Jim, you have very vocally and hostilely reacted to *all* discussion
of improving the release process at the httpd project.
The project bylaws are clear, no individual PMC member may
block a release (the PMC chair may, owing to the fact that they
alone represent the board as the appointed VP, that
HTTPD team,
Since our downloads are to be authenticated by their .asc PGP
signatures, and the hashes simply serve as checksums, is it reasonable
to offer only MD5 and SHA256 at this point?
Anyone without SHA256 (rare, I'd expect) can use MD5 as the simplest
supported checksum. All others should a
On Mon, Oct 23, 2017 at 11:53 AM, William A Rowe Jr wrote:
> On Mon, Oct 23, 2017 at 11:45 AM, Jim Jagielski wrote:
>> Apache HTTP Server 2.4.29 Released
>>
>> October 23, 2017
>>
>> The Apache Software Foundation and the Apache HTTP Server Proje
On Mon, Oct 23, 2017 at 11:45 AM, Jim Jagielski wrote:
> Apache HTTP Server 2.4.29 Released
>
> October 23, 2017
>
> The Apache Software Foundation and the Apache HTTP Server Project
> are pleased to announce the release of version 2.4.29 of the Apache
> HTTP Server ("Apache"). This
On Mon, Oct 23, 2017 at 9:54 AM, Stefan Eissing
wrote:
>
>> On 23.10.2017 at 16:25, Yann Ylavic wrote:
>>
>> Hi Stefan,
>>
>> On Mon, Oct 23, 2017 at 2:42 PM, Stefan Eissing
>> wrote:
>>>
>>> Can you give me a sign if this will arrive soonish or need to be stashed?
>>> Thanks!
>>
>> I've just
On Thu, Oct 19, 2017 at 4:15 PM, Steffen wrote:
> I said before: In Apache.dsw is now project xml removed, it is not building
> out of the box with current released apr-util. With coming apr-util 1.6.1 it
> should be possible to build.
>
> With the expat/xml changes in apr-util and httpd, it i
# Failed test 56 in t/ssl/varlookup.t at line 109 fail #56
# Failed test 58 in t/ssl/varlookup.t at line 109 fail #58
# testing : SSL_SERVER_SAN_DNS_0
# expected: 'localhost'
# received: 'localhost.localdomain'
not ok 56
# testing : SSL_SERVER_SAN_OTHER_dnsSRV_0
# expected: '_https.localhost'
# re
On Fri, Oct 13, 2017 at 8:25 AM, Jim Jagielski wrote:
> Why lump 2.5.0 into all this?
>
> There is no rational reason to force connect 2.4.29 and 2.5.0
>
> Tag 2.4.29 and leave 2.5.0 alone until people discuss it. Until then
> I will veto any foolishness about 2.5.0-whatever.
Good work, you helpe
On Wed, Oct 18, 2017 at 12:36 AM, Marion & Christophe JAILLET <
christophe.jail...@wanadoo.fr> wrote:
> Hi,
>
> just for my own curiosity: why do we prefer 32 bits libs?
>
It is not a value judgement, we simply consume lib/pkginfo before
lib64/pkginfo in this patch. We didn't even look at lib64/p
Seems Jim is +0 to back out and I'm +0 to keep. First
strong opinion wins so we can get to tagging :)
Absolute consensus on informing our apr, and httpd
builders what not to pass as CFLAGS, and why.
On Oct 16, 2017 13:58, "William A Rowe Jr" wrote:
> If the patch has
Rainer,
https://ci.apache.org/builders/httpd-trunk/builds/1203
would you please re-kick this build from a clean svn checkout? I think we have
various mistakes in our exports.c preprocessor that become tangled in any
rebuild scenario.
On Mon, Oct 16, 2017 at 8:30 AM, Rainer Jung wrote:
> Am 16.
If the patch has merit on its own, without being generalized, then I'm fine
with tagging 1.6.1 with the OS/X specific backport included.
