Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2021-06-04 22:42:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new.1898 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2" Fri Jun 4 22:42:34 2021 rev:183 rq:896869 version:2.4.48 Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2021-02-04 20:24:20.218850268 +0100 +++ /work/SRC/openSUSE:Factory/.apache2.new.1898/apache2.changes 2021-06-04 22:42:40.583070544 +0200 @@ -1,0 +2,270 @@ +Wed Jun 2 07:31:14 UTC 2021 - [email protected] + +- version update to 2.4.48 + + Changes with Apache 2.4.48 + + *) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the + fallback to mod_proxy_http for WebSocket upgrade and tunneling. + [Yann Ylavic] + + *) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling. + BZ 65294. [Yann Ylavic] + + *) core: Fix a regression that stripped the ETag header from 304 responses. + PR 61820 [Ruediger Pluem, Roy T. Fielding] + + *) core: Adding SSL related inquiry functions to the server API. + These function are always available, even when no module providing + SSL is loaded. They provide their own "shadowing" implementation for + the optional functions of similar name that mod_ssl and impersonators + of mod_ssl provide. + This enables loading of several SSL providing modules when all but + one of them registers itself into the new hooks. Two old-style SSL + modules will not work, as they replace the others optional functions + with their own. + Modules using the old-style optional functions will continue to work + as core supplies its own versions of those. + The following has been added so far: + - ap_ssl_conn_is_ssl() to query if a connection is using SSL. + - ap_ssl_var_lookup() to query SSL related variables for a + server/connection/request. + - Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules + providing SSL can install their own value supplying functions. + - ap_ssl_add_cert_files() to enable other modules like mod_md to provide + certificate and keys for an SSL module like mod_ssl. + - ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to + provide a fallback certificate in case no 'proper' certificate is + available for an SSL module like mod_ssl. + - ap_ssl_answer_challenge() to enable other modules like mod_md to + provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge + for the ACME protocol for an SSL module like mod_ssl. The function + and its hook provide PEM encoded data instead of file names. + - Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and + 'ssl_answer_challenge' where modules like mod_md can provide providers + to the above mentioned functions. + - These functions reside in the new 'http_ssl.h' header file. + [Stefan Eissing] + *) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This + allows modules to access and provide OCSP response data without being tied + of each other. The data is exchanged in standard, portable formats (PEM encoded + certificates and DER encoded responses), so that the actual SSL/crypto + implementations used by the modules are independant of each other. + Registration and retrieval happen in the context of a server (server_rec) + which modules may use to decide if they are configured for this or not. + The area of changes: + 1. core: defines 2 functions in include/http_ssl.h, so that modules may + register a certificate, together with its issuer certificate for OCSP + response provisioning and ask for current response data (DER bytes) later. + Also, 2 hooks are defined that allow modules to implement this OCSP + provisioning. + 2. mod_ssl uses the new functions, in addition to what it did already, to + register its certificates this way. If no one is interested in providing + OCSP, it falls back to its own (if configured) stapling implementation. + 3. mod_md registers itself at the core hooks for OCSP provisioning. Depending + on configuration, it will accept registrations of its own certificates only, + all certificates or none. + [Stefan Eissing] + *) mod_md: v2.4.0 with improvements and bugfixes + - MDPrivateKeys allows the specification of several types. Beside "RSA" plus + optional key lengths elliptic curves can be configured. This means you can + have multiple certificates for a Managed Domain with different key types. + With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA + certificate and all modern client will use the shorter ECDSA, while older + client will get the RSA certificate. + Many thanks to @tlhackque who pushed and helped on this. + - Support added for MDomains consisting of a wildcard. Configuring + ```MDomain *.host.net``` will match all virtual hosts matching that pattern + and obtain one certificate for it (assuming you have 'dns-01' challenge + support configured). Addresses #239. + - Removed support for ACMEv1 servers. The only known installation used to + be Let's Encrypt which has disabled that version more than a year ago for + new accounts. + - Andreas Ulm (<https://github.com/root360-AndreasUlm>) implemented