Re: [users@httpd] [ANNOUNCE] Apache HTTP Server 2.4.29 Released

2017-10-23 Thread William A Rowe Jr
On Mon, Oct 23, 2017 at 11:45 AM, Jim Jagielski wrote: > Apache HTTP Server 2.4.29 Released > > October 23, 2017 > > The Apache Software Foundation and the Apache HTTP Server Project > are pleased to announce the release of version 2.4.29 of the Apache > HTTP Server

Re: SSLProxy* in section

2017-10-23 Thread William A Rowe Jr
On Mon, Oct 23, 2017 at 9:54 AM, Stefan Eissing wrote: > >> On 23.10.2017 at 16:25, Yann Ylavic wrote: >> >> Hi Stefan, >> >> On Mon, Oct 23, 2017 at 2:42 PM, Stefan Eissing >> wrote: >>> >>> Can you give me a

Re: [VOTE] Release Apache httpd 2.4.29 as GA

2017-10-19 Thread William A Rowe Jr
On Thu, Oct 19, 2017 at 4:15 PM, Steffen wrote: > I said before: In Apache.dsw is now project xml removed, it is not building > out of the box with current released apr-util. With coming apr-util 1.6.1 it > should be possible to build. > > With the expat/xml changes in

Revisiting odd test framework servername behaviors

2017-10-19 Thread William A Rowe Jr
# Failed test 56 in t/ssl/varlookup.t at line 109 fail #56 # Failed test 58 in t/ssl/varlookup.t at line 109 fail #58 # testing : SSL_SERVER_SAN_DNS_0 # expected: 'localhost' # received: 'localhost.localdomain' not ok 56 # testing : SSL_SERVER_SAN_OTHER_dnsSRV_0 # expected: '_https.localhost' #

Why tag 2.5.0? [Was: Re: Tagging 2.4.29 / 2.5.0-{alpha/beta?} today]

2017-10-18 Thread William A Rowe Jr
On Fri, Oct 13, 2017 at 8:25 AM, Jim Jagielski wrote: > Why lump 2.5.0 into all this? > > There is no rational reason to force connect 2.4.29 and 2.5.0 > > Tag 2.4.29 and leave 2.5.0 alone until people discuss it. Until then > I will veto any foolishness about 2.5.0-whatever.

Re: svn commit: r1812393 - in /httpd/httpd/branches/2.4.x: ./ STATUS modules/http2/ modules/http2/config2.m4

2017-10-18 Thread William A Rowe Jr
On Wed, Oct 18, 2017 at 12:36 AM, Marion & Christophe JAILLET < christophe.jail...@wanadoo.fr> wrote: > Hi, > > just for my own curiosity: why do we prefer 32 bits libs? > It is not a value judgement, we simply consume lib/pkginfo before lib64/pkginfo in this patch. We didn't even look at

Re: svn commit: r1812303 - /httpd/httpd/branches/2.4.x/STATUS

2017-10-16 Thread William A Rowe Jr
Seems Jim is +0 to back out and I'm +0 to keep. First strong opinion wins so we can get to tagging :) Absolute consensus on informing our apr, and httpd builders what not to pass as CFLAGS, and why. On Oct 16, 2017 13:58, "William A Rowe Jr" <wr...@rowe-clan.net> wrote: >

Re: buildbot failure in on httpd-trunk

2017-10-16 Thread William A Rowe Jr
Rainer, https://ci.apache.org/builders/httpd-trunk/builds/1203 would you please re-kick this build from a clean svn checkout? I think we have various mistakes in our exports.c preprocessor that become tangled in any rebuild scenario. On Mon, Oct 16, 2017 at 8:30 AM, Rainer Jung

Re: svn commit: r1812303 - /httpd/httpd/branches/2.4.x/STATUS

2017-10-16 Thread William A Rowe Jr
If the patch has merit on its own, without being generalized, then I'm fine with tagging 1.6.1 with the OS/X specific backport included. Note that the proposed httpd fix is still uneasy about the trunk flavor; https://ci.apache.org/builders/httpd-trunk/builds/1202 On Mon, Oct 16, 2017 at 1:11

Re: svn commit: r1812303 - /httpd/httpd/branches/2.4.x/STATUS

2017-10-16 Thread William A Rowe Jr
I raised the question of whether the OS/X changes introduced and backported in APR are still necessary or desired, or if they should be backed out, and whether this patch, munged for APR_ macros, is needed for apr 1.6.3 tag? Yann suggests; On Oct 16, 2017 11:31, "Yann Ylavic"

Re: Tagging 2.4.29 / 2.5.0-{alpha/beta?} today

2017-10-15 Thread William A Rowe Jr
with current released apr-util. > > With coming apr-util 1.6.1 it should be fine. > > On Friday 13/10/2017 at 15:20, William A Rowe Jr wrote: > > Is anyone seeing an issue of concern about stability on 2.4.x branch? > > Has anyone else looked at Jim's proposed fixes for xcod

Re: Tagging 2.4.29 / 2.5.0-{alpha/beta?} today

2017-10-15 Thread William A Rowe Jr
I've been watching the maintainer mode deliberations on dev@apr with great interest. I'm also keenly aware of Steffen's concerns, especially since dropping pcre didn't cause nearly this much trouble. If we are all on the same page, I'll continue to work through the expat headache on Monday and

