> On 05.10.2022 at 18:48, Eric Covener wrote:
>
> On Wed, Oct 5, 2022 at 12:44 PM Roy T. Fielding wrote:
>>
>>> On Sep 26, 2022, at 5:29 AM, ic...@apache.org wrote:
>>>
>>> Author: icing
>>> Date: Mon Sep 26 12:29:47 2022
>>> New Revision: 1904269
>>>
>>> URL:
> On 30.09.2022 at 20:51, Christophe JAILLET wrote:
>
> On 27/09/2022 at 13:00, ic...@apache.org wrote:
>> Author: icing
>> Date: Tue Sep 27 11:00:10 2022
>> New Revision: 1904299
>> URL: http://svn.apache.org/viewvc?rev=1904299=rev
>> Log:
>> *) mod_http2: use proper apr_time_t where
Hi Rainer,
> On 28.09.2022 at 15:33, Rainer Jung wrote:
>
> Hi all,
>
> today I stumbled into an unexpected request denial by a rule in the
> mod_security Core Rule Set 3. It denies requests without body, that have
> Transfer-Encoding chunked set.
>
> When I send a normal GET request,
> On 27.09.2022 at 13:43, Ruediger Pluem wrote:
>
>
>
> On 9/27/22 12:53 PM, ic...@apache.org wrote:
>> Author: icing--- httpd/httpd/trunk/modules/http2/h2_stream.c (original)
>> +++ httpd/httpd/trunk/modules/http2/h2_stream.c Tue Sep 27 10:53:51 2022
>> @@ -147,7 +147,7 @@ static int
> On 27.09.2022 at 08:49, Ruediger Pluem wrote:
>
>
>
> On 9/26/22 2:29 PM, ic...@apache.org wrote:
>> Author: icing
>> Date: Mon Sep 26 12:29:47 2022
>> New Revision: 1904269
>>
>> URL: http://svn.apache.org/viewvc?rev=1904269=rev
>> Log:
>> *) mod_http2: new directive
FYI: pytest now logs test case names in the server log. This makes it
easier to find the context in which unexpected errors are logged on the server
side. So, you'll see in error.log lines as:
[Time] [aptest:info] [pid ] [client 127.0.0.1:50063] test[test_h2_600_01]:
GET / HTTP/1.1
...
Hi Karin,
> On 16.09.2022 at 16:47, Karin Hedlund wrote:
>
> Does anybody know of any plans to add support for rfc8441
> (https://datatracker.ietf.org/doc/html/rfc8441) in Apache httpd?
Nothing planned that I know of.
> I've really tried, but couldn't find anything regarding it other than
>
added is chosen randomly per frame. This applies to HEADERS, DATA and
>> PUSH_PROMISE
>> frames equally. The default continues to be 0, e.g. no padding. [Stefan
>> Eissing]
>>
>> *) mod_http2: ripping out all the h2_req_engine internal features now that
>> mod_pr
> On 10.07.2022 at 18:56, Ivan Zhakov wrote:
>
> On Mon, 20 Jun 2022 at 11:24, Stefan Eissing wrote:
> I would like to move the h2 worker pool into the mpm at some time in the
> future. To be available on systems with threads and non-prefork
> configurations.
>
Hi Rainer,
that reminds me of buried bodies in the basement. Any watchdog task is in
danger of missing a shutdown, as no one waits for it. Checking in the task
itself does not help. A task like mod_md, communicating with another server,
may check after a read(), but that may already be too
> On 20.06.2022 at 13:08, Yann Ylavic wrote:
>
> On Fri, Jun 17, 2022 at 11:24 AM wrote:
>>
>> --- httpd/httpd/trunk/modules/http2/h2_workers.h (original)
>> +++ httpd/httpd/trunk/modules/http2/h2_workers.h Fri Jun 17 09:24:57 2022
>> @@ -28,59 +28,94 @@ struct h2_mplx;
>> struct
I would like to move the h2 worker pool into the mpm at some time in the
future. To be available on systems with threads and non-prefork configurations.
