PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
[ start all new proposals below, under PATCHES PROPOSED. ]
- *) core: CVE-2016-5387: Mitigate [f]cgi "httpoxy" issues
- Trunk version of patch:
- http://svn.apache.org/viewvc?rev=1753228&view=rev
- http://svn.apache.org/viewvc?rev=1753229&view=rev
- Backport version for 2.4.x of patch:
- Trunk version of patch works (modulo CHANGES)
- +1: wrowe, jim, ylavic
-
- *) mod_dav: Add support for childtags to dav_error.
- trunk patch: http://svn.apache.org/r1746207
- 2.4.x: trunk works modulo CHANGES/MMN
- +1: minfrin, jim, ylavic
-
- *) mod_dav: Add dav_begin_multistatus, dav_send_one_response,
- dav_finish_multistatus, dav_send_multistatus, dav_handle_err,
- dav_failed_proppatch, dav_success_proppatch to mod_dav.h.
- trunk patch: http://svn.apache.org/r1748047
- 2.4.x: trunk works modulo CHANGES/MMN
- +1: minfrin, jim, ylavic
-
- *) mod_proxy: Correctly consider error response codes by the backend when
- processing failonstatus. PR 59869
- Trunk version of patch:
- http://svn.apache.org/r1753592
- Backport version for 2.4.x of patch:
- Trunk version of patch works (modulo CHANGES)
- +1: rpluem, jim, ylavic
-
- *) mod_proxy_balancer: Prevent redirect loops between workers within a
- balancer by limiting the number of redirects to the number balancer
- members. PR 59864
- Trunk version of patch:
- http://svn.apache.org/r1753594
- Backport version for 2.4.x of patch:
- Trunk version of patch works (modulo CHANGES)
- +1: rpluem, jim, ylavic
+ * mod_cgid: Wrong CGI process killed when a small CGI response is followed
+ by another CGI request, because of min bytes to write in core output filter
+ delaying the pool cleanup. Likely fixes PR57771 too.
+ trunk patch: http://svn.apache.org/r1758083
+ 2.4.x: trunk works modulo CHANGES
+ +1 covener, jim, icing
PATCHES PROPOSED TO BACKPORT FROM TRUNK:
ylavic: there may be missing bits, see thread for commit r1736510.
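Review bot: the new mod_cgid entry (the `+ * mod_cgid:` block) uses a bare `* ` bullet and `+1 covener, jim, icing` without the colon, while every other entry in this section is written `*) module:` with `+1: name, name`; keep the file greppable by writing it as `*) mod_cgid: Wrong CGI process killed ...` and `+1: covener, jim, icing`. The description also states only the cause ("min bytes to write in core output filter delaying the pool cleanup"), not what r1758083 changes, and "Likely fixes PR57771 too" is a guess; one clause on the actual fix, and either a verified or an explicitly unverified PR57771 reference, would save the backporter a trip to the revision.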
*) core: Drop an invalid Last-Modified header value coming
- from a FCGI/CGI script instead of replacing it with Unix epoch.
- Warn the users about Last-Modified header value replacements and
- improved handling of non-GMT datestr.
+ from a (F)CGI script instead of replacing it with Unix epoch.
+ Warn the users about Last-Modified header value replacements
+ and violations of the RFC.
trunk patch: http://svn.apache.org/r1748379
http://svn.apache.org/r1750747
http://svn.apache.org/r1750749
http://svn.apache.org/r1751138
http://svn.apache.org/r1751139
http://svn.apache.org/r1751147
- 2.4.x: trunk patches works (final view http://apaste.info/9v3)
- The last revision has been discussed in dev@ and submitted by Yann.
+ http://svn.apache.org/r1757818
+ 2.4.x: trunk patches works (final view http://apaste.info/FCs)
+ The last revision has been discussed extensively in dev@ and this seems to be
+ a good compromise for the moment.
Tested the code with a simple PHP script returning different Last-Modified
- headers (GMT now, GMT now Europe/Paris, GMT tomorrow, GMT yesterday).
- +1: elukey, jchampion
-
- *) ab: Set the Server Name Indication (SNI) extension on outgoing TLS
- connections (unless -I is specified), according to the Host header (if
- any) or the requested URL's hostname otherwise.
- trunk patch: http://svn.apache.org/r1750854
- http://svn.apache.org/r1750855
- http://svn.apache.org/r1750947
- http://svn.apache.org/r1750955
- http://svn.apache.org/r1750960
- 2.4.x patch: http://home.apache.org/~ylavic/patches/httpd-2.4.x-ab_sni.patch
- (needed to adapt CHANGES entry since r1750854)
- +1: ylavic, covener
+ headers (GMT now, GMT now Europe/Paris, GMT tomorrow, GMT yesterday, PST now).
+ +1: elukey
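Review bot: dropping jchampion's +1 when r1757818 is added is the right call, since the reviewed set changed, but say so in the entry (e.g. "jchampion: please re-vote, r1757818 added"), otherwise the vote count looks like it regressed for no reason. The reworded description now says the patch warns about "violations of the RFC" without naming which RFC or which rule, whereas the old text named the concrete case (non-GMT datestr) that the test list still exercises (Europe/Paris, PST now); either cite the RFC section or keep the concrete wording. The "final view" is a pastebin link (apaste.info), which can expire; the other entries attach a durable patch under home.apache.org, and this one should too.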
*) CMake: fix various issues for Windows/Visual Studio build environments.
PR59685.
trunk patch: http://svn.apache.org/r1752331
http://svn.apache.org/r1752332
http://svn.apache.org/r1752333
- +1: jchampion
-
- *) mod_proxy_fcgi: read the whole FCGI response even when the content has
- not been modified (HTTP 304) to avoid subsequent bogus reads and
- confusing error messages logged.
- trunk patch: http://svn.apache.org/r1752347
- 2.4.x patch: trunk works (modulo CHANGES)
- +1: elukey, ylavic
+ +1: jchampion, jim (by inspection)
*) autoconf: minor cleanup and removal of some dead code.
trunk patch: http://svn.apache.org/r1753315
http://svn.apache.org/r1753316
+ 2.4.x patch: http://home.apache.org/~jchampion/patches/2.4.x-autoconf-cleanup.patch
+ (combines both patches and corrects for differences in the
+ AC_CONFIG_FILES list)
+1: jchampion
ylavic: some conflicts with r1753315 in 2.4.x's configure.in.
-
- *) mod_proxy_fcgi: avoid loops serving proxied error documents.
- trunk patch: http://svn.apache.org/r1753167
- 2.4.x patch: trunk works (modulo CHANGES)
- +1: elukey, ylavic
-
- *) mod_http: Add the HEAD method to the lookup hash for completeness.
- Trunk version of patch:
- http://svn.apache.org/r1753257
- Backport version for 2.4.x of patch:
- Trunk version of patch works
- +1: wrowe, ylavic
-
- *) Typo fixes in comments and text files. PR 59990.
- Trunk version of patch:
- http://svn.apache.org/r1756038
- Backport version for 2.4.x of patch:
- http://home.apache.org/~rjung/patches/httpd-2.4.x-typo-PR59990.patch
- (trunk version of patch merge plus CHANGES plus STATUS
- plus one hunk in modules/aaa/mod_auth_digest.c)
- +1: rjung, ylavic
+ jchampion: added a 2.4.x backport patch.
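Review bot: five entries removed from PATCHES PROPOSED in this diff (ab SNI, mod_proxy_fcgi 304 read, mod_proxy_fcgi error-document loops, mod_http HEAD, typo fixes PR 59990) each show only two +1 votes in the lines being deleted, and backports need three (cf. the "without three votes" remark further down); confirm that each collected its third vote, or note that it was withdrawn, since this file is the only record. For the autoconf entry, jchampion's "added a 2.4.x backport patch" answers ylavic's conflict remark directly above it; update or strike ylavic's "conflicts with r1753315" line now that the combined patch exists, and note that the entry still has only one +1.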
*) mod_ssl: Fix quick renegotiation (OptRenegotiaton) with no intermediate
in the client certificate chain. PR 55786.
cached entity (key), such that rewrites are taken into account when
running afterwards (CacheQuickHandler off). PR 21935.
trunk patch: http://svn.apache.org/r1756553
+ http://svn.apache.org/r1756631
2.4.x patch: trunk works (modulo CHANGES)
+ +1: ylavic, jim
+
+ *) mod_proxy_{http,ajp,fcgi}: don't reuse backend connections with data
+ available before the request is sent. PR 57832.
+ This also backports deprecation of ap_proxy_ssl_connection_cleanup() and
+ newly introduced proxy_conn->tmp_bb's usage in proxy code (both almost
+ related and immediate/simple follow ups, merge simplified by doing so).
+ trunk patch: http://svn.apache.org/r1750392
+ http://svn.apache.org/r1750412
+ http://svn.apache.org/r1750416
+ http://svn.apache.org/r1750474
+ http://svn.apache.org/r1750494
+ http://svn.apache.org/r1750508
+ 2.4.x patch: trunk works (modulo CHANGES/MMN), or:
+ http://home.apache.org/~ylavic/patches/httpd-2.4.x-r1750392.patch
+1: ylavic
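Review bot: the entry that r1756631 and the ylavic/jim votes are attached to is garbled in the surrounding context: its heading is mod_ssl OptRenegotiation PR 55786, but the description continues with text about a cached entity key and CacheQuickHandler PR 21935, i.e. two entries appear to have been merged; split them back before treating the votes as agreement on one change, so it is clear which revision belongs to which. For the new mod_proxy_{http,ajp,fcgi} entry, the PR 57832 fix is bundled with the ap_proxy_ssl_connection_cleanup() deprecation and the proxy_conn->tmp_bb change because the merge is simpler; list which of the six revisions carry the fix and which are the follow-ups so reviewers can vote on the behavioural change on its own, and state whether the MMN bump behind "modulo CHANGES/MMN" is minor.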
+ * mpm_winnt: disable the 'data' accept filter entirely to prevent denial of
+ service. PR 59970.
+ trunk patch: http://svn.apache.org/r1758307
+ http://svn.apache.org/r1758308
+ http://svn.apache.org/r1758309
+ http://svn.apache.org/r1758311
+ 2.4.x patch: trunk works (modulo CHANGES and APLOGNO's next-number)
+ +1: jchampion, wrowe
+
+ * mpm_winnt: always zero out OVERLAPPED structs when recycling them.
+ trunk patch: http://svn.apache.org/r1758310
+ 2.4.x patch: trunk works
+ +1: jchampion, wrowe
+
+ * mod_status: Delay some memory allocation
+ Fix <p> tag closing syntax
+ trunk patch: http://svn.apache.org/r1757010
+ http://svn.apache.org/r1757011
+ 2.4.x patch: trunk works
+ +1: jailletc36, jchampion
+ jchampion: nitpick: r1757010 introduces trailing whitespace
+
+ * mod_proxy_connect: Delay some memory allocation
+ Fix some style (space only)
+ trunk patch: http://svn.apache.org/r1756852
+ http://svn.apache.org/r1756853
+ 2.4.x patch: trunk works
+ +1: jailletc36, jchampion
+
+ * mod_authn_dbd: Remove an unused structure
+ trunk patch: http://svn.apache.org/r1756846
+ 2.4.x patch: trunk works
+ +1: jailletc36, jchampion
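Review bot: the five entries added at the end of PATCHES PROPOSED (mpm_winnt x2, mod_status, mod_proxy_connect, mod_authn_dbd) use the `* ` bullet form while the entries above them use `*)`; align them so anyone scanning for `*)` finds them. The mpm_winnt 'data' accept filter entry is a denial-of-service fix (PR 59970) and, unlike the httpoxy entry at the top, says nothing about whether it is tracked as a security fix; add that, and spell out that "modulo APLOGNO's next-number" means the backporter must allocate a fresh APLOGNO for 2.4.x. jchampion's trailing-whitespace nitpick on r1757010 is best fixed in trunk before the backport so the whitespace is not carried into 2.4.x.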
PATCHES/ISSUES THAT ARE BEING WORKED
+1: jkaluza
+1: covener w/ doc or code to fix syntax (providername:providerarg not supported like syslog or socacheproviders,
needs 2 args which is not valid in ErrorLog manual)
- trawick: nit: fix "writing" in "/* NULL if we are writting to syslog */"
+ trawick: nit: fix "writing" in "/* NULL if we are writing to syslog */"
(sorry, haven't finished reviewing completely)
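Review bot: this change defeats the nit it edits: trawick's line deliberately quoted the misspelled comment `/* NULL if we are writting to syslog */` so the target could be found, and replacing it with the corrected spelling leaves a note asking to fix "writing" in a comment that now already reads "writing". Either drop the line, if the source comment has been corrected, or reword it as `fix "writting" -> "writing" in the syslog comment` so the target stays identifiable.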
jim: What is the status of this??
+1: jkaluza
* mod_proxy: Ensure network errors detected by the proxy are returned as
- 504 Gateway Timout as opposed to 502 Bad Gateway
+ 504 Gateway Timeout as opposed to 502 Bad Gateway
trunk patch: https://svn.apache.org/viewvc?view=revision&revision=1480058
2.4.x patch: trunk patch works modulo CHANGES
+1:
of described indirectly in a sample?
Why are these new samples added to the install without three
votes? (I didn't veto it; put your name next to the two
- existing ones and I'll be satisified that enough people
+ existing ones and I'll be satisfied that enough people
considered this addition as an appropriate solution for a
real httpd usability problem.)
wrowe: I'd agree with trawick, and suggest that these scripts can begin