Accepting request 106392 from Apache

regular 2.2.22 update

OBS-URL: https://build.opensuse.org/request/show/106392
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=57

apache2-default-vhost-ssl.conf

@@ -36,17 +36,17 @@
     #   Enable/Disable SSL for this virtual host.
     SSLEngine on
 
-    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
-    SSLProtocol all -SSLv2 -SSLv3
-
+    #   SSL Protocol support:
+    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
+    #   List the protocol versions which clients are allowed to
+    #   connect with. Disable SSLv2 by default (cf. RFC 6176).
+    SSLProtocol all -SSLv2
+    
     #   SSL Cipher Suite:
     #   List the ciphers that the client is permitted to negotiate.
     #   See the mod_ssl documentation for a complete list.
     #
-        #   formerly, this was set to the following:
-    #   ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-    #
-    #   We now disable weak ciphers by default.
+    #   Weak ciphers are disabled by default.
     #   Please see the documentation via the links above, and
     #   "openssl ciphers -v" for a complete list of ciphers that are
     #   available.
@@ -58,8 +58,21 @@
     # For more information, please have a look at
     # /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
     # package.
-    SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
-
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+    
+    #   Speed-optimized SSL Cipher configuration:
+    #   If speed is your main concern (on busy HTTPS servers e.g.),
+    #   you might want to force clients to specific, performance
+    #   optimized ciphers. In this case, prepend those ciphers
+    #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+    #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+    #   (as in the example below), most connections will no longer
+    #   have perfect forward secrecy - if the server's key is
+    #   compromised, captures of past or future traffic must be
+    #   considered compromised, too.
+    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+    #SSLHonorCipherOrder on 
+    
     #   Server Certificate:
     #   Point SSLCertificateFile at a PEM encoded certificate.  If
     #   the certificate is encrypted, then you will be prompted for a
@@ -150,10 +163,6 @@
     #     because the extraction step is an expensive operation and is usually
     #     useless for serving static content. So one usually enables the
     #     exportation for CGI and SSI requests only.
-    #   o CompatEnvVars:
-    #     This exports obsolete environment variables for backward compatibility
-    #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-    #     to provide compatibility to existing CGI scripts.
     #   o StrictRequire:
     #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
     #     under a "Satisfy any" situation, i.e. when it applies access is denied
@@ -161,15 +170,15 @@
     #   o OptRenegotiate:
     #     This enables optimized SSL connection renegotiation handling when SSL
     #     directives are used in per-directory context. 
-    #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
-	SSLOptions +StdEnvVars
-    </Files>
-
+    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+    <FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+    </FilesMatch>
+    
     <Directory "/srv/www/cgi-bin">
-	SSLOptions +StdEnvVars
+    SSLOptions +StdEnvVars
     </Directory>
-
+    
     <Directory "/srv/www/htdocs">
 	AllowOverride None
 	#Options +Indexes +MultiViews +FollowSymLinks
@@ -218,13 +227,10 @@
     #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
     #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
     #   "force-response-1.0" for this.
-    #   remark: The below configuration snippet is here for illustration purposes.
-    #           Browser specific deficiencies exist, but generally all of them
-    #           should handle SSL/TLS encapsulated connections well.
-    #SetEnvIf User-Agent ".*MSIE.*" \
-    #	 nokeepalive ssl-unclean-shutdown \
-    #	 downgrade-1.0 force-response-1.0
-
+    BrowserMatch "MSIE [2-5]" \
+             nokeepalive ssl-unclean-shutdown \
+             downgrade-1.0 force-response-1.0
+    
     #   Per-Server Logging:
     #   The home of a custom SSL log file. Use this when you want a
     #   compact non-error SSL logfile on a virtual host basis.

apache2-server-tuning.conf

@@ -90,6 +90,13 @@ MaxKeepAliveRequests 100
 #
 KeepAliveTimeout 15
 
+#
+# MaxRanges: Maximum number of Ranges in a request before
+# returning the entire resource, or one of the special
+# values 'default', 'none' or 'unlimited'.
+# Default setting is to accept 200 Ranges.
+#MaxRanges unlimited
+
 #
 # EnableMMAP: Control whether memory-mapping is used to deliver
 # files (assuming that the underlying OS supports it).

apache2-ssl-global.conf

@@ -46,14 +46,12 @@
 	#SSLSessionCache         dbm:/var/lib/apache2/ssl_scache
 	#SSLSessionCache        shmht:/var/lib/apache2/ssl_scache(512000)
 	SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(512000)
-	SSLSessionCacheTimeout  600
+	SSLSessionCacheTimeout  300
 
-	#   This configures the SSL engine's semaphore (aka. lock) which is
-	#   used for mutual exclusion of operations which have to be done in a
-	#   synchronized way between the pre-forked Apache server processes.
-	#   "default" tells the SSL Module to pick the default locking
-	#   implementation as determined by the platform and APR.
-	SSLMutex  default
+	#   Semaphore:
+	#   Configure the path to the mutual exclusion semaphore the
+	#   SSL engine uses internally for inter-process synchronization. 
+	SSLMutex  "file:/var/lib/apache2/ssl_mutex"
 
