Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2016-07-18 21:23:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2016-06-03 16:35:24.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2016-07-18 21:23:06.000000000 +0200 @@ -1,0 +2,21 @@ +Tue Jul 12 14:49:09 UTC 2016 - [email protected] + +- add httpd-2.4.x-fate317766-config-control-two-protocol-options.diff + Introduces directives to control two protocol options: + * HttpContentLengthHeadZero - allow Content-Length of 0 to be + returned on HEAD + * HttpExpectStrict - allow admin to control whether we must + see "100-continue" + [bsc#894225], [fate#317766] + +------------------------------------------------------------------- +Wed Jul 6 16:16:57 UTC 2016 - [email protected] + +- version 2.4.23 +* Fixes CVE-2016-4979 [bsc#987365] +* mod_proxy_hcheck was missing due to upstream bug. +* mod_proxy_fdpass needs explicit configure line now. +* Full list of changes: + http://www-eu.apache.org/dist//httpd/CHANGES_2.4.23 + +------------------------------------------------------------------- Old: ---- httpd-2.4.20.tar.bz2 New: ---- httpd-2.4.23.tar.bz2 httpd-2.4.x-fate317766-config-control-two-protocol-options.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.3wqG5t/_old 2016-07-18 21:23:08.000000000 +0200 +++ /var/tmp/diff_new_pack.3wqG5t/_new 2016-07-18 21:23:08.000000000 +0200 @@ -51,7 +51,7 @@ %endif Name: apache2 -Version: 2.4.20 +Version: 2.4.23 Release: 0 Summary: The Apache Web Server Version 2.4 License: Apache-2.0 
@@ -124,6 +124,8 @@ Patch111: httpd-visibility.patch # PATCH-FIX-UPSTREAM [email protected] -- compability for lua 5.2+ https://bz.apache.org/bugzilla/show_bug.cgi?id=58188 Patch114: httpd-2.4.12-lua-5.2.patch +# PATCH-FEATURE-UPSTREAM [email protected] -- backport of HttpContentLengthHeadZero and HttpExpectStrict +Patch115: httpd-2.4.x-fate317766-config-control-two-protocol-options.diff BuildRequires: apache-rpm-macros-control BuildRequires: automake BuildRequires: db-devel @@ -311,6 +313,7 @@ %endif %patch111 -p1 %patch114 -p1 +%patch115 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # install READMEs a=$(basename %{SOURCE22}) @@ -379,6 +382,7 @@ --enable-proxy-connect \ --enable-proxy-ftp \ --enable-proxy-http \ + --enable-proxy-fdpass \ --enable-cache \ --enable-disk-cache \ --enable-mem-cache \ @@ -916,6 +920,7 @@ %{_libdir}/%{name}-prefork/mod_proxy_fcgi.so %{_libdir}/%{name}-prefork/mod_proxy_fdpass.so %{_libdir}/%{name}-prefork/mod_proxy_ftp.so +%{_libdir}/%{name}-prefork/mod_proxy_hcheck.so %{_libdir}/%{name}-prefork/mod_proxy_html.so %{_libdir}/%{name}-prefork/mod_proxy_http.so %{_libdir}/%{name}-prefork/mod_proxy_scgi.so @@ -1040,6 +1045,7 @@ %{_libdir}/%{name}-worker/mod_proxy_fcgi.so %{_libdir}/%{name}-worker/mod_proxy_fdpass.so %{_libdir}/%{name}-worker/mod_proxy_ftp.so +%{_libdir}/%{name}-worker/mod_proxy_hcheck.so %{_libdir}/%{name}-worker/mod_proxy_html.so %{_libdir}/%{name}-worker/mod_proxy_http.so %{_libdir}/%{name}-worker/mod_proxy_scgi.so 
@@ -1164,6 +1170,7 @@ %{_libdir}/%{name}-event/mod_proxy_fcgi.so %{_libdir}/%{name}-event/mod_proxy_fdpass.so %{_libdir}/%{name}-event/mod_proxy_ftp.so +%{_libdir}/%{name}-event/mod_proxy_hcheck.so %{_libdir}/%{name}-event/mod_proxy_html.so %{_libdir}/%{name}-event/mod_proxy_http.so %{_libdir}/%{name}-event/mod_proxy_scgi.so ++++++ httpd-2.4.20.tar.bz2 -> httpd-2.4.23.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/apache2/httpd-2.4.20.tar.bz2 /work/SRC/openSUSE:Factory/.apache2.new/httpd-2.4.23.tar.bz2 differ: char 11, line 1 ++++++ httpd-2.4.x-fate317766-config-control-two-protocol-options.diff ++++++ >From 530b5797af919d6d7ab7d6418d9feeb1abb914ae Mon Sep 17 00:00:00 2001 
From: Justin Erenkrantz <[email protected]> Date: Mon, 30 Dec 2013 20:01:14 +0000 Subject: [PATCH] Add directives to control two protocol options: HttpContentLengthHeadZero - allow Content-Length of 0 to be returned on HEAD HttpExpectStrict - allow admin to control whether we must see "100-continue" This is helpful when using Ceph's radosgw and httpd. Inspired by: Yehuda Sadeh <[email protected]> See https://github.com/ceph/apache2/commits/precise * include/http_core.h (core_server_config): Add http_cl_head_zero and http_expect_strict fields. * modules/http/http_filters.c (ap_http_header_filter): Only clear out the C-L if http_cl_head_zero is not explictly set. * server/core.c (merge_core_server_configs): Add new fields. (set_cl_head_zero, set_expect_strict): New config helpers. (HttpContentLengthHeadZero, HttpExpectStrict): Declare new directives. * server/protocol.c (ap_read_request): Allow http_expect_strict to control if we return 417. * include/ap_mmn.h (MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR): Bump. * CHANGES: Add a brief description. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1554303 13f79535-47bb-0310-9956-ffa450edef68 Conflicts: CHANGES include/ap_mmn.h include/http_core.h server/core.c --- CHANGES | 3 +++ include/ap_mmn.h | 4 +++- include/http_core.h | 9 +++++++++ modules/http/http_filters.c | 10 +++++++++- server/core.c | 36 ++++++++++++++++++++++++++++++++++++ server/protocol.c | 25 +++++++++++++++++-------- 6 files changed, 77 insertions(+), 10 deletions(-) Index: include/http_core.h =================================================================== --- include/http_core.h.orig 2016-01-20 15:10:51.651189219 +0100 +++ include/http_core.h 2016-01-20 15:12:18.983188213 +0100 
@@ -694,6 +694,15 @@ #define AP_MERGE_TRAILERS_DISABLE 2 int merge_trailers; +#define AP_HTTP_CL_HEAD_ZERO_UNSET 0 +#define AP_HTTP_CL_HEAD_ZERO_ENABLE 1 +#define AP_HTTP_CL_HEAD_ZERO_DISABLE 2 + int http_cl_head_zero; + +#define AP_HTTP_EXPECT_STRICT_UNSET 0 +#define AP_HTTP_EXPECT_STRICT_ENABLE 1 +#define AP_HTTP_EXPECT_STRICT_DISABLE 2 + int http_expect_strict; apr_array_header_t *protocols; Index: modules/http/http_filters.c =================================================================== --- modules/http/http_filters.c.orig 2015-07-08 10:59:36.000000000 +0200 +++ modules/http/http_filters.c 2016-01-20 15:10:51.651189219 +0100 @@ -1175,6 +1175,7 @@ header_filter_ctx *ctx = f->ctx; const char *ctype; ap_bucket_error *eb = NULL; + core_server_config *conf; AP_DEBUG_ASSERT(!r->main); @@ -1315,10 +1316,17 @@ * zero C-L to the client. We can't just remove the C-L filter, * because well behaved 2.0 handlers will send their data down the stack, * and we will compute a real C-L for the head request. RBB + * + * Allow modification of this behavior through the + * HttpContentLengthHeadZero directive. + * + * The default (unset) behavior is to squelch the C-L in this case. */ + conf = ap_get_core_module_config(r->server->module_config); if (r->header_only && (clheader = apr_table_get(r->headers_out, "Content-Length")) - && !strcmp(clheader, "0")) { + && !strcmp(clheader, "0") + && conf->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_ENABLE) { apr_table_unset(r->headers_out, "Content-Length"); } Index: server/core.c =================================================================== --- server/core.c.orig 2015-11-19 20:55:25.000000000 +0100 +++ server/core.c 2016-01-20 15:13:29.575187399 +0100 
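Review bot: The two new ints are inserted into core_server_config between merge_trailers and protocols, which shifts the offset of protocols and every member after it, yet the backport carries no ap_mmn.h hunk even though the diffstat above lists one and the Conflicts list names the file. If the MODULE_MAGIC_NUMBER bump was dropped while resolving that conflict, a binary module built against unpatched 2.4.23 headers that reads conf->protocols or a later member would silently read these flag ints as a pointer. Moving `int http_cl_head_zero;` and `int http_expect_strict;` to the end of the struct keeps existing offsets intact, and the MMN minor bump should be restored in any case. The struct definition starts and ends outside this hunk.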
@@ -503,6 +503,12 @@ if (virt->trace_enable != AP_TRACE_UNSET) conf->trace_enable = virt->trace_enable; + if (virt->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_UNSET) + conf->http_cl_head_zero = virt->http_cl_head_zero; + + if (virt->http_expect_strict != AP_HTTP_EXPECT_STRICT_UNSET) + conf->http_expect_strict = virt->http_expect_strict; + /* no action for virt->accf_map, not allowed per-vhost */ if (virt->protocol) @@ -3756,6 +3762,32 @@ return NULL; } +static const char *set_cl_head_zero(cmd_parms *cmd, void *dummy, int arg) +{ + core_server_config *conf = + ap_get_core_module_config(cmd->server->module_config); + + if (arg) { + conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_ENABLE; + } else { + conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_DISABLE; + } + return NULL; +} + +static const char *set_expect_strict(cmd_parms *cmd, void *dummy, int arg) +{ + core_server_config *conf = + ap_get_core_module_config(cmd->server->module_config); + + if (arg) { + conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_ENABLE; + } else { + conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_DISABLE; + } + return NULL; +} + static apr_hash_t *errorlog_hash; static int log_constant_item(const ap_errorlog_info *info, const char *arg, 
@@ -4273,6 +4305,10 @@ "'on' (default), 'off' or 'extended' to trace request body content"), AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF, "merge request trailers into request headers or not"), +AP_INIT_FLAG("HttpContentLengthHeadZero", set_cl_head_zero, NULL, OR_OPTIONS, + "whether to permit Content-Length of 0 responses to HEAD requests"), +AP_INIT_FLAG("HttpExpectStrict", set_expect_strict, NULL, OR_OPTIONS, + "whether to return a 417 if a client doesn't send 100-Continue"), AP_INIT_ITERATE("Protocols", set_protocols, NULL, RSRC_CONF, "Controls which protocols are allowed"), AP_INIT_TAKE1("ProtocolsHonorOrder", set_protocols_honor_order, NULL, RSRC_CONF, Index: server/protocol.c =================================================================== --- server/protocol.c.orig 2015-11-26 14:42:42.000000000 +0100 +++ server/protocol.c 2016-01-20 15:10:51.651189219 +0100 @@ -1144,14 +1144,23 @@ r->expecting_100 = 1; } else { - r->status = HTTP_EXPECTATION_FAILED; - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00570) - "client sent an unrecognized expectation value of " - "Expect: %s", expect); - ap_send_error_response(r, 0); - ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); - ap_run_log_transaction(r); - goto traceout; + core_server_config *conf; + + conf = ap_get_core_module_config(r->server->module_config); + if (conf->http_expect_strict != AP_HTTP_EXPECT_STRICT_DISABLE) { + r->status = HTTP_EXPECTATION_FAILED; + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00570) + "client sent an unrecognized expectation value " + "of Expect: %s", expect); + ap_send_error_response(r, 0); + ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r); + ap_run_log_transaction(r); + goto traceout; + } else { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00570) + "client sent an unrecognized expectation value " + "of Expect (not fatal): %s", expect); + } } }
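Review bot: HttpContentLengthHeadZero and HttpExpectStrict are registered with OR_OPTIONS, while set_cl_head_zero and set_expect_strict in the previous hunk ignore the per-directory config argument and write into cmd->server->module_config. OR_OPTIONS admits a directive inside <Directory> and in .htaccess wherever AllowOverride Options is granted, so as far as I can tell an .htaccess author could flip the vhost-wide Expect handling or HEAD Content-Length behaviour for that child process, with a store into shared server config racing other threads under the worker and event MPMs. The neighbouring MergeTrailers and Protocols entries use RSRC_CONF; these two should match: `AP_INIT_FLAG("HttpContentLengthHeadZero", set_cl_head_zero, NULL, RSRC_CONF,` and `AP_INIT_FLAG("HttpExpectStrict", set_expect_strict, NULL, RSRC_CONF,`. The command table continues outside this hunk.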
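Review bot: APLOGNO(00570) is now attached to two different ap_log_rerror calls in this hunk, the INFO message on the strict path and the DEBUG "not fatal" message on the lenient path, but a log tag is meant to identify exactly one call site so that a number seen in the error log maps to a single message. The second call should carry its own tag allocated from the project's next free number rather than a copy of 00570. Behaviourally the lenient branch leaves r->expecting_100 at 0, so no 100 Continue is sent for an unrecognised expectation and the request proceeds as if no Expect header were present, which is consistent with RFC 7231 section 5.1.1 where a 417 is only a MAY; a comment such as `/* HttpExpectStrict Off: ignore an unknown expectation (RFC 7231 5.1.1 permits either); no 100-continue is sent */` above the DEBUG call would record that intent. ap_read_request begins and ends outside this hunk.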
