2024-06-08 17:38:24 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Apr 30 13:44:03 UTC 2024 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- security update
|
|
|
|
|
- added patches
|
|
|
|
|
fix CVE-2023-38709 [bsc#1222330], HTTP response splitting
|
|
|
|
|
+ apache2-CVE-2023-38709.patch
|
|
|
|
|
fix CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
|
|
|
|
|
+ apache2-CVE-2024-24795.patch
|
|
|
|
|
fix CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
|
|
|
|
|
+ apache2-CVE-2024-27316.patch
|
|
|
|
|
|
2024-05-03 11:05:23 +02:00
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 19 14:23:08 UTC 2023 - David Anes <david.anes@suse.com>
|
|
|
|
|
|
|
|
|
|
- Update to 2.4.58:
|
|
|
|
|
*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
|
|
|
|
|
memory not reclaimed right away on RST (cve.mitre.org)
|
|
|
|
|
When a HTTP/2 stream was reset (RST frame) by a client, there
|
|
|
|
|
was a time window were the request's memory resources were not
|
|
|
|
|
reclaimed immediately. Instead, de-allocation was deferred to
|
|
|
|
|
connection close. A client could send new requests and resets,
|
|
|
|
|
keeping the connection busy and open and causing the memory
|
|
|
|
|
footprint to keep on growing. On connection close, all resources
|
|
|
|
|
were reclaimed, but the process might run out of memory before
|
|
|
|
|
that.
|
|
|
|
|
This was found by the reporter during testing of CVE-2023-44487
|
|
|
|
|
(HTTP/2 Rapid Reset Exploit) with their own test client. During
|
|
|
|
|
"normal" HTTP/2 use, the probability to hit this bug is very
|
|
|
|
|
low. The kept memory would not become noticeable before the
|
|
|
|
|
connection closes or times out.
|
|
|
|
|
Users are recommended to upgrade to version 2.4.58, which fixes
|
|
|
|
|
the issue.
|
|
|
|
|
Credits: Will Dormann of Vul Labs
|
|
|
|
|
|
|
|
|
|
*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
|
|
|
|
|
initial windows size 0 (cve.mitre.org)
|
|
|
|
|
An attacker, opening a HTTP/2 connection with an initial window
|
|
|
|
|
size of 0, was able to block handling of that connection
|
|
|
|
|
indefinitely in Apache HTTP Server. This could be used to
|
|
|
|
|
exhaust worker resources in the server, similar to the well
|
|
|
|
|
known "slow loris" attack pattern.
|
|
|
|
|
This has been fixed in version 2.4.58, so that such connection
|
|
|
|
|
are terminated properly after the configured connection timeout.
|
|
|
|
|
This issue affects Apache HTTP Server: from 2.4.55 through
|
|
|
|
|
2.4.57.
|
|
|
|
|
Users are recommended to upgrade to version 2.4.58, which fixes
|
|
|
|
|
the issue.
|
|
|
|
|
Credits: Prof. Sven Dietrich (City University of New York)
|
|
|
|
|
|
|
|
|
|
*) SECURITY: CVE-2023-31122: mod_macro buffer over-read
|
|
|
|
|
(cve.mitre.org)
|
|
|
|
|
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
|
|
|
|
|
Server.This issue affects Apache HTTP Server: through 2.4.57.
|
|
|
|
|
Credits: David Shoon (github/davidshoon)
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
|
|
|
|
|
SSL routines::unexpected eof while reading" when using
|
|
|
|
|
OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
|
|
|
|
|
available. [Rainer Jung]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: improved early cleanup of streams.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http2: improved error handling on connection errors while
|
|
|
|
|
response is already underway.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: fixed a bug that could lead to a crash in main connection
|
|
|
|
|
output handling. This occured only when the last request on a HTTP/2
|
|
|
|
|
connection had been processed and the session decided to shut down.
|
|
|
|
|
This could lead to an attempt to send a final GOAWAY while the previous
|
|
|
|
|
write was still in progress. See PR 66646.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
|
|
|
|
|
Fixes PR66752.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
|
|
|
|
|
described in RFC 8441. A new directive 'H2WebSockets on|off' has been
|
|
|
|
|
added. The feature is by default not enabled.
|
|
|
|
|
As also discussed in the manual, this feature should work for setups
|
|
|
|
|
using "ProxyPass backend-url upgrade=websocket" without further changes.
|
|
|
|
|
Special server modules for WebSockets will have to be adapted,
|
|
|
|
|
most likely, as the handling if IO events is different with HTTP/2.
|
|
|
|
|
HTTP/2 WebSockets are supported on platforms with native pipes. This
|
|
|
|
|
excludes Windows.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
|
|
|
|
|
in OCSP stapling. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: fixed a bug in flushing pending data on an already closed
|
|
|
|
|
connection that could lead to a busy loop, preventing the HTTP/2 session
|
|
|
|
|
to close down successfully. Fixed PR 66624.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: v2.0.15 with the following fixes and improvements
|
|
|
|
|
- New directive 'H2EarlyHint name value' to add headers to a response,
|
|
|
|
|
picked up already when a "103 Early Hints" response is sent. 'name' and
|
|
|
|
|
'value' must comply to the HTTP field restrictions.
|
|
|
|
|
This directive can be repeated several times and header fields of the
|
|
|
|
|
same names add. Sending a 'Link' header with 'preload' relation will
|
|
|
|
|
also cause a HTTP/2 PUSH if enabled and supported by the client.
|
|
|
|
|
- Fixed an issue where requests were not logged and accounted in a timely
|
|
|
|
|
fashion when the connection returns to "keepalive" handling, e.g. when
|
|
|
|
|
the request served was the last outstanding one.
|
|
|
|
|
This led to late appearance in access logs with wrong duration times
|
|
|
|
|
reported.
|
|
|
|
|
- Accurately report the bytes sent for a request in the '%O' Log format.
|
|
|
|
|
This addresses #203, a long outstanding issue where mod_h2 has reported
|
|
|
|
|
numbers over-eagerly from internal buffering and not what has actually
|
|
|
|
|
been placed on the connection.
|
|
|
|
|
The numbers are now the same with and without H2CopyFiles enabled.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http2: fix retry handling to not leak temporary errors.
|
|
|
|
|
On detecting that that an existing connection was shutdown by the other
|
|
|
|
|
side, a 503 response leaked even though the request was retried on a
|
|
|
|
|
fresh connection.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_rewrite: Add server directory to include path as mod_rewrite requires
|
|
|
|
|
test_char.h. PR 66571 [Valeria Petrov <valeria.petrov@spinetix.com>]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
|
|
|
|
|
of HTTP/2 requests in a forward proxy configuration.
|
|
|
|
|
General forward proxying is enabled via `ProxyRequests`. If the
|
|
|
|
|
HTTP/2 protocol is also enabled for such a server/host, this new
|
|
|
|
|
directive is needed in addition.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) core: Updated conf/mime.types:
|
|
|
|
|
- .js moved from 'application/javascript' to 'text/javascript'
|
|
|
|
|
- .mjs was added as 'text/javascript'
|
|
|
|
|
- add .opus ('audio/ogg')
|
|
|
|
|
- add 'application/vnd.geogebra.slides'
|
|
|
|
|
- add WebAssembly MIME types and extension
|
|
|
|
|
[Mathias Bynens <@mathiasbynens> via PR 318,
|
|
|
|
|
Richard de Boer <richard tubul.net>, Dave Hodder <dmh dmh.org.uk>,
|
|
|
|
|
Zbynek Konecny <zbynek1729 gmail.com>]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
|
|
|
|
|
connection when sending data on the frontend one. This caused crashes
|
|
|
|
|
or infinite loops in rare situations.
|
|
|
|
|
*) mod_proxy_http2: fixed a bug in retry/response handling that could lead
|
|
|
|
|
to wrong status codes or HTTP messages send at the end of response bodies
|
|
|
|
|
exceeding the announced content-length.
|
|
|
|
|
*) mod_proxy_http2: fix retry handling to not leak temporary errors.
|
|
|
|
|
On detecting that that an existing connection was shutdown by the other
|
|
|
|
|
side, a 503 response leaked even though the request was retried on a
|
|
|
|
|
fresh connection.
|
|
|
|
|
*) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
|
|
|
|
|
the wrong order when a bucket_beam was destroyed.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: avoid double chunked-encoding on internal redirects.
|
|
|
|
|
PR 66597 [Yann Ylavic, Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
|
|
|
|
|
HTTP/2 requests twice. Fixes PR 66801.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: Fix handling of Certificate Revoked messages
|
|
|
|
|
in OCSP stapling. PR 66626. [<gmoniker gmail.com>]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: fixed a bug in handling of stream timeouts.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
|
|
|
|
|
Checking in configure for proper version installed. Code
|
|
|
|
|
fixes for changed clienthello member name.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_md:
|
|
|
|
|
- New directive `MDMatchNames all|servernames` to allow more control over how
|
|
|
|
|
MDomains are matched to VirtualHosts.
|
|
|
|
|
- New directive `MDChallengeDns01Version`. Setting this to `2` will provide
|
|
|
|
|
the command also with the challenge value on `teardown` invocation. In version
|
|
|
|
|
1, the default, only the `setup` invocation gets this parameter.
|
|
|
|
|
Refs #312. Thanks to @domrim for the idea.
|
|
|
|
|
- For Managed Domain in "manual" mode, the checks if all used ServerName and
|
|
|
|
|
ServerAlias are part of the MDomain now reports a warning instead of an error
|
|
|
|
|
(AH10040) when not all names are present.
|
|
|
|
|
- MDChallengeDns01 can now be configured for individual domains.
|
|
|
|
|
Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
|
|
|
|
|
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
|
|
|
|
|
teardown not being invoked as it should.
|
|
|
|
|
|
|
|
|
|
*) mod_ldap: Avoid performance overhead of APR-util rebind cache for
|
|
|
|
|
OpenLDAP 2.2+. PR 64414. [Joe Orton]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
|
|
|
|
|
amount of response body bytes put into a single HTTP/2 DATA frame.
|
|
|
|
|
Setting this to 0 places no limit (but the max size allowed by the
|
|
|
|
|
protocol is observed).
|
|
|
|
|
The module, by default, tries to use the maximum size possible, which is
|
|
|
|
|
somewhat around 16KB. This sets the maximum. When less response data is
|
|
|
|
|
available, smaller frames will be sent.
|
|
|
|
|
|
|
|
|
|
*) mod_md: fixed passing of the server environment variables to programs
|
|
|
|
|
started via MDMessageCmd and MDChallengeDns01 on *nix system.
|
|
|
|
|
See <https://github.com/icing/mod_md/issues/319>.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_dav: Add DavBasePath directive to configure the repository root
|
|
|
|
|
path. PR 35077. [Joe Orton]
|
|
|
|
|
|
|
|
|
|
*) mod_alias: Add AliasPreservePath directive to map the full
|
|
|
|
|
path after the alias in a location. [Graham Leggett]
|
|
|
|
|
|
|
|
|
|
*) mod_alias: Add RedirectRelative to allow relative redirect targets to be
|
|
|
|
|
issued as-is. [Eric Covener, Graham Leggett]
|
|
|
|
|
|
|
|
|
|
*) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
|
|
|
|
|
sure that if the format is configured early enough it applies to every log
|
|
|
|
|
line. PR 62161. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_deflate: Add DeflateAlterETag to control how the ETag
|
|
|
|
|
is modified. The 'NoChange' parameter mimics 2.2.x behavior.
|
|
|
|
|
PR 45023, PR 39727. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]
|
|
|
|
|
|
|
|
|
|
*) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
|
|
|
|
|
Resolve inconsistency between the previous two occurrences by
|
|
|
|
|
counting workers in state SERVER_GRACEFUL no longer as busy,
|
|
|
|
|
but instead in a new counter "GracefulWorkers" (or on HTML
|
|
|
|
|
view as "workers gracefully restarting"). Also add the graceful
|
|
|
|
|
counter as a new column to the existing HTML per process table
|
|
|
|
|
for async MPMs. PR 63300. [Rainer Jung]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Aug 5 11:44:23 UTC 2023 - Dirk Stoecker <opensuse@dstoecker.de>
|
|
|
|
|
|
|
|
|
|
- Enable building of mod_md
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Apr 7 13:17:47 UTC 2023 - Arjen de Korte <suse+build@de-korte.org>
|
|
|
|
|
|
|
|
|
|
- Update to 2.4.57:
|
|
|
|
|
*) mod_proxy: Check before forwarding that a nocanon path has not been
|
|
|
|
|
rewritten with spaces during processing. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
|
|
|
|
|
double encode encoded slashes in the URL sent by the reverse proxy to the
|
|
|
|
|
backend. [Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: fixed a crash during connection termination. See PR 66539.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
|
|
|
|
|
in a question mark. PR66547. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
|
|
|
|
|
characters on redirections without the "NE" flag.
|
|
|
|
|
[Yann Ylavic, Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
|
|
|
|
|
to the origin server, when using mapping=encoded|servlet. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_mime: Do not match the extention against possible query string
|
|
|
|
|
parameters in case ProxyPass was used with the nocanon option.
|
|
|
|
|
[Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Mar 8 19:44:32 UTC 2023 - David Anes <david.anes@suse.com>
|
|
|
|
|
|
|
|
|
|
- This update fixes the following security issues:
|
|
|
|
|
* CVE-2023-27522 [bsc#1209049]: mod_proxy_uwsgi HTTP response splitting
|
|
|
|
|
* CVE-2023-25690 [bsc#1209047]: HTTP request splitting with mod_rewrite and mod_proxy
|
|
|
|
|
|
|
|
|
|
- Update to 2.4.56:
|
|
|
|
|
*) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
|
|
|
|
|
truncated without the initial logfile being truncated. [Eric Covener]
|
|
|
|
|
*) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
|
|
|
|
|
allow connections of any age to be reused. Up to now, a negative value
|
|
|
|
|
was handled as an error when parsing the configuration file. PR 66421.
|
|
|
|
|
[nailyk <bzapache nailyk.fr>, Christophe Jaillet]
|
|
|
|
|
*) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
|
|
|
|
|
of headers. [Ruediger Pluem]
|
|
|
|
|
*) mod_md:
|
|
|
|
|
- Enabling ED25519 support and certificate transparency information when
|
|
|
|
|
building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
|
|
|
|
|
- MDChallengeDns01 can now be configured for individual domains.
|
|
|
|
|
Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
|
|
|
|
|
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
|
|
|
|
|
teardown not being invoked as it should.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
|
|
|
|
|
reported in access logs and error documents. The processing of the
|
|
|
|
|
reset was correct, only unneccesary reporting was caused.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 18 21:54:41 UTC 2023 - David Anes <david.anes@suse.com>
|
|
|
|
|
|
|
|
|
|
- This update fixes the following security issues:
|
|
|
|
|
* CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
|
|
|
|
|
* CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
|
|
|
|
|
* CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
|
|
|
|
|
|
|
|
|
|
- Update to 2.4.55:
|
|
|
|
|
*) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
|
|
|
|
|
2.4.55 allows a backend to trigger HTTP response splitting
|
|
|
|
|
(cve.mitre.org)
|
|
|
|
|
Prior to Apache HTTP Server 2.4.55, a malicious backend can
|
|
|
|
|
cause the response headers to be truncated early, resulting in
|
|
|
|
|
some headers being incorporated into the response body. If the
|
|
|
|
|
later headers have any security purpose, they will not be
|
|
|
|
|
interpreted by the client.
|
|
|
|
|
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
|
|
|
|
|
|
|
|
|
|
*) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
|
|
|
|
|
Possible request smuggling (cve.mitre.org)
|
|
|
|
|
Inconsistent Interpretation of HTTP Requests ('HTTP Request
|
|
|
|
|
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
|
|
|
|
|
allows an attacker to smuggle requests to the AJP server it
|
|
|
|
|
forwards requests to. This issue affects Apache HTTP Server
|
|
|
|
|
Apache HTTP Server 2.4 version 2.4.54 and prior versions.
|
|
|
|
|
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
|
|
|
|
|
at Qi'anxin Group
|
|
|
|
|
|
|
|
|
|
*) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
|
|
|
|
|
of zero byte (cve.mitre.org)
|
|
|
|
|
A carefully crafted If: request header can cause a memory read,
|
|
|
|
|
or write of a single zero byte, in a pool (heap) memory location
|
|
|
|
|
beyond the header value sent. This could cause the process to
|
|
|
|
|
crash.
|
|
|
|
|
This issue affects Apache HTTP Server 2.4.54 and earlier.
|
|
|
|
|
|
|
|
|
|
*) mod_dav: Open the lock database read-only when possible.
|
|
|
|
|
PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http2: apply the standard httpd content type handling
|
|
|
|
|
to responses from the backend, as other proxy modules do. Fixes PR 66391.
|
|
|
|
|
Thanks to Jérôme Billiras for providing the patch.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
|
|
|
|
|
[Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
|
|
|
|
|
<alejandro.alvarez.ayllon cern.ch>]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: version 2.0.10 of the module, synchronizing changes
|
|
|
|
|
with the gitgub version. This is a partial rewrite of how connections
|
|
|
|
|
and streams are handled.
|
|
|
|
|
- an APR pollset and pipes (where supported) are used to monitor
|
|
|
|
|
the main connection and react to IO for request/response handling.
|
|
|
|
|
This replaces the stuttered timed waits of earlier versions.
|
|
|
|
|
- H2SerializeHeaders directive still exists, but has no longer an effect.
|
|
|
|
|
- Clients that seemingly misbehave still get less resources allocated,
|
|
|
|
|
but ongoing requests are no longer disrupted.
|
|
|
|
|
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
|
|
|
|
|
were overwritten instead of preserved. [PR by @daum3ns]
|
|
|
|
|
- A regression in v1.15.24 was fixed that could lead to httpd child
|
|
|
|
|
processes not being terminated on a graceful reload or when reaching
|
|
|
|
|
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
|
|
|
|
|
the time, these could stall. See #212.
|
|
|
|
|
- Improved information displayed in 'server-status' for H2 connections when
|
|
|
|
|
Extended Status is enabled. Now one can see the last request that IO
|
|
|
|
|
operations happened on and transferred IO stats are updated as well.
|
|
|
|
|
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
|
|
|
|
|
send a GOAWAY frame much too early on new connections, leading to invalid
|
|
|
|
|
protocol state and a client failing the request. See PR65731 at
|
|
|
|
|
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
|
|
|
|
|
The module now initializes the HTTP/2 protocol correctly and allows the
|
|
|
|
|
client to submit one request before the shutdown via a GOAWAY frame
|
|
|
|
|
is being announced.
|
|
|
|
|
- :scheme pseudo-header values, not matching the
|
|
|
|
|
connection scheme, are forwarded via absolute uris to the
|
|
|
|
|
http protocol processing to preserve semantics of the request.
|
|
|
|
|
Checks on combinations of pseudo-headers values/absence
|
|
|
|
|
have been added as described in RFC 7540. Fixes #230.
|
|
|
|
|
- A bug that prevented trailers (e.g. HEADER frame at the end) to be
|
|
|
|
|
generated in certain cases was fixed. See #233 where it prevented
|
|
|
|
|
gRPC responses to be properly generated.
|
|
|
|
|
- Request and response header values are automatically stripped of leading
|
|
|
|
|
and trialing space/tab characters. This is equivalent behaviour to what
|
|
|
|
|
Apache httpd's http/1.1 parser does.
|
|
|
|
|
The checks for this in nghttp2 v1.50.0+ are disabled.
|
|
|
|
|
- Extensive testing in production done by Alessandro Bianchi (@alexskynet)
|
|
|
|
|
on the v2.0.x versions for stability. Many thanks!
|
|
|
|
|
*) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
|
|
|
|
|
request ':authority' is known. Improved test case that did not catch that
|
|
|
|
|
the previous 'fix' was incorrect.
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
|
|
|
|
|
using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: The AH03408 warning for a forcibly closed backend
|
|
|
|
|
connection is now logged at INFO level. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: When dumping the configuration, the existence of
|
|
|
|
|
certificate/key files is no longer tested. [Joe Orton]
|
|
|
|
|
|
|
|
|
|
*) mod_authn_core: Add expression support to AuthName and AuthType.
|
|
|
|
|
[Graham Leggett]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: when a proxy connection had handled a request using SSL, an
|
|
|
|
|
error was logged when "SSLProxyEngine" was only configured in the
|
|
|
|
|
location/proxy section and not the overall server. The connection
|
|
|
|
|
continued to work, the error log was in error. Fixed PR66190.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
|
|
|
|
|
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
|
|
|
|
|
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_md: a new directive `MDStoreLocks` can be used on cluster
|
|
|
|
|
setups with a shared file system for `MDStoreDir` to order
|
|
|
|
|
activation of renewed certificates when several cluster nodes are
|
|
|
|
|
restarted at the same time. Store locks are not enabled by default.
|
|
|
|
|
Restored curl_easy cleanup behaviour from v2.4.14 and refactored
|
|
|
|
|
the use of curl_multi for OCSP requests to work with that.
|
|
|
|
|
Fixes <https://github.com/icing/mod_md/issues/293>.
|
|
|
|
|
|
|
|
|
|
*) core: Avoid an overflow on large inputs in ap_is_matchexp. PR 66033
|
|
|
|
|
[Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
|
|
|
|
|
storage instead of slotmem. Needed after setting
|
|
|
|
|
HeartbeatMaxServers default to the documented value 10 in 2.4.54.
|
|
|
|
|
PR 66131. [Jérôme Billiras]
|
|
|
|
|
|
|
|
|
|
*) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
|
|
|
|
|
This is a game changer for performances if client use PROPFIND a lot,
|
|
|
|
|
PR 66313. [Emmanuel Dreyfus]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 12 08:58:58 UTC 2022 - Dirk Müller <dmueller@suse.com>
|
|
|
|
|
|
|
|
|
|
- switch to pkgconfig(zlib) so that alternative providers can be
|
|
|
|
|
used
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 23 06:06:26 UTC 2022 - Stephan Kulow <coolo@suse.com>
|
|
|
|
|
|
|
|
|
|
- The 2.4.54 release brought support for PCRE2, but for that we also
|
|
|
|
|
need to change buildrequires to pcre2-devel
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 20 15:01:58 UTC 2022 - David Anes <david.anes@suse.com>
|
|
|
|
|
|
|
|
|
|
- Remove references to README.QUICKSTART and point them to
|
|
|
|
|
https://en.opensuse.org/SDB:Apache_installation (bsc#1203573)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Sep 1 06:31:31 UTC 2022 - Stefan Schubert <schubi@suse.com>
|
|
|
|
|
|
|
|
|
|
- Migration to /usr/etc: Saving user changed configuration files
|
|
|
|
|
in /etc and restoring them while an RPM update.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 28 14:39:26 UTC 2022 - Stefan Schubert <schubi@intern>
|
|
|
|
|
|
|
|
|
|
- Moved logrotate files from user specific directory /etc/logrotate.d
|
|
|
|
|
to vendor specific directory /usr/etc/logrotate.d.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jun 8 11:26:13 UTC 2022 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- update httpd-framework to svn revision 1898917
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jun 8 10:06:34 UTC 2022 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.54
|
|
|
|
|
Changes with Apache 2.4.54
|
|
|
|
|
*) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
|
|
|
|
|
hop-by-hop mechanism (cve.mitre.org)
|
|
|
|
|
Apache HTTP Server 2.4.53 and earlier may not send the
|
|
|
|
|
X-Forwarded-* headers to the origin server based on client side
|
|
|
|
|
Connection header hop-by-hop mechanism.
|
|
|
|
|
This may be used to bypass IP based authentication on the origin
|
|
|
|
|
server/application.
|
|
|
|
|
Credits: The Apache HTTP Server project would like to thank
|
|
|
|
|
Gaetan Ferry (Synacktiv) for reporting this issue
|
|
|
|
|
*) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
|
|
|
|
|
websockets (cve.mitre.org)
|
|
|
|
|
Apache HTTP Server 2.4.53 and earlier may return lengths to
|
|
|
|
|
applications calling r:wsread() that point past the end of the
|
|
|
|
|
storage allocated for the buffer.
|
|
|
|
|
Credits: The Apache HTTP Server project would like to thank
|
|
|
|
|
Ronald Crane (Zippenhop LLC) for reporting this issue
|
|
|
|
|
*) SECURITY: CVE-2022-30522: mod_sed denial of service
|
|
|
|
|
(cve.mitre.org)
|
|
|
|
|
If Apache HTTP Server 2.4.53 is configured to do transformations
|
|
|
|
|
with mod_sed in contexts where the input to mod_sed may be very
|
|
|
|
|
large, mod_sed may make excessively large memory allocations and
|
|
|
|
|
trigger an abort.
|
|
|
|
|
Credits: This issue was found by Brian Moussalli from the JFrog
|
|
|
|
|
Security Research team
|
|
|
|
|
*) SECURITY: CVE-2022-29404: Denial of service in mod_lua
|
|
|
|
|
r:parsebody (cve.mitre.org)
|
|
|
|
|
In Apache HTTP Server 2.4.53 and earlier, a malicious request to
|
|
|
|
|
a lua script that calls r:parsebody(0) may cause a denial of
|
|
|
|
|
service due to no default limit on possible input size.
|
|
|
|
|
Credits: The Apache HTTP Server project would like to thank
|
|
|
|
|
Ronald Crane (Zippenhop LLC) for reporting this issue
|
|
|
|
|
*) SECURITY: CVE-2022-28615: Read beyond bounds in
|
|
|
|
|
ap_strcmp_match() (cve.mitre.org)
|
|
|
|
|
Apache HTTP Server 2.4.53 and earlier may crash or disclose
|
|
|
|
|
information due to a read beyond bounds in ap_strcmp_match()
|
|
|
|
|
when provided with an extremely large input buffer. While no
|
|
|
|
|
code distributed with the server can be coerced into such a
|
|
|
|
|
call, third-party modules or lua scripts that use
|
|
|
|
|
ap_strcmp_match() may hypothetically be affected.
|
|
|
|
|
Credits: The Apache HTTP Server project would like to thank
|
|
|
|
|
Ronald Crane (Zippenhop LLC) for reporting this issue
|
|
|
|
|
*) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
|
|
|
|
|
(cve.mitre.org)
|
|
|
|
|
The ap_rwrite() function in Apache HTTP Server 2.4.53 and
|
|
|
|
|
earlier may read unintended memory if an attacker can cause the
|
|
|
|
|
server to reflect very large input using ap_rwrite() or
|
|
|
|
|
ap_rputs(), such as with mod_luas r:puts() function.
|
|
|
|
|
Credits: The Apache HTTP Server project would like to thank
|
|
|
|
|
Ronald Crane (Zippenhop LLC) for reporting this issue
|
|
|
|
|
*) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
|
|
|
|
|
(cve.mitre.org)
|
|
|
|
|
Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
|
|
|
|
|
bounds when configured to process requests with the mod_isapi
|
|
|
|
|
module.
|
|
|
|
|
Credits: The Apache HTTP Server project would like to thank
|
|
|
|
|
Ronald Crane (Zippenhop LLC) for reporting this issue
|
|
|
|
|
*) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
|
|
|
|
|
smuggling (cve.mitre.org)
|
|
|
|
|
Inconsistent Interpretation of HTTP Requests ('HTTP Request
|
|
|
|
|
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
|
|
|
|
|
allows an attacker to smuggle requests to the AJP server it
|
|
|
|
|
forwards requests to. This issue affects Apache HTTP Server
|
|
|
|
|
Apache HTTP Server 2.4 version 2.4.53 and prior versions.
|
|
|
|
|
Credits: Ricter Z @ 360 Noah Lab
|
|
|
|
|
*) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
|
|
|
|
|
[Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
|
|
|
|
|
*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
|
|
|
|
|
PR 65666. [Yann Ylavic]
|
|
|
|
|
*) mod_md: a bug was fixed that caused very large MDomains
|
|
|
|
|
with the combined DNS names exceeding ~7k to fail, as
|
|
|
|
|
request bodies would contain partially wrong data from
|
|
|
|
|
uninitialized memory. This would have appeared as failure
|
|
|
|
|
in signing-up/renewing such configurations.
|
|
|
|
|
[Stefan Eissing, Ronald Crane (Zippenhop LLC)]
|
|
|
|
|
*) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
|
|
|
|
|
PR 65666. [Yann Ylavic]
|
|
|
|
|
*) MPM event: Restart children processes killed before idle maintenance.
|
|
|
|
|
PR 65769. [Yann Ylavic, Ruediger Pluem]
|
|
|
|
|
*) ab: Allow for TLSv1.3 when the SSL library supports it.
|
|
|
|
|
[abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]
|
|
|
|
|
*) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
|
|
|
|
|
transmission delays. PR 66019. [Yann Ylavic]
|
|
|
|
|
*) MPM event: Fix accounting of active/total processes on ungraceful restart,
|
|
|
|
|
PR 66004 (follow up to PR 65626 from 2.4.52). [Yann Ylavic]
|
|
|
|
|
*) core: make ap_escape_quotes() work correctly on strings
|
|
|
|
|
with more than MAX_INT/2 characters, counting quotes double.
|
|
|
|
|
Credit to <generalbugs@zippenhop.com> for finding this.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
|
|
|
|
|
an ACME CA. This gives a failover for renewals when several consecutive attempts
|
|
|
|
|
to get a certificate failed.
|
|
|
|
|
A new directive was added: `MDRetryDelay` sets the delay of retries.
|
|
|
|
|
A new directive was added: `MDRetryFailover` sets the number of errored
|
|
|
|
|
attempts before an alternate CA is selected for certificate renewals.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_http2: remove unused and insecure code. Fixes PR66037.
|
|
|
|
|
Thanks to Ronald Crane (Zippenhop LLC) for reporting this.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_proxy: Add backend port to log messages to
|
|
|
|
|
ease identification of involved service. [Rainer Jung]
|
|
|
|
|
*) mod_http2: removing unscheduling of ongoing tasks when
|
|
|
|
|
connection shows potential abuse by a client. This proved
|
|
|
|
|
counter-productive and the abuse detection can false flag
|
|
|
|
|
requests using server-side-events.
|
|
|
|
|
Fixes <https://github.com/icing/mod_h2/issues/231>.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_md: Implement full auto status ("key: value" type status output).
|
|
|
|
|
Especially not only status summary counts for certificates and
|
|
|
|
|
OCSP stapling but also lists. Auto status format is similar to
|
|
|
|
|
what was used for mod_proxy_balancer.
|
|
|
|
|
[Rainer Jung]
|
|
|
|
|
*) mod_md: fixed a bug leading to failed transfers for OCSP
|
|
|
|
|
stapling information when more than 6 certificates needed
|
|
|
|
|
updates in the same run. [Stefan Eissing]
|
|
|
|
|
*) mod_proxy: Set a status code of 502 in case the backend just closed the
|
|
|
|
|
connection in reply to our forwarded request. [Ruediger Pluem]
|
|
|
|
|
*) mod_md: a possible NULL pointer deref was fixed in
|
|
|
|
|
the JSON code for persisting time periods (start+end).
|
|
|
|
|
Fixes #282 on mod_md's github.
|
|
|
|
|
Thanks to @marcstern for finding this. [Stefan Eissing]
|
|
|
|
|
*) mod_heartmonitor: Set the documented default value
|
|
|
|
|
"10" for HeartbeatMaxServers instead of "0". With "0"
|
|
|
|
|
no shared memory slotmem was initialized. [Rainer Jung]
|
|
|
|
|
*) mod_md: added support for managing certificates via a
|
|
|
|
|
local tailscale daemon for users of that secure networking.
|
|
|
|
|
This gives trusted certificates for tailscale assigned
|
|
|
|
|
domain names in the *.ts.net space.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
- modified patches
|
|
|
|
|
% apache-test-application-xml-type.patch (refreshed)
|
|
|
|
|
% apache-test-turn-off-variables-in-ssl-var-lookup.patch (refreshed)
|
|
|
|
|
% apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 14 12:19:36 UTC 2022 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- httpd-framework updated to svn1898917
|
|
|
|
|
- deleted patches
|
|
|
|
|
- apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
|
|
|
|
|
- apache2-perl-io-socket.patch (upstreamed)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 14 11:20:53 UTC 2022 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.53
|
|
|
|
|
*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
|
|
|
|
|
(cve.mitre.org)
|
|
|
|
|
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
|
|
|
|
|
Server allows an attacker to overwrite heap memory with possibly
|
|
|
|
|
attacker provided data.
|
|
|
|
|
This issue affects Apache HTTP Server 2.4 version 2.4.52 and
|
|
|
|
|
prior versions.
|
|
|
|
|
Credits: Ronald Crane (Zippenhop LLC)
|
|
|
|
|
*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
|
|
|
|
|
very large or unlimited LimitXMLRequestBody (cve.mitre.org)
|
|
|
|
|
If LimitXMLRequestBody is set to allow request bodies larger
|
|
|
|
|
than 350MB (defaults to 1M) on 32 bit systems an integer
|
|
|
|
|
overflow happens which later causes out of bounds writes.
|
|
|
|
|
This issue affects Apache HTTP Server 2.4.52 and earlier.
|
|
|
|
|
Credits: Anonymous working with Trend Micro Zero Day Initiative
|
|
|
|
|
*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
|
|
|
|
|
in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
|
|
|
|
|
Apache HTTP Server 2.4.52 and earlier fails to close inbound
|
|
|
|
|
connection when errors are encountered discarding the request
|
|
|
|
|
body, exposing the server to HTTP Request Smuggling
|
|
|
|
|
Credits: James Kettle <james.kettle portswigger.net>
|
|
|
|
|
*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
|
|
|
|
|
in r:parsebody (cve.mitre.org)
|
|
|
|
|
A carefully crafted request body can cause a read to a random
|
|
|
|
|
memory area which could cause the process to crash.
|
|
|
|
|
This issue affects Apache HTTP Server 2.4.52 and earlier.
|
|
|
|
|
Credits: Chamal De Silva
|
|
|
|
|
*) core: Make sure and check that LimitXMLRequestBody fits in system memory.
|
|
|
|
|
[Ruediger Pluem, Yann Ylavic]
|
|
|
|
|
*) core: Simpler connection close logic if discarding the request body fails.
|
|
|
|
|
[Yann Ylavic, Ruediger Pluem]
|
|
|
|
|
*) mod_http2: preserve the port number given in a HTTP/1.1
|
|
|
|
|
request that was Upgraded to HTTP/2. Fixes PR65881.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_proxy: Allow for larger worker name. PR 53218. [Yann Ylavic]
|
|
|
|
|
*) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
|
|
|
|
|
an attempt to load a dbm driver fails, log clearly which driver triggered
|
|
|
|
|
the error (not "default"), and what the error was. [Graham Leggett]
|
|
|
|
|
*) mod_proxy: Use the maxium of front end and backend timeouts instead of the
|
|
|
|
|
minimum when tunneling requests (websockets, CONNECT requests).
|
|
|
|
|
Backend timeouts can be configured more selectively (per worker if needed)
|
|
|
|
|
as front end timeouts and typically the backend timeouts reflect the
|
|
|
|
|
application requirements better. PR 65886 [Ruediger Pluem]
|
|
|
|
|
*) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
|
|
|
|
|
when an efficient TLS implementation is available. [Yann Ylavic]
|
|
|
|
|
*) core, mod_info: Add compiled and loaded PCRE versions to version
|
|
|
|
|
number display. [Rainer Jung]
|
|
|
|
|
*) mod_md: do not interfere with requests to /.well-known/acme-challenge/
|
|
|
|
|
resources if challenge type 'http-01' is not configured for a domain.
|
|
|
|
|
Fixes <https://github.com/icing/mod_md/issues/279>.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_dav: Fix regression when gathering properties which could lead to huge
|
|
|
|
|
memory consumption proportional to the number of resources.
|
|
|
|
|
[Evgeny Kotkov, Ruediger Pluem]
|
|
|
|
|
*) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
|
|
|
|
|
for regular expression evaluation. This depends on locating pcre2-config.
|
|
|
|
|
[William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]
|
|
|
|
|
*) Add the ldap function to the expression API, allowing LDAP filters and
|
|
|
|
|
distinguished names based on expressions to be escaped correctly to
|
|
|
|
|
guard against LDAP injection. [Graham Leggett]
|
|
|
|
|
*) mod_md: the status description in MDomain's JSON, exposed in the
|
|
|
|
|
md-status handler (if configured) did sometimes not carry the correct
|
|
|
|
|
message when certificates needed renew.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mpm_event: Fix a possible listener deadlock on heavy load when restarting
|
|
|
|
|
and/or reaching MaxConnectionsPerChild. PR 65769. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jan 27 13:57:47 UTC 2022 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- ssl-global.conf: set SSLCipherSuite to PROFILE=SYSTEM instead of
|
|
|
|
|
DEFAULT_SUSE [jsc#SLE-22561]
|
|
|
|
|
- set also SSLProxyCipherSuite to PROFILE=SYSTEM
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2-ssl-global.conf
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 11 12:05:55 UTC 2022 - David Anes <david.anes@suse.com>
|
|
|
|
|
|
|
|
|
|
- Align some defaults in apache2-server-tuning.conf to upstream
|
|
|
|
|
defaults:
|
|
|
|
|
* Updated MaxRequestWorkers and ServerLimit to 256. [bsc#1194062]
|
|
|
|
|
- The old name MaxRequestsPerChild is changed to MaxConnectionsPerChild.
|
|
|
|
|
* See https://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxconnectionsperchild
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 10 18:12:38 UTC 2022 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
|
|
|
|
|
|
- Add apache2-perl-io-socket.patch: t/ssl/ocsp.t: Handle new error
|
|
|
|
|
message raised by IO-Socket-SSL 2.073.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 10 16:16:16 UTC 2022 - olaf@aepfle.de
|
|
|
|
|
|
|
|
|
|
- remove instance units from post scripts, they can not be reloaded
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 20 11:26:49 UTC 2021 - David Anes <david.anes@suse.com>
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.52:
|
|
|
|
|
* fix CVE-2021-44224: NULL dereference or SSRF in forward proxy
|
|
|
|
|
configurations [boo#1193943]
|
|
|
|
|
* fix CVE-2021-44790: buffer overflow when parsing multipart
|
|
|
|
|
content in mod_lua [boo#1193942]
|
|
|
|
|
*) http: Enforce that fully qualified uri-paths not to be forward-proxied
|
|
|
|
|
have an http(s) scheme, and that the ones to be forward proxied have a
|
|
|
|
|
hostname, per HTTP specifications.
|
|
|
|
|
*) OpenSSL autoconf detection improvement: pick up openssl.pc in the
|
|
|
|
|
already sent it to the client.
|
|
|
|
|
*) mod_http: Correctly sent a 100 Continue status code when sending an interim
|
|
|
|
|
response as result of an Expect: 100-Continue in the request and not the
|
|
|
|
|
current status code of the request
|
|
|
|
|
*) mod_dav: Some DAV extensions, like CalDAV, specify both document
|
|
|
|
|
elements and property elements that need to be taken into account
|
|
|
|
|
when generating a property. The document element and property element
|
|
|
|
|
are made available in the dav_liveprop_elem structure by calling
|
|
|
|
|
dav_get_liveprop_element()
|
|
|
|
|
*) mod_dav: Add utility functions dav_validate_root_ns(),
|
|
|
|
|
dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
|
|
|
|
|
dav_find_attr() so that other modules get to play too.
|
|
|
|
|
*) mpm_event: Restart stopping of idle children after a load peak
|
|
|
|
|
*) mod_http2: fixes 2 regressions in server limit handling.
|
|
|
|
|
1. When reaching server limits, such as MaxRequestsPerChild, the
|
|
|
|
|
HTTP/2 connection send a GOAWAY frame much too early on new
|
|
|
|
|
connections, leading to invalid protocol state and a client
|
|
|
|
|
failing the request
|
|
|
|
|
The module now initializes the HTTP/2 protocol correctly and
|
|
|
|
|
allows the client to submit one request before the shutdown
|
|
|
|
|
via a GOAWAY frame is being announced.
|
|
|
|
|
2. A regression in v1.15.24 was fixed that could lead to httpd
|
|
|
|
|
child processes not being terminated on a graceful reload or
|
|
|
|
|
when reaching MaxConnectionsPerChild. When unprocessed h2
|
|
|
|
|
requests were queued at the time, these could stall.
|
|
|
|
|
See <https://github.com/icing/mod_h2/issues/212>.
|
|
|
|
|
*) mod_ssl: Add build support for OpenSSL v3
|
|
|
|
|
*) mod_proxy_connect: Honor the smallest of the backend or client timeout
|
|
|
|
|
while tunneling
|
|
|
|
|
*) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
|
|
|
|
|
half-close forwarding when tunneling protocols
|
|
|
|
|
*) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
|
|
|
|
|
a third-party module. PR 65627.
|
|
|
|
|
*) mod_md: Fix memory leak in case of failures to load the private key.
|
|
|
|
|
*) mod_md: adding v2.4.8 with the following changes
|
|
|
|
|
- Added support for ACME External Account Binding (EAB).
|
|
|
|
|
Use the new directive `MDExternalAccountBinding` to provide the
|
|
|
|
|
server with the value for key identifier and hmac as provided by
|
|
|
|
|
your CA.
|
|
|
|
|
While working on some servers, EAB handling is not uniform
|
|
|
|
|
across CAs. First tests with a Sectigo Certificate Manager in
|
|
|
|
|
demo mode are successful. But ZeroSSL, for example, seems to
|
|
|
|
|
regard EAB values as a one-time-use-only thing, which makes them
|
|
|
|
|
fail if you create a seconde account or retry the creation of the
|
|
|
|
|
first account with the same EAB.
|
|
|
|
|
- The directive 'MDCertificateAuthority' now checks if its parameter
|
|
|
|
|
is a http/https url or one of a set of known names. Those are
|
|
|
|
|
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
|
|
|
|
|
for now and they are not case-sensitive.
|
|
|
|
|
The default of LetsEncrypt is unchanged.
|
|
|
|
|
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
|
|
|
|
|
section.
|
|
|
|
|
- Treating 401 HTTP status codes for orders like 403, since some ACME
|
|
|
|
|
servers seem to prefer that for accessing oders from other accounts.
|
|
|
|
|
- When retrieving certificate chains, try to read the repsonse even
|
|
|
|
|
if the HTTP Content-Type is unrecognized.
|
|
|
|
|
- Fixed a bug that reset the error counter of a certificate renewal
|
|
|
|
|
and prevented the increasing delays in further attempts.
|
|
|
|
|
- Fixed the renewal process giving up every time on an already existing
|
|
|
|
|
order with some invalid domains. Now, if such are seen in a previous
|
|
|
|
|
order, a new order is created for a clean start over again.
|
|
|
|
|
See <https://github.com/icing/mod_md/issues/268>
|
|
|
|
|
- Fixed a mixup in md-status handler when static certificate files
|
|
|
|
|
and renewal was configured at the same time.
|
|
|
|
|
*) mod_md: values for External Account Binding (EAB) can
|
|
|
|
|
now also be configured to be read from a separate JSON
|
|
|
|
|
file. This allows to keep server configuration permissions
|
|
|
|
|
world readable without exposing secrets.
|
|
|
|
|
*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Nov 24 11:04:43 UTC 2021 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- httpd-framework updated to svn1894461
|
|
|
|
|
- added patches
|
|
|
|
|
fix reverted logic, DirectorySlash NotFound is available in trunk only
|
|
|
|
|
+ apache-test-DirectorySlash-NotFound-logic.patch
|
|
|
|
|
- do not consider php tests, they do not run anyway
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Nov 14 10:21:09 UTC 2021 - Arjen de Korte <suse+build@de-korte.org>
|
|
|
|
|
|
|
|
|
|
- add section for the 'event' MPM to apache2-server-tuning.conf
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 7 17:30:44 UTC 2021 - Michael Ströder <michael@stroeder.com>
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.51
|
|
|
|
|
*) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
|
|
|
|
|
Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
|
|
|
|
|
fix of CVE-2021-41773) (cve.mitre.org)
|
|
|
|
|
*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
|
|
|
|
|
unused AP_NORMALIZE_DROP_PARAMETERS flag.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 4 15:23:51 UTC 2021 - Michael Ströder <michael@stroeder.com>
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.50
|
|
|
|
|
*) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
|
|
|
|
|
the uri-path when it's preceded by a dot. [Yann Ylavic]
|
|
|
|
|
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
|
|
|
|
|
fails (!= 0 exit), the renewal process is aborted and an error is
|
|
|
|
|
reported for the MDomain. This provides scripts that distribute
|
|
|
|
|
information in a cluster to abort early with bothering an ACME
|
|
|
|
|
server to validate a dns name that will not work. The common
|
|
|
|
|
retry logic will make another attempt in the future, as with
|
|
|
|
|
other failures.
|
|
|
|
|
Fixed a bug when adding private key specs to an already working
|
|
|
|
|
MDomain, see <https://github.com/icing/mod_md/issues/260>.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
|
|
|
|
|
had no hostname ("unix:/..."). [Yann Ylavic]
|
|
|
|
|
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
|
|
|
|
|
run into an assertion which terminated (and restarted) the child process where
|
|
|
|
|
the task was running. Eventually, all OCSP responses were collected, but not
|
|
|
|
|
in the way that things are supposed to work.
|
|
|
|
|
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
|
|
|
|
|
The bug was possibly triggered when more than one OCSP status needed updating
|
|
|
|
|
at the same time. For example for several renewed certificates after a server
|
|
|
|
|
reload.
|
|
|
|
|
*) mod_rewrite: Fix UDS ("unix:") scheme for [P] rules. PR 57691 + 65590.
|
|
|
|
|
[Janne Peltonen <janne.peltonen sange.fi>]
|
|
|
|
|
*) event mpm: Correctly count active child processes in parent process if
|
|
|
|
|
child process dies due to MaxConnectionsPerChild.
|
|
|
|
|
PR 65592 [Ruediger Pluem]
|
|
|
|
|
*) mod_http2: when a server is restarted gracefully, any idle h2 worker
|
|
|
|
|
threads are shut down immediately.
|
|
|
|
|
Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
|
|
|
|
|
Adds all other, never proposed code changes to make a clean
|
|
|
|
|
sync of http2 sources. [Stefan Eissing]
|
|
|
|
|
*) mod_dav: Correctly handle errors returned by dav providers on REPORT
|
|
|
|
|
requests. [Ruediger Pluem]
|
|
|
|
|
*) core: do not install core input/output filters on secondary
|
|
|
|
|
connections. [Stefan Eissing]
|
|
|
|
|
*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
|
|
|
|
|
and use it to prevent that failures in running the pre_connection
|
|
|
|
|
hook cause crashes afterwards. [Ruediger Pluem]
|
|
|
|
|
*) mod_speling: Add CheckBasenameMatch PR 44221. [Christophe Jaillet]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 17 08:37:29 UTC 2021 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.49
|
|
|
|
|
*) core/mod_proxy/mod_ssl:
|
|
|
|
|
Adding `outgoing` flag to conn_rec, indicating a connection is
|
|
|
|
|
initiated by the server to somewhere, in contrast to incoming
|
|
|
|
|
connections from clients.
|
|
|
|
|
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
|
|
|
|
|
as outgoing and is used by mod_proxy instead of the previous
|
|
|
|
|
optional function `ssl_engine_set`. This enables other SSL
|
|
|
|
|
module to secure proxy connections.
|
|
|
|
|
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
|
|
|
|
|
`ssl_proxy_enable` are now provided by the core to have backward
|
|
|
|
|
compatibility with non-httpd modules that might use them. mod_ssl
|
|
|
|
|
itself no longer registers these functions, but keeps them in its
|
|
|
|
|
header for backward compatibility.
|
|
|
|
|
The core provided optional function wrap any registered function
|
|
|
|
|
like it was done for `ssl_is_ssl`.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_ssl: Support logging private key material for use with
|
|
|
|
|
wireshark via log file given by SSLKEYLOGFILE environment
|
|
|
|
|
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
|
|
|
|
|
*) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
|
|
|
|
|
"ProxyPassInterpolateEnv On" are configured. PR 65549.
