Accepting request 1118995 from Apache

OBS-URL: https://build.opensuse.org/request/show/1118995
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=205

apache2.changes

@@ -1,3 +1,224 @@
+-------------------------------------------------------------------
+Thu Oct 19 14:23:08 UTC 2023 - David Anes <david.anes@suse.com>
+
+- Update to 2.4.58:
+  *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
+     memory not reclaimed right away on RST (cve.mitre.org)
+     When a HTTP/2 stream was reset (RST frame) by a client, there
+     was a time window were the request's memory resources were not
+     reclaimed immediately. Instead, de-allocation was deferred to
+     connection close. A client could send new requests and resets,
+     keeping the connection busy and open and causing the memory
+     footprint to keep on growing. On connection close, all resources
+     were reclaimed, but the process might run out of memory before
+     that.
+     This was found by the reporter during testing of CVE-2023-44487
+     (HTTP/2 Rapid Reset Exploit) with their own test client. During
+     "normal" HTTP/2 use, the probability to hit this bug is very
+     low. The kept memory would not become noticeable before the
+     connection closes or times out.
+     Users are recommended to upgrade to version 2.4.58, which fixes
+     the issue.
+     Credits: Will Dormann of Vul Labs
+
+  *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
+     initial windows size 0 (cve.mitre.org)
+     An attacker, opening a HTTP/2 connection with an initial window
+     size of 0, was able to block handling of that connection
+     indefinitely in Apache HTTP Server. This could be used to
+     exhaust worker resources in the server, similar to the well
+     known "slow loris" attack pattern.
+     This has been fixed in version 2.4.58, so that such connection
+     are terminated properly after the configured connection timeout.
+     This issue affects Apache HTTP Server: from 2.4.55 through
+     2.4.57.
+     Users are recommended to upgrade to version 2.4.58, which fixes
+     the issue.
+     Credits: Prof. Sven Dietrich (City University of New York)
+
+  *) SECURITY: CVE-2023-31122: mod_macro buffer over-read
+     (cve.mitre.org)
+     Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
+     Server.This issue affects Apache HTTP Server: through 2.4.57.
+     Credits: David Shoon (github/davidshoon)
+
+  *) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
+     SSL routines::unexpected eof while reading" when using
+     OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
+     available. [Rainer Jung]
+
+  *) mod_http2: improved early cleanup of streams.
+     [Stefan Eissing]
+
+  *) mod_proxy_http2: improved error handling on connection errors while
+     response is already underway.
+     [Stefan Eissing]
+
+  *) mod_http2: fixed a bug that could lead to a crash in main connection
+     output handling. This occured only when the last request on a HTTP/2
+     connection had been processed and the session decided to shut down.
+     This could lead to an attempt to send a final GOAWAY while the previous
+     write was still in progress. See PR 66646.
+     [Stefan Eissing]
+
+  *) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
+     Fixes PR66752.
+     [Stefan Eissing]
+
+  *) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
+     described in RFC 8441. A new directive 'H2WebSockets on|off' has been
+     added. The feature is by default not enabled.
+     As also discussed in the manual, this feature should work for setups
+     using "ProxyPass backend-url upgrade=websocket" without further changes.
+     Special server modules for WebSockets will have to be adapted,
+     most likely, as the handling if IO events is different with HTTP/2.
+     HTTP/2 WebSockets are supported on platforms with native pipes. This
+     excludes Windows.
+     [Stefan Eissing]
+
+  *) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
+     in OCSP stapling. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]
+
+  *) mod_http2: fixed a bug in flushing pending data on an already closed
+     connection that could lead to a busy loop, preventing the HTTP/2 session
+     to close down successfully. Fixed PR 66624.
+     [Stefan Eissing]
+
+  *) mod_http2: v2.0.15 with the following fixes and improvements
+     - New directive 'H2EarlyHint name value' to add headers to a response,
+       picked up already when a "103 Early Hints" response is sent. 'name' and
+       'value' must comply to the HTTP field restrictions.
+       This directive can be repeated several times and header fields of the
+       same names add. Sending a 'Link' header with 'preload' relation will
+       also cause a HTTP/2 PUSH if enabled and supported by the client.
+     - Fixed an issue where requests were not logged and accounted in a timely
+       fashion when the connection returns to "keepalive" handling, e.g. when
+       the request served was the last outstanding one.
+       This led to late appearance in access logs with wrong duration times
+       reported.
+     - Accurately report the bytes sent for a request in the '%O' Log format.
+       This addresses #203, a long outstanding issue where mod_h2 has reported
+       numbers over-eagerly from internal buffering and not what has actually
+       been placed on the connection.
+       The numbers are now the same with and without H2CopyFiles enabled.
+     [Stefan Eissing]
+
+  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
