From ce537de3bc2b83cce14d0a5de4717f6bd833ff0754b58b6ce7e7055f8683fef7 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Mon, 20 Dec 2021 11:46:23 +0000 Subject: [PATCH 1/3] Accepting request 941644 from home:david.anes:branches:Apache Update to 2.4.52 OBS-URL: https://build.opensuse.org/request/show/941644 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=660 --- apache2.changes | 94 ++++++++++++++++++++++++++++++++++++++++ apache2.spec | 2 +- httpd-2.4.52.tar.bz2 | 3 ++ httpd-2.4.52.tar.bz2.asc | 17 ++++++++ 4 files changed, 115 insertions(+), 1 deletion(-) create mode 100644 httpd-2.4.52.tar.bz2 create mode 100644 httpd-2.4.52.tar.bz2.asc diff --git a/apache2.changes b/apache2.changes index 575da05..0f26367 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -1,3 +1,97 @@ +------------------------------------------------------------------- +Mon Dec 20 11:26:49 UTC 2021 - David Anes + +- version update to 2.4.52: + *) http: Enforce that fully qualified uri-paths not to be forward-proxied + have an http(s) scheme, and that the ones to be forward proxied have a + hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic] + *) OpenSSL autoconf detection improvement: pick up openssl.pc in the + specified openssl path. [Joe Orton] + *) mod_proxy_connect, mod_proxy: Do not change the status code after we + already sent it to the client. + *) mod_http: Correctly sent a 100 Continue status code when sending an interim + response as result of an Expect: 100-Continue in the request and not the + current status code of the request. PR 65725 [Ruediger Pluem] + *) mod_dav: Some DAV extensions, like CalDAV, specify both document + elements and property elements that need to be taken into account + when generating a property. The document element and property element + are made available in the dav_liveprop_elem structure by calling + dav_get_liveprop_element(). [Graham Leggett] + *) mod_dav: Add utility functions dav_validate_root_ns(), + dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and + dav_find_attr() so that other modules get to play too. + [Graham Leggett] + *) mpm_event: Restart stopping of idle children after a load peak. PR 65626. + [Yann Ylavic, Ruediger Pluem] + *) mod_http2: fixes 2 regressions in server limit handling. + 1. When reaching server limits, such as MaxRequestsPerChild, the + HTTP/2 connection send a GOAWAY frame much too early on new + connections, leading to invalid protocol state and a client + failing the request. See PR65731. + The module now initializes the HTTP/2 protocol correctly and + allows the client to submit one request before the shutdown + via a GOAWAY frame is being announced. + 2. 
A regression in v1.15.24 was fixed that could lead to httpd + child processes not being terminated on a graceful reload or + when reaching MaxConnectionsPerChild. When unprocessed h2 + requests were queued at the time, these could stall. + See . + [Stefan Eissing] + *) mod_ssl: Add build support for OpenSSL v3. [Rainer Jung, + Stefan Fritsch, Yann Ylavic, Stefan Eissing, Joe Orton, + Giovanni Bechis] + *) mod_proxy_connect: Honor the smallest of the backend or client timeout + while tunneling. [Yann Ylavic] + *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP + half-close forwarding when tunneling protocols. [Yann Ylavic] + + *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by + a third-party module. PR 65627. + [acmondor , Yann Ylavic] + + *) mod_md: Fix memory leak in case of failures to load the private key. + PR 65620 [ Filipe Casal ] + + *) mod_md: adding v2.4.8 with the following changes + - Added support for ACME External Account Binding (EAB). + Use the new directive `MDExternalAccountBinding` to provide the + server with the value for key identifier and hmac as provided by + your CA. + While working on some servers, EAB handling is not uniform + across CAs. First tests with a Sectigo Certificate Manager in + demo mode are successful. But ZeroSSL, for example, seems to + regard EAB values as a one-time-use-only thing, which makes them + fail if you create a seconde account or retry the creation of the + first account with the same EAB. + - The directive 'MDCertificateAuthority' now checks if its parameter + is a http/https url or one of a set of known names. Those are + 'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test' + for now and they are not case-sensitive. + The default of LetsEncrypt is unchanged. + - `MDContactEmail` can now be specified inside a `` + section. 
+ - Treating 401 HTTP status codes for orders like 403, since some ACME + servers seem to prefer that for accessing oders from other accounts. + - When retrieving certificate chains, try to read the repsonse even + if the HTTP Content-Type is unrecognized. + - Fixed a bug that reset the error counter of a certificate renewal + and prevented the increasing delays in further attempts. + - Fixed the renewal process giving up every time on an already existing + order with some invalid domains. Now, if such are seen in a previous + order, a new order is created for a clean start over again. + See + - Fixed a mixup in md-status handler when static certificate files + and renewal was configured at the same time. + + *) mod_md: values for External Account Binding (EAB) can + now also be configured to be read from a separate JSON + file. This allows to keep server configuration permissions + world readable without exposing secrets. + [Stefan Eissing] + + *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO. + PR 65616. [Ruediger Pluem] + ------------------------------------------------------------------- Wed Nov 24 11:04:43 UTC 2021 - pgajdos@suse.com diff --git a/apache2.spec b/apache2.spec index e9cf034..ab925f6 100644 --- a/apache2.spec +++ b/apache2.spec @@ -115,7 +115,7 @@ %endif Name: apache2%{psuffix} -Version: 2.4.51 +Version: 2.4.52 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 diff --git a/httpd-2.4.52.tar.bz2 b/httpd-2.4.52.tar.bz2 new file mode 100644 index 0000000..800aa18 --- /dev/null +++ b/httpd-2.4.52.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9 +size 7439184 diff --git a/httpd-2.4.52.tar.bz2.asc b/httpd-2.4.52.tar.bz2.asc new file mode 100644 index 0000000..98bc581 --- /dev/null +++ b/httpd-2.4.52.tar.bz2.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Comment: GPGTools - https://gpgtools.org + +iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmG7Q+8ACgkQ03fJ59GU +TGbpCA/+Ne63eHZTIxNF86FN6rOXgCvoIGPcc8SCpJ3h9k3rfCdltB/Mwnmz93R8 +Eo0djI/jCdfQsrmw+4IALIVpH6WsVHLnFbR2gk5wY9Kv5SDoMNs8iNUKAa23yQ9y +JNN3W9Bw3O3q7RhfK8a5jSCAVkKw4gxNPGu+4x6QwHZOCrCoXJdKjoWAPSdE6L2p +RQDBAW+wHmqwh2HBrM4WZhWaj6Eer7UbV1ir7nIGXmCz0f5ekiADJA4c6aWHV5PL +EBIHbRsSzhgvK0ZtLeR1oOQAZfsNJT2BMjk5M/8yanAyUxnOGcNdRRSBMk1XPbxa +EhBujT9KuSAq1jk5FbwgzP1l+Yq2Gxxsh2a4UK7K7AaJV8macQtVDUq4TfYKIk8R +hnXweflKw9nonxaYOiNwhtLE3FFMg7XozrNPImc2abLT/wDE/N6LPI2NMf4FWAkm +XkQ5yzy5Nxs/MybIJs/YJQjLCrfDD8hbUcqPp6445YqJsiXAQ3vhMy755maI2ciz +xXBe0xhq9kEILIUCynCpPZE8eCKEGjFr/hWfaYZR32GVceAmHV9GiDoD5K6dqk6z +00TCNbfjY5hXzEkigLd1g2ZKp/d8tsG0NUw1SoXfXSdlK0ugMTkmqqZxcekvGOk9 +UcpKyzkxdqCywfwYFKmYsLi6cKFBXAlRq0K89vg4glC2cedVu9Y= +=Fz0f +-----END PGP SIGNATURE----- From 91179b73e4f69ccbc1eff3fb18002d891b210bb52712a8614211eb57c6ebeb0d Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Mon, 20 Dec 2021 12:19:54 +0000 Subject: [PATCH 2/3] OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=661 --- httpd-2.4.51.tar.bz2 | 3 --- httpd-2.4.51.tar.bz2.asc | 17 ----------------- 2 files changed, 20 deletions(-) delete mode 100644 httpd-2.4.51.tar.bz2 delete mode 100644 httpd-2.4.51.tar.bz2.asc diff --git a/httpd-2.4.51.tar.bz2 b/httpd-2.4.51.tar.bz2 deleted file mode 100644 index c6a0a84..0000000 --- a/httpd-2.4.51.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:20e01d81fecf077690a4439e3969a9b22a09a8d43c525356e863407741b838f4 -size 7653609 diff --git a/httpd-2.4.51.tar.bz2.asc b/httpd-2.4.51.tar.bz2.asc deleted file mode 100644 index d34b317..0000000 --- a/httpd-2.4.51.tar.bz2.asc +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Comment: GPGTools - https://gpgtools.org - -iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmFe8kEACgkQ03fJ59GU -TGatthAAtWzeOD1TCIEvf5f9bAIZDK9vjEEnBZDeYMMrH1wVJGNJm48XP08O/Kbq -qhvc9201RUwkAtWEUX811ZBAYd5A8lAqetfmIuCSHerYSOU0CbhvBjKsuIJVIKWD -Wo1uPUDWk068V0HBquQtW6AEB4oo16fKPMEr1aOOxFpR+F806daJN1gt3ubPzkNJ -rZd4E6dV00eEymeUIfk0BjDqSWKHmUr+08/dtWqc7kGYGcnJzu0e5pr6cc0hOV2o -mqYm28F7eMSe5JCnAOd1LnnqtOwV81mZLxiAxR40PoFhV7IoBLo0zAJ99AHxJfA2 -9RjCmZ/WYtleeDT7mC1cdATHKOPRaubklzK6Ntf7tMaRIO07hnIfIRXQveKG7h+G -Og6PGtfR9bwDGrg2f5Dr+R2fwUJO7EL31IxTYQFBUDe2Q82aNIWpdIFdte93nc+S -HqjWq3w6zq+jdSm3xvyLB0LLSOguXhcjj5VEqV+aExZPASbf+Q8bG51mSbMQhkaq -fEheFcdhu3Sm0x5xQXvEM3gX5XUr8vmrPWaacayPYfS7MinWukV0hXe5/DoYkFTt -a1pt6bHcyVfR0tB0Q3bvm59EeaxLVfogb6Eq74RlrfYiCU/Qx7bMUs3tSeIkHGmY -cNhpxzc/36i4Cf+fBDPKuJroXYV5wFoQmpnXVLAqRd6jWZcOizY= -=f5dx ------END PGP SIGNATURE----- From 24717da42a39812931bdfdc68815a0f65f5933b312a3ec0f3aa78afd60f0a5d2 Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Tue, 21 Dec 2021 10:28:15 +0000 Subject: [PATCH 3/3] Accepting request 941816 from home:AndreasStieger:branches:Apache changlog update for 2.4.52: CVE-2021-44224 boo#1193943 CVE-2021-44790 boo#1193942 OBS-URL: https://build.opensuse.org/request/show/941816 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=662 --- apache2.changes | 36 ++++++++++++------------------------ 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/apache2.changes b/apache2.changes index 0f26367..0a54890 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -2,32 +2,32 @@ Mon Dec 20 11:26:49 UTC 2021 - David Anes - version update to 2.4.52: + * fix CVE-2021-44224: NULL dereference or SSRF in forward proxy + configurations [boo#1193943] + * fix CVE-2021-44790: buffer overflow when parsing multipart + content in mod_lua [boo#1193942] *) http: Enforce that fully qualified uri-paths not to be forward-proxied have an http(s) scheme, and that the ones to be forward proxied have a - hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic] + hostname, per HTTP specifications. *) OpenSSL autoconf detection improvement: pick up openssl.pc in the - specified openssl path. [Joe Orton] - *) mod_proxy_connect, mod_proxy: Do not change the status code after we already sent it to the client. *) mod_http: Correctly sent a 100 Continue status code when sending an interim response as result of an Expect: 100-Continue in the request and not the - current status code of the request. PR 65725 [Ruediger Pluem] + current status code of the request *) mod_dav: Some DAV extensions, like CalDAV, specify both document elements and property elements that need to be taken into account when generating a property. The document element and property element are made available in the dav_liveprop_elem structure by calling - dav_get_liveprop_element(). [Graham Leggett] + dav_get_liveprop_element() *) mod_dav: Add utility functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() so that other modules get to play too. - [Graham Leggett] - *) mpm_event: Restart stopping of idle children after a load peak. PR 65626. - [Yann Ylavic, Ruediger Pluem] + *) mpm_event: Restart stopping of idle children after a load peak *) mod_http2: fixes 2 regressions in server limit handling. 1. When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection send a GOAWAY frame much too early on new connections, leading to invalid protocol state and a client - failing the request. See PR65731. 
+ failing the request The module now initializes the HTTP/2 protocol correctly and allows the client to submit one request before the shutdown via a GOAWAY frame is being announced. @@ -36,22 +36,14 @@ Mon Dec 20 11:26:49 UTC 2021 - David Anes when reaching MaxConnectionsPerChild. When unprocessed h2 requests were queued at the time, these could stall. See . - [Stefan Eissing] - *) mod_ssl: Add build support for OpenSSL v3. [Rainer Jung, - Stefan Fritsch, Yann Ylavic, Stefan Eissing, Joe Orton, - Giovanni Bechis] + *) mod_ssl: Add build support for OpenSSL v3 *) mod_proxy_connect: Honor the smallest of the backend or client timeout - while tunneling. [Yann Ylavic] + while tunneling *) mod_proxy: SetEnv proxy-nohalfclose (or alike) allows to disable TCP - half-close forwarding when tunneling protocols. [Yann Ylavic] - + half-close forwarding when tunneling protocols *) core: Be safe with ap_lingering_close() called with a socket NULL-ed by a third-party module. PR 65627. - [acmondor , Yann Ylavic] - *) mod_md: Fix memory leak in case of failures to load the private key. - PR 65620 [ Filipe Casal ] - *) mod_md: adding v2.4.8 with the following changes - Added support for ACME External Account Binding (EAB). Use the new directive `MDExternalAccountBinding` to provide the @@ -82,15 +74,11 @@ Mon Dec 20 11:26:49 UTC 2021 - David Anes See - Fixed a mixup in md-status handler when static certificate files and renewal was configured at the same time. - *) mod_md: values for External Account Binding (EAB) can now also be configured to be read from a separate JSON file. This allows to keep server configuration permissions world readable without exposing secrets. - [Stefan Eissing] - *) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO. - PR 65616. [Ruediger Pluem] ------------------------------------------------------------------- Wed Nov 24 11:04:43 UTC 2021 - pgajdos@suse.com
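Review bot: in PATCH 1/3, the apache2.changes hunk announces a version update to 2.4.52 without naming the two security fixes the release carries; the CVE identifiers (CVE-2021-44224 and CVE-2021-44790) only arrive in PATCH 3/3 a day later. A bump to a security release should carry the CVE and boo# references in the same request so the package's security tracking sees them on first submission rather than after a follow-up. The same hunk also copied two upstream cross-references with their targets stripped ("See ." in the mod_http2 item and a bare "See" after the mod_md order fix); either restore the links or drop the dangling "See".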
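Review bot: in PATCH 1/3, the httpd-2.4.52.tar.bz2 hunk commits the tarball as a git-lfs pointer (oid sha256:0127f7dc..., size 7439184) and the .asc hunk adds a detached PGP signature, but the diffstat shows only four files changed and no keyring update. A detached signature only proves anything if the signing key is pinned, so confirm that the key which produced httpd-2.4.52.tar.bz2.asc is in the keyring the package verifies sources against, and compare the pointer's sha256 with the checksum published alongside the upstream release before accepting.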
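Review bot: in PATCH 1/3, the apache2.spec hunk is a bare Version bump from 2.4.51 to 2.4.52 and the diffstat shows no patch file refreshed; confirm that every Patch: entry in the spec still applies cleanly against the 2.4.52 tree, since a rebase is not visible in this request.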
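Review bot: PATCH 2/3 removes httpd-2.4.51.tar.bz2 and its .asc in a separate commit from the one that added 2.4.52, so revision 660 carries both source sets. Harmless for the build, but the removal belongs in the update request itself so that one revision corresponds to one verified source set.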
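Review bot: in PATCH 3/3, the first apache2.changes hunk (@@ -2,32 +2,32 @@) removes "- specified openssl path. [Joe Orton]" and "- *) mod_proxy_connect, mod_proxy: Do not change the status code after we" with no replacement "+" lines, which the diffstat confirms (12 insertions, all accounted for elsewhere), so the resulting changelog reads "pick up openssl.pc in the" followed directly by "already sent it to the client." If the goal is to strip attributions, re-add the two lines without the credit, e.g. "+ specified openssl path" and "+ *) mod_proxy_connect, mod_proxy: Do not change the status code after we". The CVE lines themselves are correct and welcome, but the hunk also discards the PR numbers (PR 65725, PR 65626, PR65731) that are the only link from a changelog line to its upstream bug report; keep them when trimming names.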
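Review bot: in PATCH 3/3, the second hunk (@@ -36,22 +36,14 @@) deletes the whole "mod_md: Fix memory leak in case of failures to load the private key. PR 65620" entry rather than only its attribution line, so that fix disappears from the package changelog; restore the entry text. The mod_ssl, mod_proxy_connect and mod_proxy rewrites in the same hunk are fine, though they drop the trailing period in a list whose other entries keep it.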
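Review bot: in PATCH 3/3, the third hunk (@@ -82,15 +74,11 @@) removes "*) mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO." together with its "PR 65616. [Ruediger Pluem]" line, so the entry is gone entirely instead of losing its credit; keep the first line. A PATH_INFO normalisation change is exactly the kind of behaviour difference a uwsgi backend operator looks for in the changelog after an update.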