Bug report for Apache httpd-2 [2019/03/03]

2019-03-02 Thread bugzilla
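+---------------------------------------------------------------------------+
| Bugzilla Bug ID                                                           |
|     +---------------------------------------------------------------------+
|     | Status: UNC=Unconfirmed NEW=New         ASS=Assigned                |
|     |         OPN=Reopened    VER=Verified    (Skipped Closed/Resolved)   |
|     |   +-----------------------------------------------------------------+
|     |   | Severity: BLK=Blocker CRI=Critical  REG=Regression  MAJ=Major   |
|     |   |           MIN=Minor   NOR=Normal    ENH=Enhancement TRV=Trivial |
|     |   |   +-------------------------------------------------------------+
|     |   |   | Date Posted                                                 |
|     |   |   |          +--------------------------------------------------+
|     |   |   |          | Description                                      |
|     |   |   |          |                                                  |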
|10747|New|Maj|2002-07-12|ftp SIZE command and 'smart' ftp servers results i|
|11580|Opn|Enh|2002-08-09|generate Content-Location headers |
|12033|Opn|Nor|2002-08-26|Graceful restart immediately result in [warn] long|
|13661|Ass|Enh|2002-10-15|Apache cannot not handle dynamic IP reallocation  |
|14104|Opn|Enh|2002-10-30|not documented: must restart server to load new CR|
|16811|Ass|Maj|2003-02-05|mod_autoindex always return webpages in UTF-8.|
|17244|Ass|Nor|2003-02-20|./configure --help gives false information regardi|
|17497|Opn|Nor|2003-02-27|mod_mime_magic generates incorrect response header|
|20036|Ass|Nor|2003-05-19|Trailing Dots stripped from PATH_INFO environment |
|21260|Opn|Nor|2003-07-02|CacheMaxExpire directive not enforced !   |
|21533|Ass|Cri|2003-07-11|Multiple levels of htacces files can cause mod_aut|
|22484|Opn|Maj|2003-08-16|semaphore problem takes httpd down|
|22686|Opn|Nor|2003-08-25|ab: apr_poll: The timeout specified has expired (7|
|22898|Opn|Nor|2003-09-02|nph scripts with two HTTP header  |
|23911|Opn|Cri|2003-10-18|CGI processes left defunct/zombie under 2.0.54|
|24095|Opn|Cri|2003-10-24|ERROR "Parent: child process exited with status 32|
|24437|Opn|Nor|2003-11-05|mod_auth_ldap doubly-escapes backslash (\) charact|
|24890|Opn|Nor|2003-11-21|Apache config parser should not be local aware ( g|
|25469|Opn|Enh|2003-12-12|create AuthRoot for defining paths to auth files  |
|25484|Ass|Nor|2003-12-12|Non-service Apache cannot be stopped in WinXP |
|26153|Opn|Cri|2004-01-15|Apache cygwin directory traversal vulnerability   |
|27257|Ass|Enh|2004-02-26|rotatelogs with getopt and setuid |
|27715|Ass|Enh|2004-03-16|Client sending misformed Range "bytes = 0-100" ins|
|29090|Ass|Enh|2004-05-19|MultiviewsMatch NegotiatedOnly extensions not resp|
|29510|Ass|Enh|2004-06-10|ab does not support multiple cookies  |
|29644|Ver|Nor|2004-06-17|mod_proxy keeps downloading even after the client |
|30259|Ass|Enh|2004-07-22|When proxy connects to backend, a DNS lookup is do|
|30505|Ass|Enh|2004-08-05|Apache uses 'Error', and not lower level event typ|
|31302|Opn|Cri|2004-09-19|suexec doesn't execute commands if they're not in |
|31352|Ass|Enh|2004-09-21|RFE, Bind to LDAP server with browser supplier use|
|31418|Opn|Nor|2004-09-25|SSLUserName is not usable by other modules|
|32328|Opn|Enh|2004-11-19|Make mod_rewrite escaping optional / expose intern|
|32750|Ass|Maj|2004-12-17|mod_proxy + Win32DisableAcceptEx = memory leak|
|33089|New|Nor|2005-01-13|mod_include: Options +Includes (or IncludesNoExec)|
|33207|Opn|Nor|2005-01-23|Results of my suexec.c code audit |
|34270|Inf|Nor|2005-04-01|Large POSTs over SSL from Internet Explorer do not|
|34519|New|Enh|2005-04-19|Directory index should emit valid XHTML   |
|35098|Ver|Maj|2005-05-27|Install fails using --prefix  |
|35652|Opn|Min|2005-07-07|Improve error message: "pcfg_openfile: unable to c|
|35768|Ver|Nor|2005-07-17|Missing file logs at far too high of log level|
|36636|Opn|Maj|2005-09-13|database write lock taken for PROPFIND operations |
|36676|New|Nor|2005-09-15|time() bug in httpd/os/win32/util_win32.c:wait_for|
|36710|Opn|Blk|2005-09-19|CGI output not captured   |
|37290|Opn|Min|2005-10-28|DirectoryIndex don't work in scriptaliased directo|
|37355|Opn|Enh|2005-11-04|Allow to specify Proxy-Authorization in ProxyRemot|
|37564|New|Enh|2005-11-19|Suggestion: mod_suexec SuexecUserGroup directive i|
|38325|Opn|Nor|2006-01-20|impossible to determine AUTH_TYPE of interpreted r|
|38571|New|Enh|2006-02-08|CustomLog directive checked by apachectl configtes|
|38995|New|Nor|2006-03-16|httpd tries to communicate with the CGI daemon eve|
|39275|Opn|Nor|2006-04-11|slow child_init causes MaxClients warning |
|39287|New|Nor|2006-04-12|Incorrect If-Modified-Since validation (due to syn|

buildbot success in on httpd-trunk

2019-03-02 Thread buildbot
The Buildbot has detected a restored build on builder httpd-trunk while 
building . Full details are available at:
https://ci.apache.org/builders/httpd-trunk/builds/3287

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: bb_slave6_ubuntu

Build Reason: The Nightly scheduler named 'httpd-trunk-nightly-clean' triggered 
this build
Build Source Stamp: [branch httpd/httpd/trunk] HEAD
Blamelist: 

Build succeeded!

Sincerely,
 -The Buildbot

buildbot failure in on httpd-trunk

2019-03-02 Thread buildbot
The Buildbot has detected a new failure on builder httpd-trunk while building . 
Full details are available at:
https://ci.apache.org/builders/httpd-trunk/builds/3286

Buildbot URL: https://ci.apache.org/

Buildslave for this Build: bb_slave6_ubuntu

Build Reason: The Nightly scheduler named 'httpd-trunk-nightly-clean' triggered 
this build
Build Source Stamp: [branch httpd/httpd/trunk] HEAD
Blamelist: 

BUILD FAILED: failed

Sincerely,
 -The Buildbot

Re: Incomplete communications of OpenSSL 1.1.1 compatibility?

2019-03-02 Thread Daniel Ruggeri
Updated in r1854645 and published to the site. I made a slight
modification to the line I suggested yesterday to note that TLS 1.3 also
requires openssl-1.1.1, too.

I've also purged the old release from dist in r32727.

Thanks for the pointers. Have a great weekend!

-- 
Daniel Ruggeri

On 3/1/2019 6:50 AM, Daniel Ruggeri wrote:
> Hi, Bill;
> This is a good observation. I think we should add the line, "Apache
> httpd-2.4.38 or later is required in order to operate a TLS 1.3 web
> server." to the landing page. This is technically noted in the
> changelog, but the visibility of this fact should be improved because
> it is an important feature.
>
> I will update the landing page and remove .37 from dist later today or
> tomorrow morning at the latest (unless someone beats me to it).
> -- 
> Daniel Ruggeri
>
> On February 28, 2019 1:05:40 PM CST, William A Rowe Jr wrote:
>
> I was just updating PR 63212 and could not point the user at a
> top-level, definitive statement that they were trying to
> accomplish something very unwise and which they should have known
> better. Apparently there are few sources of this information. From
> http://httpd.apache.org/ ...
>
>
>   Apache httpd 2.4.38 Released 2019-01-22
>
> The Apache Software Foundation and the Apache HTTP Server Project
> are pleased to announce the release of version 2.4.38 of the Apache
> HTTP Server ("httpd").
>
> This latest release from the 2.4.x stable branch represents the
> best available version of Apache HTTP Server.
>
>
> This seems to be somewhat unhelpful from a top-level knowledge
> point of view, it doesn't indicate that they should choose 2.4.38
> over 2.4.37 for any particular reason, or that they would *need*
> to choose 2.4.38 if they wished to have a server running against
> OpenSSL 1.1.1 and later.
>
> Is there a way to improve communication of "do not use" guidance,
> outside of information at
> http://httpd.apache.org/security/vulnerabilities_24.html nested
> two-clicks deep?
>
> I do not see such guidance at http://www.apache.org/dist/httpd/
> either, the Announcement does not suggest anything. Also finding
> the offending 2.4.37 release still available for download (surely
> just an oversight.)
>
> Note PR 63212 may be entirely specific to AIX, and may be a side
> effect of build schema changes of OpenSSL 1.1.1 itself. Sorry I no
> longer have the hardware to explore such issues.
>
>