Security announcements for CVE-2020-9490/CVE-2020-11993?

2020-08-08 Thread Stefan Fritsch
Hi, on https://httpd.apache.org/security/vulnerabilities_24.html , both CVE-2020-9490 and CVE-2020-11993 have the Subject "Push Diary Crash on Specifically Crafted HTTP/2 Header". Shouldn't the Subject for CVE-2020-11993 be something like "memory corruption due to concurrent log pool usage"? Or

CVE-2019-10097 vs. CHANGEs entry

2019-08-17 Thread Stefan Fritsch
Hi, Shouldn't CVE-2019-10097 be listed under 2.4.41, too? Cheers, Stefan --- httpd/httpd/branches/2.4.x/CHANGES 2019/08/14 20:43:00 1865188 +++ httpd/httpd/branches/2.4.x/CHANGES 2019/08/14 20:52:45 1865189 @@ -1,8 +1,39 @@ -*-

Re: svn commit: r1406495 - in /httpd/httpd/trunk: CHANGES include/http_config.h server/core.c

2017-07-16 Thread Stefan Fritsch
On Tuesday, 11 July 2017 15:20:44 CEST Eric Covener wrote: > Does anyone recall what kind of directives were misbehaving? Sorry, I don't remember. But maybe all directives that expect useful information in cmd_parms->path ? This is always "*If" in If-Sections. Cheers, Stefan > It seems > like

Re: Problems using Apache::Test on Debian (and Ubuntu)

2017-03-07 Thread Stefan Fritsch
On Tuesday, 7 March 2017 12:56:04 CET William A Rowe Jr wrote: > My comment was that having an alternate target name, e.g. httpd.prefork > or httpd.worker ends up resulting in $prefix/conf/httpd.prefork.conf as the > derived config file name (although that file is actually httpd.conf). The > fact

Re: Problems using Apache::Test on Debian (and Ubuntu)

2017-03-07 Thread Stefan Fritsch
On Tuesday, 7 March 2017 11:17:57 CET Eric Covener wrote: > On Tue, Mar 7, 2017 at 10:32 AM, William A Rowe Jr wrote: > > It seems we should have the framework process the bin/envvars (in the > > normal path, or /etc/apache2 in this case)... but that should be based > > on

Re: Problems using Apache::Test on Debian (and Ubuntu)

2017-03-06 Thread Stefan Fritsch
On Friday, 3 March 2017 22:59:10 CET Sam Tregar wrote: > Hello all. I've been working on getting Apache::Test running on Debian and > it's not going well. One problem seems to be that Debian's system Apache > conf is not named what Apache::Test thinks it should be named (apache2.conf > vs

Is mpm_event missing allocator mutexes?

2017-02-05 Thread Stefan Fritsch
Hi, I may be missing something but this looks wrong to me: apr_allocator uses a mutex to be thread safe. Pools use this mutex also to protect sub-pool creation, cleanup registering, etc. When apr creates the initial allocator and global_pool in apr_pool_initialize(), it also creates a mutex

Re: Post 2.4.25

2016-12-30 Thread Stefan Fritsch
On Saturday, 24 December 2016 08:29:35 CET Rich Bowen wrote: > From my perspective, watching Nginx gain traction through superior > marketing, and channeling Dilbert's Pointy Haired Boss in assuming that > everything which I have never done must be simple, I, for one, would > like to see us

Automated tests

2016-12-30 Thread Stefan Fritsch
Hi, it's quite rare that I have a bit of time for httpd nowadays. But I want to comment on a mail that Jacob Champion wrote on -security that contains some valid points about the lack of our test framework. I am posting this to -dev with his permission. On Wednesday, 21 December 2016

Re: Async write completion broken in trunk?

2016-09-18 Thread Stefan Fritsch
Hi Graham, On Wed, 14 Sep 2016, Graham Leggett wrote: > On 06 Sep 2016, at 12:06 AM, Stefan Fritsch <s...@sfritsch.de> wrote: > > > in trunk, when having a lot of slow long running transfers, most of them > > seem > > to hog a thread and only a few of them go in

Async write completion broken in trunk?

2016-09-05 Thread Stefan Fritsch
Hi, in trunk, when having a lot of slow long running transfers, most of them seem to hog a thread and only a few of them go into async write completion mode. Compare this to 2.4, where many transfers are doing async write completion and only a small number of threads are busy. Is this a known

Re: [Bug 53555] Scoreboard full error with event/ssl

2016-09-05 Thread Stefan Fritsch
On Tuesday, 14 June 2016 17:31:50 CEST Eric Covener wrote: > On Wed, Apr 13, 2016 at 6:27 PM, Stefan Fritsch <s...@sfritsch.de> wrote: > > Maybe it would be better to remove the logic to re-use scoreboard > > slots of processes which have already terminated some threads. >

