Re: [Discuss] Rolling a 'final' 2.2.33 release

2017-06-25 Thread William A Rowe Jr
That would have been a good fix to include, but the release has been
tagged. If it is voted down on some other defects and we roll 2.2.34, I
would concur. But there is no defined single char header, and x- headers
are always 3+ chars by definition. So I don't look at this one as a
showstopper.

From here on out, all defect fixes will be up to the end user to patch. I'm
most concerned about getting a release with the full assortment of security
fixes into users' hands, reminding them the branch is EOL now, as we close
the 2.2 chapter.

On Jun 25, 2017 4:56 PM, "Mark Blackman"  wrote:

>
> On 14 Jun 2017, at 22:12, William A Rowe Jr  wrote:
>
>
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.
>
>
> Would it be an option to get a fix in for the single-character header bug?
> ( https://bz.apache.org/bugzilla/show_bug.cgi?id=61220 )
>
> If you add
>
> HttpProtocolOptions Unsafe LenientMethods Allow0.9
>
> to a default httpd.conf
>
> single character header lines are rejected with a 400 code.
>
> macmini:httpd-2.2.33 mark$ telnet localhost 8033
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: foobar
> x: 0
>
> HTTP/1.1 400 Bad Request
> Date: Sun, 25 Jun 2017 21:43:53 GMT
> Server: Apache/2.2.33 (Unix)
> Content-Length: 226
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> 
> 
> 400 Bad Request
> 
> Bad Request
> Your browser sent a request that this server could not understand.
> 
> 
> Connection closed by foreign host.
>
>


Re: [Discuss] Rolling a 'final' 2.2.33 release

2017-06-25 Thread Mark Blackman

> On 14 Jun 2017, at 22:12, William A Rowe Jr  wrote:
> 
> 
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.

Would it be an option to get a fix in for the single-character header bug? ( https://bz.apache.org/bugzilla/show_bug.cgi?id=61220 )

If you add

HttpProtocolOptions Unsafe LenientMethods Allow0.9

to a default httpd.conf

single character header lines are rejected with a 400 code.

macmini:httpd-2.2.33 mark$ telnet localhost 8033
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Host: foobar
x: 0

HTTP/1.1 400 Bad Request
Date: Sun, 25 Jun 2017 21:43:53 GMT
Server: Apache/2.2.33 (Unix)
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1



400 Bad Request

Bad Request
Your browser sent a request that this server could not understand.


Connection closed by foreign host.
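The rejection Mark reproduces with telnet, as an added regression probe (example code written here, not from the thread or the httpd project): it sends the same GET with a one-character header name and returns the status code the server answers with. The host, port and the fake server are constructed assumptions so the probe can be exercised offline; point it at a real listener to check a build.

```python
import socket
import threading

# Constructed regression probe for the report above (bz 61220): RFC 7230 allows
# a one-character field name, yet the server answered "x: 0" with 400.
TCHAR = set("!#$%&'*+-.^_`|~0123456789"
            "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

def is_valid_field_name(name: str) -> bool:
    """field-name = token = 1*tchar, so a single character such as 'x' is valid."""
    return len(name) >= 1 and all(c in TCHAR for c in name)

def _read_until(sock, marker: bytes) -> bytes:
    """Read from the socket until marker appears or the peer closes."""
    data = b""
    while marker not in data and (chunk := sock.recv(4096)):
        data += chunk
    return data

def build_request(header_name: str, value: str = "0") -> bytes:
    """Raw HTTP/1.1 request mirroring the telnet session: GET /, Host, one header."""
    return f"GET / HTTP/1.1\r\nHost: foobar\r\n{header_name}: {value}\r\n\r\n".encode("ascii")

def probe_status(host: str, port: int, header_name: str, timeout: float = 5.0) -> int:
    """Send the request and return the numeric status code from the status line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(header_name))
        data = _read_until(s, b"\r\n")
    parts = data.split(b"\r\n", 1)[0].decode("latin-1", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {parts!r}")
    return int(parts[1])

def start_fake_server(reject_single_char: bool) -> int:
    """Constructed stand-in (not httpd) for offline runs: serves one connection on
    127.0.0.1, answers 400 to a one-char field name when mimicking the report, else 200."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            raw = _read_until(conn, b"\r\n\r\n")
            names = [l.split(":", 1)[0] for l in raw.decode("latin-1").split("\r\n")[1:] if ":" in l]
            bad = reject_single_char and any(len(n) == 1 for n in names)
            status = b"400 Bad Request" if bad else b"200 OK"
            conn.sendall(b"HTTP/1.1 " + status + b"\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
    threading.Thread(target=serve, daemon=True).start()
    return port
```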



Re: [Discuss] Rolling a 'final' 2.2.33 release

2017-06-19 Thread Ruediger Pluem


On 06/15/2017 04:49 PM, Eric Covener wrote:
> On Thu, Jun 15, 2017 at 10:18 AM, William A Rowe Jr  wrote:
>>>> Thoughts/comments? Patches to hold for before we roll? If I don't hear
>>>> otherwise, and we stick to the simpler alternative, then I'd plan to roll
>>>> these candidates Thursday.
> 
> One more w/ bundled deps sounds OK.
> 

+1 to the simpler alternative.

Regards

Rüdiger


Re: [Discuss] Rolling a 'final' 2.2.33 release

2017-06-15 Thread Eric Covener
On Thu, Jun 15, 2017 at 10:18 AM, William A Rowe Jr  wrote:
>>> Thoughts/comments? Patches to hold for before we roll? If I don't hear
>>> otherwise, and we stick to the simpler alternative, then I'd plan to roll
>>> these candidates Thursday.

One more w/ bundled deps sounds OK.


Re: [Discuss] Rolling a 'final' 2.2.33 release

2017-06-15 Thread William A Rowe Jr
On Thu, Jun 15, 2017 at 2:47 AM, Yann Ylavic  wrote:
> On Wed, Jun 14, 2017 at 11:12 PM, William A Rowe Jr  
> wrote:
>>
>> Thoughts/comments? Patches to hold for before we roll? If I don't hear
>> otherwise, and we stick to the simpler alternative, then I'd plan to roll
>> these candidates Thursday.
>
> Three patches (missing a single vote) in STATUS already, +1 with them in.

Just finished reviewing, so everything in there is cleared for backport.


Re: [Discuss] Rolling a 'final' 2.2.33 release

2017-06-15 Thread Yann Ylavic
On Wed, Jun 14, 2017 at 11:12 PM, William A Rowe Jr  wrote:
>
> The alternative I prefer is to roll with the final apr[-util] 1.5 releases
> as the 2.2.32 tarball had, and include the same warning as given
> in the 2.2 release announcement;

+1

>
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.

Three patches (missing a single vote) in STATUS already, +1 with them in.

Thanks Bill for taking care of the old lady :)


Re: [Discuss] Rolling a 'final' 2.2.33 release

2017-06-14 Thread William A Rowe Jr
On Wed, Jun 14, 2017 at 4:12 PM, William A Rowe Jr  wrote:
>
> Please note that Apache Web Server Project will only provide maintenance
> releases of the 2.2.x flavor through June of 2017, and will provide some
> security patches beyond this date through at least December of 2017.
> Minimal maintenance patches of 2.2.x are expected throughout this period,
> and users are strongly encouraged to promptly complete their transitions
> to the 2.4.x flavor of httpd to benefit from a much larger assortment
> of minor security and bug fixes as well as new features.

Just FYI, we've just about reached the 50% inflection point
I anticipated; it likely happens around the end of July;

https://w3techs.com/technologies/history_details/ws-apache/2

Now this might suggest that continuing to release 2.2 is important,
but that would be a misunderstanding of what "apache 2.2" means;

https://w3techs.com/technologies/details/ws-apache/2.2/all

As the list illustrates, 5 months later, only 2.5% of the 2.2 sites (~0.6%
or so of the total apache sites) had updated to 2.2.32 released in Jan.

Given the text above, this shouldn't come as a surprise, since users
likely adopted 2.4 rather than updating to another 2.2 release.

The majority of these 2.2 sites simply won't be updating their version
of httpd 2.2 again until their entire site is redeployed to a new server.
You can contrast this to the behavior of 2.4 administrators;

https://w3techs.com/technologies/details/ws-apache/2.4/all

Here, over 25% of 2.4 sites adopted 2.4.25 during the same time period.

Publishing security patches will help different vendors coordinate the
patches used to correct legacy releases they support, but will likely
not have a great impact on the typical httpd user, directly. We are
facing diminishing odds of users installing a 2.2 maintenance release
or patch from sources.