Accepting request 1325323 from Apache

OBS-URL: https://build.opensuse.org/request/show/1325323
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=223

apache2-httpd

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
+# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
+# Copyright (c) 2002, 2003, (2004?) SuSE Linux AG
+# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
+#
+# Authors: Rolf Haberrecker <apache@suse.de>, 2001
+#          Peter Poeml <apache@suse.de>, 2002, 2003, 2004, 2005, 2006, 2007, 
+#                                        2008, 2009, 2010
+#
+#
+
+export HTTPD_SYSCONFIG_FILE="/etc/sysconfig/apache2"
+. /usr/share/apache2/script-helpers
+find_mpm
+
+apache_bin="$HTTPD_SBIN_BASE-$HTTPD_MPM"
+if ! [ -x $apache_bin ]; then
+	echo >&2 "$apache_bin is not a valid httpd binary."
+	echo >&2 "Check your APACHE_MPM setting in /etc/sysconfig/apache2."
+	exit 1
+fi
+
+exec $apache_bin "$@"

apache2-loadmodule.conf

@@ -57,7 +57,7 @@
     LoadModule authz_groupfile_module         /usr/lib64/apache2-event/mod_authz_groupfile.so
     LoadModule authz_user_module              /usr/lib64/apache2-event/mod_authz_user.so
     LoadModule autoindex_module               /usr/lib64/apache2-event/mod_autoindex.so
-    LoadModule cgi_module                     /usr/lib64/apache2-event/mod_cgi.so
+    LoadModule cgid_module                    /usr/lib64/apache2-event/mod_cgid.so
     LoadModule dir_module                     /usr/lib64/apache2-event/mod_dir.so
     LoadModule env_module                     /usr/lib64/apache2-event/mod_env.so
     LoadModule expires_module                 /usr/lib64/apache2-event/mod_expires.so

apache2-script-helpers

@@ -32,13 +32,23 @@ function find_mpm
 
   # try to read from sysconfig's APACHE_MPM
   HTTPD_MPM="$APACHE_MPM"
-  # if empty, then choose the one chosen by
-  # update alternatives
+
+  # if the value is empty, we try to determine the MPM based on what's
+  # installed, with the priority that is encoded below
   if [ -z "$HTTPD_MPM" ]; then
-     HTTPD_MPM=$(readlink $(readlink /usr/sbin/httpd) | sed "s:/usr/sbin/httpd-::")
+	if [ -x "$HTTPD_SBIN_BASE-prefork" ]; then
+		HTTPD_MPM="prefork"
+	elif [ -x "$HTTPD_SBIN_BASE-worker" ]; then
+		HTTPD_MPM="worker"
+	elif [ -x "$HTTPD_SBIN_BASE-event" ]; then
+		HTTPD_MPM="event"
+	else
+		echo >&2 "No usable APACHE_MPM was found."
+		echo >&2 "Check your APACHE_MPM setting in /etc/sysconfig/apache2."
+		exit 1
+	fi
   fi
 
-  # in case no 
   export HTTPD_MPM
 }
 

apache2-start_apache2

@@ -49,17 +49,11 @@ fi
 # /usr/sbin/httpd-worker, etc.) and serverflags
 #
 find_mpm
-if [ -n "$HTTPD_MPM" ]; then
-    apache_bin="$HTTPD_SBIN_BASE-$HTTPD_MPM"
-    if ! [ -x $apache_bin ]; then
-        echo >&2 "$apache_bin-$APACHE_MPM is not a valid httpd binary."
+apache_bin="$HTTPD_SBIN_BASE-$HTTPD_MPM"
+if ! [ -x $apache_bin ]; then
+	echo >&2 "$apache_bin is not a valid httpd binary."
 	echo >&2 "Check your APACHE_MPM setting in /etc/sysconfig/apache2."
 	exit 1
-    fi
-else
-    # take /usr/sbin/httpd, which will
-    # exist thanks to update alternatives
-    apache_bin="$HTTPD_SBIN_BASE"
 fi
 