Note that the proposed httpd fix is still uneasy about the trunk flavor;
https://ci.apache.org/builders/httpd-trunk/builds/1202
On Mon, Oct 16, 2017 at 1:11
I raised the question of whether the OS/X changes introduced and backported
in APR are still necessary or desired, or if they should be backed out, and
whether this patch, munged for APR_ macros, is needed for apr 1.6.3 tag?
Yann suggests;
On Oct 16, 2017 11:31, "Yann Ylavic" wrote:
I didn't lo
r-util.
>
> With coming apr-util 1.6.1 it should be fine.
>
> On Friday 13/10/2017 at 15:20, William A Rowe Jr wrote:
>
> Is anyone seeing an issue of concern about stability on 2.4.x branch?
>
> Has anyone else looked at Jim's proposed fixes for xcode 9 building
> u
I've been watching the maintainer mode deliberations on dev@apr with great
interest. I'm also keenly aware of Steffen's concerns, especially since
dropping pcre didn't cause nearly this much trouble.
If we are all on the same page, I'll continue to work through the expat
headache on Monday and oth
Reading this commentary, we agree that is an enhancement.
On Oct 15, 2017 06:32, wrote:
> Author: rjung
> Date: Sun Oct 15 11:31:58 2017
> New Revision: 1812217
>
> URL: http://svn.apache.org/viewvc?rev=1812217&view=rev
> Log:
> Vote, comment.
>
> Modified:
> httpd/httpd/branches/2.4.x/STATU
Thank you for this summary!
On Oct 13, 2017 10:51, "Jim Jagielski" wrote:
> Let's recall what is really happening...
>
> In maintainer mode, the build system sets -Werror and -Wstrict-prototypes.
> This means that functions which lack strict prototypes will "fail".
>
> Now note that AC_CHECK_LIB
On Oct 13, 2017 08:41, "Stefan Eissing"
wrote:
> On 13.10.2017 at 15:19, William A Rowe Jr wrote:
>
> Is anyone seeing an issue of concern about stability on 2.4.x branch?
Not any more than in previous releases, I think.
> Has anyone else looked at Jim's proposed
Is anyone seeing an issue of concern about stability on 2.4.x branch?
Has anyone else looked at Jim's proposed fixes for xcode 9 building
under maintainer mode? A couple-line quick fix to configure.in, that
anyone on OS/X should be able to validate in minutes. The same fix
is already present on AP
ann Ylavic" wrote:
> On Thu, Oct 12, 2017 at 9:18 PM, Yann Ylavic wrote:
> > On Thu, Oct 12, 2017 at 7:42 PM, William A Rowe Jr
> wrote:
> >> On Sep 19, 2017 05:17, wrote:
> >>
> >>
> >> Modified: httpd/httpd/branches/2.4.x/modules/proxy/mod_
On Thu, Oct 12, 2017 at 2:30 PM, Yann Ylavic wrote:
> On Thu, Oct 12, 2017 at 9:18 PM, Yann Ylavic wrote:
> > On Thu, Oct 12, 2017 at 7:42 PM, William A Rowe Jr
> wrote:
> >> On Sep 19, 2017 05:17, wrote:
> >>
> >>
> >> Modified: httpd/httpd/b
On Sep 19, 2017 05:17, wrote:
Modified: httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/
modules/proxy/mod_proxy.c?rev=1808855&r1=1808854&r2=1808855&view=diff
==
I will review again tomorrow.
My jump-around idea was to check against all of the bits in not dir loc
file, and if the module's MMN minor is too early, treat the
section as if that bit is set.
On Oct 11, 2017 16:13, "Yann Ylavic" wrote:
On Wed, Oct 11, 2017 at 11:02 PM, Yann Ylavic wrote:
>
On Mon, Apr 25, 2016 at 7:04 PM, wrote:
> Author: ylavic
> Date: Tue Apr 26 00:04:57 2016
> New Revision: 1740928
>
> URL: http://svn.apache.org/viewvc?rev=1740928&view=rev
> Log:
> mod_proxy, mod_ssl: Handle SSLProxy* directives in sections,
> allowing different TLS configurations per backend.
