Revisions of apache2
buildservice-autocommit accepted request 1221591 from Martin Schreiner (mschreiner) (revision 712)
baserev update by copy to link target
Martin Schreiner (mschreiner) accepted request 1221590 from Martin Schreiner (mschreiner) (revision 711)
- Update httpd-framework to svn1921782.
- Fixes Apache's impact on bsc#1218342.
Martin Schreiner (mschreiner) accepted request 1221258 from Jan Engelhardt (jengelh) (revision 710)
- Explicitly mark start_apache2 as bash-dependent. If you have dash-sh installed, apache2 completely fails to start:
  Nov 04 21:52:14 f3 start_apache2[55066]: /usr/sbin/start_apache2: 158: Syntax error: "(" unexpected
buildservice-autocommit accepted request 1205314 from Martin Schreiner (mschreiner) (revision 709)
baserev update by copy to link target
Martin Schreiner (mschreiner) accepted request 1204794 from Thorsten Kukuk (kukuk) (revision 708)
- Add /srv/www directories to filelist [bsc#1231027] (apache2 will not start since default config uses this directory)
buildservice-autocommit accepted request 1192286 from David Anes (david.anes) (revision 707)
baserev update by copy to link target
David Anes (david.anes) accepted request 1191452 from Arjen de Korte (adkorte) (revision 706)
- Update to 2.4.62
  *) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with mod_rewrite in server/vhost context on Windows (cve.mitre.org) [boo#1228098] SSRF in Apache HTTP Server on Windows with mod_rewrite in server/vhost context, allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests. Users are recommended to upgrade to version 2.4.62 which fixes this issue. Credits: Smi1e (DBAPPSecurity Ltd.)
  *) SECURITY: CVE-2024-40725: Apache HTTP Server: source code disclosure with handlers configured via AddType (cve.mitre.org) [boo#1228097] A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.62, which fixes this issue.
  *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets with BalancerMember(s). PR 69168. [Yann Ylavic]
  *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs. PR 69160 [Yann Ylavic]
  *) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2. [Joe Orton]
  *) mod_ssl: Add support for loading certs/keys from pkcs11: URIs via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>]
  *) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0. [Ruediger Pluem, Yann Ylavic]
  *) mpm_worker: Fix possible warning (AH00045) about children processes not terminating timely. [Yann Ylavic]
buildservice-autocommit accepted request 1186139 from David Anes (david.anes) (revision 705)
baserev update by copy to link target
David Anes (david.anes) accepted request 1185778 from Arjen de Korte (adkorte) (revision 704)
- Update to 2.4.61
  *) SECURITY: CVE-2024-39884: Apache HTTP Server: source code disclosure with handlers configured via AddType (cve.mitre.org) [boo#1227353] A regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content. For example, PHP scripts may be served instead of interpreted. Users are recommended to upgrade to version 2.4.61, which fixes this issue.
- Update to 2.4.60
  *) SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy handler substitution (cve.mitre.org) [boo#1227271] Potential SSRF in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy. Credits: Orange Tsai (@orange_8361) from DEVCORE
  *) SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request (cve.mitre.org) [boo#1227270] Null pointer dereference in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows an attacker to crash the server via a malicious request. Credits: Orange Tsai (@orange_8361) from DEVCORE
  *) SECURITY: CVE-2024-38476: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect (cve.mitre.org) [boo#1227269] The core of Apache HTTP Server 2.4.59 and earlier is vulnerable to information disclosure, SSRF or local script execution via backend applications whose response headers are malicious or exploitable. Note: Some legacy uses of the 'AddType' directive to connect a request to a handler must be ported to 'AddHandler' after this fix. Credits: Orange Tsai (@orange_8361) from DEVCORE
  *) SECURITY: CVE-2024-38475: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path. (cve.mitre.org) [boo#1227268] Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained. Credits: Orange Tsai (@orange_8361) from DEVCORE
  *) SECURITY: CVE-2024-38474: Apache HTTP Server weakness with encoded question marks in backreferences (cve.mitre.org) [boo#1227278] Substitution encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or source disclosure of scripts meant only to be executed as CGI. Note: Some RewriteRules that capture and substitute unsafely will now fail unless rewrite flag "UnsafeAllow3F" is specified. Credits: Orange Tsai (@orange_8361) from DEVCORE
  *) SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding problem (cve.mitre.org) [boo#1227276] Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. Credits: Orange Tsai (@orange_8361) from DEVCORE
