On Mon, Oct 23, 2017 at 11:45 AM, Jim Jagielski wrote:
> Apache HTTP Server 2.4.29 Released
>
> October 23, 2017
>
> The Apache Software Foundation and the Apache HTTP Server Project
> are pleased to announce the release of version 2.4.29 of the Apache
> HTTP Server
On Mon, Oct 23, 2017 at 9:54 AM, Stefan Eissing
wrote:
>
>> On 23.10.2017 at 16:25, Yann Ylavic wrote:
>>
>> Hi Stefan,
>>
>> On Mon, Oct 23, 2017 at 2:42 PM, Stefan Eissing
>> wrote:
>>>
>>> Can you give me a
On Thu, Oct 19, 2017 at 4:15 PM, Steffen wrote:
> I said before: In Apache.dsw is now project xml removed, it is not building
> out of the box with current released apr-util. With coming apr-util 1.6.1 it
> should be possible to build.
>
> With the expat/xml changes in
# Failed test 56 in t/ssl/varlookup.t at line 109 fail #56
# Failed test 58 in t/ssl/varlookup.t at line 109 fail #58
# testing : SSL_SERVER_SAN_DNS_0
# expected: 'localhost'
# received: 'localhost.localdomain'
not ok 56
# testing : SSL_SERVER_SAN_OTHER_dnsSRV_0
# expected: '_https.localhost'
#
On Fri, Oct 13, 2017 at 8:25 AM, Jim Jagielski wrote:
> Why lump 2.5.0 into all this?
>
> There is no rational reason to force connect 2.4.29 and 2.5.0
>
> Tag 2.4.29 and leave 2.5.0 alone until people discuss it. Until then
> I will veto any foolishness about 2.5.0-whatever.
On Wed, Oct 18, 2017 at 12:36 AM, Marion & Christophe JAILLET <
christophe.jail...@wanadoo.fr> wrote:
> Hi,
>
> just for my own curiosity: why do we prefer 32 bits libs?
>
It is not a value judgement, we simply consume lib/pkginfo before
lib64/pkginfo in this patch. We didn't even look at
Seems Jim is +0 to back out and I'm +0 to keep. First
strong opinion wins so we can get to tagging :)
Absolute consensus on informing our apr, and httpd
builders what not to pass as CFLAGS, and why.
On Oct 16, 2017 13:58, "William A Rowe Jr" <wr...@rowe-clan.net> wrote:
>
Rainer,
https://ci.apache.org/builders/httpd-trunk/builds/1203
would you please re-kick this build from a clean svn checkout? I think we have
various mistakes in our exports.c preprocessor that become tangled in any
rebuild scenario.
On Mon, Oct 16, 2017 at 8:30 AM, Rainer Jung
If the patch has merit on its own, without being generalized, then I'm fine
with tagging 1.6.1 with the OS/X specific backport included.
Note that the proposed httpd fix is still uneasy about the trunk flavor;
https://ci.apache.org/builders/httpd-trunk/builds/1202
On Mon, Oct 16, 2017 at 1:11
I raised the question of whether the OS/X changes introduced and backported
in APR are still necessary or desired, or if they should be backed out, and
whether this patch, munged for APR_ macros, is needed for apr 1.6.3 tag?
Yann suggests;
On Oct 16, 2017 11:31, "Yann Ylavic"
with current released apr-util.
>
> With coming apr-util 1.6.1 it should be fine.
>
> On Friday 13/10/2017 at 15:20, William A Rowe Jr wrote:
>
> Is anyone seeing an issue of concern about stability on 2.4.x branch?
>
> Has anyone else looked at Jim's proposed fixes for xcod
I've been watching the maintainer mode deliberations on dev@apr with great
interest. I'm also keenly aware of Steffen's concerns, especially since
dropping pcre didn't cause nearly this much trouble.
If we are all on the same page, I'll continue to work through the expat
headache on Monday and
Reading this commentary, we agree that is an enhancement.
On Oct 15, 2017 06:32, wrote:
> Author: rjung
> Date: Sun Oct 15 11:31:58 2017
> New Revision: 1812217
>
> URL: http://svn.apache.org/viewvc?rev=1812217=rev
> Log:
> Vote, comment.
>
> Modified:
>
Thank you for this summary!
