forked from pool/apache2
Accepting request 1059452 from home:david.anes:branches:Apache
- Update to 2.4.55:
  *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org)
     Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
     Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
  *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org)
     Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions.
     Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group
  *) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org)
     A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier.
  *) mod_dav: Open the lock database read-only when possible. PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
  *) mod_proxy_http2: apply the standard httpd content type handling to responses from the backend, as other proxy modules do. Fixes PR 66391.

OBS-URL: https://build.opensuse.org/request/show/1059452
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=682
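This request stores the new upstream tarball as a git-lfs pointer (a three-line file giving the pointer version, a sha256 oid and the byte size) next to its detached PGP signature. As an added check, not part of this request or of the apache2 package, the script below parses such a pointer and verifies a local file's size and sha256 against it, which is the first thing a reviewer can do before trusting the uploaded source. The pointer text, tarball bytes and file names in the demo are constructed; the only real value used is the oid shown on this page, in the usage note.

```python
"""Verify a local source file against a git-lfs pointer (added example; constructed demo data)."""
import hashlib
import hmac
import os
import re
import tempfile

# A pointer line is exactly "<field> <value>"; anything else is rejected.
POINTER_FIELD = re.compile(r"^(version|oid|size) (\S+)$")
LFS_V1 = "https://git-lfs.github.com/spec/v1"


def parse_lfs_pointer(text):
    """Parse a git-lfs v1 pointer into {'version', 'algo', 'digest', 'size'}.

    Rejects unknown or duplicated fields, a non-sha256 oid and a malformed digest,
    so a hand-edited or truncated pointer fails loudly instead of 'verifying'.
    """
    fields = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = POINTER_FIELD.match(line)
        if m is None:
            raise ValueError(f"unexpected pointer line: {line!r}")
        key, value = m.groups()
        if key in fields:
            raise ValueError(f"duplicate field {key}")
        fields[key] = value
    for required in ("version", "oid", "size"):
        if required not in fields:
            raise ValueError(f"missing field {required}")
    if fields["version"] != LFS_V1:
        raise ValueError("unsupported pointer version")
    algo, _, digest = fields["oid"].partition(":")
    if algo != "sha256" or not re.fullmatch(r"[0-9a-f]{64}", digest):
        raise ValueError("oid must be sha256:<64 lowercase hex digits>")
    return {"version": fields["version"], "algo": algo,
            "digest": digest, "size": int(fields["size"])}


def sha256_file(path):
    """Stream the file through sha256 so multi-MB tarballs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_pointer(path, pointer_text):
    """Return (ok, reason). The cheap size check runs first, then the digest."""
    p = parse_lfs_pointer(pointer_text)
    actual_size = os.path.getsize(path)
    if actual_size != p["size"]:
        return False, f"size mismatch: pointer says {p['size']}, file is {actual_size}"
    actual = sha256_file(path)
    if not hmac.compare_digest(actual, p["digest"]):
        return False, f"sha256 mismatch: pointer says {p['digest']}, file is {actual}"
    return True, "ok"


def demo():
    """Constructed end-to-end run: a fake tarball, a pointer derived from it, and a same-size tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "example.tar.bz2")          # constructed file name
        data = b"constructed tarball bytes\n" * 100       # constructed content
        with open(good, "wb") as f:
            f.write(data)
        pointer = (f"version {LFS_V1}\n"
                   f"oid sha256:{hashlib.sha256(data).hexdigest()}\n"
                   f"size {len(data)}\n")
        ok_good, _ = verify_against_pointer(good, pointer)
        bad = os.path.join(d, "tampered.tar.bz2")
        with open(bad, "wb") as f:
            f.write(data[:-1] + b"X")                      # same size, one byte changed
        ok_bad, reason = verify_against_pointer(bad, pointer)
        return ok_good, ok_bad, reason


if __name__ == "__main__":
    print(demo())
```

For the real file, `parse_lfs_pointer` accepts the pointer added in this request as-is (oid `sha256:11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac`, size 7456187), and `verify_against_pointer("httpd-2.4.55.tar.bz2", pointer_text)` tells you whether the tarball you have matches what the package pins. This only proves the file matches the pointer, not that the pointer is the upstream release: the detached signature and the keyring still have to be checked.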
This commit is contained in:
parent 5c0c75bfa3
commit 7daefa5b80

135 apache2.changes
@ -1,3 +1,138 @@
-------------------------------------------------------------------
Wed Jan 18 21:54:41 UTC 2023 - David Anes <david.anes@suse.com>

- Update to 2.4.55:
*) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
2.4.55 allows a backend to trigger HTTP response splitting
(cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can
cause the response headers to be truncated early, resulting in
some headers being incorporated into the response body. If the
later headers have any security purpose, they will not be
interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)

*) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server
Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
at Qi'anxin Group

*) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read,
or write of a single zero byte, in a pool (heap) memory location
beyond the header value sent. This could cause the process to
crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.

*) mod_dav: Open the lock database read-only when possible.
PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]

*) mod_proxy_http2: apply the standard httpd content type handling
to responses from the backend, as other proxy modules do. Fixes PR 66391.
Thanks to Jérôme Billiras for providing the patch.
[Stefan Eissing]

*) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
[Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
<alejandro.alvarez.ayllon cern.ch>]

*) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]

*) mod_http2: version 2.0.10 of the module, synchronizing changes
with the gitgub version. This is a partial rewrite of how connections
and streams are handled.
- an APR pollset and pipes (where supported) are used to monitor
the main connection and react to IO for request/response handling.
This replaces the stuttered timed waits of earlier versions.
- H2SerializeHeaders directive still exists, but has no longer an effect.
- Clients that seemingly misbehave still get less resources allocated,
but ongoing requests are no longer disrupted.
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
- A regression in v1.15.24 was fixed that could lead to httpd child
processes not being terminated on a graceful reload or when reaching
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
the time, these could stall. See #212.
- Improved information displayed in 'server-status' for H2 connections when
Extended Status is enabled. Now one can see the last request that IO
operations happened on and transferred IO stats are updated as well.
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
send a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
- :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
http protocol processing to preserve semantics of the request.
Checks on combinations of pseudo-headers values/absence
have been added as described in RFC 7540. Fixes #230.
- A bug that prevented trailers (e.g. HEADER frame at the end) to be
generated in certain cases was fixed. See #233 where it prevented
gRPC responses to be properly generated.
- Request and response header values are automatically stripped of leading
and trialing space/tab characters. This is equivalent behaviour to what
Apache httpd's http/1.1 parser does.
The checks for this in nghttp2 v1.50.0+ are disabled.
- Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
*) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.

*) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]

*) mod_proxy: The AH03408 warning for a forcibly closed backend
connection is now logged at INFO level. [Yann Ylavic]

*) mod_ssl: When dumping the configuration, the existence of
certificate/key files is no longer tested. [Joe Orton]

*) mod_authn_core: Add expression support to AuthName and AuthType.
[Graham Leggett]

*) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
[Stefan Eissing]

*) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]

*) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]

*) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]

*) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
restarted at the same time. Store locks are not enabled by default.
Restored curl_easy cleanup behaviour from v2.4.14 and refactored
the use of curl_multi for OCSP requests to work with that.
Fixes <https://github.com/icing/mod_md/issues/293>.

*) core: Avoid an overflow on large inputs in ap_is_matchexp. PR 66033
[Ruediger Pluem]

*) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
storage instead of slotmem. Needed after setting
HeartbeatMaxServers default to the documented value 10 in 2.4.54.
PR 66131. [Jérôme Billiras]

*) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
This is a game changer for performances if client use PROPFIND a lot,
PR 66313. [Emmanuel Dreyfus]

-------------------------------------------------------------------
Mon Dec 12 08:58:58 UTC 2022 - Dirk Müller <dmueller@suse.com>

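Review bot: the three SECURITY entries at the top of the new changelog block (CVE-2022-37436, CVE-2022-36760, CVE-2006-20001) carry no bug-tracker references; a SUSE changelog normally lists the corresponding bsc# entry next to each CVE so the fix can be traced from the security tracker, and none appear in this hunk. Separately, the entry copies upstream CHANGES verbatim, including its typos ("trialing", "gitgub", the doubled "Apache HTTP Server Apache HTTP Server 2.4") and the whole mod_http2 2.0.10 bullet list; trimming to the security items plus the PR references would keep the entry readable without losing anything a packager needs.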
9092 apache2.keyring
File diff suppressed because it is too large
@ -1,7 +1,7 @@
#
# spec file
#
# Copyright (c) 2022 SUSE LLC
# Copyright (c) 2023 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -107,7 +107,7 @@
%define build_http2 1

Name: apache2%{psuffix}
Version: 2.4.54
Version: 2.4.55
Release: 0
Summary: The Apache HTTPD Server
License: Apache-2.0
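Review bot: the bump from `Version: 2.4.54` to `Version: 2.4.55` agrees with the changelog and with the new httpd-2.4.55.tar.bz2 source, but this request only shows additions (the 2.4.55 tarball and its .asc) and no removal of the 2.4.54 tarball and signature; confirm the old source files were dropped from the package and that the spec's Source lines resolve to the new file names, otherwise the superseded tarball stays in the package.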
3 httpd-2.4.55.tar.bz2 (Normal file)
@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac
size 7456187
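Review bot: the git-lfs pointer pins `oid sha256:11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac` and `size 7456187`, which only proves that whatever the submitter uploaded has that digest; before accepting, compare the digest against the sha256 published for httpd-2.4.55.tar.bz2 on the Apache download site, since a pointer generated from a substituted tarball would verify just as cleanly.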
16 httpd-2.4.55.tar.bz2.asc (Normal file)
@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmO9aoMACgkQgngd5G1Z
VPpJrw//fJaMh9b5EdKeOZZXXjMNqn3+SM6HxivWNvfnB3vuhFodInWpAeojJTON
0VArc+VGDykFJX8bT0FtBOqAWZl72iX8Jrqv0rLarX7TdFKHJYIc068tpGpjDA+S
qJqueKA4rwSmv8hwVzHmqyucLuUPZSxMZ/SU0+sOv0vR3+t3aNSZ0ZyIwUTGgTMx
fC4h89yC9AoFRPg3Xly9EzLRpajGAcnCjflxTSx9s9UWvyokMEkhO3KuEVJsimIK
8EkTEnProrWV4uGQxX2Igbw8bmhQZ913vA6UoH4KR4PA05GDqmtZBpOVcHppkNG7
Z2oTvdAVXYgb2ssieBnO6NJ6Xud5X1Btxr3Oy08F5kngCvBjM2NT7hXrHcbUW/fO
rygL3OLx9lNHAWXfYgGtY9YHqzf6n6mWcedbzH9OJj722RGkvnUIWxsGNbo1WHa4
EFciU8pkNhgEUTn/qWdCYINxv112BQH5Y4KmDjt7avAGAGc/m4vHYDpFhKHeDuw6
HICAMMs/Lu5qMzW7aQ/FttHXqtE3lMxLwqB2ml63lzB4sBVYiuUJ2Lj0+UdTk3PG
keZo+U2QnWi4DgdH6RV6dyNIs8OAdMlE8lfUDouo5i+r+MKkbmsOZdlK0HvnXEWg
95aYnIbmyQ3rHdLI+ex45jNnU7wM0KFGEPq7P08GeBsfdC/MqZQ=
=xtRh
-----END PGP SIGNATURE-----
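Review bot: this detached signature is only meaningful if the key that produced it is in apache2.keyring, and the 9092-line keyring diff is suppressed on this page; check that the keyring change adds the 2.4.55 release signer's key and nothing beyond Apache httpd release keys, and that `gpg --verify httpd-2.4.55.tar.bz2.asc httpd-2.4.55.tar.bz2` against that keyring succeeds in OBS source validation before the request is accepted.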