2 mentioned in
http://www.apache.org/dist//httpd/CHANGES_2.4.35 to presumably address this CVE?
Or does one of the other changes cover this? (Not as far as I can see but could 
be wrong).
In previous changes files (e.g. http://www.apache.org/dist//httpd/CHANGES_2.4.34)
these were listed at the top of the changes file.

Also, should this not be mentioned in
https://httpd.apache.org/security/vulnerabilities_24.html?
Apologies if I've jumped the gun and this is still in progress.

I imagine CVEs are of special notice so think this should be corrected ASAP if 
possible.

Thanks,
Barry

From: Daniel Ruggeri 
Sent: 25 September 2018 15:08
To: annou...@httpd.apache.org; secur...@httpd.apache.org; 
oss-secur...@lists.openwall.com
Subject: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames


CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.34

Description:
By sending continuous, large SETTINGS frames a client can occupy a
connection, server thread and CPU time without any connection timeout
coming to effect.
This affects only HTTP/2 connections. A possible mitigation is to
not enable the h2 protocol.

Mitigation:
All httpd users should upgrade to 2.4.35 or later.

Credit:
The issue was discovered by Gal Goldshtein of F5 Networks.

References:
https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhttpd.apache.org%2Fsecurity%2Fvulnerabilities_24.html&data=02%7C01%7C%7Ca3d01e3540b3447d878e08d622f05406%7C84df9e7fe9f640afb435%7C1%7C0%7C636734812921626527&sdata=SRwgGW5AtKqX26veuxpLRACBsEZYQme5%2BYVlXcbj46k%3D&reserved=0
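
The advisory's two conditions (a version in 2.4.17 to 2.4.34, and the h2 protocol enabled) as a local check; this is an added example, not part of the original thread or of httpd. The function names, the sample banner and the sample configs are constructed; `Protocols` and its `http/1.1` default are httpd's own.

```python
import re

# Affected range as stated in the advisory: httpd 2.4.17 to 2.4.34.
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 34)


def parse_version(banner):
    """Extract (major, minor, patch) from text such as `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache/x.y.z version in %r" % banner)
    return tuple(int(part) for part in m.groups())


def h2_enabled(config_text):
    """True if any Protocols directive lists h2 or h2c.

    Simplification: every Protocols line is examined regardless of the
    <VirtualHost> it sits in. With no Protocols directive httpd defaults
    to http/1.1 only, so the answer is False.
    """
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        # Exact match on the directive name: ProtocolsHonorOrder must not count.
        if tokens[0].lower() == "protocols":
            if any(t.lower() in ("h2", "h2c") for t in tokens[1:]):
                return True
    return False


def assess(banner, config_text):
    """Combine both advisory conditions into one verdict string."""
    version = parse_version(banner)
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not affected"
    if h2_enabled(config_text):
        return "exposed: affected version with h2 enabled"
    return "affected version, h2 not enabled"


# Constructed sample inputs.
SAMPLE_BANNER = "Server version: Apache/2.4.29 (Unix)"
SAMPLE_H2_CONF = "Listen 443\nProtocols h2 http/1.1\nProtocolsHonorOrder On\n"
SAMPLE_H1_CONF = "Listen 443\n# Protocols h2 http/1.1\nProtocolsHonorOrder On\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_H2_CONF))
    print(assess(SAMPLE_BANNER, SAMPLE_H1_CONF))
    print(assess("Server version: Apache/2.4.35 (Unix)", SAMPLE_H2_CONF))
```
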



Re: Announce missing - in moderation?

2018-09-25 Thread Daniel Ruggeri
Infra points out it's easier to just resend than to dig out the message 
they found on the server. I've sent again - receiving these 
confirmations:


< 235 2.7.0 Authentication successful

MAIL FROM: SIZE=2919

< 250 2.1.0 Ok

RCPT TO:

< 250 2.1.5 Ok

DATA

< 354 End data with .
} [data not shown]
* We are completely uploaded and fine
< 250 2.0.0 Ok: queued as EB77F2332

< 235 2.7.0 Authentication successful

MAIL FROM: SIZE=874

< 250 2.1.0 Ok

RCPT TO:

< 250 2.1.5 Ok

DATA

< 354 End data with .
} [data not shown]
* We are completely uploaded and fine
< 250 2.0.0 Ok: queued as 9B4B1E1B

I've also added Craig here as he was unable to find the message sent to 
announce@a.o - with luck, these won't vanish, but at least this time I 
have the message IDs...

--
Daniel Ruggeri

On 2018-09-24 16:59, Daniel Ruggeri wrote:

Yes, I sent via curl (true story, you can send email with curl)
directly to the relay service and authenticated with my ASF
credentials. I had checked in with Infra here at ACNA and they saw
*something* that looked like my message. I'll check in with them
again.

Thanks, folks
--
Daniel Ruggeri

On September 24, 2018 3:07:00 PM EDT, William A Rowe Jr
 wrote:


I'm seeing no announce@httpd moderation request. (I am not an
annou...@apache.org moderator.)

Did you send from your @apache.org [1] avail-id through the ASF
server? It would
be rejected for non-apache and for mismatched SPF records.

On Mon, Sep 24, 2018 at 9:16 AM Daniel Ruggeri 
wrote:


Hi, all;
I sent the announce message for 2.4.35, but haven't received it
myself. I didn't get errors sending that I am aware of. Perhaps it
is in moderation? If not, I can check in with infra to see if
mail-relay.a.o ate it.

Thanks
--
Daniel Ruggeri



Links:
--
[1] http://apache.org




Re: Review

2018-09-25 Thread Andrei Ivanov
On Tue, Sep 25, 2018 at 1:25 PM, Graham Leggett  wrote:

> On 25 Sep 2018, at 12:17, Andrei Ivanov  wrote:
>
> I'm trying again to bring this to your attention, hoping that you might
> have a bit of time to take a look at the following changes made by Yann and
> possibly get them into 2.4.x.
>
> http://svn.apache.org/r1810605
>
> http://svn.apache.org/r1811104
> http://svn.apache.org/r1811105
>
>
> Definitely keen to backport these to v2.4, but they need docs updates
> before they can be.
>
> Well, maybe Yann wants to know if the implementation is acceptable to the
other developers before writing any docs :-)


> I hope I didn't break any etiquette rules with this message :-)
>
>
> Not at all :)
>
> Regards,
> Graham
> —
>
>


Re: Review

2018-09-25 Thread Graham Leggett
On 25 Sep 2018, at 12:17, Andrei Ivanov  wrote:

> I'm trying again to bring this to your attention, hoping that you might have 
> a bit of time to take a look at the following changes made by Yann and 
> possibly get them into 2.4.x.
> 
> http://svn.apache.org/r1810605 
> http://svn.apache.org/r1811104 
> 
> http://svn.apache.org/r1811105  

Definitely keen to backport these to v2.4, but they need docs updates before 
they can be.

> I hope I didn't break any etiquette rules with this message :-)

Not at all :)

Regards,
Graham
—





Review

2018-09-25 Thread Andrei Ivanov
Hi,
I'm trying again to bring this to your attention, hoping that you might
have a bit of time to take a look at the following changes made by Yann and
possibly get them into 2.4.x.

http://svn.apache.org/r1810605
http://svn.apache.org/r1811104
http://svn.apache.org/r1811105

I hope I didn't break any etiquette rules with this message :-)

Thank you