Accepting request 981544 from home:david.anes:branches:Apache

Merge sroeder (details about CVEs) and pgajdos requests.

- update httpd-framework to svn revision 1898917

- version update to 2.4.54
  Changes with Apache 2.4.54
    *) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
       hop-by-hop mechanism (cve.mitre.org)
       Apache HTTP Server 2.4.53 and earlier may not send the
       X-Forwarded-* headers to the origin server based on client side
       Connection header hop-by-hop mechanism.
       This may be used to bypass IP based authentication on the origin
       server/application.
       Credits: The Apache HTTP Server project would like to thank
       Gaetan Ferry (Synacktiv) for reporting this issue
    *) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
       websockets (cve.mitre.org)
       Apache HTTP Server 2.4.53 and earlier may return lengths to
       applications calling r:wsread() that point past the end of the
       storage allocated for the buffer.
       Credits: The Apache HTTP Server project would like to thank
       Ronald Crane (Zippenhop LLC) for reporting this issue
    *) SECURITY: CVE-2022-30522: mod_sed denial of service
       (cve.mitre.org)
       If Apache HTTP Server 2.4.53 is configured to do transformations
       with mod_sed in contexts where the input to mod_sed may be very
       large, mod_sed may make excessively large memory allocations and
       trigger an abort.
       Credits: This issue was found by Brian Moussalli from the JFrog
       Security Research team
    *) SECURITY: CVE-2022-29404: Denial of service in mod_lua
       r:parsebody (cve.mitre.org)

OBS-URL: https://build.opensuse.org/request/show/981544
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=670