On Tue, Oct 10, 2017 at 4:04 AM, Ivan Zhakov wrote:
> On 28 September 2017 at 20:17, wrote:
> >
> > Author: wrowe
> > Date: Thu Sep 28 17:17:42 2017
> > New Revision: 1810012
> >
> > URL: http://svn.apache.org/viewvc?rev=1810012&view=rev
> > Log:
> > Duplicate mod_watchdog.h to include/
> >
> >
e sez it was, and it looks like an Email was
>> sent to announce@a.o but I'm not seeing anything on
>> the httpd lists
>>
>
> Forwarded Message
> Subject: [Announcement] Apache HTTP Server 2.4.28 Released
> Date: Thu, 5
Have you tried bisecting the config directives to see which is triggering
the memory abuse?
Sounds like the module might not be async-ready, but should httpd really be
doing many thread swaps before the listener thread is tripped?
Does one of your modules load a large table à la Geo IP mapping?
Wed, Oct 4, 2017 at 7:41 AM, Jim Jagielski wrote:
> Sure. Anyone who wants to announce, please do so!! :)
>
> > On Oct 3, 2017, at 11:47 AM, William A Rowe Jr
> wrote:
> >
> > On Tue, Oct 3, 2017 at 6:46 AM, Jim Jagielski wrote:
> >> With more than the requi
We have been at 2.4.29-dev for a few days now, are you ready to advance
this proposal?
On Fri, Sep 22, 2017 at 1:07 PM, William A Rowe Jr
wrote:
> On Fri, Sep 22, 2017 at 1:02 PM, Joe Orton wrote:
> > On Fri, Sep 22, 2017 at 11:39:54AM -0500, William A Rowe Jr wrote:
> >>
On Thu, Oct 5, 2017 at 7:28 AM, Eric Covener wrote:
> On Thu, Oct 5, 2017 at 8:08 AM, Plüm, Rüdiger, Vodafone Group
> wrote:
> > Is backporting .gdbinit changes to a stable branch CTR or RTC?
>
> I would think CTR for a typical change there is reasonable.
>
+1, this falls into platform-specific
On Tue, Oct 3, 2017 at 2:15 AM, Yann Ylavic wrote:
> On Mon, Oct 2, 2017 at 11:57 PM, wrote:
>> Author: ylavic
>> Date: Mon Oct 2 21:57:26 2017
>> New Revision: 1810605
>>
>> URL: http://svn.apache.org/viewvc?rev=1810605&view=rev
>> Log:
>> ap_expr: open string expressions to the .
>>
>> Modifi
On Tue, Oct 3, 2017 at 6:46 AM, Jim Jagielski wrote:
> With more than the required 3 +1 (binding) votes, and no
> vetos, I call this vote CLOSED with the result that
> the vote passes.
>
> I will start moving the artifacts for mirror sync and
> let's plan on announcing on Friday.
Uhm, why?
I und
On Thu, Sep 28, 2017 at 7:44 AM, Stefan Eissing
wrote:
> Update: disregard the man behind the curtain - for now.
>
> I have the strangest effects on my main machine under native macOS 10.12.6,
> which
> do not happen on my parallels ubuntu image and my laptop with macOS 10.13.0.
> I tested
> wit
Does this raise concerns for anyone? I'd note that in the case of the x-font
items, we entirely skipped application/font- promotions prior to
font/* registry.
It doesn't seem sane to keep x- tags for posterity, but we might want to mention
the previous application/* types... however we have no pre
On Mon, Sep 25, 2017 at 12:11 PM, Steffen wrote:
> On Windows it does not build out of the box.
>
> Missing modules/core include for mod_watchdog.h in
> mod_proxy_balancer.dsp/mak and libhttp.dsp/mak. Did not check cmake.
Seems baffling, but it is pretty straightforward in hindsight.
libhttpd
The assert() has me concerned, and Steffen's report is problematic. He has
a vote but hasn't cast it. At this moment I'm -0 and would spin a 2.4.29
next week to address these issues, unless you decide to respin before this
release, yourself.