|
|
|
|
|
[Joel Self <joelself gmail.com>]
|
|
|
|
|
*) mpm_event: Fix children processes possibly not stopped on graceful
|
|
|
|
|
restart. PR 63169. [Joel Self <joelself gmail.com>]
|
|
|
|
|
*) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
|
|
|
|
|
protocols from mod_proxy_http, and a timeout triggering falsely when
|
|
|
|
|
using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
|
|
|
|
|
upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
|
|
|
|
|
*) mod_unique_id: Reduce the time window where duplicates may be generated
|
|
|
|
|
PR 65159
|
|
|
|
|
[Christophe Jaillet]
|
|
|
|
|
*) mpm_prefork: Block signals for child_init hooks to prevent potential
|
|
|
|
|
threads created from there to catch MPM's signals.
|
|
|
|
|
[Ruediger Pluem, Yann Ylavic]
|
|
|
|
|
*) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
|
|
|
|
|
PR 65159" added in 2.4.47.
|
|
|
|
|
This causes issue on Windows.
|
|
|
|
|
[Christophe Jaillet]
|
|
|
|
|
*) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
|
|
|
|
|
*) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
|
|
|
|
|
as successful or a staged renewal is replacing the existing certificates.
|
|
|
|
|
This avoid potential mess ups in the md store file system to render the active
|
|
|
|
|
certificates non-working. [@mkauf]
|
|
|
|
|
*) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
|
|
|
|
|
connections. If ALPN protocols are provided and sent to the
|
|
|
|
|
remote server, the received protocol selected is inspected
|
|
|
|
|
and checked for a match. Without match, the peer handshake
|
|
|
|
|
fails.
|
|
|
|
|
An exception is the proposal of "http/1.1" where it is
|
|
|
|
|
accepted if the remote server did not answer ALPN with
|
|
|
|
|
a selected protocol. This accomodates for hosts that do
|
|
|
|
|
not observe/support ALPN and speak http/1.x be default.
|
|
|
|
|
*) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
|
|
|
|
|
with others when their URLs contain a '$' substitution. PR 65419 + 65429.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) mod_dav: Add method_precondition hook. WebDAV extensions define
|
|
|
|
|
conditions that must exist before a WebDAV method can be executed.
|
|
|
|
|
This hook allows a WebDAV extension to verify these preconditions.
|
|
|
|
|
[Graham Leggett]
|
|
|
|
|
*) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
|
|
|
|
|
modules apart from versioning implementations to handle the REPORT method.
|
|
|
|
|
[Graham Leggett]
|
|
|
|
|
*) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
|
|
|
|
|
dav_get_resource() to mod_dav.h. [Graham Leggett]
|
|
|
|
|
*) core: fix ap_escape_quotes substitution logic. [Eric Covener]
|
|
|
|
|
*) Easy patches: synch 2.4.x and trunk
|
|
|
|
|
- mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
|
|
|
|
|
- mod_ldap: log and abort locking errors.
|
|
|
|
|
- mod_ldap: style fix for r1831165
|
|
|
|
|
- mod_ldap: build break fix for r1831165
|
|
|
|
|
- mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
|
|
|
|
|
- mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
|
|
|
|
|
- mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
|
|
|
|
|
- mod_rewrite: Save a few cycles.
|
|
|
|
|
- mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
|
|
|
|
|
- core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
|
|
|
|
|
[Christophe Jaillet]
|
|
|
|
|
*) core/mpm: add hook 'child_stopping` that gets called when the MPM is
|
|
|
|
|
stopping a child process. The additional `graceful` parameter allows
|
|
|
|
|
registered hooks to free resources early during a graceful shutdown.
|
|
|
|
|
[Yann Ylavic, Stefan Eissing]
|
|
|
|
|
*) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
|
|
|
|
|
balancer-manager, which can lead to a crash. [Yann Ylavic]
|
|
|
|
|
*) mpm_event: Fix graceful stop/restart of children processes if connections
|
|
|
|
|
are in lingering close for too long. [Yann Ylavic]
|
|
|
|
|
*) mod_md: fixed a potential null pointer dereference if ACME/OCSP
|
|
|
|
|
server returned 2xx responses without content type. Reported by chuangwen.
|
|
|
|
|
[chuangwen, Stefan Eissing]
|
|
|
|
|
*) mod_md:
|
|
|
|
|
- Domain names in `<MDomain ...>` can now appear in quoted form.
|
|
|
|
|
- Fixed a failure in ACME challenge selection that aborted further searches
|
|
|
|
|
when the tls-alpn-01 method did not seem to be suitable.
|
|
|
|
|
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
|
|
|
|
|
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
|
|
|
|
|
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
|
|
|
|
|
*) Add CPING to health check logic. [Jean-Frederic Clere]
|
|
|
|
|
*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
|
|
|
|
|
*) core, h2: common ap_parse_request_line() and ap_check_request_header()
|
|
|
|
|
code. [Yann Ylavic]
|
|
|
|
|
*) core: Add StrictHostCheck to allow unconfigured hostnames to be
|
|
|
|
|
rejected. [Eric Covener]
|
|
|
|
|
*) htcacheclean: Improve help messages. [Christophe Jaillet]
|
|
|
|
|
- modified patches
|
|
|
|
|
% apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed)
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2.keyring
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Aug 2 17:32:18 UTC 2021 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- introduce APACHE_TACEENABLE sysconfig variable, which translates
|
|
|
|
|
to /etc/apache2/sysconfig.d/global.conf:TraceEnable on/off
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2-global.conf
|
|
|
|
|
% apache2-start_apache2
|
|
|
|
|
% sysconfig.apache2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jun 2 07:31:14 UTC 2021 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.48
|
|
|
|
|
|
|
|
|
|
Changes with Apache 2.4.48
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
|
|
|
|
|
fallback to mod_proxy_http for WebSocket upgrade and tunneling.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
|
|
|
|
|
BZ 65294. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) core: Fix a regression that stripped the ETag header from 304 responses.
|
|
|
|
|
PR 61820 [Ruediger Pluem, Roy T. Fielding]
|
|
|
|
|
|
|
|
|
|
*) core: Adding SSL related inquiry functions to the server API.
|
|
|
|
|
These function are always available, even when no module providing
|
|
|
|
|
SSL is loaded. They provide their own "shadowing" implementation for
|
|
|
|
|
the optional functions of similar name that mod_ssl and impersonators
|
|
|
|
|
of mod_ssl provide.
|
|
|
|
|
This enables loading of several SSL providing modules when all but
|
|
|
|
|
one of them registers itself into the new hooks. Two old-style SSL
|
|
|
|
|
modules will not work, as they replace the others optional functions
|
|
|
|
|
with their own.
|
|
|
|
|
Modules using the old-style optional functions will continue to work
|
|
|
|
|
as core supplies its own versions of those.
|
|
|
|
|
The following has been added so far:
|
|
|
|
|
- ap_ssl_conn_is_ssl() to query if a connection is using SSL.
|
|
|
|
|
- ap_ssl_var_lookup() to query SSL related variables for a
|
|
|
|
|
server/connection/request.
|
|
|
|
|
- Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
|
|
|
|
|
providing SSL can install their own value supplying functions.
|
|
|
|
|
- ap_ssl_add_cert_files() to enable other modules like mod_md to provide
|
|
|
|
|
certificate and keys for an SSL module like mod_ssl.
|
|
|
|
|
- ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
|
|
|
|
|
provide a fallback certificate in case no 'proper' certificate is
|
|
|
|
|
available for an SSL module like mod_ssl.
|
|
|
|
|
- ap_ssl_answer_challenge() to enable other modules like mod_md to
|
|
|
|
|
provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
|
|
|
|
|
for the ACME protocol for an SSL module like mod_ssl. The function
|
|
|
|
|
and its hook provide PEM encoded data instead of file names.
|
|
|
|
|
- Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
|
|
|
|
|
'ssl_answer_challenge' where modules like mod_md can provide providers
|
|
|
|
|
to the above mentioned functions.
|
|
|
|
|
- These functions reside in the new 'http_ssl.h' header file.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This
|
|
|
|
|
allows modules to access and provide OCSP response data without being tied
|
|
|
|
|
of each other. The data is exchanged in standard, portable formats (PEM encoded
|
|
|
|
|
certificates and DER encoded responses), so that the actual SSL/crypto
|
|
|
|
|
implementations used by the modules are independant of each other.
|
|
|
|
|
Registration and retrieval happen in the context of a server (server_rec)
|
|
|
|
|
which modules may use to decide if they are configured for this or not.
|
|
|
|
|
The area of changes:
|
|
|
|
|
1. core: defines 2 functions in include/http_ssl.h, so that modules may
|
|
|
|
|
register a certificate, together with its issuer certificate for OCSP
|
|
|
|
|
response provisioning and ask for current response data (DER bytes) later.
|
|
|
|
|
Also, 2 hooks are defined that allow modules to implement this OCSP
|
|
|
|
|
provisioning.
|
|
|
|
|
2. mod_ssl uses the new functions, in addition to what it did already, to
|
|
|
|
|
register its certificates this way. If no one is interested in providing
|
|
|
|
|
OCSP, it falls back to its own (if configured) stapling implementation.
|
|
|
|
|
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
|
|
|
|
|
on configuration, it will accept registrations of its own certificates only,
|
|
|
|
|
all certificates or none.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_md: v2.4.0 with improvements and bugfixes
|
|
|
|
|
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus
|
|
|
|
|
optional key lengths elliptic curves can be configured. This means you can
|
|
|
|
|
have multiple certificates for a Managed Domain with different key types.
|
|
|
|
|
With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
|
|
|
|
|
certificate and all modern client will use the shorter ECDSA, while older
|
|
|
|
|
client will get the RSA certificate.
|
|
|
|
|
Many thanks to @tlhackque who pushed and helped on this.
|
|
|
|
|
- Support added for MDomains consisting of a wildcard. Configuring
|
|
|
|
|
```MDomain *.host.net``` will match all virtual hosts matching that pattern
|
|
|
|
|
and obtain one certificate for it (assuming you have 'dns-01' challenge
|
|
|
|
|
support configured). Addresses #239.
|
|
|
|
|
- Removed support for ACMEv1 servers. The only known installation used to
|
|
|
|
|
be Let's Encrypt which has disabled that version more than a year ago for
|
|
|
|
|
new accounts.
|
|
|
|
|
- Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the
|
|
|
|
|
```renewing``` call to ```MDMessageCmd``` that can deny a certificate
|
|
|
|
|
renewal attempt. This is useful in clustered installations, as
|
|
|
|
|
discussed in #233).
|
|
|
|
|
- New event ```challenge-setup:<type>:<domain>```, triggered when the
|
|
|
|
|
challenge data for a domain has been created. This is invoked before the
|
|
|
|
|
ACME server is told to check for it. The type is one of the ACME challenge
|
|
|
|
|
types. This is invoked for every DNS name in a MDomain.
|
|
|
|
|
- The max delay for retries has been raised to daily (this is like all
|
|
|
|
|
retries jittered somewhat to avoid repeats at fixed time of day).
|
|
|
|
|
- Certain error codes reported by the ACME server that indicate a problem
|
|
|
|
|
with the configured data now immediately switch to daily retries. For
|
|
|
|
|
example: if the ACME server rejects a contact email or a domain name,
|
|
|
|
|
frequent retries will most likely not solve the problem. But daily retries
|
|
|
|
|
still make sense as there might be an error at the server and un-supervised
|
|
|
|
|
certificate renewal is the goal. Refs #222.
|
|
|
|
|
- Test case and work around for domain names > 64 octets. Fixes #227.
|
|
|
|
|
When the first DNS name of an MD is longer than 63 octets, the certificate
|
|
|
|
|
request will not contain a CN field, but leave it up to the CA to choose one.
|
|
|
|
|
Currently, Lets Encrypt looks for a shorter name in the SAN list given and
|
|
|
|
|
fails the request if none is found. But it is really up to the CA (and what
|
|
|
|
|
browsers/libs accept here) and may change over the years. That is why
|
|
|
|
|
the decision is best made at the CA.
|
|
|
|
|
- Retry delays now have a random +/-[0-50]% modification applied to let
|
|
|
|
|
retries from several servers spread out more, should they have been
|
|
|
|
|
restarted at the same time of day.
|
|
|
|
|
- Fixed several places where the 'badNonce' return code from an ACME server
|
|
|
|
|
was not handled correctly. The test server 'pebble' simulates this behaviour
|
|
|
|
|
by default and helps nicely in verifying this behaviour. Thanks, pebble!
|
|
|
|
|
- Set the default `MDActivationDelay` to 0. This was confusing to users that
|
|
|
|
|
new certificates were deemed not usably before a day of delay. When clocks are
|
|
|
|
|
correct, using a new certificate right away should not pose a problem.
|
|
|
|
|
- When handling ACME authorization resources, the module no longer requires
|
|
|
|
|
the server to return a "Location" header, as was necessary in ACMEv1.
|
|
|
|
|
Fixes #216.
|
|
|
|
|
- Fixed a theoretical uninitialized read when testing for JSON error responses
|
|
|
|
|
from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>.
|
|
|
|
|
- ACME problem reports from CAs that include parameters in the Content-Type
|
|
|
|
|
header are handled correctly. (Previously, the problem text would not be
|
|
|
|
|
reported and retries could exceed CA limits.)
|
|
|
|
|
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
|
|
|
|
|
Previously, an empty JSON object was sent - which apparently LE accepted,
|
|
|
|
|
but others reject.
|
|
|
|
|
[Stefan Eissing, @tlhackque, Andreas Ulm]
|
|
|
|
|
|
|
|
|
|
Changes with Apache 2.4.47
|
|
|
|
|
|
|
|
|
|
*) mod_dav_fs: Improve logging output when failing to open files for
|
|
|
|
|
writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: Fixed a race condition that could lead to streams being
|
|
|
|
|
aborted (RST to the client), although a response had been produced.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_lua: Add support to Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) MPM event/worker: Fix possible crash in child process on early signal
|
|
|
|
|
delivery. PR 64533. [Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) mod_http2: sync with github standalone version 1.15.17
|
|
|
|
|
- Log requests and sent the configured error response in case of early detected
|
|
|
|
|
errors like too many or too long headers. [Ruediger Pluem]
|
|
|
|
|
- new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
|
|
|
|
|
The default is on, which is the behaviour of older mod-h2 versions. When off, all
|
|
|
|
|
bytes are made available immediately to the main connection for sending them
|
|
|
|
|
out to the client. This fixes interop issues with certain flavours of gRPC, see
|
|
|
|
|
also <https://github.com/icing/mod_h2/issues/207>.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_unique_id: Fix potential duplicated ID generation under heavy load.
|
|
|
|
|
PR 65159
|
|
|
|
|
[Jonas Müntener <jonas.muentener ergon.ch>, Christophe Jaillet]
|
|
|
|
|
|
|
|
|
|
*) "[mod_dav_fs etag handling] should really honor the FileETag setting".
|
|
|
|
|
- It now does.
|
|
|
|
|
- Add "Digest" to FileETag directive, allowing a strong ETag to be
|
|
|
|
|
generated using a file digest.
|
|
|
|
|
- Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
|
|
|
|
|
ETag generation.
|
|
|
|
|
- Add concept of "binary notes" to request_rec, allowing packed bit flags
|
|
|
|
|
to be added to a request.
|
|
|
|
|
- First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
|
|
|
|
|
the ETag to a strong ETag to comply with RFC requirements, such as those
|
|
|
|
|
mandated by various WebDAV extensions.
|
|
|
|
|
[Graham Leggett]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http: Fix a possibly crash when the origin connection gets
|
|
|
|
|
interrupted before completion. PR 64234.
|
|
|
|
|
[Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: Do not keep connections to OCSP responders alive when doing
|
|
|
|
|
OCSP requests. PR 64135. [Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: Improve the coalescing filter to buffer into larger TLS
|
|
|
|
|
records, and avoid revealing the HTTP header size via TLS record
|
|
|
|
|
boundaries (for common response generators).
|
|
|
|
|
[Joe Orton, Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_hcheck: Don't pile up health checks if the previous one did
|
|
|
|
|
not finish before hcinterval. PR 63010. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_session: Improve session parsing. [Yann Yalvic]
|
|
|
|
|
|
|
|
|
|
*) mod_authnz_ldap: Prevent authentications with empty passwords for the
|
|
|
|
|
initial bind to fail with status 500. [Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
|
|
|
|
|
the format can't match anyway. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
|
|
|
|
|
Transfer-Encoding from the client, spooling the request body when needed
|
|
|
|
|
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
|
|
|
|
|
proxy_util. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Improve tunneling loop to support half closed connections and
|
|
|
|
|
pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
|
|
|
|
|
and switched protocol forwarding. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
|
|
|
|
|
allowing for (non-)Upgrade negotiation with the origin server.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
|
|
|
|
|
codes. PR63628. [Martin Drößler <mail martindroessler.de>]
|
|
|
|
|
|
|
|
|
|
*) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
|
|
|
|
|
directives. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) core: Ensure that aborted connections are logged as such. PR 62823
|
|
|
|
|
[Arnaud Grandville <contact@grandville.net>]
|
|
|
|
|
|
|
|
|
|
*) http: Allow unknown response status' lines returned in the form of
|
|
|
|
|
"HTTP/x.x xxx Status xxx". [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
|
|
|
|
|
leading to Request Timeout (408). PR 63855. [Yann Ylavic]
|
|
|
|
|
*) core: Remove headers on 304 Not Modified as specified by RFC7234, as
|
|
|
|
|
opposed to passing an explicit subset of headers. PR 61820.
|
|
|
|
|
[Giovanni Bechis]
|
|
|
|
|
|
|
|
|
|
*) mpm_event: Don't reset connections after lingering close, restoring prior
|
|
|
|
|
to 2.4.28 behaviour. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mpm_event: Kill connections in keepalive state only when there is no more
|
|
|
|
|
workers available, not when the maximum number of connections is reached,
|
|
|
|
|
restoring prior to 2.4.30 behaviour. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_unique_id: Use base64url encoding for UNIQUE_ID variable,
|
|
|
|
|
avoiding the use of '@'. PR 57044.
|
|
|
|
|
[Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
|
|
|
|
|
|
|
|
|
|
*) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
|
|
|
|
|
SameSite attribute. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Add proxy check_trans hook. This allows proxy
|
|
|
|
|
modules to decline request handling at early stage.
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_wstunnel: Decline requests without an Upgrade
|
|
|
|
|
header so ws/wss can be enabled overlapping with later
|
|
|
|
|
http/https.
|
|
|
|
|
|
|
|
|
|
*) mod_http2: Log requests and sent the configured error response in case of
|
|
|
|
|
early detected errors like too many or too long headers.
|
|
|
|
|
[Ruediger Pluem, Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
|
|
|
|
|
as proposed by <alexander.gerasimov codeit.pro>. [Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: Fix request body buffering with PHA in TLSv1.3. [Joe Orton]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
|
|
|
|
|
value. PR 64598 [Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
|
|
|
|
|
substitution, such that they apply to the backend connection. Note that
|
|
|
|
|
connection reuse is disabled by default to avoid compatibility issues.
|
|
|
|
|
[Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2.keyring
|
|
|
|
|
- deleted patches
|
|
|
|
|
- apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
|
|
|
|
|
- lua54.patch (upstreamed)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 27 17:42:09 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
|
|
|
|
|
|
|
|
|
|
- Add lua54.patch to fix building with lua54
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 22 12:25:23 UTC 2021 - Michael Ströder <michael@stroeder.com>
|
|
|
|
|
|
|
|
|
|
- added Provides: http_daemon to fix bsc#1180132
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 22 07:44:28 UTC 2021 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- remove suexec2 from premissions as well
|
|
|
|
|
- modified sources
|
|
|
|
|
% permissions.apache2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 13 20:16:34 UTC 2021 - Arjen de Korte <suse+build@de-korte.org>
|
|
|
|
|
|
|
|
|
|
- suexec2 was renamed to suexec in 2015 and the symlink to suexec
|
|
|
|
|
no longer exists
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 12 22:29:52 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
|
|
|
|
|
|
|
|
|
|
- re-add rcapache2 symlink (was lost about 6 weeks ago)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 12 11:24:20 UTC 2021 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- gensslcert sets CA:TRUE in basic constrains of CA cert [bsc#1180530]
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2-gensslcert
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 8 14:59:12 UTC 2021 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- mod_php8 provides php_module
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2-script-helpers
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Dec 17 17:22:23 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- obsolete apache2-example-page and obsolete/provide apache2-doc
|
|
|
|
|
[bsc#180075]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 14 11:19:46 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
|
|
|
|
|
|
|
|
|
|
- only include BuildRequires: apache2-{prefork,worker,event} used in
|
|
|
|
|
test target
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 11 20:01:03 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- added https://httpd.apache.org/server-status like server status
|
|
|
|
|
(configured by APACHE_EXTENDED_STATUS="lua")
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2-mod_status.conf
|
|
|
|
|
% apache2-start_apache2
|
|
|
|
|
% sysconfig.apache2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Dec 10 16:45:36 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- actually install suse provided READMEs
|
|
|
|
|
- install upstream configuration example
|
|
|
|
|
- added sources
|
|
|
|
|
+ apache2-README-configuration.txt
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 9 19:36:02 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- apxs -q PREFIX now returns /srv/www again
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 9 08:00:12 UTC 2020 - Dominique Leuenberger <dleuenberger@suse.com>
|
|
|
|
|
|
|
|
|
|
- Require /usr/bin/which instead of which: allow usage of busybox
|
|
|
|
|
variant for containers.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 7 14:08:42 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- apache2 main package recommends apache2-utils
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Dec 3 11:23:48 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- break some long lines in the spec as requested by review team
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Dec 1 13:14:29 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- maybe make spec acceptable for factory bot
|
|
|
|
|
- modified sources
|
|
|
|
|
% _multibuild
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Dec 1 09:44:08 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- buildrequire netcfg for tests
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Nov 29 13:45:39 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>
|
|
|
|
|
|
|
|
|
|
- remove Requires(post): firewalld hard dependency (this is already
|
|
|
|
|
handled by the %firewalld_reload macro)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Nov 26 12:10:52 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- package reworked trough [bsc#1178478]
|
|
|
|
|
- modified patches
|
|
|
|
|
% apache2-mod_proxy_uwsgi-fix-crash.patch (refreshed)
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2-loadmodule.conf
|
|
|
|
|
% apache2-manual.conf
|
|
|
|
|
% apache2-script-helpers
|
|
|
|
|
% apache2@.service
|
|
|
|
|
% sysconfig.apache2
|
|
|
|
|
- deleted patches
|
|
|
|
|
- deprecated-scripts-arch.patch (not needed)
|
|
|
|
|
- httpd-2.0.54-envvars.dif (not needed)
|
|
|
|
|
- httpd-2.1.3alpha-layout.dif
|
|
|
|
|
(renamed to apache2-system-dirs-layout.patch)
|
|
|
|
|
- httpd-2.2.0-apxs-a2enmod.dif (not needed)
|
|
|
|
|
- httpd-2.4.9-bnc690734.patch
|
|
|
|
|
(renamed to apache2-LimitRequestFieldSize-limits-headers.patch)
|
|
|
|
|
- httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
|
|
|
|
|
(renamed to apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch)
|
|
|
|
|
- httpd-2.x.x-logresolve.patch
|
|
|
|
|
(renamed to apache2-logresolve-tmp-security.patch)
|
|
|
|
|
- httpd-apachectl.patch
|
|
|
|
|
(renamed to apache2-apachectl.patch)
|
|
|
|
|
- httpd-implicit-pointer-decl.patch (not needed)
|
|
|
|
|
- httpd-visibility.patch (not needed)
|
|
|
|
|
- deleted sources
|
|
|
|
|
- SUSE-NOTICE (outdated)
|
|
|
|
|
- a2enflag (renamed to apache2-a2enflag)
|
|
|
|
|
- a2enmod (renamed to apache2-a2enmod)
|
|
|
|
|
- apache-22-24-upgrade (outdated)
|
|
|
|
|
- apache2-README (outdated)
|
|
|
|
|
- apache2-README.QUICKSTART (outedated)
|
|
|
|
|
- apache2-find-directives (renamed to apache2-find_directives)
|
|
|
|
|
- apache2-init.logrotate (not needed)
|
|
|
|
|
- apache2.firewalld (renamed to firewalld.apache2)
|
|
|
|
|
- apache2.logrotate (renamed to logrotate.apache2)
|
|
|
|
|
- apache2.ssl.firewalld (renamed to firewalld-ssl.apache2)
|
|
|
|
|
- apache2.ssl.susefirewall (renamed to susefirewall.apache2)
|
|
|
|
|
- apache2.susefirewall (renamed to susefirewall-ssl.apache2)
|
|
|
|
|
- favicon.ico (not needed)
|
|
|
|
|
- rc.apache2 (not needed)
|
|
|
|
|
- robots.txt (not needed)
|
|
|
|
|
- sysconf_addword (not needed, in aaa_base)
|
|
|
|
|
- added patches
|
|
|
|
|
fix PATCH: https://marc.info/?l=apache-httpd-users&m=147448312531134&w=2
|
|
|
|
|
+ apache-test-application-xml-type.patch
|
|
|
|
|
fix these variables from the test
|
|
|
|
|
+ apache-test-turn-off-variables-in-ssl-var-lookup.patch
|
|
|
|
|
fix [fate317766] backport of an upstream commit
|
|
|
|
|
+ apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch
|
|
|
|
|
fix [bnc#690734] TODO, to be upstreamed
|
|
|
|
|
+ apache2-LimitRequestFieldSize-limits-headers.patch
|
|
|
|
|
fix apachectl is frontend for start_apache2, suse specific
|
|
|
|
|
+ apache2-apachectl.patch
|
|
|
|
|
fix [bnc#210904] perhaps to be upstreamed
|
|
|
|
|
+ apache2-logresolve-tmp-security.patch
|
|
|
|
|
fix layout of system dirs configuration, may be upstreamed
|
|
|
|
|
+ apache2-system-dirs-layout.patch
|
|
|
|
|
- added sources
|
|
|
|
|
+ _multibuild
|
|
|
|
|
+ apache2-a2enflag
|
|
|
|
|
+ apache2-a2enmod
|
|
|
|
|
+ apache2-find_directives
|
|
|
|
|
+ apache2-gensslcert
|
|
|
|
|
+ apache2-mod_example.c
|
|
|
|
|
+ apache2-start_apache2
|
|
|
|
|
+ firewalld-ssl.apache2
|
|
|
|
|
+ firewalld.apache2
|
|
|
|
|
+ logrotate.apache2
|
|
|
|
|
+ susefirewall-ssl.apache2
|
|
|
|
|
+ susefirewall.apache2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Oct 14 09:43:08 UTC 2020 - Franck Bui <fbui@suse.com>
|
|
|
|
|
|
|
|
|
|
- /var/run is depracted, /run should be used instead
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Oct 14 06:43:21 UTC 2020 - Franck Bui <fbui@suse.com>
|
|
|
|
|
|
|
|
|
|
- systemd-ask-password is located in /usr/bin
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 22 09:12:31 UTC 2020 - Jacek Tomasiak <jtomasiak@suse.com>
|
|
|
|
|
|
|
|
|
|
- gensslcert: fix SAN in final cert generation
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 11 15:24:39 UTC 2020 - Franck Bui <fbui@suse.com>
|
|
|
|
|
|
|
|
|
|
- Make use of %service_del_postun_without_restart
|
|
|
|
|
|
|
|
|
|
And stop using DISABLE_RESTART_ON_UPDATE as this interface is
|
|
|
|
|
obsolete.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Aug 31 11:08:16 UTC 2020 - Jacek Tomasiak <jtomasiak@suse.com>
|
|
|
|
|
|
|
|
|
|
- gensslcert: add -a argument to override default SAN value
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Aug 31 09:07:44 UTC 2020 - Antonio Larrosa <alarrosa@suse.com>
|
|
|
|
|
|
|
|
|
|
- Provide mod_ssl to keep compatibility with other distributions.
|
|
|
|
|
Now obsoletes mod_ssl < %{version} instead of mod_ssl < 2.8.16.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 27 11:33:07 UTC 2020 - Dominique Leuenberger <dimstar@opensuse.org>
|
|
|
|
|
|
|
|
|
|
- Install firewalld service files to %{_prefix}/lib/firewalld, NOT
|
|
|
|
|
%{_libexecdir}/firewalld (boo#1174075).
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 7 12:25:58 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.46
|
|
|
|
|
Changes with Apache 2.4.46
|
|
|
|
|
*) mod_proxy_fcgi: Fix build warnings for Windows platform
|
|
|
|
|
[Eric Covener, Christophe Jaillet]
|
|
|
|
|
Changes with Apache 2.4.45
|
|
|
|
|
*) mod_http2: remove support for abandoned http-wg draft
|
|
|
|
|
<https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
Changes with Apache 2.4.44
|
|
|
|
|
*) mod_proxy_uwsgi: Error out on HTTP header larger than 16K (hard
|
|
|
|
|
protocol limit). [Yann Ylavic]
|
|
|
|
|
*) mod_http2:
|
|
|
|
|
Fixes <https://github.com/icing/mod_h2/issues/200>:
|
|
|
|
|
"LimitRequestFields 0" now disables the limit, as documented.
|
|
|
|
|
Fixes <https://github.com/icing/mod_h2/issues/201>:
|
|
|
|
|
Do not count repeated headers with same name against the field
|
|
|
|
|
count limit. The are merged internally, as if sent in a single HTTP/1 line.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_http2: Avoid segfaults in case of handling certain responses for
|
|
|
|
|
already aborted connections. [Stefan Eissing, Ruediger Pluem]
|
|
|
|
|
*) mod_http2: The module now handles master/secondary connections and has marked
|
|
|
|
|
methods according to use. [Stefan Eissing]
|
|
|
|
|
*) core: Drop an invalid Last-Modified header value coming
|
|
|
|
|
from a FCGI/CGI script instead of replacing it with Unix epoch.
|
|
|
|
|
[Yann Ylavic, Luca Toscano]
|
|
|
|
|
*) Add support for strict content-length parsing through addition of
|
|
|
|
|
ap_parse_strict_length() [Yann Ylavic]
|
|
|
|
|
*) mod_proxy_fcgi: ProxyFCGISetEnvIf unsets variables when expression
|
|
|
|
|
evaluates to false. PR64365. [Michael König <mail ikoenig.net>]
|
|
|
|
|
*) mod_proxy_http: flush spooled request body in one go to avoid
|
|
|
|
|
leaking (or long lived) temporary file. PR 64452. [Yann Ylavic]
|
|
|
|
|
*) mod_ssl: Fix a race condition and possible crash when using a proxy client
|
|
|
|
|
certificate (SSLProxyMachineCertificateFile).
|
|
|
|
|
[Armin Abfalterer <a.abfalterer gmail.com>]
|
|
|
|
|
*) mod_ssl: Fix memory leak in stapling code. PR63687. [Stefan Eissing]
|
|
|
|
|
*) mod_http2: Fixed regression that no longer set H2_STREAM_ID and H2_STREAM_TAG.
|
|
|
|
|
PR64330 [Stefan Eissing]
|
|
|
|
|
*) mod_http2: Fixed regression that caused connections to close when mod_reqtimeout
|
|
|
|
|
was configured with a handshake timeout. Fixes gitub issue #196.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_proxy_http2: the "ping" proxy parameter
|
|
|
|
|
(see <https://httpd.apache.org/docs/2.4/mod/mod_proxy.html>) is now used
|
|
|
|
|
when checking the liveliness of a new or reused h2 connection to the backend.
|
|
|
|
|
With short durations, this makes load-balancing more responsive. The module
|
|
|
|
|
will hold back requests until ping conditions are met, using features of the
|
|
|
|
|
HTTP/2 protocol alone. [Ruediger Pluem, Stefan Eissing]
|
|
|
|
|
*) core: httpd is no longer linked against -lsystemd if mod_systemd
|
|
|
|
|
is enabled (and built as a DSO). [Rainer Jung]
|
|
|
|
|
*) mod_proxy_http2: respect ProxyTimeout settings on backend connections
|
|
|
|
|
while waiting on incoming data. [Ruediger Pluem, Stefan Eissing]
|
|
|
|
|
- modified patches
|
|
|
|
|
% apache2-mod_proxy_uwsgi-fix-crash.patch (refreshed)
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2.keyring
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 15 09:16:02 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix crash in mod_proxy_uwsgi for empty values of environment
|
|
|
|
|
variables [bsc#1174052]
|
|
|
|
|
- added patches
|
|
|
|
|
fix https://svn.apache.org/viewvc?view=revision
|
|
|
|
|
+ apache2-mod_proxy_uwsgi-fix-crash.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Apr 3 12:09:55 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- declare ap_sock_disable_nagle to fix loading mod_proxy_http2
|
|
|
|
|
(thanks to mliska@suse.com)
|
|
|
|
|
- modified patches
|
|
|
|
|
% httpd-visibility.patch (refreshed)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Apr 2 08:56:48 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.43
|
|
|
|
|
*) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
|
|
|
|
|
*) mod_proxy_http: Fix the forwarding of requests with content body when a
|
|
|
|
|
balancer member is unavailable; the retry on the next member was issued
|
|
|
|
|
with an empty body (regression introduced in 2.4.41). PR63891.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
|
|
|
|
|
identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
|
|
|
|
|
[Michael Kaufmann, Stefan Eissing]
|
|
|
|
|
*) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
|
|
|
|
|
PR64140. [Renier Velazco <renier.velazco upr.edu>]
|
|
|
|
|
*) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
|
|
|
|
|
PR64172.
|
|
|
|
|
*) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
|
|
|
|
|
to allow customization of the usertrack cookie. PR64077.
|
|
|
|
|
[Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
|
|
|
|
|
*) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
|
|
|
|
|
AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
|
|
|
|
|
*) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
|
|
|
|
|
[Eric Covener, Yann Ylavic]
|
|
|
|
|
*) Add a config layout for OpenWRT. [Graham Leggett]
|
|
|
|
|
*) Add support for cross compiling to apxs. If apxs is being executed from
|
|
|
|
|
somewhere other than its target location, add that prefix to includes and
|
|
|
|
|
library directories. Without this, apxs would fail to find config_vars.mk
|
|
|
|
|
and exit. [Graham Leggett]
|
|
|
|
|
*) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
|
|
|
|
|
issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
|
|
|
|
|
[Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
|
|
|
|
|
*) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
|
|
|
|
|
[Graham Leggett]
|
|
|
|
|
*) mod_ssl: Support use of private keys and certificates from an
|
|
|
|
|
OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
|
|
|
|
|
[Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
|
|
|
|
|
*) mod_md:
|
|
|
|
|
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
|
|
|
|
|
thanks to Timothe Litt (@tlhackque).
|
|
|
|
|
- protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
|
|
|
|
|
check all matching virtual hosts for protocol support. Thanks to @mkauf.
|
|
|
|
|
- Corrected a check when OCSP stapling was configured for hosts
|
|
|
|
|
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
|
|
|
|
|
- Softening the restrictions where mod_md configuration directives may appear. This should
|
|
|
|
|
allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
|
|
|
|
|
you wanted in the first place, is another matter.
|
|
|
|
|
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
|
|
|
|
|
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
|
|
|
|
|
*) test: Added continuous testing with Travis CI.
|
|
|
|
|
This tests various scenarios on Ubuntu with the full test suite.
|
|
|
|
|
Architectures tested: amd64, s390x, ppc64le, arm64
|
|
|
|
|
The tests pass successfully.
|
|
|
|
|
[Luca Toscano, Joe Orton, Mike Rumph, and others]
|
|
|
|
|
*) core: Be stricter in parsing of Transfer-Encoding headers.
|
|
|
|
|
[ZeddYu <zeddyu.lu gmail.com>, Eric Covener]
|
|
|
|
|
*) mod_ssl: negotiate the TLS protocol version per name based vhost
|
|
|
|
|
configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
|
|
|
|
|
SSLProtocol (from the first vhost declared on the IP:port) is now only
|
|
|
|
|
relevant if no SSLProtocol is declared for the vhost or globally,
|
|
|
|
|
otherwise the vhost or global value apply. [Yann Ylavic]
|
|
|
|
|
*) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
|
|
|
|
|
output. PR 64096. [Joe Orton]
|
|
|
|
|
*) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
|
|
|
|
|
[Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]
|
|
|
|
|
*) mod_systemd: New module providing integration with systemd. [Jan Kaluza]
|
|
|
|
|
*) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
|
|
|
|
|
r:notes_table, r:subprocess_env_table as read-only native table alternatives
|
|
|
|
|
that can be iterated over. [Eric Covener]
|
|
|
|
|
*) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
|
|
|
|
|
[Yann Ylavic, Stefan Eissing]
|
|
|
|
|
*) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
|
|
|
|
|
r.headers_out, etc) to remove the key from the table. PR63971.
|
|
|
|
|
[Eric Covener]
|
|
|
|
|
*) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
|
|
|
|
|
ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
|
|
|
|
|
always `on`, regardless of configuration. Found and reported by
|
|
|
|
|
<Armin.Abfalterer@united-security-providers.ch> and
|
|
|
|
|
<Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]
|
|
|
|
|
*) mod_http2: Multiple field length violations in the same request no longer cause
|
|
|
|
|
several log entries to be written. [@mkauf]
|
|
|
|
|
*) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
|
|
|
|
|
[Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
|
|
|
|
|
*) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
|
|
|
|
|
[Jim Jagielski]
|
|
|
|
|
*) mod_authn_socache: Increase the maximum length of strings that can be cached by
|
|
|
|
|
the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
|
|
|
|
|
*) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
|
|
|
|
|
[Ruediger Pluem, Eric Covener]
|
|
|
|
|
*) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
|
|
|
|
|
valid (For example, testing for a file on a flash drive that is not mounted)
|
|
|
|
|
[Christophe Jaillet]
|
|
|
|
|
*) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
|
|
|
|
|
means 'foo' is "not acceptable". PR 58158 [Chistophe Jaillet]
|
|
|
|
|
*) mod_md v2.2.3:
|
|
|
|
|
- Configuring MDCAChallenges replaces any previous existing challenge configuration. It
|
|
|
|
|
had been additive before which was not the intended behaviour. [@mkauf]
|
|
|
|
|
- Fixing order of ACME challenges used when nothing else configured. Code now behaves as
|
|
|
|
|
documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
|
|
|
|
|
- Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
|
|
|
|
|
- Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
|
|
|
|
|
"transfer-encoding" to POST requests. This failed in directy communication with
|
|
|
|
|
Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
|
|
|
|
|
*) mod_md: Adding the several new features.
|
|
|
|
|
The module offers an implementation of OCSP Stapling that can replace fully or
|
|
|
|
|
for a limited set of domains the existing one from mod_ssl. OCSP handling
|
|
|
|
|
is part of mod_md's monitoring and message notifications. If can be used
|
|
|
|
|
for sites that do not have ACME certificates.
|
|
|
|
|
The url for a CTLog Monitor can be configured. It is used in the server-status
|
|
|
|
|
to link to the external status page of a certicate.
|
|
|
|
|
The MDMessageCmd is called with argument "installed" when a new certificate
|
|
|
|
|
has been activated on server restart/reload. This allows for processing of
|
|
|
|
|
the new certificate, for example to applications that require it in different
|
|
|
|
|
locations or formats.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
|
|
|
|
|
protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
|
|
|
|
|
- deleted patches
|
|
|
|
|
- apache2-load-private-keys-from-pkcs11.patch (upstreamed)
|
|
|
|
|
- httpd-2.4.3-mod_systemd.patch (upstreamed)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 26 10:33:47 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- use r1874196 [SLE-7653]
|
|
|
|
|
- modified patches
|
|
|
|
|
% apache2-load-private-keys-from-pkcs11.patch (upstream 2.4.x port)
|
|
|
|
|
- deleted patches
|
|
|
|
|
- apache2-load-certificates-from-pkcs11.patch (merged to above)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 18 12:49:55 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- require just libbrotli-devel
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Feb 13 18:38:57 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- build mod_proxy_http2 extension
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 12 13:13:05 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix build for older distributions
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 31 18:22:09 UTC 2020 - Cristian Rodríguez <crrodriguez@opensuse.org>
|
|
|
|
|
|
|
|
|
|
- define DEFAULT_LISTENBACKLOG=APR_INT32_MAX. We want apache
|
|
|
|
|
to honour net.core.somaxconn sysctl as the mandatory limit.
|
|
|
|
|
the old value of 511 was never used as until v5.4-rc6 it was
|
|
|
|
|
clamped to 128, in current kernels the default limit is 4096.
|
|
|
|
|
Cannot use the apr_socket_listen(.., -1) idiom because the function
|
|
|
|
|
expects a positive integer argument.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 20 13:04:23 UTC 2020 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- apache2-devel now provides httpd-devel [bsc#1160100]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 18 16:36:08 UTC 2019 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- add openssl call to DEFAULT_SUSE comment [bsc#1159480]
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2-ssl-global.conf
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 8 08:58:25 UTC 2019 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- use %license [bsc#1156171]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 22 07:01:23 UTC 2019 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- load private keys and certificates from pkcs11 token [SLE-7653]
|
|
|
|
|
- added patches
|
|
|
|
|
load certificates from openssl engine
|
|
|
|
|
+ apache2-load-certificates-from-pkcs11.patch
|
|
|
|
|
load private keys from openssl engine
|
|
|
|
|
+ apache2-load-private-keys-from-pkcs11.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Oct 5 14:03:54 UTC 2019 - Yunhe Guo <i@guoyunhe.me>
|
|
|
|
|
|
|
|
|
|
- Add custom log files to logrotate according to apache2-vhost.template
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 23 18:06:12 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
|
|
|
|
|
|
- Remove redundant metadata from summary.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 15 09:05:22 UTC 2019 - Michael Ströder <michael@stroeder.com>
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.41 with security fixes:
|
|
|
|
|
* low: Limited cross-site scripting in mod_proxy
|
|
|
|
|
error page (CVE-2019-10092)
|
|
|
|
|
* low: mod_rewrite potential open redirect (CVE-2019-10098)
|
|
|
|
|
* moderate: mod_http2, read-after-free in h2
|
|
|
|
|
connection shutdown (CVE-2019-10082)
|
|
|
|
|
* moderate: mod_http2, memory corruption on
|
|
|
|
|
early pushes (CVE-2019-10081)
|
|
|
|
|
* moderate: mod_http2, DoS attack by exhausting
|
|
|
|
|
h2 workers. (CVE-2019-9517)
|
|
|
|
|
* moderate: mod_remoteip: Stack buffer overflow and
|
|
|
|
|
NULL pointer dereference (CVE-2019-10097)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jun 26 07:34:16 UTC 2019 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix typo
|
|
|
|
|
- modified sources
|
|
|
|
|
% apache2-README-instances.txt
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 13 14:31:22 UTC 2019 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- revive apache-22-24-upgrade [bsc#1134294] (internal)
|
|
|
|
|
- added sources
|
|
|
|
|
+ apache-22-24-upgrade
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Apr 2 10:26:21 UTC 2019 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- version update to 2.4.39
|
|
|
|
|
* mod_proxy/ssl: Cleanup per-request SSL configuration anytime a
|
|
|
|
|
backend connection is recycled/reused to avoid a possible crash
|
|
|
|
|
with some SSLProxy configurations in <Location> or <Proxy>
|
|
|
|
|
context. PR 63256. [Yann Ylavic]
|
|
|
|
|
* mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA
|
|
|
|
|
failure. [Michael Kaufmann <mail michael-kaufmann.ch>]
|
|
|
|
|
* mod_log_config: Support %{c}h for conn-hostname, %h for
|
|
|
|
|
useragent_host PR 55348
|
|
|
|
|
* mod_socache_redis: Support for Redis as socache storage
|
|
|
|
|
provider.
|
|
|
|
|
* core: new configuration option 'MergeSlashes on|off' that
|
|
|
|
|
controls handling of multiple, consecutive slash ('/')
|
|
|
|
|
characters in the path component of the request URL. [Eric
|
|
|
|
|
Covener]
|
|
|
|
|
* mod_http2: when SSL renegotiation is inhibited and a 403
|
|
|
|
|
ErrorDocument is in play, the proper HTTP/2 stream reset did
|
|
|
|
|
not trigger with H2_ERR_HTTP_1_1_REQUIRED. Fixed. [Michael
|
|
|
|
|
Kaufmann]
|
|
|
|
|
* mod_http2: new configuration directive: `H2Padding numbits` to
|
|
|
|
|
control padding of HTTP/2 payload frames. 'numbits' is a number
|
|
|
|
|
from 0-8, controlling the range of padding bytes added to a
|
|
|
|
|
frame. The actual number added is chosen randomly per frame.
|
|
|
|
|
This applies to HEADERS, DATA and PUSH_PROMISE frames equally.
|
|
|
|
|
The default continues to be 0, e.g. no padding. [Stefan
|
|
|
|
|
Eissing]
|
|
|
|
|
* mod_http2: ripping out all the h2_req_engine internal features
|
|
|
|
|
now that mod_proxy_http2 has no more need for it. Optional
|
|
|
|
|
functions are still declared but no longer implemented. While
|
|
|
|
|
previous mod_proxy_http2 will work with this, it is
|
|
|
|
|
recommeneded to run the matching versions of both modules.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
* mod_proxy_http2: changed mod_proxy_http2 implementation and
|
|
|
|
|
fixed several bugs which resolve PR63170. The proxy module does
|
|
|
|
|
now a single h2 request on the (reused) connection and returns.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
* mod_http2/mod_proxy_http2: proxy_http2 checks correct master
|
|
|
|
|
connection aborted status to trigger immediate shutdown of
|
|
|
|
|
backend connections. This is now always signalled by mod_http2
|
|
|
|
|
when the the session is being released. proxy_http2 now only
|
|
|
|
|
sends a PING frame to the backend when there is not already one
|
|
|
|
|
in flight. [Stefan Eissing]
|
|
|
|
|
* mod_proxy_http2: fixed an issue where a proxy_http2 handler
|
|
|
|
|
entered an infinite loop when encountering certain errors on
|
|
|
|
|
the backend connection. See
|
|
|
|
|
<https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan
|
|
|
|
|
Eissing]
|
|
|
|
|
* mod_http2: Configuration directives H2Push and H2Upgrade can
|
|
|
|
|
now be specified per Location/Directory, e.g. disabling PUSH
|
|
|
|
|
for a specific set of resources. [Stefan Eissing]
|
|
|
|
|
* mod_http2: HEAD requests to some module such as mod_cgid caused
|
|
|
|
|
the stream to terminate improperly and cause a HTTP/2
|
|
|
|
|
PROTOCOL_ERROR. Fixes
|
|
|
|
|
<https://github.com/icing/mod_h2/issues/167>. [Michael
|
|
|
|
|
Kaufmann]
|
|
|
|
|
* http: Fix possible empty response with mod_ratelimit for HEAD
|
|
|
|
|
requests. PR 63192. [Yann Ylavic]
|
|
|
|
|
* mod_cache_socache: Avoid reallocations and be safe with
|
|
|
|
|
outgoing data lifetime. [Yann Ylavic]
|
|
|
|
|
* MPMs unix: bind the bucket number of each child to its slot
|
|
|
|
|
number, for a more efficient per bucket maintenance. [Yann
|
|
|
|
|
Ylavic]
|
|
|
|
|
* mod_auth_digest: Fix a race condition. Authentication with
|
|
|
|
|
valid credentials could be refused in case of concurrent
|
|
|
|
|
accesses from different users. PR 63124. [Simon Kappel
|
|
|
|
|
<simon.kappel axis.com>]
|
|
|
|
|
* mod_http2: enable re-use of slave connections again. Fixed
|
|
|
|
|
slave connection keepalives counter. [Stefan Eissing]
|
|
|
|
|
* mod_reqtimeout: Allow to configure (TLS-)handshake timeouts. PR
|
|
|
|
|
61310. [Yann Ylavic]
|
|
|
|
|
* mod_proxy_wstunnel: Fix websocket proxy over UDS. PR 62932
|
|
|
|
|
<pavel dcmsys.com>
|
|
|
|
|
* mod_ssl: Don't unset FIPS mode on restart unless it's forced by
|
|
|
|
|
configuration (SSLFIPS on) and not active by default in
|
|
|
|
|
OpenSSL. PR 63136. [Yann Ylavic]
|
|
|
|
|
- deleted patches
|
|
|
|
|
- apache2-mod_http2-issue-167.patch (upstreamed)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 18 21:44:17 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
|
|
|
|
|
|
- Reduce scriptlets' hard dependency on systemd.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 27 14:15:52 UTC 2019 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- added patches
|
|
|
|
|
fix https://github.com/icing/mod_h2/issues/167 [bsc#1125965]
|
|
|
|
|
+ apache2-mod_http2-issue-167.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Feb 8 01:58:37 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
|
|
|
|
|
|
|
|
|
|
- Replace old $RPM_* shell vars. Avoid old tar syntax.
