Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2022-06-13 13:01:51

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new.1548 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2" Mon Jun 13 13:01:51 2022 rev:194 rq:981545 version:2.4.54 Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2022-03-15 19:04:57.912949956 +0100 +++ /work/SRC/openSUSE:Factory/.apache2.new.1548/apache2.changes 2022-06-13 13:01:53.073062883 +0200 
@@ -1,0 +2,143 @@ +Wed Jun 8 11:26:13 UTC 2022 - pgaj...@suse.com + +- update httpd-framework to svn revision 1898917 + +------------------------------------------------------------------- +Wed Jun 8 10:06:34 UTC 2022 - pgaj...@suse.com + +- version update to 2.4.54 + Changes with Apache 2.4.54 + *) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by + hop-by-hop mechanism (cve.mitre.org) + Apache HTTP Server 2.4.53 and earlier may not send the + X-Forwarded-* headers to the origin server based on client side + Connection header hop-by-hop mechanism. + This may be used to bypass IP based authentication on the origin + server/application. + Credits: The Apache HTTP Server project would like to thank + Gaetan Ferry (Synacktiv) for reporting this issue + *) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with + websockets (cve.mitre.org) + Apache HTTP Server 2.4.53 and earlier may return lengths to + applications calling r:wsread() that point past the end of the + storage allocated for the buffer. + Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-30522: mod_sed denial of service + (cve.mitre.org) + If Apache HTTP Server 2.4.53 is configured to do transformations + with mod_sed in contexts where the input to mod_sed may be very + large, mod_sed may make excessively large memory allocations and + trigger an abort. + Credits: This issue was found by Brian Moussalli from the JFrog + Security Research team + *) SECURITY: CVE-2022-29404: Denial of service in mod_lua + r:parsebody (cve.mitre.org) + In Apache HTTP Server 2.4.53 and earlier, a malicious request to + a lua script that calls r:parsebody(0) may cause a denial of + service due to no default limit on possible input size. 
+ Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-28615: Read beyond bounds in + ap_strcmp_match() (cve.mitre.org) + Apache HTTP Server 2.4.53 and earlier may crash or disclose + information due to a read beyond bounds in ap_strcmp_match() + when provided with an extremely large input buffer. While no + code distributed with the server can be coerced into such a + call, third-party modules or lua scripts that use + ap_strcmp_match() may hypothetically be affected. + Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite() + (cve.mitre.org) + The ap_rwrite() function in Apache HTTP Server 2.4.53 and + earlier may read unintended memory if an attacker can cause the + server to reflect very large input using ap_rwrite() or + ap_rputs(), such as with mod_luas r:puts() function. + Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi + (cve.mitre.org) + Apache HTTP Server 2.4.53 and earlier on Windows may read beyond + bounds when configured to process requests with the mod_isapi + module. + Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request + smuggling (cve.mitre.org) + Inconsistent Interpretation of HTTP Requests ('HTTP Request + Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server + allows an attacker to smuggle requests to the AJP server it + forwards requests to. This issue affects Apache HTTP Server + Apache HTTP Server 2.4 version 2.4.53 and prior versions. + Credits: Ricter Z @ 360 Noah Lab + *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063. 
+ [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic] + *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. + PR 65666. [Yann Ylavic] + *) mod_md: a bug was fixed that caused very large MDomains + with the combined DNS names exceeding ~7k to fail, as + request bodies would contain partially wrong data from + uninitialized memory. This would have appeared as failure + in signing-up/renewing such configurations. + [Stefan Eissing, Ronald Crane (Zippenhop LLC)] + *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. + PR 65666. [Yann Ylavic] + *) MPM event: Restart children processes killed before idle maintenance. + PR 65769. [Yann Ylavic, Ruediger Pluem] + *) ab: Allow for TLSv1.3 when the SSL library supports it. + [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic] + *) core: Disable TCP_NOPUSH optimization on OSX since it might introduce + transmission delays. PR 66019. [Yann Ylavic] + *) MPM event: Fix accounting of active/total processes on ungraceful restart, + PR 66004 (follow up to PR 65626 from 2.4.52). [Yann Ylavic] + *) core: make ap_escape_quotes() work correctly on strings + with more than MAX_INT/2 characters, counting quotes double. + Credit to <generalb...@zippenhop.com> for finding this. + [Stefan Eissing] + *) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of + an ACME CA. This gives a failover for renewals when several consecutive attempts + to get a certificate failed. + A new directive was added: `MDRetryDelay` sets the delay of retries. + A new directive was added: `MDRetryFailover` sets the number of errored + attempts before an alternate CA is selected for certificate renewals. + [Stefan Eissing] + *) mod_http2: remove unused and insecure code. Fixes PR66037. + Thanks to Ronald Crane (Zippenhop LLC) for reporting this. + [Stefan Eissing] + *) mod_proxy: Add backend port to log messages to + ease identification of involved service. 
[Rainer Jung] + *) mod_http2: removing unscheduling of ongoing tasks when + connection shows potential abuse by a client. This proved + counter-productive and the abuse detection can false flag + requests using server-side-events. + Fixes <https://github.com/icing/mod_h2/issues/231>. + [Stefan Eissing] + *) mod_md: Implement full auto status ("key: value" type status output). + Especially not only status summary counts for certificates and + OCSP stapling but also lists. Auto status format is similar to + what was used for mod_proxy_balancer. + [Rainer Jung] + *) mod_md: fixed a bug leading to failed transfers for OCSP + stapling information when more than 6 certificates needed + updates in the same run. [Stefan Eissing] + *) mod_proxy: Set a status code of 502 in case the backend just closed the + connection in reply to our forwarded request. [Ruediger Pluem] + *) mod_md: a possible NULL pointer deref was fixed in + the JSON code for persisting time periods (start+end). + Fixes #282 on mod_md's github. + Thanks to @marcstern for finding this. [Stefan Eissing] + *) mod_heartmonitor: Set the documented default value + "10" for HeartbeatMaxServers instead of "0". With "0" + no shared memory slotmem was initialized. [Rainer Jung] + *) mod_md: added support for managing certificates via a + local tailscale daemon for users of that secure networking. + This gives trusted certificates for tailscale assigned + domain names in the *.ts.net space. 
+ [Stefan Eissing] +- modified patches + % apache-test-application-xml-type.patch (refreshed) + % apache-test-turn-off-variables-in-ssl-var-lookup.patch (refreshed) + % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed) + +------------------------------------------------------------------- Old: ---- httpd-2.4.53.tar.bz2 httpd-2.4.53.tar.bz2.asc httpd-framework-svn1898917.tar.bz2 New: ---- httpd-2.4.54.tar.bz2 httpd-2.4.54.tar.bz2.asc httpd-framework-svn1901574.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.6fxOtP/_old 2022-06-13 13:01:55.157065794 +0200 +++ /var/tmp/diff_new_pack.6fxOtP/_new 2022-06-13 13:01:55.165065805 +0200 @@ -18,7 +18,7 @@ %global upstream_name httpd %global testsuite_name %{upstream_name}-framework -%global tversion svn1898917 +%global tversion svn1901574 %global flavor @BUILD_FLAVOR@%{nil} %define mpm %{nil} %if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork" 
@@ -103,19 +103,11 @@ %define psuffix -%{flavor} %endif -%if 0%{?suse_version} >= 1500 %define use_firewalld 1 -%else -%define use_firewalld 0 -%endif -%if 0%{?suse_version} >= 1500 || 0%{?is_opensuse} %define build_http2 1 -%else -%define build_http2 0 -%endif Name: apache2%{psuffix} -Version: 2.4.53 +Version: 2.4.54 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 ++++++ httpd-2.4.53.tar.bz2 -> httpd-2.4.54.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/apache2/httpd-2.4.53.tar.bz2 /work/SRC/openSUSE:Factory/.apache2.new.1548/httpd-2.4.54.tar.bz2 differ: char 11, line 1 ++++++ httpd-framework-svn1898917.tar.bz2 -> httpd-framework-svn1901574.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/README new/httpd-framework/README --- old/httpd-framework/README 2022-03-14 12:48:22.142186913 +0100 +++ new/httpd-framework/README 2022-06-08 13:07:45.628354895 +0200 @@ -36,7 +36,7 @@ HTTP::DAV DateTime Time::HiRes \ Test::Harness Crypt::SSLeay Net::SSLeay IO::Socket::SSL \ IO::Socket::IP IO::Select LWP::Protocol::https AnyEvent \ - AnyEvent::WebSocket::Client FCGI + AnyEvent::WebSocket::Client LWP::Protocol::AnyEvent::http FCGI ``` diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/conf/extra.conf.in new/httpd-framework/t/conf/extra.conf.in --- old/httpd-framework/t/conf/extra.conf.in 2022-03-14 12:48:21.594183689 +0100 +++ new/httpd-framework/t/conf/extra.conf.in 2022-06-08 13:07:45.728355485 +0200 @@ -1462,6 +1462,11 @@ <IfModule mod_sed.c> AliasMatch /apache/sed/[^/]+/(.*) @DocumentRoot@/$1 + <Location /apache/sed-echo> + SetHandler echo_post + SetInputFilter sed + </Location> + <Location /apache/sed/> AddOutputFilter sed .html </Location> 
@@ -1469,6 +1474,13 @@ <Location /apache/sed/out-foo> OutputSed "s/foo/bar/g" </Location> + <Location /apache/sed-echo/input> + InputSed "s/foo/bar/g" + </Location> + <Location /apache/sed-echo/out-foo-grow> + SetOutputFilter sed + OutputSed "s/foo/barbarbarbar/g" + </Location> </IfModule> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/conf/ssl/proxyssl.conf.in new/httpd-framework/t/conf/ssl/proxyssl.conf.in --- old/httpd-framework/t/conf/ssl/proxyssl.conf.in 2022-03-14 12:48:21.594183689 +0100 +++ new/httpd-framework/t/conf/ssl/proxyssl.conf.in 2022-06-08 13:07:45.728355485 +0200 @@ -51,6 +51,8 @@ ProxyPass / https://@proxyssl_url@/ ProxyPassReverse / https://@proxyssl_url@/ + + ProxyPass /proxy/wsoc wss://localhost:@proxy_https_https_port@/modules/lua/websockets.lua </VirtualHost> #here we can test http <-> https using SSLProxyMachine* inside <Proxy> @@ -118,7 +120,6 @@ ProxyPass / http://@servername@:@port@/ ProxyPassReverse / http://@servername@:@port@/ </VirtualHost> - </IfModule> </IfModule> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/htdocs/modules/lua/websockets.lua new/httpd-framework/t/htdocs/modules/lua/websockets.lua --- old/httpd-framework/t/htdocs/modules/lua/websockets.lua 2022-03-14 12:48:21.726184465 +0100 +++ new/httpd-framework/t/htdocs/modules/lua/websockets.lua 2022-06-08 13:07:45.696355296 +0200 
@@ -2,6 +2,11 @@ if r:wsupgrade() then -- if we can upgrade: while true do local line, isFinal = r:wsread() + local len = string.len(line); + r:debug(string.format("writing line of len %d: %s", len, line)) + if len >= 1024 then + r:debug("writing line ending in '" .. string.sub(line, -127, -1) .. "'") + end r:wswrite(line) if line == "quit" then r:wsclose() -- goodbye! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/modules/proxy_websockets.t new/httpd-framework/t/modules/proxy_websockets.t --- old/httpd-framework/t/modules/proxy_websockets.t 2022-03-14 12:48:21.654184041 +0100 +++ new/httpd-framework/t/modules/proxy_websockets.t 2022-06-08 13:07:45.728355485 +0200 @@ -6,7 +6,10 @@ use Apache::TestUtil; use Apache::TestConfig (); -my $total_tests = 1; +# not reliable, hangs for some people: +# my @test_cases = ( "ping0", "ping1" x 10, "ping2" x 100, "ping3" x 1024, "ping4" x 4096, "sendquit"); +my @test_cases = ( "ping0", "ping1" x 10, "ping2" x 100, "ping3" x 1024, "sendquit"); +my $total_tests = 2; plan tests => $total_tests, need 'AnyEvent::WebSocket::Client', need_module('proxy_http', 'lua'), need_min_apache_version('2.4.47'); @@ -21,7 +24,8 @@ my $quit_program = AnyEvent->condvar; -my $pingok = 0; +my $responses = 0; +my $surprised = 0; $client->connect("ws://$hostport/proxy/wsoc")->cb(sub { our $connection = eval { shift->recv }; 
@@ -33,21 +37,45 @@ return; } - $connection->send('ping'); + # AnyEvent::WebSocket::Connection does not pass the PONG message down to the callback + # my $actualpingmsg = AnyEvent::WebSocket::Message->new(opcode => 0x09, body => "xxx"); + # $connection->send($actualpingmsg); + + foreach (@test_cases){ + $connection->send($_); + } + + $connection->on(finish => sub { + t_debug("finish"); + }); + # recieve message from the websocket... $connection->on(each_message => sub { # $connection is the same connection object # $message isa AnyEvent::WebSocket::Message my($connection, $message) = @_; - t_debug("wsoc msg received: " . $message->body); - if ("ping" eq $message->body) { - $pingok = 1; + $responses++; + t_debug("wsoc msg received: " . substr($message->body, 0, 5). " opcode " . $message->opcode); + if ("sendquit" eq $message->body) { + $connection->send('quit'); + t_debug("closing"); + $connection->close; # doesn't seem to close TCP. + $quit_program->send(); + } + elsif ($message->body =~ /^ping(\d)/) { + my $offset = $1; + if ($message->body ne $test_cases[$offset]) { + $surprised++; + } + } + else { + $surprised++; } - $connection->send('quit'); - $quit_program->send(); }); + }); $quit_program->recv; -ok t_cmp($pingok, 1); +ok t_cmp($surprised, 0); +ok t_cmp($responses, scalar(@test_cases) ); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/modules/proxy_websockets_ssl.t new/httpd-framework/t/modules/proxy_websockets_ssl.t --- old/httpd-framework/t/modules/proxy_websockets_ssl.t 1970-01-01 01:00:00.000000000 +0100 +++ new/httpd-framework/t/modules/proxy_websockets_ssl.t 2022-06-08 13:07:45.728355485 +0200 
@@ -0,0 +1,86 @@ +use strict; +use warnings FATAL => 'all'; + +use Apache::Test; +use Apache::TestRequest; +use Apache::TestUtil; +use Apache::TestConfig (); + +# my @test_cases = ( "ping0", "ping1" x 10, "ping2" x 100, "ping3" x 1024, "ping4" x 4000, "sendquit"); +my @test_cases = ( "ping0", "ping1" x 10, "ping2" x 100, "ping3" x 1024, "sendquit"); +my $total_tests = 2; + +plan tests => $total_tests, need 'AnyEvent::WebSocket::Client', + need_module('ssl', 'proxy_http', 'lua'), need_min_apache_version('2.4.47'); + +require AnyEvent; +require AnyEvent::WebSocket::Client; + +my $config = Apache::Test::config(); +#my $hostport = $config->{vhosts}->{proxy_https_https}->{hostport}; +my $hostport = $config->{vhosts}->{$config->{vars}->{ssl_module_name}}->{hostport}; +my $client = AnyEvent::WebSocket::Client->new(timeout => 5, ssl_ca_file => $config->{vars}->{sslca} . "/" . $config->{vars}->{sslcaorg} . "/certs/ca.crt"); + +my $quit_program = AnyEvent->condvar; + +my $responses = 0; +my $surprised = 0; + +t_debug("wss://$hostport/modules/lua/websockets.lua"); + +# $client->connect("wss://$hostport/proxy/wsoc")->cb(sub { +$client->connect("wss://$hostport/modules/lua/websockets.lua")->cb(sub { + our $connection = eval { shift->recv }; + t_debug("wsoc connected"); + if($@) { + # handle error... + warn $@; + $quit_program->send(); + return; + } + + + # AnyEvent::WebSocket::Connection does not pass the PONG message down to the callback + # my $actualpingmsg = AnyEvent::WebSocket::Message->new(opcode => 0x09, body => "xxx"); + # $connection->send($actualpingmsg); + + foreach (@test_cases){ + $connection->send($_); + } + + $connection->on(finish => sub { + t_debug("finish"); + $quit_program->send(); + }); + + # recieve message from the websocket... + $connection->on(each_message => sub { + # $connection is the same connection object + # $message isa AnyEvent::WebSocket::Message + my($connection, $message) = @_; + $responses++; + t_debug("wsoc msg received: " . 
substr($message->body, 0, 5). " opcode " . $message->opcode); + if ("sendquit" eq $message->body) { + $connection->send('quit'); + t_debug("closing"); + $connection->close; # doesn't seem to close TCP. + $quit_program->send(); + } + elsif ($message->body =~ /^ping(\d)/) { + my $offset = $1; + if ($message->body ne $test_cases[$offset]) { + t_debug("wrong data"); + $surprised++; + } + } + else { + $surprised++; + } + }); + +}); + +$quit_program->recv; +ok t_cmp($surprised, 0); +# We don't expect the 20k over SSL to work, and we won't read the "sendquit" echoed back either. +ok t_cmp($responses, scalar(@test_cases)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/httpd-framework/t/modules/sed.t new/httpd-framework/t/modules/sed.t --- old/httpd-framework/t/modules/sed.t 2022-03-14 12:48:21.702184323 +0100 +++ new/httpd-framework/t/modules/sed.t 2022-06-08 13:07:45.728355485 +0200 
@@ -7,20 +7,42 @@ my @ts = ( # see t/conf/extra.conf.in - { url => "/apache/sed/out-foo/foobar.html", content => 'barbar', msg => "sed output filter", code => 200 } + { url => "/apache/sed/out-foo/foobar.html", content => 'barbar', msg => "sed output filter", code => '200' }, + # error after status sent + { url => "/apache/sed-echo/out-foo-grow/foobar.html", content => "", msg => "sed output filter too large", code => '200', body=>"foo" x (8192*1024), resplen=>0}, + { url => "/apache/sed-echo/input", content => 'barbar', msg => "sed input filter", code => '200', body=>"foobar" }, + { url => "/apache/sed-echo/input", content => undef, msg => "sed input filter", code => '200', body=>"foo" x (1024)}, + # fixme: returns 400 default error doc for some people instead + # { url => "/apache/sed-echo/input", content => '!!!ERROR!!!', msg => "sed input filter", code => '200', skippable=>true body=>"foo" x (1024*4096)} ); my $tests = 2*scalar @ts; -plan tests => $tests, need_module('sed'); +plan tests => $tests, need 'LWP::Protocol::AnyEvent::http', need_module('sed'); +# Hack to allow streaming of data in/out of mod_echo +require LWP::Protocol::AnyEvent::http; for my $t (@ts) { - my $req = GET $t->{'url'}; + my $req; + if (defined($t->{'body'})) { + t_debug "posting body of size ". length($t->{'body'}); + $req = POST $t->{'url'}, content => $t->{'body'}; + t_debug "... posted body of size ". length($t->{'body'}); + } + else { + $req = GET $t->{'url'}; + } + t_debug "Content Length " . length $req->content; ok t_cmp($req->code, $t->{'code'}, "status code for " . $t->{'url'}); - my $content = $req->content; - chomp($content); - ok t_cmp($content, $t->{content}, $t->{msg}); + if (defined($t->{content})) { + my $content = $req->content; + chomp($content); + ok t_cmp($content, $t->{content}, $t->{msg}); + } + else { + ok "no body check"; + } }
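Review bot: the first entry of the apache2.changes hunk (`@@ -1,0 +2,143 @@`), "update httpd-framework to svn revision 1898917", names the revision the package is leaving rather than the one it moves to: the apache2.spec hunk changes `%global tversion` from svn1898917 to svn1901574 and the New: list carries httpd-framework-svn1901574.tar.bz2, so the entry should read svn1901574. The same hunk also carries the "mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. PR 65666." item twice (once after the SSLFIPS item and again after the first mod_md item); the second copy can be dropped when the upstream CHANGES text is pasted in.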
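Review bot: the second apache2.spec hunk (`@@ -103,19 +103,11 @@`) removes the `%if 0%{?suse_version} >= 1500` guards so that `use_firewalld` and `build_http2` are now unconditionally 1, but the apache2.changes hunk has no entry for this packaging change. Add a changelog line stating that builds for suse_version < 1500 are no longer supported (or keep the `%else` branches if they still are), so a reader can see why an older build would now pull in firewalld and mod_http2.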
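Review bot: in the first extra.conf.in hunk (`@@ -1462,6 +1462,11 @@`) the new `<Location /apache/sed-echo>` with `SetHandler echo_post` is guarded only by the enclosing `<IfModule mod_sed.c>`; mod_sed does not provide the echo_post handler, so on a build where the module that does is absent the sed.t POST cases fail with a handler error instead of being skipped. Either wrap the block in a matching `<IfModule>` for the module providing echo_post, or have sed.t `need_module` it alongside 'sed'.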
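Review bot: the new `ProxyPass /proxy/wsoc wss://localhost:@proxy_https_https_port@/modules/lua/websockets.lua` in the proxyssl.conf.in hunk (`@@ -51,6 +51,8 @@`) hard-codes `localhost` where the neighbouring ProxyPass lines use the @servername@ and @proxyssl_url@ placeholders, so the backend TLS handshake goes to a name that need not match the test CA certificate; and the only test that could exercise it, proxy_websockets_ssl.t, has its `/proxy/wsoc` connect line commented out in favour of the direct `/modules/lua/websockets.lua` URL, leaving this route untested. Use @servername@ and re-enable the proxied connect, or hold the directive until a test covers it.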
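Review bot: in the websockets.lua hunk (`@@ -2,6 +2,11 @@`) the first `r:debug(string.format("writing line of len %d: %s", len, line))` writes the whole message to the error log regardless of size, so the `if len >= 1024` branch that logs the last 127 bytes adds a second, redundant line for the large frames rather than replacing the full dump. Log only a prefix (for example `string.sub(line, 1, 64)`) in the first call and keep the tail log for long frames; also guard `string.len(line)` with `if not line then break end`, since a nil from `r:wsread()` on a closed connection now raises a Lua error before the loop can exit.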
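Review bot: in the third proxy_websockets.t hunk (`@@ -33,21 +37,45 @@`) the new `finish` handler only calls `t_debug("finish")` and never `$quit_program->send()`, so if the server closes the socket before "sendquit" is echoed back the script blocks forever in `$quit_program->recv`, which is consistent with the "not reliable, hangs for some people" comment in the first hunk. The proxy_websockets_ssl.t added in this same commit does call `$quit_program->send()` from `finish`; do the same here so a premature close is reported as `$responses` being short of `scalar(@test_cases)` rather than as a hang.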
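Review bot: the closing comment in the proxy_websockets_ssl.t hunk (`@@ -0,0 +1,86 @@`), "We don't expect the 20k over SSL to work, and we won't read the "sendquit" echoed back either", contradicts the assertion right below it, `ok t_cmp($responses, scalar(@test_cases))`, which requires every case including "sendquit" to be echoed; the 20k case is the commented-out `"ping4" x 4000`, so the comment is stale and should be removed or turned into a TODO tied to re-enabling ping4. The `/proxy/wsoc` connect is also commented out, so despite its file name the test drives mod_lua over TLS directly and does not cover mod_proxy with a wss:// backend.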
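Review bot: in the sed.t hunk (`@@ -7,20 +7,42 @@`) the `resplen=>0` key on the out-foo-grow case is never read by the loop, which only uses `url`, `body`, `code`, `content` and `msg`, so the 24 MB POST (`"foo" x (8192*1024)`, grown fourfold by `s/foo/barbarbarbar/g`) is checked only for status '200' and an empty body after chomp; either drop the key or add an `ok t_cmp(length $req->content, $t->{resplen}, ...)` so the "error after status sent" path is actually asserted. The commented-out fixme case also has a syntax error (`skippable=>true body=>` lacks a comma and `true` is a bareword under `use strict`) that will bite whoever uncomments it.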