Re: svn commit: r1812217 - /httpd/httpd/branches/2.4.x/STATUS

2017-10-15 Thread William A Rowe Jr
Reading this commentary, we agree that is an enhancement. On Oct 15, 2017 06:32, wrote: > Author: rjung > Date: Sun Oct 15 11:31:58 2017 > New Revision: 1812217 > > URL: http://svn.apache.org/viewvc?rev=1812217&view=rev > Log: > Vote, comment. > > Modified: >

Re: AC_CHECK_LIB issues under maintainer mode (Was: Re: Tagging 2.4.29 / 2.5.0-{alpha/beta?} today)

2017-10-13 Thread William A Rowe Jr
Thank you for this summary! On Oct 13, 2017 10:51, "Jim Jagielski" wrote: > Let's recall what is really happening... > > In maintainer mode, the build system sets -Werror and -Wstrict-prototypes. > This means that functions which lack strict prototypes will "fail". > > Now

Re: Tagging 2.4.29 / 2.5.0-{alpha/beta?} today

2017-10-13 Thread William A Rowe Jr
On Oct 13, 2017 08:41, "Stefan Eissing" <stefan.eiss...@greenbytes.de> wrote: > On 13.10.2017 at 15:19, William A Rowe Jr <wr...@rowe-clan.net> wrote: > > Is anyone seeing an issue of concern about stability on 2.4.x branch? Not any more than in previous releas

Tagging 2.4.29 / 2.5.0-{alpha/beta?} today

2017-10-13 Thread William A Rowe Jr
Is anyone seeing an issue of concern about stability on 2.4.x branch? Has anyone else looked at Jim's proposed fixes for xcode 9 building under maintainer mode? A couple-line quick fix to configure.in, that anyone on OS/X should be able to validate in minutes. The same fix is already present on

Re: svn commit: r1808855 [2/2] - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/ docs/manual/mod/mod_proxy.xml modules/http2/ modules/proxy/mod_proxy.c modules/proxy/mod_proxy_balancer.

2017-10-12 Thread William A Rowe Jr
lavic" <ylavic@gmail.com> wrote: > On Thu, Oct 12, 2017 at 9:18 PM, Yann Ylavic <ylavic@gmail.com> wrote: > > On Thu, Oct 12, 2017 at 7:42 PM, William A Rowe Jr <wr...@rowe-clan.net> > wrote: > >> On Sep 19, 2017 05:17, <j...@apache.org> wro

Re: svn commit: r1808855 [2/2] - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/ docs/manual/mod/mod_proxy.xml modules/http2/ modules/proxy/mod_proxy.c modules/proxy/mod_proxy_balancer.

2017-10-12 Thread William A Rowe Jr
On Thu, Oct 12, 2017 at 2:30 PM, Yann Ylavic <ylavic@gmail.com> wrote: > On Thu, Oct 12, 2017 at 9:18 PM, Yann Ylavic <ylavic@gmail.com> wrote: > > On Thu, Oct 12, 2017 at 7:42 PM, William A Rowe Jr <wr...@rowe-clan.net> > wrote: > >> On Sep

Re: svn commit: r1808855 [2/2] - in /httpd/httpd/branches/2.4.x: ./ CHANGES STATUS docs/manual/ docs/manual/mod/mod_proxy.xml modules/http2/ modules/proxy/mod_proxy.c modules/proxy/mod_proxy_balancer.

2017-10-12 Thread William A Rowe Jr
On Sep 19, 2017 05:17, wrote: Modified: httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/proxy/mod_proxy.c?rev=1808855&r1=1808854&r2=1808855&view=diff

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2017-10-11 Thread William A Rowe Jr
I will review again tomorrow. My jump-around idea was to check against all of the bits in not dir loc file, and if the module's MMN minor is too early, treat the section as if that bit is set. On Oct 11, 2017 16:13, "Yann Ylavic" wrote: On Wed, Oct 11, 2017 at 11:02

Re: svn commit: r1740928 - in /httpd/httpd/trunk: ./ include/ modules/http2/ modules/proxy/ modules/ssl/ server/

2017-10-11 Thread William A Rowe Jr
On Mon, Apr 25, 2016 at 7:04 PM, wrote: > Author: ylavic > Date: Tue Apr 26 00:04:57 2016 > New Revision: 1740928 > > URL: http://svn.apache.org/viewvc?rev=1740928&view=rev > Log: > mod_proxy, mod_ssl: Handle SSLProxy* directives in sections, > allowing different TLS

Re: svn commit: r1810012 - in /httpd/httpd/branches/2.4.x: libhttpd.dsp libhttpd.mak

2017-10-10 Thread William A Rowe Jr
On Tue, Oct 10, 2017 at 4:04 AM, Ivan Zhakov wrote: > On 28 September 2017 at 20:17, wrote: > > > > Author: wrowe > > Date: Thu Sep 28 17:17:42 2017 > > New Revision: 1810012 > > > > URL: http://svn.apache.org/viewvc?rev=1810012&view=rev > > Log: > > Duplicate

Re: [CLOSED] [VOTE] Release Apache httpd 2.4.28 as GA

2017-10-09 Thread William A Rowe Jr
unced? At least the >> website sez it was, and it looks like an Email was >> sent to announce@a.o but I'm not seeing anything on >> the httpd lists >> > > Forwarded Message > Subject: [Announcement] Apache HTTP Server 2.4.28 Released >

Re: httpd memory consumption

2017-10-07 Thread William A Rowe Jr
Have you tried bisecting the config directives to see which is triggering the memory abuse? Sounds like the module might not be async-ready, but should httpd really be doing many thread swaps before the listener thread is tripped? Does one of your modules load a large table à la Geo IP mapping?

