[ANNOUNCE] mod_perl 2.0.8

[Fred Moyer <ph...@apache.org>]

I'm pleased to announce that mod_perl 2.0.8 is coming to a CPAN mirror near
you, as well as the following Apache project website links (note that the
Apache.org links may take a few hours to propagate to the mirrors).

Thanks to all the contributors on this version!


http://apache.org/dist/perl/mod_perl-2.0.8.tar.gz
http://apache.org/dist/perl/mod_perl-2.0.8.tar.gz.asc (pgp sig)

  file: $CPAN/authors/id/P/PH/PHRED/mod_perl-2.0.8.tar.gz
  size: 3790026 bytes
   md5: df89f50a39e93ba5054651c281483ffb

=item 2.0.8 April 17, 2013

Perl 5.16.3's fix for a rehash-based DoS makes it more difficult to invoke
the workaround for the old hash collision attack, which breaks mod_perl's
t/perl/hash_attack.t. Patch from rt.cpan.org #83916 improves the fix
previously applied as revision 1455340. [Zefram]

On Perl 5.17.6 and above, hash seeding has changed, and HvREHASH has
disappeared. Patch to update mod_perl accordingly from rt.cpan.org #83921.
[Zefram]

Restore build with Perl 5.8.1, 5.8.2 etc: take care to use
$Config{useithreads} rather than $Config{usethreads}, and supply definitions
of Newx and Newxz as necessary. [Steve Hay]

On Perl 5.17.9, t/apache/read2.t fails because an "uninitialized value"
warning is generated for the buffer being autovivified. This is because
the sv_setpvn() that's meant to vivify the buffer doesn't perform set
magic; the warning is generated by the immediately following SvPV_force().
Patch to fix this from rt.cpan.org #83922. [Zefram]

Fix t/perl/hash_attack.t to work with Perl 5.14.4, 5.16.3 etc, which
contain a fix for CVE-2013-1667 (memory exhaustion with arbitrary hash
keys). This resolves rt.perl.org #116863, from where the patch was taken.
[Hugo van der Sanden]

use APR::Finfo instead of Perl's stat() in ModPerl::RegistryCooker to
generate HTTP code 404 even if the requested filename contains newlines
[Torsten]

Remove all uses of deprecated core perl symbols. [Steve Hay]

Add branch release tag to 'make tag' target. [Phred]

Re: [ANNOUNCE] mod_perl 2.0.8

[Fred Moyer <fr...@redhotpenguin.com>]

Thanks for the spot. I just pinged the Apache infrastructure team to see if
there's a cron job which makes the sync that needs a poke.


On Sat, Apr 20, 2013 at 10:43 AM, Dominic Hargreaves <do...@earth.li> wrote:

> On Wed, Apr 17, 2013 at 07:25:45PM -0700, Fred Moyer wrote:
> > I'm pleased to announce that mod_perl 2.0.8 is coming to a CPAN mirror
> near
> > you, as well as the following Apache project website links (note that the
> > Apache.org links may take a few hours to propagate to the mirrors).
> >
> > Thanks to all the contributors on this version!
> >
> >
> > http://apache.org/dist/perl/mod_perl-2.0.8.tar.gz
> > http://apache.org/dist/perl/mod_perl-2.0.8.tar.gz.asc (pgp sig)
>
> I noticed that the Debian package watch file has
>
> http://perl.apache.org/dist/
>
> configured as the place to look for new versions, but 2.0.8 hasn't
> appeared there. Is this a deliberate or accidental divergence?
>
> Cheers,
> Dominic.
>
> --
> Dominic Hargreaves | http://www.larted.org.uk/~dom/
> PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
>

Re: [ANNOUNCE] mod_perl 2.0.8

[Dominic Hargreaves <do...@earth.li>]

On Wed, Apr 17, 2013 at 07:25:45PM -0700, Fred Moyer wrote:
> I'm pleased to announce that mod_perl 2.0.8 is coming to a CPAN mirror near
> you, as well as the following Apache project website links (note that the
> Apache.org links may take a few hours to propagate to the mirrors).
> 
> Thanks to all the contributors on this version!
> 
> 
> http://apache.org/dist/perl/mod_perl-2.0.8.tar.gz
> http://apache.org/dist/perl/mod_perl-2.0.8.tar.gz.asc (pgp sig)

I noticed that the Debian package watch file has

http://perl.apache.org/dist/

configured as the place to look for new versions, but 2.0.8 hasn't
appeared there. Is this a deliberate or accidental divergence?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)