Topic: Apache httpd 2.4.42-dev VS16 snapshot 1 available

[Steffen]

The snapshot contains already committed changes for the coming 2.4.42.

See Changes below.
Noticeable is mod_md with lots new features.

When more changes are applied we come with a new snapshot.

Download: Removed


PGP and check sums on request.

The snapshot is based on svn branches/2.4 Revision 1874288 Fri Feb 21 00:36:36 2020 UTC.

Please give it a try !!

Enjoy

Steffen



25-March-2019 Changes with 2.4.42-dev-snap1

Apache Lounge changes:

*) Upgraded OpenSSL to 1.1.1d from 1.1.1c
*) Upgraded nghttp2 to 1.40.0 from 1.39.1
*) Upgraded curl to 7.68.0 from 7.65.3
*) Upgraded pcre to 8.44 from 8.43
*) Upgraded libxml2 2.9.10 from 2.9.9
*) Upgraded expat to 2.2.9 from 2.2.7

ASF changes:

*) Add a config layout for OpenWRT. [Graham Leggett]

*) Add support for cross compiling to apxs. If apxs is being executed from somewhere
other than its target location, add that prefix to includes and library directories.
Without this, apxs would fail to find config_vars.mk and exit. [Graham Leggett]

*) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
[Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]

*) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
[Graham Leggett]

*) mod_ssl: Support use of private keys and certificates from an
OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
[Anderson Sasaki <ansasaki redhat.com>, Joe Orton]

*) mod_md:
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
- protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
- Softening the restrictions where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
you wanted in the first place, is another matter.
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]

*) test: Added continuous testing with Travis CI.
This tests various scenarios on Ubuntu with the full test suite.
Architectures tested: amd64, s390x, ppc64le, arm64
The tests pass successfully.
[Luca Toscano, Joe Orton, Mike Rumph, and others]

*) core: Be stricter in parsing of Transfer-Encoding headers.
[ZeddYu <zeddyu.lu gmail.com>, Eric Covener]

*) mod_ssl: negotiate the TLS protocol version per name based vhost
configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
SSLProtocol (from the first vhost declared on the IP:port) is now only
relevant if no SSLProtocol is declared for the vhost or globally,
otherwise the vhost or global value apply. [Yann Ylavic]

*) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
output. PR 64096. [Joe Orton]

*) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
[Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]

*) mod_systemd: New module providing integration with systemd. [Jan Kaluza]

*) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
r:notes_table, r:subprocess_env_table as read-only native table alternatives
that can be iterated over. [Eric Covener]

*) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
[Yann Ylavic, Stefan Eissing]

*) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
r.headers_out, etc) to remove the key from the table. PR63971.
[Eric Covener]

*) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
always `on`, regardless of configuration. Found and reported by
<Armin.Abfalterer@united-security-providers.ch> and
<Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]

*) mod_http2: Multiple field length violations in the same request no longer cause
several log entries to be written. [@mkauf]

*) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
[Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]

*) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
[Jim Jagielski]

*) mod_authn_socache: Increase the maximum length of strings that can be cached by
the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]

*) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
[Ruediger Pluem, Eric Covener]

*) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
valid (For example, testing for a file on a flash drive that is not mounted)
[Christophe Jaillet]

*) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
means 'foo' is "not acceptable". PR 58158 [Chistophe Jaillet]

*) mod_md v2.2.3:
- Configuring MDCAChallenges replaces any previous existing challenge configuration. It
had been additive before which was not the intended behaviour. [@mkauf]
- Fixing order of ACME challenges used when nothing else configured. Code now behaves as
documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
- Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
- Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
"transfer-encoding" to POST requests. This failed in directy communication with
Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]

*) mod_md: Adding the several new features.
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. If can be used
for sites that do not have ACME certificates.
The url for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certicate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example to applications that require it in different
locations or formats.
[Stefan Eissing]

*) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]

[DnvrSysEngr]

Granted I have a very basic implementation of Apache, this version (2.4.42) appears to be working without any issues for me.

Thank you everyone for your dedication.

-S

[admin]

Thanks for testing.
Snap1 was downloaded a lot, but mostly when there are no problems users are not posting.

So special thanks to DnvrSysEngr !

Removed the downloads.

Yesterday the 2.4.42 voting has started and differs minor with the above Snap1.

Stay tuned for 2.4.42.