Re: [CLOSED] [VOTE] Release Apache httpd 2.4.28 as GA

2017-10-05 Thread William A Rowe Jr
ct 4, 2017 at 7:41 AM, Jim Jagielski <j...@jagunet.com> wrote: > Sure. Anyone who wants to announce, please do so!! :) > > > On Oct 3, 2017, at 11:47 AM, William A Rowe Jr <wr...@rowe-clan.net> > wrote: > > > > On Tue, Oct 3, 2017 at 6:46 AM, Jim Jagiel

Re: svn commit: r1808230 - /httpd/httpd/trunk/server/protocol.c

2017-10-05 Thread William A Rowe Jr
We have been at 2.4.29-dev for a few days now, are you ready to advance this proposal? On Fri, Sep 22, 2017 at 1:07 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > On Fri, Sep 22, 2017 at 1:02 PM, Joe Orton <jor...@redhat.com> wrote: > > On Fri, Sep 22, 2017 at 11:3

Re: .gdbinit changes backports. CTR or RTC?

2017-10-05 Thread William A Rowe Jr
On Thu, Oct 5, 2017 at 7:28 AM, Eric Covener wrote: > On Thu, Oct 5, 2017 at 8:08 AM, Plüm, Rüdiger, Vodafone Group > wrote: > > Is backporting .gdbinit changes to a stable branch CTR or RTC? > > I would think CTR for a typical change there is

Re: svn commit: r1810605 [1/2] - in /httpd/httpd/trunk: include/ server/

2017-10-03 Thread William A Rowe Jr
On Tue, Oct 3, 2017 at 2:15 AM, Yann Ylavic wrote: > On Mon, Oct 2, 2017 at 11:57 PM, wrote: >> Author: ylavic >> Date: Mon Oct 2 21:57:26 2017 >> New Revision: 1810605 >> >> URL: http://svn.apache.org/viewvc?rev=1810605&view=rev >> Log: >> ap_expr: open

Re: [VOTE] Release Apache httpd 2.4.28 as GA

2017-10-02 Thread William A Rowe Jr
On Thu, Sep 28, 2017 at 7:44 AM, Stefan Eissing wrote: > Update: disregard the man behind the curtain - for now. > > I have the strangest effects on my main machine under native macOS 10.12.6, > which > do not happen on my parallels ubuntu image and my laptop with

Re: svn commit: r1810121 - /httpd/httpd/trunk/docs/conf/mime.types

2017-09-29 Thread William A Rowe Jr
Does this raise concerns for anyone? I'd note that in the case of the x-font items, we entirely skipped application/font- promotions prior to font/* registry. It doesn't seem sane to keep x- tags for posterity, but we might want to mention the previous application/* types... however we have no

Re: [VOTE] Release Apache httpd 2.4.28 as GA

2017-09-28 Thread William A Rowe Jr
On Mon, Sep 25, 2017 at 12:11 PM, Steffen wrote: > On Windows it does not build out of the box. > > Missing modules/core include for mod_watchdog.h in > mod_proxy_balancer.dsp/mak and libhttp.dsp/mak . Did not check cmake. Seems baffling, but it is pretty straightforward

Re: [VOTE] Release Apache httpd 2.4.28 as GA

2017-09-27 Thread William A Rowe Jr
The assert() has me concerned, and Steffen's report is problematic. He has a vote but hasn't cast it. At this moment I'm -0 and would spin a 2.4.29 next week to address these issues, unless you decide to respin before this release, yourself. Nothing I've changed today altered the httpd tarball

Re: svn commit: r1808230 - /httpd/httpd/trunk/server/protocol.c

2017-09-22 Thread William A Rowe Jr
On Fri, Sep 22, 2017 at 1:02 PM, Joe Orton <jor...@redhat.com> wrote: > On Fri, Sep 22, 2017 at 11:39:54AM -0500, William A Rowe Jr wrote: >> This defect still appears to exist in 2.4.28-dev, no? >> >> The rewrite appears to have enjoyed both committer and external tes

Re: Time for 2.4.28 ?

