Accepting request 961736 from Apache

OBS-URL: https://build.opensuse.org/request/show/961736
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=193

apache-test-DirectorySlash-NotFound-logic.patch

@@ -1,19 +0,0 @@
---- a/httpd-framework/t/modules/dir.t.orig	2021-11-24 10:37:58.688525957 +0000
-+++ b/httpd-framework/t/modules/dir.t	2021-11-24 10:38:15.568621991 +0000
-@@ -98,12 +98,12 @@ $res = GET "/modules/dir/htaccess", redi
- ok ($res->code == 403);
- 
- if (have_min_apache_version('2.5.1')) { 
--    skip("missing DirectorySlash NotFound");
--}
--else { 
-     $res = GET "/modules/dir/htaccess/sub1", redirect_ok => 0;
-     ok ($res->code == 404);
- }
-+else { 
-+    skip("missing DirectorySlash NotFound");
-+}
- 
- 
- sub write_htaccess {
-

apache2-perl-io-socket.patch

@@ -1,37 +0,0 @@
---- httpd/test/framework/trunk/t/ssl/ocsp.t	2022/01/10 15:44:45	1896888
-+++ httpd/test/framework/trunk/t/ssl/ocsp.t	2022/01/10 18:08:12	1896889
-@@ -32,13 +32,21 @@ sok {
-     $r = GET $url, cert => undef;
-     my $message = $r->content() || '';
-     my $warning = $r->header('Client-Warning') || '';
-+    print "warning: $warning\n";
-+    print "message: $message";
-+    print "response:\n";
-     print $r->as_string;
-     $r->code == 500 && $warning =~ 'Internal response' &&
--        $message =~ /alert handshake failure|read failed/;
-+        $message =~ /alert handshake failure|read failed|closed connection without sending any data/;
- };
- 
- sok {
-     $r = GET $url, cert => 'client_ok';
-+    my $warning = $r->header('Client-Warning') || '';
-+    my $message = $r->content() || '';
-+    print "warning: $warning\n";
-+    print "message: $message";
-+    print "response:\n";
-     print $r->as_string;
-     $r->code == 200;
- };
-@@ -47,7 +55,10 @@ sok {
-     $r = GET $url, cert => 'client_revoked';
-     my $message = $r->content() || '';
-     my $warning = $r->header('Client-Warning') || '';
-+    print "warning: $warning\n";
-+    print "message: $message";
-+    print "response:\n";
-     print $r->as_string;
-     $r->code == 500 && $warning =~ 'Internal response' &&
--        $message =~ /alert certificate revoked|read failed/;
-+        $message =~ /alert handshake failure|read failed|closed connection without sending any data/;
- };

