- updated to 2.4.28:

*) SECURITY: CVE-2017-9798 (cve.mitre.org)
     Corrupted or freed memory access. <Limit[Except]> must now be used in the
     main configuration file (httpd.conf) to register HTTP methods before the
     .htaccess files.  [Yann Ylavic]
  *) event: Avoid possible blocking in the listener thread when shutting down
     connections. PR 60956.  [Yann Ylavic]
  *) mod_speling: Don't embed referer data in a link in error page.
     PR 38923 [Nick Kew]
  *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
     length in a password file.
     [Luca Toscano, Hanno Böck <hanno hboeck de>]
  *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
     [Jim Jagielski]
  *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
     PR 61142.
  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
     down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
     's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
  *) mod_http2: Fix for stalling when more than 32KB are written to a
     suspended stream.  [Stefan Eissing]
  *) build: allow configuration without APR sources.  [Jacob Champion]
  *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
     [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
      Yann Ylavic]
  *) core/log: Support use of optional "tag" in syslog entries.
     PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
  *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]
  *) core: Disallow multiple Listen on the same IP:port when listener buckets
     are configured (ListenCoresBucketsRatio > 0), consistently with the single

OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=527

apache2.changes

@@ -1,3 +1,44 @@
+-------------------------------------------------------------------
+Fri Oct  6 07:45:55 UTC 2017 - pgajdos@suse.com
+
+- updated to 2.4.28:
+  *) SECURITY: CVE-2017-9798 (cve.mitre.org)
+     Corrupted or freed memory access. <Limit[Except]> must now be used in the
+     main configuration file (httpd.conf) to register HTTP methods before the
+     .htaccess files.  [Yann Ylavic]
+  *) event: Avoid possible blocking in the listener thread when shutting down
+     connections. PR 60956.  [Yann Ylavic]
+  *) mod_speling: Don't embed referer data in a link in error page.
+     PR 38923 [Nick Kew]
+  *) htdigest: prevent a buffer overflow when a string exceeds the allowed max
+     length in a password file.
+     [Luca Toscano, Hanno Böck <hanno hboeck de>]
+  *) mod_proxy: loadfactor parameter can now be a decimal number (eg: 1.25).
+     [Jim Jagielski]
+  *) mod_proxy_wstunnel: Allow upgrade to any protocol dynamically.
+     PR 61142.
+  *) mod_watchdog/mod_proxy_hcheck: Time intervals can now be spefified
+     down to the millisecond. Supports 'mi' (minute), 'ms' (millisecond),
+     's' (second) and 'hr' (hour!) time suffixes. [Jim Jagielski]
+  *) mod_http2: Fix for stalling when more than 32KB are written to a
+     suspended stream.  [Stefan Eissing]
+  *) build: allow configuration without APR sources.  [Jacob Champion]
+  *) mod_ssl, ab: Fix compatibility with LibreSSL.  PR 61184.
+     [Bernard Spil <brnrd freebsd.org>, Michael Schlenker <msc contact.de>,
+      Yann Ylavic]
+  *) core/log: Support use of optional "tag" in syslog entries.
+     PR 60525. [Ben Rubson <ben.rubson gmail.com>, Jim Jagielski]
+  *) mod_proxy: Fix ProxyAddHeaders merging.  [Joe Orton]
+  *) core: Disallow multiple Listen on the same IP:port when listener buckets
+     are configured (ListenCoresBucketsRatio > 0), consistently with the single
+     bucket case (default), thus avoiding the leak of the corresponding socket
+     descriptors on graceful restart.  [Yann Ylavic]
+  *) event: Avoid listener periodic wake ups by using the pollset wake-ability
+     when available.  PR 57399.  [Yann Ylavic, Luca Toscano]
+  *) mod_proxy_wstunnel: Fix detection of unresponded request which could have
+     led to spurious HTTP 502 error messages sent on upgrade connections.
+     PR 61283.  [Yann Ylavic]
+
 -------------------------------------------------------------------
 Thu Oct  5 12:57:56 UTC 2017 - pgajdos@suse.com
 