On Oct 13, 2017 10:51, "Jim Jagielski" wrote:
> Let's recall what is really happening...
>
> In maintainer mode, the build system sets -Werror and -Wstrict-prototypes.
> This means that functions which lack strict prototypes will "fail".
>
> Now
On Oct 13, 2017 08:41, "Stefan Eissing" <stefan.eiss...@greenbytes.de>
wrote:
> On 13.10.2017 at 15:19, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> Is anyone seeing an issue of concern about stability on 2.4.x branch?
Not any more than in previous releas
Is anyone seeing an issue of concern about stability on 2.4.x branch?
Has anyone else looked at Jim's proposed fixes for xcode 9 building
under maintainer mode? A couple-line quick fix to configure.in, that
anyone on OS/X should be able to validate in minutes. The same fix
is already present on
lavic" <ylavic@gmail.com> wrote:
> On Thu, Oct 12, 2017 at 9:18 PM, Yann Ylavic <ylavic@gmail.com> wrote:
> > On Thu, Oct 12, 2017 at 7:42 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> >> On Sep 19, 2017 05:17, <j...@apache.org> wro
On Thu, Oct 12, 2017 at 2:30 PM, Yann Ylavic <ylavic@gmail.com> wrote:
> On Thu, Oct 12, 2017 at 9:18 PM, Yann Ylavic <ylavic@gmail.com> wrote:
> > On Thu, Oct 12, 2017 at 7:42 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> >> On Sep
On Sep 19, 2017 05:17, wrote:
Modified: httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/
modules/proxy/mod_proxy.c?rev=1808855=1808854=1808855=diff
I will review again tomorrow.
My jump-around idea was to check against all of the bits in not dir loc
file, and if the module's MMN minor is too early, treat the
section as if that bit is set.
On Oct 11, 2017 16:13, "Yann Ylavic" wrote:
On Wed, Oct 11, 2017 at 11:02
On Mon, Apr 25, 2016 at 7:04 PM, wrote:
> Author: ylavic
> Date: Tue Apr 26 00:04:57 2016
> New Revision: 1740928
>
> URL: http://svn.apache.org/viewvc?rev=1740928=rev
> Log:
> mod_proxy, mod_ssl: Handle SSLProxy* directives in sections,
> allowing different TLS
On Tue, Oct 10, 2017 at 4:04 AM, Ivan Zhakov wrote:
> On 28 September 2017 at 20:17, wrote:
> >
> > Author: wrowe
> > Date: Thu Sep 28 17:17:42 2017
> > New Revision: 1810012
> >
> > URL: http://svn.apache.org/viewvc?rev=1810012=rev
> > Log:
> > Duplicate
unced? At least the
>> website sez it was, and it looks like an Email was
>> sent to announce@a.o but I'm not seeing anything on
>> the httpd lists
>>
>
> Forwarded message
> Subject: [Announcement] Apache HTTP Server 2.4.28 Released
>
Have you tried bisecting the config directives to see which is triggering
the memory abuse?
Sounds like the module might not be async-ready, but should httpd really be
doing many thread swaps before the listener thread is tripped?
Does one of your modules load a large table a la Geo IP mapping?
ct 4, 2017 at 7:41 AM, Jim Jagielski <j...@jagunet.com> wrote:
> Sure. Anyone who wants to announce, please do so!! :)
>
> > On Oct 3, 2017, at 11:47 AM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
> >
> > On Tue, Oct 3, 2017 at 6:46 AM, Jim Jagiel
We have been at 2.4.29-dev for a few days now, are you ready to advance
this proposal?
On Fri, Sep 22, 2017 at 1:07 PM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:
> On Fri, Sep 22, 2017 at 1:02 PM, Joe Orton <jor...@redhat.com> wrote:
> > On Fri, Sep 22, 2017 at 11:3
On Thu, Oct 5, 2017 at 7:28 AM, Eric Covener wrote:
> On Thu, Oct 5, 2017 at 8:08 AM, Plüm, Rüdiger, Vodafone Group
> wrote:
> > Is backporting .gdbinit changes to a stable branch CTR or RTC?
