Accepting request 941819 from Apache

changlog update for 2.4.52:
CVE-2021-44224 boo#1193943
CVE-2021-44790 boo#1193942 (forwarded request 941816 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/941819
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=189

apache2.changes

@@ -1,3 +1,85 @@
+-------------------------------------------------------------------
+Mon Dec 20 11:26:49 UTC 2021 - David Anes <david.anes@suse.com>
+
+- version update to 2.4.52:
+  * fix CVE-2021-44224: NULL dereference or SSRF in forward proxy
+    configurations [boo#1193943]
+  * fix CVE-2021-44790: buffer overflow when parsing multipart
+    content in mod_lua [boo#1193942]
+  *) http: Enforce that fully qualified uri-paths not to be forward-proxied
+     have an http(s) scheme, and that the ones to be forward proxied have a
+     hostname, per HTTP specifications.
+  *) OpenSSL autoconf detection improvement: pick up openssl.pc in the
+     already sent it to the client.
+  *) mod_http: Correctly sent a 100 Continue status code when sending an interim
+     response as result of an Expect: 100-Continue in the request and not the
+     current status code of the request
+  *) mod_dav: Some DAV extensions, like CalDAV, specify both document
+     elements and property elements that need to be taken into account
+     when generating a property. The document element and property element
+     are made available in the dav_liveprop_elem structure by calling
+     dav_get_liveprop_element()
+  *) mod_dav: Add utility functions dav_validate_root_ns(),
+     dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and
+     dav_find_attr() so that other modules get to play too.
+  *) mpm_event: Restart stopping of idle children after a load peak
+  *) mod_http2: fixes 2 regressions in server limit handling.
+     1. When reaching server limits, such as MaxRequestsPerChild, the
+        HTTP/2 connection send a GOAWAY frame much too early on new
+        connections, leading to invalid protocol state and a client
+        failing the request
+        The module now initializes the HTTP/2 protocol correctly and
+        allows the client to submit one request before the shutdown
+        via a GOAWAY frame is being announced.
+     2. A regression in v1.15.24 was fixed that could lead to httpd
+        child processes not being terminated on a graceful reload or
+        when reaching MaxConnectionsPerChild. When unprocessed h2
+        requests were queued at the time, these could stall.
+        See <https://github.com/icing/mod_h2/issues/212>.
+  *) mod_ssl: Add build support for OpenSSL v3
+  *) mod_proxy_connect: Honor the smallest of the backend or client timeout
+     while tunneling
+  *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP
+     half-close forwarding when tunneling protocols
+  *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by
+     a third-party module.  PR 65627.
+  *) mod_md: Fix memory leak in case of failures to load the private key.
+  *) mod_md: adding v2.4.8 with the following changes
+    - Added support for ACME External Account Binding (EAB).
+      Use the new directive `MDExternalAccountBinding` to provide the
+      server with the value for key identifier and hmac as provided by
+      your CA.
+      While working on some servers, EAB handling is not uniform
+      across CAs. First tests with a Sectigo Certificate Manager in
+      demo mode are successful. But ZeroSSL, for example, seems to
+      regard EAB values as a one-time-use-only thing, which makes them
+      fail if you create a seconde account or retry the creation of the
+      first account with the same EAB.
+    - The directive 'MDCertificateAuthority' now checks if its parameter
+      is a http/https url or one of a set of known names. Those are
+      'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
+      for now and they are not case-sensitive.
+      The default of LetsEncrypt is unchanged.
+    - `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
+      section.
+    - Treating 401 HTTP status codes for orders like 403, since some ACME
+      servers seem to prefer that for accessing oders from other accounts.
+    - When retrieving certificate chains, try to read the repsonse even
+      if the HTTP Content-Type is unrecognized.
+    - Fixed a bug that reset the error counter of a certificate renewal
+      and prevented the increasing delays in further attempts.
+    - Fixed the renewal process giving up every time on an already existing
+      order with some invalid domains. Now, if such are seen in a previous
+      order, a new order is created for a clean start over again.
+      See <https://github.com/icing/mod_md/issues/268>
+    - Fixed a mixup in md-status handler when static certificate files
+      and renewal was configured at the same time.
+  *) mod_md: values for External Account Binding (EAB) can
+     now also be configured to be read from a separate JSON
+     file. This allows to keep server configuration permissions
+     world readable without exposing secrets.
+  *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
+
 -------------------------------------------------------------------
 Wed Nov 24 11:04:43 UTC 2021 - pgajdos@suse.com
 

