From 66fc0a512cc9d8833890f17dafcdbb0b94a81dd22a35aabd65b49e274b173fab Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Wed, 16 Jan 2019 10:16:44 +0000 Subject: [PATCH 1/2] Accepting request 666416 from home:adkorte:branches:openSUSE:Factory - SSLProtocol use TLSv1.2 or higher OBS-URL: https://build.opensuse.org/request/show/666416 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=575 --- apache2-ssl-global.conf | 12 ++++++------ apache2.changes | 5 +++++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/apache2-ssl-global.conf b/apache2-ssl-global.conf index 2765439..1872336 100644 --- a/apache2-ssl-global.conf +++ b/apache2-ssl-global.conf @@ -85,16 +85,16 @@ #SSLRandomSeed startup file:/dev/urandom 512 #SSLRandomSeed connect file:/dev/urandom 512 - # SSL protocols - # Allow TLS version 1.2 only, which is a recommended default these days - # by international information security standards. - SSLProtocol TLSv1.2 + # SSL protocols + # Allow TLS version 1.2 or higher, which is a recommended default + # these days by international information security standards. + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - # The magic string "DEFAULT_SUSE" expands to an openssl defined - # secure list of default ciphers. + # The magic string "DEFAULT_SUSE" expands to an openssl defined + # secure list of default ciphers. SSLCipherSuite DEFAULT_SUSE # SSLHonorCipherOrder diff --git a/apache2.changes b/apache2.changes index 1c002b6..76f1b58 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Jan 16 08:56:20 UTC 2019 - Arjen de Korte + +- SSLProtocol use TLSv1.2 or higher + ------------------------------------------------------------------- Wed Jan 9 10:26:46 UTC 2019 - Petr Gajdos From 25ee9e91e1dd966fe757e6597ced0cb297d2617391e1e97aae6c7ae272312116 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Tue, 22 Jan 2019 17:35:29 +0000 Subject: [PATCH 2/2] Accepting request 667015 from home:mmanu84:branches:Apache - updated to 2.4.38 * mod_ssl: Clear retry flag before aborting client-initiated renegotiation. PR 63052 [Joe Orton] * mod_negotiation: Treat LanguagePriority as case-insensitive to match AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet] * mod_md: incorrect behaviour when synchronizing ongoing ACME challenges have been fixed. [Michael Kaufmann, Stefan Eissing] * mod_setenvif: We can have expressions that become true if a regex pattern in the expression does NOT match. In this case val is NULL and we should just set the value for the environment variable like in the pattern case. [Ruediger Pluem] * mod_session: Always decode session attributes early. [Hank Ibell] * core: Incorrect values for environment variables are substituted when multiple environment variables are specified in a directive. [Hank Ibell] * mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when this type of map is present in the configuration. PR62311. [Hank Ibell ] * mod_dav: Fix invalid Location header when a resource is created by passing an absolute URI on the request line [Jim Jagielski] * mod_session_cookie: avoid duplicate Set-Cookie header in the response. [Emmanuel Dreyfus , Luca Toscano] * mod_ssl: clear *SSL errors before loading certificates and checking afterwards. Otherwise errors are reported when other SSL using modules are in play. Fixes PR 62880. [Michael Kaufmann] * mod_ssl: Fix the error code returned in an error path of 'ssl_io_filter_handshake()'. This messes-up error handling performed in 'ssl_io_filter_error()' [Yann Ylavic] * mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix authz provider so "Require ssl" works correctly in HTTP/2. PR 61519, 62654. [Joe Orton, Stefan Eissing] * mod_proxy: If ProxyPassReverse is used for reverse mapping of relative redirects, subsequent ProxyPassReverse statements, whether they are relative or absolute, may fail. PR 60408. [Peter Haworth ] * mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1] OBS-URL: https://build.opensuse.org/request/show/667015 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=576 --- apache2.changes | 38 ++++++++++++++++++++++++++++++++++++++ apache2.spec | 2 +- httpd-2.4.37.tar.bz2 | 3 --- httpd-2.4.37.tar.bz2.asc | 11 ----------- httpd-2.4.38.tar.bz2 | 3 +++ httpd-2.4.38.tar.bz2.asc | 11 +++++++++++ 6 files changed, 53 insertions(+), 15 deletions(-) delete mode 100644 httpd-2.4.37.tar.bz2 delete mode 100644 httpd-2.4.37.tar.bz2.asc create mode 100644 httpd-2.4.38.tar.bz2 create mode 100644 httpd-2.4.38.tar.bz2.asc