Re: Improving logs to make AUTH_DENIES easy to understand and fix

2016-08-19 Thread Stefan Fritsch
Hi, sorry for the late response. On Wednesday, 18 May 2016 02:12:39 CEST Tianyin Xu wrote: > I propose to apply the same good practices (such as mod_authz_owner & > mod_authz_dbm) to all the authn/authz modules. Basically, I want to add log > messages before each AUTHN/Z_DENIES to pinpoint: > >

New segfault with 2.4.20 with mod_perl

2016-04-13 Thread Stefan Fritsch
Hi, I got a report about a new crash in mod_perl tests with 2.4.20: (gdb) bt #0 apr_getnameinfo (hostname=hostname@entry=0x7fd4461ee368, sockaddr=0x0, flags=flags@entry=0) at /tmp/buildd/apr-1.5.2/network_io/unix/sockaddr.c:663 #1 0x55feaf0f513a in ap_get_useragent_host

Re: [Bug 53555] Scoreboard full error with event/ssl

2016-04-13 Thread Stefan Fritsch
On Monday 11 April 2016 18:12:43, Eric Covener wrote: > On Mon, Apr 11, 2016 at 4:59 PM, wrote: > > ServerLimit >= 10 * MaxRequestWorkers / ThreadsPerChild > > Hi Stefan -- I am curious -- prior to the recent patches, just > having the extra capacity in ServerLimit didn't

Re: Feedback needed: suexec different-owner patch

2016-04-02 Thread Stefan Fritsch
On Friday 01 April 2016 14:03:12, montt...@heavyspace.ca wrote: > On 2016-03-30 16:35, Jacob Champion wrote: > >> Sorry, but that is not a good approach. You must assume that a > >> local attacker calls suexec directly and passes arguments of his > >> liking. That is the attack vector that

Re: Feedback needed: suexec different-owner patch

2016-03-30 Thread Stefan Fritsch
On Saturday 19 March 2016 11:09:40, montt...@heavyspace.ca wrote: > Since its been a while since this issue was mentioned, this patch > allows Apache to suexec files by a different (but still restricted > by UID) owner, to avoid the security issue where apache forces you > to suexec to files it

Re: [PATCH] Add "FreeListen" to support IP_FREEBIND

2016-03-30 Thread Stefan Fritsch
On Tuesday 29 March 2016 07:26:06, Jan Kaluža wrote: > > I am not against the freebind feature as such, it's useful for > > failover solutions/VRRP/etc. But I am strictly against advertising > > this as a workaround for broken systemd design. > > We do not advertise it publicly as a workaround

Re: [PATCH] Add "FreeListen" to support IP_FREEBIND

2016-03-28 Thread Stefan Fritsch
On Monday 07 March 2016 12:41:25, Jan Kaluža wrote: > This is needed for httpd startup with systemd when one wants to use > particular IP address to bind. There is no way how to start httpd > after the IP address has been configured in systemd and according > to systemd developers, the

Re: DER encoded cert no longer supported in 2.4 since 2.4.8

2015-12-05 Thread Stefan Fritsch
On Friday 04 December 2015 11:01:41, William A Rowe Jr wrote: > > IMHO documenting the change would be enough. > > That's a good start for anyone tripping over 2.4.8-2.4.x, whether > it is fixed or not. Personally, I didn't know DER was supported. The docs only speak about PEM, too. I agree

Update bugzilla for 2.4.17

2015-10-24 Thread Stefan Fritsch
Hi, can anyone with bugzilla fu please add 2.4.17 and mod_http2 to the bugzilla selections? Thanks. Cheers, Stefan

Re: Expression Parser: search and replace with s/PATTERN/REPLACEMENT/FLAGS

2015-10-05 Thread Stefan Fritsch
On Sunday 04 October 2015 12:51:13, Graham Leggett wrote: > On 04 Oct 2015, at 12:46 PM, Rainer Jung wrote: > > Yes, I agree. When starting to think closer, I noticed that the > > string mode currently only supports a syntax that is pretty > > different from the boolean

Re: Supporting "SSL:" in the expression parser via mod_ssl

2015-10-05 Thread Stefan Fritsch
On Wednesday 30 September 2015 23:26:30, Rainer Jung wrote: > I noticed that currently the expression parser in 2.4/trunk does not > support the SSL:VARIABLE lookups that mod_rewrite supports. > > The expression parser uses ":" as an alternative function call > syntax, so HTTP:VARIABLE is the

Re: [Bug 53555] Scoreboard full error with event/ssl

2015-10-05 Thread Stefan Fritsch
Moving the discussion to dev@ On Monday 05 October 2015 22:40:15, bugzi...@apache.org wrote: > https://bz.apache.org/bugzilla/show_bug.cgi?id=53555 > > --- Comment #25 from Yann Ylavic <ylavic@gmail.com> --- > (In reply to Stefan Fritsch from comment #24) > > > (I

Re: Expression Parser: search and replace with s/PATTERN/REPLACEMENT/FLAGS

2015-10-04 Thread Stefan Fritsch
On Thursday 01 October 2015 13:55:40, Rainer Jung wrote: > On 01.10.2015 at 12:31, Graham Leggett wrote: > > On 01 Oct 2015, at 12:26 PM, Rainer Jung wrote: > >> Since it gets more common to use the expression parser for string > >> operations and not only for boolean

Re: mod_macro New in 2.4

2015-02-17 Thread Stefan Fritsch
On Monday 16 February 2015 17:53:11, Tom Browder wrote: > As far as I can tell mod_macro is new in 2.4 yet I cannot find it mentioned in new features. I think it is well worth advertising since it has simplified multiple virtual hosting immensely. It has been introduced later, in 2.4.5 (see

Blacklisting HTTP_PROXY variable for CGIs?