  *) SECURITY: CVE-2024-38472: Apache HTTP Server on Windows UNC SSRF (cve.mitre.org) [boo#1227267] SSRF in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via SSRF and malicious requests or content. Note: Existing configurations that access UNC paths will have to configure new directive "UNCList" to allow access during request processing. Credits: Orange Tsai (@orange_8361) from DEVCORE
  *) SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null pointer in websocket over HTTP/2 (cve.mitre.org) [boo#1227272] Serving WebSocket protocol upgrades over a HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process, degrading performance. Credits: Marc Stern (<marc.stern AT approach-cyber.com>)
buildservice-autocommit accepted request 1181737 from David Anes (david.anes) (revision 703)
baserev update by copy to link target
David Anes (david.anes) accepted request 1180827 from Petr Gajdos (pgajdos) (revision 702)
- added patches [bsc#1226217]
  https://github.com/apache/httpd/pull/444/commits/c2fffd29b0f58bdc9caaaff4fec68e17a676f182
  + apache2-issue-444.patch
buildservice-autocommit accepted request 1166934 from David Anes (david.anes) (revision 701)
baserev update by copy to link target
David Anes (david.anes) accepted request 1165100 from Arjen de Korte (adkorte) (revision 700)
- Update to 2.4.59:
  *) mod_deflate: Fixes and better logging for handling various error and edge cases. [Eric Covener, Yann Ylavic, Joe Orton, Eric Norris <enorris etsy.com>]
  *) Add CGIScriptTimeout to mod_cgi. [Eric Covener]
  *) mod_xml2enc: Tolerate libxml2 2.12.0 and later. PR 68610 [ttachi <tachihara AT hotmail.com>]
  *) mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable. [Jean-Frederic Clere]
  *) mod_ssl: Use OpenSSL-standard functions to assemble CA name lists for SSLCACertificatePath/SSLCADNRequestPath. Names will now be consistently sorted. PR 61574. [Joe Orton]
  *) mod_xml2enc: Update check to accept any text/ media type or any XML media type per RFC 7303, avoiding corruption of Microsoft OOXML formats. PR 64339. [Joseph Heenan <joseph.heenan fintechlabs.io>, Joe Orton]
  *) mod_http2: v2.0.26 with the following fixes:
     - Fixed `Date` header on requests upgraded from HTTP/1.1 (h2c). Fixes <https://github.com/icing/mod_h2/issues/272>.
     - Fixed small memory leak in h2 header bucket free. Thanks to Michael Kaufmann for finding this and providing the fix.
  *) htcacheclean: In -a/-A mode, list all files per subdirectory rather than only one. PR 65091. [Artem Egorenkov <aegorenkov.91 gmail.com>]
  *) mod_ssl: SSLProxyMachineCertificateFile/Path may reference files which include CA certificates; those CA certs are treated as if configured with SSLProxyMachineCertificateChainFile. [Joe Orton]
  *) htpasswd, htdbm, dbmmanage: Update help&docs to refer to "hashing", rather than "encrypting" passwords. [Michele Preziuso <mpreziuso kaosdynamics.com>]
  *) mod_ssl: Fix build with LibreSSL 2.0.7+. PR 64047. [Giovanni Bechis, Yann Ylavic]
  *) htpasswd: Add support for passwords using SHA-2. [Joe Orton, Yann Ylavic]
  *) core: Allow mod_env to override system environment vars. [Joe Orton]
  *) Allow mod_dav_fs to tolerate race conditions between PROPFIND and an operation which removes a directory/file between apr_dir_read() and apr_stat(). Current behaviour is to abort the connection which seems inferior to tolerating (and logging) the error. [Joe Orton]
  *) mod_ldap: HTML-escape data in the ldap-status handler. [Eric Covener, Chamal De Silva]
  *) mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not available, notably with OpenSSL >= 3. PR 68080. [Yann Ylavic, Joe Orton]
  *) mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting while defaulting to compatibility with version 1.1.1 (including ENGINEs / SSLCryptoDevice). [Yann Ylavic]
  *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis]
  *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when some dollar substitution (backreference) happens in the hostname or port part of the URL. [Yann Ylavic]
  *) mod_proxy: Allow to set a TTL for how long DNS resolutions to backend systems are cached. [Yann Ylavic]
  *) mod_proxy: Add optional third argument for ProxyRemote, which configures Basic authentication credentials to pass to the remote proxy. PR 37355. [Joe Orton]
buildservice-autocommit accepted request 1152028 from David Anes (david.anes) (revision 699)
baserev update by copy to link target
David Anes (david.anes) accepted request 1147806 from Dominique Leuenberger (dimstar) (revision 698)
Prepare for RPM 4.20
buildservice-autocommit accepted request 1142753 from David Anes (david.anes) (revision 697)
baserev update by copy to link target
David Anes (david.anes) accepted request 1142224 from Dirk Mueller (dirkmueller) (revision 696)
- use grep -E for egrep characters on redirections without the "NE" flag.