2017-09-22 Thread William A Rowe Jr
On Fri, Sep 22, 2017 at 7:06 AM, Jim Jagielski wrote: > STATUS looks clean. > > Hoping to do a T this afternoon, eastern, unless I hear > any objections or concerns re: timing. svn looks good here. Only one potentially missed item IMO, it could wait till 2.4.29, but if we hear

Re: svn commit: r1808230 - /httpd/httpd/trunk/server/protocol.c

2017-09-22 Thread William A Rowe Jr
This defect still appears to exist in 2.4.28-dev, no? The rewrite appears to have enjoyed both committer and external testing and the patch looks suitable for backport. It has enjoyed careful consideration by at least four committers. Reading

Re: svn commit: r1809192 - /httpd/site/trunk/content/security/vulnerabilities-httpd.xml

2017-09-21 Thread William A Rowe Jr
What more would we want to say here? Mention that the Allow: header may respond with corrupted output? It seems other side effects can be present, which is why I kept this simple. On Thu, Sep 21, 2017 at 1:33 PM, wrote: > Author: wrowe > Date: Thu Sep 21 18:33:47 2017 > New

Re: configure option --enable-option-checking warns about things it does know (httpd-2.2.X)

2017-09-21 Thread William A Rowe Jr
Thanks for the report Michael. The 2.2.x series is now retired and end-of-life. The warnings are no-ops... they are inherited to child ./configure bits so the basic httpd-2.x/configure may holler about options only applicable to the bundled packages, and the bundled packages may holler about

Understanding OptionsBleed

2017-09-20 Thread William A Rowe Jr
So as most people have correctly identified, this defect has existed for an incredibly long time. But how it is triggered and avoided would help us to correctly study unexpected behaviors. OPTIONS * - won't trigger the defect, .htaccess should not be examined. OPTIONS / - may trigger the

Re: mime type woff woff2

2017-09-19 Thread William A Rowe Jr
Duplicate file type matches will just confuse the hash lookup, I suspect. Drop the file-types from deprecated mime type entries, include mention the deprecated types though, for the sake of completeness. There are other examples of this pattern in mime.types, of types with no file type assigned.

Re: svn commit: r1426877 - in /httpd/httpd/trunk: CHANGES include/ap_mmn.h include/http_core.h include/httpd.h modules/http/http_filters.c server/core.c server/protocol.c server/util.c server/vhost.c

2017-09-19 Thread William A Rowe Jr
This has been the object of some debate, read Lisa's errata rejection of ID 1081 and 1353... https://www.rfc-editor.org/errata/rfc1123 On Sep 16, 2017 10:00, "Eric Covener" wrote: On Sat, Sep 16, 2017 at 9:48 AM, Yann Ylavic wrote: > On Sat, Sep 16,

Re: Flood 0.4 status? (was: flood 0.4 was never signed for?)

2017-09-14 Thread William A Rowe Jr
s abandoned, so in my opinion unless > somebody steps up to work on it I'd be in favor of remove it from > www.a.o/dist/httpd/flood. > > Luca > > > 2017-09-01 18:39 GMT+02:00 William A Rowe Jr <wr...@rowe-clan.net>: >> >> What's our position on this? Is it time

Re: Drop HttpProtocolOptions Unsafe from 2.later/3.0 httpd releases?

2017-09-14 Thread William A Rowe Jr
On Thu, Sep 14, 2017 at 4:50 AM, Nick Kew <n...@apache.org> wrote: > On Wed, 13 Sep 2017 08:29:44 -0500 > William A Rowe Jr <wr...@rowe-clan.net> wrote: > >> So moving forwards, can we stop accepting stuff that isn't HTTP/1.1 in >> our HTTP/1.1 server? Do w

Drop HttpProtocolOptions Unsafe from 2.later/3.0 httpd releases?

2017-09-13 Thread William A Rowe Jr
So moving forwards, can we stop accepting stuff that isn't HTTP/1.1 in our HTTP/1.1 server? Do we really want people to configure their server to speak "other"? I'm starting to collect https://wiki.apache.org/httpd/Applications based on searching google for instances where users have toggled

Re: svn commit: r1807777 - /httpd/httpd/trunk/modules/md/Makefile.in

2017-09-08 Thread William A Rowe Jr
On Fri, Sep 8, 2017 at 10:14 AM, Yann Ylavic wrote: > Hi Stefan, > > On Fri, Sep 8, 2017 at 5:06 PM, wrote: >> Author: icing >> Date: Fri Sep 8 15:06:44 2017 >> New Revision: 1807777 >> >> URL: http://svn.apache.org/viewvc?rev=1807777&view=rev >> Log: >> On

Re: Listen 443 https

2017-09-07 Thread William A Rowe Jr
Reminder, this will not work with the current server_rec, we have a 1:1 correspondence to the server port. We would need to stop looking at that field and track the port entirely on the connection and the server rec addresses array. On Fri, Sep 1, 2017 at 10:12 AM, Eric Covener

Flood 0.4 status? (was: flood 0.4 was never signed for?)

2017-09-01 Thread William A Rowe Jr
What's our position on this? Is it time to declare flood abandoned? Are there any users of this tool who want to contribute to maintaining it? Offhand, I expect it does not support TLS/SNI. Nor HTTP/2. If abandoned, we can simply remove www.a.o/dist/httpd/flood to resolve Daniel's issue. If not

Missing make install files?