2015-02-01 Thread Stefan Fritsch
Hi, there are several programs that honor the HTTP_PROXY environment variable in upper case. This is of course problematic if such programs are called inside CGIs because the variable can be set by an attacker via the Proxy: header. It goes without question that all these programs need to be

Re: Proposed simple shell-shock protection

2014-10-19 Thread Stefan Fritsch
On Thursday 16 October 2014 02:38:15, Marian Marinov wrote: > I just want to point out that () is not the only possible string. Actually what you want to catch is something like this: ^\(.*\) I don't think so. Where did you get that information?

Re: Proposed simple shell-shock protection

2014-09-29 Thread Stefan Fritsch
On Monday 29 September 2014 10:07:40, Nick Kew wrote: > Yes. It's catching potential attacks in r->headers_in. The rest is paranoia-mode afterthoughts: PATH_INFO/QUERY_STRING because they could contain something interesting, subprocess_env just because it's there (there's a code comment about

Re: Question about APLOGNO

2014-07-22 Thread Stefan Fritsch
On Saturday 19 July 2014 20:04:09, Christophe JAILLET wrote: Using the following regex: ap_log_.?error.*(_ERR|_EMERG|_CRIT)[^A]*$ many places with missing APLOGNO can be found. There are some false positives because the [^A]* at the end of the regex is here to check, in a more or less

Affected versions for CVE-2014-0098

2014-03-30 Thread Stefan Fritsch
Hi, I have been looking at backporting the cookie issue fix, and it looks to me that it was introduced in http://svn.apache.org/viewvc?view=revision&revision=r1374538 http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/loggers/mod_log_config.c?r1=1374538&r2=1374537&pathrev=1374538

Re: [VOTE] obscuring (or not) commit logs/CHANGES for fixes to vulnerabilities

2014-01-12 Thread Stefan Fritsch
On Friday, 10 January 2014, 08:38:51, Jeff Trawick wrote: [X] It is mandatory to provide best available description and any available tracking information when committing fixes for vulnerabilities to any branch, delaying committing of the fix if the information shouldn't be provided yet.

Re: svn commit: r1554300 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/ap_regex.h include/http_core.h modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h server/core.c server/request.c ser

2014-01-01 Thread Stefan Fritsch
On Monday, 30 December 2013, 19:50:53, minf...@apache.org wrote: Author: minfrin Date: Mon Dec 30 19:50:52 2013 New Revision: 1554300 URL: http://svn.apache.org/r1554300 Log: core: Support named groups and backreferences within the LocationMatch, DirectoryMatch, FilesMatch and

Re: svn commit: r1554300 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/ap_regex.h include/http_core.h modules/proxy/mod_proxy.c modules/proxy/mod_proxy.h server/core.c server/request.c ser

2014-01-01 Thread Stefan Fritsch
On Wednesday, 1 January 2014, 14:06:17, Graham Leggett wrote: Maybe making ap_regname() accept an optional prefix string that is prepended to each name would be a good idea? Maybe the use in LocationMatch and friends should add some prefix to the names? Like m_ or match_ or m:?

Re: mod_dav: Can dav be enabled in the root / location?

2013-12-30 Thread Stefan Fritsch
On Monday, 30 December 2013, 16:48:51, Graham Leggett wrote: > I am currently struggling to turn mod_dav on. In theory, it is just Dav on, but in practice I am getting a 405 Method Not Allowed in response to PROPFIND, and nothing in the error_log to give a clue that anything is wrong. Having

digest auth is not really more secure than basic auth (Fwd: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml)

2013-12-30 Thread Stefan Fritsch
Does anyone disagree with the below change (not yet merged to 2.x branches)? There is a similar paragraph in howto/auth.xml that I intend to remove. -- Author: sf Date: Mon Dec 30 16:49:31 2013 New Revision: 1554276 URL: http://svn.apache.org/r1554276 Log: digest auth is only

Re: mod_dav: Can dav be enabled in the root / location?

2013-12-30 Thread Stefan Fritsch
On Monday, 30 December 2013, 19:04:53, Graham Leggett wrote: > The first is there is no way to switch mod_dir off - you add the module that means on. If you need the module on in one virtual host, but off in another you're stuffed. Doesn't DirectoryIndex disabled do the trick?

