Re: [RESULT][VOTE] Release httpd-2.4.39

2019-04-02 Thread Niklas Edmundsson

On Sat, 30 Mar 2019, Daniel Ruggeri wrote:


Hi, all;
   I am pleased to report that the vote has PASSED with the following
recorded votes:
+1: jorton, icing, jim, ylavic, covener, rjung, druggeri
+0: cjaillet (apparent test system issue)

Thanks to everyone who took the time to test and vote as well as the
work that went into the release itself!
I shall forthwith begin the distribution of the release tarball to the
mirrors.


Thanks for RM:ing.

A nitpick for a future release: Review the CHANGES files (I'm looking 
at http://www.apache.org/dist/httpd/CHANGES_2.4.39), the comments at 
the bottom wrt:


[Apache 2.3.0-dev includes those bug fixes and changes with the Apache 
2.2.xx tree as documented, and except as noted, below.]


are a bit confusing since we're at 2.4.x now, but there are no links 
to the 2.4.x full changelog.


For the 2.4.version-only changelog a referral to the complete 2.4 
changelog would also make sense.



/Nikke
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 Niklas Edmundsson, Admin @ {acc,hpc2n}.umu.se  | ni...@acc.umu.se
---
 There's something you don't see every day. Unless you're us. - Xander
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


re: svn commit: r33393 - /release/httpd/CHANGES_2.4

2019-04-02 Thread Daniel Ruggeri
The announcement message was also rejected by moderators because we don't have 
KEYS directly linked on the download page.

I will correct both (about three hrs from now) and reattempt announcement.
-- 
Daniel Ruggeri

On April 2, 2019 1:01:31 AM CDT, Marion et Christophe JAILLET wrote:
>Hi,
>
>CHANGES_2.4 has been updated with the SECURITY tags and is available
>from httpd.a.o.
>
>However, http://www.apache.org/dist/httpd/CHANGES_2.4.39 still reflects
>the file without these SECURITY items.
>
>I won't be able to update it before Friday, so feel free to fix it in
>the meantime.
>
>CJ
>
>> Message of 02/04/19 03:04
>> From: drugg...@apache.org
>> To: c...@httpd.apache.org
>> Cc: 
>> Subject: svn commit: r33393 - /release/httpd/CHANGES_2.4
>> 
>> Author: druggeri
>> Date: Tue Apr 2 01:04:50 2019
>> New Revision: 33393
>> 
>> Log:
>> Correct changelog for vulnerabilities
>> 
>> Modified:
>> release/httpd/CHANGES_2.4
>> 
>> Modified: release/httpd/CHANGES_2.4
>>
>==
>> --- release/httpd/CHANGES_2.4 (original)
>> +++ release/httpd/CHANGES_2.4 Tue Apr 2 01:04:50 2019
>> @@ -1,13 +1,50 @@
>> -*- coding: utf-8 -*-
>> Changes with Apache 2.4.39
>> + *) SECURITY: CVE-2019-0197 (cve.mitre.org)
>> + mod_http2: fixes a possible crash when HTTP/2 was enabled for a
>http:
>> + host or H2Upgrade was enabled for h2 on a https: host. An Upgrade
>> + request from http/1.1 to http/2 that was not the first request on a
>> + connection could lead to a misconfiguration and crash. Servers that
>> + never enabled the h2 protocol or only enabled it for https: and
>> + did not set "H2Upgrade on" are unaffected by this issue.
>> + [Stefan Eissing]
>> +
>> + *) SECURITY: CVE-2019-0196 (cve.mitre.org)
>> + mod_http2: using fuzzed network input, the http/2 request
>> + handling could be made to access freed memory in string
>> + comparision when determining the method of a request and
>> + thus process the request incorrectly. [Stefan Eissing]
>> +
>> + *) SECURITY: CVE-2019-0211 (cve.mitre.org)
>> + MPMs unix: Fix a local priviledge escalation vulnerability by not
>> + maintaining each child's listener bucket number in the scoreboard,
>> + preventing unprivileged code like scripts run by/on the server
>(e.g. via
>> + mod_php) from modifying it persistently to abuse the priviledged
>main
>> + process. [Charles Fol , Yann Ylavic]
>> +
>> + *) SECURITY: CVE-2019-0196 (cve.mitre.org)
>> + mod_http2: using fuzzed network input, the http/2 request
>> + handling could be made to access freed memory in string
>> + comparision when determining the method of a request and
>> + thus process the request incorrectly. [Stefan Eissing]
>> +
>> + *) SECURITY: CVE-2019-0217 (cve.mitre.org)
>> + mod_auth_digest: Fix a race condition checking user credentials
>which
>> + could allow a user with valid credentials to impersonate another,
>> + under a threaded MPM. PR 63124. [Simon Kappel ]
>> +
>> + *) SECURITY: CVE-2019-0215 (cve.mitre.org)
>> + mod_ssl: Fix access control bypass for per-location/per-dir client
>> + certificate verification in TLSv1.3.
>> +
>> + *) SECURITY: CVE-2019-0220 (cve.mitre.org)
>> + Merge consecutive slashes in URL's. Opt-out with
>> + `MergeSlashes OFF`. [Eric Covener]
>> 
>> *) mod_proxy/ssl: Cleanup per-request SSL configuration anytime a
>backend
>> connection is recycled/reused to avoid a possible crash with some
>SSLProxy
>> configurations in or context. PR 63256. [Yann Ylavic]
>> 
>> - *) mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA
>failure.
>> - [Michael Kaufmann ]
>> -
>> *) mod_log_config: Support %{c}h for conn-hostname, %h for
>useragent_host
>> PR 55348
>> 
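Review bot: the CVE-2019-0196 entry is added twice in this hunk (once directly after CVE-2019-0197 and again after CVE-2019-0211, with identical text), so one copy should be dropped before the file is redistributed. The new text also carries spelling slips worth fixing while the file is being touched: "comparision" in the CVE-2019-0196 entry, "priviledge" and "priviledged" in the CVE-2019-0211 entry, and "URL's" in the CVE-2019-0220 entry should read "URLs". Finally, the CVE-2019-0215 entry replaces the removed mod_ssl line "Correctly restore SSL verify state after TLSv1.3 PHA failure. [Michael Kaufmann]" but is the only SECURITY entry without an attribution; the credit from the removed line should be carried over.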
>> @@ -59,13 +96,6 @@ Changes with Apache 2.4.39
>> *) mod_cache_socache: Avoid reallocations and be safe with outgoing
>data
>> lifetime. [Yann Ylavic]
>> 
>> - *) MPMs unix: bind the bucket number of each child to its slot
>number, for a
>> - more efficient per bucket maintenance. [Yann Ylavic]
>> -
>> - *) mod_auth_digest: Fix a race condition. Authentication with valid
>> - credentials could be refused in case of concurrent accesses from
>> - different users. PR 63124. [Simon Kappel ]
>> -
>> *) mod_http2: enable re-use of slave connections again. Fixed slave
>connection
>> keepalives counter. [Stefan Eissing]
>> 
>> 
>> 
>>
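Review bot: the two entries removed here (the MPMs unix bucket-number change and the mod_auth_digest race, PR 63124) are the ones re-added under SECURITY as CVE-2019-0211 and CVE-2019-0217 in the first hunk, so the move itself is consistent. Note that the mod_auth_digest wording changes from credentials that "could be refused" to a user who "could impersonate another", i.e. the original entry understated the impact; that is the reason for the SECURITY tag and is worth a sentence in the announcement so readers of earlier copies of CHANGES_2.4 do not dismiss it as a reliability fix.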


Re: svn commit: r33392 - in /release/httpd: Announcement2.4.html Announcement2.4.txt CURRENT-IS-2.4.38 CURRENT-IS-2.4.39

2019-04-02 Thread Ruediger Pluem



On 04/02/2019 08:14 AM, Ruediger Pluem wrote:
> 
> 
> On 04/02/2019 02:54 AM, drugg...@apache.org wrote:
>> Author: druggeri
>> Date: Tue Apr  2 00:54:25 2019
>> New Revision: 33392
>>
>> Log:
>> Updates for announcement of 2.4.39
>>
>> Added:
>> release/httpd/CURRENT-IS-2.4.39
>> Removed:
>> release/httpd/CURRENT-IS-2.4.38
>> Modified:
>> release/httpd/Announcement2.4.html
>> release/httpd/Announcement2.4.txt
>>
>> Modified: release/httpd/Announcement2.4.html
>> ==
>> --- release/httpd/Announcement2.4.html (original)
>> +++ release/httpd/Announcement2.4.html Tue Apr  2 00:54:25 2019
>> @@ -52,7 +52,7 @@
>> Apache HTTP Server 2.4.39 Released
>>  
>>  
>> -   September 21, 2018
>> +   April 01, 2019
>>  
>>  
>> The Apache Software Foundation and the Apache HTTP Server Project are
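Review bot: the release date is changed to "April 01, 2019" while the commit itself is dated Tue Apr 2 00:54:25 2019; confirm that 1 April is the intended announcement date rather than an off-by-one, since the published date is what downstream trackers will record for the security fixes in this release.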
>> @@ -62,7 +62,7 @@
>> release of the new generation 2.4.x branch of Apache HTTPD and
>> represents fifteen years of innovation by the project, and is
>> recommended over all previous releases. This release of Apache is
>> -   a feature and bug fix release.
>> +   a bug fix release.
> 
> a security and bug fix release ?

I see: Already fixed in r33394 :-).

Regards

Rüdiger