2017-08-29 Thread William A Rowe Jr
This slightly overlaps what Jacob has been working on with his schema for our autobuilds, wrapping up my own work and then turning to his efforts to see where we have some good synergies to exchange. One thing that has stood out, but I never claimed I had much skill in the unix build schema (now

Re: Listen 443 https

2017-08-10 Thread William A Rowe Jr
On Thu, Aug 10, 2017 at 9:21 AM, Reindl Harald wrote: > > > ServerName corecms.example.com > DocumentRoot "/www/corecms.example.com" > This doesn't work, of course, owing to server_rec members such as scheme and port. If these moved to the addrs member, and we

Re: Listen 443 https

2017-08-10 Thread William A Rowe Jr
On Thu, Aug 10, 2017 at 9:21 AM, Reindl Harald wrote: > > it also would solve the chicken-egg-problem (again, without mod_md) that you > first need the http-host working for the well-known verification file and the > path of the certificate could be easily pre-configured in

Re: Listen 443 https

2017-08-10 Thread William A Rowe Jr
On Thu, Aug 10, 2017 at 9:19 AM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote: > >> On 10.08.2017 at 16:09, William A Rowe Jr <wr...@rowe-clan.net> wrote: >> >>> Would we expect breakage by such a change? >> >> I think that Listen

Re: v1.10.10: fixing stream response getting stuck when writing >32k on a...

2017-08-10 Thread William A Rowe Jr
On Thu, Aug 10, 2017 at 4:37 AM, Stefan Eissing wrote: > >> On 09.08.2017 at 20:32, Jacob Perkins wrote: >> >> Hi Stefan, >> >> A patch for 2.4.27 would be great. >> >> Your assistance is greatly appreciated. > > Gladly. Patch available

Re: Listen 443 https

2017-08-10 Thread William A Rowe Jr
Let's break it down and consider the implications of Listen... On Thu, Aug 10, 2017 at 8:28 AM, Stefan Eissing wrote: > Now that mod_md has landed in trunk, I am looking at more ways > to simplify a SSL configuration. Looking at the Listen directive, > it has an

Re: Content-Type / AddOutputFilterByType DEFLATE text/html

2017-08-08 Thread William A Rowe Jr
This current behavior still seems wrong in httpd. A content (as opposed perhaps to transfer) should not vary, in fact cannot vary if an etag is presented. I suspect that the deflate filter looks to see if there is a benefit to compression, and cannot do so until it has a body. If it is going to

Re: A little nit

2017-08-06 Thread William A Rowe Jr
+1. As an alternative... an execute-on-read directive of ProxyBalancerPrecision or similarly named directive (default 100, but drop or add decimals as they will) would let anyone add in or sub out a decimal. My thought, taking away 1000 (3 decimal) from 2bn really wouldn't be a hardship on any

Re: SSLPolicy

2017-08-04 Thread William A Rowe Jr
On Fri, Aug 4, 2017 at 4:26 AM, Stefan Eissing wrote: > I talked about some kind of SSL Policy definition in httpd's configuration > in the past and am now about to get serious about it. Here is what I want to > do: > > Recap: the general idea is > 2. Provide a set of

Re: svn commit: r1803396 - in /httpd/httpd/trunk: modules/ssl/ support/

2017-08-03 Thread William A Rowe Jr
IMO that's garbage, please revert. I don't believe that any ASF project, which has very firm rules about appropriating code bases, should be tolerating namespace abuse and mark infringement against other projects. If they want us to test a symbol in a LIBRESSL space, that's fine, but OPENSSL

Re: A little nit

2017-08-02 Thread William A Rowe Jr
On Wed, Aug 2, 2017 at 12:33 PM, Jim Jagielski wrote: > I'll be adding some code to allow for lbfactors to be > single decimal numbers (like 1.1, 2.5, etc...)... People > have asked "How do I change it so that machine B is like 10% > preferred" and I mention that "Well, you

Re: svn commit: r1803072 - /httpd/site/trunk/content/security/vulnerabilities-httpd.page/securitydb.xsl

2017-07-26 Thread William A. Rowe Jr.
.. that was fixed earlier today, so > you should be good to go now! > > Cheers, > -g > > > On Wed, Jul 26, 2017 at 2:53 PM, William A Rowe Jr <wr...@apache.org> > wrote: > >> I would push this edit live (looking good from a local regen here), but >> ht

Re: svn commit: r1803072 - /httpd/site/trunk/content/security/vulnerabilities-httpd.page/securitydb.xsl

2017-07-26 Thread William A Rowe Jr
I would push this edit live (looking good from a local regen here), but https://cms.a.o has been down for a number of hours. bcc'ing root@ so that they are aware that we've lost that control panel, @infrabot hasn't posted a status on the service. Cheers, Bill > Author: wrowe > Date: Wed Jul 26

CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest

2017-07-13 Thread William A Rowe Jr
CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest Severity: Important Vendor: The Apache Software Foundation Versions Affected: all versions through 2.2.33 and 2.4.26 Description: The value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or

CVE-2017-9789: Read after free in mod_http2

2017-07-13 Thread William A Rowe Jr
CVE-2017-9789: Read after free in mod_http2 Severity: Important Vendor: The Apache Software Foundation Versions Affected: httpd 2.4.26 Description: When under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in

Re: [Announcement] Apache HTTP Server 2.2.34 Released

2017-07-12 Thread William A Rowe Jr
On Wed, Jul 12, 2017 at 4:47 AM, Daniel wrote: > Hello, > > Just FYI > > http://httpd.apache.org/download.cgi is still pointing to 2.2.32 > version and thus gives a 404 when trying to download. Thanks for the report! Now fixed.

