Revisions of apache2
buildservice-autocommit
accepted
request 1166934
from
David Anes (david.anes)
(revision 701)
baserev update by copy to link target
David Anes (david.anes)
accepted
request 1165100
from
Arjen de Korte (adkorte)
(revision 700)
- Update to 2.4.59: *) mod_deflate: Fixes and better logging for handling various error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton, Eric Norris <enorris etsy.com>] *) Add CGIScriptTimeout to mod_cgi. [Eric Covener] *) mod_xml2enc: Tolerate libxml2 2.12.0 and later. PR 68610 [ttachi <tachihara AT hotmail.com>] *) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable. [Jean-Frederic Clere] *) mod_ssl: Use OpenSSL-standard functions to assemble CA name lists for SSLCACertificatePath/SSLCADNRequestPath. Names will now be consistently sorted. PR 61574. [Joe Orton] *) mod_xml2enc: Update check to accept any text/ media type or any XML media type per RFC 7303, avoiding corruption of Microsoft OOXML formats. PR 64339. [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton] *) mod_http2: v2.0.26 with the following fixes: - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes <https://github.com/icing/mod_h2/issues/272>. - Fixed small memory leak in h2 header bucket free. Thanks to Michael Kaufmann for finding this and providing the fix. *) htcacheclean: In -a/-A mode, list all files per subdirectory rather than only one. PR 65091. [Artem Egorenkov <aegorenkov.91 gmail.com>] *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files which include CA certificates; those CA certs are treated as if configured with SSLProxyMachineCertificateChainFile. [Joe Orton] *) htpasswd, htdbm, dbmmanage: Update help&docs to refer to "hashing", rather than "encrypting" passwords. [Michele Preziuso <mpreziuso kaosdynamics.com>] *) mod_ssl: Fix build with LibreSSL 2.0.7+. PR 64047. [Giovanni Bechis, Yann Ylavic] *) htpasswd: Add support for passwords using SHA-2. [Joe Orton, Yann Ylavic] *) core: Allow mod_env to override system environment vars. [Joe Orton] *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an operation which removes a directory/file between apr_dir_read() and apr_stat(). Current behaviour is to abort the connection which seems inferior to tolerating (and logging) the error. [Joe Orton] *) mod_ldap: HTML-escape data in the ldap-status handler. [Eric Covener, Chamal De Silva] *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available, notably with OpenSSL >= 3. PR 68080. [Yann Ylavic, Joe Orton] *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting to compatibitily with version 1.1.1 (including ENGINEs / SSLCryptoDevice). [Yann Ylavic] *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis] *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when some dollar substitution (backreference) happens in the hostname or port part of the URL. [Yann Ylavic] *) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend systems are cached. [Yann Ylavic] *) mod_proxy: Add optional third argument for ProxyRemote, which configures Basic authentication credentials to pass to the remote proxy. PR 37355. [Joe Orton]
buildservice-autocommit
accepted
request 1152028
from
David Anes (david.anes)
(revision 699)
baserev update by copy to link target
David Anes (david.anes)
accepted
request 1147806
from
Dominique Leuenberger (dimstar)
(revision 698)
Prepare for RPM 4.20
buildservice-autocommit
accepted
request 1142753
from
David Anes (david.anes)
(revision 697)
baserev update by copy to link target
David Anes (david.anes)
accepted
request 1142224
from
Dirk Mueller (dirkmueller)
(revision 696)
- use grep -E for egrep characters on redirections without the "NE" flag. * CVE-2023-27522 [bsc#1209049]: mod_proxy_uwsgi HTTP response splitting * CVE-2023-25690 [bsc#1209047]: HTTP request splitting with mod_rewrite and mod_proxy - Update to 2.4.56: - Remove references to README.QUICKSTART and point them to to vendor specific directory /usr/etc/logrotate.d. - Align some defaults in apache2-server-tuning.conf to upstream defaults: - httpd-2.4.x-fate317766-config-control-two-protocol-options.diff to honour net.core.somaxconn sysctl as the mandatory limit. the old value of 511 was never used as until v5.4-rc6 it was clamped to 128, in current kernels the default limit is 4096. and we should just set the value for the environment variable this type of map is present in the configuration. PR62311. missed to signal it the normal way (eos buckets). Addresses github issues and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing] * %check: do not load all modules, just use default loadmodule.conf; some - Add which and w3m as dependencies. poo#28406 - Replace references to /var/adm/fillup-templates with new * consider also case when hostname does return empty string or - make the package runable on non systemd systems - drop upstreamed patch: - updated to 2.4.26: This release of Apache is a security, feature, - update to 2.4.25: fixed several security issues (CVE-2016-8740, fixes and improvements of mod_http2 and other modules; see CHANGES - verify tarball: added httpd*.bz2.asc, apache2.keyring and remove - readd the support of multiple entries in APACHE_ACCESS_LOG * HttpExpectStrict - allow admin to control whether we must
buildservice-autocommit
accepted
request 1118995
from
David Anes (david.anes)
(revision 695)
baserev update by copy to link target
David Anes (david.anes)
accepted
request 1118994
from
David Anes (david.anes)
(revision 694)
- Update to 2.4.58: *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org) When a HTTP/2 stream was reset (RST frame) by a client, there was a time window were the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Will Dormann of Vul Labs *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial windows size 0 (cve.mitre.org) An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connection are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.
