Accepting request 961736 from Apache

OBS-URL: https://build.opensuse.org/request/show/961736 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=193
2022-03-15 18:04:18 +00:00 · 2022-03-15 18:04:18 +00:00 · a542458269
commit a542458269
parent 45237a9f55 76648b0e0d
10 changed files with 104 additions and 89 deletions
--- a/apache-test-DirectorySlash-NotFound-logic.patch
+++ b/apache-test-DirectorySlash-NotFound-logic.patch
@ -1,19 +0,0 @@
 --- a/httpd-framework/t/modules/dir.t.orig	2021-11-24 10:37:58.688525957 +0000
 +++ b/httpd-framework/t/modules/dir.t	2021-11-24 10:38:15.568621991 +0000
@@ -98,12 +98,12 @@ $res = GET "/modules/dir/htaccess", redi
 ok ($res->code == 403);
 if (have_min_apache_version('2.5.1')) { 
 -    skip("missing DirectorySlash NotFound");
 -}
 -else { 
     $res = GET "/modules/dir/htaccess/sub1", redirect_ok => 0;
     ok ($res->code == 404);
 }
 +else { 
 +    skip("missing DirectorySlash NotFound");
 +}
 sub write_htaccess {
--- a/apache2-perl-io-socket.patch
+++ b/apache2-perl-io-socket.patch
@ -1,37 +0,0 @@
 --- httpd/test/framework/trunk/t/ssl/ocsp.t	2022/01/10 15:44:45	1896888
 +++ httpd/test/framework/trunk/t/ssl/ocsp.t	2022/01/10 18:08:12	1896889
@@ -32,13 +32,21 @@ sok {
     $r = GET $url, cert => undef;
     my $message = $r->content() || '';
     my $warning = $r->header('Client-Warning') || '';
 +    print "warning: $warning\n";
 +    print "message: $message";
 +    print "response:\n";
     print $r->as_string;
     $r->code == 500 && $warning =~ 'Internal response' &&
 -        $message =~ /alert handshake failure|read failed/;
 +        $message =~ /alert handshake failure|read failed|closed connection without sending any data/;
 };
 sok {
     $r = GET $url, cert => 'client_ok';
 +    my $warning = $r->header('Client-Warning') || '';
 +    my $message = $r->content() || '';
 +    print "warning: $warning\n";
 +    print "message: $message";
 +    print "response:\n";
     print $r->as_string;
     $r->code == 200;
 };
@@ -47,7 +55,10 @@ sok {
     $r = GET $url, cert => 'client_revoked';
     my $message = $r->content() || '';
     my $warning = $r->header('Client-Warning') || '';
 +    print "warning: $warning\n";
 +    print "message: $message";
 +    print "response:\n";
     print $r->as_string;
     $r->code == 500 && $warning =~ 'Internal response' &&
 -        $message =~ /alert certificate revoked|read failed/;
 +        $message =~ /alert handshake failure|read failed|closed connection without sending any data/;
 };
--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,82 @@
 -------------------------------------------------------------------
 Mon Mar 14 12:19:36 UTC 2022 - pgajdos@suse.com
 - httpd-framework updated to svn1898917
 - deleted patches
  - apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
  - apache2-perl-io-socket.patch (upstreamed)
 -------------------------------------------------------------------
 Mon Mar 14 11:20:53 UTC 2022 - pgajdos@suse.com
 - version update to 2.4.53
  *) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
     (cve.mitre.org)
     Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
     Server allows an attacker to overwrite heap memory with possibly
     attacker provided data.
     This issue affects Apache HTTP Server 2.4 version 2.4.52 and
     prior versions.
     Credits: Ronald Crane (Zippenhop LLC)
  *) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
     very large or unlimited LimitXMLRequestBody (cve.mitre.org)
     If LimitXMLRequestBody is set to allow request bodies larger
     than 350MB (defaults to 1M) on 32 bit systems an integer
     overflow happens which later causes out of bounds writes.
     This issue affects Apache HTTP Server 2.4.52 and earlier.
     Credits: Anonymous working with Trend Micro Zero Day Initiative
  *) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
     in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
     Apache HTTP Server 2.4.52 and earlier fails to close inbound
     connection when errors are encountered discarding the request
     body, exposing the server to HTTP Request Smuggling
     Credits: James Kettle <james.kettle portswigger.net>
  *) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
     in r:parsebody (cve.mitre.org)
     A carefully crafted request body can cause a read to a random
     memory area which could cause the process to crash.
     This issue affects Apache HTTP Server 2.4.52 and earlier.