 	#   Pseudo Random Number Generator (PRNG):
 	#   Configure one or more sources to seed the PRNG of the 

apache2-vhost-ssl.template

@@ -40,14 +40,25 @@
 
 	#  SSL protocols
 	#  Supporting TLS only is adequate nowadays
-	SSLProtocol all -SSLv2 -SSLv3
+	SSLProtocol all -SSLv2
 
 	#   SSL Cipher Suite:
 	#   List the ciphers that the client is permitted to negotiate.
-	#   We disable weak ciphers by default.
-	#   See the mod_ssl documentation or "openssl ciphers -v" for a
-	#   complete list.
-	SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
+	#   See the mod_ssl documentation for a complete list.
+	SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+	#   Speed-optimized SSL Cipher configuration:
+	#   If speed is your main concern (on busy HTTPS servers e.g.),
+	#   you might want to force clients to specific, performance
+	#   optimized ciphers. In this case, prepend those ciphers
+	#   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+	#   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+	#   (as in the example below), most connections will no longer
+	#   have perfect forward secrecy - if the server's key is
+	#   compromised, captures of past or future traffic must be
+	#   considered compromised, too.
+	#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+	#SSLHonorCipherOrder on 
 
 	#   Server Certificate:
 	#   Point SSLCertificateFile at a PEM encoded certificate.  If
@@ -139,10 +150,6 @@
 	#     because the extraction step is an expensive operation and is usually
 	#     useless for serving static content. So one usually enables the
 	#     exportation for CGI and SSI requests only.
-	#   o CompatEnvVars:
-	#     This exports obsolete environment variables for backward compatibility
-	#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
-	#     to provide compatibility to existing CGI scripts.
 	#   o StrictRequire:
 	#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
 	#     under a "Satisfy any" situation, i.e. when it applies access is denied
@@ -150,10 +157,10 @@
 	#   o OptRenegotiate:
 	#     This enables optimized SSL connection renegotiation handling when SSL
 	#     directives are used in per-directory context. 
-	#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-	<Files ~ "\.(cgi|shtml|phtml|php3?)$">
+	#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+	<FilesMatch "\.(cgi|shtml|phtml|php)$">
 	    SSLOptions +StdEnvVars
-	</Files>
+	</FilesMatch>
 	<Directory "/srv/www/cgi-bin">
 	    SSLOptions +StdEnvVars
 	</Directory>
@@ -182,7 +189,7 @@
 	#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
 	#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
 	#   "force-response-1.0" for this.
-	SetEnvIf User-Agent ".*MSIE [1-5].*" \
+	BrowserMatch "MSIE [2-5]" \
 		 nokeepalive ssl-unclean-shutdown \
 		 downgrade-1.0 force-response-1.0
 

apache2.changes

@@ -1,3 +1,52 @@
+-------------------------------------------------------------------
+Sat Feb 18 21:15:08 UTC 2012 - poeml@cmdline.net
+
+- update to 2.2.22
+  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
+     Reject requests where the request-URI does not match the HTTP
+     specification, preventing unexpected expansion of target URLs in
+     some reverse proxy configurations. 
+  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
+     is enabled, could allow local users to gain privileges via a .htaccess
+     file.
+  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+     Resolve additional cases of URL rewriting with ProxyPassMatch or
+     RewriteRule, where particular request-URIs could result in undesired
+     backend network exposure in some configurations.
+  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
+     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
+     string is in use and a client sends a nameless, valueless cookie, causing
+     a denial of service. The issue existed since version 2.2.17. PR 52256.
+  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
+     Fix scoreboard issue which could allow an unprivileged child process 
+     could cause the parent to crash at shutdown rather than terminate 
+     cleanly. 
+  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+     Fix an issue in error responses that could expose "httpOnly" cookies
+     when no custom ErrorDocument is specified for status code 400.
+  *) mod_proxy_ajp: Try to prevent a single long request from marking a worker
+     in error.
+  *) config: Update the default mod_ssl configuration: Disable SSLv2, only
+     allow >= 128bit ciphers, add commented example for speed optimized cipher
+     list, limit MSIE workaround to MSIE <= 5.
+  *) core: Fix segfault in ap_send_interim_response(). PR 52315.
+  *) mod_log_config: Prevent segfault. PR 50861.
+  *) mod_win32: Invert logic for env var UTF-8 fixing.
+     Now we exclude a list of vars which we know for sure they dont hold UTF-8
+     chars; all other vars will be fixed. This has the benefit that now also
+     all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
+  *) core: Fix hook sorting for Perl modules, a regression introduced in
+     2.2.21. PR: 45076.
+  *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
+     A range of '0-' will now return 206 instead of 200. PR 51878.
+  *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
+     of "0"). 
+  *) mod_substitute: Fix buffer overrun. 
+- adjusted SSL template/default config for upstream changes, and added
+  MaxRanges example to apache2-server-tuning.conf
+- fixed installation of (moved) man pages
+
 -------------------------------------------------------------------
 Sat Feb 11 09:21:15 UTC 2012 - coolo@suse.com
 

