Accepting request 1060451 from Apache

OBS-URL: https://build.opensuse.org/request/show/1060451
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=200

apache2.changes

@@ -1,3 +1,138 @@
+-------------------------------------------------------------------
+Wed Jan 18 21:54:41 UTC 2023 - David Anes <david.anes@suse.com>
+
+- Update to 2.4.55:
+    *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
+      2.4.55 allows a backend to trigger HTTP response splitting
+      (cve.mitre.org)
+      Prior to Apache HTTP Server 2.4.55, a malicious backend can
+      cause the response headers to be truncated early, resulting in
+      some headers being incorporated into the response body. If the
+      later headers have any security purpose, they will not be
+      interpreted by the client.
+      Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
+
+    *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
+      Possible request smuggling (cve.mitre.org)
+      Inconsistent Interpretation of HTTP Requests ('HTTP Request
+      Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
+      allows an attacker to smuggle requests to the AJP server it
+      forwards requests to.  This issue affects Apache HTTP Server
+      Apache HTTP Server 2.4 version 2.4.54 and prior versions.
+      Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
+      at Qi'anxin Group
+
+    *) SECURITY: CVE-2006-20001: mod_dav out of  bounds read, or write
+      of zero byte (cve.mitre.org)
+      A carefully crafted If: request header can cause a memory read,
+      or write of a single zero byte, in a pool (heap) memory location
+      beyond the header value sent. This could cause the process to
+      crash.
+      This issue affects Apache HTTP Server 2.4.54 and earlier.
+
+    *) mod_dav: Open the lock database read-only when possible.
+      PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
+
+    *) mod_proxy_http2: apply the standard httpd content type handling
+      to responses from the backend, as other proxy modules do. Fixes PR 66391.
+      Thanks to Jérôme Billiras for providing the patch.
+      [Stefan Eissing]
+
+    *) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
+      [Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
+      <alejandro.alvarez.ayllon cern.ch>]
+
+    *) mod_proxy_hcheck: Honor worker timeout settings.  [Yann Ylavic]
+
+    *) mod_http2: version 2.0.10 of the module, synchronizing changes
+      with the gitgub version. This is a partial rewrite of how connections
+      and streams are handled.
+      - an APR pollset and pipes (where supported) are used to monitor
+        the main connection and react to IO for request/response handling.
+        This replaces the stuttered timed waits of earlier versions.
+      - H2SerializeHeaders directive still exists, but has no longer an effect.
+      - Clients that seemingly misbehave still get less resources allocated,
+        but ongoing requests are no longer disrupted.
+      - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
+        were overwritten instead of preserved. [PR by @daum3ns]
+      - A regression in v1.15.24 was fixed that could lead to httpd child
+        processes not being terminated on a graceful reload or when reaching
+        MaxConnectionsPerChild. When unprocessed h2 requests were queued at
+        the time, these could stall. See #212.
+      - Improved information displayed in 'server-status' for H2 connections when
+        Extended Status is enabled. Now one can see the last request that IO
+        operations happened on and transferred IO stats are updated as well.
+      - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
+        send a GOAWAY frame much too early on new connections, leading to invalid
+        protocol state and a client failing the request. See PR65731 at
+        <https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
+        The module now initializes the HTTP/2 protocol correctly and allows the
+        client to submit one request before the shutdown via a GOAWAY frame
+        is being announced.
+      - :scheme pseudo-header values, not matching the
+        connection scheme, are forwarded via absolute uris to the
+        http protocol processing to preserve semantics of the request.
+        Checks on combinations of pseudo-headers values/absence
+        have been added as described in RFC 7540. Fixes #230.
+      - A bug that prevented trailers (e.g. HEADER frame at the end) to be
+        generated in certain cases was fixed. See #233 where it prevented
+        gRPC responses to be properly generated.
+      - Request and response header values are automatically stripped of leading
+        and trialing space/tab characters. This is equivalent behaviour to what
+        Apache httpd's http/1.1 parser does.
+        The checks for this in nghttp2 v1.50.0+ are disabled.
+      - Extensive testing in production done by Alessandro Bianchi (@alexskynet)
+        on the v2.0.x versions for stability. Many thanks!
+    *) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
+      request ':authority' is known. Improved test case that did not catch that
+      the previous 'fix' was incorrect.
+
+    *) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
+      using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
+
+    *) mod_proxy: The AH03408 warning for a forcibly closed backend
+      connection is now logged at INFO level.  [Yann Ylavic]
+
+    *) mod_ssl: When dumping the configuration, the existence of
+      certificate/key files is no longer tested.  [Joe Orton]
+
+    *) mod_authn_core: Add expression support to AuthName and AuthType.
+      [Graham Leggett]
+
+    *) mod_ssl: when a proxy connection had handled a request using SSL, an
+      error was logged when "SSLProxyEngine" was only configured in the
+      location/proxy section and not the overall server. The connection
+      continued to work, the error log was in error. Fixed PR66190.
+      [Stefan Eissing]
+
+    *) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
+      [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
+
+    *) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
+      [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
+
+    *) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
+
+    *) mod_md: a new directive `MDStoreLocks` can be used on cluster
+      setups with a shared file system for `MDStoreDir` to order
+      activation of renewed certificates when several cluster nodes are
+      restarted at the same time. Store locks are not enabled by default.
+      Restored curl_easy cleanup behaviour from v2.4.14 and refactored
+      the use of curl_multi for OCSP requests to work with that.
+      Fixes <https://github.com/icing/mod_md/issues/293>.
+
+    *) core: Avoid an overflow on large inputs in ap_is_matchexp.  PR 66033
+      [Ruediger Pluem]
+
+    *) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
+      storage instead of slotmem. Needed after setting
+      HeartbeatMaxServers default to the documented value 10 in 2.4.54.
+      PR 66131.  [Jérôme Billiras]
+
+    *) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
+      This is a game changer for performances if client use PROPFIND a lot,
+      PR 66313. [Emmanuel Dreyfus]
+
 -------------------------------------------------------------------
 Mon Dec 12 08:58:58 UTC 2022 - Dirk Müller <dmueller@suse.com>
 