|
|
|
|
|
- Tag scriptlets as explicitly requiring bash.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 18 15:12:08 UTC 2019 - Manu Maier <mmanu84@outlook.de>
|
|
|
|
|
|
|
|
|
|
- updated to 2.4.38
|
|
|
|
|
* mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
|
|
|
|
|
PR 63052 [Joe Orton]
|
|
|
|
|
* mod_negotiation: Treat LanguagePriority as case-insensitive to match
|
|
|
|
|
AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
|
|
|
|
|
* mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
|
|
|
|
|
have been fixed. [Michael Kaufmann, Stefan Eissing]
|
|
|
|
|
* mod_setenvif: We can have expressions that become true if a regex pattern
|
|
|
|
|
in the expression does NOT match. In this case val is NULL
|
|
|
|
|
and we should just set the value for the environment variable
|
|
|
|
|
like in the pattern case. [Ruediger Pluem]
|
|
|
|
|
* mod_session: Always decode session attributes early. [Hank Ibell]
|
|
|
|
|
* core: Incorrect values for environment variables are substituted when
|
|
|
|
|
multiple environment variables are specified in a directive. [Hank Ibell]
|
|
|
|
|
* mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
|
|
|
|
|
this type of map is present in the configuration. PR62311.
|
|
|
|
|
[Hank Ibell <hwibell gmail.com>]
|
|
|
|
|
* mod_dav: Fix invalid Location header when a resource is created by
|
|
|
|
|
passing an absolute URI on the request line [Jim Jagielski]
|
|
|
|
|
* mod_session_cookie: avoid duplicate Set-Cookie header in the response.
|
|
|
|
|
[Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
|
|
|
|
|
* mod_ssl: clear *SSL errors before loading certificates and checking
|
|
|
|
|
afterwards. Otherwise errors are reported when other SSL using modules
|
|
|
|
|
are in play. Fixes PR 62880. [Michael Kaufmann]
|
|
|
|
|
* mod_ssl: Fix the error code returned in an error path of
|
|
|
|
|
'ssl_io_filter_handshake()'. This messes-up error handling performed
|
|
|
|
|
in 'ssl_io_filter_error()' [Yann Ylavic]
|
|
|
|
|
* mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
|
|
|
|
|
authz provider so "Require ssl" works correctly in HTTP/2.
|
|
|
|
|
PR 61519, 62654. [Joe Orton, Stefan Eissing]
|
|
|
|
|
* mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
|
|
|
|
|
redirects, subsequent ProxyPassReverse statements, whether they are
|
|
|
|
|
relative or absolute, may fail. PR 60408. [Peter Haworth <pmh1wheel gmail.com>]
|
|
|
|
|
* mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 16 08:56:20 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>
|
|
|
|
|
|
|
|
|
|
- SSLProtocol use TLSv1.2 or higher
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 9 10:26:46 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
|
|
|
|
|
|
|
|
|
|
- do not create sysconfig.d when already exists [bsc#1121086]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Jan 6 15:14:43 UTC 2019 - Dirk Mueller <dmueller@suse.com>
|
|
|
|
|
|
|
|
|
|
- use secure http sites by default in configs
|
|
|
|
|
- Switch to DEFAULT_SUSE Cipher suite
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 25 17:28:42 UTC 2018 - Arjen de Korte <suse+build@de-korte.org>
|
|
|
|
|
|
|
|
|
|
- the "event" MPM is fully supported since 2.4
|
|
|
|
|
- configure an OCSP stapling cache by default (still requires enabling
|
|
|
|
|
SSLUseStapling in vhost)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 18 20:41:02 UTC 2018 - Manu Maier <mmanu84@outlook.de>
|
|
|
|
|
|
|
|
|
|
- updated to 2.4.37
|
|
|
|
|
* mod_ssl: Fix HTTP/2 failures when using OpenSSL 1.1.1. [Rainer Jung]
|
|
|
|
|
* mod_ssl: Fix crash during SSL renegotiation with OptRenegotiate set,
|
|
|
|
|
when client certificates are available from the original handshake
|
|
|
|
|
but were originally not verified and should get verified now.
|
|
|
|
|
This is a regression in 2.4.36 (unreleased). [Ruediger Pluem]
|
|
|
|
|
* mod_ssl: Correctly merge configurations that have client certificates set
|
|
|
|
|
by SSLProxyMachineCertificate{File|Path}. [Ruediger Pluem]
|
|
|
|
|
- updated to 2.4.36
|
|
|
|
|
* mod_brotli, mod_deflate: Restore the separate handling of 304 Not Modified
|
|
|
|
|
responses. Regression introduced in 2.4.35.
|
|
|
|
|
* mod_proxy_scgi, mod_proxy_uwsgi: improve error handling when sending the
|
|
|
|
|
body of the response. [Jim Jagielski]
|
|
|
|
|
* mod_http2: adding defensive code for stream EOS handling, in case the request handler
|
|
|
|
|
missed to signal it the normal way (eos buckets). Addresses github issues
|
|
|
|
|
https://github.com/icing/mod_h2/issues/164, https://github.com/icing/mod_h2/issues/167
|
|
|
|
|
and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing]
|
|
|
|
|
* ab: Add client certificate support. [Graham Leggett]
|
|
|
|
|
* ab: Disable printing temp key for OpenSSL before
|
|
|
|
|
version 1.0.2. SSL_get_server_tmp_key is not available
|
|
|
|
|
there. [Rainer Jung]
|
|
|
|
|
* mod_ssl: Fix a regression that the configuration settings for verify mode
|
|
|
|
|
and verify depth were taken from the frontend connection in case of
|
|
|
|
|
connections by the proxy to the backend. PR 62769. [Ruediger Pluem]
|
|
|
|
|
* MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
|
|
|
|
|
before signals handling to avoid lifetime issues on restart or shutdown.
|
|
|
|
|
PR 62658. [Yann Ylavic]
|
|
|
|
|
* mod_ssl: Add support for OpenSSL 1.1.1 and TLSv1.3. TLSv1.3 has
|
|
|
|
|
behavioural changes compared to v1.2 and earlier; client and
|
|
|
|
|
configuration changes should be expected. SSLCipherSuite is
|
|
|
|
|
enhanced for TLSv1.3 ciphers, but applies at vhost level only.
|
|
|
|
|
[Stefan Eissing, Yann Ylavic, Ruediger Pluem, Joe Orton]
|
|
|
|
|
* mod_auth_basic: Be less tolerant when parsing the credencial. Only spaces
|
|
|
|
|
should be accepted after the authorization scheme. \t are also tolerated.
|
|
|
|
|
[Christophe Jaillet]
|
|
|
|
|
* mod_proxy_hcheck: Fix issues with interval determination. PR 62318
|
|
|
|
|
[Jim Jagielski]
|
|
|
|
|
* mod_proxy_hcheck: Fix issues with TCP health checks. PR 61499
|
|
|
|
|
[Dominik Stillhard <dominik.stillhard united-security-providers.ch>]
|
|
|
|
|
* mod_proxy_hcheck: take balancer's SSLProxy* directives into account.
|
|
|
|
|
[Jim Jagielski]
|
|
|
|
|
* mod_status, mod_echo: Fix the display of client addresses.
|
|
|
|
|
They were truncated to 31 characters which is not enough for IPv6 addresses.
|
|
|
|
|
This is done by deprecating the use of the 'client' field and using
|
|
|
|
|
the new 'client64' field in worker_score.
|
|
|
|
|
PR 54848 [Bernhard Schmidt <berni birkenwald de>, Jim Jagielski]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 1 13:38:05 UTC 2018 - Petr Gajdos <pgajdos@suse.com>
|
|
|
|
|
|
|
|
|
|
- consider also patterns in APACHE_CONF_INCLUDE_DIRS as documentation
|
|
|
|
|
says (patch Juergen Gleiss)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Sep 27 10:25:40 UTC 2018 - Petr Gajdos <pgajdos@suse.com>
|
|
|
|
|
|
|
|
|
|
- relink /usr/sbin/httpd after apache2-MPM uninstall [bsc#1107930c#1]
|
|
|
|
|
- simplify find_mpm function from script-helpers
|
|
|
|
|
- /usr/sbin/httpd is now created depending on preference hardcoded
|
|
|
|
|
in find_mpm (script-helpers), not depending on alphabetical
|
|
|
|
|
order of MPMs
|
|
|
|
|
- simplify spec file a bit
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 24 12:53:08 UTC 2018 - Michael Ströder <michael@stroeder.com>
|
|
|
|
|
|
|
|
|
|
- updated to 2.4.35:
|
|
|
|
|
* http: Enforce consistently no response body with both 204 and 304
|
|
|
|
|
statuses.
|
|
|
|
|
* mod_status: Cumulate CPU time of exited child processes in the
|
|
|
|
|
"cu" and "cs" values. Add CPU time of the parent process to the
|
|
|
|
|
"c" and "s" values.
|
|
|
|
|
* mod_proxy: Improve the balancer member data shown in mod_status when
|
|
|
|
|
"ProxyStatus" is "On": add "busy" count and show byte counts in
|
|
|
|
|
auto mode always in units of kilobytes.
|
|
|
|
|
* mod_status: Add cumulated response duration time in milliseconds.
|
|
|
|
|
* mod_status: Complete the data shown for async MPMs in "auto" mode.
|
|
|
|
|
Added number of processes, number of stopping processes and number
|
|
|
|
|
of busy and idle workers.
|
|
|
|
|
* mod_ratelimit: Don't interfere with "chunked" encoding, fixing regression
|
|
|
|
|
introduced in 2.4.34. PR 62568.
|
|
|
|
|
* mod_proxy: Remove load order and link dependency between mod_lbmethod_*
|
|
|
|
|
modules and mod_proxy. PR 62557.
|
|
|
|
|
* Allow the argument to <IfFile>, <IfDefine>, <IfSection>, <IfDirective>,
|
|
|
|
|
and <IfModule> to be quoted. This is primarily for the benefit of
|
|
|
|
|
<IfFile>.
|
|
|
|
|
* mod_watchdog: Correct some log messages.
|
|
|
|
|
* mod_md: When the last domain name from an MD is moved to another one,
|
|
|
|
|
that now empty MD gets moved to the store archive. PR 62572.
|
|
|
|
|
* mod_ssl: Fix merging of SSLOCSPOverrideResponder.
|
|
|
|
|
* mod_proxy_balancer: Restore compatibility with APR 1.4.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 16 12:03:39 UTC 2018 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- updated to 2.4.34:
|
|
|
|
|
*) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error
|
|
|
|
|
document translations. [CodeingBoy, popcorner]
|
|
|
|
|
*) event: avoid possible race conditions with modules on the child pool.
|
|
|
|
|
[Stefan Fritsch]
|
|
|
|
|
*) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or
|
|
|
|
|
ProxyPassReverseCookiePath directive could fail to update correctly
|
|
|
|
|
'domain=' or 'path=' in the 'Set-Cookie' header. PR 61560.
|
|
|
|
|
[Christophe Jaillet]
|
|
|
|
|
*) mod_ratelimit: fix behavior when proxing content. PR 62362.
|
|
|
|
|
[Luca Toscano, Yann Ylavic]
|
|
|
|
|
*) core: Re-allow '_' (underscore) in hostnames.
|
|
|
|
|
[Eric Covener]
|
|
|
|
|
*) mod_authz_core: If several parameters are used in a AuthzProviderAlias
|
|
|
|
|
directive, if these parameters are not enclosed in quotation mark, only
|
|
|
|
|
the first one is handled. The other ones are silently ignored.
|
|
|
|
|
Add a message to warn about such a spurious configuration.
|
|
|
|
|
PR 62469 [Hank Ibell <hwibell gmail.com>, Christophe Jaillet]
|
|
|
|
|
*) mod_md: improvements and bugfixes
|
|
|
|
|
- MDNotifyCmd now takes additional parameter that are passed on to the called command.
|
|
|
|
|
- ACME challenges have better checks for interference with other modules
|
|
|
|
|
- ACME challenges are only handled for domains managed by the module, allowing
|
|
|
|
|
other ACME clients to operate for other domains in the server.
|
|
|
|
|
- better libressl integration
|
|
|
|
|
*) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
|
|
|
|
|
PR 62480. [Lubos Uhliarik <luhliari redhat.com>}
|
|
|
|
|
*) logging: Some early logging-related startup messages could be lost
|
|
|
|
|
when using syslog for the global ErrorLog. [Eric Covener]
|
|
|
|
|
*) mod_cache: Handle case of an invalid Expires header value RFC compliant
|
|
|
|
|
like the case of an Expires time in the past: allow to overwrite the
|
|
|
|
|
non-caching decision using CacheStoreExpired and respect Cache-Control
|
|
|
|
|
"max-age" and "s-maxage". [Rainer Jung]
|
|
|
|
|
*) mod_xml2enc: Fix forwarding of error metadata/responses. PR 62180.
|
|
|
|
|
[Micha Lenk <micha lenk.info>, Yann Ylavic]
|
|
|
|
|
*) mod_proxy_http: Fix response header thrown away after the previous one
|
|
|
|
|
was considered too large and truncated. PR 62196. [Yann Ylavic]
|
|
|
|
|
*) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family
|
|
|
|
|
of functions to consume the end of line when the buffer is exhausted.
|
|
|
|
|
PR 62198. [Yann Ylavic]
|
|
|
|
|
*) mod_proxy_http: Add new worker parameter 'responsefieldsize' to
|
|
|
|
|
allow maximum HTTP response header size to be increased past 8192
|
|
|
|
|
bytes. PR 62199. [Hank Ibell <hwibell gmail.com>]
|
|
|
|
|
*) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf
|
|
|
|
|
of a certificate chain. PR62112.
|
|
|
|
|
[Ricardo Martin Camarero <rickyepoderi yahoo.es>]
|
|
|
|
|
*) http: Fix small memory leak per request when handling persistent
|
|
|
|
|
connections. [Ruediger Pluem, Joe Orton]
|
|
|
|
|
*) mod_proxy_html: Fix variable interpolation and memory allocation failure
|
|
|
|
|
in ProxyHTMLURLMap. [Ewald Dieterich <ewald mailbox.org>]
|
|
|
|
|
*) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
|
|
|
|
|
PR 62220. [Chritophe Jaillet, Yann Ylavic]
|
|
|
|
|
*) mod_remoteip: When overriding the useragent address from X-Forwarded-For,
|
|
|
|
|
zero out what had been initialized as the connection-level port. PR59931.
|
|
|
|
|
[Hank Ibell <hwibell gmail.com>]
|
|
|
|
|
*) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) mod_proxy_balancer: Add hot spare member type and corresponding flag (R).
|
|
|
|
|
Hot spare members are used as drop-in replacements for unusable workers
|
|
|
|
|
in the same load balancer set. This differs from hot standbys which are
|
|
|
|
|
only used when all workers in a set are unusable. PR 61140. [Jim Riggs]
|
|
|
|
|
*) suexec: Add --enable-suexec-capabilites support on Linux, to use
|
|
|
|
|
setuid/setgid capability bits rather than a setuid root binary.
|
|
|
|
|
[Joe Orton]
|
|
|
|
|
*) suexec: Add support for logging to syslog as an alternative to
|
|
|
|
|
logging to a file; use --without-suexec-logfile --with-suexec-syslog.
|
|
|
|
|
[Joe Orton]
|
|
|
|
|
*) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling
|
|
|
|
|
which broke some rare but previously-working configs. [Joe Orton]
|
|
|
|
|
*) core, log: improve sanity checks for the ErrorLog's syslog config, and
|
|
|
|
|
explicitly allow only lowercase 'syslog' settings. PR 62102
|
|
|
|
|
[Luca Toscano, Jim Riggs, Christophe Jaillet]
|
|
|
|
|
*) mod_http2: accurate reporting of h2 data input/output per request via
|
|
|
|
|
mod_logio. Fixes an issue where output sizes where counted n-times on
|
|
|
|
|
reused slave connections. [Stefan Eissing]
|
|
|
|
|
See github issue: https://github.com/icing/mod_h2/issues/158
|
|
|
|
|
*) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_proxy: Do not restrict the maximum pool size for backend connections
|
|
|
|
|
any longer by the maximum number of threads per process and use a better
|
|
|
|
|
default if mod_http2 is loaded.
|
|
|
|
|
[Yann Ylavic, Ruediger Pluem, Stefan Eissing, Gregg Smith]
|
|
|
|
|
*) mod_slotmem_shm: Add generation number to shm filename to fix races
|
|
|
|
|
with graceful restarts. PRs 62044 and 62308. [Jim Jagielski, Yann Ylavic]
|
|
|
|
|
*) core: Preserve the original HTTP request method in the '%<m' LogFormat
|
|
|
|
|
when an path-based ErrorDocument is used. PR 62186.
|
|
|
|
|
[Micha Lenk <micha lenk.info>]
|
|
|
|
|
*) mod_remoteip: make proxy-protocol work on slave connections, e.g. in
|
|
|
|
|
HTTP/2 requests. [Stefan Eissing]
|
|
|
|
|
See also https://github.com/roadrunner2/mod-proxy-protocol/issues/6
|
|
|
|
|
*) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections,
|
|
|
|
|
regression introduced in 2.4.30. PR 62232. [Rainer Jung, Yann Ylavic]
|
|
|
|
|
*) mod_md: Fix compilation with OpenSSL before version 1.0.2. [Rainer Jung]
|
|
|
|
|
*) mod_dumpio: do nothing below log level TRACE7. [Yann Ylavic]
|
|
|
|
|
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
|
|
|
|
|
[Eric Covener]
|
|
|
|
|
*) core: On ECBDIC platforms, some errors related to oversized headers
|
|
|
|
|
may be misreported or be logged as ASCII escapes. PR 62200
|
|
|
|
|
[Hank Ibell <hwibell gmail.com>]
|
|
|
|
|
*) mod_ssl: Fix cmake-based build. PR 62266. [Rainer Jung]
|
|
|
|
|
*) core: Add <IfFile>, <IfDirective> and <IfSection> conditional
|
|
|
|
|
section containers. [Eric Covener, Joe Orton]
|
|
|
|
|
* %check: do not load all modules, just use default loadmodule.conf; some
|
|
|
|
|
modules require to load another ones in advance
|
|
|
|
|
* %install: parallel install is broken
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 27 15:22:00 UTC 2018 - mikhail.kasimov@gmail.com
|
|
|
|
|
|
|
|
|
|
- Updated description for SSLProtocol option. [bsc#1086854]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 27 14:19:00 UTC 2018 - mikhail.kasimov@gmail.com
|
|
|
|
|
|
|
|
|
|
- Updated description (PCI DSS) for SSLProtocol option. [bsc#1086854]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 26 14:16:14 UTC 2018 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- SSLProtocol TLSv1.2 [bsc#1086854]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 19 09:15:28 UTC 2018 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- updated to 2.4.33:
|
|
|
|
|
*) core: Fix request timeout logging and possible crash for error_log hooks.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) mod_slomem_shm: Fix failure to create balancers's slotmems in Windows MPM,
|
|
|
|
|
where children processes need to attach them instead since they are owned
|
|
|
|
|
by the parent process already. [Yann Ylavic]
|
|
|
|
|
*) ab: try all destination socket addresses returned by
|
|
|
|
|
apr_sockaddr_info_get instead of failing on first one when not available.
|
|
|
|
|
Needed for instance if localhost resolves to both ::1 and 127.0.0.1
|
|
|
|
|
e.g. if both are in /etc/hosts. [Jan Kaluza]
|
|
|
|
|
*) ab: Use only one connection to determine working destination socket
|
|
|
|
|
address. [Jan Kaluza]
|
|
|
|
|
*) ab: LibreSSL doesn't have or require Windows applink.c. [Gregg L. Smith]
|
|
|
|
|
*) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
|
|
|
|
|
apr-util's bcrypt implementation doesn't tolerate EBCDIC. [Eric Covener]
|
|
|
|
|
*) htpasswd/htdbm: report the right limit when get_password() overflows.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) htpasswd: Don't fail in -v mode if password file is unwritable.
|
|
|
|
|
PR 61631. [Joe Orton]
|
|
|
|
|
*) htpasswd: don't point to (unused) stack memory on output
|
|
|
|
|
to make static analysers happy. PR 60634.
|
|
|
|
|
[Yann Ylavic, reported by shqking and Zhenwei Zou]
|
|
|
|
|
*) mod_access_compat: Fail if a comment is found in an Allow or Deny
|
|
|
|
|
directive. [Jan Kaluza]
|
|
|
|
|
*) mod_authz_host: Ignore comments after "Require host", logging a
|
|
|
|
|
warning, or logging an error if the line is otherwise empty.
|
|
|
|
|
[Jan Kaluza, Joe Orton]
|
|
|
|
|
*) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
|
|
|
|
|
Y2K38 bug. [Joe Orton]
|
|
|
|
|
*) mod_ssl: Support SSL DN raw variable extraction without conversion
|
|
|
|
|
to UTF-8, using _RAW suffix on variable names. [Joe Orton]
|
|
|
|
|
*) ab: Fix https:// connection failures (regression in 2.4.30); fix
|
|
|
|
|
crash generating CSV output for large -n. [Joe Orton, Jan Kaluza]
|
|
|
|
|
*) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
|
|
|
|
|
parameters. [Luca Toscano, Ruediger Pluem, Yann Ylavic]
|
|
|
|
|
*) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
|
|
|
|
|
improper merging of the cache lock in vhost config.
|
|
|
|
|
PR 43164 [Eric Covener]
|
|
|
|
|
*) mpm_event: Do lingering close in worker(s). [Yann Ylavic]
|
|
|
|
|
*) mpm_queue: Put fdqueue code in common for MPMs event and worker.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) mod_session: Strip Session header when SessionEnv is on. [Yann Ylavic]
|
|
|
|
|
*) mod_cache_socache: Fix caching of empty headers up to carriage return.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) core: For consistency, ensure that read lines are NUL terminated on any
|
|
|
|
|
error, not only on buffer full. [Yann Ylavic]
|
|
|
|
|
*) mod_authnz_ldap: Fix language long names detection as short name.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) mod_proxy: Worker schemes and hostnames which are too large are no
|
|
|
|
|
longer fatal errors; it is logged and the truncated values are stored.
|
|
|
|
|
[Jim Jagielski]
|
|
|
|
|
*) regex: Allow to configure global/default options for regexes, like
|
|
|
|
|
caseless matching or extended format. [Yann Ylavic]
|
|
|
|
|
*) mod_auth_digest: Actually use the secret when generating nonces. This change
|
|
|
|
|
may cause problems if used with round robin load balancers. PR 54637
|
|
|
|
|
[Stefan Fritsch]
|
|
|
|
|
*) mod_proxy: Allow setting options to globally defined balancer from
|
|
|
|
|
ProxyPass used in VirtualHost. Balancers are now merged using the new
|
|
|
|
|
merge_balancers method which merges the balancers options. [Jan Kaluza]
|
|
|
|
|
*) logresolve: Fix incorrect behavior or segfault if -c flag is used
|
|
|
|
|
Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
|
|
|
|
|
[Stefan Fritsch]
|
|
|
|
|
*) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
|
|
|
|
|
Add ability for PROXY protocol processing to be optional to donated code.
|
|
|
|
|
See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
|
|
|
|
|
[Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri]
|
|
|
|
|
*) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
|
|
|
|
|
allowing per backend TLS configuration. [Yann Ylavic]
|
|
|
|
|
*) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module. [Roberto De Ioris,
|
|
|
|
|
Jim Jagielski]
|
|
|
|
|
*) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
|
|
|
|
|
depend on the number of restarts (non-Unix systems) and preserve shared
|
|
|
|
|
names as much as possible on configuration changes for SHMs and persisted
|
|
|
|
|
files. PR 62044. [Yann Ylavic, Jim Jagielski]
|
|
|
|
|
*) mod_http2: obsolete code removed, no more events on beam pool destruction,
|
|
|
|
|
discourage content encoders on http2-status response (where they do not work).
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mpm_event: Let the listener thread do its maintenance job on resources
|
|
|
|
|
shortage. PR 61979. [Yann Ylavic]
|
|
|
|
|
*) mpm_event: Wakeup the listener to re-enable listening sockets.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) mod_ssl: The SSLCompression directive will now give an error if used
|
|
|
|
|
with an OpenSSL build which does not support any compression methods.
|
|
|
|
|
[Joe Orton]
|
|
|
|
|
*) mpm_event,worker: Mask signals for threads created by modules in child
|
|
|
|
|
init, so that they don't receive (implicitely) the ones meant for the MPM.
|
|
|
|
|
PR 62009. [Armin Abfalterer <a.abfalterer gmail com>, Yann Ylavic]
|
|
|
|
|
*) mod_md: new experimental, module for managing domains across virtual hosts,
|
|
|
|
|
implementing the Let's Encrypt ACMEv1 protocol to signup and renew
|
|
|
|
|
certificates. Please read the modules documentation for further instructions
|
|
|
|
|
on how to use it. [Stefan Eissing]
|
|
|
|
|
*) mod_proxy_html: skip documents shorter than 4 bytes
|
|
|
|
|
PR 56286 [Micha Lenk <micha lenk info>]
|
|
|
|
|
*) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
|
|
|
|
|
the lifetime of the connection, each time it is processed by MPM event.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) mpm_event: Update scoreboard status for KeepAlive state. [Yann Ylavic]
|
|
|
|
|
*) mod_ldap: Fix a case where a full LDAP cache would continually fail to
|
|
|
|
|
purge old entries and log AH01323. PR61891.
|
|
|
|
|
[Hendrik Harms <hendrik.harms gmail.com>]
|
|
|
|
|
*) mpm_event: close connections not reported as handled by any module to
|
|
|
|
|
avoid losing track of them and leaking scoreboard entries. PR 61551.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) core: A signal received while stopping could have crashed the main
|
|
|
|
|
process. PR 61558. [Yann Ylavic]
|
|
|
|
|
*) mod_ssl: support for mod_md added. [Stefan Eissing]
|
|
|
|
|
*) mod_proxy_html: process parsed comments immediately.
|
|
|
|
|
Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
|
|
|
|
|
where parsed comments may be lost. [Nick Kew]
|
|
|
|
|
*) mod_proxy_html: introduce doctype for HTML 5 [Nick Kew]
|
|
|
|
|
*) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
|
|
|
|
|
HTML/XHTML. PR 56457 [Nick Kew]
|
|
|
|
|
*) mpm_event: avoid a very unlikely race condition between the listener and
|
|
|
|
|
the workers when the latter fails to add a connection to the pollset.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
*) core: silently ignore a not existent file path when IncludeOptional
|
|
|
|
|
is used. PR 57585. [Alberto Murillo Silva <powerbsd yahoo.com>, Luca Toscano]
|
|
|
|
|
*) mod_macro: fix usability of globally defined macros in .htaccess files.
|
|
|
|
|
PR 57525. [Jose Kahan <jose w3.org>, Yann Ylavic]
|
|
|
|
|
*) mod_rewrite, core: add the Vary header when a condition evaluates to true
|
|
|
|
|
and the related RewriteRule is used in a Directory context
|
|
|
|
|
(triggering an internal redirect). [Luca Toscano]
|
|
|
|
|
*) ab: Make the TLS layer aware that the underlying socket is nonblocking,
|
|
|
|
|
and use/handle POLLOUT where needed to avoid busy IOs and recover write
|
|
|
|
|
errors when appropriate. [Yann Ylavic]
|
|
|
|
|
*) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
|
|
|
|
|
read was incomplete (the SSL case can cause the next poll() to timeout
|
|
|
|
|
since data are buffered already). PR 61301 [Luca Toscano, Yann Ylavic]
|
|
|
|
|
*) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
|
|
|
|
|
information retrievals on null bucket beams where it makes sense. [Stefan Eissing]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 19 07:53:04 UTC 2018 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- Replace SuSEFirewall2 by firewalld II (fate#323460) [bsc#1083492]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 5 07:14:03 UTC 2018 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- build mod_http2 also for 42.3
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Feb 2 07:39:23 UTC 2018 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- remove NameVirtualHost from documentation [bsc#1078557]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 30 09:16:26 UTC 2018 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- for older distros, still use SuSEFirewall2 [bsc#1071548c#7]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 29 09:23:46 UTC 2018 - knut.anderssen@suse.com
|
|
|
|
|
|
|
|
|
|
- Replace SuSEFirewall2 by firewalld (fate#323460)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 20 16:18:56 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- build brotli module
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 20 13:17:46 UTC 2017 - fcrozat@suse.com
|
|
|
|
|
|
|
|
|
|
- Do not requires w3m, only recommends it.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Dec 19 09:47:13 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- do not build with nghttp2 for SLE-12-SP3
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 15 13:05:29 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- which was split after SLE11
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Nov 26 17:25:10 UTC 2017 - sergiolindo.empresa@gmail.com
|
|
|
|
|
|
|
|
|
|
- Add which and w3m as dependencies. poo#28406
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Nov 23 13:43:30 UTC 2017 - rbrown@suse.com
|
|
|
|
|
|
|
|
|
|
- Replace references to /var/adm/fillup-templates with new
|
|
|
|
|
%_fillupdir macro (boo#1069468)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Nov 20 08:43:45 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- APACHE_MODULES now contains authn_core in default configuration
|
|
|
|
|
[bsc#1066661]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Oct 18 09:22:41 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- updated to 2.4.29:
|
|
|
|
|
*) mod_unique_id: Use output of the PRNG rather than IP address and
|
|
|
|
|
pid, avoiding sleep() call and possible DNS issues at startup,
|
|
|
|
|
plus improving randomness for IPv6-only hosts. [Jan Kaluza]
|
|
|
|
|
*) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
|
|
|
|
|
is used in a condition that evaluates to true. PR 58231 [Luca Toscano]
|
|
|
|
|
*) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
|
|
|
|
|
beams that could lead to assertion failure in edge cases.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
|
|
|
|
|
in 2.4.28. [Jim Jagielski]
|
|
|
|
|
*) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
|
|
|
|
|
PR 61546. [Lubos Uhliarik <luhliari redhat.com>]
|
|
|
|
|
*) mod_rewrite: Add support for starting External Rewriting Programs
|
|
|
|
|
as non-root user on UNIX systems by specifying username and group
|
|
|
|
|
name as third argument of RewriteMap directive. [Jan Kaluza]
|
|
|
|
|
*) core: Rewrite the Content-Length filter to avoid excessive memory
|
|
|
|
|
consumption. Chunked responses will be generated in more cases
|
|
|
|
|
than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem]
|
|
|
|
|
*) mod_ssl: Fix SessionTicket callback return value, which does seem to
|
|
|
|
|
matter with OpenSSL 1.1. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 17 12:41:23 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- gensslcert:
|
|
|
|
|
* set also SAN [bsc#1045159]
|
|
|
|
|
* drop -C argument, it was not mapped to CN actually
|
|
|
|
|
* consider also case when hostname does return empty string or
|
|
|
|
|
does not exist [bsc#1057406]
|
|
|
|
|
* do not consider environment ROOT variable
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Oct 6 07:45:55 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- updated to 2.4.28:
|
|
|
|
|
*) SECURITY: CVE-2017-9798 (cve.mitre.org)
|
|
|
|
|
Corrupted or freed memory access. <Limit[Except]> must now be used in the
|
|
|
|
|
main configuration file (httpd.conf) to register HTTP methods before the
|
|
|
|
|
.htaccess files. [Yann Ylavic]
|
|
|
|
|
*) event: Avoid possible blocking in the listener thread when shutting down
|
|
|
|
|
connections. PR 60956. [Yann Ylavic]
|
|
|
|
|
*) mod_speling: Don't embed referer data in a link in error page.
|
|
|
|
|
PR 38923 [Nick Kew]
|
|
|
|
|
*) htdigest: prevent a buffer overflow when a string exceeds the allowed max
|
|
|
|
|
length in a password file.
|
|
|
|
|
[Luca Toscano, Hanno Böck <hanno hboeck de>]
|
|
|
|
|
*) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
|
|
|
|
|
[Jim Jagielski]
|
|
|
|
|
*) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
|
|
|
|
|
PR 61142.
|
|
|
|
|
*) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
|
|
|
|
|
down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
|
|
|
|
|
's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
|
|
|
|
|
*) mod_http2: Fix for stalling when more than 32KB are written to a
|
|
|
|
|
suspended stream. [Stefan Eissing]
|
|
|
|
|
*) build: allow configuration without APR sources. [Jacob Champion]
|
|
|
|
|
*) mod_ssl, ab: Fix compatibility with LibreSSL. PR 61184.
|
|
|
|
|
[Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
|
|
|
|
|
Yann Ylavic]
|
|
|
|
|
*) core/log: Support use of optional "tag" in syslog entries.
|
|
|
|
|
PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
|
|
|
|
|
*) mod_proxy: Fix ProxyAddHeaders merging. [Joe Orton]
|
|
|
|
|
*) core: Disallow multiple Listen on the same IP:port when listener buckets
|
|
|
|
|
are configured (ListenCoresBucketsRatio > 0), consistently with the single
|
|
|
|
|
bucket case (default), thus avoiding the leak of the corresponding socket
|
|
|
|
|
descriptors on graceful restart. [Yann Ylavic]
|
|
|
|
|
*) event: Avoid listener periodic wake ups by using the pollset wake-ability
|
|
|
|
|
when available. PR 57399. [Yann Ylavic, Luca Toscano]
|
|
|
|
|
*) mod_proxy_wstunnel: Fix detection of unresponded request which could have
|
|
|
|
|
led to spurious HTTP 502 error messages sent on upgrade connections.
|
|
|
|
|
PR 61283. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 5 12:57:56 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- suexec binary moved to main package [bsc#1054741]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 3 16:13:13 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- do not call and do not ship apache-22-24-upgrade [bsc#1042037]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 24 15:25:09 UTC 2017 - schneemann@b1-systems.de
|
|
|
|
|
|
|
|
|
|
- make the package runable on non systemd systems
|
|
|
|
|
+ deprecated-scripts-arch.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 17 09:30:36 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- updated to 2.4.27:
|
|
|
|
|
*) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
|
|
|
|
|
global variable when using Lua 5.2 or later. This was exported as a
|
|
|
|
|
side effect from luaL_register, which is no longer supported as of
|
|
|
|
|
Lua 5.2 which deprecates pollution of the global namespace.
|
|
|
|
|
[Rainer Jung]
|
|
|
|
|
*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
|
|
|
|
|
The server will continue to run, but HTTP/2 will no longer be negotiated.
|
|
|
|
|
[Stefan Eissing]
|
|
|
|
|
*) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
|
|
|
|
|
default ProxyFCGIBackendType, fixing a regression with PHP-FPM. PR 61202.
|
|
|
|
|
[Jacob Champion, Jim Jagielski]
|
|
|
|
|
*) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
|
|
|
|
|
PR58188, PR60831, PR61245. [Rainer Jung]
|
|
|
|
|
*) mod_http2: Simplify ready queue, less memory and better performance. Update
|
|
|
|
|
mod_http2 version to 1.10.7. [Stefan Eissing]
|
|
|
|
|
*) Allow single-char field names inadvertantly disallowed in 2.4.25.
|
|
|
|
|
PR 61220. [Yann Ylavic]
|
|
|
|
|
*) htpasswd / htdigest: Do not apply the strict permissions of the temporary
|
|
|
|
|
passwd file to a possibly existing passwd file. PR 61240. [Ruediger Pluem]
|
|
|
|
|
*) core: Avoid duplicate HEAD in Allow header.
|
|
|
|
|
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
|
|
|
|
|
PR 61207. [Christophe Jaillet]
|
|
|
|
|
- drop upstreamed patch:
|
|
|
|
|
* httpd-2.4.12-lua-5.2.patch (see upstream's PR#58188 for details)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 12 06:37:57 UTC 2017 - mpluskal@suse.com
|
|
|
|
|
|
|
|
|
|
- Adjust dependencies for rename apr/apr-util packages
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 20 13:57:18 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- remove /usr/bin/http2 symlink only during apache2 package
|
|
|
|
|
uninstall, not upgrade [bsc#1041830]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jun 19 08:15:40 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- updated to 2.4.26: This release of Apache is a security, feature,
|
|
|
|
|
and bug fix release. For details, see
|
|
|
|
|
http://httpd.apache.org/dev/dist/CHANGES_2.4.26
|
|
|
|
|
- refreshed patches:
|
|
|
|
|
. httpd-2.4.12-lua-5.2.patch
|
|
|
|
|
. httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
|
|
|
|
|
- removed patches (upstreamed)
|
|
|
|
|
. httpd-cache-forward-http-proxy.patch
|
|
|
|
|
. httpd-cache-revert-svn1773397.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jun 2 07:36:43 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- server-tunning.conf: MaxClients was renamed to MaxRequestWorkers
|
|
|
|
|
[bsc#1037731]
|
|
|
|
|
- gensslcert: use hostname when fqdn is too long [bsc#1035829]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri May 19 09:01:33 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- remove apache-doc and apache-example-pages obsoletes/provides
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Mar 16 18:59:58 UTC 2017 - kukuk@suse.com
|
|
|
|
|
|
|
|
|
|
- PreRequire user wwwrun and group www
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 7 15:14:29 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- start_apache2: include individual sysconfig.d files instead of
|
|
|
|
|
sysconfig.d dir, include sysconfig.d/include.conf after httpd.conf
|
|
|
|
|
is processed [bsc#1023616]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Feb 23 14:12:48 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- revert an attempt to fix PR 60458
|
|
|
|
|
+ httpd-cache-revert-svn1773397.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 21 07:22:19 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix caching of forward proxy
|
|
|
|
|
+ httpd-cache-forward-http-proxy.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Feb 18 17:49:58 UTC 2017 - kukuk@suse.com
|
|
|
|
|
|
|
|
|
|
- Don't require insserv if we don't need it.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 10 22:00:14 UTC 2017 - jweberhofer@weberhofer.at
|
|
|
|
|
|
|
|
|
|
- Added new HTTP2 option to sysconfig to ease enabling http2
|
|
|
|
|
- Added new protocols.conf which is included globally
|
|
|
|
|
- Enable http2 also for Leap 42.2+ and SLE12_SP2+
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 2 09:50:00 UTC 2017 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- update to 2.4.25: fixed several security issues (CVE-2016-8740,
|
|
|
|
|
CVE-2016-5387, CVE-2016-2161, CVE-2016-0736, CVE-2016-8743), many
|
|
|
|
|
fixes and improvements of mod_http2 and other modules; see CHANGES
|
|
|
|
|
for full change log
|
|
|
|
|
- verify tarball: added httpd*.bz2.asc, apache2.keyring and remove
|
|
|
|
|
60C5442D.key
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 9 12:21:27 UTC 2016 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix build with new systemd
|
|
|
|
|
+ amended httpd-2.4.3-mod_systemd.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 2 20:53:50 UTC 2016 - jimmy@boombatower.com
|
|
|
|
|
|
|
|
|
|
- Replace mixed indentation with predominant style.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 13 06:39:50 UTC 2016 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- add NotifyAccess=all to service file [bsc#980663]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 5 11:36:28 UTC 2016 - tchvatal@suse.com
|
|
|
|
|
|
|
|
|
|
- Remove the omc xml config. It is useless nowdays
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 5 09:15:11 UTC 2016 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- readd the support of multiple entries in APACHE_ACCESS_LOG
|
|
|
|
|
[bsc#991032]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jul 12 14:49:09 UTC 2016 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- add httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
|
|
|
|
|
Introduces directives to control two protocol options:
|
|
|
|
|
* HttpContentLengthHeadZero - allow Content-Length of 0 to be
|
|
|
|
|
returned on HEAD
|
|
|
|
|
* HttpExpectStrict - allow admin to control whether we must
|
|
|
|
|
see "100-continue"
|
|
|
|
|
[bsc#894225], [fate#317766]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 6 16:16:57 UTC 2016 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- version 2.4.23
|
|
|
|
|
* Fixes CVE-2016-4979 [bsc#987365]
|
|
|
|
|
* mod_proxy_hcheck was missing due to upstream bug.
|
|
|
|
|
* mod_proxy_fdpass needs explicit configure line now.
|
|
|
|
|
* Full list of changes:
|
|
|
|
|
http://www-eu.apache.org/dist//httpd/CHANGES_2.4.23
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 6 06:29:57 UTC 2016 - fbui@suse.com
|
|
|
|
|
|
|
|
|
|
- Remove pkgconfig(libsystemd-daemon). Nowadays pkgconfig(libsystemd)
|
|
|
|
|
is enough and replaces all libsystemd-* libs which are obsolete.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu May 26 08:13:16 UTC 2016 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- remove Alias= from [Install] of the template service
|
|
|
|
|
[bsc#981541c#10]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed May 18 06:30:34 UTC 2016 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- remove unneded httpd-2.4.17-debug-crash.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 9 13:57:54 UTC 2016 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- start apache services after remote-fs [bsc#978543]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu May 5 07:06:05 UTC 2016 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- removed note about ulimits in sysconfig file [bsc#976711]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 2 07:48:44 UTC 2016 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- do not build mod_http2 for 13.2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 11 04:43:21 UTC 2016 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Update to version 2.4.20 (2.4.19 was never released)
|
|
|
|
|
* Drop httpd-2.4.18-missing-semicolon.patch now upstream
|
|
|
|
|
- Big changelog available, see:
|
|
|
|
|
http://www.apache.org/dist/httpd/CHANGES_2.4.20 for details.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 4 11:19:14 UTC 2016 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- enable authnz_fcgi module
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 14 16:44:55 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix build for SLE_11_SP4:
|
|
|
|
|
+ httpd-2.4.18-missing-semicolon.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Dec 12 15:57:21 UTC 2015 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Update to version 2.4.18
|
|
|
|
|
* drop 2.4.17-protocols.patch in upstream.
|
|
|
|
|
- Change list too long to mention here see:
|
|
|
|
|
http://www.apache.org/dist/httpd/CHANGES_2.4.18 for details.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 7 18:05:37 UTC 2015 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- systemd: Set TasksMax=infinity for current systemd releases.
|
|
|
|
|
The default limit of 512 is too small and prevents the creation of
|
|
|
|
|
new server processes. Apache has its own runtime/harcoded limits.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Dec 3 10:00:28 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix crash when for -X
|
|
|
|
|
+ httpd-2.4.17-debug-crash.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Nov 23 11:02:19 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- add a note: FollowSymLinks or SymLinksIfOwnerMatch is neccessary
|
|
|
|
|
for RewriteRule in given dir [bnc#955701]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 6 10:06:19 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- restart apache once after the rpm or zypper transaction
|
|
|
|
|
[bnc#893659]
|
|
|
|
|
- drop some old compat code from %post
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Nov 5 16:52:45 UTC 2015 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- 2.4.17-protocols.patch from upstream http2 module:
|
|
|
|
|
* master conn_rec* addition to conn_rec
|
|
|
|
|
* improved ALPN and Upgrade handling
|
|
|
|
|
* allowing requests for servers whose TLS configuration is compatible
|
|
|
|
|
to the SNI server ones
|
|
|
|
|
* disabling TLS renegotiation for slave connections
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Nov 4 06:29:27 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- LogLevel directive into correct config file, thanks Michael Calmer
|
|
|
|
|
for the fix [bsc#953329]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 26 09:34:28 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- do not build mod_http2 for older distros than 13.2 for now (nghttp2
|
|
|
|
|
does not build there)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 26 09:14:29 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- Include directives really into /etc/apache2/sysconfig.d/include.conf,
|
|
|
|
|
fix from Erik Wegner [bsc#951901]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Oct 21 07:35:30 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- gensslcert: CN now defaults to `hostname -f` [bnc#949766]
|
|
|
|
|
(internal), fix help [bnc#949771] (internal)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Oct 18 03:47:09 UTC 2015 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Update to 2.4.17
|
|
|
|
|
- Enable mod_http2/ BuildRequire nghttp2
|
|
|
|
|
- MPMs: Support SO_REUSEPORT to create multiple duplicated listener
|
|
|
|
|
records for scalability
|
|
|
|
|
- mod_ssl: Support compilation against libssl built with OPENSSL_NO_SSL3
|
|
|
|
|
- For more changes see: http://www.apache.org/dist/httpd/CHANGES_2.4.17
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 12 09:00:27 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- start_apache2: reintroduce sysconfig.d, include it on
|
|
|
|
|
command line (not in httpd.conf) instead of individual directives
|
|
|
|
|
[bnc#949434] (internal), [bnc#941331]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 13 13:04:00 UTC 2015 - schwab@suse.de
|
|
|
|
|
|
|
|
|
|
- Fixup libdir in installed files
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Aug 11 15:52:42 UTC 2015 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- fix Logjam vulnerability: change SSLCipherSuite cipherstring to
|
|
|
|
|
disable export cipher suites and deploy Ephemeral Elliptic-Curve
|
|
|
|
|
Diffie-Hellman (ECDHE) ciphers. Adjust 'gensslcert' script to
|
|
|
|
|
generate a strong and unique Diffie Hellman Group and append it
|
|
|
|
|
to the server certificate file [bnc#931723], [CVE-2015-4000]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 29 06:22:59 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- add reference upstream bug#58188 along httpd-2.4.12-lua-5.2.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 20 13:35:21 UTC 2015 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- update to 2.4.16
|
|
|
|
|
* changes http://www.apache.org/dist/httpd/CHANGES_2.4.16
|
|
|
|
|
* remove the following patches (fixed in 2.4.16)
|
|
|
|
|
* httpd-2.4.x-mod_lua_websocket_DoS.patch
|
|
|
|
|
* httpd-2.4.12-CVE-2015-0253.patch
|
|
|
|
|
* update httpd-2.4.12-lua-5.2.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jul 18 03:50:24 UTC 2015 - i@marguerite.su
|
|
|
|
|
|
|
|
|
|
- add patch: httpd-2.4.12-lua-5.2.patch
|
|
|
|
|
* lua_dump introduced a new strip option in 5.3, set it to 0
|
|
|
|
|
to get the old behavior
|
|
|
|
|
* luaL_register was deprecated in 5.2, use luaL_setfuncs and
|
|
|
|
|
luaL_newlib instead
|
|
|
|
|
* luaL_optint was deprecated in 5.3, use luaL_optinteger instead
|
|
|
|
|
* lua_strlen and lua_objlen wad deprecated in 5.2, use lua_rawlen
|
|
|
|
|
instead
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jul 16 08:46:22 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- change Provides: from suse_maintenance_mmn = # to
|
|
|
|
|
suse_maintenance_mmn_#
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 15 14:47:33 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- apache2 Suggests:, not Recommends: apache2-prefork; that means
|
|
|
|
|
for example, that `zypper in apache2-worker` will not pull
|
|
|
|
|
apache2-prefork also
|
|
|
|
|
- installing /usr/sbin/httpd link:
|
|
|
|
|
* do not try to install it in '%post <MPM>' when apache2 (which
|
|
|
|
|
includes /usr/share/apache2/script-helpers) is not installed
|
|
|
|
|
yet (fixes installation on 11sp3)
|
|
|
|
|
* install it in '%post' if apache2 is installed after
|
|
|
|
|
apache2-<MPM> to be sure it is there
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jul 14 07:32:00 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- access_compat shared also for 11sp3
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 13 15:14:20 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- apache2-implicit-pointer-decl.patch renamed to
|
|
|
|
|
httpd-implicit-pointer-decl.patch to align with other
|
|
|
|
|
patches names
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 13 15:12:29 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- apachectl is now wrapper to start_apache2; therefore, it honors
|
|
|
|
|
HTTPD_INSTANCE variable, see README-instances.txt for details
|
|
|
|
|
+ httpd-apachectl.patch
|
|
|
|
|
- httpd-2.4.10-apachectl.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 13 13:37:53 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- a2enmod/a2dismod and a2enflag/a2disflag now respect
|
|
|
|
|
HTTPD_INSTANCE=<instance_name> environment variable, which can be
|
|
|
|
|
used to specify apache instance name; sysconfig file is expected
|
|
|
|
|
at /etc/sysconfig/apache2@<instance_name>
|
|
|
|
|
(see README-instances.txt for details)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 13 11:21:43 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- provides suse_maintenance_mmn symbol [bnc#915666] (internal)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 13 10:05:17 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- credits to Roman Drahtmueller:
|
|
|
|
|
* add reference to /etc/permissions.local to output of %post if
|
|
|
|
|
setting the permissions of suexec2 fails
|
|
|
|
|
* do not enable mod_php5 by default any longer
|
|
|
|
|
* httpd-2.0.49-log_server_status.dif obsoleted
|
|
|
|
|
* apache2-mod_ssl_npn.patch removed because not used
|
|
|
|
|
* include mod_reqtimeout.conf in httpd.conf
|
|
|
|
|
* added cgid-timeout.conf, include
|
|
|
|
|
it in httpd.conf
|
|
|
|
|
- fix default value APACHE_MODULES in sysconfig file
|
|
|
|
|
- %service_* macros for apache2@.service
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 13 09:52:21 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- reenable 690734.patch, it should be upstreamed by the author
|
|
|
|
|
(Adrian Schroeter) though
|
|
|
|
|
+ httpd-2.4.9-bnc690734.patch
|
|
|
|
|
- httpd-2.2.x-bnc690734.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 13 09:51:34 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- drop startssl from start_apache2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 1 09:41:31 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- allow to run multiple instances of Apache on one system
|
|
|
|
|
[fate#317786] (internal)
|
|
|
|
|
* distributed httpd.conf no longer includes sysconfig.d, nor this
|
|
|
|
|
directory is shipped. httpd.conf includes loadmodule.conf and
|
|
|
|
|
global.conf which are former sysconfig.d/loadmodule.conf and
|
|
|
|
|
sysconfig.d/global.conf for default /etc/sysconfig/apache2
|
|
|
|
|
global.conf and loadmodule.conf are not included when
|
|
|
|
|
sysconfig variables could have been read by start_apache2
|
|
|
|
|
startup script (run with systemd services). Therefore, when
|
|
|
|
|
starting server via /usr/sbin/httpd, sysconfig variables
|
|
|
|
|
are not taken into account.