[Announcement] Apache HTTP Server 2.2.34 Released

2017-07-11 Thread William A Rowe Jr
July 11, 2017 The Apache Software Foundation and the Apache HTTP Server Project announce the release of version 2.2.34 of the Apache HTTP Server ("Apache"), the final maintenance release of the 2.2 series. No further 2.2 releases are anticipated. This version of Apache is

Re: httpd 2.4.26 with apr 1.6 ExtFilterDefine

2017-07-10 Thread William A Rowe Jr
.4.25, but still NG. > > Next, I read Apache HTTP Server Change log, I found > mod_filter changes. I tested mod_filter.so and > mod_ext_filter.so to 2.4.25, NG. > > Next, I tested httpd.exe to 2.4.25, NG. > > Next, I read Apache Lounge's used modules, I found APR is > upgraded to

Re: An ask for eyes on proposal

2017-07-10 Thread William A Rowe Jr
to the list of those where we accept PROXY protocol wrapping? On Fri, Jun 9, 2017 at 8:29 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > On Fri, Jun 9, 2017 at 4:17 AM, Sander Hoentjen <san...@hoentjen.eu> wrote: >> On 06/08/2017 07:30 PM, Daniel Rugge

[RESULT] [VOTE] Release httpd-2.2.34

2017-07-10 Thread William A Rowe Jr
On Thu, Jul 6, 2017 at 2:33 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > For your consideration... pre-release candidate tarballs of > Apache legacy httpd 2.2.34 can be found in; > > http://httpd.apache.org/dev/dist/ > > Thanks all who merged the security

Re: httpd 2.4.26 with apr 1.6 ExtFilterDefine

2017-07-07 Thread William A Rowe Jr
On Fri, Jul 7, 2017 at 7:13 AM, Jim Jagielski wrote: > 2.4.26/27 doesn't *require* APR/APU 1.6.x, but there are > some features that depend on it. If it's a bug in apr 1.6.x, > then it's not a httpd bug specifically... imo at least. > > any further detail on how the below is

[VOTE] Release httpd-2.2.34

2017-07-06 Thread William A Rowe Jr
For your consideration... pre-release candidate tarballs of Apache legacy httpd 2.2.34 can be found in; http://httpd.apache.org/dev/dist/ Thanks all who merged the security work in and other fixes, and helped identify a couple more lingering defects. As we picked end of maintenance Jul 1 '17 -

[WITHDRAWN] [VOTE] Release httpd-2.2.33

2017-07-06 Thread William A Rowe Jr
On Fri, Jun 23, 2017 at 5:19 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > For your consideration... pre-release candidate tarballs of > Apache legacy httpd 2.2.33 can be found in; > > http://httpd.apache.org/dev/dist/ To make things clear, this call for [VOTE]

Re: 2.4.27

2017-07-06 Thread William A Rowe Jr
On Thu, Jul 6, 2017 at 12:28 PM, Jacob Champion wrote: > > Administrators using prefork who would like to switch to HTTP/2 in the > future need to understand the limitations of the prefork architecture they > have selected. And sure, our users can request that we implement a

Re: 2.4.27

2017-07-06 Thread William A Rowe Jr
On Thu, Jul 6, 2017 at 12:20 PM, Helmut K. C. Tessarek wrote: > On 2017-07-06 13:09, Reindl Harald wrote: >> with removing mpm_prefork support for H2 you kill HTTP2 support for a >> lot of production setups which may consider switch to H2 in the future >> and for sure not

Re: 2.4.27

2017-07-06 Thread William A Rowe Jr
+1 to removing support of mpm prefork. I'd prefer it still start and if configured, with an [error] level alert in the logs and simply be disabled. Server must start when module is loaded but not configured, e.g. in test framework, IMO. On Jul 6, 2017 10:31 AM, "Stefan Eissing"

Test case intermittent failure?

2017-07-05 Thread William A Rowe Jr
t/apache/expr_string.t(Wstat: 0 Tests: 23 Failed: 1) Failed test: 14 # writing file: /home/wrowe/dev/test/test2x-apr20-ossl110/t/htdocs/apache/expr/.htaccess ok 12 Expected return code 200, got 200 for '}' ok 13 Got '}', expected '}' ok 14 Any reason I should expect an

Re: 2.4.27

2017-07-03 Thread William A Rowe Jr
+1 On Jul 3, 2017 6:33 AM, "Jim Jagielski" wrote: > Anyone opposed to a quick T and release of 2.4.27 within > the next week? >

Re: FastCGI env-vars

2017-07-02 Thread William A Rowe Jr
I'm reading https://tools.ietf.org/html/rfc3875#section-4.1.5 as the PATH_INFO is entirely distinct from QUERY_STRING. On Sun, Jul 2, 2017 at 10:08 AM, Jim Jagielski wrote: > There is one (I hope!) final question... There seems to be > conflicting interpretations on whether

Re: svn commit: r1800306 - in /httpd/httpd/trunk: CHANGES modules/mappers/mod_actions.c modules/proxy/mod_proxy_fcgi.c

2017-07-01 Thread William A Rowe Jr
You already have my unconditional +1 to bring us back to a trusted state. On Jun 30, 2017 16:55, "Jacob Champion" wrote: > On 06/30/2017 11:40 AM, Jacob Champion wrote: > >> As far as I can tell it has no downsides, so my only request is that we >> add it to CHANGES (or