 # server flags from APACHE_SERVER_FLAGS

apache2.changes

@@ -1,3 +1,130 @@
+-------------------------------------------------------------------
+Sun Jan  4 20:47:09 UTC 2026 - Martin Schreiner <martin.schreiner@suse.com>
+
+- Include a sane HTTPD_SYSCONFIG_FILE env. variable when invoking
+  /usr/sbin/httpd.
+  The appropriate MPM was not being located when calling /usr/sbin/httpd
+  directly.
+- Rename event's 'mod_cgi' to 'mod_cgid' in loadmodule.conf, as that's what
+  the event MPM ships.
+
+-------------------------------------------------------------------
+Thu Dec  4 18:37:34 UTC 2025 - Arjen de Korte <suse+build@de-korte.org>
+
+- version update to 2.4.66
+  *) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec
+     bypass via AllowOverride FileInfo (cve.mitre.org)
+     mod_userdir+suexec bypass via AllowOverride FileInfo
+     vulnerability in Apache HTTP Server. Users with access to use
+     the RequestHeader directive in htaccess can cause some CGI
+     scripts to run under an unexpected userid.
+     This issue affects Apache HTTP Server: from 2.4.7 through
+     2.4.65.
+  *) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment
+     variable override (cve.mitre.org)
+     Improper Neutralization of Escape, Meta, or Control Sequences
+     vulnerability in Apache HTTP Server through environment
+     variables set via the Apache configuration unexpectedly
+     superseding variables calculated by the server for CGI programs.
+     This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
+  *) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on
+     Windows through UNC SSRF (cve.mitre.org)
+     Server-Side Request Forgery (SSRF) vulnerability
+     Â in Apache HTTP Server on Windows
+     with AllowEncodedSlashes On and MergeSlashes Off  allows to
+     potentially leak NTLM
+     hashes to a malicious server via SSRF and malicious requests or
+     content
+  *) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side
+     Includes adds query string to #exec cmd=... (cve.mitre.org)
+     Apache HTTP Server 2.4.65 and earlier with Server Side Includes
+     (SSI) enabled and mod_cgid (but not mod_cgi) passes the
+     shell-escaped query string to #exec cmd="..." directives.
+     This issue affects Apache HTTP Server before 2.4.66.
+  *) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME),
+     unintended retry intervals (cve.mitre.org)
+     An integer overflow in the case of failed ACME certificate
+     renewal leads, after a number of failures (~30 days in default
+     configurations), to the backoff timer becoming 0. Attempts to
+     renew the certificate then are repeated without delays until it
+     succeeds.
+     This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
+  *) mod_http2: Fix handling of 304 responses from mod_cache.
+  *) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of
+     integers, used in push diaries and proxy window size calculations.
+  *) mod_md: update to version 2.6.5
+     - New directive `MDInitialDelay`, controlling how longer to wait after
+       a server restart before checking certificates for renewal.
+       [Michael Kaufmann]
+     - Hardening: when build with OpenSSL older than 1.0.2 or old libressl
+       versions, the parsing of ASN.1 time strings did not do a length check.
+     - Hardening: when reading back OCSP responses stored in the local JSON
+       store, missing 'valid' key led to uninitialized values, resulting in
+       wrong refresh behaviour.
+  *) mod_md: update to version 2.6.6
+     - Fix a small memory leak when using OpenSSL's BIGNUMs.
+     - Fix reuse of curl easy handles by resetting them.
+  *) mod_http2: update to version 2.0.35
+     New directive `H2MaxStreamErrors` to control how much bad behaviour
+     by clients is tolerated before the connection is closed.
+  *) mod_proxy_http2: add support for ProxyErrorOverride directive.
+  *) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify
+     the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
+  *) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual
+     host compatibility policy.
+  *) mod_md: update to version 2.6.2
+     - Fix error retry delay calculation to not already doubling the wait
+       on the first error.
+  *) mod_md: update to version 2.6.1
+     - Increasing default `MDRetryDelay` to 30 seconds to generate less bursty
+       traffic on errored renewals for the ACME CA. This leads to error retries
+        of 30s, 1 minute, 2, 4, etc. up to daily attempts.
+     - Checking that configuring `MDRetryDelay` will result in a positive
+       duration. A delay of 0 is not accepted.
+     - Fix a bug in checking Content-Type of responses from the ACME server.
+     - Added ACME ARI support (rfc9773) to the module. Enabled by default. New
+       directive "MDRenewViaARI on|off" for controlling this.
+     - Removing tailscale support. It has not been working for a long time
+       as the company decided to change their APIs. Away with the dead code,
+       documentation and tests.
+     - Fixed a compilation issue with pre-industrial versions of libcurl.
+- httpd testsuite of svn revision 1929573
+
+-------------------------------------------------------------------
+Tue Nov  4 20:41:23 UTC 2025 - Martin Schreiner <martin.schreiner@suse.com>
+
+- Make /usr/sbin/httpd a dedicated script again, this fixes building modules
+  while still making Apache free of update-alternatives, relying entirely
+  on sysconfig to dispatch the appropriate MPM.
+
+-------------------------------------------------------------------
+Fri Oct 31 07:40:53 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Ensure the mpm subpackages sync their rebuild counter with the
+  main package to have the installations work reliably.
+
+-------------------------------------------------------------------
+Tue Oct 21 11:31:28 UTC 2025 - Martin Schreiner <martin.schreiner@suse.com>
+
+- Re-introduce /usr/sbin/httpd
+- Links to start_apache2, which now contains the logic to dispatch
+  to the appropriate MPM respecting sysconfig's decision.
+
+-------------------------------------------------------------------
+Mon Oct 13 13:22:43 UTC 2025 - Martin Schreiner <martin.schreiner@suse.com>
+
+- Migrate from update-alternatives (bsc#1245830).
+- The APACHE_MPM environment variable now controls which MPM will be used.
+  If an empty string is provided, the script-helpers file implements its own logic
+  to pick an MPM from the currently installed ones.
+  As at least one MPM is always required, this will work just fine.
+
+-------------------------------------------------------------------
+Tue Sep 23 13:37:34 UTC 2025 - pgajdos@suse.com
+
+- httpd testsuite of svn revision 1928711, fixes the failure
+  caused by libxml2 version update to 2.14
+
 -------------------------------------------------------------------
 Wed Jul 23 12:39:31 UTC 2025 - pgajdos@suse.com
 

