- add patch: httpd-2.4.12-lua-5.2.patch
* lua_dump introduced a new strip option in 5.3, set it to 0
to get the old behavior
* luaL_register was deprecated in 5.2, use luaL_setfuncs and
luaL_newlib instead
* luaL_optint was deprecated in 5.3, use luaL_optinteger instead
* lua_strlen and lua_objlen wad deprecated in 5.2, use lua_rawlen
instead
OBS-URL: https://build.opensuse.org/request/show/317328
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=455
- change Provides: from suse_maintenance_mmn = # to
suse_maintenance_mmn_#
- apache2 Suggests:, not Recommends: apache2-prefork; that means
for example, that `zypper in apache2-worker` will not pull
apache2-prefork also
- installing /usr/sbin/httpd link:
* do not try to install it in '%post <MPM>' when apache2 (which
includes /usr/share/apache2/script-helpers) is not installed
yet (fixes installation on 11sp3)
* install it in '%post' if apache2 is installed after
apache2-<MPM> to be sure it is there
OBS-URL: https://build.opensuse.org/request/show/317068
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=454
- access_compat shared also for 11sp3
- apache2-implicit-pointer-decl.patch renamed to
httpd-implicit-pointer-decl.patch to align with other
patches names
- apachectl is now wrapper to start_apache2; therefore, it honors
HTTPD_INSTANCE variable, see README-instances.txt for details
+ httpd-apachectl.patch
- httpd-2.4.10-apachectl.patch
- a2enmod/a2dismod and a2enflag/a2disflag now respect
HTTPD_INSTANCE=<instance_name> environment variable, which can be
used to specify apache instance name; sysconfig file is expected
at /etc/sysconfig/apache2@<instance_name>
(see README-instances.txt for details)
- provides suse_maintenance_mmn symbol [bnc#915666] (internal)
- credits to Roman Drahtmueller:
* add reference to /etc/permissions.local to output of %post if
setting the permissions of suexec2 fails
* do not enable mod_php5 by default any longer
* httpd-2.0.49-log_server_status.dif obsoleted
* apache2-mod_ssl_npn.patch removed because not used
* include mod_reqtimeout.conf in httpd.conf
* added cgid-timeout.conf, include
it in httpd.conf
- fix default value APACHE_MODULES in sysconfig file
- %service_* macros for apache2@.service
OBS-URL: https://build.opensuse.org/request/show/316550
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=453
- allow to run multiple instances of Apache on one system
[fate#317786] (internal)
* distributed httpd.conf no longer includes sysconfig.d, nor this
directory is shipped. httpd.conf includes loadmodule.conf and
global.conf which are former sysconfig.d/loadmodule.conf and
sysconfig.d/global.conf for default /etc/sysconfig/apache2
global.conf and loadmodule.conf are not included when
sysconfig variables could have been read by start_apache2
startup script (run with systemd services). Therefore, when
starting server via /usr/sbin/httpd, sysconfig variables
are not taken into account.
* some not-maintained scripts are moved from
/usr/share/apache2 to /usr/share/apache2/deprecated-scripts
* all modules comment in sysconfig file is not generated
anymore
* added README-instances.txt
* removed Sources:
load_configuration
find_mpm
get_module_list
get_includes
find_httpd_includes
apache-find-directives
* added Sources:
deprecated-scripts.tar.xz
apache2-README-instances.txt
apache2-loadmodule.conf
apache2-global.conf
apache2-find-directives
apache2@.service
OBS-URL: https://build.opensuse.org/request/show/314699
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=452
*) mpm_winnt: Accept utf-8 (Unicode) service names and descriptions for
internationalization. [William Rowe]
*) mpm_winnt: Normalize the error and status messages emitted by service.c,
the service control interface for Windows. [William Rowe]
*) configure: Fix --enable-v4-mapped configuration on *BSD. PR 53824.
[ olli hauer <ohauer gmx.de>, Yann Ylavic ]
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=437
- remove obsolete patches
* httpd-2.4.10-check_null_pointer_dereference.patch
* httpd-event-deadlock.patch
* httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch
* httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch
- Apache 2.4.11
*) SECURITY: CVE-2014-3583 (cve.mitre.org)
mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
response headers' size above 8K. [Yann Ylavic, Jeff Trawick]
*) SECURITY: CVE-2014-3581 (cve.mitre.org)
mod_cache: Avoid a crash when Content-Type has an empty value.
PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]
*) SECURITY: CVE-2014-8109 (cve.mitre.org)
mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
used in multiple Require directives with different arguments.
PR57204 [Edward Lu <Chaosed0 gmail.com>]
*) SECURITY: CVE-2013-5704 (cve.mitre.org)
core: HTTP trailers could be used to replace HTTP headers
late during request processing, potentially undoing or
otherwise confusing modules that examined or modified
request headers earlier. Adds "MergeTrailers" directive to restore
legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
*) mod_ssl: New directive SSLSessionTickets (On|Off).
The directive controls the use of TLS session tickets (RFC 5077),
default value is "On" (unchanged behavior).
Session ticket creation uses a random key created during web
server startup and recreated during restarts. No other key
recreation mechanism is available currently. Therefore using session
tickets without restarting the web server with an appropriate frequency
OBS-URL: https://build.opensuse.org/request/show/281475
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=429
- added httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_\
requests.patch to fix flaw in the way mod_headers handled chunked
requests. Adds "MergeTrailers" directive to restore legacy
behavior [bnc#871310], [CVE-2013-5704].
- added httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_\
Require_line.patch that fixes handling of the Require line when
a LuaAuthzProvider is used in multiple Require directives with
different arguments [bnc#909715], [CVE-2014-8109].
OBS-URL: https://build.opensuse.org/request/show/265358
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=424
- update to apache 2.4.7, important changes:
* This release requires both apr and apr-util 1.5.x series
and therefore will no longer build in older released products
* mod_ssl: Improve handling of ephemeral DH and ECDH keys
(obsoletes httpd-mod_ssl_ephemeralkeyhandling.patch)
* event MPM: Fix possible crashes
* mod_deflate: Improve error detection
* core: Add open_htaccess hook in conjunction with dirwalk_stat.
* mod_rewrite: Make rewrite websocket-aware to allow proxying.
* mod_ssl: drop support for export-grade ciphers with ephemeral RSA
keys, and unconditionally disable aNULL, eNULL and EXP ciphers
(not overridable via SSLCipherSuite)
* see CHANGES for more details
OBS-URL: https://build.opensuse.org/request/show/208347
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=399
- mod_ssl: improve ephemeral key handling in particular, support DH params
with more than 1024 bits, and allow custom configuration.
This patch adjust DH parameters according to the relevant RFC
recommendations and permanently disables the usage of "export"
and "NULL" ciphers no matter what the user configuration is
(mod_ssl-2.4.x-ekh.diff, to be in 2.4.7)
OBS-URL: https://build.opensuse.org/request/show/204244
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=394
- provide and obsolete mod_macro
- upgrade: some people complain that log_config module
is not enabled by default sometimes, fix that.
- upgrade : "SSLMutex" no longer exists.
- Toogle EnableSendfile on because now apache defaults to off
due to kernel bugs. that's a silly thing to do here
as kernel bugs have to be fixed at their source, not worked around
in applications.
OBS-URL: https://build.opensuse.org/request/show/184902
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=384
- Update to version 2.4.6
* SECURITY: CVE-2013-1896 (cve.mitre.org)
* SECURITY: CVE-2013-2249 (cve.mitre.org)
* Major updates to mod_lua
* Support for proxying websocket requests
* Higher performant shm-based cache implementation
* Addition of mod_macro for easier configuration management
* As well as several exciting fixes, especially those related to RFC edge
cases in mod_cache and mod_proxy.
- IMPORTANT : With the current packaging scheme, we can no longer
Include the ITK MPM, therefore it has been disabled. This is because
this MPM can now only be provided as a loadable module but we do
not currently build MPMs as shared modules but as independant
binaries and all helpers/startup scripts depend on that behaviour.
It will be fixed in the upcoming weeks/months.
OBS-URL: https://build.opensuse.org/request/show/184014
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=382
- remove After=mysql.service php-fpm.service postgresql.service
which were added in the previous change, those must be added
as Before=apache2.service in the respective services.