apache2.changes

@@ -1,3 +1,146 @@
+-------------------------------------------------------------------
+Wed Jun  8 11:26:13 UTC 2022 - pgajdos@suse.com
+
+- update httpd-framework to svn revision 1898917
+
+-------------------------------------------------------------------
+Wed Jun  8 10:06:34 UTC 2022 - pgajdos@suse.com
+
+- version update to 2.4.54
+  Changes with Apache 2.4.54
+    *) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
+       hop-by-hop mechanism (cve.mitre.org)
+       Apache HTTP Server 2.4.53 and earlier may not send the
+       X-Forwarded-* headers to the origin server based on client side
+       Connection header hop-by-hop mechanism.
+       This may be used to bypass IP based authentication on the origin
+       server/application.
+       Credits: The Apache HTTP Server project would like to thank
+       Gaetan Ferry (Synacktiv) for reporting this issue
+    *) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
+       websockets (cve.mitre.org)
+       Apache HTTP Server 2.4.53 and earlier may return lengths to
+       applications calling r:wsread() that point past the end of the
+       storage allocated for the buffer.
+       Credits: The Apache HTTP Server project would like to thank
+       Ronald Crane (Zippenhop LLC) for reporting this issue
+    *) SECURITY: CVE-2022-30522: mod_sed denial of service
+       (cve.mitre.org)
+       If Apache HTTP Server 2.4.53 is configured to do transformations
+       with mod_sed in contexts where the input to mod_sed may be very
+       large, mod_sed may make excessively large memory allocations and
+       trigger an abort.
+       Credits: This issue was found by Brian Moussalli from the JFrog
+       Security Research team
+    *) SECURITY: CVE-2022-29404: Denial of service in mod_lua
+       r:parsebody (cve.mitre.org)
+       In Apache HTTP Server 2.4.53 and earlier, a malicious request to
+       a lua script that calls r:parsebody(0) may cause a denial of
+       service due to no default limit on possible input size.
+       Credits: The Apache HTTP Server project would like to thank
+       Ronald Crane (Zippenhop LLC) for reporting this issue
+    *) SECURITY: CVE-2022-28615: Read beyond bounds in
+       ap_strcmp_match() (cve.mitre.org)
+       Apache HTTP Server 2.4.53 and earlier may crash or disclose
+       information due to a read beyond bounds in ap_strcmp_match()
+       when provided with an extremely large input buffer.  While no
+       code distributed with the server can be coerced into such a
+       call, third-party modules or lua scripts that use
+       ap_strcmp_match() may hypothetically be affected.
+       Credits: The Apache HTTP Server project would like to thank
+       Ronald Crane (Zippenhop LLC) for reporting this issue
+    *) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
+       (cve.mitre.org)
+       The ap_rwrite() function in Apache HTTP Server 2.4.53 and
+       earlier may read unintended memory if an attacker can cause the
+       server to reflect very large input using ap_rwrite() or
+       ap_rputs(), such as with mod_luas r:puts() function.
+       Credits: The Apache HTTP Server project would like to thank
+       Ronald Crane (Zippenhop LLC) for reporting this issue
+    *) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
+       (cve.mitre.org)
+       Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
+       bounds when configured to process requests with the mod_isapi
+       module.
+       Credits: The Apache HTTP Server project would like to thank
+       Ronald Crane (Zippenhop LLC) for reporting this issue
+    *) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
+       smuggling (cve.mitre.org)
+       Inconsistent Interpretation of HTTP Requests ('HTTP Request
+       Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
+       allows an attacker to smuggle requests to the AJP server it
+       forwards requests to.  This issue affects Apache HTTP Server
+       Apache HTTP Server 2.4 version 2.4.53 and prior versions.
+       Credits: Ricter Z @ 360 Noah Lab
+    *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.  PR 66063.
+       [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
+    *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
+       PR 65666.  [Yann Ylavic]
+    *) mod_md:  a bug was fixed that caused very large MDomains
+       with the combined DNS names exceeding ~7k to fail, as
+       request bodies would contain partially wrong data from
+       uninitialized memory. This would have appeared as failure
+       in signing-up/renewing such configurations.
+       [Stefan Eissing, Ronald Crane (Zippenhop LLC)]
+    *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
+       PR 65666.  [Yann Ylavic]
+    *) MPM event: Restart children processes killed before idle maintenance.
+       PR 65769.  [Yann Ylavic, Ruediger Pluem]
+    *) ab: Allow for TLSv1.3 when the SSL library supports it.
+       [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]
+    *) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
+       transmission delays.  PR 66019.  [Yann Ylavic]
+    *) MPM event: Fix accounting of active/total processes on ungraceful restart,
+       PR 66004 (follow up to PR 65626 from 2.4.52).  [Yann Ylavic]
+    *) core: make ap_escape_quotes() work correctly on strings
+       with more than MAX_INT/2 characters, counting quotes double.
+       Credit to <generalbugs@zippenhop.com> for finding this.
+       [Stefan Eissing]
+    *) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
+       an ACME CA. This gives a failover for renewals when several consecutive attempts
+       to get a certificate failed.
+       A new directive was added: `MDRetryDelay` sets the delay of retries.
+       A new directive was added: `MDRetryFailover` sets the number of errored
+       attempts before an alternate CA is selected for certificate renewals.
+       [Stefan Eissing]
+    *) mod_http2: remove unused and insecure code. Fixes PR66037.
+       Thanks to Ronald Crane (Zippenhop LLC) for reporting this.
+       [Stefan Eissing]
+    *) mod_proxy: Add backend port to log messages to
+       ease identification of involved service.  [Rainer Jung]
+    *) mod_http2: removing unscheduling of ongoing tasks when
+       connection shows potential abuse by a client. This proved
+       counter-productive and the abuse detection can false flag
+       requests using server-side-events.
+       Fixes <https://github.com/icing/mod_h2/issues/231>.
+       [Stefan Eissing]
+    *) mod_md: Implement full auto status ("key: value" type status output).
+       Especially not only status summary counts for certificates and
+       OCSP stapling but also lists. Auto status format is similar to
+       what was used for mod_proxy_balancer.
+       [Rainer Jung]
+    *) mod_md: fixed a bug leading to failed transfers for OCSP
+       stapling information when more than 6 certificates needed
+       updates in the same run.  [Stefan Eissing]
+    *) mod_proxy: Set a status code of 502 in case the backend just closed the
+       connection in reply to our forwarded request.  [Ruediger Pluem]
+    *) mod_md: a possible NULL pointer deref was fixed in
+       the JSON code for persisting time periods (start+end).
+       Fixes #282 on mod_md's github.
+       Thanks to @marcstern for finding this.  [Stefan Eissing]
+    *) mod_heartmonitor: Set the documented default value
+       "10" for HeartbeatMaxServers instead of "0". With "0"
+       no shared memory slotmem was initialized.  [Rainer Jung]
+    *) mod_md: added support for managing certificates via a
+       local tailscale daemon for users of that secure networking.
+       This gives trusted certificates for tailscale assigned
+       domain names in the *.ts.net space.
+       [Stefan Eissing]
+- modified patches
+  % apache-test-application-xml-type.patch (refreshed)
+  % apache-test-turn-off-variables-in-ssl-var-lookup.patch (refreshed)
+  % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed)
+
 -------------------------------------------------------------------
 Mon Mar 14 12:19:36 UTC 2022 - pgajdos@suse.com
 

apache2.spec

@@ -18,7 +18,7 @@
 
 %global upstream_name   httpd
 %global testsuite_name  %{upstream_name}-framework
-%global tversion        svn1898917
+%global tversion        svn1901574
 %global flavor          @BUILD_FLAVOR@%{nil}
 %define mpm             %{nil}
 %if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork"
@@ -103,19 +103,11 @@
 %define psuffix      -%{flavor}
 %endif
 