buildservice-autocommit
accepted
request 1104179
from
David Anes (david.anes)
(revision 693)
baserev update by copy to link target
David Anes (david.anes)
accepted
request 1102468
from
Dirk Stoecker (dstoecker)
(revision 692)
- Enable building of mod_md
buildservice-autocommit
accepted
request 1078453
from
David Anes (david.anes)
(revision 691)
baserev update by copy to link target
buildservice-autocommit
accepted
request 1070268
from
David Anes (david.anes)
(revision 689)
baserev update by copy to link target
David Anes (david.anes)
accepted
request 1070261
from
David Anes (david.anes)
(revision 688)
- This update fixes the following security issues: * CVE-2023-27522 [bsc#1209049]: mod_proxy_uwsgi HTTP response splitting * CVE-2023-25690 [bsc#1209047]: HTTP request splitting with mod_rewrite and mod_proxy - Update to 2.4.56: *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be truncated without the initial logfile being truncated. [Eric Covener] *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to allow connections of any age to be reused. Up to now, a negative value was handled as an error when parsing the configuration file. PR 66421. [nailyk <bzapache nailyk.fr>, Christophe Jaillet] *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number of headers. [Ruediger Pluem] *) mod_md: - Enabling ED25519 support and certificate transparency information when building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis. - MDChallengeDns01 can now be configured for individual domains. Thanks to Jérôme Billiras (@bilhackmac) for the initial PR. - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge teardown not being invoked as it should. [Stefan Eissing] *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors reported in access logs and error documents. The processing of the reset was correct, only unneccesary reporting was caused. [Stefan Eissing] *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. [Yann Ylavic] * CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting * CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling * CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
buildservice-autocommit
accepted
request 1060992
from
David Anes (david.anes)
(revision 687)
baserev update by copy to link target
David Anes (david.anes)
accepted
request 1060991
from
David Anes (david.anes)
(revision 686)
- This update fixes the following security issues:
David Anes (david.anes)
accepted
request 1060983
from
David Anes (david.anes)
(revision 685)
- This update fixes te following security issues. * fix CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting * fix CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling * fix CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
buildservice-autocommit
accepted
request 1060451
from
David Anes (david.anes)
(revision 684)
baserev update by copy to link target
David Anes (david.anes)
accepted
request 1059452
from
David Anes (david.anes)
(revision 682)
- Update to 2.4.55: *) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to 2.4.55 allows a backend to trigger HTTP response splitting (cve.mitre.org) Prior to Apache HTTP Server 2.4.55, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client. Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer) *) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp Possible request smuggling (cve.mitre.org) Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server Apache HTTP Server 2.4 version 2.4.54 and prior versions. Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec at Qi'anxin Group *) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write of zero byte (cve.mitre.org) A carefully crafted If: request header can cause a memory read, or write of a single zero byte, in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server 2.4.54 and earlier. *) mod_dav: Open the lock database read-only when possible. PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu] *) mod_proxy_http2: apply the standard httpd content type handling to responses from the backend, as other proxy modules do. Fixes PR 66391.
Displaying revisions 1 - 20 of 701