+     On detecting that that an existing connection was shutdown by the other
+     side, a 503 response leaked even though the request was retried on a
+     fresh connection.
+     [Stefan Eissing]
+
+  *) mod_rewrite: Add server directory to include path as mod_rewrite requires
+     test_char.h. PR 66571 [Valeria Petrov <valeria.petrov@spinetix.com>]
+
+  *) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
+     of HTTP/2 requests in a forward proxy configuration.
+     General forward proxying is enabled via `ProxyRequests`. If the
+     HTTP/2 protocol is also enabled for such a server/host, this new
+     directive is needed in addition.
+     [Stefan Eissing]
+
+  *) core: Updated conf/mime.types:
+     - .js moved from 'application/javascript' to 'text/javascript'
+     - .mjs was added as 'text/javascript'
+     - add .opus ('audio/ogg')
+     - add 'application/vnd.geogebra.slides'
+     - add WebAssembly MIME types and extension
+     [Mathias Bynens <@mathiasbynens> via PR 318,
+      Richard de Boer <richard tubul.net>, Dave Hodder <dmh dmh.org.uk>,
+      Zbynek Konecny <zbynek1729 gmail.com>]
+
+  *) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
+     connection when sending data on the frontend one. This caused crashes
+     or infinite loops in rare situations.
+  *) mod_proxy_http2: fixed a bug in retry/response handling that could lead
+     to wrong status codes or HTTP messages send at the end of response bodies
+     exceeding the announced content-length.
+  *) mod_proxy_http2: fix retry handling to not leak temporary errors.
+     On detecting that that an existing connection was shutdown by the other
+     side, a 503 response leaked even though the request was retried on a
+     fresh connection.
+  *) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
+     the wrong order when a bucket_beam was destroyed.
+     [Stefan Eissing]
+
+  *) mod_http2: avoid double chunked-encoding on internal redirects.
+     PR 66597 [Yann Ylavic, Stefan Eissing]
+
+  *) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
+     HTTP/2 requests twice. Fixes PR 66801.
+     [Stefan Eissing]
+
+  *) mod_ssl: Fix handling of Certificate Revoked messages
+     in OCSP stapling. PR 66626. [<gmoniker gmail.com>]
+
+  *) mod_http2: fixed a bug in handling of stream timeouts.
+     [Stefan Eissing]
+
+  *) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
+     Checking in configure for proper version installed. Code
+     fixes for changed clienthello member name.
+     [Stefan Eissing]
+
+  *) mod_md:
+     - New directive `MDMatchNames all|servernames` to allow more control over how
+       MDomains are matched to VirtualHosts.
+     - New directive `MDChallengeDns01Version`. Setting this to `2` will provide
+       the command also with the challenge value on `teardown` invocation. In version
+       1, the default, only the `setup` invocation gets this parameter.
+       Refs #312. Thanks to @domrim for the idea.
+     - For Managed Domain in "manual" mode, the checks if all used ServerName and
+       ServerAlias are part of the MDomain now reports a warning instead of an error
+       (AH10040) when not all names are present.
+     - MDChallengeDns01 can now be configured for individual domains.
+       Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
+     - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
+       teardown not being invoked as it should.
+
+  *) mod_ldap: Avoid performance overhead of APR-util rebind cache for
+     OpenLDAP 2.2+.  PR 64414.  [Joe Orton]
+
+  *) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
+     amount of response body bytes put into a single HTTP/2 DATA frame.
+     Setting this to 0 places no limit (but the max size allowed by the
+     protocol is observed).
+     The module, by default, tries to use the maximum size possible, which is
+     somewhat around 16KB. This sets the maximum. When less response data is
+     available, smaller frames will be sent.
+
+  *) mod_md: fixed passing of the server environment variables to programs
+     started via MDMessageCmd and MDChallengeDns01 on *nix system.
+     See <https://github.com/icing/mod_md/issues/319>.
+     [Stefan Eissing]
+
+  *) mod_dav: Add DavBasePath directive to configure the repository root
+     path.  PR 35077.  [Joe Orton]
+
+  *) mod_alias: Add AliasPreservePath directive to map the full
+     path after the alias in a location. [Graham Leggett]
+
+  *) mod_alias: Add RedirectRelative to allow relative redirect targets to be
+     issued as-is. [Eric Covener, Graham Leggett]
+
+  *) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
+     sure that if the format is configured early enough it applies to every log
+     line.  PR 62161.  [Yann Ylavic]
+
+  *) mod_deflate: Add DeflateAlterETag to control how the ETag
+     is modified. The 'NoChange' parameter mimics 2.2.x behavior.
+     PR 45023, PR 39727. [Eric Covener]
+
+  *) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]
+
+  *) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
+     Resolve inconsistency between the previous two occurrences by
+     counting workers in state SERVER_GRACEFUL no longer as busy,
+     but instead in a new counter "GracefulWorkers" (or on HTML
+     view as "workers gracefully restarting"). Also add the graceful
+     counter as a new column to the existing HTML per process table
+     for async MPMs. PR 63300. [Rainer Jung]
+
 -------------------------------------------------------------------
 Sat Aug  5 11:44:23 UTC 2023 - Dirk Stoecker <opensuse@dstoecker.de>
 

