Re: announce mails

2021-12-20 Thread Greg Stein
The mirror system is no longer used. Most downloads are processed through a CDN instead. European downloaders will tend to hit downloads.apache.org which is "instantly" updated once a release artifact is committed to the svn distribution repository. rsync.apache should be just as instant. If not,

Re: announce mails

2021-12-20 Thread Nick Edwards
Why would the release system initiate an announce when the mirrors are not up to date, they can't be, since rsync.apache still lists 2.4.51 as latest, the process is to allow time for mirrors to get the package before announcing it. On Mon, Dec 20, 2021 at 7:53 PM Stefan Eissing wrote: > The

Re: announce mails

2021-12-20 Thread Samsul 2525
On 20.12.2021 at 10:53, Stefan Eissing wrote: > The mailings to announce lists continue to bother me. The release announcement is in the moderation queue (hopefully) and the cveprocess mails go right through to the list. This is not the order I prefer. > > I am holding back the send about the

Re: announce mails

2021-12-20 Thread Rainer Jung
Aaah, sorry, it did come in now, don't know whether via dev@ or announce@. Thanks. On 20.12.2021 at 10:53, Stefan Eissing wrote: The mailings to announce lists continue to bother me. The release announcement is in the moderation queue (hopefully) and the cveprocess mails go right through

Re: announce mails

2021-12-20 Thread Rainer Jung
Hmmm, still no announcement mail received, or did I miss it? On 20.12.2021 at 10:53, Stefan Eissing wrote: The mailings to announce lists continue to bother me. The release announcement is in the moderation queue (hopefully) and the cveprocess mails go right through to the list. This is not

CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier

2021-12-20 Thread Stefan Eissing
Severity: high Description: A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects

announce mails

2021-12-20 Thread Stefan Eissing
The mailings to announce lists continue to bother me. The release announcement is in the moderation queue (hopefully) and the cveprocess mails go right through to the list. This is not the order I prefer. I am holding back the send about the second CVE until I see the release announcement

CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier

2021-12-20 Thread Stefan Eissing
Severity: moderate Description: A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain

Re: [VOTE] Release httpd-2.4.52-rc1 as httpd-2.4.52

2021-12-20 Thread Stefan Eissing
With 7 +1 votes and no objections, the vote has PASSED. Thank you all who took the time to test this! I will start the release work. Kind Regards, Stefan > On 19.12.2021 at 17:56, Steffen wrote: > > +1 for Windows release. > > Cheers, Steffen > >> On 16 Dec. 2021 at 15:03, Stefan

Re: Testing mod_tls

2021-12-20 Thread Stefan Eissing
> On 19.12.2021 at 10:36, Christophe JAILLET wrote: > > Hi, > > I've been able to build mod_tls > > Basically, I've done: > > sudo apt install cargo > sudo apt install cbindgen > > git clone https://github.com/rustls/rustls-ffi.git git_rustls-ffi > sudo make install > > I have: >