The main motivation for this is that h2 workers have been so far "under the
hood" of mod_http2. This makes them invisible to other parts of
> On 20.06.2022 at 09:21, Ruediger Pluem wrote:
>
>
>
> On 6/17/22 11:24 AM, ic...@apache.org wrote:
>> Author: icing
>> Date: Fri Jun 17 09:24:57 2022
>> New Revision: 1902005
>>
>> URL: http://svn.apache.org/viewvc?rev=1902005=rev
>> Log:
>> *) mod_http2: new implementation of h2
> On 20.06.2022 at 09:08, Ruediger Pluem wrote:
>
>
>
> On 6/17/22 11:24 AM, ic...@apache.org wrote:
>> Author: icing
>> Date: Fri Jun 17 09:24:57 2022
>> New Revision: 1902005
>>
>> URL: http://svn.apache.org/viewvc?rev=1902005=rev
>> Log:
>> *) mod_http2: new implementation of h2
> On 20.06.2022 at 09:01, Stefan Eissing wrote:
>
>
>
>> On 20.06.2022 at 08:59, Ruediger Pluem wrote:
>>
>>
>>
>> On 6/20/22 8:53 AM, Ruediger Pluem wrote:
>>>
>>>
>>> On 6/17/22 11:24 AM, ic...@apache.org w
> On 20.06.2022 at 08:59, Ruediger Pluem wrote:
>
>
>
> On 6/20/22 8:53 AM, Ruediger Pluem wrote:
>>
>>
>> On 6/17/22 11:24 AM, ic...@apache.org wrote:
>>> Author: icing
>>> Date: Fri Jun 17 09:24:57 2022
>>> New Revision: 1902005
>>>
>>> URL:
Apache httpd 2.4.54 release should be completely done now.
If anyone notices something I missed, please let us know!
Kind Regards,
Stefan
Severity: low
Description:
Apache HTTP Server 2.4.53 and earlier may crash or disclose information due to
a read beyond bounds in ap_strcmp_match() when provided with an extremely large
input buffer. While no code distributed with the server can be coerced into
such a call, third-party
Severity: low
Description:
Apache HTTP Server 2.4.53 and earlier may not send the X-Forwarded-* headers to
the origin server based on client side Connection header hop-by-hop mechanism.
This may be used to bypass IP based authentication on the origin
server/application.
Credit:
The Apache
Severity: low
Description:
Apache HTTP Server 2.4.53 and earlier may return lengths to applications
calling r:wsread() that point past the end of the storage allocated for the
buffer.
Credit:
The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC)
for reporting this
Severity: low
Description:
If Apache HTTP Server 2.4.53 is configured to do transformations with mod_sed
in contexts where the input to mod_sed may be very large, mod_sed may make
excessively large memory allocations and trigger an abort.
Credit:
This issue was found by Brian Moussalli from
Severity: low
Description:
In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script
that calls r:parsebody(0) may cause a denial of service due to no default limit
on possible input size.
Credit:
The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop
Severity: low
Description:
The ap_rwrite() function in Apache HTTP Server 2.4.53 and earlier may read
unintended memory if an attacker can cause the server to reflect very large
input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function.
Credit:
The Apache HTTP Server
Severity: low
Description:
Apache HTTP Server 2.4.53 and earlier on Windows may read beyond bounds when
configured to process requests with the mod_isapi module.
Credit:
The Apache HTTP Server project would like to thank Ronald Crane (Zippenhop LLC)
for reporting this issue
References:
Severity: moderate
Description:
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to
smuggle requests to the AJP server it forwards requests to. This issue affects
Apache HTTP Server Apache HTTP
With 9 +1 the voting is complete and I will make the release now.
Thanks everyone for testing!
Kind Regards,
Stefan
> On 08.06.2022 at 09:04, Petr Gajdos wrote:
>
> On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote:
> [x] +1: It's not just good, it's good enough!
> On 07.06.2022 at 12:21, Yann Ylavic wrote:
>
> On Mon, Jun 6, 2022 at 4:25 PM Stefan Eissing wrote:
>>
>> I would like to call a VOTE over the next few days to release
>> this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
>
> [X] +1: It's not just good
Seems a lot of people are either on vacation or busy - and that is fine.
Since the rc* candidates merely differed on the TCP_FLUSH defines, I tend
to count all positive votes as still applicable!
Otherwise, speak up!
Kind Regards,
Stefan
> Am 07.06.2022 um 12:00 schrieb Stefan Eiss
+1 from me on my macOS machine.