- Include mod_systemd for more complete integration with
systemd, turn the service to Typé=notify as required
- Disable SSL NPN patch for now, it is required for mod_spdy
but mod_spdy does not support apache 2.4
- apache 2.4.4
* fix for CVE-2012-3499
* fix for the CRIME attack (disable ssl compression by default)
* many other bugfies
* build access_compat amd unixd as static modules and solve
some other upgrade quirks (bnc#813705)
OBS-URL: https://build.opensuse.org/request/show/179374
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=379
* re-worked CVE-2011-3192 (byterange_filter.c) with a regression
fix. New config option: MaxRanges (PR 51748)
* multi fixes in mod_filter, mod_proxy_ajp, mod_dav_fs,
mod_alias, mod_rewrite. As always, see CHANGES file.
- added httpd-%{realver}.tar.bz2.asc to source, along with
60C5442D.key which the tarball was signed with.
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=337
- Update to version 2.2.20, fix CVE-2011-3192
mod_deflate D.o.S.
- Fix apache PR 45076
- Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage
- Add 2 patches from the "low hanging fruit" warnings in apache
STATUS page.
* mod_deflate: Stop compressing HEAD requests
if there is not Content-Length header
* mod_reqtimeout: Disable keep-alive after read timeout
- Remove -fno-strict-aliasing from CFLAGS, no longer needed.
- Allow KeepAliveTimeout to be expressed in miliseconds
sometimes one second is too long, upstream r733557.
- When linux changes to version 3.x configure tests are gonna break.
remove version check, assuming kernel 2.2 or later.
OBS-URL: https://build.opensuse.org/request/show/80399
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=334
- Update to 2.2.19, only one bugfix.
*) Revert ABI breakage in 2.2.18 caused by the function signature change
of ap_unescape_url_keep2f(). This release restores the signature from
2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
[Eric Covener]
- Remove SSLv2 disabled patch, already in upstream.
- Update to version 2.2.18
* mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
* core: Treat timeout reading request as 408 error, not 400.
* core: Only log a 408 if it is no keepalive timeout.
* mod_rewrite: Allow to unset environment variables.
* prefork: Update MPM state in children during a graceful restart.
* Other fixes in mod_cache,mod_dav,mod_proxy se NEWS for detail.
- Fix regular expression in vhost ssl template IE workaround
it is obsolete see https://issues.apache.org/bugzilla/show_bug.cgi?id=49484
You should apply this update to fix painfully slow SSL
connections when using IE.
- Allow usage of an openSSL library compiled without SSlv2
OBS-URL: https://build.opensuse.org/request/show/71347
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=331
create listen port). But I hope it'll be fine in the "real" build service build
environment, as it used to be.
- update to 2.2.17:
SECURITY: CVE-2010-1623 (cve.mitre.org)
Fix a denial of service attack against apr_brigade_split_line().
[Actual fix is in the libapr 1.3 line, which we don't use // poeml]
SECURITY: CVE-2009-3560, CVE-2009-3720 (cve.mitre.org)
Fix two buffer over-read flaws in the bundled copy of expat which could
cause applications to crash while parsing specially-crafted XML documents.
[We build with system expat library // poeml]
prefork MPM: Run cleanups for final request when process exits gracefully
to work around a flaw in apr-util. PR 43857
core:
- check symlink ownership if both FollowSymlinks and
SymlinksIfOwnerMatch are set
- fix origin checking in SymlinksIfOwnerMatch PR 36783
- (re)-introduce -T commandline option to suppress documentroot
check at startup. PR 41887
vhost:
- A purely-numeric Host: header should not be treated as a port. PR 44979
rotatelogs:
- Fix possible buffer overflow if admin configures a
mongo log file path.
Proxy balancer: support setting error status according to HTTP response
code from a backend. PR 48939.
mod_authnz_ldap:
- If AuthLDAPCharsetConfig is set, also convert the
password to UTF-8. PR 45318.
mod_dir, mod_negotiation:
- Pass the output filter information to newly created sub requests; as these
are later on used as true requests with an internal redirect. This allows
for mod_cache et.al. to trap the results of the redirect. PR 17629, 43939
mod_headers:
- Enable multi-match-and-replace edit option PR 46594
mod_log_config:
- Make ${cookie}C correctly match whole cookie names
instead of substrings. PR 28037.
mod_reqtimeout:
- Do not wrongly enforce timeouts for mod_proxy's backend
connections and other protocol handlers (like mod_ftp). Enforce the
timeout for AP_MODE_GETLINE. If there is a timeout, shorten the lingering
close time from 30 to 2 seconds.
mod_ssl:
- Do not do overlapping memcpy. PR 45444
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=326
