Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2022-03-15 19:04:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new.25692 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2"

Tue Mar 15 19:04:18 2022 rev:193 rq:961736 version:2.4.53

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes  2022-02-03 23:17:05.636363978 +0100
+++ /work/SRC/openSUSE:Factory/.apache2.new.25692/apache2.changes  2022-03-15 19:04:57.912949956 +0100
@@ -1,0 +2,79 @@ +Mon Mar 14 12:19:36 UTC 2022 - pgaj...@suse.com + +- httpd-framework updated to svn1898917 +- deleted patches + - apache-test-DirectorySlash-NotFound-logic.patch (upstreamed) + - apache2-perl-io-socket.patch (upstreamed) + +------------------------------------------------------------------- +Mon Mar 14 11:20:53 UTC 2022 - pgaj...@suse.com + +- version update to 2.4.53 + *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds + (cve.mitre.org) + Out-of-bounds Write vulnerability in mod_sed of Apache HTTP + Server allows an attacker to overwrite heap memory with possibly + attacker provided data. + This issue affects Apache HTTP Server 2.4 version 2.4.52 and + prior versions. + Credits: Ronald Crane (Zippenhop LLC) + *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with + very large or unlimited LimitXMLRequestBody (cve.mitre.org) + If LimitXMLRequestBody is set to allow request bodies larger + than 350MB (defaults to 1M) on 32 bit systems an integer + overflow happens which later causes out of bounds writes. + This issue affects Apache HTTP Server 2.4.52 and earlier. + Credits: Anonymous working with Trend Micro Zero Day Initiative + *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability + in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org) + Apache HTTP Server 2.4.52 and earlier fails to close inbound + connection when errors are encountered discarding the request + body, exposing the server to HTTP Request Smuggling + Credits: James Kettle <james.kettle portswigger.net> + *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of + in r:parsebody (cve.mitre.org) + A carefully crafted request body can cause a read to a random + memory area which could cause the process to crash. + This issue affects Apache HTTP Server 2.4.52 and earlier. + Credits: Chamal De Silva + *) core: Make sure and check that LimitXMLRequestBody fits in system memory. 
+ [Ruediger Pluem, Yann Ylavic] + *) core: Simpler connection close logic if discarding the request body fails. + [Yann Ylavic, Ruediger Pluem] + *) mod_http2: preserve the port number given in a HTTP/1.1 + request that was Upgraded to HTTP/2. Fixes PR65881. + [Stefan Eissing] + *) mod_proxy: Allow for larger worker name. PR 53218. [Yann Ylavic] + *) dbm: Split the loading of a dbm driver from the opening of a dbm file. When + an attempt to load a dbm driver fails, log clearly which driver triggered + the error (not "default"), and what the error was. [Graham Leggett] + *) mod_proxy: Use the maxium of front end and backend timeouts instead of the + minimum when tunneling requests (websockets, CONNECT requests). + Backend timeouts can be configured more selectively (per worker if needed) + as front end timeouts and typically the backend timeouts reflect the + application requirements better. PR 65886 [Ruediger Pluem] + *) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers + when an efficient TLS implementation is available. [Yann Ylavic] + *) core, mod_info: Add compiled and loaded PCRE versions to version + number display. [Rainer Jung] + *) mod_md: do not interfere with requests to /.well-known/acme-challenge/ + resources if challenge type 'http-01' is not configured for a domain. + Fixes <https://github.com/icing/mod_md/issues/279>. + [Stefan Eissing] + *) mod_dav: Fix regression when gathering properties which could lead to huge + memory consumption proportional to the number of resources. + [Evgeny Kotkov, Ruediger Pluem] + *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x) + for regular expression evaluation. This depends on locating pcre2-config. + [William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung] + *) Add the ldap function to the expression API, allowing LDAP filters and + distinguished names based on expressions to be escaped correctly to + guard against LDAP injection. 
[Graham Leggett] + *) mod_md: the status description in MDomain's JSON, exposed in the + md-status handler (if configured) did sometimes not carry the correct + message when certificates needed renew. + [Stefan Eissing] + *) mpm_event: Fix a possible listener deadlock on heavy load when restarting + and/or reaching MaxConnectionsPerChild. PR 65769. [Yann Ylavic] + +------------------------------------------------------------------- Old: ---- apache-test-DirectorySlash-NotFound-logic.patch apache2-perl-io-socket.patch httpd-2.4.52.tar.bz2 httpd-2.4.52.tar.bz2.asc httpd-framework-svn1894461.tar.bz2 New: ---- httpd-2.4.53.tar.bz2 httpd-2.4.53.tar.bz2.asc httpd-framework-svn1898917.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.VnGGnD/_old 2022-03-15 19:05:00.512951719 +0100 +++ /var/tmp/diff_new_pack.VnGGnD/_new 2022-03-15 19:05:00.516951721 +0100 @@ -18,7 +18,7 @@ %global upstream_name httpd %global testsuite_name %{upstream_name}-framework -%global tversion svn1894461 +%global tversion svn1898917 %global flavor @BUILD_FLAVOR@%{nil} %define mpm %{nil} %if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork" @@ -115,7 +115,7 @@ %endif Name: apache2%{psuffix} -Version: 2.4.52 +Version: 2.4.53 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 @@ -198,10 +198,6 @@ # even if in live system I do not experience this inconsistency, let's turn off # these variables from the test Patch101: apache-test-turn-off-variables-in-ssl-var-lookup.patch -# PATCH: reverted logic, DirectorySlash NotFound is available in trunk onlyyet -Patch102: apache-test-DirectorySlash-NotFound-logic.patch -# https://svn.apache.org/viewvc?view=revision&revision=1896889 -Patch103: apache2-perl-io-socket.patch BuildRequires: apache-rpm-macros-control #Since 2.4.7 the event MPM requires apr 1.5.0 or later. BuildRequires: apr-devel >= 1.5.0 
@@ -330,10 +326,6 @@ %patch4 -p1 %patch100 -p1 %patch101 -p1 -%patch102 -p1 -(cd httpd-framework -%patch103 -p4 -) # # BUILD ++++++ httpd-2.4.52.tar.bz2 -> httpd-2.4.53.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/apache2/httpd-2.4.52.tar.bz2 /work/SRC/openSUSE:Factory/.apache2.new.25692/httpd-2.4.53.tar.bz2 differ: char 11, line 1 ++++++ httpd-framework-svn1894461.tar.bz2 -> httpd-framework-svn1898917.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/scripts/memcached-init.sh new/httpd-framework/scripts/memcached-init.sh --- old/httpd-framework/scripts/memcached-init.sh 2021-03-24 12:48:50.816365345 +0100 +++ new/httpd-framework/scripts/memcached-init.sh 2022-03-14 12:48:21.558183476 +0100 @@ -1,7 +1,7 @@ #!/bin/bash -ex DOCKER=${DOCKER:-`which docker 2>/dev/null || which podman 2>/dev/null`} ${DOCKER} build -t httpd_memcached - <<EOF -FROM quay.io/centos/centos:8 +FROM quay.io/centos/centos:stream8 RUN yum install -y memcached CMD /usr/bin/memcached -u memcached -v EOF diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/scripts/redis-init.sh new/httpd-framework/scripts/redis-init.sh --- old/httpd-framework/scripts/redis-init.sh 2021-03-24 12:48:50.816365345 +0100 +++ new/httpd-framework/scripts/redis-init.sh 2022-03-14 12:48:21.558183476 +0100 @@ -1,7 +1,7 @@ #!/bin/bash -ex DOCKER=${DOCKER:-`which docker 2>/dev/null || which podman 2>/dev/null`} ${DOCKER} build -t httpd_redis - <<EOF -FROM quay.io/centos/centos:8 +FROM quay.io/centos/centos:stream8 RUN yum install -y redis CMD /usr/bin/redis-server EOF diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/conf/extra.conf.in new/httpd-framework/t/conf/extra.conf.in --- old/httpd-framework/t/conf/extra.conf.in 2021-11-24 10:46:13.874812668 +0100 +++ new/httpd-framework/t/conf/extra.conf.in 2022-03-14 12:48:21.594183689 +0100 
@@ -918,6 +918,15 @@ </IfModule> ## +## mod_dumpio configuration +## +<IfModule mod_dumpio.c> + DumpIOInput on + DumpIOOutput on + LogLevel dumpio:trace7 +</IfModule> + +## ## LogLevel configuration ## <IfDefine APACHE2> @@ -1447,3 +1456,19 @@ </IfModule> </IfModule> +# +# t/modules/sed.t test config +# +<IfModule mod_sed.c> + AliasMatch /apache/sed/[^/]+/(.*) @DocumentRoot@/$1 + + <Location /apache/sed/> + AddOutputFilter sed .html + </Location> + + <Location /apache/sed/out-foo> + OutputSed "s/foo/bar/g" + </Location> +</IfModule> + + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/modules/dir.t new/httpd-framework/t/modules/dir.t --- old/httpd-framework/t/modules/dir.t 2021-11-24 10:46:13.886812737 +0100 +++ new/httpd-framework/t/modules/dir.t 2022-03-14 12:48:21.702184323 +0100 @@ -97,11 +97,11 @@ $res = GET "/modules/dir/htaccess", redirect_ok => 0; ok ($res->code == 403); -if (have_min_apache_version('2.5.1')) { +if (!have_min_apache_version('2.5.1')) { skip("missing DirectorySlash NotFound"); } else { - $res = GET "/modules/dir/htaccess/sub1", redirect_ok => 0; + $res = GET "/modules/dir/htaccess/sub", redirect_ok => 0; ok ($res->code == 404); } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/modules/rewrite.t new/httpd-framework/t/modules/rewrite.t --- old/httpd-framework/t/modules/rewrite.t 2021-03-24 12:48:50.632364343 +0100 +++ new/httpd-framework/t/modules/rewrite.t 2022-03-14 12:48:21.702184323 +0100 @@ -26,7 +26,7 @@ # Specific tests for PR 58231 my $vary_header_tests = (have_min_apache_version("2.4.30") ? 9 : 0) + (have_min_apache_version("2.4.29") ? 4 : 0); -my $cookie_tests = have_min_apache_version("2.5.1") ? 6 : 0; +my $cookie_tests = have_min_apache_version("2.4.47") ? 6 : 0; plan tests => @map * @num + 16 + $vary_header_tests + $cookie_tests, todo => \@todo, need_module 'rewrite'; 
@@ -170,7 +170,7 @@ ok t_cmp($r->header("Vary"), qr/(?!.*Host.*)/, "Vary:Host header not added, OK"); } -if (have_min_apache_version("2.5.1")) { +if (have_min_apache_version("2.4.47")) { $r = GET("/modules/rewrite/cookie/"); ok t_cmp($r->header("Set-Cookie"), qr/(?!.*SameSite=.*)/, "samesite not present with no arg"); $r = GET("/modules/rewrite/cookie/0"); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/modules/sed.t new/httpd-framework/t/modules/sed.t --- old/httpd-framework/t/modules/sed.t 1970-01-01 01:00:00.000000000 +0100 +++ new/httpd-framework/t/modules/sed.t 2022-03-14 12:48:21.702184323 +0100 @@ -0,0 +1,26 @@ +use strict; +use warnings FATAL => 'all'; + +use Apache::Test; +use Apache::TestRequest; +use Apache::TestUtil; + +my @ts = ( + # see t/conf/extra.conf.in + { url => "/apache/sed/out-foo/foobar.html", content => 'barbar', msg => "sed output filter", code => 200 } +); + +my $tests = 2*scalar @ts; + +plan tests => $tests, need_module('sed'); + + +for my $t (@ts) { + my $req = GET $t->{'url'}; + ok t_cmp($req->code, $t->{'code'}, "status code for " . $t->{'url'}); + my $content = $req->content; + chomp($content); + ok t_cmp($content, $t->{content}, $t->{msg}); +} + + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/ssl/ocsp.t new/httpd-framework/t/ssl/ocsp.t --- old/httpd-framework/t/ssl/ocsp.t 2019-03-21 08:49:48.258795217 +0100 +++ new/httpd-framework/t/ssl/ocsp.t 2022-03-14 12:48:22.010186136 +0100 
@@ -32,13 +32,21 @@ $r = GET $url, cert => undef; my $message = $r->content() || ''; my $warning = $r->header('Client-Warning') || ''; + print "warning: $warning\n"; + print "message: $message"; + print "response:\n"; print $r->as_string; $r->code == 500 && $warning =~ 'Internal response' && - $message =~ /alert handshake failure|read failed/; + $message =~ /alert handshake failure|read failed|closed connection without sending any data/; }; sok { $r = GET $url, cert => 'client_ok'; + my $warning = $r->header('Client-Warning') || ''; + my $message = $r->content() || ''; + print "warning: $warning\n"; + print "message: $message"; + print "response:\n"; print $r->as_string; $r->code == 200; }; @@ -47,7 +55,10 @@ $r = GET $url, cert => 'client_revoked'; my $message = $r->content() || ''; my $warning = $r->header('Client-Warning') || ''; + print "warning: $warning\n"; + print "message: $message"; + print "response:\n"; print $r->as_string; $r->code == 500 && $warning =~ 'Internal response' && - $message =~ /alert certificate revoked|read failed/; + $message =~ /alert certificate revoked|read failed|closed connection without sending any data/; };
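Review bot: in the memcached-init.sh and redis-init.sh hunks, switching the base image from `centos:8` to `centos:stream8` keeps a mutable tag, and `yum install -y memcached` / `yum install -y redis` pull whatever package version the mirror serves that day, so the test backends are not reproducible between runs of the framework. Consider pinning the image by digest (`FROM quay.io/centos/centos@sha256:...`) or at least a dated tag, so a behaviour change in the backend cannot be confused with a regression in httpd.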
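Review bot: the mod_dumpio hunk in t/conf/extra.conf.in turns on `DumpIOInput on`, `DumpIOOutput on` and `LogLevel dumpio:trace7` unconditionally inside `<IfModule mod_dumpio.c>`, which writes every request and response body, including any credentials the SSL/auth tests send, into the error log for every test run in which the module is loaded. The surrounding file already gates sections with `<IfDefine APACHE2>`; wrapping this block in an `<IfDefine>` (for example one that is only set when debugging a failing test) would keep the logs small and avoid leaking test-time secrets into CI artifacts.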
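Review bot: the new mod_sed test config and t/modules/sed.t only exercise `OutputSed "s/foo/bar/g"` on a tiny static file (`foobar.html` -> `barbar`), while the CVE-2022-23943 entry in this very update describes an out-of-bounds read/write in mod_sed. A regression test that also covers `InputSed` and a body larger than the filter's internal buffer (several kilobytes, ideally with a substitution that grows the output) would give this release's security fix actual coverage; the happy-path output test as written would not have failed on 2.4.52. Minor style point in the same hunk: the two empty `+` lines appended after the closing `</IfModule>` leave trailing blank lines at the end of the file.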
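Review bot: in the t/modules/rewrite.t hunk the changed version check is fine, but the assertions it guards cannot fail: `qr/(?!.*SameSite=.*)/` (and `qr/(?!.*Host.*)/` in the Vary test just above) is an unanchored negative lookahead, so the engine simply retries at a later offset where no `SameSite=` follows and the pattern matches the empty string; a header of `SameSite=Lax` still passes "samesite not present with no arg". Anchor the lookahead to the start of the string, e.g. `qr/^(?!.*SameSite=)/`, or compare with `!~ /SameSite=/` so the negative cases really are tested now that they are enabled on 2.4.47+.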
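Review bot: in t/ssl/ocsp.t, adding `closed connection without sending any data` to the accepted failure messages for the no-cert and `client_revoked` cases weakens what the test proves: a server that drops the TLS connection for any unrelated reason (a crash, a timeout, a misconfigured vhost) now satisfies `$r->code == 500 && $warning =~ 'Internal response'` just as well as a genuine `certificate revoked` alert, so the revocation path is no longer distinguished from a generic failure. If newer TLS libraries really do close without an alert, keep the relaxed match but additionally check the server error log for the revocation/handshake message, so the test still fails when OCSP checking is silently not enforced. Also, the added `print "warning: ..."` / `print "message: ..."` / `print $r->as_string` lines run on every execution; `t_debug()` from Apache::TestUtil (already imported by the framework) would keep this output behind the verbose flag.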