1238d9e94c
- Include a sane HTTPD_SYSCONFIG_FILE env. variable when invoking /usr/sbin/httpd. The appropriate MPM was not being located when calling /usr/sbin/httpd directly.
- Rename event's 'mod_cgi' to 'mod_cgid' in loadmodule.conf, as that's what the event MPM ships.
Martin Schreiner 2026-01-04 21:20:48 +00:00
5051842ca9
- version update to 2.4.66
  *) SECURITY: CVE-2025-66200: Apache HTTP Server: mod_userdir+suexec bypass via AllowOverride FileInfo (cve.mitre.org) mod_userdir+suexec bypass via AllowOverride FileInfo vulnerability in Apache HTTP Server. Users with access to use the RequestHeader directive in htaccess can cause some CGI scripts to run under an unexpected userid. This issue affects Apache HTTP Server: from 2.4.7 through 2.4.65.
  *) SECURITY: CVE-2025-65082: Apache HTTP Server: CGI environment variable override (cve.mitre.org) Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache HTTP Server through environment variables set via the Apache configuration unexpectedly superseding variables calculated by the server for CGI programs. This issue affects Apache HTTP Server from 2.4.0 through 2.4.65.
  *) SECURITY: CVE-2025-59775: Apache HTTP Server: NTLM Leakage on Windows through UNC SSRF (cve.mitre.org) Server-Side Request Forgery (SSRF) vulnerability in Apache HTTP Server on Windows with AllowEncodedSlashes On and MergeSlashes Off allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content.
  *) SECURITY: CVE-2025-58098: Apache HTTP Server: Server Side Includes adds query string to #exec cmd=... (cve.mitre.org) Apache HTTP Server 2.4.65 and earlier with Server Side Includes (SSI) enabled and mod_cgid (but not mod_cgi) passes the shell-escaped query string to #exec cmd="..." directives. This issue affects Apache HTTP Server before 2.4.66.
  *) SECURITY: CVE-2025-55753: Apache HTTP Server: mod_md (ACME), unintended retry intervals (cve.mitre.org) An integer overflow in the case of failed ACME certificate renewal leads, after a number of failures (~30 days in default configurations), to the backoff timer becoming 0. Attempts to renew the certificate then are repeated without delays until it succeeds. This issue affects Apache HTTP Server: from 2.4.30 before 2.4.66.
  *) mod_http2: Fix handling of 304 responses from mod_cache.
  *) mod_http2/mod_proxy_http2: fix a bug in calculating the log2 value of integers, used in push diaries and proxy window size calculations.
  *) mod_md: update to version 2.6.5
     - New directive MDInitialDelay, controlling how long to wait after a server restart before checking certificates for renewal. [Michael Kaufmann]
     - Hardening: when built with OpenSSL older than 1.0.2 or old libressl versions, the parsing of ASN.1 time strings did not do a length check.
     - Hardening: when reading back OCSP responses stored in the local JSON store, a missing 'valid' key led to uninitialized values, resulting in wrong refresh behaviour.
  *) mod_md: update to version 2.6.6
     - Fix a small memory leak when using OpenSSL's BIGNUMs.
     - Fix reuse of curl easy handles by resetting them.
  *) mod_http2: update to version 2.0.35. New directive H2MaxStreamErrors to control how much bad behaviour by clients is tolerated before the connection is closed.
  *) mod_proxy_http2: add support for ProxyErrorOverride directive.
  *) mpm_common: Add new ListenTCPDeferAccept directive that allows to specify the value set for the TCP_DEFER_ACCEPT socket option on listen sockets.
  *) mod_ssl: Add SSLVHostSNIPolicy directive to control the virtual host compatibility policy.
  *) mod_md: update to version 2.6.2
     - Fix error retry delay calculation to not already double the wait on the first error.
  *) mod_md: update to version 2.6.1
     - Increasing default MDRetryDelay to 30 seconds to generate less bursty traffic on errored renewals for the ACME CA. This leads to error retries of 30s, 1 minute, 2, 4, etc. up to daily attempts.
     - Checking that configuring MDRetryDelay will result in a positive duration. A delay of 0 is not accepted.
     - Fix a bug in checking Content-Type of responses from the ACME server.
     - Added ACME ARI support (rfc9773) to the module. Enabled by default. New directive "MDRenewViaARI on|off" for controlling this.
     - Removing tailscale support. It has not been working for a long time as the company decided to change their APIs. Away with the dead code, documentation and tests.
     - Fixed a compilation issue with pre-industrial versions of libcurl.
- httpd testsuite of svn revision 1929573
Martin Schreiner 2025-12-08 20:36:56 +00:00
e9e8bec142
- Make /usr/sbin/httpd a dedicated script again, this fixes building modules while still making Apache free of update-alternatives, relying entirely on sysconfig to dispatch the appropriate MPM.
Martin Schreiner 2025-11-04 20:43:03 +00:00
829550ca66
- Ensure the mpm subpackages sync their rebuild counter with the main package to have the installations work reliably.
Martin Schreiner 2025-11-04 18:42:23 +00:00
74bf3248c9
- Re-introduce /usr/sbin/httpd
- Links to start_apache2, which now contains the logic to dispatch to the appropriate MPM respecting sysconfig's decision.
Martin Schreiner 2025-10-21 11:32:54 +00:00
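The three entries above (1238d9e94c, e9e8bec142 and 74bf3248c9) describe /usr/sbin/httpd as a small dispatcher that reads the sysconfig file and executes the MPM chosen there, with HTTPD_SYSCONFIG_FILE telling the child which file was used. The script below is an added example of that pattern, not the openSUSE package's own /usr/sbin/httpd or start_apache2 script. It assumes a sysconfig variable named APACHE_MPM, a default of "prefork" and MPM binaries named /usr/sbin/httpd-<mpm>; none of those names come from the changelog. The security point it makes: parse the sysconfig file instead of sourcing it, and accept only the MPM names httpd 2.4 actually ships, so a value such as a relative path can never reach exec().

```sh
#!/bin/sh
# Added example, not the openSUSE package's own /usr/sbin/httpd or
# start_apache2 script: a minimal dispatcher that picks the MPM binary from a
# sysconfig file. The variable name APACHE_MPM, the default "prefork" and the
# /usr/sbin/httpd-<mpm> binary naming are assumptions for illustration; the
# HTTPD_SYSCONFIG_FILE variable is the one the changelog mentions.

# select_mpm [sysconfig-file]: print the configured MPM name.
# The file is parsed, never sourced: sourcing would execute whatever else
# someone who can write the file put in it. Only the MPMs httpd 2.4 ships
# are accepted, so a bogus value cannot turn into an exec of an arbitrary path.
select_mpm() {
    sysconfig="${1:-${HTTPD_SYSCONFIG_FILE:-/etc/sysconfig/apache2}}"
    mpm=""
    if [ -r "$sysconfig" ]; then
        # Last assignment wins; strip surrounding quotes and trailing comments.
        mpm=$(sed -n 's/^[[:space:]]*APACHE_MPM=//p' "$sysconfig" \
              | tail -n 1 | tr -d "\"'" | sed 's/[[:space:]#].*$//')
    fi
    [ -n "$mpm" ] || mpm="prefork"
    case "$mpm" in
        prefork|worker|event) printf '%s\n' "$mpm" ;;
        *) printf 'unsupported APACHE_MPM "%s" in %s\n' "$mpm" "$sysconfig" >&2
           return 1 ;;
    esac
}

# mpm_binary [sysconfig-file]: print the binary to exec for the selected MPM.
mpm_binary() {
    mpm=$(select_mpm "$1") || return 1
    printf '/usr/sbin/httpd-%s\n' "$mpm"
}

# dispatch "$@": replace this process with the MPM binary, forwarding all
# arguments and exporting HTTPD_SYSCONFIG_FILE so the child reads the same
# sysconfig file the dispatcher used (the piece the 1238d9e94c entry fixes).
dispatch() {
    HTTPD_SYSCONFIG_FILE="${HTTPD_SYSCONFIG_FILE:-/etc/sysconfig/apache2}"
    export HTTPD_SYSCONFIG_FILE
    bin=$(mpm_binary "$HTTPD_SYSCONFIG_FILE") || exit 1
    exec "$bin" "$@"
}
```

Calling `dispatch "$@"` at the end of such a script makes `/usr/sbin/httpd -t` or `/usr/sbin/httpd -D FOREGROUND` behave the same whether invoked directly or through the service unit, because the MPM decision and the sysconfig path are resolved once and handed down in the environment.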
2d2e6834bc
Accepting request 1311136 from home:mschreiner:branches:Apache
Martin Schreiner 2025-10-13 20:58:48 +00:00
1177533e53
- version update to 2.4.65 *) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64 (cve.mitre.org) A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue.
Kristyna Streitova 2025-07-23 12:56:49 +00:00
e4531db3a3
* Refresh patches:
  - apache-test-application-xml-type.patch
  - apache-test-turn-off-variables-in-ssl-var-lookup.patch
  - apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch
  - apache2-LimitRequestFieldSize-limits-headers.patch
* Update to 2.4.64.
* CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by Memory Increase
* CVE-2025-49812: Apache HTTP Server: mod_ssl TLS upgrade attack
* CVE-2025-49630: Apache HTTP Server: mod_proxy_http2 denial of service
* CVE-2025-23048: Apache HTTP Server: mod_ssl access control bypass with session resumption
* CVE-2024-47252: Apache HTTP Server: mod_ssl error log variable escaping
* CVE-2024-43394: Apache HTTP Server: SSRF on Windows due to UNC paths
* CVE-2024-43204: Apache HTTP Server: SSRF with mod_headers setting Content-Type header
* CVE-2024-42516: Apache HTTP Server: HTTP response splitting
* mod_proxy_ajp: Use iobuffersize set on worker level for the IO buffer size.
* mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5 builds which enable it in libssl natively.
* mod_asis: Fix the log level of the message AH01236.
* mod_session_dbd: ensure the formats used with SessionDBDCookieName and SessionDBDCookieName2 are correct.
* mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could inadvertently modify the Content-Type _response_ header. Applies to Content-Type only and likely to only affect static file responses.
* mod_ssl: Remove warning over potential uninitialised value for ssl protocol prior to protocol selection.
* mod_proxy: Reuse ProxyRemote connections when possible, like prior to 2.4.59.
* mod_systemd: Add systemd socket activation support.
* mod_systemd: Log the SELinux context at startup if available and
Martin Schreiner 2025-07-18 03:49:15 +00:00
285b0fe9bf
- Update to 2.4.63:
  * mod_dav: Update redirect-carefully example BrowserMatch config to match more recent client versions.
  * mod_cache_socache: Fix possible crash on error path.
  * mod_ssl: Fail cleanly at startup if OpenSSL initialization fails.
  * mod_md: update to version 2.4.31
    - Improved error reporting when waiting for ACME server to verify domains or finalizing the order fails, e.g. times out.
    - Increasing the timeouts to wait for ACME server to verify domain names and issue the certificate from 30 seconds to 5 minutes.
    - Change a log level from error to debug when Stapling is enabled but a certificate carries no OCSP responder URL.
  * mod_proxy_balancer: Fix the handling of the stickysession configuration parameter by the balancer manager.
  * Add the ldap-search option to mod_authnz_ldap, allowing authorization to be based on arbitrary expressions that do not include the username. Make sure that when ldap searches are too long, we explicitly log the error.
  * mod_proxy: Honor parameters of ProxyPassMatch workers with substitution in the host name or port.
  * mod_log_config: Fix merging for the "LogFormat" directive.
  * mod_lua: Make r.ap_auth_type writable.
  * mod_md: update to version 2.4.29
    - Fixed HTTP-01 challenges to not carry a final newline, as some ACME servers fail to ignore it.
    - Fixed missing label+newline in server-status plain text output when MDStapling is enabled.
  * mod_ssl: Restore support for loading PKCS#11 keys via ENGINE without "SSLCryptoDevice" configured.
  * mod_authnz_ldap: Fix possible memory corruption if the
Martin Schreiner 2025-03-10 05:09:18 +00:00
7e57f4d1e3
- Fix builds of test package with RPM 4.20:
  + noarch packages cannot rely on libdir, which is an arch-dependent variable. Rely on apxs -q libdir to extract the correct information instead.
Petr Gajdos 2025-01-14 10:27:27 +00:00
3684930e1f
- Add /srv/www directories to filelist [bsc#1231027] (apache2 will not start since default config uses this directory)
Martin Schreiner 2024-10-02 19:42:36 +00:00
9ac936a203
- Update to 2.4.62
  *) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows (cve.mitre.org) [boo#1228098] SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue. Credits: Smi1e (DBAPPSecurity Ltd.)
  *) SECURITY: CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType (cve.mitre.org) [boo#1228097] A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
  *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets with BalancerMember(s). PR 69168. [Yann Ylavic]
  *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs. PR 69160 [Yann Ylavic]
  *) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2. [Joe Orton]
  *) mod_ssl: Add support for loading certs/keys from pkcs11: URIs via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>]
  *) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0. [Ruediger Pluem, Yann Ylavic]
  *) mpm_worker: Fix possible warning (AH00045) about children processes not terminating timely. [Yann Ylavic]
David Anes 2024-08-07 12:48:58 +00:00
7ee7d2c634
- httpd-framework updated to svn1894461
- added patches fix reverted logic, DirectorySlash NotFound is available in trunk only
  + apache-test-DirectorySlash-NotFound-logic.patch
- do not consider php tests, they do not run anyway
Petr Gajdos 2021-11-24 11:09:35 +00:00
d8f7f70594
- version update to 2.4.49
  *) core/mod_proxy/mod_ssl: Adding outgoing flag to conn_rec, indicating a connection is initiated by the server to somewhere, in contrast to incoming connections from clients. Adding 'ap_ssl_bind_outgoing()' function that marks a connection as outgoing and is used by mod_proxy instead of the previous optional function ssl_engine_set. This enables other SSL modules to secure proxy connections. The optional functions ssl_engine_set, ssl_engine_disable and ssl_proxy_enable are now provided by the core to have backward compatibility with non-httpd modules that might use them. mod_ssl itself no longer registers these functions, but keeps them in its header for backward compatibility. The core-provided optional functions wrap any registered function like it was done for ssl_is_ssl. [Stefan Eissing]
  *) mod_ssl: Support logging private key material for use with wireshark via log file given by SSLKEYLOGFILE environment variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
  *) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and "ProxyPassInterpolateEnv On" are configured. PR 65549. [Joel Self <joelself gmail.com>]
  *) mpm_event: Fix children processes possibly not stopped on graceful restart. PR 63169. [Joel Self <joelself gmail.com>]
  *) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d) protocols from mod_proxy_http, and a timeout triggering falsely when using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
  *) mod_unique_id: Reduce the time window where duplicates may be generated
Petr Gajdos 2021-09-17 08:39:47 +00:00
2877b62871
Accepting request 911090 from Apache
Richard Brown 2021-08-12 07:01:11 +00:00
e9b1a4ca5d
- introduce APACHE_TACEENABLE sysconfig variable, which translates to /etc/apache2/sysconfig.d/global.conf:TraceEnable on/off
- modified sources
  % apache2-global.conf
  % apache2-start_apache2
  % sysconfig.apache2
Petr Gajdos 2021-08-02 17:34:05 +00:00