[VOTE] Release httpd-2.4.46


Re: [VOTE] Release httpd-2.4.46

Daniel Ruggeri-3
Hi, Bill;
   I wondered about this myself. I agree that we allow for ambiguity
when we say an issue is fixed in 2.4.44 and 2.4.45 (which weren't
released). Perhaps we should just bump the 'fixed' version up to the
released version... but then we should also add to the 'affected'
versions the version numbers we burned during QA. That's odd, too,
because we didn't release those versions so they aren't really 'affected'.

   I could go either way... the vulnerability reporting is enough "after
work" for a release that makes it a prime candidate for processing it
with announce.sh, so I'm happy to encode whatever we consider the best
way forward into that script.

--
Daniel Ruggeri

On 8/7/2020 8:56 AM, William A Rowe Jr wrote:

> Following the announcement link, it isn't clear that 
>
> https://httpd.apache.org/security/vulnerabilities_24.html 
>
> fixes issues in 2.4.46.
>
> Should the fixed-in be promoted to the revision of Apache HTTP Server
> actually published (released) by the project? It almost reads like
> "fixed in
> 2.4.46-dev" (which 0-day disclosures are described as, until a release
> is actually published.)
>
> On Wed, Aug 5, 2020 at 6:32 AM Daniel Ruggeri <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     Hi, all;
>
>        With 12 binding PMC +1 votes, two additional +1 votes from the
>     community, and no -1 votes, I'm pleased to report that the vote has
>     PASSED to release 2.4.46. I will begin the process of pushing to the
>     distribution mirrors which should enable us for a Friday
>     announcement -
>     a great way to wrap up the week!
>
>     Here are the votes I recorded during the thread:
>     PMC
>     jailletc36, steffenal, elukey, jorton, jfclere, ylavic, covener,
>     gbechis, gsmith, druggeri, jblond, rjung
>
>     Community
>     Noel Butler, wrowe
>
>     --
>     Daniel Ruggeri
>
>     On 8/1/2020 9:13 AM, Daniel Ruggeri wrote:
>     > Hi, all;
>     >    Third time is a charm! Please find below the proposed release
>     tarball
>     > and signatures:
>     > https://dist.apache.org/repos/dist/dev/httpd/
>     >
>     > I would like to call a VOTE over the next few days to release this
>     > candidate tarball as 2.4.46:
>     > [ ] +1: It's not just good, it's good enough!
>     > [ ] +0: Let's have a talk.
>     > [ ] -1: There's trouble in paradise. Here's what's wrong.
>     >
>     > The computed digests of the tarball up for vote are:
>     > sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
>     > sha256: 44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2 *httpd-2.4.46.tar.gz
>     > sha512: 5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15 *httpd-2.4.46.tar.gz
>     >
>     > The SVN tag is '2.4.46' at r1880505.
>     >
>
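
A check a practitioner would run on the candidate before casting a vote, as an added example that is not from the thread or from the httpd project: parse the sha*sum-style digest block in the quoted, line-wrapped form such mails arrive in, then hash the tarball in one pass and compare. The digest values in the constant are the ones posted in the vote mail above; the file hashed in self_check() is constructed for the example and is not httpd. Function and constant names are the example's own.

```python
import hashlib
import hmac
import os
import re
import tempfile
from typing import Dict, Tuple

# Digest values as posted in the vote mail above; the layout reproduces how a
# mail client quotes and wraps such a block, which is what the parser must cope with.
VOTE_MAIL_DIGESTS = """\
>     > sha1: 15adb7eb3dc97e89c8a4237901a9d6887056ab98 *httpd-2.4.46.tar.gz
>     > sha256:
>     44b759ce932dc090c0e75c0210b4485ebf6983466fb8ca1b446c8168e1a1aec2
>     > *httpd-2.4.46.tar.gz
>     > sha512:
>     >
>     5801c1dd0365f706a5e2365e58599b5adac674f3c66b0f39249909841e6cdf16bfdfe001fbd668f323bf7b6d14b116b5e7af49867d456336fad5e685ba020b15
>     > *httpd-2.4.46.tar.gz
"""

ALGOS = ("sha1", "sha256", "sha512")


def parse_digest_block(text: str) -> Dict[str, Dict[str, str]]:
    """Return {filename: {algo: hex}} from sha*sum-style lines.

    Quote markers and leading spaces are stripped and the block is tokenised on
    whitespace, so 'algo: hex *file' works whether or not the hex was wrapped
    onto its own line. The '*' before the filename is sha*sum's binary-mode marker."""
    tokens = []
    for line in text.splitlines():
        tokens.extend(re.sub(r"^[\s>]+", "", line).split())
    digests: Dict[str, Dict[str, str]] = {}
    i = 0
    while i + 2 < len(tokens):
        algo = tokens[i].rstrip(":")
        if tokens[i].endswith(":") and algo in ALGOS:
            hexval, fname = tokens[i + 1].lower(), tokens[i + 2].lstrip("*")
            want = hashlib.new(algo).digest_size * 2
            if not re.fullmatch(r"[0-9a-f]{%d}" % want, hexval):
                raise ValueError(f"{algo} value for {fname} is not {want} hex digits")
            digests.setdefault(fname, {})[algo] = hexval
            i += 3
        else:
            i += 1
    return digests


def verify_file(path: str, expected: Dict[str, str]) -> Dict[str, bool]:
    """Hash the file once for every posted algorithm and compare in constant time."""
    hashers = {algo: hashlib.new(algo) for algo in expected}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {algo: hmac.compare_digest(h.hexdigest(), expected[algo])
            for algo, h in hashers.items()}


def strong_match(results: Dict[str, bool]) -> bool:
    """Accept only when at least one collision-resistant digest was posted and
    every posted digest matches; sha1 alone cannot carry the decision."""
    strong = [ok for algo, ok in results.items() if algo != "sha1"]
    return bool(strong) and all(results.values())


def self_check() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    """Round trip on a constructed file: emit a mail-style digest block for it,
    parse that back, verify the file, then flip one byte and verify again."""
    data = b"constructed stand-in for a release tarball\n" * 4096  # not httpd
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example.tar.gz")
        with open(path, "wb") as fh:
            fh.write(data)
        block = "\n".join(
            f"{algo}:\n    {hashlib.new(algo, data).hexdigest()}\n*example.tar.gz"
            for algo in ALGOS)
        expected = parse_digest_block(block)["example.tar.gz"]
        good = verify_file(path, expected)
        with open(path, "r+b") as fh:  # tamper with a single byte
            fh.seek(100)
            fh.write(b"X")
        bad = verify_file(path, expected)
    return good, bad


if __name__ == "__main__":
    for fname, algos in parse_digest_block(VOTE_MAIL_DIGESTS).items():
        print(fname, sorted(algos))
    good, bad = self_check()
    print("untouched file:", strong_match(good), " tampered file:", strong_match(bad))
```

Matching digests copied from the same mail only show that the download is the artifact the release manager hashed. To bind the tarball to the project rather than to one mail, also verify the detached signature published alongside it in the dist area against a key from the project's KEYS file (gpg --verify httpd-2.4.46.tar.gz.asc httpd-2.4.46.tar.gz). sha1 is parsed because the mail lists it, but strong_match() rests the decision on sha256 and sha512.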

Re: [VOTE] Release httpd-2.4.46

Alex Hautequest
In reply to this post by Daniel Ruggeri-3
I don’t see why wording similar to “Fixed in Apache httpd-2.4.44 (not released to the public)” couldn’t be used: this is, after all, a true statement.

While it should be common understanding that newer code versions carry improvements and fixes from previous ones, maybe this should be clarified on the initial paragraphs of the vulnerabilities page.

Last but not least, this also resolves thoughts of “where is 2.4.44, I cannot find it” (although only if one browses to the vulnerabilities page).

What I am not sure of, however, is how much this affects the existing automation workflow.

Alex

> On Aug 8, 2020, at 08:27, Daniel Ruggeri <[hidden email]> wrote:
>
> Hi, Bill;
>   I wondered about this myself. I agree that we allow for ambiguity
> when we say an issue is fixed in 2.4.44 and 2.4.45 (which weren't
> released). Perhaps we should just bump the 'fixed' version up to the
> released version... but then we should also add to the 'affected'
> versions the version numbers we burned during QA. That's odd, too,
> because we didn't release those versions so they aren't really 'affected'.
>
>   I could go either way... the vulnerability reporting is enough "after
> work" for a release that makes it a prime candidate for processing it
> with announce.sh, so I'm happy to encode whatever we consider the best
> way forward into that script.
>
> --
> Daniel Ruggeri
>

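One way to encode the policy the two messages above discuss, as an added example that is not the project's announce.sh or any httpd code: a burned "fixed in" number (2.4.44, 2.4.45, or a "2.4.46-dev" disclosure) is mapped to the first release the project actually published, the unreleased number is kept in a parenthetical along the lines Alex suggests, and only published versions are listed as affected, which addresses Daniel's point that burned numbers were never really "affected". The release list RELEASED_2_4 is an assumption for illustration, not the project's release history, and the function names are the example's own.

```python
from typing import Iterable, List, Optional, Tuple

# Illustrative release list for this example only (an assumption, not the
# project's actual release history). 2.4.44 and 2.4.45 are absent because,
# as the thread says, those numbers were burned during QA and never shipped.
RELEASED_2_4 = ["2.4.41", "2.4.43", "2.4.46"]

Version = Tuple[int, ...]


def parse_version(text: str) -> Tuple[Version, str]:
    """Split '2.4.46' or '2.4.46-dev' into a numeric tuple and a suffix.

    A '-dev' suffix is how 0-day disclosures are described before a release
    exists; it sorts with its base version, the suffix only records that the
    fix lives in the development tree."""
    base, _, suffix = text.partition("-")
    return tuple(int(part) for part in base.split(".")), suffix


def fmt(version: Version) -> str:
    return ".".join(str(part) for part in version)


def first_released_at_or_after(fixed_in: str, released: Iterable[str]) -> Optional[str]:
    """Map a 'fixed in' number that may never have shipped to the first
    published release containing the fix, or None when none exists yet."""
    target, _ = parse_version(fixed_in)
    for candidate in sorted(parse_version(v)[0] for v in released):
        if candidate >= target:
            return fmt(candidate)
    return None


def describe_fix(fixed_in: str, released: Iterable[str]) -> str:
    """Render the 'fixed in' field so that the version shown is one a reader
    can download, while still recording the number the fix was applied under
    when that number was never released."""
    shipped = first_released_at_or_after(fixed_in, released)
    base, suffix = parse_version(fixed_in)
    if shipped is None:
        return f"Fixed in {fixed_in} (no release containing the fix has been published yet)"
    if shipped == fmt(base) and not suffix:
        return f"Fixed in {shipped}"
    return f"Fixed in {shipped} (applied as {fixed_in}, which was not released to the public)"


def affected_released_versions(first_affected: str, fixed_in: str,
                               released: Iterable[str]) -> List[str]:
    """List only published versions in [first_affected, fixed_in); burned
    numbers below the fix are skipped rather than declared affected."""
    low, _ = parse_version(first_affected)
    high, _ = parse_version(fixed_in)
    return [fmt(v) for v in sorted(parse_version(r)[0] for r in released)
            if low <= v < high]


if __name__ == "__main__":
    for fixed in ("2.4.44", "2.4.45", "2.4.46", "2.4.46-dev", "2.4.47"):
        print(f"{fixed:12} -> {describe_fix(fixed, RELEASED_2_4)}")
    print("affected:", affected_released_versions("2.4.41", "2.4.44", RELEASED_2_4))
```

Whichever wording the project settles on, the point of computing it from the published release list rather than hand-editing the page is that a "fixed in 2.4.44" entry stops reading like a version nobody can find, and a "-dev" entry turns into the real release number the moment that release exists.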