RE: [ANNOUNCEMENT] Apache HTTP Server 2.4.59 Released

2024-04-04 Thread BUSH Steve via dev
Hi Eric,

Just an FYI: The https://httpd.apache.org/security/vulnerabilities_24.html file 
is missing.

https://httpd.apache.org/security/

Thanks,
Steve Bush

From: covener 
Sent: Thursday, April 4, 2024 6:54 AM
To: annou...@httpd.apache.org
Subject: [ANNOUNCEMENT] Apache HTTP Server 2.4.59 Released

Apache HTTP Server 2.4.59 Released

   April 04, 2024

   The Apache Software Foundation and the Apache HTTP Server Project
   are pleased to announce the release of version 2.4.59 of the Apache
   HTTP Server ("Apache").  This version of Apache is our latest GA
   release of the new generation 2.4.x branch of Apache HTTPD and
   represents fifteen years of innovation by the project, and is
   recommended over all previous releases. This release of Apache is
   a security, feature and bug fix release.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.4.59 is available for download from:

     https://httpd.apache.org/download.cgi

   Apache 2.4 offers numerous enhancements, improvements, and performance
   boosts over the 2.2 codebase.  For an overview of new features
   introduced since 2.4 please see:

     https://httpd.apache.org/docs/trunk/new_features_2_4.html

   Please see the CHANGES_2.4 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.4.59 includes only
   those changes introduced since the prior 2.4 release.  A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available:

     https://httpd.apache.org/security/vulnerabilities_24.html

   This release requires the Apache Portable Runtime (APR), minimum
   version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
   require the 1.6.x version of both APR and APR-Util. The APR libraries
   must be upgraded for all features of httpd to operate correctly.

   This release builds on and extends the Apache 2.2 API.  Modules written
   for Apache 2.2 will need to be recompiled in order to run with Apache
   2.4, and require minimal or no source code changes.

     https://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.

   Please note the 2.2.x branch has now passed the end of life at the Apache
   HTTP Server project and no further activity will occur including security
   patches.  Users must promptly complete their transitions to this 2.4.x
   release of httpd to benefit from further bug fixes or new features.





This email and any attachments are intended solely for the use of the 
individual or entity to whom it is addressed and may be confidential and/or 
privileged.

If you are not one of the named recipients or have received this email in error,

(i) you should not read, disclose, or copy it,

(ii) please notify sender of your receipt by reply email and delete this email 
and all attachments,

(iii) Dassault Systèmes does not accept or assume any liability or 
responsibility for any use of or reliance on this email.

RE: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-10 Thread BUSH Steve
I just downloaded the apache 2.4.57 source code and am attempting to compile on 
Windows; mod_rewrite.c fails with this error:

mod_rewrite.c
mod_rewrite.c(109): fatal error C1083: Cannot open include file: 'test_char.h': 
No such file or directory
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Professional\VC\Tools\MSVC\14.28.29910\bin\HostX64\x64\cl.exe"' : 
return code '0x2'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Professional\VC\Tools\MSVC\14.28.29910\bin\HostX64\x64\nmake.exe"' 
: return code '0x2'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Professional\VC\Tools\MSVC\14.28.29910\bin\HostX64\x64\nmake.exe"' 
: return code '0x2'
Stop.


Looking at the comparison between mod_rewrite.c in 2.4.56 and 2.4.57, this line 
was added to 2.4.57:
#include "mod_rewrite.h"
#include "ap_expr.h"

#include "test_char.h"

Looking in the build tree, test_char.h is located in server/test_char.h, but 
the build settings are not picking it up.

I build with
nmake /f Makefile.win installr XML_PARSER="libexpat"

I fixed it for my local build by editing modules/mapper/mod_rewrite.mak and 
updating the CPP_PROJ= lines to include the following highlighted additions:
CPP_PROJ=/nologo /MD /W3 /Zi /O2 /Oy- /I "../../include" /I "../../server" /I 
"../database" /I "../ssl" /I "../../srclib/apr/include" /I 
"../../srclib/apr-util/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" 
/Fo"$(INTDIR)\\" /Fd"$(INTDIR)\mod_rewrite_src" /FD /c
and
CPP_PROJ=/nologo /MDd /W3 /Zi /Od /I "../../include" /I 
"../../server" /I "../database" /I "../ssl" /I "../../srclib/apr/include" /I 
"../../srclib/apr-util/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" 
/Fo"$(INTDIR)\\" /Fd"$(INTDIR)\mod_rewrite_src" /FD /EHsc /c

Steve



From: Eric Covener 
Sent: Wednesday, April 5, 2023 12:05 PM
To: Apache HTTP Server Development List 
Subject: Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57


On Sun, Apr 2, 2023 at 12:10 PM Eric Covener <cove...@gmail.com> wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45 *httpd-2.4.57-rc1.tar.gz
> sha512: 730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4 *httpd-2.4.57-rc1.tar.gz
>
> The SVN candidate source is found at tags/2.4.57-rc1-candidate.

Vote passes with many binding +1 and no negative votes:
+1: covener, rpluem, steffenal, gbechis, jorton, jailletc36, ylavic

I will finalize some time over the next day or two.

--
Eric Covener
cove...@gmail.com


Please be informed that your personal data are processed according to our data 
privacy policy as described on our website. Should you have any questions 
related to personal data protection, please contact 3DS Data Protection Officer 
https://www.3ds.com/privacy-policy/contact/



RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread BUSH Steve
>> Maybe we can slip an additional entry into the changelog.
>> I think in this case, for now at least, we'd primarily rely on the error_log 
>> entry. Did this produce the new AH10410?

Yes, the error log did include the AH10410 message.

URL encoding the spaces either as \%20 (path or query string) or + (query 
string) does eliminate the problem for our mappings.

From: Eric Covener 
Sent: Wednesday, March 8, 2023 8:31 PM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <steven.b...@3ds.com> wrote:
> Correction!
> I used our test template for the rule when I e-mailed just now, but once it is 
> converted to the apache httpd.conf format, the actual rule appears in the 
> httpd.conf as:
> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
> Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Thanks for the report.   Time will tell, but I think this is a very fringe 
case. The space isn't a backreference (where `B` would have fixed it) and a 
literal with a space in the substitution has to be quite rare (famous last 
words)

> I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and 
> it’s clear that the use of spaces in the query string of the mapped URL is the 
> cause of the 403 forbidden messages.
>
> We can update our httpd.conf mapping code, so it won’t be a problem for us, but 
> it might be worth updating the mod_rewrite documentation on this?

Maybe we can slip an additional entry into the changelog.
I think in this case, for now at least, we'd primarily rely on the error_log 
entry. Did this produce the new AH10410?



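
An added example, not part of the thread and not httpd code: a small Python lint for the case discussed in these messages, a RewriteRule whose substitution carries a literal space (or control character) in its query string, which reported 403 with AH10410 after the 2.4.56 upgrade. It proposes the `\%20` form that the reply above reports as working. The tokenizer is a simplified approximation of httpd's directive parsing, the sample configuration is constructed from the two rule variants quoted in the thread, and `logical_lines`, `split_args` and `lint` are this example's own names.

```python
import re

# Constructed sample built from the two rule variants quoted in the thread.
SAMPLE_CONF = r'''RewriteEngine on
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
'''

# Space, the other C0 control characters, and DEL.
UNSAFE = re.compile(r"[\x00-\x20\x7f]")


def logical_lines(text):
    """Yield (first_line_number, text) with backslash-continued lines joined."""
    buf, start = "", None
    for number, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = number
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None


def split_args(line):
    """Split a directive line into arguments, honouring '...' and "..." quoting."""
    args, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] in "\"'":
            quote, i, buf = line[i], i + 1, []
            while i < n and line[i] != quote:
                # Inside quotes, a backslash escapes only the quote or itself.
                if line[i] == "\\" and i + 1 < n and line[i + 1] in (quote, "\\"):
                    i += 1
                buf.append(line[i])
                i += 1
            i += 1  # step over the closing quote
            args.append("".join(buf))
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            args.append(line[i:j])
            i = j
    return args


def lint(conf_text):
    """Return one finding per RewriteRule with unsafe literals in its query string."""
    findings = []
    for lineno, line in logical_lines(conf_text):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        args = split_args(stripped)
        if len(args) < 3 or args[0].lower() != "rewriterule":
            continue
        substitution = args[2]
        path, sep, query = substitution.partition("?")
        if sep and UNSAFE.search(query):
            # "\%20": the backslash keeps mod_rewrite from reading %2 as a
            # RewriteCond backreference.
            fixed = UNSAFE.sub(lambda m: "\\%%%02X" % ord(m.group()), query)
            findings.append({"line": lineno, "substitution": substitution,
                             "suggested": path + "?" + fixed})
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_CONF):
        print(f"line {f['line']}: {f['substitution']!r}")
        print(f"  suggested: {f['suggested']!r}")
```

Only literals in the configured substitution are checked; whitespace that arrives through a backreference at request time is outside what a static scan of the file can see.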



RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread BUSH Steve
Correction!
I used our test template for the rule when I e-mailed just now, but once it is 
converted to the apache httpd.conf format, the actual rule appears in the 
httpd.conf as:
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and 
it’s clear that the use of spaces in the query string of the mapped URL is the 
cause of the 403 forbidden messages.

We can update our httpd.conf mapping code, so it won’t be a problem for us, but 
it might be worth updating the mod_rewrite documentation on this?


From: BUSH Steve 
Sent: Wednesday, March 8, 2023 7:45 PM
To: dev@httpd.apache.org
Subject: RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

I just completed upgrading to 2.4.56 from 2.4.55 and now we are having problems 
with existing mod_rewrite directives that use parameter substitution:

An example of a mod_rewrite declaration we have is:
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ 
"/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Our internal test case calls GET https://SERVER:PORT/zoology/animals/reset/10

In 2.4.55,
this works successfully and our internal service /auth/launchjob is called with 
“Number_of_Records” = 10

However, after upgrading to 2.4.56,
The service now returns 403 Forbidden.  Calling the mapped service directly 
works okay.

In this case, the RewriteRule is not associated with mod_proxy and is used for 
REST service mapping.
The rewrite flags are (https://httpd.apache.org/docs/2.4/rewrite/flags.html):
B: Escape Backreferences
PT: Passthrough
L: Last
QSA: qsappend (query string append)

It seems to me that the changes to address CVE-2023-25690 have caused 
unintended side effects?

https://downloads.apache.org/httpd/CHANGES_2.4.56
  *) SECURITY: CVE-2023-25690: HTTP request splitting with
 mod_rewrite and mod_proxy (cve.mitre.org)
 Some mod_proxy configurations on Apache HTTP Server versions
 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
 Configurations are affected when mod_proxy is enabled along with
 some form of RewriteRule
 or ProxyPassMatch in which a non-specific pattern matches
 some portion of the user-supplied request-target (URL) data and
 is then
 re-inserted into the proxied request-target using variable
 substitution. For example, something like:
 RewriteEngine on
 RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
 ProxyPassReverse /here/ http://example.com:8080/
 Request splitting/smuggling could result in bypass of access
 controls in the proxy server, proxying unintended URLs to
 existing origin servers, and cache poisoning.
 Credits: Lars Krapf of Adobe



From: Eric Covener <cove...@gmail.com>
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

I am going to call this one 

RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread BUSH Steve
I just completed upgrading to 2.4.56 from 2.4.55 and now we are having problems 
with existing mod_rewrite directives that use parameter substitution:

An example of a mod_rewrite declaration we have is:
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ 
"/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Our internal test case calls GET https://SERVER:PORT/zoology/animals/reset/10

In 2.4.55,
this works successfully and our internal service /auth/launchjob is called with 
“Number_of_Records” = 10

However, after upgrading to 2.4.56,
The service now returns 403 Forbidden.  Calling the mapped service directly 
works okay.

In this case, the RewriteRule is not associated with mod_proxy and is used for 
REST service mapping.
The rewrite flags are (https://httpd.apache.org/docs/2.4/rewrite/flags.html):
B: Escape Backreferences
PT: Passthrough
L: Last
QSA: qsappend (query string append)

It seems to me that the changes to address CVE-2023-25690 have caused 
unintended side effects?

https://downloads.apache.org/httpd/CHANGES_2.4.56
  *) SECURITY: CVE-2023-25690: HTTP request splitting with
 mod_rewrite and mod_proxy (cve.mitre.org)
 Some mod_proxy configurations on Apache HTTP Server versions
 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
 Configurations are affected when mod_proxy is enabled along with
 some form of RewriteRule
 or ProxyPassMatch in which a non-specific pattern matches
 some portion of the user-supplied request-target (URL) data and
 is then
 re-inserted into the proxied request-target using variable
 substitution. For example, something like:
 RewriteEngine on
 RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
 ProxyPassReverse /here/ http://example.com:8080/
 Request splitting/smuggling could result in bypass of access
 controls in the proxy server, proxying unintended URLs to
 existing origin servers, and cache poisoning.
 Credits: Lars Krapf of Adobe



From: Eric Covener 
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.

fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem

On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem <rpl...@apache.org> wrote:
>
> On 3/5/23 10:31 PM, Eric Covener wrote:
> > Hi all,
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> > [X] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 *httpd-2.4.56-rc1.tar.gz
> > sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724 *httpd-2.4.56-rc1.tar.gz
> >
> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> >
>
> Sigs and Hashes ok
> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3
>
> Regards
>
> Rüdiger

--
Eric Covener
cove...@gmail.com




RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread BUSH Steve
Please remember to send the release announcement to annou...@httpd.apache.org

From: Eric Covener 
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.

fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem

On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem <rpl...@apache.org> wrote:
>
> On 3/5/23 10:31 PM, Eric Covener wrote:
> > Hi all,
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> > [X] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698 *httpd-2.4.56-rc1.tar.gz
> > sha512: 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724 *httpd-2.4.56-rc1.tar.gz
> >
> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> >
>
> Sigs and Hashes ok
> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3
>
> Regards
>
> Rüdiger

--
Eric Covener
cove...@gmail.com




Announcing new releases on annou...@httpd.apache.org

2022-06-15 Thread BUSH Steve
Several Apache Server releases over the past year have not been announced to 
the annou...@httpd.apache.org mailing list

See the archives at:
https://lists.apache.org/list?annou...@httpd.apache.org

2.4.53 was announced in March of this year
2.4.50 was announced in October, 2021

However, each of 2.4.51, 2.4.52, and 2.4.54 were not announced.

Can I please ask for the person or people who are responsible for the releases 
to make sure that they also announce the releases on the announce@ mailing list.

Thank you in advance,
Steve Bush