> On 07.06.2022 at 10:58, Joe Orton wrote:
>
> On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote:
>> Here we go again! Sorry for the repeats, but that is why we build
>> candidates, right?
>>
>> Hi all,
>
Here we go again! Sorry for the repeats, but that is why we build candidates,
right?
Hi all,
Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/
I would like to call a VOTE over the next few days to release
this candidate tarball
> On 06.06.2022 at 16:11, Eric Covener wrote:
>
> On Mon, Jun 6, 2022 at 7:09 AM Stefan Eissing wrote:
>>
>> Guys, shall I make an rc3 with the recent apr version check changes? It
>> seems the correct way to handle this...
>
> Especially given limi
FYI: Had a DNS problem (it's always dns!) on my mail server, resulting in
rejected incoming mails. Should work again now...
> On 06.06.2022 at 13:09, Stefan Eissing wrote:
>
> Guys, shall I make an rc3 with the recent apr version check changes? It seems
> the correct w
Guys, shall I make an rc3 with the recent apr version check changes? It seems
the correct way to handle this...
Cheers,
Stefan
> On 06.06.2022 at 10:12, giova...@paclan.it wrote:
>
> On 6/4/22 14:59, Stefan Eissing wrote:
>> Hi all,
>>
>> next attempt
Hi all,
next attempt at 2.5.54. Thanks everyone for participating!
Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/
I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.54-rc2 as 2.4.54:
[ ]
This vote is cancelled due to build problems under Windows.
I'll create a rc2 candidate and post that for voting soon.
Thanks everyone.
> On 03.06.2022 at 16:57, Stefan Eissing wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatu
> On 04.06.2022 at 14:08, Eric Covener wrote:
>
> 2.4.x ready to reroll
Nice! Thanks Eric. Will roll an rc2 in a few minutes.
Cheers, Stefan
>
> On Sat, Jun 4, 2022 at 7:36 AM Eric Covener wrote:
>>
>> On Sat, Jun 4, 2022 at 7:11 AM Stefan Eissing wrote:
>
How is the definition in your include/apr.h for APR_TCP_NOPUSH_FLAG? On my
macOS it is:
#define APR_TCP_NOPUSH_FLAG TCP_NOPUSH
It may be that the added lines
#if APR_TCP_NOPUSH_FLAG && !defined(__APPLE__)
needs a check for Windows too?
> On 04.06.2022 at 12:49, SteffenAL wrote:
>
>
more
what the offending code piece is?
Thanks,
Stefan
>
>
>
> On Friday 03/06/2022 at 16:57, Stefan Eissing wrote:
>> Hi all,
>>
>> Please find below the proposed release tarball and signatures:
>>
>> https://dist.apache.org/repos/dist/dev/httpd/
Hi all,
Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/
I would like to call a VOTE over the next few days (at least
up to and including Monday) to release this candidate tarball
httpd-2.4.54-rc1 as 2.4.54:
[ ] +1: It's not just
Hi,
I intend to tag a 2.4.x release candidate later today. It seems everything
is prepped, our CI is green and it has been about 3 months since the last
release.
If you see any reason we should wait, please speak up!
Kind Regards,
Stefan
> On 25.05.2022 at 21:45, Christophe JAILLET wrote:
>
> On 16/03/2022 at 09:28, ic...@apache.org wrote:
>> Author: icing
>> Date: Wed Mar 16 08:28:27 2022
>> New Revision: 1898962
>> URL: http://svn.apache.org/viewvc?rev=1898962=rev
>> Log:
>> *) mod_md: fix compiler warning about
Anyone feeling release vibes in the air?
it's been a good 2.5 months and some things have accumulated.
Maybe the start of June would be a good target?