apache2.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package apache2
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,9 +16,11 @@
 #
 
 
+%global apache2_evr %{?epoch:%{epoch}:}%{version}-%{release}
+
 %global upstream_name   httpd
 %global testsuite_name  %{upstream_name}-framework
-%global tversion        svn1921782
+%global tversion        svn1929573
 %global flavor          @BUILD_FLAVOR@%{nil}
 %define mpm             %{nil}
 %if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork"
@@ -38,14 +40,9 @@
 %define unittest        1
 %endif
 %endif
-%if "%{mpm}" == "prefork"
-%define mpm_alt_prio    10
-%endif
-%if "%{mpm}" == "worker"
-%define mpm_alt_prio    20
-%endif
-%if "%{mpm}" == "event"
-%define mpm_alt_prio    30
+%if "%{flavor}" == "prefork" || "%{flavor}" == "worker" || "%{flavor}" == "event"
+# Ensure the mpm packages have a synced rebuild counter, as we insisit on requiring the package = %apache2_evr
+#!BcntSyncTag:  apache2
 %endif
 %define default_mpm     prefork
 %define suse_maintenance_mmn  0
@@ -107,7 +104,7 @@
 %define build_http2 1
 
 Name:           apache2%{psuffix}
-Version:        2.4.65
+Version:        2.4.66
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0
@@ -141,6 +138,7 @@ Source101:      apache2-a2enflag
 Source102:      apache2-systemd-ask-pass
 Source103:      apache2-start_apache2
 Source104:      apache2-script-helpers
+Source105:      apache2-httpd
 # additional support
 Source130:      apache2-gensslcert
 Source131:      apache2-check_forensic
@@ -262,12 +260,12 @@ BuildRequires:  netcfg
 # /SECTION
 %if "%{mpm}" != ""
 Provides:       apache2-MPM
-Requires:       apache2
+Requires:       apache2 = %{apache2_evr}
 %endif
 %if "%{flavor}" == ""
 Requires:       %{_sysconfdir}/mime.types
 Requires:       apache2-MPM
-Suggests:       apache2-%{default_mpm}
+Suggests:       apache2-%{default_mpm} = %{apache2_evr}
 Recommends:     apache2-utils
 Requires:       logrotate
 Provides:       %{apache_mmn}
@@ -298,7 +296,6 @@ Obsoletes:      apache2-doc <= %{version}
 Requires(pre):  permissions
 Requires(post): %fillup_prereq
 Requires(post): grep
-Requires(post): update-alternatives
 Requires(postun): update-alternatives
 %endif
 %if %{test} || "%{flavor}" == "manual"
@@ -484,18 +481,9 @@ make DESTDIR=%{buildroot} program-install
 pushd modules
 make DESTDIR=%{buildroot} install -j1
 popd
-# install alternative links (httpd binary, modules)
-mkdir -p %{buildroot}%{_sysconfdir}/alternatives
-ln -sf %{_sysconfdir}/alternatives/httpd %{buildroot}%{_sbindir}/httpd
-mkdir -p %{buildroot}%{_libdir}/apache2/
-for module in %{dynamic_modules}; do
-  if [ -e %{buildroot}%{libexecdir}/mod_$module.so ]; then
-    ln -sf %{_sysconfdir}/alternatives/mod_$module.so %{buildroot}%{_libdir}/apache2/mod_$module.so
-  fi
-done
 %endif
 