Nothing I've changed today altered the httpd tarball sig
On Fri, Sep 22, 2017 at 1:02 PM, Joe Orton wrote:
> On Fri, Sep 22, 2017 at 11:39:54AM -0500, William A Rowe Jr wrote:
>> This defect still appears to exist in 2.4.28-dev, no?
>>
>> The rewrite appears to have enjoyed both committer and external testing and
>> t
On Fri, Sep 22, 2017 at 7:06 AM, Jim Jagielski wrote:
> STATUS looks clean.
>
> Hoping to do a T&R this afternoon, eastern, unless I hear
> any objections or concerns re: timing.
svn looks good here. Only one potentially missed item IMO, it could wait
till 2.4.29, but if we hear right back from j
This defect still appears to exist in 2.4.28-dev, no?
The rewrite appears to have enjoyed both committer and external testing and
the patch looks suitable for backport. It has enjoyed careful consideration by
at least four committers.
Reading https://bz.apache.org/bugzilla/show_bug.cgi?id=61222#c
What more would we want to say here? Mention that the Allow: header may respond
with corrupted output? It seems other side effects can be present, which is why
I kept this simple.
On Thu, Sep 21, 2017 at 1:33 PM, wrote:
> Author: wrowe
> Date: Thu Sep 21 18:33:47 2017
> New Revision: 1809192
>
Thanks for the report Michael.
The 2.2.x series is now retired and end-of-life.
The warnings are no-ops... they are inherited to child ./configure bits so
the basic httpd-2.x/configure may holler about options only applicable to
the bundled packages, and the bundled packages may holler about opti
So as most people have correctly identified, this defect has existed
for an incredibly long time.
But how it is triggered and avoided would help us to correctly study
unexpected behaviors.
OPTIONS * - won't trigger the defect, .htaccess should not be examined.
OPTIONS / - may trigger the defect,
Duplicate file type matches will just confuse the hash lookup, I suspect.
Drop the file-types from deprecated mime type entries, include mention the
deprecated types though, for the sake of completeness. There are other
examples of this pattern in mime.types, of types with no file type assigned.
This has been the object of some debate, read Lisa's errata rejection of ID
1081 and 1353...
https://www.rfc-editor.org/errata/rfc1123
On Sep 16, 2017 10:00, "Eric Covener" wrote:
On Sat, Sep 16, 2017 at 9:48 AM, Yann Ylavic wrote:
> On Sat, Sep 16, 2017 at 3:37 AM, Eric Covener wrote:
>> O
n my opinion unless
> somebody steps up to work on it I'd be in favor of remove it from
> www.a.o/dist/httpd/flood.
>
> Luca
>
>
> 2017-09-01 18:39 GMT+02:00 William A Rowe Jr :
>>
>> What's our position on this? Is it time to declare flood abandoned?
>
On Thu, Sep 14, 2017 at 4:50 AM, Nick Kew wrote:
> On Wed, 13 Sep 2017 08:29:44 -0500
> William A Rowe Jr wrote:
>
>> So moving forwards, can we stop accepting stuff that isn't HTTP/1.1 in
>> our HTTP/1.1 server? Do we really want people to configure their
>> serv
So moving forwards, can we stop accepting stuff that isn't HTTP/1.1 in
our HTTP/1.1 server? Do we really want people to configure their
server to speak "other"?
I'm starting to collect https://wiki.apache.org/httpd/Applications
based on searching google for instances where users have toggled
HttpP
On Fri, Sep 8, 2017 at 10:14 AM, Yann Ylavic wrote:
> Hi Stefan,
>
> On Fri, Sep 8, 2017 at 5:06 PM, wrote:
>> Author: icing
>> Date: Fri Sep 8 15:06:44 2017
>> New Revision: 180
>>
>> URL: http://svn.apache.org/viewvc?rev=180&view=rev
>> Log:
>> On the trunk:
>>
>> mod_md: added necess
Reminder, this will not work with the current server_rec, we have a 1:1
correspondence to the server port. We would need to stop looking at that
field and track the port entirely on the connection and the server rec
addresses array.
