httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: [VOTE] Release Apache httpd 2.4.8 as GA
Date Wed, 12 Mar 2014 18:03:01 GMT
On 12.03.2014 18:39, William A. Rowe Jr. wrote:
> On Wed, 12 Mar 2014 00:30:57 +0000
> Dr Stephen Henson <shenson@opensslfoundation.com> wrote:
> 
>> On 11/03/2014 21:46, Gregg Smith wrote:
>>> On 3/11/2014 1:29 PM, Rainer Jung wrote:
>>>> On 11.03.2014 17:34, Jim Jagielski wrote:
>>>>> The pre-release test tarballs for Apache httpd 2.4.8 can be found
>>>>> at the usual place:
>>>>>
>>>>>     http://httpd.apache.org/dev/dist/
>>>>>
>>>>> I'm calling a VOTE on releasing these as Apache httpd 2.4.8 GA.
>>>>>
>>>>> [ ] +1: Good to go
>>>>> [ ] +0: meh
>>>>> [ ] -1: Danger Will Robinson. And why.
>>>>>
>>>>> Vote will last the normal 72 hrs.
>>>>>
>>>>> NOTE: The *-deps are only there for convenience.
>>>> I get a segfault during startup init on www.apache.org when using
>>>> SSL. This didn't happen for r1570851. Candidate is r1573360.
>>>
>>> I'm seeing this with OpenSSL 0.9.8y on Windows.
>>>
>>
>> Here are some more details of the bug in OpenSSL I *think* triggers
>> this.
>>
>> The function SSL_get_certificate was modified in some versions of
>> OpenSSL to return the certificate the server used instead of the
>> current certificate it had done previously. This was to make OCSP
>> stapling work with multiple configured certificates. Unfortunately a
>> bug in the change mean it would crash if it was called before the
>> server sent the certificate. Later versions of OpenSSL restored the
>> original behaviour unless SSL_get_certificate was called inside the
>> OCSP callback when it would return the certificate actually sent.
>>
>> The fix was applied on Feb 11 2013. That would mean that official
>> releases affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later
>> official release should include the fix but we weren't planning to
>> make any more 0.9.8 official releases though a 0.9.8 snapshot should
>> include the fix.
> 
> Perhaps a typo above?  Or are we looking at several bugs?  Rainer had
> specifically mentioned 1.0.1e as faulting.
> 
> I'm of the same mind as Jim - that a 2.4.9 with some workaround patch
> as described is probably a good idea, but now I'm not clear whether
> the proposed workaround fixes the case you mention with 1.0.1c or also
> the 1.0.1e fault?

I think the problematic code is in 0.9.8y, 1.0.0k, 1.0.1d and 1.0.1e. It
has been fixed in the latest 1.0.0 and 1.0.1 releases and the fix is in
HEAD for 0.9.8 but not released. The problem should not occur with
versions older than the cited ones.

Regards,

Rainer

Mime
View raw message