- version update to 2.4.39

* mod_proxy/ssl: Cleanup per-request SSL configuration anytime a
    backend connection is recycled/reused to avoid a possible crash
    with some SSLProxy configurations in <Location> or <Proxy>
    context. PR 63256. [Yann Ylavic]
  * mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA
    failure. [Michael Kaufmann <mail michael-kaufmann.ch>]
  * mod_log_config: Support %{c}h for conn-hostname, %h for
    useragent_host PR 55348
  * mod_socache_redis: Support for Redis as socache storage
    provider.
  * core: new configuration option 'MergeSlashes on|off' that
    controls handling of multiple, consecutive slash ('/')
    characters in the path component of the request URL. [Eric
    Covener]
  * mod_http2: when SSL renegotiation is inhibited and a 403
    ErrorDocument is in play, the proper HTTP/2 stream reset did
    not trigger with H2_ERR_HTTP_1_1_REQUIRED. Fixed. [Michael
    Kaufmann]
  * mod_http2: new configuration directive: `H2Padding numbits` to
    control padding of HTTP/2 payload frames. 'numbits' is a number
    from 0-8, controlling the range of padding bytes added to a
    frame. The actual number added is chosen randomly per frame.
    This applies to HEADERS, DATA and PUSH_PROMISE frames equally.
    The default continues to be 0, e.g. no padding. [Stefan
    Eissing]
  * mod_http2: ripping out all the h2_req_engine internal features
    now that mod_proxy_http2 has no more need for it. Optional
    functions are still declared but no longer implemented. While
    previous mod_proxy_http2 will work with this, it is

OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=581

apache2-mod_http2-issue-167.patch

@@ -1,39 +0,0 @@
-Index: httpd-2.4.34/modules/http2/h2_from_h1.c
-===================================================================
---- httpd-2.4.34.orig/modules/http2/h2_from_h1.c	2018-05-29 23:16:29.000000000 +0200
-+++ httpd-2.4.34/modules/http2/h2_from_h1.c	2019-02-27 12:39:19.503285243 +0100
-@@ -22,6 +22,8 @@
- #include <apr_strings.h>
- 
- #include <httpd.h>
-+#define AP_STATUS_IS_HEADER_ONLY(x) ((x) == HTTP_NO_CONTENT || \
-+                                     (x) == HTTP_NOT_MODIFIED)
- #include <http_core.h>
- #include <http_log.h>
- #include <http_connection.h>
-@@ -586,18 +588,20 @@ apr_status_t h2_filter_headers_out(ap_fi
-         }
-     }
-     
--    if (r->header_only) {
-+    if (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status)) {
-         ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, f->c,
--                      "h2_task(%s): header_only, cleanup output brigade", 
-+                      "h2_task(%s): headers only, cleanup output brigade", 
-                       task->id);
-         b = body_bucket? body_bucket : APR_BRIGADE_FIRST(bb);
-         while (b != APR_BRIGADE_SENTINEL(bb)) {
-             next = APR_BUCKET_NEXT(b);
-             if (APR_BUCKET_IS_EOS(b) || AP_BUCKET_IS_EOR(b)) {
-                 break;
--            } 
--            APR_BUCKET_REMOVE(b);
--            apr_bucket_destroy(b);
-+            }
-+            if (!H2_BUCKET_IS_HEADERS(b)) {
-+                APR_BUCKET_REMOVE(b);
-+                apr_bucket_destroy(b);
-+            }
-             b = next;
-         }
-     }