-%if 0%{?suse_version} >= 1500
 %define use_firewalld 1
-%else
-%define use_firewalld 0
-%endif
-%if 0%{?suse_version} >= 1500 || 0%{?is_opensuse}
 %define build_http2 1
-%else
-%define build_http2 0
-%endif
 
 Name:           apache2%{psuffix}
-Version:        2.4.53
+Version:        2.4.54
 Release:        0
 Summary:        The Apache HTTPD Server
 License:        Apache-2.0

httpd-2.4.53.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63
-size 7431942

httpd-2.4.53.tar.bz2.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - https://gpgtools.org
-
-iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmIotxoACgkQ03fJ59GU
-TGbaAQ//TeVio63uLRIhyhW4qoUlGCL4KfCyY3aj5Yh6JGea9lYdioZ4JdHJan2y
-IYRuF7B2S/MgfWESsEkPq8Nh0+ym78ZObdTFsskUF9so3+3WN9szQwTP/9suNd4+
-fv1vOKKGdy2h4hakR+E182A8gJ9FO6FabiETLvPvYVma3+5Zd2duzyvAOAQUDvkj
-JhFXYVQCrWfiJN7gARePAzZyxbfWd5QVQMuCiWSIQ2PG0SkfQa07CsEiDiN8r8fZ
-NGpNmyfUNqz4aUkBssNr0rVfmLzG2vicrfWaOgyS0rAEqn7fYhgF3s9k5y2htgOu
-mdv2TPYl39NBf3uQNtR5tTUCPaop2GvH1GMJnz18W2fpessscHsuWiqeVVNUDmvV
-zrFWlH2ehYPIOt07moP80nWJzpP7F5BGSG3DqcXPSG1JM/TM8uC3dgbC7k26i3vh
-+8ypE1unHjop4nGff4cSkGeC5W2PkXrYNJC8xyjwbT098Q+Z8kAcO8TLpdaSx6tf
-fI/9IwX+2uOhGx+ZHok0BSX0EpGK+i51Kspih++AcNaf6T4urXKdrpEgNm4jdHw7
-maCHPDelUMyxffBM/Jl8/VZD+SHuhK2LzPBFGOJdNhbNKzdkfg5TaxhfIywvV1T6
-JzRtvx/HoglaqCNFsBqflWpctC5dS2DeKEbP9FaDbqfxLmxp/G8=
-=7fpY
------END PGP SIGNATURE-----

httpd-2.4.54.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:eb397feeefccaf254f8d45de3768d9d68e8e73851c49afd5b7176d1ecf80c340
+size 7434530

httpd-2.4.54.tar.bz2.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Comment: GPGTools - https://gpgtools.org
+
+iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmKeDckACgkQ03fJ59GU
+TGZzxA/+PAjEiG34ZvJwlKfuGUUdn25V5UaNW7Mxms7Q+PM/hx1q8GyZ0j9dFfTJ
+F8qbB+39dAJDcj6QyJxXUQFooDJ00ZrA/qOQyWjKEvtYkvGePxOZBYdW2sxk1+O8
+Kl3AwLE6ijLYeNJfvJSspWOMknA8FA3gspWltaZ88rVB+Dqu5+hvis3SP1CSpVyx
+OedsxUrqdOa5LkXs9WoBNIR9anukf8vVncGlgo8veSwblUCYx2jW2KCqMKMEkR1j
+6ErMsiySMUhK3QpY5SXQjX0hocnV/2TSRrj9q/1ppX/IXRQOixiyAb4go3bOMsLq
+ixE0Cmokt4vAz5scaK74/tD+74rL/cKCh1f/OwNnm/LQch0XCoGU/kExm3aCYVPT
+gTdxGysKI4+0WKb2rP5JrfDQqjzPrUzpQ+Vc0h7+4dzvbDAptWLb7893VTs4weJY
+r6hpSsAZZwPHWv5dO21+rrExEyVup7Q6DeMg8QYtuVkAHeKPaitolI1yGMnPwPjO
+uwei49zC4vUiD9RX59KBxSGDf/+4iXVKRVgk46piSEOfYN4Q9YfM2LSEPth3QjaD
+sJwgHW+w4/B/z/LNLtr79H1dDVr2tfMb1GQ6wIkzKPxkevV5SbNB8MeAW+MH02wM
+0xJQgbl/lyCS/PHt04OgI28vg55CzrU5RdTJxs+KgH9x5Kat7d4=
+=pokb
+-----END PGP SIGNATURE-----

httpd-framework-svn1898917.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e0b49ceac5780f010a6695608fc0e62d45101a8efc395ea656b47ae225a3dfb1
-size 729713