     Credits: Chamal De Silva
  *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
     [Ruediger Pluem, Yann Ylavic]
  *) core: Simpler connection close logic if discarding the request body fails.
     [Yann Ylavic, Ruediger Pluem]
  *) mod_http2: preserve the port number given in a HTTP/1.1
     request that was Upgraded to HTTP/2. Fixes PR65881.
     [Stefan Eissing]
  *) mod_proxy: Allow for larger worker name.  PR 53218.  [Yann Ylavic]
  *) dbm: Split the loading of a dbm driver from the opening of a dbm file. When
     an attempt to load a dbm driver fails, log clearly which driver triggered
     the error (not "default"), and what the error was. [Graham Leggett]
  *) mod_proxy: Use the maxium of front end and backend timeouts instead of the
     minimum when tunneling requests (websockets, CONNECT requests).
     Backend timeouts can be configured more selectively (per worker if needed)
     as front end timeouts and typically the backend timeouts reflect the
     application requirements better.  PR 65886 [Ruediger Pluem]
  *) ap_regex: Use Thread Local Storage (TLS) to recycle ap_regexec() buffers
     when an efficient TLS implementation is available. [Yann Ylavic]
  *) core, mod_info: Add compiled and loaded PCRE versions to version
     number display.  [Rainer Jung]
  *) mod_md: do not interfere with requests to /.well-known/acme-challenge/
     resources if challenge type 'http-01' is not configured for a domain.
     Fixes <https://github.com/icing/mod_md/issues/279>.
     [Stefan Eissing]
  *) mod_dav: Fix regression when gathering properties which could lead to huge
     memory consumption proportional to the number of resources.
     [Evgeny Kotkov, Ruediger Pluem]
  *) Support pcre2 (10.x) library in place of the now end-of-life pcre (8.x)
     for regular expression evaluation. This depends on locating pcre2-config.
     [William Rowe, Petr Pisar <ppisar redhat.com>, Rainer Jung]
  *) Add the ldap function to the expression API, allowing LDAP filters and
     distinguished names based on expressions to be escaped correctly to
     guard against LDAP injection. [Graham Leggett]
  *) mod_md: the status description in MDomain's JSON, exposed in the
     md-status handler (if configured) did sometimes not carry the correct
     message when certificates needed renew.
     [Stefan Eissing]
  *) mpm_event: Fix a possible listener deadlock on heavy load when restarting
     and/or reaching MaxConnectionsPerChild.  PR 65769.  [Yann Ylavic]
 -------------------------------------------------------------------
 Thu Jan 27 13:57:47 UTC 2022 - pgajdos@suse.com
--- a/apache2.spec
+++ b/apache2.spec
@ -18,7 +18,7 @@
 %global upstream_name   httpd
 %global testsuite_name  %{upstream_name}-framework
-%global tversion        svn1894461
+%global tversion        svn1898917
 %global flavor          @BUILD_FLAVOR@%{nil}
 %define mpm             %{nil}
 %if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork"
@ -115,7 +115,7 @@
 %endif
 Name:           apache2%{psuffix}
-Version:        2.4.52
+Version:        2.4.53
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0
@ -198,10 +198,6 @@ Patch100:       apache-test-application-xml-type.patch
 # even if in live system I do not experience this inconsistency, let's turn off
 # these variables from the test
 Patch101:       apache-test-turn-off-variables-in-ssl-var-lookup.patch
 # PATCH:    reverted logic, DirectorySlash NotFound is available in trunk onlyyet
 Patch102:       apache-test-DirectorySlash-NotFound-logic.patch
 # https://svn.apache.org/viewvc?view=revision&revision=1896889
 Patch103:       apache2-perl-io-socket.patch
 BuildRequires:  apache-rpm-macros-control
 #Since 2.4.7 the event MPM requires apr 1.5.0 or later.
 BuildRequires:  apr-devel >= 1.5.0
@ -330,10 +326,6 @@ provides HTTP services in sync with the current HTTP standards.
