From 1dab303134104e5da4bf2ce01c2927435dbf67422ed549ddc90914bb55347dd0 Mon Sep 17 00:00:00 2001 
From: David Anes
Date: Mon, 14 Mar 2022 12:02:14 +0000
Subject: [PATCH 1/2] Accepting request 961671 from home:pgajdos
- version update to 2.4.53
*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds (cve.mitre.org) Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker provided data. This issue affects Apache HTTP Server 2.4 version 2.4.52 and prior versions. Credits: Ronald Crane (Zippenhop LLC)
*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (cve.mitre.org) If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens which later causes out of bounds writes. This issue affects Apache HTTP Server 2.4.52 and earlier. Credits: Anonymous working with Trend Micro Zero Day Initiative
*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org) Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling Credits: James Kettle
*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of in r:parsebody (cve.mitre.org) A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier. Credits: Chamal De Silva
*) core: Make sure and check that LimitXMLRequestBody fits in system memory.
[Ruediger Pluem, Yann Ylavic]
OBS-URL: https://build.opensuse.org/request/show/961671
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=667
---
apache2.changes | 71 ++++++++++++++++++++++++++++++++++++++++
apache2.spec | 2 +-
httpd-2.4.52.tar.bz2 | 3 --
httpd-2.4.52.tar.bz2.asc | 17 ----------
httpd-2.4.53.tar.bz2 | 3 ++
httpd-2.4.53.tar.bz2.asc | 17 ++++++++++
6 files changed, 92 insertions(+), 21 deletions(-)
delete mode 100644 httpd-2.4.52.tar.bz2
delete mode 100644 httpd-2.4.52.tar.bz2.asc
create mode 100644 httpd-2.4.53.tar.bz2
create mode 100644 httpd-2.4.53.tar.bz2.asc
diff --git a/apache2.changes b/apache2.changes
index a19efae..2972b8b 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,74 @@
+-------------------------------------------------------------------
+Mon Mar 14 11:20:53 UTC 2022 - pgajdos@suse.com
+
+- version update to 2.4.53
+ *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
+ (cve.mitre.org)
+ Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
+ Server allows an attacker to overwrite heap memory with possibly
+ attacker provided data.
+ This issue affects Apache HTTP Server 2.4 version 2.4.52 and
+ prior versions.
+ Credits: Ronald Crane (Zippenhop LLC)
+ *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
+ very large or unlimited LimitXMLRequestBody (cve.mitre.org)
+ If LimitXMLRequestBody is set to allow request bodies larger
+ than 350MB (defaults to 1M) on 32 bit systems an integer
+ overflow happens which later causes out of bounds writes.
+ This issue affects Apache HTTP Server 2.4.52 and earlier.
+ Credits: Anonymous working with Trend Micro Zero Day Initiative
+ *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
+ in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
+ Apache HTTP Server 2.4.52 and earlier fails to close inbound
+ connection when errors are encountered discarding the request
+ body, exposing the server to HTTP Request Smuggling
+ Credits: James Kettle
+ *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
+ in r:parsebody (cve.mitre.org)
+ A carefully crafted request body can cause a read to a random
+ memory area which could cause the process to crash.
+ This issue affects Apache HTTP Server 2.4.52 and earlier.
+ Credits: Chamal De Silva
+ *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
+ [Ruediger Pluem, Yann Ylavic]
+ *) core: Simpler connection close logic if discarding the request body fails.
+ [Yann Ylavic, Ruediger Pluem]
+ *) mod_http2: preserve the port number given in a HTTP/1.1
+ request that was Upgraded to HTTP/2. Fixes PR65881.
+ [Stefan Eissing]
+ *) mod_proxy: Allow for larger worker name. PR 53218. [Yann Ylavic]
+ *) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
+ an attempt to load a dbm driver fails, log clearly which driver triggered
+ the error (not "default"), and what the error was. [Graham Leggett]
+ *) mod_proxy: Use the maxium of front end and backend timeouts instead of the
+ minimum when tunneling requests (websockets, CONNECT requests).