Re: svn commit: r1554276 - /httpd/httpd/trunk/docs/manual/mod/mod_auth_digest.xml

2013-12-30 Thread Stefan Fritsch
On Monday, 30 December 2013, 18:11:56, Reindl Harald wrote: On 30.12.2013 18:07, Graham Leggett wrote: On 30 Dec 2013, at 6:58 PM, Stefan Fritsch s...@sfritsch.de wrote: Does anyone disagree with the below change (not yet merged to 2.x branches)? There is a similar paragraph in howto

Re: module log id missing for main.c

2013-11-23 Thread Stefan Fritsch
> be correct for anything logged from inside main.c. I'd say yes. There is r952783: === Author: Stefan Fritsch s...@apache.org Date: Tue Jun 8 19:30:24 2010 + remove APLOG_USE_MODULE from main.c: It causes build problems on Windows and the ap_log* calls

Re: svn commit: r1542615 - /httpd/httpd/trunk/build/config-stubs

2013-11-19 Thread Stefan Fritsch
Hi Rainer, On Sunday, 17 November 2013, 12:47:53, Rainer Jung wrote: URL: http://svn.apache.org/r1542615 Log: Explicitly list in which directories to look for config*.m4 files. --- httpd/httpd/trunk/build/config-stubs (original) +++ httpd/httpd/trunk/build/config-stubs Sat Nov

Re: error log providers, multiple vhosts, mod_syslog

2013-11-17 Thread Stefan Fritsch
On Tuesday, 12 November 2013, 13:33:23, Jan Kaluža wrote: > I think LDAPLibraryDebug is one user of stderr going to the error log. As the logging is done by the ldap library, there is really no way to change it. But I guess it would be acceptable if that works only if logging to a file

Re: Question on APLOGNO assignment, 2.4 vs trunk

2013-11-12 Thread Stefan Fritsch
On Tuesday, 12 November 2013, 23:44:08, Graham Leggett wrote: On 12 Nov 2013, at 11:41 PM, William A. Rowe Jr. wrowe@rowe-clan.net wrote: Trying to apply http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?r1=1527925&r2=1527924&pathrev=1527925 ... there is

Re: error log providers, multiple vhosts, mod_syslog

2013-11-11 Thread Stefan Fritsch
On Thu, 7 Nov 2013, Joe Orton wrote: On Thu, Oct 17, 2013 at 12:33:50PM +, Plüm, Rüdiger, Vodafone Group wrote: Hmm. This points out another issue when using an error log provider for the main server log: We lose everything that the server or other programs like CGI-scripts write

Re: mod_ssl: why do we flush on EOS in ssl_io_filter_output()?

2013-11-11 Thread Stefan Fritsch
On Mon, 4 Nov 2013, Graham Leggett wrote: Looking a little bit deeper, we find the following: - The event MPM seems to want to perform write completion on the very last filter in the chain only, which seems completely arbitrary - why should another filter (like mod_ssl) be prevented from

Re: uds support

2013-10-15 Thread Stefan Fritsch
On Mon, 14 Oct 2013, Jim Jagielski wrote: On Oct 14, 2013, at 10:09 AM, Plüm, Rüdiger, Vodafone Group ruediger.pl...@vodafone.com wrote: Which one? sock://var/run/server.sock|http://localhost/foo/bar or http://localhost/foo/bar|sock:/var/run.s.sock I guess we could

Re: Forbid directive in core?

2013-09-29 Thread Stefan Fritsch
On Saturday, 28 September 2013, 09:19:28, Eric Covener wrote: > I've come back to this because I've struggled in another area with access_checker vs. access_checker_ex. I really think we need basic access control outside of Require and Satisfy. I have a copy of the Forbidden directive in

Re: r1470679, async write completion, non blocking writes, and mod_ssl

2013-08-15 Thread Stefan Fritsch
On Thursday, 15 August 2013, 02:36:25, Graham Leggett wrote: On 14 Aug 2013, at 22:43, Stefan Fritsch s...@sfritsch.de wrote: Unfortunately, I haven't been able to trigger the new code path in mod_ssl being actually used. Do you have any example setup/situation, where

Re: r1470679, async write completion, non blocking writes, and mod_ssl

2013-08-15 Thread Stefan Fritsch
On Thursday, 15 August 2013, 10:45:25, Graham Leggett wrote: On 15 Aug 2013, at 09:56, Stefan Fritsch s...@sfritsch.de wrote: I have understood that. But I would have liked to see the sense code in action, but failed to trigger it. At least t/ssl/pr12355.t in the test suite uses

Re: breach attack

2013-08-07 Thread Stefan Fritsch
On Tuesday, 6 August 2013, 10:24:15, Paul Querna wrote: > 1) Disabling HTTP compression 2) Separating secrets from user input 3) Randomizing secrets per request 4) Masking secrets (effectively randomizing by XORing with a random secret per request) 5) Protecting vulnerable pages with CSRF

Re: r1470679, async write completion, non blocking writes, and mod_ssl

2013-08-05 Thread Stefan Fritsch
On Mon, 5 Aug 2013, Graham Leggett wrote: > Are you seeing a specific problem? Well, when I download a large file over a slow link, the request does not enter write completion state but rather the worker thread is still hogged for (nearly) the entire download. The way openssl's async behaviour

