Topic: Apache httpd 2.4.42-dev VS16 snapshot 1 available

Steffen (Moderator), Joined: 15 Oct 2005, Posts: 2806, Location: Hilversum, NL, EU
Posted: Fri 21 Feb '20 14:08    Post subject: Apache httpd 2.4.42-dev VS16 snapshot 1 available

The snapshot contains already committed changes for the coming 2.4.42.

See Changes below.
Noticeable is mod_md with lots of new features.

When more changes are applied, we come with a new snapshot.

Download: Removed


PGP and checksums on request.

The snapshot is based on svn branches/2.4 Revision 1874288 Fri Feb 21 00:36:36 2020 UTC.

Please give it a try!!

Enjoy

Steffen



25-March-2019 Changes with 2.4.42-dev-snap1

Apache Lounge changes:

*) Upgraded OpenSSL to 1.1.1d from 1.1.1c
*) Upgraded nghttp2 to 1.40.0 from 1.39.1
*) Upgraded curl to 7.68.0 from 7.65.3
*) Upgraded pcre to 8.44 from 8.43
*) Upgraded libxml2 to 2.9.10 from 2.9.9
*) Upgraded expat to 2.2.9 from 2.2.7

ASF changes:

*) Add a config layout for OpenWRT. [Graham Leggett]

*) Add support for cross compiling to apxs. If apxs is being executed from somewhere
other than its target location, add that prefix to includes and library directories.
Without this, apxs would fail to find config_vars.mk and exit. [Graham Leggett]

*) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
[Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

*) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
[Graham Leggett]

*) mod_ssl: Support use of private keys and certificates from an
OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
[Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

*) mod_md:
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
- protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
- Softening the restrictions where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. Whether all possible variations lead to the configuration
you wanted in the first place is another matter.
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

*) test: Added continuous testing with Travis CI.
This tests various scenarios on Ubuntu with the full test suite.
Architectures tested: amd64, s390x, ppc64le, arm64
The tests pass successfully.
[Luca Toscano, Joe Orton, Mike Rumph, and others]

*) core: Be stricter in parsing of Transfer-Encoding headers.
[ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

*) mod_ssl: negotiate the TLS protocol version per name based vhost
configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
SSLProtocol (from the first vhost declared on the IP:port) is now only
relevant if no SSLProtocol is declared for the vhost or globally,
otherwise the vhost or global value apply. [Yann Ylavic]

*) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
output. PR 64096. [Joe Orton]

*) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
[Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

*) mod_systemd: New module providing integration with systemd. [Jan Kaluza]

*) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
r:notes_table, r:subprocess_env_table as read-only native table alternatives
that can be iterated over. [Eric Covener]

*) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
[Yann Ylavic, Stefan Eissing]

*) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
r.headers_out, etc) to remove the key from the table. PR 63971.
[Eric Covener]

*) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
always `on`, regardless of configuration. Found and reported by
<Armin.Abfalterer@united-security-providers.ch> and
<Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

*) mod_http2: Multiple field length violations in the same request no longer cause
several log entries to be written. [@mkauf]

*) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
[Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

*) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
[Jim Jagielski]

*) mod_authn_socache: Increase the maximum length of strings that can be cached by
the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]

*) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
[Ruediger Pluem, Eric Covener]

*) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
valid (For example, testing for a file on a flash drive that is not mounted)
[Christophe Jaillet]

*) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
means 'foo' is "not acceptable". PR 58158 [Christophe Jaillet]

*) mod_md v2.2.3:
- Configuring MDCAChallenges replaces any previous existing challenge configuration. It
had been additive before which was not the intended behaviour. [@mkauf]
- Fixing order of ACME challenges used when nothing else configured. Code now behaves as
documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
- Fixing a potential, low-memory null pointer dereference [thanks to @uhliarik].
- Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
"transfer-encoding" to POST requests. This failed in direct communication with
Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

*) mod_md: Adding several new features.
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. It can be used
for sites that do not have ACME certificates.
The url for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certificate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example for applications that require it in different
locations or formats.
[Stefan Eissing]

*) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
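The mod_deflate/mod_brotli entry in the changelog above adopts the RFC 7231 section 5.3.4 rule that a content-coding listed with q=0 is "not acceptable". The parser below is an added example, not code from httpd and not part of Steffen's post; it carries that rule through for the cases a negotiating server has to get right: explicit q values, the "*" wildcard, the implicit acceptability of identity, a missing header versus an empty one, and malformed members (which are skipped so that garbage never grants or denies a coding by accident). All function names are the example's own.

```python
"""Accept-Encoding negotiation per RFC 7231 section 5.3.4 (added example,
not httpd's mod_deflate/mod_brotli code)."""
import re
from typing import Dict, List, Optional

# One list member: a content-coding token or "*", optionally followed by
# parameters such as ";q=0.5".  Only the q parameter matters for negotiation.
_MEMBER_RE = re.compile(r"^\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+|\*)\s*(?:;(.*))?$")


def parse_accept_encoding(header: Optional[str]) -> Optional[Dict[str, float]]:
    """Return {coding: q} for the header, or None when no header was sent.

    Codings are lower-cased.  A member whose q is unparseable or outside
    0..1 is malformed and skipped rather than guessed at.
    """
    if header is None:
        return None
    weights: Dict[str, float] = {}
    for member in header.split(","):
        if not member.strip():
            continue  # empty element, e.g. a trailing comma
        m = _MEMBER_RE.match(member)
        if not m:
            continue
        coding = m.group(1).lower()
        q = 1.0
        for param in (m.group(2) or "").split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value.strip())
                except ValueError:
                    q = -1.0  # forces the member to be skipped below
        if 0.0 <= q <= 1.0:
            weights[coding] = q
    return weights


def qvalue_for(weights: Optional[Dict[str, float]], coding: str) -> float:
    """Effective q of a coding under the RFC 7231 5.3.4 rules."""
    coding = coding.lower()
    if weights is None:
        return 1.0                # no header at all: any coding is fine
    if coding in weights:
        return weights[coding]    # explicit entry wins, including q=0
    if "*" in weights:
        return weights["*"]       # wildcard covers codings not listed
    # identity is acceptable unless excluded explicitly or via "*;q=0";
    # anything else not listed is not acceptable
    return 1.0 if coding == "identity" else 0.0


def is_acceptable(header: Optional[str], coding: str) -> bool:
    """True when the server may send the response with this coding."""
    return qvalue_for(parse_accept_encoding(header), coding) > 0.0


def choose_encoding(header: Optional[str], available: List[str]) -> Optional[str]:
    """Pick the highest-q coding the client accepts, or None if there is none."""
    weights = parse_accept_encoding(header)
    best, best_q = None, 0.0
    for coding in available:
        q = qvalue_for(weights, coding)
        if q > best_q:
            best, best_q = coding, q
    return best
```

The changelog's example header "foo;q=0" makes is_acceptable(..., "foo") return False; the same code shows why "*;q=0, gzip" leaves only gzip acceptable and why an empty header means "identity only", which is the check a compression module needs before it compresses anything.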
DnvrSysEngr, Joined: 15 Apr 2012, Posts: 203, Location: Denver, CO USA
Posted: Fri 21 Feb '20 19:39

Granted I have a very basic implementation of Apache, this version (2.4.42) appears to be working without any issues for me.

Thank you everyone for your dedication.

-S
admin (Site Admin), Joined: 15 Oct 2005, Posts: 602
Posted: Fri 20 Mar '20 12:19

Thanks for testing.
Snap1 was downloaded a lot, but when there are no problems users mostly do not post.

So special thanks to DnvrSysEngr !

Removed the downloads.

Yesterday the 2.4.42 vote started; it differs only slightly from the above Snap1.

Stay tuned for 2.4.42.

Changelog is already at www.apachelounge.com/Changelog-2.4.html
Jan-E, Joined: 09 Mar 2012, Posts: 1005, Location: Amsterdam, NL, EU
Posted: Fri 20 Mar '20 17:24

admin wrote:

Yesterday the 2.4.42 vote started; it differs only slightly from the above Snap1.

A bug has been found in the 2.4.42 sources and has been fixed already:
https://marc.info/?l=apache-httpd-dev&m=158470934704139&w=2

I wonder if Apache will go straight to 2.4.43 or just modify this version.
glsmith (Moderator), Joined: 16 Oct 2007, Posts: 2223, Location: Sun Diego, USA
Posted: Fri 20 Mar '20 21:45

Go to 2.4.43 since numbers are cheap. When that will happen is the question.
Steffen (Moderator), Joined: 15 Oct 2005, Posts: 2806, Location: Hilversum, NL, EU
Posted: Tue 24 Mar '20 12:08

The vote did not pass.

Waiting now for the 2.4.43 vote.
Jan-E, Joined: 09 Mar 2012, Posts: 1005, Location: Amsterdam, NL, EU
Posted: Thu 26 Mar '20 22:20

The vote for 2.4.43 has started now.

Beware of using OpenSSL 1.1.1e for the next AL Release. Stay at OpenSSL 1.1.1d. A bugfix release for OpenSSL 1.1.1e is expected:
https://github.com/openssl/openssl/issues/11378
glsmith (Moderator), Joined: 16 Oct 2007, Posts: 2223, Location: Sun Diego, USA
Posted: Fri 27 Mar '20 4:20

I don't know, reading through the last few comments it looks like an edge case that may not be too common. If 'f' doesn't make it by the 72 hours vote I would rather just go with 'e'.

This is a bug and not a vulnerability. I would rather have a bug that causes an error now and then than a vulnerability no matter how low a priority that 'd' has.

Since I already had the AH downloads built and packaged before you pointed us to this, I would rather not start over now only to have to do it all over yet a third (or 4th if 2.4.43 fails the vote) time.

I have 36+/- hours to think about it at least and see what happens. I have been running it myself since 09:30 my time. So far no problems but I don't have a very busy server.
admin (Site Admin), Joined: 15 Oct 2005, Posts: 602
Posted: Fri 27 Mar '20 8:40

1.1.1e has already been included in the current 2.4.41 build for more than a week. Downloaded over 50.000.

No issues reported.
Jan-E, Joined: 09 Mar 2012, Posts: 1005, Location: Amsterdam, NL, EU
Posted: Fri 27 Mar '20 8:45

glsmith wrote:
I don't know, reading through the last few comments it looks like an edge case that may not be too common.

See https://github.com/openssl/openssl/issues/11378#issuecomment-602283952
It may be an edge case, but the impact could clearly be shown.

glsmith wrote:
This is a bug and not a vulnerability. I would rather have a bug that causes an error now and then than a vulnerability no matter how low a priority that 'd' has.

The vulnerability that was fixed in 1.1.1e was published on December 6, 2019.
https://www.openssl.org/news/secadv/20191206.txt

So your server has been running with a known vulnerability from December 6 up until at least March 17 (release date of 1.1.1e). More than 3 months. It is your call, but I prefer staying with 1.1.1d.
Otomatic, Joined: 01 Sep 2011, Posts: 20, Location: Otomatic
Posted: Fri 27 Mar '20 11:18

admin wrote:
Downloaded over 50.000.
No issues reported.

Hello,
Me too, I would like to test 2.4.43 for Wampserver but, even if I clean my glasses well, I don't see any download links.
Steffen (Moderator), Joined: 15 Oct 2005, Posts: 2806, Location: Hilversum, NL, EU
Posted: Fri 27 Mar '20 11:28

For now I stay with 1.1.1e in the current 2.4.41 and the coming 2.4.43. If it is a serious issue, we will hear from OpenSSL.org.

Going back to 1.1.1d is not an option at the moment, because there were quite a few urgent requests for 1.1.1e. Also, an IAVA was published that requires compliance in some industries.
Jan-E, Joined: 09 Mar 2012, Posts: 1005, Location: Amsterdam, NL, EU
Posted: Fri 27 Mar '20 14:42

nginx seems to stick with OpenSSL 1.1.1d for the moment.
https://forum.nginx.org/read.php?2,287377,287427#msg-287427

The official PHP releases are also shipped with OpenSSL 1.1.1d. I checked that for PHP 7.4.4, released March 19:
https://windows.php.net/download
admin (Site Admin), Joined: 15 Oct 2005, Posts: 602
Posted: Fri 27 Mar '20 20:03

Found in one of the links above:
Code:

... possible application breakage caused by a change in behavior introduced in 1.1.1e.  It affects at least nginx, which logs error messages such as:
nginx[16652]: [crit] 16675#0: *358 SSL_read() failed (SSL: error:4095126:SSL routines:ssl3_read_n:unexpected eof while reading) while keepalive, client: xxxx, server: [::]:443


So still not sure it affects Apache.
glsmith (Moderator), Joined: 16 Oct 2007, Posts: 2223, Location: Sun Diego, USA
Posted: Fri 27 Mar '20 20:42

@Otomatic

If you'll notice on the download pages, it says "Updated March 2020." Then if you click on the "Info & Changelog" link under the "Apache 2.4 VC15/VS16" headers you'll see OpenSSL 1.1.1e listed.
glsmith (Moderator), Joined: 16 Oct 2007, Posts: 2223, Location: Sun Diego, USA
Posted: Fri 27 Mar '20 21:38

Per the OSSL bug report:

HTTP/2 is unaffected.
HTTP/1.1: if not using chunked encoding and not receiving a content-length header, it'll error.
HTTP/0.9 & 1.0 are problematic because they do not include content-length headers and I'm not sure if they can do chunked encoding or not.

As far as my reading translates in my brain, there are a number of factors that have to be met to run into this bug. Looking at yesterday's log, 96% of connections to my server were HTTP/2, 1 came in at HTTP/1.0 and the little left over were HTTP/1.1.

Curling into my server with HTTP/1.0 I get upgraded to HTTP/1.1. Personally I don't want HTTP/0.9 or 1.0 speaking to my server anyway. That you cannot turn off 0.9 or 1.0 in Apache (see Protocols) I'm not fond of, but there's always:

# Refuse requests that arrive as HTTP/0.9 or HTTP/1.0
<If "%{SERVER_PROTOCOL} =~ /HTTP\/(0\.9|1\.0)/">
    Require all denied
</If>

Which I just may try out of personal interest.

I see the merit in your thinking and would just hold off on 2.4.43 at AH if I knew 1.1.1f was going to release in a day or two. But policy there is similar to here, no -dev, current released versions.
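Two things in this thread lend themselves to a quick check against a server's own logs: the share of requests arriving with each HTTP version (and so which requests the <If "%{SERVER_PROTOCOL} =~ ..."> rule in glsmith's post would answer with 403), and whether an error log already carries the OpenSSL 1.1.1e "unexpected eof while reading" message that admin quoted from the nginx report. The script below is an added example, not code from Apache Lounge or the httpd project; the access-log and error-log lines embedded in it are constructed samples, and every function name is the example's own.

```python
"""Log triage for the questions raised in this thread (added example, not
httpd or Apache Lounge code):

1. Which HTTP versions do requests arrive with, and which of them would the
   HTTP/0.9-or-1.0 <If> rule deny?
2. Does the error log already contain the OpenSSL 1.1.1e
   "unexpected eof while reading" signature?

All log lines below are constructed samples, not real server output.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Apache "combined" LogFormat: the request line is the first quoted field.
# A bare HTTP/0.9 request ("GET /") carries no protocol token, so that group
# is optional; such lines are reported as HTTP/0.9, which is also the value
# httpd puts into SERVER_PROTOCOL for them.
_ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d(?:\.\d)?))?" '
    r'(?P<status>\d{3}) '
)

# Protocol pattern of the <If> rule, with the dots escaped so that "HTTP/1.0"
# is matched literally rather than as "HTTP/1<anything>0".
LEGACY_PROTO_RE = re.compile(r"HTTP/(0\.9|1\.0)")

# Error text from the OpenSSL issue quoted earlier in the thread.
UNEXPECTED_EOF = "unexpected eof while reading"

# Constructed sample access log (combined format).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [27/Mar/2020:09:30:01 +0100] "GET / HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Mar/2020:09:30:02 +0100] "GET /style.css HTTP/2.0" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Mar/2020:09:31:15 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.8 - - [27/Mar/2020:09:32:40 +0100] "GET /robots.txt HTTP/1.0" 200 68 "-" "OldScanner/1.0"
192.0.2.99 - - [27/Mar/2020:09:33:05 +0100] "GET /" 200 5120 "-" "-"
203.0.113.11 - - [27/Mar/2020:09:34:00 +0100] "POST /api HTTP/2.0" 204 0 "-" "Mozilla/5.0"
"""

# Constructed sample error log; the second line reuses the error string from
# the nginx report quoted in the thread.
SAMPLE_ERROR_LOG = """\
[Fri Mar 27 09:35:12.123456 2020] [ssl:info] [pid 1234:tid 5678] [client 198.51.100.7:51234] Connection closed to child 3 with standard shutdown
[Fri Mar 27 09:35:13.000002 2020] [ssl:error] [pid 1234:tid 5678] [client 198.51.100.8:51235] SSL Library Error: error:4095126:SSL routines:ssl3_read_n:unexpected eof while reading
"""

Record = Tuple[str, str, str]  # (client, request line, protocol)


def _parse(lines: Iterable[str]) -> Iterator[Optional[Record]]:
    """Yield a Record per access-log line, or None when a line does not parse."""
    for line in lines:
        m = _ACCESS_RE.match(line)
        if not m:
            yield None
            continue
        proto = m.group("proto") or "HTTP/0.9"
        yield m.group("client"), f'{m.group("method")} {m.group("target")} {proto}', proto


def protocol_counts(lines: Iterable[str]) -> Counter:
    """Requests per protocol; unparseable lines are counted, not silently dropped."""
    counts: Counter = Counter()
    for rec in _parse(lines):
        counts[rec[2] if rec else "unparsed"] += 1
    return counts


def protocol_share(lines: Iterable[str]) -> Dict[str, float]:
    """Percentage of requests per protocol, rounded to one decimal."""
    counts = protocol_counts(lines)
    total = sum(counts.values())
    return {p: round(100.0 * n / total, 1) for p, n in counts.items()} if total else {}


def would_be_denied(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """(client, request line) pairs the <If> rule would reject with 403."""
    return [(rec[0], rec[1]) for rec in _parse(lines)
            if rec and LEGACY_PROTO_RE.search(rec[2])]


def unexpected_eof_lines(lines: Iterable[str]) -> List[str]:
    """Error-log lines carrying the 1.1.1e unexpected-EOF message."""
    return [line for line in lines if UNEXPECTED_EOF in line.lower()]


def main() -> None:
    access = SAMPLE_ACCESS_LOG.splitlines()
    for proto, pct in sorted(protocol_share(access).items(), key=lambda kv: -kv[1]):
        print(f"{proto:<9} {pct:5.1f}%")
    for client, request in would_be_denied(access):
        print(f"would be denied: {client} {request}")
    for line in unexpected_eof_lines(SAMPLE_ERROR_LOG.splitlines()):
        print("1.1.1e signature:", line)


if __name__ == "__main__":
    main()
```

Run it as a script to see the protocol breakdown for the sample lines; pointing the functions at a real access_log and error_log gives the same two answers for an actual server, and the "unparsed" bucket shows whether the LogFormat differs from "combined" before any percentage is trusted.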
Jan-E, Joined: 09 Mar 2012, Posts: 1005, Location: Amsterdam, NL, EU
Posted: Fri 27 Mar '20 23:53

Matt Caswell in gmane.comp.encryption.openssl.project (Fri, 27 Mar 2020 14:10:18 +0000):
Quote:
There seems to be broad support for a 1.1.1f release. Unless I hear an OMC objection I will formally announce this tomorrow.

Matt
Steffen (Moderator), Joined: 15 Oct 2005, Posts: 2806, Location: Hilversum, NL, EU
Posted: Sat 28 Mar '20 10:58

Asked the Apache devs:


Rainer:

I did a few hundred test suite runs on 5 platforms for the 2.4.42 release candidate against OpenSSL 1.1.1e and noticed no special new ssl related errors.

So either our tests do not detect it or httpd does not have that problem.

There will be a new OpenSSL 1.1.1f release next week.


Rüdiger:

From a quick look at the code I would say that we are not affected. Unless ssl-unclean-shutdown
(http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html) is set and we did not detect a closed socket, we send a close_notify alert via
modssl_smart_shutdown.


For me no worry. Also because I have no reports related to SSL.
Jan-E, Joined: 09 Mar 2012, Posts: 1005, Location: Amsterdam, NL, EU
Posted: Mon 30 Mar '20 5:55

The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1f.

This release will be made available on Tuesday 31st March 2020 between 1200-1600 UTC. This is a bug fix only release.
long76, Joined: 28 Oct 2017, Posts: 9
Posted: Tue 31 Mar '20 15:20

openssl 1.1.1f released (https://github.com/openssl/openssl/releases)