>
> I would think CTR for a typical change there is
On Tue, Oct 3, 2017 at 2:15 AM, Yann Ylavic wrote:
> On Mon, Oct 2, 2017 at 11:57 PM, wrote:
>> Author: ylavic
>> Date: Mon Oct 2 21:57:26 2017
>> New Revision: 1810605
>>
>> URL: http://svn.apache.org/viewvc?rev=1810605=rev
>> Log:
>> ap_expr: open
On Thu, Sep 28, 2017 at 7:44 AM, Stefan Eissing
wrote:
> Update: disregard the man behind the curtain - for now.
>
> I have the strangest effects on my main machine under native macOS 10.12.6,
> which
> do not happen on my parallels ubuntu image and my laptop with
Does this raise concerns for anyone? I'd note that in the case of the x-font
items, we entirely skipped application/font- promotions prior to
font/* registry.
It doesn't seem sane to keep x- tags for posterity, but we might want to mention
the previous application/* types... however we have no
On Mon, Sep 25, 2017 at 12:11 PM, Steffen wrote:
> On Windows it does not build out of the box.
>
> Missing modules/core include for mod_watchdog.h in
> mod_proxy_balancer.dsp/mak and libhttp.dsp/mak. Did not check cmake.
Seems baffling, but it is pretty straightforward
The assert() has me concerned, and Steffen's report is problematic. He has
a vote but hasn't cast it. At this moment I'm -0 and would spin a 2.4.29
next week to address these issues, unless you decide to respin before this
release, yourself.
Nothing I've changed today altered the httpd tarball
On Fri, Sep 22, 2017 at 1:02 PM, Joe Orton <jor...@redhat.com> wrote:
> On Fri, Sep 22, 2017 at 11:39:54AM -0500, William A Rowe Jr wrote:
>> This defect still appears to exist in 2.4.28-dev, no?
>>
>> The rewrite appears to have enjoyed both committer and external tes
On Fri, Sep 22, 2017 at 7:06 AM, Jim Jagielski wrote:
> STATUS looks clean.
>
> Hoping to do a T this afternoon, eastern, unless I hear
> any objections or concerns re: timing.
svn looks good here. Only one potentially missed item IMO, it could wait
till 2.4.29, but if we hear
This defect still appears to exist in 2.4.28-dev, no?
The rewrite appears to have enjoyed both committer and external testing and
the patch looks suitable for backport. It has enjoyed careful consideration by
at least four committers.
Reading
What more would we want to say here? Mention that the Allow: header may respond
with corrupted output? It seems other side effects can be present, which is why
I kept this simple.
On Thu, Sep 21, 2017 at 1:33 PM, wrote:
> Author: wrowe
> Date: Thu Sep 21 18:33:47 2017
> New
Thanks for the report Michael.
The 2.2.x series is now retired and end-of-life.
The warnings are no-ops... they are inherited to child ./configure bits so
the basic httpd-2.x/configure may holler about options only applicable to
the bundled packages, and the bundled packages may holler about
So as most people have correctly identified, this defect has existed
for an incredibly long time.
But how it is triggered and avoided would help us to correctly study
unexpected behaviors.
OPTIONS * - won't trigger the defect, .htaccess should not be examined.
OPTIONS / - may trigger the
Duplicate file type matches will just confuse the hash lookup, I suspect.
Drop the file-types from deprecated mime type entries, include mention the
deprecated types though, for the sake of completeness. There are other
examples of this pattern in mime.types, of types with no file type assigned.
This has been the object of some debate, read Lisa's errata rejection of ID
1081 and 1353...
https://www.rfc-editor.org/errata/rfc1123
On Sep 16, 2017 10:00, "Eric Covener" wrote:
On Sat, Sep 16, 2017 at 9:48 AM, Yann Ylavic wrote:
> On Sat, Sep 16,
s abandoned, so in my opinion unless
> somebody steps up to work on it I'd be in favor of remove it from
> www.a.o/dist/httpd/flood.
>
> Luca
>
>
> 2017-09-01 18:39 GMT+02:00 William A Rowe Jr <wr...@rowe-clan.net>:
>>
>> What's our position on this? Is it time
On Thu, Sep 14, 2017 at 4:50 AM, Nick Kew <n...@apache.org> wrote:
> On Wed, 13 Sep 2017 08:29:44 -0500
> William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
>> So moving forwards, can we stop accepting stuff that isn't HTTP/1.1 in
>> our HTTP/1.1 server? Do w
So moving forwards, can we stop accepting stuff that isn't HTTP/1.1 in
our HTTP/1.1 server? Do we really want people to configure their
server to speak "other"?