+ Backend timeouts can be configured more selectively (per worker if needed)
+ as front end timeouts and typically the backend timeouts reflect the
+ application requirements better. PR 65886 [Ruediger Pluem]
+ *) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
+ when an efficient TLS implementation is available. [Yann Ylavic]
+ *) core, mod_info: Add compiled and loaded PCRE versions to version
+ number display. [Rainer Jung]
+ *) mod_md: do not interfere with requests to /.well-known/acme-challenge/
+ resources if challenge type 'http-01' is not configured for a domain.
+ Fixes .
+ [Stefan Eissing]
+ *) mod_dav: Fix regression when gathering properties which could lead to huge
+ memory consumption proportional to the number of resources.
+ [Evgeny Kotkov, Ruediger Pluem]
+ *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
+ for regular expression evaluation. This depends on locating pcre2-config.
+ [William Rowe, Petr Pisar , Rainer Jung]
+ *) Add the ldap function to the expression API, allowing LDAP filters and
+ distinguished names based on expressions to be escaped correctly to
+ guard against LDAP injection. [Graham Leggett]
+ *) mod_md: the status description in MDomain's JSON, exposed in the
+ md-status handler (if configured) did sometimes not carry the correct
+ message when certificates needed renew.
+ [Stefan Eissing]
+ *) mpm_event: Fix a possible listener deadlock on heavy load when restarting
+ and/or reaching MaxConnectionsPerChild. PR 65769.
[Yann Ylavic]
+
 -------------------------------------------------------------------
 Thu Jan 27 13:57:47 UTC 2022 - pgajdos@suse.com
diff --git a/apache2.spec b/apache2.spec
index 27c3a16..49350dd 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -115,7 +115,7 @@
 %endif
 Name: apache2%{psuffix}
-Version: 2.4.52
+Version: 2.4.53
 Release: 0
 Summary: The Apache HTTPD Server
 License: Apache-2.0
diff --git a/httpd-2.4.52.tar.bz2 b/httpd-2.4.52.tar.bz2
deleted file mode 100644
index 800aa18..0000000
--- a/httpd-2.4.52.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9
-size 7439184
diff --git a/httpd-2.4.52.tar.bz2.asc b/httpd-2.4.52.tar.bz2.asc
deleted file mode 100644
index 98bc581..0000000
--- a/httpd-2.4.52.tar.bz2.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmG7Q+8ACgkQ03fJ59GU
-TGbpCA/+Ne63eHZTIxNF86FN6rOXgCvoIGPcc8SCpJ3h9k3rfCdltB/Mwnmz93R8
-Eo0djI/jCdfQsrmw+4IALIVpH6WsVHLnFbR2gk5wY9Kv5SDoMNs8iNUKAa23yQ9y
-JNN3W9Bw3O3q7RhfK8a5jSCAVkKw4gxNPGu+4x6QwHZOCrCoXJdKjoWAPSdE6L2p
-RQDBAW+wHmqwh2HBrM4WZhWaj6Eer7UbV1ir7nIGXmCz0f5ekiADJA4c6aWHV5PL
-EBIHbRsSzhgvK0ZtLeR1oOQAZfsNJT2BMjk5M/8yanAyUxnOGcNdRRSBMk1XPbxa
-EhBujT9KuSAq1jk5FbwgzP1l+Yq2Gxxsh2a4UK7K7AaJV8macQtVDUq4TfYKIk8R
-hnXweflKw9nonxaYOiNwhtLE3FFMg7XozrNPImc2abLT/wDE/N6LPI2NMf4FWAkm
-XkQ5yzy5Nxs/MybIJs/YJQjLCrfDD8hbUcqPp6445YqJsiXAQ3vhMy755maI2ciz
-xXBe0xhq9kEILIUCynCpPZE8eCKEGjFr/hWfaYZR32GVceAmHV9GiDoD5K6dqk6z
-00TCNbfjY5hXzEkigLd1g2ZKp/d8tsG0NUw1SoXfXSdlK0ugMTkmqqZxcekvGOk9
-UcpKyzkxdqCywfwYFKmYsLi6cKFBXAlRq0K89vg4glC2cedVu9Y=
-=Fz0f
------END PGP SIGNATURE-----
diff --git a/httpd-2.4.53.tar.bz2 b/httpd-2.4.53.tar.bz2
new file mode 100644
index 0000000..2421609
--- /dev/null
+++ b/httpd-2.4.53.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63
+size 7431942