Changelog is already at www.apachelounge.com/Changelog-2.4.html

[Jan-E]

[glsmith]

Go to 2.4.43 since numbers are cheap. When that will happen is the question.

[Steffen]

The vote did not passed.

Waiting now for vote 2.4.43.

[Jan-E]

The vote for 2.4.43 has started now.

Beware of using OpenSSL 1.1.1e for the next AL Release. Stay at OpenSSL 1.1.1d. A bugfix release for OpenSSL 1.1.1e is expected:
https://github.com/openssl/openssl/issues/11378

[glsmith]

I don't know, reading through the last few comments it looks like an edge case that may not be too common. If 'f' doesn't make it by the 72 hours vote I would rather just go with 'e'.

This is a bug and not a vulnerability. I would rather have a bug that causes an error now and then than a vulnerability no matter how low a priority that 'd' has.

Since I already had the AH downloads built and packaged before you pointed us to this, I would rather not start over now only to have to do it all over yet a third (or 4th if 2.4.43 fails the vote) time.

I have 36+/- hours to think about it at least and see what happens. I have been running it myself since 09:30 my time. So far no problems but I don't have a very busy server.

[admin]

Already is 1.1.1e included in the current 2.4.41 build since more then a week. Downloaded over 50.000.

No issues reported.

[Jan-E]

[Otomatic]

[Steffen]

For now I stay with 1.1.1e in the current 2.4.41 and the coming 2.4.43. When it is a serious issue, we hear from OpenSSL.org.

Going back to 1.1.1d is no option at the moment, because there were quite some urgent requests for 1.1.1e. And also IAVA published and requires compliance in some industries.

[Jan-E]

nginx seems to stick with OpenSSL 1.1.1d for the moment.
https://forum.nginx.org/read.php?2,287377,287427#msg-287427

The official PHP releases are also shipped with OpenSSL 1.1.1d. I checked that for PHP 7.4.4, released March 19:
https://windows.php.net/download

[admin]

Found: in one of the links above ;

[glsmith]

@Otomatic

If you'll notice on the download pages, it says "Updated March 2020." Then if you click on the "Info & Changelog" link under the "Apache 2.4 VC15/VS16" headers you'll see OpenSSL 1.1.1e listed.

[glsmith]

Per the OSSL bug report:

HTTP/2 is unaffected.
HTTP/1.1 if not using chunked encoding and not receiving a content-length header it'll error.
HTTP/0.9 & 1.0 are problematic because they do not include content-length headers and I'm not sure if they can do chunked encoding or not.

As far as my reading translates in my brain, there's a number of factors that have to be met to run into this bug. Looking at yesterdays log 96% of connections to my server were HTTP/2, 1 came in at HTTP/1.0 and the little left over were HTTP/1.1.

Curling into my server with HTTP/1.0 I get upgraded to HTTP/1.1. Personally I don't want HTTP/0.9 or 1.0 speaking to my server anyway. That you cannot turn off 0.9 or 1.0 in Apache (see Protocols) I'm not fond of but there's always;

<If "%{SERVER_PROTOCOL} =~ /HTTP\/(0.9|1.0)">
Require all denied
</If>

Which I just may try out of personal interest.

I see the merit in your thinking and would just hold off on 2.4.43 at AH if I knew 1.1.1f was going to release in a day or two. But policy there is similar to here, no -dev, current released versions.

[Jan-E]

Matt Caswell in gmane.comp.encryption.openssl.project (Fri, 27 Mar 2020 14:10:18 +0000):

[Steffen]

Asked the Apache dev's :


Rainer:

I did a few hundred test suite runs on 5 platforms for the 2.4.42 release candidate against OpenSSL 1.1.1e and noticed no special new ssl related errors.

So either our tests do not detect it or httpd does not have that problem.

There will be a new OpenSSL 1.1.1f release next week.

Rüdiger:

From a quick look at the code I would say that we are not affected. Unless ssl-unclean-shutdown
(http://httpd.apache.org/docs/2.4/ssl/ssl_faq.html) is set and we did not detect a closed socket we sent a close_notify alert via
modssl_smart_shutdown.

For me no worry. Also because I have no reports related to SSL.

[Jan-E]

The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 1.1.1f.

This release will be made available on Tuesday 31st March 2020 between 1200-1600 UTC. This is a bug fix only release.

[long76]

openssl 1.1.1f released(https://github.com/openssl/openssl/releases)