Kind Regards,
Stefan
> On 19.05.2022 at 17:20, Ruediger Pluem wrote:
>
>
>
> On 5/19/22 5:15 PM, Stefan Eissing wrote:
>>
>>
>>> On 19.05.2022 at 16:44, Joe Orton wrote:
>>>
>>> On Wed, May 18, 2022 at 05:34:22PM +0200, Ruediger Pluem wrote:
> On 19.05.2022 at 16:44, Joe Orton wrote:
>
> On Wed, May 18, 2022 at 05:34:22PM +0200, Ruediger Pluem wrote:
>> On 5/18/22 4:55 PM, Joe Orton wrote:
>>> I think for httpd it is only safe and sane to run httpd with LANG=C, we
>>> do this in the default service scripts in Fedora/RHEL for a
> On 18.05.2022 at 19:17, Nick Kew wrote:
>
>
>> On 18 May 2022, at 16:34, Ruediger Pluem wrote:
>>
>> Rüdiger
>
> What locale are YOU in there? Any attempt at locale is going to have to draw
> lines:
> what are the rules for when Ruediger == Rüdiger?
>
> In a WWW (and hence httpd)
2022 and we discuss strcasecmp() again?
Background: OpenSSL 3.0.3 added OPENSSL_strcasecmp() and friends and there are
several issues around their implementation. Up to this version, they relied on
the POSIX strcasecmp(). Whatever their reasons for their change...
Checking our sources, we have
Thanks for checking. I merged the change Yann mentioned and travis is
considering maybe starting the ci suite some day in the future...we'll see.
> On 17.05.2022 at 15:33, Rainer Jung wrote:
>
> Forget the below. The real error was already detected by others and 25.000
> lines higher in
> On 17.05.2022 at 15:20, Yann Ylavic wrote:
>
> Hi,
>
>>
>> We have the CI for 2.4.x failing for some time in endless log messages for
>> "Linux Ubuntu Focal, ASan, pool-debug"
>>
>> [Mon May 16 14:36:38.939810 2022] [optional_hook_import:error] [pid
>> 64983:tid 140667614734080]
We have the CI for 2.4.x failing for some time in endless log messages for
"Linux Ubuntu Focal, ASan, pool-debug"
[Mon May 16 14:36:38.939810 2022] [optional_hook_import:error] [pid 64983:tid
140667614734080] AH01866: Optional hook test said: GET
/getfiles-perl-pod/perlapi.pod HTTP/1.1
-keep-using-golang
Kind Regards,
Stefan
>
> Best,
> Simon
>
>
>
> On 5/12/22 12:13, Stefan Eissing wrote:
>> Hi Simon,
>>
>>> On 12.05.2022 at 11:28, Simon Studer wrote:
>>>
>>> Hi everyone,
>>>
>>> When I r
Hi Simon,
> On 12.05.2022 at 11:28, Simon Studer wrote:
>
> Hi everyone,
>
> When I read about Apache's use of rustls I thought of this thread again.
>
> For mod_tls, the module itself was written in C linking to the rustls-ffi. I
> have been wondering if it would be desirable to implement
> On 11.05.2022 at 13:46, Joe Orton wrote:
>
> On Tue, May 10, 2022 at 10:50:12PM +0200, Stefan Eissing wrote:
>> Will look at it tomorrow.
>
> Could we cache the crates if building them is the source of
> unreliability? It looks like we just have to add a couple
Will look at it tomorrow.
> On 10.05.2022 at 15:17, Ruediger Pluem wrote:
>
> The latest build of 2.4.x on Travis failed with mod_tls. Ideas?
>
> https://app.travis-ci.com/github/apache/httpd/jobs/569587665
>
> Regards
>
> Rüdiger
Hi Rainer,
there is a list of patterns and APLOGNOs that are allowed to happen. In the
http2 tests, those are defined in env.py, lines 88-97.
If we get new ones with openssl 3.0.2, we need to add them there. Could you
give this a shot?
Kind Regards,
Stefan
> Am 24.04.2022 um 22:03 schrieb
> On 15.04.2022 at 18:20, Yann Ylavic wrote:
>
> On Fri, Apr 15, 2022 at 6:19 PM Yann Ylavic wrote:
>>
>> On Fri, Apr 15, 2022 at 4:21 PM Stefan Eissing wrote:
>>>
>>>> On 15.04.2022 at 15:24, Yann Ylavic wrote:
>>>>
>>>
> On 15.04.2022 at 15:24, Yann Ylavic wrote:
>
> On Wed, Apr 6, 2022 at 11:17 AM wrote:
>>
>> Modified: httpd/httpd/trunk/server/util.c
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/server/util.c?rev=1899609=1899608=1899609=diff
>>
In r1899885 the test checks on dynamic child behaviour on a graceful reload.