-# main packge install
+# main package install
 %if "%{flavor}" == ""
 mkdir -p %{buildroot}%{logfiledir} \
          %{buildroot}%{proxycachedir} \
@@ -531,6 +519,7 @@ install -m 755 %{SOURCE100} %{buildroot}%{_sbindir}/a2enmod
 ln -s a2enmod %{buildroot}%{_sbindir}/a2dismod
 install -m 755 %{SOURCE101} %{buildroot}%{_sbindir}/a2enflag
 ln -s a2enflag %{buildroot}%{_sbindir}/a2disflag
+install -m 755 %{SOURCE105} %{buildroot}%{_sbindir}/httpd
 install -m 744 %{SOURCE103} %{buildroot}%{_sbindir}/start_apache2
 mkdir -p %{buildroot}/%{_datadir}/apache2/
 install -m 644 %{SOURCE104} %{buildroot}/%{_datadir}/apache2/script-helpers
@@ -822,14 +811,8 @@ exit 0
 # MPMs files
 %if ! %{test} && "%{mpm}" != ""
 %files
-%{_sbindir}/httpd
 %{_sbindir}/httpd-%{mpm}
-%ghost %{_sysconfdir}/alternatives/httpd
-# %%ghost %%{_sysconfdir}/alternatives/mod_*.so does not work
-%(for module in %{dynamic_modules}; do echo "%ghost %{_sysconfdir}/alternatives/mod_$module.so"; done)
 %dir %{_libdir}/apache2-%{mpm}
-%dir %{_libdir}/apache2
-%{_libdir}/apache2/*.so
 %{libexecdir}/mod_*.so
 %endif
 
@@ -874,6 +857,7 @@ exit 0
 %{_sbindir}/a2enmod
 %{_sbindir}/a2disflag
 %{_sbindir}/a2dismod
+%{_sbindir}/httpd
 %{_sbindir}/start_apache2
 %{_sbindir}/rcapache2
 %{_datadir}/apache2/script-helpers
@@ -927,21 +911,7 @@ exit 0
 
 # MPMs scriptlets
 %if ! %{test} && "%{mpm}" != ""
-%post
-%{_sbindir}/update-alternatives --quiet --force \
-    --install %{_sbindir}/httpd httpd %{_sbindir}/httpd-%{mpm} %{mpm_alt_prio}
-for module in %{dynamic_modules}; do
-  if [ -e %{libexecdir}/mod_$module.so ]; then
-    %{_sbindir}/update-alternatives --quiet --force \
-        --install %{_libdir}/apache2/mod_$module.so mod_$module.so %{libexecdir}/mod_$module.so %{mpm_alt_prio}
-  fi
-done
-exit 0
-
-%postun
-if [ "$1" = 1 ]; then
-  %apache_request_restart
-fi
+%pre
 if [ "$1" = 0 ]; then
   %{_sbindir}/update-alternatives --quiet --force --remove httpd %{_sbindir}/httpd
   for module in %{dynamic_modules}; do
@@ -950,6 +920,12 @@ if [ "$1" = 0 ]; then
 fi
 exit 0
 