I'm starting to collect https://wiki.apache.org/httpd/Applications
based on searching google for instances where users have toggled
On Fri, Sep 8, 2017 at 10:14 AM, Yann Ylavic wrote:
> Hi Stefan,
>
> On Fri, Sep 8, 2017 at 5:06 PM, wrote:
>> Author: icing
>> Date: Fri Sep 8 15:06:44 2017
>> New Revision: 180
>>
>> URL: http://svn.apache.org/viewvc?rev=180=rev
>> Log:
>> On
Reminder, this will not work with the current server_rec, we have a 1:1
correspondence to the server port. We would need to stop looking at that
field and track the port entirely on the connection and the server rec
addresses array.
On Fri, Sep 1, 2017 at 10:12 AM, Eric Covener
What's our position on this? Is it time to declare flood abandoned?
Are there any users of this tool who want to contribute to maintaining it?
Offhand, I expect it does not support TLS/SNI. Nor HTTP/2.
If abandoned, we can simply remove www.a.o/dist/httpd/flood
to resolve Daniel's issue. If not
This slightly overlaps what Jacob has been working on with his
schema for our autobuilds, wrapping up my own work and then
turning to his efforts to see where we have some good synergies
to exchange.
One thing that has stood out, but I never claimed I had much
skill in the unix build schema (now
On Thu, Aug 10, 2017 at 9:21 AM, Reindl Harald
wrote:
>
>
> ServerName corecms.example.com
> DocumentRoot "/www/corecms.example.com"
>
This doesn't work, of course, owing to server_rec members such as scheme
and port. If these moved to the addrs member, and we
On Thu, Aug 10, 2017 at 9:21 AM, Reindl Harald wrote:
>
> it also would solve the chicken-egg-problem (again, without mod_md) that you
> first need the http-host working for the well-known verfication file and the
> path of the certificate could be easily pre-configured in
On Thu, Aug 10, 2017 at 9:19 AM, Stefan Eissing
<stefan.eiss...@greenbytes.de> wrote:
>
>> On 10.08.2017 at 16:09, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>>> Would we expect breakage by such a change?
>>
>> I think that Listen
On Thu, Aug 10, 2017 at 4:37 AM, Stefan Eissing
wrote:
>
>> On 09.08.2017 at 20:32, Jacob Perkins wrote:
>>
>> Hi Stefan,
>>
>> A patch for 2.4.27 would be great.
>>
>> Your assistance is greatly appreciated.
>
> Gladly. Patch available
Let's break it down and consider the implications of Listen...
On Thu, Aug 10, 2017 at 8:28 AM, Stefan Eissing
wrote:
> Now that mod_md has landed in trunk, I am looking at more ways
> to simplify a SSL configuration. Looking at the Listen directive,
> it has an
This current behavior still seems wrong in httpd. A content (as opposed
perhaps to transfer) should not vary, in fact cannot vary if an etag is
presented.
I suspect that the deflate filter looks to see if there is a benefit to
compression, and cannot do so until it has a body. If it is going to
+1.
As an alternative... an execute-on-read directive of ProxyBalancerPrecision
or similarly named directive (default 100, but drop or add decimals as
they will)
would let anyone add in or sub out a decimal.
My thought, taking away 1000 (3 decimal) from 2bn really wouldn't be a
hardship on any
On Fri, Aug 4, 2017 at 4:26 AM, Stefan Eissing
wrote:
> I talked about some kind of SSL Policy definition in httpd's configuration
> in the past and am now about to get serious about it. Here is what I want to
> do:
>
> Recap: the general idea is
> 2. Provide a set of
IMO that's garbage, please revert. I don't believe that any ASF project,
which has very firm rules about appropriating code bases, should be
tolerating namespace abuse and mark infringement against other
projects.
If they want us to test a symbol in a LIBRESSL space, that's fine, but
OPENSSL
On Wed, Aug 2, 2017 at 12:33 PM, Jim Jagielski wrote:
> I'll be adding some code to allow for lbfactors to be
> single decimal numbers (like 1.1, 2.5, etc...)... People
> have asked "How do I change it so that machine B is like 10%
> preferred" and I mention that "Well, you
.. that was fixed earlier today, so
> you should be good to go now!
