Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2026-05-16 19:24:39

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2" Sat May 16 19:24:39 2026 rev:225 rq:1353166 version:2.4.67 Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2026-05-04 12:48:23.996838245 +0200 +++ /work/SRC/openSUSE:Factory/.apache2.new.1966/apache2.changes 2026-05-16 19:25:43.416981471 +0200 
@@ -1,0 +2,124 @@ +Thu May 7 11:01:24 UTC 2026 - Martin Schreiner <[email protected]> + +- Remove last remnants of update-alternatives. + +------------------------------------------------------------------- +Wed May 6 19:36:59 UTC 2026 - Arjen de Korte <[email protected]> + +- version update to 2.4.67 + *) SECURITY: CVE-2026-34059: Apache HTTP Server: mod_proxy_ajp: + Heap Over-Read and memory disclosure in ajp_parse_data() + [boo#1263950] + Buffer Over-read vulnerability in Apache HTTP Server. + This issue affects Apache HTTP Server: through 2.4.66. + Users are recommended to upgrade to version 2.4.67, which fixes + the issue. + *) SECURITY: CVE-2026-34032: Apache HTTP Server: mod_proxy_ajp: + Heap Buffer Over-Read Due to Missing Null-Termination Check + (ajp_msg_get_string) [boo#1263951] + Improper Null Termination, Out-of-bounds Read vulnerability in + Apache HTTP Server. + This issue affects Apache HTTP Server: through 2.4.66. + Users are recommended to upgrade to version 2.4.67, which fixes + the issue. + *) SECURITY: CVE-2026-33857: Apache HTTP Server: Off-by-one OOB + reads in AJP getter functions [boo#1263952] + Out-of-bounds Read vulnerability in mod_proxy_ajp of + Apache HTTP Server. + This issue affects Apache HTTP Server: through 2.4.66. + Users are recommended to upgrade to version 2.4.67, which fixes + the issue. + *) SECURITY: CVE-2026-33523: Apache HTTP Server: multiple modules: + HTTP response splitting forwarding malicious status line + [boo#1263953] + HTTP response splitting vulnerability in multiple Apache HTTP + Server modules with untrusted or compromised backend servers. + This issue affects Apache HTTP Server: from through 2.4.66. + Users are recommended to upgrade to version 2.4.67, which fixes + the issue. 
+ *) SECURITY: CVE-2026-33007: Apache HTTP Server: mod_authn_socache + crash [boo#1263954] + A NULL pointer dereference in the mod_authn_socache in Apache + HTTP Server 2.4.66 and earlier allows an unauthenticated remote + user to crash a child process in a caching forward proxy + configuration. + Users are recommended to upgrade to version 2.4.67, which fixes + this issue. + *) SECURITY: CVE-2026-33006: Apache HTTP Server: mod_auth_digest + timing attack [boo#1263955] + A timing attack against mod_auth_digest in Apache HTTP Server + 2.4.66 allows a bypass of Digest authentication by a remote + attacker. + Users are recommended to upgrade to version 2.4.67, which fixes + this issue. + *) SECURITY: CVE-2026-29169: Apache HTTP Server: mod_dav_lock + indirect lock crash [boo#1263956] + A NULL pointer dereference in mod_dav_lock in Apache HTTP Server + 2.4.66 and earlier may allow an attacker to crash the server + with a malicious request.mod_dav_lock is not used internally by + mod_dav or mod_dav_fs. + The only known use-case for mod_dav_lock was mod_dav_svn from + Apache Subversion earlier than version 1.2.0. + Users are recommended to upgrade to version 2.4.66, which fixes + this issue, or remove mod_dav_lock. + *) SECURITY: CVE-2026-29168: Apache HTTP Server: mod_md + unrestricted OCSP response [boo#1264150] + Allocation of Resources Without Limits or Throttling + vulnerability in Apache HTTP Server's mod_md via OCSP response + data. + This issue affects Apache HTTP Server: from 2.4.30 through + 2.4.66. + Users are recommended to upgrade to version 2.4.67, which fixes + the issue. + *) SECURITY: CVE-2026-28780: Apache HTTP Server: buffer overflow in + mod_proxy_ajp via ajp_msg_check_header() [boo#1264163] + Heap-based Buffer Overflow vulnerability in mod_proxy_ajp of + Apache HTTP Server. 
+ If mod_proxy_ajp connects to a malicious AJP server this AJP + server can send a malicious AJP message back to mod_proxy_ajp + and cause it to write 4 attacker controlled bytes after the end + of a heap based buffer. + This issue affects Apache HTTP Server: through 2.4.66. + Users are recommended to upgrade to version 2.4.67, which fixes + the issue. + *) SECURITY: CVE-2026-24072: Apache HTTP Server: mod_rewrite + elevation of privileges via ap_expr [boo#1263935] + An escalation of privilege bug in various modules in Apache HTTP + 2.4.66 and earlier allows local .htaccess authors to read files + with the privileges of the httpd user. + Users are recommended to upgrade to version 2.4.67, which fixes + this issue. + *) SECURITY: CVE-2026-23918: Apache HTTP Server: http2: double free + and possible RCE on early reset [boo#1263957] + Double Free and possible RCE vulnerability in Apache HTTP Server + with the HTTP/2 protocol. + This issue affects Apache HTTP Server: 2.4.66. + Users are recommended to upgrade to version 2.4.67, which fixes + the issue. + *) mod_md: update to version 2.6.10 + - Fix issue #420 <https://github.com/icing/mod_md/issues/420> by ignoring + job.json files that claim to have completely finished a certificate + renewal, but have not produced the necessary result files. + *) mod_http2: update to version 2.0.39 + Remove streams own memory allocator after reports of memory problems + with third party modules. + *) mod_http2: update to version 2.0.38 + Source sync with mod_h2 github repository. No functional change. + *) Updated conf/mime.types: added vnd.sqlite3, HEIC, HEIF + *) mod_md: update to version 2.6.7 + - Fix a regression in `MDStapleOthers` which broke in v2.6.0 and no longer + applied, no matter the configuration. + *) mod_md: update to version 2.6.9 + - Pebble 2.9+ reports another error when terms of service agreement is + not set. Treating all "userActionRequired" errors as permanent now. 
+ *) mod_md: update to version 2.6.8 + - Fix the ARI related `replaces` property in ACME order creation to only + be used when the CA supports ARI and it is enabled in the menu config. + - Fix compatibility with APR versions before 1.6.0 which do not have + `apr_cstr_casecmp` and should use `apr_strnatcasecmp` instead. + *) mod_http2: update to version 2.0.37 + Prevent double purge of a stream, resulting in a double free. + Fixes PR 69899. + *) mod_md: Use correct function name when compiling against APR < 1.6.0. + +------------------------------------------------------------------- Old: ---- httpd-2.4.66.tar.bz2 httpd-2.4.66.tar.bz2.asc New: ---- httpd-2.4.67.tar.bz2 httpd-2.4.67.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.Me2EOp/_old 2026-05-16 19:25:45.649072993 +0200 +++ /var/tmp/diff_new_pack.Me2EOp/_new 2026-05-16 19:25:45.653073157 +0200 @@ -104,7 +104,7 @@ %define build_http2 1 Name: apache2%{psuffix} -Version: 2.4.66 +Version: 2.4.67 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 @@ -297,7 +297,6 @@ Requires(pre): permissions Requires(post): %fillup_prereq Requires(post): grep -Requires(postun): update-alternatives %endif %if %{test} || "%{flavor}" == "manual" BuildArch: noarch @@ -822,7 +821,7 @@ # main package files %if "%{flavor}" == "" %files -%doc INSTALL READM* ABOUT_APACHE CHANGES +%doc READM* ABOUT_APACHE CHANGES %license LICENSE %{_tmpfilesdir}/apache2.conf %ghost %dir %{datadir} 
@@ -915,15 +914,6 @@ # MPMs scriptlets %if ! %{test} && "%{mpm}" != "" -%pre -if [ "$1" = 0 ]; then - %{_sbindir}/update-alternatives --quiet --force --remove httpd %{_sbindir}/httpd - for module in %{dynamic_modules}; do - %{_sbindir}/update-alternatives --quiet --force --remove mod_$module.so %{_libdir}/apache2/mod_$module.so - done -fi -exit 0 - %postun if [ "$1" = 1 ]; then %apache_request_restart ++++++ httpd-2.4.66.tar.bz2 -> httpd-2.4.67.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/apache2/httpd-2.4.66.tar.bz2 /work/SRC/openSUSE:Factory/.apache2.new.1966/httpd-2.4.67.tar.bz2 differ: char 11, line 1
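Review bot: several lines in the new apache2.changes block (the @@ -1,0 +2,124 @@ hunk) carry text errors that should be fixed before this is accepted. The CVE-2026-29169 (mod_dav_lock) entry ends with "Users are recommended to upgrade to version 2.4.66, which fixes this issue", which contradicts the 2.4.67 update the entry belongs to and should read 2.4.67, matching every other entry in the block. The CVE-2026-33523 entry reads "This issue affects Apache HTTP Server: from through 2.4.66." with the starting version missing after "from", and "with a malicious request.mod_dav_lock is not used internally" is missing a space or line break after the period. The mod_md sub-entries are also listed as 2.6.10, 2.6.7, 2.6.9, 2.6.8, out of version order, which makes it hard to see at a glance that 2.6.7 through 2.6.10 are all included; listing them in ascending order (or stating the cumulative range once) would let readers confirm what shipped.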
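Review bot: dropping "Requires(postun): update-alternatives" (the @@ -297,7 +297,6 @@ hunk) is consistent with removing the %pre alternatives cleanup in the same change, but the changelog calls this the "last remnants", so please confirm that no remaining %post or %postun scriptlet in the spec still invokes update-alternatives; with the dependency gone, any such call would fail on a system where the tool is not installed rather than being caught at install time.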
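Review bot: INSTALL is removed from the %doc line (the @@ -822,7 +821,7 @@ hunk) without a corresponding apache2.changes entry. If upstream 2.4.67 no longer ships INSTALL, say so in the changelog so the dropped file is not mistaken for an accidental omission; if the tarball still contains it, consider keeping "%doc INSTALL READM* ABOUT_APACHE CHANGES" as before.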
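Review bot: the removed %pre block (the @@ -915,15 +914,6 @@ hunk) only acted when "$1" = 0, a value rpm never passes to %pre (install is 1, upgrade is 2; 0 is only seen by %preun and %postun), so it was dead code and its removal changes nothing at install time. That also means that, if an earlier revision of the package registered the httpd and mod_$module.so alternatives, nothing has been de-registering them on upgrade; a one-shot cleanup guarded by "$1" = 2 in an upgrade-time scriptlet would clear stale alternatives entries that still point at %{_sbindir}/httpd and %{_libdir}/apache2/mod_*.so, which are now plain unmanaged files.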