the + ```renewing``` call to ```MDMessageCmd``` that can deny a certificate + renewal attempt. This is useful in clustered installations, as + discussed in #233). + - New event ```challenge-setup:<type>:<domain>```, triggered when the + challenge data for a domain has been created. This is invoked before the + ACME server is told to check for it. The type is one of the ACME challenge + types. This is invoked for every DNS name in a MDomain. + - The max delay for retries has been raised to daily (this is like all + retries jittered somewhat to avoid repeats at fixed time of day). + - Certain error codes reported by the ACME server that indicate a problem + with the configured data now immediately switch to daily retries. For + example: if the ACME server rejects a contact email or a domain name, + frequent retries will most likely not solve the problem. But daily retries + still make sense as there might be an error at the server and un-supervised + certificate renewal is the goal. Refs #222. + - Test case and work around for domain names > 64 octets. Fixes #227. + When the first DNS name of an MD is longer than 63 octets, the certificate + request will not contain a CN field, but leave it up to the CA to choose one. + Currently, Lets Encrypt looks for a shorter name in the SAN list given and + fails the request if none is found. But it is really up to the CA (and what + browsers/libs accept here) and may change over the years. That is why + the decision is best made at the CA. + - Retry delays now have a random +/-[0-50]% modification applied to let + retries from several servers spread out more, should they have been + restarted at the same time of day. + - Fixed several places where the 'badNonce' return code from an ACME server + was not handled correctly. The test server 'pebble' simulates this behaviour + by default and helps nicely in verifying this behaviour. Thanks, pebble! + - Set the default `MDActivationDelay` to 0. This was confusing to users that + new certificates were deemed not usably before a day of delay. When clocks are + correct, using a new certificate right away should not pose a problem. + - When handling ACME authorization resources, the module no longer requires + the server to return a "Location" header, as was necessary in ACMEv1. + Fixes #216. + - Fixed a theoretical uninitialized read when testing for JSON error responses + from the ACME CA. Reported at <https://bz.apache.org/bugzilla/show_bug.cgi?id=64297>. + - ACME problem reports from CAs that include parameters in the Content-Type + header are handled correctly. (Previously, the problem text would not be + reported and retries could exceed CA limits.) + - Account Update transactions to V2 CAs now use the correct POST-AS-GET method. + Previously, an empty JSON object was sent - which apparently LE accepted, + but others reject. + [Stefan Eissing, @tlhackque, Andreas Ulm] + + Changes with Apache 2.4.47 + + *) mod_dav_fs: Improve logging output when failing to open files for + writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>] + + *) mod_http2: Fixed a race condition that could lead to streams being + aborted (RST to the client), although a response had been produced. + [Stefan Eissing] + + *) mod_lua: Add support to Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem] + + *) MPM event/worker: Fix possible crash in child process on early signal + delivery. PR 64533. [Ruediger Pluem] + + *) mod_http2: sync with github standalone version 1.15.17 + - Log requests and sent the configured error response in case of early detected + errors like too many or too long headers. [Ruediger Pluem] + - new option 'H2OutputBuffering on/off' which controls the buffering of stream output. + The default is on, which is the behaviour of older mod-h2 versions. When off, all + bytes are made available immediately to the main connection for sending them + out to the client. This fixes interop issues with certain flavours of gRPC, see + also <https://github.com/icing/mod_h2/issues/207>. + [Stefan Eissing] + + *) mod_unique_id: Fix potential duplicated ID generation under heavy load. + PR 65159 + [Jonas M??ntener <jonas.muentener ergon.ch>, Christophe Jaillet] + + *) "[mod_dav_fs etag handling] should really honor the FileETag setting". + - It now does. + - Add "Digest" to FileETag directive, allowing a strong ETag to be + generated using a file digest. + - Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over + ETag generation. + - Add concept of "binary notes" to request_rec, allowing packed bit flags + to be added to a request. + - First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force + the ETag to a strong ETag to comply with RFC requirements, such as those + mandated by various WebDAV extensions. + [Graham Leggett] + + *) mod_proxy_http: Fix a possibly crash when the origin connection gets + interrupted before completion. PR 64234. + [Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem] + + *) mod_ssl: Do not