Accepting request 667841 from Apache

- updated to 2.4.38
  * mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
    PR 63052 [Joe Orton]
  * mod_negotiation: Treat LanguagePriority as case-insensitive to match
    AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
  * mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
    have been fixed. [Michael Kaufmann, Stefan Eissing]
  * mod_setenvif: We can have expressions that become true if a regex pattern
    in the expression does NOT match. In this case val is NULL
    and we should just set the value for the environment variable 
    like in the pattern case. [Ruediger Pluem]
  * mod_session: Always decode session attributes early. [Hank Ibell]
  * core: Incorrect values for environment variables are substituted when
    multiple environment variables are specified in a directive. [Hank Ibell]
  * mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
    this type of map is present in the configuration.  PR62311.  
    [Hank Ibell <hwibell gmail.com>]
  * mod_dav: Fix invalid Location header when a resource is created by
    passing an absolute URI on the request line [Jim Jagielski]
  * mod_session_cookie: avoid duplicate Set-Cookie header in the response.
    [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
  * mod_ssl: clear *SSL errors before loading certificates and checking
    afterwards. Otherwise errors are reported when other SSL using modules
    are in play. Fixes PR 62880. [Michael Kaufmann]
  * mod_ssl: Fix the error code returned in an error path of
    'ssl_io_filter_handshake()'. This messes-up error handling performed
    in 'ssl_io_filter_error()' [Yann Ylavic]
  * mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
    authz provider so "Require ssl" works correctly in HTTP/2.
    PR 61519, 62654.  [Joe Orton, Stefan Eissing]
  * mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
    redirects, subsequent ProxyPassReverse statements, whether they are
    relative or absolute, may fail.  PR 60408.  [Peter Haworth <pmh1wheel gmail.com>]
  * mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1] (forwarded request 667015 from mmanu84)

OBS-URL: https://build.opensuse.org/request/show/667841
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=153

apache2-ssl-global.conf

@@ -85,16 +85,16 @@
 	#SSLRandomSeed startup file:/dev/urandom 512
 	#SSLRandomSeed connect file:/dev/urandom 512
 
-	# SSL protocols
-	# Allow TLS version 1.2 only, which is a recommended default these days
-	# by international information security standards.
-	SSLProtocol TLSv1.2
+	#   SSL protocols
+	#   Allow TLS version 1.2 or higher, which is a recommended default
+    #   these days by international information security standards.
+	SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
 
 	#   SSL Cipher Suite:
 	#   List the ciphers that the client is permitted to negotiate.
 	#   See the mod_ssl documentation for a complete list.
-        #   The magic string "DEFAULT_SUSE" expands to an openssl defined
-        #   secure list of default ciphers.
+	#   The magic string "DEFAULT_SUSE" expands to an openssl defined
+	#   secure list of default ciphers.
 	SSLCipherSuite DEFAULT_SUSE
 
