Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2020/11/05 16:39:47 UTC

[VOTE] Release libapreq2-2.15

Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:

https://dist.apache.org/repos/dist/dev/httpd/libapreq/

This release is mainly to address a security issue in libapreq2 which 
has been outstanding for over a year, CVE-2019-12412.

I would like to call a VOTE over the next few days to release this
candidate tarball as v2.15:

[ ] +1: It's not just good, it's good enough!
[ ] +0: Let's have a talk.
[ ] -1: There's trouble in paradise. Here's what's wrong.

SHA1/256/512 checksums for the tarball are as follows:

2b1a99d9dec34b4e23dc5c63b4f232199f01bb3d  libapreq2-2.15.tar.gz
4a48afcd88902b5c5039a3992382c448de0108664ddd046f45399709f9c4f494  libapreq2-2.15.tar.gz
abdc34f4867ba891966e7296c8110cffaa723f9b966522a1de352bc459e89e5cfc60de25dcd20cf0fa9b7cdf9282719b0276b621af8aa7bb770c89a7fbae4701  libapreq2-2.15.tar.gz

The release is prepared from: 
https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.15 at r1883146

Regards, Joe
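The checksum listing above is the artefact a voter actually verifies: one `<hexdigest>  <filename>` line per algorithm, with the algorithm only implied by the digest length. The following is an added example, not code from the libapreq2 project or this thread, showing how to parse that listing and compare each line against a freshly computed digest, treating an unrecognised digest length as a failure rather than skipping it. All sample data in it is constructed; the function names and the stand-in file name are assumptions for the example.

```python
import hashlib
import re

# Map hex-digest length to algorithm. This mirrors the listing in the vote
# mail, whose three lines are labelled only "SHA1/256/512".
_ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}

# "<hexdigest>  <filename>", optionally with the GNU coreutils "*" binary marker.
_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(\S.*)$")


def parse_checksum_lines(text):
    """Parse listing lines into (algorithm, hexdigest, filename) tuples.

    A line that does not fit the format, or whose digest length matches no
    known algorithm, is returned with algorithm None so the caller can flag
    it instead of silently ignoring it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if not m:
            entries.append((None, None, line))
            continue
        hexdigest, filename = m.group(1).lower(), m.group(2).strip()
        entries.append((_ALGO_BY_HEX_LEN.get(len(hexdigest)), hexdigest, filename))
    return entries


def digest_bytes(data, algorithm):
    """Hex digest of in-memory bytes (a real tarball would be read in chunks)."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_checksums(data, filename, text):
    """Return {algorithm: matched} for every listed line naming `filename`.

    Any malformed line maps to False under the key "unknown", so a damaged
    or truncated listing can never verify as clean.
    """
    results = {}
    for algorithm, hexdigest, name in parse_checksum_lines(text):
        if algorithm is None:
            results["unknown"] = False
            continue
        if name != filename:
            continue
        results[algorithm] = digest_bytes(data, algorithm) == hexdigest
    return results


def checksum_lines(data, filename):
    """Produce a listing in the same three-line format for a given payload."""
    return "\n".join(
        f"{digest_bytes(data, algo)}  {filename}"
        for algo in ("sha1", "sha256", "sha512")
    )


# Constructed sample: a stand-in payload and name, not the real release tarball.
SAMPLE_NAME = "example-release.tar.gz"
SAMPLE_DATA = b"constructed tarball stand-in for the checksum example\n"
SAMPLE_LISTING = checksum_lines(SAMPLE_DATA, SAMPLE_NAME)

if __name__ == "__main__":
    print(SAMPLE_LISTING)
    print(verify_checksums(SAMPLE_DATA, SAMPLE_NAME, SAMPLE_LISTING))
    # One flipped byte fails every algorithm.
    print(verify_checksums(SAMPLE_DATA + b"x", SAMPLE_NAME, SAMPLE_LISTING))
```

Inferring the algorithm from digest length is exactly what a reader of the mail does by eye; the check refuses to pass a listing with a line it cannot classify, which is the safer default when the listing itself travelled over the same channel as the tarball.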


Re: [VOTE] Release libapreq2-2.15

Posted by Yann Ylavic <yl...@gmail.com>.
[X] +1: It's not just good, it's good enough!

All tests pass here.

Thanks Joe for RMing!


Regards;
Yann.

Re: [VOTE] Release libapreq2-2.15

Posted by Ruediger Pluem <rp...@apache.org>.

On 11/5/20 5:39 PM, Joe Orton wrote:
> Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:
> 
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
> 
> This release is mainly to address a security issue in libapreq2 which 
> has been outstanding for over a year, CVE-2019-12412.
> 
> I would like to call a VOTE over the next few days to release this
> candidate tarball as v2.15:
> 
> [X] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
> 
> SHA1/256/512 checksum for the tarball are as follows:
> 
> 2b1a99d9dec34b4e23dc5c63b4f232199f01bb3d  libapreq2-2.15.tar.gz
> 4a48afcd88902b5c5039a3992382c448de0108664ddd046f45399709f9c4f494  libapreq2-2.15.tar.gz
> abdc34f4867ba891966e7296c8110cffaa723f9b966522a1de352bc459e89e5cfc60de25dcd20cf0fa9b7cdf9282719b0276b621af8aa7bb770c89a7fbae4701  libapreq2-2.15.tar.gz
> 
> The release is prepared from: 
> https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.15 at r1883146
> 

Regards

Rüdiger

Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15

Posted by Christophe JAILLET <ch...@wanadoo.fr>.
Le 08/03/2021 à 18:00, Ruediger Pluem a écrit :
> 
> 
> On 3/8/21 5:40 PM, Steve Hay wrote:
>> On Tue, 23 Feb 2021 at 10:20, Joe Orton <jo...@redhat.com> wrote:
>>>
>>> On Mon, Feb 22, 2021 at 03:57:25PM +0000, Steve Hay wrote:
>>>> On Fri, 13 Nov 2020 at 16:43, Joe Orton <jo...@redhat.com> wrote:
>>>>>
>>>>> Thanks all for testing, the vote has passed:
>>>>>
>>>>> PMC votes +1: ylavic, rpluem, covener
>>>>> Community +1: stevehay
>>>>>
>>>>> (Steve, looks like we need to get you on the httpd PMC!)
>>>>>
>>>>> and no -1 votes.
>>>>>
>>>>> I'll promote the release & prep the announcement mail.
>>>>>
>>>>
>>>> I think these releases normally go to Perl's CPAN as well (it is item
>>>> 12 in build/RELEASE), but I don't see 2.15 here:
>>>> https://metacpan.org/release/libapreq2
>>>>
>>>> Do you have perms to upload there? If not then I don't mind trying to
>>>> see if I can do it. (I've done mod_perl releases before, so it might
>>>> work ;-))
>>>
> 
>> The simplest way for us to fix this is to release a 2.16 with a
>> corrected META.yml. I've just committed rev. 1887336 to fix the
>> generation of the META.yml file for our next release.
>>
> 
> 
> I would be willing to vote again with a +1 if Joe is willing to roll 2.16 with just that change over 2.15.
> 
> Regards
> 
> Rüdiger
> 
> 
> 
Hi,

should a new release be done quickly, BZ 56598 and maybe BZ 52370 should 
be looked at.

They look like easy-to-check-and-test patches.
I've not svn'ed this repo so far, and I won't be able to do so in the near 
future.


Just my 2c
CJ

Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15

Posted by Yann Ylavic <yl...@gmail.com>.
On Mon, Mar 8, 2021 at 6:00 PM Ruediger Pluem <rp...@apache.org> wrote:
>
> I would be willing to vote again with a +1 if Joe is willing to roll 2.16 with just that change over 2.15.

+1

Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15

Posted by Ruediger Pluem <rp...@apache.org>.

On 3/8/21 5:40 PM, Steve Hay wrote:
> On Tue, 23 Feb 2021 at 10:20, Joe Orton <jo...@redhat.com> wrote:
>>
>> On Mon, Feb 22, 2021 at 03:57:25PM +0000, Steve Hay wrote:
>>> On Fri, 13 Nov 2020 at 16:43, Joe Orton <jo...@redhat.com> wrote:
>>>>
>>>> Thanks all for testing, the vote has passed:
>>>>
>>>> PMC votes +1: ylavic, rpluem, covener
>>>> Community +1: stevehay
>>>>
>>>> (Steve, looks like we need to get you on the httpd PMC!)
>>>>
>>>> and no -1 votes.
>>>>
>>>> I'll promote the release & prep the announcement mail.
>>>>
>>>
>>> I think these releases normally go to Perl's CPAN as well (it is item
>>> 12 in build/RELEASE), but I don't see 2.15 here:
>>> https://metacpan.org/release/libapreq2
>>>
>>> Do you have perms to upload there? If not then I don't mind trying to
>>> see if I can do it. (I've done mod_perl releases before, so it might
>>> work ;-))
>>

> The simplest way for us to fix this is to release a 2.16 with a
> corrected META.yml. I've just committed rev. 1887336 to fix the
> generation of the META.yml file for our next release.
> 


I would be willing to vote again with a +1 if Joe is willing to roll 2.16 with just that change over 2.15.

Regards

Rüdiger



Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15

Posted by Steve Hay <st...@googlemail.com>.
On Tue, 23 Feb 2021 at 10:20, Joe Orton <jo...@redhat.com> wrote:
>
> On Mon, Feb 22, 2021 at 03:57:25PM +0000, Steve Hay wrote:
> > On Fri, 13 Nov 2020 at 16:43, Joe Orton <jo...@redhat.com> wrote:
> > >
> > > Thanks all for testing, the vote has passed:
> > >
> > > PMC votes +1: ylavic, rpluem, covener
> > > Community +1: stevehay
> > >
> > > (Steve, looks like we need to get you on the httpd PMC!)
> > >
> > > and no -1 votes.
> > >
> > > I'll promote the release & prep the announcement mail.
> > >
> >
> > I think these releases normally go to Perl's CPAN as well (it is item
> > 12 in build/RELEASE), but I don't see 2.15 here:
> > https://metacpan.org/release/libapreq2
> >
> > Do you have perms to upload there? If not then I don't mind trying to
> > see if I can do it. (I've done mod_perl releases before, so it might
> > work ;-))
>
> I have never submitted anything to CPAN before, so if you are set up to
> do it, that'd be great, please go ahead!
>

Apologies for the delay in getting back to you on this. I uploaded the
file but there have been problems getting it correctly indexed -
partly due to me initially not having the required permissions (now
resolved by the CPAN admins), but also partly due to a weakness in our
META.yml file.

The distro is now on MetaCPAN, but as you can see here many modules
are listed as UNAUTHORIZED: https://metacpan.org/release/libapreq2

The problem is that our META.yml file fails to include the "file"
attribute for each item in the "provides" list. The "file" attribute
is now a *required* attribute -- see
https://metacpan.org/pod/CPAN::Meta::Spec#file1

The file is therefore regarded as invalid and MetaCPAN constructs its
own file instead, but includes every file within the distro, many of
which are not candidates for indexing and it all goes wrong...

The simplest way for us to fix this is to release a 2.16 with a
corrected META.yml. I've just committed rev. 1887336 to fix the
generation of the META.yml file for our next release.

Is there any appetite for a quick release of 2.16 to resolve this
indexing issue?

If not then we can leave it until whenever we next naturally make a
release, and in the meantime it may be possible for the CPAN admins to
fix up the indexing temporarily, but I think it's more trouble for
them than a quick release would be for us.
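The failure mode described in the message above is a `provides` entry in META.yml without the required `file` attribute, which makes the indexer discard the whole file and guess its own. The following is an added example, not the libapreq2 project's META.yml generator or any CPAN tooling, that parses the small indentation-based YAML subset such a `provides` block uses (nested mappings of scalars, no PyYAML needed) and reports every package whose entry lacks `file`. The sample META.yml content, package names and paths are constructed for the example.

```python
def parse_simple_yaml(text):
    """Parse nested mappings of scalar values from an indentation-based layout.

    Supported: 'key: value' lines and 'key:' lines that open a child mapping.
    Package names such as 'APR::Request' contain '::' but never ': ', so the
    key/value split is on the first ': ' (or a trailing ':').
    """
    root = {}
    stack = [(-1, root)]  # (indent, open mapping), innermost on top
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped in ("---", "..."):
            continue
        indent = len(raw) - len(raw.lstrip())
        if stripped.endswith(":"):
            key, value = stripped[:-1], ""
        else:
            key, sep, value = stripped.partition(": ")
            if not sep:
                raise ValueError(f"unsupported line: {raw!r}")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("'\"")
    return root


def provides_problems(meta):
    """Return {package: reason} for 'provides' entries that would index badly.

    A missing or empty 'file' is the defect the message identifies; an entry
    that is not a mapping at all is reported too, since it cannot carry one.
    """
    problems = {}
    provides = meta.get("provides", {})
    if not isinstance(provides, dict):
        return {"provides": "not a mapping"}
    for package, info in provides.items():
        if not isinstance(info, dict):
            problems[package] = "entry is not a mapping"
        elif not info.get("file"):
            problems[package] = "missing required 'file' attribute"
    return problems


# Constructed META.yml fragment: one entry deliberately omits 'file'.
SAMPLE_META_YML = """\
---
name: libapreq2
version: 2.15
provides:
  APR::Request:
    file: lib/APR/Request.pm
    version: 2.15
  APR::Request::Param:
    version: 2.15
  APR::Request::CGI:
    file: lib/APR/Request/CGI.pm
    version: 2.15
"""

if __name__ == "__main__":
    meta = parse_simple_yaml(SAMPLE_META_YML)
    for package, reason in sorted(provides_problems(meta).items()):
        print(f"{package}: {reason}")
```

Running this kind of check on the generated META.yml before uploading is the cheap way to catch the problem locally; once the indexer has fallen back to its own file list, the UNAUTHORIZED markers can only be cleared on the CPAN side or by a fresh release.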

Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15

Posted by Joe Orton <jo...@redhat.com>.
On Mon, Feb 22, 2021 at 03:57:25PM +0000, Steve Hay wrote:
> On Fri, 13 Nov 2020 at 16:43, Joe Orton <jo...@redhat.com> wrote:
> >
> > Thanks all for testing, the vote has passed:
> >
> > PMC votes +1: ylavic, rpluem, covener
> > Community +1: stevehay
> >
> > (Steve, looks like we need to get you on the httpd PMC!)
> >
> > and no -1 votes.
> >
> > I'll promote the release & prep the announcement mail.
> >
> 
> I think these releases normally go to Perl's CPAN as well (it is item
> 12 in build/RELEASE), but I don't see 2.15 here:
> https://metacpan.org/release/libapreq2
> 
> Do you have perms to upload there? If not then I don't mind trying to
> see if I can do it. (I've done mod_perl releases before, so it might
> work ;-))

I have never submitted anything to CPAN before, so if you are set up to 
do it, that'd be great, please go ahead!

Regards, Joe


Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15

Posted by Steve Hay <st...@googlemail.com>.
On Fri, 13 Nov 2020 at 16:43, Joe Orton <jo...@redhat.com> wrote:
>
> Thanks all for testing, the vote has passed:
>
> PMC votes +1: ylavic, rpluem, covener
> Community +1: stevehay
>
> (Steve, looks like we need to get you on the httpd PMC!)
>
> and no -1 votes.
>
> I'll promote the release & prep the announcement mail.
>

I think these releases normally go to Perl's CPAN as well (it is item
12 in build/RELEASE), but I don't see 2.15 here:
https://metacpan.org/release/libapreq2

Do you have perms to upload there? If not then I don't mind trying to
see if I can do it. (I've done mod_perl releases before, so it might
work ;-))

Re: [RESULT: PASS] Re: [VOTE] Release libapreq2-2.15

Posted by Ruediger Pluem <rp...@apache.org>.

On 11/13/20 5:43 PM, Joe Orton wrote:
> Thanks all for testing, the vote has passed:
> 
> PMC votes +1: ylavic, rpluem, covener
> Community +1: stevehay
> 
> (Steve, looks like we need to get you on the httpd PMC!)
> 
> and no -1 votes.
> 
> I'll promote the release & prep the announcement mail.

Thanks for RMing, moving this forward and getting the long-standing CVE fixed.

Regards

Rüdiger


[RESULT: PASS] Re: [VOTE] Release libapreq2-2.15

Posted by Joe Orton <jo...@redhat.com>.
Thanks all for testing, the vote has passed:

PMC votes +1: ylavic, rpluem, covener
Community +1: stevehay

(Steve, looks like we need to get you on the httpd PMC!)

and no -1 votes.

I'll promote the release & prep the announcement mail.

Regards, Joe


Re: [VOTE] Release libapreq2-2.15

Posted by Steve Hay <st...@googlemail.com>.
On Thu, 5 Nov 2020 at 16:39, Joe Orton <jo...@redhat.com> wrote:
>
> Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:
>
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
>
> This release is mainly to address a security issue in libapreq2 which
> has been outstanding for over a year, CVE-2019-12412.
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as v2.15:
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>

+1 I think. At least it has the Win32 build fixes that have been
unreleased for ages, so thanks for making this release.

I am getting a test failure (Windows 10, VS2019 v16.7.3, httpd 2.4.41,
perl 5.30.1), but this was happening with the unreleased "2.14" that
I've been using recently anyway. Verbose output:

D:\Dev\Temp\libapreq2-2.15\glue\perl>perl.exe -Iblib\arch -Iblib\lib
t\TEST -verbose=1 t\apreq\cgi.t
[...]
t\apreq\cgi.t ..
# writing file: D:\Dev\Temp\libapreq2-2.15\glue\perl\t\cgi-bin\test_cgi.pl
1..71
# Running under perl version 5.030001 for MSWin32
# Current time local: Fri Nov  6 17:19:49 2020
# Current time GMT:   Fri Nov  6 17:19:49 2020
# Using Test.pm version 1.31
# Using Apache/Test.pm version 1.42
[...]
ok 31
Odd number of elements in hash assignment at t\apreq\cgi.t line 197.
# removing file: D:\Dev\Temp\libapreq2-2.15\glue\perl\t\cgi-bin\test_cgi.pl
# removing dir tree: D:\Dev\Temp\libapreq2-2.15\glue\perl\t\cgi-bin
Dubious, test returned 9 (wstat 2304, 0x900)
Failed 40/71 subtests

I get this in the error_log:

[Fri Nov 06 17:19:56.558841 2020] [cgi:error] [pid 24136:tid 1104]
[client 10.93.12.29:54076] End of script output before headers:
test_cgi.pl
[Fri Nov 06 17:19:56.558841 2020] [cgi:error] [pid 24136:tid 1104]
[client 10.93.12.29:54076] AH01215: test_cgi.pl(20): Creating
APR::Request::CGI object\r:
D:/Dev/Temp/libapreq2-2.15/glue/perl/t/cgi-bin/test_cgi.pl
[Fri Nov 06 17:19:56.558841 2020] [cgi:error] [pid 24136:tid 1104]
[client 10.93.12.29:54076] AH01215: $param->upload_tempname($req):
can't make spool bucket at
D:\\Dev\\Temp\\libapreq2-2.15\\glue\\perl\\blib\\lib/APR/Request/Param.pm
line 37.\r: D:/Dev/Temp/libapreq2-2.15/glue/perl/t/cgi-bin/test_cgi.pl
[Fri Nov 06 17:19:56.559839 2020] [http:trace3] [pid 24136:tid 1104]
http_filters.c(1125): [client 10.93.12.29:54076] Response sent with
status 500, headers:

Don't let this hold up the release since it isn't a new problem.

Re: [VOTE] Release libapreq2-2.15

Posted by Eric Covener <co...@gmail.com>.
On Thu, Nov 5, 2020 at 11:40 AM Joe Orton <jo...@redhat.com> wrote:
>
> Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:
>
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
>
> This release is mainly to address a security issue in libapreq2 which
> has been outstanding for over a year, CVE-2019-12412.
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as v2.15:
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> SHA1/256/512 checksum for the tarball are as follows:
>
> 2b1a99d9dec34b4e23dc5c63b4f232199f01bb3d  libapreq2-2.15.tar.gz
> 4a48afcd88902b5c5039a3992382c448de0108664ddd046f45399709f9c4f494  libapreq2-2.15.tar.gz
> abdc34f4867ba891966e7296c8110cffaa723f9b966522a1de352bc459e89e5cfc60de25dcd20cf0fa9b7cdf9282719b0276b621af8aa7bb770c89a7fbae4701  libapreq2-2.15.tar.gz
>
> The release is prepared from:
> https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.15 at r1883146
>
> Regards, Joe


+1 based on diff to 2.13

Re: [VOTE] Release libapreq2-2.15

Posted by Fossies Administrator <Je...@fossies.org>.
Hi Joe,

> Hi, I've prepared a candidate release tarball for libapreq2 v2.15 here:
>
> https://dist.apache.org/repos/dist/dev/httpd/libapreq/
>
> This release is mainly to address a security issue in libapreq2 which
> has been outstanding for over a year, CVE-2019-12412.
>
> I would like to call a VOTE over the next few days to release this
> candidate tarball as v2.15:
>
> [ ] +1: It's not just good, it's good enough!
> [ ] +0: Let's have a talk.
> [ ] -1: There's trouble in paradise. Here's what's wrong.
>
> SHA1/256/512 checksum for the tarball are as follows:
>
> 2b1a99d9dec34b4e23dc5c63b4f232199f01bb3d  libapreq2-2.15.tar.gz
> 4a48afcd88902b5c5039a3992382c448de0108664ddd046f45399709f9c4f494  libapreq2-2.15.tar.gz
> abdc34f4867ba891966e7296c8110cffaa723f9b966522a1de352bc459e89e5cfc60de25dcd20cf0fa9b7cdf9282719b0276b621af8aa7bb770c89a7fbae4701  libapreq2-2.15.tar.gz
>
> The release is prepared from:
> https://svn.apache.org/repos/asf/httpd/apreq/branches/v2.15 at r1883146
>
> Regards, Joe

Sorry, not a vote but just a small information:

Similar to the httpd project itself
(see https://bz.apache.org/bugzilla/show_bug.cgi?id=63923)
I have now also generated a codespell report on the FOSS server fossies.org 
for the libapreq2-2.15.tar.gz tarball:

  https://fossies.org/linux/test/libapreq2/codespell.html

That version-independent URL should be available at least for some days 
and should always redirect to the latest report (if available), so currently to

  https://fossies.org/linux/test/libapreq2-2.15.tar.gz/codespell.html

By the way, the special "test" folder used here isn't really integrated into 
the standard Fossies services and should not be accessible to search 
engines either.

Although the correction of misspellings and typos probably does not have top 
priority, I hope that the report can nevertheless be a little bit useful.

Regards

Jens

-- 
FOSSIES - The Fresh Open Source Software archive
mainly for Internet, Engineering and Science
https://fossies.org/