>
> Cheers,
> -g
>
>
> On Wed, Jul 26, 2017 at 2:53 PM, William A Rowe Jr <wr...@apache.org>
> wrote:
>
>> I would push this edit live (looking good from a local regen here), but
>> ht
I would push this edit live (looking good from a local regen here), but
https://cms.a.o has been down for a number of hours. bcc'ing root@
so that they are aware that we've lost that control panel, @infrabot
hasn't posted a status on the service.
Cheers,
Bill
> Author: wrowe
> Date: Wed Jul 26
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
all versions through 2.2.33 and 2.4.26
Description:
The value placeholder in [Proxy-]Authorization headers
of type 'Digest' was not initialized or
CVE-2017-9789: Read after free in mod_http2
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.26
Description:
When under stress, closing many connections, the HTTP/2
handling code would sometimes access memory after it has
been freed, resulting in
On Wed, Jul 12, 2017 at 4:47 AM, Daniel wrote:
> Hello,
>
> Just FYI
>
> http://httpd.apache.org/download.cgi is still pointing to 2.2.32
> version and thus gives a 404 when trying to download.
Thanks for the report! Now fixed.
July 11, 2017
The Apache Software Foundation and the Apache HTTP Server Project
announce the release of version 2.2.34 of the Apache HTTP Server
("Apache"), the final maintenance release of the 2.2 series. No
further 2.2 releases are anticipated. This version of Apache is
.4.25, but still NG.
>
> Next, I read Apache HTTP Server Change log, I found
> mod_filter changes. I tested mod_filter.so and
> mod_ext_filter.so to 2.4.25, NG.
>
> Next, I tested httpd.exe to 2.4.25, NG.
>
> Next, I read Apache Lounge's used modules, I found APR is
> upgraded to
to the list
of those where we accept PROXY protocol wrapping?
On Fri, Jun 9, 2017 at 8:29 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Fri, Jun 9, 2017 at 4:17 AM, Sander Hoentjen <san...@hoentjen.eu> wrote:
>> On 06/08/2017 07:30 PM, Daniel Rugge
On Thu, Jul 6, 2017 at 2:33 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> For your consideration... pre-release candidate tarballs of
> Apache legacy httpd 2.2.34 can be found in;
>
> http://httpd.apache.org/dev/dist/
>
> Thanks all who merged the security
On Fri, Jul 7, 2017 at 7:13 AM, Jim Jagielski wrote:
> 2.4.26/27 doesn't *require* APR/APU 1.6.x, but there are
> some features that depend on it. If it's a bug in apr 1.6.x,
> then it's not a httpd bug specifically... imo at least.
>
> any further detail on how the below is
For your consideration... pre-release candidate tarballs of
Apache legacy httpd 2.2.34 can be found in;
http://httpd.apache.org/dev/dist/
Thanks all who merged the security work in and other fixes,
and helped identify a couple more lingering defects.
As we picked end of maintenance Jul 1 '17 -
On Fri, Jun 23, 2017 at 5:19 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> For your consideration... pre-release candidate tarballs of
> Apache legacy httpd 2.2.33 can be found in;
>
> http://httpd.apache.org/dev/dist/
To make things clear, this call for [VOTE]
On Thu, Jul 6, 2017 at 12:28 PM, Jacob Champion wrote:
>
> Administrators using prefork who would like to switch to HTTP/2 in the
> future need to understand the limitations of the prefork architecture they
> have selected. And sure, our users can request that we implement a
On Thu, Jul 6, 2017 at 12:20 PM, Helmut K. C. Tessarek
wrote:
> On 2017-07-06 13:09, Reindl Harald wrote:
>> with removing mpm_prefork support for H2 you kill HTTP2 support for a
>> lot of production setups which may consider switch to H2 in the future
>> and for sure not
+1 to removing support of mpm prefork. I'd prefer it still start and if
configured, with an [error] level alert in the logs and simply be disabled.
Server must start when module is loaded but not configured, e.g. in test
framework, IMO.
