[Discuss] Rolling a 'final' 2.2.33 release

[William A Rowe Jr <wr...@rowe-clan.net>]

Per to our discussion last year, this EOL is here. That discussion
resulted in the following Announcement statement;

   We consider the Apache HTTP Server 2.4 release to be the best version
   of Apache available, and encourage users of 2.2 and all prior versions
   to upgrade. This 2.2 maintenance release is offered for those unable
   to upgrade at this time.

   Please note that Apache Web Server Project will only provide maintenance
   releases of the 2.2.x flavor through June of 2017, and will provide some
   security patches beyond this date through at least December of 2017.
   Minimal maintenance patches of 2.2.x are expected throughout this period,
   and users are strongly encouraged to promptly complete their transitions
   to the the 2.4.x flavor of httpd to benefit from a much larger assortment
   of minor security and bug fixes as well as new features.

If we incorporate apr[-util] 1.6, that would remove expat from this
final 2.2 release. If we do this, we need to backport various build
logic charges, backporting those changes for all build schemas.
I believe Windows and Netware have unified expat builds, and
the httpd-level solution files would need to be regenerated to
consume externally built expat (as apr-util already does); going
that far, it likely makes sense to incorporate externally build pcre.

The alternative I prefer is to roll with the final apr[-util] 1.5 releases
as the 2.2.32 tarball had, and include the same warning as given
in the 2.2 release announcement;

   This release includes the Apache Portable Runtime (APR) version 1.5.2
   and APR Utility Library (APR-util) version 1.5.4, bundled with the tar
   and zip distributions. The APR libraries libapr and libaprutil (and
   on Win32, libapriconv version 1.2.1) must all be updated to ensure
   binary compatibility and address many known security and platform bugs.
   APR version 1.5 and APR-util version 1.5 represent minor version upgrades
   from earlier httpd 2.2 source distributions.

   Note this package also includes very stale and known-vulnerable versions
   of the Expat [http://expat.sourceforge.net/] and PCRE [http://www.pcre.org/]
   packages. Users are strongly encouraged to first install the most recent
   versions of these components (of PCRE 8.x, not PCRE2 10.x at this time.)

Thoughts/comments? Patches to hold for before we roll? If I don't hear
otherwise, and we stick to the simpler alternative, then I'd plan to roll
these candidates Thursday.

Re: [Discuss] Rolling a 'final' 2.2.33 release

[William A Rowe Jr <wr...@rowe-clan.net>]

That would have been a good fix to include, but the release has been
tagged. If it is voted down on some other defects and we roll 2.2.34, I
would concur. But there is no defined single char header, and x- headers
are always 3+ chars by definition. So I don't look at this one as a
showstopper.

From here on out, all defect fixes will be up to the end user to patch, I'm
most concerned about getting a release with the full assortment of security
fixes into users's hands reminding them the branch is EOL now, as we close
the 2.2 chapter.

On Jun 25, 2017 4:56 PM, "Mark Blackman" <ma...@exonetric.com> wrote:

>
> On 14 Jun 2017, at 22:12, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
>
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.
>
>
> Would it be an option to get a fix in for the single-character header bug?
> ( https://bz.apache.org/bugzilla/show_bug.cgi?id=61220 )
>
> If you add
>
> HttpProtocolOptions Unsafe LenientMethods Allow0.9
>
> to a default httpd.conf
>
> single character header lines are rejected with a 400 code.
>
> macmini:httpd-2.2.33 mark$ telnet localhost 8033
> Trying ::1...
> Connected to localhost.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: foobar
> x: 0
>
> HTTP/1.1 400 Bad Request
> Date: Sun, 25 Jun 2017 21:43:53 GMT
> Server: Apache/2.2.33 (Unix)
> Content-Length: 226
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>400 Bad Request</title>
> </head><body>
> <h1>Bad Request</h1>
> <p>Your browser sent a request that this server could not understand.<br />
> </p>
> </body></html>
> Connection closed by foreign host.
>
>

Re: [Discuss] Rolling a 'final' 2.2.33 release

[Mark Blackman <ma...@exonetric.com>]

> On 14 Jun 2017, at 22:12, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> 
> 
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.