apache2.spec

@@ -115,7 +115,7 @@
 %endif
 
 Name:           apache2%{psuffix}
-Version:        2.4.51
+Version:        2.4.52
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0

httpd-2.4.51.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:20e01d81fecf077690a4439e3969a9b22a09a8d43c525356e863407741b838f4
-size 7653609

httpd-2.4.51.tar.bz2.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmFe8kEACgkQ03fJ59GU
-TGatthAAtWzeOD1TCIEvf5f9bAIZDK9vjEEnBZDeYMMrH1wVJGNJm48XP08O/Kbq
-qhvc9201RUwkAtWEUX811ZBAYd5A8lAqetfmIuCSHerYSOU0CbhvBjKsuIJVIKWD
-Wo1uPUDWk068V0HBquQtW6AEB4oo16fKPMEr1aOOxFpR+F806daJN1gt3ubPzkNJ
-rZd4E6dV00eEymeUIfk0BjDqSWKHmUr+08/dtWqc7kGYGcnJzu0e5pr6cc0hOV2o
-mqYm28F7eMSe5JCnAOd1LnnqtOwV81mZLxiAxR40PoFhV7IoBLo0zAJ99AHxJfA2
-9RjCmZ/WYtleeDT7mC1cdATHKOPRaubklzK6Ntf7tMaRIO07hnIfIRXQveKG7h+G
-Og6PGtfR9bwDGrg2f5Dr+R2fwUJO7EL31IxTYQFBUDe2Q82aNIWpdIFdte93nc+S
-HqjWq3w6zq+jdSm3xvyLB0LLSOguXhcjj5VEqV+aExZPASbf+Q8bG51mSbMQhkaq
-fEheFcdhu3Sm0x5xQXvEM3gX5XUr8vmrPWaacayPYfS7MinWukV0hXe5/DoYkFTt
-a1pt6bHcyVfR0tB0Q3bvm59EeaxLVfogb6Eq74RlrfYiCU/Qx7bMUs3tSeIkHGmY
-cNhpxzc/36i4Cf+fBDPKuJroXYV5wFoQmpnXVLAqRd6jWZcOizY=
-=f5dx
------END PGP SIGNATURE-----

httpd-2.4.52.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9
+size 7439184

httpd-2.4.52.tar.bz2.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmG7Q+8ACgkQ03fJ59GU
+TGbpCA/+Ne63eHZTIxNF86FN6rOXgCvoIGPcc8SCpJ3h9k3rfCdltB/Mwnmz93R8
+Eo0djI/jCdfQsrmw+4IALIVpH6WsVHLnFbR2gk5wY9Kv5SDoMNs8iNUKAa23yQ9y
+JNN3W9Bw3O3q7RhfK8a5jSCAVkKw4gxNPGu+4x6QwHZOCrCoXJdKjoWAPSdE6L2p
+RQDBAW+wHmqwh2HBrM4WZhWaj6Eer7UbV1ir7nIGXmCz0f5ekiADJA4c6aWHV5PL
+EBIHbRsSzhgvK0ZtLeR1oOQAZfsNJT2BMjk5M/8yanAyUxnOGcNdRRSBMk1XPbxa
+EhBujT9KuSAq1jk5FbwgzP1l+Yq2Gxxsh2a4UK7K7AaJV8macQtVDUq4TfYKIk8R
+hnXweflKw9nonxaYOiNwhtLE3FFMg7XozrNPImc2abLT/wDE/N6LPI2NMf4FWAkm
+XkQ5yzy5Nxs/MybIJs/YJQjLCrfDD8hbUcqPp6445YqJsiXAQ3vhMy755maI2ciz
+xXBe0xhq9kEILIUCynCpPZE8eCKEGjFr/hWfaYZR32GVceAmHV9GiDoD5K6dqk6z
+00TCNbfjY5hXzEkigLd1g2ZKp/d8tsG0NUw1SoXfXSdlK0ugMTkmqqZxcekvGOk9
+UcpKyzkxdqCywfwYFKmYsLi6cKFBXAlRq0K89vg4glC2cedVu9Y=
+=Fz0f
+-----END PGP SIGNATURE-----