On Jul 6, 2017 10:31 AM, "Stefan Eissing"
t/apache/expr_string.t(Wstat: 0 Tests: 23 Failed: 1)
Failed test: 14
# writing file:
/home/wrowe/dev/test/test2x-apr20-ossl110/t/htdocs/apache/expr/.htaccess
ok 12
Expected return code 200, got 200 for '}'
ok 13
Got '}', expected '}'
ok 14
Any reason I should expect an
+1
On Jul 3, 2017 6:33 AM, "Jim Jagielski" wrote:
> Anyone opposed to a quick T and release of 2.4.27 within
> the next week?
>
I'm reading https://tools.ietf.org/html/rfc3875#section-4.1.5 as the
PATH_INFO is entirely distinct from QUERY_STRING.
On Sun, Jul 2, 2017 at 10:08 AM, Jim Jagielski wrote:
> There is one (I hope!) final question... There seems to be
> conflicting interpretations on whether
You already have my unconditional +1 to bring us back to a trusted state.
On Jun 30, 2017 16:55, "Jacob Champion" wrote:
> On 06/30/2017 11:40 AM, Jacob Champion wrote:
>
>> As far as I can tell it has no downsides, so my only request is that we
>> add it to CHANGES (or
-1 on showstopper. It's a bug, no security implications, cope with it.
Thousands of bugs pass through STATUS, what makes yours special?
That said, unconditional +1 to any mod_proxy_fcgi.c patches you or Jim or
any committers determine for backport, I'd prefer we treat the module as
experimental
On Wed, Jun 28, 2017 at 8:08 AM, wrote:
> Author: jim
> Date: Wed Jun 28 13:08:41 2017
> New Revision: 1800162
>
> --- httpd/test/framework/trunk/t/modules/proxy.t (original)
> +++ httpd/test/framework/trunk/t/modules/proxy.t Wed Jun 28 13:08:41 2017
> @@ -7,7 +7,7 @@ use
Actually, I should have backed out rpluem's vote for the original one line
patch.
Can we get one more pair of eyeballs (or cross-vote the other branch) so
this is properly accepted?
On Jun 28, 2017 10:49, wrote:
> Author: ylavic
> Date: Wed Jun 28 15:49:07 2017
> New
On Wed, Jun 28, 2017 at 7:14 AM, Yann wrote:
>
> Looks like the code after the patch below would be simpler and work too :
Agreed this is easier to follow, tmp_field is otherwise unused in the
unsafe code path. Proposed for backport, thanks.
Note this patch is the 2.2,
Sounds great. Reviewing Yann's alternate patch now.
On Jun 28, 2017 06:41, "Yann" wrote:
> On Wed, Jun 28, 2017 at 11:51 AM, Jim Jagielski wrote:
> > I would also suggest to reroll: I'll test the reroll on my systems here.
>
> +1
>
are looking pretty good according to the test framework. Looks like a
one line patch as described in the bugzilla ticket.
On Jun 27, 2017 12:44, "Jacob Champion" <champio...@gmail.com> wrote:
> On 06/27/2017 10:21 AM, William A Rowe Jr wrote:
>
>> If voters would
On Jun 23, 2017 5:19 PM, "William A Rowe Jr" <wr...@rowe-clan.net> wrote:
For your consideration... pre-release candidate tarballs of
Apache legacy httpd 2.2.33 can be found in;
http://httpd.apache.org/dev/dist/
Thanks all who merged the security work in and other fixes.
Thanks Petr, every review and evaluation is appreciated!
On Jun 26, 2017 8:46 AM, "Petr Gajdos" <pgaj...@suse.cz> wrote:
On Fri, Jun 23, 2017 at 05:19:47PM -0500, William A Rowe Jr wrote:
> For your consideration... pre-release candidate tarballs of
> Apache legacy htt
On Jun 27, 2017 12:08 PM, "Moradhassel, Kavian" wrote:
Did this discussion result in a decision to provide a fix for the bug in
2.4.26 and plan for a 2.4.27 soon? I'm wondering if I should be waiting
for a 2.4.27 in the next handful of weeks, or if I should just accept that
On Jun 27, 2017 3:00 AM, "Yann" <ylavic@gmail.com> wrote:
On Tue, Jun 27, 2017 at 12:49 AM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:
> On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:
>> On Mon, Jun 26, 2017 at 5:34
On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Mon, Jun 26, 2017 at 5:34 PM, Yann <ylavic@gmail.com> wrote:
>
>> What could be the "security blunders" with 404 vs 403?