Is this a setup that allows us to verify behaviour that troubled us in the past?
Cheers,
Stefan
> On 15.04.2022 at 10:41, Stefan Eissing wrote:
>
>
>
>> Am 14.04.2022 um 17:54 schrieb Yann Ylav
> On 14.04.2022 at 17:54, Yann Ylavic wrote:
>
> On Thu, Apr 14, 2022 at 1:43 PM Stefan Eissing wrote:
>>
>>
>> In test/modules/core/test_002_restarts.py there is now a start of this.
>> Invoked
>> specifically with:
>>
>> trunk>
> On 14.04.2022 at 10:19, Yann Ylavic wrote:
>
> On Thu, Apr 14, 2022 at 9:12 AM Stefan Eissing wrote:
>>
>> I have the feeling we are in need of some sort of stress tests on
>> the overall child management scenarios. Offering my help.
>
> Thanks Stef
> On 13.04.2022 at 17:16, Ruediger Pluem wrote:
>
>
>
> On 4/7/22 12:41 PM, ic...@apache.org wrote:
>> Author: icing
>> Date: Thu Apr 7 10:41:46 2022
>> New Revision: 1899648
>>
>> URL: http://svn.apache.org/viewvc?rev=1899648=rev
>> Log:
>> *) core/mod_http: use RESPONSE meta buckets
> On 13.04.2022 at 17:33, Yann Ylavic wrote:
>
> On Wed, Apr 13, 2022 at 4:22 PM Ruediger Pluem wrote:
>>
>> On 4/12/22 2:08 PM, yla...@apache.org wrote:
>>
>>> @@ -3447,9 +3480,11 @@ static void server_main_loop(int remaini
>>> continue;
>>> }
>>>
>>> +
feedback from anyone about it….If I
>> remember correctly, no one was around to make the cmake and Windows builds
>> for it.
>> I had given feedback and was able to build it on windows in 2017. In the
>> beginning some crashes, but Stefan solved.
>>> Op 8 apr. 2022
With
https://github.com/apache/httpd/pull/311
I present my PR for using REQUEST meta buckets in
httpd core to split HTTP from HTTP/1.x processing
and have core ready for all HTTP versions.
7 files are affected by this PR. Most changed lines
are moved from server/protocol.c to modules/http
I
> On 07.04.2022 at 13:04, Rainer Jung wrote:
>
> Hi there,
>
> during my experiments with the nice pytest based test suite against 2.4.x I
> noticed, that many mod_md tests need "a2md". The sources for this commandline
> tool are in Stefan's GitHub repos for mod_md, but not inside the
> On 05.04.2022 at 14:08, Rainer Jung wrote:
>
> Thanks, will switch to that one. Should have remembered it ...
All fine. Hit me with questions if it gives you problems.
>
> On 05.04.2022 at 14:04, Stefan Eissing wrote:
>>> Am 05.04.2022 um 14:01 schrieb Rainer J
> On 05.04.2022 at 14:01, Rainer Jung wrote:
>
> Hi Stefan,
>
> On 05.04.2022 at 13:49, Stefan Eissing wrote:
>> Which test suite, the one in trunk or the one from github? Both work best
>> against the respective source.
>
> the test suite in
>
>
Which test suite, the one in trunk or the one from github? Both work best
against the respective source.
> On 05.04.2022 at 13:47, Rainer Jung wrote:
>
> I try to make the mod_h2 test suite run for me. Some difficulties are
> expected due to my non-standard setup, but the first test that
> On 05.04.2022 at 10:20, Ruediger Pluem wrote:
>
>
>
> On 4/5/22 9:53 AM, Stefan Eissing wrote:
>>
>>
>>> On 05.04.2022 at 09:34, Ruediger Pluem wrote:
>>>
>>>
>>>
>>> On 4/5/22 9:13 AM, Stefan Eissin
> On 05.04.2022 at 09:34, Ruediger Pluem wrote:
>
>
>
> On 4/5/22 9:13 AM, Stefan Eissing wrote:
>>
>>
>>> On 04.04.2022 at 16:07, Ruediger Pluem wrote:
>>>
>>>
>>>
>>> On 4/4/22 1:08 PM, ic...@apache.org wrote:
> On 04.04.2022 at 16:07, Ruediger Pluem wrote:
>
>
>
> On 4/4/22 1:08 PM, ic...@apache.org wrote:
>> Author: icing
>> Date: Mon Apr 4 11:08:58 2022
>> New Revision: 1899552
>>
>> URL: http://svn.apache.org/viewvc?rev=1899552=rev
>> Log:
>> *) mod_http: generate HEADERS buckets for
https://github.com/apache/httpd/pull/307
is my PR on using the new RESPONSE meta bucket
in general HTTP processing. Up for review if you like.
