Accepting request 1186139 from Apache

OBS-URL: https://build.opensuse.org/request/show/1186139
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=210

apache2-issue-444.patch

@@ -1,36 +0,0 @@
-Index: httpd-2.4.59/modules/generators/mod_cgid.c
-===================================================================
---- httpd-2.4.59.orig/modules/generators/mod_cgid.c
-+++ httpd-2.4.59/modules/generators/mod_cgid.c
-@@ -1625,7 +1625,12 @@ static int cgid_handler(request_rec *r)
-          */
-         if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
-             apr_table_unset(r->headers_out, "Content-Length");
--        apr_table_unset(r->headers_out, "Transfer-Encoding");
-+
-+        if (apr_table_get(r->headers_out, "Transfer-Encoding") != NULL) {
-+            apr_brigade_cleanup(bb);
-+            return log_scripterror(r, conf, HTTP_BAD_GATEWAY, 0, APLOGNO(10501)
-+                                   "script sent Transfer-Encoding");
-+        }
- 
-         if (ret != OK) {
-             ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL);
-Index: httpd-2.4.59/modules/generators/mod_cgi.c
-===================================================================
---- httpd-2.4.59.orig/modules/generators/mod_cgi.c
-+++ httpd-2.4.59/modules/generators/mod_cgi.c
-@@ -976,7 +976,12 @@ static int cgi_handler(request_rec *r)
-          */
-         if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
-             apr_table_unset(r->headers_out, "Content-Length");
--        apr_table_unset(r->headers_out, "Transfer-Encoding");
-+
-+        if (apr_table_get(r->headers_out, "Transfer-Encoding") != NULL) {
-+            apr_brigade_cleanup(bb);
-+            return log_scripterror(r, conf, HTTP_BAD_GATEWAY, 0, APLOGNO(10501),
-+                                   "script sent Transfer-Encoding");
-+        }
- 
-         if (ret != OK) {
-             ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err);

