Accepting request 941816 from home:AndreasStieger:branches:Apache

changlog update for 2.4.52:
CVE-2021-44224 boo#1193943
CVE-2021-44790 boo#1193942

OBS-URL: https://build.opensuse.org/request/show/941816
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=662

apache2.changes

@@ -2,32 +2,32 @@
 Mon Dec 20 11:26:49 UTC 2021 - David Anes <david.anes@suse.com>
 
 - version update to 2.4.52:
+  * fix CVE-2021-44224: NULL dereference or SSRF in forward proxy
+    configurations [boo#1193943]
+  * fix CVE-2021-44790: buffer overflow when parsing multipart
+    content in mod_lua [boo#1193942]
   *) http: Enforce that fully qualified uri-paths not to be forward-proxied
      have an http(s) scheme, and that the ones to be forward proxied have a
-     hostname, per HTTP specifications.  [Ruediger Pluem, Yann Ylavic]
+     hostname, per HTTP specifications.
   *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
-     specified openssl path. [Joe Orton]
-  *) mod_proxy_connect, mod_proxy: Do not change the status code after we
      already sent it to the client.
   *) mod_http: Correctly sent a 100 Continue status code when sending an interim
      response as result of an Expect: 100-Continue in the request and not the
-     current status code of the request. PR 65725 [Ruediger Pluem]
+     current status code of the request
   *) mod_dav: Some DAV extensions, like CalDAV, specify both document
      elements and property elements that need to be taken into account
      when generating a property. The document element and property element
      are made available in the dav_liveprop_elem structure by calling
-     dav_get_liveprop_element(). [Graham Leggett]
+     dav_get_liveprop_element()
   *) mod_dav: Add utility functions dav_validate_root_ns(),
      dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
      dav_find_attr() so that other modules get to play too.
-     [Graham Leggett]
-  *) mpm_event: Restart stopping of idle children after a load peak. PR 65626.
-     [Yann Ylavic, Ruediger Pluem]
+  *) mpm_event: Restart stopping of idle children after a load peak
   *) mod_http2: fixes 2 regressions in server limit handling.
      1. When reaching server limits, such as MaxRequestsPerChild, the
         HTTP/2 connection send a GOAWAY frame much too early on new
         connections, leading to invalid protocol state and a client
-        failing the request. See PR65731.
+        failing the request
         The module now initializes the HTTP/2 protocol correctly and
         allows the client to submit one request before the shutdown
         via a GOAWAY frame is being announced.
@@ -36,22 +36,14 @@ Mon Dec 20 11:26:49 UTC 2021 - David Anes <david.anes@suse.com>
         when reaching MaxConnectionsPerChild. When unprocessed h2
         requests were queued at the time, these could stall.
         See <https://github.com/icing/mod_h2/issues/212>.
-     [Stefan Eissing]
-  *) mod_ssl: Add build support for OpenSSL v3. [Rainer Jung,
-     Stefan Fritsch, Yann Ylavic, Stefan Eissing, Joe Orton,
-     Giovanni Bechis]
+  *) mod_ssl: Add build support for OpenSSL v3
   *) mod_proxy_connect: Honor the smallest of the backend or client timeout
-     while tunneling.  [Yann Ylavic]
+     while tunneling
   *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
-     half-close forwarding when tunneling protocols.  [Yann Ylavic]
-
+     half-close forwarding when tunneling protocols
   *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
      a third-party module.  PR 65627.
-     [acmondor <bz.apache.org acmondor.ca>, Yann Ylavic]
-
   *) mod_md: Fix memory leak in case of failures to load the private key.
-     PR 65620 [ Filipe Casal <filipe.casal@trailofbits.com> ]
-
   *) mod_md: adding v2.4.8 with the following changes
     - Added support for ACME External Account Binding (EAB).
       Use the new directive `MDExternalAccountBinding` to provide the
@@ -82,15 +74,11 @@ Mon Dec 20 11:26:49 UTC 2021 - David Anes <david.anes@suse.com>
       See <https://github.com/icing/mod_md/issues/268>
     - Fixed a mixup in md-status handler when static certificate files
       and renewal was configured at the same time.
-
   *) mod_md: values for External Account Binding (EAB) can
      now also be configured to be read from a separate JSON
      file. This allows to keep server configuration permissions
      world readable without exposing secrets.
-     [Stefan Eissing]
-
   *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
-     PR 65616.  [Ruediger Pluem]
 
 -------------------------------------------------------------------
 Wed Nov 24 11:04:43 UTC 2021 - pgajdos@suse.com