apache2.changes

@@ -1,3 +1,82 @@
+-------------------------------------------------------------------
+Mon Mar 14 12:19:36 UTC 2022 - pgajdos@suse.com
+
+- httpd-framework updated to svn1898917
+- deleted patches
+  - apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
+  - apache2-perl-io-socket.patch (upstreamed)
+
+-------------------------------------------------------------------
+Mon Mar 14 11:20:53 UTC 2022 - pgajdos@suse.com
+
+- version update to 2.4.53
+  *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
+     (cve.mitre.org)
+     Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
+     Server allows an attacker to overwrite heap memory with possibly
+     attacker provided data.
+     This issue affects Apache HTTP Server 2.4 version 2.4.52 and
+     prior versions.
+     Credits: Ronald Crane (Zippenhop LLC)
+  *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
+     very large or unlimited LimitXMLRequestBody (cve.mitre.org)
+     If LimitXMLRequestBody is set to allow request bodies larger
+     than 350MB (defaults to 1M) on 32 bit systems an integer
+     overflow happens which later causes out of bounds writes.
+     This issue affects Apache HTTP Server 2.4.52 and earlier.
+     Credits: Anonymous working with Trend Micro Zero Day Initiative
+  *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
+     in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
+     Apache HTTP Server 2.4.52 and earlier fails to close inbound
+     connection when errors are encountered discarding the request
+     body, exposing the server to HTTP Request Smuggling
+     Credits: James Kettle <james.kettle portswigger.net>
+  *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
+     in r:parsebody (cve.mitre.org)
+     A carefully crafted request body can cause a read to a random
+     memory area which could cause the process to crash.
+     This issue affects Apache HTTP Server 2.4.52 and earlier.
+     Credits: Chamal De Silva
+  *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
+     [Ruediger Pluem, Yann Ylavic]
+  *) core: Simpler connection close logic if discarding the request body fails.
+     [Yann Ylavic, Ruediger Pluem]
+  *) mod_http2: preserve the port number given in a HTTP/1.1
+     request that was Upgraded to HTTP/2. Fixes PR65881.
+     [Stefan Eissing]
+  *) mod_proxy: Allow for larger worker name.  PR 53218.  [Yann Ylavic]
+  *) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
+     an attempt to load a dbm driver fails, log clearly which driver triggered
+     the error (not "default"), and what the error was. [Graham Leggett]
+  *) mod_proxy: Use the maxium of front end and backend timeouts instead of the
+     minimum when tunneling requests (websockets, CONNECT requests).
+     Backend timeouts can be configured more selectively (per worker if needed)
+     as front end timeouts and typically the backend timeouts reflect the
+     application requirements better.  PR 65886 [Ruediger Pluem]
+  *) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
+     when an efficient TLS implementation is available. [Yann Ylavic]
+  *) core, mod_info: Add compiled and loaded PCRE versions to version
+     number display.  [Rainer Jung]
+  *) mod_md: do not interfere with requests to /.well-known/acme-challenge/
+     resources if challenge type 'http-01' is not configured for a domain.
+     Fixes <https://github.com/icing/mod_md/issues/279>.
+     [Stefan Eissing]
+  *) mod_dav: Fix regression when gathering properties which could lead to huge
+     memory consumption proportional to the number of resources.
+     [Evgeny Kotkov, Ruediger Pluem]
+  *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
+     for regular expression evaluation. This depends on locating pcre2-config.
+     [William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]
+  *) Add the ldap function to the expression API, allowing LDAP filters and
+     distinguished names based on expressions to be escaped correctly to
+     guard against LDAP injection. [Graham Leggett]
+  *) mod_md: the status description in MDomain's JSON, exposed in the
+     md-status handler (if configured) did sometimes not carry the correct
+     message when certificates needed renew.
+     [Stefan Eissing]
+  *) mpm_event: Fix a possible listener deadlock on heavy load when restarting
+     and/or reaching MaxConnectionsPerChild.  PR 65769.  [Yann Ylavic]
+
 -------------------------------------------------------------------
 Thu Jan 27 13:57:47 UTC 2022 - pgajdos@suse.com
 

apache2.spec

@@ -18,7 +18,7 @@
 
 %global upstream_name   httpd
 %global testsuite_name  %{upstream_name}-framework
-%global tversion        svn1894461
+%global tversion        svn1898917
 %global flavor          @BUILD_FLAVOR@%{nil}
 %define mpm             %{nil}
 %if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork"
@@ -115,7 +115,7 @@
 %endif
 
 Name:           apache2%{psuffix}
-Version:        2.4.52
+Version:        2.4.53
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0
@@ -198,10 +198,6 @@ Patch100:       apache-test-application-xml-type.patch
 # even if in live system I do not experience this inconsistency, let's turn off
 # these variables from the test
 Patch101:       apache-test-turn-off-variables-in-ssl-var-lookup.patch
-# PATCH:    reverted logic, DirectorySlash NotFound is available in trunk onlyyet
-Patch102:       apache-test-DirectorySlash-NotFound-logic.patch
-# https://svn.apache.org/viewvc?view=revision&revision=1896889
-Patch103:       apache2-perl-io-socket.patch
 BuildRequires:  apache-rpm-macros-control
 #Since 2.4.7 the event MPM requires apr 1.5.0 or later.
 BuildRequires:  apr-devel >= 1.5.0
@@ -330,10 +326,6 @@ provides HTTP services in sync with the current HTTP standards.
 %patch4 -p1
 %patch100 -p1
 %patch101 -p1
-%patch102 -p1
-(cd httpd-framework
-%patch103 -p4
-)
 