Kind Regards,
Stefan
> On 04.04.2022 at 15:43, Ruediger Pluem wrote:
>
>
>
> On 4/4/22 11:41 AM, ic...@apache.org wrote:
>> Author: icing
>> Date: Mon Apr 4 09:41:25 2022
>> New Revision: 1899550
>>
>> URL: http://svn.apache.org/viewvc?rev=1899550=rev
>> Log:
>> *) core: add ap_h1_append_header() for single
The first PR to separate HTTP and HTTP/1.x processing is in:
https://github.com/apache/httpd/pull/306
This is a small subset of PR291 that is easier to read. While it has all API
additions from PR291, it
only uses a subset in the implementation. With further use coming in future PRs.
This PRs
one sitting here locally and will publish that once
our CI is working again (and I can be sure that they do as well).
Kind Regards,
Stefan
> On 31.03.2022 at 09:40, jean-frederic clere wrote:
>
> On 30/03/2022 11:11, Stefan Eissing wrote:
>>> Am 28.03.2022 um 15:52 schrieb j
> On 01.04.2022 at 08:47, jean-frederic clere wrote:
>
> On 31/03/2022 12:59, Ruediger Pluem wrote:
>> On 3/31/22 12:34 PM, Stefan Eissing wrote:
>>>
>>>
>>>> On 31.03.2022 at 11:55, Ruediger Pluem wrote:
>>>>
> On 31.03.2022 at 11:55, Ruediger Pluem wrote:
>
>
>
> On 3/31/22 11:11 AM, Ruediger Pluem wrote:
>>
>>
>> On 3/30/22 4:42 PM, jfcl...@apache.org wrote:
>>> Author: jfclere
>>> Date: Wed Mar 30 14:42:14 2022
>>> New Revision: 1899390
>>>
>>> URL:
> On 28.03.2022 at 15:52, jean-frederic clere wrote:
>
> On 24/03/2022 13:21, Stefan Eissing wrote:
>> You are invited to have a look at my PR for separating HTTP/1.x processing
>> from
>> generic HTTP protocol handling and verification:
>> https://github.co
> On 28.03.2022 at 17:15, jean-frederic clere wrote:
>
> On 28/03/2022 16:03, Stefan Eissing wrote:
>>> On 28.03.2022 at 15:52, jean-frederic clere wrote:
>>>
>>> On 24/03/2022 13:21, Stefan Eissing wrote:
>>>> You are invited to have a
> On 28.03.2022 at 15:52, jean-frederic clere wrote:
>
> On 24/03/2022 13:21, Stefan Eissing wrote:
>> You are invited to have a look at my PR for separating HTTP/1.x processing
>> from
>> generic HTTP protocol handling and verification:
>> https://github.co
> On 28.03.2022 at 14:28, Rainer Jung wrote:
>
>
> I am thinking about adding a JSON output format to mod_status and mod_info as
> an option controlled by a query string parameter.
>
> Since writing simple data structures from these modules is much simpler than
> parsing and processing a
You are invited to have a look at my PR for separating HTTP/1.x processing from
generic HTTP protocol handling and verification:
https://github.com/apache/httpd/pull/291
I made a description of the changes in the PR that helps reviewing it (I hope).
"Changes appear larger than they really are"
Severity: moderate
Description:
A carefully crafted request body can cause a read to a random memory area which
could cause the process to crash.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credit:
Chamal De Silva
Severity: important
Description:
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when
errors are encountered discarding the request body, exposing the server to HTTP
Request Smuggling
Credit:
James Kettle
Severity: low
Description:
If LimitXMLRequestBody is set to allow request bodies larger than 350MB
(defaults to 1M) on 32 bit systems an integer overflow happens which later
causes out of bounds writes.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credit:
Anonymous working with
Severity: important
Description:
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an
attacker to overwrite heap memory with possibly attacker provided data.
