diff --git a/apache2.changes b/apache2.changes index f0f24e2..f2ed1af 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -1,10 +1,41 @@ +------------------------------------------------------------------- +Wed Mar 8 19:44:32 UTC 2023 - David Anes + +- This update fixes the following security issues: + * CVE-2023-27522 [bsc#1209049]: mod_proxy_uwsgi HTTP response splitting + * CVE-2023-25690 [bsc#1209047]: HTTP request splitting with mod_rewrite and mod_proxy + +- Update to 2.4.56: + *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be + truncated without the initial logfile being truncated. [Eric Covener] + *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to + allow connections of any age to be reused. Up to now, a negative value + was handled as an error when parsing the configuration file. PR 66421. + [nailyk , Christophe Jaillet] + *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number + of headers. [Ruediger Pluem] + *) mod_md: + - Enabling ED25519 support and certificate transparency information when + building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis. + - MDChallengeDns01 can now be configured for individual domains. + Thanks to Jérôme Billiras (@bilhackmac) for the initial PR. + - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge + teardown not being invoked as it should. + [Stefan Eissing] + *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors + reported in access logs and error documents. The processing of the + reset was correct, only unneccesary reporting was caused. + [Stefan Eissing] + *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. 
+ [Yann Ylavic] + ------------------------------------------------------------------- Wed Jan 18 21:54:41 UTC 2023 - David Anes - This update fixes the following security issues: - * fix CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting - * fix CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling - * fix CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte + * CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting + * CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling + * CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte - Update to 2.4.55: *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to diff --git a/apache2.spec b/apache2.spec index 84ae99f..ff36d5d 100644 --- a/apache2.spec +++ b/apache2.spec @@ -107,7 +107,7 @@ %define build_http2 1 Name: apache2%{psuffix} -Version: 2.4.55 +Version: 2.4.56 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 diff --git a/httpd-2.4.55.tar.bz2 b/httpd-2.4.55.tar.bz2 deleted file mode 100644 index d506de7..0000000 --- a/httpd-2.4.55.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac -size 7456187 diff --git a/httpd-2.4.55.tar.bz2.asc b/httpd-2.4.55.tar.bz2.asc deleted file mode 100644 index d4e4a1d..0000000 --- a/httpd-2.4.55.tar.bz2.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmO9aoMACgkQgngd5G1Z -VPpJrw//fJaMh9b5EdKeOZZXXjMNqn3+SM6HxivWNvfnB3vuhFodInWpAeojJTON -0VArc+VGDykFJX8bT0FtBOqAWZl72iX8Jrqv0rLarX7TdFKHJYIc068tpGpjDA+S -qJqueKA4rwSmv8hwVzHmqyucLuUPZSxMZ/SU0+sOv0vR3+t3aNSZ0ZyIwUTGgTMx -fC4h89yC9AoFRPg3Xly9EzLRpajGAcnCjflxTSx9s9UWvyokMEkhO3KuEVJsimIK -8EkTEnProrWV4uGQxX2Igbw8bmhQZ913vA6UoH4KR4PA05GDqmtZBpOVcHppkNG7 -Z2oTvdAVXYgb2ssieBnO6NJ6Xud5X1Btxr3Oy08F5kngCvBjM2NT7hXrHcbUW/fO -rygL3OLx9lNHAWXfYgGtY9YHqzf6n6mWcedbzH9OJj722RGkvnUIWxsGNbo1WHa4 -EFciU8pkNhgEUTn/qWdCYINxv112BQH5Y4KmDjt7avAGAGc/m4vHYDpFhKHeDuw6 -HICAMMs/Lu5qMzW7aQ/FttHXqtE3lMxLwqB2ml63lzB4sBVYiuUJ2Lj0+UdTk3PG -keZo+U2QnWi4DgdH6RV6dyNIs8OAdMlE8lfUDouo5i+r+MKkbmsOZdlK0HvnXEWg -95aYnIbmyQ3rHdLI+ex45jNnU7wM0KFGEPq7P08GeBsfdC/MqZQ= -=xtRh ------END PGP SIGNATURE----- diff --git a/httpd-2.4.56.tar.bz2 b/httpd-2.4.56.tar.bz2 new file mode 100644 index 0000000..b694014 --- /dev/null +++ b/httpd-2.4.56.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d8d45f1398ba84edd05bb33ca7593ac2989b17cb9c7a0cafe5442d41afdb2d7c +size 7456418 diff --git a/httpd-2.4.56.tar.bz2.asc b/httpd-2.4.56.tar.bz2.asc new file mode 100644 index 0000000..e4beaa8 --- /dev/null +++ b/httpd-2.4.56.tar.bz2.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmQFCgEACgkQgngd5G1Z +VPr0HhAAho+G5ExeMUPh7N8rDRJNswryTarzrphSO9kcll9cOcwPFxAsrp06aeaX +PEnRh3iVIncHXy8i+Jgj4U+srnSNWoU6x0RbmUju4kv2xXYHXNJieOGRanmE03Hu +hHq7Nv7KKb3GtYneof9pGboCR32LklJGSqEe8tpaW4f9y+HGOMflxpCLMqOAukyD +i8buHUvQ9OEC5TKbefq+eSkL0ndi8993pNP8k2fw+AQi5oHZe4gcEeUXCh4Eo9Bj ++bfPnIjS2A9znQ3IkWk1zz5WAUJIz1FfokDFrIZvEFf7+Vv48Fg0h7YfwgtT3sAs +Bz4ndUeG4DFKb0XwZ5uqnjeHkmRBn65FS+aXemhT1ilr3dx28O178BQ8gOv4FCYW +ijrefUxyz0WJYeD1qxhvWewXCEyzwSdiNCItfkKAl0g0b2VJnWjhx302QSjwaRT/ +Qeh+bxGneDigyTy9eq2gdluUH/QoxwS+KVz+kp8xPoXJAkNT+2YOjpijOtnTMqQ0 +zTpTWS6f9WLXVBX38oOF3EM915RQcGmGWVp3RRaxh6WPmR1rlf/zIih4XqZn68NH +qCjmRjE1ctG87ant/immcCrJ5GiSR9gHXhKMf7KLCUP3582fFuwvh0K9uO8z/Yfw +j/Ppae3Y/4CPd8Yk6tB90eFFHWusMHtcUD/mMKMOnSdVWxR7IGA= +=wk6o +-----END PGP SIGNATURE-----
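Review bot: in the apache2.changes hunk, the new 2.4.56 entry drops the `*) SECURITY: CVE-...` lines that the 2.4.55 entry below it still carries (`*) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to`), so CVE-2023-25690 and CVE-2023-27522 appear only in the bsc summary at the top and not in the quoted upstream list; for consistency with the previous entry, quote the upstream SECURITY lines for both CVEs under `Update to 2.4.56`. Also `[nailyk , Christophe Jaillet]` has a stray space before the comma, which looks like a stripped address, so check that line against upstream CHANGES. The rewrite of the Jan 18 entry only removes the `fix ` prefix on three lines; editing an already-published changelog entry is a style choice and is harmless here.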
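Review bot: the apache2.spec hunk changes only `-Version: 2.4.55` / `+Version: 2.4.56`, while the tarball and `.asc` are renamed in the same commit, so the build relies on the `Source:` lines using `%{version}`; that part of the spec is not in the diff, so confirm the build still resolves `httpd-2.4.56.tar.bz2` and its signature, and that any local patches applied on top of 2.4.55 still apply cleanly against 2.4.56.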
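Review bot: the two LFS pointer hunks swap `oid sha256:11d6ba19...` (size 7456187) for `oid sha256:d8d45f13...` (size 7456418), but nothing in the commit records that the new hash was compared with the SHA-256 published upstream for httpd-2.4.56.tar.bz2; an LFS pointer only proves what was uploaded, not that it is the upstream release, so note the comparison in the changelog entry or commit message.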
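Review bot: the new detached signature shares its leading bytes with the removed one (`iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAm`), which is the issuer-fingerprint subpacket, so it was produced with the same release key as the 2.4.55 signature and only the creation-time bytes that follow differ; that is the expected outcome, but the commit should state that `gpg --verify httpd-2.4.56.tar.bz2.asc httpd-2.4.56.tar.bz2` succeeded against the project's trusted keyring, since a signature file that merely parses is not evidence that the download was verified.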