apache2.changes

@@ -1,3 +1,149 @@
+-------------------------------------------------------------------
+Thu Jul  4 20:58:39 UTC 2024 - Arjen de Korte <suse+build@de-korte.org>
+
+- Update to 2.4.61
+
+  *) SECURITY: CVE-2024-39884: Apache HTTP Server: source code
+     disclosure with handlers configured via AddType (cve.mitre.org)
+     [boo#1227353]
+     A regression in the core of Apache HTTP Server 2.4.60 ignores
+     some use of the legacy content-type based configuration of
+     handlers.   "AddType" and similar configuration, under some
+     circumstances where files are requested indirectly, result in
+     source code disclosure of local content. For example, PHP
+     scripts may be served instead of interpreted.
+     Users are recommended to upgrade to version 2.4.61, which fixes
+     this issue.
+
+- Update to 2.4.60
+
+  *) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
+     handler substitution (cve.mitre.org) [boo#1227271]
+     Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and
+     earlier allows an attacker to cause unsafe RewriteRules to
+     unexpectedly setup URL's to be handled by mod_proxy.
+     Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+  *) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
+     Denial of Service in mod_proxy via a malicious request
+     (cve.mitre.org) [boo#1227270]
+     null pointer dereference in mod_proxy in Apache HTTP Server
+     2.4.59 and earlier allows an attacker to crash the server via a
+     malicious request.
+     Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+  *) SECURITY: CVE-2024-38476: Apache HTTP Server may use
+     exploitable/malicious backend application output to run local
+     handlers via internal redirect (cve.mitre.org) [boo#1227269]
+     Vulnerability in core of Apache HTTP Server 2.4.59 and earlier
+     are vulnerably to information disclosure, SSRF or local script
+     execution via backend applications whose response headers are
+     malicious or exploitable.
+
+     Note: Some legacy uses of the 'AddType' directive to connect a
+     request to a handler must be ported to 'AddHandler' after this fix.
+
+     Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+  *) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
+     mod_rewrite when first segment of substitution matches
+     filesystem path. (cve.mitre.org) [boo#1227268]
+     Improper escaping of output in mod_rewrite in Apache HTTP Server
+     2.4.59 and earlier allows an attacker to map URLs to filesystem
+     locations that are permitted to be served by the server but are
+     not intentionally/directly reachable by any URL, resulting in
+     code execution or source code disclosure.
+     Substitutions in server context that use a backreferences or
+     variables as the first segment of the substitution are affected.
+     Some unsafe RewiteRules will be broken by this change and the
+     rewrite flag "UnsafePrefixStat" can be used to opt back in once
+     ensuring the substitution is appropriately constrained.
+     Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+  *) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with
+     encoded question marks in backreferences (cve.mitre.org)
+     [boo#1227278]
+     Substitution encoding issue in mod_rewrite in Apache HTTP Server
+     2.4.59 and earlier allows attacker to execute scripts in
+     directories permitted by the configuration but not directly
+     reachable by any URL or source disclosure of scripts meant to
+     only to be executed as CGI.
+
+     Note: Some RewriteRules that capture and substitute unsafely will now
+     fail unless rewrite flag "UnsafeAllow3F" is specified.
+
+     Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+  *) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
+     problem (cve.mitre.org) [boo#1227276]
+     Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and
+     earlier allows request URLs with incorrect encoding to be sent
+     to backend services, potentially bypassing authentication via
+     crafted requests.
+     Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+  *) SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF
+     (cve.mitre.org) [boo#1227267]
+     SSRF in Apache HTTP Server on Windows allows to potentially leak
+     NTML hashes to a malicious server via SSRF and malicious
+     requests or content
+
+     Note: Existing configurations that access UNC paths
+     will have to configure new directive "UNCList" to allow access
+     during request processing.
+
+     Credits: Orange Tsai (@orange_8361) from DEVCORE
+
+  *) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
+     pointer in websocket over HTTP/2 (cve.mitre.org) [boo#1227272]
+     Serving WebSocket protocol upgrades over a HTTP/2 connection
+     could result in a Null Pointer dereference, leading to a crash
+     of the server process, degrading performance.
+     Credits: Marc Stern (<marc.stern AT approach-cyber.com>)
+
+  *) mod_proxy: Fix DNS requests and connections closed before the
+     configured addressTTL.  BZ 69126.  [Yann Ylavic]
+
+  *) core: On Linux, log the real thread ID in error logs.  [Joe Orton]
+
+  *) core: Support zone/scope in IPv6 link-local addresses in Listen and
+     VirtualHost directives (requires APR 1.7.x or later).  PR 59396
+     [Joe Orton]
+
+  *) mod_ssl: Reject client-initiated renegotiation with a TLS alert
+     (rather than connection closure).  [Joe Orton, Yann Ylavic]
+
+  *) Updated mime.types.  [Mohamed Akram <mohd.akram outlook.com>,
+     Adam Silverstein <adamsilverstein earthboundhosting.com>]
+
+  *) mod_ssl: Fix a regression that causes the default DH parameters for a key
+     no longer set and thus effectively disabling DH ciphers when no explicit
+     DH parameters are set. PR 68863 [Ruediger Pluem]
+
+  *) mod_cgid: Optional support for file descriptor passing, fixing
+     error log handling (configure --enable-cgid-fdpassing) on Unix
+     platforms. PR 54221.  [Joe Orton]
+
+  *) mod_cgid/mod_cgi: Distinguish script stderr output clearly in
+     error logs.  PR 61980.  [Hank Ibell <hwibell gmail.com>]
+
+  *) mod_tls: update version of rustls-ffi to v0.13.0.
+     [Daniel McCarney (@cpu}]
+
+  *) mod_md:
+     - Using OCSP stapling information to trigger certificate renewals. Proposed
+       by @frasertweedale.
+     - Added directive `MDCheckInterval` to control how often the server checks
+       for detected revocations. Added proposals for configurations in the
+       README.md chapter "Revocations".
+     - OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
+       allowed in RFC 6960. Treat those as having an update interval of 12 hours.
+       Added by @frasertweedale.
+     - Adapt OpenSSL usage to changes in their API. By Yann Ylavic.
+
+- removed patches (upstreamed)
+  - apache2-issue-444.patch
+
 -------------------------------------------------------------------
 Thu Jun 13 13:34:23 UTC 2024 - pgajdos@suse.com
 

apache2.spec

@@ -107,7 +107,7 @@
 %define build_http2 1
 
 Name:           apache2%{psuffix}
-Version:        2.4.59
+Version:        2.4.61
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0
@@ -190,8 +190,6 @@ Patch100:       apache-test-application-xml-type.patch
 # even if in live system I do not experience this inconsistency, let's turn off
 # these variables from the test
 Patch101:       apache-test-turn-off-variables-in-ssl-var-lookup.patch
-# https://github.com/apache/httpd/pull/444/commits/c2fffd29b0f58bdc9caaaff4fec68e17a676f182
-Patch102:       apache2-issue-444.patch
 BuildRequires:  apache-rpm-macros-control
 #Since 2.4.7 the event MPM requires apr 1.5.0 or later.
 BuildRequires:  apr-devel >= 1.5.0

