Re: announce mails
The mirror system is no longer used. Most downloads are processed through a CDN instead. European downloaders will tend to hit downloads.apache.org which is "instantly" updated once a release artifact is committed to the svn distribution repository.

rsync.apache should be just as instant. If not, then please file an INFRA ticket.

Cheers,
-g

On Mon, Dec 20, 2021 at 7:26 PM Nick Edwards wrote:

> Why would the release system initiate an announce when the mirrors are not
> up to date, they can't be, since rsync.apache still lists 2.4.51 as latest,
> the process is to allow time for mirrors to get the package before
> announcing it
>
> On Mon, Dec 20, 2021 at 7:53 PM Stefan Eissing wrote:
>
>> The mailings to announce lists continue to bother me. The release
>> announcement is in the moderation queue (hopefully) and the cveprocess
>> mails go right through to the list. This is not the order I prefer.
>>
>> I am holding back the send about the second CVE until I see the release
>> announcement winked through.
>>
>> - Stefan
Re: announce mails
Why would the release system initiate an announce when the mirrors are not up to date, they can't be, since rsync.apache still lists 2.4.51 as latest, the process is to allow time for mirrors to get the package before announcing it

On Mon, Dec 20, 2021 at 7:53 PM Stefan Eissing wrote:

> The mailings to announce lists continue to bother me. The release
> announcement is in the moderation queue (hopefully) and the cveprocess
> mails go right through to the list. This is not the order I prefer.
>
> I am holding back the send about the second CVE until I see the release
> announcement winked through.
>
> - Stefan
Re: announce mails
On 20.12.2021 at 10:53, Stefan Eissing wrote:

> The mailings to announce lists continue to bother me. The release announcement is in the moderation queue (hopefully) and the cveprocess mails go right through to the list. This is not the order I prefer.
>
> I am holding back the send about the second CVE until I see the release announcement winked through.
>
> - Stefan

On Tue, 21 Dec 2021, 1:46 AM Rainer Jung wrote:

> Aaah, sorry, it did come in now, don't know whether via dev@ or
> announce@. Thanks.
>
> On 20.12.2021 at 10:53, Stefan Eissing wrote:
> > The mailings to announce lists continue to bother me. The release
> > announcement is in the moderation queue (hopefully) and the cveprocess
> > mails go right through to the list. This is not the order I prefer.
> >
> > I am holding back the send about the second CVE until I see the release
> > announcement winked through.
> >
> > - Stefan
Re: announce mails
Aaah, sorry, it did come in now, don't know whether via dev@ or announce@. Thanks.

On 20.12.2021 at 10:53, Stefan Eissing wrote:

> The mailings to announce lists continue to bother me. The release announcement is in the moderation queue (hopefully) and the cveprocess mails go right through to the list. This is not the order I prefer.
>
> I am holding back the send about the second CVE until I see the release announcement winked through.
>
> - Stefan
Re: announce mails
Hmmm, still no announcement mail received, or did I miss it?

On 20.12.2021 at 10:53, Stefan Eissing wrote:

> The mailings to announce lists continue to bother me. The release announcement is in the moderation queue (hopefully) and the cveprocess mails go right through to the list. This is not the order I prefer.
>
> I am holding back the send about the second CVE until I see the release announcement winked through.
>
> - Stefan
CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier
Severity: high

Description:

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one.

This issue affects Apache HTTP Server 2.4.51 and earlier.

Credit:

Chamal Anonymous working with Trend Micro Zero Day Initiative
announce mails
The mailings to announce lists continue to bother me. The release announcement is in the moderation queue (hopefully) and the cveprocess mails go right through to the list. This is not the order I prefer.

I am holding back the send about the second CVE until I see the release announcement winked through.

- Stefan
CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier
Severity: moderate

Description:

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).

This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).

Credit:

漂亮鼠
TengMA(@Te3t123)
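
Added example (not part of the advisory and not Apache httpd code): a first-pass Python check that classifies a server against the two conditions the description names, forward proxying enabled and a reverse-proxy declaration that targets a Unix Domain Socket. The function names and the sample configuration are constructed for illustration; the check reads a single file's text and does not follow Include directives, line continuations or RewriteRule [P] targets.

```python
import re

# Constructed sample configuration for illustration (not from the advisory).
SAMPLE_CONF = """\
# forward proxy for internal clients
ProxyRequests On
<VirtualHost *:8080>
    ProxyPass "/app/" "unix:/run/app.sock|http://localhost/app/"
    # ProxyPass "/old/" "unix:/run/old.sock|http://localhost/"
    ProxyPassMatch "^/api/(.*)$" "http://backend.internal/$1"
</VirtualHost>
"""

# Affected range as stated in the advisory: 2.4.7 up to 2.4.51 (included).
AFFECTED_MIN = (2, 4, 7)
AFFECTED_MAX = (2, 4, 51)

# Directives that can declare a reverse-proxy backend on a Unix Domain Socket.
UDS_DIRECTIVES = ("proxypass", "proxypassmatch", "sethandler")


def version_affected(version):
    """True if a dotted version string lies inside the affected range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def audit(conf_text):
    """Return (forward_proxy_lines, uds_backend_lines) as line numbers."""
    forward, uds = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and commented-out directives
        tokens = line.split(None, 1)
        directive = tokens[0].lower()
        args = tokens[1] if len(tokens) > 1 else ""
        if directive == "proxyrequests" and args.strip().strip('"').lower() == "on":
            forward.append(lineno)
        elif directive in UDS_DIRECTIVES and re.search(r"unix:/", args, re.I):
            uds.append(lineno)
    return forward, uds


def exposure(version, conf_text):
    """Classify exposure to CVE-2021-44224 from version plus configuration."""
    forward, uds = audit(conf_text)
    if not version_affected(version) or not forward:
        return "not-affected"
    return "null-deref+uds-ssrf" if uds else "null-deref"
```

A "not-affected" result only covers the file that was passed in; included files need the same check.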
Re: [VOTE] Release httpd-2.4.52-rc1 as httpd-2.4.52
With 7 +1 votes and no objections, the vote has PASSED.

Thank you all who took the time to test this!

I will start the release work.

Kind Regards,
Stefan

> On 19.12.2021 at 17:56, Steffen wrote:
>
> +1 for Windows release.
>
> Cheers, Steffen
>
>> On 16 Dec 2021 at 15:03, Stefan Eissing wrote:
>>
>> Hi all,
>>
>> Please find below the proposed release tarball and signatures:
>>
>> https://dist.apache.org/repos/dist/dev/httpd/
>>
>> I would like to call a VOTE over the next few days to release
>> this candidate tarball httpd-2.4.52-rc1 as 2.4.52:
>> [ ] +1: It's not just good, it's good enough!
>> [ ] +0: Let's have a talk.
>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>
>> The computed digests of the tarball up for vote are:
>> sha256: 296c74a8adde1a8acd6617b21fc3d19719ff4fa39319b2bdbd898aca4d5df97f
>> *httpd-2.4.52-rc1.tar.gz
>> sha512:
>> b9012096d6658f7d34a3c655eac31b39ffd439c11de6f3e6e9f309d55f4186a4fb26134eb97522e416ae8ca10ed008a14e96fa01a3e3105d9e547f72e2dc3bc2
>> *httpd-2.4.52-rc1.tar.gz
>>
>> The SVN candidate source is found at tags/candidate-2.4.52-rc1.
>>
>> Kind Regards,
>> Stefan
Re: Testing mod_tls
> On 19.12.2021 at 10:36, Christophe JAILLET wrote:
>
> Hi,
>
> I've been able to build mod_tls
>
> Basically, I've done:
>
> sudo apt install cargo
> sudo apt install cbindgen
>
> git clone https://github.com/rustls/rustls-ffi.git git_rustls-ffi
> sudo make install
>
> I have:
> /usr/local/lib/libcrustls.a
> /usr/local/lib/librustls.a
> /usr/local/include/crustls.h
> /usr/local/include/rustls.h
>
> pytest is also (apparently correctly) installed.
> pytest test/modules/http2 works fine.
>
> However, when I 'pytest test/modules/tls', I get:
>
> Syntax error on line 31 of
> XXX/svn_httpd_2.4.x/test/gen/apache/conf/modules.conf: Cannot load
> XXX/httpd-2.4/modules/mod_tls.so into server:
> XXX/httpd-2.4/modules/mod_tls.so: undefined symbol: fmaf
>
> My understanding is that mod_tls is correctly compiled, but that there is a
> missing library somewhere.
>
> Does it ring some bell to s.o.?

The issue came up here: https://github.com/rustls/rustls-ffi/issues/133

> CJ