Re: svn commit: r1800307 - /httpd/httpd/branches/2.4.x/STATUS

2017-06-30 Thread William A Rowe Jr
-1 on showstopper. It's a bug, no security implications, cope with it. Thousands of bugs pass through STATUS, what makes yours special? That said, unconditional +1 to any mod_proxy_fcgi.c patches you or Jim or any committers determine for backport, I'd prefer we treat the module as experimental

Re: svn commit: r1800162 - in /httpd/test/framework/trunk/t: conf/extra.conf.in modules/proxy.t

2017-06-29 Thread William A Rowe Jr
On Wed, Jun 28, 2017 at 8:08 AM, wrote: > Author: jim > Date: Wed Jun 28 13:08:41 2017 > New Revision: 1800162 > > --- httpd/test/framework/trunk/t/modules/proxy.t (original) > +++ httpd/test/framework/trunk/t/modules/proxy.t Wed Jun 28 13:08:41 2017 > @@ -7,7 +7,7 @@ use

Re: svn commit: r1800181 - /httpd/httpd/branches/2.4.x/STATUS

2017-06-28 Thread William A Rowe Jr
Actually, I should have backed out rpluem's vote for the original one line patch. Can we get one more pair of eyeballs (or cross-vote the other branch) so this is properly accepted? On Jun 28, 2017 10:49, wrote: > Author: ylavic > Date: Wed Jun 28 15:49:07 2017 > New

Re: svn commit: r1800111 - /httpd/httpd/trunk/server/protocol.c

2017-06-28 Thread William A Rowe Jr
On Wed, Jun 28, 2017 at 7:14 AM, Yann wrote: > > Looks like the code after the patch below would be simpler and work too : Agreed this is easier to follow, tmp_field is otherwise unused in the unsafe code path. Proposed for backport, thanks. Note this patch is the 2.2,

Re: [VOTE] Release httpd-2.2.33

2017-06-28 Thread William A Rowe Jr
Sounds great. Reviewing Yann's alternate patch now. On Jun 28, 2017 06:41, "Yann" wrote: > On Wed, Jun 28, 2017 at 11:51 AM, Jim Jagielski wrote: > > I would also suggest to reroll: I'll test the reroll on my systems here. > > +1 >

Re: [VOTE] Release httpd-2.2.33

2017-06-27 Thread William A Rowe Jr
are looking pretty good according to the test framework. Looks like a one line patch as described in the bugzilla ticket. On Jun 27, 2017 12:44, "Jacob Champion" <champio...@gmail.com> wrote: > On 06/27/2017 10:21 AM, William A Rowe Jr wrote: > >> If voters would

Re: [VOTE] Release httpd-2.2.33

2017-06-27 Thread William A Rowe Jr
On Jun 23, 2017 5:19 PM, "William A Rowe Jr" <wr...@rowe-clan.net> wrote: For your consideration... pre-release candidate tarballs of Apache legacy httpd 2.2.33 can be found in; http://httpd.apache.org/dev/dist/ Thanks all who merged the security work in and other fixes.

Re: [VOTE] Release httpd-2.2.33

2017-06-27 Thread William A Rowe Jr
Thanks Petr, every review and evaluation is appreciated! On Jun 26, 2017 8:46 AM, "Petr Gajdos" <pgaj...@suse.cz> wrote: On Fri, Jun 23, 2017 at 05:19:47PM -0500, William A Rowe Jr wrote: > For your consideration... pre-release candidate tarballs of > Apache legacy htt

RE: svn commit: r1782209 - /httpd/httpd/branches/2.4.x/STATUS

2017-06-27 Thread William A Rowe Jr
On Jun 27, 2017 12:08 PM, "Moradhassel, Kavian" wrote: Did this discussion result in a decision to provide a fix for the bug in 2.4.26 and plan for a 2.4.27 soon? I'm wondering if I should be waiting for a 2.4.27 in the next handful of weeks, or if I should just accept that

Re: Anonymizing 403 responses [Was: svn commit: r1799731]

2017-06-27 Thread William A Rowe Jr
On Jun 27, 2017 3:00 AM, "Yann" <ylavic@gmail.com> wrote: On Tue, Jun 27, 2017 at 12:49 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: >> On Mon, Jun 26, 2017 at 5:34

Re: Anonymizing 403 responses [Was: svn commit: r1799731]

2017-06-26 Thread William A Rowe Jr
On Mon, Jun 26, 2017 at 5:43 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > On Mon, Jun 26, 2017 at 5:34 PM, Yann <ylavic@gmail.com> wrote: > >> What could be the "security blunders" with 404 vs 403? > > A 403 says "go away, you are

Re: Anonymizing 403 responses [Was: svn commit: r1799731]

2017-06-26 Thread William A Rowe Jr
On Mon, Jun 26, 2017 at 5:34 PM, Yann <ylavic@gmail.com> wrote: > On Mon, Jun 26, 2017 at 11:51 PM, William A Rowe Jr <wr...@rowe-clan.net> > wrote: >> On Mon, Jun 26, 2017 at 4:44 PM, William A Rowe Jr <wr...@rowe-clan.net> >> wrote: >>> >>