On Fri, Sep 1, 2017 at 10:12 AM, Eric Covener wrote:
> On Fri, S
What's our position on this? Is it time to declare flood abandoned?
Are there any users of this tool who want to contribute to maintaining it?
Offhand, I expect it does not support TLS/SNI. Nor HTTP/2.
If abandoned, we can simply remove www.a.o/dist/httpd/flood
to resolve Daniel's issue. If not
This slightly overlaps what Jacob has been working on with his
schema for our autobuilds, wrapping up my own work and then
turning to his efforts to see where we have some good synergies
to exchange.
One thing that has stood out, but I never claimed I had much
skill in the unix build schema (now o
On Thu, Aug 10, 2017 at 9:21 AM, Reindl Harald
wrote:
>
>
> ServerName corecms.example.com
> DocumentRoot "/www/corecms.example.com"
>
This doesn't work, of course, owing to server_rec members such as scheme
and port. If these moved to the addrs member, and we tracked the current
vhost by se
On Thu, Aug 10, 2017 at 9:21 AM, Reindl Harald wrote:
>
> it also would solve the chicken-egg-problem (again, without mod_md) that you
> first need the http-host working for the well-known verification file and the
> path of the certificate could be easily pre-configured in the way of my
> example,
On Thu, Aug 10, 2017 at 9:19 AM, Stefan Eissing
wrote:
>
>> On 10.08.2017 at 16:09, William A Rowe Jr wrote:
>>
>>> Would we expect breakage by such a change?
>>
>> I think that Listen *:NNN is maybe the most common misconfiguration
>> in general, on m
On Thu, Aug 10, 2017 at 4:37 AM, Stefan Eissing
wrote:
>
>> On 09.08.2017 at 20:32, Jacob Perkins wrote:
>>
>> Hi Stefan,
>>
>> A patch for 2.4.27 would be great.
>>
>> Your assistance is greatly appreciated.
>
> Gladly. Patch available at:
> https://github.com/icing/mod_h2/blob/master/patches/
Let's break it down and consider the implications of Listen...
On Thu, Aug 10, 2017 at 8:28 AM, Stefan Eissing
wrote:
> Now that mod_md has landed in trunk, I am looking at more ways
> to simplify a SSL configuration. Looking at the Listen directive,
> it has an optional 2nd protocol parameter.
>
This current behavior still seems wrong in httpd. A content (as opposed
perhaps to transfer) should not vary, in fact cannot vary if an etag is
presented.
I suspect that the deflate filter looks to see if there is a benefit to
compression, and cannot do so until it has a body. If it is going to do
+1.
As an alternative... an execute-on-read directive of ProxyBalancerPrecision
or similarly named directive (default 100, but drop or add decimals as
they will)
would let anyone add in or sub out a decimal.
My thought, taking away 1000 (3 decimal) from 2bn really wouldn't be a
hardship on any co
On Fri, Aug 4, 2017 at 4:26 AM, Stefan Eissing
wrote:
> I talked about some kind of SSL Policy definition in httpd's configuration
> in the past and am now about to get serious about it. Here is what I want to
> do:
>
> Recap: the general idea is
> 2. Provide a set of already defined policies that
IMO that's garbage, please revert. I don't believe that any ASF project,
which has very firm rules about appropriating code bases, should be
tolerating namespace abuse and mark infringement against other
projects.
If they want us to test a symbol in a LIBRESSL space, that's fine, but
OPENSSL names
On Wed, Aug 2, 2017 at 12:33 PM, Jim Jagielski wrote:
> I'll be adding some code to allow for lbfactors to be
> single decimal numbers (like 1.1, 2.5, etc...)... People
> have asked "How do I change it so that machine B is like 10%
> preferred" and I mention that "Well, you could make one a
> 10 a
ier today, so
> you should be good to go now!