>
> A 403 says "go away, you are
On Mon, Jun 26, 2017 at 5:34 PM, Yann <ylavic@gmail.com> wrote:
> On Mon, Jun 26, 2017 at 11:51 PM, William A Rowe Jr <wr...@rowe-clan.net>
> wrote:
>> On Mon, Jun 26, 2017 at 4:44 PM, William A Rowe Jr <wr...@rowe-clan.net>
>> wrote:
>>>
>>
On Mon, Jun 26, 2017 at 4:44 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> On Mon, Jun 26, 2017 at 3:40 PM, Gregg Smith <g...@gknw.net> wrote:
>>
>> On 6/24/2017 10:02 AM, William A Rowe Jr wrote:
>>>
>>> On Sat, Jun 24, 2017 at 12:4
Hi Gregg,
sending publicly while you have a negotiation with your email client :)
On Mon, Jun 26, 2017 at 3:40 PM, Gregg Smith <g...@gknw.net> wrote:
>
> On 6/24/2017 10:02 AM, William A Rowe Jr wrote:
>>
>> On Sat, Jun 24, 2017 at 12:49 AM, <gsm...@apache.org>
On Mon, Jun 26, 2017 at 3:14 PM, Jacob Champion <champio...@gmail.com> wrote:
> On 06/20/2017 11:08 PM, William A Rowe Jr wrote:
>>
>> Sorry but I reraise my objection and veto worthless cpu cycles.
>
> For posterity, can I get a succinct description of your technical
>
kman" <m...@exonetric.com> wrote:
>
> On 14 Jun 2017, at 22:12, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
>
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these ca
On Sat, Jun 24, 2017 at 12:49 AM, wrote:
> Author: gsmith
> Date: Sat Jun 24 05:49:45 2017
> New Revision: 1799731
>
> URL: http://svn.apache.org/viewvc?rev=1799731=rev
> Log:
> Send a 404 response like other OSs do instead of 403 on Windows when
> a path segment or file
For your consideration... pre-release candidate tarballs of
Apache legacy httpd 2.2.33 can be found in;
http://httpd.apache.org/dev/dist/
Thanks all who merged the security work in and other fixes.
As we picked end of maintenance Jul 1 '17 - the [discuss]
thread had sufficient time for response
If two commits occur in a short enough period of time, the datestamp of the
newly refreshed source may be earlier than the .o generated by the first
update.
On Jun 21, 2017 11:06, "Jacob Champion" wrote:
> On 06/21/2017 09:00 AM, build...@apache.org wrote:
>
>> The
mod_proxy_balancer.c: In function 'balancer_handler':
mod_proxy_balancer.c:1144:25: error: 'HCHECK_WATHCHDOG_INTERVAL'
undeclared (first use in this function)
if (ival >= HCHECK_WATHCHDOG_INTERVAL) {
^
mod_proxy_balancer.c:1144:25: note: each undeclared
On Wed, Jun 21, 2017 at 1:08 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> But there were only two questionable values for \0, and in this case the
> answer is obvious. Invert the rule to a TOKEN char from the rather dubious
> TOKEN_STOP definition. Solved.
... for t
Sorry but I reraise my objection and veto worthless cpu cycles.
The correct fix to your concern is to document all expected behavior of the
null but in gen_test_char.c - and in such tests a /* !c && */ notation is
fine.
Due to the way we assemble the code, I'm not convinced it that any compiler
On Tue, Jun 20, 2017 at 1:32 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> On Tue, Jun 20, 2017 at 12:12 PM, Jim Jagielski <j...@jagunet.com> wrote:
>>
>>> On Jun 20, 2017, at 1:03 PM, Jacob Champion <champio...@gmail.com> wrote:
>>>
>>
On Tue, Jun 20, 2017 at 12:12 PM, Jim Jagielski <j...@jagunet.com> wrote:
>
>> On Jun 20, 2017, at 1:03 PM, Jacob Champion <champio...@gmail.com> wrote:
>>
>> On 06/20/2017 10:00 AM, William A Rowe Jr wrote:
>>> You must presume it is in the wild, a