diff --git a/apache2.changes b/apache2.changes index 76f1b58..97cdfb0 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Fri Jan 18 15:12:08 UTC 2019 - Manu Maier + +- updated to 2.4.38 + * mod_ssl: Clear retry flag before aborting client-initiated renegotiation. + PR 63052 [Joe Orton] + * mod_negotiation: Treat LanguagePriority as case-insensitive to match + AddLanguage behavior and HTTP specification. PR 39730 [Christophe Jaillet] + * mod_md: incorrect behaviour when synchronizing ongoing ACME challenges + have been fixed. [Michael Kaufmann, Stefan Eissing] + * mod_setenvif: We can have expressions that become true if a regex pattern + in the expression does NOT match. In this case val is NULL + and we should just set the value for the environment variable + like in the pattern case. [Ruediger Pluem] + * mod_session: Always decode session attributes early. [Hank Ibell] + * core: Incorrect values for environment variables are substituted when + multiple environment variables are specified in a directive. [Hank Ibell] + * mod_rewrite: Only create the global mutex used by "RewriteMap prg:" when + this type of map is present in the configuration. PR62311. + [Hank Ibell ] + * mod_dav: Fix invalid Location header when a resource is created by + passing an absolute URI on the request line [Jim Jagielski] + * mod_session_cookie: avoid duplicate Set-Cookie header in the response. + [Emmanuel Dreyfus , Luca Toscano] + * mod_ssl: clear *SSL errors before loading certificates and checking + afterwards. Otherwise errors are reported when other SSL using modules + are in play. Fixes PR 62880. [Michael Kaufmann] + * mod_ssl: Fix the error code returned in an error path of + 'ssl_io_filter_handshake()'. This messes-up error handling performed + in 'ssl_io_filter_error()' [Yann Ylavic] + * mod_ssl: Fix $HTTPS definition for "SSLEngine optional" case, and fix + authz provider so "Require ssl" works correctly in HTTP/2. + PR 61519, 62654. [Joe Orton, Stefan Eissing] + * mod_proxy: If ProxyPassReverse is used for reverse mapping of relative + redirects, subsequent ProxyPassReverse statements, whether they are + relative or absolute, may fail. PR 60408. [Peter Haworth ] + * mod_lua: Now marked as a stable module [https://s.apache.org/Xnh1] + ------------------------------------------------------------------- Wed Jan 16 08:56:20 UTC 2019 - Arjen de Korte diff --git a/apache2.spec b/apache2.spec index c1df922..2fa1c27 100644 --- a/apache2.spec +++ b/apache2.spec @@ -65,7 +65,7 @@ %define build_http2 0 %endif Name: apache2 -Version: 2.4.37 +Version: 2.4.38 Release: 0 Summary: The Apache Web Server Version 2.4 License: Apache-2.0 diff --git a/httpd-2.4.37.tar.bz2 b/httpd-2.4.37.tar.bz2 deleted file mode 100644 index 38c803d..0000000 --- a/httpd-2.4.37.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3498dc5c6772fac2eb7307dc7963122ffe243b5e806e0be4fb51974ff759d726 -size 7031632 diff --git a/httpd-2.4.37.tar.bz2.asc b/httpd-2.4.37.tar.bz2.asc deleted file mode 100644 index 8e5163c..0000000 --- a/httpd-2.4.37.tar.bz2.asc +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2 - -iQEcBAABCAAGBQJbyJnxAAoJEJleNSIa2E3/gXYH/jwUT8Tdc6oFwIWe0r9oK97T -KF+kbU6LoqezVJ8Fk5a0/JVPqgqQkaoipBAe7udtYXRyWr4+8ouSv6JEWH2K9Htr -BoeDCTALBqO5TmtBqUtpSqy9jRVNRCDfrGS2Th6hEMZXtOMsumBaZrG0xn03jEdc -ULXwIOPzNpp40E4GhALFDHR+qRLCa/+FDRjgggDSlhRwVC9Emz0wsD0SF0RmpHlM -l9BoeKLu1ohvgeJrcLQKCsNCTEdEIJcXp8ZnfWiuHs1PY9TEO7z2YQPw2FjAsyic -BSBC8HkTY8fHCblg5VP7UCfN9w0EDJIyQ7pE2sEWAhxHNsRKeXn0Tjgt8aAYz2g= -=uhMF ------END PGP SIGNATURE----- diff --git a/httpd-2.4.38.tar.bz2 b/httpd-2.4.38.tar.bz2 new file mode 100644 index 0000000..d03078e --- /dev/null +++ b/httpd-2.4.38.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7dc65857a994c98370dc4334b260101a7a04be60e6e74a5c57a6dee1bc8f394a +size 7035030 diff --git a/httpd-2.4.38.tar.bz2.asc b/httpd-2.4.38.tar.bz2.asc new file mode 100644 index 0000000..80f31cb --- /dev/null +++ b/httpd-2.4.38.tar.bz2.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCAAdFiEEueghOu+4Ya81pB8smV41IhrYTf8FAlxAzY0ACgkQmV41IhrY +Tf8KCAf8CjlyLRwVKCeqgZJRthebKCr+liUH2+IFIoIX8erbvlx6wXN9lgb9O16R +JmWBK7TLIFRxDfb68j3aS7OqM4/aZ2aIh5XJmFevmcmH+7CJYLVfQF5XLwIYUNj+ +L+BiUYjpwJb7MPiaXNi5/7A9XIdbCdOIuInnQKsgonmlOZRniaQOWQRel7CTwWP5 +SPOxThkeBK8zdqlFZ8og+uqDSZ5CbmRJgyN1O67MCHp13hX6WMtTLyd5+KF2gxr2 +4Ilrv2ryvl6hV+lDthW1D7u3SVAZ3NBvAW+4qpPTmCxMfW4TLl8hfQA1licnEXOl +WEWJ/rSMVYoNelM3qPGz4gRy2yRp7A== +=b8GF +-----END PGP SIGNATURE-----