diff --git a/apache2.changes b/apache2.changes
index 9b88c76..822bcbb 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,63 @@
+-------------------------------------------------------------------
+Wed Oct 29 18:38:17 CET 2008 - poeml@suse.de
+
+- update year of copyright in rc.apache2
+
+-------------------------------------------------------------------
+Wed Oct 29 00:13:58 CET 2008 - poeml@suse.de
+
+- update to 2.2.10:
+ SECURITY: CVE-2008-2939 (cve.mitre.org)
+ mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
+ the FTP URL. Discovered by Marc Bevand of Rapid7.
+ core:
+ - Support chroot on Unix-family platforms. PR 43596
+ mod_authn_alias:
+ - Detect during startup when AuthDigestProvider is configured to
+ use an incompatible provider via AuthnProviderAlias. PR 45196
+ mod_cgid:
+ - Pass along empty command line arguments from an ISINDEX query
+ that has consecutive '+' characters in the QUERY_STRING,
+ matching the behavior of mod_cgi.
+ mod_charset_lite:
+ - Avoid dropping error responses by handling meta buckets
+ correctly. PR 45687
+ mod_dav_fs:
+ - Retrieve minimal system information about directory entries
+ when walking a DAV fs, resolving a performance degradation on
+ Windows. PR 45464.
+ mod_headers:
+ - Prevent Header edit from processing only the first header of
+ possibly multiple headers with the same name and deleting the
+ remaining ones. PR 45333.
+ mod_proxy:
+ - Allow for smax to be 0 for balancer members so that all idle
+ connections are able to be dropped should they exceed ttl. PR 43371
+ - Add 'scolonpathdelim' parameter to allow for ';' to also be
+ used as a session path separator/delim PR 45158.
+ - Add connectiontimeout parameter for proxy workers in order to
+ be able to set the timeout for connecting to the backend separately.
+ PR 45445.
+ mod_proxy_http:
+ - Don't trigger a retry by the client if a failure to
+ read the response line was the result of a timeout.
+ - Introduce environment variable proxy-initial-not-pooled to
+ avoid reusing pooled connections if the client connection is an initial
+ connection. 
PR 37770. + - Do not forward requests with 'Expect: 100-continue' to + known HTTP/1.0 servers. Return 'Expectation failed' (417) instead. + mod_proxy_balancer: + - Move nonce field in the balancer manager page inside + the html form where it belongs. PR 45578. + - Add 'bybusyness' load balance method. + mod_rewrite: + - Allow Cookie option to set secure and HttpOnly flags. PR 44799 + - Preserve the query string when [proxy,noescape]. PR 45247. + mod_ssl: + - implement dynamic mutex callbacks for the benefit of OpenSSL. + - Rewrite shmcb to avoid memory alignment issues. PR 42101. +- drop obsolete patch httpd-2.2.x-CVE-2008-2939.patch + ------------------------------------------------------------------- Fri Oct 24 13:23:41 CEST 2008 - skh@suse.de diff --git a/apache2.spec b/apache2.spec index 21d80d4..f6c2501 100644 --- a/apache2.spec +++ b/apache2.spec @@ -1,5 +1,5 @@ # -# spec file for package apache2 (Version 2.2.9) +# spec file for package apache2 (Version 2.2.10) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -61,9 +61,9 @@ BuildRequires: expat-devel %define platform_string Linux/%VENDOR License: The Apache Software License Group: Productivity/Networking/Web/Servers -%define realver 2.2.9 -Version: 2.2.9 -Release: 5 +%define realver 2.2.10 +Version: 2.2.10 +Release: 1 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 Source10: SUSE-NOTICE @@ -116,7 +116,6 @@ Patch65: httpd-2.0.49-log_server_status.dif Patch66: httpd-2.0.54-envvars.dif Patch67: httpd-2.2.0-apxs-a2enmod.dif Patch68: httpd-2.x.x-logresolve.patch -Patch69: httpd-2.2.x-CVE-2008-2939.patch Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.0 @@ -335,7 +334,6 @@ Authors: %patch66 -p1 %patch67 -p1 %patch68 -p1 -%patch69 -p4 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # 
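Review bot: The new httpd-2.2.10.tar.bz2 is fetched from `http://httpd.apache.org/dev/dist/` over plain HTTP (the release `dist/` URL on the line above it is commented out) and the spec records no checksum or signature verification, so with `Patch69: httpd-2.2.x-CVE-2008-2939.patch` dropped in the same commit the only assurance that the mod_proxy_ftp XSS fix still ships is the content of that tarball. Before accepting, verify the tarball (the LFS pointer records sha256 681d5787…21383) against the upstream PGP signature for 2.2.10 and confirm that `modules/proxy/mod_proxy_ftp.c` in the unpacked source contains the `wildcard = ap_escape_html(p, wildcard);` line the deleted patch added. If 2.2.10 is already on the release mirrors, consider pointing `Source0` back at the release location, e.g. `Source0: http://www.apache.org/dist/httpd-%{realver}.tar.bz2`, so future bumps are not pulled from the staging directory by default.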
@@ -1025,6 +1023,60 @@ if ! test -f /.buildenv; then fi %changelog +* Wed Oct 29 2008 poeml@suse.de +- update year of copyright in rc.apache2 +* Wed Oct 29 2008 poeml@suse.de +- update to 2.2.10: + SECURITY: CVE-2008-2939 (cve.mitre.org) + mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of + the FTP URL. Discovered by Marc Bevand of Rapid7. + core: + - Support chroot on Unix-family platforms. PR 43596 + mod_authn_alias: + - Detect during startup when AuthDigestProvider is configured to + use an incompatible provider via AuthnProviderAlias. PR 45196 + mod_cgid: + - Pass along empty command line arguments from an ISINDEX query + that has consecutive '+' characters in the QUERY_STRING, + matching the behavior of mod_cgi. + mod_charset_lite: + - Avoid dropping error responses by handling meta buckets + correctly. PR 45687 + mod_dav_fs: + - Retrieve minimal system information about directory entries + when walking a DAV fs, resolving a performance degradation on + Windows. PR 45464. + mod_headers: + - Prevent Header edit from processing only the first header of + possibly multiple headers with the same name and deleting the + remaining ones. PR 45333. + mod_proxy: + - Allow for smax to be 0 for balancer members so that all idle + connections are able to be dropped should they exceed ttl. PR 43371 + - Add 'scolonpathdelim' parameter to allow for ';' to also be + used as a session path separator/delim PR 45158. + - Add connectiontimeout parameter for proxy workers in order to + be able to set the timeout for connecting to the backend separately. + PR 45445. + mod_proxy_http: + - Don't trigger a retry by the client if a failure to + read the response line was the result of a timeout. + - Introduce environment variable proxy-initial-not-pooled to + avoid reusing pooled connections if the client connection is an initial + connection. PR 37770. + - Do not forward requests with 'Expect: 100-continue' to + known HTTP/1.0 servers. 
Return 'Expectation failed' (417) instead. + mod_proxy_balancer: + - Move nonce field in the balancer manager page inside + the html form where it belongs. PR 45578. + - Add 'bybusyness' load balance method. + mod_rewrite: + - Allow Cookie option to set secure and HttpOnly flags. PR 44799 + - Preserve the query string when [proxy,noescape]. PR 45247. + mod_ssl: + - implement dynamic mutex callbacks for the benefit of OpenSSL. + - Rewrite shmcb to avoid memory alignment issues. PR 42101. +- drop obsolete patch httpd-2.2.x-CVE-2008-2939.patch * Fri Oct 24 2008 skh@suse.de - apache2.firewall, apache2.ssl-firewall Use unique name tags "HTTP Server" and "HTTPS Server" in for @@ -1035,7 +1087,7 @@ fi mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem] -* Wed Aug 27 2008 poeml@suse.de +* Tue Aug 26 2008 poeml@suse.de - drop rc.config handling (was removed in or after SuSE Linux 8.0) - don't use fillup_insserv options which have been removed lately * Fri Aug 15 2008 poeml@suse.de @@ -1624,7 +1676,7 @@ fi - add httpd-2.2.x.doublefree.patch, backport of http://svn.apache.org/viewvc?diff_format=h&view=rev&revision=496831 See http://issues.apache.org/bugzilla/show_bug.cgi?id=39985 -* Fri Jan 19 2007 poeml@suse.de +* Thu Jan 18 2007 poeml@suse.de - create debuginfo package in the buildservice * Fri Jan 12 2007 mskibbe@suse.de - change path to service cml document (fate #301708) @@ -3288,7 +3340,7 @@ fi - disable httpd-2.0.36-64bit.dif - rename apachectl2 to apache2ctl - write the startup log to /var/tmp instead of /var/log/apache2 -* Mon Jan 13 2003 poeml@suse.de +* Sun Jan 12 2003 poeml@suse.de - fix last fix (rpm macro before hash wasn't expanded) * Fri Jan 10 2003 poeml@suse.de - fix lib64 path in SuSEconfig diff --git a/httpd-2.2.10.tar.bz2 b/httpd-2.2.10.tar.bz2 new file mode 100644 index 0000000..7ee528c --- /dev/null +++ b/httpd-2.2.10.tar.bz2 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:681d5787288e4e527877f415acce198be96ce7de0dc6e354646b1df4aae21383
+size 5068069
diff --git a/httpd-2.2.9.tar.bz2 b/httpd-2.2.9.tar.bz2
deleted file mode 100644
index 44efb18..0000000
--- a/httpd-2.2.9.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d76599fbcf8b3bcff2779f880fb10e4a2bc4af60f64232083c06863e40850b61
-size 4943462
diff --git a/httpd-2.2.x-CVE-2008-2939.patch b/httpd-2.2.x-CVE-2008-2939.patch
deleted file mode 100644
index 157dce5..0000000
--- a/httpd-2.2.x-CVE-2008-2939.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Taken from: http://svn.apache.org/viewvc?view=rev&revision=682870
-
---- httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ftp.c 2008/08/05 19:00:05 682869
-+++ httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ftp.c 2008/08/05 19:01:50 682870
-@@ -383,6 +383,7 @@
- c->bucket_alloc));
- }
- if (wildcard != NULL) {
-+ wildcard = ap_escape_html(p, wildcard);
- APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(wildcard,
- strlen(wildcard), p,
- c->bucket_alloc));
-
diff --git a/rc.apache2 b/rc.apache2
index 4bf710e..a7cfa8d 100644
--- a/rc.apache2
+++ b/rc.apache2
@@ -3,10 +3,10 @@
 # Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
 # Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
 # Copyright (c) 2002, 2003, (2004?) SuSE Linux AG
-# Copyright (c) 2004(?), 2005, 2006, 2007 SUSE Linux Products GmbH
+# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
 #
 # Authors: Rolf Haberrecker , 2001
-# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007
+# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007, 2008
 #
 #
 # /etc/init.d/apache2