>
> Cheers,
> -g
>
>
> On Wed, Jul 26, 2017 at 2:53 PM, William A Rowe Jr
> wrote:
>
>> I would push this edit live (looking good from a local regen here), but
>> https://cms.a.o has been down for a number of hour
I would push this edit live (looking good from a local regen here), but
https://cms.a.o has been down for a number of hours. bcc'ing root@
so that they are aware that we've lost that control panel, @infrabot
hasn't posted a status on the service.
Cheers,
Bill
> Author: wrowe
> Date: Wed Jul 26 1
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
all versions through 2.2.33 and 2.4.26
Description:
The value placeholder in [Proxy-]Authorization headers
of type 'Digest' was not initialized or rese
CVE-2017-9789: Read after free in mod_http2
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.26
Description:
When under stress, closing many connections, the HTTP/2
handling code would sometimes access memory after it has
been freed, resulting in potential
On Wed, Jul 12, 2017 at 4:47 AM, Daniel wrote:
> Hello,
>
> Just FYI
>
> http://httpd.apache.org/download.cgi is still pointing to 2.2.32
> version and thus gives a 404 when trying to download.
Thanks for the report! Now fixed.
July 11, 2017
The Apache Software Foundation and the Apache HTTP Server Project
announce the release of version 2.2.34 of the Apache HTTP Server
("Apache"), the final maintenance release of the 2.2 series. No
further 2.2 releases are anticipated. This version of Apache is
principa
ut still NG.
>
> Next, I read Apache HTTP Server Change log, I found
> mod_filter changes. I tested mod_filter.so and
> mod_ext_filter.so to 2.4.25, NG.
>
> Next, I tested httpd.exe to 2.4.25, NG.
>
> Next, I read Apache Lounge's used modules, I found APR is
> upgrad
umers to the list
of those where we accept PROXY protocol wrapping?
On Fri, Jun 9, 2017 at 8:29 AM, William A Rowe Jr wrote:
> On Fri, Jun 9, 2017 at 4:17 AM, Sander Hoentjen wrote:
>> On 06/08/2017 07:30 PM, Daniel Ruggeri wrote:
>>> Hi, all;
>>> With the proposal to
On Thu, Jul 6, 2017 at 2:33 PM, William A Rowe Jr wrote:
> For your consideration... pre-release candidate tarballs of
> Apache legacy httpd 2.2.34 can be found in;
>
> http://httpd.apache.org/dev/dist/
>
> Thanks all who merged the security work in and other fixes,
> and hel
On Fri, Jul 7, 2017 at 7:13 AM, Jim Jagielski wrote:
> 2.4.26/27 doesn't *require* APR/APU 1.6.x, but there are
> some features that depend on it. If it's a bug in apr 1.6.x,
> then it's not a httpd bug specifically... imo at least.
>
> any further detail on how the below is actually borken??
> Wh
For your consideration... pre-release candidate tarballs of
Apache legacy httpd 2.2.34 can be found in;
http://httpd.apache.org/dev/dist/
Thanks all who merged the security work in and other fixes,
and helped identify a couple more lingering defects.
As we picked end of maintenance Jul 1 '17 - t
On Fri, Jun 23, 2017 at 5:19 PM, William A Rowe Jr wrote:
> For your consideration... pre-release candidate tarballs of
> Apache legacy httpd 2.2.33 can be found in;
>
> http://httpd.apache.org/dev/dist/
To make things clear, this call for [VOTE] is withdrawn based
on the regression
On Thu, Jul 6, 2017 at 12:28 PM, Jacob Champion wrote:
>
> Administrators using prefork who would like to switch to HTTP/2 in the
> future need to understand the limitations of the prefork architecture they
> have selected. And sure, our users can request that we implement a solution
> that "just
On Thu, Jul 6, 2017 at 12:20 PM, Helmut K. C. Tessarek
wrote:
> On 2017-07-06 13:09, Reindl Harald wrote:
>> with removing mpm_prefork support for H2 you kill HTTP2 support for a
>> lot of production setups which may consider switch to H2 in the future
>> and for sure not rework their whole config
+1 to removing support of mpm prefork. I'd prefer it still start and if
configured, with an [error] level alert in the logs and simply be disabled.
