diff --git a/apache2-default-vhost-ssl.conf b/apache2-default-vhost-ssl.conf
index 828d164..214ae8e 100644
--- a/apache2-default-vhost-ssl.conf
+++ b/apache2-default-vhost-ssl.conf
@@ -36,17 +36,17 @@
# Enable/Disable SSL for this virtual host.
SSLEngine on
- # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
- SSLProtocol all -SSLv2 -SSLv3
-
+ # SSL Protocol support:
+ # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
+ # List the protocol versions which clients are allowed to
+ # connect with. Disable SSLv2 by default (cf. RFC 6176).
+ SSLProtocol all -SSLv2
+
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#
- # formerly, this was set to the following:
- # ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
- #
- # We now disable weak ciphers by default.
+ # Weak ciphers are disabled by default.
# Please see the documentation via the links above, and
# "openssl ciphers -v" for a complete list of ciphers that are
# available.
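Review bot: `SSLProtocol all -SSLv2` on the new side re-enables SSLv3, which the removed line `SSLProtocol all -SSLv2 -SSLv3` had already turned off; SSLv3 is obsolete (deprecated by RFC 7568) and lacks the TLS-era protections, so this hunk is a hardening regression rather than a neutral sync with upstream. The same regression appears in apache2-vhost-ssl.template (hunk `@@ -40,14 +40,25 @@`), where the retained comment `# Supporting TLS only is adequate nowadays` now contradicts the directive directly beneath it. Keep `SSLProtocol all -SSLv2 -SSLv3` in both files, and if SSLv3 genuinely must stay on for some legacy client, name that client in the comment instead of the generic `# Allow TLS and SSLv3:`.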
@@ -58,8 +58,21 @@
# For more information, please have a look at
# /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
# package.
- SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
-
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+ # Speed-optimized SSL Cipher configuration:
+ # If speed is your main concern (on busy HTTPS servers e.g.),
+ # you might want to force clients to specific, performance
+ # optimized ciphers. In this case, prepend those ciphers
+ # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+ # Caveat: by giving precedence to RC4-SHA and AES128-SHA
+ # (as in the example below), most connections will no longer
+ # have perfect forward secrecy - if the server's key is
+ # compromised, captures of past or future traffic must be
+ # considered compromised, too.
+ #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+ #SSLHonorCipherOrder on
+
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
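Review bot: The ready-to-uncomment example `#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5` leads with RC4 as the preferred cipher, and the caveat above it only mentions the loss of forward secrecy; RC4 has known keystream biases and is prohibited for TLS by RFC 7465, so the example should not put it first. Suggest an AES-first variant such as `#SSLCipherSuite AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5` and an extra comment line `# Note: RC4 is prohibited for TLS (RFC 7465); do not prefer it.` It is also worth stating that `SSLHonorCipherOrder on` is what makes any server-side ordering effective and is reasonable to enable independently of the speed concern. The identical example is added in apache2-vhost-ssl.template (hunk `@@ -40,14 +40,25 @@`).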
@@ -150,10 +163,6 @@
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
- # o CompatEnvVars:
- # This exports obsolete environment variables for backward compatibility
- # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
- # to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
@@ -161,15 +170,15 @@
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
- #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-
- SSLOptions +StdEnvVars
-
-
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
+ SSLOptions +StdEnvVars
+
+
- SSLOptions +StdEnvVars
+ SSLOptions +StdEnvVars
-
+
AllowOverride None
#Options +Indexes +MultiViews +FollowSymLinks
@@ -218,13 +227,10 @@
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
- # remark: The below configuration snippet is here for illustration purposes.
- # Browser specific deficiencies exist, but generally all of them
- # should handle SSL/TLS encapsulated connections well.
- #SetEnvIf User-Agent ".*MSIE.*" \
- # nokeepalive ssl-unclean-shutdown \
- # downgrade-1.0 force-response-1.0
-
+ BrowserMatch "MSIE [2-5]" \
+ nokeepalive ssl-unclean-shutdown \
+ downgrade-1.0 force-response-1.0
+
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
diff --git a/apache2-server-tuning.conf b/apache2-server-tuning.conf
index c4ba4c8..e7f45d5 100644
--- a/apache2-server-tuning.conf
+++ b/apache2-server-tuning.conf
@@ -90,6 +90,13 @@ MaxKeepAliveRequests 100
#
KeepAliveTimeout 15
+#
+# MaxRanges: Maximum number of Ranges in a request before
+# returning the entire resource, or one of the special
+# values 'default', 'none' or 'unlimited'.
+# Default setting is to accept 200 Ranges.
+#MaxRanges unlimited
+
#
# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
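Review bot: The example `#MaxRanges unlimited` points operators at the one value that removes the byte-range limit entirely, and apache2.changes in this same commit credits that limit to the CVE-2011-3192 byterange fix, so the example quietly invites re-opening that exposure. Show a finite override instead and say what `unlimited` gives up, e.g. `# Raising this above the default, or using 'unlimited', removes the`, `# protection against abusive Range headers (cf. CVE-2011-3192).`, `#MaxRanges 200`.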
diff --git a/apache2-ssl-global.conf b/apache2-ssl-global.conf
index ed88bce..451aef7 100644
--- a/apache2-ssl-global.conf
+++ b/apache2-ssl-global.conf
@@ -46,14 +46,12 @@
#SSLSessionCache dbm:/var/lib/apache2/ssl_scache
#SSLSessionCache shmht:/var/lib/apache2/ssl_scache(512000)
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
- SSLSessionCacheTimeout 600
+ SSLSessionCacheTimeout 300
- # This configures the SSL engine's semaphore (aka. lock) which is
- # used for mutual exclusion of operations which have to be done in a
- # synchronized way between the pre-forked Apache server processes.
- # "default" tells the SSL Module to pick the default locking
- # implementation as determined by the platform and APR.
- SSLMutex default
+ # Semaphore:
+ # Configure the path to the mutual exclusion semaphore the
+ # SSL engine uses internally for inter-process synchronization.
+ SSLMutex "file:/var/lib/apache2/ssl_mutex"
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
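Review bot: `SSLMutex "file:/var/lib/apache2/ssl_mutex"` replaces `SSLMutex default`, but the new comment only restates what the directive does; the removed comment at least explained why `default` was chosen, and nothing on the page gives the reason for the switch (apache2.changes says only that the config was adjusted for upstream changes). Add a why-line, e.g. `# An explicit file-based lock is used instead of "default" because <reason>.`, with the placeholder filled in; presumably the lock directory must exist at startup and, for a file-based lock, sit on a local filesystem, which is worth noting there too — confirm against the mod_ssl docs for the shipped version. `SSLSessionCacheTimeout 300` likewise carries no unit; `# Session cache lifetime in seconds.` above it would help.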
diff --git a/apache2-vhost-ssl.template b/apache2-vhost-ssl.template
index cf4d277..118949a 100644
--- a/apache2-vhost-ssl.template
+++ b/apache2-vhost-ssl.template
@@ -40,14 +40,25 @@
# SSL protocols
# Supporting TLS only is adequate nowadays
- SSLProtocol all -SSLv2 -SSLv3
+ SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
- # We disable weak ciphers by default.
- # See the mod_ssl documentation or "openssl ciphers -v" for a
- # complete list.
- SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
+ # See the mod_ssl documentation for a complete list.
+ SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+ # Speed-optimized SSL Cipher configuration:
+ # If speed is your main concern (on busy HTTPS servers e.g.),
+ # you might want to force clients to specific, performance
+ # optimized ciphers. In this case, prepend those ciphers
+ # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+ # Caveat: by giving precedence to RC4-SHA and AES128-SHA
+ # (as in the example below), most connections will no longer
+ # have perfect forward secrecy - if the server's key is
+ # compromised, captures of past or future traffic must be
+ # considered compromised, too.
+ #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+ #SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
@@ -139,10 +150,6 @@
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
- # o CompatEnvVars:
- # This exports obsolete environment variables for backward compatibility
- # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
- # to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
@@ -150,10 +157,10 @@
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
- #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-
+ #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+
SSLOptions +StdEnvVars
-
+
SSLOptions +StdEnvVars
@@ -182,7 +189,7 @@
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
- SetEnvIf User-Agent ".*MSIE [1-5].*" \
+ BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
diff --git a/apache2.changes b/apache2.changes
index 6ffdee6..ef06d53 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Sat Feb 18 21:15:08 UTC 2012 - poeml@cmdline.net
+
+- update to 2.2.22
+ *) SECURITY: CVE-2011-3368 (cve.mitre.org)
+ Reject requests where the request-URI does not match the HTTP
+ specification, preventing unexpected expansion of target URLs in
+ some reverse proxy configurations.
+ *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+ Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
+ is enabled, could allow local users to gain privileges via a .htaccess
+ file.
+ *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+ Resolve additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations.
+ *) SECURITY: CVE-2012-0021 (cve.mitre.org)
+ mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
+ string is in use and a client sends a nameless, valueless cookie, causing
+ a denial of service. The issue existed since version 2.2.17. PR 52256.
+ *) SECURITY: CVE-2012-0031 (cve.mitre.org)
+ Fix scoreboard issue which could allow an unprivileged child process
+ could cause the parent to crash at shutdown rather than terminate
+ cleanly.
+ *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+ Fix an issue in error responses that could expose "httpOnly" cookies
+ when no custom ErrorDocument is specified for status code 400.
+ *) mod_proxy_ajp: Try to prevent a single long request from marking a worker
+ in error.
+ *) config: Update the default mod_ssl configuration: Disable SSLv2, only
+ allow >= 128bit ciphers, add commented example for speed optimized cipher
+ list, limit MSIE workaround to MSIE <= 5.
+ *) core: Fix segfault in ap_send_interim_response(). PR 52315.
+ *) mod_log_config: Prevent segfault. PR 50861.
+ *) mod_win32: Invert logic for env var UTF-8 fixing.
+ Now we exclude a list of vars which we know for sure they dont hold UTF-8
+ chars; all other vars will be fixed. This has the benefit that now also
+ all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
+ *) core: Fix hook sorting for Perl modules, a regression introduced in
+ 2.2.21. PR: 45076.
+ *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
+ A range of '0-' will now return 206 instead of 200. PR 51878.
+ *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
+ of "0").
+ *) mod_substitute: Fix buffer overrun.
+- adjusted SSL template/default config for upstream changes, and added
+ MaxRanges example to apache2-server-tuning.conf
+- fixed installation of (moved) man pages
+
-------------------------------------------------------------------
Sat Feb 11 09:21:15 UTC 2012 - coolo@suse.com
diff --git a/apache2.spec b/apache2.spec
index 5b3b98e..1e1a610 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -15,6 +15,8 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
+
+
Name: apache2
BuildRequires: automake
BuildRequires: db-devel
@@ -73,8 +75,8 @@ BuildRequires: expat-devel
# "Server:" header
%define VENDOR SUSE
%define platform_string Linux/%VENDOR
-%define realver 2.2.21
-Version: 2.2.21
+%define realver 2.2.22
+Version: 2.2.22
Release: 0
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
@@ -850,10 +852,10 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
%defattr(-,root,root)
%doc INSTALL READM* LICENSE ABOUT_APACHE CHANGES
%doc support/SHA1
-%doc %{_mandir}/man8/apachectl%{vers}.8.*
-%doc %{_mandir}/man8/htcacheclean%{vers}.8.*
-%doc %{_mandir}/man8/%{httpd}.8.*
-%doc %{_mandir}/man8/apxs%{vers}.8.*
+%doc %{_mandir}/man?/apachectl%{vers}.?.*
+%doc %{_mandir}/man?/htcacheclean%{vers}.?.*
+%doc %{_mandir}/man?/%{httpd}.?.*
+%doc %{_mandir}/man?/apxs%{vers}.?.*
%doc robots.txt
%doc printenv
%doc test-cgi
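Review bot: Replacing `man8/…8.*` with `man?/…?.*` lets the `%files` list accept whichever section the pages now land in, but it also drops the record of where upstream moved them and would package both copies if the same page ever appears in two sections. A one-line comment above the block, e.g. `# httpd 2.2.22 moved some man pages to other sections; match any section`, keeps the intent readable. The same wildcard change is in the `%files utils` hunk (`@@ -976,14 +978,15 @@`), which also newly lists httxt2dbm — worth confirming the matching binary is shipped in that subpackage as well.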
@@ -976,14 +978,15 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
%files utils
%defattr(-,root,root)
-%doc %{_mandir}/man8/ab%{vers}.8.*
-%doc %{_mandir}/man1/dbmmanage%{vers}.1.*
-%doc %{_mandir}/man1/htdbm%{vers}.1.*
-%doc %{_mandir}/man1/htdigest%{vers}.1.*
-%doc %{_mandir}/man1/htpasswd%{vers}.1.*
-%doc %{_mandir}/man8/logresolve%{vers}.8.*
-%doc %{_mandir}/man8/rotatelogs%{vers}.8.*
-%doc %{_mandir}/man8/suexec%{vers}.8.*
+%doc %{_mandir}/man?/ab%{vers}.?.*
+%doc %{_mandir}/man?/dbmmanage%{vers}.?.*
+%doc %{_mandir}/man?/htdbm%{vers}.?.*
+%doc %{_mandir}/man?/htdigest%{vers}.?.*
+%doc %{_mandir}/man?/htpasswd%{vers}.?.*
+%doc %{_mandir}/man?/httxt2dbm%{vers}.?.*
+%doc %{_mandir}/man?/logresolve%{vers}.?.*
+%doc %{_mandir}/man?/rotatelogs%{vers}.?.*
+%doc %{_mandir}/man?/suexec%{vers}.?.*
%{_bindir}/check_forensic%{vers}
%{_bindir}/dbmmanage%{vers}
%{_bindir}/gensslcert
diff --git a/httpd-2.2.21.tar.bz2 b/httpd-2.2.21.tar.bz2
deleted file mode 100644
index 599657a..0000000
--- a/httpd-2.2.21.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:18d5591fe48cfbac44fc20316036ffe17456df60bc3a2aaad238d56c6445577f
-size 5324905
diff --git a/httpd-2.2.21.tar.bz2.asc b/httpd-2.2.21.tar.bz2.asc
deleted file mode 100644
index d11ac68..0000000
--- a/httpd-2.2.21.tar.bz2.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iQIcBAABAgAGBQJOaiQfAAoJEFWTvKlgxUQtWu4P/j/xCzXtpb2h1H4gNQtakXjp
-KFhfccvzlOGFpkUjauQ0so5Jj+wVVAgiElr7L0+YvmtXoUyNjCgToqqJTqT/3fwG
-uxKDFfqB5ujbCstKbJ4yKhMy92aDjX1+uWWr8J/1WX//SOWY/uUl/GhJnhEFAB6p
-YExuqqrQfrZcAfC6ME35Gbam6+I8OfHVIeT0m6hLOw6UaHaPXdoRj0CAKNy4NFEf
-ckyw2ddlz83ivek9naGxVFg4v/jN8CoSw3zVfto1QaQ7P+FMA5CrYoCPiEI0A6KA
-534L8xcXf02mN6Y2lgl3C6PYQYcGO198Zmd9xU3RCXsfaFgaOrV4D/fD9TVq1hLK
-OSHPU3AOf7IdFiq99qo7EsXNYrxS0xurv67HaodKXvNNRg8D8TBxDNWO1NpbGp3A
-/zDLm3wxpV2qSOSaZbIbyH8PhX2i4UurSo6y2AVrLENUmV4/bD51qJlitCL23YOo
-5vnK99CnPsWHe36p/GyMMJW2d2fn2tUroLTo/ebCdICZlQJhhWYI7+GHNQNkhqMt
-hp5m8so9Goabs+cKtdxiyARR6+AsyLh+2aRc35dgHpa95Tn3SkuAJ1KTM3ecbzgj
-BxJbA0M3snO9RmNo2h88HELzaA5WaB0Z1kVgYW6gjYELnWRpu+iGMJxFpgXQ6guQ
-CUiByAFuIQukRlpIU/qx
-=AWI2
------END PGP SIGNATURE-----
diff --git a/httpd-2.2.22.tar.bz2 b/httpd-2.2.22.tar.bz2
new file mode 100644
index 0000000..01c3754
--- /dev/null
+++ b/httpd-2.2.22.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231
+size 5378934
diff --git a/httpd-2.2.22.tar.bz2.asc b/httpd-2.2.22.tar.bz2.asc
new file mode 100644
index 0000000..b8ef53b
Binary files /dev/null and b/httpd-2.2.22.tar.bz2.asc differ