Posted to users@httpd.apache.org by Jeroen Verhoeckx <j....@protonmail.com.INVALID> on 2022/02/18 18:01:53 UTC

[users@httpd] How to get someone to look at an Apache bug report on Red Hat's Bugzilla?

Hello Apache Administrators,

On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, but no one has responded since then.

It's about this bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=2037967

Does someone have an idea about what I could do next?
Does someone know a place where I can contact RHEL Apache developers/administrators?
Or is there another friendly way to get attention for this bug report?

Yours sincerely,

Jeroen Verhoeckx

--------------------------------------------------------
Support the independent web, use [Firefox](https://www.mozilla.org/en-US/firefox/new/)

RE: [users@httpd] How to get someone to look at an Apache bug report on Red Hat's Bugzilla?

Posted by Marc <Ma...@f1-outsourcing.eu>.
> 
> Since you don't have paid support from RedHat, there is absolutely no
> reason to not install your own version of httpd.
> 

I agree. The days of relying on an LTS distribution are coming to an end. I have the impression that RedHat is not the place to be anymore. Moving packages from the LTS to SCL, now dropping CentOS etc. They seem not to be able to catch up with patching everything. I think the trend will be getting your crucial RPMs directly from the source.

Re: [users@httpd] How to get someone to look at an Apache bug report on Red Hat's Bugzilla?

Posted by Jeroen Verhoeckx <j....@protonmail.com.INVALID>.
@Yehuda Katz: what do you think of my e-mail/comment below?

------- Original Message -------
On Tuesday, March 1st, 2022 at 8:11 PM, Jeroen Verhoeckx <j....@protonmail.com> wrote:

>> Please keep your replies on the mailing list so that everyone can benefit from the discussion.
>
> Oh, sorry, I probably clicked on Reply and not Reply All! Will keep an eye on that in the future!
>
> I'm worried that the version of Apache released by The Apache Software Foundation is less safe because of the warnings on this page of Red Hat: https://access.redhat.com/solutions/445713
>
> "Note that the versions of Apache HTTP Server included in the above products are in most cases vastly different from the upstream community releases of the same version
> This is explained by Red Hat's Security Backporting Policy and is the most common cause of admins/auditors trying to get a newer version of Apache
> For example: EWS 2.1.0 & EAP 6.4.0 include Apache httpd based on upstream v2.2.26; however, they also include multiple CVE security fixes which are not in the original community release of Apache httpd 2.2.266
> Community releases of Apache httpd are NOT supported"
>
> What do you think of this?
>
> - Jeroen

> ------- Original Message -------
> On Tuesday, March 1st, 2022 at 5:27 PM, Yehuda Katz <ye...@ymkatz.net> wrote:
>
>> Please keep your replies on the mailing list so that everyone can benefit from the discussion.
>>
>> What is your "threat model" in which this way is less safe?
>>
>> For example: Are you worried that the packaged version from someone else has been modified with a backdoor? Are you worried that you would not be able to get RPMs for new versions in a timely fashion when a security issue is announced?
>>
>> There are different ways to address different concerns, but if you are more specific, we can make sure you get the best answer.
>>
>> - Y
>>
>> Sent from a device with a very small keyboard and hyperactive autocorrect.
>>
>> On Tue, Mar 1, 2022, 11:18 AM Jeroen Verhoeckx <j....@protonmail.com> wrote:
>>
>>>> Since you don't have paid support from RedHat, there is absolutely no reason to not install your own version of httpd.
>>>
>>> I don't mind doing that but I'm afraid it's less safe?
>>>
>>> Thanks for thinking along!
>>>
>>> Jeroen Verhoeckx
>>>
>>> ------- Original Message -------
>>> On Thursday, February 24th, 2022 at 10:41 PM, Yehuda Katz <ye...@ymkatz.net> wrote:
>>>
>>>> In terms of getting a RedHat engineer, it looks like you have done all you can do. There are RedHat developers on this list and on the RedHat forums and they also look at Bugzilla, so there probably isn't much more you can do.
>>>>
>>>> Since you don't have paid support from RedHat, there is absolutely no reason to not install your own version of httpd.
>>>>
>>>> - Y
>>>>
>>>> On Thu, Feb 24, 2022 at 9:37 AM Jeroen Verhoeckx <j....@protonmail.com> wrote:
>>>>
>>>>> Hello Yehuda,
>>>>>
>>>>> First: sorry for my very late reply!
>>>>>
>>>>>> You mention in the bug report that you are running an old version of HTTPD because you are using the version packaged by RedHat.
>>>>>> Your bug report asks RedHat to backport the specific fixes for your issue.
>>>>>
>>>>> Yes, that's a really good summary of what I try to achieve!
>>>>>
>>>>> About the two options:
>>>>>
>>>>> - I have the 'Red Hat Developer Subscription for Individuals' and thus I'm not entitled to get any official support.
>>>>> - Red Hat strongly discourages the installation of a different version of Apache (https://access.redhat.com/solutions/445713).
>>>>>
>>>>> I asked the same question on Red Hat Community portal (https://access.redhat.com/discussions/6756211) but so far I didn't get any reaction.
>>>>>
>>>>> Does someone know where the Apache developers of Red Hat hang out?
>>>>>
>>>>> Jeroen Verhoeckx
>>>>>
>>>>> ------- Original Message -------
>>>>> On Friday, February 18th, 2022 at 8:38 PM, Yehuda Katz <ye...@ymkatz.net> wrote:
>>>>>
>>>>>> I see two options for you going forward:
>>>>>> 1. Contacting RedHat: You need a subscription to do this. Posting to the upstream HTTPD mailing list probably won't help.
>>>>>>
>>>>>> 2. Use a different package: There are newer rpms available if you don't want to build your own. You can look at rpmfind or build the rpm yourself (https://httpd.apache.org/docs/2.4/platform/rpm.html)
>>>>>>
>>>>>> - Y
>>>>>>
>>>>>> On Fri, Feb 18, 2022 at 1:02 PM Jeroen Verhoeckx <j....@protonmail.com.invalid> wrote:
>>>>>>
>>>>>>> Hello Apache Administrators,
>>>>>>>
>>>>>>> On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, but no one has responded since then.
>>>>>>>
>>>>>>> It's about this bug report:
>>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=2037967
>>>>>>>
>>>>>>> Does someone have an idea about what I could do next?
>>>>>>> Does someone know a place where I can contact RHEL Apache developers/administrators?
>>>>>>> Or is there another friendly way to get attention for this bug report?
>>>>>>>
>>>>>>> Yours sincerely,
>>>>>>>
>>>>>>> Jeroen Verhoeckx

Re: [users@httpd] How to get someone to look at an Apache bug report on Red Hat's Bugzilla?

Posted by Jeroen Verhoeckx <j....@protonmail.com.INVALID>.
> Please keep your replies on the mailing list so that everyone can benefit from the discussion.

Oh, sorry, I probably clicked on Reply and not Reply All! Will keep an eye on that in the future!

I'm worried that the version of Apache released by The Apache Software Foundation is less safe because of the warnings on this page of Red Hat: https://access.redhat.com/solutions/445713

"Note that the versions of Apache HTTP Server included in the above products are in most cases vastly different from the upstream community releases of the same version
This is explained by Red Hat's Security Backporting Policy and is the most common cause of admins/auditors trying to get a newer version of Apache
For example: EWS 2.1.0 & EAP 6.4.0 include Apache httpd based on upstream v2.2.26; however, they also include multiple CVE security fixes which are not in the original community release of Apache httpd 2.2.266
Community releases of Apache httpd are NOT supported"

What do you think of this?

- Jeroen

------- Original Message -------
On Tuesday, March 1st, 2022 at 5:27 PM, Yehuda Katz <ye...@ymkatz.net> wrote:

> Please keep your replies on the mailing list so that everyone can benefit from the discussion.
>
> What is your "threat model" in which this way is less safe?
>
> For example: Are you worried that the packaged version from someone else has been modified with a backdoor? Are you worried that you would not be able to get RPMs for new versions in a timely fashion when a security issue is announced?
>
> There are different ways to address different concerns, but if you are more specific, we can make sure you get the best answer.
>
> - Y
>
> Sent from a device with a very small keyboard and hyperactive autocorrect.
>
> On Tue, Mar 1, 2022, 11:18 AM Jeroen Verhoeckx <j....@protonmail.com> wrote:
>
>>> Since you don't have paid support from RedHat, there is absolutely no reason to not install your own version of httpd.
>>
>> I don't mind doing that but I'm afraid it's less safe?
>>
>> Thanks for thinking along!
>>
>> Jeroen Verhoeckx
>>
>> ------- Original Message -------
>> On Thursday, February 24th, 2022 at 10:41 PM, Yehuda Katz <ye...@ymkatz.net> wrote:
>>
>>> In terms of getting a RedHat engineer, it looks like you have done all you can do. There are RedHat developers on this list and on the RedHat forums and they also look at Bugzilla, so there probably isn't much more you can do.
>>>
>>> Since you don't have paid support from RedHat, there is absolutely no reason to not install your own version of httpd.
>>>
>>> - Y
>>>
>>> On Thu, Feb 24, 2022 at 9:37 AM Jeroen Verhoeckx <j....@protonmail.com> wrote:
>>>
>>>> Hello Yehuda,
>>>>
>>>> First: sorry for my very late reply!
>>>>
>>>>> You mention in the bug report that you are running an old version of HTTPD because you are using the version packaged by RedHat.
>>>>> Your bug report asks RedHat to backport the specific fixes for your issue.
>>>>
>>>> Yes, that's a really good summary of what I try to achieve!
>>>>
>>>> About the two options:
>>>>
>>>> - I have the 'Red Hat Developer Subscription for Individuals' and thus I'm not entitled to get any official support.
>>>> - Red Hat strongly discourages the installation of a different version of Apache (https://access.redhat.com/solutions/445713).
>>>>
>>>> I asked the same question on Red Hat Community portal (https://access.redhat.com/discussions/6756211) but so far I didn't get any reaction.
>>>>
>>>> Does someone know where the Apache developers of Red Hat hang out?
>>>>
>>>> Jeroen Verhoeckx
>>>>
>>>> ------- Original Message -------
>>>> On Friday, February 18th, 2022 at 8:38 PM, Yehuda Katz <ye...@ymkatz.net> wrote:
>>>>
>>>>> I see two options for you going forward:
>>>>> 1. Contacting RedHat: You need a subscription to do this. Posting to the upstream HTTPD mailing list probably won't help.
>>>>>
>>>>> 2. Use a different package: There are newer rpms available if you don't want to build your own. You can look at rpmfind or build the rpm yourself (https://httpd.apache.org/docs/2.4/platform/rpm.html)
>>>>>
>>>>> - Y
>>>>>
>>>>> On Fri, Feb 18, 2022 at 1:02 PM Jeroen Verhoeckx <j....@protonmail.com.invalid> wrote:
>>>>>
>>>>>> Hello Apache Administrators,
>>>>>>
>>>>>> On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, but no one has responded since then.
>>>>>>
>>>>>> It's about this bug report:
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=2037967
>>>>>>
>>>>>> Does someone have an idea about what I could do next?
>>>>>> Does someone know a place where I can contact RHEL Apache developers/administrators?
>>>>>> Or is there another friendly way to get attention for this bug report?
>>>>>>
>>>>>> Yours sincerely,
>>>>>>
>>>>>> Jeroen Verhoeckx
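The Red Hat note quoted above has a concrete consequence for anyone auditing a RHEL host: `httpd -v` keeps reporting the base upstream version (2.4.37 on RHEL 8, for example) while CVE fixes are backported into successive package releases, so a scanner that compares that version string against an advisory's "fixed in" version flags a patched host as vulnerable. The record of what was actually backported is the package changelog (`rpm -q --changelog httpd`), whose entries name the CVE IDs they address. The Python below is an added example for this thread, not code from the list, from Red Hat or from the httpd project; it parses a constructed changelog laid out the way `rpm -q --changelog` prints one (packager, bug numbers and the `CVE-9999-*` identifiers are placeholders, and the "fixed in" table is likewise constructed) and shows the version-only verdict and the changelog verdict disagreeing for the same host.

```python
"""Version-only CVE check versus RPM-changelog check for a backported httpd.

Added example for this thread. The changelog and advisory table below are
constructed sample data; CVE-9999-* are placeholders, not real CVE IDs.
"""
import re
from typing import Dict, Set, Tuple

# A CVE identifier as it appears in changelog bullet lines.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Entry header as rpm prints it: "* Wed Jan 12 2022 Name <mail> - <version>-<release>"
HEADER_RE = re.compile(r"^\* .*? - (\S+)$")

# Constructed sample in `rpm -q --changelog` layout (newest entry first).
SAMPLE_CHANGELOG = """\
* Wed Jan 12 2022 Example Packager <packager@example.invalid> - 2.4.37-43.1
- Resolves: #0000001 - CVE-9999-00001 httpd: placeholder fix
- Resolves: #0000002 - CVE-9999-00002 httpd: placeholder fix

* Mon Nov 01 2021 Example Packager <packager@example.invalid> - 2.4.37-43
- Resolves: #0000003 - CVE-9999-00003 httpd: placeholder fix

* Tue Jun 01 2021 Example Packager <packager@example.invalid> - 2.4.37-40
- rebuild against updated apr
"""

# Constructed advisory table: CVE -> upstream release that first fixed it.
# Placeholder values; take the real ones from the advisory you are checking.
SAMPLE_ADVISORIES = {
    "CVE-9999-00001": "2.4.52",
    "CVE-9999-00002": "2.4.52",
    "CVE-9999-00003": "2.4.49",
    "CVE-9999-00004": "2.4.53",  # deliberately absent from the sample changelog
}


def parse_changelog(text: str) -> Dict[str, Set[str]]:
    """Map each version-release in the changelog to the CVE IDs its bullets name."""
    entries: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            entries.setdefault(current, set())
        elif current is not None:
            entries[current].update(CVE_RE.findall(line))
    return entries


def backported_cves(text: str) -> Set[str]:
    """Every CVE ID named anywhere in the changelog."""
    found: Set[str] = set()
    for cves in parse_changelog(text).values():
        found |= cves
    return found


def version_tuple(version: str) -> Tuple[int, ...]:
    """'2.4.37' -> (2, 4, 37). Upstream version only; the RPM release is not part of it."""
    return tuple(int(part) for part in version.split("."))


def version_only_check(reported: str, fixed_in: str) -> bool:
    """What a version-comparing scanner does: patched iff reported >= fixed_in."""
    return version_tuple(reported) >= version_tuple(fixed_in)


def changelog_check(changelog: str, cve: str) -> bool:
    """Patched iff the package changelog records the CVE as addressed."""
    return cve in backported_cves(changelog)


def assess(changelog: str, reported: str,
           advisories: Dict[str, str]) -> Dict[str, Tuple[bool, bool]]:
    """For each CVE in the advisory table: (version-only verdict, changelog verdict)."""
    return {
        cve: (version_only_check(reported, fixed_in), changelog_check(changelog, cve))
        for cve, fixed_in in advisories.items()
    }


if __name__ == "__main__":
    # On the sample host `httpd -v` reports the base version, never the release.
    reported_version = "2.4.37"
    for cve, (by_version, by_changelog) in assess(
            SAMPLE_CHANGELOG, reported_version, SAMPLE_ADVISORIES).items():
        print(f"{cve}: version-only patched={by_version}, changelog patched={by_changelog}")
```

On a real host, replace the sample with the output of `rpm -q --changelog httpd` and the version from `httpd -v`; the three placeholder CVEs come back as patched from the changelog and unpatched from the version comparison, which is exactly the false positive the Red Hat page warns auditors about. The other concern Yehuda raises, a tampered package, is a separate check: `rpm -K` (`--checksig`) verifies a package's GPG signature against the keys imported into the RPM database, and that is what to compare between a vendor RPM and a third-party or self-built one before deciding which you trust.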

Re: [users@httpd] How to get someone to look at an Apache bug report on Red Hat's Bugzilla?

Posted by Yehuda Katz <ye...@ymkatz.net>.
Please keep your replies on the mailing list so that everyone can benefit
from the discussion.

What is your "threat model" in which this way is less safe?

For example: Are you worried that the packaged version from someone else
has been modified with a backdoor? Are you worried that you would not be
able to get RPMs for new versions in a timely fashion when a security issue
is announced?

There are different ways to address different concerns, but if you are more
specific, we can make sure you get the best answer.

- Y

Sent from a device with a very small keyboard and hyperactive autocorrect.

On Tue, Mar 1, 2022, 11:18 AM Jeroen Verhoeckx <j....@protonmail.com>
wrote:

> > Since you don't have paid support from RedHat, there is absolutely no
> > reason to not install your own version of httpd.
>
> I don't mind doing that but I'm afraid it's less safe?
>
>
> Thanks for thinking along!
>
> Jeroen Verhoeckx
>
> ------- Original Message -------
> On Thursday, February 24th, 2022 at 10:41 PM, Yehuda Katz <
> yehuda@ymkatz.net> wrote:
>
> In terms of getting a RedHat engineer, it looks like you have done all you
> can do. There are RedHat developers on this list and on the RedHat forums
> and they also look at Bugzilla, so there probably isn't much more you can
> do.
>
> Since you don't have paid support from RedHat, there is absolutely no
> reason to not install your own version of httpd.
>
> - Y
>
> On Thu, Feb 24, 2022 at 9:37 AM Jeroen Verhoeckx <
> j.verhoeckx@protonmail.com> wrote:
>
>> Hello Yehuda,
>>
>> First: sorry for my very late reply!
>>
>> > You mention in the bug report that you are running an old version of
>> > HTTPD because you are using the version packaged by RedHat.
>> > Your bug report asks RedHat to backport the specific fixes for your
>> > issue.
>>
>> Yes, that's a really good summary of what I try to achieve!
>>
>>
>> About the two options:
>>
>>
>>    1. I have the 'Red Hat Developer Subscription for Individuals' and
>>    thus I'm not entitled to get any official support.
>>    2. Red Hat strongly discourages the installation of a different
>>    version of Apache (https://access.redhat.com/solutions/445713) .
>>
>>
>>
>> I asked the same question on Red Hat Community portal (
>> https://access.redhat.com/discussions/6756211) but so far I didn't get
>> any reaction.
>>
>>
>> Does someone know where the Apache developers of Red Hat hang out?
>>
>>
>>
>> Jeroen Verhoeckx
>>
>> ------- Original Message -------
>> On Friday, February 18th, 2022 at 8:38 PM, Yehuda Katz <ye...@ymkatz.net>
>> wrote:
>>
>>
>> I see two options for you going forward:
>> 1. Contacting RedHat: You need a subscription to do this. Posting to the
>> upstream HTTPD mailing list probably won't help.
>>
>> 2. Use a different package: There are newer rpms available if you don't
>> want to build your own. You can look at rpmfind or build the rpm yourself (
>> https://httpd.apache.org/docs/2.4/platform/rpm.html)
>>
>> - Y
>>
>> On Fri, Feb 18, 2022 at 1:02 PM Jeroen Verhoeckx
>> <j....@protonmail.com.invalid> wrote:
>>
>>> Hello Apache Administrators,
>>>
>>> On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, but
>>> no one has responded since then.
>>>
>>> It's about this bug report:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=2037967
>>>
>>>
>>> Does someone have an idea about what I could do next?
>>> Does someone know a place where I can contact RHEL Apache
>>> developers/administrators?
>>> Or is there another friendly way to get attention for this bug report?
>>>
>>>
>>> Yours sincerely,
>>>
>>> Jeroen Verhoeckx

Re: [users@httpd] How to get someone to look at an Apache bug report on Red Hat's Bugzilla?

Posted by Yehuda Katz <ye...@ymkatz.net>.
In terms of getting a RedHat engineer, it looks like you have done all you
can do. There are RedHat developers on this list and on the RedHat forums
and they also look at Bugzilla, so there probably isn't much more you can
do.

Since you don't have paid support from RedHat, there is absolutely no
reason to not install your own version of httpd.

- Y

On Thu, Feb 24, 2022 at 9:37 AM Jeroen Verhoeckx <j....@protonmail.com>
wrote:

> Hello Yehuda,
>
> First: sorry for my very late reply!
>
> > You mention in the bug report that you are running an old version of
> > HTTPD because you are using the version packaged by RedHat.
> > Your bug report asks RedHat to backport the specific fixes for your
> > issue.
>
> Yes, that's a really good summary of what I try to achieve!
>
>
> About the two options:
>
>
>    1. I have the 'Red Hat Developer Subscription for Individuals' and
>    thus I'm not entitled to get any official support.
>    2. Red Hat strongly discourages the installation of a different
>    version of Apache (https://access.redhat.com/solutions/445713) .
>
>
>
> I asked the same question on Red Hat Community portal (
> https://access.redhat.com/discussions/6756211) but so far I didn't get
> any reaction.
>
>
> Does someone know where the Apache developers of Red Hat hang out?
>
>
>
> Jeroen Verhoeckx
>
> ------- Original Message -------
> On Friday, February 18th, 2022 at 8:38 PM, Yehuda Katz <ye...@ymkatz.net>
> wrote:
>
>
> I see two options for you going forward:
> 1. Contacting RedHat: You need a subscription to do this. Posting to the
> upstream HTTPD mailing list probably won't help.
>
> 2. Use a different package: There are newer rpms available if you don't
> want to build your own. You can look at rpmfind or build the rpm yourself (
> https://httpd.apache.org/docs/2.4/platform/rpm.html)
>
> - Y
>
> On Fri, Feb 18, 2022 at 1:02 PM Jeroen Verhoeckx
> <j....@protonmail.com.invalid> wrote:
>
>> Hello Apache Administrators,
>>
>> On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, but
>> no one has responded since then.
>>
>> It's about this bug report:
>> https://bugzilla.redhat.com/show_bug.cgi?id=2037967
>>
>>
>> Does someone have an idea about what I could do next?
>> Does someone know a place where I can contact RHEL Apache
>> developers/administrators?
>> Or is there another friendly way to get attention for this bug report?
>>
>>
>> Yours sincerely,
>>
>> Jeroen Verhoeckx

Re: [users@httpd] How to get someone to look at an Apache bug report on Red Hat's Bugzilla?

Posted by Yehuda Katz <ye...@ymkatz.net>.
You mention in the bug report that you are running an old version of HTTPD
because you are using the version packaged by RedHat.
Your bug report asks RedHat to backport the specific fixes for your issue.

I see two options for you going forward:
1. Contacting RedHat: You need a subscription to do this. Posting to the
upstream HTTPD mailing list probably won't help.

2. Use a different package: There are newer rpms available if you don't
want to build your own. You can look at rpmfind or build the rpm yourself (
https://httpd.apache.org/docs/2.4/platform/rpm.html)

- Y

On Fri, Feb 18, 2022 at 1:02 PM Jeroen Verhoeckx
<j....@protonmail.com.invalid> wrote:

> Hello Apache Administrators,
>
> On 6 January I reported a possible bug of Apache on Red Hat's Bugzilla, but
> no one has responded since then.
>
> It's about this bug report:
> https://bugzilla.redhat.com/show_bug.cgi?id=2037967
>
>
> Does someone have an idea about what I could do next?
> Does someone know a place where I can contact RHEL Apache
> developers/administrators?
> Or is there another friendly way to get attention for this bug report?
>
>
> Yours sincerely,
>
> Jeroen Verhoeckx