apache2.changes

@@ -1,3 +1,84 @@
+-------------------------------------------------------------------
+Tue Apr  2 10:26:21 UTC 2019 - pgajdos@suse.com
+
+- version update to 2.4.39
+  * mod_proxy/ssl: Cleanup per-request SSL configuration anytime a
+    backend connection is recycled/reused to avoid a possible crash
+    with some SSLProxy configurations in <Location> or <Proxy>
+    context. PR 63256. [Yann Ylavic]
+  * mod_ssl: Correctly restore SSL verify state after TLSv1.3 PHA
+    failure. [Michael Kaufmann <mail michael-kaufmann.ch>]
+  * mod_log_config: Support %{c}h for conn-hostname, %h for
+    useragent_host PR 55348
+  * mod_socache_redis: Support for Redis as socache storage
+    provider.
+  * core: new configuration option 'MergeSlashes on|off' that
+    controls handling of multiple, consecutive slash ('/')
+    characters in the path component of the request URL. [Eric
+    Covener]
+  * mod_http2: when SSL renegotiation is inhibited and a 403
+    ErrorDocument is in play, the proper HTTP/2 stream reset did
+    not trigger with H2_ERR_HTTP_1_1_REQUIRED. Fixed. [Michael
+    Kaufmann]
+  * mod_http2: new configuration directive: `H2Padding numbits` to
+    control padding of HTTP/2 payload frames. 'numbits' is a number
+    from 0-8, controlling the range of padding bytes added to a
+    frame. The actual number added is chosen randomly per frame.
+    This applies to HEADERS, DATA and PUSH_PROMISE frames equally.
+    The default continues to be 0, e.g. no padding. [Stefan
+    Eissing]
+  * mod_http2: ripping out all the h2_req_engine internal features
+    now that mod_proxy_http2 has no more need for it. Optional
+    functions are still declared but no longer implemented. While
+    previous mod_proxy_http2 will work with this, it is
+    recommeneded to run the matching versions of both modules.
+    [Stefan Eissing]
+  * mod_proxy_http2: changed mod_proxy_http2 implementation and
+    fixed several bugs which resolve PR63170. The proxy module does
+    now a single h2 request on the (reused) connection and returns.
+    [Stefan Eissing]
+  * mod_http2/mod_proxy_http2: proxy_http2 checks correct master
+    connection aborted status to trigger immediate shutdown of
+    backend connections. This is now always signalled by mod_http2
+    when the the session is being released. proxy_http2 now only
+    sends a PING frame to the backend when there is not already one
+    in flight. [Stefan Eissing]
+  * mod_proxy_http2: fixed an issue where a proxy_http2 handler
+    entered an infinite loop when encountering certain errors on
+    the backend connection. See
+    <https://bz.apache.org/bugzilla/show_bug.cgi?id=63170>. [Stefan
+    Eissing]
+  * mod_http2: Configuration directives H2Push and H2Upgrade can
+    now be specified per Location/Directory, e.g. disabling PUSH
+    for a specific set of resources. [Stefan Eissing]
+  * mod_http2: HEAD requests to some module such as mod_cgid caused
+    the stream to terminate improperly and cause a HTTP/2
+    PROTOCOL_ERROR. Fixes
+    <https://github.com/icing/mod_h2/issues/167>. [Michael
+    Kaufmann]
+  * http: Fix possible empty response with mod_ratelimit for HEAD
+    requests. PR 63192. [Yann Ylavic]
+  * mod_cache_socache: Avoid reallocations and be safe with
+    outgoing data lifetime. [Yann Ylavic]
+  * MPMs unix: bind the bucket number of each child to its slot
+    number, for a more efficient per bucket maintenance. [Yann
+    Ylavic]
+  * mod_auth_digest: Fix a race condition. Authentication with
+    valid credentials could be refused in case of concurrent
+    accesses from different users. PR 63124. [Simon Kappel
+    <simon.kappel axis.com>]
+  * mod_http2: enable re-use of slave connections again. Fixed
+    slave connection keepalives counter. [Stefan Eissing]
+  * mod_reqtimeout: Allow to configure (TLS-)handshake timeouts. PR
+    61310. [Yann Ylavic]
+  * mod_proxy_wstunnel: Fix websocket proxy over UDS. PR 62932
+    <pavel dcmsys.com>
+  * mod_ssl: Don't unset FIPS mode on restart unless it's forced by
+    configuration (SSLFIPS on) and not active by default in
+    OpenSSL. PR 63136. [Yann Ylavic]
+- deleted patches
+  - apache2-mod_http2-issue-167.patch (upstreamed)
+
 -------------------------------------------------------------------
 Mon Mar 18 21:44:17 UTC 2019 - Jan Engelhardt <jengelh@inai.de>
 

