Apache httpd 2.4.39 GA for Windows

Apache httpd 2.4.39 GA for Windows

Steffen-2

Apacharians,


See www.apachelounge.com/viewtopic.php?t=8254

Highlight:

This release is primarily a bug fix & stability release, several http2
bugs fixed,
and a new module mod_socache_redis.


Enjoy,

Steffen



---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Apache httpd 2.4.39 GA for Windows

Steffen-2
The ASF HTTPD project did not mention security vulnerabilities fixed in
the initial changelog 2.4.39.

Added now to www.apachelounge.com/Changelog-2.4.html

See also http://httpd.apache.org/security/vulnerabilities_24.html

On 31-3-2019 12:12, Steffen wrote:

>
> Apacharians,
>
>
> See www.apachelounge.com/viewtopic.php?t=8254
>
> Highlight:
>
> This release is primarily a bug fix & stability release, several http2
> bugs fixed,
> and a new module mod_socache_redis.
>
>
> Enjoy,
>
> Steffen
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>




Re: Apache httpd 2.4.39 GA for Windows

William A Rowe Jr
On Tue, Apr 2, 2019 at 2:35 AM Steffen <[hidden email]> wrote:
> The ASF HTTPD project did not mention security vulnerabilities fixed in
> the initial changelog 2.4.39.

To be 100% accurate, the ASF HTTP Server project had not announced the
release of 2.4.39. It had concluded a vote, but only the RM's announcement
triggers the release. There is a delay for the RM to stage the artifacts so they
can be downloaded by anyone from our entire array of mirror sites. And in
that time, the RM could even pull the release owing to a serious packaging
glitch, if they should need to (this happened not so long ago at httpd.)

You jumped the gun by pre-announcing your package as a "release", ahead 
of the RM's announce and ahead of downloads from the ASF, which is poor 
form to say the least. 

Security issues are embargoed until that announcement is broadcast by 
the RM to the entire public at once. The project will not mention security 
vulnerabilities fixed until that moment.

This isn't to say you shouldn't assemble your release of version x.y.z based
on the vote candidate; in fact any change to that source package will always
trigger version x.y.z+1, so there is no risk that your build varies from the final
announced package. Be ahead of the game preparing your binary package,
but defer any publicity until after the actual announcement.



Re: Apache httpd 2.4.39 GA for Windows

Steffen-2

Sorry, did not know, new for me.

Was just informing the community that the change log has undergone a change. And the new change log is only available with the next release.

We and other sites (e.g. AH etc.) have for years and years been making a release available as soon as it had passed the vote as GA, and you should know that. Why this mail in public now, after all those years?

Please off list. 


On 2 Apr 2019, at 19:14, William A Rowe Jr <[hidden email]> wrote:

> On Tue, Apr 2, 2019 at 2:35 AM Steffen <[hidden email]> wrote:
> > The ASF HTTPD project did not mention security vulnerabilities fixed in
> > the initial changelog 2.4.39.
>
> To be 100% accurate, the ASF HTTP Server project had not announced the
> release of 2.4.39. It had concluded a vote, but only the RM's announcement
> triggers the release. There is a delay for the RM to stage the artifacts so they
> can be downloaded by anyone from our entire array of mirror sites. And in
> that time, the RM could even pull the release owing to a serious packaging
> glitch, if they should need to (this happened not so long ago at httpd.)
>
> You jumped the gun by pre-announcing your package as a "release", ahead
> of the RM's announce and ahead of downloads from the ASF, which is poor
> form to say the least.
>
> Security issues are embargoed until that announcement is broadcast by
> the RM to the entire public at once. The project will not mention security
> vulnerabilities fixed until that moment.
>
> This isn't to say you shouldn't assemble your release of version x.y.z based
> on the vote candidate; in fact any change to that source package will always
> trigger version x.y.z+1, so there is no risk that your build varies from the final
> announced package. Be ahead of the game preparing your binary package,
> but defer any publicity until after the actual announcement.