Re: [VOTE] Release httpd-2.4.46

2020-08-08 Thread Alex Hautequest
I don’t see why a verbiage similar to “Fixed in Apache httpd-2.4.44 (not 
released to the public)” couldn’t be used: this is, after all, a true statement.

While it should be common understanding that newer code versions carry 
improvements and fixes from previous ones, maybe this should be clarified on 
the initial paragraphs of the vulnerabilities page.

Last but not least, this also resolves thoughts of “where is 2.4.44, I cannot 
find it” (although only if one browses to the vulnerabilities page).

What I am not sure about, however, is how much this affects the existing
automation workflow.

Alex

> On Aug 8, 2020, at 08:27, Daniel Ruggeri  wrote:
> 
> Hi, Bill;
>   I wondered about this myself. I agree that we allow for ambiguity
> when we say an issue is fixed in 2.4.44 and 2.4.45 (which weren't
> released). Perhaps we should just bump the 'fixed' version up to the
> released version... but then we should also add to the 'affected'
> versions the version numbers we burned during QA. That's odd, too,
> because we didn't release those versions so they aren't really 'affected'.
> 
>   I could go either way... the vulnerability reporting is enough "after
> work" for a release that makes it a prime candidate for processing it
> with announce.sh, so I'm happy to encode whatever we consider the best
> way forward into that script.
> 
> -- 
> Daniel Ruggeri
> 
>> On 8/7/2020 8:56 AM, William A Rowe Jr wrote:
>> Following the announcement link, it isn't clear that
>> https://httpd.apache.org/security/vulnerabilities_24.html
>> fixes issues in 2.4.46.
>> Should the fixed-in be promoted to the revision of Apache HTTP Server
>> actually published (released) by the project? It almost reads like
>> "fixed in
>> 2.4.46-dev" (which 0-day disclosures are described as, until a release
>> is actually published.)
>> On Wed, Aug 5, 2020 at 6:32 AM Daniel Ruggeri wrote:
>>   Hi, all;
>>  With 12 binding PMC +1 votes, two additional +1 votes from the
>>   community, and no -1 votes, I'm pleased to report that the vote has
>>   PASSED to release 2.4.46. I will begin the process of pushing to the
>>   distribution mirrors which should enable us for a Friday
>>   announcement -
>>   a great way to wrap up the week!
>>   Here are the votes I recorded during the thread:
>>   PMC
>>   jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
>>   gbechis, gsmith, druggeri, jblond, rjung
>>   Community
>>   Noel Butler, wrowe
>>   --
>>   Daniel Ruggeri
>>>   On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
>>> Hi, all;
>>>   Third time is a charm! Please find below the proposed release tarball
>>> and signatures:
>>> https://dist.apache.org/repos/dist/dev/httpd/
>>> I would like to call a VOTE over the next few days to release this
>>> candidate tarball as 2.4.46:
>>> [ ] +1: It's not just good, it's good enough!
>>> [ ] +0: Let's have a talk.
>>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>> The computed digests of the tarball up for vote are:
>>> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
>>> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
>>> *httpd-2.4.46.tar.gz
>>> sha512:
>>> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
>>> *httpd-2.4.46.tar.gz
>>> The SVN tag is '2.4.46' at r1880505.



Re: [VOTE] Release httpd-2.4.46

2020-08-08 Thread Daniel Ruggeri
Hi, Bill;
   I wondered about this myself. I agree that we allow for ambiguity
when we say an issue is fixed in 2.4.44 and 2.4.45 (which weren't
released). Perhaps we should just bump the 'fixed' version up to the
released version... but then we should also add to the 'affected'
versions the version numbers we burned during QA. That's odd, too,
because we didn't release those versions so they aren't really 'affected'.

   I could go either way... the vulnerability reporting is enough "after
work" for a release that makes it a prime candidate for processing it
with announce.sh, so I'm happy to encode whatever we consider the best
way forward into that script.

-- 
Daniel Ruggeri

On 8/7/2020 8:56 AM, William A Rowe Jr wrote:
> Following the announcement link, it isn't clear that 
>
> https://httpd.apache.org/security/vulnerabilities_24.html 
>
> fixes issues in 2.4.46.
>
> Should the fixed-in be promoted to the revision of Apache HTTP Server
> actually published (released) by the project? It almost reads like
> "fixed in
> 2.4.46-dev" (which 0-day disclosures are described as, until a release
> is actually published.)
>
> On Wed, Aug 5, 2020 at 6:32 AM Daniel Ruggeri wrote:
>
> Hi, all;
>
>    With 12 binding PMC +1 votes, two additional +1 votes from the
> community, and no -1 votes, I'm pleased to report that the vote has
> PASSED to release 2.4.46. I will begin the process of pushing to the
> distribution mirrors which should enable us for a Friday
> announcement -
> a great way to wrap up the week!
>
> Here are the votes I recorded during the thread:
> PMC
> jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
> gbechis, gsmith, druggeri, jblond, rjung
>
> Community
> Noel Butler, wrowe
>
> -- 
> Daniel Ruggeri
>
> On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
> > Hi, all;
> >    Third time is a charm! Please find below the proposed release tarball
> > and signatures:
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release this
> > candidate tarball as 2.4.46:
> > [ ] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> > sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> > *httpd-2.4.46.tar.gz
> > sha512:
> > 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> > *httpd-2.4.46.tar.gz
> >
> > The SVN tag is '2.4.46' at r1880505.
> >
>



Re: [VOTE] Release httpd-2.4.46

2020-08-07 Thread William A Rowe Jr
Following the announcement link, it isn't clear that

https://httpd.apache.org/security/vulnerabilities_24.html

fixes issues in 2.4.46.

Should the fixed-in be promoted to the revision of Apache HTTP Server
actually published (released) by the project? It almost reads like "fixed in
2.4.46-dev" (which 0-day disclosures are described as, until a release
is actually published.)

On Wed, Aug 5, 2020 at 6:32 AM Daniel Ruggeri  wrote:

> Hi, all;
>
>With 12 binding PMC +1 votes, two additional +1 votes from the
> community, and no -1 votes, I'm pleased to report that the vote has
> PASSED to release 2.4.46. I will begin the process of pushing to the
> distribution mirrors which should enable us for a Friday announcement -
> a great way to wrap up the week!
>
> Here are the votes I recorded during the thread:
> PMC
> jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
> gbechis, gsmith, druggeri, jblond, rjung
>
> Community
> Noel Butler, wrowe
>
> --
> Daniel Ruggeri
>
> On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
> > Hi, all;
> >Third time is a charm! Please find below the proposed release tarball
> > and signatures:
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release this
> > candidate tarball as 2.4.46:
> > [ ] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> > sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> > *httpd-2.4.46.tar.gz
> > sha512:
> > 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> > *httpd-2.4.46.tar.gz
> >
> > The SVN tag is '2.4.46' at r1880505.
> >
>
>


Re: [VOTE] Release httpd-2.4.46

2020-08-05 Thread Daniel Ruggeri
Hi, all;

   With 12 binding PMC +1 votes, two additional +1 votes from the
community, and no -1 votes, I'm pleased to report that the vote has
PASSED to release 2.4.46. I will begin the process of pushing to the
distribution mirrors which should enable us for a Friday announcement -
a great way to wrap up the week!

Here are the votes I recorded during the thread:
PMC
jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
gbechis, gsmith, druggeri, jblond, rjung

Community
Noel Butler, wrowe

-- 
Daniel Ruggeri

On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.
>



Re: [VOTE] Release httpd-2.4.46

2020-08-04 Thread William A Rowe Jr
On Sat, Aug 1, 2020 at 9:13 AM Daniel Ruggeri  wrote:

> Hi, all;
>Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/


Just as a footnote to 2.4.46, as mentioned before mod_lua won't compile
against the current lua release 5.4.0. Can this be mentioned in the release
announcement that the lua 5.3.5 release or earlier is still required? (It's
my guess that after breaking the API with the release of 5.4.0, they aren't
about to revert that change in a later flavor.)


Re: [VOTE] Release httpd-2.4.46

2020-08-04 Thread William A Rowe Jr
On Sat, Aug 1, 2020 at 9:13 AM Daniel Ruggeri  wrote:

> Hi, all;
>Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
>

From the peanut gallery;

[✔] +1: It's not just good, it's as good as can be expected!

Windows via cmake, ubuntu 16, 18, 20 LTS's and centos 7, 8.


Re: [VOTE] Release httpd-2.4.46

2020-08-04 Thread Joe Orton
On Tue, Aug 04, 2020 at 01:48:08PM +0200, Rainer Jung wrote:
> GDB info (sporadic) Solaris shutdown crashes during OpenSSL shutdown in
> mod_watchdog:

Awesome level of testing as usual, thanks Rainer!

I see similar crashes with mod_watchdog active for 2.4 prefork.  I think 
the trigger is also loading mod_md, which causes mod_watchdog to have 
active threads?  May be wrong.  

I started investigating mod_watchdog mutex abuse (r1876511) but in the 
end concluded that prefork ungraceful shutdown is inherently broken 
because it does everything inside a signal handler in each child, which 
is totally unsafe and unsurprisingly crashy.

In this case you have:

1) a child's main thread exiting with APEXIT_CHILDSICK (from first 
argument == 7 == APEXIT_CHILDSICK) - possibly the listener mutex got 
whacked by the parent?

2) there is a mod_watchdog thread which caught SIGTERM and is handling 
that at the same time.

It seems pretty daft that the mod_watchdog thread is catching any 
signals.  It looks like wd_worker() should call 
apr_setup_signal_thread() to block such signals - in fact any thread use 
within httpd outside of the MPMs should be doing that?

Regards, Joe

> 
> -  lwp# 1 / thread# 1  
>  ff07b670 apr_pool_destroy (393280, 41d848, ffbfee19, 38c8a0, 393268, 1018)
> + 284
>  fed529e0 clean_child_exit (7, 22f, 3, 3, 9, cc4b0) + 60
>  fed52f2c child_main (fed6b93c, fed6b938, 9c71c, fed6b954, fed6b944, 9becc)
> + 344
>  fed535fc make_child (cc4b0, 2, 2, 392e50, 1, 0) + 1d0
>  fed545e4 prefork_run (0, ffbfefdc, ffbfefc8, fed6b94c, 9becc, fed6b95c) +
> 91c
>  00039e64 ap_run_mpm (a7338, ce008, cc4b0, 9bd3c, 0, 1eaa08) + 54
>  00075cfc main (37a54, 9b718, 76d90, 9becc, 9beb8, a53c0) + 9b4
>  00031654 _start   (0, 0, 0, 0, 0, 0) + 5c
> -  lwp# 2 / thread# 2  
>  fee42480 mutex_lock_impl (fce10200, 0, 0, 0, fd839278, 0) + 168
>  fd827ff8 __deregister_frame_info_bases (fd8392a8, 0, 0, 0, fd839290, 0) +
> d8
>  fd82130c  (0, 0, fd8392a0, fd839628, 0, fd83962c)
>  fd828540 _fini(ff3f418c, ff3f5b10, 2ae70, 0, ff3f48e8, 1821) + 4
>  ff3c5a5c call_fini (ff3f418c, febc1058, fd82853c, ff3f4380, ff3f4338,
> ff3f48e8) + cc
>  ff3c5c2c atexit_fini (ff3f418c, 2ed28, fee42cc0, ff3f48e8, fce10200,
> febc1058) + 78
>  fedc2374 _exithandle (feeb7500, feeb5900, 1c00, feeb9330, 24, 222c88) + 40
>  fedb0790 exit (0, 222c88, ff076cc8, 0, fce10200, 38c904) + 4
>  fed52a18 clean_child_exit (0, 0, 0, 0, 0, 0) + 98
>  fed52a3c just_die (f, 0, fcdfba70, 1, 0, 0) + 4
>  fee4961c __sighndlr (f, 0, fcdfba70, fed52a38, 0, 1) + c
>  fee3dce8 call_user_handler (f, 0, 0, 0, fce10200, fcdfba70) + 3b8
>  fee3ded0 sigacthandler (f, 0, fcdfba70, 0, 0, 0) + 60
>  --- called from signal handler with signal 15 (SIGTERM) ---
>  fee4cdc0 __pollsys (fcdfbde8, 0, fcdfbe50, 0, 0, 0) + 8
>  fede8590 pselect  (fcdfbde8, feeb4728, feeb4728, 0, fcdfbe50, 0) + 1c8
>  fede8908 select   (0, 0, 0, 0, fcdfbeb8, f4240) + a0
>  ff087d20 apr_sleep (0, 186a0, a129c, a1298, 0, 0) + 4c
>  fe372f30 wd_worker (fe389744, 3900b0, 1, fcdfbf38, 5abe9, 815e16a) + 348
>  ff087274 dummy_worker (390ef0, fcdfc000, 0, 0, ff087268, 1) + c
>  fee494f0 _lwp_start (0, 0, 0, 0, 0, 0)
> 
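The point in Joe Orton's message above, that a helper thread which leaves SIGTERM unblocked can end up running the process's termination handler, shown as an added example (not code from httpd, APR or this thread). It uses POSIX `pthread_sigmask()` as a stand-in for the masking `apr_setup_signal_thread()` is suggested for; `deliver_sigterm`, `block_async_signals` and the `ROLE_*` names are made up for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <pthread.h>
#include <signal.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

enum { ROLE_NONE = -1, ROLE_MAIN = 0, ROLE_WORKER = 1 };

static __thread int my_role = ROLE_MAIN;  /* per-thread tag read by the handler */
static atomic_int handler_ran_in;         /* role of the thread that ran the handler */
static atomic_int worker_ready, worker_stop;

/* Only records where it ran; a real handler doing cleanup here is the hazard. */
static void on_sigterm(int sig)
{
    (void)sig;
    atomic_store(&handler_ran_in, my_role);
}

static void nap_ms(long ms)
{
    struct timespec ts = { ms / 1000, (ms % 1000) * 1000000L };
    nanosleep(&ts, NULL);  /* may return early on a signal; callers loop */
}

/* Assumed equivalent of the suggested fix: block every asynchronous signal
 * in this thread, leaving synchronous faults deliverable. */
static void block_async_signals(void)
{
    sigset_t set;
    sigfillset(&set);
    sigdelset(&set, SIGSEGV);
    sigdelset(&set, SIGBUS);
    sigdelset(&set, SIGFPE);
    sigdelset(&set, SIGILL);
    pthread_sigmask(SIG_SETMASK, &set, NULL);
}

/* Stand-in for a background thread such as a watchdog worker loop. */
static void *worker(void *arg)
{
    my_role = ROLE_WORKER;
    if (*(int *)arg)
        block_async_signals();
    atomic_store(&worker_ready, 1);
    while (!atomic_load(&worker_stop))
        nap_ms(10);
    return NULL;
}

/* Sends a process-directed SIGTERM and returns the role of the thread whose
 * context ran the handler. The main thread blocks SIGTERM while sending, only
 * to make the outcome deterministic: with the signal unblocked in both
 * threads the kernel may pick either one. */
int deliver_sigterm(int worker_blocks_signals)
{
    struct sigaction sa = {0}, old_sa;
    sigset_t term, old_mask;
    pthread_t tid;
    int i, result;

    atomic_store(&handler_ran_in, ROLE_NONE);
    atomic_store(&worker_ready, 0);
    atomic_store(&worker_stop, 0);

    sa.sa_handler = on_sigterm;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTERM, &sa, &old_sa) != 0)
        return -2;

    /* The worker inherits the creator's mask, so create it before blocking. */
    if (pthread_create(&tid, NULL, worker, &worker_blocks_signals) != 0)
        return -2;
    while (!atomic_load(&worker_ready))
        nap_ms(1);

    sigemptyset(&term);
    sigaddset(&term, SIGTERM);
    pthread_sigmask(SIG_BLOCK, &term, &old_mask);
    kill(getpid(), SIGTERM);

    /* Unmasked worker: the handler runs there almost at once.
     * Masked worker: the signal stays pending for the whole wait. */
    for (i = 0; i < 200 && atomic_load(&handler_ran_in) == ROLE_NONE; i++)
        nap_ms(1);

    /* Restoring the mask delivers a still-pending SIGTERM to this thread. */
    pthread_sigmask(SIG_SETMASK, &old_mask, NULL);
    result = atomic_load(&handler_ran_in);

    atomic_store(&worker_stop, 1);
    pthread_join(tid, NULL);
    sigaction(SIGTERM, &old_sa, NULL);
    return result;
}

int main(void)
{
    printf("worker leaves signals unblocked -> handler ran in role %d\n",
           deliver_sigterm(0));
    printf("worker blocks async signals     -> handler ran in role %d\n",
           deliver_sigterm(1));
    return 0;
}
```

Build with `cc -pthread`; role 1 is the worker thread and role 0 the main thread.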



Re: [VOTE] Release httpd-2.4.46

2020-08-04 Thread Rainer Jung

On 01.08.2020 at 16:13, Daniel Ruggeri wrote:

Hi, all;
    Third time is a charm! Please find below the proposed release tarball
and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this
candidate tarball as 2.4.46:
[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
*httpd-2.4.46.tar.gz
sha512:
5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
*httpd-2.4.46.tar.gz

The SVN tag is '2.4.46' at r1880505.


+1 to release and thanks a bunch for multi-RM!

Summary: all OK except for

- 12 shutdown crashes on Solaris, all for prefork (already observed 
previously). Happens in mod_watchdog during server shutdown.

gdb info at end. Not a regression.

Detailed report:

- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
  except for expected deltas

Build and test results are based on 2.4.45 but are valid for 2.4.46 due to 
the minimal code change between them.


Built on

- Solaris 10 Sparc as 32 Bit Binaries
- SLES 11+12+15 (64 Bits)
- RHEL 6+7+8 (64 Bits)

For all platforms built

- with default (shared) and static modules
- with module set reallyall
- using --enable-load-all-modules
- against external APR/APU 1.7.0/1.6.1
  plus APR/APU 1.6.5/1.6.1
  plus APR/APU 1.7.x r1880146/1.7.x r1880148 with expat
  plus APR/APU 1.7.x r1880146/1.7.x r1880148 with libxml2
  plus APR/APU from deps tarball

- using external libraries
  - expat 2.2.9
  - pcre 8.44
  - lua 5.3.5 (compiled with LUA_COMPAT_MODULE)
  - libxml2 2.9.10
  - libnghttp2 1.41.0
  - brotli 1.0.7
  - curl 7.71.1
  - jansson 2.13.1
  - libldap 2.4.50
and
  - openssl 0.9.8zh, 1.0.2, 1.0.2u, 1.0.1e, 1.0.1l, 1.1.1, 1.1.1g plus 
patches (head of master on 2020-07-11), 3.0.0alpha5


- Tool chain:
- platform gcc except on Solaris
  (gcc 9.3.0 Solaris 10)
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing
  - on Solaris additionally -mpcu=v9, -D_XOPEN_SOURCE,
-D_XOPEN_SOURCE_EXTENDED=1, -D__EXTENSIONS__
and -D_XPG6

All of the 1064 builds succeeded.

- compiler warnings:

  - only on Solaris (GCC 9.3.0):
srclib/apr/locks/unix/proc_mutex.c:979:49: warning: 
'mutex_proc_pthread_cond_methods' defined but not used 
[-Wunused-const-variable=]


  - deprecation warnings when building against OpenSSL 3.0.0, see other 
thread



Tested for

- Solaris 10, SLES 11+12+15, RHEL 6+7+8
- MPMs prefork, worker, event
- default and static module builds
- log level trace8
- module set reallyall (128 modules plus 3 MPMs)
- Perl client bundle build against OpenSSL 1.1.1g plus patches, 1.1.0l, 
1.0.2u and 0.9.8zh

- OpenSSL once linked statically and once as a shared library

Every OpenSSL version in the client tested with every OpenSSL version in 
the server. Nearly all tests with dynamically linked OpenSSL are done.


The total number of test suite runs was 5913 (many more to come ...).

Some local adjustments to tests were used:

- t/modules/buffer.t: removing huge buffer tests
  -my $bigsize = 10;
  +my $bigsize = 1;

- fixing "sub which" in Apache-Test/lib/Apache/TestConfig.pm
  +# No need to search PATH components
  +# if $program already contains a path
  +return $program if !OSX and !WINFU and
  +$program =~ /\// and -f $program and -x $program;
  +

- fixing limitrequestline overwrite which does not yet really work

The following test failures were seen:

a Crashes only on Solaris, only with prefork MPM and
  dynamically linked builds.
  The crash seems to happen only at the end of a process during pchild
  clean up and it might be problematic, that the watchdog thread at that
  time still exists.
  gdb info see at end.

b Tests 2 of t/apache/pr35292.t
  Tests 2 at line 29
  Only once on Solaris. Unclear failure showing the socket
  was disconnected, but the next test case sees correct response content.

c Tests 27 and 28 of t/modules/http2.t
  Tests 27 and 28 at lines 303 and 304
  Response status and content length undef for
  test case: TC0015, necho.pl 10x10:
  GET 
http://localhost:8536/modules/h2/necho.pl?count=10=0123456789

  Only once on Solaris.

d Tests 207 and 265 of t/ssl/proxy.t
  eat_post received "502 Proxy Error".
  Each of the two failed test cases only once on Solaris.

e OpenSSL 3.0.0 and t/ssl/proxy.t
  eat_post fails always, see other thread about OpenSSL 3.0.0

f All https tests fail between OpenSSL 0.9.8zh and 3.0.0alpha5
  Probably need to figure out how to load the legacy provider
  during the tests

g Test 5 in t/modules/dav.t line 69:
  Not a regression.
  Only once on SLES 11.
  Creation, modified and now times not in 

Re: [VOTE] Release httpd-2.4.46

2020-08-04 Thread Mario Brandt
 [x] +1: It's not just good, it's good enough!
 [ ] +0: Let's have a talk.
 [ ] -1: There's trouble in paradise. Here's what's wrong.

Debian 10 build.


Re: [VOTE] Release httpd-2.4.46

2020-08-03 Thread Gregg Smith

On 8/1/2020 7:13 AM, Daniel Ruggeri wrote:

Hi, all;
    Third time is a charm! Please find below the proposed release tarball
and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this
candidate tarball as 2.4.46:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
*httpd-2.4.46.tar.gz
sha512:
5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
*httpd-2.4.46.tar.gz

The SVN tag is '2.4.46' at r1880505.


+1 on Windows VS15 & 16 built at command line.


Re: [VOTE] Release httpd-2.4.46

2020-08-03 Thread Daniel Ruggeri
For my own +1... tested under the following versions:

system:
  kernel:
    name: Linux
    release: 4.19.0-10-amd64
    version: #1 SMP Debian 4.19.132-1 (2020-07-24)
    machine: x86_64

  libraries:
    openssl: "1.1.1g"
    openldap: "2.4.50"
    apr: "1.7.0"
    apr-util: "1.6.1"
    iconv: "1.2.2"
    brotli: "1.0.7"
    nghttp2: "1.41.0"
    zlib: "1.2.11"
    pcre: "8.44"
    libxml2: "2.9.9"
    php: "7.4.8"
    lua: "5.3.5"
    curl: "7.71.1"

-- 
Daniel Ruggeri

On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
>
> The SVN tag is '2.4.46' at r1880505.
>



Re: [VOTE] Release httpd-2.4.46

2020-08-03 Thread Giovanni Bechis
On 8/1/20 4:13 PM, Daniel Ruggeri wrote:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
> 
> The SVN tag is '2.4.46' at r1880505.
> 
+1, tested on Fedora32 and OpenBSD-current.

 Giovanni


Re: [VOTE] Release httpd-2.4.46

2020-08-03 Thread Eric Covener
On Sat, Aug 1, 2020 at 10:14 AM Daniel Ruggeri  wrote:
>
> Hi, all;
>Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!

+1


Re: [VOTE] Release httpd-2.4.46

2020-08-03 Thread Yann Ylavic
On Sat, Aug 1, 2020 at 4:14 PM Daniel Ruggeri  wrote:
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:

[X] +1: It's not just good, it's good enough!

All good in my testing, thanks Daniel for RMing.


Re: [VOTE] Release httpd-2.4.46

2020-08-03 Thread jean-frederic clere

On 01/08/2020 16:13, Daniel Ruggeri wrote:

[X] +1: It's not just good, it's good enough!


Passed on Fedora32 x86_64.

--
Cheers

Jean-Frederic


Re: [VOTE] Release httpd-2.4.46

2020-08-03 Thread Joe Orton
On Sat, Aug 01, 2020 at 09:13:29AM -0500, Daniel Ruggeri wrote:
> Hi, all;
>    Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [X] +1: It's not just good, it's good enough!

+1 for release, tested in Fedora 32, and thanks again-again.

Regards, Joe



Re: [VOTE] Release httpd-2.4.46

2020-08-03 Thread Luca Toscano
On Sat, Aug 1, 2020 at 4:14 PM Daniel Ruggeri  wrote:
>
> Hi, all;
>Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [x] +1: It's not just good, it's good enough!

Tested on Debian 10 "Buster", apr 1.6 + apr-util 1.6, openssl 1.1, php-fpm 7.3.
Verified all signatures and digests (nit: do we still need to publish
the .md5 ones?)

Thanks Daniel!

Luca


Re: [VOTE] Release httpd-2.4.46

2020-08-03 Thread Noel Butler
On 02/08/2020 00:13, Daniel Ruggeri wrote:

> Hi, all;
> Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

All good running on slackware 13.1 through to -current  

built with included APR 1.7.0,  APR-Util 1.6.1

--
Regards,
Noel Butler 


Re: [VOTE] Release httpd-2.4.46

2020-08-02 Thread Steffen Land

WIN32 APR 1.7.0 APR-UTIL 1.6.1 with Analyses

Warning C6386   \apr\time\win32\timestr.c   189 Buffer overrun while 
writing to 'new_format':  the writable size is 'max+11' bytes, but 'j' bytes 
might be written.
Warning C26451  \apr\time\win32\time.c  239 Arithmetic overflow: Using 
operator '+' on a 4 byte value and then casting the result to a 8 byte value. 
Cast the value to the wider type before calling operator '+' to avoid overflow 
(io.2).
Warning C26451  \apr\time\win32\time.c  239 Arithmetic overflow: Using 
operator '-' on a 4 byte value and then casting the result to a 8 byte value. 
Cast the value to the wider type before calling operator '-' to avoid overflow 
(io.2).
Warning C6248   \apr\threadproc\win32\proc.c320 Setting a 
SECURITY_DESCRIPTOR's DACL to NULL will result in an unprotected object.
Warning C28182  \apr\tables\apr_skiplist.c  516 Dereferencing NULL 
pointer. 'tmp' contains the same NULL value as 'm->next' did. See line 511 for 
an earlier location where this can occur
Warning C6011   \apr\tables\apr_skiplist.c  570 Dereferencing NULL 
pointer 'ret'. 
Warning C6011   \apr\tables\apr_skiplist.c  571 Dereferencing NULL 
pointer 'li'. See line 570 for an earlier location where this can occur
Warning C6011   \apr\tables\apr_hash.c  505 Dereferencing NULL pointer 
'new_vals'. 
Warning C6237   \apr\strings\apr_snprintf.c 819 ( && 
) is always zero.   is never evaluated and might have 
side effects.
Warning C6285   \apr\strings\apr_snprintf.c 822 ( || 
) is always a non-zero constant.  Did you intend to use the 
bitwise-and operator?
Warning C6285   \apr\strings\apr_snprintf.c 834 ( || 
) is always a non-zero constant.  Did you intend to use the 
bitwise-and operator?
Warning C26451  \apr\random\unix\sha2.c 399 Arithmetic overflow: Using 
operator '<<' on a 4 byte value and then casting the result to a 8 byte value. 
Cast the value to the wider type before calling operator '<<' to avoid overflow 
(io.2).
Warning C6297   \apr\random\unix\sha2.c 399 Arithmetic overflow:  32-bit 
value is shifted, then cast to 64-bit value.  Results might not be an expected 
value.
Warning C26451  \apr\random\unix\sha2.c 406 Arithmetic overflow: Using 
operator '<<' on a 4 byte value and then casting the result to a 8 byte value. 
Cast the value to the wider type before calling operator '<<' to avoid overflow 
(io.2).
Warning C6297   \apr\random\unix\sha2.c 406 Arithmetic overflow:  32-bit 
value is shifted, then cast to 64-bit value.  Results might not be an expected 
value.
Warning C26451  \apr\random\unix\sha2.c 422 Arithmetic overflow: Using 
operator '<<' on a 4 byte value and then casting the result to a 8 byte value. 
Cast the value to the wider type before calling operator '<<' to avoid overflow 
(io.2).
Warning C6297   \apr\random\unix\sha2.c 422 Arithmetic overflow:  32-bit 
value is shifted, then cast to 64-bit value.  Results might not be an expected 
value.
Warning C6001   \apr\network_io\win32\sockopt.c 280 Using uninitialized 
memory 'oobmark'.
Warning C6255   \apr\network_io\win32\sendrecv.c118 _alloca 
indicates failure by raising a stack overflow exception.  Consider using 
_malloca instead.
Warning C6287   \apr\network_io\win32\sendrecv.c378 Redundant code: 
 the left and right sub-expressions are identical.
Warning C6387   \apr\network_io\win32\sendrecv.c381 
'sock->overlapped->hEvent' could be '0':  this does not adhere to the 
specification for the function 'WaitForSingleObject'. 
Warning C6001   \apr\network_io\unix\inet_pton.c114 Using 
uninitialized memory 'tmp'.
Warning C6001   \apr\mmap\win32\mmap.c  59  Using uninitialized memory 
'**themmap[BYTE:4]'.
Warning C6001   \apr\mmap\win32\mmap.c  59  Using uninitialized memory 
'*themmap[BYTE:4]'.
Warning C28159  \apr\misc\win32\misc.c  32  Consider using 'IsWindows*' 
instead of 'GetVersionExA'. Reason: Deprecated. Use VerifyVersionInfo* or 
IsWindows* macros from VersionHelpers.
Warning C6011   \apr\misc\win32\misc.c  218 Dereferencing NULL pointer 
'sbuf'. 
Warning C6387   \apr\misc\win32\misc.c  258 'sbuf' could be '0':  this does 
not adhere to the specification for the function 'sprintf'. See line 218 for an 
earlier location where this can occur
Warning C6387   \apr\misc\win32\misc.c  262 'sbuf' could be '0':  this does 
not adhere to the specification for the function 'strlen'. See line 218 for an 
earlier location where this can occur
Warning C6262   \apr\misc\win32\env.c   45  Function uses '16424' bytes of 
stack:  exceeds /analyze:stacksize '16384'.  Consider moving some data to heap.
Warning C6262   \apr\misc\win32\env.c   121 Function uses '16412' bytes of 
stack:  exceeds /analyze:stacksize '16384'.  Consider moving some data to heap.
Warning C6262   \apr\misc\win32\env.c   163 Function uses '16396' bytes of 
stack:  exceeds 

Re: [VOTE] Release httpd-2.4.46

2020-08-01 Thread Christophe JAILLET

On 01/08/2020 at 16:13, Daniel Ruggeri wrote:

Hi, all;
    Third time is a charm! Please find below the proposed release tarball
and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this
candidate tarball as 2.4.46:
[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
*httpd-2.4.46.tar.gz
sha512:
5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
*httpd-2.4.46.tar.gz

The SVN tag is '2.4.46' at r1880505.



+1

Tested on Ubuntu 20.04
Gcc 9.3.0
maintainer-mode
APR latest 1.7.x branch (i.e 1.7.0+)
APR-UTIL latest 1.6.x branch (i.e 1.6.1+)
Tested with event, prefork, worker

Thx for RMing.

CJ


Re: [VOTE] Release httpd-2.4.46

2020-08-01 Thread Steffen
Date in announcement is still : 
September 21, 2018

> On 1 Aug 2020, at 16:13, Daniel Ruggeri wrote:
> 
> Hi, all;
>Third time is a charm! Please find below the proposed release tarball
> and signatures:
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release this
> candidate tarball as 2.4.46:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
> sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
> *httpd-2.4.46.tar.gz
> sha512:
> 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
> *httpd-2.4.46.tar.gz
> 
> The SVN tag is '2.4.46' at r1880505.
> 
> -- 
> Daniel Ruggeri
> 
>