On 2017-01-22 11:25:08, Stefan Fritsch wrote:
> On Thursday, 19 January 2017 20:47:15 CET Stefan Fritsch wrote:
>> On Tuesday, 17 January 2017 11:59:17 CET Antoine Beaupré wrote:
>> > I would need people to start testing the package at this point, not
>> > necessarily in production considering how big the change is, but your
>> > comfort level will vary with the severity and complexity of services. :)
>>
>> There is a separate test suite available, though it needs some tweaks to
>> make it run with the Debian config layout. I will try to find some time
>> coming week- end to run it against the wheezy package with and without your
>> changes.
>
> This doesn't look too bad, but not perfect. The diff of the results from
> 2.2.22-13+deb7u7 to your packages, with tweaks to make the test suite run the
> tests that are new for 2.2.32 is this:
>
> Test Summary Report
> -------------------
> t/apache/chunkinput.t (Wstat: 0 Tests: 37 Failed: 1)
> Failed test: 3
> t/apache/contentlength.t (Wstat: 0 Tests: 24 Failed: 8)
> Failed tests: 2, 4, 14, 16, 18, 20, 22, 24
> +t/apache/http_strict.t (Wstat: 0 Tests: 85 Failed: 3)
> + Failed tests: 2, 8, 26
> +t/apache/mmn.t (Wstat: 0 Tests: 2 Failed: 1)
> + Failed test: 2
> +t/apache/server_name_port.t (Wstat: 0 Tests: 84 Failed: 0)
> + TODO passed: 57, 60, 81, 84
> t/security/CVE-2005-3352.t (Wstat: 0 Tests: 2 Failed: 1)
> Failed test: 2
> -Files=116, Tests=3479, 233 wallclock secs ( 1.31 usr 0.12 sys + 51.14 cusr
> 8.12 csys = 60.69 CPU)
> +Files=116, Tests=3567, 238 wallclock secs ( 1.36 usr 0.07 sys + 52.43 cusr
> 8.02 csys = 61.88 CPU)
>
> The mmn.t fail is expected and ok. You haven't backported all new features
> from 2.2.32, so you should not bump the magic number to the number from
> 2.2.32.
Understood. I was wondering if I should change it somehow... Note that I
do not use the 2.2.32 version, but some inferior one, which is probably
also wrong... I have just removed this chunk from the patchset.
> The messages from t/apache/server_name_port.t are just unexpected PASSes,
> probably the test suite lacks proper TODO specification for 2.2.32 here.
Ack.
> Apart from that, your package does not cause any regressions. However, of the
> new tests for the HTTPProtocolOptions feature, three tests fail. Two of these
> have to do with NUL-Bytes in the request.
Right, good catch, I'll take a look at those now.
> I have put the full logs and some scripts and diffs to run the test suite at
> [1].
Thanks!!
> For jessie, I am not that far, yet. So I don't have any hints about the
> http_strict.t test fails.
Understood, I'll report back what I found.
> In 2.4.25, the changes have been reported to break underscores in hostnames
> [2]. While these are not RFC-conforming, this is probably not something one
> should break in a security update. Therefore I would relax the hostname
> checking to also accept underscores. I think the relevant code is in vhost.c
> in fix_hostname_non_v6() .
I agree. Lots of domain names break RFC, I was surprised to find in the
past... I'll take a look.
By the way, would it be possible to enable the test suite in the package
build, since we have the code ready to go there anyways? Or in
autopkgtest?
I was wondering how to run the apache2 test suite, which I figured would
necessarily exist, but didn't find it in the package so I gave up...
a.
--
We must learn to live together as brothers or perish together as fools.
- Martin Luther King, Jr.
