mod_wasm: v0.12.0 release

2023-05-30 Thread Jesús González
Hola,

We just released mod_wasm 
v0.12.0!

This new version introduces a new directive, WasmMapCGIFileNames, providing the 
ability to configure CGI applications using custom guest directories, 
eliminating the need for both the host and the guest to use the same paths. It 
also normalizes SCRIPT_FILENAME to use Unix-like forward slashes. This feature 
is particularly helpful when setting up Windows applications, as it allows for 
the use of paths that may not be compatible in Windows (with backslashes and 
drive letters).

Looking forward to your feedback.

Cheers,
Jesús




Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-11 Thread Ruediger Pluem



On 4/10/23 11:37 PM, BUSH Steve wrote:
> I just downloaded the apache 2.4.57 source code and am attempting to compile on
> Windows, mod_rewrite.c fails with this error:
> 

> 
> I fixed it for my local build by editing modules/mapper/mod_rewrite.mak and 
> updating the CPP_PROJ= lines to include the following
> highlighted additions:
> 
> CPP_PROJ=/nologo /MD /W3 /Zi /O2 /Oy- /I "../../include" /I "../../server" /I 
> "../database" /I "../ssl" /I
> "../../srclib/apr/include" /I "../../srclib/apr-util/include" /D "NDEBUG" /D 
> "WIN32" /D "_WINDOWS" /Fo"$(INTDIR)\\"
> /Fd"$(INTDIR)\mod_rewrite_src" /FD /c
> 
> and
> 
>     CPP_PROJ=/nologo /MDd /W3 /Zi /Od /I "../../include" /I 
> "../../server" /I "../database" /I "../ssl" /I
> "../../srclib/apr/include" /I "../../srclib/apr-util/include" /D "_DEBUG" /D 
> "WIN32" /D "_WINDOWS" /Fo"$(INTDIR)\\"
> /Fd"$(INTDIR)\mod_rewrite_src" /FD /EHsc /c

http://svn.apache.org/viewvc?view=revision=1908937
http://svn.apache.org/viewvc?view=revision=1909061

Thanks for the hint of the second location.

Regards

Rüdiger



RE: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-10 Thread BUSH Steve
I just downloaded the apache 2.4.57 source code and am attempting to compile on
Windows, mod_rewrite.c fails with this error:

mod_rewrite.c
mod_rewrite.c(109): fatal error C1083: Cannot open include file: 'test_char.h': 
No such file or directory
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Professional\VC\Tools\MSVC\14.28.29910\bin\HostX64\x64\cl.exe"' : 
return code '0x2'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Professional\VC\Tools\MSVC\14.28.29910\bin\HostX64\x64\nmake.exe"' 
: return code '0x2'
Stop.
NMAKE : fatal error U1077: '"C:\Program Files (x86)\Microsoft Visual 
Studio\2019\Professional\VC\Tools\MSVC\14.28.29910\bin\HostX64\x64\nmake.exe"' 
: return code '0x2'
Stop.


Looking at the comparison between mod_rewrite.c in 2.4.56 and 2.4.57, this line 
was added to 2.4.57:
#include "mod_rewrite.h"
#include "ap_expr.h"

#include "test_char.h"

Looking in the build tree, test_char.h is located in server/test_char.h, but 
the build settings are not picking it up.

I build with
nmake /f Makefile.win installr XML_PARSER="libexpat"

I fixed it for my local build by editing modules/mapper/mod_rewrite.mak and 
updating the CPP_PROJ= lines to include the following highlighted additions:
CPP_PROJ=/nologo /MD /W3 /Zi /O2 /Oy- /I "../../include" /I "../../server" /I 
"../database" /I "../ssl" /I "../../srclib/apr/include" /I 
"../../srclib/apr-util/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" 
/Fo"$(INTDIR)\\" /Fd"$(INTDIR)\mod_rewrite_src" /FD /c
and
CPP_PROJ=/nologo /MDd /W3 /Zi /Od /I "../../include" /I 
"../../server" /I "../database" /I "../ssl" /I "../../srclib/apr/include" /I 
"../../srclib/apr-util/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" 
/Fo"$(INTDIR)\\" /Fd"$(INTDIR)\mod_rewrite_src" /FD /EHsc /c

Steve



From: Eric Covener 
Sent: Wednesday, April 5, 2023 12:05 PM
To: Apache HTTP Server Development List 
Subject: Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

On Sun, Apr 2, 2023 at 12:10 PM Eric Covener <cove...@gmail.com> wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
> *httpd-2.4.57-rc1.tar.gz
> sha512:
> 730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4
> *httpd-2.4.57-rc1.tar.gz
>
> The SVN candidate source is found at tags/2.4.57-rc1-candidate.

Vote passes with many binding +1 and no negative votes:
+1: covener, rpluem, steffenal, gbechis, jorton, jailletc36, ylavic

I will finalize some time over the next day or two.

--
Eric Covener
cove...@gmail.com

This email and any attachments are intended solely for the use of the 
individual or entity to whom it is addressed and may be confidential and/or 
privileged.

If you are not one of the named recipients or have received this email in error,

(i) you should not read, disclose, or copy it,

(ii) please notify sender of your receipt by reply email and delete this email 
and all attachments,

(iii) Dassault Systèmes does not accept or assume any liability or 
responsibility for any use of or reliance on this email.


Please be informed that your personal data are processed according to our data 
privacy policy as described on our website. Should you have any questions 
related to personal data protection, please contact 3DS Data Protection Officer 
https://www.3ds.com/privacy-policy/contact/



Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-05 Thread Eric Covener
On Sun, Apr 2, 2023 at 12:10 PM Eric Covener  wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
> *httpd-2.4.57-rc1.tar.gz
> sha512: 
> 730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4
> *httpd-2.4.57-rc1.tar.gz
>
> The SVN candidate source is found at tags/2.4.57-rc1-candidate.

Vote passes with many binding +1 and no negative votes:
+1: covener, rpluem, steffenal, gbechis, jorton, jailletc36, ylavic

I will finalize some time over the next day or two.

-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-04 Thread Marion & Christophe JAILLET




On 03/04/2023 at 21:44, Christophe JAILLET wrote:

On 02/04/2023 at 18:10, Eric Covener wrote:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
*httpd-2.4.57-rc1.tar.gz
sha512: 
730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4

*httpd-2.4.57-rc1.tar.gz

The SVN candidate source is found at tags/2.4.57-rc1-candidate.



+1

Tested only with event.

Tested with:
Linux pop-os 6.2.0
gcc (Ubuntu 12.1.0-2ubuntu1~22.04) 12.1.0
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
   libssl-dev 3.0.2
   libbrotli-dev 1.0.9
   libjansson-dev 2.13.1
   libnghttp2-dev 1.43.0
   libpcre2-dev 10.39
   liblua5.3-dev 5.3.6
   libsystemd-dev 249.11
   libldap2-dev 2.5.14+dfsg
   libxml2-dev 2.9.13+dfsg
   libcurl4-openssl-dev 7.81.0


Still can't get the pytest to run correctly.
I've tried to make some clean-ups. Should have a real look at it one day :(


> pip install -U multipart
did the trick. (thanks error.log!)

I don't know if it is a new requirement or if I did something wrong on 
my setup.


Is it worth mentioning in README.pytest?



Another point, when building mod_tls.
After upgrading to latest github rustls-ffi, I now get:

tls_core.c: In function ‘extract_client_hello_values’:
tls_core.c:510:14: error: ‘rustls_client_hello’ has no member named 
‘sni_name’

  510 | if (hello->sni_name.len > 0) {
  |  ^~
tls_core.c:511:55: error: ‘rustls_client_hello’ has no member named 
‘sni_name’
  511 | cc->sni_hostname = apr_pstrndup(c->pool, 
hello->sni_name.data, hello->sni_name.len);

  |   ^~
tls_core.c:511:77: error: ‘rustls_client_hello’ has no member named 
‘sni_name’
  511 | cc->sni_hostname = apr_pstrndup(c->pool, 
hello->sni_name.data, hello->sni_name.len);



Apparently related to:

https://github.com/rustls/rustls-ffi/commit/ed82a03f2481095f251e7aee604a2ca29b8c1c5e#diff-6f7bcae64b59e4d5ad181e43c27a22088434c36827db05f8767e00dabcd7973eR426


So, maybe some trouble and conditional compilation to come in the near
future.




This module is tagged as experimental, so from my POV it can't be a show 
stopper.


CJ


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-04 Thread Steffen
Good day,

+1 no issues seen on Windows after include ../../server for mod_rewrite  
test_char.h

Steffen 

> On 2 Apr 2023 at 18:11, Eric Covener wrote:
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
> *httpd-2.4.57-rc1.tar.gz
> sha512: 
> 730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4
> *httpd-2.4.57-rc1.tar.gz
> 
> The SVN candidate source is found at tags/2.4.57-rc1-candidate.
> 
> -- 
> Eric Covener
> cove...@gmail.com



Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread Christophe JAILLET

On 02/04/2023 at 18:10, Eric Covener wrote:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
*httpd-2.4.57-rc1.tar.gz
sha512: 
730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4
*httpd-2.4.57-rc1.tar.gz

The SVN candidate source is found at tags/2.4.57-rc1-candidate.



+1

Tested only with event.

Tested with:
Linux pop-os 6.2.0
gcc (Ubuntu 12.1.0-2ubuntu1~22.04) 12.1.0
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
  libssl-dev 3.0.2
  libbrotli-dev 1.0.9
  libjansson-dev 2.13.1
  libnghttp2-dev 1.43.0
  libpcre2-dev 10.39
  liblua5.3-dev 5.3.6
  libsystemd-dev 249.11
  libldap2-dev 2.5.14+dfsg
  libxml2-dev 2.9.13+dfsg
  libcurl4-openssl-dev 7.81.0


Still can't get the pytest to run correctly.
I've tried to make some clean-ups. Should have a real look at it one day :(

CJ


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread Yann Ylavic
On Sun, Apr 2, 2023 at 6:11 PM Eric Covener  wrote:
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:

[X] +1: It's not just good, it's good enough!

All tests pass on Debian 11 and 12, sums and sigs OK.

Thanks Eric,
Yann.


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread Joe Orton
On Sun, Apr 02, 2023 at 12:10:25PM -0400, Eric Covener wrote:
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

+1 for release, CHANGES looks good, sigs match, tests pass on RHEL 8+9. 
Thanks for RMing.

Regards, Joe



Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread SteffenAL


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread Ruediger Pluem



On 4/3/23 12:19 PM, SteffenAL wrote:
> vcxproj files since a few years. They were generated from the dsp files.

But these are not part of the source, but your local ones?

> 
> can I just include the test_char.h generated from gen_test_char.c /.exe ?

Yes you can.

Regards

Rüdiger

>  
> On Monday 03/04/2023 at 11:26, Ruediger Pluem wrote:
>> How do you build it? Via cmake or via the mak files?
>>
>> Regards
>>
>> Rüdiger
>>
>> On 4/3/23 10:51 AM, SteffenAL wrote:
>>> Build no go:
>>>
>>>
>>> ErrorC1083Cannot open include file: 'test_char.h': No such file or
>>> directorymod_rewriteC:\VS17\Win64\httpd-2.4\modules\mappers\mod_rewrite.c109
>>>
>>> Is it ok that I include the test_char.h generated from gen_test_char.exe ?
>>>
>>> Steffen
>>>  
>>>  
>>> On Sunday 02/04/2023 at 18:11, Eric Covener wrote:
>>>> Hi all,
>>>>
>>>> Please find below the proposed release tarball and signatures:
>>>>
>>>> https://dist.apache.org/repos/dist/dev/httpd/
>>>>
>>>> I would like to call a VOTE over the next few days to release
>>>> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
>>>> [ ] +1: It's not just good, it's good enough!
>>>> [ ] +0: Let's have a talk.
>>>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>>>
>>>> The computed digests of the tarball up for vote are:
>>>> sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
>>>> *httpd-2.4.57-rc1.tar.gz
>>>> sha512:
>>>> 730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4
>>>> *httpd-2.4.57-rc1.tar.gz
>>>>
>>>> The SVN candidate source is found at tags/2.4.57-rc1-candidate.
>>>>
>>>> -- 
>>>> Eric Covener
>>>> cove...@gmail.com
>>>
> 


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread SteffenAL


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread Ruediger Pluem
How do you build it? Via cmake or via the mak files?

Regards

Rüdiger

On 4/3/23 10:51 AM, SteffenAL wrote:
> Build no go:
> 
> 
> ErrorC1083Cannot open include file: 'test_char.h': No such file or
> directorymod_rewriteC:\VS17\Win64\httpd-2.4\modules\mappers\mod_rewrite.c109
> 
> Is it ok that I include the test_char.h generated from gen_test_char.exe ?
> 
> Steffen
>  
>  
> On Sunday 02/04/2023 at 18:11, Eric Covener wrote:
>> Hi all,
>>
>> Please find below the proposed release tarball and signatures:
>>
>> https://dist.apache.org/repos/dist/dev/httpd/
>>
>> I would like to call a VOTE over the next few days to release
>> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
>> [ ] +1: It's not just good, it's good enough!
>> [ ] +0: Let's have a talk.
>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>
>> The computed digests of the tarball up for vote are:
>> sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
>> *httpd-2.4.57-rc1.tar.gz
>> sha512:
>> 730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4
>> *httpd-2.4.57-rc1.tar.gz
>>
>> The SVN candidate source is found at tags/2.4.57-rc1-candidate.
>>
>> -- 
>> Eric Covener
>> cove...@gmail.com
> 


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread giovanni

On 4/2/23 18:10, Eric Covener wrote:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
*httpd-2.4.57-rc1.tar.gz
sha512: 
730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4
*httpd-2.4.57-rc1.tar.gz

The SVN candidate source is found at tags/2.4.57-rc1-candidate.


+1
tested on Fedora 37 and OpenBSD 7.3
Thanks for RMing
 Giovanni


OpenPGP_signature
Description: OpenPGP digital signature


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread SteffenAL


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-03 Thread Ruediger Pluem



On 4/2/23 6:10 PM, Eric Covener wrote:
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
> *httpd-2.4.57-rc1.tar.gz
> sha512: 
> 730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4
> *httpd-2.4.57-rc1.tar.gz
> 
> The SVN candidate source is found at tags/2.4.57-rc1-candidate.
> 

+1

Tested on RedHat 8 x86_64

Regards

Rüdiger


Re: [VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-02 Thread Eric Covener
On Sun, Apr 2, 2023 at 12:10 PM Eric Covener  wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
> [x] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

my +1, ubuntu 22.04 and aix/xlc/ppc64


[VOTE] Release httpd-2.4.57-rc1 as httpd-2.4.57

2023-04-02 Thread Eric Covener
Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.57-rc1 as 2.4.57:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: bc3e7e540b83ec24f9b847c6b4d7148c55b79b27d102e21227eb65f7183d6b45
*httpd-2.4.57-rc1.tar.gz
sha512: 
730560d4aab3699aa59716bb75858f8432a902aeab3c380b4d3e0f6813e9ae4e278d3b7fdf63a4e94c07b5100933d8684d76f6095f3d60d48ea0f1458c9ed0b4
*httpd-2.4.57-rc1.tar.gz

The SVN candidate source is found at tags/2.4.57-rc1-candidate.

-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-11 Thread Eric Covener
committed two related things to trunk this afternoon:

- allow anything if redirecting and no [NE] flag
- add another [B] like flag that escapes only controls and spaces.


On Sat, Mar 11, 2023 at 2:30 PM Eric Covener  wrote:
>
> Pulling up some of the checks so we can consider the flag:
> http://people.apache.org/~covener/patches/rewrite-escaping.diff
>
> (needs to be duplicated in fixups hook)
>
> On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic  wrote:
> >
> > On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
> > >
> > > Saw another report on users@
> > >
> > > Any thoughts on something like this to just allow spaces?
> > > http://people.apache.org/~covener/patches/rewrite-lax.diff
> >
> > What about:
> >
> > Index: modules/mappers/mod_rewrite.c
> > ===
> > --- modules/mappers/mod_rewrite.c(revision 1908254)
> > +++ modules/mappers/mod_rewrite.c(working copy)
> > @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
> >  apr_size_t flen;
> >  int to_proxyreq;
> >
> > -if (r->args && *(ap_scan_vchar_obstext(r->args))) {
> > +if (rulestatus == ACTION_NOESCAPE
> > +&& r->args && *(ap_scan_vchar_obstext(r->args))) {
> >  /*
> >   * We have a raw control character or a ' ' in r->args.
> >   * Correct encoding was missed.
> > ?
> >
> > Regards;
> > Yann.
>
>
>
> --
> Eric Covener
> cove...@gmail.com



-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-11 Thread Eric Covener
Pulling up some of the checks so we can consider the flag:
http://people.apache.org/~covener/patches/rewrite-escaping.diff

(needs to be duplicated in fixups hook)

On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic  wrote:
>
> On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
> >
> > Saw another report on users@
> >
> > Any thoughts on something like this to just allow spaces?
> > http://people.apache.org/~covener/patches/rewrite-lax.diff
>
> What about:
>
> Index: modules/mappers/mod_rewrite.c
> ===
> --- modules/mappers/mod_rewrite.c(revision 1908254)
> +++ modules/mappers/mod_rewrite.c(working copy)
> @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
>  apr_size_t flen;
>  int to_proxyreq;
>
> -if (r->args && *(ap_scan_vchar_obstext(r->args))) {
> +if (rulestatus == ACTION_NOESCAPE
> +&& r->args && *(ap_scan_vchar_obstext(r->args))) {
>  /*
>   * We have a raw control character or a ' ' in r->args.
>   * Correct encoding was missed.
> ?
>
> Regards;
> Yann.



-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Eric Covener
> Allowing a space to be sent within the proxied request target is not an 
> option,
> regardless of how the user has configured the server. The CVE fix was just to
> prevent an invalid target sent from us.

This context in mod_rewrite is not specific to proxying. The CVE is
addressed in a similar snippet in the proxy modules.

> Why don't we fix the source of the spaces? The place where the variable is 
> decoding
> the matched string being inserted. I find that bit surprising, since it 
> doesn't behave
> like a proper regex.

The input here is the decoded URL-path.  rewrite can explicitly look
at the original request verbatim, but it's a rare thing to be used.

> Likewise, the rewrite mapper should always pct-encode or reject embedded 
> spaces
> long before we get to the proxy (or internal redirect) request.

In the non-proxy case, the backreference may be in a local filename or
the query string. I guess the latter is still bogus in CGI-like cases,
but it's been tolerated forever and being passed onto CGI-like things
without automatic encoding.


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Roy T. Fielding
On Mar 10, 2023, at 8:56 AM, Yann Ylavic  wrote:

> On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
>> 
>> Saw another report on users@
>> 
>> Any thoughts on something like this to just allow spaces?
>> http://people.apache.org/~covener/patches/rewrite-lax.diff
> 
> What about:
> 
> Index: modules/mappers/mod_rewrite.c
> ===
> --- modules/mappers/mod_rewrite.c(revision 1908254)
> +++ modules/mappers/mod_rewrite.c(working copy)
> @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
> apr_size_t flen;
> int to_proxyreq;
> 
> -if (r->args && *(ap_scan_vchar_obstext(r->args))) {
> +if (rulestatus == ACTION_NOESCAPE
> +&& r->args && *(ap_scan_vchar_obstext(r->args))) {
> /*
>  * We have a raw control character or a ' ' in r->args.
>  * Correct encoding was missed.
> ?
> 
> Regards;
> Yann.

Allowing a space to be sent within the proxied request target is not an option,
regardless of how the user has configured the server. The CVE fix was just to
prevent an invalid target sent from us.

Why don't we fix the source of the spaces? The place where the variable is 
decoding
the matched string being inserted. I find that bit surprising, since it doesn't 
behave
like a proper regex.

Likewise, the rewrite mapper should always pct-encode or reject embedded spaces
long before we get to the proxy (or internal redirect) request.

Roy



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread giovanni

On 3/10/23 16:33, Eric Covener wrote:

Saw another report on users@

Any thoughts on something like this to just allow spaces?
http://people.apache.org/~covener/patches/rewrite-lax.diff


that makes sense, any other possible char that we should allow other than
spaces?
 Giovanni




(this is off my $bigco fork so may not actually apply)

On Thu, Mar 9, 2023 at 3:08 PM BUSH Steve  wrote:



Maybe we can slip an additional entry into the changelog.



I think in this case, for now at least, we'd primarily rely on the error_log 
entry. Did this produce the new AH10410?




Yes, the error log did include the AH10410 message.



URL encoding the spaces either as \%20 (path or query string) or + (query 
string) does eliminate the problem for our mappings.



From: Eric Covener 
Sent: Wednesday, March 8, 2023 8:31 PM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56






On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve  wrote:

Correction!

I used our test template for the rule when I e-mailed just now, but once it is 
converted to the apache httpd.conf format, the actual rule appears in the 
httpd.conf as:

RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
Records=$1&__poolid=animal-magic" [B,PT,L,QSA]



Thanks for the report.   Time will tell, but I think this is a very fringe 
case. The space isn't a backreference (where `B` would have fixed it) and a 
literal with a space in the substitution has to be quite rare (famous last 
words)

I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and
it’s clear that the use of spaces in the query string of the mapped URL is the
cause of the 403 forbidden messages.



We can update our httpd.conf mapping code, so it won’t be a problem for us, but 
it might be worth updating the mod_rewrite documentation on this?





Maybe we can slip an additional entry into the changelog.

I think in this case, for now at least, we'd primarily rely on the error_log 
entry. Did this produce the new AH10410?














OpenPGP_signature
Description: OpenPGP digital signature
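
A static check for the case reported above, as an added example (not code from httpd or from anyone in this thread): it scans RewriteRule substitutions for literal query-string characters that are neither visible ASCII nor obs-text, the class the mod_rewrite hunk describes as "a raw control character or a ' '". The tokenizer is a simplified stand-in for httpd's config parser, the function names are hypothetical, and the sample config is constructed around the rule quoted in the thread; backreferences such as $1 expand at request time and are not evaluated.

```python
"""Flag RewriteRule substitutions whose literal query string holds a raw
space or control character (added example; helper names are hypothetical)."""


def is_vchar_or_obstext(ch):
    # Visible ASCII (0x21-0x7E) or obs-text (>= 0x80). Space, tab, other
    # control characters and DEL fall outside this class.
    o = ord(ch)
    return 0x21 <= o <= 0x7E or o >= 0x80


def logical_lines(text):
    """Yield (first_line_number, line), joining backslash continuations."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        yield start, buf + raw
        buf, start = "", None
    if start is not None:          # file ended on a continuation
        yield start, buf


def split_args(line):
    """Simplified directive tokenizer: whitespace-separated arguments,
    single or double quotes, backslash escaping a quote or a backslash."""
    args, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
            continue
        if line[i] in "\"'":
            quote, i, cur = line[i], i + 1, []
            while i < n and line[i] != quote:
                if line[i] == "\\" and i + 1 < n and line[i + 1] in (quote, "\\"):
                    i += 1         # drop the escaping backslash
                cur.append(line[i])
                i += 1
            i += 1                 # skip the closing quote
            args.append("".join(cur))
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            args.append(line[i:j])
            i = j
    return args


def audit_rewrite_rules(conf_text):
    """Return [(line_number, substitution, offending_chars, flags), ...]."""
    findings = []
    for lineno, line in logical_lines(conf_text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        args = split_args(line)
        if len(args) < 3 or args[0].lower() != "rewriterule":
            continue
        subst = args[2]
        flags = args[3].strip("[]").split(",") if len(args) > 3 else []
        # Only the part after the first '?' ends up in r->args.
        _, _, query = subst.partition("?")
        bad = sorted({c for c in query if not is_vchar_or_obstext(c)})
        if bad:
            findings.append((lineno, subst, bad, flags))
    return findings


# Constructed sample: the first rule is the one quoted in the thread, the
# next two use the encodings the reporter said resolved it, and the last
# has a space in the path only, which the r->args check does not cover.
SAMPLE_CONF = r'''
# constructed sample configuration
RewriteEngine On
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
RewriteRule ^/zoology/animals/reset2/(\d+)$ "/auth/launchjob?Number\%20of\%20Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
RewriteRule ^/zoology/animals/reset3/(\d+)$ "/auth/launchjob?Number+of+Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
RewriteRule ^/docs/(.*)$ "/var/www/my docs/$1" [L]
'''

if __name__ == "__main__":
    for lineno, subst, bad, flags in audit_rewrite_rules(SAMPLE_CONF):
        print(f"line {lineno}: raw {bad!r} in query of {subst!r} (flags {flags})")
```

Run it against a copy of httpd.conf before upgrading; any rule it reports should be cross-checked against AH10410 entries in the error_log after the upgrade.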


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Eric Covener
On Fri, Mar 10, 2023 at 11:57 AM Yann Ylavic  wrote:
>
> On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
> >
> > Saw another report on users@
> >
> > Any thoughts on something like this to just allow spaces?
> > http://people.apache.org/~covener/patches/rewrite-lax.diff
>
> What about:
>
> Index: modules/mappers/mod_rewrite.c
> ===
> --- modules/mappers/mod_rewrite.c(revision 1908254)
> +++ modules/mappers/mod_rewrite.c(working copy)
> @@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
>  apr_size_t flen;
>  int to_proxyreq;
>
> -if (r->args && *(ap_scan_vchar_obstext(r->args))) {
> +if (rulestatus == ACTION_NOESCAPE
> +&& r->args && *(ap_scan_vchar_obstext(r->args))) {
>  /*
>   * We have a raw control character or a ' ' in r->args.
>   * Correct encoding was missed.
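
Review bot: The comment kept under the new condition still reads "We have a raw control character or a ' ' in r->args. Correct encoding was missed.", which described the old unconditional test. Once the branch is limited to `rulestatus == ACTION_NOESCAPE`, the comment should say why only that status is checked and what happens to r->args for the others. The continuation line `&& r->args && ...` would also read better aligned under `rulestatus`.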

I think it helps for the users@ redirect case, but I think we still
have a concern with non-redirect (where IIUC there is not any escaping
even w/o the flag/status, but I am not 100% sure on this)


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Yann Ylavic
On Fri, Mar 10, 2023 at 4:34 PM Eric Covener  wrote:
>
> Saw another report on users@
>
> Any thoughts on something like this to just allow spaces?
> http://people.apache.org/~covener/patches/rewrite-lax.diff

What about:

Index: modules/mappers/mod_rewrite.c
===
--- modules/mappers/mod_rewrite.c(revision 1908254)
+++ modules/mappers/mod_rewrite.c(working copy)
@@ -4814,7 +4814,8 @@ static int hook_uri2file(request_rec *r)
 apr_size_t flen;
 int to_proxyreq;

-if (r->args && *(ap_scan_vchar_obstext(r->args))) {
+if (rulestatus == ACTION_NOESCAPE
+&& r->args && *(ap_scan_vchar_obstext(r->args))) {
 /*
  * We have a raw control character or a ' ' in r->args.
  * Correct encoding was missed.
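
Review bot: With `rulestatus == ACTION_NOESCAPE` placed in front of the existing test, a raw control character or space in r->args is rejected here only for that one rule status; every other status now passes this point with r->args unchecked. Nothing in the hunk shows where those other statuses get the query string escaped before it is used, and the context declares `to_proxyreq`, so the proxied path needs an explicit answer. Either keep the unconditional check for the paths where no escaping follows, or name in the comment the escaping step that makes skipping it safe.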
?

Regards;
Yann.


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Fossies Administrator

On Fri, 10 Mar 2023, Eric Covener wrote:


Saw another report on users@

Any thoughts on something like this to just allow spaces?
http://people.apache.org/~covener/patches/rewrite-lax.diff

(this is off my $bigco fork so may not actually apply)

On Thu, Mar 9, 2023 at 3:08 PM BUSH Steve  wrote:



Maybe we can slip an additional entry into the changelog.



I think in this case, for now at least, we'd primarily rely on the error_log 
entry. Did this produce the new AH10410?




Yes, the error log did include the AH10410 message.



URL encoding the spaces either as \%20 (path or query string) or + (query 
string) does eliminate the problem for our mappings.



From: Eric Covener 
Sent: Wednesday, March 8, 2023 8:31 PM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56






On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve  wrote:

Correction!

I used our test template for the rule when I e-mailed just now, but once it is 
converted to the apache httpd.conf format, the actual rule appears in the 
httpd.conf as:

RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
Records=$1&__poolid=animal-magic" [B,PT,L,QSA]



Thanks for the report.   Time will tell, but I think this is a very fringe 
case. The space isn't a backreference (where `B` would have fixed it) and a 
literal with a space in the substitution has to be quite rare (famous last 
words)

I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and 
it’s clear that the use of spaces in the query string of the mapped URL are the 
cause of the 403 forbidden messages.



We can update our httpd.conf mapping code, so it won’t be a problem for us, but 
it might be worth updating the mod_rewrite documentation on this?





Maybe we can slip an additional entry into the changelog.

I think in this case, for now at least, we'd primarily rely on the error_log 
entry. Did this produce the new AH10410?







I have now found in https://httpd.apache.org/docs/2.4/rewrite/flags.html#flag_b 
that the RewriteRule flag B also allows specifying the special characters to 
be escaped:


 In 2.4.26 and later, you can limit the escaping to specific characters in
 backreferences by listing them: [B=#?;]. Note: The space character can be
 used in the list of characters to escape, but it cannot be the last
 character in the list.

At first I had problems specifying a space character, but I found that 
escaping it helps. To circumvent the above-mentioned restriction 
regarding the space character, I simply used two of them as a hack, so using 
the additional flag


 [B=\ \ ]

helped at least in my case as workaround (but not yet properly tested for 
side effects).


Jens


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-10 Thread Eric Covener
Saw another report on users@

Any thoughts on something like this to just allow spaces?
http://people.apache.org/~covener/patches/rewrite-lax.diff

(this is off my $bigco fork so may not actually apply)

On Thu, Mar 9, 2023 at 3:08 PM BUSH Steve  wrote:
>
> >> Maybe we can slip an additional entry into the changelog.
>
> >> I think in this case, for now at least, we'd primarily rely on the 
> >> error_log entry. Did this produce the new AH10410?
>
>
>
> Yes, the error log did include the AH10410 message.
>
>
>
> URL encoding the spaces either as \%20 (path or query string) or + (query 
> string) does eliminate the problem for our mappings.
>
>
>
> From: Eric Covener 
> Sent: Wednesday, March 8, 2023 8:31 PM
> To: dev@httpd.apache.org
> Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56
>
>
>
> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve  wrote:
>
> Correction!
>
> I used our test template for the rule when I e-mailed just now, but once it 
> is converted to the apache httpd.conf format, the actual rule appears in the 
> httpd.conf as:
>
> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
> Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>
>
>
> Thanks for the report.   Time will tell, but I think this is a very fringe 
> case. The space isn't a backreference (where `B` would have fixed it) and a 
> literal with a space in the substitution has to be quite rare (famous last 
> words)
>
> I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 
> and it’s clear that the use of spaces in the query string of the mapped URL 
> are the cause of the 403 forbidden messages.
>
>
>
> We can update our httpd.conf mapping code, so it won’t be a problem for us, 
> but it might be worth updating the mod_rewrite documentation on this?
>
>
>
>
>
> Maybe we can slip an additional entry into the changelog.
>
> I think in this case, for now at least, we'd primarily rely on the error_log 
> entry. Did this produce the new AH10410?
>
>
>
>
>


-- 
Eric Covener
cove...@gmail.com


RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread BUSH Steve
>> Maybe we can slip an additional entry into the changelog.
>> I think in this case, for now at least, we'd primarily rely on the error_log 
>> entry. Did this produce the new AH10410?

Yes, the error log did include the AH10410 message.

URL encoding the spaces either as \%20 (path or query string) or + (query 
string) does eliminate the problem for our mappings.

From: Eric Covener 
Sent: Wednesday, March 8, 2023 8:31 PM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56


On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <steven.b...@3ds.com> wrote:
Correction!
I used our test template for the rule when I e-mailed just now, but once it is 
converted to the apache httpd.conf format, the actual rule appears in the 
httpd.conf as:
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Thanks for the report.   Time will tell, but I think this is a very fringe 
case. The space isn't a backreference (where `B` would have fixed it) and a 
literal with a space in the substitution has to be quite rare (famous last 
words)
I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and 
it’s clear that the use of spaces in the query string of the mapped URL are the 
cause of the 403 forbidden messages.

We can update our httpd.conf mapping code, so it won’t be a problem for us, but 
it might be worth updating the mod_rewrite documentation on this?


Maybe we can slip an additional entry into the changelog.
I think in this case, for now at least, we'd primarily rely on the error_log 
entry. Did this produce the new AH10410?






Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread Frank Gingras
Or use [B], while being aware of the drawbacks.

On Thu, Mar 9, 2023 at 2:38 PM Fossies Administrator <
jens.schleuse...@fossies.org> wrote:

> On Thu, 9 Mar 2023, Eric Covener wrote:
>
> > On Thu, Mar 9, 2023 at 12:14 PM  wrote:
> >>
> >> On 3/9/23 05:30, Eric Covener wrote:
> >>>
> >>>
> >>> On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve wrote:
> >>>
> >>> Correction!
> >>>
> >>> I used our test template for the rule when I e-mailed just now,
> but once it is converted to the apache httpd.conf format, the actual rule
> appears in the httpd.conf as:
> >>>
> >>> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number
> of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
> >>>
> >>>
> >>> Thanks for the report.   Time will tell, but I think this is a very
> fringe case. The space isn't a backreference (where `B` would have fixed
> it) and a literal with a space in the substitution has to be quite rare
> (famous last words)
> >>
> >> I wonder how many websites might have a snippet similar to:
> >>
> >> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]
> >
> > I do worry about this style a lot more, especially with how much of a
> > pain [B] has been for me in the past.
> > I think we can wait and see and only look for more problematic
> > characters in the mod_rewrite.c change.
>
> I use a bit historically a rule principally like
>
>   RewriteRule file_name_pattern cgi_app?$1/$2 [T=application/x-httpd-cgi,L]
>
> With httpd-2.4.56 now all requests using file names containing a space are
> blocked (403 Forbidden) with the according error log entry
>
>   AH10410: Rewritten query string contains control characters or spaces
>
> The called CGI application tries to handle "bad" characters itself so from
> my egoistic point of view at least spaces should be allowed here (may be
> by an extra directive).
>
> In my case, the only but unsatisfactory workaround I have found so far
> would be to replace the affected spaces with %2520.
>
> Jens


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread Fossies Administrator

On Thu, 9 Mar 2023, Eric Covener wrote:


On Thu, Mar 9, 2023 at 12:14 PM  wrote:


On 3/9/23 05:30, Eric Covener wrote:



On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <steven.b...@3ds.com> wrote:

Correction!

I used our test template for the rule when I e-mailed just now, but once it 
is converted to the apache httpd.conf format, the actual rule appears in the 
httpd.conf as:

RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
Records=$1&__poolid=animal-magic" [B,PT,L,QSA]


Thanks for the report.   Time will tell, but I think this is a very fringe 
case. The space isn't a backreference (where `B` would have fixed it) and a 
literal with a space in the substitution has to be quite rare (famous last 
words)


I wonder how many websites might have a snippet similar to:

RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]


I do worry about this style a lot more, especially with how much of a
pain [B] has been for me in the past.
I think we can wait and see and only look for more problematic
characters in the mod_rewrite.c change.


I use a bit historically a rule principally like

 RewriteRule file_name_pattern cgi_app?$1/$2 [T=application/x-httpd-cgi,L]

With httpd-2.4.56 now all requests using file names containing a space are 
blocked (403 Forbidden) with the according error log entry


 AH10410: Rewritten query string contains control characters or spaces

The called CGI application tries to handle "bad" characters itself so from 
my egoistic point of view at least spaces should be allowed here (may be 
by an extra directive).


In my case, the only but unsatisfactory workaround I have found so far 
would be to replace the affected spaces with %2520.


Jens

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread Eric Covener
On Thu, Mar 9, 2023 at 12:14 PM  wrote:
>
> On 3/9/23 05:30, Eric Covener wrote:
> >
> >
> > On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve wrote:
> >
> > Correction!
> >
> > I used our test template for the rule when I e-mailed just now, but 
> > once it is converted to the apache httpd.conf format, the actual rule 
> > appears in the httpd.conf as:
> >
> > RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
> > Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
> >
> >
> > Thanks for the report.   Time will tell, but I think this is a very fringe 
> > case. The space isn't a backreference (where `B` would have fixed it) and a 
> > literal with a space in the substitution has to be quite rare (famous last 
> > words)
>
> I wonder how many websites might have a snippet similar to:
>
> RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]

I do worry about this style a lot more, especially with how much of a
pain [B] has been for me in the past.
I think we can wait and see and only look for more problematic
characters in the mod_rewrite.c change.
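
The two rule styles discussed in this thread (a literal space in the substitution, and a backreference copied into the query string without [B]) can be checked against sample request paths with a small model of the AH10410 condition. This is an added example, not httpd code and not something posted to the list: the function names are hypothetical, [B] escaping is approximated with Python's quote_plus, and RewriteCond and [QSA] are not modeled.

```python
import re
from urllib.parse import quote_plus

# Rules quoted in the thread, joined onto one line each.
RULE_LITERAL_SPACE = (r'RewriteRule ^/zoology/animals/reset/(\d+)$ '
                      r'"/auth/launchjob?Number of Records=$1&__poolid=animal-magic" [B,PT,L,QSA]')
RULE_UNDERSCORES = (r'RewriteRule ^/zoology/animals/reset/(\d+)$ '
                    r'"/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]')
RULE_SEARCH = r'RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]'
RULE_SEARCH_B = r'RewriteRule ^/search/(.*)$ /search.php?term=$1 [B,PT,L,QSA]'

# A directive argument is either a double-quoted string or a run of non-blanks.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def parse_rewrite_rule(line):
    """Split a RewriteRule line into (pattern, substitution, flag names)."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in _TOKEN.finditer(line.strip())]
    if len(tokens) < 3 or tokens[0].lower() != "rewriterule":
        raise ValueError("not a RewriteRule line: %r" % line)
    flags = set()
    if len(tokens) > 3:
        for flag in tokens[3].strip("[]").split(","):
            flags.add(flag.split("=", 1)[0].strip().upper())
    return tokens[1], tokens[2], flags


def expand(substitution, match, escape_backrefs):
    """Replace $N with capture group N, escaped when [B] is set (assumption:
    quote_plus stands in for mod_rewrite's own escaping)."""
    def repl(ref):
        index = int(ref.group(1))
        value = match.group(index) if index <= match.re.groups else ""
        value = value or ""
        return quote_plus(value) if escape_backrefs else value
    return re.sub(r"\$(\d)", repl, substitution)


def first_bad_char(query):
    """Index of the first space or control character, else None.
    Mirrors the AH10410 wording: control characters or spaces."""
    for i, ch in enumerate(query):
        if ord(ch) <= 0x20 or ord(ch) == 0x7F:
            return i
    return None


def check_rule(line, decoded_path):
    """Apply one rule to an already URL-decoded path and report whether the
    rewritten query string would be refused, and where the bad byte came from."""
    pattern, substitution, flags = parse_rewrite_rule(line)
    match = re.search(pattern, decoded_path)
    result = {"matched": match is not None, "blocked": False,
              "query": None, "source": None}
    if match is None:
        return result
    rewritten = expand(substitution, match, "B" in flags)
    result["query"] = rewritten.partition("?")[2]
    if first_bad_char(result["query"]) is not None:
        result["blocked"] = True
        template_query = substitution.partition("?")[2]
        # A bad byte in the template itself is a literal; [B] cannot fix it.
        result["source"] = ("literal" if first_bad_char(template_query) is not None
                            else "backreference")
    return result


if __name__ == "__main__":
    # Constructed sample requests (decoded paths).
    for rule, path in [(RULE_LITERAL_SPACE, "/zoology/animals/reset/10"),
                       (RULE_UNDERSCORES, "/zoology/animals/reset/10"),
                       (RULE_SEARCH, "/search/red panda"),
                       (RULE_SEARCH_B, "/search/red panda")]:
        print(path, "->", check_rule(rule, path))
```
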


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread giovanni

On 3/9/23 05:30, Eric Covener wrote:



On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve <steven.b...@3ds.com> wrote:

Correction!

I used our test template for the rule when I e-mailed just now, but once it 
is converted to the apache httpd.conf format, the actual rule appears in the 
httpd.conf as:

RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
Records=$1&__poolid=animal-magic" [B,PT,L,QSA]


Thanks for the report.   Time will tell, but I think this is a very fringe 
case. The space isn't a backreference (where `B` would have fixed it) and a 
literal with a space in the substitution has to be quite rare (famous last 
words)


I wonder how many websites might have a snippet similar to:

RewriteRule ^/search/(.*)$ /search.php?term=$1 [PT,L,QSA]

  Giovanni




I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 
and it’s clear that the use of spaces in the query string of the mapped URL are 
the cause of the 403 forbidden messages.


We can update our httpd.conf mapping code, so it won’t be a problem for us, 
but it might be worth updating the mod_rewrite documentation on this?



Maybe we can slip an additional entry into the changelog.
I think in this case, for now at least, we'd primarily rely on the error_log 
entry. Did this produce the new AH10410?








Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-09 Thread Stefan Eissing via dev



> On 08.03.2023 at 23:38, Eric Covener wrote:
> 
> On Wed, Mar 8, 2023 at 4:57 PM BUSH Steve  wrote:
> 
>> Please remember to send the release announcement to annou...@httpd.apache.org
> 
> Maybe a moderation issue? Can anyone with the proper hat help check it
> out please?

In the releases I did, announce@ did *always* show delayed/lost processing of 
messages. It's not one of infra's better services...

Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread Eric Covener
On Wed, Mar 8, 2023 at 11:02 PM BUSH Steve  wrote:

> Correction!
>
> I used our test template for the rule when I e-mailed just now, but once
> it is converted to the apache httpd.conf format, the actual rule appears in
> the httpd.conf as:
>
> RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of
> Records=$1&__poolid=animal-magic" [B,PT,L,QSA]
>

Thanks for the report.   Time will tell, but I think this is a very fringe
case. The space isn't a backreference (where `B` would have fixed it) and a
literal with a space in the substitution has to be quite rare (famous last
words)

> I just looked at the mod_rewrite.c source differences from 2.4.55 to
> 2.4.56 and it’s clear that the use of spaces in the query string of the
> mapped URL are the cause of the 403 forbidden messages.
>
>
>
> We can update our httpd.conf mapping code, so it won’t be a problem for
> us, but it might be worth updating the mod_rewrite documentation on this?
>
>
>
Maybe we can slip an additional entry into the changelog.
I think in this case, for now at least, we'd primarily rely on the
error_log entry. Did this produce the new AH10410?


RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread BUSH Steve
Correction!
I used our test template for the rule when I e-mailed just now, but once it is 
converted to the apache httpd.conf format, the actual rule appears in the 
httpd.conf as:
RewriteRule ^/zoology/animals/reset/(\d+)$ "/auth/launchjob?Number of 
Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

I just looked at the mod_rewrite.c source differences from 2.4.55 to 2.4.56 and 
it’s clear that the use of spaces in the query string of the mapped URL are the 
cause of the 403 forbidden messages.

We can update our httpd.conf mapping code, so it won’t be a problem for us, but 
it might be worth updating the mod_rewrite documentation on this?


From: BUSH Steve 
Sent: Wednesday, March 8, 2023 7:45 PM
To: dev@httpd.apache.org
Subject: RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56


I just completed upgrading to 2.4.56 from 2.4.55 and now we are having problems 
with existing mod_rewrite directives that use parameter substitution:

An example of a mod_rewrite declaration we have is:
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ 
"/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Our internal test case calls GET 
https://SERVER:PORT/zoology/animals/reset/10

In 2.4.55,
this works successfully and our internal service /auth/launchjob is called with 
“Number_of_Records” = 10

However, after upgrading to 2.4.56,
The service now returns 403 Forbidden.  Calling the mapped service directly 
works okay.

In this case, the RewriteRule is not associated with mod_proxy and is used for 
REST service mapping.
The rewrite flags are 
(https://httpd.apache.org/docs/2.4/rewrite/flags.html):
B: Escape Backreferences
PT: Passthrough
L: Last
QSA: qsappend (query string append)

It seems to me that the changes to address CVE-2023-25690 have caused 
unintended side effects?

https://downloads.apache.org/httpd/CHANGES_2.4.56
  *) SECURITY: CVE-2023-25690: HTTP request splitting with
 mod_rewrite and mod_proxy (cve.mitre.org)
 Some mod_proxy configurations on Apache HTTP Server versions
 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
 Configurations are affected when mod_proxy is enabled along with
 some form of RewriteRule
 or ProxyPassMatch in which a non-specific pattern matches
 some portion of the user-supplied request-target (URL) data and
 is then
 re-inserted into the proxied request-target using variable
 substitution. For example, something like:
 RewriteEngine on
 RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
 ProxyPassReverse /here/  http://example.com:8080/
 Request splitting/smuggling could result in bypass of access
 controls in the proxy server, proxying unintended URLs to
 existing origin servers, and cache poisoning.
 Credits: Lars Krapf of Adobe



From: Eric Covener <cove...@gmail.com>
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56



I am going to call this one 

RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread BUSH Steve
I just completed upgrading to 2.4.56 from 2.4.55 and now we are having problems 
with existing mod_rewrite directives that use parameter substitution:

An example of a mod_rewrite declaration we have is:
RewriteCond %{REQUEST_METHOD} GET [NC]
RewriteRule ^/zoology/animals/reset/(\d+)$ 
"/auth/launchjob?Number_of_Records=$1&__poolid=animal-magic" [B,PT,L,QSA]

Our internal test case calls GET https://SERVER:PORT/zoology/animals/reset/10

In 2.4.55,
this works successfully and our internal service /auth/launchjob is called with 
“Number_of_Records” = 10

However, after upgrading to 2.4.56,
The service now returns 403 Forbidden.  Calling the mapped service directly 
works okay.

In this case, the RewriteRule is not associated with mod_proxy and is used for 
REST service mapping.
The rewrite flags are (https://httpd.apache.org/docs/2.4/rewrite/flags.html):
B: Escape Backreferences
PT: Passthrough
L: Last
QSA: qsappend (query string append)

It seems to me that the changes to address CVE-2023-25690 have caused 
unintended side effects?

https://downloads.apache.org/httpd/CHANGES_2.4.56
  *) SECURITY: CVE-2023-25690: HTTP request splitting with
 mod_rewrite and mod_proxy (cve.mitre.org)
 Some mod_proxy configurations on Apache HTTP Server versions
 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack.
 Configurations are affected when mod_proxy is enabled along with
 some form of RewriteRule
 or ProxyPassMatch in which a non-specific pattern matches
 some portion of the user-supplied request-target (URL) data and
 is then
 re-inserted into the proxied request-target using variable
 substitution. For example, something like:
 RewriteEngine on
 RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
 ProxyPassReverse /here/  http://example.com:8080/
 Request splitting/smuggling could result in bypass of access
 controls in the proxy server, proxying unintended URLs to
 existing origin servers, and cache poisoning.
 Credits: Lars Krapf of Adobe



From: Eric Covener 
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56



I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.



fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem



On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem <rpl...@apache.org> wrote:

>

>

>

> On 3/5/23 10:31 PM, Eric Covener wrote:

> > Hi all,

> >

> > Please find below the proposed release tarball and signatures:

> >

> > https://dist.apache.org/repos/dist/dev/httpd/

> >

> > I would like to call a VOTE over the next few days to release

> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:

> > [X] +1: It's not just good, it's good enough!

> > [ ] +0: Let's have a talk.

> > [ ] -1: There's trouble in paradise. Here's what's wrong.

> >

> > The computed digests of the tarball up for vote are:

> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698

> > *httpd-2.4.56-rc1.tar.gz

> > sha512: 
> > 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724

> > *httpd-2.4.56-rc1.tar.gz

> >

> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.

> >

>

> Sigs and Hashes ok

> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3

>

> Regards

>

> Rüdiger







--

Eric Covener

cove...@gmail.com




Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread Eric Covener
On Wed, Mar 8, 2023 at 4:57 PM BUSH Steve  wrote:

> Please remember to send the release announcement to annou...@httpd.apache.org

Maybe a moderation issue? Can anyone with the proper hat help check it
out please?


RE: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-08 Thread BUSH Steve
Please remember to send the release announcement to annou...@httpd.apache.org

From: Eric Covener 
Sent: Tuesday, March 7, 2023 3:51 AM
To: dev@httpd.apache.org
Subject: Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56



I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.



fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem



On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem <rpl...@apache.org> wrote:

>

>

>

> On 3/5/23 10:31 PM, Eric Covener wrote:

> > Hi all,

> >

> > Please find below the proposed release tarball and signatures:

> >

> > https://dist.apache.org/repos/dist/dev/httpd/

> >

> > I would like to call a VOTE over the next few days to release

> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:

> > [X] +1: It's not just good, it's good enough!

> > [ ] +0: Let's have a talk.

> > [ ] -1: There's trouble in paradise. Here's what's wrong.

> >

> > The computed digests of the tarball up for vote are:

> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698

> > *httpd-2.4.56-rc1.tar.gz

> > sha512: 
> > 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724

> > *httpd-2.4.56-rc1.tar.gz

> >

> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.

> >

>

> Sigs and Hashes ok

> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3

>

> Regards

>

> Rüdiger







--

Eric Covener

cove...@gmail.com




Re: svn commit: r1908179 - /httpd/dev-tools/release/README

2023-03-07 Thread Eric Covener
the irony! Thanks.

On Tue, Mar 7, 2023 at 6:05 PM  wrote:
>
> Author: gbechis
> Date: Tue Mar  7 23:05:49 2023
> New Revision: 1908179
>
> URL: http://svn.apache.org/viewvc?rev=1908179=rev
> Log:
> typo
>
> Modified:
> httpd/dev-tools/release/README
>
> Modified: httpd/dev-tools/release/README
> URL: 
> http://svn.apache.org/viewvc/httpd/dev-tools/release/README?rev=1908179=1908178=1908179=diff
> ======
> --- httpd/dev-tools/release/README (original)
> +++ httpd/dev-tools/release/README Tue Mar  7 23:05:49 2023
> @@ -51,7 +51,7 @@ Usage overview:
>   and tweak as needed. g...@github.com:/apache/httpd-site has one-time 
> copies of CVE.json, edit and
>   commit and the site will be rebuilt immediately.
>
> - If CHANGES is really bad, cosnider replacing the various CHANGES files 
> on dist/httpd.
> + If CHANGES is really bad, consider replacing the various CHANGES files 
> on dist/httpd.
>
>   On vote failure or when aborting for other reasons:
> > $DEV_TOOLS/release/reset-candidate.sh version
>
>


-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-07 Thread Eric Covener
I am going to call this one early and proceed with the release. 9
binding +1 and no other votes.

fielding, covener, icing, gbechis, ylavic, jblond, jorton, steffenAL, rpluem

On Tue, Mar 7, 2023 at 3:18 AM Ruediger Pluem  wrote:
>
>
>
> On 3/5/23 10:31 PM, Eric Covener wrote:
> > Hi all,
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> > [X] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> > *httpd-2.4.56-rc1.tar.gz
> > sha512: 
> > 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> > *httpd-2.4.56-rc1.tar.gz
> >
> > The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> >
>
> Sigs and Hashes ok
> Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3
>
> Regards
>
> Rüdiger



-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-07 Thread Ruediger Pluem



On 3/5/23 10:31 PM, Eric Covener wrote:
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 
> 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
> 
> The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> 

Sigs and Hashes ok
Tested on RedHat 8 x86_64 with apr 1.7.2 / apr-util 1.6.3

Regards

Rüdiger


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread Steffen
+1 All looks fine on Windows. 

> On 5 Mar 2023, at 22:32, Eric Covener wrote the following:
> 
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 
> 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
> 
> The SVN candidate source is found at tags/2.4.56-rc1-candidate.
> 
> -- 
> Eric Covener
> cove...@gmail.com



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread Joe Orton
On Sun, Mar 05, 2023 at 04:31:34PM -0500, Eric Covener wrote:
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

+1, tests pass on RHEL 8+9 (x86_64), sigs good, thanks for RMing.

Seems there is some tweak required to get Actions to work for a tag 
which I will look into.

Regards, Joe



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread Mario Brandt

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
[x] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

+1


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread Yann Ylavic
On Sun, Mar 5, 2023 at 10:31 PM Eric Covener  wrote:
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:

+1: It's not just good, it's good enough!

All checksums/sigs and tests pass (Debian 11 & 12), thanks Eric for RMing.

Regards;
Yann.


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-06 Thread giovanni

On 3/5/23 22:31, Eric Covener wrote:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
*httpd-2.4.56-rc1.tar.gz
sha512: 
68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
*httpd-2.4.56-rc1.tar.gz


+1
tested on Fedora 37 and OpenBSD 7.2 and 7.3-beta
 Giovanni




Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-05 Thread Stefan Eissing via dev



> On 05.03.2023 at 22:31, Eric Covener wrote:
> 
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
> *httpd-2.4.56-rc1.tar.gz
> sha512: 
> 68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
> *httpd-2.4.56-rc1.tar.gz
> 
> The SVN candidate source is found at tags/2.4.56-rc1-candidate.

+1 

Darwin xxx 22.3.0 Darwin Kernel Version 22.3.0 (macOS ventura x86_64)

Thanks for RMing,

Stefan


> 
> -- 
> Eric Covener
> cove...@gmail.com



Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-05 Thread Eric Covener
On Sun, Mar 5, 2023 at 4:31 PM Eric Covener  wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [x] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

my +1 on ubuntu


Re: [VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-05 Thread Roy T. Fielding
> On Mar 5, 2023, at 1:31 PM, Eric Covener  wrote:
> 
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
> [X] +1: It's not just good, it's good enough!

Verified sigs, compiled and installed locally (Macbook Pro M1, macos Ventura 
13.2.1),
and tested around the relevant changes. Everything looks good.

+1 for release.

Roy T. Fielding



[VOTE] [VOTE] Release httpd-2.4.56-rc1 as httpd-2.4.56

2023-03-05 Thread Eric Covener
Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.56-rc1 as 2.4.56:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: db0d4c76007b231fd3ab41b580548dc798ae3844bb7c3d5ce1e4174ca2364698
*httpd-2.4.56-rc1.tar.gz
sha512: 
68b1e8c3e3436e6947c0ccfeee6fea83254560e4d43bddbc79a4206d804a6dda6662cf5734e0b2f4019ab5c1fff40141a16dd7698e8fe72b7fd343fbebd42724
*httpd-2.4.56-rc1.tar.gz

The SVN candidate source is found at tags/2.4.56-rc1-candidate.

-- 
Eric Covener
cove...@gmail.com
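
The digest block in the vote mail above wraps its sha512 entry over three lines and gets re-quoted with "> " prefixes in the replies. The following is an added example (not part of the thread or of the httpd release tooling) that parses that layout and checks files against it; the file name and bytes used in demo() are constructed.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Algorithms listed in the vote mail, with their hex digest lengths.
HEX_LEN = {"sha256": 64, "sha512": 128}
TOKEN = re.compile(
    r"\b(sha256|sha512):"        # algorithm label
    r"|(?<!\S)\*(\S+)"           # '*filename' (binary-mode marker)
    r"|\b([0-9a-fA-F]{32,})\b"   # hex digest
)


def parse_digest_block(text):
    """Return {(algorithm, filename): hexdigest} from a vote mail body.

    Quote markers ('> ', '>> ') are stripped and lines are joined first, so an
    entry split as 'sha512:' / '<hex>' / '*name' parses like a one-line entry.
    """
    lines = [re.sub(r"^(?:>\s?)+", "", ln).strip() for ln in text.splitlines()]
    entries, algo, digest = {}, None, None
    for m in TOKEN.finditer(" ".join(lines)):
        label, name, hexval = m.groups()
        if label:
            algo, digest = label, None
        elif hexval and algo and digest is None:
            digest = hexval.lower()
        elif name and algo and digest:
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest for {name} has wrong length")
            entries[(algo, name)] = digest
            algo = digest = None
    return entries


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_candidate(mail_text, directory):
    """Return {(algorithm, filename): 'ok' | 'mismatch' | 'missing'}."""
    results = {}
    for (algo, name), expected in parse_digest_block(mail_text).items():
        # The name comes from the mail: accept a bare file name only.
        if Path(name).name != name:
            raise ValueError(f"unexpected path in digest block: {name!r}")
        path = Path(directory) / name
        if not path.is_file():
            results[(algo, name)] = "missing"
        elif hmac.compare_digest(file_digest(path, algo), expected):
            results[(algo, name)] = "ok"
        else:
            results[(algo, name)] = "mismatch"
    return results


def demo():
    """Verify a constructed file against a constructed mail, then tamper."""
    with tempfile.TemporaryDirectory() as tmp:
        name = "example-1.0-rc1.tar.gz"  # constructed name, not a real release
        path = Path(tmp) / name
        path.write_bytes(b"constructed sample bytes\n")
        mail = (
            "> The computed digests of the tarball up for vote are:\n"
            f"> sha256: {file_digest(path, 'sha256')}\n"
            f"> *{name}\n"
            "> sha512: \n"
            f"> {file_digest(path, 'sha512')}\n"
            f"> *{name}\n"
        )
        before = verify_candidate(mail, tmp)
        path.write_bytes(b"tampered bytes\n")
        after = verify_candidate(mail, tmp)
    return before, after


if __name__ == "__main__":
    print(demo())
```

A matching digest only shows that the file is the one the mail describes; the voters in this thread also check the signatures.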


Re: [httpd-site] branch main updated: publishing release httpd-2.4.55

2023-01-17 Thread Daniel Gruno

On 2023-01-17 18:59, Eric Covener wrote:

Something is still subtly wrong here, the 2.4.55 section only has 1
entry instead of 3.
Will chat about it on #httpd on ASF slack.


We have addressed the immediate issue, and the page is rendering as 
intended, but we'll have to talk to the folks in charge of the cve 
process about the proper schema here, as ours may be a bit ... off.


TBD



On Tue, Jan 17, 2023 at 12:17 PM Daniel Gruno  wrote:


I have patched the system to deal with the inconsistencies, but those
should really be looked at. There seems to be a mix of "timeline"
entries that are not consistent throughout the dir (even when accounting
for v4.0 vs v5.0 CVE data), and those were throwing spanners into the
build process.

The CVE page should be back now, however.

On 2023-01-17 17:46, Eric Covener wrote:

Humbedooh is helping.

Note that the SVN repo is dead content, real content is in
g...@github.com:/apache/httpd-site

On Tue, Jan 17, 2023 at 11:39 AM Eric Covener  wrote:


I think it's 
https://svn.apache.org/repos/asf/httpd/site/trunk/content/security/cvejsontohtml.py
it hasn't been updated for the V5 JSON format, I misinterpreted Mark's mail.

I will try to make it tolerant of both.

On Tue, Jan 17, 2023 at 11:29 AM Ruediger Pluem  wrote:




On 1/17/23 5:16 PM, cove...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

covener pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/httpd-site.git


The following commit(s) were added to refs/heads/main by this push:
   new 83e7062  publishing release httpd-2.4.55
83e7062 is described below

commit 83e7062476d4a912f20ab275137b9587d441fdf0
Author: Eric Covener 
AuthorDate: Tue Jan 17 11:16:01 2023 -0500

  publishing release httpd-2.4.55
---
   content/doap.rdf  |   4 +-
   content/download.md   |  24 +++
   content/index.md  |   6 +-
   content/security/json/CVE-2006-20001.json | 110 
++
   content/security/json/CVE-2022-36760.json | 103 
   content/security/json/CVE-2022-37436.json |  88 


Looks like something went wrong as 
https://httpd.apache.org/security/vulnerabilities_24.html now results in a 404.

Regards

Rüdiger




--
Eric Covener
cove...@gmail.com













Re: [httpd-site] branch main updated: publishing release httpd-2.4.55

2023-01-17 Thread Eric Covener
Something is still subtly wrong here, the 2.4.55 section only has 1
entry instead of 3.
Will chat about it on #httpd on ASF slack.

On Tue, Jan 17, 2023 at 12:17 PM Daniel Gruno  wrote:
>
> I have patched the system to deal with the inconsistencies, but those
> should really be looked at. There seems to be a mix of "timeline"
> entries that are not consistent throughout the dir (even when accounting
> for v4.0 vs v5.0 CVE data), and those were throwing spanners into the
> build process.
>
> The CVE page should be back now, however.
>
> On 2023-01-17 17:46, Eric Covener wrote:
> > Humbedooh is helping.
> >
> > Note that the SVN repo is dead content, real content is in
> > g...@github.com:/apache/httpd-site
> >
> > On Tue, Jan 17, 2023 at 11:39 AM Eric Covener  wrote:
> >>
> >> I think it's 
> >> https://svn.apache.org/repos/asf/httpd/site/trunk/content/security/cvejsontohtml.py
> >> it hasn't been updated for the V5 JSON format, I misinterpreted Mark's 
> >> mail.
> >>
> >> I will try to make it tolerant of both.
> >>
> >> On Tue, Jan 17, 2023 at 11:29 AM Ruediger Pluem  wrote:
> >>>
> >>>
> >>>
> >>> On 1/17/23 5:16 PM, cove...@apache.org wrote:
> >>>> This is an automated email from the ASF dual-hosted git repository.
> >>>>
> >>>> covener pushed a commit to branch main
> >>>> in repository https://gitbox.apache.org/repos/asf/httpd-site.git
> >>>>
> >>>>
> >>>> The following commit(s) were added to refs/heads/main by this push:
> >>>>   new 83e7062  publishing release httpd-2.4.55
> >>>> 83e7062 is described below
> >>>>
> >>>> commit 83e7062476d4a912f20ab275137b9587d441fdf0
> >>>> Author: Eric Covener 
> >>>> AuthorDate: Tue Jan 17 11:16:01 2023 -0500
> >>>>
> >>>>  publishing release httpd-2.4.55
> >>>> ---
> >>>>   content/doap.rdf  |   4 +-
> >>>>   content/download.md   |  24 +++
> >>>>   content/index.md  |   6 +-
> >>>>   content/security/json/CVE-2006-20001.json | 110 
> >>>> ++
> >>>>   content/security/json/CVE-2022-36760.json | 103 
> >>>> 
> >>>>   content/security/json/CVE-2022-37436.json |  88 
> >>>> 
> >>>
> >>> Looks like something went wrong as 
> >>> https://httpd.apache.org/security/vulnerabilities_24.html now results in 
> >>> a 404.
> >>>
> >>> Regards
> >>>
> >>> Rüdiger
> >>>
> >>
> >>
> >> --
> >> Eric Covener
> >> cove...@gmail.com
> >
> >
> >
>


-- 
Eric Covener
cove...@gmail.com


Re: [httpd-site] branch main updated: publishing release httpd-2.4.55

2023-01-17 Thread Daniel Gruno
I have patched the system to deal with the inconsistencies, but those 
should really be looked at. There seems to be a mix of "timeline" 
entries that are not consistent throughout the dir (even when accounting 
for v4.0 vs v5.0 CVE data), and those were throwing spanners into the 
build process.


The CVE page should be back now, however.

On 2023-01-17 17:46, Eric Covener wrote:

Humbedooh is helping.

Note that the SVN repo is dead content, real content is in
g...@github.com:/apache/httpd-site

On Tue, Jan 17, 2023 at 11:39 AM Eric Covener  wrote:


I think it's 
https://svn.apache.org/repos/asf/httpd/site/trunk/content/security/cvejsontohtml.py
it hasn't been updated for the V5 JSON format, I misinterpreted Mark's mail.

I will try to make it tolerant of both.

On Tue, Jan 17, 2023 at 11:29 AM Ruediger Pluem  wrote:




On 1/17/23 5:16 PM, cove...@apache.org wrote:

This is an automated email from the ASF dual-hosted git repository.

covener pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/httpd-site.git


The following commit(s) were added to refs/heads/main by this push:
  new 83e7062  publishing release httpd-2.4.55
83e7062 is described below

commit 83e7062476d4a912f20ab275137b9587d441fdf0
Author: Eric Covener 
AuthorDate: Tue Jan 17 11:16:01 2023 -0500

 publishing release httpd-2.4.55
---
  content/doap.rdf  |   4 +-
  content/download.md   |  24 +++
  content/index.md  |   6 +-
  content/security/json/CVE-2006-20001.json | 110 ++
  content/security/json/CVE-2022-36760.json | 103 
  content/security/json/CVE-2022-37436.json |  88 


Looks like something went wrong as 
https://httpd.apache.org/security/vulnerabilities_24.html now results in a 404.

Regards

Rüdiger




--
Eric Covener
cove...@gmail.com








Re: [httpd-site] branch main updated: publishing release httpd-2.4.55

2023-01-17 Thread Eric Covener
Humbedooh is helping.

Note that the SVN repo is dead content, real content is in
g...@github.com:/apache/httpd-site

On Tue, Jan 17, 2023 at 11:39 AM Eric Covener  wrote:
>
> I think it's 
> https://svn.apache.org/repos/asf/httpd/site/trunk/content/security/cvejsontohtml.py
> it hasn't been updated for the V5 JSON format, I misinterpreted Mark's mail.
>
> I will try to make it tolerant of both.
>
> On Tue, Jan 17, 2023 at 11:29 AM Ruediger Pluem  wrote:
> >
> >
> >
> > On 1/17/23 5:16 PM, cove...@apache.org wrote:
> > > This is an automated email from the ASF dual-hosted git repository.
> > >
> > > covener pushed a commit to branch main
> > > in repository https://gitbox.apache.org/repos/asf/httpd-site.git
> > >
> > >
> > > The following commit(s) were added to refs/heads/main by this push:
> > >  new 83e7062  publishing release httpd-2.4.55
> > > 83e7062 is described below
> > >
> > > commit 83e7062476d4a912f20ab275137b9587d441fdf0
> > > Author: Eric Covener 
> > > AuthorDate: Tue Jan 17 11:16:01 2023 -0500
> > >
> > > publishing release httpd-2.4.55
> > > ---
> > >  content/doap.rdf  |   4 +-
> > >  content/download.md   |  24 +++
> > >  content/index.md  |   6 +-
> > >  content/security/json/CVE-2006-20001.json | 110 
> > > ++
> > >  content/security/json/CVE-2022-36760.json | 103 
> > > 
> > >  content/security/json/CVE-2022-37436.json |  88 
> >
> > Looks like something went wrong as 
> > https://httpd.apache.org/security/vulnerabilities_24.html now results in a 
> > 404.
> >
> > Regards
> >
> > Rüdiger
> >
>
>
> --
> Eric Covener
> cove...@gmail.com



-- 
Eric Covener
cove...@gmail.com


Re: [httpd-site] branch main updated: publishing release httpd-2.4.55

2023-01-17 Thread Eric Covener
I think it's 
https://svn.apache.org/repos/asf/httpd/site/trunk/content/security/cvejsontohtml.py
it hasn't been updated for the V5 JSON format, I misinterpreted Mark's mail.

I will try to make it tolerant of both.

On Tue, Jan 17, 2023 at 11:29 AM Ruediger Pluem  wrote:
>
>
>
> On 1/17/23 5:16 PM, cove...@apache.org wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > covener pushed a commit to branch main
> > in repository https://gitbox.apache.org/repos/asf/httpd-site.git
> >
> >
> > The following commit(s) were added to refs/heads/main by this push:
> >  new 83e7062  publishing release httpd-2.4.55
> > 83e7062 is described below
> >
> > commit 83e7062476d4a912f20ab275137b9587d441fdf0
> > Author: Eric Covener 
> > AuthorDate: Tue Jan 17 11:16:01 2023 -0500
> >
> > publishing release httpd-2.4.55
> > ---
> >  content/doap.rdf  |   4 +-
> >  content/download.md   |  24 +++
> >  content/index.md  |   6 +-
> >  content/security/json/CVE-2006-20001.json | 110 
> > ++
> >  content/security/json/CVE-2022-36760.json | 103 
> > 
> >  content/security/json/CVE-2022-37436.json |  88 
>
> Looks like something went wrong as 
> https://httpd.apache.org/security/vulnerabilities_24.html now results in a 
> 404.
>
> Regards
>
> Rüdiger
>


-- 
Eric Covener
cove...@gmail.com
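
The messages above describe a page build that broke on a mix of v4.0 and v5.0 CVE JSON with inconsistent "timeline" entries. The following is an added example (not cvejsontohtml.py and not the fix that was applied) of reading both layouts without letting one bad entry stop the build. It assumes that v4 files carry "timeline" as a top-level list and v5 files under containers.cna; the sample records and CVE IDs are constructed.

```python
from datetime import datetime


def _pick_english(entries):
    """v4 tags English as 'eng', v5 as 'en'; fall back to the first entry."""
    usable = [e for e in entries if isinstance(e, dict) and "value" in e]
    for e in usable:
        if str(e.get("lang", "")).lower().startswith("en"):
            return e["value"]
    return usable[0]["value"] if usable else None


def _clean_timeline(entries):
    """Return (sorted [(date, text)], skipped_count) without raising."""
    good, skipped = [], 0
    for e in entries if isinstance(entries, list) else []:
        try:
            stamp = str(e["time"]).replace("Z", "+00:00")
            day = datetime.fromisoformat(stamp).date().isoformat()
            good.append((day, str(e["value"])))
        except (KeyError, TypeError, ValueError):
            skipped += 1  # entry without a usable time/value: count, don't crash
    return sorted(good), skipped


def normalize_cve(record):
    """Map a CVE JSON 4.0 or 5.x record onto one flat dict."""
    if "cveMetadata" in record:                      # CVE JSON 5.x
        cna = record.get("containers", {}).get("cna", {})
        fmt, cve_id = "5", record["cveMetadata"].get("cveId")
        title = cna.get("title")
        descs = cna.get("descriptions", [])
        raw_timeline = cna.get("timeline", [])
    elif "CVE_data_meta" in record:                  # CVE JSON 4.0
        meta = record["CVE_data_meta"]
        fmt, cve_id = "4", meta.get("ID")
        title = meta.get("TITLE")
        descs = record.get("description", {}).get("description_data", [])
        raw_timeline = record.get("timeline", [])    # assumption: top-level list
    else:
        raise ValueError("not a CVE JSON 4.0 or 5.x record")
    timeline, skipped = _clean_timeline(raw_timeline)
    return {
        "id": cve_id,
        "format": fmt,
        "title": title,
        "description": _pick_english(descs),
        "timeline": timeline,
        "skipped_timeline": skipped,
    }


# Constructed sample records (IDs and text are placeholders).
V4_SAMPLE = {
    "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-0000-0001", "TITLE": "constructed v4 title"},
    "description": {"description_data": [
        {"lang": "eng", "value": "constructed v4 description"}]},
    "timeline": [
        {"time": "2023-01-10", "lang": "eng", "value": "fixed"},
        {"lang": "eng", "value": "entry with no time"},
        {"time": "2022-12-01", "lang": "eng", "value": "reported"},
    ],
}
V5_SAMPLE = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-0000-0002"},
    "containers": {"cna": {
        "title": "constructed v5 title",
        "descriptions": [{"lang": "en", "value": "constructed v5 description"}],
        "timeline": [
            {"time": "2023-01-17T16:16:01Z", "lang": "en", "value": "released"},
            "not a timeline object",
        ],
    }},
}

if __name__ == "__main__":
    for sample in (V4_SAMPLE, V5_SAMPLE):
        print(normalize_cve(sample))
```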


Re: [httpd-site] branch main updated: publishing release httpd-2.4.55

2023-01-17 Thread Ruediger Pluem



On 1/17/23 5:16 PM, cove...@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
> 
> covener pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/httpd-site.git
> 
> 
> The following commit(s) were added to refs/heads/main by this push:
>  new 83e7062  publishing release httpd-2.4.55
> 83e7062 is described below
> 
> commit 83e7062476d4a912f20ab275137b9587d441fdf0
> Author: Eric Covener 
> AuthorDate: Tue Jan 17 11:16:01 2023 -0500
> 
> publishing release httpd-2.4.55
> ---
>  content/doap.rdf  |   4 +-
>  content/download.md   |  24 +++
>  content/index.md  |   6 +-
>  content/security/json/CVE-2006-20001.json | 110 
> ++
>  content/security/json/CVE-2022-36760.json | 103 
>  content/security/json/CVE-2022-37436.json |  88 

Looks like something went wrong as 
https://httpd.apache.org/security/vulnerabilities_24.html now results in a 404.

Regards

Rüdiger



Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-16 Thread Eric Covener
Vote, passes w/ 6 binding +1 and no -1:

+1 covener, jorton, icing, ylavic, jim, gbechis

I will continue the release process tomorrow.

On Tue, Jan 10, 2023 at 8:40 AM Eric Covener  wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> The computed digests of the tarball up for vote are:
> sha256: 5276ea8bc6fff31eed5c82132ae51a0b2ee05f9e6b61a00fa877f6cadab3b638
> *httpd-2.4.55-rc1.tar.gz
> sha512: 
> ca0d03b5e74078977378fe711ca3ed8cf63c109b7dbe73f2c43f7f30f7e522bbe46f93189a183b7675394d57fffb0c2526facd8d40508be984a7a8f64d18f8d6
> *httpd-2.4.55-rc1.tar.gz
>
> The SVN candidate source is found at tags/2.4.55-rc1-candidate.
>
> --
> Eric Covener
> cove...@gmail.com



-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-12 Thread Rainer Jung
Not a showstopper, but: srclib/apr/configure was again generated with 
autoconf 2.70+ (2.71). This triggers a bug which is fixed in APR 1.7.x 
head, but the fix has not been released as there was no APR release for 
almost 4 years now.


Since the bundled APR/APU are not actually part of the release, for me 
this is not a show stopper. I just wanted to note the defect in case 
others are wondering why the bundled APR cannot be built using configure.


Technical details:

configure: error: could not determine the string function for int64_t

It comes from defining some things once in conftest.c and again in the 
included confdefs.h.


Some pointers:

https://github.com/apache/apr/pull/25
https://github.com/apache/apr/commit/a15958a37a06f71c42c690278f9c958b93b7ee20
https://github.com/apache/apr/commit/e0197912a5438b3836ce2e76371f01e289d82931

https://www.mail-archive.com/bug-autoconf@gnu.org/msg04695.html

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97998

Best regards,

Rainer

On 10.01.23 at 14:40, Eric Covener wrote:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: 5276ea8bc6fff31eed5c82132ae51a0b2ee05f9e6b61a00fa877f6cadab3b638
*httpd-2.4.55-rc1.tar.gz
sha512: 
ca0d03b5e74078977378fe711ca3ed8cf63c109b7dbe73f2c43f7f30f7e522bbe46f93189a183b7675394d57fffb0c2526facd8d40508be984a7a8f64d18f8d6
*httpd-2.4.55-rc1.tar.gz

The SVN candidate source is found at tags/2.4.55-rc1-candidate.


Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-11 Thread Christophe JAILLET

On 11/01/2023 at 10:05, Stefan Eissing via dev wrote:

Nearly all mod_tls in error (likely something missing in my conf)


Not here. Do you have any more information on those failures?



Still don't have time to spend some minutes on it, but:
  configure:35461: checking whether to enable mod_tls
  configure:35521: result: checking dependencies
  configure:35526: checking for rustls
  configure:35538: checking for user-provided rustls base directory
  configure:35552: result: none

looks a good starting point for: (likely something missing in my conf*)

CJ

(* conf being whatever from *.conf, --configure, apt install 
, ...)




Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-11 Thread Jim Jagielski



> On Jan 10, 2023, at 8:40 AM, Eric Covener  wrote:
> 
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 

+1!

Tested:

  macOS 12.6.2 / Xcode 14.2
  Ubuntu 20.04LTS
  CentOS 7

Thanks for RMing.

Cheers!


Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-11 Thread giovanni

On 1/10/23 14:40, Eric Covener wrote:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.55-rc1 as 2.4.55

+1 for release
looks fine on OpenBSD 7.2 and CentOS8-Stream (x86_64),
thank you for RMing.
 Giovanni




Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-11 Thread Stefan Eissing via dev



> On 11.01.2023 at 15:50, Yann Ylavic wrote:
> 
> On Wed, Jan 11, 2023 at 10:10 AM Stefan Eissing via dev
>  wrote:
>> 
>>> On 10.01.2023 at 22:39, Christophe JAILLET wrote:
>>> 
>>> 1 issue with pytest:
>>>  test/modules/http2/test_600_h2proxy.py .F
>>> (details at the end of the mail)
>>> 
>>> Don't know if expected or not. Some pytest commits are only in trunk and 
>>> have not been backported to 2.4.x. I don't know if it is linked to this 
>>> failing test.
>> 
>> This one works on my machine(tm). Odd indeed. This tries to verify proxy 
>> behaviour in regard to "enable_reuse" and var substitution in the urls 
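>> authority. See <https://github.com/icing/mod_h2/issues/235>, discussed 
>> further in <https://lists.apache.org/thread/tlzfbvopg5k61nz8mhjq518oowkmm43f>.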
>> 
>> The test has a flexible proxypass using a part of the path to construct the 
>> backend url. Accessing first one path and then the other creates backend 
>> urls with different port numbers. Those backend resources produce a JSON 
>> response carrying the port number used.
>> 
>> With "enable_reuse=on" the test expects the backend connection from the 
>> first request to be reused on the second, therefore producing a JSON that 
>> carries the first port number and not the second.
> 
> Does curl reuse the same connection (keepalive) for the two requests?
> Otherwise I think we need "ServerLimit 1" or something for the test to
> be reliable, because the two requests could be handled by two
> different child processes due to TCP queuing/scheduling (and the
> backend connection would not be reused obviously).

Good point. We could limit the server count in this test to avoid contacting 
the "other" instance.

For the vote: I see no impact here. Code is behaving as it should, the test is 
not reliable.

Cheers,
Stefan

Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-11 Thread Eric Covener
On Wed, Jan 11, 2023 at 9:51 AM Yann Ylavic  wrote:
>
> On Wed, Jan 11, 2023 at 10:10 AM Stefan Eissing via dev
>  wrote:
> >
> > > On 10.01.2023 at 22:39, Christophe JAILLET wrote:
> > >
> > > 1 issue with pytest:
> > >   test/modules/http2/test_600_h2proxy.py .F
> > > (details at the end of the mail)
> > >
> > > Don't know if expected or not. Some pytest commits are only in trunk and 
> > > have not been backported to 2.4.x. I don't know if it is linked to this 
> > > failing test.
> >
> > This one works on my machine(tm). Odd indeed. This tries to verify proxy 
> > behaviour in regard to "enable_reuse" and var substitution in the urls 
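> > authority. See <https://github.com/icing/mod_h2/issues/235>, discussed 
> > further in <https://lists.apache.org/thread/tlzfbvopg5k61nz8mhjq518oowkmm43f>.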
> >
> > The test has a flexible proxypass using a part of the path to construct the 
> > backend url. Accessing first one path and then the other creates backend 
> > urls with different port numbers. Those backend resources produce a JSON 
> > response carrying the port number used.
> >
> > With "enable_reuse=on" the test expects the backend connection from the 
> > first request to be reused on the second, therefore producing a JSON that 
> > carries the first port number and not the second.
>
> Does curl reuse the same connection (keepalive) for the two requests?
> Otherwise I think we need "ServerLimit 1" or something for the test to
> be reliable, because the two requests could be handled by two
> different child processes due to TCP queuing/scheduling (and the
> backend connection would not be reused obviously).

Looks like no as they are two one-shot curl executable calls,  but
from grepping around the framework does have the easy ability to
append to the config and restart for a test.

-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-11 Thread Yann Ylavic
On Wed, Jan 11, 2023 at 10:10 AM Stefan Eissing via dev
 wrote:
>
> > On 10.01.2023 at 22:39, Christophe JAILLET wrote:
> >
> > 1 issue with pytest:
> >   test/modules/http2/test_600_h2proxy.py .F
> > (details at the end of the mail)
> >
> > Don't know if expected or not. Some pytest commits are only in trunk and 
> > have not been backported to 2.4.x. I don't know if it is linked to this 
> > failing test.
>
> This one works on my machine(tm). Odd indeed. This tries to verify proxy 
> behaviour in regard to "enable_reuse" and var substitution in the urls 
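> authority. See <https://github.com/icing/mod_h2/issues/235>, discussed 
> further in <https://lists.apache.org/thread/tlzfbvopg5k61nz8mhjq518oowkmm43f>.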
>
> The test has a flexible proxypass using a part of the path to construct the 
> backend url. Accessing first one path and then the other creates backend urls 
> with different port numbers. Those backend resources produce a JSON response 
> carrying the port number used.
>
> With "enable_reuse=on" the test expects the backend connection from the first 
> request to be reused on the second, therefore producing a JSON that carries 
> the first port number and not the second.

Does curl reuse the same connection (keepalive) for the two requests?
Otherwise I think we need "ServerLimit 1" or something for the test to
be reliable, because the two requests could be handled by two
different child processes due to TCP queuing/scheduling (and the
backend connection would not be reused obviously).


Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-11 Thread Yann Ylavic
On Tue, Jan 10, 2023 at 2:41 PM Eric Covener  wrote:
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.55-rc1 as 2.4.55:

+1 on Debian 11 & 12, thanks Eric for RMing.

Regards;
Yann.


Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-11 Thread Stefan Eissing via dev
I am +1 on my macOS testing of the candidate.


Addressing the findings from Christophe:

> On 10.01.2023 at 22:39, Christophe JAILLET wrote:
> 
> On 10/01/2023 at 14:40, Eric Covener wrote:
>> Hi all,
>> Please find below the proposed release tarball and signatures:
>> https://dist.apache.org/repos/dist/dev/httpd/
>> I would like to call a VOTE over the next few days to release
>> this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
>> [ ] +1: It's not just good, it's good enough!
>> [X] +0: Let's have a talk.
>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>> The computed digests of the tarball up for vote are:
>> sha256: 5276ea8bc6fff31eed5c82132ae51a0b2ee05f9e6b61a00fa877f6cadab3b638
>> *httpd-2.4.55-rc1.tar.gz
>> sha512: 
>> ca0d03b5e74078977378fe711ca3ed8cf63c109b7dbe73f2c43f7f30f7e522bbe46f93189a183b7675394d57fffb0c2526facd8d40508be984a7a8f64d18f8d6
>> *httpd-2.4.55-rc1.tar.gz
>> The SVN candidate source is found at tags/2.4.55-rc1-candidate.
> 
> +0
> 
> 
> Tested only with event.
> 
> All good, as usual with the perl framework
> 
> 
> 1 issue with pytest:
>   test/modules/http2/test_600_h2proxy.py .F
> (details at the end of the mail)
> 
> Don't know if expected or not. Some pytest commits are only in trunk and have 
> not been backported to 2.4.x. I don't know if it is linked to this failing 
> test.

This one works on my machine(tm). Odd indeed. This tries to verify proxy 
behaviour in regard to "enable_reuse" and var substitution in the urls 
authority. See <https://github.com/icing/mod_h2/issues/235>, discussed further 
in <https://lists.apache.org/thread/tlzfbvopg5k61nz8mhjq518oowkmm43f>.

The test has a flexible proxypass using a part of the path to construct the 
backend url. Accessing first one path and then the other creates backend urls 
with different port numbers. Those backend resources produce a JSON response 
carrying the port number used.

With "enable_reuse=on" the test expects the backend connection from the first 
request to be reused on the second, therefore producing a JSON that carries the 
first port number and not the second.

> Most of mod_md tests skipped (likely something missing in my conf)
There are test cases in mod_md that work with the a2md executable, not built 
via httpd. Maybe I should just remove them to avoid this confusion. The other 
skipped test cases are related to the ACME test server one has. The default one 
(pebble) has no OCSP support and skips therefore those tests.


> Nearly all mod_tls in error (likely something missing in my conf)

Not here. Do you have any more information on those failures?

> I won't have time to investigate further, but only the failure in 
> test_600_h2proxy looks odd to me.
> So I just report it and vote +0.
> 
> 
> 
> Tested with:
> Linux pop-os 6.0.6
> gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
> OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
>  libssl-dev 3.0.2
>  libbrotli-dev 1.0.9
>  libjansson-dev 2.13.1
>  libnghttp2-dev 1.43.0
>  libpcre2-dev 10.39
>  liblua5.3-dev 5.3.6
>  libsystemd-dev 249.11
>  libldap-dev 2.5.13+dfsg
>  libldap2-dev 2.5.13+dfsg
>  libxml2-dev 2.9.13+dfsg
>  libcurl4-openssl-dev 7.81.0
> 
> 
> 
> __ TestH2Proxy.test_h2_600_05[on] ___
> 
> self = , env = 
> , enable_reuse = 'on'
> 
>     @pytest.mark.parametrize("enable_reuse", [ "on", "off" ])
>     def test_h2_600_05(self, env, enable_reuse):
>         conf = H2Conf(env, extras={
>             f'cgi.{env.http_tld}': [
>                 f"ProxyPassMatch ^/h2proxy/([0-9]+)/(.*)$ "
>                 f"  h2c://127.0.0.1:$1/$2 enablereuse={enable_reuse} keepalive=on",
>             ]
>         })
>         conf.add_vhost_cgi()
>         conf.add([
>             f'Listen {env.http_port2}',
>             'UseCanonicalName On',
>             'UseCanonicalPhysicalPort On'
>         ])
>         conf.start_vhost(domains=[f'cgi.{env.http_tld}'],
>                          port=5004, doc_root="htdocs/cgi")
>         conf.add("AddHandler cgi-script .py")
>         conf.end_vhost()
>         conf.install()
>         assert env.apache_restart() == 0
>         url = env.mkurl("https", "cgi", f"/h2proxy/{env.http_port}/hello.py")
>         r = env.curl_get(url, 5)
>         assert r.response["status"] == 200
>         assert int(r.json["port"]) == env.http_port
>         # going to another backend port must create a new connection and
>         # we should see stream id one again
>         url = env.mkurl("https", "cgi", f"/h2proxy/{env.http_port2}/hello.py")
>         r = env.curl_get(url, 5)
>         assert r.response["status"] == 200
>         exp_port = env.http_port if enable_reuse == "on" else env.http_port2
> >       assert int(r.json["port"]) == exp_port
> E       AssertionError: assert 5004 == 5002
> E        +  where 5004 = int('5004')
> 



Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-10 Thread Christophe JAILLET

On 10/01/2023 at 14:40, Eric Covener wrote:

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
[ ] +1: It's not just good, it's good enough!
[X] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: 5276ea8bc6fff31eed5c82132ae51a0b2ee05f9e6b61a00fa877f6cadab3b638
*httpd-2.4.55-rc1.tar.gz
sha512: 
ca0d03b5e74078977378fe711ca3ed8cf63c109b7dbe73f2c43f7f30f7e522bbe46f93189a183b7675394d57fffb0c2526facd8d40508be984a7a8f64d18f8d6
*httpd-2.4.55-rc1.tar.gz

The SVN candidate source is found at tags/2.4.55-rc1-candidate.



+0


Tested only with event.

All good, as usual with the perl framework


1 issue with pytest:
   test/modules/http2/test_600_h2proxy.py .F
(details at the end of the mail)

Don't know if expected or not. Some pytest commits are only in trunk and 
have not been backported to 2.4.x. I don't know if it is linked to this 
failing test.


Most of mod_md tests skipped (likely something missing in my conf)
Nearly all mod_tls in error (likely something missing in my conf)

I won't have time to investigate further, but only the failure in 
test_600_h2proxy looks odd to me.

So I just report it and vote +0.



Tested with:
Linux pop-os 6.0.6
gcc (Ubuntu 11.3.0-1ubuntu1~22.04) 11.3.0
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
  libssl-dev 3.0.2
  libbrotli-dev 1.0.9
  libjansson-dev 2.13.1
  libnghttp2-dev 1.43.0
  libpcre2-dev 10.39
  liblua5.3-dev 5.3.6
  libsystemd-dev 249.11
  libldap-dev 2.5.13+dfsg
  libldap2-dev 2.5.13+dfsg
  libxml2-dev 2.9.13+dfsg
  libcurl4-openssl-dev 7.81.0



__ TestH2Proxy.test_h2_600_05[on] ___


self = , 
env = , enable_reuse = 'on'


    @pytest.mark.parametrize("enable_reuse", [ "on", "off" ])
    def test_h2_600_05(self, env, enable_reuse):
        conf = H2Conf(env, extras={
            f'cgi.{env.http_tld}': [
                f"ProxyPassMatch ^/h2proxy/([0-9]+)/(.*)$ "
                f"  h2c://127.0.0.1:$1/$2 enablereuse={enable_reuse} keepalive=on",
            ]
        })
        conf.add_vhost_cgi()
        conf.add([
            f'Listen {env.http_port2}',
            'UseCanonicalName On',
            'UseCanonicalPhysicalPort On'
        ])
        conf.start_vhost(domains=[f'cgi.{env.http_tld}'],
                         port=5004, doc_root="htdocs/cgi")
        conf.add("AddHandler cgi-script .py")
        conf.end_vhost()
        conf.install()
        assert env.apache_restart() == 0
        url = env.mkurl("https", "cgi", f"/h2proxy/{env.http_port}/hello.py")
        r = env.curl_get(url, 5)
        assert r.response["status"] == 200
        assert int(r.json["port"]) == env.http_port
        # going to another backend port must create a new connection and
        # we should see stream id one again
        url = env.mkurl("https", "cgi", f"/h2proxy/{env.http_port2}/hello.py")
        r = env.curl_get(url, 5)
        assert r.response["status"] == 200
        exp_port = env.http_port if enable_reuse == "on" else env.http_port2
>       assert int(r.json["port"]) == exp_port
E       AssertionError: assert 5004 == 5002
E        +  where 5004 = int('5004')



Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-10 Thread SteffenAL


Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-10 Thread Joe Orton
On Tue, Jan 10, 2023 at 10:21:55AM -0500, Eric Covener wrote:
> On Tue, Jan 10, 2023 at 10:17 AM Giovanni Bechis  wrote:
...
> > In file included from /usr/include/openssl/asn1.h:27,
> >  from /usr/include/openssl/rsa.h:21,
> >  from ab.c:169:
> > /usr/include/openssl/bio.h:279:28: note: declared here
> >   279 | OSSL_DEPRECATEDIN_3_0 void BIO_set_callback(BIO *b, BIO_callback_fn 
> > callback);
> >   |^~~~
> > cc1: all warnings being treated as errors
> > -
> >
> > Is this considered a blocker ?
> > This can be worked around by building with different "-Werror" options.
> >  Giovanni
> 
> I think it's a known issue in ab.c and openssl 3.0
> I think no regression, no veto -- but everyone's vote (beyond veto) is
> their own. AFAIK it has been there since 3.0 toleration was added.

Yup - there are many more deprecation warnings in mod_ssl itself too 
when building against OpenSSL 3.x. Some of them are worthwhile fixing 
but IIRC some looked quite involved to fix.

> I was going to send an email on this one, reminded by the recent
> Actions CI activity.  I think we could drop the -wno-error-deprecated
> from CI if ab.c was either fixed or maybe had something in its build
> to set this itself. That way deprecated stuff sneaking in elsewhere
> would not be suppressed in maintainer mode.

Adding -Wno-deprecated-declarations or -Wno-error-etc is probably a good 
idea for all OpenSSL 3 builds, yeah.

Regards, Joe



Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-10 Thread Eric Covener
On Tue, Jan 10, 2023 at 10:17 AM Giovanni Bechis  wrote:
>
> On Tue, Jan 10, 2023 at 08:40:52AM -0500, Eric Covener wrote:
> > Hi all,
> >
> > Please find below the proposed release tarball and signatures:
> >
> > https://dist.apache.org/repos/dist/dev/httpd/
> >
> > I would like to call a VOTE over the next few days to release
> > this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
> > [ ] +1: It's not just good, it's good enough!
> > [ ] +0: Let's have a talk.
> > [ ] -1: There's trouble in paradise. Here's what's wrong.
> >
> > The computed digests of the tarball up for vote are:
> > sha256: 5276ea8bc6fff31eed5c82132ae51a0b2ee05f9e6b61a00fa877f6cadab3b638
> > *httpd-2.4.55-rc1.tar.gz
> > sha512: 
> > ca0d03b5e74078977378fe711ca3ed8cf63c109b7dbe73f2c43f7f30f7e522bbe46f93189a183b7675394d57fffb0c2526facd8d40508be984a7a8f64d18f8d6
> > *httpd-2.4.55-rc1.tar.gz
> >
> > The SVN candidate source is found at tags/2.4.55-rc1-candidate.
> >
> on Fedora 37 (gcc 12.2.1 or clang 15.0.6) build fails with:
> -
> /usr/lib64/apr-1/build/libtool --silent --mode=compile gcc-std=c89 
> -Werror -Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
> -Wdeclaration-after-statement -Wpointer-arith -Wformat -Wformat-security 
> -Wunused -DLINUX -D_REENTRANT -D_GNU_SOURCE -DAP_DEBUG  \
>   -I. -I [...]/httpd/httpd-2.4/modules/mappers  -prefer-non-pic -static 
> -c ab.c && touch ab.lo
> ab.c: In function 'ssl_proceed_handshake':
> ab.c:769:25: error: 'EVP_PKEY_get1_EC_KEY' is deprecated: Since OpenSSL 3.0 
> [-Werror=deprecated-declarations]
>   769 | EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
>   | ^~
> In file included from /usr/include/openssl/x509.h:29,
>  from ab.c:171:
> /usr/include/openssl/evp.h:1374:19: note: declared here
>  1374 | struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
>   |   ^~~~
> ab.c:770:25: error: 'EC_KEY_get0_group' is deprecated: Since OpenSSL 3.0 
> [-Werror=deprecated-declarations]
>   770 | int nid = 
> EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
>   | ^~~
> In file included from /usr/include/openssl/x509.h:33:
> /usr/include/openssl/ec.h:1034:39: note: declared here
>  1034 | OSSL_DEPRECATEDIN_3_0 const EC_GROUP *EC_KEY_get0_group(const EC_KEY 
> *key);
>   |   ^
> ab.c:771:25: error: 'EC_KEY_free' is deprecated: Since OpenSSL 3.0 
> [-Werror=deprecated-declarations]
>   771 | EC_KEY_free(ec);
>   | ^~~
> /usr/include/openssl/ec.h:1003:28: note: declared here
>  1003 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
>   |^~~
> ab.c: In function 'start_connect':
> ab.c:1431:13: error: 'BIO_set_callback' is deprecated: Since OpenSSL 3.0 
> [-Werror=deprecated-declarations]
>  1431 | BIO_set_callback(bio, ssl_print_cb);
>   | ^~~~
> In file included from /usr/include/openssl/asn1.h:27,
>  from /usr/include/openssl/rsa.h:21,
>  from ab.c:169:
> /usr/include/openssl/bio.h:279:28: note: declared here
>   279 | OSSL_DEPRECATEDIN_3_0 void BIO_set_callback(BIO *b, BIO_callback_fn 
> callback);
>   |^~~~
> cc1: all warnings being treated as errors
> -
>
> Is this considered a blocker ?
> This can be worked around by building with different "-Werror" options.
>  Giovanni

I think it's a known issue in ab.c and openssl 3.0
I think no regression, no veto -- but everyone's vote (beyond veto) is
their own. AFAIK it has been there since 3.0 toleration was added.

I was going to send an email on this one, reminded by the recent
Actions CI activity.  I think we could drop the -wno-error-deprecated
from CI if ab.c was either fixed or maybe had something in its build
to set this itself. That way deprecated stuff sneaking in elsewhere
would not be suppressed in maintainer mode.

-- 
Eric Covener
cove...@gmail.com


Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-10 Thread Giovanni Bechis
On Tue, Jan 10, 2023 at 08:40:52AM -0500, Eric Covener wrote:
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: 5276ea8bc6fff31eed5c82132ae51a0b2ee05f9e6b61a00fa877f6cadab3b638
> *httpd-2.4.55-rc1.tar.gz
> sha512: 
> ca0d03b5e74078977378fe711ca3ed8cf63c109b7dbe73f2c43f7f30f7e522bbe46f93189a183b7675394d57fffb0c2526facd8d40508be984a7a8f64d18f8d6
> *httpd-2.4.55-rc1.tar.gz
> 
> The SVN candidate source is found at tags/2.4.55-rc1-candidate.
> 
on Fedora 37 (gcc 12.2.1 or clang 15.0.6) build fails with:
-
/usr/lib64/apr-1/build/libtool --silent --mode=compile gcc-std=c89 -Werror 
-Wall -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations 
-Wdeclaration-after-statement -Wpointer-arith -Wformat -Wformat-security 
-Wunused -DLINUX -D_REENTRANT -D_GNU_SOURCE -DAP_DEBUG  \
  -I. -I [...]/httpd/httpd-2.4/modules/mappers  -prefer-non-pic -static -c 
ab.c && touch ab.lo
ab.c: In function 'ssl_proceed_handshake':
ab.c:769:25: error: 'EVP_PKEY_get1_EC_KEY' is deprecated: Since OpenSSL 3.0 
[-Werror=deprecated-declarations]
  769 | EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
  | ^~
In file included from /usr/include/openssl/x509.h:29,
 from ab.c:171:
/usr/include/openssl/evp.h:1374:19: note: declared here
 1374 | struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
  |   ^~~~
ab.c:770:25: error: 'EC_KEY_get0_group' is deprecated: Since OpenSSL 3.0 
[-Werror=deprecated-declarations]
  770 | int nid = 
EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
  | ^~~
In file included from /usr/include/openssl/x509.h:33:
/usr/include/openssl/ec.h:1034:39: note: declared here
 1034 | OSSL_DEPRECATEDIN_3_0 const EC_GROUP *EC_KEY_get0_group(const EC_KEY 
*key);
  |   ^
ab.c:771:25: error: 'EC_KEY_free' is deprecated: Since OpenSSL 3.0 
[-Werror=deprecated-declarations]
  771 | EC_KEY_free(ec);
  | ^~~
/usr/include/openssl/ec.h:1003:28: note: declared here
 1003 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
  |^~~
ab.c: In function 'start_connect':
ab.c:1431:13: error: 'BIO_set_callback' is deprecated: Since OpenSSL 3.0 
[-Werror=deprecated-declarations]
 1431 | BIO_set_callback(bio, ssl_print_cb);
  | ^~~~
In file included from /usr/include/openssl/asn1.h:27,
 from /usr/include/openssl/rsa.h:21,
 from ab.c:169:
/usr/include/openssl/bio.h:279:28: note: declared here
  279 | OSSL_DEPRECATEDIN_3_0 void BIO_set_callback(BIO *b, BIO_callback_fn 
callback);
  |^~~~
cc1: all warnings being treated as errors
-

Is this considered a blocker ?
This can be worked around by building with different "-Werror" options.
 Giovanni




Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-10 Thread Joe Orton
On Tue, Jan 10, 2023 at 08:40:52AM -0500, Eric Covener wrote:
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: 5276ea8bc6fff31eed5c82132ae51a0b2ee05f9e6b61a00fa877f6cadab3b638
> *httpd-2.4.55-rc1.tar.gz
> sha512: 
> ca0d03b5e74078977378fe711ca3ed8cf63c109b7dbe73f2c43f7f30f7e522bbe46f93189a183b7675394d57fffb0c2526facd8d40508be984a7a8f64d18f8d6
> *httpd-2.4.55-rc1.tar.gz

+1 for release, thank you for RMing!

Test suite passes on RHEL 8 and 9 (x86_64).

Regards, Joe



Re: [VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-10 Thread Eric Covener
On Tue, Jan 10, 2023 at 8:40 AM Eric Covener  wrote:
>
> Hi all,
>
> Please find below the proposed release tarball and signatures:
>
> https://dist.apache.org/repos/dist/dev/httpd/
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
> [x] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

+1 AIX/xlc/ppc64 with just some familiar failures below.

Test Summary Report
---
t/ab/base.t   (Wstat: 0 Tests: 5 Failed: 4)
  Failed tests:  1-4 (libpath stuff)
t/security/CVE-2009-3555.t(Wstat: 2048 Tests: 0 Failed: 0)
  Non-zero exit status: 8 (perl SSLEAY stuff)
  Parse errors: Bad plan.  You planned 4 tests but ran 0.


[VOTE] Release httpd-2.4.55-rc1 as httpd-2.4.55

2023-01-10 Thread Eric Covener
Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.55-rc1 as 2.4.55:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: 5276ea8bc6fff31eed5c82132ae51a0b2ee05f9e6b61a00fa877f6cadab3b638
*httpd-2.4.55-rc1.tar.gz
sha512: 
ca0d03b5e74078977378fe711ca3ed8cf63c109b7dbe73f2c43f7f30f7e522bbe46f93189a183b7675394d57fffb0c2526facd8d40508be984a7a8f64d18f8d6
*httpd-2.4.55-rc1.tar.gz

The SVN candidate source is found at tags/2.4.55-rc1-candidate.

-- 
Eric Covener
cove...@gmail.com


Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.17

2022-10-12 Thread Yann Ylavic
On Thu, Sep 29, 2022 at 1:16 PM Steve Hay  wrote:
>
> On Thu, 25 Aug 2022 at 09:58, Joe Orton  wrote:
> >
> > Thanks for testing. The release is approved:
> >
> > PMC votes: +1 from ylavic, jfclere, jorton
> >
> > I will promote the release and announce it.
> >
>
> Thanks for this release. I didn't get round to uploading it to CPAN
> yet, but a bug report has come in for it anyway:
>
> https://rt.cpan.org/Public/Bug/Display.html?id=144470

Do we have an example of a payload/upload which does not pass apreq's
multipart parsing in 2.17?


Regards;
Yann.


Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.17

2022-09-29 Thread Steve Hay
On Thu, 25 Aug 2022 at 09:58, Joe Orton  wrote:
>
> Thanks for testing. The release is approved:
>
> PMC votes: +1 from ylavic, jfclere, jorton
>
> I will promote the release and announce it.
>

Thanks for this release. I didn't get round to uploading it to CPAN
yet, but a bug report has come in for it anyway:

https://rt.cpan.org/Public/Bug/Display.html?id=144470


[RESULT: PASS] Re: [VOTE] Release libapreq2-2.17

2022-08-25 Thread Joe Orton
Thanks for testing. The release is approved:

PMC votes: +1 from ylavic, jfclere, jorton

I will promote the release and announce it.

Regards, Joe



Re: [VOTE] Release libapreq2-2.17

2022-08-25 Thread Joe Orton
On Thu, Aug 18, 2022 at 12:31:56PM +0100, Joe Orton wrote:
> Hi, I've prepared a candidate release tarball for libapreq2 v2.17 here:
> 
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
> 
> I would like to call a VOTE over the next week to release this candidate 
> tarball as v2.17:
> 
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.

Adding my own +1, tests fine here on Fedora 36.

Regards, Joe



Re: [VOTE] Release libapreq2-2.17

2022-08-23 Thread jean-frederic clere

On 8/18/22 13:31, Joe Orton wrote:

[X] +1: It's not just good, it's good enough!


Tested on fedora 36

--
Cheers

Jean-Frederic



Re: [VOTE] Release libapreq2-2.17

2022-08-22 Thread Yann Ylavic
On Mon, Aug 22, 2022 at 11:32 AM Yann Ylavic  wrote:
>
> On Thu, Aug 18, 2022 at 1:32 PM Joe Orton  wrote:
> >
> > I would like to call a VOTE over the next week to release this candidate
> > tarball as v2.17:
>
> +1 on Debian(s).

Not really related to apreq, but somehow the perl test framework is
now generating certificate key files in PKCS#8 format (for
SSLProxyMachineCertificateFile), previously they were in PKCS#1
format. That's the case for the httpd test framework too.
Any idea what happened there?

As a result load_x509_info()::PEM_X509_INFO_read_bio() does not
recognize them as private key files and httpd-2.4.x fails to load.
httpd-trunk is loading still, thanks to r1884552, but this commit
looks quite orthogonal/incidental per the commit message?
Linking httpd-trunk with libapreq seems useless/hopeless though, since
the apreq util/helper functions have been copied in server/apreq_*.c
files with the exact same apreq_ prefix, httpd will always use its own
ones..


Regards;
Yann.
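
The message above turns on which private-key encoding a PEM file carries. The following is an added example, not code from httpd or from the test framework: it classifies each private-key block in a PEM file by its label and by the DER structure inside it, so a PKCS#8 key can be spotted before the file is used for SSLProxyMachineCertificateFile. It also covers the EC and encrypted PKCS#8 forms, which the message does not mention; the function names and the tiny sample structures are constructed for illustration and are not real keys.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# DER structure each PEM label is supposed to wrap.
EXPECTED = {
    "RSA PRIVATE KEY": "traditional",        # PKCS#1 RSAPrivateKey
    "DSA PRIVATE KEY": "traditional",
    "EC PRIVATE KEY": "sec1-ec",
    "PRIVATE KEY": "pkcs8",                  # PKCS#8 PrivateKeyInfo
    "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted",
}

# Constructed DER fragments (NOT real keys), just enough structure to classify.
# SEQUENCE { INTEGER 0, INTEGER 5 }  -> shaped like PKCS#1 RSAPrivateKey
PKCS1_DER = bytes.fromhex("3006" "020100" "020105")
# SEQUENCE { INTEGER 0, SEQUENCE { OID rsaEncryption, NULL }, OCTET STRING }
PKCS8_DER = bytes.fromhex(
    "3016" "020100" "300d" "06092a864886f70d010101" "0500" "0402" "3000")


def pem(label, der):
    """Wrap DER bytes in PEM armor with the given label."""
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length


def classify_der(der):
    """Name the private-key structure from its first two inner elements."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30:
        return "unknown"
    first, _, first_end = read_tlv(der, start)
    if first == 0x30:      # EncryptedPrivateKeyInfo opens with AlgorithmIdentifier
        return "pkcs8-encrypted"
    if first != 0x02 or first_end >= end:
        return "unknown"
    second, _, _ = read_tlv(der, first_end)
    # INTEGER -> traditional RSA/DSA, SEQUENCE -> PKCS#8, OCTET STRING -> SEC1 EC
    return {0x02: "traditional", 0x30: "pkcs8", 0x04: "sec1-ec"}.get(
        second, "unknown")


def inspect_pem(text):
    """Return (label, structure, label_matches_structure) per key block."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        if not label.endswith("PRIVATE KEY"):
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            found = classify_der(der)
        except (binascii.Error, ValueError):
            found = "unparseable"   # e.g. legacy PEM with Proc-Type headers
        results.append((label, found, EXPECTED.get(label) == found))
    return results


def pkcs8_blocks(text):
    """Indexes of key blocks that carry a PKCS#8 structure."""
    return [i for i, (_, found, _) in enumerate(inspect_pem(text))
            if found.startswith("pkcs8")]


if __name__ == "__main__":
    sample = pem("RSA PRIVATE KEY", PKCS1_DER) + pem("PRIVATE KEY", PKCS8_DER)
    for row in inspect_pem(sample):
        print(row)
```
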


Re: [VOTE] Release libapreq2-2.17

2022-08-22 Thread Yann Ylavic
On Thu, Aug 18, 2022 at 1:32 PM Joe Orton  wrote:
>
> I would like to call a VOTE over the next week to release this candidate
> tarball as v2.17:

+1 on Debian(s).


Thanks Joe for RMing!


[VOTE] Release libapreq2-2.17

2022-08-18 Thread Joe Orton
Hi, I've prepared a candidate release tarball for libapreq2 v2.17 here:

https://dist.apache.org/repos/dist/dev/httpd/libapreq/

I would like to call a VOTE over the next week to release this candidate 
tarball as v2.17:

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

SHA-256 and SHA-512 checksums for the tarball are as follows:

046487f084c12fa1c822affc5f7de56efed9b48905a426e631a6b949c114d86c  
libapreq2-2.17.tar.gz
89b139b8673145d9e2d8fd77d36f878c519c1deb7f9b853cda2a15d34cbb619d1c5e784ba21553f23c2ef07803f07c75a83d96cd770f80e1b36283a4cbb88999
  libapreq2-2.17.tar.gz

The release is prepared from:
https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.17 at r1903514

Regards, Joe



Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-08 Thread Rainer Jung



On 06.06.2022 at 16:25, Stefan Eissing wrote:

Here we go again! Sorry for the repeats, but that is why we build candidates, 
right?

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.


+1 to release and thanks a bunch for RM!

The full range of unit tests is still running, but enough have completed 
for a vote.


I actually used rc2 plus the one "#if" patch which got included in rc3 
to build and test, but also did the simple release checks for rc3.


! KEYS maybe missing (see other mail)
- Sigs and hashes OK
- contents of tarballs identical
- contents of tag and tarballs identical
  except for expected deltas

Built on

- Solaris 10 Sparc as 32 Bit Binaries
- SLES 11+12+15 (64 Bits)
- RHEL 6+7+8 (64 Bits)

For all platforms built

- with default (shared) and static modules
  (Solaris only shared modules)
- with module set reallyall
- using --enable-load-all-modules

- using libraries
  - APR/APU
- bundled deps tarball
- 1.7.0/1.6.1
- 1.6.5/1.6.1
- 1.7.x(r1901250)/1.7.x(r1901250) with libxml2
- 1.7.x(r1901250)/1.7.x(r1901250) with expat
- 1.6.x(r1898636)/1.6.x(r1901250)
- trunk(r1901250) with libxml2
- trunk(r1901250) with expat
  - OpenSSL 3.0.3, 1.1.1o, 1.1.1,
1.0.2u, 1.0.2, 0.9.8zh, 0.9.8b
  - expat 2.4.8
  - pcre 10.39, sometimes 10.40
  - lua 5.4.4 (compiled with LUA_COMPAT_MODULE)
  - libxml2 2.9.14
  - libnghttp2 1.47.0
  - brotli 1.0.9
  - curl 7.83.1
  - jansson 2.14
  - libldap 2.6.2 (2.5.7 with OpenSSL 1.1.1,
   2.4.59 with OpenSSL 1.0.2*,
   2.4.52 with OpenSSL 0.9.8*)
  - on Solaris also platform ldap library

- in total 96 builds per platform, 60 on Solaris

- Tool chain:
- platform gcc except on Solaris
  (gcc 9.3.0 Solaris 10)
- CFLAGS: -O2 -g -Wall -fno-strict-aliasing
  - on Solaris additionally -mpcu=v9, -D_XOPEN_SOURCE,
-D_XOPEN_SOURCE_EXTENDED=1, -D__EXTENSIONS__
and -D_XPG6

All 636 builds succeeded.

- compiler warnings:

  - only on Solaris (GCC 9.3.0):
srclib/apr/locks/unix/proc_mutex.c:979:49: warning: 
'mutex_proc_pthread_cond_methods' defined but not used 
[-Wunused-const-variable=]


  - deprecation warnings when building against OpenSSL 3.0.0, see other 
thread


Tested for

- SLES 11+12+15
- RHEL 6+7+8
- Solaris 10 Sparc
- MPMs prefork, worker, event
- log level trace8
- Perl client bundle build against OpenSSL 3.0.0, ,
  1.1.1g plus patches, 1.1.0l, 1.0.2u and 0.9.8zh

Every OpenSSL version in the client tested with every OpenSSL version in 
the server. 15 unit test runs (3 MPMS x 5 OpenSSL clients) per server build.

About 2.400 unit test runs are done, most for shared module builds.

Some local adjustments to tests were used:

- t/modules/buffer.t: removing huge buffer tests
  -my $bigsize = 10;
  +my $bigsize = 5;

The following test failures were seen:

a t/modules/buffer.t line 37
  Test 4 (411 times), test 8 (217 times) and 12 (18 times)
  Not a regression
  Only on RHEL 6, SLES 11 and Solaris 10.

b Various tests in t/modules/cgi.t, mostly lines 195 and 223,
  sometimes line 167 and 252
  Not a regression
  Only on Solaris and once on RHEL 6
  110 failed test runs (out of 120 on Solaris)
  Test checks log contents. Could be false positive due to
  logs written to NFS.

c t/modules/sed.t line 37 test 3
  91 times Solaris 10, 12 times RHEL 9, 6 times SLES 11
  At least two cases I checked were
  "(12)Cannot allocate memory" (Linux) resp.
  "(12)Not enough space:" (Solaris).

d A couple of tests fail for OpenSSL 0.9.8 based server
  when tested with a OpenSSL 3.0.0 based client:
  - t/modules/proxy_websockets_ssl.t
  - t/protocol/echo.t
  - t/security/CVE-2005-2700.t
  - t/security/CVE-2009-3555.t
  - t/ssl/basicauth.t
  - t/ssl/env.t
  - t/ssl/extlookup.t
  - t/ssl/fakeauth.t
  - t/ssl/headers.t
  - t/ssl/ocsp.t
  - t/ssl/pr12355.t
  - t/ssl/pr43738.t
  - t/ssl/proxy.t
  - t/ssl/require.t
  - t/ssl/varlookup.t
  - t/ssl/verify.t
  That might be expected due to the behavior of the 3.0
  default security level (not investigated)


Regards,

Rainer

> The computed digests of the tarball up for vote are:
> sha256: 
> c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 
> *httpd-2.4.54-rc3.tar.gz
> sha512: 
> e9599df48a73b07b3a11dd44db2c22a671e8a41cdd5021bb434bbcde39d6fc498d165d9b0c4ed2b66a6321d9760b031c1c1c84c23661dbf44c42c52f637ec4dd 
> *httpd-2.4.54-rc3.tar.gz

>
> The SVN candidate source is found at tags/2.4.54-rc3-candidate.
>
> Kind Regards,
> Stefan


Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-08 Thread Stefan Eissing
With 9 +1 the voting is complete and I will make the release now.

Thanks everyone for testing!

Kind Regards,
Stefan

> On 08.06.2022 at 09:04, Petr Gajdos wrote:
> 
> On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote:
> [x] +1: It's not just good, it's good enough!
> 
> SLE 15sp4, openSUSE 15.4,Tumbleweed
> 
> -- 
> Have a lot of fun!



Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-08 Thread Petr Gajdos
On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote:
[x] +1: It's not just good, it's good enough!

SLE 15sp4, openSUSE 15.4,Tumbleweed

-- 
Have a lot of fun!


Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-07 Thread giovanni
On 6/7/22 12:02, Stefan Eissing wrote:
> Seems a lot of people are either on vacation or busy - and that is fine.
> 
> Since the rc* candidates merely differed on the TCP_FLUSH defines, I tend
> to count all positive votes as still applicable!
> 
+1 Fedora 36, OpenBSD 7.1 and OpenBSD-current.
 Giovanni 


> Otherwise, speak up!
> 
> Kind Regards,
> Stefan
> 
>> On 07.06.2022 at 12:00, Stefan Eissing wrote:
>>
>> +1 from me on my macOS machine.
>>
>>> On 07.06.2022 at 10:58, Joe Orton wrote:
>>>
>>> On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote:
>>>> Here we go again! Sorry for the repeats, but that is why we build 
>>>> candidates, right?
>>>>
>>>> Hi all,
>>>>
>>>> Please find below the proposed release tarball and signatures:
>>>>
>>>> https://dist.apache.org/repos/dist/dev/httpd/
>>>>
>>>> I would like to call a VOTE over the next few days to release
>>>> this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
>>>> [X] +1: It's not just good, it's good enough!
>>>> [ ] +0: Let's have a talk.
>>>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>>>
>>>> The computed digests of the tarball up for vote are:
>>>> sha256: c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 
>>>> *httpd-2.4.54-rc3.tar.gz
>>>> sha512: 
>>>> e9599df48a73b07b3a11dd44db2c22a671e8a41cdd5021bb434bbcde39d6fc498d165d9b0c4ed2b66a6321d9760b031c1c1c84c23661dbf44c42c52f637ec4dd
>>>>  *httpd-2.4.54-rc3.tar.gz
>>>
>>> +1 for release, passes tests on Fedora 36, RHEL 8 & 9 (x86_64 only).
>>>
>>> One note: on F36 I had to manually add a route for the multicast range 
>>> to get t/modules/heartbeat.t to pass, which I guess is a change in the 
>>> default network configuration compared to earlier Fedora releases.
>>>
>>> Thanks for RMing! (x3)
>>>
>>> Regards, Joe
>>>
>>
> 





Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-07 Thread Eric Covener
On Tue, Jun 7, 2022 at 6:04 AM Stefan Eissing  wrote:
>
> Seems a lot of people are either on vacation or busy - and that is fine.
>
> Since the rc* candidates merely differed on the TCP_FLUSH defines, I tend
> to count all positive votes as still applicable!

+1 aix/xlc/ppc64


Re[: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-07 Thread Mario Brandt

On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote:

Here we go again! Sorry for the repeats, but that is why we build candidates, 
right?

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
[X] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 
*httpd-2.4.54-rc3.tar.gz
sha512: 
e9599df48a73b07b3a11dd44db2c22a671e8a41cdd5021bb434bbcde39d6fc498d165d9b0c4ed2b66a6321d9760b031c1c1c84c23661dbf44c42c52f637ec4dd
 *httpd-2.4.54-rc3.tar.gz


+1 on my Debian 11 x64







Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-07 Thread Steffen
+1 All looks fine on Windows. 

> On 6 Jun 2022 at 16:25, Stefan Eissing wrote:
> 
> Here we go again! Sorry for the repeats, but that is why we build 
> candidates, right?
> 
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 
> *httpd-2.4.54-rc3.tar.gz
> sha512: 
> e9599df48a73b07b3a11dd44db2c22a671e8a41cdd5021bb434bbcde39d6fc498d165d9b0c4ed2b66a6321d9760b031c1c1c84c23661dbf44c42c52f637ec4dd
>  *httpd-2.4.54-rc3.tar.gz
> 
> The SVN candidate source is found at tags/2.4.54-rc3-candidate.
> 
> Kind Regards,
> Stefan



Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-07 Thread Stefan Eissing


> On 07.06.2022 at 12:21, Yann Ylavic wrote:
> 
> On Mon, Jun 6, 2022 at 4:25 PM Stefan Eissing  wrote:
>> 
>> I would like to call a VOTE over the next few days to release
>> this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
> 
> [X] +1: It's not just good, it's good enough!
> 
> All good on Linux Debian(s).
> 
> Thanks Stefan for RMing!

:)

If no negative votes come in, I will make the release tomorrow morning.

Cheers,
Stefan



Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-07 Thread Yann Ylavic
On Mon, Jun 6, 2022 at 4:25 PM Stefan Eissing  wrote:
>
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.54-rc3 as 2.4.54:

[X] +1: It's not just good, it's good enough!

All good on Linux Debian(s).

Thanks Stefan for RMing!


Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-07 Thread Stefan Eissing
Seems a lot of people are either on vacation or busy - and that is fine.

Since the rc* candidates merely differed on the TCP_FLUSH defines, I tend
to count all positive votes as still applicable!

Otherwise, speak up!

Kind Regards,
Stefan

> On 07.06.2022 at 12:00, Stefan Eissing wrote:
> 
> +1 from me on my macOS machine.
> 
>> On 07.06.2022 at 10:58, Joe Orton wrote:
>> 
>> On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote:
>>> Here we go again! Sorry for the repeats, but that is why we build 
>>> candidates, right?
>>> 
>>> Hi all,
>>> 
>>> Please find below the proposed release tarball and signatures:
>>> 
>>> https://dist.apache.org/repos/dist/dev/httpd/
>>> 
>>> I would like to call a VOTE over the next few days to release
>>> this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
>>> [X] +1: It's not just good, it's good enough!
>>> [ ] +0: Let's have a talk.
>>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>> 
>>> The computed digests of the tarball up for vote are:
>>> sha256: c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 
>>> *httpd-2.4.54-rc3.tar.gz
>>> sha512: 
>>> e9599df48a73b07b3a11dd44db2c22a671e8a41cdd5021bb434bbcde39d6fc498d165d9b0c4ed2b66a6321d9760b031c1c1c84c23661dbf44c42c52f637ec4dd
>>>  *httpd-2.4.54-rc3.tar.gz
>> 
>> +1 for release, passes tests on Fedora 36, RHEL 8 & 9 (x86_64 only).
>> 
>> One note: on F36 I had to manually add a route for the multicast range 
>> to get t/modules/heartbeat.t to pass, which I guess is a change in the 
>> default network configuration compared to earlier Fedora releases.
>> 
>> Thanks for RMing! (x3)
>> 
>> Regards, Joe
>> 
> 



Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-07 Thread Stefan Eissing
+1 from me on my macOS machine.

> On 07.06.2022 at 10:58, Joe Orton wrote:
> 
> On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote:
>> Here we go again! Sorry for the repeats, but that is why we build 
>> candidates, right?
>> 
>> Hi all,
>> 
>> Please find below the proposed release tarball and signatures:
>> 
>> https://dist.apache.org/repos/dist/dev/httpd/
>> 
>> I would like to call a VOTE over the next few days to release
>> this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
>> [X] +1: It's not just good, it's good enough!
>> [ ] +0: Let's have a talk.
>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>> 
>> The computed digests of the tarball up for vote are:
>> sha256: c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 
>> *httpd-2.4.54-rc3.tar.gz
>> sha512: 
>> e9599df48a73b07b3a11dd44db2c22a671e8a41cdd5021bb434bbcde39d6fc498d165d9b0c4ed2b66a6321d9760b031c1c1c84c23661dbf44c42c52f637ec4dd
>>  *httpd-2.4.54-rc3.tar.gz
> 
> +1 for release, passes tests on Fedora 36, RHEL 8 & 9 (x86_64 only).
> 
> One note: on F36 I had to manually add a route for the multicast range 
> to get t/modules/heartbeat.t to pass, which I guess is a change in the 
> default network configuration compared to earlier Fedora releases.
> 
> Thanks for RMing! (x3)
> 
> Regards, Joe
> 



Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-07 Thread Joe Orton
On Mon, Jun 06, 2022 at 04:25:31PM +0200, Stefan Eissing wrote:
> Here we go again! Sorry for the repeats, but that is why we build candidates, 
> right?
> 
> Hi all,
> 
> Please find below the proposed release tarball and signatures:
> 
> https://dist.apache.org/repos/dist/dev/httpd/
> 
> I would like to call a VOTE over the next few days to release
> this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> The computed digests of the tarball up for vote are:
> sha256: c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb 
> *httpd-2.4.54-rc3.tar.gz
> sha512: 
> e9599df48a73b07b3a11dd44db2c22a671e8a41cdd5021bb434bbcde39d6fc498d165d9b0c4ed2b66a6321d9760b031c1c1c84c23661dbf44c42c52f637ec4dd
>  *httpd-2.4.54-rc3.tar.gz

+1 for release, passes tests on Fedora 36, RHEL 8 & 9 (x86_64 only).

One note: on F36 I had to manually add a route for the multicast range 
to get t/modules/heartbeat.t to pass, which I guess is a change in the 
default network configuration compared to earlier Fedora releases.

Thanks for RMing! (x3)

Regards, Joe



Re: [VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-06 Thread Jan Ehrhardt
Stefan Eissing in gmane.comp.apache.devel (Mon, 6 Jun 2022 16:25:31 +0200):
>I would like to call a VOTE over the next few days to release
>this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
>[x] +1: It's not just good, it's good enough!

No problems encountered on Windows (x64, VC15, OpenSSL 1.1.1).
-- 
Jan



[VOTE] Release httpd-2.4.54-rc3 as httpd-2.4.54

2022-06-06 Thread Stefan Eissing
Here we go again! Sorry for the repeats, but that is why we build candidates, 
right?

Hi all,

Please find below the proposed release tarball and signatures:

https://dist.apache.org/repos/dist/dev/httpd/

I would like to call a VOTE over the next few days to release
this candidate tarball httpd-2.4.54-rc3 as 2.4.54:
[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

The computed digests of the tarball up for vote are:
sha256: c687b99c446c0ef345e7d86c21a8e15fc074b7d5152c4fe22b0463e2be346ffb *httpd-2.4.54-rc3.tar.gz
sha512: e9599df48a73b07b3a11dd44db2c22a671e8a41cdd5021bb434bbcde39d6fc498d165d9b0c4ed2b66a6321d9760b031c1c1c84c23661dbf44c42c52f637ec4dd *httpd-2.4.54-rc3.tar.gz

The SVN candidate source is found at tags/2.4.54-rc3-candidate.

Kind Regards,
Stefan

Re: [VOTE] Release httpd-2.4.54-rc2 as httpd-2.4.54

2022-06-06 Thread Stefan Eissing



> On 06.06.2022 at 16:11, Eric Covener wrote:
> 
> On Mon, Jun 6, 2022 at 7:09 AM Stefan Eissing wrote:
>> 
>> Guys, shall I make an rc3 with the recent apr version check changes? It 
>> seems the correct way to handle this...
> 
> Especially given limited votes, I think so.

Agreed, I cancel the vote for rc2 and will announce rc3 soon.

Thanks,
Stefan

Re: [VOTE] Release httpd-2.4.54-rc2 as httpd-2.4.54

2022-06-06 Thread Eric Covener
On Mon, Jun 6, 2022 at 7:09 AM Stefan Eissing wrote:
>
> Guys, shall I make an rc3 with the recent apr version check changes? It seems 
> the correct way to handle this...

Especially given limited votes, I think so.


Re: [VOTE] Release httpd-2.4.54-rc2 as httpd-2.4.54

2022-06-06 Thread Stefan Eissing
FYI: Had a DNS problem (it's always dns!) on my mail server, resulting in 
rejected incoming mails. Should work again now...

> On 06.06.2022 at 13:09, Stefan Eissing wrote:
> 
> Guys, shall I make an rc3 with the recent apr version check changes? It seems 
> the correct way to handle this...
> 
> Cheers,
> Stefan
> 
>> On 06.06.2022 at 10:12, giova...@paclan.it wrote:
>> 
>> On 6/4/22 14:59, Stefan Eissing wrote:
>>> Hi all,
>>> 
>>> next attempt at 2.5.54. Thanks everyone for participating!
>>> 
>>> Please find below the proposed release tarball and signatures:
>>> 
>>> https://dist.apache.org/repos/dist/dev/httpd/
>>> 
>>> I would like to call a VOTE over the next few days to release
>>> this candidate tarball httpd-2.4.54-rc2 as 2.4.54:
>>> [ ] +1: It's not just good, it's good enough!
>>> [ ] +0: Let's have a talk.
>>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>>> 
>>> The computed digests of the tarball up for vote are:
>>> sha256: fd461abb356592386e7de90835f888fa4eb0ce225a89986c38108bdcbce466ef 
>>> *httpd-2.4.54-rc2.tar.gz
>>> sha512: 
>>> 6267d43aca3c278a0b428633a41ddea346d73a1c94fa3e9d54a600e8c7ab71b4a7772c7dbbcd552a802606416c2f6193ceaa0c6bcf07fe2b61cf175cb48b892f
>>>  *httpd-2.4.54-rc2.tar.gz
>>> 
>>> The SVN candidate source is found at tags/2.4.54-rc2-candidate.
>>> 
>> +1
>> tested on Fedora 36, OpenBSD 7.1 and OpenBSD-current
>> 
>> Giovanni
> 



Re: [VOTE] Release httpd-2.4.54-rc2 as httpd-2.4.54

2022-06-06 Thread Stefan Eissing
Guys, shall I make an rc3 with the recent apr version check changes? It seems 
the correct way to handle this...

Cheers,
Stefan

> On 06.06.2022 at 10:12, giova...@paclan.it wrote:
> 
> On 6/4/22 14:59, Stefan Eissing wrote:
>> Hi all,
>> 
>> next attempt at 2.5.54. Thanks everyone for participating!
>> 
>> Please find below the proposed release tarball and signatures:
>> 
>> https://dist.apache.org/repos/dist/dev/httpd/
>> 
>> I would like to call a VOTE over the next few days to release
>> this candidate tarball httpd-2.4.54-rc2 as 2.4.54:
>> [ ] +1: It's not just good, it's good enough!
>> [ ] +0: Let's have a talk.
>> [ ] -1: There's trouble in paradise. Here's what's wrong.
>> 
>> The computed digests of the tarball up for vote are:
>> sha256: fd461abb356592386e7de90835f888fa4eb0ce225a89986c38108bdcbce466ef 
>> *httpd-2.4.54-rc2.tar.gz
>> sha512: 
>> 6267d43aca3c278a0b428633a41ddea346d73a1c94fa3e9d54a600e8c7ab71b4a7772c7dbbcd552a802606416c2f6193ceaa0c6bcf07fe2b61cf175cb48b892f
>>  *httpd-2.4.54-rc2.tar.gz
>> 
>> The SVN candidate source is found at tags/2.4.54-rc2-candidate.
>> 
> +1
> tested on Fedora 36, OpenBSD 7.1 and OpenBSD-current
> 
> Giovanni