httpd-2.4.59.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ec51501ec480284ff52f637258135d333230a7d229c3afa6f6c2f9040e321323
-size 7503198

httpd-2.4.59.tar.bz2.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmYNSicACgkQgngd5G1Z
-VPq4Hw//ah2IWHUlwcCbgIGFWh7r4PlLIOQXUQaiBWrAMjpboT64kPXBA7fylxgB
-vUheKnxJZY2UPoOkHN75hBxyLXZCDJ4WkKQny/992XADWOSVHE/arDX1cfnFgUQA
-VrLPKVz7/UVorzx6tEqCCs8Uv3zrtmqhKFRJLRs4tdrYdzwASAl5rOllKx0vkvwv
-hlED8jr3IxGTF5mwp+g0ZrvjIWM42VQYFoSXI8hdacOiF3NnIFuPDiq6WIDaJ0vZ
-WpBisebo3kP1i0ykwZH+UBoDbEEKcxDVCotZmUjPu1YZ1Nti451oHKtkOSkIbl/M
-KKjtpM7mPikj+JARjSBGCaUsKTS8CoB+MnGf30DCXvK+mnMoQSnW9Cn/i3c+dq9l
-qVIYHsvQTVDhA6rinEJchaz/agQPW9Ilv3T+qYtzM6SsDcy1cYIwyUcCB2vABSHV
-cOi9yoGvrc9HHiL0ji5Rsd+zXTdv3kbOzzkhqsnnZc38A007HFS5/jw0PIAf2tfx
-N7VOzMtvgjtjtw3BxJyq3rnc/8j4RJTg/gJhw2eaqKweqUYi0V3ENj7tihYfuKEu
-W2t1PzoBcD/8oy/egAgIftlB0JcvTq3r6tOuyM5yN9W1f6LpsYVil/D2kXSzDD3Y
-LSqSEfLevbPx/mzLujT2febr1BZf0I1P/u6JUZfWb09KGc5TMD8=
-=kE+v
------END PGP SIGNATURE-----

httpd-2.4.61.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ea8ba86fd95bd594d15e46d25ac5bbda82ae0c9122ad93998cc539c133eaceb6
+size 7512908

httpd-2.4.61.tar.bz2.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmaEBhQACgkQgngd5G1Z
+VPpsJg//QI5CO5SIH+aEdgwwF4/d9ChDmcU1laAe/sLVXmIMcpHvE76rjjs2rlSI
+kZPlHdYZLfj6nhbDFcvWAsdBikWP0sbxb4wTR+rEztmFVewrN7EwZee9Qfe4Gkh0
+FwgHyHUexfOAP2znkqcgbADuhYCn00WumNM9Sh8+pBbtX10RhA95MxMR9Z2WXDpR
+wxey/h2kxjlLA42MNraF+C89U+hoNq5+MPbfRp4O3S53ftP7cwfNaJT0p4pZvn8z
+fvpjqwc1QVqzJoB+Z2Pw7krK74AcW4IBDLmDvJzhvXN9I9MwT58PFkb86y5yDi6Q
+6w31G7vYvLDQ0o+Z4PsH9hOtaeo/NzuaVZcCQMfd4awJkQ7ADxKzckqyy0JbITob
+VN7RFISHigIC7b5RR3VpQhLQEPJHSc24tMIjYSU/sd7SZEVAIo3Waq84zhKjQVZ5
+gWou9gfVT9um8iTAWRWz0dcS+rV5tnvVv8rls57VWIrysjoUWWujBf/5i8QLnR1S
++y5AO4XigRERc4Z9oD7NUXVJglXCuDUBCesYXuIn52aROlcMPeMQ+E21l+3k449Y
+HXHazw0KgBZoLu7UmcbULCgRsVkAADoUUuvMh+lLsA2XpOUqSyVEoz1xGqnCuKDF
+RYkLrmBDEiYLf6vWzq5JZ2znHXn3n1e+08bWEeWqyFKYLHHZJaw=
+=te+z
+-----END PGP SIGNATURE-----