Re: r1470679, async write completion, non blocking writes, and mod_ssl

2013-08-05 Thread Stefan Fritsch
On Monday, 5 August 2013, 09:57:16, Jim Jagielski wrote: On Aug 5, 2013, at 4:00 AM, Stefan Fritsch s...@sfritsch.de wrote: An ideal solution would put the buffering/decision for blocking/non-blocking into ap_pass_brigade(). This way other filters like deflate could also be called

r1470679, async write completion, non blocking writes, and mod_ssl

2013-08-04 Thread Stefan Fritsch
Hi, I did some testing/reviewing of the ssl/event backport proposal * core, mod_ssl: Lift the restriction that prevents mod_ssl taking full advantage of the event MPM. Enable the ability for a module to reverse the sense of a poll event from a read to a write or vice versa. The

Re: Resolved (sort of): Struggling with AuthMerging

2013-08-03 Thread Stefan Fritsch
On Friday, 2 August 2013, 23:05:09, Ben Reser wrote: > If all of your authz/authn providers are using the CONF flag and you're getting duplicated authz processing for subrequests that have the same conf applied to them then it's possible there's a bug here. I haven't ever specifically looked

Re: mod_proxy, pooled backend connections and the keep-alive race condition

2013-08-03 Thread Stefan Fritsch
On Friday, 2 August 2013, 11:21:56, Eric Covener wrote: I think this does not work for GET requests or requests without a request body. Just re-read spec, you are right -- we are abusing this in a module as a sort of extended handshake even w/ no body, but not against heterogeneous

Re: Hey Steinar... Re: Revisiting the pre_htaccess hook

2013-07-24 Thread Stefan Fritsch
On Monday, 22 July 2013, 19:58:11, Steinar H. Gunderson wrote: On Wed, Jul 10, 2013 at 03:07:56PM -0400, Jeff Trawick wrote: I guess it seems to work in the earlier e-mail is the validation that the API is sufficient for MPM-ITK. I see that 2.4.6 has been released, with no mention of

Re: [PATCH 55178] mod_authnz_ldap SASL authentication support

2013-07-14 Thread Stefan Fritsch
Hi Lubomir, On Friday 12 July 2013, Lubomir Rintel wrote: > I have submitted the follow-up patches adding SASL authentication to LDAP modules. Some wise person on an IRC channel suggested that I'm breaking API and it's a good idea to take this to the list as an extra work might be needed.

Re: [VOTE] Release Apache httpd 2.4.5 as GA

2013-07-13 Thread Stefan Fritsch
On Thursday 11 July 2013, Jim Jagielski wrote: The pre-release test tarballs for Apache httpd 2.4.5 can be found at the usual place: http://httpd.apache.org/dev/dist/ I'm calling a VOTE on releasing these as Apache httpd 2.4.5 GA. NOTE: The -deps tarballs are included here *only* to

Re: [discuss] The 'RM' Baton [was VOTE]

2013-07-10 Thread Stefan Fritsch
On Wednesday 10 July 2013, William A. Rowe Jr. wrote: On Wed, 10 Jul 2013 21:18:06 +1000 Noel Butler noel.but...@ausics.net wrote: on holiday with a dog slow 3G vpn tonight, so I'll be brief (and won't see any replies until I return on Sunday...) I have never agreed with any release

Re: Whereforeartthou, 2.5.0?

2013-07-10 Thread Stefan Fritsch
On Wednesday 10 July 2013, William A. Rowe Jr. wrote: Jim Jagielski j...@jagunet.com wrote: In any case, I *am* concerned that we seem to have quite a bit of difficulty in getting 3 +1s a lot of the time and that the backport process from trunk to 2.4 is becoming more and more painful.

Re: Hey Steinar... Re: Revisiting the pre_htaccess hook

2013-07-10 Thread Stefan Fritsch
On Wednesday 10 July 2013, Steinar H. Gunderson wrote: > I don't like all that much having to duplicate the “official” hook (in particular the ap_make_full_path() call), but I guess it's better than what used to be there, and it's only two lines. Yes, that's the price to pay for the more

Re: [PATCH] mod_unique_id: use ap_random_insecure_bytes() to get unique ID

2013-07-09 Thread Stefan Fritsch
On Sunday 07 July 2013, Daniel Lescohier wrote: Another option: typedef struct { apr_uint32_t stamp; apr_uint32_t counter; apr_uint16_t stamp_fraction; char root[ROOT_SIZE]; } unique_id_rec; where ROOT_SIZE=8, and stamp_fraction is set on every request to

Re: [PATCH] mod_unique_id: use ap_random_insecure_bytes() to get unique ID

2013-07-09 Thread Stefan Fritsch
On Tuesday 09 July 2013, Joe Orton wrote: On Tue, Jul 09, 2013 at 10:00:19AM +0200, Jan Kaluza wrote: I agree 20 bytes could be too much. I have changed my patch to have only 10 bytes long root. I will check the Daniel's ideas mentioned in another mail in this thread and try to implement

proxy pool handling (was: svn commit: r1500437 - /httpd/httpd/trunk/modules/proxy/proxy_util.c)

