diff --git a/apache2.changes b/apache2.changes index 0f26367..0a54890 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -2,32 +2,32 @@ Mon Dec 20 11:26:49 UTC 2021 - David Anes - version update to 2.4.52: + * fix CVE-2021-44224: NULL dereference or SSRF in forward proxy + configurations [boo#1193943] + * fix CVE-2021-44790: buffer overflow when parsing multipart + content in mod_lua [boo#1193942] *) http: Enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a - hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic] + hostname, per HTTP specifications. *) OpenSSL autoconf detection improvement: pick up openssl.pc in the - specified openssl path. [Joe Orton] - *) mod_proxy_connect, mod_proxy: Do not change the status code after we already sent it to the client. *) mod_http: Correctly sent a 100 Continue status code when sending an interim response as result of an Expect: 100-Continue in the request and not the - current status code of the request. PR 65725 [Ruediger Pluem] + current status code of the request *) mod_dav: Some DAV extensions, like CalDAV, specify both document elements and property elements that need to be taken into account when generating a property. The document element and property element are made available in the dav_liveprop_elem structure by calling - dav_get_liveprop_element(). [Graham Leggett] + dav_get_liveprop_element() *) mod_dav: Add utility functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() so that other modules get to play too. - [Graham Leggett] - *) mpm_event: Restart stopping of idle children after a load peak. PR 65626. - [Yann Ylavic, Ruediger Pluem] + *) mpm_event: Restart stopping of idle children after a load peak *) mod_http2: fixes 2 regressions in server limit handling. 1. When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection send a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client - failing the request. See PR65731. 
+ failing the request The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is being announced. @@ -36,22 +36,14 @@ Mon Dec 20 11:26:49 UTC 2021 - David Anes when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall. See . - [Stefan Eissing] - *) mod_ssl: Add build support for OpenSSL v3. [Rainer Jung, - Stefan Fritsch, Yann Ylavic, Stefan Eissing, Joe Orton, - Giovanni Bechis] + *) mod_ssl: Add build support for OpenSSL v3 *) mod_proxy_connect: Honor the smallest of the backend or client timeout - while tunneling. [Yann Ylavic] + while tunneling *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP - half-close forwarding when tunneling protocols. [Yann Ylavic] - + half-close forwarding when tunneling protocols *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by a third-party module. PR 65627. - [acmondor , Yann Ylavic] - *) mod_md: Fix memory leak in case of failures to load the private key. - PR 65620 [ Filipe Casal ] - *) mod_md: adding v2.4.8 with the following changes - Added support for ACME External Account Binding (EAB). Use the new directive `MDExternalAccountBinding` to provide the @@ -82,15 +74,11 @@ Mon Dec 20 11:26:49 UTC 2021 - David Anes See - Fixed a mixup in md-status handler when static certificate files and renewal was configured at the same time. - *) mod_md: values for External Account Binding (EAB) can now also be configured to be read from a separate JSON file. This allows to keep server configuration permissions world readable without exposing secrets. - [Stefan Eissing] - *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO. - PR 65616. [Ruediger Pluem] ------------------------------------------------------------------- Wed Nov 24 11:04:43 UTC 2021 - pgajdos@suse.com
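Review bot: in the first hunk (`@@ -2,32 +2,32 @@`) the rewrites of the `mod_http ... PR 65725`, `mpm_event ... PR 65626` and `mod_http2 ... See PR65731` entries drop the upstream bug numbers together with the contributor credits; keep the `PR` references (as the unchanged `core: ... PR 65627.` entry further down still does), since they are the only pointer from this changelog to the upstream tracker, just as the new `[boo#1193943]` / `[boo#1193942]` tags are for the two CVE bullets. The two `* fix CVE-...` bullets are also placed above the upstream entries without saying which of those entries implement the fixes; if the `http: Enforce that fully qualified uri-paths ... have an http(s) scheme` entry is the CVE-2021-44224 fix, note that next to the bullet so someone auditing the update does not have to work it out.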
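Review bot: in the second hunk (`@@ -36,22 +36,14 @@`) the `*) mod_md: Fix memory leak in case of failures to load the private key. PR 65620` entry is removed outright, with no `+` counterpart, while the neighbouring entries only lose their `[...]` credits; either restore the entry (it is a fix that ships in this update and belongs in the changelog) or say in the commit that fix entries are being pruned, and keep the PR-number treatment consistent with the `PR 65627.` line kept just above it. Also confirm that `*) mod_md: adding v2.4.8 with the following changes` survives the edit, because the `- Added support for ACME External Account Binding (EAB).` sub-bullets that follow have no heading without it.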
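Review bot: in the third hunk (`@@ -82,15 +74,11 @@`) the `*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO. PR 65616.` entry is deleted entirely rather than trimmed of its `[Ruediger Pluem]` credit like the EAB JSON-file entry above it; duplicate-slash normalisation of PATH_INFO is exactly the kind of behaviour change operators of uwsgi backends will look for when upgrading, so keep the entry and strip only the credit. The dangling `See` before `- Fixed a mixup in md-status handler` is pre-existing context, but since this block is being touched the missing reference should be restored from the upstream CHANGES rather than left empty.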