+%postun
+if [ "$1" = 1 ]; then
+  %apache_request_restart
+fi
+exit 0
+
 %posttrans
 %apache_restart_if_needed
 exit 0

httpd-2.4.65.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:58b8be97d9940ec17f7656c0c6b9f41b618aac468b894b534148e3296c53b8b3
-size 7506711

httpd-2.4.65.tar.bz2.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmh+LjAACgkQgngd5G1Z
-VPpCEBAAhEV+nx6pMPZ1AKIbJ8forT54bs2ZGyCycWPRxWF34gq9fiaIcNyFbNRi
-3ziOqAJPt3sphorZYvcZ7K8Wx/tQbXdnKy+HkYzTgjb4JJU/NJZiiDcEcEVKoCXj
-4dBPCgGflZji0lljP65SbdmelwCzjGZPbkKGTtWyN0HiOI7kcrh0F1Q7Mz2E63sW
-ZxN9r2zmOEzTkxFvWm+JMoAQi5stf2XlNLIKmjg5sbhFu2qdbQ6RadkMEsXuSJbi
-quzTmAVPDPFEwhSV4qtJDz8Dj2chLV+26f0sbaSSYa5G+ic4w6Vvyco4gE3K/yDz
-tmPuQcH1nJIPMrglMEJnYWYXrkBBRWYXgWGVZPYvlahu86Vx0h9bZKmG4rxkSOsE
-KGM4PebzhWxP9LKykY05X5AZgvrVuUaUo8WVIIvdIifX4GNzCdZFFwQTrO1AkQQY
-2T4/2BuyS/Hx1hIdVnMY3uMYaIXemJDl2rid9h/pfYxfBqnvP03yV3Xb5t+0Nq8V
-smdihF2G4Escts+WHTXyxBhG70QvBob6xYt9juu5UMX0PDrPNf61Dhnlur4aSA0u
-NhlO+Z0KCdXexRZUdKFeNuXShfaVaGm5ouZ0NQPB0NIOlzhvDLeHJdyn6G5AkajP
-r3A5DKDQmmd/bJqmi5y619o9hKx9lnmrhxj2LAGUqGycC5NBVUc=
-=hWqc
------END PGP SIGNATURE-----

httpd-2.4.66.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:94d7ff2b42acbb828e870ba29e4cbad48e558a79c623ad3596e4116efcfea25a
+size 7504564

httpd-2.4.66.tar.bz2.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmktjZ4ACgkQgngd5G1Z
+VPqmbA/9FHUJgIj9awZMhhzr3s7FVSL5fKnOxd/IFIZWn7iDRnEexAoX3QWbwbiu
+jD31GVidPBSTNph+5LHe/wHYe6mwwaohQ8egpqtuclOk8ct9kxbbbBFIWcg+wy7h
+xGHukI4FqY32PKAtCFsoNpbApwjZY8i8vL/5v9BEzY7FVWkviamXw3KsjB5GWLC9
+Nf3PrhonMDkHbLqFh8bohJXxzV/1sqKYu5CJ/HJshxCcNU98wSQ7ToUsaI7RHKn8
+l60MN92n2ziaD/ziskVsNS/xyvuv1Timf+QCWEr0k7lL6j2Kx0PRikqsm4BySMbh
+clGgswxQL1rhjPn6JFG1Ez+DharvVD+gDSlQfVS+ZiHhqNxvqR/rI/n780acXxeq
+nJUjjqKfoulq8FkxfSsMDvmS8c4QaZMjb6jCG5DoCMaxHcqH2DUADnYRikUTTKrm
+uhsjnSj5hBm1+h/gceOfxKgOSTTXzEyqHqG/aTwGqJDnMpZ0rYMe1kFjWQ2UMk/Q
+ak1A617ukMvmM6D1ReB+uewOVdneMTr26S5xjPtuc7IQtfOFWnlznWHF2pUPokAM
+NX+W0A9VbS6EmcI2HT2usH3iA3yx3fpJgm3KUCV3lGal3kRJYz+xedY3P25Q9PGn
+1lahIAbehWLUC2nLUBTRE5YQXLii1bvNKOXbfMUP0rtOI3o7ZZE=
+=IxDB
+-----END PGP SIGNATURE-----

httpd-framework-svn1929573.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2904b51b05b5f718966f11b4aeed0905d3a17ed9d53825a3caa4d3d3c569b246
+size 838260