Would it be an option to get a fix in for the single-character header bug? ( https://bz.apache.org/bugzilla/show_bug.cgi?id=61220 <https://bz.apache.org/bugzilla/show_bug.cgi?id=61220> ) 

If you add

HttpProtocolOptions Unsafe LenientMethods Allow0.9

to a default httpd.conf

single character header lines are rejected with a 400 code.

macmini:httpd-2.2.33 mark$ telnet localhost 8033
Trying ::1...
Connected to localhost.
Escape character is '^]'.
GET / HTTP/1.1
Host: foobar
x: 0

HTTP/1.1 400 Bad Request
Date: Sun, 25 Jun 2017 21:43:53 GMT
Server: Apache/2.2.33 (Unix)
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
</body></html>
Connection closed by foreign host.

Re: [Discuss] Rolling a 'final' 2.2.33 release

[Ruediger Pluem <rp...@apache.org>]

On 06/15/2017 04:49 PM, Eric Covener wrote:
> On Thu, Jun 15, 2017 at 10:18 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>>> Thoughts/comments? Patches to hold for before we roll? If I don't hear
>>>> otherwise, and we stick to the simpler alternative, then I'd plan to roll
>>>> these candidates Thursday.
> 
> One more w/ bundled deps sounds OK.
> 

+1 to the simpler alternative.

Regards

Rüdiger

Re: [Discuss] Rolling a 'final' 2.2.33 release

[Eric Covener <co...@gmail.com>]

On Thu, Jun 15, 2017 at 10:18 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>> Thoughts/comments? Patches to hold for before we roll? If I don't hear
>>> otherwise, and we stick to the simpler alternative, then I'd plan to roll
>>> these candidates Thursday.

One more w/ bundled deps sounds OK.

Re: [Discuss] Rolling a 'final' 2.2.33 release

[William A Rowe Jr <wr...@rowe-clan.net>]

On Thu, Jun 15, 2017 at 2:47 AM, Yann Ylavic <yl...@gmail.com> wrote:
> On Wed, Jun 14, 2017 at 11:12 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>>
>> Thoughts/comments? Patches to hold for before we roll? If I don't hear
>> otherwise, and we stick to the simpler alternative, then I'd plan to roll
>> these candidates Thursday.
>
> Three patches (missing a single vote) in STATUS already, +1 with them in.

Just finished reviewing, so everything in there is cleared for backport.

Re: [Discuss] Rolling a 'final' 2.2.33 release

[Yann Ylavic <yl...@gmail.com>]

On Wed, Jun 14, 2017 at 11:12 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
> The alternative I prefer is to roll with the final apr[-util] 1.5 releases
> as the 2.2.32 tarball had, and include the same warning as given
> in the 2.2 release announcement;

+1

>
> Thoughts/comments? Patches to hold for before we roll? If I don't hear
> otherwise, and we stick to the simpler alternative, then I'd plan to roll
> these candidates Thursday.

Three patches (missing a single vote) in STATUS already, +1 with them in.

Thanks Bill to take care of the old lady :)

Re: [Discuss] Rolling a 'final' 2.2.33 release

[William A Rowe Jr <wr...@rowe-clan.net>]

On Wed, Jun 14, 2017 at 4:12 PM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
>    Please note that Apache Web Server Project will only provide maintenance
>    releases of the 2.2.x flavor through June of 2017, and will provide some
>    security patches beyond this date through at least December of 2017.
>    Minimal maintenance patches of 2.2.x are expected throughout this period,
>    and users are strongly encouraged to promptly complete their transitions
>    to the the 2.4.x flavor of httpd to benefit from a much larger assortment
>    of minor security and bug fixes as well as new features.

Just FYI, we've just about reached the 50% inflection point
I anticipated, it likely happens around the end of July;

https://w3techs.com/technologies/history_details/ws-apache/2

Now this might suggest that continuing to release 2.2 is important,
but that would be a misunderstanding of what "apache 2.2" means;

https://w3techs.com/technologies/details/ws-apache/2.2/all

As the list illustrates, 5 months later, only 2.5% of the 2.2 sites (~0.6%
or so of the total apache sites) had updated to 2.2.32 released in Jan.

Given the text above, this shouldn't come as a surprise, since users
likely adopted 2.4 rather than updating to another 2.2 release.

The majority of these 2.2 sites simply won't be updating their version
of httpd 2.2 again until their entire site is redeployed to a new server.
You can contrast this to the behavior of 2.4 administrators;

https://w3techs.com/technologies/details/ws-apache/2.4/all

Here, over 25% of 2.4 sites adopted 2.4.25 during the same time period.

Publishing security patches will help different vendors coordinate the
patches used to correct legacy releases they support, but will likely
not have a great impact on the typical httpd user, directly. We are
facing diminishing odds of users installing a 2.2 maintenance release
or patch from sources.