apache2.spec

@@ -53,7 +53,7 @@
 %define mods_static unixd
 %endif
 Name:           apache2
-Version:        2.4.27
+Version:        2.4.28
 Release:        0
 Summary:        The Apache Web Server Version 2.4
 License:        Apache-2.0

httpd-2.4.27.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a
-size 6527394

httpd-2.4.27.tar.bz2.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIVAwUAWV51rTTqduZ5FIWoAQpSYQ//dq6ZWySYFWcTvHW3dgvgrKHZYyrX+Sd1
-tk4lprsTEBIcx3DnCGp6DUJ5vpTW20biPjMfOqRgjX3YEJvzyPasebiSPlsb3Kfm
-AMSkRhd73rjzrJ34qsN9JBeenupUxcDWPjJxaXB1miys4S1GXgb9gH9lkVpq9w5I
-hXsyP9xh5y7ZWguaNmKpezmLK+D90pglhD+/6D7nR9r1MVCyVL/30ARAsryaevjA
-cGbDm0ZJ2SjWD9oCY7vVIYFTyTx6tTg0+vHsOsAyKyq82wEVr8NvNwzdWv2KygOB
-vx+vpJC6o1Lz5WaU7vVDndZJzJAZq9S1yH/D0mkQ35qTUDEB/4qGvChWnEvqCoeq
-sLQA2111fot/PpgiWFFpx47gZrytkG6vqE6YnDr5zYT2IYCsq4saCAxj5uIahios
-D70kE4RHyUN7ohAYMbCLqyCN/2IIIrFPzXDUOS3j7HkTM3j9ZtltlMtaQeFOo+u3
-uYsDxbKhlTFparj2wDFf8wl+M2/0sfeVzFNkUkVzYhnHQQ4ydaCVIk+CEhvCD/FZ
-oXRNALOnCkmMOK9pptaIe/Y/kmlAPGK2OLAjEuQsYI16SGv81FYmr3Cd/5lK80IJ
-IrLK7CP5jgoBhFzmbC2VfoCsEiewOD9bOggFMDiAewlVxF5007aK1acQdoMueN/s
-rB0+dG7ENno=
-=9qyb
------END PGP SIGNATURE-----

httpd-2.4.28.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c1197a3a62a4ab5c584ab89b249af38cf28b4adee9c0106b62999fd29f920666
+size 6553163

httpd-2.4.28.tar.bz2.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIVAwUAWcjw5zTqduZ5FIWoAQr5EQ/7BXT4HjCD3eUJK9OymmpchCYZL1l4uZNy
+4oywYvn5THhWy4i9+sOxgju4LFQJCUlu/Cmqeh5bZgZIfdCAnxNANiNmtIaL0gum
+in0ZmLYeiJHLT1qkUYUhmUgRXoUTG5GBeHEhKaQUG36aywYlJK/OVRxEA/tqaLPX
+SyaUCHao98E0UjarDvSLwpH1/7KAA8GyknEaZnTXhnyFboEFGRiI2xpkeRM8NhNh
+ASIq0YfndBlneG4uHlsPoWLcFp5HttQ9YdpBo39sbSVLKFlUg9XYK/3n0mh3Xx5Z
+xowVOs2/5gP2sPjmC92ycx3LRlwK7ygw1/Dx/dImuhTtTAL7OG6i1/qFNY1utNCh
+LAddU/on5YQz5beV1LjZip9ef4yBikqBsRUtyu/fQG+EqiszzpxxHf+JfaWXl+hu
+NoFIALVtSEBf8LHT0cvIRWY3Id05nYDpknGiuNxuDIpYc4qdY7yDOa6lPeS3kGzC
+iPFh63B6nhzNudNWCT0YH2mLKGs6szDM4Hwh13Kotva3vus7UWv4O8jFAiSPvO8h
+aNpfy2IMcvjuXBu4oWbuu/X6l0FLZo/LKGzvUDZiG62Z1RCH/zg9f5OiBVIlEIWM
+INe6IsivQOM3DMNJX6U3VZUyx2hN4J5O31bkP4qMoNnHOzA7PD9JX4owirpxy4eZ
+Y2Ywbc9jeBk=
+=kUfO
+-----END PGP SIGNATURE-----