2013-07-08 Thread Stefan Fritsch
On Sun, 7 Jul 2013, j...@apache.org wrote: Author: jim Date: Sun Jul 7 14:05:37 2013 New Revision: 1500437 URL: http://svn.apache.org/r1500437 Log: conf->mutex is not used... Also, ensure that pool use is protected Modified: httpd/httpd/trunk/modules/proxy/proxy_util.c

Re: no error message for failed write in 2.4

2013-07-05 Thread Stefan Fritsch
On Thursday 27 June 2013, Eric Covener wrote: > The venerable INFO level message: core_output_filter: writing data to the network Seems to be gone in 2.4 and not replaced with anything but %X in the access log. Should we be issuing _something_ every time c->aborted is set in

Re: [PATCH] mod_unique_id: use ap_random_insecure_bytes() to get unique ID

2013-07-05 Thread Stefan Fritsch
On Wednesday 26 June 2013, Jan Kaluža wrote: currently mod_unique_id uses apr_gethostname(...) and PID pair as a base to generate unique ID. The way how it's implemented brings some problems: 1. For IPv6-only hosts it uses low-order bits of IPv6 address as if they were unique, which is

Re: [PATCH] mod_unique_id: use ap_random_insecure_bytes() to get unique ID

2013-07-05 Thread Stefan Fritsch
On Wednesday 26 June 2013, Daniel Lescohier wrote: When I looked into the ap random functions, I didn't like the implementation, because I didn't see anywhere in the httpd codebase that entropy is periodically added to the entropy pool. After reading the details of how the Linux entropy pool

Re: svn commit: r1498880 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/http_config.h server/config.c server/core.c

2013-07-03 Thread Stefan Fritsch
On Wed, 3 Jul 2013, Ruediger Pluem wrote: s...@apache.org wrote: Author: sf Date: Tue Jul 2 11:26:41 2013 New Revision: 1498880 URL: http://svn.apache.org/r1498880 Log: Replace pre_htaccess hook with more flexible open_htaccess hook Modified: httpd/httpd/trunk/CHANGES

Re: Revisiting the pre_htaccess hook

2013-06-27 Thread Stefan Fritsch
Jim Jagielski j...@jagunet.com wrote: I like the idea as well... The only issue I see is wondering if/when we'll have the implementation. On Jun 25, 2013, at 9:12 AM, Jeff Trawick traw...@gmail.com wrote: On Sun, Jun 9, 2013 at 5:57 AM, Stefan Fritsch s...@sfritsch.de wrote: Hi, first

Re: looking for luv

2013-06-18 Thread Stefan Fritsch
On Tuesday 18 June 2013, Jim Jagielski wrote: > I will be removing this backport request, but I'd ask sf to actually address his concerns by actually working on the code instead of just blocking it for whatever reason. That's not what I intended. I did not vote -1. The comments were meant to

Re: svn commit: r1492395 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_auth_digest.c

2013-06-14 Thread Stefan Fritsch
On Thursday 13 June 2013, Roy T. Fielding wrote: On Jun 12, 2013, at 12:34 PM, s...@apache.org wrote: Author: sf Date: Wed Jun 12 19:34:19 2013 New Revision: 1492395 URL: http://svn.apache.org/r1492395 Log: Actually use the secret when generating nonces. This change may cause

Re: svn commit: r1492395 - in /httpd/httpd/trunk: CHANGES modules/aaa/mod_auth_digest.c

2013-06-14 Thread Stefan Fritsch
On Friday 14 June 2013, Stefan Fritsch wrote: Using a global pointer to an allocated pool variable is not even remotely safe when that pool gets deallocated. And a routine that gets called within .htaccess files is not an appropriate place to set a server-wide value. It's the process

Re: svn commit: r1493247 - /httpd/httpd/branches/2.4.x/STATUS

2013-06-14 Thread Stefan Fritsch
Hi André, I consider this a new vote and therefore have removed your -1. If you still are -1, please add it to STATUS again. On Friday 14 June 2013, s...@apache.org wrote: Author: sf Date: Fri Jun 14 21:07:19 2013 New Revision: 1493247 URL: http://svn.apache.org/r1493247 Log: update

Re: looking for luv

2013-06-12 Thread Stefan Fritsch
On Wednesday 12 June 2013, Jim Jagielski wrote: > 2 backport proposals looking 4 3vote-luv * skiplist: Add skiplist functionality There doesn't seem to be any user of the skiplist other than register_timed_callback, and there doesn't seem to be any user of register_timed_callback besides

Re: svn commit: r1491612 - /httpd/httpd/branches/2.4.x/STATUS

2013-06-12 Thread Stefan Fritsch
On Tuesday 11 June 2013, André Malo wrote: trunk patch: http://svn.apache.org/r1491155 2.4.x patch: trunk patch works nd: why would you do that in a stable branch? + sf: Because it is only annoying and serves no purpose anymore. If you + want, we can

