Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked 
in at 2023-01-24 19:42:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new.32243 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2"

Tue Jan 24 19:42:19 2023 rev:200 rq:1060451 version:2.4.55

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes  2022-12-17 
20:36:12.072491608 +0100
+++ /work/SRC/openSUSE:Factory/.apache2.new.32243/apache2.changes       
2023-01-24 20:17:25.915590463 +0100
@@ -1,0 +2,135 @@
+Wed Jan 18 21:54:41 UTC 2023 - David Anes <david.a...@suse.com>
+
+- Update to 2.4.55:
+    *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
+      2.4.55 allows a backend to trigger HTTP response splitting
+      (cve.mitre.org)
+      Prior to Apache HTTP Server 2.4.55, a malicious backend can
+      cause the response headers to be truncated early, resulting in
+      some headers being incorporated into the response body. If the
+      later headers have any security purpose, they will not be
+      interpreted by the client.
+      Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
+
+    *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
+      Possible request smuggling (cve.mitre.org)
+      Inconsistent Interpretation of HTTP Requests ('HTTP Request
+      Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
+      allows an attacker to smuggle requests to the AJP server it
+      forwards requests to.  This issue affects Apache HTTP Server
+      Apache HTTP Server 2.4 version 2.4.54 and prior versions.
+      Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
+      at Qi'anxin Group
+
+    *) SECURITY: CVE-2006-20001: mod_dav out of  bounds read, or write
+      of zero byte (cve.mitre.org)
+      A carefully crafted If: request header can cause a memory read,
+      or write of a single zero byte, in a pool (heap) memory location
+      beyond the header value sent. This could cause the process to
+      crash.
+      This issue affects Apache HTTP Server 2.4.54 and earlier.
+
+    *) mod_dav: Open the lock database read-only when possible.
+      PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
+
+    *) mod_proxy_http2: apply the standard httpd content type handling
+      to responses from the backend, as other proxy modules do. Fixes PR 66391.
+      Thanks to Jérôme Billiras for providing the patch.
+      [Stefan Eissing]
+
+    *) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
+      [Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
+      <alejandro.alvarez.ayllon cern.ch>]
+
+    *) mod_proxy_hcheck: Honor worker timeout settings.  [Yann Ylavic]
+
+    *) mod_http2: version 2.0.10 of the module, synchronizing changes
+      with the gitgub version. This is a partial rewrite of how connections
+      and streams are handled.
+      - an APR pollset and pipes (where supported) are used to monitor
+        the main connection and react to IO for request/response handling.
+        This replaces the stuttered timed waits of earlier versions.
+      - H2SerializeHeaders directive still exists, but has no longer an effect.
+      - Clients that seemingly misbehave still get less resources allocated,
+        but ongoing requests are no longer disrupted.
+      - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
+        were overwritten instead of preserved. [PR by @daum3ns]
+      - A regression in v1.15.24 was fixed that could lead to httpd child
+        processes not being terminated on a graceful reload or when reaching
+        MaxConnectionsPerChild. When unprocessed h2 requests were queued at
+        the time, these could stall. See #212.
+      - Improved information displayed in 'server-status' for H2 connections 
when
+        Extended Status is enabled. Now one can see the last request that IO
+        operations happened on and transferred IO stats are updated as well.
+      - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 
connection
+        send a GOAWAY frame much too early on new connections, leading to 
invalid
+        protocol state and a client failing the request. See PR65731 at
+        <https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
+        The module now initializes the HTTP/2 protocol correctly and allows the
+        client to submit one request before the shutdown via a GOAWAY frame
+        is being announced.
+      - :scheme pseudo-header values, not matching the
+        connection scheme, are forwarded via absolute uris to the
+        http protocol processing to preserve semantics of the request.
+        Checks on combinations of pseudo-headers values/absence
+        have been added as described in RFC 7540. Fixes #230.
+      - A bug that prevented trailers (e.g. HEADER frame at the end) to be
+        generated in certain cases was fixed. See #233 where it prevented
+        gRPC responses to be properly generated.
+      - Request and response header values are automatically stripped of 
leading
+        and trialing space/tab characters. This is equivalent behaviour to what
+        Apache httpd's http/1.1 parser does.
+        The checks for this in nghttp2 v1.50.0+ are disabled.
+      - Extensive testing in production done by Alessandro Bianchi 
(@alexskynet)
+        on the v2.0.x versions for stability. Many thanks!
+    *) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
+      request ':authority' is known. Improved test case that did not catch that
+      the previous 'fix' was incorrect.
+
+    *) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
+      using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
+
+    *) mod_proxy: The AH03408 warning for a forcibly closed backend
+      connection is now logged at INFO level.  [Yann Ylavic]
+
+    *) mod_ssl: When dumping the configuration, the existence of
+      certificate/key files is no longer tested.  [Joe Orton]
+
+    *) mod_authn_core: Add expression support to AuthName and AuthType.
+      [Graham Leggett]
+
+    *) mod_ssl: when a proxy connection had handled a request using SSL, an
+      error was logged when "SSLProxyEngine" was only configured in the
+      location/proxy section and not the overall server. The connection
+      continued to work, the error log was in error. Fixed PR66190.
+      [Stefan Eissing]
+
+    *) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
+      [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
+
+    *) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
+      [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
+
+    *) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
+
+    *) mod_md: a new directive `MDStoreLocks` can be used on cluster
+      setups with a shared file system for `MDStoreDir` to order
+      activation of renewed certificates when several cluster nodes are
+      restarted at the same time. Store locks are not enabled by default.
+      Restored curl_easy cleanup behaviour from v2.4.14 and refactored
+      the use of curl_multi for OCSP requests to work with that.
+      Fixes <https://github.com/icing/mod_md/issues/293>.
+
+    *) core: Avoid an overflow on large inputs in ap_is_matchexp.  PR 66033
+      [Ruediger Pluem]
+
+    *) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
+      storage instead of slotmem. Needed after setting
+      HeartbeatMaxServers default to the documented value 10 in 2.4.54.
+      PR 66131.  [Jérôme Billiras]
+
+    *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
+      This is a game changer for performances if client use PROPFIND a lot,
+      PR 66313. [Emmanuel Dreyfus]
+
+-------------------------------------------------------------------
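Review bot: The three SECURITY entries (CVE-2022-37436, CVE-2022-36760, CVE-2006-20001) cite only cve.mitre.org; openSUSE changelog convention is to also name the tracking bug for each CVE (a `bsc#NNNNNN` reference, number to be taken from the security team's bug) so the update can be matched to the advisory automatically. Consider appending the bug reference to each `*) SECURITY:` line, e.g. `CVE-2022-37436 [bsc#<placeholder>]`. The rest of the entry is upstream's CHANGES text copied verbatim (including its typos such as "gitgub" and "trialing"), which is acceptable but could be trimmed to the items relevant to this package.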

Old:
----
  httpd-2.4.54.tar.bz2
  httpd-2.4.54.tar.bz2.asc

New:
----
  httpd-2.4.55.tar.bz2
  httpd-2.4.55.tar.bz2.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.lvALpJ/_old  2023-01-24 20:17:27.275597510 +0100
+++ /var/tmp/diff_new_pack.lvALpJ/_new  2023-01-24 20:17:27.287597572 +0100
@@ -1,7 +1,7 @@
 #
 # spec file
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -107,7 +107,7 @@
 %define build_http2 1
 
 Name:           apache2%{psuffix}
-Version:        2.4.54
+Version:        2.4.55
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0
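Review bot: The Version bump to 2.4.55 is paired in this request with a new httpd-2.4.55.tar.bz2 / .asc pair and a 9107-line change to apache2.keyring (skipped in the diff). Before accepting, confirm that the new .asc signature verifies against the updated keyring and that the keyring change corresponds to upstream's refreshed KEYS file rather than an unrelated key being introduced; the spec hunk itself shows no change to the source verification logic, so this is the only place the supply-chain check happens.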

++++++ apache2.keyring ++++++
++++ 9107 lines (skipped)
++++ between /work/SRC/openSUSE:Factory/apache2/apache2.keyring
++++ and /work/SRC/openSUSE:Factory/.apache2.new.32243/apache2.keyring

++++++ httpd-2.4.54.tar.bz2 -> httpd-2.4.55.tar.bz2 ++++++
/work/SRC/openSUSE:Factory/apache2/httpd-2.4.54.tar.bz2 
/work/SRC/openSUSE:Factory/.apache2.new.32243/httpd-2.4.55.tar.bz2 differ: char 
11, line 1