|
|
|
|
|
* some not-maintained scripts are moved from
|
|
|
|
|
/usr/share/apache2 to /usr/share/apache2/deprecated-scripts
|
|
|
|
|
* all modules comment in sysconfig file is not generated
|
|
|
|
|
anymore
|
|
|
|
|
* added README-instances.txt
|
|
|
|
|
* removed Sources:
|
|
|
|
|
load_configuration
|
|
|
|
|
find_mpm
|
|
|
|
|
get_module_list
|
|
|
|
|
get_includes
|
|
|
|
|
find_httpd_includes
|
|
|
|
|
apache-find-directives
|
|
|
|
|
* added Sources:
|
|
|
|
|
deprecated-scripts.tar.xz
|
|
|
|
|
apache2-README-instances.txt
|
|
|
|
|
apache2-loadmodule.conf
|
|
|
|
|
apache2-global.conf
|
|
|
|
|
apache2-find-directives
|
|
|
|
|
apache2@.service
|
|
|
|
|
apache2-script-helpers
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jun 25 15:52:14 UTC 2015 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- add SSLHonorCipherOrder directive to apache2-ssl-global.conf
|
|
|
|
|
- adopt SSLCipherSuite directive value from SLE12
|
|
|
|
|
- remove default-vhost-ssl.conf and default-vhost.conf from
|
|
|
|
|
/etc/apache2. These two files are not (!) read by the
|
|
|
|
|
configuration framework, but are named *.conf, which is
|
|
|
|
|
misleading. The files are almost identical with the vhost
|
|
|
|
|
templates in /etc/apache2/vhosts.d/. The two templates there do
|
|
|
|
|
it right because they are not named *.conf and are not sourced
|
|
|
|
|
either. apache's response with no explicit (eg. default, vanilla)
|
|
|
|
|
configuration is contained in /etc/apache2/default-server.conf.
|
|
|
|
|
* remove apache2-README.default-vhost as there are no
|
|
|
|
|
default-vhost* files anymore.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jun 25 03:52:01 UTC 2015 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- apache2.service: We have to use KillMode=mixed for the
|
|
|
|
|
graceful stop, restart to work properly.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jun 11 09:09:05 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- dropped 2.0 -> 2.2 modules transition during upgrade
|
|
|
|
|
* apache-20-22-upgrade renamed to apache-22-24-upgrade
|
|
|
|
|
- apache-*-upgrade script is called in %posttrans now [bnc#927223]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 9 09:04:32 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix find_mpm to echo mpm binary
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 2 23:17:40 UTC 2015 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- apache2.service: Only order us after network.target and
|
|
|
|
|
nss-lookup.target but not pull the units in.
|
|
|
|
|
- apache2.service: SSL requires correct system time to
|
|
|
|
|
work properly, order after time-sync.target
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue May 26 11:57:44 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- align filenames with upstream names (and add compat symlinks)
|
|
|
|
|
- find_httpd2_includes renamed to find_httpd_includes
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 25 10:27:13 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- access_compat now built as shared and disabled by default
|
|
|
|
|
- amend config to use also old syntax when access_compat is
|
|
|
|
|
loaded
|
|
|
|
|
- added apache2-README-access_compat.txt
|
|
|
|
|
- added apache-find-directive script
|
|
|
|
|
- see [bnc#896083] and its duplicates
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 11 13:34:40 UTC 2015 - hguo@suse.com
|
|
|
|
|
|
|
|
|
|
- add httpd-2.4.12-CVE-2015-0253.patch to fix SECURITY: CVE-2015-0253
|
|
|
|
|
(cve.mitre.org) core: Fix a crash introduced in with ErrorDocument
|
|
|
|
|
400 pointing to a local URL-path with the INCLUDES filter active,
|
|
|
|
|
introduced in 2.4.11. PR 57531. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue May 5 12:36:10 UTC 2015 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- simplify apache2.logrotate, use sharedscripts [bnc#713581]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue May 5 12:17:21 UTC 2015 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- remove curly brackets around format sequence "%y" in
|
|
|
|
|
`stat --format="%{y}" %{SOURCE1}` that caused an incorrect
|
|
|
|
|
evaluation. Add escaping to proper spec-cleaner processing in
|
|
|
|
|
the future
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Apr 9 15:53:27 UTC 2015 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- remove 'exit 0' from the %post section in the specfile that was
|
|
|
|
|
placed here incorrectly and caused that the rest of the %post
|
|
|
|
|
section couldn't be executed.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Apr 9 13:12:46 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- /etc/init.d/apache2 reload -> systemctl reload apache2.service
|
|
|
|
|
in apache2.logrotate [bnc#926523]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 30 08:42:07 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- authz_default -> authz_core in sysconfig.apache2/APACHE_MODULES
|
|
|
|
|
[bnc#922236]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 10 17:16:21 UTC 2015 - dimstar@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Add Requires(post) apache2 to the subpackage -worker, -event and
|
|
|
|
|
-prefork: their respective post scriptlets execute
|
|
|
|
|
/usr/share/apache2/get_module_list, which is shipped as part of
|
|
|
|
|
the main package. This script has the side-effect to call
|
|
|
|
|
find_mpm, which in turn creates the corresponding /usr/sbin/httpd2
|
|
|
|
|
symlink.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Feb 26 08:17:42 UTC 2015 - jsegitz@novell.com
|
|
|
|
|
|
|
|
|
|
- Patched get_module_list to ensure proper SELinux context for
|
|
|
|
|
sysconfig.d/loadmodule.conf
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 25 21:02:59 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
|
|
- Pname -> name variable reduction
|
|
|
|
|
- Try to fix sle11 build
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 25 19:59:36 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
|
|
- Version bumpt o 2.4.12:
|
|
|
|
|
*) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
|
|
|
|
|
internationalization. [William Rowe]
|
|
|
|
|
*) mpm_winnt: Normalize the error and status messages emitted by service.c,
|
|
|
|
|
the service control interface for Windows. [William Rowe]
|
|
|
|
|
*) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824.
|
|
|
|
|
[ olli hauer <ohauer gmx.de>, Yann Ylavic ]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 25 18:03:20 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
|
|
- Exit cleanly on end of the post and cleanup the update detection
|
|
|
|
|
- Remove Apache.xpm as it ain't used
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 25 15:59:26 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
|
|
- Cleanup init/unit decision making and provide just systemd service
|
|
|
|
|
on systemd systems
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 25 13:53:16 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
|
|
- Deprecate realver define as it is equal to version.
|
|
|
|
|
- Explicitely state MPM mods to ensure we don't lose some bnc#444878
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 25 13:23:40 UTC 2015 - tchvatal@suse.com
|
|
|
|
|
|
|
|
|
|
- Pass over spec-cleaner, there should be no actual technical
|
|
|
|
|
change in this just reduction of lines in the spec
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 23 16:58:11 UTC 2015 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- add httpd-2.4.x-mod_lua_websocket_DoS.patch to fix mod_lua bug
|
|
|
|
|
where a maliciously crafted websockets PING after a script calls
|
|
|
|
|
r:wsupgrade() can cause a child process crash
|
|
|
|
|
[CVE-2015-0228], [bnc#918352].
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 3 15:12:04 UTC 2015 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- httpd2.pid in rc.apache2 was wrong [bnc#898193]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 19 19:18:28 UTC 2015 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- httpd-2.4.3-mod_systemd.patch find libsystemd-daemon
|
|
|
|
|
with pkg-config, this is the only correct way, in current
|
|
|
|
|
versions sd_notify is in libsystemd and in old products
|
|
|
|
|
in libsystemd-daemon.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 16 04:24:04 UTC 2015 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- remove obsolete patches
|
|
|
|
|
* httpd-2.4.10-check_null_pointer_dereference.patch
|
|
|
|
|
* httpd-event-deadlock.patch
|
|
|
|
|
* httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch
|
|
|
|
|
* httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 16 04:13:59 UTC 2015 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Apache 2.4.11
|
|
|
|
|
|
|
|
|
|
*) SECURITY: CVE-2014-3583 (cve.mitre.org)
|
|
|
|
|
mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
|
|
|
|
|
response headers' size above 8K. [Yann Ylavic, Jeff Trawick]
|
|
|
|
|
|
|
|
|
|
*) SECURITY: CVE-2014-3581 (cve.mitre.org)
|
|
|
|
|
mod_cache: Avoid a crash when Content-Type has an empty value.
|
|
|
|
|
PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]
|
|
|
|
|
|
|
|
|
|
*) SECURITY: CVE-2014-8109 (cve.mitre.org)
|
|
|
|
|
mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
|
|
|
|
|
used in multiple Require directives with different arguments.
|
|
|
|
|
PR57204 [Edward Lu <Chaosed0 gmail.com>]
|
|
|
|
|
|
|
|
|
|
*) SECURITY: CVE-2013-5704 (cve.mitre.org)
|
|
|
|
|
core: HTTP trailers could be used to replace HTTP headers
|
|
|
|
|
late during request processing, potentially undoing or
|
|
|
|
|
otherwise confusing modules that examined or modified
|
|
|
|
|
request headers earlier. Adds "MergeTrailers" directive to restore
|
|
|
|
|
legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: New directive SSLSessionTickets (On|Off).
|
|
|
|
|
The directive controls the use of TLS session tickets (RFC 5077),
|
|
|
|
|
default value is "On" (unchanged behavior).
|
|
|
|
|
Session ticket creation uses a random key created during web
|
|
|
|
|
server startup and recreated during restarts. No other key
|
|
|
|
|
recreation mechanism is available currently. Therefore using session
|
|
|
|
|
tickets without restarting the web server with an appropriate frequency
|
|
|
|
|
(e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_fcgi: Provide some basic alternate options for specifying
|
|
|
|
|
how PATH_INFO is passed to FastCGI backends by adding significance to
|
|
|
|
|
the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule
|
|
|
|
|
to opt-in to connection reuse and other Proxy options via explicitly
|
|
|
|
|
declared "proxy workers" (<Proxy unix:... enablereuse=on max=...)
|
|
|
|
|
[Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Add "enablereuse" option as the inverse of "disablereuse".
|
|
|
|
|
[Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly
|
|
|
|
|
setting proxy option disablereuse=off. [Eric Covener] PR 57378.
|
|
|
|
|
|
|
|
|
|
*) event: Update the internal "connection id" when requests
|
|
|
|
|
move from thread to thread. Reuse can confuse modules like
|
|
|
|
|
mod_cgid. PR 57435. [Michael Thorpe <mike gistnet.com>]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME
|
|
|
|
|
passed to fastcgi backends. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) core: Configuration files with long lines and continuation characters
|
|
|
|
|
are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>]
|
|
|
|
|
|
|
|
|
|
*) mod_include: the 'env' function was incorrectly handled as 'getenv' if the
|
|
|
|
|
leading 'e' was written in upper case in <!--#if expr="..." -->
|
|
|
|
|
statements. [Christophe Jaillet]
|
|
|
|
|
|
|
|
|
|
*) split-logfile: Fix perl error: 'Can't use string ("example.org:80")
|
|
|
|
|
as a symbol ref while "strict refs"'. PR 56329.
|
|
|
|
|
[Holger Mauermann <mauermann gmail.com>]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Prevent ProxyPassReverse from doing a substitution when
|
|
|
|
|
the URL parameter interpolates to an empty string. PR 56603.
|
|
|
|
|
[<ajprout hotmail.com>]
|
|
|
|
|
|
|
|
|
|
*) core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts.
|
|
|
|
|
PR 57328. [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Preserve original request headers even if they differ
|
|
|
|
|
from the ones to be forwarded to the backend. PR 45387.
|
|
|
|
|
[Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: dump SSL IO/state for the write side of the connection(s),
|
|
|
|
|
like reads (level TRACE4). [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198.
|
|
|
|
|
[Jan Kaluza]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: Do not crash when looking up SSL related variables during
|
|
|
|
|
expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_ajp: Fix handling of the default port (8009) in the
|
|
|
|
|
ProxyPass and <Proxy> configurations. PR 57259. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mpm_event: Avoid a possible use after free when notifying the end of
|
|
|
|
|
connection during lingering close. PR 57268. [Eric Covener, Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: Fix recognition of OCSP stapling responses that are encoded
|
|
|
|
|
improperly or too large. [Jeff Trawick]
|
|
|
|
|
|
|
|
|
|
*) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.
|
|
|
|
|
[Jeff Trawick]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an
|
|
|
|
|
error when parsing or forwarding the response fails. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e
|
|
|
|
|
PR 53435 [tadanori <tadanori2007 yahoo.com>, Sebastian Wiedenroth <wiedi frubar.net>]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
|
|
|
|
|
determine whether it is a normal close or a real error. PR 57168. [Yann
|
|
|
|
|
Ylavic]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_wstunnel: abort backend connection on polling error to avoid
|
|
|
|
|
further processing. [Yann Ylavic]
|
|
|
|
|
|
|
|
|
|
*) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
|
|
|
|
|
PR 57167 [Edward Lu <Chaosed0 gmail.com>]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC
|
|
|
|
|
systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]
|
|
|
|
|
|
|
|
|
|
*) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752
|
|
|
|
|
CacheLock error occurs during cache revalidation. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_ssl: Move OCSP stapling information from a per-certificate store to
|
|
|
|
|
a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
|
|
|
|
|
Yann Ylavic, Kaspar Brand]
|
|
|
|
|
|
|
|
|
|
*) mod_cache_socache: Change average object size hint from 32 bytes to
|
|
|
|
|
2048 bytes. [Rainer Jung]
|
|
|
|
|
|
|
|
|
|
*) mod_cache_socache: Add cache status to server-status. [Rainer Jung]
|
|
|
|
|
|
|
|
|
|
*) event: Fix worker-listener deadlock in graceful restart.
|
|
|
|
|
PR 56960.
|
|
|
|
|
|
|
|
|
|
*) Concat strings at compile time when possible. PR 53741.
|
|
|
|
|
|
|
|
|
|
*) mod_substitute: Restrict configuration in .htaccess to
|
|
|
|
|
FileInfo as documented. [Rainer Jung]
|
|
|
|
|
|
|
|
|
|
*) mod_substitute: Make maximum line length configurable. [Rainer Jung]
|
|
|
|
|
|
|
|
|
|
*) mod_substitute: Fix line length limitation in case of regexp plus flatten.
|
|
|
|
|
[Rainer Jung]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy: Truncated character worker names are no longer fatal
|
|
|
|
|
errors. PR53218. [Jim Jagielski]
|
|
|
|
|
|
|
|
|
|
*) mod_dav: Set r->status_line in dav_error_response. PR 55426.
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
|
|
|
|
|
[Yann Ylavic, Christophe Jaillet]
|
|
|
|
|
|
|
|
|
|
*) http_protocol: fix logic in ap_method_list_(add|remove) in order:
|
|
|
|
|
- to correctly reset bits
|
|
|
|
|
- not to modify the 'method_mask' bitfield unnecessarily
|
|
|
|
|
[Christophe Jaillet]
|
|
|
|
|
|
|
|
|
|
*) mod_slotmem_shm: Increase log level for some originally debug messages.
|
|
|
|
|
[Jim Jagielski]
|
|
|
|
|
|
|
|
|
|
*) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
|
|
|
|
|
the wrong credentials when a backend connection is reused.
|
|
|
|
|
[Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_macro: Add missing APLOGNO for some Warning log messages.
|
|
|
|
|
[Christophe Jaillet]
|
|
|
|
|
|
|
|
|
|
*) mod_cache: Avoid sending 304 responses during failed revalidations
|
|
|
|
|
PR56881. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_status: Honor client IP address using mod_remoteip. PR 55886.
|
|
|
|
|
[Jim Jagielski]
|
|
|
|
|
|
|
|
|
|
*) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12
|
|
|
|
|
and later. PR 56615. [Chuck Liu <cliu81 gmail.com>, Jeff Trawick]
|
|
|
|
|
|
|
|
|
|
*) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
|
|
|
|
|
failed) messages from ERROR to TRACE1. Other filters do not bother
|
|
|
|
|
re-reporting failures from lower level filters. PR56832. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) core: Avoid useless warning message when parsing a section guarded by
|
|
|
|
|
<IfDefine foo> if $(foo) is used within the section.
|
|
|
|
|
PR 56503 [Christophe Jaillet]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
|
|
|
|
|
application. PR 56858. [Manuel Mausz <manuel-asf mausz.at>]
|
|
|
|
|
|
|
|
|
|
*) mod_proxy_http: Proxy responses with error status and
|
|
|
|
|
"ProxyErrorOverride On" hang until proxy timeout.
|
|
|
|
|
PR53420 [Rainer Jung]
|
|
|
|
|
|
|
|
|
|
*) mod_log_config: Allow three character log formats to be registered. For
|
|
|
|
|
backwards compatibility, the first character of a three-character format
|
|
|
|
|
must be the '^' (caret) character. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
*) mod_lua: Don't quote Expires and Path values. PR 56734.
|
|
|
|
|
[Keith Mashinter, <kmashint yahoo com>]
|
|
|
|
|
|
|
|
|
|
*) mod_authz_core: Allow <AuthzProviderAlias>'es to be seen from auth
|
|
|
|
|
stanzas under virtual hosts. PR 56870. [Eric Covener]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 12 10:51:32 UTC 2015 - bruno@ioda-net.ch
|
|
|
|
|
|
|
|
|
|
- Redone lost patch to fix boo#859439
|
|
|
|
|
+ service reload can cause log data to be lost with logrotate
|
|
|
|
|
under some circumstances: remove "-t" from service reload.
|
|
|
|
|
[bnc#859439]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jan 8 13:03:24 UTC 2015 - schwab@linux-m68k.org
|
|
|
|
|
|
|
|
|
|
- Fix URL syntax in various files
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 29 15:12:51 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix IfModule directive around SSLSessionCache [bnc#842377c#11]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 15 17:29:28 UTC 2014 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- added httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch
|
|
|
|
|
to fix flaw in the way mod_headers handled chunked requests. Adds
|
|
|
|
|
"MergeTrailers" directive to restore legacy behavior
|
|
|
|
|
[bnc#871310], [CVE-2013-5704].
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 12 15:46:29 UTC 2014 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- added httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch
|
|
|
|
|
that fixes handling of the Require line when a LuaAuthzProvider is
|
|
|
|
|
used in multiple Require directives with different arguments
|
|
|
|
|
[bnc#909715], [CVE-2014-8109].
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 5 20:10:28 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fixed start at boot for ssl and encrypted key [bnc#792309]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Nov 29 02:43:00 UTC 2014 - Led <ledest@gmail.com>
|
|
|
|
|
|
|
|
|
|
- fix shebang in start_apache2 script that contains bash-specific
|
|
|
|
|
constructions
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Nov 27 13:38:25 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- small improvement of ssl instructions [bnc#891813]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Nov 09 00:57:00 UTC 2014 - Led <ledest@gmail.com>
|
|
|
|
|
|
|
|
|
|
- fix bashisms in post scripts
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 7 15:52:47 UTC 2014 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- added httpd-2.4.10-check_null_pointer_dereference.patch to avoid
|
|
|
|
|
a crash when Content-Type has an empty value [bnc#899836],
|
|
|
|
|
CVE-2014-3581
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Oct 31 16:04:15 UTC 2014 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- httpd-event-deadlock.patch: Fix worker-listener
|
|
|
|
|
deadlock in graceful restart.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Oct 18 16:21:00 UTC 2014 - Led <ledest@gmail.com>
|
|
|
|
|
|
|
|
|
|
- httpd-2.1.9-apachectl.dif renamed to httpd-2.4.10-apachectl.patch
|
|
|
|
|
and updated (fixed bashism).
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 16 12:29:06 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- drop (turned off) itk mpm spec file code as mpm-itk is now
|
|
|
|
|
provided as a separate module, not via patch
|
|
|
|
|
(see http://mpm-itk.sesse.net/ and [bnc#851229])
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 13 12:34:44 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- enable mod_imagemap [bnc#866366]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Oct 10 07:48:45 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fixed link to Apache quickstart [bnc#624681], [bnc#789806]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 6 12:30:07 UTC 2014 - kstreitova@suse.com
|
|
|
|
|
|
|
|
|
|
- the following unused patches were removed from the package:
|
|
|
|
|
* apache2-mod_ssl_npn.patch
|
|
|
|
|
* httpd-2.0.49-log_server_status.dif
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 29 11:57:40 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- 700 permissions for /usr/sbin/apache2-systemd-ask-pass and
|
|
|
|
|
/usr/sbin/start_apache2 [bnc#851627]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Sep 26 15:38:17 UTC 2014 - oholecek@suse.com
|
|
|
|
|
|
|
|
|
|
- allow only TCP ports in Yast2 firewall files
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 26 15:00:45 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- more 2.2 -> 2.4 [bnc#862058]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Sep 25 14:39:05 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- ServerSignature=Off and ServerTokens=Prod by request from
|
|
|
|
|
security team [bnc#716495]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Sep 24 13:11:16 UTC 2014 - pgajdos@suse.com
|
|
|
|
|
|
|
|
|
|
- fix documentation links 2.2 -> 2.4 [bnc#888163] (internal)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 21 16:23:51 UTC 2014 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Update package Summary and Description.
|
|
|
|
|
- version 2.4.10
|
|
|
|
|
* SECURITY: CVE-2014-0117 (cve.mitre.org)
|
|
|
|
|
* SECURITY: CVE-2014-3523 (cve.mitre.org)
|
|
|
|
|
* SECURITY: CVE-2014-0226 (cve.mitre.org)
|
|
|
|
|
* SECURITY: CVE-2014-0118 (cve.mitre.org)
|
|
|
|
|
* SECURITY: CVE-2014-0231 (cve.mitre.org)
|
|
|
|
|
* Multiple bugfixes to mod_ssl, mod_cache, mod_deflate, mod_lua
|
|
|
|
|
* mod_proxy_fcgi supports unix sockets.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 21 07:21:21 UTC 2014 - mc@suse.com
|
|
|
|
|
|
|
|
|
|
- provide httpd.service as alias for apache2.service for
|
|
|
|
|
compatibility reasons (bnc#888093)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 14 08:47:02 UTC 2014 - lnussel@suse.de
|
|
|
|
|
|
|
|
|
|
- move most ssl options to ssl-global.conf. There is usually no need
|
|
|
|
|
for every vhost to re-define the ciphers for example (bnc#865582).
|
|
|
|
|
Drop some commented entries that only lead to confusion.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Mar 27 16:18:27 UTC 2014 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- version 2.4.9
|
|
|
|
|
* SECURITY: CVE-2014-0098
|
|
|
|
|
* SECURITY: CVE-2013-6438
|
|
|
|
|
* multiple bugfixes and improvements to mod_ssl, mod_lua,
|
|
|
|
|
mod_session and core, see CHANGES for details.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 17 18:31:11 CET 2014 - draht@suse.de
|
|
|
|
|
|
|
|
|
|
- /etc/sysconfig/apache2: add socache_shmcb to the list of modules
|
|
|
|
|
that are enabled.
|
|
|
|
|
/etc/apache2/ssl-global.conf: make SSLSessionCache shmcb...
|
|
|
|
|
conditional on IfModule socache_shmcb.
|
|
|
|
|
The same applies to SSLSessionCache dmb:* via module socache_dbm
|
|
|
|
|
in commented section of same file. [bnc#864185]
|
|
|
|
|
- /etc/sysconfig/apache2: remove reference to non-existing script
|
|
|
|
|
/usr/share/doc/packages/apache2/certificate.sh, which was only a
|
|
|
|
|
wrapper to mkcert.sh anyways. [bnc#864185]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Nov 25 22:15:51 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- update to apache 2.4.7, important changes:
|
|
|
|
|
|
|
|
|
|
* This release requires both apr and apr-util 1.5.x series
|
|
|
|
|
and therefore will no longer build in older released products
|
|
|
|
|
* mod_ssl: Improve handling of ephemeral DH and ECDH keys
|
|
|
|
|
(obsoletes httpd-mod_ssl_ephemeralkeyhandling.patch)
|
|
|
|
|
* event MPM: Fix possible crashes
|
|
|
|
|
* mod_deflate: Improve error detection
|
|
|
|
|
* core: Add open_htaccess hook in conjunction with dirwalk_stat.
|
|
|
|
|
* mod_rewrite: Make rewrite websocket-aware to allow proxying.
|
|
|
|
|
* mod_ssl: drop support for export-grade ciphers with ephemeral RSA
|
|
|
|
|
keys, and unconditionally disable aNULL, eNULL and EXP ciphers
|
|
|
|
|
(not overridable via SSLCipherSuite)
|
|
|
|
|
* core, mod_ssl: Enable the ability for a module to reverse the
|
|
|
|
|
sense of a poll event from a read to a write or vice versa
|
|
|
|
|
(obsoletes httpd-event-ssl.patch)
|
|
|
|
|
* see CHANGES for more details
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Nov 16 00:52:15 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- httpd-mod_ssl_ephemeralkeyhandling.patch obsoletes
|
|
|
|
|
mod_ssl-2.4.x-ekh.diff this new patch is the final
|
|
|
|
|
form of the rework, merged for 2.4.7.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Nov 4 20:55:52 UTC 2013 - freek@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Removed obsolete directive DefaultType
|
|
|
|
|
- Changed all access control to new Require directive
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Oct 25 00:05:02 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- reenable mod_ssl-2.4.x-ekh.diff
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 22 15:43:53 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Correct build in old distros.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 22 15:09:21 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- disable (revert) mod_ssl changes in the previous
|
|
|
|
|
commit so it does not end in factory or 13.1 yet.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 22 15:06:19 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- make mod_systemd static so scenarios described in
|
|
|
|
|
[bnc#846897] do not happen again.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 21 23:44:19 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- mod_ssl: improve ephemeral key handling in particular, support DH params
|
|
|
|
|
with more than 1024 bits, and allow custom configuration.
|
|
|
|
|
This patch adjust DH parameters according to the relevant RFC
|
|
|
|
|
recommendations and permanently disables the usage of "export"
|
|
|
|
|
and "NULL" ciphers no matter what the user configuration is
|
|
|
|
|
(mod_ssl-2.4.x-ekh.diff, to be in 2.4.7)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 21 23:27:56 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- fix [bnc#846897] problems building kiwi images due to
|
|
|
|
|
systemd not being running in chroot. (submit to 13.1 ASAP)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 14 19:58:23 UTC 2013 - aj@suse.com
|
|
|
|
|
|
|
|
|
|
- Fix SUSE spelling.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 3 15:37:37 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Also fix subtle non-obvious systemd unit confusion
|
|
|
|
|
we really mean -DFOREGROUND not -DNO_DETACH the latter only
|
|
|
|
|
inhibits the parent from forking, not quite the same as
|
|
|
|
|
running in well.. the foreground as required.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 3 03:58:27 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Ensure we only use /run and not /var/run
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 30 04:48:07 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Really use %requires_ge for libapr1 and libapr-util1
|
|
|
|
|
mentioned but not implemented in the previous commit.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 28 07:29:47 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Use %requires_ge for libapr1 and libapr-util1
|
|
|
|
|
- apache2-default-server.conf: Need to use IncludeOptional
|
|
|
|
|
- apache-20-22-upgrade: also load authz_core
|
|
|
|
|
- httpd-visibility.patch: Use compiler symbol visibility.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 2 08:18:03 UTC 2013 - meissner@suse.com
|
|
|
|
|
|
|
|
|
|
- Make the default keysize in the sample gensslcerts 2048 bits to match
|
|
|
|
|
government recommendations.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 1 02:06:38 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Enable mod_proxy_html, mod_xml2enc and mod_lua (missed BuildRequires)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 29 19:53:48 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- provide and obsolete mod_macro
|
|
|
|
|
- upgrade: some people complain that log_config module
|
|
|
|
|
is not enabled by default sometimes, fix that.
|
|
|
|
|
- upgrade : "SSLMutex" no longer exists.
|
|
|
|
|
- Toogle EnableSendfile on because now apache defaults to off
|
|
|
|
|
due to kernel bugs. that's a silly thing to do here
|
|
|
|
|
as kernel bugs have to be fixed at their source, not worked around
|
|
|
|
|
in applications.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 22 21:57:40 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- httpd-event-ssl.patch: from upstream
|
|
|
|
|
Lift the restriction that prevents mod_ssl taking
|
|
|
|
|
full advantage of the event MPM.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 22 16:44:22 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Update to version 2.4.6
|
|
|
|
|
* SECURITY: CVE-2013-1896 (cve.mitre.org)
|
|
|
|
|
* SECURITY: CVE-2013-2249 (cve.mitre.org)
|
|
|
|
|
* Major updates to mod_lua
|
|
|
|
|
* Support for proxying websocket requests
|
|
|
|
|
* Higher performant shm-based cache implementation
|
|
|
|
|
* Addition of mod_macro for easier configuration management
|
|
|
|
|
* As well as several exciting fixes, especially those related to RFC edge
|
|
|
|
|
cases in mod_cache and mod_proxy.
|
|
|
|
|
|
|
|
|
|
- IMPORTANT : With the current packaging scheme, we can no longer
|
|
|
|
|
Include the ITK MPM, therefore it has been disabled. This is because
|
|
|
|
|
this MPM can now only be provided as a loadable module but we do
|
|
|
|
|
not currently build MPMs as shared modules but as independant
|
|
|
|
|
binaries and all helpers/startup scripts depend on that behaviour.
|
|
|
|
|
It will be fixed in the upcoming weeks/months.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 18 07:41:36 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- apache-20-22-upgrade: still no cookie, module authn_file
|
|
|
|
|
is ok and must not be disabled on update.
|
|
|
|
|
authn_core must however be enabled too.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 18 06:42:33 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- fix apache_mmn spec macro, otherwise all modules down
|
|
|
|
|
the chain will have broken dependencies
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 18 05:53:31 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- remove After=mysql.service php-fpm.service postgresql.service
|
|
|
|
|
which were added in the previous change, those must be added
|
|
|
|
|
as Before=apache2.service in the respective services.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jun 14 21:51:09 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Include mod_systemd for more complete integration with
|
|
|
|
|
systemd, turn the service to Typé=notify as required
|
|
|
|
|
|
|
|
|
|
- Disable SSL NPN patch for now, it is required for mod_spdy
|
|
|
|
|
but mod_spdy does not support apache 2.4
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jun 1 03:54:50 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- apache 2.4.4
|
|
|
|
|
* fix for CVE-2012-3499
|
|
|
|
|
* fix for the CRIME attack (disable ssl compression by default)
|
|
|
|
|
* many other bugfies
|
|
|
|
|
|
|
|
|
|
* build access_compat amd unixd as static modules and solve
|
|
|
|
|
some other upgrade quirks (bnc#813705)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 25 08:19:41 UTC 2013 - mlin@suse.com
|
|
|
|
|
|
|
|
|
|
- Install apache2.service accordingly (/usr/lib/systemd for 12.3
|
|
|
|
|
and up or /lib/systemd for older versions).
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jan 26 05:06:07 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Apache 2.4.3
|
|
|
|
|
* SECURITY: CVE-2012-3502
|
|
|
|
|
* SECURITY: CVE-2012-2687
|
|
|
|
|
* mod_cache: Set content type in case we return stale content.
|
|
|
|
|
* lots of bugfixes see http://www.apache.org/dist/httpd/CHANGES_2.4.3
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jan 26 05:00:00 UTC 2013 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Improve systemd unit file (tested for months)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 18 11:52:30 CET 2013 - mhrusecky@suse.cz
|
|
|
|
|
|
|
|
|
|
- use %set_permissions instead %run_permissions (bnc#764097)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 1 04:10:13 UTC 2012 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Fix factory-auto (aka r2dbag) complains about URL.
|
|
|
|
|
- Provide a symlink for apxs2 new location otherwise
|
|
|
|
|
all buggy spec files of external modules will break.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 1 02:21:34 UTC 2012 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- BuildRequire xz explicitly, fix build in !Factory
|
|
|
|
|
- Drop more old, unused patches
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 1 01:14:35 UTC 2012 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Upgrade to apache 2.4.2
|
|
|
|
|
** ATTENTION, before installing this update YOU MUST
|
|
|
|
|
READ https://httpd.apache.org/docs/2.4/upgrading.html
|
|
|
|
|
CAREFULLY otherwise your server will most likely
|
|
|
|
|
fail to start due to backward incompatible changes.
|
|
|
|
|
|
|
|
|
|
* You can read the huge complete list of changes
|
|
|
|
|
at https://httpd.apache.org/docs/2.4/new_features_2_4.html
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 25 11:32:34 UTC 2012 - saschpe@suse.de
|
|
|
|
|
|
|
|
|
|
- gensslcert: Use 0400 permissions for generated SSL certificate files
|
|
|
|
|
instead of 0644
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jul 6 11:58:03 UTC 2012 - meissner@suse.com
|
|
|
|
|
|
|
|
|
|
- modified apache2.2-mpm-itk-20090414-00.patch to fix
|
|
|
|
|
itk running as root. bnc#681176 / CVE-2011-1176
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jul 6 09:42:00 UTC 2012 - meissner@suse.com
|
|
|
|
|
|
|
|
|
|
- remove the insecure LD_LIBRARY_PATH line. bnc#757710
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Apr 22 20:14:22 UTC 2012 - dimstar@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Add apache2-mod_ssl_npn.patch: Add npn support to mod_ssl, which
|
|
|
|
|
is needed by spdy.
|
|
|
|
|
- Provide apache2(mod_ssl+npn), indicating that our mod_ssl does
|
|
|
|
|
have the npn patch. This can be used by mod_spdy to ensure a
|
|
|
|
|
compatible apache/mod_ssl is installed.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 20 14:05:49 UTC 2012 - adrian@suse.de
|
|
|
|
|
|
|
|
|
|
- fix truncating and resulting paniking of answer headers (bnc#690734)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Feb 18 21:15:08 UTC 2012 - poeml@cmdline.net
|
|
|
|
|
|
|
|
|
|
- update to 2.2.22
|
|
|
|
|
*) SECURITY: CVE-2011-3368 (cve.mitre.org)
|
|
|
|
|
Reject requests where the request-URI does not match the HTTP
|
|
|
|
|
specification, preventing unexpected expansion of target URLs in
|
|
|
|
|
some reverse proxy configurations.
|
|
|
|
|
*) SECURITY: CVE-2011-3607 (cve.mitre.org)
|
|
|
|
|
Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
|
|
|
|
|
is enabled, could allow local users to gain privileges via a .htaccess
|
|
|
|
|
file.
|
|
|
|
|
*) SECURITY: CVE-2011-4317 (cve.mitre.org)
|
|
|
|
|
Resolve additional cases of URL rewriting with ProxyPassMatch or
|
|
|
|
|
RewriteRule, where particular request-URIs could result in undesired
|
|
|
|
|
backend network exposure in some configurations.
|
|
|
|
|
*) SECURITY: CVE-2012-0021 (cve.mitre.org)
|
|
|
|
|
mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
|
|
|
|
|
string is in use and a client sends a nameless, valueless cookie, causing
|
|
|
|
|
a denial of service. The issue existed since version 2.2.17. PR 52256.
|
|
|
|
|
*) SECURITY: CVE-2012-0031 (cve.mitre.org)
|
|
|
|
|
Fix scoreboard issue which could allow an unprivileged child process
|
|
|
|
|
could cause the parent to crash at shutdown rather than terminate
|
|
|
|
|
cleanly.
|
|
|
|
|
*) SECURITY: CVE-2012-0053 (cve.mitre.org)
|
|
|
|
|
Fix an issue in error responses that could expose "httpOnly" cookies
|
|
|
|
|
when no custom ErrorDocument is specified for status code 400.
|
|
|
|
|
*) mod_proxy_ajp: Try to prevent a single long request from marking a worker
|
|
|
|
|
in error.
|
|
|
|
|
*) config: Update the default mod_ssl configuration: Disable SSLv2, only
|
|
|
|
|
allow >= 128bit ciphers, add commented example for speed optimized cipher
|
|
|
|
|
list, limit MSIE workaround to MSIE <= 5.
|
|
|
|
|
*) core: Fix segfault in ap_send_interim_response(). PR 52315.
|
|
|
|
|
*) mod_log_config: Prevent segfault. PR 50861.
|
|
|
|
|
*) mod_win32: Invert logic for env var UTF-8 fixing.
|
|
|
|
|
Now we exclude a list of vars which we know for sure they dont hold UTF-8
|
|
|
|
|
chars; all other vars will be fixed. This has the benefit that now also
|
|
|
|
|
all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
|
|
|
|
|
*) core: Fix hook sorting for Perl modules, a regression introduced in
|
|
|
|
|
2.2.21. PR: 45076.
|
|
|
|
|
*) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
|
|
|
|
|
A range of '0-' will now return 206 instead of 200. PR 51878.
|
|
|
|
|
*) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
|
|
|
|
|
of "0").
|
|
|
|
|
*) mod_substitute: Fix buffer overrun.
|
|
|
|
|
- adjusted SSL template/default config for upstream changes, and added
|
|
|
|
|
MaxRanges example to apache2-server-tuning.conf
|
|
|
|
|
- fixed installation of (moved) man pages
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Feb 11 09:21:15 UTC 2012 - coolo@suse.com
|
|
|
|
|
|
|
|
|
|
- compile with pcre 8.30 - patch taken from apache bugzilla
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jan 21 13:54:01 CET 2012 - draht@suse.de
|
|
|
|
|
|
|
|
|
|
- enable mod_reqtimeout by default via APACHE_MODULES in
|
|
|
|
|
/etc/sysconfig/apache2, configuration
|
|
|
|
|
/etc/apache2/mod_reqtimeout.conf .
|
|
|
|
|
Of course, the existing configuration remains unchanged.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 16 20:53:39 UTC 2011 - chris@computersalat.de
|
|
|
|
|
|
|
|
|
|
- add default vhost configs
|
|
|
|
|
* default-vhost.conf, default-vhost-ssl.conf, README.default-vhost
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Dec 10 10:34:26 CET 2011 - meissner@suse.de
|
|
|
|
|
|
|
|
|
|
- openldap2 is not necessary, just openldap2-devel as buildrequires
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Dec 2 07:18:56 UTC 2011 - coolo@suse.com
|
|
|
|
|
|
|
|
|
|
- add automake as buildrequire to avoid implicit dependency
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 18 15:04:12 CET 2011 - draht@suse.de
|
|
|
|
|
|
|
|
|
|
- update to /etc/init.d/apache2: handle reload with deleted
|
|
|
|
|
binaries after package update more thoughtfully: If the binaries
|
|
|
|
|
have been replaced, then a dlopen(3) on the apache modules is
|
|
|
|
|
prone to fail. => Don't reload then, but complain and fail.
|
|
|
|
|
Especially important for logrotate!
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Oct 7 17:11:56 CEST 2011 - draht@suse.de
|
|
|
|
|
|
|
|
|
|
- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff fixes mod_proxy
|
|
|
|
|
reverse exposure via RewriteRule or ProxyPassMatch directives.
|
|
|
|
|
This is CVE-2011-3368.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Oct 7 14:36:31 UTC 2011 - fcrozat@suse.com
|
|
|
|
|
|
|
|
|
|
- Ensure service_add_pre macro is correctly called for
|
|
|
|
|
openSUSE 12.1 or later.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 27 08:19:35 UTC 2011 - fcrozat@suse.com
|
|
|
|
|
|
|
|
|
|
- Fix systemd files packaging, %ghost is not a good idea.
|
|
|
|
|
- Use systemd rpm macros for openSUSE 12.1 and later.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Sep 15 13:33:30 CEST 2011 - draht@suse.de
|
|
|
|
|
|
|
|
|
|
- don't create $RPM_BUILD_ROOT/etc/init.d twice in %install.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Sep 14 01:11:55 CEST 2011 - draht@suse.de
|
|
|
|
|
|
|
|
|
|
- Update to 2.2.21. News therein:
|
|
|
|
|
* re-worked CVE-2011-3192 (byterange_filter.c) with a regression
|
|
|
|
|
fix. New config option: MaxRanges (PR 51748)
|
|
|
|
|
* multi fixes in mod_filter, mod_proxy_ajp, mod_dav_fs,
|
|
|
|
|
mod_alias, mod_rewrite. As always, see CHANGES file.
|
|
|
|
|
- added httpd-%{realver}.tar.bz2.asc to source, along with
|
|
|
|
|
60C5442D.key which the tarball was signed with.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 13 10:37:37 CEST 2011 - draht@suse.de
|
|
|
|
|
|
|
|
|
|
- need to add %ghost /lib/systemd to satisfy distributions that
|
|
|
|
|
have no systemd yet.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Sep 1 09:43:49 UTC 2011 - fcrozat@suse.com
|
|
|
|
|
|
|
|
|
|
- Add apache2-systemd-ask-pass / apache2.service / start_apache2
|
|
|
|
|
and modify apache2-ssl-global.conf for systemd support
|
|
|
|
|
(bnc#697137).
