Re: svn commit: r40863 - /dev/httpd/ /release/httpd/

Rainer Jung-3
Could you fix the date (September 21, 2018 seems wrong).

Thanks!

Rainer

On 05.08.2020 at 13:32, [hidden email] wrote:

> Author: druggeri
> Date: Wed Aug  5 11:32:51 2020
> New Revision: 40863
>
> Log:
> Push 2.4.46 up to the release directory
>
> Added:
>      release/httpd/CHANGES_2.4.46
>        - copied unchanged from r40862, dev/httpd/CHANGES_2.4.46
>      release/httpd/httpd-2.4.46.tar.bz2
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2
>      release/httpd/httpd-2.4.46.tar.bz2.asc
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.asc
>      release/httpd/httpd-2.4.46.tar.bz2.md5
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.md5
>      release/httpd/httpd-2.4.46.tar.bz2.sha1
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.sha1
>      release/httpd/httpd-2.4.46.tar.bz2.sha256
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.sha256
>      release/httpd/httpd-2.4.46.tar.bz2.sha512
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.sha512
>      release/httpd/httpd-2.4.46.tar.gz
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz
>      release/httpd/httpd-2.4.46.tar.gz.asc
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.asc
>      release/httpd/httpd-2.4.46.tar.gz.md5
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.md5
>      release/httpd/httpd-2.4.46.tar.gz.sha1
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.sha1
>      release/httpd/httpd-2.4.46.tar.gz.sha256
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.sha256
>      release/httpd/httpd-2.4.46.tar.gz.sha512
>        - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.sha512
> Removed:
>      dev/httpd/CHANGES_2.4
>      dev/httpd/CHANGES_2.4.46
>      dev/httpd/httpd-2.4.46-deps.tar.bz2
>      dev/httpd/httpd-2.4.46-deps.tar.bz2.asc
>      dev/httpd/httpd-2.4.46-deps.tar.bz2.md5
>      dev/httpd/httpd-2.4.46-deps.tar.bz2.sha1
>      dev/httpd/httpd-2.4.46-deps.tar.bz2.sha256
>      dev/httpd/httpd-2.4.46-deps.tar.bz2.sha512
>      dev/httpd/httpd-2.4.46-deps.tar.gz
>      dev/httpd/httpd-2.4.46-deps.tar.gz.asc
>      dev/httpd/httpd-2.4.46-deps.tar.gz.md5
>      dev/httpd/httpd-2.4.46-deps.tar.gz.sha1
>      dev/httpd/httpd-2.4.46-deps.tar.gz.sha256
>      dev/httpd/httpd-2.4.46-deps.tar.gz.sha512
>      dev/httpd/httpd-2.4.46.tar.bz2
>      dev/httpd/httpd-2.4.46.tar.bz2.asc
>      dev/httpd/httpd-2.4.46.tar.bz2.md5
>      dev/httpd/httpd-2.4.46.tar.bz2.sha1
>      dev/httpd/httpd-2.4.46.tar.bz2.sha256
>      dev/httpd/httpd-2.4.46.tar.bz2.sha512
>      dev/httpd/httpd-2.4.46.tar.gz
>      dev/httpd/httpd-2.4.46.tar.gz.asc
>      dev/httpd/httpd-2.4.46.tar.gz.md5
>      dev/httpd/httpd-2.4.46.tar.gz.sha1
>      dev/httpd/httpd-2.4.46.tar.gz.sha256
>      dev/httpd/httpd-2.4.46.tar.gz.sha512
> Modified:
>      release/httpd/Announcement2.4.html
>      release/httpd/Announcement2.4.txt
>      release/httpd/CHANGES_2.4
>
> Modified: release/httpd/Announcement2.4.html
> ==============================================================================
> --- release/httpd/Announcement2.4.html (original)
> +++ release/httpd/Announcement2.4.html Wed Aug  5 11:32:51 2020
> @@ -49,27 +49,27 @@
>   <div class="banner"></div>
>  
>   <h1>
> -                       Apache HTTP Server 2.4.43 Released
> +                       Apache HTTP Server 2.4.46 Released
>   </h1>
>   <p>
> -   April 01, 2020
> +   September 21, 2018
>   </p>
>   <p>
>      The Apache Software Foundation and the Apache HTTP Server Project are
>      pleased to <a href="https://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
> -   the release of version 2.4.43 of the Apache
> +   the release of version 2.4.46 of the Apache
>      HTTP Server ("Apache").  This version of Apache is our latest GA
>      release of the new generation 2.4.x branch of Apache HTTPD and
>      represents fifteen years of innovation by the project, and is
>      recommended over all previous releases. This release of Apache is
> -   a security, feature and bug fix release.
> +   a feature and bug fix release.
>   </p>
>   <p>
>      We consider this release to be the best version of Apache available, and
>      encourage users of all prior versions to upgrade.
>   </p>
>   <p>
> -   Apache HTTP Server 2.4.43 is available for download from:
> +   Apache HTTP Server 2.4.46 is available for download from:
>   </p>
>   <dl>
>     <dd><a href="https://httpd.apache.org/download.cgi"
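Review bot: The added date line "+   September 21, 2018" in this hunk is older than both the "April 01, 2020" it replaces and the commit timestamp (Wed Aug 5 2020), so the 2.4.46 announcement lands in release/httpd/ with a stale date under a new version headline. If the file is regenerated before the announcement goes out, as explained later in this thread, consider running that step before the copy to release/, or keeping a clearly marked placeholder in the dev/ copy instead of an old real date, so that anyone who reads Announcement2.4.html between the push and the announcement is not shown a 2018 date for 2.4.46.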
> @@ -77,7 +77,7 @@
>   </dl>
>   <p>
>      Please see the <a href="./CHANGES_2.4">CHANGES_2.4</a> file, linked from the download page, for a
> -   full list of changes.  A condensed list, <a href="./CHANGES_2.4.43">CHANGES_2.4.43</a> includes only
> +   full list of changes.  A condensed list, <a href="./CHANGES_2.4.46">CHANGES_2.4.46</a> includes only
>      those changes introduced since the prior 2.4 release.  A summary of all
>      of the security vulnerabilities addressed in this and earlier releases
>      is available:
>
> Modified: release/httpd/Announcement2.4.txt
> ==============================================================================
> --- release/httpd/Announcement2.4.txt (original)
> +++ release/httpd/Announcement2.4.txt Wed Aug  5 11:32:51 2020
> @@ -1,19 +1,19 @@
> -                Apache HTTP Server 2.4.43 Released
> +                Apache HTTP Server 2.4.46 Released
>  
> -   April 01, 2020
> +   September 21, 2018
>  
>      The Apache Software Foundation and the Apache HTTP Server Project
> -   are pleased to announce the release of version 2.4.43 of the Apache
> +   are pleased to announce the release of version 2.4.46 of the Apache
>      HTTP Server ("Apache").  This version of Apache is our latest GA
>      release of the new generation 2.4.x branch of Apache HTTPD and
>      represents fifteen years of innovation by the project, and is
>      recommended over all previous releases. This release of Apache is
> -   a security, feature and bug fix release.
> +   a feature and bug fix release.
>  
>      We consider this release to be the best version of Apache available, and
>      encourage users of all prior versions to upgrade.
>  
> -   Apache HTTP Server 2.4.43 is available for download from:
> +   Apache HTTP Server 2.4.46 is available for download from:
>  
>        https://httpd.apache.org/download.cgi
>  
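Review bot: The release-type sentence changes from "a security, feature and bug fix release." to "a feature and bug fix release." in this hunk, and the identical edit appears in Announcement2.4.html. Operators read this sentence to judge upgrade urgency, so it should be set from the final CHANGES_2.4.46 content rather than carried over from the dev/ copy, and ideally both the .txt and .html files would be generated from one source so the date and release type cannot drift apart between them.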
> @@ -24,7 +24,7 @@
>        https://httpd.apache.org/docs/trunk/new_features_2_4.html
>  
>      Please see the CHANGES_2.4 file, linked from the download page, for a
> -   full list of changes. A condensed list, CHANGES_2.4.43 includes only
> +   full list of changes. A condensed list, CHANGES_2.4.46 includes only
>      those changes introduced since the prior 2.4 release.  A summary of all
>      of the security vulnerabilities addressed in this and earlier releases
>      is available:
>
> Modified: release/httpd/CHANGES_2.4
> ==============================================================================
> --- release/httpd/CHANGES_2.4 (original)
> +++ release/httpd/CHANGES_2.4 Wed Aug  5 11:32:51 2020
> @@ -1,6 +1,78 @@
>                                                            -*- coding: utf-8 -*-
> +Changes with Apache 2.4.46
> +  *) mod_proxy_fcgi: Fix build warnings for Windows platform
> +     [Eric Covener, Christophe Jaillet]
> +
> +Changes with Apache 2.4.45
> +
> +  *) mod_http2: remove support for abandoned http-wg draft
> +     <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
> +     [Stefan Eissing]
> +
> +Changes with Apache 2.4.44
> +
> +  *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
> +     protocol limit).  [Yann Ylavic]
> +
> +  *) mod_http2:
> +     Fixes <https://github.com/icing/mod_h2/issues/200>:
> +     "LimitRequestFields 0" now disables the limit, as documented.
> +     Fixes <https://github.com/icing/mod_h2/issues/201>:
> +     Do not count repeated headers with same name against the field
> +     count limit. The are merged internally, as if sent in a single HTTP/1 line.
> +     [Stefan Eissing]
> +
> +  *) mod_http2: Avoid segfaults in case of handling certain responses for
> +     already aborted connections.  [Stefan Eissing, Ruediger Pluem]
> +
> +  *) mod_http2: The module now handles master/secondary connections and has marked
> +     methods according to use. [Stefan Eissing]
> +
> +  *) core: Drop an invalid Last-Modified header value coming
> +     from a FCGI/CGI script instead of replacing it with Unix epoch.
> +     [Yann Ylavic, Luca Toscano]
> +
> +  *) Add support for strict content-length parsing through addition of
> +     ap_parse_strict_length() [Yann Ylavic]
> +
> +  *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
> +     evaluates to false.  PR64365. [Michael König <mail ikoenig.net>]
> +
> +  *) mod_proxy_http: flush spooled request body in one go to avoid
> +     leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
> +
> +  *) mod_ssl: Fix a race condition and possible crash when using a proxy client
> +     certificate (SSLProxyMachineCertificateFile).
> +     [Armin Abfalterer <a.abfalterer gmail.com>]
> +
> +  *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
> +
> +  *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
> +     PR64330 [Stefan Eissing]
> +
> +  *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
> +     was configured with a handshake timeout. Fixes gitub issue #196.
> +     [Stefan Eissing]
> +
> +  *) mod_proxy_http2: the "ping" proxy parameter
> +     (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
> +     when checking the liveliness of a new or reused h2 connection to the backend.
> +     With short durations, this makes load-balancing more responsive. The module
> +     will hold back requests until ping conditions are met, using features of the
> +     HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
> +
> +  *) core: httpd is no longer linked against -lsystemd if mod_systemd
> +     is enabled (and built as a DSO).  [Rainer Jung]
> +
> +  *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
> +     while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
> +
>   Changes with Apache 2.4.43
>  
> +  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
> +
> +Changes with Apache 2.4.42
> +
>     *) SECURITY: CVE-2020-1934 (cve.mitre.org)
>        mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
>        server. [Eric Covener]
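Review bot: Three small defects in the added entries should be fixed before this file is published. The "+Changes with Apache 2.4.46" heading is followed directly by its first entry with no blank line, unlike the 2.4.45 and 2.4.44 headings added just below it. In the mod_http2 entry for issue 201, "The are merged internally" should read "They are merged internally", and in the mod_reqtimeout regression entry "gitub issue #196" should read "github issue #196". The "Add support for strict content-length parsing" entry also has no module or "core:" prefix, unlike its neighbours.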
> @@ -10,10 +82,6 @@ Changes with Apache 2.4.43
>        matches and substitutions with encoded line break characters.
>        The fix for CVE-2019-10098 was not effective.  [Ruediger Pluem]
>  
> -  *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
> -
> -Changes with Apache 2.4.42
> -
>     *) mod_proxy_http: Fix the forwarding of requests with content body when a
>        balancer member is unavailable; the retry on the next member was issued
>        with an empty body (regression introduced in 2.4.41). PR63891.
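Review bot: Removing the "Changes with Apache 2.4.42" heading here, combined with its re-insertion directly under "Changes with Apache 2.4.43" in the previous hunk, moves the SECURITY entries (CVE-2020-1934 and the entry noting that the fix for CVE-2019-10098 was not effective) out of the 2.4.43 section and into the 2.4.42 section, leaving only the OCSP stapling entry under 2.4.43. The log message ("Push 2.4.46 up to the release directory") does not mention this. If the re-attribution is intended, it deserves a line in the commit log, because readers who map a CVE to its fixed version from CHANGES_2.4 will now get a different answer than before.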

Re: svn commit: r40863 - /dev/httpd/ /release/httpd/

Daniel Ruggeri-3
Hi, Rainer;
Right - this file gets rewritten by the announce.sh script just before the notification goes out. This is done to ensure that the date is correct and to ensure the type of release (bug, security, enhancement) is correct. It appears as though the file was just changed, but really it's just because the text was bumped as-is from the 'dev' location to the 'dist' location.
--
Daniel Ruggeri

On August 5, 2020 7:23:33 AM CDT, Rainer Jung <[hidden email]> wrote:
Could you fix the date (September 21, 2018 seems wrong).

Thanks!

Rainer

On 05.08.2020 at 13:32, [hidden email] wrote:
Author: druggeri
Date: Wed Aug 5 11:32:51 2020
New Revision: 40863

Log:
Push 2.4.46 up to the release directory

Added:
release/httpd/CHANGES_2.4.46
- copied unchanged from r40862, dev/httpd/CHANGES_2.4.46
release/httpd/httpd-2.4.46.tar.bz2
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2
release/httpd/httpd-2.4.46.tar.bz2.asc
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.asc
release/httpd/httpd-2.4.46.tar.bz2.md5
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.md5
release/httpd/httpd-2.4.46.tar.bz2.sha1
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.sha1
release/httpd/httpd-2.4.46.tar.bz2.sha256
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.sha256
release/httpd/httpd-2.4.46.tar.bz2.sha512
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.sha512
release/httpd/httpd-2.4.46.tar.gz
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz
release/httpd/httpd-2.4.46.tar.gz.asc
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.asc
release/httpd/httpd-2.4.46.tar.gz.md5
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.md5
release/httpd/httpd-2.4.46.tar.gz.sha1
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.sha1
release/httpd/httpd-2.4.46.tar.gz.sha256
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.sha256
release/httpd/httpd-2.4.46.tar.gz.sha512
- copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.sha512
Removed:
dev/httpd/CHANGES_2.4
dev/httpd/CHANGES_2.4.46
dev/httpd/httpd-2.4.46-deps.tar.bz2
dev/httpd/httpd-2.4.46-deps.tar.bz2.asc
dev/httpd/httpd-2.4.46-deps.tar.bz2.md5
dev/httpd/httpd-2.4.46-deps.tar.bz2.sha1
dev/httpd/httpd-2.4.46-deps.tar.bz2.sha256
dev/httpd/httpd-2.4.46-deps.tar.bz2.sha512
dev/httpd/httpd-2.4.46-deps.tar.gz
dev/httpd/httpd-2.4.46-deps.tar.gz.asc
dev/httpd/httpd-2.4.46-deps.tar.gz.md5
dev/httpd/httpd-2.4.46-deps.tar.gz.sha1
dev/httpd/httpd-2.4.46-deps.tar.gz.sha256
dev/httpd/httpd-2.4.46-deps.tar.gz.sha512
dev/httpd/httpd-2.4.46.tar.bz2
dev/httpd/httpd-2.4.46.tar.bz2.asc
dev/httpd/httpd-2.4.46.tar.bz2.md5
dev/httpd/httpd-2.4.46.tar.bz2.sha1
dev/httpd/httpd-2.4.46.tar.bz2.sha256
dev/httpd/httpd-2.4.46.tar.bz2.sha512
dev/httpd/httpd-2.4.46.tar.gz
dev/httpd/httpd-2.4.46.tar.gz.asc
dev/httpd/httpd-2.4.46.tar.gz.md5
dev/httpd/httpd-2.4.46.tar.gz.sha1
dev/httpd/httpd-2.4.46.tar.gz.sha256
dev/httpd/httpd-2.4.46.tar.gz.sha512
Modified:
release/httpd/Announcement2.4.html
release/httpd/Announcement2.4.txt
release/httpd/CHANGES_2.4

Modified: release/httpd/Announcement2.4.html
--- release/httpd/Announcement2.4.html (original)
+++ release/httpd/Announcement2.4.html Wed Aug 5 11:32:51 2020
@@ -49,27 +49,27 @@
<div class="banner"></div>

<h1>
- Apache HTTP Server 2.4.43 Released
+ Apache HTTP Server 2.4.46 Released
</h1>
<p>
- April 01, 2020
+ September 21, 2018
</p>
<p>
The Apache Software Foundation and the Apache HTTP Server Project are
pleased to <a href="https://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
- the release of version 2.4.43 of the Apache
+ the release of version 2.4.46 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- a security, feature and bug fix release.
+ a feature and bug fix release.
</p>
<p>
We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.
</p>
<p>
- Apache HTTP Server 2.4.43 is available for download from:
+ Apache HTTP Server 2.4.46 is available for download from:
</p>
<dl>
<dd><a href="https://httpd.apache.org/download.cgi"
@@ -77,7 +77,7 @@
</dl>
<p>
Please see the <a href="./CHANGES_2.4">CHANGES_2.4</a> file, linked from the download page, for a
- full list of changes. A condensed list, <a href="./CHANGES_2.4.43">CHANGES_2.4.43</a> includes only
+ full list of changes. A condensed list, <a href="./CHANGES_2.4.46">CHANGES_2.4.46</a> includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:

Modified: release/httpd/Announcement2.4.txt
--- release/httpd/Announcement2.4.txt (original)
+++ release/httpd/Announcement2.4.txt Wed Aug 5 11:32:51 2020
@@ -1,19 +1,19 @@
- Apache HTTP Server 2.4.43 Released
+ Apache HTTP Server 2.4.46 Released

- April 01, 2020
+ September 21, 2018

The Apache Software Foundation and the Apache HTTP Server Project
- are pleased to announce the release of version 2.4.43 of the Apache
+ are pleased to announce the release of version 2.4.46 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
- a security, feature and bug fix release.
+ a feature and bug fix release.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

- Apache HTTP Server 2.4.43 is available for download from:
+ Apache HTTP Server 2.4.46 is available for download from:

https://httpd.apache.org/download.cgi

@@ -24,7 +24,7 @@
https://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
- full list of changes. A condensed list, CHANGES_2.4.43 includes only
+ full list of changes. A condensed list, CHANGES_2.4.46 includes only
those changes introduced since the prior 2.4 release. A summary of all
of the security vulnerabilities addressed in this and earlier releases
is available:

Modified: release/httpd/CHANGES_2.4
--- release/httpd/CHANGES_2.4 (original)
+++ release/httpd/CHANGES_2.4 Wed Aug 5 11:32:51 2020
@@ -1,6 +1,78 @@
-*- coding: utf-8 -*-
+Changes with Apache 2.4.46
+ *) mod_proxy_fcgi: Fix build warnings for Windows platform
+ [Eric Covener, Christophe Jaillet]
+
+Changes with Apache 2.4.45
+
+ *) mod_http2: remove support for abandoned http-wg draft
+ <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
+ [Stefan Eissing]
+
+Changes with Apache 2.4.44
+
+ *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
+ protocol limit). [Yann Ylavic]
+
+ *) mod_http2:
+ Fixes <https://github.com/icing/mod_h2/issues/200>:
+ "LimitRequestFields 0" now disables the limit, as documented.
+ Fixes <https://github.com/icing/mod_h2/issues/201>:
+ Do not count repeated headers with same name against the field
+ count limit. The are merged internally, as if sent in a single HTTP/1 line.
+ [Stefan Eissing]
+
+ *) mod_http2: Avoid segfaults in case of handling certain responses for
+ already aborted connections. [Stefan Eissing, Ruediger Pluem]
+
+ *) mod_http2: The module now handles master/secondary connections and has marked
+ methods according to use. [Stefan Eissing]
+
+ *) core: Drop an invalid Last-Modified header value coming
+ from a FCGI/CGI script instead of replacing it with Unix epoch.
+ [Yann Ylavic, Luca Toscano]
+
+ *) Add support for strict content-length parsing through addition of
+ ap_parse_strict_length() [Yann Ylavic]
+
+ *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
+ evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
+
+ *) mod_proxy_http: flush spooled request body in one go to avoid
+ leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
+
+ *) mod_ssl: Fix a race condition and possible crash when using a proxy client
+ certificate (SSLProxyMachineCertificateFile).
+ [Armin Abfalterer <a.abfalterer gmail.com>]
+
+ *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
+
+ *) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
+ PR64330 [Stefan Eissing]
+
+ *) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
+ was configured with a handshake timeout. Fixes gitub issue #196.
+ [Stefan Eissing]
+
+ *) mod_proxy_http2: the "ping" proxy parameter
+ (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
+ when checking the liveliness of a new or reused h2 connection to the backend.
+ With short durations, this makes load-balancing more responsive. The module
+ will hold back requests until ping conditions are met, using features of the
+ HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
+
+ *) core: httpd is no longer linked against -lsystemd if mod_systemd
+ is enabled (and built as a DSO). [Rainer Jung]
+
+ *) mod_proxy_http2: respect ProxyTimeout settings on backend connections
+ while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
+
Changes with Apache 2.4.43

+ *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
+
+Changes with Apache 2.4.42
+
*) SECURITY: CVE-2020-1934 (cve.mitre.org)
mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
server. [Eric Covener]
@@ -10,10 +82,6 @@ Changes with Apache 2.4.43
matches and substitutions with encoded line break characters.
The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]

- *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
-
-Changes with Apache 2.4.42
-
*) mod_proxy_http: Fix the forwarding of requests with content body when a
balancer member is unavailable; the retry on the next member was issued
with an empty body (regression introduced in 2.4.41). PR63891.

Re: svn commit: r40863 - /dev/httpd/ /release/httpd/

Rainer Jung-3
Thanks for the explanation and sorry about the wrong alarm!

Best regards,

Rainer

On 06.08.2020 at 00:31, Daniel Ruggeri wrote:

> Hi, Rainer;
> Right - this file gets rewritten by the announce.sh script just before
> the notification goes out. This is done to ensure that the date is
> correct and to ensure the type of release (bug, security, enhancement)
> is correct. It appears as though the file was just changed, but really
> it's just because the text was bumped as-is from the 'dev' location to
> the 'dist' location.
> --
> Daniel Ruggeri
>
> On August 5, 2020 7:23:33 AM CDT, Rainer Jung <[hidden email]>
> wrote:
>
>     Could you fix the date (September 21, 2018 seems wrong).
>
>     Thanks!
>
>     Rainer
>
>     On 05.08.2020 at 13:32, [hidden email] wrote:
>
>         Author: druggeri
>         Date: Wed Aug 5 11:32:51 2020
>         New Revision: 40863
>
>         Log:
>         Push 2.4.46 up to the release directory
>
>         Added:
>         release/httpd/CHANGES_2.4.46
>         - copied unchanged from r40862, dev/httpd/CHANGES_2.4.46
>         release/httpd/httpd-2.4.46.tar.bz2
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2
>         release/httpd/httpd-2.4.46.tar.bz2.asc
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.asc
>         release/httpd/httpd-2.4.46.tar.bz2.md5
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.md5
>         release/httpd/httpd-2.4.46.tar.bz2.sha1
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.bz2.sha1
>         release/httpd/httpd-2.4.46.tar.bz2.sha256
>         - copied unchanged from r40862,
>         dev/httpd/httpd-2.4.46.tar.bz2.sha256
>         release/httpd/httpd-2.4.46.tar.bz2.sha512
>         - copied unchanged from r40862,
>         dev/httpd/httpd-2.4.46.tar.bz2.sha512
>         release/httpd/httpd-2.4.46.tar.gz
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz
>         release/httpd/httpd-2.4.46.tar.gz.asc
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.asc
>         release/httpd/httpd-2.4.46.tar.gz.md5
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.md5
>         release/httpd/httpd-2.4.46.tar.gz.sha1
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.sha1
>         release/httpd/httpd-2.4.46.tar.gz.sha256
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.sha256
>         release/httpd/httpd-2.4.46.tar.gz.sha512
>         - copied unchanged from r40862, dev/httpd/httpd-2.4.46.tar.gz.sha512
>         Removed:
>         dev/httpd/CHANGES_2.4
>         dev/httpd/CHANGES_2.4.46
>         dev/httpd/httpd-2.4.46-deps.tar.bz2
>         dev/httpd/httpd-2.4.46-deps.tar.bz2.asc
>         dev/httpd/httpd-2.4.46-deps.tar.bz2.md5
>         dev/httpd/httpd-2.4.46-deps.tar.bz2.sha1
>         dev/httpd/httpd-2.4.46-deps.tar.bz2.sha256
>         dev/httpd/httpd-2.4.46-deps.tar.bz2.sha512
>         dev/httpd/httpd-2.4.46-deps.tar.gz
>         dev/httpd/httpd-2.4.46-deps.tar.gz.asc
>         dev/httpd/httpd-2.4.46-deps.tar.gz.md5
>         dev/httpd/httpd-2.4.46-deps.tar.gz.sha1
>         dev/httpd/httpd-2.4.46-deps.tar.gz.sha256
>         dev/httpd/httpd-2.4.46-deps.tar.gz.sha512
>         dev/httpd/httpd-2.4.46.tar.bz2
>         dev/httpd/httpd-2.4.46.tar.bz2.asc
>         dev/httpd/httpd-2.4.46.tar.bz2.md5
>         dev/httpd/httpd-2.4.46.tar.bz2.sha1
>         dev/httpd/httpd-2.4.46.tar.bz2.sha256
>         dev/httpd/httpd-2.4.46.tar.bz2.sha512
>         dev/httpd/httpd-2.4.46.tar.gz
>         dev/httpd/httpd-2.4.46.tar.gz.asc
>         dev/httpd/httpd-2.4.46.tar.gz.md5
>         dev/httpd/httpd-2.4.46.tar.gz.sha1
>         dev/httpd/httpd-2.4.46.tar.gz.sha256
>         dev/httpd/httpd-2.4.46.tar.gz.sha512
>         Modified:
>         release/httpd/Announcement2.4.html
>         release/httpd/Announcement2.4.txt
>         release/httpd/CHANGES_2.4
>
>         Modified: release/httpd/Announcement2.4.html
>         ------------------------------------------------------------------------
>         --- release/httpd/Announcement2.4.html (original)
>         +++ release/httpd/Announcement2.4.html Wed Aug 5 11:32:51 2020
>         @@ -49,27 +49,27 @@
>         <div class="banner"></div>
>
>         <h1>
>         - Apache HTTP Server 2.4.43 Released
>         + Apache HTTP Server 2.4.46 Released
>         </h1>
>         <p>
>         - April 01, 2020
>         + September 21, 2018
>         </p>
>         <p>
>         The Apache Software Foundation and the Apache HTTP Server
>         Project are
>         pleased to <a
>         href="https://www.apache.org/dist/httpd/Announcement2.4.html">announce</a>
>         - the release of version 2.4.43 of the Apache
>         + the release of version 2.4.46 of the Apache
>         HTTP Server ("Apache"). This version of Apache is our latest GA
>         release of the new generation 2.4.x branch of Apache HTTPD and
>         represents fifteen years of innovation by the project, and is
>         recommended over all previous releases. This release of Apache is
>         - a security, feature and bug fix release.
>         + a feature and bug fix release.
>         </p>
>         <p>
>         We consider this release to be the best version of Apache
>         available, and
>         encourage users of all prior versions to upgrade.
>         </p>
>         <p>
>         - Apache HTTP Server 2.4.43 is available for download from:
>         + Apache HTTP Server 2.4.46 is available for download from:
>         </p>
>         <dl>
>         <dd><a href="https://httpd.apache.org/download.cgi"
>         @@ -77,7 +77,7 @@
>         </dl>
>         <p>
>         Please see the <a href="./CHANGES_2.4">CHANGES_2.4</a> file,
>         linked from the download page, for a
>         - full list of changes. A condensed list, <a
>         href="./CHANGES_2.4.43">CHANGES_2.4.43</a> includes only
>         + full list of changes. A condensed list, <a
>         href="./CHANGES_2.4.46">CHANGES_2.4.46</a> includes only
>         those changes introduced since the prior 2.4 release. A summary
>         of all
>         of the security vulnerabilities addressed in this and earlier
>         releases
>         is available:
>
>         Modified: release/httpd/Announcement2.4.txt
>         ------------------------------------------------------------------------
>         --- release/httpd/Announcement2.4.txt (original)
>         +++ release/httpd/Announcement2.4.txt Wed Aug 5 11:32:51 2020
>         @@ -1,19 +1,19 @@
>         - Apache HTTP Server 2.4.43 Released
>         + Apache HTTP Server 2.4.46 Released
>
>         - April 01, 2020
>         + September 21, 2018
>
>         The Apache Software Foundation and the Apache HTTP Server Project
>         - are pleased to announce the release of version 2.4.43 of the
>         Apache
>         + are pleased to announce the release of version 2.4.46 of the
>         Apache
>         HTTP Server ("Apache"). This version of Apache is our latest GA
>         release of the new generation 2.4.x branch of Apache HTTPD and
>         represents fifteen years of innovation by the project, and is
>         recommended over all previous releases. This release of Apache is
>         - a security, feature and bug fix release.
>         + a feature and bug fix release.
>
>         We consider this release to be the best version of Apache
>         available, and
>         encourage users of all prior versions to upgrade.
>
>         - Apache HTTP Server 2.4.43 is available for download from:
>         + Apache HTTP Server 2.4.46 is available for download from:
>
>         https://httpd.apache.org/download.cgi
>
>         @@ -24,7 +24,7 @@
>         https://httpd.apache.org/docs/trunk/new_features_2_4.html
>
>         Please see the CHANGES_2.4 file, linked from the download page,
>         for a
>         - full list of changes. A condensed list, CHANGES_2.4.43
>         includes only
>         + full list of changes. A condensed list, CHANGES_2.4.46
>         includes only
>         those changes introduced since the prior 2.4 release. A summary
>         of all
>         of the security vulnerabilities addressed in this and earlier
>         releases
>         is available:
>
>         Modified: release/httpd/CHANGES_2.4
>         ------------------------------------------------------------------------
>         --- release/httpd/CHANGES_2.4 (original)
>         +++ release/httpd/CHANGES_2.4 Wed Aug 5 11:32:51 2020
>         @@ -1,6 +1,78 @@
>         -*- coding: utf-8 -*-
>         +Changes with Apache 2.4.46
>         + *) mod_proxy_fcgi: Fix build warnings for Windows platform
>         + [Eric Covener, Christophe Jaillet]
>         +
>         +Changes with Apache 2.4.45
>         +
>         + *) mod_http2: remove support for abandoned http-wg draft
>         + <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
>         + [Stefan Eissing]
>         +
>         +Changes with Apache 2.4.44
>         +
>         + *) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
>         + protocol limit). [Yann Ylavic]
>         +
>         + *) mod_http2:
>         + Fixes <https://github.com/icing/mod_h2/issues/200>:
>         + "LimitRequestFields 0" now disables the limit, as documented.
>         + Fixes <https://github.com/icing/mod_h2/issues/201>:
>         + Do not count repeated headers with same name against the field
>         + count limit. The are merged internally, as if sent in a single
>         HTTP/1 line.
>         + [Stefan Eissing]
>         +
>         + *) mod_http2: Avoid segfaults in case of handling certain
>         responses for
>         + already aborted connections. [Stefan Eissing, Ruediger Pluem]
>         +
>         + *) mod_http2: The module now handles master/secondary
>         connections and has marked
>         + methods according to use. [Stefan Eissing]
>         +
>         + *) core: Drop an invalid Last-Modified header value coming
>         + from a FCGI/CGI script instead of replacing it with Unix epoch.
>         + [Yann Ylavic, Luca Toscano]
>         +
>         + *) Add support for strict content-length parsing through
>         addition of
>         + ap_parse_strict_length() [Yann Ylavic]
>         +
>         + *) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when
>         expression
>         + evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
>         +
>         + *) mod_proxy_http: flush spooled request body in one go to avoid
>         + leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
>         +
>         + *) mod_ssl: Fix a race condition and possible crash when using
>         a proxy client
>         + certificate (SSLProxyMachineCertificateFile).
>         + [Armin Abfalterer <a.abfalterer gmail.com>]
>         +
>         + *) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan
>         Eissing]
>         +
>         + *) mod_http2: Fixed regression that no longer set H2_STREAM_ID
>         and H2_STREAM_TAG.
>         + PR64330 [Stefan Eissing]
>         +
>         + *) mod_http2: Fixed regression that caused connections to
>         close when mod_reqtimeout
>         + was configured with a handshake timeout. Fixes gitub issue #196.
>         + [Stefan Eissing]
>         +
>         + *) mod_proxy_http2: the "ping" proxy parameter
>         + (see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>)
>         is now used
>         + when checking the liveliness of a new or reused h2 connection
>         to the backend.
>         + With short durations, this makes load-balancing more
>         responsive. The module
>         + will hold back requests until ping conditions are met, using
>         features of the
>         + HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
>         +
>         + *) core: httpd is no longer linked against -lsystemd if
>         mod_systemd
>         + is enabled (and built as a DSO). [Rainer Jung]
>         +
>         + *) mod_proxy_http2: respect ProxyTimeout settings on backend
>         connections
>         + while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
>         +
>         Changes with Apache 2.4.43
>
>         + *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann
>         Ylavic]
>         +
>         +Changes with Apache 2.4.42
>         +
>         *) SECURITY: CVE-2020-1934 (cve.mitre.org)
>         mod_proxy_ftp: Use of uninitialized value with malicious backend FTP
>         server. [Eric Covener]
>         @@ -10,10 +82,6 @@ Changes with Apache 2.4.43
>         matches and substitutions with encoded line break characters.
>         The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
>
>         - *) mod_ssl: Fix memory leak of OCSP stapling response. [Yann
>         Ylavic]
>         -
>         -Changes with Apache 2.4.42
>         -
>         *) mod_proxy_http: Fix the forwarding of requests with content
>         body when a
>         balancer member is unavailable; the retry on the next member was
>         issued
>         with an empty body (regression introduced in 2.4.41). PR63891.