  * CVE-2023-27522 [bsc#1209049]: mod_proxy_uwsgi HTTP response splitting
  * CVE-2023-25690 [bsc#1209047]: HTTP request splitting with mod_rewrite and mod_proxy
- Update to 2.4.56:
- Remove references to README.QUICKSTART and point them to to vendor specific directory /usr/etc/logrotate.d.
- Align some defaults in apache2-server-tuning.conf to upstream defaults:
- httpd-2.4.x-fate317766-config-control-two-protocol-options.diff to honour net.core.somaxconn sysctl as the mandatory limit. the old value of 511 was never used as until v5.4-rc6 it was clamped to 128, in current kernels the default limit is 4096. and we should just set the value for the environment variable this type of map is present in the configuration. PR62311. missed to signal it the normal way (eos buckets). Addresses github issues and https://github.com/icing/mod_h2/issues/170. [Stefan Eissing]
  * %check: do not load all modules, just use default loadmodule.conf; some
- Add which and w3m as dependencies. poo#28406
- Replace references to /var/adm/fillup-templates with new
  * consider also case when hostname does return empty string or
- make the package runable on non systemd systems
- drop upstreamed patch:
- updated to 2.4.26: This release of Apache is a security, feature,
- update to 2.4.25: fixed several security issues (CVE-2016-8740, fixes and improvements of mod_http2 and other modules; see CHANGES
- verify tarball: added httpd*.bz2.asc, apache2.keyring and remove
- readd the support of multiple entries in APACHE_ACCESS_LOG
  * HttpExpectStrict - allow admin to control whether we must
buildservice-autocommit accepted request 1118995 from David Anes (david.anes) (revision 695)
baserev update by copy to link target
David Anes (david.anes) accepted request 1118994 from David Anes (david.anes) (revision 694)
- Update to 2.4.58:
  *) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream memory not reclaimed right away on RST (cve.mitre.org) When a HTTP/2 stream was reset (RST frame) by a client, there was a time window where the request's memory resources were not reclaimed immediately. Instead, de-allocation was deferred to connection close. A client could send new requests and resets, keeping the connection busy and open and causing the memory footprint to keep on growing. On connection close, all resources were reclaimed, but the process might run out of memory before that. This was found by the reporter during testing of CVE-2023-44487 (HTTP/2 Rapid Reset Exploit) with their own test client. During "normal" HTTP/2 use, the probability to hit this bug is very low. The kept memory would not become noticeable before the connection closes or times out. Users are recommended to upgrade to version 2.4.58, which fixes the issue. Credits: Will Dormann of Vul Labs
  *) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with initial window size 0 (cve.mitre.org) An attacker, opening a HTTP/2 connection with an initial window size of 0, was able to block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. This has been fixed in version 2.4.58, so that such connections are terminated properly after the configured connection timeout. This issue affects Apache HTTP Server: from 2.4.55 through 2.4.57.
buildservice-autocommit accepted request 1104179 from David Anes (david.anes) (revision 693)
baserev update by copy to link target
Displaying revisions 1 - 20 of 712