From a7a85e96b3283de03274c4f73a15d175120860a09409d083740900339d47642d Mon Sep 17 00:00:00 2001 From: Petr Gajdos Date: Tue, 17 Oct 2017 12:46:25 +0000 Subject: [PATCH 1/2] - gensslcert: * set also SAN [bsc#1045159] * drop -C argument, it was not mapped to CN actually * consider also case when hostname does return empty string or does not exist [bsc#1057406] * do not consider environment ROOT variable OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=529 --- apache2.changes | 10 +++++++ gensslcert | 69 +++++++++++++++++++++++++++-------------------- sysconfig.apache2 | 2 +- 3 files changed, 51 insertions(+), 30 deletions(-) diff --git a/apache2.changes b/apache2.changes index 3796f28..b1a075d 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Oct 17 12:41:23 UTC 2017 - pgajdos@suse.com + +- gensslcert: + * set also SAN [bsc#1045159] + * drop -C argument, it was not mapped to CN actually + * consider also case when hostname does return empty string or + does not exist [bsc#1057406] + * do not consider environment ROOT variable + ------------------------------------------------------------------- Fri Oct 6 07:45:55 UTC 2017 - pgajdos@suse.com diff --git a/gensslcert b/gensslcert index a71bda9..0682c0d 100644 --- a/gensslcert +++ b/gensslcert @@ -16,7 +16,6 @@ function usage These options are recognized: Default: - -C Common name "$name" -N comment "$comment" -c country (two letters, e.g. DE) $C -s state $ST 
@@ -38,18 +37,23 @@ function myecho { echo $BRIGHT$@$NORMAL; } function error { echo $RED$@$NORMAL; } function myexit { error something ugly seems to have happened in line $1...; exit $2; } -r=$ROOT -. $r/etc/sysconfig/network/config -FQHOSTNAME=`hostname -f` - -fqlength=`echo $FQHOSTNAME|wc -c` -if [ $fqlength -gt 63 ]; then - FQHOSTNAME=`hostname` +hostname=/usr/bin/hostname +FQHOSTNAME="" +if [ -x $hostname ]; then + FQHOSTNAME=`$hostname -f 2>/dev/null` + # bsc#1035829 + fqlength=`echo -n $FQHOSTNAME|wc -c` + if [ $fqlength -gt 64 ]; then + FQHOSTNAME=`$hostname 2>/dev/null` + fi +fi +# bsc#1057406 +if [ -z $FQHOSTNAME ]; then + FQHOSTNAME='localhost' fi # defaults comment="mod_ssl server certificate" - name= C=XY ST=unknown L=unknown @@ -62,7 +66,6 @@ fi while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do case $OPT in - C) name=$OPTARG-;; N) comment=$OPTARG;; c) C=$OPTARG;; s) ST=$OPTARG;; 
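Review bot: The new empty-hostname guard `if [ -z $FQHOSTNAME ]; then` leaves the variable unquoted, so it only works by accident (`[ -z ]` with no operand happens to be true) and breaks if the value ever contains whitespace; write it as `if [ -z "$FQHOSTNAME" ]; then` and likewise `fqlength=\`echo -n "$FQHOSTNAME"|wc -c\`` in the length check above it. Because `$hostname -f` has its stderr discarded, a broken DNS setup now silently degrades to `localhost`, which presumably feeds the CN default and will not match the real server name; a one-line `error "could not determine hostname, using localhost"` at that point would make the downgrade visible to the admin. These are top-level script statements, not part of the `function myecho` shown in the hunk header.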
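Review bot: The `C) name=$OPTARG-;;` case is removed, but the `getopts` optstring on the preceding context line still contains `C:`, so `-C a.com` (the invocation documented until now in sysconfig.apache2) is still consumed together with its argument and silently ignored instead of being rejected; change the line to `while getopts N:c:s:l:o:u:n:e:y:Y:dh OPT; do` so getopts reports an illegal option. What the `case` does with the resulting `?` value lies outside the hunk, so it is worth confirming that the default branch prints usage and exits non-zero. The enclosing `while ... do` loop ends beyond the hunk.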
@@ -81,24 +84,26 @@ done GO_LEFT="\033[80D" GO_MIDDLE="$GO_LEFT\033[15C" -for i in comment name C ST L U O CN email srvdays CAdays; do +for i in comment C ST L U O CN email srvdays CAdays; do eval "echo -e $i\"$GO_MIDDLE\" \$$i;" done -openssl=$r/usr/bin/openssl -sslcrtdir=$r/etc/apache2/ssl.crt -sslcsrdir=$r/etc/apache2/ssl.csr -sslkeydir=$r/etc/apache2/ssl.key -sslprmdir=$r/etc/apache2/ssl.prm +openssl=/usr/bin/openssl +sslcrtdir=/etc/apache2/ssl.crt +sslcsrdir=/etc/apache2/ssl.csr +sslkeydir=/etc/apache2/ssl.key +sslprmdir=/etc/apache2/ssl.prm + +name="$CN-" # # CA # echo;myecho creating CA key ... -(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?) +(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?) -cat >$r/root/.mkcert.cfg </root/.mkcert.cfg <$r/root/.mkcert.cfg </root/.mkcert.cfg <$r/root/.mkcert.cfg </root/.mkcert.cfg <$r/root/.mkcert.serial +test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial myecho "creating server certificate ..." (umask 0377 ; $openssl x509 \ - -extfile $r/root/.mkcert.cfg \ + -extfile /root/.mkcert.cfg \ -days $srvdays \ - -CAserial $r/root/.mkcert.serial \ + -CAserial /root/.mkcert.serial \ -CA $sslcrtdir/${name}ca.crt \ -CAkey $sslkeydir/${name}ca.key \ -in $sslcsrdir/${name}server.csr -req \ -out $sslcrtdir/${name}server.crt || myexit $LINENO $?) -rm -f $r/root/.mkcert.cfg +rm -f /root/.mkcert.cfg diff --git a/sysconfig.apache2 b/sysconfig.apache2 index 59ea115..70065d4 100644 --- a/sysconfig.apache2 +++ b/sysconfig.apache2 
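Review bot: `name="$CN-"` turns the common name into a path component of every key and certificate file (`$sslkeydir/${name}ca.key`, `$sslcrtdir/${name}server.crt`) without quoting or sanitising, so a `-n` value containing `/`, `..` or spaces would redirect or break the `umask 0377` writes under /etc/apache2; restrict it to a safe character set, e.g. `name="${CN//[^A-Za-z0-9._-]/_}-"`, and quote the path arguments. Unless CN is empty by default, this also changes the default output names from `ca.key`/`server.crt` (the old `name=` default) to `<CN>-ca.key`/`<CN>-server.crt`, so anything that references the unprefixed names should be checked unless code outside the hunk copies them. The heredoc that writes `/root/.mkcert.cfg` — where the SAN announced in the changelog is set — is garbled in this view and could not be reviewed; writing that file via `mktemp` instead of a fixed name in /root would also avoid clobbering a stale copy. Replacing the log files with `/dev/urandom` as the `-rand` source is a good change; on current OpenSSL the flag is redundant but harmless.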
@@ -53,7 +53,7 @@ APACHE_CONF_INCLUDE_DIRS="" # 1. Before you can use mod_ssl, you need a server certificate. # A test certificate can be created by entering e. g. # -# $ gensslcert -n a.com -C a.com -e webmaster@a.com +# $ gensslcert -n a.com # # See gensslcert -h for or gensslcert script itself for details. # 2. Also, you need to set the ServerName inside the From fd7f9d1515bc16d4ee68d2412b1d67710ac5c2a0e1ae6f1ece75e12ea28142a2 Mon Sep 17 00:00:00 2001 
From: Petr Gajdos Date: Wed, 18 Oct 2017 09:23:58 +0000 Subject: [PATCH 2/2] - updated to 2.4.29: *) mod_unique_id: Use output of the PRNG rather than IP address and pid, avoiding sleep() call and possible DNS issues at startup, plus improving randomness for IPv6-only hosts. [Jan Kaluza] *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST is used in a condition that evaluates to true. PR 58231 [Luca Toscano] *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket beams that could lead to assertion failure in edge cases. [Stefan Eissing] *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced in 2.4.28. [Jim Jagielski] *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set. PR 61546. [Lubos Uhliarik ] *) mod_rewrite: Add support for starting External Rewriting Programs as non-root user on UNIX systems by specifying username and group name as third argument of RewriteMap directive. [Jan Kaluza] *) core: Rewrite the Content-Length filter to avoid excessive memory consumption. Chunked responses will be generated in more cases than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem] *) mod_ssl: Fix SessionTicket callback return value, which does seem to matter with OpenSSL 1.1. [Yann Ylavic] OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=530 --- apache2.changes | 25 +++++++++++++++++++++++++ apache2.spec | 2 +- httpd-2.4.28.tar.bz2 | 3 --- httpd-2.4.28.tar.bz2.asc | 16 ---------------- httpd-2.4.29.tar.bz2 | 3 +++ httpd-2.4.29.tar.bz2.asc | 16 ++++++++++++++++ 6 files changed, 45 insertions(+), 20 deletions(-) delete mode 100644 httpd-2.4.28.tar.bz2 delete mode 100644 httpd-2.4.28.tar.bz2.asc create mode 100644 httpd-2.4.29.tar.bz2 create mode 100644 httpd-2.4.29.tar.bz2.asc diff --git a/apache2.changes b/apache2.changes index b1a075d..4f04e68 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -1,3 +1,28 @@ +------------------------------------------------------------------- +Wed Oct 18 09:22:41 UTC 2017 - pgajdos@suse.com + +- updated to 2.4.29: + *) mod_unique_id: Use output of the PRNG rather than IP address and + pid, avoiding sleep() call and possible DNS issues at startup, + plus improving randomness for IPv6-only hosts. [Jan Kaluza] + *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST + is used in a condition that evaluates to true. PR 58231 [Luca Toscano] + *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket + beams that could lead to assertion failure in edge cases. + [Stefan Eissing] + *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced + in 2.4.28. [Jim Jagielski] + *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set. + PR 61546. [Lubos Uhliarik ] + *) mod_rewrite: Add support for starting External Rewriting Programs + as non-root user on UNIX systems by specifying username and group + name as third argument of RewriteMap directive. [Jan Kaluza] + *) core: Rewrite the Content-Length filter to avoid excessive memory + consumption. Chunked responses will be generated in more cases + than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem] + *) mod_ssl: Fix SessionTicket callback return value, which does seem to + matter with OpenSSL 1.1. [Yann Ylavic] + ------------------------------------------------------------------- Tue Oct 17 12:41:23 UTC 2017 - pgajdos@suse.com diff --git a/apache2.spec b/apache2.spec index ba79b48..d401114 100644 --- a/apache2.spec +++ b/apache2.spec @@ -53,7 +53,7 @@ %define mods_static unixd %endif Name: apache2 -Version: 2.4.28 +Version: 2.4.29 Release: 0 Summary: The Apache Web Server Version 2.4 License: Apache-2.0 diff --git a/httpd-2.4.28.tar.bz2 b/httpd-2.4.28.tar.bz2 deleted file mode 100644 index 5a36f5a..0000000 --- a/httpd-2.4.28.tar.bz2 +++ /dev/null 
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c1197a3a62a4ab5c584ab89b249af38cf28b4adee9c0106b62999fd29f920666
-size 6553163
diff --git a/httpd-2.4.28.tar.bz2.asc b/httpd-2.4.28.tar.bz2.asc
deleted file mode 100644
index e95ffa3..0000000
--- a/httpd-2.4.28.tar.bz2.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIVAwUAWcjw5zTqduZ5FIWoAQr5EQ/7BXT4HjCD3eUJK9OymmpchCYZL1l4uZNy
-4oywYvn5THhWy4i9+sOxgju4LFQJCUlu/Cmqeh5bZgZIfdCAnxNANiNmtIaL0gum
-in0ZmLYeiJHLT1qkUYUhmUgRXoUTG5GBeHEhKaQUG36aywYlJK/OVRxEA/tqaLPX
-SyaUCHao98E0UjarDvSLwpH1/7KAA8GyknEaZnTXhnyFboEFGRiI2xpkeRM8NhNh
-ASIq0YfndBlneG4uHlsPoWLcFp5HttQ9YdpBo39sbSVLKFlUg9XYK/3n0mh3Xx5Z
-xowVOs2/5gP2sPjmC92ycx3LRlwK7ygw1/Dx/dImuhTtTAL7OG6i1/qFNY1utNCh
-LAddU/on5YQz5beV1LjZip9ef4yBikqBsRUtyu/fQG+EqiszzpxxHf+JfaWXl+hu
-NoFIALVtSEBf8LHT0cvIRWY3Id05nYDpknGiuNxuDIpYc4qdY7yDOa6lPeS3kGzC
-iPFh63B6nhzNudNWCT0YH2mLKGs6szDM4Hwh13Kotva3vus7UWv4O8jFAiSPvO8h
-aNpfy2IMcvjuXBu4oWbuu/X6l0FLZo/LKGzvUDZiG62Z1RCH/zg9f5OiBVIlEIWM
-INe6IsivQOM3DMNJX6U3VZUyx2hN4J5O31bkP4qMoNnHOzA7PD9JX4owirpxy4eZ
-Y2Ywbc9jeBk=
-=kUfO
------END PGP SIGNATURE-----
diff --git a/httpd-2.4.29.tar.bz2 b/httpd-2.4.29.tar.bz2
new file mode 100644
index 0000000..c5dde2b
--- /dev/null
+++ b/httpd-2.4.29.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:777753a5a25568a2a27428b2214980564bc1c38c1abf9ccc7630b639991f7f00
+size 6567926
diff --git a/httpd-2.4.29.tar.bz2.asc b/httpd-2.4.29.tar.bz2.asc
new file mode 100644
index 0000000..b7ca703
--- /dev/null
+++ b/httpd-2.4.29.tar.bz2.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIVAwUAWeZRsjTqduZ5FIWoAQpkfBAAmw+wwCpBTWRErxmPss368OSX139b3bYe
+za6+PvbiZghj+K3btOC2pHcov+h6sb6kvsFA0D5f2Bk2oCiBgmN4IJYS3h9mUcNg
+vcGCb0P0rLPneFpHTt3SXFJCahTOwmxW22e8V/y/3pes/6VsVEMJ2Sx1hQcDkkjw
+FPPB5ElXbmLi+3dZnojwwshCGKyza6OVY5CrAHb3/Pr+wSo0RSNgrpA3qsCyhAn7
+f+dLlOc44KLCF8y/grwJRLsM+MHWog+YI0B5e+95alTgcbBvEg3n6RivOCDrkJr2
+trvM10fTBzj5Hs8Gh1yuA46qD6mvRjVm0OzJc7xJTXNmpvByfsQNHoxduI1OrPgq
+rL4rt4wuh8INa5PiD80RLL3o0K69mGzCqVzJJp6/XENiMSgSsesbtaOrw0lOiYwv
+rO/yzzR9WwkiXIQR934lduFfiOrf2A81Q5HpsfLaaP7Ezc5bIPlUVRzK68TPEe+u
+VGvSYqg4umQqCrNh3yX06UBJokB8UxzkOgY8bvvPEkHFv8AlqUKg1bVxkTIZypYL
+e6xnXrM/LQ/UuWo6n+Pb9balieXZg6SfrQ2tQmI2yMIuFhN+fGcXVt1l9miWoNy9
+fjEpLvUxW4HqXjaPEG0xwD/BX+5+uadGVkr2oIbFCeknXZES/fPdrbuC7XpZzYqH
+9trgC1ZLILg=
+=EwOe
+-----END PGP SIGNATURE-----