Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2025-07-20 15:28:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new.8875 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2"

Sun Jul 20 15:28:01 2025 rev:217 rq:1294249 version:2.4.64

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes	2025-03-11 20:43:49.358447878 +0100
+++ /work/SRC/openSUSE:Factory/.apache2.new.8875/apache2.changes	2025-07-20 15:28:12.741935022 +0200
@@ -1,0 +2,73 @@ +Fri Jul 18 03:25:25 UTC 2025 - Martin Schreiner <martin.schrei...@suse.com> + +* Refresh patches: + - apache-test-application-xml-type.patch + - apache-test-turn-off-variables-in-ssl-var-lookup.patch + - apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch + - apache2-LimitRequestFieldSize-limits-headers.patch +* Update to 2.4.64. +* CVE-2025-53020: Apache HTTP Server: HTTP/2 DoS by Memory Increase +* CVE-2025-49812: Apache HTTP Server: mod_ssl TLS upgrade attack +* CVE-2025-49630: Apache HTTP Server: mod_proxy_http2 denial of service +* CVE-2025-23048: Apache HTTP Server: mod_ssl access control bypass with session resumption +* CVE-2024-47252: Apache HTTP Server: mod_ssl error log variable escaping +* CVE-2024-43394: Apache HTTP Server: SSRF on Windows due to UNC paths +* CVE-2024-43204: Apache HTTP Server: SSRF with mod_headers setting Content-Type header +* CVE-2024-42516: Apache HTTP Server: HTTP response splitting +* mod_proxy_ajp: Use iobuffersize set on worker level for the IO buffer + size. +* mod_ssl: Drop $SSLKEYLOGFILE handling internally for OpenSSL 3.5 + builds which enable it in libssl natively. +* mod_asis: Fix the log level of the message AH01236. +* mod_session_dbd: ensure format used with SessionDBDCookieName and + SessionDBDCookieName2 are correct. +* mod_headers: 'RequestHeader set|edit|edit_r Content-Type X' could + inadvertently modify the Content-Type _response_ header. Applies to + Content-Type only and likely to only affect static file responses. +* mod_ssl: Remove warning over potential uninitialised value + for ssl protocol prior to protocol selection. +* mod_proxy: Reuse ProxyRemote connections when possible, like prior + to 2.4.59. +* mod_systemd: Add systemd socket activation support. +* mod_systemd: Log the SELinux context at startup if available and + enabled. +* mod_http2: update to version 2.0.32 + The code setting the connection window size was set wrong, + preventing `H2WindowSize` to work. 
+* mod_http2: update to version 2.0.30 +- Fixed bug in handling over long response headers. When the 64 KB limit + of nghttp2 was exceeded, the request was not reset and the client was + left hanging, waiting for it. Now the stream is reset. +- Added new directive `H2MaxHeaderBlockLen` to set the limit on response + header sizes. +- Fixed handling of Timeout vs. KeepAliveTimeout when first request on a + connection was reset. +* mod_lua: Fix memory handling in LuaOutputFilter. +* mod_proxy_http2: revert r1912193 for detecting broken backend connections + as this interferes with backend selection who a node is unresponsive. +* mod_proxy_balancer: Fix a regression that caused stickysession keys no + longer be recognized if they are provided as query parameter in the URL. +* mod_md: update to version 2.5.2 +- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified + with EC keys before RSA ones. +- Fixed missing newlines in the status page output. +* mod_dav: Add API to expose DavBasePath setting. +* mod_md: update to version 2.5.1 + - Added support for ACME profiles with new directives MDProfile and + MDProfileMandatory. + - When installing a custom CA file via `MDCACertificateFile`, also set the + libcurl option CURLSSLOPT_NO_REVOKE that suppresses complains by Schannel + (when curl is linked with it) about missing CRL/OCSP in certificates. + - Fixed handling of corrupted httpd.json and added test 300_30 for it. + File is removed on error and written again. Fixes #369. + - Added explanation in log for how to proceed when md_store.json could not be + parsed and prevented the server start. + - restored fixed to #336 and #337 which got lost in a sync with Apache svn + - Add Issue Name/Uris to certificate information in md-status handler + - MDomains with static certificate files have MDRenewMode "manual", unless + "always" is configured. +* core: Report invalid Options= argument when parsing AllowOverride + directives. 
+* scoreboard/mod_http2: record durations of HTTP/2 requests. + +------------------------------------------------------------------- Old: ---- httpd-2.4.63.tar.bz2 httpd-2.4.63.tar.bz2.asc New: ---- httpd-2.4.64.tar.bz2 httpd-2.4.64.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.oavcdu/_old 2025-07-20 15:28:18.470172063 +0200 +++ /var/tmp/diff_new_pack.oavcdu/_new 2025-07-20 15:28:18.486172725 +0200 @@ -107,7 +107,7 @@ %define build_http2 1 Name: apache2%{psuffix} -Version: 2.4.63 +Version: 2.4.64 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 ++++++ apache-test-application-xml-type.patch ++++++ --- /var/tmp/diff_new_pack.oavcdu/_old 2025-07-20 15:28:18.654179677 +0200 +++ /var/tmp/diff_new_pack.oavcdu/_new 2025-07-20 15:28:18.662180008 +0200 @@ -1,8 +1,8 @@ -Index: httpd-framework/t/conf/extra.conf.in +Index: httpd-2.4.64/httpd-framework/t/conf/extra.conf.in =================================================================== ---- a/httpd-framework/t/conf/extra.conf.in 2020-06-15 10:43:26.156701553 +0200 -+++ b/httpd-framework/t/conf/extra.conf.in 2020-06-15 10:46:16.141693081 +0200 -@@ -875,6 +875,7 @@ LimitRequestFields 32 +--- httpd-2.4.64.orig/httpd-framework/t/conf/extra.conf.in ++++ httpd-2.4.64/httpd-framework/t/conf/extra.conf.in +@@ -983,6 +983,7 @@ LimitRequestFields 32 </IfModule> </Directory> <Directory @SERVERROOT@/htdocs/modules/filter/bytype> ++++++ apache-test-turn-off-variables-in-ssl-var-lookup.patch ++++++ --- /var/tmp/diff_new_pack.oavcdu/_old 2025-07-20 15:28:18.678180670 +0200 +++ /var/tmp/diff_new_pack.oavcdu/_new 2025-07-20 15:28:18.678180670 +0200 
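Review bot: the eight `+* CVE-...` entries in the apache2.changes hunk carry no bsc# references, which the openSUSE changelog convention expects next to every CVE ID (the Bugzilla number in brackets after the CVE line) so the security tracker can match the submit request to the fixed bugs; please add the corresponding bsc# to each of them. The one-line entry `+* CVE-2025-49812: Apache HTTP Server: mod_ssl TLS upgrade attack` also hides an operational change: upstream's fix removes the TLS upgrade path that `SSLEngine optional` enabled, so a sentence telling admins that `SSLEngine optional` no longer upgrades plain HTTP connections to TLS would save them a surprise after the update. Three typos copied from the upstream CHANGES file could be corrected while at it: "backend selection who a node is unresponsive" should read "when a node is unresponsive", "restored fixed to #336 and #337" should read "restored fixes to", and "suppresses complains by Schannel" should read "complaints".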
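Review bot: the refreshed header of apache-test-application-xml-type.patch trades the version-free `Index: httpd-framework/t/conf/extra.conf.in` with `a/` and `b/` prefixes for `Index: httpd-2.4.64/httpd-framework/t/conf/extra.conf.in` with `httpd-2.4.64.orig/` and `httpd-2.4.64/` prefixes. Both strip to the same path at the same strip level, so nothing breaks, but hardcoding the tarball version in the patch paths means all four refreshed patches in this submission will need a purely cosmetic re-refresh on every point release even when their hunks still apply; a version-free prefix would keep these test-suite patches stable across updates. The hunk move from 875 to 983 with the unchanged `LimitRequestFields 32` context is otherwise a plain offset shift.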
@@ -1,8 +1,8 @@ -Index: httpd-framework/t/ssl/varlookup.t +Index: httpd-2.4.64/httpd-framework/t/ssl/varlookup.t =================================================================== ---- a/httpd-framework/t/ssl/varlookup.t 2016-10-25 14:30:54.250707932 +0200 -+++ b/httpd-framework/t/ssl/varlookup.t 2016-10-27 15:38:52.440667690 +0200 -@@ -210,9 +210,7 @@ SSL_SERVER_S_DN_UID +--- httpd-2.4.64.orig/httpd-framework/t/ssl/varlookup.t ++++ httpd-2.4.64/httpd-framework/t/ssl/varlookup.t +@@ -227,9 +227,7 @@ SSL_SERVER_S_DN_UID SSL_CLIENT_S_DN_Email "$client_dn{$email_field}" SSL_SERVER_S_DN_Email "$server_dn{$email_field}" SSL_CLIENT_SAN_Email_0 "$san_email" ++++++ apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch ++++++ --- /var/tmp/diff_new_pack.oavcdu/_old 2025-07-20 15:28:18.694181333 +0200 +++ /var/tmp/diff_new_pack.oavcdu/_new 2025-07-20 15:28:18.698181498 +0200 @@ -42,11 +42,11 @@ server/protocol.c | 25 +++++++++++++++++-------- 6 files changed, 77 insertions(+), 10 deletions(-) -Index: httpd-2.4.49/modules/http/http_filters.c +Index: httpd-2.4.64/modules/http/http_filters.c =================================================================== ---- httpd-2.4.49.orig/modules/http/http_filters.c 2021-05-11 17:21:43.000000000 +0200 -+++ httpd-2.4.49/modules/http/http_filters.c 2021-09-17 09:33:49.496853894 +0200 -@@ -1488,10 +1488,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ +--- httpd-2.4.64.orig/modules/http/http_filters.c ++++ httpd-2.4.64/modules/http/http_filters.c +@@ -1409,10 +1409,17 @@ static void merge_response_headers(reque * zero C-L to the client. We can't just remove the C-L filter, * because well behaved 2.0 handlers will send their data down the stack, * and we will compute a real C-L for the head request. RBB 
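Review bot: the apache-test-turn-off-variables-in-ssl-var-lookup.patch refresh only moves the hunk from 210 to 227 with the `SSL_SERVER_S_DN_UID` / `SSL_CLIENT_S_DN_Email` / `SSL_SERVER_S_DN_Email` / `SSL_CLIENT_SAN_Email_0` context unchanged, so it is mechanical; since the hunk header (9 lines to 7) shows the patch removes two expectations from t/ssl/varlookup.t rather than fixing them, the patch description should name which two SSL_* lookups are dropped and why they fail on the SUSE build, otherwise this stays an unexplained test suppression that gets carried on every update.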
@@ -64,12 +64,12 @@ + && conf->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_ENABLE) { apr_table_unset(r->headers_out, "Content-Length"); } - -Index: httpd-2.4.49/server/core.c + } +Index: httpd-2.4.64/server/core.c =================================================================== ---- httpd-2.4.49.orig/server/core.c 2021-05-27 15:08:21.000000000 +0200 -+++ httpd-2.4.49/server/core.c 2021-09-17 09:33:49.496853894 +0200 -@@ -551,6 +551,12 @@ static void *merge_core_server_configs(a +--- httpd-2.4.64.orig/server/core.c ++++ httpd-2.4.64/server/core.c +@@ -564,6 +564,12 @@ static void *merge_core_server_configs(a if (virt->http_methods != AP_HTTP_METHODS_UNSET) conf->http_methods = virt->http_methods; @@ -82,7 +82,7 @@ /* no action for virt->accf_map, not allowed per-vhost */ if (virt->protocol) -@@ -4142,6 +4148,32 @@ static const char *set_http_method(cmd_p +@@ -4166,6 +4172,32 @@ static const char *set_http_method(cmd_p return NULL; } @@ -115,7 +115,7 @@ static apr_hash_t *errorlog_hash; static int log_constant_item(const ap_errorlog_info *info, const char *arg, -@@ -4685,6 +4717,10 @@ AP_INIT_TAKE1("TraceEnable", set_trace_e +@@ -4732,6 +4764,10 @@ AP_INIT_TAKE1("TraceEnable", set_trace_e "'on' (default), 'off' or 'extended' to trace request body content"), AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF, "merge request trailers into request headers or not"), 
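Review bot: in the modules/http/http_filters.c hunk of apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch the function context changed, not just the offset: the guarded block now sits in `static void merge_response_headers(...)` at line 1409 instead of `AP_CORE_DECLARE_NONSTD(apr_status_t) ap_...` at line 1488, and the trailing context line changed from a blank line to ` }`, so upstream moved the HEAD `Content-Length` handling into a helper between 2.4.49 and 2.4.64 and the refresh re-applied the `&& conf->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_ENABLE` guard around `apr_table_unset(r->headers_out, "Content-Length")` there. Please confirm that this helper is the only place in 2.4.64 where the header is dropped for HEAD responses (the surrounding comment still describes the old filter-chain behaviour, "we will compute a real C-L for the head request") and rerun whatever test covers this directive with a HEAD request against both a static file and a handler that sets its own length. The three server/core.c hunks (551 to 564, 4142 to 4166, 4685 to 4732) keep their `virt->http_methods`, `set_http_method` and `MergeTrailers` context and need no further attention.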
@@ -126,11 +126,11 @@ AP_INIT_ITERATE("Protocols", set_protocols, NULL, RSRC_CONF, "Controls which protocols are allowed"), AP_INIT_TAKE1("ProtocolsHonorOrder", set_protocols_honor_order, NULL, RSRC_CONF, -Index: httpd-2.4.49/server/protocol.c +Index: httpd-2.4.64/server/protocol.c =================================================================== ---- httpd-2.4.49.orig/server/protocol.c 2021-09-17 09:33:49.496853894 +0200 -+++ httpd-2.4.49/server/protocol.c 2021-09-17 10:15:28.643596021 +0200 -@@ -1056,6 +1056,11 @@ AP_DECLARE(int) ap_check_request_header( +--- httpd-2.4.64.orig/server/protocol.c ++++ httpd-2.4.64/server/protocol.c +@@ -1058,6 +1058,11 @@ AP_DECLARE(int) ap_check_request_header( if (ap_cstr_casecmp(expect, "100-continue") == 0) { r->expecting_100 = 1; } @@ -142,11 +142,11 @@ else { ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00570) "client sent an unrecognized expectation value " -Index: httpd-2.4.49/include/http_core.h +Index: httpd-2.4.64/include/http_core.h =================================================================== ---- httpd-2.4.49.orig/include/http_core.h 2021-05-27 15:08:21.000000000 +0200 -+++ httpd-2.4.49/include/http_core.h 2021-09-17 09:33:49.496853894 +0200 -@@ -733,6 +733,16 @@ typedef struct { +--- httpd-2.4.64.orig/include/http_core.h ++++ httpd-2.4.64/include/http_core.h +@@ -734,6 +734,16 @@ typedef struct { #define AP_MERGE_TRAILERS_DISABLE 2 int merge_trailers; @@ -163,7 +163,7 @@ apr_array_header_t *protocols; int protocols_honor_order; -@@ -776,7 +786,6 @@ apr_status_t ap_core_input_filter(ap_fil +@@ -780,7 +790,6 @@ apr_status_t ap_core_input_filter(ap_fil apr_off_t readbytes); apr_status_t ap_core_output_filter(ap_filter_t *f, apr_bucket_brigade *b); ++++++ apache2-LimitRequestFieldSize-limits-headers.patch ++++++ --- /var/tmp/diff_new_pack.oavcdu/_old 2025-07-20 15:28:18.710181994 +0200 +++ /var/tmp/diff_new_pack.oavcdu/_new 2025-07-20 15:28:18.718182326 +0200 
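Review bot: the include/http_core.h hunk (`@@ -734,6 +734,16 @@ typedef struct {`) inserts the new fields between `int merge_trailers;` and `apr_array_header_t *protocols;`, that is in the middle of the exported core server config struct, which shifts the offsets of `protocols` and `protocols_honor_order` relative to upstream headers; an out-of-tree module built against unpatched 2.4.x headers that reads those members would misbehave on the SUSE build. Appending the fields after the last existing member instead would keep the layout compatible; at minimum the patch header should state that the struct layout diverges from upstream. The server/protocol.c hunk only moved by two lines (1056 to 1058) around the unchanged `if (ap_cstr_casecmp(expect, "100-continue") == 0)` check and the `else` branch logging AH00570, so that part of the refresh is mechanical.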
@@ -1,8 +1,8 @@ -Index: httpd-2.4.46/server/util_script.c +Index: httpd-2.4.64/server/util_script.c =================================================================== ---- httpd-2.4.46.orig/server/util_script.c 2020-07-20 07:58:49.000000000 +0200 -+++ httpd-2.4.46/server/util_script.c 2020-11-10 16:10:54.525476516 +0100 -@@ -468,11 +468,20 @@ AP_DECLARE(int) ap_scan_script_header_er +--- httpd-2.4.64.orig/server/util_script.c ++++ httpd-2.4.64/server/util_script.c +@@ -472,11 +472,20 @@ AP_DECLARE(int) ap_scan_script_header_er apr_table_t *cookie_table; int trace_log = APLOG_R_MODULE_IS_LEVEL(r, module_index, APLOG_TRACE1); int first_header = 1; @@ -24,7 +24,7 @@ /* temporary place to hold headers to merge in later */ merge = apr_table_make(r->pool, 10); -@@ -488,7 +497,7 @@ AP_DECLARE(int) ap_scan_script_header_er +@@ -492,7 +501,7 @@ AP_DECLARE(int) ap_scan_script_header_er while (1) { @@ -33,7 +33,7 @@ if (rv == 0) { const char *msg = "Premature end of script headers"; if (first_header) -@@ -603,10 +612,13 @@ AP_DECLARE(int) ap_scan_script_header_er +@@ -607,10 +616,13 @@ AP_DECLARE(int) ap_scan_script_header_er if (!(l = strchr(w, ':'))) { if (!buffer) { /* Soak up all the script output - may save an outright kill */ ++++++ httpd-2.4.63.tar.bz2 -> httpd-2.4.64.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/apache2/httpd-2.4.63.tar.bz2 /work/SRC/openSUSE:Factory/.apache2.new.8875/httpd-2.4.64.tar.bz2 differ: char 11, line 1
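Review bot: all three server/util_script.c hunks in `ap_scan_script_header_err_core` moved by exactly four lines (468 to 472, 488 to 492, 603 to 607) with identical context (`int first_header = 1;`, `while (1) {`, `if (!(l = strchr(w, ':')))`), so the refresh of apache2-LimitRequestFieldSize-limits-headers.patch is mechanical; but the patch has carried a 2.4.46-era header since 2020 and this is the moment to give it a proper description: say in the patch header that response header lines read from scripts are capped by LimitRequestFieldSize (the file name is currently the only place that says so), and reference the upstream bug or proposal so the patch can be dropped once merged rather than refreshed indefinitely.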