Re: [ANNOUNCE] mod_perl-2.0.11
On 10/16/19 5:55 AM, André Warnier (tomcat) wrote: > On 16.10.2019 05:57, Randolf Richardson wrote: > The change is drastic. The best perl documentation resource in that > respect may be > https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod This keeps coming up. If someone wants to scrape those docs and include them in the mod_perl dist, you have my full blessing to do so. My time is somewhat limited due to family life and job at present, and I'm honestly not sure who to contact to get this done. Regards, Michael Schout (AuthCookie maintainer)
Re: [ANNOUNCE] mod_perl-2.0.11
On 16.10.2019 05:57, Randolf Richardson wrote: Before upgrading from Apache HTTPd v2.2 to v2.4, I highly recommend refreshing your familiarity with the Order, Allow, and Require directives. Also, if you're doing any authentication customization, you'll want to take extra care with testing this as I believe the authentication modules may have changed quite a bit too. +many. The change is drastic. The best perl documentation resource in that respect may be https://metacpan.org/pod/distribution/Apache-AuthCookie/README.apache-2.4.pod In very short summary : In Apache up to 2.2, there were 3 distinct and consecutive phases, and corresponding mod_perl handlers : - Access Control --> PerlAccessHandler - Authentication --> PerlAuthenHandler - Authorization --> PerlAuthzHandler Since Apache 2.4, this is replaced by the following schema : - the Access Control phase (and corresponding PerlAccessHandler handler) has disapparead, and has been merged as just one specific case of the "Authorization" phase. - the "Authorization" phase is always called first, and IF it determines that a user-id is needed in order to authorize access, THEN (and only then) it calls the "Authentication" module which is configured for this particular request (URL). (Thus the "PerlAuthenHandler" directive and modules are still valid). And then, the "Authorization" phase is called again, until it returns either "granted" or "denied". Finally, the "PerlAuthzHandler" directive has also disappeared, and one has to use the "PerlAddAuthzProvider" directive instead (depending on the "Require"'s). Unfortunately, the on-line mod_perl documentation does not reflect this change, and is still at the Apache 2.2 level for AAA. Unfortunately also, I have not been able so far to locate any Apache httpd 2.4 documentation which explains this AAA change in any level of detail. (This should exist somewhere, as all the providers of Apache AAA modules have had to adapt their code to this new architecture, but i haven't found it yet).
Re: [ANNOUNCE] mod_perl-2.0.11
> Edward J. Sabol wrote: > > Except we're actually upgrading from Apache 2.2.34 to 2.4.41, and all the > > tests pass with 2.2.34 (I just ran them again and verified this), so this > > is kind of a new issue for us, but I'm happy to trust in the experiences of > > other folks who have running using mod_perl with Apache 2.4.x. > > We also run mp2 with httpd 2.2. should we upgrade to httpd 2.4 for > better performance? I'm using Apache HTTPd v2.4.29 with ModPerl 2.0.10 in production without any major problems. We're also using PostgreSQL DBD with DBI and ImageMagick, plus much more, but I mention these because DBI and ImageMagick are particularly significant modules for a lot of sites. I have noticed an improvement in performance, but it wasn't like with switching from Apache HTTPd v1.3 to v2.0 many years ago, which, as I recall, was a drastic improvement. Before upgrading from Apache HTTPd v2.2 to v2.4, I highly recommend refreshing your familiarity with the Order, Allow, and Require directives. Also, if you're doing any authentication customization, you'll want to take extra care with testing this as I believe the authentication modules may have changed quite a bit too. Upgrading to 2.4 from 2.2 https://httpd.apache.org/docs/current/upgrading.html I hope this helps. Randolf Richardson - rand...@inter-corporate.com Inter-Corporate Computer & Network Services, Inc. Beautiful British Columbia, Canada https://www.inter-corporate.com/
Re: [ANNOUNCE] mod_perl-2.0.11
On Oct 12, 2019, at 4:09 AM, Wesley Peng wrote: > Edward J. Sabol wrote: >> Except we're actually upgrading from Apache 2.2.34 to 2.4.41, and all the >> tests pass with 2.2.34 (I just ran them again and verified this), so this >> is kind of a new issue for us, but I'm happy to trust in the experiences of >> other folks who have running using mod_perl with Apache 2.4.x. > > We also run mp2 with httpd 2.2. should we upgrade to httpd 2.4 for better > performance? I have no idea. We're upgrading to httpd 2.4.x for security reasons, not performance reasons. Regards, Ed
Re: [ANNOUNCE] mod_perl-2.0.11
Edward J. Sabol wrote: Except we're actually upgrading from Apache 2.2.34 to 2.4.41, and all the tests pass with 2.2.34 (I just ran them again and verified this), so this is kind of a new issue for us, but I'm happy to trust in the experiences of other folks who have running using mod_perl with Apache 2.4.x. We also run mp2 with httpd 2.2. should we upgrade to httpd 2.4 for better performance? regards.
