Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-11 Thread Eric Covener
committed two related things to trunk this afternoon:

- allow anything if redirecting and no [NE] flag
- add another [B] like flag that escapes only controls and spaces.


On Sat, Mar 11, 2023 at 2:30 PM Eric Covener  wrote:
>
> Pulling up some of the checks so we can consider the flag:
> http://people.apache.org/~covener/patches/rewrite-escaping.diff
>
> (needs to be duplicated in fixups hook)
>
> On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic  wrote:
> >
> > On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
> > >
> > > Saw another report on users@
> > >
> > > Any thoughts on something like this to just allow spaces?
> > > http://people.apache.org/~covener/patches/rewrite-lax.diff
> >
> > What about:
> >
> > Index: modules/mappers/mod_rewrite.c
> > ===
> > --- modules/mappers/mod_rewrite.c(revision 1908254)
> > +++ modules/mappers/mod_rewrite.c(working copy)
> > @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
> >  apr_size_t flen;
> >  int to_proxyreq;
> >
> > -if (r->args && *(ap_scan_vchar_obstext(r->args))) {
> > +if (rulestatus == ACTION_NOESCAPE
> > +&& r->args && *(ap_scan_vchar_obstext(r->args))) {
> >  /*
> >   * We have a raw control character or a ' ' in r->args.
> >   * Correct encoding was missed.
> > ?
> >
> > Regards;
> > Yann.
>
>
>
> --
> Eric Covener
> cove...@gmail.com



-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-11 Thread Eric Covener
Pulling up some of the checks so we can consider the flag:
http://people.apache.org/~covener/patches/rewrite-escaping.diff

(needs to be duplicated in fixups hook)

On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic  wrote:
>
> On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
> >
> > Saw another report on users@
> >
> > Any thoughts on something like this to just allow spaces?
> > http://people.apache.org/~covener/patches/rewrite-lax.diff
>
> What about:
>
> Index: modules/mappers/mod_rewrite.c
> ===
> --- modules/mappers/mod_rewrite.c(revision 1908254)
> +++ modules/mappers/mod_rewrite.c(working copy)
> @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
>  apr_size_t flen;
>  int to_proxyreq;
>
> -if (r->args && *(ap_scan_vchar_obstext(r->args))) {
> +if (rulestatus == ACTION_NOESCAPE
> +&& r->args && *(ap_scan_vchar_obstext(r->args))) {
>  /*
>   * We have a raw control character or a ' ' in r->args.
>   * Correct encoding was missed.
> ?
>
> Regards;
> Yann.



-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Eric Covener
> Allowing a space to be sent within the proxied request target is not an option,
> regardless of how the user has configured the server. The CVE fix was just to
> prevent an invalid target sent from us.

This context in mod_rewrite is not specific to proxying. The CVE is
addressed in a similar snippet in the proxy modules.

> Why don't we fix the source of the spaces? The place where the variable is decoding
> the matched string being inserted. I find that bit surprising, since it doesn't behave
> like a proper regex.

The input here is the decoded URL-path.  rewrite can explicitly look
at the original request verbatim, but it's a rare thing to be used.

> Likewise, the rewrite mapper should always pct-encode or reject embedded spaces
> long before we get to the proxy (or internal redirect) request.

In the non-proxy case, the backreference may be in a local filename or
the query string. I guess the latter is still bogus in CGI-like cases,
but it's been tolerated forever and being passed onto CGI-like things
without automatic encoding.


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Roy T. Fielding
On Mar 10, 2023, at 8:56 AM, Yann Ylavic  wrote:

> On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
>> 
>> Saw another report on users@
>> 
>> Any thoughts on something like this to just allow spaces?
>> http://people.apache.org/~covener/patches/rewrite-lax.diff
> 
> What about:
> 
> Index: modules/mappers/mod_rewrite.c
> ===
> --- modules/mappers/mod_rewrite.c(revision 1908254)
> +++ modules/mappers/mod_rewrite.c(working copy)
> @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
> apr_size_t flen;
> int to_proxyreq;
> 
> -if (r->args && *(ap_scan_vchar_obstext(r->args))) {
> +if (rulestatus == ACTION_NOESCAPE
> +&& r->args && *(ap_scan_vchar_obstext(r->args))) {
> /*
>  * We have a raw control character or a ' ' in r->args.
>  * Correct encoding was missed.
> ?
> 
> Regards;
> Yann.

Allowing a space to be sent within the proxied request target is not an option,
regardless of how the user has configured the server. The CVE fix was just to
prevent an invalid target sent from us.

Why don't we fix the source of the spaces? The place where the variable is decoding
the matched string being inserted. I find that bit surprising, since it doesn't behave
like a proper regex.

Likewise, the rewrite mapper should always pct-encode or reject embedded spaces
long before we get to the proxy (or internal redirect) request.

Roy



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread giovanni

On 3/10/23 16:33, Eric Covener wrote:
> Saw another report on users@
>
> Any thoughts on something like this to just allow spaces?
> http://people.apache.org/~covener/patches/rewrite-lax.diff


That makes sense, any other possible char that we should allow other than spaces?
 Giovanni




> (this is off my $bigco fork so may not actually apply)
>
> On Thu, Mar 9, 2023 at 3:08 PM BUSH Steve  wrote:
> >
> > >> Maybe we can slip an additional entry into the changelog.
> >
> > >> I think in this case, for now at least, we'd primarily rely on the
> > >> error_log entry. Did this produce the new AH10410?
> >
> > Yes, the error log did include the AH10410 message.
> >
> > URL encoding the spaces either as \%20 (path or query string) or + (query
> > string) does eliminate the problem for our mappings.
> >
> > From: Eric Covener
> > Sent: Wednesday, March 8, 2023 8:31 PM
> > To: dev@httpd.apache.org
> > Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56



> > On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve  wrote:
> >
> > Correction!
> >
> > I used our test template for the rule when I e-mailed just now, but once it is
> > converted to the apache httpd.conf format, the actual rule appears in the
> > httpd.conf as:
> >
> > RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of
> > Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
> >
> > Thanks for the report.   Time will tell, but I think this is a very fringe
> > case. The space isn't a backreference (where `B` would have fixed it) and a
> > literal with a space in the substitution has to be quite rare (famous last
> > words)
> >
> > I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and
> > it’s clear that the use of spaces in the query string of the mapped URL are the
> > cause of the 403 forbidden messages.
> >
> > We can update our httpd.conf mapping code, so it won’t be a problem for us, but
> > it might be worth updating the mod_rewrite documentation on this?
> >
> > Maybe we can slip an additional entry into the changelog.
> >
> > I think in this case, for now at least, we'd primarily rely on the error_log
> > entry. Did this produce the new AH10410?







Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Eric Covener
On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic  wrote:
>
> On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
> >
> > Saw another report on users@
> >
> > Any thoughts on something like this to just allow spaces?
> > http://people.apache.org/~covener/patches/rewrite-lax.diff
>
> What about:
>
> Index: modules/mappers/mod_rewrite.c
> ===
> --- modules/mappers/mod_rewrite.c(revision 1908254)
> +++ modules/mappers/mod_rewrite.c(working copy)
> @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
>  apr_size_t flen;
>  int to_proxyreq;
>
> -if (r->args && *(ap_scan_vchar_obstext(r->args))) {
> +if (rulestatus == ACTION_NOESCAPE
> +&& r->args && *(ap_scan_vchar_obstext(r->args))) {
>  /*
>   * We have a raw control character or a ' ' in r->args.
>   * Correct encoding was missed.

I think it helps for the users@ redirect case, but I think we still
have a concern with non-redirect (where IIUC there is not any escaping
even w/o the flag/status, but I am not 100% sure on this)


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Yann Ylavic
On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
>
> Saw another report on users@
>
> Any thoughts on something like this to just allow spaces?
> http://people.apache.org/~covener/patches/rewrite-lax.diff

What about:

Index: modules/mappers/mod_rewrite.c
===
--- modules/mappers/mod_rewrite.c(revision 1908254)
+++ modules/mappers/mod_rewrite.c(working copy)
@@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
 apr_size_t flen;
 int to_proxyreq;

-if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+if (rulestatus == ACTION_NOESCAPE
+&& r->args && *(ap_scan_vchar_obstext(r->args))) {
 /*
  * We have a raw control character or a ' ' in r->args.
  * Correct encoding was missed.
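Review bot: with the added `rulestatus == ACTION_NOESCAPE` term in the condition, the scan of r->args for raw control characters and spaces runs only for that one status, so for every other rulestatus the rewritten query string leaves hook_uri2file unchecked. That is safe only if those other paths are guaranteed to escape r->args afterwards, which nothing in this hunk shows; consider keeping the control-character rejection unconditional and relaxing only the space case, or name in the comment where the escaping happens. The block comment under the condition ("We have a raw control character or a ' ' in r->args. Correct encoding was missed.") should also be updated to say that the check now applies only under ACTION_NOESCAPE.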
?

Regards;
Yann.


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Fossies Administrator

On Fri, 10 Mar 2023, Eric Covener wrote:

> Saw another report on users@
>
> Any thoughts on something like this to just allow spaces?
> http://people.apache.org/~covener/patches/rewrite-lax.diff
>
> (this is off my $bigco fork so may not actually apply)
>
> On Thu, Mar 9, 2023 at 3:08 PM BUSH Steve  wrote:
> >
> > >> Maybe we can slip an additional entry into the changelog.
> >
> > >> I think in this case, for now at least, we'd primarily rely on the
> > >> error_log entry. Did this produce the new AH10410?
> >
> > Yes, the error log did include the AH10410 message.
> >
> > URL encoding the spaces either as \%20 (path or query string) or + (query
> > string) does eliminate the problem for our mappings.
> >
> > From: Eric Covener
> > Sent: Wednesday, March 8, 2023 8:31 PM
> > To: dev@httpd.apache.org
> > Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56



> > On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve  wrote:
> >
> > Correction!
> >
> > I used our test template for the rule when I e-mailed just now, but once it is
> > converted to the apache httpd.conf format, the actual rule appears in the
> > httpd.conf as:
> >
> > RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of
> > Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
> >
> > Thanks for the report.   Time will tell, but I think this is a very fringe
> > case. The space isn't a backreference (where `B` would have fixed it) and a
> > literal with a space in the substitution has to be quite rare (famous last
> > words)
> >
> > I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and
> > it’s clear that the use of spaces in the query string of the mapped URL are the
> > cause of the 403 forbidden messages.
> >
> > We can update our httpd.conf mapping code, so it won’t be a problem for us, but
> > it might be worth updating the mod_rewrite documentation on this?
> >
> > Maybe we can slip an additional entry into the changelog.
> >
> > I think in this case, for now at least, we'd primarily rely on the error_log
> > entry. Did this produce the new AH10410?







I found now in https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_b 
that the RewriteRule flag B allows also to specify special characters to 
be escaped:


 In 2.4.26 and later, you can limit the escaping to specific characters in
 backreferences by listing them: [B=#?;]. Note: The space character can be
 used in the list of characters to escape, but it cannot be the last
 character in the list.

At first I had problems specifying a space character, but I found that 
escaping them helps. To circumvent the above-mentioned restriction 
regarding the space character I used, as a hack, simply two of them, so using 
the additional flag


 [B=\ \ ]

helped at least in my case as workaround (but not yet properly tested for 
side effects).


Jens


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Eric Covener
Saw another report on users@

Any thoughts on something like this to just allow spaces?
http://people.apache.org/~covener/patches/rewrite-lax.diff

(this is off my $bigco fork so may not actually apply)

On Thu, Mar 9, 2023 at 3:08 PM BUSH Steve  wrote:
>
> >> Maybe we can slip an additional entry into the changelog.
>
> >> I think in this case, for now at least, we'd primarily rely on the 
> >> error_log entry. Did this produce the new AH10410?
>
>
>
> Yes, the error log did include the AH10410 message.
>
>
>
> URL encoding the spaces either as \%20 (path or query string) or + (query 
> string) does eliminate the problem for our mappings.
>
>
>
> From: Eric Covener 
> Sent: Wednesday, March 8, 2023 8:31 PM
> To: dev@httpd.apache.org
> Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
>
>
>
> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve  wrote:
>
> Correction!
>
> I used our test template for the rule when I e-mailed just now, but once it 
> is converted to the apache httpd.conf format, the actual rule appears in the 
> httpd.conf as:
>
> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
> Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>
>
>
> Thanks for the report.   Time will tell, but I think this is a very fringe 
> case. The space isn't a backreference (where `B` would have fixed it) and a 
> literal with a space in the substitution has to be quite rare (famous last 
> words)
>
> I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 
> and it’s clear that the use of spaces in the query string of the mapped URL 
> are the cause of the 403 forbidden messages.
>
>
>
> We can update our httpd.conf mapping code, so it won’t be a problem for us, 
> but it might be worth updating the mod_rewrite documentation on this?
>
>
>
>
>
> Maybe we can slip an additional entry into the changelog.
>
> I think in this case, for now at least, we'd primarily rely on the error_log 
> entry. Did this produce the new AH10410?
>
>
>
>
>


-- 
Eric Covener
cove...@gmail.com


RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread BUSH Steve
>> Maybe we can slip an additional entry into the changelog.
>> I think in this case, for now at least, we'd primarily rely on the error_log 
>> entry. Did this produce the new AH10410?

Yes, the error log did include the AH10410 message.

URL encoding the spaces either as \%20 (path or query string) or + (query 
string) does eliminate the problem for our mappings.

From: Eric Covener 
Sent: Wednesday, March 8, 2023 8:31 PM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56


On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <steven.b...@3ds.com> wrote:
Correction!
I used our test template for the rule when I e-mailed just now, but once it is 
converted to the apache httpd.conf format, the actual rule appears in the 
httpd.conf as:
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Thanks for the report.   Time will tell, but I think this is a very fringe 
case. The space isn't a backreference (where `B` would have fixed it) and a 
literal with a space in the substitution has to be quite rare (famous last 
words)
I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and 
it’s clear that the use of spaces in the query string of the mapped URL are the 
cause of the 403 forbidden messages.

We can update our httpd.conf mapping code, so it won’t be a problem for us, but 
it might be worth updating the mod_rewrite documentation on this?


Maybe we can slip an additional entry into the changelog.
I think in this case, for now at least, we'd primarily rely on the error_log 
entry. Did this produce the new AH10410?






Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread Frank Gingras
Or use [B], while being aware of the drawbacks.

On Thu, Mar 9, 2023 at 2:38 PM Fossies Administrator <
jens.schleuse...@fossies.org> wrote:

> On Thu, 9 Mar 2023, Eric Covener wrote:
>
> > On Thu, Mar 9, 2023 at 12:14 PM  wrote:
> >>
> >> On 3/9/23 05:30, Eric Covener wrote:
> >>>
> >>>
> >>> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve wrote:
> >>>
> >>> Correction!
> >>>
> >>> I used our test template for the rule when I e-mailed just now,
> >>> but once it is converted to the apache httpd.conf format, the actual rule
> >>> appears in the httpd.conf as:
> >>>
> >>> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number
> >>> of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
> >>>
> >>>
> >>> Thanks for the report.   Time will tell, but I think this is a very
> >>> fringe case. The space isn't a backreference (where `B` would have fixed
> >>> it) and a literal with a space in the substitution has to be quite rare
> >>> (famous last words)
> >>
> >> I wonder how many websites might have a snippet similar to:
> >>
> >> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]
> >
> > I do worry about this style a lot more, especially with how much of a
> > pain [B] has been for me in the past.
> > I think we can wait and see and only look for more problematic
> > characters in the mod_rewrite.c change.
>
> I use a bit historically a rule principally like
>
>   RewriteRule file_name_pattern cgi_app?$1/$2 [T=application/x-httpd-cgi,L]
>
> With httpd-2.4.56 now all requests using file names containing a space are
> blocked (403 Forbidden) with the according error log entry
>
>   AH10410: Rewritten query string contains control characters or spaces
>
> The called CGI application tries to handle "bad" characters itself so from
> my egoistic point of view at least spaces should be allowed here (maybe
> by an extra directive).
>
> In my case, the only but unsatisfactory workaround I have found so far
> would be to replace the affected spaces with %2520.
>
> Jens


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread Fossies Administrator

On Thu, 9 Mar 2023, Eric Covener wrote:

> On Thu, Mar 9, 2023 at 12:14 PM  wrote:
>>
>> On 3/9/23 05:30, Eric Covener wrote:
>>>
>>> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <steven.b...@3ds.com> wrote:
>>>
>>> Correction!
>>>
>>> I used our test template for the rule when I e-mailed just now, but once it
>>> is converted to the apache httpd.conf format, the actual rule appears in the
>>> httpd.conf as:
>>>
>>> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of
>>> Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>>>
>>> Thanks for the report.   Time will tell, but I think this is a very fringe
>>> case. The space isn't a backreference (where `B` would have fixed it) and a
>>> literal with a space in the substitution has to be quite rare (famous last
>>> words)
>>
>> I wonder how many websites might have a snippet similar to:
>>
>> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]
>
> I do worry about this style a lot more, especially with how much of a
> pain [B] has been for me in the past.
> I think we can wait and see and only look for more problematic
> characters in the mod_rewrite.c change.


I use a bit historically a rule principally like

 RewriteRule file_name_pattern cgi_app?$1/$2 [T=application/x-httpd-cgi,L]

With httpd-2.4.56 now all requests using file names containing a space are 
blocked (403 Forbidden) with the according error log entry


 AH10410: Rewritten query string contains control characters or spaces

The called CGI application tries to handle "bad" characters itself so from 
my egoistic point of view at least spaces should be allowed here (maybe 
by an extra directive).


In my case, the only but unsatisfactory workaround I have found so far 
would be to replace the affected spaces with %2520.


Jens
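
The breakage reported in this thread can be checked offline before an upgrade. The following is an added example, not code from httpd or from any poster: a Python model of the 2.4.56 query-string check behind AH10410, applied to the two RewriteRule lines quoted in the thread. The function names, the tokenizer and the percent-encoding used to stand in for [B] are assumptions of this example; RewriteCond, QSA and per-directory context are not modelled.

```python
import re
from urllib.parse import quote

# Rule lines quoted in this thread (wrapped mail lines joined).
STEVE = (r'RewriteRule ^/zoology/animals/reset/(\d+)$ '
         r'"/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]')
SEARCH = r'RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]'
# Constructed variants: the "+" encoding reported as working, and [B] added.
STEVE_FIXED = STEVE.replace("Number of Records", "Number+of+Records")
SEARCH_B = SEARCH.replace("[PT,", "[B,PT,")

_TOKEN = re.compile(r'"[^"]*"|\S+')  # assumption: no escaped quotes inside arguments


def parse_rule(line):
    """Split a RewriteRule line into (pattern, substitution, set of flag names)."""
    tokens = [t.strip('"') for t in _TOKEN.findall(line)]
    if len(tokens) < 3 or tokens[0].lower() != "rewriterule":
        raise ValueError("not a RewriteRule line: %r" % line)
    flags = set()
    if len(tokens) > 3:
        flags = {f.split("=")[0].strip().upper()
                 for f in tokens[3].strip("[]").split(",")}
    return tokens[1], tokens[2], flags


def has_ctl_or_space(s):
    """True if s holds a byte outside VCHAR/obs-text: a control character or a space."""
    return any(ord(c) <= 0x20 or ord(c) == 0x7F for c in s)


def lint(line):
    """Static findings for one rule, without needing a request."""
    _pattern, subst, flags = parse_rule(line)
    query = subst.partition("?")[2]
    findings = []
    if has_ctl_or_space(query):
        # Literal space in the substitution: every match is rejected, [B] cannot help.
        findings.append("literal-space")
    if re.search(r"\$\d", query) and "B" not in flags:
        # Backreference copied from the decoded URL-path into the query string.
        findings.append("unescaped-backref")
    return findings


def rewritten_query(line, url_path):
    """Query string the rule would produce for a decoded URL-path, or None if no match."""
    pattern, subst, flags = parse_rule(line)
    m = re.search(pattern, url_path)
    if m is None:
        return None

    def expand(ref):
        n = int(ref.group(1))
        value = (m.group(n) or "") if n <= m.re.groups else ""
        # Stand-in for [B]: percent-encode the captured text (assumption of this model).
        return quote(value, safe="") if "B" in flags else value

    return re.sub(r"\$(\d)", expand, subst).partition("?")[2]


def blocked(line, url_path):
    """True where this model predicts 403 plus AH10410 in the error_log."""
    query = rewritten_query(line, url_path)
    return query is not None and has_ctl_or_space(query)


if __name__ == "__main__":
    for name, rule, path in [
        ("literal space", STEVE, "/zoology/animals/reset/10"),
        ("literal '+'", STEVE_FIXED, "/zoology/animals/reset/10"),
        ("backref, no [B]", SEARCH, "/search/red panda"),
        ("backref, [B]", SEARCH_B, "/search/red panda"),
    ]:
        print("%-16s lint=%-24s blocked=%s" % (name, lint(rule), blocked(rule, path)))
```

Running `lint` over every RewriteRule line of a configuration before moving from 2.4.55 to 2.4.56 points at the rules to re-test; the error_log entry AH10410 remains the authoritative signal on the live server.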

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread Eric Covener
On Thu, Mar 9, 2023 at 12:14 PM  wrote:
>
> On 3/9/23 05:30, Eric Covener wrote:
> >
> >
> > On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve wrote:
> >
> > Correction!
> >
> > I used our test template for the rule when I e-mailed just now, but 
> > once it is converted to the apache httpd.conf format, the actual rule 
> > appears in the httpd.conf as:
> >
> > RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
> > Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
> >
> >
> > Thanks for the report.   Time will tell, but I think this is a very fringe 
> > case. The space isn't a backreference (where `B` would have fixed it) and a 
> > literal with a space in the substitution has to be quite rare (famous last 
> > words)
>
> I wonder how many websites might have a snippet similar to:
>
> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]

I do worry about this style a lot more, especially with how much of a
pain [B] has been for me in the past.
I think we can wait and see and only look for more problematic
characters in the mod_rewrite.c change.


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread giovanni

On 3/9/23 05:30, Eric Covener wrote:
> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <steven.b...@3ds.com> wrote:
>
> > Correction!
> >
> > I used our test template for the rule when I e-mailed just now, but once it
> > is converted to the apache httpd.conf format, the actual rule appears in the
> > httpd.conf as:
> >
> > RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of
> > Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>
> Thanks for the report.   Time will tell, but I think this is a very fringe
> case. The space isn't a backreference (where `B` would have fixed it) and a
> literal with a space in the substitution has to be quite rare (famous last
> words)


I wonder how many websites might have a snippet similar to:

RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]

  Giovanni




> > I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56
> > and it’s clear that the use of spaces in the query string of the mapped URL are
> > the cause of the 403 forbidden messages.
> >
> > We can update our httpd.conf mapping code, so it won’t be a problem for us,
> > but it might be worth updating the mod_rewrite documentation on this?
>
> Maybe we can slip an additional entry into the changelog.
> I think in this case, for now at least, we'd primarily rely on the error_log
> entry. Did this produce the new AH10410?








Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread Stefan Eissing via dev



> On 08.03.2023 at 23:38, Eric Covener wrote:
> 
> On Wed, Mar 8, 2023 at 4:57 PM BUSH Steve  wrote:
> 
>> Please remember to send the release announcement to annou...@httpd.apache.org
> 
> Maybe a moderation issue? Can anyone with the proper hat help check it
> out please?

In the releases I did, announce@ did *always* show delayed/lost processing of 
messages. It's not one of infra's better services...

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread Eric Covener
On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve  wrote:

> Correction!
>
> I used our test template for the rule when I e-mailed just now, but once
> it is converted to the apache httpd.conf format, the actual rule appears in
> the httpd.conf as:
>
> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of
> Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>

Thanks for the report.   Time will tell, but I think this is a very fringe
case. The space isn't a backreference (where `B` would have fixed it) and a
literal with a space in the substitution has to be quite rare (famous last
words)

> I just looked at the mod_rewrite.c source differences from 2.4.55 to
> 2.4.56 and it’s clear that the use of spaces in the query string of the
> mapped URL are the cause of the 403 forbidden messages.
>
>
>
> We can update our httpd.conf mapping code, so it won’t be a problem for
> us, but it might be worth updating the mod_rewrite documentation on this?
>
>
>
Maybe we can slip an additional entry into the changelog.
I think in this case, for now at least, we'd primarily rely on the
error_log entry. Did this produce the new AH10410?


RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread BUSH Steve
Correction!
I used our test template for the rule when I e-mailed just now, but once it is 
converted to the apache httpd.conf format, the actual rule appears in the 
httpd.conf as:
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and 
it’s clear that the use of spaces in the query string of the mapped URL are the 
cause of the 403 forbidden messages.

We can update our httpd.conf mapping code, so it won’t be a problem for us, but 
it might be worth updating the mod_rewrite documentation on this?


From: BUSH Steve 
Sent: Wednesday, March 8, 2023 7:45 PM
To: dev@httpd.apache.org
Subject: RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56


I just completed upgrading to 2.4.56 from 2.4.55 and now we are having problems 
with existing mod_rewrite directives that use parameter substitution:

An example of a mod_rewrite declaration we have is:
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ 
"/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Our internal test case calls GET https://SERVER:PORT/zoology/animals/reset/10

In 2.4.55,
this works successfully and our internal service /auth/launchjob is called with 
“Number_of_Records” = 10

However, after upgrading to 2.4.56,
The service now returns 403 Forbidden.  Calling the mapped service directly 
works okay.

In this case, the RewriteRule is not associated with mod_proxy and is used for 
REST service mapping.
The rewrite flags are (https://httpd.apache.org/docs/2.4/rewrite/flags.html):
B: Escape Backreferences
PT: Passthrough
L: Last
QSA: qsappend (query string append)

It seems to me that the changes to address CVE-2023-25690 have caused 
unintended side effects?

https://downloads.apache.org/httpd/CHANGES_2.4.56
  *) SECURITY: CVE-2023-25690: HTTP request splitting with
 mod_rewrite and mod_proxy (cve.mitre.org)
 Some mod_proxy configurations on Apache HTTP Server versions
 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
 Configurations are affected when mod_proxy is enabled along with
 some form of RewriteRule
 or ProxyPassMatch in which a non-specific pattern matches
 some portion of the user-supplied request-target (URL) data and
 is then
 re-inserted into the proxied request-target using variable
 substitution. For example, something like:
 RewriteEngine on
 RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
 ProxyPassReverse /here/  http://example.com:8080/
 Request splitting/smuggling could result in bypass of access
 controls in the proxy server, proxying unintended URLs to
 existing origin servers, and cache poisoning.
 Credits: Lars Krapf of Adobe



From: Eric Covener <cove...@gmail.com>
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

I am going to call this one early and proceed with the release. 9 binding +1 
and no other votes. fielding, covener, icing, gbechis, ylavic, jblond, jorton, 
steffenAL, rpluem On Tue, Mar 7, 2023 at 3: 18 AM Ruediger Pluem 


I am going to call this one 

RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread BUSH Steve
I just completed upgrading to 2.4.56 from 2.4.55 and now we are having problems 
with existing mod_rewrite directives that use parameter substitution:

An example of a mod_rewrite declaration we have is:
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ 
"/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Our internal test case calls GET https://SERVER:PORT/zoology/animals/reset/10

In 2.4.55,
this works successfully and our internal service /auth/launchjob is called with 
“Number_of_Records” = 10

However, after upgrading to 2.4.56,
the service now returns 403 Forbidden.  Calling the mapped service directly 
works okay.

In this case, the RewriteRule is not associated with mod_proxy and is used for 
REST service mapping.
The rewrite flags are (https://httpd.apache.org/docs/2.4/rewrite/flags.html):
B: Escape Backreferences
PT: Passthrough
L: Last
QSA: qsappend (query string append)

It seems to me that the changes to address CVE-2023-25690 have caused 
unintended side effects?

https://downloads.apache.org/httpd/CHANGES_2.4.56
  *) SECURITY: CVE-2023-25690: HTTP request splitting with
 mod_rewrite and mod_proxy (cve.mitre.org)
 Some mod_proxy configurations on Apache HTTP Server versions
 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
 Configurations are affected when mod_proxy is enabled along with
 some form of RewriteRule
 or ProxyPassMatch in which a non-specific pattern matches
 some portion of the user-supplied request-target (URL) data and
 is then
 re-inserted into the proxied request-target using variable
 substitution. For example, something like:
 RewriteEngine on
 RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
 ProxyPassReverse /here/  http://example.com:8080/
 Request splitting/smuggling could result in bypass of access
 controls in the proxy server, proxying unintended URLs to
 existing origin servers, and cache poisoning.
 Credits: Lars Krapf of Adobe



From: Eric Covener 
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.

fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem

On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem <rpl...@apache.org> wrote:
>
>
>
> On 3/5/23 10:31 PM, Eric Covener wrote:
> > Hi all,
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> > [X] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> > *httpd-2.4.56-rc1.tar.gz
> > sha512: 
> > 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> > *httpd-2.4.56-rc1.tar.gz
> >
> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> >
>
> Sigs and Hashes ok
> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3
>
> Regards
>
> Rüdiger

--
Eric Covener
cove...@gmail.com

This email and any attachments are intended solely for the use of the 
individual or entity to whom it is addressed and may be confidential and/or 
privileged.

If you are not one of the named recipients or have received this email in error,

(i) you should not read, disclose, or copy it,

(ii) please notify sender of your receipt by reply email and delete this email 
and all attachments,

(iii) Dassault Systèmes does not accept or assume any liability or 
responsibility for any use of or reliance on this email.


Please be informed that your personal data are processed according to our data 
privacy policy as described on our website. Should you have any questions 
related to personal data protection, please contact 3DS Data Protection Officer 
https://www.3ds.com/privacy-policy/contact/
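
Added example, not part of the message above and not httpd's own code: a small audit script for the configuration class the quoted CHANGES entry describes, that is, a `RewriteRule ... [P]` or `ProxyPassMatch` whose non-specific capture is re-inserted into the proxied request-target. The sample configuration is constructed, the names `audit` and `SAMPLE_CONF` are hypothetical, and "non-specific" is approximated by a heuristic (unescaped dot, negated class, `\S`/`\D`/`\W`) over non-nested capture groups.

```python
import re

# Constructed sample: the first rule is modelled on the CHANGES example, the
# second is the rule from the report above, the last two are hypothetical.
SAMPLE_CONF = r'''
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
RewriteRule "^/api/(\d+)$" "http://example.com:8080/item/$1" [P]
ProxyPassMatch "^/files/(.*)$" "http://example.com:8080/store?$1"
'''

TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')   # quoted or bare argument
GROUP = re.compile(r'\((?!\?)([^()]*)\)')           # non-nested capture groups
# Heuristic for "non-specific": unescaped dot, negated class, or \S \D \W.
WIDE = re.compile(r'(?<!\\)\.|\[\^|\\[SDW]')


def audit(conf):
    """Return (line_no, directive, backref) for proxied rules that re-insert
    a non-specific capture into the proxied request-target."""
    findings = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        args = [q or b for q, b in TOKEN.findall(line)]
        directive = args[0].lower()
        if directive == 'rewriterule' and len(args) >= 3:
            flags = args[3].strip('[]').split(',') if len(args) > 3 else []
            names = {f.split('=')[0].strip().upper() for f in flags}
            if not names & {'P', 'PROXY'}:
                continue          # this rule does not hand off to mod_proxy
        elif directive != 'proxypassmatch' or len(args) < 3:
            continue
        pattern, target = args[1], args[2]
        groups = GROUP.findall(pattern)
        for ref in re.findall(r'\$(\d)', target):
            idx = int(ref)
            if 1 <= idx <= len(groups) and WIDE.search(groups[idx - 1]):
                findings.append((line_no, args[0], '$' + ref))
    return findings


if __name__ == '__main__':
    for line_no, directive, ref in audit(SAMPLE_CONF):
        print(f'line {line_no}: {directive} re-inserts wide capture {ref}')
```

On the constructed sample it flags the `(.*)` rule with `[P]` and the `ProxyPassMatch` line; the `[B,PT,L,QSA]` rule from the report is not flagged because it carries no proxy flag and captures only `\d+`.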



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread Eric Covener
On Wed, Mar 8, 2023 at 4:57 PM BUSH Steve  wrote:

> Please remember to send the release announcement to annou...@httpd.apache.org

Maybe a moderation issue? Can anyone with the proper hat help check it
out please?


RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread BUSH Steve
Please remember to send the release announcement to annou...@httpd.apache.org

From: Eric Covener 
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.

fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem

On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem <rpl...@apache.org> wrote:
>
>
>
> On 3/5/23 10:31 PM, Eric Covener wrote:
> > Hi all,
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> > [X] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> > *httpd-2.4.56-rc1.tar.gz
> > sha512: 
> > 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> > *httpd-2.4.56-rc1.tar.gz
> >
> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> >
>
> Sigs and Hashes ok
> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3
>
> Regards
>
> Rüdiger

--
Eric Covener
cove...@gmail.com



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-07 Thread Eric Covener
I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.

fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem

On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem  wrote:
>
>
>
> On 3/5/23 10:31 PM, Eric Covener wrote:
> > Hi all,
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> > [X] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> > *httpd-2.4.56-rc1.tar.gz
> > sha512: 
> > 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> > *httpd-2.4.56-rc1.tar.gz
> >
> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> >
>
> Sigs and Hashes ok
> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3
>
> Regards
>
> Rüdiger



-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-07 Thread Ruediger Pluem



On 3/5/23 10:31 PM, Eric Covener wrote:
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 
> 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
> 
> The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> 

Sigs and Hashes ok
Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3

Regards

Rüdiger


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread Steffen
+1 All looks fine on Windows. 

> Op 5 mrt. 2023 om 22:32 heeft Eric Covener  het volgende 
> geschreven:
> 
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 
> 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
> 
> The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> 
> -- 
> Eric Covener
> cove...@gmail.com



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread Joe Orton
On Sun, Mar 05, 2023 at 04:31:34PM -0500, Eric Covener wrote:
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

+1, tests pass on RHEL 8+9 (x86_64), sigs good, thanks for RMing.

Seems there is some tweak required to get Actions to work for a tag 
which I will look into.

Regards, Joe



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread Mario Brandt

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
[x] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

+1


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread Yann Ylavic
On Sun, Mar 5, 2023 at 10:31 PM Eric Covener  wrote:
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:

+1: It's not just good, it's good enough!

All checksums/sigs and tests pass (Debian 11 & 12), thanks Eric for RMing.

Regards;
Yann.


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread giovanni

On 3/5/23 22:31, Eric Covener wrote:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
*httpd-2.4.56-rc1.tar.gz
sha512: 
68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
*httpd-2.4.56-rc1.tar.gz


+1
tested on Fedora 37 and OpenBSD 7.2 and 7.3-beta
 Giovanni



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-05 Thread Stefan Eissing via dev



> Am 05.03.2023 um 22:31 schrieb Eric Covener :
> 
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 
> 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
> 
> The SVN candidate source is found at tags/2.4.56-rc1-candidate.

+1 

Darwin xxx 22.3.0 Darwin Kernel Version 22.3.0 (macOS ventura x86_64)

Thanks for RMing,

Stefan


> 
> -- 
> Eric Covener
> cove...@gmail.com



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-05 Thread Eric Covener
On Sun, Mar 5, 2023 at 4:31 PM Eric Covener  wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [x] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

my +1 on ubuntu


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-05 Thread Roy T. Fielding
> On Mar 5, 2023, at 1:31 PM, Eric Covener  wrote:
> 
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [X] +1: It's not just good, it's good enough!

Verified sigs, compiled and installed locally (Macbook Pro M1, macos Ventura 
13.2.1),
and tested around the relevant changes. Everything looks good.

+1 for release.

Roy T. Fielding