apache2.spec

@@ -107,7 +107,7 @@
 %define build_http2 1
 
 Name:           apache2%{psuffix}
-Version:        2.4.57
+Version:        2.4.58
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0

httpd-2.4.57.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:dbccb84aee95e095edfbb81e5eb926ccd24e6ada55dcd83caecb262e5cf94d2a
-size 7457022

httpd-2.4.57.tar.bz2.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmQpqJUACgkQgngd5G1Z
-VPrSqhAAge2udhX49FI9zwhoxeCND0dxB/DZ8vWc6MbDryYUYZBA2+o7cvwSRSdZ
-fxghFliJUWDSDD7YFjIrsAKPcjdKS2vn6+vmNRU05dw+JoZuQuyzg9PMuEOo3qRN
-poVd7SsxFhAT3ow6+j2ns3ei+B87BWrgkN6P2A4UNiUKKej+EACL3JnrOGbcPoLa
-ThEdphd5B6qTegw3Sz3aHgJ06833mH5KdrUNXwjmhsZCdgmBORyepjAQFKQChOq6
-JExsk/PTPgy0KX27IWMgrgQohW0zEzr8BtrZsu+DXxuhjen7bKm06uEoYDCR6xF1
-gu/oGBLVuDkktnRfleGUtmXoJ+yVMyz06ILL/ka5Jy3ob8sdWqD37oAcGQJeZYog
-uUnW+FoCmfv6uLRxZbFr2SCr2Jc8cnI45cPpppG0OraBJHHja99W60lInDpjFvHF
-U9Ev+UNU3PwtYuIhwp8tJB61cnQzxyH0Frt5lQfXxPKWTuFY3MSuoNJi1x3IqZvx
-fan2kxN0R0RyvXOhD6eJcQpydRHNDj/zgIo46gL7XRPB4aFBZRPyXwTVejcT6juL
-CHX/AUk18DIlBd+X7wJ115UQg9m6bABrj+Jg6ujoTb62Vstuju3P6XJ/qbCpGQcY
-ZyLOwbFiDD8CMm06ELQixDa9momkXXWH6mH+cEQDkPl+Scz5pf0=
-=qbuf
------END PGP SIGNATURE-----

httpd-2.4.58.tar.bz2.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmUtUXcACgkQ03fJ59GU
+TGZJnA/+KAE23IcOsePVK93RsfY2pCXvrQWH2vRaPQOV68lMMyI9I3D7Dd6ZbOIL
+kfdcuMydaOzkwAzgM9dgfC2PF5rO/8LDHtieBRfLNVjcK7ngatZLzRU+2qARk4PG
+bxfnpVzpnshBTkMuQ0C3nr6mi+bXQgdbbSLXGS5SOBqckBMfkpEXzArU8PU0EQwT
+u3Id+eAqWtxXtwRKz+lRNwLzmyiXc8a1YwXJh5d2ldrL+WlFA1cts+k3nR5YPzF1
+QsHLkoTuiAbXpRYHJg83AAENVxYPvwttIdthLeQtUgV6dcoiAuJzOt0/EBnUN5B3
+J+T10z4zvXN0MogTVceAFfySZ6fQrR5PXs3raepDjo/AtVH9dvSQdXhpOGtyiCI9
+4eabSL69Z7r+Nr3UzVLVYb4Uan5Z7G1UkKQNxJVJSR4mzitf1d3Fylw52ivBGnLv
+OMcY1/b3Kx0m69dIiIlLPnG7UMgHwqgYcxJKomjI9opdobmpK42u8ZjOEYFoNAtk
+sINfcehp83WwxdDuvpuSFNYWQXGhKONAZIyCW8lAuFWBG8oXra5osWY176OSUGTu
+Ah+pM1NlbwL45r5kw+3t4L/3Hhx+dDqtI8jrQYReN/u4dBuIcqqLT1Ik2WjBuTyE
+QiY/ZOzdxO7UAGYvgFyMHX+KsuqrxZKHd1JN2+TzHhEtstSICnE=
+=CtTT
+-----END PGP SIGNATURE-----