Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked 
in at 2015-05-16 20:07:23
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2"

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes  2015-05-06 
11:18:11.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes     2015-05-16 
20:07:24.000000000 +0200
@@ -1,0 +2,8 @@
+Mon May 11 13:34:40 UTC 2015 - [email protected]
+
+- add httpd-2.4.12-CVE-2015-0253.patch to fix SECURITY: CVE-2015-0253
+  (cve.mitre.org) core: Fix a crash introduced in with ErrorDocument
+  400 pointing to a local URL-path with the INCLUDES filter active,
+  introduced in 2.4.11. PR 57531. [Yann Ylavic]
+
+-------------------------------------------------------------------

New:
----
  httpd-2.4.12-CVE-2015-0253.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.Z7zxBu/_old  2015-05-16 20:07:25.000000000 +0200
+++ /var/tmp/diff_new_pack.Z7zxBu/_new  2015-05-16 20:07:25.000000000 +0200
@@ -126,6 +126,7 @@
 Patch111:       httpd-visibility.patch
 # PATCH-FIX-UPSTREAM bnc#918352 [email protected] -- fix mod_lua - 
maliciously crafted websockets PING after a script calls r:wsupgrade() can 
cause a child process crash
 Patch112:       httpd-2.4.x-mod_lua_websocket_DoS.patch
+Patch113:       httpd-2.4.12-CVE-2015-0253.patch
 BuildRequires:  automake
 BuildRequires:  db-devel
 BuildRequires:  ed
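Review bot: `Patch113` is added without the `# PATCH-FIX-UPSTREAM` tag line that `Patch112` directly above it carries, so the spec does not record which bug or upstream change this security patch tracks. A line such as `# PATCH-FIX-UPSTREAM bnc#<BUG-ID> <maintainer> -- CVE-2015-0253: crash with ErrorDocument 400 and INCLUDES filter active (PR 57531)` above it would keep the patch list auditable. The bug id and maintainer are placeholders because neither is shown on this page.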
@@ -309,6 +310,7 @@
 %endif
 %patch111 -p1
 %patch112 -p1
+%patch113 -p3
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{SOURCE22})
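Review bot: `%patch113 -p3` is the only patch application visible in this hunk that does not use `-p1`, and nothing in the spec says why. The strip level matches the patch's `httpd/httpd/trunk/server/protocol.c` path headers, so it looks intentional rather than a typo. Either add a comment such as `# upstream svn diff, paths start at httpd/httpd/trunk/`, or regenerate the patch with `a/` and `b/` prefixes so it applies with `-p1` like its neighbours. The `%prep` section continues outside the hunk.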




++++++ httpd-2.4.12-CVE-2015-0253.patch ++++++
SECURITY: CVE-2015-0253 (cve.mitre.org)
core: Fix a crash with ErrorDocument 400 pointing
to a local URL-path with the INCLUDES filter active, introduced
in 2.4.11. PR 57531. [Yann Ylavic]
--- httpd/httpd/trunk/server/protocol.c 2015/03/05 02:31:42     1664204
+++ httpd/httpd/trunk/server/protocol.c 2015/03/05 02:33:16     1664205
@@ -606,8 +606,6 @@
              */
             if (APR_STATUS_IS_ENOSPC(rv)) {
                 r->status    = HTTP_REQUEST_URI_TOO_LARGE;
-                r->proto_num = HTTP_VERSION(1,0);
-                r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
             }
             else if (APR_STATUS_IS_TIMEUP(rv)) {
                 r->status = HTTP_REQUEST_TIME_OUT;
@@ -615,6 +613,8 @@
             else if (APR_STATUS_IS_EINVAL(rv)) {
                 r->status = HTTP_BAD_REQUEST;
             }
+            r->proto_num = HTTP_VERSION(1,0);
+            r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
             return 0;
         }
     } while ((len <= 0) && (++num_blank_lines < max_blank_lines));
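Review bot: The two assignments added before `return 0;` have no comment explaining why every failure branch now needs a protocol set, and that reasoning is the whole fix. Before this change only the `APR_STATUS_IS_ENOSPC` branch set `r->proto_num` and `r->protocol`; the timeout and `HTTP_BAD_REQUEST` branches returned without them, which presumably left `r->protocol` unset for the ErrorDocument 400 handling named in the patch description. I would add `/* Always give a failed request line a protocol: later error handling (e.g. a local ErrorDocument) reads r->protocol. */` above the two lines. A regression test for a rejected request line with `ErrorDocument 400` pointing to a local URL-path and the INCLUDES filter active would also help. The enclosing function starts and ends outside the hunk.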