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 31 12:52:22 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Update to version 2.2.20, fix CVE-2011-3192
|
|
|
|
|
mod_deflate D.o.S.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 5 06:02:35 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Fix apache PR 45076
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Jul 17 19:49:55 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jun 22 16:12:10 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Add 2 patches from the "low hanging fruit" warnings in apache
|
|
|
|
|
STATUS page.
|
|
|
|
|
* mod_deflate: Stop compressing HEAD requests
|
|
|
|
|
if there is not Content-Length header
|
|
|
|
|
* mod_reqtimeout: Disable keep-alive after read timeout
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jun 10 00:59:53 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Remove -fno-strict-aliasing from CFLAGS, no longer needed.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jun 8 19:10:41 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Allow KeepAliveTimeout to be expressed in miliseconds
|
|
|
|
|
sometimes one second is too long, upstream r733557.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jun 6 18:16:05 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- When linux changes to version 3.x configure tests are gonna break.
|
|
|
|
|
remove version check, assuming kernel 2.2 or later.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu May 26 03:35:05 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Update to 2.2.19, only one bugfix.
|
|
|
|
|
*) Revert ABI breakage in 2.2.18 caused by the function signature change
|
|
|
|
|
of ap_unescape_url_keep2f(). This release restores the signature from
|
|
|
|
|
2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
|
|
|
|
|
[Eric Covener]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri May 20 19:28:03 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Remove SSLv2 disabled patch, already in upstream.
|
|
|
|
|
- Update to version 2.2.18
|
|
|
|
|
* mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
|
|
|
|
|
* core: Treat timeout reading request as 408 error, not 400.
|
|
|
|
|
* core: Only log a 408 if it is no keepalive timeout.
|
|
|
|
|
* mod_rewrite: Allow to unset environment variables.
|
|
|
|
|
* prefork: Update MPM state in children during a graceful restart.
|
|
|
|
|
* Other fixes in mod_cache,mod_dav,mod_proxy se NEWS for detail.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Apr 20 23:24:26 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Fix regular expression in vhost ssl template IE workaround
|
|
|
|
|
it is obsolete see https://issues.apache.org/bugzilla/show_bug.cgi?id=49484
|
|
|
|
|
You should apply this update to fix painfully slow SSL
|
|
|
|
|
connections when using IE.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 11 16:19:14 UTC 2011 - crrodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Allow usage of an openSSL library compiled without SSlv2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Apr 8 13:41:48 UTC 2011 - lnussel@suse.de
|
|
|
|
|
|
|
|
|
|
- set sane default cipher string in apache2-vhost-ssl.template
|
|
|
|
|
- remove useless example snakeoil certs
|
|
|
|
|
- remove broken mkcert script
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Feb 17 12:39:06 CET 2011 - werner@suse.de
|
|
|
|
|
|
|
|
|
|
- Tag boot script as interactive as systemd uses it
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 7 16:25:16 UTC 2011 - lnussel@suse.de
|
|
|
|
|
|
|
|
|
|
- recommend the default mpm package (bnc#670027)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 19 17:16:16 UTC 2010 - poeml@cmdline.net
|
|
|
|
|
|
|
|
|
|
- update to 2.2.17:
|
|
|
|
|
SECURITY: CVE-2010-1623 (cve.mitre.org)
|
|
|
|
|
Fix a denial of service attack against apr_brigade_split_line().
|
|
|
|
|
[Actual fix is in the libapr 1.3 line, which we don't use // poeml]
|
|
|
|
|
SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
|
|
|
|
|
Fix two buffer over-read flaws in the bundled copy of expat which could
|
|
|
|
|
cause applications to crash while parsing specially-crafted XML documents.
|
|
|
|
|
[We build with system expat library // poeml]
|
|
|
|
|
prefork MPM: Run cleanups for final request when process exits gracefully
|
|
|
|
|
to work around a flaw in apr-util. PR 43857
|
|
|
|
|
core:
|
|
|
|
|
- check symlink ownership if both FollowSymlinks and
|
|
|
|
|
SymlinksIfOwnerMatch are set
|
|
|
|
|
- fix origin checking in SymlinksIfOwnerMatch PR 36783
|
|
|
|
|
- (re)-introduce -T commandline option to suppress documentroot
|
|
|
|
|
check at startup. PR 41887
|
|
|
|
|
vhost:
|
|
|
|
|
- A purely-numeric Host: header should not be treated as a port. PR 44979
|
|
|
|
|
rotatelogs:
|
|
|
|
|
- Fix possible buffer overflow if admin configures a
|
|
|
|
|
mongo log file path.
|
|
|
|
|
Proxy balancer: support setting error status according to HTTP response
|
|
|
|
|
code from a backend. PR 48939.
|
|
|
|
|
mod_authnz_ldap:
|
|
|
|
|
- If AuthLDAPCharsetConfig is set, also convert the
|
|
|
|
|
password to UTF-8. PR 45318.
|
|
|
|
|
mod_dir, mod_negotiation:
|
|
|
|
|
- Pass the output filter information to newly created sub requests; as these
|
|
|
|
|
are later on used as true requests with an internal redirect. This allows
|
|
|
|
|
for mod_cache et.al. to trap the results of the redirect. PR 17629, 43939
|
|
|
|
|
mod_headers:
|
|
|
|
|
- Enable multi-match-and-replace edit option PR 46594
|
|
|
|
|
mod_log_config:
|
|
|
|
|
- Make ${cookie}C correctly match whole cookie names
|
|
|
|
|
instead of substrings. PR 28037.
|
|
|
|
|
mod_reqtimeout:
|
|
|
|
|
- Do not wrongly enforce timeouts for mod_proxy's backend
|
|
|
|
|
connections and other protocol handlers (like mod_ftp). Enforce the
|
|
|
|
|
timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
|
|
|
|
|
close time from 30 to 2 seconds.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- Do not do overlapping memcpy. PR 45444
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Oct 5 18:25:39 UTC 2010 - cristian.rodriguez@opensuse.org
|
|
|
|
|
|
|
|
|
|
- Add missing libcap-devel to BuildRequires, wanted by "itk" MPM.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jul 29 15:40:29 UTC 2010 - poeml@cmdline.net
|
|
|
|
|
|
|
|
|
|
- update to 2.2.16:
|
|
|
|
|
SECURITY: CVE-2010-1452 (cve.mitre.org)
|
|
|
|
|
mod_dav, mod_cache: Fix Handling of requests without a path segment.
|
|
|
|
|
PR: 49246
|
|
|
|
|
SECURITY: CVE-2010-2068 (cve.mitre.org)
|
|
|
|
|
mod_proxy_ajp, mod_proxy_http, mod_reqtimeout: Fix timeout detection
|
|
|
|
|
for platforms Windows, Netware and OS2. PR: 49417.
|
|
|
|
|
core:
|
|
|
|
|
- Filter init functions are now run strictly once per request
|
|
|
|
|
before handler invocation. The init functions are no longer run
|
|
|
|
|
for connection filters. PR 49328.
|
|
|
|
|
mod_filter:
|
|
|
|
|
- enable it to act on non-200 responses. PR 48377
|
|
|
|
|
mod_ldap:
|
|
|
|
|
- LDAP caching was suppressed (and ldap-status handler returns
|
|
|
|
|
title page only) when any mod_ldap directives were used in VirtualHost
|
|
|
|
|
context.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- Fix segfault at startup if proxy client certs are shared
|
|
|
|
|
across multiple vhosts. PR 39915.
|
|
|
|
|
mod_proxy_http:
|
|
|
|
|
- Log the port of the remote server in various messages.
|
|
|
|
|
PR 48812.
|
|
|
|
|
apxs:
|
|
|
|
|
- Fix -A and -a options to ignore whitespace in httpd.conf
|
|
|
|
|
mod_dir:
|
|
|
|
|
- add FallbackResource directive, to enable admin to specify
|
|
|
|
|
an action to happen when a URL maps to no file, without resorting
|
|
|
|
|
to ErrorDocument or mod_rewrite. PR 47184
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Allow to set environment variables without explicitely
|
|
|
|
|
giving a value.
|
|
|
|
|
- add Requires and BuildRequires on libapr1 >= 1.4.2. In the past, libapr1 >=
|
|
|
|
|
1.0 was sufficient. But since 2.2.16, a failure to create listen sockets can
|
|
|
|
|
occur, unless newer libapr1 is used. See
|
|
|
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=516331
|
|
|
|
|
- remove obsolete httpd-2.2.15-deprecated_use_of_build_in_variable.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 17 14:33:47 UTC 2010 - poeml@cmdline.net
|
|
|
|
|
|
|
|
|
|
- add type and encoding for zipped SVG images (.svgz)
|
|
|
|
|
Thanks to Sebastian Siebert (via Submit Request #40059)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue May 11 21:42:11 UTC 2010 - lars@linux-schulserver.de
|
|
|
|
|
|
|
|
|
|
- fix deprecated usage of $[ in apxs2
|
|
|
|
|
(httpd-2.2.15-deprecated_use_of_build_in_variable.patch)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri May 7 12:38:10 UTC 2010 - aj@suse.de
|
|
|
|
|
|
|
|
|
|
- Do not compile in build time but use mtime of changes file instead.
|
|
|
|
|
This allows build-compare to identify that no changes have happened.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 30 23:49:28 UTC 2010 - poeml@cmdline.net
|
|
|
|
|
|
|
|
|
|
- add apache2-prefork to the Requires of apache2-devel, because apxs2 will
|
|
|
|
|
build for prefork, if not called as apxs2-worker (which should rarely be the
|
|
|
|
|
case). Also added gcc to the Requires.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 8 12:34:18 UTC 2010 - poeml@cmdline.net
|
|
|
|
|
|
|
|
|
|
- update to 2.2.15:
|
|
|
|
|
SECURITY: CVE-2009-3555 (cve.mitre.org)
|
|
|
|
|
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
|
|
|
|
|
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
|
|
|
|
|
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and
|
|
|
|
|
offer unsafe legacy renegotiation with clients which do not yet support
|
|
|
|
|
the new secure renegotiation protocol, RFC 5746.
|
|
|
|
|
SECURITY: CVE-2009-3555 (cve.mitre.org)
|
|
|
|
|
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
|
|
|
|
|
by rejecting any client-initiated renegotiations. Forcibly disable
|
|
|
|
|
keepalive for the connection if there is any buffered data readable. Any
|
|
|
|
|
configuration which requires renegotiation for per-directory/location
|
|
|
|
|
access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
|
|
|
|
|
SECURITY: CVE-2010-0408 (cve.mitre.org)
|
|
|
|
|
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
|
|
|
|
|
when request headers indicate a request body is incoming; not a case of
|
|
|
|
|
HTTP_INTERNAL_SERVER_ERROR.
|
|
|
|
|
SECURITY: CVE-2010-0425 (cve.mitre.org)
|
|
|
|
|
mod_isapi: Do not unload an isapi .dll module until the request processing
|
|
|
|
|
is completed, avoiding orphaned callback pointers.
|
|
|
|
|
SECURITY: CVE-2010-0434 (cve.mitre.org)
|
|
|
|
|
Ensure each subrequest has a shallow copy of headers_in so that the parent
|
|
|
|
|
request headers are not corrupted. Elimiates a problematic optimization
|
|
|
|
|
in the case of no request body. PR 48359
|
|
|
|
|
mod_reqtimeout:
|
|
|
|
|
- New module to set timeouts and minimum data rates for receiving requests
|
|
|
|
|
from the client.
|
|
|
|
|
core:
|
|
|
|
|
- Fix potential memory leaks by making sure to not destroy bucket brigades
|
|
|
|
|
that have been created by earlier filters.
|
|
|
|
|
- Return APR_EOF if request body is shorter than the length announced by the
|
|
|
|
|
client. PR 33098
|
|
|
|
|
- Preserve Port information over internal redirects PR 35999
|
|
|
|
|
- Build: fix --with-module to work as documented PR 43881
|
|
|
|
|
worker:
|
|
|
|
|
- Don't report server has reached MaxClients until it has. Add message when
|
|
|
|
|
server gets within MinSpareThreads of MaxClients. PR 46996.
|
|
|
|
|
ab, mod_ssl:
|
|
|
|
|
- Restore compatibility with OpenSSL < 0.9.7g.
|
|
|
|
|
mod_authnz_ldap:
|
|
|
|
|
- Add AuthLDAPBindAuthoritative to allow Authentication to try other
|
|
|
|
|
providers in the case of an LDAP bind failure. PR 46608
|
|
|
|
|
- Failures to map a username to a DN, or to check a user password now result
|
|
|
|
|
in an informational level log entry instead of warning level.
|
|
|
|
|
mod_cache:
|
|
|
|
|
- Introduce the thundering herd lock, a mechanism to keep the flood of
|
|
|
|
|
requests at bay that strike a backend webserver as a cached entity goes
|
|
|
|
|
stale.
|
|
|
|
|
- correctly consider s-maxage in cacheability decisions.
|
|
|
|
|
mod_disk_cache, mod_mem_cache:
|
|
|
|
|
- don't cache incomplete responses, per RFC 2616, 13.8. PR15866.
|
|
|
|
|
mod_charset_lite:
|
|
|
|
|
- Honor 'CharsetOptions NoImplicitAdd'.
|
|
|
|
|
mod_filter:
|
|
|
|
|
- fix FilterProvider matching where "dispatch" string doesn't exist. PR 48054
|
|
|
|
|
mod_include:
|
|
|
|
|
- Allow fine control over the removal of Last-Modified and ETag headers
|
|
|
|
|
within the INCLUDES filter, making it possible to cache responses if
|
|
|
|
|
desired. Fix the default value of the SSIAccessEnable directive.
|
|
|
|
|
mod_ldap:
|
|
|
|
|
- If LDAPSharedCacheSize is too small, try harder to purge some cache
|
|
|
|
|
entries and log a warning. Also increase the default LDAPSharedCacheSize
|
|
|
|
|
to 500000. This is a more realistic size suitable for the default values
|
|
|
|
|
of 1024 for LdapCacheEntries/LdapOpCacheEntries. PR 46749.
|
|
|
|
|
mod_log_config:
|
|
|
|
|
- Add the R option to log the handler used within the request.
|
|
|
|
|
mod_mime:
|
|
|
|
|
- Make RemoveType override the info from TypesConfig. PR 38330.
|
|
|
|
|
- Detect invalid use of MultiviewsMatch inside Location and LocationMatch
|
|
|
|
|
sections. PR 47754.
|
|
|
|
|
mod_negotiation:
|
|
|
|
|
- Preserve query string over multiviews negotiation. This buglet was fixed
|
|
|
|
|
for type maps in 2.2.6, but the same issue affected multiviews and was
|
|
|
|
|
overlooked. PR 33112
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- unable to connect to a backend is SERVICE_UNAVAILABLE, rather than
|
|
|
|
|
BAD_GATEWAY or (especially) NOT_FOUND. PR 46971
|
|
|
|
|
mod_proxy, mod_proxy_http:
|
|
|
|
|
- Support remote https proxies by using HTTP CONNECT. PR 19188.
|
|
|
|
|
mod_proxy_http:
|
|
|
|
|
- Make sure that when an ErrorDocument is served from a reverse proxied URL,
|
|
|
|
|
that the subrequest respects the status of the original request. This
|
|
|
|
|
brings the behaviour of proxy_handler in line with default_handler. PR
|
|
|
|
|
47106.
|
|
|
|
|
mod_proxy_ajp:
|
|
|
|
|
- Really regard the operation a success, when the client aborted the
|
|
|
|
|
connection. In addition adjust the log message if the client aborted the
|
|
|
|
|
connection.
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Make sure that a hostname:port isn't fully qualified if the request is a
|
|
|
|
|
CONNECT request. PR 47928
|
|
|
|
|
- Add scgi scheme detection.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- Fix a potential I/O hang if a long list of trusted CAs is configured for
|
|
|
|
|
client cert auth. PR 46952.
|
|
|
|
|
- When extracting certificate subject/issuer names to the SSL_*_DN_*
|
|
|
|
|
variables, handle RDNs with duplicate tags by exporting multiple
|
|
|
|
|
varialables with an "_n" integer suffix. PR 45875.
|
|
|
|
|
- obsolete patch CVE-2009-3555-2.2.patch removed
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Mar 5 09:29:10 UTC 2010 - coolo@novell.com
|
|
|
|
|
|
|
|
|
|
- readd whitespace removed by autobuild
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 16 10:56:35 CET 2009 - jengelh@medozas.de
|
|
|
|
|
|
|
|
|
|
- package documentation as noarch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Nov 7 11:30:06 UTC 2009 - poeml@cmdline.net
|
|
|
|
|
|
|
|
|
|
- add patch for CVE-2009-3555 (cve.mitre.org)
|
|
|
|
|
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
|
|
|
|
|
http://mail-archives.apache.org/mod_mbox/httpd-announce/200911.mbox/%3c20091107013220.31376.qmail@minotaur.apache.org%3e
|
|
|
|
|
A partial fix for the TLS renegotiation prefix injection attack by rejecting
|
|
|
|
|
any client-initiated renegotiations. Any configuration which requires
|
|
|
|
|
renegotiation for per-directory/location access control is still vulnerable,
|
|
|
|
|
unless using OpenSSL >= 0.9.8l.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 26 12:48:11 UTC 2009 - poeml@cmdline.net
|
|
|
|
|
|
|
|
|
|
- update to 2.2.14:
|
|
|
|
|
*) SECURITY: CVE-2009-2699 (cve.mitre.org)
|
|
|
|
|
Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support
|
|
|
|
|
(Event Port backend) which could trigger hangs in the prefork and event
|
|
|
|
|
MPMs on that platform. PR 47645. [Jeff Trawick]
|
|
|
|
|
*) SECURITY: CVE-2009-3095 (cve.mitre.org)
|
|
|
|
|
mod_proxy_ftp: sanity check authn credentials.
|
|
|
|
|
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
|
|
|
|
|
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
|
|
|
|
|
mod_proxy_ftp: NULL pointer dereference on error paths.
|
|
|
|
|
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
|
|
|
|
|
*) mod_proxy_scgi: Backport from trunk. [André Malo]
|
|
|
|
|
*) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL
|
|
|
|
|
has been defined at a very high level. PR 45946. [Eric Covener]
|
|
|
|
|
*) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
|
|
|
|
|
*) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries
|
|
|
|
|
usage() in synch with the manual and the implementation (0 and -1
|
|
|
|
|
both disable the cache). [Eric Covener]
|
|
|
|
|
*) mod_ssl: The error message when SSLCertificateFile is missing should
|
|
|
|
|
at least give the name or position of the problematic virtual host
|
|
|
|
|
definition. [Stefan Fritsch sf sfritsch.de]
|
|
|
|
|
*) htdbm: Fix possible buffer overflow if dbm database has very
|
|
|
|
|
long values. PR 30586 [Dan Poirier]
|
|
|
|
|
*) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
|
|
|
|
|
*) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
|
|
|
|
|
type. PR 45107. [Michael Ströder <michael stroeder.com>,
|
|
|
|
|
Peter Sylvester <peter.sylvester edelweb.fr>]
|
|
|
|
|
*) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
|
|
|
|
|
defined session identifiers encoded in the URL when caching.
|
|
|
|
|
[Ruediger Pluem]
|
|
|
|
|
*) mod_mem_cache: fix seg fault under load due to pool concurrency problem
|
|
|
|
|
PR: 47672 [Dan Poirier <poirier pobox.com>]
|
|
|
|
|
*) mod_autoindex: Correctly create an empty cell if the description
|
|
|
|
|
for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Aug 10 03:15:09 CEST 2009 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.2.13:
|
|
|
|
|
*) SECURITY: CVE-2009-2412 (cve.mitre.org)
|
|
|
|
|
Distributed with APR 1.3.8 and APR-util 1.3.9 to fix potential overflow
|
|
|
|
|
in pools and rmm, where size alignment was taking place.
|
|
|
|
|
*) mod_ssl, ab: improve compatibility with OpenSSL 1.0.0 betas. Report
|
|
|
|
|
warnings compiling mod_ssl against OpenSSL to the httpd developers.
|
|
|
|
|
*) mod_cgid: Do not add an empty argument when calling the CGI script.
|
|
|
|
|
PR 46380
|
|
|
|
|
*) Fix potential segfaults with use of the legacy ap_rputs() etc
|
|
|
|
|
interfaces, in cases where an output filter fails. PR 36780.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 27 22:20:11 CEST 2009 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.2.12:
|
|
|
|
|
SECURITY: CVE-2009-1891 (cve.mitre.org)
|
|
|
|
|
Fix a potential Denial-of-Service attack against mod_deflate or other
|
|
|
|
|
modules, by forcing the server to consume CPU time in compressing a
|
|
|
|
|
large file after a client disconnects. PR 39605.
|
|
|
|
|
SECURITY: CVE-2009-1195 (cve.mitre.org)
|
|
|
|
|
Prevent the "Includes" Option from being enabled in an .htaccess
|
|
|
|
|
file if the AllowOverride restrictions do not permit it.
|
|
|
|
|
SECURITY: CVE-2009-1890 (cve.mitre.org)
|
|
|
|
|
Fix a potential Denial-of-Service attack against mod_proxy in a
|
|
|
|
|
reverse proxy configuration, where a remote attacker can force a
|
|
|
|
|
proxy process to consume CPU time indefinitely.
|
|
|
|
|
SECURITY: CVE-2009-1191 (cve.mitre.org)
|
|
|
|
|
mod_proxy_ajp: Avoid delivering content from a previous request which
|
|
|
|
|
failed to send a request body. PR 46949
|
|
|
|
|
SECURITY: CVE-2009-0023, CVE-2009-1955, CVE-2009-1956 (cve.mitre.org)
|
|
|
|
|
The bundled copy of the APR-util library has been updated, fixing three
|
|
|
|
|
different security issues which may affect particular configurations
|
|
|
|
|
and third-party modules.
|
|
|
|
|
core:
|
|
|
|
|
- New piped log syntax: Use "||process args" to launch the given process
|
|
|
|
|
without invoking the shell/command interpreter. Use "|$command line"
|
|
|
|
|
(the default behavior of "|command line" in 2.2) to invoke using shell,
|
|
|
|
|
consuming an additional shell process for the lifetime of the logging
|
|
|
|
|
pipe program but granting additional process invocation flexibility.
|
|
|
|
|
- prefork: Fix child process hang during graceful restart/stop in
|
|
|
|
|
configurations with multiple listening sockets. PR 42829.
|
|
|
|
|
- Translate the status line to ASCII on EBCDIC platforms in
|
|
|
|
|
ap_send_interim_response() and for locally generated "100
|
|
|
|
|
Continue" responses.
|
|
|
|
|
- CGI: return 504 (Gateway timeout) rather than 500 when a
|
|
|
|
|
script times out before returning status line/headers. PR 42190
|
|
|
|
|
- prefork: Log an error instead of segfaulting when child startup fails
|
|
|
|
|
due to pollset creation failures. PR 46467.
|
|
|
|
|
- core/utils: Enhance ap_escape_html API to support escaping non-ASCII chars
|
|
|
|
|
- Set Listen protocol to "https" if port is set to 443 and no proto is specified
|
|
|
|
|
(as documented but not implemented). PR 46066
|
|
|
|
|
- Output -M and -S dumps (modules and vhosts) to stdout instead of stderr.
|
|
|
|
|
PR 42571 and PR 44266 (dup).
|
|
|
|
|
mod_alias:
|
|
|
|
|
- check sanity in Redirect arguments. PR 44729
|
|
|
|
|
- Ensure Redirect emits HTTP-compliant URLs. PR 44020
|
|
|
|
|
mod_authnz_ldap:
|
|
|
|
|
- Reduce number of initialization debug messages and make
|
|
|
|
|
information more clear. PR 46342
|
|
|
|
|
mod_cache:
|
|
|
|
|
- Introduce 'no-cache' per-request environment variable to
|
|
|
|
|
prevent the saving of an otherwise cacheable response.
|
|
|
|
|
- Correctly save Content-Encoding of cachable entity. PR 46401
|
|
|
|
|
- When an explicit Expires or Cache-Control header is set, cache
|
|
|
|
|
normally non-cacheable response statuses. PR 46346.
|
|
|
|
|
mod_cgid:
|
|
|
|
|
- fix segfault problem on solaris. PR 39332
|
|
|
|
|
mod_disk_cache:
|
|
|
|
|
- The module now turns off sendfile support if 'EnableSendfile
|
|
|
|
|
off' is defined globally. PR 41218.
|
|
|
|
|
mod_disk_cache/mod_mem_cache:
|
|
|
|
|
- Fix handling of CacheIgnoreHeaders directive to correctly
|
|
|
|
|
remove headers before storing them.
|
|
|
|
|
mod_deflate:
|
|
|
|
|
- revert changes in 2.2.8 that caused an invalid etag to be
|
|
|
|
|
emitted for on-the-fly gzip content-encoding. PR 39727 will
|
|
|
|
|
require larger fixes and this fix was far more harmful than
|
|
|
|
|
the original code. PR 45023.
|
|
|
|
|
mod_ext_filter:
|
|
|
|
|
- fix error handling when the filter prog fails to start, and
|
|
|
|
|
introduce an onfail configuration option to abort the request
|
|
|
|
|
or to remove the broken filter and continue. PR 41120
|
|
|
|
|
mod_include:
|
|
|
|
|
- fix potential segfault when handling back references on an
|
|
|
|
|
empty SSI variable.
|
|
|
|
|
- Prevent a case of SSI timefmt-smashing with filter chains
|
|
|
|
|
including multiple INCLUDES filters. PR 39369
|
|
|
|
|
- support generating non-ASCII characters as entities in SSI PR
|
|
|
|
|
25202
|
|
|
|
|
mod_ldap:
|
|
|
|
|
- Avoid a segfault when result->rc is checked in
|
|
|
|
|
uldap_connection_init when result is NULL. This could happen
|
|
|
|
|
if LDAP initialization failed. PR 45994.
|
|
|
|
|
mod_negotiation:
|
|
|
|
|
- Escape pathes of filenames in 406 responses to avoid HTML
|
|
|
|
|
injections and HTTP response splitting. PR 46837.
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- Complete ProxyPassReverse to handle balancer URL's. Given;
|
|
|
|
|
BalancerMember balancer://alias http://example.com/foo
|
|
|
|
|
ProxyPassReverse /bash balancer://alias/bar backend url
|
|
|
|
|
http://example.com/foo/bar/that is now translated /bash/that
|
|
|
|
|
mod_proxy_ajp:
|
|
|
|
|
- Check more strictly that the backend follows the AJP protocol.
|
|
|
|
|
- Forward remote port information by default.
|
|
|
|
|
mod_proxy_http:
|
|
|
|
|
- fix Host: header for literal IPv6 addresses. PR 47177
|
|
|
|
|
- fix case sensitivity checking transfer encoding PR 47383
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Remove locking for writing to the rewritelog. PR 46942
|
|
|
|
|
- Fix the error string returned by RewriteRule. RewriteRule
|
|
|
|
|
returned "RewriteCond: bad flag delimiters" when the 3rd
|
|
|
|
|
argument of RewriteRule was not started with "[" or not ended
|
|
|
|
|
with "]". PR 45082
|
|
|
|
|
- When evaluating a proxy rule in directory context, do escape
|
|
|
|
|
the filename by default. PR 46428
|
|
|
|
|
- Introduce DiscardPathInfo|DPI flag to stop the troublesome way
|
|
|
|
|
that per-directory rewrites append the previous notion of
|
|
|
|
|
PATH_INFO to each substitution before evaluating subsequent
|
|
|
|
|
rules. PR38642
|
|
|
|
|
- fix "B" flag breakage by reverting r589343 PR 45529
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- Add server name indication support (RFC 4366) and better
|
|
|
|
|
support for name based virtual hosts with SSL. PR 34607
|
|
|
|
|
- Add SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives
|
|
|
|
|
to enable stricter checking of remote server certificates.
|
|
|
|
|
- Add SSLRenegBufferSize directive to allow changing the size of
|
|
|
|
|
the buffer used for the request-body where necessary during a
|
|
|
|
|
per-dir renegotiation. PR 39243.
|
|
|
|
|
mod_substitute:
|
|
|
|
|
- Fix a memory leak. PR 44948
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jul 14 14:14:22 CEST 2009 - hvogel@suse.de
|
|
|
|
|
|
|
|
|
|
- Fix missing -Y option in gensslcert [bnc#416888]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 9 17:09:35 CEST 2009 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- merge changes from openSUSE:Factory:
|
|
|
|
|
- trailing spaces removed from robots.txt
|
|
|
|
|
- moved Snakeoil certificates to separate subpackage
|
|
|
|
|
example-certificates [bnc#419601]
|
|
|
|
|
- removed outdated ca-bundle.crt
|
|
|
|
|
- NOT merging the change from [bnc#301380] (setting TraceEnable
|
|
|
|
|
Off), since there is no reason to deviate from upstream
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 9 08:52:34 CEST 2009 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- avoid useless (and potentially irritating) messages from usermod
|
|
|
|
|
called in %post when updating the package - this should probably
|
|
|
|
|
only be run when updating from very old installs anyway.
|
|
|
|
|
- likewise, avoid similar useless messages about creation of the
|
|
|
|
|
httpd user when installing on Fedora.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue May 5 12:43:29 CEST 2009 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix hyperref to the quickstart howto in the installed httpd.conf
|
|
|
|
|
[bnc#500938] Thanks, Frank!
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 27 16:12:46 CEST 2009 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add ITK MPM (apache2.2-mpm-itk-20090414-00.patch)
|
|
|
|
|
see http://mpm-itk.sesse.net/
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Apr 27 11:21:43 CEST 2009 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- buildfix (from Factory): replace "shadow" by "pwdutils" in requires
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Mar 12 07:01:58 CET 2009 - crrodriguez@suse.de
|
|
|
|
|
|
|
|
|
|
- update apache2-vhost.template mod_php4 references [bnc#444205]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 9 15:33:40 CET 2009 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fixed the ed script which turns apxs into
|
|
|
|
|
apxs-{prefork,worker,event) to work on Fedora, by using - instead
|
|
|
|
|
of ^ to go "up" one line. Thereby fixing Fedora build. (Package
|
|
|
|
|
probably needs further tuning to fit into a Fedora environment.)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Dec 20 00:49:29 CET 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.2.11:
|
|
|
|
|
core:
|
|
|
|
|
- Worker MPM: Crosscheck that idle workers are still available
|
|
|
|
|
before using them and thus preventing an overflow of the
|
|
|
|
|
worker queue which causes a SegFault. PR 45605
|
|
|
|
|
- Add ap_timeout_parameter_parse to public API.
|
|
|
|
|
- When the ap_http_header_filter processes an error bucket,
|
|
|
|
|
cleanup the passed brigade before returning AP_FILTER_ERROR
|
|
|
|
|
down the filter chain. This unambiguously ensures the same
|
|
|
|
|
error bucket isn't revisited
|
|
|
|
|
- Error responses set by filters were being coerced into 500
|
|
|
|
|
errors, sometimes appended to the original error response. Log
|
|
|
|
|
entry of: 'Handler for (null) returned invalid result code -3'
|
|
|
|
|
- configure: Don't reject libtool 2.x PR 44817
|
|
|
|
|
- Build: Correctly set SSL_LIBS during openssl detection if
|
|
|
|
|
pkgconfig is not available. PR 46018
|
|
|
|
|
mod_autoindex:
|
|
|
|
|
- add configuration option to insert string in HTML HEAD (IndexHeadInsert).
|
|
|
|
|
mod_cache:
|
|
|
|
|
- Convert age of cached object to seconds before comparing it to
|
|
|
|
|
age supplied by the request when checking whether to send a
|
|
|
|
|
Warning header for a stale response. PR 39713.
|
|
|
|
|
mod_expires:
|
|
|
|
|
- Do not sets negative max-age / Expires header in the past. PR 39774
|
|
|
|
|
mod_info:
|
|
|
|
|
- Was displaying the wrong value for the KeepAliveTimeout value.
|
|
|
|
|
mod_log_config:
|
|
|
|
|
- Add new LogFormat parameter, %k, which logs the number of
|
|
|
|
|
keepalive requests on this connection for this request. PR 45762
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- Add the possibility to set the worker parameters
|
|
|
|
|
connectiontimeout and ping in milliseconds.
|
|
|
|
|
- Prevent segmentation faults by correctly adjusting the
|
|
|
|
|
lifetime of the buckets read from the proxy backend. PR 45792
|
|
|
|
|
mod_proxy_ajp:
|
|
|
|
|
- Do not fail if response data is sent before all request
|
|
|
|
|
data is read. PR 45911
|
|
|
|
|
- Fix wrongly formatted requests where client sets
|
|
|
|
|
Content-Length header, but doesn't provide a body. Servlet
|
|
|
|
|
container always expects that next packet is body whenever C-L
|
|
|
|
|
is present in the headers. This can lead to wrong
|
|
|
|
|
interpretation of the packets. In this case send the empty
|
|
|
|
|
body packet, so container can deal with that.
|
|
|
|
|
mod_proxy_balancer:
|
|
|
|
|
- Add in forced recovery for balancer members if
|
|
|
|
|
all are in error state.
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Export and install the mod_rewrite.h header to ensure the optional
|
|
|
|
|
rewrite_mapfunc_t and ap_register_rewrite_mapfunc functions are
|
|
|
|
|
available to third party modules.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 17 15:45:07 CET 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- remove mod_authn_dbm and mod_suexec from the default module list.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 21 12:01:00 CET 2008 - skh@suse.de
|
|
|
|
|
|
|
|
|
|
- apache2-server-tuning.conf:
|
|
|
|
|
Enclose module-specific configuration in IfModule tags [bnc#440584]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 14 09:40:05 CET 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- apply Dirks fix for [bnc#444878], making the packaging of per-mpm
|
|
|
|
|
modules more deterministic. They'll reliably put into the
|
|
|
|
|
subpackage or main package now, which varied in a ping-pong way
|
|
|
|
|
from build to build in the past.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Oct 29 18:38:17 CET 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update year of copyright in rc.apache2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Oct 29 00:13:58 CET 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.2.10:
|
|
|
|
|
SECURITY: CVE-2008-2939 (cve.mitre.org)
|
|
|
|
|
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
|
|
|
|
|
the FTP URL. Discovered by Marc Bevand of Rapid7.
|
|
|
|
|
core:
|
|
|
|
|
- Support chroot on Unix-family platforms. PR 43596
|
|
|
|
|
mod_authn_alias:
|
|
|
|
|
- Detect during startup when AuthDigestProvider is configured to
|
|
|
|
|
use an incompatible provider via AuthnProviderAlias. PR 45196
|
|
|
|
|
mod_cgid:
|
|
|
|
|
- Pass along empty command line arguments from an ISINDEX query
|
|
|
|
|
that has consecutive '+' characters in the QUERY_STRING,
|
|
|
|
|
matching the behavior of mod_cgi.
|
|
|
|
|
mod_charset_lite:
|
|
|
|
|
- Avoid dropping error responses by handling meta buckets
|
|
|
|
|
correctly. PR 45687
|
|
|
|
|
mod_dav_fs:
|
|
|
|
|
- Retrieve minimal system information about directory entries
|
|
|
|
|
when walking a DAV fs, resolving a performance degradation on
|
|
|
|
|
Windows. PR 45464.
|
|
|
|
|
mod_headers:
|
|
|
|
|
- Prevent Header edit from processing only the first header of
|
|
|
|
|
possibly multiple headers with the same name and deleting the
|
|
|
|
|
remaining ones. PR 45333.
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- Allow for smax to be 0 for balancer members so that all idle
|
|
|
|
|
connections are able to be dropped should they exceed ttl. PR 43371
|
|
|
|
|
- Add 'scolonpathdelim' parameter to allow for ';' to also be
|
|
|
|
|
used as a session path separator/delim PR 45158.
|
|
|
|
|
- Add connectiontimeout parameter for proxy workers in order to
|
|
|
|
|
be able to set the timeout for connecting to the backend separately.
|
|
|
|
|
PR 45445.
|
|
|
|
|
mod_proxy_http:
|
|
|
|
|
- Don't trigger a retry by the client if a failure to
|
|
|
|
|
read the response line was the result of a timeout.
|
|
|
|
|
- Introduce environment variable proxy-initial-not-pooled to
|
|
|
|
|
avoid reusing pooled connections if the client connection is an initial
|
|
|
|
|
connection. PR 37770.
|
|
|
|
|
- Do not forward requests with 'Expect: 100-continue' to
|
|
|
|
|
known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
|
|
|
|
|
mod_proxy_balancer:
|
|
|
|
|
- Move nonce field in the balancer manager page inside
|
|
|
|
|
the html form where it belongs. PR 45578.
|
|
|
|
|
- Add 'bybusyness' load balance method.
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Allow Cookie option to set secure and HttpOnly flags. PR 44799
|
|
|
|
|
- Preserve the query string when [proxy,noescape]. PR 45247.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- implement dynamic mutex callbacks for the benefit of OpenSSL.
|
|
|
|
|
- Rewrite shmcb to avoid memory alignment issues. PR 42101.
|
|
|
|
|
- drop obsolete patch httpd-2.2.x-CVE-2008-2939.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Oct 24 13:23:41 CEST 2008 - skh@suse.de
|
|
|
|
|
|
|
|
|
|
- apache2.firewall, apache2.ssl-firewall
|
|
|
|
|
Use unique name tags "HTTP Server" and "HTTPS Server" in for
|
|
|
|
|
SuSEFirewall2 configuration [bnc#414962]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 19 16:18:39 CEST 2008 - skh@suse.de
|
|
|
|
|
|
|
|
|
|
- add httpd-2.x.x-logresolve.patch again [bnc#210904]
|
|
|
|
|
- add httpd-2.2.x-CVE-2008-2939.patch [bnc#415061]:
|
|
|
|
|
mod_proxy_ftp: Prevent XSS attacks when using wildcards in
|
|
|
|
|
the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
|
|
|
|
|
[Ruediger Pluem]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Aug 26 22:59:55 CEST 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- drop rc.config handling (was removed in or after SuSE Linux 8.0)
|
|
|
|
|
- don't use fillup_insserv options which have been removed lately
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 15 11:25:47 CEST 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix init script LSB headers
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jun 25 14:36:06 CEST 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add note to /etc/sysconfig/apache2 and /etc/init.d/apache2 about
|
|
|
|
|
how to set ulimits when starting the server
|
|
|
|
|
- undocument APACHE_BUFFERED_LOGS and APACHE_TIMEOUT in the
|
|
|
|
|
sysconfig template. They still work but I think it is good to
|
|
|
|
|
keep this stuff out of the beginner's config, first because both
|
|
|
|
|
features are sophisticated enough to not being tweaked in most
|
|
|
|
|
cases, second because it only confuses people I guess, and makes
|
|
|
|
|
the sysconfig file larger than necessary.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Jun 15 19:39:46 CEST 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.2.9:
|
|
|
|
|
SECURITY: CVE-2008-2364 (cve.mitre.org)
|
|
|
|
|
mod_proxy_http: Better handling of excessive interim responses
|
|
|
|
|
from origin server to prevent potential denial of service and
|
|
|
|
|
high memory usage. Reported by Ryujiro Shibuya.
|
|
|
|
|
SECURITY: CVE-2007-6420 (cve.mitre.org)
|
|
|
|
|
mod_proxy_balancer: Prevent CSRF attacks against the
|
|
|
|
|
balancer-manager interface.
|
|
|
|
|
- htpasswd: Fix salt generation weakness. PR 31440
|
|
|
|
|
worker/event MPM:
|
|
|
|
|
- Fix race condition in pool recycling that leads to
|
|
|
|
|
segmentation faults under load. PR 44402
|
|
|
|
|
core:
|
|
|
|
|
- Fix address-in-use startup failure on some platforms caused by
|
|
|
|
|
creating an IPv4 listener which overlaps with an existing IPv6
|
|
|
|
|
listener.
|
|
|
|
|
- Add the filename of the configuration file to the warning
|
|
|
|
|
message about the useless use of AllowOverride. PR 39992.
|
|
|
|
|
- Do not allow Options ALL if not all options are allowed to be
|
|
|
|
|
overwritten. PR 44262
|
|
|
|
|
- reinstate location walk to fix config for subrequests PR 41960
|
|
|
|
|
- Fix garbled TRACE response on EBCDIC platforms.
|
|
|
|
|
- gen_test_char: add double-quote to the list of
|
|
|
|
|
T_HTTP_TOKEN_STOP. PR 9727
|
|
|
|
|
http_filters:
|
|
|
|
|
- Don't return 100-continue on redirects. PR 43711
|
|
|
|
|
- Don't return 100-continue on client error PR 43711
|
|
|
|
|
- Don't spin if get an error when reading the next chunk. PR 44381
|
|
|
|
|
- Don't add bogus duplicate Content-Language entries
|
|
|
|
|
suexec:
|
|
|
|
|
- When group is given as a numeric gid, validate it by looking up
|
|
|
|
|
the actual group name such that the name can be used in log entries.
|
|
|
|
|
PR 7862
|
|
|
|
|
mod_authn_dbd:
|
|
|
|
|
- Disambiguate and tidy database authentication error messages. PR 43210.
|
|
|
|
|
mod_cache:
|
|
|
|
|
- Handle If-Range correctly if the cached resource was stale. PR 44579
|
|
|
|
|
- Revalidate cache entities which have Cache-Control: no-cache
|
|
|
|
|
set in their response headers. PR 44511
|
|
|
|
|
mod_cgid:
|
|
|
|
|
- Explicitly set permissions of the socket (ScriptSock) shared
|
|
|
|
|
by mod_cgid and request processing threads, for OS'es such as
|
|
|
|
|
HPUX and AIX that do not use umask for AF_UNIX socket permissions.
|
|
|
|
|
- Don't try to restart the daemon if it fails to initialize the socket.
|
|
|
|
|
mod_charset_lite:
|
|
|
|
|
- Add TranslateAllMimeTypes sub-option to CharsetOptions,
|
|
|
|
|
allowing the administrator to skip the mimetype checking that
|
|
|
|
|
precedes translation.
|
|
|
|
|
mod_dav:
|
|
|
|
|
- Return "method not allowed" if the destination URI of a WebDAV
|
|
|
|
|
copy / move operation is no DAV resource. PR 44734
|
|
|
|
|
mod_headers:
|
|
|
|
|
- Add 'merge' option to avoid duplicate values within the same header.
|
|
|
|
|
mod_include:
|
|
|
|
|
- Correctly handle SSI directives split over multiple filter
|
|
|
|
|
mod_log_config:
|
|
|
|
|
- Add format options for %p so that the actual local or remote
|
|
|
|
|
port can be logged. PR 43415.
|
|
|
|
|
mod_logio:
|
|
|
|
|
- Provide optional function to allow modules to adjust the
|
|
|
|
|
bytes_in count
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- Make all proxy modules nocanon aware and do not add the
|
|
|
|
|
query string again in this case. PR 44803.
|
|
|
|
|
- scoreboard: Remove unused proxy load balancer elements from scoreboard
|
|
|
|
|
image (not scoreboard memory itself).
|
|
|
|
|
- Support environment variable interpolation in reverse
|
|
|
|
|
proxying directives.
|
|
|
|
|
- Do not try a direct connection if the connection via a
|
|
|
|
|
remote proxy failed before and the request has a request body.
|
|
|
|
|
- ProxyPassReverse is now balancer aware.
|
|
|
|
|
- Lower memory consumption for short lived connections.
|
|
|
|
|
PR 44026.
|
|
|
|
|
- Keep connections to the backend persistent in the HTTPS case.
|
|
|
|
|
mod_proxy_ajp:
|
|
|
|
|
- Do not retry request in the case that we either failed to
|
|
|
|
|
sent a part of the request body or if the request is not idempotent.
|
|
|
|
|
PR 44334
|
|
|
|
|
mod_proxy_ftp:
|
|
|
|
|
- Fix base for directory listings. PR 27834
|
|
|
|
|
mod_proxy_http:
|
|
|
|
|
- Fix processing of chunked responses if Connection:
|
|
|
|
|
Transfer-Encoding is set in the response of the proxied
|
|
|
|
|
system. PR 44311
|
|
|
|
|
- Return HTTP status codes instead of apr_status_t values for
|
|
|
|
|
errors encountered while forwarding the request body PR 44165
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Initialize hash needed by ap_register_rewrite_mapfunc early
|
|
|
|
|
enough. PR 44641
|
|
|
|
|
- Check all files used by DBM maps for freshness, mod_rewrite
|
|
|
|
|
didn't pick up on updated sdbm maps due to this. PR41190
|
|
|
|
|
- Don't canonicalise URLs with [P,NE] PR 43319
|
|
|
|
|
mod_speling:
|
|
|
|
|
- remove regression from 1.3/2.0 behavior and drop dependency
|
|
|
|
|
between mod_speling and AcceptPathInfo.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- Fix a memory leak with connections that have zlib compression
|
|
|
|
|
turned on. PR 44975
|
|
|
|
|
mod_substitute:
|
|
|
|
|
- The default is now flattening the buckets after each
|
|
|
|
|
substitution. The newly added 'q' flag allows for the quicker,
|
|
|
|
|
more efficient bucket-splitting if the user so
|
|
|
|
|
mod_unique_id:
|
|
|
|
|
- Fix timestamp value in UNIQUE_ID. PR 37064
|
|
|
|
|
ab (apache benchmark):
|
|
|
|
|
- Include <limits.h> earlier if available since we may need
|
|
|
|
|
INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS.
|
|
|
|
|
- Improve client performance by clearing connection pool instead
|
|
|
|
|
- Don't stop sending a request if EAGAIN is returned, which
|
|
|
|
|
will only happen if both the write and subsequent wait are
|
|
|
|
|
returning EAGAIN, and count posted bytes correctly when the initial
|
|
|
|
|
write of a request is not complete. PR 10038, 38861, 39679
|
|
|
|
|
- Overhaul stats collection and reporting to avoid integer
|
|
|
|
|
truncation and time divisions within the test loop, retain
|
|
|
|
|
native time resolution until output, remove unused data,
|
|
|
|
|
consistently round milliseconds, and generally avoid losing
|
|
|
|
|
accuracy of calculation due to type casts. PR 44878, 44931.
|
|
|
|
|
- Add -r option to continue after socket receive errors.
|
|
|
|
|
- Do not try to read non existing response bodies of HEAD requests.
|
|
|
|
|
- Use a 64 bit unsigned int instead of a signed long to count the
|
|
|
|
|
rotatelogs:
|
|
|
|
|
- Log the current file size and error code/description when
|
|
|
|
|
failing to write to the log file.
|
|
|
|
|
- Added '-f' option to force rotatelogs to create the logfile as
|
|
|
|
|
soon as started, and not wait until it reads the first entry.
|
|
|
|
|
- Don't leak memory when reopening the logfile. PR 40183
|
|
|
|
|
- Improve atomicity when using -l and cleaup code. PR 44004
|
|
|
|
|
- drop obsolete patches httpd-2.1.3alpha-autoconf-2.59.dif
|
|
|
|
|
httpd-2.2.x-CVE-2008-1678.patch
|
|
|
|
|
- don't run autoreconf on SLES9
|
|
|
|
|
- remove the addition of -g to the CFLAGS, since the build service
|
|
|
|
|
handles debuginfo packages now
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jun 9 17:18:03 CEST 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- build service supports the debuginfo flag in metadata now; remove
|
|
|
|
|
debug_package macro from the specfile therefore.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon May 26 16:55:37 CEST 2008 - skh@suse.de
|
|
|
|
|
|
|
|
|
|
- CVE-2008-1678: modules/ssl/mod_ssl.c (ssl_cleanup_pre_config):
|
|
|
|
|
Remove the call to CRYPTO_cleanup_all_ex_data here, fixing a
|
|
|
|
|
per-connection memory leak which occurs if the client indicates
|
|
|
|
|
support for a compression algorithm in the initial handshake, and
|
|
|
|
|
mod_ssl is linked against OpenSSL >= 0.9.8f. [bnc#392096]
|
|
|
|
|
httpd-2.2.x-CVE-2008-1678.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu May 15 01:58:08 CEST 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix build on Mandriva 2007, by escaping commented %build macro
|
|
|
|
|
- make filelist of man pages independant of the compression method
|
|
|
|
|
(gz, bz2, lzma)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Apr 18 11:55:14 CEST 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix from Factory:
|
|
|
|
|
- remove dir /usr/share/omc/svcinfo.d as it is provided now
|
|
|
|
|
by filesystem
|
|
|
|
|
- remove obsolete httpd-2.2.x.doublefree.patch file, which isn't
|
|
|
|
|
used since quite some time since the issue is resolved.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Apr 17 17:58:02 CEST 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- new implementation of sysconf_addword, using sed instead of ed.
|
|
|
|
|
Moving it from the -utils subpackage into the parent package,
|
|
|
|
|
where it's actually needed. If sysconf_addword is already present
|
|
|
|
|
in the system, it is preferred (by PATH). That's because the tool
|
|
|
|
|
has been integrated into aaa_base.rpm with openSUSE 11.0.
|
|
|
|
|
Removing the requires on the ed package. [bnc#377131]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Mar 12 14:29:04 CET 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- require ed package, since ed is needed by sysconf_addword, which
|
|
|
|
|
in turn is used by a2enmod/a2enflag
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Feb 29 14:06:52 CET 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- better documentation how to enable SSL in /etc/sysconfig/apache2
|
|
|
|
|
- quickstart readme: the link to the openSUSE wiki is about to move
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 19 13:14:45 CET 2008 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add "127.0.0.1" to the local access list in mod_status.conf,
|
|
|
|
|
because on some systems "localhost" seems to resolve only to IPv6
|
|
|
|
|
localhost
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Feb 2 05:37:34 CET 2008 - crrodriguez@suse.de
|
|
|
|
|
|
|
|
|
|
- upstream 2.2.8
|
|
|
|
|
SECURITY: CVE-2007-6421 (cve.mitre.org)
|
|
|
|
|
mod_proxy_balancer: Correctly escape the worker route and the worker
|
|
|
|
|
redirect string in the HTML output of the balancer manager.
|
|
|
|
|
Reported by SecurityReason.
|
|
|
|
|
SECURITY: CVE-2007-6422 (cve.mitre.org)
|
|
|
|
|
Prevent crash in balancer manager if invalid balancer name is passed
|
|
|
|
|
as parameter. Reported by SecurityReason.
|
|
|
|
|
SECURITY: CVE-2007-6388 (cve.mitre.org)
|
|
|
|
|
mod_status: Ensure refresh parameter is numeric to prevent
|
|
|
|
|
a possible XSS attack caused by redirecting to other URLs.
|
|
|
|
|
Reported by SecurityReason.
|
|
|
|
|
SECURITY: CVE-2007-5000 (cve.mitre.org)
|
|
|
|
|
mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT.
|
|
|
|
|
SECURITY: CVE-2008-0005 (cve.mitre.org)
|
|
|
|
|
Introduce the ProxyFtpDirCharset directive, allowing the administrator
|
|
|
|
|
to identify a default, or specific servers or paths which list their
|
|
|
|
|
contents in other-than ISO-8859-1 charset (e.g. utf-8).
|
|
|
|
|
mod_autoindex:
|
|
|
|
|
- Generate valid XHTML output by adding the xhtml namespace. PR 43649
|
|
|
|
|
mod_charset_lite:
|
|
|
|
|
- Don't crash when the request has no associated filename.
|
|
|
|
|
mod_dav:
|
|
|
|
|
- Fix evaluation of If-Match * and If-None-Match * conditionals. PR 38034
|
|
|
|
|
- Adjust etag generation to produce identical results on 32-bit
|
|
|
|
|
and 64-bit platforms and avoid a regression with conditional PUT's on lock
|
|
|
|
|
and etag. PR 44152.
|
|
|
|
|
mod_deflate:
|
|
|
|
|
- initialise inflate-out filter correctly when the first brigade
|
|
|
|
|
contains no data buckets. PR 43512
|
|
|
|
|
mod_disk_cache:
|
|
|
|
|
- Delete temporary files if they cannot be renamed to their final
|
|
|
|
|
name.
|
|
|
|
|
mod_filter:
|
|
|
|
|
- Don't segfault on (unsupported) chained FilterProvider usage. PR 43956
|
|
|
|
|
mod_include:
|
|
|
|
|
- Add an "if" directive syntax to test whether an URL is
|
|
|
|
|
accessible, and if so, conditionally display content. This
|
|
|
|
|
allows a webmaster to hide a link to a private page when the
|
|
|
|
|
user has no access to that page.
|
|
|
|
|
mod_ldap:
|
|
|
|
|
- Try to establish a new backend LDAP connection when the
|
|
|
|
|
Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g.
|
|
|
|
|
after the LDAP server has closed the connection due to a
|
|
|
|
|
timeout. PR 39095
|
|
|
|
|
- Give callers a reference to data copied into the request pool
|
|
|
|
|
instead of references directly into the cache PR 43786
|
|
|
|
|
- Stop passing a reference to pconf around for (limited) use
|
|
|
|
|
during request processing, avoiding possible memory corruption
|
|
|
|
|
and crashes.