Re: Apache 2.2 - Change default for SSLCompression to off

2013-06-12 Thread Stefan Fritsch
On Wednesday 12 June 2013, William A. Rowe Jr. wrote: On Wed, 12 Jun 2013 05:41:35 -0700 (PDT) Petr Sumbera petr.sumb...@oracle.com wrote: Hi guys, shouldn't Apache 2.2 contain the same change which went for 2.4? http://svn.apache.org/viewvc?view=revision&revision=1400962 In

Re: Apache 2.2 - Change default for SSLCompression to off

2013-06-12 Thread Stefan Fritsch
On Wednesday 12 June 2013, William A. Rowe Jr. wrote: In fact, the patch's docs text is wrong on the face of it; Enabling compression causes security issues in most setups (the so called +CRIME attack) This is true of specific setups where the user agent simultaneously shares a

Re: Forbid directive in core?

2013-06-10 Thread Stefan Fritsch
On Monday 10 June 2013, Tim Bannister wrote: On 10 Jun 2013, at 15:17, Graham Leggett minf...@sharp.fm wrote: On 10 Jun 2013, at 3:35 PM, Eric Covener cove...@gmail.com wrote: I'd like to add an immutable Forbid directive to the core and use it in some places in the default configuration

Re: Forbid directive in core?

2013-06-10 Thread Stefan Fritsch
On Monday 10 June 2013, Plüm, Rüdiger, Vodafone Group wrote: I'd like to add an immutable Forbid directive to the core and use it in some places in the default configuration instead of require all denied. http://people.apache.org/~covener/forbid.diff This protects from a

Re: Location walk after directory walk?

2013-06-10 Thread Stefan Fritsch
On Monday 10 June 2013, Eric Covener wrote: > Is there some historical or other reason that the location has higher precedence than directory/files? I don't know either, but I could imagine that it was just easier or more efficient to implement in this order, considering things like config walk

Revisiting the pre_htaccess hook

2013-06-09 Thread Stefan Fritsch
Hi, first of all, sorry that it took me so long to review at this. The current pre_access hook is executed before opening the htaccess and then can abort the request with a HTTP error code. Wouldn't a hook for opening the htaccess file make more sense because it would have more possible use

Re: [Vote] Switch mod_lua in 2.4 to CTR

2013-06-09 Thread Stefan Fritsch
On Saturday 08 June 2013, Rainer Jung wrote: I suggest to switch mod_lua in 2.4 to CTR mode. [ ] +1: I support this proposal +1

Re: DOS-Protection: RequestReadTimeout-like option missing

2013-05-11 Thread Stefan Fritsch
On Saturday 11 May 2013, Reindl Harald wrote: > https://issues.apache.org/bugzilla/show_bug.cgi?id=41270 is most likely unrelated to the problem I see, but nobody and nothing needs 30 seconds to complete a TCP connection, most requests including the time of a php-script do not take more than

Re: mod_proxy seg faulting ?

2013-05-06 Thread Stefan Fritsch
On Sat, 4 May 2013, Micha Lenk wrote: I am pretty sure that this is a thread-unsafe pool usage. create_proxy_config() puts the global config pool into (proxy_server_conf)->pool. It is later (during request processing) used all over the place without further locking. This must be a sub-

Re: mod_proxy seg faulting ?

2013-05-06 Thread Stefan Fritsch
On Mon, 6 May 2013, Thomas Eckert wrote: > Based on Stefan's reply I replaced mod_proxy's config pool with a sub-pool and wrapped a mutex around the pool usage. Basic testing went well but I have to do some more thorough parallel testing. Nice. > One thing which had me confused was the

Re: mod_proxy seg faulting ?

2013-05-03 Thread Stefan Fritsch
On Thursday 02 May 2013, Thomas Eckert wrote: > Lately, I've been seeing httpd/mod_proxy seg faulting in reverse proxy setups, frequency increasing. I am pretty sure that this is a thread-unsafe pool usage. create_proxy_config() puts the global config pool into (proxy_server_conf)->pool. It is

Re: URL scanning by bots

2013-05-01 Thread Stefan Fritsch
On Wednesday 01 May 2013, Graham Leggett wrote: Of course it might have an effect - the real important question is will it have a useful effect. A bot that gives up scanning a box that by definition isn't vulnerable to that bot (thus the 404) doesn't achieve anything useful, the bot failed

Re: Interpolating %{variables} in all directives

2013-04-18 Thread Stefan Fritsch
Hi, On Thursday 18 April 2013, Igor Galić wrote: From an IRC conversation in #httpd and #httpd-dev emerged the idea to interpolate %{variables} in all directives. According to sf we have somewhere a ~10 line code fragment which does that without much overhead (not benchmarked) when

Re: svn commit: r1463049 - /httpd/httpd/trunk/modules/aaa/mod_auth_digest.c

2013-03-31 Thread Stefan Fritsch
On Sunday 31 March 2013, Marion Christophe JAILLET wrote: doc also has to be clean the same way. The commit should not cause any user visible change. The relevant config directives errored out with 'not implemented' before the commit and still do. The doc needs some work in any case, though.

