OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=26

apache2.changes

@@ -1,3 +1,63 @@
+-------------------------------------------------------------------
+Wed Oct 29 18:38:17 CET 2008 - poeml@suse.de
+
+- update year of copyright in rc.apache2
+
+-------------------------------------------------------------------
+Wed Oct 29 00:13:58 CET 2008 - poeml@suse.de
+
+- update to 2.2.10:
+  SECURITY: CVE-2008-2939 (cve.mitre.org)
+     mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
+     the FTP URL. Discovered by Marc Bevand of Rapid7. 
+  core:
+   - Support chroot on Unix-family platforms. PR 43596 
+  mod_authn_alias: 
+   - Detect during startup when AuthDigestProvider is configured to
+     use an incompatible provider via AuthnProviderAlias.  PR 45196 
+  mod_cgid: 
+   - Pass along empty command line arguments from an ISINDEX query
+     that has consecutive '+' characters in the QUERY_STRING,
+     matching the behavior of mod_cgi.
+  mod_charset_lite: 
+   - Avoid dropping error responses by handling meta buckets
+     correctly. PR 45687 
+  mod_dav_fs: 
+   - Retrieve minimal system information about directory entries
+     when walking a DAV fs, resolving a performance degradation on
+     Windows.  PR 45464.  
+  mod_headers: 
+   - Prevent Header edit from processing only the first header of
+     possibly multiple headers with the same name and deleting the
+     remaining ones. PR 45333.  
+  mod_proxy:
+   - Allow for smax to be 0 for balancer members so that all idle
+     connections are able to be dropped should they exceed ttl. PR 43371 
+   - Add 'scolonpathdelim' parameter to allow for ';' to also be
+     used as a session path separator/delim  PR 45158. 
+   - Add connectiontimeout parameter for proxy workers in order to
+     be able to set the timeout for connecting to the backend separately.
+     PR 45445. 
+  mod_proxy_http: 
+   - Don't trigger a retry by the client if a failure to
+     read the response line was the result of a timeout.
+   - Introduce environment variable proxy-initial-not-pooled to
+     avoid reusing pooled connections if the client connection is an initial
+     connection. PR 37770. 
+   - Do not forward requests with 'Expect: 100-continue' to
+     known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
+  mod_proxy_balancer: 
+   - Move nonce field in the balancer manager page inside
+     the html form where it belongs. PR 45578. 
+   - Add 'bybusyness' load balance method.
+  mod_rewrite: 
+   - Allow Cookie option to set secure and HttpOnly flags.  PR 44799 
+   - Preserve the query string when [proxy,noescape]. PR 45247.
+  mod_ssl: 
+   - implement dynamic mutex callbacks for the benefit of OpenSSL.  
+   - Rewrite shmcb to avoid memory alignment issues.  PR 42101.
+- drop obsolete patch httpd-2.2.x-CVE-2008-2939.patch
+
 -------------------------------------------------------------------
 Fri Oct 24 13:23:41 CEST 2008 - skh@suse.de
 

apache2.spec

@@ -1,5 +1,5 @@
 #
-# spec file for package apache2 (Version 2.2.9)
+# spec file for package apache2 (Version 2.2.10)
 #
 # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -61,9 +61,9 @@ BuildRequires:  expat-devel
 %define platform_string	Linux/%VENDOR
 License:        The Apache Software License
 Group:          Productivity/Networking/Web/Servers
-%define realver 2.2.9
+%define realver 2.2.10
-Version:        2.2.9
+Version:        2.2.10
-Release:        5
+Release:        1
 #Source0:      http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0:        http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
 Source10:       SUSE-NOTICE
@@ -116,7 +116,6 @@ Patch65:        httpd-2.0.49-log_server_status.dif
 Patch66:        httpd-2.0.54-envvars.dif
 Patch67:        httpd-2.2.0-apxs-a2enmod.dif
 Patch68:        httpd-2.x.x-logresolve.patch
-Patch69:        httpd-2.2.x-CVE-2008-2939.patch
 Url:            http://httpd.apache.org/
 Icon:           Apache.xpm
 Summary:        The Apache Web Server Version 2.0
@@ -335,7 +334,6 @@ Authors:
 %patch66 -p1
 %patch67 -p1
 %patch68 -p1
-%patch69 -p4
 #
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 #
@@ -1025,6 +1023,60 @@ if ! test -f /.buildenv; then
 fi
 