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- Canonicalisation improvements. Add "nocanon" keyword to
|
|
|
|
|
ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also,
|
|
|
|
|
don't escape/unescape forward-proxied URLs. PR 41798, 42592
|
|
|
|
|
- Don't by default violate RFC2616 by setting Max-Forwards when
|
|
|
|
|
the client didn't send it to us. Leave that as a
|
|
|
|
|
configuration option. PR 16137
|
|
|
|
|
- Fix persistent backend connections. PR 43472
|
|
|
|
|
- escape error-notes correctly PR 40952
|
|
|
|
|
- check ProxyBlock for all blocked addresses PR 36987
|
|
|
|
|
- Don't lose bytes when a response line arrives in small chunks.
|
|
|
|
|
PR 40894
|
|
|
|
|
mod_proxy_ajp:
|
|
|
|
|
- Use 64K as maximum AJP packet size. This is the maximum length
|
|
|
|
|
we can squeeze inside the AJP message packet.
|
|
|
|
|
- Ignore any ajp13 flush packets received before we send the
|
|
|
|
|
response headers. See Tomcat PR 43478.
|
|
|
|
|
- Differentiate within AJP between GET and HEAD requests. PR 43060
|
|
|
|
|
mod_proxy_balancer:
|
|
|
|
|
- Do not reset lbstatus, lbfactor and lbset when starting a new
|
|
|
|
|
child. PR 39907
|
|
|
|
|
mod_proxy_http:
|
|
|
|
|
- Remove Warning headers with wrong date PR 16138
|
|
|
|
|
- Correctly parse all Connection headers in proxy. PR 43509
|
|
|
|
|
- add Via header correctly (if enabled) to response, even where
|
|
|
|
|
other Via headers exist. PR 19439
|
|
|
|
|
- Correctly forward unexpected interim (HTTP 1xx) responses from
|
|
|
|
|
the backend according to RFC2616. But make it configurable in
|
|
|
|
|
case something breaks on it. PR 16518
|
|
|
|
|
- strip hop-by-hop response headers PR 43455
|
|
|
|
|
- Propagate Proxy-Authorization header correctly. PR 25947
|
|
|
|
|
- Don't segfault on bad line in FTP listing PR 40733
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Add option to suppress URL unescaping PR 34602
|
|
|
|
|
- Add the novary flag to RewriteCond.
|
|
|
|
|
mod_substitute:
|
|
|
|
|
- Added a new output filter, which performs inline response
|
|
|
|
|
content pattern matching (including regex) and substitution.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- Fix handling of the buffered request body during a per-location
|
|
|
|
|
renegotiation, when an internal redirect occurs. PR 43738.
|
|
|
|
|
- Fix SSL client certificate extensions parsing bug. PR 44073.
|
|
|
|
|
- Prevent memory corruption of version string. PR 43865, 43334
|
|
|
|
|
mod_status:
|
|
|
|
|
- Add SeeRequestTail directive, which determines if
|
|
|
|
|
ExtendedStatus displays the 1st 63 characters of the request
|
|
|
|
|
or the last 63. Useful for those requests with large string
|
|
|
|
|
lengths and which only vary with the last several characters.
|
|
|
|
|
event MPM:
|
|
|
|
|
- Add support for running under mod_ssl, by reverting to the
|
|
|
|
|
Worker MPM behaviors, when run under an input filter that buffers
|
|
|
|
|
its own data.
|
|
|
|
|
core:
|
|
|
|
|
- Fix regression in 2.2.7 in chunk filtering with massively
|
|
|
|
|
chunked requests.
|
|
|
|
|
- Lower memory consumption of ap_r* functions by reusing the
|
|
|
|
|
brigade instead of recreating it during each filter pass.
|
|
|
|
|
- Lower memory consumption in case that flush buckets are passed
|
|
|
|
|
thru the chunk filter as last bucket of a brigade. PR 23567.
|
|
|
|
|
- Fix broken chunk filtering that causes all non blocking reads
|
|
|
|
|
to be converted into blocking reads. PR 19954, 41056.
|
|
|
|
|
- Change etag generation to produce identical results on 32-bit
|
|
|
|
|
and 64-bit platforms. PR 40064.
|
|
|
|
|
- Handle unrecognised transfer-encodings. PR 43882
|
|
|
|
|
- Avoid some unexpected connection closes by telling the client
|
|
|
|
|
that the connection is not persistent if the MPM process
|
|
|
|
|
handling the request is already exiting when the response
|
|
|
|
|
header is built.
|
|
|
|
|
- fix possible crash at startup in case of nonexistent
|
|
|
|
|
DocumentRoot. PR 39722
|
|
|
|
|
- http_core: OPTIONS * no longer maps to local storage or URI
|
|
|
|
|
space. Note that unlike previous versions, OPTIONS * no longer
|
|
|
|
|
returns an Allow: header. PR 43519
|
|
|
|
|
- scoreboard: improve error message on apr_shm_create failure PR
|
|
|
|
|
40037
|
|
|
|
|
- Don't send spurious "100 Continue" response lines. PR 38014
|
|
|
|
|
- http_protocol:
|
|
|
|
|
- Escape request method in 413 error reporting. Determined to
|
|
|
|
|
be not generally exploitable, but a flaw in any case. PR
|
|
|
|
|
44014
|
|
|
|
|
- Add "DefaultType none" option. PR 13986 and PR 16139
|
|
|
|
|
- Escape request method in 405 error reporting. This has no
|
|
|
|
|
security impact since the browser cannot be tricked into
|
|
|
|
|
sending arbitrary method strings.
|
|
|
|
|
- Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009
|
|
|
|
|
- Add explicit charset to the output of various modules to work
|
|
|
|
|
around possible cross-site scripting flaws affecting web
|
|
|
|
|
browsers that do not derive the response character set as
|
|
|
|
|
required by RFC2616. One of these reported by SecurityReason
|
|
|
|
|
- rotatelogs: Change command-line parsing to report more types
|
|
|
|
|
of errors. Allow local timestamps to be used when rotating based
|
|
|
|
|
on file size.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Sep 12 20:11:37 CEST 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix graceful-restart. Wait until the pidfile is gone, but don't
|
|
|
|
|
wait for the parent to disappear. It stays there, after closing
|
|
|
|
|
the listen ports.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Sep 12 15:49:15 CEST 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- use debug_package macro only on suse, because it breaks the build
|
|
|
|
|
on Mandriva
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Sep 12 13:41:16 CEST 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- don't configure in maintainer-mode. It not only enables compile
|
|
|
|
|
time warnings, but also adds AP_DEBUG into the mix which causes
|
|
|
|
|
enablement of debug code which is not wanted in production
|
|
|
|
|
builds.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 10 17:32:56 CEST 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- upstream 2.2.6
|
|
|
|
|
SECURITY: CVE-2007-3847 (cve.mitre.org)
|
|
|
|
|
mod_proxy: Prevent reading past the end of a buffer when parsing
|
|
|
|
|
date-related headers. PR 41144.
|
|
|
|
|
SECURITY: CVE-2007-1863 (cve.mitre.org)
|
|
|
|
|
mod_cache: Prevent a segmentation fault if attributes are listed in a
|
|
|
|
|
Cache-Control header without any value.
|
|
|
|
|
SECURITY: CVE-2007-3304 (cve.mitre.org)
|
|
|
|
|
prefork, worker, event MPMs: Ensure that the parent process cannot
|
|
|
|
|
be forced to kill processes outside its process group.
|
|
|
|
|
SECURITY: CVE-2006-5752 (cve.mitre.org)
|
|
|
|
|
mod_status: Fix a possible XSS attack against a site with a public
|
|
|
|
|
server-status page and ExtendedStatus enabled, for browsers which
|
|
|
|
|
perform charset "detection". Reported by Stefan Esser.
|
|
|
|
|
SECURITY: CVE-2007-1862 (cve.mitre.org)
|
|
|
|
|
mod_mem_cache: Copy headers into longer lived storage; header names and
|
|
|
|
|
values could previously point to cleaned up storage. PR 41551.
|
|
|
|
|
mod_alias:
|
|
|
|
|
- Accept path components (URL part) in Redirects. PR 35314.
|
|
|
|
|
mod_authnz_ldap:
|
|
|
|
|
- Don't return HTTP_UNAUTHORIZED during authorization when
|
|
|
|
|
LDAP authentication is configured but we haven't seen any
|
|
|
|
|
'Require ldap-*' directives, allowing authorization to be passed to lower
|
|
|
|
|
level modules (e.g. Require valid-user) PR 43281
|
|
|
|
|
mod_autoindex:
|
|
|
|
|
- Add in Type and Charset options to IndexOptions
|
|
|
|
|
directive. This allows the admin to explicitly set the
|
|
|
|
|
content-type and charset of the generated page and is therefore
|
|
|
|
|
a viable workaround for buggy browsers affected by CVE-2007-4465
|
|
|
|
|
mod_cache:
|
|
|
|
|
- Remove expired content from cache that cannot be revalidated.
|
|
|
|
|
PR 30370.
|
|
|
|
|
- Do not set Date or Expires when they are missing from the
|
|
|
|
|
original response or are invalid.
|
|
|
|
|
- Correctly handle HEAD requests on expired cache content. PR
|
|
|
|
|
41230.
|
|
|
|
|
- Let Cache-Control max-age set the expiration of the cached
|
|
|
|
|
representation if Expires is not set.
|
|
|
|
|
- Allow caching of requests with query arguments when
|
|
|
|
|
Cache-Control max-age is explicitly specified.
|
|
|
|
|
- Use the same cache key throughout the whole request processing
|
|
|
|
|
to handle escaped URLs correctly. PR 41475.
|
|
|
|
|
- Add CacheIgnoreQueryString directive. PR 41484.
|
|
|
|
|
- While serving a cached entity ensure that filters that have
|
|
|
|
|
been applied to this cached entity before saving it to the
|
|
|
|
|
cache are not applied again. PR 40090.
|
|
|
|
|
- Correctly cache objects whose URL query string has been
|
|
|
|
|
modified by mod_rewrite. PR 40805.
|
|
|
|
|
mod_cgi, mod_cgid:
|
|
|
|
|
- Fix use of CGI scripts as ErrorDocuments. PR 39710.
|
|
|
|
|
mod_dbd:
|
|
|
|
|
- Introduce configuration groups to allow inheritance by virtual
|
|
|
|
|
hosts of database configurations from the main server.
|
|
|
|
|
Determine the minimal set of distinct configurations and share
|
|
|
|
|
connection pools whenever possible. Allow virtual hosts to
|
|
|
|
|
override inherited SQL statements. PR 41302.
|
|
|
|
|
- Create memory sub-pools for each DB connection and close DB
|
|
|
|
|
connections in a pool cleanup function. Ensure prepared
|
|
|
|
|
statements are destroyed before DB connection is closed. When
|
|
|
|
|
using reslists, prevent segfaults when child processes exit,
|
|
|
|
|
and stop memory leakage of ap_dbd_t structures. Avoid use of
|
|
|
|
|
global s->process->pool, which isn't destroyed by exiting
|
|
|
|
|
child processes in most multi-process MPMs. PR 39985.
|
|
|
|
|
- Handle error conditions in dbd_construct() properly. Simplify
|
|
|
|
|
ap_dbd_open() and use correct arguments to apr_dbd_error()
|
|
|
|
|
when non-threaded. Register correct cleanup data in
|
|
|
|
|
non-threaded ap_dbd_acquire() and ap_dbd_cacquire(). Clean up
|
|
|
|
|
configuration data and merge function. Use ap_log_error()
|
|
|
|
|
wherever possible.
|
|
|
|
|
- Stash DBD connections in request_config of initial request
|
|
|
|
|
only, or else sub-requests and internal redirections may cause
|
|
|
|
|
entire DBD pool to be stashed in a single HTTP request.
|
|
|
|
|
mod_deflate:
|
|
|
|
|
- don't try to process metadata buckets as data. what should
|
|
|
|
|
have been a 413 error was logged as a 500 and a blank screen
|
|
|
|
|
appeared at the browser.
|
|
|
|
|
- fix protocol handling in deflate input filter PR 23287
|
|
|
|
|
mod_disk_cache:
|
|
|
|
|
- Allow Vary'd responses to be refreshed properly.
|
|
|
|
|
mod_dumpio:
|
|
|
|
|
- Fix for correct dumping of traffic on EBCDIC hosts Data had
|
|
|
|
|
been incorrectly converted twice, resulting in garbled log
|
|
|
|
|
output.
|
|
|
|
|
mod_expires:
|
|
|
|
|
- don't crash on bad configuration data PR 43213
|
|
|
|
|
mod_filter:
|
|
|
|
|
- fix integer comparisons in dispatch rules PR 41835
|
|
|
|
|
- fix merging of ! and = in FilterChain PR 42186
|
|
|
|
|
mod_headers:
|
|
|
|
|
- Allow % at the end of a Header value. PR 36609.
|
|
|
|
|
mod_info:
|
|
|
|
|
- mod_info outputs invalid XHTML 1.0 transitional. PR 42847
|
|
|
|
|
mod_ldap:
|
|
|
|
|
- Avoid possible crashes, hangs, and busy loops due to improper
|
|
|
|
|
merging of the cache lock in vhost config PR 43164
|
|
|
|
|
mod_ldap:
|
|
|
|
|
- Remove the hardcoded size limit parameter for
|
|
|
|
|
ldap_search_ext_s and replace it with an APR_ defined value
|
|
|
|
|
that is set according to the LDAP SDK being used.
|
|
|
|
|
mod_mem_cache:
|
|
|
|
|
- Increase the minimum and default value for MCacheMinObjectSize
|
|
|
|
|
from 0 to 1, as a MCacheMinObjectSize of 0 does not make sense
|
|
|
|
|
and leads to a division by zero. PR 40576.
|
|
|
|
|
mod_negotiation:
|
|
|
|
|
- preserve Query String in resolving a type map PR 33112
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as
|
|
|
|
|
synonymous. PR 43183
|
|
|
|
|
- Ensure that at least scheme://hostname[:port] matches between
|
|
|
|
|
worker and URL when searching for the best fitting worker for
|
|
|
|
|
a given URL. PR 40910
|
|
|
|
|
- Improve network performance by setting APR_TCP_NODELAY
|
|
|
|
|
(disable Nagle algorithm) on sockets if implemented. PR 42871
|
|
|
|
|
- Add a missing assignment in an error checking code path. PR 40865
|
|
|
|
|
- don't URLencode tilde in path component PR 38448
|
|
|
|
|
- enable Ignore Errors option on ProxyPass Status. PR 43167
|
|
|
|
|
- Allow to use different values for sessionid in url encoded id
|
|
|
|
|
and cookies. PR 41897.
|
|
|
|
|
- Fix the 503 returned when session route does not match any of
|
|
|
|
|
the balancer members.
|
|
|
|
|
- Added ProxyPassMatch directive, which is similar to ProxyPass
|
|
|
|
|
but takes a regex local path prefix.
|
|
|
|
|
- Print the correct error message for erroneous configured
|
|
|
|
|
ProxyPass directives. PR 40439.
|
|
|
|
|
- Fix some proxy setting inheritance problems (eg:
|
|
|
|
|
ProxyTimeout). PR 11540.
|
|
|
|
|
- proxy/ajp_header.c: Fixed header token string comparisons
|
|
|
|
|
Matching of header tokens failed to include the trailing NIL
|
|
|
|
|
byte and could misinterpret a longer header token for a
|
|
|
|
|
shorter. Additionally, a "Content-Type" comparison was made
|
|
|
|
|
case insensitive.
|
|
|
|
|
- proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC
|
|
|
|
|
On EBCDIC machines, the status_line string was incorrectly
|
|
|
|
|
converted twice.
|
|
|
|
|
mod_proxy_connect:
|
|
|
|
|
- avoid segfault on DNS lookup failure. PR 40756
|
|
|
|
|
mod_proxy_http:
|
|
|
|
|
- HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses
|
|
|
|
|
alone. Only processing of error responses (4xx, 5xx) will be
|
|
|
|
|
altered. PR 39245.
|
|
|
|
|
- Don't try to read body of a HEAD request before responding. PR 41644
|
|
|
|
|
- Handle request bodies larger than 2 GB by converting the
|
|
|
|
|
Content-Length header of the request correctly. PR 40883.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- Fix spurious hostname mismatch warning for valid wildcard
|
|
|
|
|
certificates. PR 37911.
|
|
|
|
|
- Version reporting update; displays 'compiled against' Apache
|
|
|
|
|
and build-time SSL Library versions at loglevel [info], while
|
|
|
|
|
reporting the run-time SSL Library version in the server info
|
|
|
|
|
tags. Helps to identify a mod_ssl built against one flavor of
|
|
|
|
|
OpenSSL but running against another (also adds SSL-C version
|
|
|
|
|
number reporting.)
|
|
|
|
|
- initialize thread locks before initializing the hardware
|
|
|
|
|
acceleration library, so the latter can make use of the
|
|
|
|
|
former. PR 20951.
|
|
|
|
|
core:
|
|
|
|
|
- Do not replace a Date header set by a proxied backend server. PR 40232
|
|
|
|
|
- log core: ensure we use a special pool for stderr logging, so that
|
|
|
|
|
the stderr channel remains valid from the time plog is destroyed,
|
|
|
|
|
until the time the open_logs hook is called again.
|
|
|
|
|
- main core: Emit errors during the initial apr_app_initialize()
|
|
|
|
|
or apr_pool_create() (when apr-based error reporting is not ready).
|
|
|
|
|
- log core: fix the new piped logger case where we couldn't connect
|
|
|
|
|
the replacement stderr logger's stderr to the NULL stdout stream.
|
|
|
|
|
Continue in this case, since the previous alternative of no error
|
|
|
|
|
logging at all (/dev/null) is far worse.
|
|
|
|
|
- Correct a regression since 2.0.x in the handling of AllowOverride
|
|
|
|
|
Options. PR 41829.
|
|
|
|
|
- Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory
|
|
|
|
|
can work after that terminating signal.
|
|
|
|
|
- mod_so: Provide more helpful LoadModule feedback when an error occurs.
|
|
|
|
|
misc:
|
|
|
|
|
- mime.types: Many updates to sync with IANA registry and common
|
|
|
|
|
unregistered types that the owners refuse to register. Admins
|
|
|
|
|
are encouraged to update their installed mime.types file. PR:
|
|
|
|
|
35550, 37798, 39317, 31483
|
|
|
|
|
- mime.types: add Registered Javascript/ECMAScript MIME types
|
|
|
|
|
(RFC4329) PR 40299
|
|
|
|
|
- htdbm: Enable crypt support on platforms with crypt() but not
|
|
|
|
|
<crypt.h>, such as z/OS.
|
|
|
|
|
- ab.c: Correct behavior of HTTP request headers sent by ab in
|
|
|
|
|
presence of -H command-line overrides. PR 31268, 26554.
|
|
|
|
|
- ab.c: The apr_port_t type is unsigned, but ab was using a
|
|
|
|
|
signed format code in its reports. PR 42070.
|
|
|
|
|
- drop obsolete patches apache2-mod_cache-CVE-2007-1863.patch
|
|
|
|
|
apache2-mod_status-CVE-2006-5752.patch
|
|
|
|
|
httpd-2.2.4-mod_autoindex-charset-r570962.patch
|
|
|
|
|
mod_dbd.c-issue18989-autoconnect.dif
|
|
|
|
|
mod_dbd.c-r571441
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 3 13:43:22 CEST 2007 - skh@suse.de
|
|
|
|
|
|
|
|
|
|
- get_module_list: replace loadmodule.conf atomically [bnc #214863]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Sep 1 01:49:37 CEST 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- /etc/init.d/apache2: implement restart-graceful, stop-graceful
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 31 14:21:27 CEST 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update mod_dbd to trunk version (r571441)
|
|
|
|
|
* apr_dbd_check_conn() just returns APR_SUCCESS or
|
|
|
|
|
APR_EGENERAL, so we don't actually have a driver-specific value
|
|
|
|
|
to pass to apr_dbd_error(), but that's OK because most/all
|
|
|
|
|
drivers just ignore this value anyway
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 31 12:37:27 CEST 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- replace httpd-2.2.3-AddDirectoryIndexCharset.patch with the upstream
|
|
|
|
|
solution, httpd-2.2.4-mod_autoindex-charset-r570962.patch [#153557]
|
|
|
|
|
(backport from 2.2.6)
|
|
|
|
|
* Merge r570532, r570535, r570558 from trunk:
|
|
|
|
|
IndexOptions ContentType=text/html Charset=UTF-8 magic.
|
|
|
|
|
http://svn.apache.org/viewvc?rev=570962&view=rev
|
|
|
|
|
http://issues.apache.org/bugzilla/show_bug.cgi?id=42105
|
|
|
|
|
This means that the AddDirectoryIndexCharset is no longer
|
|
|
|
|
available. Instead, IndexOptions Charset=xyz can be used.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 31 11:42:58 CEST 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- remove libexpat-devel in the build service version of the package
|
|
|
|
|
- apply apache2-mod_cache-CVE-2007-1863.patch (patch 152) in the
|
|
|
|
|
buildservice package
|
|
|
|
|
- don't apply mod_dbd.c-issue18989-autoconnect.dif, since it
|
|
|
|
|
patches only modules/database/mod_dbd.c which is replaced with
|
|
|
|
|
trunk version anyway
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 23 11:27:19 CEST 2007 - mskibbe@suse.de
|
|
|
|
|
|
|
|
|
|
- Bug 289996 - VUL-0: mod_status XSS in public server status page
|
|
|
|
|
- Bug 289997 - VUL-0: apache2: mod_cache remote denial of service
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 18 16:04:05 CEST 2007 - skh@suse.de
|
|
|
|
|
|
|
|
|
|
- split off apache2-utils subpackage, containing all helper tools that
|
|
|
|
|
are useful for system administrators in general (b.n.c. #272292 and
|
|
|
|
|
FATE #302059)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Mar 29 19:14:16 CEST 2007 - dmueller@suse.de
|
|
|
|
|
|
|
|
|
|
- add zlib-devel to BuildRequires
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Mar 23 08:55:47 CET 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add mod_dbd.c from trunk (r512038), the version we run ourselves
|
|
|
|
|
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/database/mod_dbd.c?view=log
|
|
|
|
|
- add mod_dbd.c-issue18989-autoconnect.dif, but disabled. It
|
|
|
|
|
applies to 2.2.4 mod_dbd.c but not to the trunk version
|
|
|
|
|
- build mod_version
|
|
|
|
|
- fix documentation link in apache2-httpd.conf
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 20 10:47:18 CET 2007 - mskibbe@suse.de
|
|
|
|
|
|
|
|
|
|
- add firewall file for ssl (#246929)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 19 12:44:22 CET 2007 - mskibbe@suse.de
|
|
|
|
|
|
|
|
|
|
- Apache - Support for FATE #300687: Ports for SuSEfirewall added
|
|
|
|
|
via packages (#246929)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 26 12:44:04 CET 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- the QUICKSTART Readmes have been moved to
|
|
|
|
|
http://www.opensuse.org/Apache
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 22 11:24:32 CET 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- point out better in README.QUICKSTART.SSL that a vhost needs to
|
|
|
|
|
be created
|
|
|
|
|
- fixes to README.QUICKSTART.WebDAV
|
|
|
|
|
- updated email addresses (now there is apache@suse.de)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jan 20 17:16:20 CET 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add httpd-2.2.x.doublefree.patch, backport of
|
|
|
|
|
http://svn.apache.org/viewvc?diff_format=h&view=rev&revision=496831
|
|
|
|
|
See http://issues.apache.org/bugzilla/show_bug.cgi?id=39985
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jan 18 22:00:48 CET 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- create debuginfo package in the buildservice
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 12 14:25:51 CET 2007 - mskibbe@suse.de
|
|
|
|
|
|
|
|
|
|
- change path to service cml document (fate #301708)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 9 15:59:42 CET 2007 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- upstream 2.2.4
|
|
|
|
|
mod_authnz_ldap:
|
|
|
|
|
- Add an AuthLDAPRemoteUserAttribute directive. If set,
|
|
|
|
|
REMOTE_USER will be set to this attribute, rather than the
|
|
|
|
|
username supplied by the user. Useful for example when you
|
|
|
|
|
want users to log in using an email address, but need to
|
|
|
|
|
supply a userid instead to the backend.
|
|
|
|
|
mod_cache:
|
|
|
|
|
- From RFC3986 (section 6.2.3.) if a URI contains an authority
|
|
|
|
|
component and an empty path, the empty path is to be
|
|
|
|
|
equivalent to "/". It explicitly cites the following four URIs
|
|
|
|
|
as equivalents:
|
|
|
|
|
http://example.com
|
|
|
|
|
http://example.com/
|
|
|
|
|
http://example.com:/
|
|
|
|
|
http://example.com:80/
|
|
|
|
|
- Eliminate a bogus error in the log when a filter returns
|
|
|
|
|
AP_FILTER_ERROR.
|
|
|
|
|
- Don't cache requests with a expires date in the past;
|
|
|
|
|
otherwise mod_cache will always try to cache the URL. This bug
|
|
|
|
|
might lead to numerous rename() errors on win32 if the URL was
|
|
|
|
|
previously cached.
|
|
|
|
|
mod_cgi and mod_cgid:
|
|
|
|
|
- Don't use apr_status_t error return from input filters as HTTP
|
|
|
|
|
return value from the handler. PR 31579.
|
|
|
|
|
mod_dbd:
|
|
|
|
|
- share per-request database handles across subrequests and
|
|
|
|
|
internal redirects
|
|
|
|
|
- key connection pools to virtual hosts correctly even when
|
|
|
|
|
ServerName is unset/unavailable
|
|
|
|
|
mod_deflate:
|
|
|
|
|
- Rework inflate output and deflate output filter to fix several
|
|
|
|
|
issues: Incorrect handling of flush buckets, potential memory
|
|
|
|
|
leaks, excessive memory usage in inflate output filter for
|
|
|
|
|
large compressed content. PR 39854.
|
|
|
|
|
mod_disk_cache:
|
|
|
|
|
- Make sure that only positive integers are accepted for the
|
|
|
|
|
CacheMaxFileSize and CacheMinFileSize parameters in the config
|
|
|
|
|
file. PR39380.
|
|
|
|
|
mod_dumpio:
|
|
|
|
|
- Allow mod_dumpio to log at other than DEBUG levels via the new
|
|
|
|
|
DumpIOLogLevel directive.
|
|
|
|
|
mod_echo:
|
|
|
|
|
- Fix precedence problem in if statement. PR 40658.
|
|
|
|
|
mod_ext_filter:
|
|
|
|
|
- Handle filter names which include capital letters. PR 40323.
|
|
|
|
|
mod_headers:
|
|
|
|
|
- Support regexp-based editing of HTTP headers.
|
|
|
|
|
mod_mime_magic:
|
|
|
|
|
- Fix precedence problem in if statement. PR 40656.
|
|
|
|
|
mod_mem_cache:
|
|
|
|
|
- Memory leak fix: Unconditionally free the buffer.
|
|
|
|
|
- Convert mod_mem_cache to use APR memory pool functions by
|
|
|
|
|
creating a root pool for object persistence across requests.
|
|
|
|
|
This also eliminates the need for custom serialization code.
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- Don't try to use dead backend connection. PR 37770.
|
|
|
|
|
- Add explicit flushing feature. When Servlet container sends
|
|
|
|
|
AJP body message with size 0, this means that Servlet
|
|
|
|
|
container has asked for an explicit flush. Create flush bucket
|
|
|
|
|
in that case. This feature has been added to the recent Tomcat
|
|
|
|
|
versions without breaking the AJP protocol.
|
|
|
|
|
mod_proxy_ajp:
|
|
|
|
|
- Close connection to backend if reading of request body fails.
|
|
|
|
|
PR 40310.
|
|
|
|
|
- Added cping/cpong support for the AJP protocol. A new worker
|
|
|
|
|
directive ping=timeout will cause CPING packet to be send
|
|
|
|
|
expecting CPONG packet within defined timeout. In case the
|
|
|
|
|
backend is too busy this will fail instead sending the full
|
|
|
|
|
header.
|
|
|
|
|
mod_proxy_balancer:
|
|
|
|
|
- Workers can now be defined as part of a balancer cluster "set"
|
|
|
|
|
in which members of a lower-numbered set are preferred over
|
|
|
|
|
higher numbered ones.
|
|
|
|
|
- Workers can now be defined as "hot standby" which will only be
|
|
|
|
|
used if all other workers are unusable (eg: in error or
|
|
|
|
|
disabled). Also, the balancer-manager displays the election
|
|
|
|
|
count and I/O counts of all workers.
|
|
|
|
|
- Retry worker chosen by route / redirect worker if it is in
|
|
|
|
|
error state before sending "Service Temporarily Unavailable".
|
|
|
|
|
PR 38962.
|
|
|
|
|
- Extract stickysession routing information contained as
|
|
|
|
|
parameter in the URL correctly. PR 40400.
|
|
|
|
|
- Set the new environment variable BALANCER_ROUTE_CHANGED if a
|
|
|
|
|
worker with a route different from the one supplied by the
|
|
|
|
|
client had been chosen or if the client supplied no routing
|
|
|
|
|
information for a balancer with sticky sessions.
|
|
|
|
|
- Add information about the route, the sticky session and the
|
|
|
|
|
worker used during a request as environment variables. PR
|
|
|
|
|
39806.
|
|
|
|
|
core:
|
|
|
|
|
- Fix issue which could cause piped loggers to be orphaned and
|
|
|
|
|
never terminate after a graceful restart. PR 40651.
|
|
|
|
|
- Fix address-in-use startup failure caused by corruption of the
|
|
|
|
|
list of listen sockets in some configurations with multiple
|
|
|
|
|
generic Listen directives.
|
|
|
|
|
- Fix NONBLOCK status of listening sockets on restart/graceful
|
|
|
|
|
PR 37680.
|
|
|
|
|
- Deal with the widespread use of apr_status_t return values as
|
|
|
|
|
HTTP status codes, as documented in PR#31759 (a bug shared by
|
|
|
|
|
the default handler, mod_cgi, mod_cgid, mod_proxy, and
|
|
|
|
|
probably others). PR31759.
|
|
|
|
|
- The full server version information is now included in the
|
|
|
|
|
error log at startup as well as server status reports,
|
|
|
|
|
irrespective of the setting of the ServerTokens directive.
|
|
|
|
|
ap_get_server_version() is now deprecated, and is replaced by
|
|
|
|
|
ap_get_server_banner() and ap_get_server_description().
|
|
|
|
|
misc:
|
|
|
|
|
- Allow htcacheclean, httxt2dbm, and fcgistarter to link
|
|
|
|
|
apr/apr-util statically like the older support programs.
|
|
|
|
|
- Better detection and clean up of ldap connection that has been
|
|
|
|
|
terminated by the ldap server. PR 40878.
|
|
|
|
|
- rotatelogs: Improve error message for open failures. PR
|
|
|
|
|
39487.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 8 11:57:04 CET 2007 - mskibbe@suse.de
|
|
|
|
|
|
|
|
|
|
- Apache XML Service Description Document (fate #301708)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Dec 21 10:36:14 CET 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add patch to add charset=utf-8 to directory listings generated by
|
|
|
|
|
mod_autoindex, and add a directive to allow overriding the
|
|
|
|
|
charset (testing, needs to be discussed with upstream) [#153557]
|
|
|
|
|
httpd-2.2.3-AddDirectoryIndexCharset.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 20 15:58:35 CET 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- set a proper HOME (/var/lib/apache2), otherwise the server might
|
|
|
|
|
end up HOME=/root and some script might try to use that [#132769]
|
|
|
|
|
- add two notes to the QUICKSTART readmes
|
|
|
|
|
- don't install /etc/apache2/extra configuration since this is only
|
|
|
|
|
serving as an example and installed with the documentation anyway
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 26 11:13:52 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add rpm macro for suexec_safepath
|
|
|
|
|
- use _bindir/_sbindir in a few places [#202355]
|
|
|
|
|
- remove unused /sbin/conf.d directory from build root
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 31 15:26:54 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- Enable fatal exception hook for use by diagnostic modules.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Aug 29 16:33:59 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- move some binaries, where calling by users makes sense (dbmmanage
|
|
|
|
|
htdbm htdigest htpasswd), from /usr/sbin to /usr/bin [#140133]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 9 16:13:07 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- upstream 2.2.3
|
|
|
|
|
|SECURITY: CVE-2006-3747 (cve.mitre.org)
|
|
|
|
|
| mod_rewrite: Fix an off-by-one security problem in the ldap scheme
|
|
|
|
|
| handling. For some RewriteRules this could lead to a pointer being
|
|
|
|
|
| written out of bounds. Reported by Mark Dowd of McAfee.
|
|
|
|
|
| mod_authn_alias: Add a check to make sure that the base provider and the
|
|
|
|
|
| alias names are different and also that the alias has not been registered
|
|
|
|
|
| before. PR 40051.
|
|
|
|
|
| mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP
|
|
|
|
|
| client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.
|
|
|
|
|
| mod_autoindex: Fix filename escaping with FancyIndexing disabled.
|
|
|
|
|
| PR 38910.
|
|
|
|
|
| mod_cache:
|
|
|
|
|
| - Make caching of reverse SSL proxies possible again. PR 39593.
|
|
|
|
|
| - Do not overwrite the Content-Type in the cache, for
|
|
|
|
|
| successfully revalidated cached objects. PR 39647.
|
|
|
|
|
| mod_charset_lite: Bypass translation when the source and dest charsets
|
|
|
|
|
| are the same.
|
|
|
|
|
| mod_dbd: Fix dependence on virtualhost configuration in
|
|
|
|
|
| defining prepared statements (possible segfault at startup
|
|
|
|
|
| in user modules such as mod_authn_dbd).
|
|
|
|
|
| mod_mem_cache: Set content type correctly when delivering data from
|
|
|
|
|
| cache. PR 39266.
|
|
|
|
|
| mod_speling: Add directive to deal with case corrections only
|
|
|
|
|
| and ignore other misspellings
|
|
|
|
|
| miscellaneous:
|
|
|
|
|
| - Add optional 'scheme://' prefix to ServerName directive,
|
|
|
|
|
| allowing correct determination of the canonical server URL
|
|
|
|
|
| for use behind a proxy or offload device handling SSL;
|
|
|
|
|
| fixing redirect generation in those cases. PR 33398.
|
|
|
|
|
| - Added server_scheme field to server_rec for above. Minor MMN bump.
|
|
|
|
|
| - Worker MPM: On graceless shutdown or restart, send signals
|
|
|
|
|
| to each worker thread to wake them up if they're polling on
|
|
|
|
|
| a Keep-Alive connection. PR 38737.
|
|
|
|
|
| - worker and event MPMs: fix excessive forking if fork() or
|
|
|
|
|
| child_init take a long time. PR 39275.
|
|
|
|
|
| - Respect GracefulShutdownTimeout in the worker and event MPMs.
|
|
|
|
|
| - configure: Add "--with-included-apr" flag to force use of
|
|
|
|
|
| the bundled version of APR at build time.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jul 4 12:20:54 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- a2enmod, a2enflag: add /usr/sbin to PATH so sysconf_addword is
|
|
|
|
|
found
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jun 23 09:52:17 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix typo in apache-20-22-upgrade script: mod_image_map ->
|
|
|
|
|
mod_imagemap
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jun 12 11:28:59 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- enable logresolve processing of lines longer than 1024 characters
|
|
|
|
|
by compiling with MAXLINE=4096 [#162806]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jun 9 23:11:45 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- upstream 2.2.2
|
|
|
|
|
| SECURITY: CVE-2005-3357 (cve.mitre.org)
|
|
|
|
|
| mod_ssl: Fix a possible crash during access control checks
|
|
|
|
|
| if a non-SSL request is processed for an SSL vhost (such as
|
|
|
|
|
| the "HTTP request received on SSL port" error message when
|
|
|
|
|
| an 400 ErrorDocument is configured, or if using "SSLEngine
|
|
|
|
|
| optional"). PR 37791.
|
|
|
|
|
| SECURITY: CVE-2005-3352 (cve.mitre.org)
|
|
|
|
|
| mod_imagemap: Escape untrusted referer header before
|
|
|
|
|
| outputting in HTML to avoid potential cross-site scripting.
|
|
|
|
|
| Change also made to ap_escape_html so we escape quotes.
|
|
|
|
|
| Reported by JPCERT.
|
|
|
|
|
| mod_cache:
|
|
|
|
|
| - Make caching of reverse proxies possible again. PR 38017.
|
|
|
|
|
| mod_disk_cache:
|
|
|
|
|
| - Return the correct error codes from bucket read failures,
|
|
|
|
|
| instead of APR_EGENERAL.
|
|
|
|
|
| mod_dbd:
|
|
|
|
|
| - Update defaults, improve error reporting.
|
|
|
|
|
| - Create own pool and mutex to avoid problem use of process
|
|
|
|
|
| pool in request processing.
|
|
|
|
|
| mod_deflate:
|
|
|
|
|
| - work correctly in an internal redirect
|
|
|
|
|
| mod_proxy:
|
|
|
|
|
| - don't reuse a connection that may be to the wrong backend PR 39253
|
|
|
|
|
| - Do not release connections from connection pool twice. PR 38793.
|
|
|
|
|
| - Fix KeepAlives not being allowed and set to backend servers. PR 38602.
|
|
|
|
|
| - Fix incorrect usage of local and shared worker init. PR 38403.
|
|
|
|
|
| - If we get an error reading the upstream response, close the
|
|
|
|
|
| connection.
|
|
|
|
|
| mod_proxy_balancer:
|
|
|
|
|
| - Initialize members of a balancer correctly. PR 38227.
|
|
|
|
|
| mod_proxy_ajp:
|
|
|
|
|
| - Flushing of the output after each AJP chunk is now
|
|
|
|
|
| configurable at runtime via the 'flushpackets' and 'flushwait'
|
|
|
|
|
| worker params. Minor MMN bump.
|
|
|
|
|
| - Crosscheck the length of the body chunk with the length of the
|
|
|
|
|
| ajp message to prevent mod_proxy_ajp from reading beyond the
|
|
|
|
|
| buffer boundaries and thus revealing possibly sensitive memory
|
|
|
|
|
| contents to the client.
|
|
|
|
|
| - Support common headers of the AJP protocol in responses. PR 38340.
|
|
|
|
|
| mod_proxy_http:
|
|
|
|
|
| - Do send keep-alive header if the client sent connection:
|
|
|
|
|
| keep-alive and do not close backend connection if the client
|
|
|
|
|
| sent connection: close. PR 38524.
|
|
|
|
|
| mod_proxy_balancer:
|
|
|
|
|
| - Do not overwrite the status of initialized workers and respect
|
|
|
|
|
| the configured status of uninitilized workers when creating a
|
|
|
|
|
| new child process.
|
|
|
|
|
| - Fix off-by-one error in proxy_balancer. PR 37753.
|
|
|
|
|
| mod_speling:
|
|
|
|
|
| - Stop crashing with certain non-file requests.
|
|
|
|
|
| mod_ssl:
|
|
|
|
|
| - Fix possible crashes in shmcb with gcc 4 on platforms
|
|
|
|
|
| requiring word-aligned pointers. PR 38838.
|
|
|
|
|
| miscellaneous:
|
|
|
|
|
| - core: Prevent reading uninitialized memory while reading a line of
|
|
|
|
|
| protocol input. PR 39282.
|
|
|
|
|
| - core: Reject invalid Expect header immediately. PR 38123.
|
|
|
|
|
| - Default handler: Don't return output filter apr_status_t values.
|
|
|
|
|
| PR 31759.
|
|
|
|
|
| - Add APR/APR-Util Compiled and Runtime Version numbers to the
|
|
|
|
|
| output of 'httpd -V'.
|
|
|
|
|
| - http: If a connection is aborted while waiting for a chunked line,
|
|
|
|
|
| flag the connection as errored out.
|
|
|
|
|
| - Don't hang on error return from post_read_request. PR 37790.
|
|
|
|
|
| - Fix mis-shifted 32 bit scope, masked to 64 bits as a method.
|
|
|
|
|
| - Fix recursive ErrorDocument handling. PR 36090.
|
|
|
|
|
| - Ensure that the proper status line is written to the client, fixing
|
|
|
|
|
| incorrect status lines caused by filters which modify r->status without
|
|
|
|
|
| resetting r->status_line, such as the built-in byterange filter.
|
|
|
|
|
| - HTML-escape the Expect error message. Not classed as security as
|
|
|
|
|
| an attacker has no way to influence the Expect header a victim will
|
|
|
|
|
| send to a target site.
|
|
|
|
|
| - Chunk filter: Fix chunk filter to create correct chunks in the case that
|
|
|
|
|
| a flush bucket is surrounded by data buckets.
|
|
|
|
|
| - Avoid Server-driven negotiation when a script has emitted an
|
|
|
|
|
| explicit Status: header. PR 38070.
|
|
|
|
|
| - htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.
|
|
|
|
|
| - htdbm: Warn the user when adding a plaintext password on a platform
|
|
|
|
|
| where it wouldn't work with the server (i.e., anywhere that has
|
|
|
|
|
| crypt()).
|
|
|
|
|
- adapted httpd-2.1.3alpha-autoconf-2.59.dif
|
|
|
|
|
- other user visible changes:
|
|
|
|
|
* use a2enmod, a2enflag in apache2-README.QUICKSTART.*
|
|
|
|
|
* add README.QUICKSTART link to httpd.conf
|
|
|
|
|
- when installing/updating, avoid irritating message in
|
|
|
|
|
/var/log/messages ("group is unknown - group=wwwadmin") [#183071]
|
|
|
|
|
- build system changes:
|
|
|
|
|
* clean up old cruft tight to suse_version macros
|
|
|
|
|
* don't run buildconf, and thus don't need python.
|
|
|
|
|
* don't ship uid.conf as source file, but create it dynamically
|
|
|
|
|
instead, according to user/group defined via rpm macro
|
|
|
|
|
* create wwwrun:www user on non-SUSE builds
|
|
|
|
|
* work around missimg macros insserv_prereq and fillup_prereq on non-SUSE builds
|
|
|
|
|
* add openssl-devel and expat-devel to Buildrequires for non-SUSE builds
|
|
|
|
|
* make sure that the rpm macro sles_version is defined
|
|
|
|
|
* remove obsolete VENDOR UnitedLinux macro
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Apr 25 18:10:28 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- obsolete 'apache' package on SLES10 (obsolete it on all platforms
|
|
|
|
|
except SLES9 and old SL releases)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Mar 29 11:54:00 CEST 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- remove php4 from default modules [#155333]
|
|
|
|
|
- fix comment in /etc/init.d/apache2 [#148559]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 20 13:49:07 CET 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fixed comment in init script which indicated wrong version [#148559]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jan 30 12:41:20 CET 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- added Requires: libapr-util1-devel to apache2-devel package [#146496]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 27 15:10:15 CET 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add a note about NameVirtualHost statements to the vhost template
|
|
|
|
|
files [#145000]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 25 21:34:16 CET 2006 - mls@suse.de
|
|
|
|
|
|
|
|
|
|
- converted neededforbuild to BuildRequires
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 20 13:20:04 CET 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- cleanup: remove obsolete metuxmpm patch
|
|
|
|
|
- improve informational text in apache-20-22-upgrade
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jan 18 10:11:12 CET 2006 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- the new DYNAMIC_MODULE_LIMIT default in 2.2 is 128, so no need to
|
|
|
|
|
increase it anymore (fixes [#143536])
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Dec 19 13:25:20 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.2.0
|
|
|
|
|
- enable all new modules
|
|
|
|
|
- replaced modules "auth auth_dbm access" in default configuration
|
|
|
|
|
by "auth_basic authn_file authn_dbm authz_host authz_default
|
|
|
|
|
authz_user""
|
|
|
|
|
- /usr/share/apache2/apache-20-22-upgrade will fix the module list
|
|
|
|
|
on upgrade
|
|
|
|
|
- fix bug in sysconf_addword (used by a2enmod) to respect word
|
|
|
|
|
boundaries when removing a word (but don't count slashes as word
|
|
|
|
|
boundary)
|
|
|
|
|
- remove perchild mpm subpackage, add experimemtal event mpm
|
|
|
|
|
- remove obsolete tool apache2-reconfigure-mpm
|
|
|
|
|
- remove obsolete perchild config from apache2-server-tuning.conf
|
|
|
|
|
- remove libapr0 subpackage; add libapr1 and libapr-util1 to #neededforbuild
|
|
|
|
|
- build against system pcre
|
|
|
|
|
- build with --enable-pie
|
|
|
|
|
- don't modify which libraries are linked in
|
|
|
|
|
- adjust IndexIgnore setting to upstream default. Previously, the
|
|
|
|
|
parent directory (..) was being ignored
|
|
|
|
|
- package the symlinks in ssl.crt
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 7 11:07:21 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- patch apxs to use the new a2enmod tool, when called with -a
|
|
|
|
|
- add -l option to a2enmod, which gives a list of active modules
|
|
|
|
|
- adjust feedback address in the readmes
|
|
|
|
|
- update README.QUICKSTART.SSL (mention TinyCA)
|
|
|
|
|
- add more documentation in server-tuning.conf, and adjust defaults
|
|
|
|
|
- do not document the restart-hup action of the init script. It
|
|
|
|
|
should not be used
|
|
|
|
|
- don't install the tool checkgid -- it is only usable during
|
|
|
|
|
installation
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 18 13:22:21 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix duplicated Source45 tag
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 24 14:17:08 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.55. Relevant changes:
|
|
|
|
|
| SECURITY: CAN-2005-2700 (cve.mitre.org)
|
|
|
|
|
| mod_ssl: Fix a security issue where "SSLVerifyClient" was
|
|
|
|
|
| not enforced in per-location context if "SSLVerifyClient
|
|
|
|
|
| optional" was configured in the vhost configuration.
|
|
|
|
|
| SECURITY: CAN-2005-2491 (cve.mitre.org):
|
|
|
|
|
| Fix integer overflows in PCRE in quantifier parsing which
|
|
|
|
|
| could be triggered by a local user through use of a
|
|
|
|
|
| carefully-crafted regex in an .htaccess file.
|
|
|
|
|
| SECURITY: CAN-2005-2088 (cve.mitre.org)
|
|
|
|
|
| proxy: Correctly handle the Transfer-Encoding and
|
|
|
|
|
| Content-Length headers. Discard the request Content-Length
|
|
|
|
|
| whenever T-E: chunked is used, always passing one of either
|
|
|
|
|
| C-L or T-E: chunked whenever the request includes a request
|
|
|
|
|
| body. Resolves an entire class of proxy HTTP Request
|
|
|
|
|
| Splitting/Spoofing attacks.
|
|
|
|
|
| SECURITY: CAN-2005-2728 (cve.mitre.org)
|
|
|
|
|
| Fix cases where the byterange filter would buffer responses
|
|
|
|
|
| into memory. PR 29962.
|
|
|
|
|
| SECURITY: CAN-2005-2088 (cve.mitre.org)
|
|
|
|
|
| core: If a request contains both Transfer-Encoding and
|
|
|
|
|
| Content-Length headers, remove the Content-Length,
|
|
|
|
|
| mitigating some HTTP Request Splitting/Spoofing attacks.
|
|
|
|
|
| SECURITY: CAN-2005-1268 (cve.mitre.org)
|
|
|
|
|
| mod_ssl: Fix off-by-one overflow whilst printing CRL
|
|
|
|
|
| information at "LogLevel debug" which could be triggered if
|
|
|
|
|
| configured to use a "malicious" CRL. PR 35081.
|
|
|
|
|
| miscellaneous:
|
|
|
|
|
| - worker MPM: Fix a memory leak which can occur after an
|
|
|
|
|
| aborted connection in some limited circumstances.
|
|
|
|
|
| - worker mpm: don't take down the whole server for a transient
|
|
|
|
|
| thread creation failure. PR 34514
|
|
|
|
|
| - Added TraceEnable [on|off|extended] per-server directive to
|
|
|
|
|
| alter the behavior of the TRACE method. This addresses a
|
|
|
|
|
| flaw in proxy conformance to RFC 2616 - previously the proxy
|
|
|
|
|
| server would accept a TRACE request body although the RFC
|
|
|
|
|
| prohibited it. The default remains 'TraceEnable on'.