Re: svn commit: r1463045 - /httpd/httpd/trunk/modules/aaa/mod_auth_digest.c

2013-03-31 Thread Stefan Fritsch
On Sunday 31 March 2013, Marion Christophe JAILLET wrote: there are 3 similar constructions in server/log.c Thanks. Fixed On 31/03/2013 22:13, s...@apache.org wrote: Author: sf Date: Sun Mar 31 20:13:48 2013 New Revision: 1463045 URL: http://svn.apache.org/r1463045 Log:

Re: [mod_auth_digest] zombie code

2013-03-28 Thread Stefan Fritsch
Hi Pascal, On Tuesday 26 March 2013, Pascal Junod (Mailing Lists) wrote: Dear Apache developers, You might want to clean a bit the code of modules/aaa/mod_auth_digest.c This blog post http://crypto.junod.info/2013/03/25/awakening-zombie-code-in-apache-httpd/ explains why and

Re: mod_proxy_websocket

2013-03-22 Thread Stefan Fritsch
, Jim Jagielski j...@jagunet.com wrote: On Mar 18, 2013, at 4:56 PM, Stefan Fritsch s...@sfritsch.de wrote: Alternatively, mod_reqtimeout could offer an API to allow modules to disable it. But I think that is the worse of the two solutions. Actually, I think that's the most logical

Re: svn commit: r1451478 - /httpd/httpd/trunk/server/util_script.c

2013-03-22 Thread Stefan Fritsch
On Tuesday 19 March 2013, Marion Christophe JAILLET wrote: On 18/03/2013 22:43, Stefan Fritsch wrote: On Thursday 14 March 2013, you wrote: BTW, I tried to activate pool debug with using --enable-pool-debug=all but the server crashes while starting on my test machine. Do

Re: mod_proxy_websocket

2013-03-18 Thread Stefan Fritsch
On Wednesday 06 March 2013, Micha Lenk wrote: However, using mod_websocket from the mentioned Github location, I discovered that it has timeout issues when mod_reqtimeout is loaded too (unless request body timeouts are disabled). Apparently mod_reqtimeout now enforces timeouts in

Re: svn commit: r1458003 - /httpd/httpd/trunk/server/util_expr_eval.c

2013-03-18 Thread Stefan Fritsch
On Monday 18 March 2013, Graham Leggett wrote: This code came from mod_auth_digest, which could probably also be simplified: Done, thanks.

Re: svn commit: r1451478 - /httpd/httpd/trunk/server/util_script.c

2013-03-18 Thread Stefan Fritsch
On Thursday 14 March 2013, you wrote: BTW, I tried to activate pool debug with using --enable-pool-debug=all but the server crashes while starting on my test machine. Do you know if it is supposed to work (and I do something wrong) or no one uses it with httpd ? I am sure that I have used

Re: svn commit: r1451478 - /httpd/httpd/trunk/server/util_script.c

2013-03-13 Thread Stefan Fritsch
Note that there is some macro magic in http_log.h that does this automatically on C99 compilers. There is nothing wrong with doing the check explicitly, and it is definitely a good idea if the saved function call is very expensive. But in general other improvements may have more impact and

Re: svn commit: r1455225 - in /httpd/httpd/branches/2.4.x: ./ docs/manual/ docs/manual/howto/ docs/manual/mod/ include/ modules/filters/ modules/generators/ modules/slotmem/ os/unix/ server/ support/

2013-03-12 Thread Stefan Fritsch
On Monday 11 March 2013, Marion Christophe JAILLET wrote: AFAIK, __attribute__ is gcc specific. What about non-gcc compilers? What might be a consequence of a compiler ignoring it (as MSVC does), or will it break any other non-gcc compilers? Gregg I proposed it because there

Re: Proposed Lua backport for 2.4

2013-03-08 Thread Stefan Fritsch
On Fri, 8 Mar 2013, Daniel Gruno wrote: On 03/08/2013 08:22 PM, Jim Jagielski wrote: From what I can see, that's exactly what it does... I plan on testing this weekend. Daniel, do you have any testing suites you use? I have some additions to the Perl framework we use, but that's mostly for

Re: Question about APR_BRIGADE_INSERT_TAIL usage

2013-03-03 Thread Stefan Fritsch
On Tuesday 26 February 2013, Christophe JAILLET wrote: My understanding is that: - apr_brigade_[putc|puts|write...] try to reuse last bucket if possible, avoiding memory allocation - if needed (not enough space available, not allowed to write in the last bucket), it creates a heap

apr_password_validate (was: [VOTE] Release Apache httpd 2.4.4 as GA)

2013-02-20 Thread Stefan Fritsch
[moving to dev@apr, please remove dev@httpd when replying] On Wednesday 20 February 2013, Noel Butler wrote: On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote: Which remains my point... our current 2.4 and 2.2 candidates should suffer the same flaw. Confirmed, 2.2 candidate
