Hi, Bill;
   I wondered about this myself. I agree that we allow for ambiguity
when we say an issue is fixed in 2.4.44 and 2.4.45 (which weren't
released). Perhaps we should just bump the 'fixed' version up to the
released version... but then we should also add to the 'affected'
versions the version numbers we burned during QA. That's odd, too,
because we didn't release those versions so they aren't really 'affected'.

   I could go either way... the vulnerability reporting is enough "after
work" for a release that makes it a prime candidate for processing it
with announce.sh, so I'm happy to encode whatever we consider the best
way forward into that script.

-- 
Daniel Ruggeri

On 8/7/2020 8:56 AM, William A Rowe Jr wrote:
> Following the announcement link, it isn't clear that 
>
> https://httpd.apache.org/security/vulnerabilities_24.html 
>
> fixes issues in 2.4.46.
>
> Should the fixed-in be promoted to the revision of Apache HTTP Server
> actually published (released) by the project? It almost reads like
> "fixed in 2.4.46-dev" (which 0-day disclosures are described as, until
> a release is actually published.)
>
> On Wed, Aug 5, 2020 at 6:32 AM Daniel Ruggeri <dan...@bitnebula.com
> <mailto:dan...@bitnebula.com>> wrote:
>
>     Hi, all;
>
>        With 12 binding PMC +1 votes, two additional +1 votes from the
>     community, and no -1 votes, I'm pleased to report that the vote has
>     PASSED to release 2.4.46. I will begin the process of pushing to the
>     distribution mirrors which should enable us for a Friday
>     announcement - a great way to wrap up the week!
>
>     Here are the votes I recorded during the thread:
>     PMC
>     jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
>     gbechis, gsmith, druggeri, jblond, rjung
>
>     Community
>     Noel Butler, wrowe
>
>     -- 
>     Daniel Ruggeri
>
>     On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
>     > Hi, all;
>     >    Third time is a charm! Please find below the proposed release
>     > tarball and signatures:
>     > https://dist.apache.org/repos/dist/dev/httpd/
>     >
>     > I would like to call a VOTE over the next few days to release this
>     > candidate tarball as 2.4.46:
>     > [ ] +1: It's not just good, it's good enough!
>     > [ ] +0: Let's have a talk.
>     > [ ] -1: There's trouble in paradise. Here's what's wrong.
>     >
>     > The computed digests of the tarball up for vote are:
>     > sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
>     > sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2 *httpd-2.4.46.tar.gz
>     > sha512: 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15 *httpd-2.4.46.tar.gz
>     >
>     > The SVN tag is '2.4.46' at r1880505.
>     >
>