Re: [ANNOUNCE] mod_perl-2.0.11
On Oct 11, 2019, at 3:59 PM, Steve Hay wrote: >> Is the consensus that these test failures are innocuous and >> it's OK to upgrade anyway? > > I believe so, especially since the same failures existed in 2.0.9 and > 2.0.10, so at least aren't a new issue if that's what you're upgrading > from. Except we're actually upgrading from Apache 2.2.34 to 2.4.41, and all the tests pass with 2.2.34 (I just ran them again and verified this), so this is kind of a new issue for us, but I'm happy to trust in the experiences of other folks who have running using mod_perl with Apache 2.4.x. Thanks, Ed
Re: [ANNOUNCE] mod_perl-2.0.11
On Fri, 11 Oct 2019 at 20:49, Edward J. Sabol wrote: > > Hello. I'm seeing the same failures in > > t/filter/in_bbs_inject_header.t (Wstat: 0 Tests: 36 Failed: 3) > Failed tests: 22, 26, 30 > > that others reported with the release candidates. Those are > the only failures. This is when building with Apache 2.4.41 on > RHEL. All tests pass if I build with Apache 2.2.34 instead. > > Is the consensus that these test failures are innocuous and > it's OK to upgrade anyway? > I believe so, especially since the same failures existed in 2.0.9 and 2.0.10, so at least aren't a new issue if that's what you're upgrading from.
Re: [ANNOUNCE] mod_perl-2.0.11
Hello. I'm seeing the same failures in t/filter/in_bbs_inject_header.t (Wstat: 0 Tests: 36 Failed: 3) Failed tests: 22, 26, 30 that others reported with the release candidates. Those are the only failures. This is when building with Apache 2.4.41 on RHEL. All tests pass if I build with Apache 2.2.34 instead. Is the consensus that these test failures are innocuous and it's OK to upgrade anyway? Thanks, Ed
Re: [ANNOUNCE] mod_perl-2.0.11
Hurray ! and thanks. On 05.10.2019 13:57, Steve Hay wrote: We are pleased to announce the release of mod_perl 2.0.11. mod_perl is an Apache HTTP Server module for embedding a Perl interpreter in your web server, giving you super-fast dynamic content by avoiding the overhead of starting an external interpreter. This release is now, or soon will be, available for download from a mirror site near you via: http://perl.apache.org/download/index.html or in the meantime directly from: http://apache.org/dist/perl/ https://metacpan.org/release/SHAY/mod_perl-2.0.11 Checksums for this release are: MD5 = 897708961bcc079b53c91860f95a2b59 SHA1 = 7606ab4862605a72db4b51d2e498588305b45719 Major changes in this release are as follows: Fix t/modules/apache_resource.t failures [Steve Hay] Fix [CVE-2011-2767] Arbitrary Perl code execution in the context of the user account via a user-owned .htaccess. Patch from bugs.debian.org #644169. [Jan Ingvoldstad ] Fix potential test suite hangs due to pipelined response deadlocks. Patch from rt.cpan.org #82409. [Zefram ] Fix t/compat/request.t failures [Steve Hay] Fix use-after-free segfault in ap_server_config_defines seen on start-up on OpenBSD. [Found/fixed by Sam Vaughan/Joe Orton] Fix build with Perls earlier than 5.13.6. [Rainer Jung ] Fix filter/in_bbs_inject_header.t test failure with Apache 2.4.25+. [Stefan Fritsch ] Fix apache/read.t test failure with Apache 2.4.25+. [Niko Tyni ]
Re: [ANNOUNCE] mod_perl-2.0.11
Congrats on every new release of mod Perl world. Thanks for all your hard work. Regards, Wesley Peng > Am Oct 5, 2019 - 7:55 PM schrieb steve...@apache.org: > > > We are pleased to announce the release of mod_perl 2.0.11. > > mod_perl is an Apache HTTP Server module for embedding a Perl > interpreter in your web server, giving you super-fast dynamic content > by avoiding the overhead of starting an external interpreter. > > This release is now, or soon will be, available for download from a > mirror site near you via: > > http://perl.apache.org/download/index.html > > or in the meantime directly from: > > http://apache.org/dist/perl/ > https://metacpan.org/release/SHAY/mod_perl-2.0.11 > > Checksums for this release are: > > MD5 = 897708961bcc079b53c91860f95a2b59 > SHA1 = 7606ab4862605a72db4b51d2e498588305b45719 > > Major changes in this release are as follows: > > Fix t/modules/apache_resource.t failures [Steve Hay] > > Fix [CVE-2011-2767] Arbitrary Perl code execution in the context of > the user account via a user-owned .htaccess. Patch from > bugs.debian.org #644169. [Jan Ingvoldstad > ] > > Fix potential test suite hangs due to pipelined response deadlocks. > Patch from rt.cpan.org #82409. [Zefram ] > > Fix t/compat/request.t failures [Steve Hay] > > Fix use-after-free segfault in ap_server_config_defines seen on > start-up on OpenBSD. [Found/fixed by Sam Vaughan/Joe Orton] > > Fix build with Perls earlier than 5.13.6. [Rainer Jung > ] > > Fix filter/in_bbs_inject_header.t test failure with Apache 2.4.25+. > [Stefan Fritsch ] > > Fix apache/read.t test failure with Apache 2.4.25+. [Niko Tyni > ] >