|
|
|
|
|
| - Add ap_log_cerror() for logging messages associated with
|
|
|
|
|
| particular client connections.
|
|
|
|
|
| - Support the suppress-error-charset setting, as with Apache
|
|
|
|
|
| 1.3.x. PR 31274.
|
|
|
|
|
| - Fix bad globbing comparison which could result in getting a
|
|
|
|
|
| directory listing when a file was requested. PR 34512.
|
|
|
|
|
| - Fix a file descriptor leak when starting piped loggers. PR
|
|
|
|
|
| 33748.
|
|
|
|
|
| - Prevent hangs of child processes when writing to piped
|
|
|
|
|
| loggers at the time of graceful restart. PR 26467.
|
|
|
|
|
| mod_cgid:
|
|
|
|
|
| - Correct mod_cgid's argv[0] so that the full path can be
|
|
|
|
|
| delved by the invoked cgi application, to conform to the
|
|
|
|
|
| behavior of mod_cgi.
|
|
|
|
|
| mod_include:
|
|
|
|
|
| - Fix possible environment variable corruption when using
|
|
|
|
|
| nested includes. PR 12655.
|
|
|
|
|
| mod_ldap:
|
|
|
|
|
| - Fix PR 36563. Keep track of the number of attributes
|
|
|
|
|
| retrieved from LDAP so that all of the values can be
|
|
|
|
|
| properly cached even if the value is NULL.
|
|
|
|
|
| - Fix core dump if mod_auth_ldap's
|
|
|
|
|
| mod_auth_ldap_auth_checker() was called even if
|
|
|
|
|
| mod_auth_ldap_check_user_id() was not (or if it didn't
|
|
|
|
|
| succeed) for non-authoritative cases.
|
|
|
|
|
| - Avoid segfaults when opening connections if using a version
|
|
|
|
|
| of OpenLDAP older than 2.2.21. PR 34618.
|
|
|
|
|
| - Fix various shared memory cache handling bugs. PR 34209.
|
|
|
|
|
| mod_proxy:
|
|
|
|
|
| - Fix over-eager handling of '%' for reverse proxies. PR
|
|
|
|
|
| 15207.
|
|
|
|
|
| - proxy HTTP: If a response contains both Transfer-Encoding
|
|
|
|
|
| and a Content-Length, remove the Content-Length and don't
|
|
|
|
|
| reuse the connection, mitigating some HTTP Response
|
|
|
|
|
| Splitting attacks.
|
|
|
|
|
| - proxy HTTP: Rework the handling of request bodies to handle
|
|
|
|
|
| chunked input and input filters which modify content length,
|
|
|
|
|
| and avoid spooling arbitrary-sized request bodies in memory.
|
|
|
|
|
| PR 15859.
|
|
|
|
|
| mod_ssl:
|
|
|
|
|
| - Fix build with OpenSSL 0.9.8. PR 35757.
|
|
|
|
|
| mod_rewrite:
|
|
|
|
|
| - use buffered I/O to improve performance with large
|
|
|
|
|
| RewriteMap txt: files.
|
|
|
|
|
| mod_userdir:
|
|
|
|
|
| - Fix possible memory corruption issue. PR 34588.
|
|
|
|
|
- drop obsolete patches httpd-2.0.54-openssl-0.9.8.dif
|
|
|
|
|
httpd-2.0.54-CAN-2005-1268-mod_ssl-crl.dif
|
|
|
|
|
apache2-bundled-pcre-5.0-CAN-2005-2491.dif
|
|
|
|
|
httpd-2.0.54-SSLVerifyClient-CAN-2005-2700.diff
|
|
|
|
|
httpd-2.0.54-ap_byterange-CAN-2005-2728.diff
|
|
|
|
|
- add httpd-2.0.55-37145_2.0.x.diff (broken mod_proxy in 2.0.55)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 20 15:50:35 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- rc.apache2: when stopping the server, wait for the actual binary
|
|
|
|
|
of the parent process to disappear. Waiting for the pid file to
|
|
|
|
|
disappear is not sufficient, because not all cleanup might be
|
|
|
|
|
finished at the time of its removal. [#96492], [#85539]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Oct 12 15:42:47 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix security hole by wrongly initializing LD_LIBRARY_PATH in
|
|
|
|
|
/usr/sbin/envvars (used by apache2ctl only) [#118188]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 30 09:47:20 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- accomodate API changes to OpenSSL 0.9.8 (r209468 from 2.0.x branch)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 26 01:24:18 CEST 2005 - ro@suse.de
|
|
|
|
|
|
|
|
|
|
- define LDAP_DEPRECATED in CFLAGS
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 2 12:55:08 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- security fix [CAN-2005-2728 (cve.mitre.org)]:
|
|
|
|
|
fix memory consumption bug in byterange handling
|
|
|
|
|
- security fix [CAN-2005-2700 (cve.mitre.org)]: [#114701]
|
|
|
|
|
if "SSLVerifyClient optional" has been configured at the vhost
|
|
|
|
|
context then "SSLVerifyClient require" is not enforced in a
|
|
|
|
|
location context within that vhost; effectively allowing clients
|
|
|
|
|
to bypass client-cert authentication checks. [#114701]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 31 15:39:38 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- Security fix: fix integer overflows in PCRE in quantifier parsing which
|
|
|
|
|
could be triggered by a local user through use of a carefully-crafted
|
|
|
|
|
regex in an .htaccess file. CAN-2005-2491 [#112651] [#106209]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Aug 30 17:41:46 CEST 2005 - lmuelle@suse.de
|
|
|
|
|
|
|
|
|
|
- Escape also any forward slash while removing a word with sysconf_addword.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 26 14:33:34 CEST 2005 - lmuelle@suse.de
|
|
|
|
|
|
|
|
|
|
- Escape any forward slash in the word argument of sysconf_addword.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Aug 14 00:20:26 CEST 2005 - ro@suse.de
|
|
|
|
|
|
|
|
|
|
- alingn suexec2 permissions with permissions.secure
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 11 11:09:49 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- the permissions files are now maintained centrally and packaged
|
|
|
|
|
in the permissions package. Package suexec2 with mode 0750. [#66304]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 5 13:10:21 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- change SSLMutex "default" so APR always picks the best on the
|
|
|
|
|
platform
|
|
|
|
|
- fix Source42 tag which was present twice
|
|
|
|
|
- add a2enmod/a2enflag to add/remove modules/flags conveniently
|
|
|
|
|
- add charset.conv table for mod_auth_ldap
|
|
|
|
|
- make sure that suse_version is defined (it might be unset by e.g.
|
|
|
|
|
ISPs preinstallations)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jul 12 23:49:29 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- security fix [CAN-2005-2088 (cve.mitre.org)]: core: If a request
|
|
|
|
|
contains both Transfer-Encoding and a Content-Length, remove the
|
|
|
|
|
Content-Length, stopping some HTTP Request smuggling attacks.
|
|
|
|
|
mod_proxy: Reject chunked requests. [#95709]
|
|
|
|
|
- security fix [CAN-2005-1268 (cve.mitre.org)]: mod_ssl: fix
|
|
|
|
|
off-by-one overflow whilst printing CRL information at "LogLevel
|
|
|
|
|
debug" which could be triggered if configured to use a
|
|
|
|
|
"malicious" CRL. PR 35081. [#95709]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jun 20 12:57:17 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add httpd-2.0.47-pie.patch from from 2.1.3-dev to compile with
|
|
|
|
|
-fpie and link with -pie
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed May 18 16:46:22 CEST 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.54. Relevant changes:
|
|
|
|
|
| mod_cache:
|
|
|
|
|
| - Add CacheIgnoreHeaders directive. PR 30399.
|
|
|
|
|
| mod_dav:
|
|
|
|
|
| - Correctly export all public functions.
|
|
|
|
|
| mod_ldap:
|
|
|
|
|
| - Added the directive LDAPConnectionTimeout to configure the
|
|
|
|
|
| ldap socket connection timeout value.
|
|
|
|
|
| mod_ssl:
|
|
|
|
|
| - If SSLUsername is used, set r->user earlier. PR 31418.
|
|
|
|
|
| miscellaneous:
|
|
|
|
|
| - Unix MPMs: Shut down the server more quickly when child
|
|
|
|
|
| processes are slow to exit.
|
|
|
|
|
| - worker MPM: Fix a problem which could cause httpd processes
|
|
|
|
|
| to remain active after shutdown.
|
|
|
|
|
| - Remove formatting characters from ap_log_error() calls.
|
|
|
|
|
| These were escaped as fallout from CAN-2003-0020.
|
|
|
|
|
| - core_input_filter: Move buckets to a persistent brigade
|
|
|
|
|
| instead of creating a new brigade. This stop a memory leak
|
|
|
|
|
| when proxying a Streaming Media Server. PR 33382.
|
|
|
|
|
| - htdigest: Fix permissions of created files. PR 33765.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 14 17:13:27 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- revise README
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 7 17:14:16 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- when building the suexec binary, set the "docroot" compile time
|
|
|
|
|
option to the datadir (/srv/www) instead of the htdocsdir
|
|
|
|
|
(/srv/www/htdocs), so it can be used with virtual hosts placed
|
|
|
|
|
e.g. in /srv/www/vhosts [#63845] Suggested by Winfried Kuiper.
|
|
|
|
|
- add php5 to APACHE_MODULES by default, so it can be used simply
|
|
|
|
|
by installing the package. Suppress warning about not-found
|
|
|
|
|
module in the php4/php5 case. [#66729]
|
|
|
|
|
- remove a redundant get_module_list call from the init script
|
|
|
|
|
- add hints about vhost setup to README.QUICKSTART
|
|
|
|
|
- after a change of APACHE_MPM, apache2-reconfigure-mpm is no
|
|
|
|
|
longer needed since SuSEconfig.apache2 is gone. Leave it for
|
|
|
|
|
compatibility, because /etc/sysconfig/apache2 is probably not
|
|
|
|
|
updated and yast may still use it.
|
|
|
|
|
- move the 4 most important variables in sysconfig.apache2 to the
|
|
|
|
|
top of the file
|
|
|
|
|
- add note about the old monolithic configuration file and how to
|
|
|
|
|
use it
|
|
|
|
|
- drop patch httpd-2.0.40-openssl-version.dif (we don't even have
|
|
|
|
|
openssl-0.9.6e anywhere, any longer)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Mar 2 12:38:55 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix TLS upgrade patch: with SSLEngine set to Optional, an
|
|
|
|
|
additional token in an Upgrade: header before "TLS/1.0" could
|
|
|
|
|
result into an infinite loop [#67126]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 22 16:23:33 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- run /usr/share/apache2/get_module_list post install, which will
|
|
|
|
|
also create the symlink to the httpd2 binary, which might be
|
|
|
|
|
necessary during package building when apache has been installed
|
|
|
|
|
but never been run.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 21 16:16:16 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- remove SuSEconfig.apache2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Feb 11 15:14:14 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- raise DYNAMIC_MODULE_LIMIT to 80. The test suite loading all
|
|
|
|
|
available modules plus 9 perl modules was beginning to fail
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Feb 9 11:46:37 CET 2005 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.53. Relevant changes:
|
|
|
|
|
| SECURITY: CAN-2004-0942 (cve.mitre.org)
|
|
|
|
|
| Fix for memory consumption DoS in handling of MIME folded request
|
|
|
|
|
| headers.
|
|
|
|
|
| SECURITY: CAN-2004-0885 (cve.mitre.org)
|
|
|
|
|
| mod_ssl: Fix a bug which allowed an SSLCipherSuite setting to be
|
|
|
|
|
| bypassed during an SSL renegotiation. PR 31505.
|
|
|
|
|
| mod_dumpio:
|
|
|
|
|
| - new I/O logging/dumping module, added to the
|
|
|
|
|
| modules/expermimental subdirectory.
|
|
|
|
|
| mod_ssl:
|
|
|
|
|
| - fail quickly if SSL connection is aborted rather than making
|
|
|
|
|
| many doomed ap_pass_brigade calls. PR 32699.
|
|
|
|
|
| - Fail at startup rather than segfault at runtime if a client cert
|
|
|
|
|
| is configured with an encrypted private key. PR 24030.
|
|
|
|
|
| mod_include:
|
|
|
|
|
| - Fix bug which could truncate variable expansions of N*64
|
|
|
|
|
| characters by one byte. PR 32985.
|
|
|
|
|
| mod_status:
|
|
|
|
|
| - Start keeping track of time-taken-to-process-request again if
|
|
|
|
|
| ExtendedStatus is enabled.
|
|
|
|
|
| util_ldap:
|
|
|
|
|
| - Util_ldap: Implemented the util_ldap_cache_getuserdn() API so
|
|
|
|
|
| that ldap authorization only modules have access to the
|
|
|
|
|
| util_ldap user cache without having to require ldap
|
|
|
|
|
| authentication as well. PR 31898.
|
|
|
|
|
| mod_ldap:
|
|
|
|
|
| - Fix format strings to use %APR_PID_T_FMT instead of %d.
|
|
|
|
|
| - prevent the possiblity of an infinite loop in the LDAP
|
|
|
|
|
| statistics display. PR 29216.
|
|
|
|
|
| - fix a bogus error message to tell the user which file is causing
|
|
|
|
|
| a potential problem with the LDAP shared memory cache. PR 31431
|
|
|
|
|
| - Fix the re-linking issue when purging elements from the LDAP
|
|
|
|
|
| cache PR 24801.
|
|
|
|
|
| mod_auth_ldap:
|
|
|
|
|
| - Added the directive "Requires ldap-attribute" that allows the
|
|
|
|
|
| module to only authorize a user if the attribute value specified
|
|
|
|
|
| matches the value of the user object. PR 31913
|
|
|
|
|
| - Handle the inconsistent way in which the MS LDAP library handles
|
|
|
|
|
| special characters. PR 24437.
|
|
|
|
|
| mod_proxy:
|
|
|
|
|
| - Fix ProxyRemoteMatch directive. PR 33170.
|
|
|
|
|
| - Respect errors reported by pre_connection hooks.
|
|
|
|
|
| - Handle client-aborted connections correctly. PR 32443.
|
|
|
|
|
| mod_cache:
|
|
|
|
|
| - CacheDisable will only disable the URLs it was meant to disable,
|
|
|
|
|
| not all caching. PR 31128.
|
|
|
|
|
| - Try to correctly follow RFC 2616 13.3 on validating stale cache
|
|
|
|
|
| responses.
|
|
|
|
|
| - Fix Expires handling.
|
|
|
|
|
| mod_disk_cache:
|
|
|
|
|
| - Do not store aborted content. PR 21492.
|
|
|
|
|
| - Correctly store cached content type. PR 30278.
|
|
|
|
|
| - Do not store hop-by-hop headers.
|
|
|
|
|
| - Fix races in saving responses.
|
|
|
|
|
| mod_expires:
|
|
|
|
|
| - Alter mod_expires to run at a different filter priority to allow
|
|
|
|
|
| proper Expires storage by mod_cache.
|
|
|
|
|
| mod_rewrite:
|
|
|
|
|
| - Handle per-location rules when r->filename is unset. Previously
|
|
|
|
|
| this would segfault or simply not match as expected, depending
|
|
|
|
|
| on the platform.
|
|
|
|
|
| - Fix 0 bytes write into random memory position. PR 31036.
|
|
|
|
|
| miscellaneous:
|
|
|
|
|
| - Fix --with-apr=/usr and/or --with-apr-util=/usr. PR 29740.
|
|
|
|
|
| - apxs: fix handling of -Wc/-Wl and "-o mod_foo.so". PR 31448
|
|
|
|
|
| - Allow for the use of --with-module=foo:bar where the ./modules/foo
|
|
|
|
|
| directory is local only. Assumes, of course, that the required
|
|
|
|
|
| files are in ./modules/foo, but makes it easier to statically
|
|
|
|
|
| build/log "external" modules.
|
|
|
|
|
| - --with-module can now take more than one module to be statically
|
|
|
|
|
| linked: --with-module=<modtype>:<modfile>,<modtype>:<modfile>,...
|
|
|
|
|
| If the <modtype>-subdirectory doesn't exist it will be created and
|
|
|
|
|
| populated with a standard Makefile.in.
|
|
|
|
|
| - Fix handling of files >2Gb on all platforms (or builds) where
|
|
|
|
|
| apr_off_t is larger than apr_size_t. PR 28898.
|
|
|
|
|
| - Remove compiled-in upper limit on LimitRequestFieldSize.
|
|
|
|
|
| - Correct handling of certain bucket types in ap_save_brigade, fixing
|
|
|
|
|
| possible segfaults in mod_cgi with #include virtual. PR 31247.
|
|
|
|
|
| - conf: Remove AddDefaultCharset from the default configuration
|
|
|
|
|
| because setting a site-wide default does more harm than good. PR
|
|
|
|
|
| 23421.
|
|
|
|
|
| - Add charset to example CGI scripts.
|
|
|
|
|
- merge tls-upgrade.patch
|
|
|
|
|
- remove obsolete httpd-2.0.47-headtail.dif
|
|
|
|
|
httpd-2.0.52-util_ldap_cache_mgr.c.dif
|
|
|
|
|
httpd-2.0.52-SSLCipherSuite-bypass-CAN-2004-0885.dif
|
|
|
|
|
httpd-2.0.52-ssl-incomplete-keypair.dif
|
|
|
|
|
httpd-2.0.52-memory-consumption-DoS-CAN-2004-0942.dif
|
|
|
|
|
httpd-2.0.52.21492.diff
|
|
|
|
|
httpd-2.0.52.30278.diff
|
|
|
|
|
httpd-2.0.52.30399.diff
|
|
|
|
|
httpd-2.0.52.30419.diff
|
|
|
|
|
httpd-2.0.52.31385.diff
|
|
|
|
|
- sync configuration with upstream changes
|
|
|
|
|
* Remove AddDefaultCharset (see upstream changelog above)
|
|
|
|
|
* LanguagePriority for error documents updated
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Jan 15 20:46:53 CET 2005 - schwab@suse.de
|
|
|
|
|
|
|
|
|
|
- Use <owner>:<group> in permissions file.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 11 14:08:35 CET 2005 - schwab@suse.de
|
|
|
|
|
|
|
|
|
|
- Fix /etc/init.d/apache2 to use readlink instead of linkto or file.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Nov 29 14:42:40 CET 2004 - hvogel@suse.de
|
|
|
|
|
|
|
|
|
|
- fix permission handling
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Nov 11 13:06:22 CET 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix /etc/init.d/apache2 to correctly handle the start of multiple
|
|
|
|
|
instances of the same binary (using startproc -f plus prior check
|
|
|
|
|
for running instance) [#48153]
|
|
|
|
|
- fix helper scripts to allow overriding of $sysconfig_file and
|
|
|
|
|
other useful values
|
|
|
|
|
- remove unused 'rundir' variable from /etc/init.d/apache2
|
|
|
|
|
- removed backward compatibility code for pre-8.0
|
|
|
|
|
- add documentation to the vhost template files and
|
|
|
|
|
README.QUICKSTART
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Nov 8 16:14:23 CET 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- security fix [CAN-2004-0942 (cve.mitre.org)]: Fix for memory
|
|
|
|
|
consumption DoS [#47967]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Nov 4 16:47:59 CET 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- remove heimdal-devel from #neededforbuild, it is not needed
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Oct 15 07:44:20 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix SSLCipherSuite bypass CAN-2004-0885 (cve.mitre.org) [#47117]
|
|
|
|
|
- update the TLS upgrade patch [#47207]
|
|
|
|
|
- mod_ssl returned invalid method on TLS upgraded connections
|
|
|
|
|
- additional checks for httpd_method and default_port hooks
|
|
|
|
|
- fixed typo in upgrade header
|
|
|
|
|
- add patches from Ruediger Pluem for the experimental modules
|
|
|
|
|
mod_disk_cache, mod_cache
|
|
|
|
|
PR 21492: mod_disk_cache: Do not store aborted content.
|
|
|
|
|
PR 30278: mod_disk_cache: Correctly store cached content type.
|
|
|
|
|
PR 30399: make storing of Set-Cookie headers optional
|
|
|
|
|
PR 30419: weird caching behaviour of mod_cache and old Cookies
|
|
|
|
|
PR 31385: skipping start of file if recaching already cached file
|
|
|
|
|
- patch from 2.0.53: Fail to configure when an SSL proxy is
|
|
|
|
|
configured with incomplete client cert keypair, rather than
|
|
|
|
|
segfaulting at runtime. PR 24030
|
|
|
|
|
http://cvs.apache.org/viewcvs/httpd-2.0/modules/ssl/ssl_engine_init.c.diff?r1=1.118&r2=1.119
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 11 14:31:42 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add patch fixing re-linking issue when purging elements from the
|
|
|
|
|
LDAP cache. http://nagoya.apache.org/bugzilla/show_bug.cgi?id=24801
|
|
|
|
|
http://www.apache.org/dist/httpd/patches/apply_to_2.0.52/util_ldap_cache_mgr.c.patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 11 14:07:33 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- sync update configuration with upstream changes (2.0.52)
|
|
|
|
|
(mostly comments; configuration for spanish manual added)
|
|
|
|
|
- add mime type for shortcut icons (favicon.ico)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Oct 8 18:36:21 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.52. Relevant changes:
|
|
|
|
|
| SECURITY: CAN-2004-0811 (cve.mitre.org)
|
|
|
|
|
| Fix merging of the Satisfy directive, which was applied to
|
|
|
|
|
| the surrounding context and could allow access despite configured
|
|
|
|
|
| authentication. PR 31315.
|
|
|
|
|
| util_ldap:
|
|
|
|
|
| Fix a segfault in the LDAP cache when it is configured switched off.
|
|
|
|
|
| mod_mem_cache:
|
|
|
|
|
| Fixed race condition causing segfault because of memory being
|
|
|
|
|
| freed twice, or reused after being freed.
|
|
|
|
|
| mod_log_config:
|
|
|
|
|
| Fix a bug which prevented request completion time from being
|
|
|
|
|
| logged for I_INSIST_ON_EXTRA_CYCLES_FOR_CLF_COMPLIANCE
|
|
|
|
|
| processing. PR 29696.
|
|
|
|
|
| miscellaneous:
|
|
|
|
|
| - Use HTML 2.0 <hr> for error pages. PR 30732
|
|
|
|
|
| - Fix the handling of URIs containing %2F when
|
|
|
|
|
| AllowEncodedSlashes is enabled. Previously, such urls would
|
|
|
|
|
| still be rejected.
|
|
|
|
|
| - Fix the global mutex crash when the global mutex is never
|
|
|
|
|
| allocated due to disabled/empty caches.
|
|
|
|
|
| - Add -l option to rotatelogs to let it use local time rather
|
|
|
|
|
| than UTC. PR 24417.
|
|
|
|
|
- changes from 2.0.51:
|
|
|
|
|
| SECURITY: CAN-2004-0786 (cve.mitre.org)
|
|
|
|
|
| Fix an input validation issue in apr-util which could be
|
|
|
|
|
| triggered by malformed IPv6 literal addresses.
|
|
|
|
|
| SECURITY: CAN-2004-0747 (cve.mitre.org)
|
|
|
|
|
| Fix buffer overflow in expansion of environment variables in
|
|
|
|
|
| configuration file parsing.
|
|
|
|
|
| SECURITY: CAN-2004-0809 (cve.mitre.org)
|
|
|
|
|
| mod_dav_fs: Fix a segfault in the handling of an indirect lock
|
|
|
|
|
| refresh. PR 31183.
|
|
|
|
|
| SECURITY: CAN-2004-0751 (cve.mitre.org)
|
|
|
|
|
| mod_ssl: Fix a segfault in the SSL input filter which could be
|
|
|
|
|
| triggered if using "speculative" mode, for instance by a proxy
|
|
|
|
|
| request to an SSL server. PR 30134.
|
|
|
|
|
| SECURITY: CAN-2004-0748 (cve.mitre.org)
|
|
|
|
|
| mod_ssl: Fix a potential infinite loop. PR 29964.
|
|
|
|
|
| mod_include:
|
|
|
|
|
| no longer checks for recursion, because that's done in the core.
|
|
|
|
|
| This allows for careful usage of recursive SSI.
|
|
|
|
|
| mod_rewrite:
|
|
|
|
|
| - Fix memory leak in the cache handlingof mod_rewrite. PR 27862.
|
|
|
|
|
| - Add %{SSL:...} and %{HTTPS} variable lookups. PR 30464.
|
|
|
|
|
| - mod_rewrite now officially supports RewriteRules in <Proxy>
|
|
|
|
|
| sections. PR 27985.
|
|
|
|
|
| - no longer confuse the RewriteMap caches if different maps
|
|
|
|
|
| defined in different virtual hosts use the same map name. PR 26462.
|
|
|
|
|
| mod_ssl:
|
|
|
|
|
| - Add new 'ssl_is_https' optional function.
|
|
|
|
|
| - Add "SSLUserName" directive to set r->user based on a chosen SSL
|
|
|
|
|
| environment variable. PR 20957.
|
|
|
|
|
| - Avoid startup failure after unclean shutdown if using shmcb. PR 18989.
|
|
|
|
|
| mod_autoindex:
|
|
|
|
|
| - Don't truncate the directory listing if a stat() call fails (for
|
|
|
|
|
| instance on a >2Gb file). PR 17357.
|
|
|
|
|
| mod_cache, mod_disk_cache, mod_mem_cache:
|
|
|
|
|
| - Refactor cache modules, and switch to the provider API instead
|
|
|
|
|
| of hooks.
|
|
|
|
|
| mod_disk_cache:
|
|
|
|
|
| - Implement binary format for on-disk header files.
|
|
|
|
|
| - Optimize network performance of disk cache subsystem by allowing
|
|
|
|
|
| zero-copy (sendfile) writes and other miscellaneous fixes.
|
|
|
|
|
| mod_userdir:
|
|
|
|
|
| - Ensure that the userdir identity is used for suexec userdir
|
|
|
|
|
| access in a virtual host which has suexec configured. PR 18156.
|
|
|
|
|
| mod_setenvif:
|
|
|
|
|
| - Remove "support" for Remote_User variable which never worked at
|
|
|
|
|
| all. PR 25725.
|
|
|
|
|
| - Extend the SetEnvIf directive to capture subexpressions of the
|
|
|
|
|
| matched value.
|
|
|
|
|
| mod_headers:
|
|
|
|
|
| - Backport from 2.1 / Regression from 1.3: mod_headers now knows
|
|
|
|
|
| again the functionality of the ErrorHeader directive. But
|
|
|
|
|
| instead using this misnomer additional flags to the Header
|
|
|
|
|
| directive were introduced ("always" and "onsuccess", defaulting
|
|
|
|
|
| to the latter). PR 28657.
|
|
|
|
|
| mod_usertrack:
|
|
|
|
|
| - Escape the cookie name before pasting into the regexp.
|
|
|
|
|
| mod_dir:
|
|
|
|
|
| - the trailing-slash behaviour is now configurable using the
|
|
|
|
|
| DirectorySlash directive.
|
|
|
|
|
| util_ldap:
|
|
|
|
|
| - Switched the lock types on the shared memory cache from thread
|
|
|
|
|
| reader/writer locks to global mutexes in order to provide cross
|
|
|
|
|
| process cache protection.
|
|
|
|
|
| - Reworked the cache locking scheme to eliminate duplicate cache
|
|
|
|
|
| entries in the credentials cache due to race conditions.
|
|
|
|
|
| - Enhanced the util_ldap cache-info display to show more detail
|
|
|
|
|
| about the contents and current state of the cache.
|
|
|
|
|
| mod_ldap:
|
|
|
|
|
| - Enable the option to support anonymous shared memory in
|
|
|
|
|
| mod_ldap. This makes the cache work on Linux again.
|
|
|
|
|
| miscellaneous:
|
|
|
|
|
| - Include directives no longer refuse to process symlinks on
|
|
|
|
|
| directories. Instead there's now a maximum nesting level of
|
|
|
|
|
| included directories (128 as distributed). This is configurable
|
|
|
|
|
| at compile time using the -DAP_MAX_INCLUDE_DIR_DEPTH switch. PR
|
|
|
|
|
| 28492, PR 28370.
|
|
|
|
|
| - Prevent CGI script output which includes a Content-Range header
|
|
|
|
|
| from being passed through the byterange filter.
|
|
|
|
|
| - Satisfy directives now can be influenced by a surrounding
|
|
|
|
|
| <Limit> container. PR 14726.
|
|
|
|
|
| - Makefile fix: httpd is linked against LIBS given to the 'make'
|
|
|
|
|
| invocation. PR 7882.
|
|
|
|
|
| - suexec: Pass the SERVER_SIGNATURE envvar through to CGIs.
|
|
|
|
|
| - apachectl: Fix a problem finding envvars if sbindir != bindir.
|
|
|
|
|
| PR 30723.
|
|
|
|
|
| - Use the higher performing 'httpready' Accept Filter on all
|
|
|
|
|
| platforms except FreeBSD < 4.1.1.
|
|
|
|
|
| - Allow proxying of resources that are invoked via DirectoryIndex.
|
|
|
|
|
| PR 14648, 15112, 29961.
|
|
|
|
|
| - Small fix to allow reverse proxying to an ftp server. Previously
|
|
|
|
|
| an attempt to do this would try and connect to 0.0.0.0,
|
|
|
|
|
| regardless of the server specified. PR 24922
|
|
|
|
|
| - Enable special ErrorDocument value 'default' which restores the
|
|
|
|
|
| canned server response for the scope of the directive.
|
|
|
|
|
| - work around MSIE Digest auth bug - if
|
|
|
|
|
| AuthDigestEnableQueryStringHack is set in r->subprocess_env
|
|
|
|
|
| allow mismatched query strings to pass. PR 27758.
|
|
|
|
|
| - Accept URLs for the ServerAdmin directive. If the supplied
|
|
|
|
|
| argument is not recognized as an URL, assume it's a mail
|
|
|
|
|
| address. PR 28174.
|
|
|
|
|
| - initialize server arrays prior to calling
|
|
|
|
|
| ap_setup_prelinked_modules so that static modules can push
|
|
|
|
|
| Defines values when registering hooks just like DSO modules can
|
|
|
|
|
- drop obsolete security fixes
|
|
|
|
|
httpd-2.0.50-CAN-2004-0751-mod_ssl-proxied-request-segfault.dif
|
|
|
|
|
httpd-2.0.50-CAN-2004-0748-mod_ssl-input-filter-infinite-loop.dif
|
|
|
|
|
httpd-2.0.50-CAN-2004-0747-ENVVAR.dif
|
|
|
|
|
httpd-2.0.50-CAN-2004-0786-apr_uri_parse-IPv6-address-validation.dif
|
|
|
|
|
httpd-2.0.50-CAN-2004-0809-mod_dav-crash.dif
|
|
|
|
|
- httpd-2.0.45-anon-mmap.dif included upstream
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 14 12:11:58 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- security fix [CAN-2004-0809 (cve.mitre.org)]: fix possible DoS in
|
|
|
|
|
mod_dav by remotely triggerable null-pointer dereference
|
|
|
|
|
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=31183 [#45231]
|
|
|
|
|
- fix hint about vhost checking in the SSL readme
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Sep 8 14:24:19 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- security fix [CAN-2004-0786 (cve.mitre.org)]: fix a vulnerability
|
|
|
|
|
in the apr-util library (lacking input validation on IPv6 literal
|
|
|
|
|
addresses in the apr_uri_parse function [#44736]
|
|
|
|
|
- security fix [CAN-2004-0747 (cve.mitre.org)]: fix a buffer
|
|
|
|
|
overflow that can occur when expanding ${ENVVAR} constructs in
|
|
|
|
|
.htaccess or httpd.conf files. [#44736]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 6 12:48:21 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- rename check_forensic script to avoid clash with apache 1.3.x
|
|
|
|
|
package
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 27 16:18:41 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- implement action "startssl" in the init script. [#42365]
|
|
|
|
|
- add /usr/bin/check_forensic script to evaluate mod_log_forensic logs.
|
|
|
|
|
- disable building of leader and metuxmpm MPMs.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 25 12:58:20 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- security fix [CAN-2004-0748 (cve.mitre.org)]: fix a potential
|
|
|
|
|
infinite loop in the SSL input filter which can be triggered by
|
|
|
|
|
an aborted connection
|
|
|
|
|
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=29964 [#44103]
|
|
|
|
|
- security fix [CAN-2004-0751 (cve.mitre.org)]: fix a potential
|
|
|
|
|
segfault in the SSL input filter which can be triggered by the
|
|
|
|
|
response to request which is proxied to a remote SSL server
|
|
|
|
|
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=30134 [#44103]
|
|
|
|
|
- remove the obsolete notify message on package update
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jul 8 14:17:13 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.50. Relevant changes:
|
|
|
|
|
| SECURITY: CAN-2004-0493 (cve.mitre.org)
|
|
|
|
|
| Close a denial of service vulnerability identified by Georgi
|
|
|
|
|
| Guninski which could lead to memory exhaustion with certain
|
|
|
|
|
| input data.
|
|
|
|
|
| SECURITY: CAN-2004-0488 (cve.mitre.org)
|
|
|
|
|
| mod_ssl: Fix a buffer overflow in the FakeBasicAuth code for
|
|
|
|
|
| a (trusted) client certificate subject DN which exceeds 6K in
|
|
|
|
|
| length.
|
|
|
|
|
| mod_alias:
|
|
|
|
|
| now emits a warning if it detects overlapping *Alias* directives.
|
|
|
|
|
| mod_cgi: Handle output on stderr during script execution on Unix
|
|
|
|
|
| platforms; preventing deadlock when stderr output fills pipe
|
|
|
|
|
| buffer. Also fixes case where stderr from nph- scripts could be
|
|
|
|
|
| lost. PR 22030, 18348.
|
|
|
|
|
| mod_dav:
|
|
|
|
|
| - Fix a problem that could cause crashes when manipulating locks
|
|
|
|
|
| on some platforms.
|
|
|
|
|
| mod_dav_fs:
|
|
|
|
|
| - Fix MKCOL response for missing parent collections, which caused
|
|
|
|
|
| issues for the Eclipse WebDAV extension. PR 29034.
|
|
|
|
|
| mod_deflate:
|
|
|
|
|
| - Fix memory consumption (which was proportional to the response
|
|
|
|
|
| size). PR 29318.
|
|
|
|
|
| mod_expires:
|
|
|
|
|
| - Fix segfault which occured under certain circumstances. PR 28047.
|
|
|
|
|
| mod_headers:
|
|
|
|
|
| - no longer crashes if an empty header value should be added.
|
|
|
|
|
| mod_log_forensic:
|
|
|
|
|
| - new module.
|
|
|
|
|
| mod_logio:
|
|
|
|
|
| - no longer removes the EOS bucket. PR 27928.
|
|
|
|
|
| mod_proxy:
|
|
|
|
|
| - Fix handling of IPv6 numeric strings.
|
|
|
|
|
| mod_rewrite:
|
|
|
|
|
| no longer turns forward proxy requests into reverse proxy
|
|
|
|
|
| requests. PR 28125
|
|
|
|
|
| mod_ssl:
|
|
|
|
|
| - Log the errors returned on failure to load or initialize a
|
|
|
|
|
| crypto accelerator engine.
|
|
|
|
|
| - Fix a potential segfault in the 'shmcb' session cache for small
|
|
|
|
|
| cache sizes. PR 27751.
|
|
|
|
|
| - Fix memory leak in session cache handling. PR 26562
|
|
|
|
|
| - Fix potential segfaults when performing SSL shutdown from a pool
|
|
|
|
|
| cleanup. PR 27945.
|
|
|
|
|
| mod_auth_ldap/util_ldap:
|
|
|
|
|
| - allow relative paths for LDAPTrustedCA to be resolved against
|
|
|
|
|
| ServerRoot PR#26602
|
|
|
|
|
| - Throw an error message if an attempt is made to use the
|
|
|
|
|
| LDAPTrustedCA or LDAPTrustedCAType directives in a VirtualHost.
|
|
|
|
|
| PR 26390
|
|
|
|
|
| - Fix a potential segfault if the bind password in the LDAP cache
|
|
|
|
|
| is NULL. PR 28250.
|
|
|
|
|
| - Overhaul handling of LDAP error conditions, so that the
|
|
|
|
|
| util_ldap_* functions leave the connections in a sane state
|
|
|
|
|
| after errors have occurred. PR 27748, 17274, 17599, 18661,
|
|
|
|
|
| 21787, 24595, 24683, 27134, 27271
|
|
|
|
|
| - mod_ldap calls ldap_simple_bind_s() to validate the user
|
|
|
|
|
| credentials. If the bind fails, the connection is left in an
|
|
|
|
|
| unbound state. Make sure that the ldap connection record is
|
|
|
|
|
| updated to show that the connection is no longer bound.
|
|
|
|
|
| - Update the bind credentials for the cached LDAP connection to
|
|
|
|
|
| reflect the last bind. This prevents util_ldap from creating
|
|
|
|
|
| unnecessary connections rather than reusing cached connections.
|
|
|
|
|
| - Quotes cannot be used around require group and require dn
|
|
|
|
|
| directives, update the documentation to reflect this. Also add
|
|
|
|
|
| quotes around the dn and group within debug messages, to make it
|
|
|
|
|
| more obvious why authentication is failing if quotes are used in
|
|
|
|
|
| error. PR 19304.
|
|
|
|
|
| miscellaneous:
|
|
|
|
|
| - Allow RequestHeader directives to be conditional. PR 27951.
|
|
|
|
|
| - Allow LimitRequestBody to be reset to unlimited. PR 29106
|
|
|
|
|
| - <VirtualHost myhost> now applies to all IP addresses for myhost
|
|
|
|
|
| instead of just the first one reported by the resolver. This
|
|
|
|
|
| corrects a regression since 1.3.
|
|
|
|
|
| - Fix a bunch of cases where the return code of the regex compiler
|
|
|
|
|
| was not checked properly. This affects: mod_setenvif,
|
|
|
|
|
| mod_usertrack, mod_proxy, mod_proxy_ftp and core. PR 28218.
|
|
|
|
|
| - Remove 2Gb log file size restriction on some 32-bit platforms.
|
|
|
|
|
| PR 13511.
|
|
|
|
|
| - htpasswd no longer refuses to process files that contain empty
|
|
|
|
|
| lines.
|
|
|
|
|
| - Regression from 1.3: At startup, suexec now will be checked for
|
|
|
|
|
| availability, the setuid bit and user root. The works only if
|
|
|
|
|
| httpd is compiled with the shipped APR version (0.9.5). PR
|
|
|
|
|
| 28287.
|
|
|
|
|
| - Unix MPMs: Stop dropping connections when the file descriptor is
|
|
|
|
|
| at least FD_SETSIZE.
|
|
|
|
|
| - Fix a segfault when requests for shared memory fails and returns
|
|
|
|
|
| NULL. Fix a segfault caused by a lack of bounds checking on the
|
|
|
|
|
| cache. PR 24801.
|
|
|
|
|
| - Ensure that lines in the request which are too long are properly
|
|
|
|
|
| terminated before logging.
|
|
|
|
|
| - htpasswd: use apr_temp_dir_get() and general cleanup
|
|
|
|
|
| - logresolve: Allow size of log line buffer to be overridden at
|
|
|
|
|
| build time (MAXLINE). PR 27793.
|
|
|
|
|
| - Fix the comment delimiter in htdbm so that it correctly parses
|
|
|
|
|
| the username comment. Also add a terminate function to allow
|
|
|
|
|
| NetWare to pause the output before the screen is destroyed.
|
|
|
|
|
| - Fix crash when Apache was started with no Listen directives.
|
|
|
|
|
| - core_output_filter: Fix bug that could result in sending garbage
|
|
|
|
|
| over the network when module handlers construct bucket brigades
|
|
|
|
|
| containing multiple file buckets all referencing the same open
|
|
|
|
|
| file descriptor.
|
|
|
|
|
| - Fix memory corruption problem with ap_custom_response()
|
|
|
|
|
| function. The core per-dir config would later point to request
|
|
|
|
|
| pool data that would be reused for different purposes on
|
|
|
|
|
| different requests.
|
|
|
|
|
- drop obsolete patches
|
|
|
|
|
- change vendor string SuSE -> SUSE
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 29 11:35:24 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- security fix [CAN-2004-0493 (cve.mitre.org)]: fix Denial of
|
|
|
|
|
Service vulnaribility which could lead to memory exhaustion with
|
|
|
|
|
certain input data. [#42566]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jun 18 11:39:53 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- package forgotten CHANGES file
|
|
|
|
|
- package apr and apr-util documentation files
|
|
|
|
|
- fix log_server_status2 to use perl's Socket module
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed May 19 13:38:41 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- security fix for mod_ssl: fix buffer overflow in
|
|
|
|
|
ssl_util_uuencode() [#40791]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Apr 28 14:04:34 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add TLS upgrade patch [#39449]
|
|
|
|
|
- add patch to allow writing log files larger than 2>GB [#39453]
|
|
|
|
|
- obsolete apache and mod_ssl versions only when older than what is
|
|
|
|
|
shipped with 9.1
|
|
|
|
|
- don't provide mod_ssl
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Apr 2 15:56:30 CEST 2004 - cschum@suse.de
|
|
|
|
|
|
|
|
|
|
- Add "suse_help_viewer" provides [#37932]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 29 17:57:46 CEST 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- provide and obsolete packages apache, mod_ssl, apache-doc and
|
|
|
|
|
apache-example-pages [#37084]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 22 18:37:27 CET 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- disable large file support by not building with _FILE_OFFSET_BITS=64,
|
|
|
|
|
in favour of retaining a binary compatible module API.
|
|
|
|
|
Therefore, do not change the module magic number. LFS can be
|
|
|
|
|
enabled by building via rpmbuild --define 'build_with_LFS 1'
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Mar 18 20:35:06 CET 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to proposed 2.0.49 tarball
|
|
|
|
|
- mod_cgid: Fix storage corruption caused by use of incorrect pool.
|
|
|
|
|
- docs update
|
|
|
|
|
- remove APACHE_DOCUMENT_ROOT from sysconfig.apache2 [#32635]
|
|
|
|
|
- fix a comment in default-server.conf
|
|
|
|
|
- remove obsolete ssl_scache_cleanup support script and ftok helper
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 16 00:41:07 CET 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- change mmn in header file as well, for modules that include it
|
|
|
|
|
from there
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 15 17:36:07 CET 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.49-rc2. Relevant changes:
|
|
|
|
|
| The whole codebase was relicensed and is now available under the
|
|
|
|
|
| Apache License, Version 2.0 (http://www.apache.org/licenses).
|
|
|
|
|
| [Apache Software Foundation]
|
|
|
|
|
| Security [CAN-2004-0113 (cve.mitre.org)]: mod_ssl: Fix a memory
|
|
|
|
|
| leak in plain-HTTP-on-SSL-port handling. PR 27106.
|
|
|
|
|
| Security [CAN-2003-0020 (cve.mitre.org)]: Escape arbitrary data
|
|
|
|
|
| before writing into the errorlog. Unescaped errorlogs are still
|
|
|
|
|
| possible using the compile time switch
|
|
|
|
|
| "-DAP_UNSAFE_ERROR_LOG_UNESCAPED".
|
|
|
|
|
| mod_ssl:
|
|
|
|
|
| - Send the Close Alert message to the peer before closing the
|
|
|
|
|
| SSL session. PR 27428.
|
|
|
|
|
| - Fix bug in passphrase handling which could cause spurious
|
|
|
|
|
| failures in SSL functions later. PR 21160.
|
|
|
|
|
| - Fix potential segfault on lookup of SSL_SESSION_ID. PR 15057.
|
|
|
|
|
| - Fix streaming output from an nph- CGI script. PR 21944
|
|
|
|
|
| - Advertise SSL library version as determined at run-time rather
|
|
|
|
|
| than at compile-time. PR 23956.
|
|
|
|
|
| - Fix segfault on a non-SSL request if the 'c' log format code
|
|
|
|
|
| is used. PR 22741.
|
|
|
|
|
| - Fix segfaults at startup if other modules which use OpenSSL
|
|
|
|
|
| are also loaded.
|
|
|
|
|
| - Use human-readable OpenSSL error strings in logs; use
|
|
|
|
|
| thread-safe interface for retrieving error strings.
|
|
|
|
|
| mod_cache:
|
|
|
|
|
| - Fixed cache-removal order in mod_mem_cache.
|
|
|
|
|
| - Fix segfault in mod_mem_cache cache_insert() due to cache size
|
|
|
|
|
| becoming negative. PR: 21285, 21287
|
|
|
|
|
| - Modified the cache code to be header-location agnostic. Also
|
|
|
|
|
| fixed a number of other cache code bugs related to PR 15852.
|
|
|
|
|
| Includes a patch submitted by Sushma Rai <rsushma novell.com>.
|
|
|
|
|
| This fixes mod_mem_cache but not mod_disk_cache yet so I'm not
|
|
|
|
|
| closing the PR since that is what they are using.
|
|
|
|
|
| mod_dav:
|
|
|
|
|
| - Reject requests which include an unescaped fragment in the
|
|
|
|
|
| Request-URI. PR 21779.
|
|
|
|
|
| - Use bucket brigades when reading PUT data. This avoids
|
|
|
|
|
| problems if the data stream is modified by an input filter. PR
|
|
|
|
|
| 22104.
|
|
|
|
|
| - Return a WWW-auth header for MOVE/COPY requests where the
|
|
|
|
|
| destination resource gives a 401. PR 15571.
|
|
|
|
|
| - Fix a problem with namespace mappings being dropped in
|
|
|
|
|
| mod_dav_fs; if any property values were set which defined
|
|
|
|
|
| namespaces these came out mangled in the PROPFIND response.
|
|
|
|
|
| PR 11637.
|
|
|
|
|
| mod_expires:
|
|
|
|
|
| - Initialize ExpiresDefault to NULL instead of "" to avoid
|
|
|
|
|
| reporting an Internal Server error if it is used without
|
|
|
|
|
| having been set in the httpd.conf file. PR: 23748, 24459
|
|
|
|
|
| - Add support for IMT minor-type wildcards (e.g., text/*) to
|
|
|
|
|
| ExpiresByType. PR#7991
|
|
|
|
|
| mod_log_config / logging:
|
|
|
|
|
| - Fix some piped log problems: bogus "piped log program '(null)'
|
|
|
|
|
| failed" messages during restart and problem with the logger
|
|
|
|
|
| respawning again after Apache is stopped. PR 21648, PR 24805.
|
|
|
|
|
| - mod_log_config: Fix corruption of buffered logs with threaded
|
|
|
|
|
| MPMs. PR 25520.
|
|
|
|
|
| - mod_log_config: Log the minutes component of the timezone correctly.
|
|
|
|
|
| PR 23642.
|
|
|
|
|
| mod_proxy*:
|
|
|
|
|
| - proxy_http fix: mod_proxy hangs when both KeepAlive and
|
|
|
|
|
| ProxyErrorOverride are enabled, and a non-200 response without a
|
|
|
|
|
| body is generated by the backend server. (e.g.: a client makes a
|
|
|
|
|
| request containing the "If-Modified-Since" and "If-None-Match"
|
|
|
|
|
| headers, to which the backend server respond with status 304.)
|
|
|
|
|
| - Fix memory leak in handling of request bodies during reverse
|
|
|
|
|
| proxy operations. PR 24991.
|
|
|
|
|
| - mod_proxy: Fix cases where an invalid status-line could be sent
|
|
|
|
|
| to the client. PR 23998.
|
|
|
|
|
| mod_rewrite:
|
|
|
|
|
| - Catch an edge case, where strange subsequent RewriteRules
|
|
|
|
|
| could lead to a 400 (Bad Request) response.
|
|
|
|
|
| - Make REMOTE_PORT variable available in mod_rewrite. PR 25772.
|
|
|
|
|
| - In external rewrite maps lookup keys containing
|
|
|
|
|
| a newline now cause a lookup failure. PR 14453.
|
|
|
|
|
| - Fix RewriteBase directive to not add double slashes.
|
|
|
|
|
| mod_usertrack:
|
|
|
|
|
| - Fix bug in mod_usertrack when no CookieName is set.
