Apache 0-day / apache-uaf / use after free bugs

2019-01-21 Thread Stefan Priebe - Profihost AG
Hi,

on Twitter and other social media channels they're talking about a
current Apache 0-day:
https://twitter.com/i/web/status/1087593706444730369

which wasn't handled / isn't currently fixed.

Some details are here:
https://github.com/hannob/apache-uaf

If this is true there will be exploits soon. Is there anything planned?
Does 2.4.38 fix those issues?

Greets,
Stefan


Re: [RESULT][VOTE] Release httpd-2.4.38 PASSED

2019-01-21 Thread Dennis Clarke

On 1/21/19 9:37 AM, Daniel Ruggeri wrote:

Hi, all;
    I am delighted to announce that the VOTE proposed in the following
thread has PASSED.
https://lists.apache.org/thread.html/a41d69a42a6352aaeee583d9671a2f3854560d7e70a115fbbbd9469a@%3Cdev.httpd.apache.org%3E


I have recorded the following votes:
PMC
jorton, jim, druggeri, rjung, ylavic

Community
Noel Butler, Dennis Clark

I thank everyone for their time in testing and verifying this latest
release. I will begin the process of promoting to the mirrors for sync.



Dennis Clarke .. with an 'e'.  At your service.

Read that with a Sean Connery 'James Bond' sort of voice.   ;-)

dc


Re: svn commit: r32075 - /dev/httpd/ /release/httpd/

2019-01-21 Thread Marion & Christophe JAILLET

Fixed in r32079.

I hope I did it right.

CJ

On 21/01/2019 at 17:48, Marion et Christophe JAILLET wrote:


s/September/January/

in the announcement (html and txt)

CJ

> Message of 21/01/19 16:03
> From: drugg...@apache.org
> To: c...@httpd.apache.org
> Cc:
> Subject: svn commit: r32075 - /dev/httpd/ /release/httpd/
>
> Author: druggeri
> Date: Mon Jan 21 15:03:33 2019
> New Revision: 32075
>
> Log:
> Push 2.4.38 up to the release directory
>
> Added:
> release/httpd/CHANGES_2.4.38
> - copied unchanged from r32074, dev/httpd/CHANGES_2.4.38
> release/httpd/httpd-2.4.38.tar.bz2
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.bz2
> release/httpd/httpd-2.4.38.tar.bz2.asc
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.bz2.asc
> release/httpd/httpd-2.4.38.tar.bz2.md5
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.bz2.md5
> release/httpd/httpd-2.4.38.tar.bz2.sha1
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.bz2.sha1
> release/httpd/httpd-2.4.38.tar.bz2.sha256
> - copied unchanged from r32074,
dev/httpd/httpd-2.4.38.tar.bz2.sha256
> release/httpd/httpd-2.4.38.tar.gz
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz
> release/httpd/httpd-2.4.38.tar.gz.asc
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz.asc
> release/httpd/httpd-2.4.38.tar.gz.md5
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz.md5
> release/httpd/httpd-2.4.38.tar.gz.sha1
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz.sha1
> release/httpd/httpd-2.4.38.tar.gz.sha256
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz.sha256
> Removed:
> dev/httpd/CHANGES_2.4
> dev/httpd/CHANGES_2.4.38
> dev/httpd/httpd-2.4.38-deps.tar.bz2
> dev/httpd/httpd-2.4.38-deps.tar.bz2.asc
> dev/httpd/httpd-2.4.38-deps.tar.bz2.md5
> dev/httpd/httpd-2.4.38-deps.tar.bz2.sha1
> dev/httpd/httpd-2.4.38-deps.tar.bz2.sha256
> dev/httpd/httpd-2.4.38-deps.tar.gz
> dev/httpd/httpd-2.4.38-deps.tar.gz.asc
> dev/httpd/httpd-2.4.38-deps.tar.gz.md5
> dev/httpd/httpd-2.4.38-deps.tar.gz.sha1
> dev/httpd/httpd-2.4.38-deps.tar.gz.sha256
> dev/httpd/httpd-2.4.38.tar.bz2
> dev/httpd/httpd-2.4.38.tar.bz2.asc
> dev/httpd/httpd-2.4.38.tar.bz2.md5
> dev/httpd/httpd-2.4.38.tar.bz2.sha1
> dev/httpd/httpd-2.4.38.tar.bz2.sha256
> dev/httpd/httpd-2.4.38.tar.gz
> dev/httpd/httpd-2.4.38.tar.gz.asc
> dev/httpd/httpd-2.4.38.tar.gz.md5
> dev/httpd/httpd-2.4.38.tar.gz.sha1
> dev/httpd/httpd-2.4.38.tar.gz.sha256
> Modified:
> release/httpd/Announcement2.4.html
> release/httpd/Announcement2.4.txt
> release/httpd/CHANGES_2.4
>
> Modified: release/httpd/Announcement2.4.html
>

==
> --- release/httpd/Announcement2.4.html (original)
> +++ release/httpd/Announcement2.4.html Mon Jan 21 15:03:33 2019
> @@ -49,15 +49,15 @@
>

>
>



  > - Apache HTTP Server 2.4.37 Released
  > + Apache HTTP Server 2.4.38 Released
  >


>

>
> - October 23, 2018
> + September 21, 2018
>


>

>
> The Apache Software Foundation and the Apache HTTP Server
Project are
> pleased to announce

> - the release of version 2.4.37 of the Apache
> + the release of version 2.4.38 of the Apache
> HTTP Server ("Apache"). This version of Apache is our latest GA
> release of the new generation 2.4.x branch of Apache HTTPD and
> represents fifteen years of innovation by the project, and is
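Review bot: the date line in this hunk is wrong: "- October 23, 2018" becomes "+ September 21, 2018", which is earlier than the 2.4.37 date it replaces and does not match the commit's own Date header (Mon Jan 21 15:03:33 2019). It should read "January 21, 2019" for the 2.4.38 announcement; the same substitution appears in the Announcement2.4.txt hunk below and needs the same correction.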
> @@ -69,7 +69,7 @@
> encourage users of all prior versions to upgrade.
>


>

>
> - Apache HTTP Server 2.4.37 is available for download from:
> + Apache HTTP Server 2.4.38 is available for download from:
>


>

>
> @@ -77,7 +77,7 @@
> 


>

>
> Please see the CHANGES_2.4 file, linked from the download page,
for a
> - full list of changes. A condensed list, CHANGES_2.4.37
includes only
> + full list of changes. A condensed list, CHANGES_2.4.38
includes only
> those changes introduced since the prior 2.4 release. A summary
of all
> of the security vulnerabilities addressed in this and earlier
releases
> is available:
>
> Modified: release/httpd/Announcement2.4.txt
>

==
> --- release/httpd/Announcement2.4.txt (original)
> +++ release/httpd/Announcement2.4.txt Mon Jan 21 15:03:33 2019
> @@ -1,9 +1,9 @@
> - Apache HTTP Server 2.4.37 Released
> + Apache HTTP Server 2.4.38 Released
>
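Review bot: the txt announcement gets the same bad date as the html one: "+ September 21, 2018" should be "January 21, 2019", matching the commit date and the sender's own follow-up "s/September/January/". Both files are pushed to the release directory together, so a fix to one without the other leaves the published announcements disagreeing.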
   

re: svn commit: r32075 - /dev/httpd/ /release/httpd/

2019-01-21 Thread Marion et Christophe JAILLET
 

s/September/January/

in the announcement (html and txt)

 

CJ

 

 

> Message of 21/01/19 16:03
> From: drugg...@apache.org
> To: c...@httpd.apache.org
> Cc:
> Subject: svn commit: r32075 - /dev/httpd/ /release/httpd/
> 
> Author: druggeri
> Date: Mon Jan 21 15:03:33 2019
> New Revision: 32075
> 
> Log:
> Push 2.4.38 up to the release directory
> 
> Added:
> release/httpd/CHANGES_2.4.38
> - copied unchanged from r32074, dev/httpd/CHANGES_2.4.38
> release/httpd/httpd-2.4.38.tar.bz2
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.bz2
> release/httpd/httpd-2.4.38.tar.bz2.asc
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.bz2.asc
> release/httpd/httpd-2.4.38.tar.bz2.md5
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.bz2.md5
> release/httpd/httpd-2.4.38.tar.bz2.sha1
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.bz2.sha1
> release/httpd/httpd-2.4.38.tar.bz2.sha256
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.bz2.sha256
> release/httpd/httpd-2.4.38.tar.gz
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz
> release/httpd/httpd-2.4.38.tar.gz.asc
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz.asc
> release/httpd/httpd-2.4.38.tar.gz.md5
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz.md5
> release/httpd/httpd-2.4.38.tar.gz.sha1
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz.sha1
> release/httpd/httpd-2.4.38.tar.gz.sha256
> - copied unchanged from r32074, dev/httpd/httpd-2.4.38.tar.gz.sha256
> Removed:
> dev/httpd/CHANGES_2.4
> dev/httpd/CHANGES_2.4.38
> dev/httpd/httpd-2.4.38-deps.tar.bz2
> dev/httpd/httpd-2.4.38-deps.tar.bz2.asc
> dev/httpd/httpd-2.4.38-deps.tar.bz2.md5
> dev/httpd/httpd-2.4.38-deps.tar.bz2.sha1
> dev/httpd/httpd-2.4.38-deps.tar.bz2.sha256
> dev/httpd/httpd-2.4.38-deps.tar.gz
> dev/httpd/httpd-2.4.38-deps.tar.gz.asc
> dev/httpd/httpd-2.4.38-deps.tar.gz.md5
> dev/httpd/httpd-2.4.38-deps.tar.gz.sha1
> dev/httpd/httpd-2.4.38-deps.tar.gz.sha256
> dev/httpd/httpd-2.4.38.tar.bz2
> dev/httpd/httpd-2.4.38.tar.bz2.asc
> dev/httpd/httpd-2.4.38.tar.bz2.md5
> dev/httpd/httpd-2.4.38.tar.bz2.sha1
> dev/httpd/httpd-2.4.38.tar.bz2.sha256
> dev/httpd/httpd-2.4.38.tar.gz
> dev/httpd/httpd-2.4.38.tar.gz.asc
> dev/httpd/httpd-2.4.38.tar.gz.md5
> dev/httpd/httpd-2.4.38.tar.gz.sha1
> dev/httpd/httpd-2.4.38.tar.gz.sha256
> Modified:
> release/httpd/Announcement2.4.html
> release/httpd/Announcement2.4.txt
> release/httpd/CHANGES_2.4
> 
> Modified: release/httpd/Announcement2.4.html
> ==
> --- release/httpd/Announcement2.4.html (original)
> +++ release/httpd/Announcement2.4.html Mon Jan 21 15:03:33 2019
> @@ -49,15 +49,15 @@
>
 

> 
>

> - Apache HTTP Server 2.4.37 Released
> + Apache HTTP Server 2.4.38 Released
>

>
> 
> - October 23, 2018
> + September 21, 2018
>


>
> 
> The Apache Software Foundation and the Apache HTTP Server Project are
> pleased to announce
> - the release of version 2.4.37 of the Apache
> + the release of version 2.4.38 of the Apache
> HTTP Server ("Apache"). This version of Apache is our latest GA
> release of the new generation 2.4.x branch of Apache HTTPD and
> represents fifteen years of innovation by the project, and is
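Review bot: the date change in this hunk, "- October 23, 2018" to "+ September 21, 2018", moves the announcement date backwards and contradicts the commit's Date header (Mon Jan 21 15:03:33 2019); it should be "January 21, 2019". The version bumps to 2.4.38 in the same hunk look correct.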
> @@ -69,7 +69,7 @@
> encourage users of all prior versions to upgrade.
>


>
> 
> - Apache HTTP Server 2.4.37 is available for download from:
> + Apache HTTP Server 2.4.38 is available for download from:
>


>
>> @@ -77,7 +77,7 @@
> 
>
> 
> Please see the CHANGES_2.4 file, linked from the download page, for a
> - full list of changes. A condensed list, CHANGES_2.4.37 includes only
> + full list of changes. A condensed list, CHANGES_2.4.38 includes only
> those changes introduced since the prior 2.4 release. A summary of all 
> of the security vulnerabilities addressed in this and earlier releases 
> is available:
> 
> Modified: release/httpd/Announcement2.4.txt
> ==
> --- release/httpd/Announcement2.4.txt (original)
> +++ release/httpd/Announcement2.4.txt Mon Jan 21 15:03:33 2019
> @@ -1,9 +1,9 @@
> - Apache HTTP Server 2.4.37 Released
> + Apache HTTP Server 2.4.38 Released
> 
> - October 23, 2018
> + September 21, 2018
> 
> The Apache Software Foundation and the Apache HTTP Server Project
> - are pleased to announce the release of version 2.4.37 of the Apache
> + are pleased to announce the release of version 2.4.38 of the Apache
> HTTP Server ("Apache"). This version of Apache is our latest GA
> release of the new generation 2.4.x branch of Apache HTTPD and
> represents fifteen years of innovation by the project, and is
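Review bot: same problem as the html file: "+ September 21, 2018" in this hunk should be "January 21, 2019", consistent with the commit date and with the sender's "s/September/January/" note above. The html and txt announcements are published side by side, so both need the identical date.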
> @@ -13,7 +13,7 @@
> We consider this release to be the best version of Apache available, and
> encourage users of all prior versions to upgrade.
> 
> - Apache HTTP Server 2.4.37 is available for download from:
> + Apache HTTP Server 2.4.38 is available for 

Re: [VOTE] Release httpd-2.4.38

2019-01-21 Thread Steffen



+1

Built and tested by the Apache Lounge Community on Windows Win32/Win64 with VC11,
VC14 and VC15; no trouble reports received.



Built with the Microsoft-supported conversion of the dsw/dsp/makefile
files included in the tarball.


Build with dependencies:


- httpd.exe with OPENSSL_Applink and VC14/15 SupportedOS Manifest
- nghttp2 1.36.0
- jansson 2.12
- VC15 openssl 1.1.1a, VC14/11 1.0.2q
- curl 7.63.0 WinSSL
- apr 1.6.5
- apr-util 1.6.1 with Crypto OpenSSL enabled
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli 1.0.7
- pcre 8.42 with JIT, SUPPORT_UTF, SUPPORT_UNICODE_PROPERTIES, REBUILD_CHARTABLES

- libxml2 2.9.9
- lua 5.2.4  with LUA_COMPAT_ALL
- expat 2.2.6

No new warnings seen beyond those I reported here before.

Cheers,

Steffen



On Thursday 17/01/2019 at 19:49, Daniel Ruggeri wrote:

Hi, all;
   Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release this 
candidate tarball as 2.4.38:

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha1: 6ee19a7b936a6ddbbf81b313c4a8b38bf232b40e *httpd-2.4.38.tar.gz
sha256: 38d0b73aa313c28065bf58faf64cec12bf7c7d5196146107df2ad07541aa26a6 *httpd-2.4.38.tar.gz


--
Daniel Ruggeri
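The vote mail quoted above publishes the sha1 and sha256 digests of the candidate tarball, and the release directory in the svn commit carries the matching .asc, .sha1 and .sha256 files. The check a tester runs before building is to recompute those digests locally and compare them, and to verify the detached OpenPGP signature. The script below is an added example, not code from the httpd project or from anyone in this thread; it assumes a POSIX sh with sha256sum/sha1sum, shasum or openssl on PATH, and `verify_signature` assumes a `gpg` binary plus an already imported signer key. The demo at the end hashes a constructed six-byte file whose digests are well known, not the real httpd-2.4.38.tar.gz, so it runs offline.

```shell
#!/bin/sh
# Added example: check a release-candidate tarball against the digests posted in a
# [VOTE] mail. Not code from the httpd project; assumes POSIX sh plus sha256sum/sha1sum,
# shasum, or openssl for hashing.

# hexdigest <sha1|sha256> <file>: print the lowercase hex digest of <file>.
hexdigest() {
    algo=$1; file=$2
    case "$algo" in
        sha256) tool=sha256sum; bits=256 ;;
        sha1)   tool=sha1sum;   bits=1 ;;
        *) echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    if command -v "$tool" >/dev/null 2>&1; then
        "$tool" "$file" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a "$bits" "$file" | awk '{print $1}'
    else
        openssl dgst "-$algo" "$file" | awk '{print $NF}'
    fi
}

# verify_digest <sha1|sha256> <expected-hex> <file>: return 0 when the recomputed digest
# equals <expected-hex> (compared case-insensitively), 1 on mismatch, 2 if it could not
# be computed. The vote mail prints digests as "sha256: <hex> *httpd-2.4.38.tar.gz";
# the leading '*' is sha256sum's binary-mode marker, not part of the file name.
verify_digest() {
    algo=$1; file=$3
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(hexdigest "$algo" "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK   $algo $file"
        return 0
    fi
    echo "FAIL $algo $file: expected $expected, got $actual" >&2
    return 1
}

# verify_tarball <file> <sha1-hex> <sha256-hex>: a tester's full check; both digests must
# match. A sha1 match alone is not enough, since SHA-1 collisions are practical.
verify_tarball() {
    verify_digest sha1 "$2" "$1" && verify_digest sha256 "$3" "$1"
}

# verify_signature <file> <file.asc>: verify the detached OpenPGP signature, if gpg is
# installed and the signer's key has been imported (e.g. from the project's KEYS file).
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping" >&2; return 2; }
    gpg --verify "$2" "$1"
}

# Demo on a constructed file (not the real tarball): the digests of the six bytes
# "hello\n" are well known, so a correct implementation reports OK for both.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
verify_tarball "$demo_file" \
    f572d396fae9206628714fb2ce00f72e94f2258f \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 || :
rm -f "$demo_file"
```

Against the real candidate the call is `verify_tarball httpd-2.4.38.tar.gz <sha1 from the mail> <sha256 from the mail>` followed by `verify_signature httpd-2.4.38.tar.gz httpd-2.4.38.tar.gz.asc`; a digest that matches only the .sha256 file sitting next to the tarball proves little, since an attacker who can replace the tarball on a mirror can replace that file too, which is why the digests are posted in the vote thread and the signature is checked against a key obtained separately.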






[RESULT][VOTE] Release httpd-2.4.38 PASSED

2019-01-21 Thread Daniel Ruggeri
Hi, all;
   I am delighted to announce that the VOTE proposed in the following
thread has PASSED.
https://lists.apache.org/thread.html/a41d69a42a6352aaeee583d9671a2f3854560d7e70a115fbbbd9469a@%3Cdev.httpd.apache.org%3E


I have recorded the following votes:
PMC
jorton, jim, druggeri, rjung, ylavic

Community
Noel Butler, Dennis Clark

I thank everyone for their time in testing and verifying this latest
release. I will begin the process of promoting to the mirrors for sync.

-- 
Daniel Ruggeri



Re: [VOTE] Release httpd-2.4.38

2019-01-21 Thread Daniel Ruggeri


On 1/20/2019 4:25 PM, Noel Butler wrote:
>
>
>>
>>   It's not just good, it's good enough!
>>
>  
> tongue in cheek here, but...
> shouldn't that be the other way around,  "It's not just good enough,
> it's good!"   :)
>  

haha - tongue in cheek indeed. The line, "It's not just good, it's good
enough" is a throwback to an old The Simpsons TV series reference.


>  
> -- 
>
> Kind Regards,
>
> Noel Butler
>