 #
 # BUILD

httpd-2.4.52.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9
-size 7439184

httpd-2.4.52.tar.bz2.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmG7Q+8ACgkQ03fJ59GU
-TGbpCA/+Ne63eHZTIxNF86FN6rOXgCvoIGPcc8SCpJ3h9k3rfCdltB/Mwnmz93R8
-Eo0djI/jCdfQsrmw+4IALIVpH6WsVHLnFbR2gk5wY9Kv5SDoMNs8iNUKAa23yQ9y
-JNN3W9Bw3O3q7RhfK8a5jSCAVkKw4gxNPGu+4x6QwHZOCrCoXJdKjoWAPSdE6L2p
-RQDBAW+wHmqwh2HBrM4WZhWaj6Eer7UbV1ir7nIGXmCz0f5ekiADJA4c6aWHV5PL
-EBIHbRsSzhgvK0ZtLeR1oOQAZfsNJT2BMjk5M/8yanAyUxnOGcNdRRSBMk1XPbxa
-EhBujT9KuSAq1jk5FbwgzP1l+Yq2Gxxsh2a4UK7K7AaJV8macQtVDUq4TfYKIk8R
-hnXweflKw9nonxaYOiNwhtLE3FFMg7XozrNPImc2abLT/wDE/N6LPI2NMf4FWAkm
-XkQ5yzy5Nxs/MybIJs/YJQjLCrfDD8hbUcqPp6445YqJsiXAQ3vhMy755maI2ciz
-xXBe0xhq9kEILIUCynCpPZE8eCKEGjFr/hWfaYZR32GVceAmHV9GiDoD5K6dqk6z
-00TCNbfjY5hXzEkigLd1g2ZKp/d8tsG0NUw1SoXfXSdlK0ugMTkmqqZxcekvGOk9
-UcpKyzkxdqCywfwYFKmYsLi6cKFBXAlRq0K89vg4glC2cedVu9Y=
-=Fz0f
------END PGP SIGNATURE-----

httpd-2.4.53.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63
+size 7431942

httpd-2.4.53.tar.bz2.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmIotxoACgkQ03fJ59GU
+TGbaAQ//TeVio63uLRIhyhW4qoUlGCL4KfCyY3aj5Yh6JGea9lYdioZ4JdHJan2y
+IYRuF7B2S/MgfWESsEkPq8Nh0+ym78ZObdTFsskUF9so3+3WN9szQwTP/9suNd4+
+fv1vOKKGdy2h4hakR+E182A8gJ9FO6FabiETLvPvYVma3+5Zd2duzyvAOAQUDvkj
+JhFXYVQCrWfiJN7gARePAzZyxbfWd5QVQMuCiWSIQ2PG0SkfQa07CsEiDiN8r8fZ
+NGpNmyfUNqz4aUkBssNr0rVfmLzG2vicrfWaOgyS0rAEqn7fYhgF3s9k5y2htgOu
+mdv2TPYl39NBf3uQNtR5tTUCPaop2GvH1GMJnz18W2fpessscHsuWiqeVVNUDmvV
+zrFWlH2ehYPIOt07moP80nWJzpP7F5BGSG3DqcXPSG1JM/TM8uC3dgbC7k26i3vh
++8ypE1unHjop4nGff4cSkGeC5W2PkXrYNJC8xyjwbT098Q+Z8kAcO8TLpdaSx6tf
+fI/9IwX+2uOhGx+ZHok0BSX0EpGK+i51Kspih++AcNaf6T4urXKdrpEgNm4jdHw7
+maCHPDelUMyxffBM/Jl8/VZD+SHuhK2LzPBFGOJdNhbNKzdkfg5TaxhfIywvV1T6
+JzRtvx/HoglaqCNFsBqflWpctC5dS2DeKEbP9FaDbqfxLmxp/G8=
+=7fpY
+-----END PGP SIGNATURE-----

httpd-framework-svn1894461.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8536f6794f8ca000c2722e227c7ad6e17b33f8aeb0a5ce7662b4be110877733d
-size 1581270

httpd-framework-svn1898917.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e0b49ceac5780f010a6695608fc0e62d45101a8efc395ea656b47ae225a3dfb1
+size 729713