Anonymizing 403 responses [Was: svn commit: r1799731]

2017-06-26 Thread William A Rowe Jr
On Mon, Jun 26, 2017 at 4:44 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > > On Mon, Jun 26, 2017 at 3:40 PM, Gregg Smith <g...@gknw.net> wrote: >> >> On 6/24/2017 10:02 AM, William A Rowe Jr wrote: >>> >>> On Sat, Jun 24, 2017 at 12:4

Re: svn commit: r1799731 - in /httpd/httpd/trunk: CHANGES server/request.c

2017-06-26 Thread William A Rowe Jr
Hi Gregg, sending publicly while you have a negotiation with your email client :) On Mon, Jun 26, 2017 at 3:40 PM, Gregg Smith <g...@gknw.net> wrote: > > On 6/24/2017 10:02 AM, William A Rowe Jr wrote: >> >> On Sat, Jun 24, 2017 at 12:49 AM, <gsm...@apache.org>

Re: svn commit: r1799375 - /httpd/httpd/trunk/server/util.c

2017-06-26 Thread William A Rowe Jr
On Mon, Jun 26, 2017 at 3:14 PM, Jacob Champion <champio...@gmail.com> wrote: > On 06/20/2017 11:08 PM, William A Rowe Jr wrote: >> >> Sorry but I reraise my objection and veto worthless cpu cycles. > > For posterity, can I get a succinct description of your technical &g

Re: [Discuss] Rolling a 'final' 2.2.33 release

2017-06-25 Thread William A Rowe Jr
kman" <m...@exonetric.com> wrote: > > On 14 Jun 2017, at 22:12, William A Rowe Jr <wr...@rowe-clan.net> wrote: > > > Thoughts/comments? Patches to hold for before we roll? If I don't hear > otherwise, and we stick to the simpler alternative, then I'd plan to roll > these ca

Re: svn commit: r1799731 - in /httpd/httpd/trunk: CHANGES server/request.c

2017-06-24 Thread William A Rowe Jr
On Sat, Jun 24, 2017 at 12:49 AM, wrote: > Author: gsmith > Date: Sat Jun 24 05:49:45 2017 > New Revision: 1799731 > > URL: http://svn.apache.org/viewvc?rev=1799731&view=rev > Log: > Send a 404 response like other OSs do instead of 403 on Windows when > a path segment or file

[VOTE] Release httpd-2.2.33

2017-06-23 Thread William A Rowe Jr
For your consideration... pre-release candidate tarballs of Apache legacy httpd 2.2.33 can be found in; http://httpd.apache.org/dev/dist/ Thanks all who merged the security work in and other fixes. As we picked end of maintenance Jul 1 '17 - the [discuss] thread had sufficient time for response

Re: buildbot failure in on httpd-trunk

2017-06-21 Thread William A Rowe Jr
If two commits occur in a short enough period of time, the datestamp of the newly refreshed source may be earlier than the .o generated by the first update. On Jun 21, 2017 11:06, "Jacob Champion" wrote: > On 06/21/2017 09:00 AM, build...@apache.org wrote: > >> The

Re: buildbot failure in on httpd-trunk

2017-06-21 Thread William A Rowe Jr
mod_proxy_balancer.c: In function 'balancer_handler': mod_proxy_balancer.c:1144:25: error: 'HCHECK_WATHCHDOG_INTERVAL' undeclared (first use in this function) if (ival >= HCHECK_WATHCHDOG_INTERVAL) { ^ mod_proxy_balancer.c:1144:25: note: each undeclared

Re: svn commit: r1799375 - /httpd/httpd/trunk/server/util.c

2017-06-21 Thread William A Rowe Jr
On Wed, Jun 21, 2017 at 1:08 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > > But there were only two questionable values for \0, and in this case the > answer is obvious. Invert the rule to a TOKEN char from the rather dubious > TOKEN_STOP definition. Solved. ... for t

Re: svn commit: r1799375 - /httpd/httpd/trunk/server/util.c

2017-06-21 Thread William A Rowe Jr
Sorry but I reraise my objection and veto worthless cpu cycles. The correct fix to your concern is to document all expected behavior of the null but in gen_test_char.c - and in such tests a /* !c && */ notation is fine. Due to the way we assemble the code, I'm not convinced it that any compiler

Re: svn commit: r1782209 - /httpd/httpd/branches/2.4.x/STATUS

2017-06-20 Thread William A Rowe Jr
On Tue, Jun 20, 2017 at 1:32 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote: > On Tue, Jun 20, 2017 at 12:12 PM, Jim Jagielski <j...@jagunet.com> wrote: >> >>> On Jun 20, 2017, at 1:03 PM, Jacob Champion <champio...@gmail.com> wrote: >>> >&g

Re: svn commit: r1782209 - /httpd/httpd/branches/2.4.x/STATUS

2017-06-20 Thread William A Rowe Jr
On Tue, Jun 20, 2017 at 12:12 PM, Jim Jagielski <j...@jagunet.com> wrote: > >> On Jun 20, 2017, at 1:03 PM, Jacob Champion <champio...@gmail.com> wrote: >> >> On 06/20/2017 10:00 AM, William A Rowe Jr wrote: >>> You must presume it is in the wild, a