apache2.spec

@@ -65,7 +65,7 @@
 %define build_http2 0
 %endif
 Name:           apache2
-Version:        2.4.38
+Version:        2.4.39
 Release:        0
 Summary:        The Apache Web Server Version 2.4
 License:        Apache-2.0
@@ -145,8 +145,6 @@ Patch111:       httpd-visibility.patch
 # PATCH-FEATURE-UPSTREAM kstreitova@suse.com -- backport of HttpContentLengthHeadZero and HttpExpectStrict
 Patch115:       httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
 Patch116:       deprecated-scripts-arch.patch
-# fix https://github.com/icing/mod_h2/issues/167 [bsc#1125965]
-Patch117:       apache2-mod_http2-issue-167.patch
 BuildRequires:  apache-rpm-macros-control
 BuildRequires:  apr-util-devel
 #Since 2.4.7 the event MPM requires apr 1.5.0 or later.
@@ -339,7 +337,6 @@ to administrators of web servers in general.
 %if 0%{?suse_version} == 1110
 %patch116 -p1
 %endif
-%patch117 -p1
 cat %{_sourcedir}/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{SOURCE22})

httpd-2.4.38.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:7dc65857a994c98370dc4334b260101a7a04be60e6e74a5c57a6dee1bc8f394a
-size 7035030

httpd-2.4.38.tar.bz2.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCAAdFiEEueghOu+4Ya81pB8smV41IhrYTf8FAlxAzY0ACgkQmV41IhrY
-Tf8KCAf8CjlyLRwVKCeqgZJRthebKCr+liUH2+IFIoIX8erbvlx6wXN9lgb9O16R
-JmWBK7TLIFRxDfb68j3aS7OqM4/aZ2aIh5XJmFevmcmH+7CJYLVfQF5XLwIYUNj+
-L+BiUYjpwJb7MPiaXNi5/7A9XIdbCdOIuInnQKsgonmlOZRniaQOWQRel7CTwWP5
-SPOxThkeBK8zdqlFZ8og+uqDSZ5CbmRJgyN1O67MCHp13hX6WMtTLyd5+KF2gxr2
-4Ilrv2ryvl6hV+lDthW1D7u3SVAZ3NBvAW+4qpPTmCxMfW4TLl8hfQA1licnEXOl
-WEWJ/rSMVYoNelM3qPGz4gRy2yRp7A==
-=b8GF
------END PGP SIGNATURE-----

httpd-2.4.39.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b4ca9d05773aa59b54d66cd8f4744b945289f084d3be17d7981d1783a5decfa2
+size 7030539

httpd-2.4.39.tar.bz2.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEueghOu+4Ya81pB8smV41IhrYTf8FAlybkZUACgkQmV41IhrY
+Tf95uwgAxLwIsW7SFVXjYND69EBKwUPddPgvLTXCC8Qb7v49nkGLQbNp7Emiolsq
+CcgIjUNtKCgOSI/diAH0Ii2e3FpdvmZKgxWKqGXAn5xUSq4Sp9McQb1S46x925gU
+J+Qqm4e3+JiY3nBntPx3K2j8/33hX/QMDxOTqnYE+m/l5uyL713Ed2LeJe6Dc4oE
+PxAmNm2TEdWfAG0/ZIzhGkZEoEjLQLTKJ6MVpEFeF7UKVJVc2aeA6a8FOilIoCXX
+k0/fFc8ljjogy4tia3EiKZCW3VRVYeZa7IiSlTRo8UhUKPAF8h4/I8T35Mq1n3mV
+KPMrkTtxb9N3o91KFSJHaXuIKxrltw==
+=lnVM
+-----END PGP SIGNATURE-----