This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions.
Credit:
Ronald Crane (Zippenhop
Thank you all! With 7 +1 votes and no other, I announce rc2 has passed.
I will do the release of 2.4.53 on Monday.
Kind Regards and a nice weekend to you all,
Stefan
> On 09.03.2022 at 17:19, Stefan Eissing wrote:
>
> Hi all,
>
> Please find below the proposed
?
> On 09.03.2022 at 17:19, Stefan Eissing wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarb
> On 09.03.2022 at 17:19, Stefan Eissing wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this cand
Hi all,
Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/
I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.53-rc2 as 2.4.53:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have
> On 09.03.2022 at 15:07, Stefan Eissing wrote:
>
>
>
>> On 09.03.2022 at 15:05, Ruediger Pluem wrote:
>>
>>
>>
>> On 3/9/22 2:46 PM, Stefan Eissing wrote:
>>> Are we ready for an rc2 for 2.4.53?
>>
>> With r1898786 I wo
> On 09.03.2022 at 15:05, Ruediger Pluem wrote:
>
>
>
> On 3/9/22 2:46 PM, Stefan Eissing wrote:
>> Are we ready for an rc2 for 2.4.53?
>
> With r1898786 I would say yes.
Thanks everyone, will do.
>
> Regards
>
> Rüdiger
>
Are we ready for an rc2 for 2.4.53?
> On 09.03.2022 at 14:44, Stefan Eissing wrote:
>
>
>
>> On 09.03.2022 at 14:25, Yann Ylavic wrote:
>>
>> On Tue, Mar 8, 2022 at 6:22 PM Rainer Jung wrote:
>>>
>>> - configure for APR in the depend
> On 09.03.2022 at 14:25, Yann Ylavic wrote:
>
> On Tue, Mar 8, 2022 at 6:22 PM Rainer Jung wrote:
>>
>> - configure for APR in the dependency tarball still fails for me due to
>> a bug in autoconf 2.71 used to create the configure script. That problem
>> was already reported by me during
> On 09.03.2022 at 13:11, Yann Ylavic wrote:
>
> On Tue, Mar 8, 2022 at 2:34 PM Jim Jagielski wrote:
>>
>>> On Mar 8, 2022, at 7:58 AM, Graham Leggett wrote:
>>>
>>> I would far rather the empty APLOGNO check was part of the build.
>>>
>>> Vastly simpler.
>>
>>
>> I agree w/ that...
>
CANCELLED.
Due to errors/warnings found during your tests, I cancel the vote on rc1.
Thanks for giving us these feedbacks! I'll put up the rc2 vote as soon
as we're ready.
Thanks,
Stefan
> On 09.03.2022 at 08:50, Ruediger Pluem wrote:
>
>
>
> On 3/8/22 10:09 PM, Rainer Jung wrote:
>>
>
For anyone thinking about testing rc1, there is a high chance of an rc2 coming
soon.
Will announce here,
Stefan
> On 08.03.2022 at 16:33, Rainer Jung wrote:
>
>
> On 07.03.2022 at 16:55, Stefan Eissing wrote:
>> Hi all,
>> Please find below the proposed releas
> On 08.03.2022 at 14:34, Jim Jagielski wrote:
>
>> On Mar 8, 2022, at 7:58 AM, Graham Leggett wrote:
>>
>>
>> I would far rather the empty APLOGNO check was part of the build.
>>
>> Vastly simpler.
>>
>
> I agree w/ that...
I have the feeling that the work that has gone into making
Hi all,
Please find below the proposed release tarball and signatures:
https://dist.apache.org/repos/dist/dev/httpd/
I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.53-rc1 as 2.4.53:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have
Joe,
I'll change the release candidate tag/branch names and if that works, you can
strip some regex from the travis setup.
Kind Regards,
Stefan
> On 07.03.2022 at 02:53, Yann Ylavic wrote:
>
> On Sat, Mar 5, 2022 at 12:17 PM Stefan Eissing wrote:
>>
>>> On 04.03.2022 at 18:40, Roy T. Fielding wrote:
>>>
>>>> On Mar 4, 2022, at 6:17 AM, Eric Covener wrote:
>>>>