diff --git a/apache2.changes b/apache2.changes index 1173650..067faef 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -1,3 +1,146 @@ +------------------------------------------------------------------- +Wed Jun 8 11:26:13 UTC 2022 - pgajdos@suse.com + +- update httpd-framework to svn revision 1898917 + +------------------------------------------------------------------- +Wed Jun 8 10:06:34 UTC 2022 - pgajdos@suse.com + +- version update to 2.4.54 + Changes with Apache 2.4.54 + *) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by + hop-by-hop mechanism (cve.mitre.org) + Apache HTTP Server 2.4.53 and earlier may not send the + X-Forwarded-* headers to the origin server based on client side + Connection header hop-by-hop mechanism. + This may be used to bypass IP based authentication on the origin + server/application. + Credits: The Apache HTTP Server project would like to thank + Gaetan Ferry (Synacktiv) for reporting this issue + *) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with + websockets (cve.mitre.org) + Apache HTTP Server 2.4.53 and earlier may return lengths to + applications calling r:wsread() that point past the end of the + storage allocated for the buffer. + Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-30522: mod_sed denial of service + (cve.mitre.org) + If Apache HTTP Server 2.4.53 is configured to do transformations + with mod_sed in contexts where the input to mod_sed may be very + large, mod_sed may make excessively large memory allocations and + trigger an abort. + Credits: This issue was found by Brian Moussalli from the JFrog + Security Research team + *) SECURITY: CVE-2022-29404: Denial of service in mod_lua + r:parsebody (cve.mitre.org) + In Apache HTTP Server 2.4.53 and earlier, a malicious request to + a lua script that calls r:parsebody(0) may cause a denial of + service due to no default limit on possible input size. 
+ Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-28615: Read beyond bounds in + ap_strcmp_match() (cve.mitre.org) + Apache HTTP Server 2.4.53 and earlier may crash or disclose + information due to a read beyond bounds in ap_strcmp_match() + when provided with an extremely large input buffer. While no + code distributed with the server can be coerced into such a + call, third-party modules or lua scripts that use + ap_strcmp_match() may hypothetically be affected. + Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite() + (cve.mitre.org) + The ap_rwrite() function in Apache HTTP Server 2.4.53 and + earlier may read unintended memory if an attacker can cause the + server to reflect very large input using ap_rwrite() or + ap_rputs(), such as with mod_luas r:puts() function. + Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi + (cve.mitre.org) + Apache HTTP Server 2.4.53 and earlier on Windows may read beyond + bounds when configured to process requests with the mod_isapi + module. + Credits: The Apache HTTP Server project would like to thank + Ronald Crane (Zippenhop LLC) for reporting this issue + *) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request + smuggling (cve.mitre.org) + Inconsistent Interpretation of HTTP Requests ('HTTP Request + Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server + allows an attacker to smuggle requests to the AJP server it + forwards requests to. This issue affects Apache HTTP Server + Apache HTTP Server 2.4 version 2.4.53 and prior versions. + Credits: Ricter Z @ 360 Noah Lab + *) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063. 
+ [Petr Sumbera , Yann Ylavic] + *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. + PR 65666. [Yann Ylavic] + *) mod_md: a bug was fixed that caused very large MDomains + with the combined DNS names exceeding ~7k to fail, as + request bodies would contain partially wrong data from + uninitialized memory. This would have appeared as failure + in signing-up/renewing such configurations. + [Stefan Eissing, Ronald Crane (Zippenhop LLC)] + *) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. + PR 65666. [Yann Ylavic] + *) MPM event: Restart children processes killed before idle maintenance. + PR 65769. [Yann Ylavic, Ruediger Pluem] + *) ab: Allow for TLSv1.3 when the SSL library supports it. + [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic] + *) core: Disable TCP_NOPUSH optimization on OSX since it might introduce + transmission delays. PR 66019. [Yann Ylavic] + *) MPM event: Fix accounting of active/total processes on ungraceful restart, + PR 66004 (follow up to PR 65626 from 2.4.52). [Yann Ylavic] + *) core: make ap_escape_quotes() work correctly on strings + with more than MAX_INT/2 characters, counting quotes double. + Credit to for finding this. + [Stefan Eissing] + *) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of + an ACME CA. This gives a failover for renewals when several consecutive attempts + to get a certificate failed. + A new directive was added: `MDRetryDelay` sets the delay of retries. + A new directive was added: `MDRetryFailover` sets the number of errored + attempts before an alternate CA is selected for certificate renewals. + [Stefan Eissing] + *) mod_http2: remove unused and insecure code. Fixes PR66037. + Thanks to Ronald Crane (Zippenhop LLC) for reporting this. + [Stefan Eissing] + *) mod_proxy: Add backend port to log messages to + ease identification of involved service. 
[Rainer Jung] + *) mod_http2: removing unscheduling of ongoing tasks when + connection shows potential abuse by a client. This proved + counter-productive and the abuse detection can false flag + requests using server-side-events. + Fixes . + [Stefan Eissing] + *) mod_md: Implement full auto status ("key: value" type status output). + Especially not only status summary counts for certificates and + OCSP stapling but also lists. Auto status format is similar to + what was used for mod_proxy_balancer. + [Rainer Jung] + *) mod_md: fixed a bug leading to failed transfers for OCSP + stapling information when more than 6 certificates needed + updates in the same run. [Stefan Eissing] + *) mod_proxy: Set a status code of 502 in case the backend just closed the + connection in reply to our forwarded request. [Ruediger Pluem] + *) mod_md: a possible NULL pointer deref was fixed in + the JSON code for persisting time periods (start+end). + Fixes #282 on mod_md's github. + Thanks to @marcstern for finding this. [Stefan Eissing] + *) mod_heartmonitor: Set the documented default value + "10" for HeartbeatMaxServers instead of "0". With "0" + no shared memory slotmem was initialized. [Rainer Jung] + *) mod_md: added support for managing certificates via a + local tailscale daemon for users of that secure networking. + This gives trusted certificates for tailscale assigned + domain names in the *.ts.net space. + [Stefan Eissing] +- modified patches + % apache-test-application-xml-type.patch (refreshed) + % apache-test-turn-off-variables-in-ssl-var-lookup.patch (refreshed) + % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed) + ------------------------------------------------------------------- Mon Mar 14 12:19:36 UTC 2022 - pgajdos@suse.com diff --git a/apache2.spec b/apache2.spec index dc52eca..9edd7ed 100644 --- a/apache2.spec +++ b/apache2.spec 
@@ -18,7 +18,7 @@ %global upstream_name httpd %global testsuite_name %{upstream_name}-framework -%global tversion svn1898917 +%global tversion svn1901574 %global flavor @BUILD_FLAVOR@%{nil} %define mpm %{nil} %if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork" @@ -103,19 +103,11 @@ %define psuffix -%{flavor} %endif -%if 0%{?suse_version} >= 1500 %define use_firewalld 1 -%else -%define use_firewalld 0 -%endif -%if 0%{?suse_version} >= 1500 || 0%{?is_opensuse} %define build_http2 1 -%else -%define build_http2 0 -%endif Name: apache2%{psuffix} -Version: 2.4.53 +Version: 2.4.54 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 diff --git a/httpd-2.4.53.tar.bz2 b/httpd-2.4.53.tar.bz2 deleted file mode 100644 index 2421609..0000000 --- a/httpd-2.4.53.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d0bbd1121a57b5f2a6ff92d7b96f8050c5a45d3f14db118f64979d525858db63 -size 7431942 diff --git a/httpd-2.4.53.tar.bz2.asc b/httpd-2.4.53.tar.bz2.asc deleted file mode 100644 index c863a0c..0000000 --- a/httpd-2.4.53.tar.bz2.asc +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Comment: GPGTools - https://gpgtools.org - -iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmIotxoACgkQ03fJ59GU -TGbaAQ//TeVio63uLRIhyhW4qoUlGCL4KfCyY3aj5Yh6JGea9lYdioZ4JdHJan2y -IYRuF7B2S/MgfWESsEkPq8Nh0+ym78ZObdTFsskUF9so3+3WN9szQwTP/9suNd4+ -fv1vOKKGdy2h4hakR+E182A8gJ9FO6FabiETLvPvYVma3+5Zd2duzyvAOAQUDvkj -JhFXYVQCrWfiJN7gARePAzZyxbfWd5QVQMuCiWSIQ2PG0SkfQa07CsEiDiN8r8fZ -NGpNmyfUNqz4aUkBssNr0rVfmLzG2vicrfWaOgyS0rAEqn7fYhgF3s9k5y2htgOu -mdv2TPYl39NBf3uQNtR5tTUCPaop2GvH1GMJnz18W2fpessscHsuWiqeVVNUDmvV -zrFWlH2ehYPIOt07moP80nWJzpP7F5BGSG3DqcXPSG1JM/TM8uC3dgbC7k26i3vh -+8ypE1unHjop4nGff4cSkGeC5W2PkXrYNJC8xyjwbT098Q+Z8kAcO8TLpdaSx6tf -fI/9IwX+2uOhGx+ZHok0BSX0EpGK+i51Kspih++AcNaf6T4urXKdrpEgNm4jdHw7 -maCHPDelUMyxffBM/Jl8/VZD+SHuhK2LzPBFGOJdNhbNKzdkfg5TaxhfIywvV1T6 -JzRtvx/HoglaqCNFsBqflWpctC5dS2DeKEbP9FaDbqfxLmxp/G8= -=7fpY ------END PGP SIGNATURE----- diff --git a/httpd-2.4.54.tar.bz2 b/httpd-2.4.54.tar.bz2 new file mode 100644 index 0000000..6f2a69b --- /dev/null +++ b/httpd-2.4.54.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:eb397feeefccaf254f8d45de3768d9d68e8e73851c49afd5b7176d1ecf80c340 +size 7434530 diff --git a/httpd-2.4.54.tar.bz2.asc b/httpd-2.4.54.tar.bz2.asc new file mode 100644 index 0000000..9156c59 --- /dev/null +++ b/httpd-2.4.54.tar.bz2.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Comment: GPGTools - https://gpgtools.org + +iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmKeDckACgkQ03fJ59GU +TGZzxA/+PAjEiG34ZvJwlKfuGUUdn25V5UaNW7Mxms7Q+PM/hx1q8GyZ0j9dFfTJ +F8qbB+39dAJDcj6QyJxXUQFooDJ00ZrA/qOQyWjKEvtYkvGePxOZBYdW2sxk1+O8 +Kl3AwLE6ijLYeNJfvJSspWOMknA8FA3gspWltaZ88rVB+Dqu5+hvis3SP1CSpVyx +OedsxUrqdOa5LkXs9WoBNIR9anukf8vVncGlgo8veSwblUCYx2jW2KCqMKMEkR1j +6ErMsiySMUhK3QpY5SXQjX0hocnV/2TSRrj9q/1ppX/IXRQOixiyAb4go3bOMsLq +ixE0Cmokt4vAz5scaK74/tD+74rL/cKCh1f/OwNnm/LQch0XCoGU/kExm3aCYVPT +gTdxGysKI4+0WKb2rP5JrfDQqjzPrUzpQ+Vc0h7+4dzvbDAptWLb7893VTs4weJY +r6hpSsAZZwPHWv5dO21+rrExEyVup7Q6DeMg8QYtuVkAHeKPaitolI1yGMnPwPjO +uwei49zC4vUiD9RX59KBxSGDf/+4iXVKRVgk46piSEOfYN4Q9YfM2LSEPth3QjaD +sJwgHW+w4/B/z/LNLtr79H1dDVr2tfMb1GQ6wIkzKPxkevV5SbNB8MeAW+MH02wM +0xJQgbl/lyCS/PHt04OgI28vg55CzrU5RdTJxs+KgH9x5Kat7d4= +=pokb +-----END PGP SIGNATURE----- diff --git a/httpd-framework-svn1898917.tar.bz2 b/httpd-framework-svn1898917.tar.bz2 deleted file mode 100644 index 75b7ddf..0000000 --- a/httpd-framework-svn1898917.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e0b49ceac5780f010a6695608fc0e62d45101a8efc395ea656b47ae225a3dfb1 -size 729713 diff --git a/httpd-framework-svn1901574.tar.bz2 b/httpd-framework-svn1901574.tar.bz2 new file mode 100644 index 0000000..8348900 --- /dev/null +++ b/httpd-framework-svn1901574.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:3622bd4619ba0949bb61ec5dcd1f4e2271b40cfbed214f0f52f9b6bd0053803c +size 726259
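Review bot: in the apache2.changes hunk the first entry says "update httpd-framework to svn revision 1898917", but the spec hunk moves `%global tversion` from svn1898917 to svn1901574 and the tarball hunks delete httpd-framework-svn1898917.tar.bz2 and add httpd-framework-svn1901574.tar.bz2, so the changelog should read "svn revision 1901574". Two smaller issues in the same hunk: the entry "mod_proxy_http: Avoid 417 responses for non forwardable 100-continue. PR 65666. [Yann Ylavic]" is listed twice, and the lines "Credit to for finding this." (ap_escape_quotes entry) and "Fixes ." (mod_http2 unscheduling entry) have lost the credited name and the reference; restore them from the upstream CHANGES text rather than committing the truncated lines. The changelog also does not mention the spec change that drops the `suse_version` conditionals, which is worth a line under this entry.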
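Review bot: the apache2.spec hunk at @@ -103,19 +103,11 @@ removes the `%if 0%{?suse_version} >= 1500` / `%else` branches and leaves `%define use_firewalld 1` and `%define build_http2 1` unconditional, which silently changes behaviour for any build with `suse_version` below 1500 (both were 0 there before). If older targets are intentionally no longer supported, say so in the changelog entry; otherwise keep the conditionals.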
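Review bot: for the httpd-2.4.54.tar.bz2 and httpd-2.4.54.tar.bz2.asc hunks, the diff only records the Git LFS pointer (sha256 eb397feeefccaf254f8d45de3768d9d68e8e73851c49afd5b7176d1ecf80c340, size 7434530) and the detached PGP signature; nothing in the diff shows that the signature was checked. Before merging, confirm that the .asc verifies against a key from the Apache httpd project's published KEYS file and that the pointer's sha256 matches the checksum published for the 2.4.54 release, since a pointer plus an unverified signature is exactly where a tampered tarball would slip through.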
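Review bot: the httpd-framework-svn1901574.tar.bz2 hunk adds a new LFS pointer (sha256 3622bd4619ba0949bb61ec5dcd1f4e2271b40cfbed214f0f52f9b6bd0053803c, size 726259) with no accompanying .asc, unlike the httpd tarball in this same commit. Since the test-framework tarball is a locally produced svn export, note in the changelog or spec comment how it was generated (repository path and the revision already encoded in the name) so a reviewer can reproduce the archive and compare the checksum.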