Accepting request 1070268 from Apache

OBS-URL: https://build.opensuse.org/request/show/1070268
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=202

apache2.changes

@@ -1,10 +1,41 @@
+-------------------------------------------------------------------
+Wed Mar  8 19:44:32 UTC 2023 - David Anes <david.anes@suse.com>
+
+- This update fixes the following security issues:
+  * CVE-2023-27522 [bsc#1209049]: mod_proxy_uwsgi HTTP response splitting 
+  * CVE-2023-25690 [bsc#1209047]: HTTP request splitting with mod_rewrite and mod_proxy  
+
+- Update to 2.4.56: 
+    *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
+      truncated without the initial logfile being truncated.  [Eric Covener]
+    *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
+      allow connections of any age to be reused. Up to now, a negative value
+      was handled as an error when parsing the configuration file.  PR 66421.
+      [nailyk <bzapache nailyk.fr>, Christophe Jaillet]
+    *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
+      of headers. [Ruediger Pluem]
+    *) mod_md:
+      - Enabling ED25519 support and certificate transparency information when
+        building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
+      - MDChallengeDns01 can now be configured for individual domains.
+        Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
+      - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
+        teardown not being invoked as it should.
+      [Stefan Eissing]
+    *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
+      reported in access logs and error documents. The processing of the
+      reset was correct, only unneccesary reporting was caused.
+      [Stefan Eissing]
+    *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
+      [Yann Ylavic]
+
 -------------------------------------------------------------------
 Wed Jan 18 21:54:41 UTC 2023 - David Anes <david.anes@suse.com>
 
 - This update fixes the following security issues:
-  * fix CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
-  * fix CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
-  * fix CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
+  * CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
+  * CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
+  * CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
 
 - Update to 2.4.55:
     *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to

apache2.spec

@@ -107,7 +107,7 @@
 %define build_http2 1
 
 Name:           apache2%{psuffix}
-Version:        2.4.55
+Version:        2.4.56
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0

httpd-2.4.55.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac
-size 7456187

httpd-2.4.55.tar.bz2.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmO9aoMACgkQgngd5G1Z
-VPpJrw//fJaMh9b5EdKeOZZXXjMNqn3+SM6HxivWNvfnB3vuhFodInWpAeojJTON
-0VArc+VGDykFJX8bT0FtBOqAWZl72iX8Jrqv0rLarX7TdFKHJYIc068tpGpjDA+S
-qJqueKA4rwSmv8hwVzHmqyucLuUPZSxMZ/SU0+sOv0vR3+t3aNSZ0ZyIwUTGgTMx
-fC4h89yC9AoFRPg3Xly9EzLRpajGAcnCjflxTSx9s9UWvyokMEkhO3KuEVJsimIK
-8EkTEnProrWV4uGQxX2Igbw8bmhQZ913vA6UoH4KR4PA05GDqmtZBpOVcHppkNG7
-Z2oTvdAVXYgb2ssieBnO6NJ6Xud5X1Btxr3Oy08F5kngCvBjM2NT7hXrHcbUW/fO
-rygL3OLx9lNHAWXfYgGtY9YHqzf6n6mWcedbzH9OJj722RGkvnUIWxsGNbo1WHa4
-EFciU8pkNhgEUTn/qWdCYINxv112BQH5Y4KmDjt7avAGAGc/m4vHYDpFhKHeDuw6
-HICAMMs/Lu5qMzW7aQ/FttHXqtE3lMxLwqB2ml63lzB4sBVYiuUJ2Lj0+UdTk3PG
-keZo+U2QnWi4DgdH6RV6dyNIs8OAdMlE8lfUDouo5i+r+MKkbmsOZdlK0HvnXEWg
-95aYnIbmyQ3rHdLI+ex45jNnU7wM0KFGEPq7P08GeBsfdC/MqZQ=
-=xtRh
------END PGP SIGNATURE-----

httpd-2.4.56.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d8d45f1398ba84edd05bb33ca7593ac2989b17cb9c7a0cafe5442d41afdb2d7c
+size 7456418

httpd-2.4.56.tar.bz2.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmQFCgEACgkQgngd5G1Z
+VPr0HhAAho+G5ExeMUPh7N8rDRJNswryTarzrphSO9kcll9cOcwPFxAsrp06aeaX
+PEnRh3iVIncHXy8i+Jgj4U+srnSNWoU6x0RbmUju4kv2xXYHXNJieOGRanmE03Hu
+hHq7Nv7KKb3GtYneof9pGboCR32LklJGSqEe8tpaW4f9y+HGOMflxpCLMqOAukyD
+i8buHUvQ9OEC5TKbefq+eSkL0ndi8993pNP8k2fw+AQi5oHZe4gcEeUXCh4Eo9Bj
++bfPnIjS2A9znQ3IkWk1zz5WAUJIz1FfokDFrIZvEFf7+Vv48Fg0h7YfwgtT3sAs
+Bz4ndUeG4DFKb0XwZ5uqnjeHkmRBn65FS+aXemhT1ilr3dx28O178BQ8gOv4FCYW
+ijrefUxyz0WJYeD1qxhvWewXCEyzwSdiNCItfkKAl0g0b2VJnWjhx302QSjwaRT/
+Qeh+bxGneDigyTy9eq2gdluUH/QoxwS+KVz+kp8xPoXJAkNT+2YOjpijOtnTMqQ0
+zTpTWS6f9WLXVBX38oOF3EM915RQcGmGWVp3RRaxh6WPmR1rlf/zIih4XqZn68NH
+qCjmRjE1ctG87ant/immcCrJ5GiSR9gHXhKMf7KLCUP3582fFuwvh0K9uO8z/Yfw
+j/Ppae3Y/4CPd8Yk6tB90eFFHWusMHtcUD/mMKMOnSdVWxR7IGA=
+=wk6o
+-----END PGP SIGNATURE-----