apache2.spec

@@ -1,7 +1,7 @@
 #
 # spec file
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -107,7 +107,7 @@
 %define build_http2 1
 
 Name:           apache2%{psuffix}
-Version:        2.4.54
+Version:        2.4.55
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0

httpd-2.4.54.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:eb397feeefccaf254f8d45de3768d9d68e8e73851c49afd5b7176d1ecf80c340
-size 7434530

httpd-2.4.54.tar.bz2.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmKeDckACgkQ03fJ59GU
-TGZzxA/+PAjEiG34ZvJwlKfuGUUdn25V5UaNW7Mxms7Q+PM/hx1q8GyZ0j9dFfTJ
-F8qbB+39dAJDcj6QyJxXUQFooDJ00ZrA/qOQyWjKEvtYkvGePxOZBYdW2sxk1+O8
-Kl3AwLE6ijLYeNJfvJSspWOMknA8FA3gspWltaZ88rVB+Dqu5+hvis3SP1CSpVyx
-OedsxUrqdOa5LkXs9WoBNIR9anukf8vVncGlgo8veSwblUCYx2jW2KCqMKMEkR1j
-6ErMsiySMUhK3QpY5SXQjX0hocnV/2TSRrj9q/1ppX/IXRQOixiyAb4go3bOMsLq
-ixE0Cmokt4vAz5scaK74/tD+74rL/cKCh1f/OwNnm/LQch0XCoGU/kExm3aCYVPT
-gTdxGysKI4+0WKb2rP5JrfDQqjzPrUzpQ+Vc0h7+4dzvbDAptWLb7893VTs4weJY
-r6hpSsAZZwPHWv5dO21+rrExEyVup7Q6DeMg8QYtuVkAHeKPaitolI1yGMnPwPjO
-uwei49zC4vUiD9RX59KBxSGDf/+4iXVKRVgk46piSEOfYN4Q9YfM2LSEPth3QjaD
-sJwgHW+w4/B/z/LNLtr79H1dDVr2tfMb1GQ6wIkzKPxkevV5SbNB8MeAW+MH02wM
-0xJQgbl/lyCS/PHt04OgI28vg55CzrU5RdTJxs+KgH9x5Kat7d4=
-=pokb
------END PGP SIGNATURE-----

httpd-2.4.55.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:11d6ba19e36c0b93ca62e47e6ffc2d2f2884942694bce0f23f39c71bdc5f69ac
+size 7456187

httpd-2.4.55.tar.bz2.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmO9aoMACgkQgngd5G1Z
+VPpJrw//fJaMh9b5EdKeOZZXXjMNqn3+SM6HxivWNvfnB3vuhFodInWpAeojJTON
+0VArc+VGDykFJX8bT0FtBOqAWZl72iX8Jrqv0rLarX7TdFKHJYIc068tpGpjDA+S
+qJqueKA4rwSmv8hwVzHmqyucLuUPZSxMZ/SU0+sOv0vR3+t3aNSZ0ZyIwUTGgTMx
+fC4h89yC9AoFRPg3Xly9EzLRpajGAcnCjflxTSx9s9UWvyokMEkhO3KuEVJsimIK
+8EkTEnProrWV4uGQxX2Igbw8bmhQZ913vA6UoH4KR4PA05GDqmtZBpOVcHppkNG7
+Z2oTvdAVXYgb2ssieBnO6NJ6Xud5X1Btxr3Oy08F5kngCvBjM2NT7hXrHcbUW/fO
+rygL3OLx9lNHAWXfYgGtY9YHqzf6n6mWcedbzH9OJj722RGkvnUIWxsGNbo1WHa4
+EFciU8pkNhgEUTn/qWdCYINxv112BQH5Y4KmDjt7avAGAGc/m4vHYDpFhKHeDuw6
+HICAMMs/Lu5qMzW7aQ/FttHXqtE3lMxLwqB2ml63lzB4sBVYiuUJ2Lj0+UdTk3PG
+keZo+U2QnWi4DgdH6RV6dyNIs8OAdMlE8lfUDouo5i+r+MKkbmsOZdlK0HvnXEWg
+95aYnIbmyQ3rHdLI+ex45jNnU7wM0KFGEPq7P08GeBsfdC/MqZQ=
+=xtRh
+-----END PGP SIGNATURE-----