diff --git a/httpd-2.4.53.tar.bz2.asc b/httpd-2.4.53.tar.bz2.asc
new file mode 100644
index 0000000..c863a0c
--- /dev/null
+++ b/httpd-2.4.53.tar.bz2.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmIotxoACgkQ03fJ59GU
+TGbaAQ//TeVio63uLRIhyhW4qoUlGCL4KfCyY3aj5Yh6JGea9lYdioZ4JdHJan2y
+IYRuF7B2S/MgfWESsEkPq8Nh0+ym78ZObdTFsskUF9so3+3WN9szQwTP/9suNd4+
+fv1vOKKGdy2h4hakR+E182A8gJ9FO6FabiETLvPvYVma3+5Zd2duzyvAOAQUDvkj
+JhFXYVQCrWfiJN7gARePAzZyxbfWd5QVQMuCiWSIQ2PG0SkfQa07CsEiDiN8r8fZ
+NGpNmyfUNqz4aUkBssNr0rVfmLzG2vicrfWaOgyS0rAEqn7fYhgF3s9k5y2htgOu
+mdv2TPYl39NBf3uQNtR5tTUCPaop2GvH1GMJnz18W2fpessscHsuWiqeVVNUDmvV
+zrFWlH2ehYPIOt07moP80nWJzpP7F5BGSG3DqcXPSG1JM/TM8uC3dgbC7k26i3vh
++8ypE1unHjop4nGff4cSkGeC5W2PkXrYNJC8xyjwbT098Q+Z8kAcO8TLpdaSx6tf
+fI/9IwX+2uOhGx+ZHok0BSX0EpGK+i51Kspih++AcNaf6T4urXKdrpEgNm4jdHw7
+maCHPDelUMyxffBM/Jl8/VZD+SHuhK2LzPBFGOJdNhbNKzdkfg5TaxhfIywvV1T6
+JzRtvx/HoglaqCNFsBqflWpctC5dS2DeKEbP9FaDbqfxLmxp/G8=
+=7fpY
+-----END PGP SIGNATURE-----
From 76648b0e0d57c585f6f327573a1d76c7269c8e144af41ee75304af07edee8bf8 Mon Sep 17 00:00:00 2001
From: David Anes
Date: Mon, 14 Mar 2022 19:29:42 +0000
Subject: [PATCH 2/2] Accepting request 961683 from home:pgajdos
- httpd-framework updated to svn1898917
- deleted patches
- apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
- apache2-perl-io-socket.patch (upstreamed)
OBS-URL: https://build.opensuse.org/request/show/961683
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=668
---
...e-test-DirectorySlash-NotFound-logic.patch | 19 ----------
apache2-perl-io-socket.patch | 37 -------------------
apache2.changes | 8 ++++
apache2.spec | 10 +----
httpd-framework-svn1894461.tar.bz2 | 3 --
httpd-framework-svn1898917.tar.bz2 | 3 ++
6 files changed, 12 insertions(+), 68 deletions(-)
delete mode 100644 apache-test-DirectorySlash-NotFound-logic.patch
delete mode 100644 apache2-perl-io-socket.patch
delete mode 100644 httpd-framework-svn1894461.tar.bz2
create mode 100644 httpd-framework-svn1898917.tar.bz2
diff --git a/apache-test-DirectorySlash-NotFound-logic.patch b/apache-test-DirectorySlash-NotFound-logic.patch
deleted file mode 100644
index 9ab66aa..0000000
--- a/apache-test-DirectorySlash-NotFound-logic.patch
+++ /dev/null
@@ -1,19 +0,0 @@
---- a/httpd-framework/t/modules/dir.t.orig 2021-11-24 10:37:58.688525957 +0000
-+++ b/httpd-framework/t/modules/dir.t 2021-11-24 10:38:15.568621991 +0000
-@@ -98,12 +98,12 @@ $res = GET "/modules/dir/htaccess", redi
- ok ($res->code == 403);
-
- if (have_min_apache_version('2.5.1')) {
-- skip("missing DirectorySlash NotFound");
--}
--else {
- $res = GET "/modules/dir/htaccess/sub1", redirect_ok => 0;
- ok ($res->code == 404);
- }
-+else {
-+ skip("missing DirectorySlash NotFound");
-+}
-
-
- sub write_htaccess {
-
diff --git a/apache2-perl-io-socket.patch b/apache2-perl-io-socket.patch
deleted file mode 100644
index 23e9514..0000000
--- a/apache2-perl-io-socket.patch
+++ /dev/null
@@ -1,37 +0,0 @@
---- httpd/test/framework/trunk/t/ssl/ocsp.t 2022/01/10 15:44:45 1896888
-+++ httpd/test/framework/trunk/t/ssl/ocsp.t 2022/01/10 18:08:12 1896889
-@@ -32,13 +32,21 @@ sok {
- $r = GET $url, cert => undef;
- my $message = $r->content() || '';
- my $warning = $r->header('Client-Warning') || '';
-+ print "warning: $warning\n";
-+ print "message: $message";
