Status: Closed (wrowe closed this issue 2 years ago)
Holding up closing this to verify resolution
httpd 2.4.52 remains incompatible with pcre2-10.x. As the author dropped ftp.pcre.org but maintains its alias ftp.exim.org, we were able to provide a temporary band-aid for this problem, fixed for now on the main branch.
Beyond the logistics, I'll be moving ahead with plans to offer the pcre2 backport from trunk to the 2.4.x release branch for the 2.4.53 release.
httpd 2.4.53 is now compatible with both pcre-8.x and pcre2-10.x. Closing as resolved.
Per https://pcre.org - the Apache HTTP Server supported pcre library v8.x is at end of life at release 8.45.
In the process, development of the pcre2 version 10.x branch was moved to its new home at https://github.com/PhilipHazel/pcre2
https://ftp.pcre.org/ was also shuttered, with the project offering the historical unofficial sourceforge mirror. That clickbait engine is unusable for package automation, leaving fossies.org as one last unofficial 'mirror' from which to obtain the final package. If migration to pcre2-10.x is not feasible today, we will have to elect between recognizing fossies.org as that mirror or mirroring the pcre-8.45.tar.bz + .sig elsewhere for this build.
"pcre2" is now at version 10.39 - a significant rewrite and redesign to address some underlying flaws that made pcre 8.x ripe for various abuse patterns. The patches exist upstream at httpd for pcre 10.x support.
That support drops a specific memory-usage optimization which relied on pcre capturing expression groups on the stack. This general pattern, together with malicious actors abusing stack overflow or underflow, has led to various security vulnerabilities in the past when combined with vulnerabilities in pcre itself. The change from pcre 8.x to pcre2-10.x will have a measurable performance impact, which is entirely justified in terms of the security benefit of this change.
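The issue above weighs which host to treat as the download mirror for the final pcre-8.45 tarball. Whichever mirror is chosen, the build should trust a digest pinned in the build script rather than the host. The following is an added example, not code from this thread or from the httpd or pcre projects; the helper names (`sha256_of`, `verify_pinned`, `fetch_pinned`) and the `.tar.bz2` file in the usage line are hypothetical, and the expected digest is whatever the build maintainer records after verifying the upstream `.sig` once by hand.

```shell
#!/bin/sh
# Added example (not from the httpd or pcre projects): fetch a source tarball
# from whichever mirror the build settles on and refuse to use it unless it
# matches a SHA-256 pinned in the build script. Helper names are hypothetical.
set -eu

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned FILE EXPECTED_SHA256: returns 0 on match, 1 on mismatch.
verify_pinned() {
    actual=$(sha256_of "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
}

# fetch_pinned URL EXPECTED_SHA256 DEST: download only if DEST is absent,
# then verify. A file that fails verification is deleted so that a retry
# cannot silently reuse a tampered or truncated download.
fetch_pinned() {
    url=$1; expected=$2; dest=$3
    if [ ! -f "$dest" ]; then
        curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
    fi
    if ! verify_pinned "$dest" "$expected"; then
        rm -f "$dest"
        return 1
    fi
}

# Usage (hypothetical mirror URL and digest, supplied by the build maintainer):
# fetch_pinned "https://mirror.example/pcre-8.45.tar.bz2" "$PINNED_SHA256" pcre-8.45.tar.bz2
```

The `--proto '=https'` and `--tlsv1.2` flags keep curl from following a redirect down to plain HTTP, and the pinned digest is checked even when the file was already present, so a stale or replaced cache entry is caught on every build rather than only on first download.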