 	#   SSLHonorCipherOrder

apache2.changes

@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Fri Jan 18 15:12:08 UTC 2019 - Manu Maier <mmanu84@outlook.de>
+
+- updated to 2.4.38
+  * mod_ssl: Clear retry flag before aborting client-initiated renegotiation.
+    PR 63052 [Joe Orton]
+  * mod_negotiation: Treat LanguagePriority as case-insensitive to match
+    AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet]
+  * mod_md: incorrect behaviour when synchronizing ongoing ACME challenges
+    have been fixed. [Michael Kaufmann, Stefan Eissing]
+  * mod_setenvif: We can have expressions that become true if a regex pattern
+    in the expression does NOT match. In this case val is NULL
+    and we should just set the value for the environment variable 
+    like in the pattern case. [Ruediger Pluem]
+  * mod_session: Always decode session attributes early. [Hank Ibell]
+  * core: Incorrect values for environment variables are substituted when
+    multiple environment variables are specified in a directive. [Hank Ibell]
+  * mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when
+    this type of map is present in the configuration.  PR62311.  
+    [Hank Ibell <hwibell gmail.com>]
+  * mod_dav: Fix invalid Location header when a resource is created by
+    passing an absolute URI on the request line [Jim Jagielski]
+  * mod_session_cookie: avoid duplicate Set-Cookie header in the response.
+    [Emmanuel Dreyfus <manu@netbsd.org>, Luca Toscano]
+  * mod_ssl: clear *SSL errors before loading certificates and checking
+    afterwards. Otherwise errors are reported when other SSL using modules
+    are in play. Fixes PR 62880. [Michael Kaufmann]
+  * mod_ssl: Fix the error code returned in an error path of
+    'ssl_io_filter_handshake()'. This messes-up error handling performed
+    in 'ssl_io_filter_error()' [Yann Ylavic]
+  * mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix
+    authz provider so "Require ssl" works correctly in HTTP/2.
+    PR 61519, 62654.  [Joe Orton, Stefan Eissing]
+  * mod_proxy: If ProxyPassReverse is used for reverse mapping of relative
+    redirects, subsequent ProxyPassReverse statements, whether they are
+    relative or absolute, may fail.  PR 60408.  [Peter Haworth <pmh1wheel gmail.com>]
+  * mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1]
+
+-------------------------------------------------------------------
+Wed Jan 16 08:56:20 UTC 2019 - Arjen de Korte <suse+build@de-korte.org>
+
+- SSLProtocol use TLSv1.2 or higher
+
 -------------------------------------------------------------------
 Wed Jan  9 10:26:46 UTC 2019 - Petr Gajdos <pgajdos@suse.com>
 

apache2.spec

@@ -65,7 +65,7 @@
 %define build_http2 0
 %endif
 Name:           apache2
-Version:        2.4.37
+Version:        2.4.38
 Release:        0
 Summary:        The Apache Web Server Version 2.4
 License:        Apache-2.0

httpd-2.4.37.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3498dc5c6772fac2eb7307dc7963122ffe243b5e806e0be4fb51974ff759d726
-size 7031632

httpd-2.4.37.tar.bz2.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iQEcBAABCAAGBQJbyJnxAAoJEJleNSIa2E3/gXYH/jwUT8Tdc6oFwIWe0r9oK97T
-KF+kbU6LoqezVJ8Fk5a0/JVPqgqQkaoipBAe7udtYXRyWr4+8ouSv6JEWH2K9Htr
-BoeDCTALBqO5TmtBqUtpSqy9jRVNRCDfrGS2Th6hEMZXtOMsumBaZrG0xn03jEdc
-ULXwIOPzNpp40E4GhALFDHR+qRLCa/+FDRjgggDSlhRwVC9Emz0wsD0SF0RmpHlM
-l9BoeKLu1ohvgeJrcLQKCsNCTEdEIJcXp8ZnfWiuHs1PY9TEO7z2YQPw2FjAsyic
-BSBC8HkTY8fHCblg5VP7UCfN9w0EDJIyQ7pE2sEWAhxHNsRKeXn0Tjgt8aAYz2g=
-=uhMF
------END PGP SIGNATURE-----

httpd-2.4.38.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7dc65857a994c98370dc4334b260101a7a04be60e6e74a5c57a6dee1bc8f394a
+size 7035030

httpd-2.4.38.tar.bz2.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCAAdFiEEueghOu+4Ya81pB8smV41IhrYTf8FAlxAzY0ACgkQmV41IhrY
+Tf8KCAf8CjlyLRwVKCeqgZJRthebKCr+liUH2+IFIoIX8erbvlx6wXN9lgb9O16R
+JmWBK7TLIFRxDfb68j3aS7OqM4/aZ2aIh5XJmFevmcmH+7CJYLVfQF5XLwIYUNj+
+L+BiUYjpwJb7MPiaXNi5/7A9XIdbCdOIuInnQKsgonmlOZRniaQOWQRel7CTwWP5
+SPOxThkeBK8zdqlFZ8og+uqDSZ5CbmRJgyN1O67MCHp13hX6WMtTLyd5+KF2gxr2
+4Ilrv2ryvl6hV+lDthW1D7u3SVAZ3NBvAW+4qpPTmCxMfW4TLl8hfQA1licnEXOl
+WEWJ/rSMVYoNelM3qPGz4gRy2yRp7A==
+=b8GF
+-----END PGP SIGNATURE-----