Subject: svn commit: r21978 - /dev/httpd/
Date: Mon, 25 Sep 2017 12:12:20 -0000
To: cvs@httpd.apache.org
From: jim@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20170925121223.A94D63A01AB@svn01-us-west.apache.org>
archived-at: Mon, 25 Sep 2017 12:12:27 -0000

Author: jim
Date: Mon Sep 25 12:12:20 2017
New Revision: 21978

Log:
Commit test tarball distros for Apache httpd 2.4.28

Added:
dev/httpd/CHANGES_2.4.28
dev/httpd/httpd-2.4.28-deps.tar.bz2 (with props)
dev/httpd/httpd-2.4.28-deps.tar.bz2.asc (with props)
dev/httpd/httpd-2.4.28-deps.tar.bz2.md5
dev/httpd/httpd-2.4.28-deps.tar.bz2.sha1
dev/httpd/httpd-2.4.28-deps.tar.bz2.sha256
dev/httpd/httpd-2.4.28-deps.tar.gz (with props)
dev/httpd/httpd-2.4.28-deps.tar.gz.asc (with props)
dev/httpd/httpd-2.4.28-deps.tar.gz.md5
dev/httpd/httpd-2.4.28-deps.tar.gz.sha1
dev/httpd/httpd-2.4.28-deps.tar.gz.sha256
dev/httpd/httpd-2.4.28.tar.bz2 (with props)
dev/httpd/httpd-2.4.28.tar.bz2.asc (with props)
dev/httpd/httpd-2.4.28.tar.bz2.md5
dev/httpd/httpd-2.4.28.tar.bz2.sha1
dev/httpd/httpd-2.4.28.tar.bz2.sha256
dev/httpd/httpd-2.4.28.tar.gz (with props)
dev/httpd/httpd-2.4.28.tar.gz.asc (with props)
dev/httpd/httpd-2.4.28.tar.gz.md5
dev/httpd/httpd-2.4.28.tar.gz.sha1
dev/httpd/httpd-2.4.28.tar.gz.sha256

Removed:
dev/httpd/CHANGES_2.4.27
dev/httpd/httpd-2.4.27-deps.tar.bz2
dev/httpd/httpd-2.4.27-deps.tar.bz2.asc
dev/httpd/httpd-2.4.27-deps.tar.bz2.md5
dev/httpd/httpd-2.4.27-deps.tar.bz2.sha1
dev/httpd/httpd-2.4.27-deps.tar.bz2.sha256
dev/httpd/httpd-2.4.27-deps.tar.gz
dev/httpd/httpd-2.4.27-deps.tar.gz.asc
dev/httpd/httpd-2.4.27-deps.tar.gz.md5
dev/httpd/httpd-2.4.27-deps.tar.gz.sha1
dev/httpd/httpd-2.4.27-deps.tar.gz.sha256
dev/httpd/httpd-2.4.27.tar.bz2
dev/httpd/httpd-2.4.27.tar.bz2.asc
dev/httpd/httpd-2.4.27.tar.bz2.md5
dev/httpd/httpd-2.4.27.tar.bz2.sha1
dev/httpd/httpd-2.4.27.tar.bz2.sha256
dev/httpd/httpd-2.4.27.tar.gz
dev/httpd/httpd-2.4.27.tar.gz.asc
dev/httpd/httpd-2.4.27.tar.gz.md5
dev/httpd/httpd-2.4.27.tar.gz.sha1
dev/httpd/httpd-2.4.27.tar.gz.sha256

Modified:
dev/httpd/Announcement2.4.html
dev/httpd/Announcement2.4.txt
dev/httpd/CHANGES_2.4 Modified: dev/httpd/Announcement2.4.html ============================================================================== --- dev/httpd/Announcement2.4.html (original) +++ dev/httpd/Announcement2.4.html Mon Sep 25 12:12:20 2017 @@ -49,7 +49,7 @@

- Apache HTTP Server 2.4.27 Released + Apache HTTP Server 2.4.28 Released

XXXX XX, 2017 @@ -57,7 +57,7 @@

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce - the release of version 2.4.27 of the Apache + the release of version 2.4.28 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is @@ -69,7 +69,7 @@ encourage users of all prior versions to upgrade.

- Apache HTTP Server 2.4.27 is available for download from: + Apache HTTP Server 2.4.28 is available for download from:

Please see the CHANGES_2.4 file, linked from the download page, for a - full list of changes. A condensed list, CHANGES_2.4.27 includes only + full list of changes. A condensed list, CHANGES_2.4.28 includes only those changes introduced since the prior 2.4 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available: @@ -88,13 +88,14 @@

- Of particular note in this release are 3 COMPATIBILITY items: + Of particular note in this release is 1 SECURITY item:

    -
  • HTTP/2 will not be negotiated when using the Prefork MPM
  • -
  • FastCGI compatibility with PHP-FPM is fixed
  • -
  • mod_lua no longer exports the undocumented and unsupported - apr_table variable.
  • +
  • SECURITY: CVE-2017-9798 (cve.mitre.org).
    + Corrupted or freed memory access. <Limit[Except]> must now be used in + the main configuration file (httpd.conf) to register HTTP methods + before the .htaccess files. +

This release requires the Apache Portable Runtime (APR), minimum version Modified: dev/httpd/Announcement2.4.txt ============================================================================== --- dev/httpd/Announcement2.4.txt (original) +++ dev/httpd/Announcement2.4.txt Mon Sep 25 12:12:20 2017 @@ -1,9 +1,9 @@ - Apache HTTP Server 2.4.27 Released + Apache HTTP Server 2.4.28 Released XXXX XX, 2017 The Apache Software Foundation and the Apache HTTP Server Project - are pleased to announce the release of version 2.4.27 of the Apache + are pleased to announce the release of version 2.4.28 of the Apache HTTP Server ("Apache"). This version of Apache is our latest GA release of the new generation 2.4.x branch of Apache HTTPD and represents fifteen years of innovation by the project, and is @@ -13,7 +13,7 @@ We consider this release to be the best version of Apache available, and encourage users of all prior versions to upgrade. - Apache HTTP Server 2.4.27 is available for download from: + Apache HTTP Server 2.4.28 is available for download from: http://httpd.apache.org/download.cgi 
@@ -24,19 +24,19 @@ http://httpd.apache.org/docs/trunk/new_features_2_4.html Please see the CHANGES_2.4 file, linked from the download page, for a - full list of changes. A condensed list, CHANGES_2.4.27 includes only + full list of changes. A condensed list, CHANGES_2.4.28 includes only those changes introduced since the prior 2.4 release. A summary of all of the security vulnerabilities addressed in this and earlier releases is available: http://httpd.apache.org/security/vulnerabilities_24.html - Of particular note in this release are 3 COMPATIBILITY items: + Of particular note in this release is 1 SECURITY : - o HTTP/2 will not be negotiated when using the Prefork MPM - o FastCGI compatibility with PHP-FPM is fixed - o mod_lua no longer exports the undocumented and unsupported - 'apr_table' variable. + o SECURITY: CVE-2017-9798 (cve.mitre.org). + Corrupted or freed memory access. must now be used in + the main configuration file (httpd.conf) to register HTTP methods + before the .htaccess files. This release requires the Apache Portable Runtime (APR), minimum version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may Modified: dev/httpd/CHANGES_2.4 ============================================================================== --- dev/httpd/CHANGES_2.4 (original) +++ dev/httpd/CHANGES_2.4 Mon Sep 25 12:12:20 2017 
@@ -1,7 +1,71 @@ -*- coding: utf-8 -*- +Changes with Apache 2.4.28 + + *) SECURITY: CVE-2017-9798 (cve.mitre.org) + Corrupted or freed memory access. must now be used in the + main configuration file (httpd.conf) to register HTTP methods before the + .htaccess files. [Yann Ylavic] + + *) event: Avoid possible blocking in the listener thread when shutting down + connections. PR 60956. [Yann Ylavic] + + *) mod_speling: Don't embed referer data in a link in error page. + PR 38923 [Nick Kew] + + *) htdigest: prevent a buffer overflow when a string exceeds the allowed max + length in a password file. + [Luca Toscano, Hanno Böck ] + + *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25). + [Jim Jagielski] + + *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically. + PR 61142. + + *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified + down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond), + 's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski] + + *) mod_http2: Fix for stalling when more than 32KB are written to a + suspended stream. [Stefan Eissing] + + *) build: allow configuration without APR sources. [Jacob Champion] + + *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184. + [Bernard Spil , Michael Schlenker , + Yann Ylavic] + + *) core/log: Support use of optional "tag" in syslog entries. + PR 60525. [Ben Rubson , Jim Jagielski] + + *) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton] + + *) core: Disallow multiple Listen on the same IP:port when listener buckets + are configured (ListenCoresBucketsRatio > 0), consistently with the single + bucket case (default), thus avoiding the leak of the corresponding socket + descriptors on graceful restart. [Yann Ylavic] + + *) event: Avoid listener periodic wake ups by using the pollset wake-ability + when available. PR 57399. 
[Yann Ylavic, Luca Toscano] + + *) mod_proxy_wstunnel: Fix detection of unresponded request which could have + led to spurious HTTP 502 error messages sent on upgrade connections. + PR 61283. [Yann Ylavic] Changes with Apache 2.4.27 + *) SECURITY: CVE-2017-9789 (cve.mitre.org) + mod_http2: Read after free. When under stress, closing many connections, + the HTTP/2 handling code would sometimes access memory after it has been + freed, resulting in potentially erratic behaviour. + [Stefan Eissing] + + *) SECURITY: CVE-2017-9788 (cve.mitre.org) + mod_auth_digest: Uninitialized memory reflection. The value placeholder + in [Proxy-]Authorization headers type 'Digest' was not initialized or + reset before or between successive key=value assignments. + [William Rowe] + *) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table' global variable when using Lua 5.2 or later. This was exported as a side effect from luaL_register, which is no longer supported as of Added: dev/httpd/CHANGES_2.4.28 ============================================================================== --- dev/httpd/CHANGES_2.4.28 (added) +++ dev/httpd/CHANGES_2.4.28 Mon Sep 25 12:12:20 2017 
@@ -0,0 +1,66 @@ + -*- coding: utf-8 -*- +Changes with Apache 2.4.28 + + *) SECURITY: CVE-2017-9798 (cve.mitre.org) + Corrupted or freed memory access. must now be used in the + main configuration file (httpd.conf) to register HTTP methods before the + .htaccess files. [Yann Ylavic] + + *) event: Avoid possible blocking in the listener thread when shutting down + connections. PR 60956. [Yann Ylavic] + + *) mod_speling: Don't embed referer data in a link in error page. + PR 38923 [Nick Kew] + + *) htdigest: prevent a buffer overflow when a string exceeds the allowed max + length in a password file. + [Luca Toscano, Hanno Böck ] + + *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25). + [Jim Jagielski] + + *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically. + PR 61142. + + *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified + down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond), + 's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski] + + *) mod_http2: Fix for stalling when more than 32KB are written to a + suspended stream. [Stefan Eissing] + + *) build: allow configuration without APR sources. [Jacob Champion] + + *) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184. + [Bernard Spil , Michael Schlenker , + Yann Ylavic] + + *) core/log: Support use of optional "tag" in syslog entries. + PR 60525. [Ben Rubson , Jim Jagielski] + + *) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton] + + *) core: Disallow multiple Listen on the same IP:port when listener buckets + are configured (ListenCoresBucketsRatio > 0), consistently with the single + bucket case (default), thus avoiding the leak of the corresponding socket + descriptors on graceful restart. [Yann Ylavic] + + *) event: Avoid listener periodic wake ups by using the pollset wake-ability + when available. PR 57399. 
[Yann Ylavic, Luca Toscano] + + *) mod_proxy_wstunnel: Fix detection of unresponded request which could have + led to spurious HTTP 502 error messages sent on upgrade connections. + PR 61283. [Yann Ylavic] + + + [Apache 2.3.0-dev includes those bug fixes and changes with the + Apache 2.2.xx tree as documented, and except as noted, below.] + +Changes with Apache 2.2.x and later: + + *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/CHANGES?view=markup + +Changes with Apache 2.0.x and later: + + *) http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/CHANGES?view=markup + Added: dev/httpd/httpd-2.4.28-deps.tar.bz2 ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.28-deps.tar.bz2 ------------------------------------------------------------------------------ svn:mime-type = application/x-bzip2 Added: dev/httpd/httpd-2.4.28-deps.tar.bz2.asc ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.28-deps.tar.bz2.asc ------------------------------------------------------------------------------ svn:mime-type = application/pgp-signature Added: dev/httpd/httpd-2.4.28-deps.tar.bz2.md5 ============================================================================== --- dev/httpd/httpd-2.4.28-deps.tar.bz2.md5 (added) +++ dev/httpd/httpd-2.4.28-deps.tar.bz2.md5 Mon Sep 25 12:12:20 2017 @@ -0,0 +1 @@ +10f342c9752afc1e3bd26cdbf3ed6daf *httpd-2.4.28-deps.tar.bz2 Added: dev/httpd/httpd-2.4.28-deps.tar.bz2.sha1 ============================================================================== --- dev/httpd/httpd-2.4.28-deps.tar.bz2.sha1 (added) +++ dev/httpd/httpd-2.4.28-deps.tar.bz2.sha1 Mon Sep 25 12:12:20 2017 
@@ -0,0 +1 @@ +00a636bd5c1861f36f108ef1ec0898f7b4b925fc *httpd-2.4.28-deps.tar.bz2 Added: dev/httpd/httpd-2.4.28-deps.tar.bz2.sha256 ============================================================================== --- dev/httpd/httpd-2.4.28-deps.tar.bz2.sha256 (added) +++ dev/httpd/httpd-2.4.28-deps.tar.bz2.sha256 Mon Sep 25 12:12:20 2017 @@ -0,0 +1 @@ +601c84e27ff3224cc741e92bc804e21b2752af579970901a2bbf14b6f1304369 *httpd-2.4.28-deps.tar.bz2 Added: dev/httpd/httpd-2.4.28-deps.tar.gz ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.28-deps.tar.gz ------------------------------------------------------------------------------ svn:mime-type = application/x-gzip Added: dev/httpd/httpd-2.4.28-deps.tar.gz.asc ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.28-deps.tar.gz.asc ------------------------------------------------------------------------------ svn:mime-type = application/pgp-signature Added: dev/httpd/httpd-2.4.28-deps.tar.gz.md5 ============================================================================== --- dev/httpd/httpd-2.4.28-deps.tar.gz.md5 (added) +++ dev/httpd/httpd-2.4.28-deps.tar.gz.md5 Mon Sep 25 12:12:20 2017 @@ -0,0 +1 @@ +7398c86998f69b33de0c94df529e11c6 *httpd-2.4.28-deps.tar.gz Added: dev/httpd/httpd-2.4.28-deps.tar.gz.sha1 ============================================================================== --- dev/httpd/httpd-2.4.28-deps.tar.gz.sha1 (added) +++ dev/httpd/httpd-2.4.28-deps.tar.gz.sha1 Mon Sep 25 12:12:20 2017 @@ -0,0 +1 @@ +f625588340dffda99efe658df9b400b652cec39f *httpd-2.4.28-deps.tar.gz Added: dev/httpd/httpd-2.4.28-deps.tar.gz.sha256 ============================================================================== --- dev/httpd/httpd-2.4.28-deps.tar.gz.sha256 (added) +++ dev/httpd/httpd-2.4.28-deps.tar.gz.sha256 Mon Sep 25 12:12:20 2017 
@@ -0,0 +1 @@ +00f27c44550fe7b518ed735bc6c74f4b6027b86e0b3fa87487f162676ff44ea1 *httpd-2.4.28-deps.tar.gz Added: dev/httpd/httpd-2.4.28.tar.bz2 ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.28.tar.bz2 ------------------------------------------------------------------------------ svn:mime-type = application/x-bzip2 Added: dev/httpd/httpd-2.4.28.tar.bz2.asc ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.28.tar.bz2.asc ------------------------------------------------------------------------------ svn:mime-type = application/pgp-signature Added: dev/httpd/httpd-2.4.28.tar.bz2.md5 ============================================================================== --- dev/httpd/httpd-2.4.28.tar.bz2.md5 (added) +++ dev/httpd/httpd-2.4.28.tar.bz2.md5 Mon Sep 25 12:12:20 2017 @@ -0,0 +1 @@ +49007ffe8e37a0834255b279810edf24 *httpd-2.4.28.tar.bz2 Added: dev/httpd/httpd-2.4.28.tar.bz2.sha1 ============================================================================== --- dev/httpd/httpd-2.4.28.tar.bz2.sha1 (added) +++ dev/httpd/httpd-2.4.28.tar.bz2.sha1 Mon Sep 25 12:12:20 2017 @@ -0,0 +1 @@ +0b37522b808dcee72e1d56d656b0def530b820a2 *httpd-2.4.28.tar.bz2 Added: dev/httpd/httpd-2.4.28.tar.bz2.sha256 ============================================================================== --- dev/httpd/httpd-2.4.28.tar.bz2.sha256 (added) +++ dev/httpd/httpd-2.4.28.tar.bz2.sha256 Mon Sep 25 12:12:20 2017 
@@ -0,0 +1 @@ +c1197a3a62a4ab5c584ab89b249af38cf28b4adee9c0106b62999fd29f920666 *httpd-2.4.28.tar.bz2 Added: dev/httpd/httpd-2.4.28.tar.gz ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.28.tar.gz ------------------------------------------------------------------------------ svn:mime-type = application/x-gzip Added: dev/httpd/httpd-2.4.28.tar.gz.asc ============================================================================== Binary file - no diff available. Propchange: dev/httpd/httpd-2.4.28.tar.gz.asc ------------------------------------------------------------------------------ svn:mime-type = application/pgp-signature Added: dev/httpd/httpd-2.4.28.tar.gz.md5 ============================================================================== --- dev/httpd/httpd-2.4.28.tar.gz.md5 (added) +++ dev/httpd/httpd-2.4.28.tar.gz.md5 Mon Sep 25 12:12:20 2017 @@ -0,0 +1 @@ +dcfd6812c8d60f518b27af18f8785d55 *httpd-2.4.28.tar.gz Added: dev/httpd/httpd-2.4.28.tar.gz.sha1 ============================================================================== --- dev/httpd/httpd-2.4.28.tar.gz.sha1 (added) +++ dev/httpd/httpd-2.4.28.tar.gz.sha1 Mon Sep 25 12:12:20 2017 @@ -0,0 +1 @@ +f879973e9e223d1fc67325e10aaec1b4de199075 *httpd-2.4.28.tar.gz Added: dev/httpd/httpd-2.4.28.tar.gz.sha256 ============================================================================== --- dev/httpd/httpd-2.4.28.tar.gz.sha256 (added) +++ dev/httpd/httpd-2.4.28.tar.gz.sha256 Mon Sep 25 12:12:20 2017 @@ -0,0 +1 @@ +8fefbf4f5aa87534a2b924f9a72f572f68c3c60a3a2cfd039bb67e8ccd79386d *httpd-2.4.28.tar.gz
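
Review bot: The release date is still the placeholder "XXXX XX, 2017" in the unchanged context directly under the updated title in Announcement2.4.html (hunk @@ -49,7), and the same placeholder sits under the title in Announcement2.4.txt. Since both files are touched here to bump 2.4.27 to 2.4.28, it would be worth tracking the date as an open item so the announcement is not published with the placeholder in it.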
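
Review bot: The new heading in Announcement2.4.txt (hunk @@ -24,19) reads "Of particular note in this release is 1 SECURITY :" with the noun missing and a stray space before the colon, while the HTML hunk has "is 1 SECURITY item:". Suggest making the text version match. In the same item, the sentence as displayed in this mail starts "must now be used in the main configuration file" with no subject, whereas the HTML hunk names <Limit[Except]>; please confirm the committed .txt file (and the identical sentence in the CHANGES_2.4 and CHANGES_2.4.28 hunks) carries the literal directive name, because without it an administrator cannot tell which directive the fix affects.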
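
Review bot: The CVE-2017-9798 entry at the top of the new "Changes with Apache 2.4.28" block in CHANGES_2.4 is tagged only SECURITY, yet its text states a configuration requirement ("must now be used in the main configuration file (httpd.conf) to register HTTP methods before the .htaccess files"). The announcement hunks in this commit replace the COMPATIBILITY list with the single SECURITY item, so an administrator whose .htaccess files refer to methods not registered in httpd.conf gets no compatibility heading to alert them. Suggest either adding a COMPATIBILITY entry or saying in this entry what happens to such .htaccess files after the upgrade.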
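
Review bot: In the added CHANGES_2.4.28 (and the matching lines of the CHANGES_2.4 hunk) the mod_watchdog/mod_proxy_hcheck entry has the typo "spefified", which should read "specified". The mod_proxy_wstunnel entry "Allow upgrade to any protocol dynamically. PR 61142." is also the only entry in the block without a bracketed author credit. Separately, the htdigest entry describes a buffer overflow but carries no SECURITY tag; if that is deliberate, a few words on why it is not treated as a vulnerability would save readers from guessing.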
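
Review bot: The .md5 and .sha1 files added for each of the four tarballs give a downloader nothing to rely on against tampering, since practical collision attacks exist for both MD5 and SHA-1, and every digest file here lives in the same dev/httpd/ directory as the tarball it describes, so whoever can replace one can replace the other. Only the .asc signatures (shown as "Binary file - no diff available") tie the artifacts to a release key. Suggest that the announcement point users to the .asc signature and the .sha256 file for verification, and that the .md5 and .sha1 files either be dropped or be described as transfer-error checks only.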