 %patch4 -p1
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
 (cd httpd-framework
 %patch103 -p4
 )
 #
 # BUILD
--- a/httpd-2.4.52.tar.bz2
+++ b/httpd-2.4.52.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:0127f7dc497e9983e9c51474bed75e45607f2f870a7675a86dc90af6d572f5c9
 size 7439184
--- a/httpd-2.4.52.tar.bz2.asc
+++ b/httpd-2.4.52.tar.bz2.asc
@ -1,17 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 Comment: GPGTools - https://gpgtools.org
 iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmG7Q+8ACgkQ03fJ59GU
 TGbpCA/+Ne63eHZTIxNF86FN6rOXgCvoIGPcc8SCpJ3h9k3rfCdltB/Mwnmz93R8
 Eo0djI/jCdfQsrmw+4IALIVpH6WsVHLnFbR2gk5wY9Kv5SDoMNs8iNUKAa23yQ9y
 JNN3W9Bw3O3q7RhfK8a5jSCAVkKw4gxNPGu+4x6QwHZOCrCoXJdKjoWAPSdE6L2p
 RQDBAW+wHmqwh2HBrM4WZhWaj6Eer7UbV1ir7nIGXmCz0f5ekiADJA4c6aWHV5PL
 EBIHbRsSzhgvK0ZtLeR1oOQAZfsNJT2BMjk5M/8yanAyUxnOGcNdRRSBMk1XPbxa
 EhBujT9KuSAq1jk5FbwgzP1l+Yq2Gxxsh2a4UK7K7AaJV8macQtVDUq4TfYKIk8R
 hnXweflKw9nonxaYOiNwhtLE3FFMg7XozrNPImc2abLT/wDE/N6LPI2NMf4FWAkm
 XkQ5yzy5Nxs/MybIJs/YJQjLCrfDD8hbUcqPp6445YqJsiXAQ3vhMy755maI2ciz
 xXBe0xhq9kEILIUCynCpPZE8eCKEGjFr/hWfaYZR32GVceAmHV9GiDoD5K6dqk6z
 00TCNbfjY5hXzEkigLd1g2ZKp/d8tsG0NUw1SoXfXSdlK0ugMTkmqqZxcekvGOk9
 UcpKyzkxdqCywfwYFKmYsLi6cKFBXAlRq0K89vg4glC2cedVu9Y=
 =Fz0f
 -----END PGP SIGNATURE-----
--- a/httpd-2.4.53.tar.bz2
+++ b/httpd-2.4.53.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63
 size 7431942
--- a/httpd-2.4.53.tar.bz2.asc
+++ b/httpd-2.4.53.tar.bz2.asc
@ -0,0 +1,17 @@
 -----BEGIN PGP SIGNATURE-----
 Comment: GPGTools - https://gpgtools.org
 iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmIotxoACgkQ03fJ59GU
 TGbaAQ//TeVio63uLRIhyhW4qoUlGCL4KfCyY3aj5Yh6JGea9lYdioZ4JdHJan2y
 IYRuF7B2S/MgfWESsEkPq8Nh0+ym78ZObdTFsskUF9so3+3WN9szQwTP/9suNd4+
 fv1vOKKGdy2h4hakR+E182A8gJ9FO6FabiETLvPvYVma3+5Zd2duzyvAOAQUDvkj
 JhFXYVQCrWfiJN7gARePAzZyxbfWd5QVQMuCiWSIQ2PG0SkfQa07CsEiDiN8r8fZ
 NGpNmyfUNqz4aUkBssNr0rVfmLzG2vicrfWaOgyS0rAEqn7fYhgF3s9k5y2htgOu
 mdv2TPYl39NBf3uQNtR5tTUCPaop2GvH1GMJnz18W2fpessscHsuWiqeVVNUDmvV
 zrFWlH2ehYPIOt07moP80nWJzpP7F5BGSG3DqcXPSG1JM/TM8uC3dgbC7k26i3vh
 +8ypE1unHjop4nGff4cSkGeC5W2PkXrYNJC8xyjwbT098Q+Z8kAcO8TLpdaSx6tf
 fI/9IwX+2uOhGx+ZHok0BSX0EpGK+i51Kspih++AcNaf6T4urXKdrpEgNm4jdHw7
 maCHPDelUMyxffBM/Jl8/VZD+SHuhK2LzPBFGOJdNhbNKzdkfg5TaxhfIywvV1T6
 JzRtvx/HoglaqCNFsBqflWpctC5dS2DeKEbP9FaDbqfxLmxp/G8=
 =7fpY
 -----END PGP SIGNATURE-----
--- a/httpd-framework-svn1894461.tar.bz2
+++ b/httpd-framework-svn1894461.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:8536f6794f8ca000c2722e227c7ad6e17b33f8aeb0a5ce7662b4be110877733d
 size 1581270
--- a/httpd-framework-svn1898917.tar.bz2
+++ b/httpd-framework-svn1898917.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:e0b49ceac5780f010a6695608fc0e62d45101a8efc395ea656b47ae225a3dfb1
 size 729713