Server must start when module is loaded but not configured, e.g. in test
framework, IMO.
On Jul 6, 2017 10:31 AM, "Stefan Eissing"
wrote:
> Correcti
t/apache/expr_string.t(Wstat: 0 Tests: 23 Failed: 1)
Failed test: 14
# writing file:
/home/wrowe/dev/test/test2x-apr20-ossl110/t/htdocs/apache/expr/.htaccess
ok 12
Expected return code 200, got 200 for '}'
ok 13
Got '}', expected '}'
ok 14
Any reason I should expect an intermittent
+1
On Jul 3, 2017 6:33 AM, "Jim Jagielski" wrote:
> Anyone opposed to a quick T&R and release of 2.4.27 within
> the next week?
>
I'm reading https://tools.ietf.org/html/rfc3875#section-4.1.5 as the
PATH_INFO is entirely distinct from QUERY_STRING.
On Sun, Jul 2, 2017 at 10:08 AM, Jim Jagielski wrote:
> There is one (I hope!) final question... There seems to be
> conflicting interpretations on whether PATH_INFO should, or
>
You already have my unconditional +1 to bring us back to a trusted state.
On Jun 30, 2017 16:55, "Jacob Champion" wrote:
> On 06/30/2017 11:40 AM, Jacob Champion wrote:
>
>> As far as I can tell it has no downsides, so my only request is that we
>> add it to CHANGES (or some documentation, somew
-1 on showstopper. It's a bug, no security implications, cope with it.
Thousands of bugs pass through STATUS, what makes yours special?
That said, unconditional +1 to any mod_proxy_fcgi.c patches you or Jim or
any committers determine for backport, I'd prefer we treat the module as
experimental u
On Wed, Jun 28, 2017 at 8:08 AM, wrote:
> Author: jim
> Date: Wed Jun 28 13:08:41 2017
> New Revision: 1800162
>
> --- httpd/test/framework/trunk/t/modules/proxy.t (original)
> +++ httpd/test/framework/trunk/t/modules/proxy.t Wed Jun 28 13:08:41 2017
> @@ -7,7 +7,7 @@ use Apache::TestUtil;
> use
Actually, I should have backed out rpluem's vote for the original one line
patch.
Can we get one more pair of eyeballs (or cross-vote the other branch) so
this is properly accepted?
On Jun 28, 2017 10:49, wrote:
> Author: ylavic
> Date: Wed Jun 28 15:49:07 2017
> New Revision: 1800181
>
> URL:
On Wed, Jun 28, 2017 at 7:14 AM, Yann wrote:
>
> Looks like the code after the patch below would be simpler and work too :
Agreed this is easier to follow, tmp_field is otherwise unused in the
unsafe code path. Proposed for backport, thanks.
Note this patch is the 2.2, non-APLOGNO flavor;
> Ind
Sounds great. Reviewing Yann's alternate patch now.
On Jun 28, 2017 06:41, "Yann" wrote:
> On Wed, Jun 28, 2017 at 11:51 AM, Jim Jagielski wrote:
> > I would also suggest to reroll: I'll test the reroll on my systems here.
>
> +1
>
aside,
we are looking pretty good according to the test framework. Looks like a
one line patch as described in the bugzilla ticket.
On Jun 27, 2017 12:44, "Jacob Champion" wrote:
> On 06/27/2017 10:21 AM, William A Rowe Jr wrote:
>
>> If voters would rather that I addres
On Jun 23, 2017 5:19 PM, "William A Rowe Jr" wrote:
For your consideration... pre-release candidate tarballs of
Apache legacy httpd 2.2.33 can be found in;
http://httpd.apache.org/dev/dist/
Thanks all who merged the security work in and other fixes.
As we picked end of maintenance
Thanks Petr, every review and evaluation is appreciated!