-+ print "response:\n";
- print $r->as_string;
- $r->code == 500 && $warning =~ 'Internal response' &&
-- $message =~ /alert handshake failure|read failed/;
-+ $message =~ /alert handshake failure|read failed|closed connection without sending any data/;
- };
-
- sok {
- $r = GET $url, cert => 'client_ok';
-+ my $warning = $r->header('Client-Warning') || '';
-+ my $message = $r->content() || '';
-+ print "warning: $warning\n";
-+ print "message: $message";
-+ print "response:\n";
- print $r->as_string;
- $r->code == 200;
- };
-@@ -47,7 +55,10 @@ sok {
- $r = GET $url, cert => 'client_revoked';
- my $message = $r->content() || '';
- my $warning = $r->header('Client-Warning') || '';
-+ print "warning: $warning\n";
-+ print "message: $message";
-+ print "response:\n";
- print $r->as_string;
- $r->code == 500 && $warning =~ 'Internal response' &&
-- $message =~ /alert certificate revoked|read failed/;
-+ $message =~ /alert handshake failure|read failed|closed connection without sending any data/;
- };
diff --git a/apache2.changes b/apache2.changes
index 2972b8b..1173650 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Mar 14 12:19:36 UTC 2022 - pgajdos@suse.com
+
+- httpd-framework updated to svn1898917
+- deleted patches
+ - apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
+ - apache2-perl-io-socket.patch (upstreamed)
+
 -------------------------------------------------------------------
 Mon Mar 14 11:20:53 UTC 2022 - pgajdos@suse.com
diff --git a/apache2.spec b/apache2.spec
index 49350dd..dc52eca 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -18,7 +18,7 @@
 %global upstream_name httpd
 %global testsuite_name %{upstream_name}-framework
-%global tversion svn1894461
+%global tversion svn1898917
 %global flavor @BUILD_FLAVOR@%{nil}
 %define mpm %{nil}
 %if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork"
@@ -198,10 +198,6 @@ Patch100: apache-test-application-xml-type.patch
 # even if in live system I do not experience this inconsistency, let's turn off
 # these variables from the test
 Patch101: apache-test-turn-off-variables-in-ssl-var-lookup.patch
-# PATCH: reverted logic, DirectorySlash NotFound is available in trunk onlyyet
-Patch102: apache-test-DirectorySlash-NotFound-logic.patch
-# https://svn.apache.org/viewvc?view=revision&revision=1896889
-Patch103: apache2-perl-io-socket.patch
 BuildRequires: apache-rpm-macros-control
 #Since 2.4.7 the event MPM requires apr 1.5.0 or later.
 BuildRequires: apr-devel >= 1.5.0
@@ -330,10 +326,6 @@ provides HTTP services in sync with the current HTTP standards.
 %patch4 -p1
 %patch100 -p1
 %patch101 -p1
-%patch102 -p1
-(cd httpd-framework
-%patch103 -p4
-)
 #
 # BUILD
diff --git a/httpd-framework-svn1894461.tar.bz2 b/httpd-framework-svn1894461.tar.bz2
deleted file mode 100644
index dc6b856..0000000
--- a/httpd-framework-svn1894461.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8536f6794f8ca000c2722e227c7ad6e17b33f8aeb0a5ce7662b4be110877733d
-size 1581270
diff --git a/httpd-framework-svn1898917.tar.bz2 b/httpd-framework-svn1898917.tar.bz2
new file mode 100644
index 0000000..75b7ddf
--- /dev/null
+++ b/httpd-framework-svn1898917.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0b49ceac5780f010a6695608fc0e62d45101a8efc395ea656b47ae225a3dfb1
+size 729713