 %changelog
+* Wed Oct 29 2008 poeml@suse.de
+- update year of copyright in rc.apache2
+* Wed Oct 29 2008 poeml@suse.de
+- update to 2.2.10:
+  SECURITY: CVE-2008-2939 (cve.mitre.org)
+  mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
+  the FTP URL. Discovered by Marc Bevand of Rapid7.
+  core:
+   - Support chroot on Unix-family platforms. PR 43596
+  mod_authn_alias:
+   - Detect during startup when AuthDigestProvider is configured to
+  use an incompatible provider via AuthnProviderAlias.  PR 45196
+  mod_cgid:
+   - Pass along empty command line arguments from an ISINDEX query
+  that has consecutive '+' characters in the QUERY_STRING,
+  matching the behavior of mod_cgi.
+  mod_charset_lite:
+   - Avoid dropping error responses by handling meta buckets
+  correctly. PR 45687
+  mod_dav_fs:
+   - Retrieve minimal system information about directory entries
+  when walking a DAV fs, resolving a performance degradation on
+  Windows.  PR 45464.
+  mod_headers:
+   - Prevent Header edit from processing only the first header of
+  possibly multiple headers with the same name and deleting the
+  remaining ones. PR 45333.
+  mod_proxy:
+   - Allow for smax to be 0 for balancer members so that all idle
+  connections are able to be dropped should they exceed ttl. PR 43371
+   - Add 'scolonpathdelim' parameter to allow for ';' to also be
+  used as a session path separator/delim  PR 45158.
+   - Add connectiontimeout parameter for proxy workers in order to
+  be able to set the timeout for connecting to the backend separately.
+  PR 45445.
+  mod_proxy_http:
+   - Don't trigger a retry by the client if a failure to
+  read the response line was the result of a timeout.
+   - Introduce environment variable proxy-initial-not-pooled to
+  avoid reusing pooled connections if the client connection is an initial
+  connection. PR 37770.
+   - Do not forward requests with 'Expect: 100-continue' to
+  known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
+  mod_proxy_balancer:
+   - Move nonce field in the balancer manager page inside
+  the html form where it belongs. PR 45578.
+   - Add 'bybusyness' load balance method.
+  mod_rewrite:
+   - Allow Cookie option to set secure and HttpOnly flags.  PR 44799
+   - Preserve the query string when [proxy,noescape]. PR 45247.
+  mod_ssl:
+   - implement dynamic mutex callbacks for the benefit of OpenSSL.
+   - Rewrite shmcb to avoid memory alignment issues.  PR 42101.
+- drop obsolete patch httpd-2.2.x-CVE-2008-2939.patch
 * Fri Oct 24 2008 skh@suse.de
 - apache2.firewall, apache2.ssl-firewall
   Use unique name tags "HTTP Server" and "HTTPS Server" in for
@@ -1035,7 +1087,7 @@ fi
   mod_proxy_ftp: Prevent XSS attacks when using wildcards in
   the path of the FTP URL. Discovered by Marc Bevand of Rapid7.
   [Ruediger Pluem]
-* Wed Aug 27 2008 poeml@suse.de
+* Tue Aug 26 2008 poeml@suse.de
 - drop rc.config handling (was removed in or after SuSE Linux 8.0)
 - don't use fillup_insserv options which have been removed lately
 * Fri Aug 15 2008 poeml@suse.de
@@ -1624,7 +1676,7 @@ fi
 - add httpd-2.2.x.doublefree.patch, backport of
   http://svn.apache.org/viewvc?diff_format=h&view=rev&revision=496831
   See http://issues.apache.org/bugzilla/show_bug.cgi?id=39985
-* Fri Jan 19 2007 poeml@suse.de
+* Thu Jan 18 2007 poeml@suse.de
 - create debuginfo package in the buildservice
 * Fri Jan 12 2007 mskibbe@suse.de
 - change path to service cml document (fate #301708)
@@ -3288,7 +3340,7 @@ fi
 - disable httpd-2.0.36-64bit.dif
 - rename apachectl2 to apache2ctl
 - write the startup log to /var/tmp instead of /var/log/apache2
-* Mon Jan 13 2003 poeml@suse.de
+* Sun Jan 12 2003 poeml@suse.de
 - fix last fix (rpm macro before hash wasn't expanded)
 * Fri Jan 10 2003 poeml@suse.de
 - fix lib64 path in SuSEconfig

httpd-2.2.10.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:681d5787288e4e527877f415acce198be96ce7de0dc6e354646b1df4aae21383
+size 5068069

httpd-2.2.9.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d76599fbcf8b3bcff2779f880fb10e4a2bc4af60f64232083c06863e40850b61
-size 4943462

httpd-2.2.x-CVE-2008-2939.patch

@@ -1,13 +0,0 @@
-Taken from: http://svn.apache.org/viewvc?view=rev&revision=682870
-
---- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ftp.c	2008/08/05 19:00:05	682869
-+++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ftp.c	2008/08/05 19:01:50	682870
-@@ -383,6 +383,7 @@
-                                                            c->bucket_alloc));
-         }
-         if (wildcard != NULL) {
-+            wildcard = ap_escape_html(p, wildcard);
-             APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
-                                                            strlen(wildcard), p,
-                                                            c->bucket_alloc));
-

rc.apache2

@@ -3,10 +3,10 @@
 # Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
 # Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
 # Copyright (c) 2002, 2003, (2004?) SuSE Linux AG
-# Copyright (c) 2004(?), 2005, 2006, 2007 SUSE Linux Products GmbH
+# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
 #
 # Authors: Rolf Haberrecker <apache@suse.de>, 2001
-#          Peter Poeml <apache@suse.de>, 2002, 2003, 2004, 2005, 2006, 2007
+#          Peter Poeml <apache@suse.de>, 2002, 2003, 2004, 2005, 2006, 2007, 2008
 #
 #
 # /etc/init.d/apache2