apache2.spec

@@ -15,6 +15,8 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
+
 Name:           apache2
 BuildRequires:  automake
 BuildRequires:  db-devel
@@ -73,8 +75,8 @@ BuildRequires:  expat-devel
 # "Server:" header
 %define VENDOR SUSE
 %define platform_string	Linux/%VENDOR
-%define realver 2.2.21
-Version:        2.2.21
+%define realver 2.2.22
+Version:        2.2.22
 Release:        0
 #Source0:      http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0:        http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
@@ -850,10 +852,10 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
 %defattr(-,root,root)
 %doc INSTALL READM* LICENSE ABOUT_APACHE CHANGES
 %doc support/SHA1
-%doc %{_mandir}/man8/apachectl%{vers}.8.*
-%doc %{_mandir}/man8/htcacheclean%{vers}.8.*
-%doc %{_mandir}/man8/%{httpd}.8.*
-%doc %{_mandir}/man8/apxs%{vers}.8.*
+%doc %{_mandir}/man?/apachectl%{vers}.?.*
+%doc %{_mandir}/man?/htcacheclean%{vers}.?.*
+%doc %{_mandir}/man?/%{httpd}.?.*
+%doc %{_mandir}/man?/apxs%{vers}.?.*
 %doc robots.txt
 %doc printenv
 %doc test-cgi
@@ -976,14 +978,15 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original .
 
 %files utils
 %defattr(-,root,root)
-%doc %{_mandir}/man8/ab%{vers}.8.*
-%doc %{_mandir}/man1/dbmmanage%{vers}.1.*
-%doc %{_mandir}/man1/htdbm%{vers}.1.*
-%doc %{_mandir}/man1/htdigest%{vers}.1.*
-%doc %{_mandir}/man1/htpasswd%{vers}.1.*
-%doc %{_mandir}/man8/logresolve%{vers}.8.*
-%doc %{_mandir}/man8/rotatelogs%{vers}.8.*
-%doc %{_mandir}/man8/suexec%{vers}.8.*
+%doc %{_mandir}/man?/ab%{vers}.?.*
+%doc %{_mandir}/man?/dbmmanage%{vers}.?.*
+%doc %{_mandir}/man?/htdbm%{vers}.?.*
+%doc %{_mandir}/man?/htdigest%{vers}.?.*
+%doc %{_mandir}/man?/htpasswd%{vers}.?.*
+%doc %{_mandir}/man?/httxt2dbm%{vers}.?.*
+%doc %{_mandir}/man?/logresolve%{vers}.?.*
+%doc %{_mandir}/man?/rotatelogs%{vers}.?.*
+%doc %{_mandir}/man?/suexec%{vers}.?.*
 %{_bindir}/check_forensic%{vers}
 %{_bindir}/dbmmanage%{vers}
 %{_bindir}/gensslcert

httpd-2.2.21.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:18d5591fe48cfbac44fc20316036ffe17456df60bc3a2aaad238d56c6445577f
-size 5324905

httpd-2.2.21.tar.bz2.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iQIcBAABAgAGBQJOaiQfAAoJEFWTvKlgxUQtWu4P/j/xCzXtpb2h1H4gNQtakXjp
-KFhfccvzlOGFpkUjauQ0so5Jj+wVVAgiElr7L0+YvmtXoUyNjCgToqqJTqT/3fwG
-uxKDFfqB5ujbCstKbJ4yKhMy92aDjX1+uWWr8J/1WX//SOWY/uUl/GhJnhEFAB6p
-YExuqqrQfrZcAfC6ME35Gbam6+I8OfHVIeT0m6hLOw6UaHaPXdoRj0CAKNy4NFEf
-ckyw2ddlz83ivek9naGxVFg4v/jN8CoSw3zVfto1QaQ7P+FMA5CrYoCPiEI0A6KA
-534L8xcXf02mN6Y2lgl3C6PYQYcGO198Zmd9xU3RCXsfaFgaOrV4D/fD9TVq1hLK
-OSHPU3AOf7IdFiq99qo7EsXNYrxS0xurv67HaodKXvNNRg8D8TBxDNWO1NpbGp3A
-/zDLm3wxpV2qSOSaZbIbyH8PhX2i4UurSo6y2AVrLENUmV4/bD51qJlitCL23YOo
-5vnK99CnPsWHe36p/GyMMJW2d2fn2tUroLTo/ebCdICZlQJhhWYI7+GHNQNkhqMt
-hp5m8so9Goabs+cKtdxiyARR6+AsyLh+2aRc35dgHpa95Tn3SkuAJ1KTM3ecbzgj
-BxJbA0M3snO9RmNo2h88HELzaA5WaB0Z1kVgYW6gjYELnWRpu+iGMJxFpgXQ6guQ
-CUiByAFuIQukRlpIU/qx
-=AWI2
------END PGP SIGNATURE-----

httpd-2.2.22.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dcdc9f1dc722f84798caf69d69dca78daa5e09a4269060045aeca7e4f44cb231
+size 5378934