|
|
|
|
|
| - mod_usertrack no longer inspects the Cookie2 header for
|
|
|
|
|
| the cookie name. PR 11475.
|
|
|
|
|
| - mod_usertrack no longer overwrites other cookies.
|
|
|
|
|
| PR 26002.
|
|
|
|
|
| mod_include, filters:
|
|
|
|
|
| - Backport major overhaul of mod_include's filter parser from 2.1.
|
|
|
|
|
| The new parser code is expected to be more robust and should
|
|
|
|
|
| catch all of the edge cases that were not handled by the previous one.
|
|
|
|
|
| The 2.1 external API changes were hidden by a wrapper which is
|
|
|
|
|
| expected to keep the API backwards compatible.
|
|
|
|
|
| - Add a hook (insert_error_filter) to allow filters to re-insert
|
|
|
|
|
| themselves during processing of error responses. Enable mod_expires
|
|
|
|
|
| to use the new hook to include Expires headers in valid error
|
|
|
|
|
| responses. This addresses an RFC violation. It fixes PRs 19794,
|
|
|
|
|
| 24884, and 25123.
|
|
|
|
|
| - complain via error_log when mod_include's INCLUDES filter is
|
|
|
|
|
| enabled, but the relevant Options flag allowing the filter to run
|
|
|
|
|
| for the specific resource wasn't set, so that the filter won't
|
|
|
|
|
| silently get skipped. next remove itself, so the warning will be
|
|
|
|
|
| logged only once
|
|
|
|
|
| - Fix mod_include's expression parser to recognize strings correctly
|
|
|
|
|
| even if they start with an escaped token.
|
|
|
|
|
| - Fix a problem with the display of empty variables ("SetEnv foo") in
|
|
|
|
|
| mod_include. PR 24734
|
|
|
|
|
| - mod_include no longer allows an ETag header on 304 responses.
|
|
|
|
|
| PR 19355.
|
|
|
|
|
| mod_autoindex:
|
|
|
|
|
| - Don't omit the <tr> start tag if the SuppressIcon option is
|
|
|
|
|
| set. PR 21668.
|
|
|
|
|
| - Restore the ability to add a description for directories that
|
|
|
|
|
| don't contain an index file. (Broken in 2.0.48)
|
|
|
|
|
| - mod_autoindex / core: Don't fail to show filenames containing
|
|
|
|
|
| special characters like '%'. PR 13598.
|
|
|
|
|
| - Add 'XHTML' option in order to allow switching between HTML
|
|
|
|
|
| 3.2 and XHTML 1.0 output. PR 23747.
|
|
|
|
|
| mod_status:
|
|
|
|
|
| - Add mod_status hook to allow modules to add to the mod_status
|
|
|
|
|
| report.
|
|
|
|
|
| - Report total CPU time accurately when using a threaded MPM.
|
|
|
|
|
| PR 23795.
|
|
|
|
|
| mod_info:
|
|
|
|
|
| - Fix mod_info to use the real config file name, not the default
|
|
|
|
|
| config file name.
|
|
|
|
|
| - HTML escape configuration information so it displays
|
|
|
|
|
| correctly. PR 24232.
|
|
|
|
|
| mod_auth_digest:
|
|
|
|
|
| - Allow mod_auth_digest to work with sub-requests with different
|
|
|
|
|
| methods than the original request. PR 25040.
|
|
|
|
|
| mod_auth_ldap:
|
|
|
|
|
| - Fix some segfaults in the cache logic. PR 18756.
|
|
|
|
|
| mod_cgid:
|
|
|
|
|
| - Restart the cgid daemon if it crashes. PR 19849
|
|
|
|
|
| mod_setenvif:
|
|
|
|
|
| - Fix the regex optimizer, which under circumstances
|
|
|
|
|
| treated the supplied regex as literal string. PR 24219.
|
|
|
|
|
| miscellaneous:
|
|
|
|
|
| - core.c: If large file support is enabled, allow any file that is
|
|
|
|
|
| greater than AP_MAX_SENDFILE to be split into multiple buckets.
|
|
|
|
|
| This allows Apache to send files that are greater than 2gig.
|
|
|
|
|
| Otherwise we run into 32/64 bit type mismatches in the file size.
|
|
|
|
|
| - Fixed file extensions for real media files and removed rpm extension
|
|
|
|
|
| from mime.types. PR 26079.
|
|
|
|
|
| - Remove compile-time length limit on request strings. Length is
|
|
|
|
|
| now enforced solely with the LimitRequestLine config directive.
|
|
|
|
|
| - Set the scoreboard state to indicate logging prior to running
|
|
|
|
|
| logging hooks so that server-status will show 'L' for hung loggers
|
|
|
|
|
| instead of 'W'.
|
|
|
|
|
| - Fix the inability to log errors like exec failure in
|
|
|
|
|
| mod_ext_filter/mod_cgi script children. This was broken after
|
|
|
|
|
| such children stopped inheriting the error log handle.
|
|
|
|
|
| - fix "Expected </Foo>> but saw </Foo>" errors in nested,
|
|
|
|
|
| argumentless containers.
|
|
|
|
|
| - ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm
|
|
|
|
|
| instead of mmn.
|
|
|
|
|
| - Add Polish translation of error messages. PR 25101.
|
|
|
|
|
| - Add AP_MPMQ_MPM_STATE function code for ap_mpm_query.
|
|
|
|
|
| - Fix htdbm to generate comment fields in DBM files correctly.
|
|
|
|
|
| - Correct UseCanonicalName Off to properly check incoming port number.
|
|
|
|
|
| - Fix slow graceful restarts with prefork MPM.
|
|
|
|
|
| - Keep focus of ITERATE and ITERATE2 on the current module when
|
|
|
|
|
| the module chooses to return DECLINE_CMD for the directive.
|
|
|
|
|
| PR 22299.
|
|
|
|
|
| - Build array of allowed methods with proper dimensions, fixing
|
|
|
|
|
| possible memory corruption.
|
|
|
|
|
| - worker MPM: fix stack overlay bug that could cause the parent
|
|
|
|
|
| process to crash.
|
|
|
|
|
| - Add XHTML Document Type Definitions to httpd.h (minor MMN bump).
|
|
|
|
|
| - Fix build with parallel make. PR 24643.
|
|
|
|
|
| - Add fatal exception hook for use by diagnostic modules. The hook
|
|
|
|
|
| is only available if the --enable-exception-hook configure parm
|
|
|
|
|
| is used and the EnableExceptionHook directive has been set to
|
|
|
|
|
| "on".
|
|
|
|
|
| - Improve 'configure --help' output for some modules.
|
|
|
|
|
- drop two hunks from httpd-2.0.47-headtail.dif (buildcheck.sh is
|
|
|
|
|
fixed)
|
|
|
|
|
- disable automatic restarts, because they do not work properly
|
|
|
|
|
[#35408]
|
|
|
|
|
- change MMN to prevent loading of incompatible modules (modules
|
|
|
|
|
that are not built with `apxs -q CFLAGS` and therefore miss
|
|
|
|
|
_FILE_OFFSET_BITS=64). Provide our old apache_mmn_20020903 in
|
|
|
|
|
addition.
|
|
|
|
|
- use CPPFLAGS for passing preprocessor flags because they are
|
|
|
|
|
removed from CFLAGS
|
|
|
|
|
- Stop dropping connections when the file descriptor
|
|
|
|
|
is at least FD_SETSIZE. This isn't a problem on Linux because
|
|
|
|
|
poll() is used instead of select() by APR. Assert HAVE_POLL.
|
|
|
|
|
[#34178]
|
|
|
|
|
- add modifications to the code to the NOTICE file as required by
|
|
|
|
|
the new license
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Feb 27 17:42:24 CET 2004 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- compile with -DSSL_EXPERIMENTAL_ENGINE to allow usage of hardware
|
|
|
|
|
crypto accelerators
|
|
|
|
|
- compile with -DMAX_SERVER_LIMIT=200000
|
|
|
|
|
- if an SSL passphrase is not entered within the timeout, fall back
|
|
|
|
|
to start apache without SSL (with -D NOSSL). This could/should be
|
|
|
|
|
made configurable.
|
|
|
|
|
- clean up output of SuSEconfig.apache2
|
|
|
|
|
- add pre-defined LogFormat "vhost_combined"
|
|
|
|
|
- configure /var/lib/apache2 for WebDAV locks
|
|
|
|
|
- add a readme about configuring WebDAV with digest authentication
|
|
|
|
|
- add default configuration for mod_usertrack (this is the current
|
|
|
|
|
workaround for the problem in the 1.3.29/2.0.48 release that
|
|
|
|
|
occurs if no CookieName is configured)
|
|
|
|
|
- in vhost.template, enclose all virtual host configuration in the
|
|
|
|
|
VirtualHost container
|
|
|
|
|
- update metuxmpm patch to r7
|
|
|
|
|
- fix test run as non-root
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 13 16:38:05 CET 2004 - schwab@suse.de
|
|
|
|
|
|
|
|
|
|
- Fix quoting in autoconf macros.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Dec 13 17:28:48 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add changes to gensslcert from Volker Kuhlmann [#31803]
|
|
|
|
|
- revert default character set from UTF-8 to ISO-8859-1, and revert
|
|
|
|
|
the misleading comment that talked about filenames while it is
|
|
|
|
|
all about content of the files
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Nov 18 14:14:39 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add a ServerLimit directive to server-tuning.conf, so it's
|
|
|
|
|
already in the right place if someone needs to tweak it [#32852]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 7 13:00:07 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- mark apache2-manual.conf in %files doc as %config
|
|
|
|
|
- wrap directives specific to the mod_negotiation module into an
|
|
|
|
|
<IfModule> block [#32848]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 30 11:41:19 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.48. Relevant / user visible changes are:
|
|
|
|
|
Security [CAN-2003-0789]: Resolve some mishandling of the AF_UNIX
|
|
|
|
|
socket used to communicate with the cgid daemon and the CGI
|
|
|
|
|
script.
|
|
|
|
|
Security [CAN-2003-0542]: Fix buffer overflows in mod_alias and
|
|
|
|
|
mod_rewrite which occurred if one configured a regular
|
|
|
|
|
expression with more than 9 captures.
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Don't die silently when failing to open RewriteLogs. PR 23416
|
|
|
|
|
- Fix support of the [P] option to send rewritten request using
|
|
|
|
|
"proxy:". The code was adding multiple "proxy:" fields in the
|
|
|
|
|
rewritten URI. PR: 13946.
|
|
|
|
|
- Ignore RewriteRules in .htaccess files if the directory
|
|
|
|
|
containing the .htaccess file is requested without a trailing
|
|
|
|
|
slash. PR 20195.
|
|
|
|
|
mod_include:
|
|
|
|
|
- Fix a trio of bugs that would cause various unusual sequences
|
|
|
|
|
of parsed bytes to omit portions of the output stream. PR 21095
|
|
|
|
|
- fix segfault which occured if the filename was not set, for
|
|
|
|
|
example, when processing some error conditions.
|
|
|
|
|
mod_cgid: fix a hash table corruption problem which could
|
|
|
|
|
result in the wrong script being cleaned up at the end of a
|
|
|
|
|
request.
|
|
|
|
|
mod_ssl: Fix segfaults after renegotiation failure. PR 21370
|
|
|
|
|
- Fix a problem setting variables that represent the client
|
|
|
|
|
certificate chain. PR 21371
|
|
|
|
|
- Fix FakeBasicAuth for subrequest. Log an error when an
|
|
|
|
|
identity spoof is encountered.
|
|
|
|
|
- Assure that we block properly when reading input bodies with
|
|
|
|
|
SSL. PR 19242.
|
|
|
|
|
mod_autoindex: If a directory contains a file listed in the
|
|
|
|
|
DirectoryIndex directive, the folder icon is no longer replaced
|
|
|
|
|
by the icon of that file. PR 9587.
|
|
|
|
|
mod_usertrack: do not get false positive matches on the
|
|
|
|
|
user-tracking cookie's name. PR 16661.
|
|
|
|
|
mod_cache:
|
|
|
|
|
- Fix the cache code so that responses can be cached if they
|
|
|
|
|
have an Expires header but no Etag or Last-Modified headers.
|
|
|
|
|
PR 23130. cache_util: Fix ap_check_cache_freshness to check
|
|
|
|
|
max_age, smax_age, and expires as directed in RFC 2616.
|
|
|
|
|
mod_deflate:
|
|
|
|
|
- fix to not call deflate() without checking first whether it
|
|
|
|
|
has something to deflate. (Currently this causes deflate to
|
|
|
|
|
generate a fatal error according to the zlib spec.) PR 22259.
|
|
|
|
|
- Don't attempt to hold all of the response until we're done.
|
|
|
|
|
- Fix a bug, where mod_deflate sometimes unconditionally
|
|
|
|
|
compressed the content if the Accept-Encoding header
|
|
|
|
|
contained only other tokens than "gzip" (such as "deflate").
|
|
|
|
|
PR 21523.
|
|
|
|
|
mod_proxy: Don't respect the Server header field as set by
|
|
|
|
|
modules and CGIs. As with 1.3, for proxy requests any such
|
|
|
|
|
field is from the origin server; otherwise it will have our
|
|
|
|
|
server info as controlled by the ServerTokens directive.
|
|
|
|
|
mod_log_config: Fix %b log format to write really "-" when 0
|
|
|
|
|
bytes were sent (e.g. with 304 or 204 response codes).
|
|
|
|
|
mod_ext_filter: Set additional environment variables for use by
|
|
|
|
|
the external filter. PR 20944.
|
|
|
|
|
core:
|
|
|
|
|
- allow <Foo>..</Foo> containers (no arguments in the opening
|
|
|
|
|
tag), as in 1.3. Needed by mod_perl <Perl> sections
|
|
|
|
|
- Fix a misleading message from the some of the threaded MPMs
|
|
|
|
|
when MaxClients has to be lowered due to the setting of
|
|
|
|
|
ServerLimit.
|
|
|
|
|
- Avoid an infinite recursion, which occured if the name of an
|
|
|
|
|
included config file or directory contained a wildcard
|
|
|
|
|
character. PR 22194.
|
|
|
|
|
- MPMs: The bucket brigades subsystem now honors the MaxMemFree
|
|
|
|
|
setting.
|
|
|
|
|
- Lower the severity of the "listener thread didn't exit"
|
|
|
|
|
message to debug, as it is of interest only to developers.
|
|
|
|
|
miscellaneous:
|
|
|
|
|
- Update the header token parsing code to allow LWS between the
|
|
|
|
|
token word and the ':' seperator. [PR 16520]
|
|
|
|
|
- Remember an authenticated user during internal redirects if
|
|
|
|
|
the redirection target is not access protected and pass it to
|
|
|
|
|
scripts using the REDIRECT_REMOTE_USER environment variable.
|
|
|
|
|
PR 10678, 11602.
|
|
|
|
|
- Update mime.types to include latest IANA and W3C types.
|
|
|
|
|
- Modify ap_get_client_block() to note if it has seen EOS.
|
|
|
|
|
ab:
|
|
|
|
|
- Overlong credentials given via command line no longer clobber
|
|
|
|
|
the buffer.
|
|
|
|
|
- Work over non-loopback on Unix again. PR 21495.
|
|
|
|
|
- Fix NULL-pointer issue in ab when parsing an incomplete or
|
|
|
|
|
non-HTTP response. PR 21085.
|
|
|
|
|
- add another example to apache2-listen.conf
|
|
|
|
|
- update apache2-mod_mime-defaults.conf according to 2.0.48 changes
|
|
|
|
|
(be clearer in describing the connection between AddType and
|
|
|
|
|
AddEncoding for defining the meaning of compressed file
|
|
|
|
|
extensions.)
|
|
|
|
|
- use a better example domain name in apache2-vhost-ssl.template
|
|
|
|
|
- the "define version_perl" was nowhere needed
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 22 17:49:40 CEST 2003 - mls@suse.de
|
|
|
|
|
|
|
|
|
|
- don't provide httpddoc in apache2-doc
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Sep 18 18:48:33 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add mod_php4 to the default list of APACHE_MODULES, and change
|
|
|
|
|
get_module_list to ignore non-existant modules (warnings will
|
|
|
|
|
be issued when it is run from SuSEconfig, but not from the init
|
|
|
|
|
script). How to enable the PHP4 module has been the most
|
|
|
|
|
frequently asked questions in user feedback [cf to #29735].
|
|
|
|
|
This bug is tracked in [#31306]
|
|
|
|
|
- include conf.d/*.conf by default, as it was the case until
|
|
|
|
|
recently. User feedback showed that for many people the
|
|
|
|
|
separation of configuration includes into individual virtual
|
|
|
|
|
hosts is overkill, and it complicates the setup too much. More
|
|
|
|
|
finegrained control can be achieved by commenting out the
|
|
|
|
|
respective line in the default server config. [#30866], [#29735]
|
|
|
|
|
- remove the FIXME at the end of httpd.conf (obsoleted by the above
|
|
|
|
|
change), and place a strategical comment there about .local files
|
|
|
|
|
- add <IfDefine SSL> container around configuration in ssl template
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Sep 9 12:50:47 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- change comment in sysconfig template to work around a fillup bug
|
|
|
|
|
[#30279]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 8 18:28:12 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix wrong variable name in a comment of the sysconfig template
|
|
|
|
|
- update README.QUICKSTART
|
|
|
|
|
- add README.QUICKSTART.SSL
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 8 10:09:53 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- remove unused ENABLE_SUSECONFIG_APACHE from sysconfig template
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Sep 5 16:44:07 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- disallow UserDir for user root
|
|
|
|
|
- cope with "no" or "yes" as values for APACHE_SERVERSIGNATURE, as
|
|
|
|
|
they were set on SuSE Linux 8.1
|
|
|
|
|
- add more documentation to README.QUICKSTART, also mentioning what
|
|
|
|
|
might be too obvious: the document root [#29674]
|
|
|
|
|
- in %post, diff to httpd.conf.default only when .rpmnew is present
|
|
|
|
|
- improve message sent on update
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 29 23:22:31 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- improve documentation on configuration
|
|
|
|
|
- compile with -Wall
|
|
|
|
|
- do not obsolete httpddoc, which is provided by apache-doc package
|
|
|
|
|
from apache1
|
|
|
|
|
- add conflict apache2-example-pages <-> apache-example-pages
|
|
|
|
|
- fix building on older distros
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Aug 19 02:19:18 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- use httpd-2.0.47-metuxmpm-r6.diff, previous one was broken by me
|
|
|
|
|
- don't force setting of a DocumentRoot, because the configuration
|
|
|
|
|
of the default vhost already contains it
|
|
|
|
|
- when testing on SL 8.0, the www group has to be created as well
|
|
|
|
|
- when testing on even older systems, don't add buildroot to
|
|
|
|
|
DocumentRoot in default-server.conf
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 15 21:40:46 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- revamped configuration
|
|
|
|
|
- add some CustomLog formats
|
|
|
|
|
- AddDefaultCharset UTF-8 [#22427]
|
|
|
|
|
- add activation metadata to sysconfig template [#28834]
|
|
|
|
|
- default APACHE_MODULES: add mod_ssl, remove mod_status
|
|
|
|
|
- new sysconfig variables: APACHE_USE_CANONICAL_NAME,
|
|
|
|
|
APACHE_DOCUMENT_ROOT
|
|
|
|
|
- get rid of the "suse_" prefix in generated config snippets, and
|
|
|
|
|
place them below /etc/apache2/sysconfig.d/. On update, convert
|
|
|
|
|
the Include statements in httpd.conf for the new locations
|
|
|
|
|
- add /etc/apache2/vhosts.d and virtual host templates
|
|
|
|
|
- the configuration for the manual is now seperate and installed
|
|
|
|
|
together with apache2-doc (conf.d/apache2-manual.conf)
|
|
|
|
|
- add distilled wisdom in form of README.QUICKSTART
|
|
|
|
|
- change group of wwwrun user: nogroup -> www [#21782]
|
|
|
|
|
- proxycachedir and localstatedir should not be world readable
|
|
|
|
|
- set DEFAULT_PIDLOG to /var/run/httpd2.pid, so we don't need to
|
|
|
|
|
configure the PidFile directive
|
|
|
|
|
- add -fno-strict-aliasing, due to warnings about code where
|
|
|
|
|
dereferencing type-punned pointers will break strict aliasing
|
|
|
|
|
- clean the RPM_BUILD_ROOT, but not in the build system
|
|
|
|
|
- new macros for stop/restart of services on rpm update/removal,
|
|
|
|
|
and improved try-restart section in rc.apache2
|
|
|
|
|
- get rid of "modules" subdir, and remove dead code from
|
|
|
|
|
SuSEconfig.apache2
|
|
|
|
|
- add some tools: get_includes, find_httpd2_includes,
|
|
|
|
|
apache2-reconfigure-mpm
|
|
|
|
|
- rename README.SuSE to README.{SuSE,UnitedLinux}
|
|
|
|
|
- include directories in filelists of MPM subpackages
|
|
|
|
|
- enclose package descriptions of MPMs in %ifdef
|
|
|
|
|
- add a dependency of the MPM subpackages on the version of the
|
|
|
|
|
main package
|
|
|
|
|
- build a new MPM: metuxmpm (httpd-2.0.47-metuxmpm.diff)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 28 18:23:28 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add new sysconfig variables: APACHE_LOGLEVEL, APACHE_ACCESS_LOG,
|
|
|
|
|
and remove the respective directives from httpd.conf.dist
|
|
|
|
|
- merge the ssl.conf.dif and httpd.conf.dif into one patch
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Jul 27 12:22:29 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- build with -D_FILE_OFFSET_BITS=64 when presumably the kernel
|
|
|
|
|
supports sendfile64 [#22191, #22018]. Define APR_HAS_LARGE_FILES
|
|
|
|
|
(which is unconditionally off, otherwise). Keep
|
|
|
|
|
-D_LARGEFILE_SOURCE since some modules might need it.
|
|
|
|
|
- make sure the package can be built as ordinary user
|
|
|
|
|
- special case mod_auth_mysql since its module_id is reversed
|
|
|
|
|
- don't increase DYNAMIC_MODULE_LIMIT (64 should be copious)
|
|
|
|
|
- don't explicitely strip binaries since RPM handles it, and may
|
|
|
|
|
keep the stripped information somewhere
|
|
|
|
|
- reformat the header of the spec file
|
|
|
|
|
- allow to pass a number-of-jobs parameter into spec file via rpm
|
|
|
|
|
--define 'jobs N'
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jul 10 16:49:50 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.47. relevant / user visible changes:
|
|
|
|
|
Security [CAN-2003-0192]: Fixed a bug whereby certain sequences
|
|
|
|
|
of per-directory renegotiations and the SSLCipherSuite
|
|
|
|
|
directive being used to upgrade from a weak ciphersuite to a
|
|
|
|
|
strong one could result in the weak ciphersuite being used in
|
|
|
|
|
place of the strong one.
|
|
|
|
|
Security [CAN-2003-0253]: Fixed a bug in prefork MPM causing
|
|
|
|
|
temporary denial of service when accept() on a rarely accessed
|
|
|
|
|
port returns certain errors.
|
|
|
|
|
Security [CAN-2003-0254]: Fixed a bug in ftp proxy causing denial
|
|
|
|
|
of service when target host is IPv6 but proxy server can't
|
|
|
|
|
create IPv6 socket. Fixed by the reporter.
|
|
|
|
|
Security [VU#379828]: Prevent the server from crashing when entering
|
|
|
|
|
infinite loops. The new LimitInternalRecursion directive
|
|
|
|
|
configures limits of subsequent internal redirects and nested
|
|
|
|
|
subrequests, after which the request will be aborted. PR 19753+
|
|
|
|
|
core:
|
|
|
|
|
core_output_filter: don't split the brigade after a FLUSH
|
|
|
|
|
bucket if it's the last bucket. This prevents creating
|
|
|
|
|
unneccessary empty brigades which may not be destroyed until
|
|
|
|
|
the end of a keepalive connection.
|
|
|
|
|
mod_cgid:
|
|
|
|
|
Eliminate a double-close of a socket. This resolves various
|
|
|
|
|
operational problems in a threaded MPM, since on the second
|
|
|
|
|
attempt to close the socket, the same descriptor was often
|
|
|
|
|
already in use by another thread for another purpose.
|
|
|
|
|
mod_negotiation:
|
|
|
|
|
Introduce "prefer-language" environment variable, which allows
|
|
|
|
|
to influence the negotiation process on request basis to prefer
|
|
|
|
|
a certain language.
|
|
|
|
|
mod_expire:
|
|
|
|
|
Make ExpiresByType directive work properly, including for
|
|
|
|
|
dynamically-generated documents.
|
|
|
|
|
- apr bugfixes
|
|
|
|
|
- more fixes of deprecated head/tail -1 calls
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed May 28 20:40:24 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.46. relevant / user visible changes:
|
|
|
|
|
Security [CAN-2003-0245]: Fixed a bug that could be triggered
|
|
|
|
|
remotely through mod_dav
|
|
|
|
|
Security [CAN-2003-0189]: Fixed a denial-of-service
|
|
|
|
|
vulnerability affecting basic authentication
|
|
|
|
|
Security: forward port of buffer overflow fixes for htdigest.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- SSL session caching(shmht) : Fix a SEGV problem with SHMHT
|
|
|
|
|
session caching.
|
|
|
|
|
mod_deflate:
|
|
|
|
|
- Add another check for already compressed content
|
|
|
|
|
- Check also err_headers_out for an already set
|
|
|
|
|
Content-Encoding: gzip header. This prevents gzip compressed
|
|
|
|
|
content from a CGI script from being compressed once more.
|
|
|
|
|
mod_mime_magic:
|
|
|
|
|
- If mod_mime_magic does not know the content-type, do not
|
|
|
|
|
attempt to guess.
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Fix handling of absolute URIs.
|
|
|
|
|
mod_log_config:
|
|
|
|
|
- Add the ability to log the id of the thread processing the
|
|
|
|
|
request via new %P formats.
|
|
|
|
|
mod_auth_ldap:
|
|
|
|
|
- Use generic whitespace character class when parsing "require"
|
|
|
|
|
directives, instead of literal spaces only.
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- Fixed a segfault when multiple ProxyBlock directives were used.
|
|
|
|
|
- Added AllowEncodedSlashes directive to permit control of
|
|
|
|
|
whether the server will accept encoded slashes ('%2f') in the
|
|
|
|
|
URI path. Default condition is off (the historical behaviour).
|
|
|
|
|
- If Apache is started as root and you code CoreDumpDirectory,
|
|
|
|
|
coredumps are enabled via the prctl() syscall.
|
|
|
|
|
- htpasswd: Check the processed file on validity; add a delete flag.
|
|
|
|
|
- httpd-2.0.45-libtool-1.5.dif is obsolete
|
|
|
|
|
- mark suse_include.conf as %ghost
|
|
|
|
|
- note the rebirth of the httpd and apachectl man pages (thanks to
|
|
|
|
|
RPMv4 :)
|
|
|
|
|
- let the module RPM packages only depend on the _major_ module
|
|
|
|
|
magic number, not on the minor
|
|
|
|
|
- fix some paths in config_vars.mk, which facilitates building of
|
|
|
|
|
certain modules
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed May 14 14:12:56 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- use mmap() via MAP_ANON as shared memory allocation method, to
|
|
|
|
|
prevent restart problems with stale (or in use) files that are
|
|
|
|
|
associated with shared memory
|
|
|
|
|
- package forgotten files, and remove hack in %clean
|
|
|
|
|
- remove files from the build root that are not packaged
|
|
|
|
|
- remove suse_include.conf from filelist
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri May 9 14:47:54 CEST 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.45. relevant / user visible changes:
|
|
|
|
|
Security: Eliminated leaks of several file descriptors to
|
|
|
|
|
child processes, such as CGI scripts. This fix depends on the
|
|
|
|
|
latest APR library release 0.9.2, which is distributed with the
|
|
|
|
|
httpd source tarball for Apache 2.0.45. PR 17206
|
|
|
|
|
Security [CAN-2003-0132]: Close a Denial of Service
|
|
|
|
|
vulnerability identified by David Endler <DEndler@iDefense.com>
|
|
|
|
|
on all platforms.
|
|
|
|
|
General:
|
|
|
|
|
- Fix segfault which occurred when a section in an included
|
|
|
|
|
configuration file was not closed. PR 17093.
|
|
|
|
|
- Fix a nasty segfault in mmap_bucket_setaside() caused by
|
|
|
|
|
passing an incompatible pointer type to mmap_bucket_destroy(void*).
|
|
|
|
|
- prevent filters (such as mod_deflate) from adding garbage to
|
|
|
|
|
the response. PR 14451.
|
|
|
|
|
- Simpler, faster code path for request header scanning
|
|
|
|
|
- Try to log an error if a piped log program fails. Try to
|
|
|
|
|
restart a piped log program in more failure situations.
|
|
|
|
|
- Fix bug where 'Satisfy Any' without an AuthType lost all MIME
|
|
|
|
|
information (and more). Related to PR 9076.
|
|
|
|
|
- Fix If header parsing when a non-mod_dav lock token is passed to it.
|
|
|
|
|
- Fix apxs to insert LoadModule directives only outside of
|
|
|
|
|
sections.
|
|
|
|
|
- apxs: Include any special APR ld flags when linking the DSO.
|
|
|
|
|
suexec: Be more pedantic when cleaning environment. Clean it
|
|
|
|
|
immediately after startup. PR 2790, 10449. Use saner default
|
|
|
|
|
config values for suexec. PR 15713.
|
|
|
|
|
mod_cgi, mod_cgid, mod_ext_filter: Log errors when scripts cannot
|
|
|
|
|
be started on Unix because of such problems as bad permissions,
|
|
|
|
|
bad shebang line, etc. Fix possible segfaults under obscure
|
|
|
|
|
error conditions within the cgid daemon.
|
|
|
|
|
mod_deflate:
|
|
|
|
|
- you can now specify the compression level.
|
|
|
|
|
- Extend the DeflateFilterNote directive to allow accurate
|
|
|
|
|
logging of the filter's in- and outstream.
|
|
|
|
|
- Fix potential memory leaks in mod_deflate on malformed data. PR 16046.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
Allow SSLMutex to select/use the full range of APR locking
|
|
|
|
|
mechanisms available to it. Also, fix the bug that SSLMutex
|
|
|
|
|
uses APR_LOCK_DEFAULT no matter what. PR 8122
|
|
|
|
|
mod_autoindex no longer forgets output format and enabled version
|
|
|
|
|
sort in linked column headers.
|
|
|
|
|
mod_rewrite:
|
|
|
|
|
- Prevent endless loops of internal redirects in mod_rewrite by
|
|
|
|
|
aborting after exceeding a limit of internal redirects. The
|
|
|
|
|
limit defaults to 10 and can be changed using the
|
|
|
|
|
RewriteOptions directive. PR 17462.
|
|
|
|
|
- Allow "RewriteEngine Off" even if no "Options FollowSymlinks"
|
|
|
|
|
(or SymlinksIfOwnermatch) is set. PR 12395.
|
|
|
|
|
mod_ldap:
|
|
|
|
|
- Updated mod_ldap and mod_auth_ldap to support the Novell LDAP
|
|
|
|
|
SDK SSL and standardized the LDAP SSL support across the
|
|
|
|
|
various LDAP SDKs. Isolated the SSL functionality to
|
|
|
|
|
mod_ldap rather than speading it across mod_auth_ldap and
|
|
|
|
|
mod_ldap. Also added LDAPTrustedCA and LDAPTrustedCAType
|
|
|
|
|
directives to mod_ldap to allow for a more common method of
|
|
|
|
|
specifying the SSL certificate.
|
|
|
|
|
- fix fault when caching was disabled, and some memory leaks
|
|
|
|
|
- Fix mod_ldap to open an existing shared memory file should
|
|
|
|
|
one already exist. PR 12757.
|
|
|
|
|
- Added character set support to mod_auth_LDAP to allow it to
|
|
|
|
|
convert extended characters used in the user ID to UTF-8
|
|
|
|
|
before authenticating against the LDAP directory. The new
|
|
|
|
|
directive AuthLDAPCharsetConfig is used to specify the config
|
|
|
|
|
file that contains the character set conversion table.
|
|
|
|
|
mod_ssl:
|
|
|
|
|
- Fixed mod_ssl's SSLCertificateChain initialization to no
|
|
|
|
|
longer skip the first cert of the chain by default. This
|
|
|
|
|
misbehavior was introduced in 2.0.34. PR 14560
|
|
|
|
|
- Fix 64-bit problem in mod_ssl input logic.
|
|
|
|
|
mod_proxy:
|
|
|
|
|
- Hook mod_proxy's fixup before mod_rewrite's fixup, so that by
|
|
|
|
|
mod_rewrite proxied URLs will not be escaped accidentally by
|
|
|
|
|
mod_proxy's fixup. PR 16368
|
|
|
|
|
- Don't remove the Content-Length from responses in mod_proxy PR: 8677
|
|
|
|
|
mod_auth_digest no longer tries to guess AuthDigestDomain, if it's
|
|
|
|
|
not specified. Now it assumes "/" as already documented. PR 16937.
|
|
|
|
|
mod_file_cache: fix segfaults
|
|
|
|
|
- improve the start/restart section of the init script, and add a
|
|
|
|
|
ssl_scache_cleanup script
|
|
|
|
|
- understand a syntax like -DSTATUS, as described in the sysconfig
|
|
|
|
|
file help text (bug noted in #25404]
|
|
|
|
|
- don't package the *.exp files, as they are needed only on AIX
|
|
|
|
|
- fix filelist for usage of %dir for files
|
|
|
|
|
- fix the cosmetical but irritating "Inappropriate ioctl for
|
|
|
|
|
device" error message, when rcapache2 is called from within YaST
|
|
|
|
|
- remove the unused /etc/apache2/modules directory from the package
|
|
|
|
|
- remove the now unused --enable-experimental-libtool
|
|
|
|
|
- fix to build with libtool-1.5
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Apr 9 02:00:20 CEST 2003 - ro@suse.de
|
|
|
|
|
|
|
|
|
|
- fix deprecated head/tail call syntax "-1"
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 17 11:59:36 CET 2003 - kukuk@suse.de
|
|
|
|
|
|
|
|
|
|
- Remove suse_help_viewer from provides [Bug #25436]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Mar 13 12:54:59 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- security fix: do not write the startup log file to a world
|
|
|
|
|
writable directory, reversing the change of Jan 23 (wasn't in any
|
|
|
|
|
released package) [#25239]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 10 17:36:00 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- change permissions of /var/log/apache2 from wwwrun:root mode 770
|
|
|
|
|
to root:root mode 750 [#24951]
|
|
|
|
|
- fix wrong list() in sysconfig.apache2 [#24719], and add a missing
|
|
|
|
|
default value
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Mar 3 17:41:56 CET 2003 - kukuk@suse.de
|
|
|
|
|
|
|
|
|
|
- Remove ghost entry for pid file [Bug #24566]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Feb 27 14:43:01 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- use the official MIME types, which are more complete [#23988]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 24 18:17:02 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- don't include log files into the package, and don't touch them in
|
|
|
|
|
%post; it's not needed
|
|
|
|
|
- fix comment in httpd.conf talking about SuSEconfig
|
|
|
|
|
- adjust some variable types in the sysconfig template
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Feb 18 11:39:18 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- apache2 Makefiles do support DESTDIR now, so let's use that
|
|
|
|
|
instead of the explicit paths (fixes a wrong path in
|
|
|
|
|
config_vars.mk [#23699]). Some files (*.exp, libapr*) are
|
|
|
|
|
automatically installed in the right location now.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Feb 14 16:39:40 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix configuration script to find apache modules on 64 bit archs
|
|
|
|
|
- mark ssl.conf (noreplace)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Feb 10 18:35:15 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add mod_ldap, mod_auth_ldap, but link only them against the LDAP
|
|
|
|
|
libs. Likewise, do not link everything against ssl libs. This way
|
|
|
|
|
we can avoid RPM package (and build) requirements on a lot of
|
|
|
|
|
libs for subversion and other packages that build on apache.
|
|
|
|
|
- move more code from SuSEconfig into rcapache2 (actually into
|
|
|
|
|
support scripts below /usr/share/apache2/, so apache2 can be
|
|
|
|
|
configured without starting it)
|
|
|
|
|
- improve full-server-status once again
|
|
|
|
|
- remove suse_loadmodule.conf from filelist
|
|
|
|
|
- remove obsolete README.modules
|
|
|
|
|
- rename LOADMODULES -> APACHE_MODULES
|
|
|
|
|
- add APACHE_BUFFERED_LOGS
|
|
|
|
|
- update README.SuSE
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jan 28 13:32:04 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- rc.apache2
|
|
|
|
|
- add extreme-configtest (trying to run server as nobody, which
|
|
|
|
|
detects _all_ config errors)
|
|
|
|
|
- evaluate LOADMODULES from sysconfig.apache2 on-the-fly from
|
|
|
|
|
rcapache2 instead of SuSEconfig
|
|
|
|
|
- when restarting, do something useful instead of 'sleep 3': wait
|
|
|
|
|
just as long until the server has terminated all children
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Jan 26 21:27:31 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- build mod_logio, mod_case_filter, mod_case_filter_in
|
|
|
|
|
- rename apr subpackage to libapr0 (the library is called libapr-0
|
|
|
|
|
meanwhile). add compatibility links named (libapr{,util}.so.0)
|
|
|
|
|
- configure SSL session caching with shm circular buffer
|
|
|
|
|
SSLSessionCache shm:/var/lib/httpd/ssl_scache
|
|
|
|
|
SSLSessionCacheTimeout 600
|
|
|
|
|
SSLMutex sem
|
|
|
|
|
- SuSEconfig.apache2: prefer prefork MPM over worker, if guessing
|
|
|
|
|
- strip objects
|
|
|
|
|
- rename gensslcert2 to gensslcert
|
|
|
|
|
- show a list all available modules in /etc/sysconfig/apache2
|
|
|
|
|
- nicer output of apache2ctl
|
|
|
|
|
- reorder Requires
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Jan 23 12:05:59 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.44
|
|
|
|
|
- obsoletes patch httpd-2.0.43-mod_ssl-memory-leak.dif
|
|
|
|
|
- the apachectl and httpd man pages have been dropped upstreams
|
|
|
|
|
- add robots.txt to the example-pages subpackage that blocks spiders
|
|
|
|
|
- disable the perchild MPM
|
|
|
|
|
- disable httpd-2.0.36-64bit.dif
|
|
|
|
|
- rename apachectl2 to apache2ctl
|
|
|
|
|
- write the startup log to /var/tmp instead of /var/log/apache2
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Jan 12 22:52:50 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix last fix (rpm macro before hash wasn't expanded)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 10 02:35:58 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix lib64 path in SuSEconfig
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 3 23:01:14 CET 2003 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix typo in spec file, preventing replacement of @userdir@ in
|
|
|
|
|
httpd.conf-std.in
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Dec 18 15:11:53 CET 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- sysconfig.apache2:
|
|
|
|
|
- add APACHE_SERVER_FLAGS variable
|
|
|
|
|
- change default: APACHE_SERVERSIGNATURE=on to match apache deflt
|
|
|
|
|
- add APACHE_CONF_INCLUDE_DIRS
|
|
|
|
|
- drop bogus APACHE_ACCESS_SERVERINFO variable
|
|
|
|
|
- adapt to our new sysconfig template
|
|
|
|
|
- SuSEconfig.apache2:
|
|
|
|
|
- understand LOADMODULES also if it is not an array [#21816]
|
|
|
|
|
- be very flexible with regard to LOADMODULE input (e.g., say
|
|
|
|
|
mod_php4 and it will find libphp4.so with ID php4_module)
|
|
|
|
|
- also ignore *,v files
|
|
|
|
|
- include APACHE_CONF_INCLUDE_DIRS
|
|
|
|
|
- dump some files: suse_define.conf (not needed) & suse_text.conf
|
|
|
|
|
(too much overhead)
|
|
|
|
|
- rc.apache2:
|
|
|
|
|
- implement most of apachectl's commands (graceful, configtest)
|
|
|
|
|
- use server_flags from sysconfig.apache2
|
|
|
|
|
- pass server flags like -DSTATUS from the command line through
|
|
|
|
|
to httpd2
|
|
|
|
|
- add commmands to show the server status
|
|
|
|
|
- don't quit silently when no apache MPM is installed
|
|
|
|
|
- handle ServerSignature and other stuff on the command line
|
|
|
|
|
(save modifications to httpd.conf)
|
|
|
|
|
- fix the /manual Alias that points to the documentation
|
|
|
|
|
- configure /cgi-bin for cgi execution
|
|
|
|
|
- configure /home/*/public_html for mod_userdir -- if it is loaded
|
|
|
|
|
- configure internationalized error responses
|
|
|
|
|
- fix apachectl2
|
|
|
|
|
- add /etc/apache2/{,modules} to the filelist
|
|
|
|
|
- add /etc/apache2/conf.d as drop-in directory for packages
|
|
|
|
|
- hard code some more default paths into the executable
|
|
|
|
|
- finally, run a test!
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Dec 5 13:55:06 CET 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- move ap{r,u}-config* into the apr package, as well
|
|
|
|
|
- add generic ap{r,u}-config
|
|
|
|
|
- add %includedir to filelist
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Dec 5 00:26:22 CET 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- more checks and warnings to SuSEconfig.apache2
|
|
|
|
|
- shift APR files into the the apr package
|
|
|
|
|
- try 1.136 revision of perchild.c
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Dec 3 16:27:35 CET 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add forgotten ssl.conf to the filelist (thanks, Robert)
|
|
|
|
|
- add httpd-2.0.43-mod_ssl-memory-leak.dif
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 14 19:34:38 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.43, that fixes a Cross-Site Scripting bug (CVE:
|
|
|
|
|
CAN-2002-0840)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Oct 7 09:39:45 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- do not append a '2' suffix to the scripts included with the
|
|
|
|
|
documentation
|
|
|
|
|
- move error, icons and manual dir to /usr/share/apache2
|
|
|
|
|
- fix nested array in SuSEconfig.apache2
|
|
|
|
|
- let SuSEconfig pick one MPM that is installed. Do not default to
|
|
|
|
|
"worker". [#20724]
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 3 14:50:20 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.42 (primarily a bug-fix release, including updates
|
|
|
|
|
to the experimental caching module, the removal of several memory
|
|
|
|
|
leaks, and fixes for several segfaults, one of which could have
|
|
|
|
|
been used as a denial-of-service against mod_dav (VU#406121).)
|
|
|
|
|
- increase flexibility of the spec file: build any set of MPMs,
|
|
|
|
|
depending on RPM %defines. Improve the mechanism that merges the
|
|
|
|
|
modules so it works with any number of MPMs.
|
|
|
|
|
- use a "Server:" header that fits the product apache is built for
|
|
|
|
|
- add an RPM dependency on the module magic number to the MPM
|
|
|
|
|
subpackages
|
|
|
|
|
- build the "leader/follower" MPM. On i686, enable nonportable but
|
|
|
|
|
faster atomics for it.
|
|
|
|
|
- use filelists for more flexibility. APRVARS ceased to exist.
|
|
|
|
|
Don't add README* twice.
|
|
|
|
|
- perchild: use AcceptMutex fcntl to prevent permission conflict as
|
|
|
|
|
suggested in Apache Bugzilla #7921
|
|
|
|
|
- remove mod_rewrite and mod_proxy from the default modules
|
|
|
|
|
- build the mod_auth_digest module
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Sep 9 15:30:34 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- add patch that changes PLATFORM (as seen in the HTTP Server
|
|
|
|
|
header) from "Unix" to "SuSE/Linux" [#18543]
|
|
|
|
|
- add README.SuSE, explaining how to build modules with apxs2
|
|
|
|
|
- fixed some paths in README.modules, put it into docdir and mark
|
|
|
|
|
it as %doc
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 28 16:39:59 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- new package, now building all three MPMs and putting all specific
|
|
|
|
|
modules in specific directories. Branch a subpackage for each
|
|
|
|
|
MPM, containing the server and MPM-specific modules.
|
|
|
|
|
- branch apr package off, so apache2 doesn't need to be installed
|
|
|
|
|
to have the libs. (apr is not released yet, that's why we build
|
|
|
|
|
it here)
|
|
|
|
|
- allow coexistence of apache1 by using directories named apache2
|
|
|
|
|
or suffixed with "2"
|
|
|
|
|
- allow building modules via apxs2 (for all server MPMs) --- or via
|
|
|
|
|
apxs2-{worker,perchild,prefork} for a specific server MPM
|
|
|
|
|
- add permissions.apache2 setting /usr/sbin/suexec2 to 4755
|
|
|
|
|
- rewrite SuSEconfig.apache2 for apache 2.
|
|
|
|
|
- add httpd-2.0.40-cache_util.c.diff that prevents a segfault in
|
|
|
|
|
mod_proxy when given an invalid URL
|
|
|
|
|
- branch apache2-example-pages off (docroot contents)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Aug 19 16:43:37 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- actually use the new SuSE81 layout, and add SuSE81_64 layout
|
|
|
|
|
- cleaned up httpd-2.0.36-conf.dif
|
|
|
|
|
- fixed comment in SuSEconfig.apache
|
|
|
|
|
- drop SuSEconfig subpackage
|
|
|
|
|
- split main package and -devel package in three packages, one for
|
|
|
|
|
each MPM...
|
|
|
|
|
apache2 -> apache2-{worker,perchild,prefork}
|
|
|
|
|
apache2-devel -> apache2-{worker,perchild,prefork}-devel
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Aug 12 17:47:08 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- bugfix update to 2.0.40
|
|
|
|
|
- fix Requires of -devel subpackage
|
|
|
|
|
- add variable to sysconfig.apache to switch off SuSEconfig.apache
|
|
|
|
|
- add new layout SUSE81 to config.layout due to the moved server
|
|
|
|
|
root (so the old SuSE6.1 can be kept for building on older
|
|
|
|
|
distributions)
|
|
|
|
|
- one of the lib64 path fixes could be removed, now included
|
|
|
|
|
upstream
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 7 18:47:33 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- put PreReq in an if-statement to allow building on older distris
|
|
|
|
|
- relax the Requires
|
|
|
|
|
- the apache_mmn macro had to be moved down in the spec file to be
|
|
|
|
|
evaluated
|
|
|
|
|
- libmm is not needed for building (and it is not threadsafe)
|
|
|
|
|
- fix config.layout for the moved server root
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 2 23:44:31 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix libdir in config.layout for lib64
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Aug 2 12:22:33 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- fix RPM Requires
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 1 17:50:53 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- move datadir (i.e., ServerRoot) from /usr/local/httpd to /srv/www
|
|
|
|
|
- drop obsolete README.SuSE
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Aug 1 01:01:32 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- spec file: use PreReq
|
|
|
|
|
- don't delete SuSEconfig's md5 files in %post, that's no good
|
|
|
|
|
- add apache.logrotate
|
|
|
|
|
- provide the magic module number as executable script
|
|
|
|
|
(/usr/lib/apache/MMN) and as RPM Provides, indicating API changes
|
|
|
|
|
- mark httpd.conf noreplace
|
|
|
|
|
- fix installbuilddir in config.layout, needed for apxs
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Jul 14 15:27:24 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.39
|
|
|
|
|
- drop obsolete moduledir and apxs patches
|
|
|
|
|
- rc.apache INIT section: use X-UnitedLinux-Should-Start
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Jul 3 01:53:35 CEST 2002 - ro@suse.de
|
|
|
|
|
|
|
|
|
|
- rename to "apache2" again
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 11 17:02:47 CEST 2002 - ro@suse.de
|
|
|
|
|
|
|
|
|
|
- get apxs to work:
|
|
|
|
|
include needed files in devel package
|
|
|
|
|
adapt some pathes in apxs
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed May 29 18:16:00 CEST 2002 - poeml@suse.de
|
|
|
|
|
|
|
|
|
|
- update to 2.0.36
|
|
|
|
|
- drop mod_ssl subpackage; mod_ssl is part of the apache bsae
|
|
|
|
|
distribution now
|
|
|
|
|
- RPM can be built as user now
|
|
|
|
|
- SuSEconfig.apache: understand relative and absolute pathnames
|
|
|
|
|
- disable experimental auth_digest_module
|