On Jun 26, 2017 8:46 AM, "Petr Gajdos" wrote:
On Fri, Jun 23, 2017 at 05:19:47PM -0500, William A Rowe Jr wrote:
> For your consideration... pre-release candidate tarballs of
> Apache legacy httpd 2.2.33 can be fo
On Jun 27, 2017 12:08 PM, "Moradhassel, Kavian" wrote:
Did this discussion result in a decision to provide a fix for the bug in
2.4.26 and plan for a 2.4.27 soon? I'm wondering if I should be waiting
for a 2.4.27 in the next handful of weeks, or if I should just accept that
2.4.26 has a bug that
On Jun 27, 2017 3:00 AM, "Yann" wrote:
On Tue, Jun 27, 2017 at 12:49 AM, William A Rowe Jr
wrote:
> On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr
wrote:
>> On Mon, Jun 26, 2017 at 5:34 PM, Yann wrote:
>>
>>> What could be the "security blunders"
On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr wrote:
> On Mon, Jun 26, 2017 at 5:34 PM, Yann wrote:
>
>> What could be the "security blunders" with 404 vs 403?
>
> A 403 says "go away, you are denied". Hopefully modules are smart
> about that.
>
>
On Mon, Jun 26, 2017 at 5:34 PM, Yann wrote:
> On Mon, Jun 26, 2017 at 11:51 PM, William A Rowe Jr
> wrote:
>> On Mon, Jun 26, 2017 at 4:44 PM, William A Rowe Jr
>> wrote:
>>>
>>> On Mon, Jun 26, 2017 at 3:40 PM, Gregg Smith wrote:
>>>>
>
On Mon, Jun 26, 2017 at 4:44 PM, William A Rowe Jr wrote:
>
> On Mon, Jun 26, 2017 at 3:40 PM, Gregg Smith wrote:
>>
>> On 6/24/2017 10:02 AM, William A Rowe Jr wrote:
>>>
>>> On Sat, Jun 24, 2017 at 12:49 AM, wrote:
>
>>> While we are at it
Hi Gregg,
sending publicly while you have a negotiation with your email client :)
On Mon, Jun 26, 2017 at 3:40 PM, Gregg Smith wrote:
>
> On 6/24/2017 10:02 AM, William A Rowe Jr wrote:
>>
>> On Sat, Jun 24, 2017 at 12:49 AM, wrote:
>>>
>>> Author: gsmit
On Mon, Jun 26, 2017 at 3:14 PM, Jacob Champion wrote:
> On 06/20/2017 11:08 PM, William A Rowe Jr wrote:
>>
>> Sorry but I reraise my objection and veto worthless cpu cycles.
>
> For posterity, can I get a succinct description of your technical
> justification for th
ackman" wrote:
>
> On 14 Jun 2017, at 22:12, William A Rowe Jr wrote:
>
>
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.
>
>
On Sat, Jun 24, 2017 at 12:49 AM, wrote:
> Author: gsmith
> Date: Sat Jun 24 05:49:45 2017
> New Revision: 1799731
>
> URL: http://svn.apache.org/viewvc?rev=1799731&view=rev
> Log:
> Send a 404 response like other OSs do instead of 403 on Windows when
> a path segment or file requested uses a res
For your consideration... pre-release candidate tarballs of
Apache legacy httpd 2.2.33 can be found in;
http://httpd.apache.org/dev/dist/
Thanks all who merged the security work in and other fixes.
As we picked end of maintenance Jul 1 '17 - the [discuss]
thread had sufficient time for response -
If two commits occur in a short enough period of time, the datestamp of the
newly refreshed source may be earlier than the .o generated by the first
update.
On Jun 21, 2017 11:06, "Jacob Champion" wrote:
> On 06/21/2017 09:00 AM, build...@apache.org wrote:
>
>> The Buildbot has detected a new fa
mod_proxy_balancer.c: In function 'balancer_handler':
mod_proxy_balancer.c:1144:25: error: 'HCHECK_WATHCHDOG_INTERVAL'
undeclared (first use in this function)
if (ival >= HCHECK_WATHCHDOG_INTERVAL) {
^
mod_proxy_balancer.c:1144:25: note: each undeclared identif