Re: [VOTE] Release Apache httpd 2.4.20 as GA

2016-04-04 Thread Jacob Perkins
Not a voter, but I wanted to send along our results.

> [X ] +1: Good to go

CentOS 6 32/64bit
CentOS 7 64bit

—
Jacob Perkins
Product Owner
cPanel Inc.

jacob.perk...@cpanel.net 
Office:  713-529-0800 x 4046
Cell:  713-560-8655

> On Apr 4, 2016, at 11:20 AM, Jim Jagielski  wrote:
> 
> The pre-release test tarballs for Apache httpd 2.4.20 can be found
> at the usual place:
> 
>   http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.20 GA.
> 
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
> 
> Vote will last the normal 72 hrs.
> 
> NOTE: The *-deps are only there for convenience.
> 
> Thx!





Re: [VOTE] Release Apache httpd 2.4.20 as GA

2016-04-04 Thread olli hauer
On 2016-04-04 18:20, Jim Jagielski wrote:
> The pre-release test tarballs for Apache httpd 2.4.20 can be found
> at the usual place:
> 
>   http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.20 GA.
> 
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
> 
> Vote will last the normal 72 hrs.
> 
> NOTE: The *-deps are only there for convenience.
> 
> Thx!
> 

+1

Build OK on
- FreeBSD 9.3 (64bit)
- FreeBSD 10.x (32/64bit)

Until now 2.4 r1737255 and later r1737466 were running on ~20 systems and I
haven't received any complaints from users.

-- 
olli


Re: Feedback needed: suexec different-owner patch

2016-04-04 Thread Jacob Champion
On 04/02/2016 12:56 PM, Stefan Fritsch wrote:
> If suexec allowed to suid to a user different than the owner of a 
> script, on that server it would allow any local user to execute any 
> script as any other user. Even if suexec checked that the script is 
> owned by a special "trusted" user, it would still allow to execute 
> that script as any user, without any "opt-in" necessary by the target 
> user.

Ah, this finally made it click for me.

In the case where only the trusted-owner CGI script is compromised (e.g.
an arbitrary code execution vuln), this proposal makes things better,
since the attacker can at least be denied access to the disk. But if
httpd is compromised, it makes things worse, since the attacker can now
run the trusted-owner script as any non-system user. And if both httpd
and the trusted-owner script are compromised, this proposal makes things
*much* worse: an attacker can now run arbitrary code as any non-system user.

Thanks for your feedback on this. Your xattrs suggestion seems like it
might solve the two negative cases, but it uses a much more obscure
(IMO) mechanism to operate... Likewise, having suexec parse a separate
configuration file seems like a lot of complexity to add.

> BTW, using the immutable flag (which can only be done by root) on the 
> scripts is a work-around for your problem that does not involve 
> modifying suexec.

Good point, though I don't think it can be used for the proposed use
case (which was for the trusted user to be able to regularly maintain
the scripts).

--Jacob
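The ownership rule Stefan describes (the script must be owned by the user it is to run as, so ownership is the target user's opt-in) can be seen in a small check like the one below. This is an added illustration written for this archive, not code from httpd's suexec.c; the enum names, the demo helpers and the /tmp paths are constructed for the example. It also shows why the check should use lstat and reject setuid bits and group/world-writable files, which is the surrounding hardening the same rule relies on.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Result codes for the ownership check (names constructed for this example). */
enum owner_check {
    OWNER_OK = 0,
    OWNER_ERR_STAT,        /* file could not be inspected */
    OWNER_ERR_NOT_REGULAR, /* symlink, directory, device, ... */
    OWNER_ERR_SETID,       /* setuid/setgid bit set on the script */
    OWNER_ERR_WRITABLE,    /* group- or world-writable */
    OWNER_ERR_UID,         /* owner uid differs from the target uid */
    OWNER_ERR_GID          /* owner gid differs from the target gid */
};

/*
 * The rule under discussion: a script may only run as (target_uid, target_gid)
 * if that user owns it. Ownership is the target user's opt-in; relaxing the
 * uid comparison to "some trusted owner" is what removes that opt-in.
 * Illustrative code, not httpd's suexec.c.
 */
enum owner_check suexec_owner_check(const char *path, uid_t target_uid,
                                    gid_t target_gid)
{
    struct stat st;

    /* lstat: a symlink into someone else's directory must not be followed */
    if (lstat(path, &st) != 0)
        return OWNER_ERR_STAT;
    if (!S_ISREG(st.st_mode))
        return OWNER_ERR_NOT_REGULAR;
    if (st.st_mode & (S_ISUID | S_ISGID))
        return OWNER_ERR_SETID;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return OWNER_ERR_WRITABLE;
    if (st.st_uid != target_uid)
        return OWNER_ERR_UID;
    if (st.st_gid != target_gid)
        return OWNER_ERR_GID;
    return OWNER_OK;
}

/*
 * Demo helper: create a temporary "script" owned by the caller with the given
 * mode, then check it against its real owner or (use_other_uid != 0) against a
 * different uid, i.e. the "run as some other user" case. Returns the check
 * result, or -1 if the temporary file could not be set up.
 */
int demo_check(mode_t mode, int use_other_uid)
{
    char path[] = "/tmp/suexec_demo_XXXXXX";   /* constructed test path */
    struct stat st;
    int fd, rc;

    fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0 || fstat(fd, &st) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    rc = suexec_owner_check(path, use_other_uid ? st.st_uid + 1 : st.st_uid,
                            st.st_gid);
    unlink(path);
    return rc;
}

/* Demo helper: a symlink to a correctly owned script is still rejected. */
int demo_symlink_check(void)
{
    char target[] = "/tmp/suexec_demo_XXXXXX";  /* constructed test path */
    char link[64];
    struct stat st;
    int fd, rc;

    fd = mkstemp(target);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0700) != 0 || fstat(fd, &st) != 0) {
        close(fd);
        unlink(target);
        return -1;
    }
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", target);
    if (symlink(target, link) != 0) {
        unlink(target);
        return -1;
    }
    rc = suexec_owner_check(link, st.st_uid, st.st_gid);
    unlink(link);
    unlink(target);
    return rc;
}

int main(void)
{
    printf("owned, mode 0700      -> %d\n", demo_check(0700, 0));
    printf("owned, mode 0775      -> %d\n", demo_check(0775, 0));
    printf("owned, mode 04700     -> %d\n", demo_check(04700, 0));
    printf("other uid, mode 0700  -> %d\n", demo_check(0700, 1));
    printf("symlink to owned file -> %d\n", demo_symlink_check());
    return 0;
}
```

The uid comparison is the line the thread is about: as long as it compares against the uid the script will run as, only the owner can cause code to run under their account, and neither a compromised httpd nor a compromised "trusted" script gains the ability to pick a different victim user. The other checks exist so that the ownership test cannot be bypassed through a symlink, a setuid bit or a file another user can overwrite.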


Re: [VOTE] Release Apache httpd 2.4.20 as GA

2016-04-04 Thread Jim Jagielski
+1 on:

  o OS X 10.11.4, Xcode 7.3, 64bit
  o CentOS 6, 64bit
  o CentOS 7, 64bit
  o Ubuntu 15.10, 64bit
  o Fedora 23, 64bit

Event and Prefork, http/2, Lua, OpenSSL 1.0.2g

> On Apr 4, 2016, at 12:20 PM, Jim Jagielski  wrote:
> 
> The pre-release test tarballs for Apache httpd 2.4.20 can be found
> at the usual place:
> 
>   http://httpd.apache.org/dev/dist/
> 
> I'm calling a VOTE on releasing these as Apache httpd 2.4.20 GA.
> 
> [ ] +1: Good to go
> [ ] +0: meh
> [ ] -1: Danger Will Robinson. And why.
> 
> Vote will last the normal 72 hrs.
> 
> NOTE: The *-deps are only there for convenience.
> 
> Thx!



[VOTE] Release Apache httpd 2.4.20 as GA

2016-04-04 Thread Jim Jagielski
The pre-release test tarballs for Apache httpd 2.4.20 can be found
at the usual place:

http://httpd.apache.org/dev/dist/

I'm calling a VOTE on releasing these as Apache httpd 2.4.20 GA.

[ ] +1: Good to go
[ ] +0: meh
[ ] -1: Danger Will Robinson. And why.

Vote will last the normal 72 hrs.

NOTE: The *-deps are only there for convenience.

Thx!


Re: NOTICE: T&R of 2.4.20 on April 4 ~noon eastern

2016-04-04 Thread Stefan Eissing
Thanks Steffen! At least I seem not to wreck the Windows build this time...

-Stefan

> On 03.04.2016 at 14:34, Steffen wrote:
> 
> Just build and run Windows from Branches/2.4.x ,  looks fine here.
> 
> Steffen
> 
> -----Original Message-----
> From: Jim Jagielski
> Sent: Sunday, April 3, 2016 1:58 PM
> To: httpd
> Subject: NOTICE: T&R of 2.4.20 on April 4 ~noon eastern
> 
> Subj kinda sez it all...