Topic: Using secret attribute in mod_proxy with AJP
Author
tang_88888



Joined: 10 Jul 2015
Posts: 10

Posted: Mon 09 Mar '20 5:18    Post subject: Using secret attribute in mod_proxy with AJP

In the Apache documentation (https://httpd.apache.org/docs/2.4/mod/mod_proxy_ajp.html), there is a "secret" attribute for mod_proxy_ajp, but it mentions that it is "Supported since 2.4.42".

As the recent vulnerability (CVE-2020-1938) is about to apply a password between Apache HTTP server and Tomcat server using AJP protocol, is there any official release of Apache 2.4.42 to support the "secret"?
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3130
Location: Hilversum, NL, EU

Posted: Mon 09 Mar '20 12:20

It is expected this month, no day set.

The fix is already accepted to go in 2.4.42:

mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy AJP13 authentication. The attribute is now suggested/required by Tomcat.

Coming day I planned to make a snap 2 available for VS16, see https://www.apachelounge.com/viewtopic.php?t=8441
bthomas102



Joined: 13 Mar 2020
Posts: 2
Location: India,mumbai

Posted: Thu 26 Mar '20 19:42

Hi,

Do we have an update on the release date for 2.4.42?
admin
Site Admin


Joined: 15 Oct 2005
Posts: 706

Posted: Thu 26 Mar '20 20:31

2.4.42 is not released, see https://www.apachelounge.com/Changelog-2.4.html

Voting for 2.4.43 is started today. Early next week is expected.
bthomas102



Joined: 13 Mar 2020
Posts: 2
Location: India,mumbai

Posted: Wed 01 Apr '20 7:05

Just wanted confirmation that the "secret" parameter is part of the 2.4.43 release.
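
One way to check an httpd configuration for AJP workers that still lack the "secret" parameter discussed in this thread. This is an added example, not part of the original posts or of Apache's own code; the hostnames, the CHANGE_ME value and the function names are constructed for illustration, and only parameters written on the directive line itself are considered.

```python
import shlex

WORKER_DIRECTIVES = {"proxypass", "proxypassmatch", "balancermember"}

# Constructed sample configuration (hostnames and secret value are placeholders).
SAMPLE_CONF = '''\
ProxyPass "/shop" "ajp://tomcat1.example.internal:8009/shop"
ProxyPass "/admin" "ajp://tomcat1.example.internal:8009/admin" secret=CHANGE_ME timeout=60
ProxyPass "/static" "http://127.0.0.1:8080/static"
<Proxy "balancer://apps">
    BalancerMember "ajp://tomcat2.example.internal:8009" \\
        secret=CHANGE_ME
    BalancerMember "ajp://tomcat3.example.internal:8009" loadfactor=2
</Proxy>
# ProxyPass "/old" "ajp://legacy.example.internal:8009/old"
'''

def logical_lines(text):
    """Yield (first_line_number, text), joining backslash-continued lines."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf = ""

def ajp_workers_without_secret(text):
    """Return [(line_number, ajp_url)] for AJP workers with no secret= parameter."""
    findings = []
    for lineno, line in logical_lines(text):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        try:
            tokens = shlex.split(line)  # honours quoted arguments
        except ValueError:
            continue  # unbalanced quotes: not a line this check can judge
        if tokens[0].lower() not in WORKER_DIRECTIVES:
            continue
        urls = [t for t in tokens[1:] if t.lower().startswith("ajp://")]
        if urls and not any(t.lower().startswith("secret=") for t in tokens[1:]):
            findings.append((lineno, urls[0]))
    return findings

if __name__ == "__main__":
    print(ajp_workers_without_secret(SAMPLE_CONF))
```

A worker whose parameters are applied elsewhere in the configuration (for example through a separate directive) will be reported by this check and needs manual review.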