7f28caabda
- Make /usr/sbin/httpd a dedicated script again, this fixes building modules while still making Apache free of update-alternatives, relying entirely on sysconfig to dispatch the appropriate MPM.
Martin Schreiner 2025-11-04 20:43:03 +00:00
369b30c142
Accepting request 1314641 from home:dimstar:Factory
Martin Schreiner 2025-11-04 18:42:23 +00:00
d069dfd19f
- Re-introduce /usr/sbin/httpd
- Links to start_apache2, which now contains the logic to dispatch to the appropriate MPM respecting sysconfig's decision.
Martin Schreiner 2025-10-21 11:32:54 +00:00
2cd34b5fd0
Accepting request 1311136 from home:mschreiner:branches:Apache
Martin Schreiner 2025-10-13 20:58:48 +00:00
1177533e53
- version update to 2.4.65
  *) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64 (cve.mitre.org)
     A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.
Kristyna Streitova 2025-07-23 12:56:49 +00:00
4300bba466
Accepting request 1294247 from home:mschreiner:branches:Apache
Martin Schreiner 2025-07-18 03:49:15 +00:00
e4531db3a3
* Refresh patches:
  - apache-test-application-xml-type.patch
  - apache-test-turn-off-variables-in-ssl-var-lookup.patch
  - apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch
  - apache2-LimitRequestFieldSize-limits-headers.patch
* Update to 2.4.64.
* CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by Memory Increase
* CVE-2025-49812: Apache HTTP Server: mod_ssl TLS upgrade attack
* CVE-2025-49630: Apache HTTP Server: mod_proxy_http2 denial of service
* CVE-2025-23048: Apache HTTP Server: mod_ssl access control bypass with session resumption
* CVE-2024-47252: Apache HTTP Server: mod_ssl error log variable escaping
* CVE-2024-43394: Apache HTTP Server: SSRF on Windows due to UNC paths
* CVE-2024-43204: Apache HTTP Server: SSRF with mod_headers setting Content-Type header
* CVE-2024-42516: Apache HTTP Server: HTTP response splitting
* mod_proxy_ajp: Use iobuffersize set on worker level for the IO buffer size.
* mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5 builds which enable it in libssl natively.
* mod_asis: Fix the log level of the message AH01236.
* mod_session_dbd: ensure format used with SessionDBDCookieName and SessionDBDCookieName2 are correct.
* mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could inadvertently modify the Content-Type _response_ header. Applies to Content-Type only and likely to only affect static file responses.
* mod_ssl: Remove warning over potential uninitialised value for ssl protocol prior to protocol selection.
* mod_proxy: Reuse ProxyRemote connections when possible, like prior to 2.4.59.
* mod_systemd: Add systemd socket activation support.
* mod_systemd: Log the SELinux context at startup if available and
Martin Schreiner 2025-07-18 03:49:15 +00:00
d2fe688ea4
Accepting request 1251624 from home:mschreiner:branches:Apache
Martin Schreiner 2025-03-10 05:09:18 +00:00
285b0fe9bf
- Update to 2.4.63:
  * mod_dav: Update redirect-carefully example BrowserMatch config to match more recent client versions.
  * mod_cache_socache: Fix possible crash on error path.
  * mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
  * mod_md: update to version 2.4.31
    - Improved error reporting when waiting for ACME server to verify domains or finalizing the order fails, e.g. times out.
    - Increasing the timeouts to wait for ACME server to verify domain names and issue the certificate from 30 seconds to 5 minutes.
    - Change a log level from error to debug when Stapling is enabled but a certificate carries no OCSP responder URL.
  * mod_proxy_balancer: Fix the handling of the stickysession configuration parameter by the balancer manager.
  * Add the ldap-search option to mod_authnz_ldap, allowing authorization to be based on arbitrary expressions that do not include the username. Make sure that when ldap searches are too long, we explicitly log the error.
  * mod_proxy: Honor parameters of ProxyPassMatch workers with substitution in the host name or port.
  * mod_log_config: Fix merging for the "LogFormat" directive.
  * mod_lua: Make r.ap_auth_type writable.
  * mod_md: update to version 2.4.29
    - Fixed HTTP-01 challenges to not carry a final newline, as some ACME servers fail to ignore it.
    - Fixed missing label+newline in server-status plain text output when MDStapling is enabled.
  * mod_ssl: Restore support for loading PKCS#11 keys via ENGINE without "SSLCryptoDevice" configured.
  * mod_authnz_ldap: Fix possible memory corruption if the
Martin Schreiner 2025-03-10 05:09:18 +00:00
6e2193fc73
Accepting request 1237660 from home:dimstar:Factory
Petr Gajdos 2025-01-14 10:27:27 +00:00
7e57f4d1e3
- Fix builds of test package with RPM 4.20:
  + noarch packages cannot rely on libdir, which is an arch-dependent variable. Rely on apxs -q libdir to extract the correct information instead.
Petr Gajdos 2025-01-14 10:27:27 +00:00
3684930e1f
- Add /srv/www directories to filelist [bsc#1231027] (apache2 will not start since default config uses this directory)
Martin Schreiner 2024-10-02 19:42:36 +00:00
129fff1b8c
Accepting request 1191452 from home:adkorte:branches:Apache
David Anes 2024-08-07 12:48:58 +00:00
9ac936a203
- Update to 2.4.62
  *) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows (cve.mitre.org) [boo#1228098]
     SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue.
     Credits: Smi1e (DBAPPSecurity Ltd.)
  *) SECURITY: CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType (cve.mitre.org) [boo#1228097]
     A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
  *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets with BalancerMember(s). PR 69168. [Yann Ylavic]
  *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs. PR 69160 [Yann Ylavic]
  *) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2. [Joe Orton]
  *) mod_ssl: Add support for loading certs/keys from pkcs11: URIs via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>]
  *) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0. [Ruediger Pluem, Yann Ylavic]
  *) mpm_worker: Fix possible warning (AH00045) about children processes not terminating timely. [Yann Ylavic]
David Anes 2024-08-07 12:48:58 +00:00