keep connections to OCSP responders alive when doing + OCSP requests. PR 64135. [Ruediger Pluem] + + *) mod_ssl: Improve the coalescing filter to buffer into larger TLS + records, and avoid revealing the HTTP header size via TLS record + boundaries (for common response generators). + [Joe Orton, Ruediger Pluem] + + *) mod_proxy_hcheck: Don't pile up health checks if the previous one did + not finish before hcinterval. PR 63010. [Yann Ylavic] + + *) mod_session: Improve session parsing. [Yann Yalvic] + + *) mod_authnz_ldap: Prevent authentications with empty passwords for the + initial bind to fail with status 500. [Ruediger Pluem] + + *) mod_auth_digest: Fast validation of the nonce's base64 to fail early if + the format can't match anyway. [Yann Ylavic] + + *) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked + Transfer-Encoding from the client, spooling the request body when needed + to provide a Content-Length to the backend. PR 57087. [Yann Ylavic] + + *) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in + proxy_util. [Yann Ylavic] ++++ 73 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/apache2/apache2.changes ++++ and /work/SRC/openSUSE:Factory/.apache2.new.1898/apache2.changes Old: ---- apache2-mod_proxy_uwsgi-fix-crash.patch httpd-2.4.46.tar.bz2 httpd-2.4.46.tar.bz2.asc lua54.patch New: ---- httpd-2.4.48.tar.bz2 httpd-2.4.48.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.u9rzWe/_old 2021-06-04 22:42:42.623072796 +0200 +++ /var/tmp/diff_new_pack.u9rzWe/_new 2021-06-04 22:42:42.623072796 +0200 @@ -1,5 +1,5 @@ # -# spec file for package apache2 +# spec file for package apache2%{psuffix} # # Copyright (c) 2021 SUSE LLC # @@ -115,7 +115,7 @@ %endif Name: apache2%{psuffix} -Version: 2.4.46 +Version: 2.4.48 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 @@ -189,10 +189,6 @@ Patch3: apache2-LimitRequestFieldSize-limits-headers.patch # [fate317766] backport of an upstream commit Patch4: apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch -# [bsc#1174052] picked upstream commit -Patch5: apache2-mod_proxy_uwsgi-fix-crash.patch -# PATCH: https://svn.apache.org/viewvc?view=revision&revision=1880678 -Patch6: lua54.patch # PATCH: https://marc.info/?l=apache-httpd-users&m=147448312531134&w=2 Patch100: apache-test-application-xml-type.patch # PATCH: /test_ssl_var_lookup?SSL_SERVER_SAN_DNS_0 returns <build-host-name> @@ -309,7 +305,7 @@ Requires(post): %fillup_prereq Requires(post): grep Requires(post): update-alternatives -Requires(postun): update-alternatives +Requires(postun):update-alternatives %endif %if %{test} || "%{flavor}" == "manual" BuildArch: noarch @@ -329,8 +325,6 @@ %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch5 -p1 -%patch6 -p1 %patch100 -p1 %patch101 -p1 @@ -358,7 +352,7 @@ cat > config.layout <<-EOF # SUSE Layout <Layout SUSE> - prefix: %{datadir} +Prefix: %{datadir} exec_prefix: %{_prefix} bindir: %{_bindir} sbindir: %{_sbindir} @@ -720,6 +714,7 @@ cp %{_sysconfdir}/sysconfig/apache2 $PWD%{_sysconfdir}/sysconfig/ sed -i -e "s:\(APACHE_HTTPD_CONF=\).*:\1$PWD%{sysconfdir}/httpd.conf:" \ -e "s:\(%{_localstatedir}\):$PWD\1:" $PWD%{_sysconfdir}/sysconfig/apache2 +sed -i 's:\(APACHE_MPM=\).*:\1"prefork":' $PWD%{_sysconfdir}/sysconfig/apache2 # copy and adjust configuration (paths and Listen) cp -r %{_sysconfdir}/apache2/ %{_sysconfdir}/mime.types etc 2>/dev/null || true find etc/apache2 -name *.conf | xargs sed -i "s:\(%{_localstatedir}\):$PWD\1:" @@ -981,6 +976,7 @@ %posttrans %apache_restart_if_needed + %verifyscript %verify_permissions -e %{_sbindir}/suexec ++++++ apache2.keyring ++++++ --- /var/tmp/diff_new_pack.u9rzWe/_old 2021-06-04 22:42:42.959073167 +0200 +++ /var/tmp/diff_new_pack.u9rzWe/_new 2021-06-04 22:42:42.959073167 +0200 @@ -389,3 +389,55 @@ =w/hc -----END PGP PUBLIC KEY BLOCK----- +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBGCAei8BEADKUPoj6I2OjdZ44486xLrZoApbXP3hOadau8DgXXPO84b0dnCS +NqvV3aDSXULtSdh+48pVdv0yBtqCeo6pWNBR/aURxxh3vDJNyQVzhDZsdePITwmV +qkpICUXeuTpyow3ir1+05p0DU6F33TynhZsyHltKmu+GqvxYYrzud+bw9zTN0Z45 +Br/cKF/YE2uVEjq/x440qtSQmFhM7eSQvTv9lo9QgMO+eQXK0Dt4bsfyAZ1q2HAt +XGup0iwQpoxS1ofdkSxpvCBWklAiNXH0+qHGdVTJlqCp70xpsC2DXhbckCeLi2w7 +GGa3jCNuf6P5uxW+tPlyFm5aFBSDd/3gAsU8G/a3ng3+78peKjatpmTkBJmXpA1E +cDWFZNKLlS5eE1c2LG+Hgu0yZrvArsJ8dvjbAuYn7uCWLll/Pjy26L9mKwLlJdcl +TX2rgx7a+yi2nfJwtj0rWWqX95HudUcWRxBVtpCjg6NKzv97dm3wOUOm15xcp0r0 +QAzNtjllOjr3RwTgE4B3j4GFXof92HKS8H+B1/z9ZBbz399fs/wS9o/sDyMVevNP +88IGihaxPkfTw0UKZz5cR6X1BWlcH3404bVB/LHcq7+c1NUqvRfIlwwwsKGjMCWf +vv3cDVUvb3mMhvQs0rBEyb71bbKCe3qb10CvOJAmocp1c+YHo5vpQYeMJQARAQAB +tDJDaHJpc3RvcGhlIEpBSUxMRVQgPGNocmlzdG9waGUuamFpbGxldEB3YW5hZG9v +LmZyPokCTgQTAQoAOBYhBMVat7kTnrImPNGqvBmwM9F2DCJ7BQJggHovAhsDBQsJ +CAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEBmwM9F2DCJ7E4MP/iVC7ZglH2sLi5wv +YZaXqMib7dau1NmGUocaz57U6lR2WpfhTIiHELtFnmb8eVuJGzzmYaDwaIN/knOw +vudUGrMI5TjAmgAdj3BswXoJQNGhKhLwtf3yzvabFbp6oPfxq+PgXRMWnDojQ0cC ++VdfavJt4dOq1TrcH20B1GhJUiNxdkwAlVu3hcpdJ4pgIPVxxeozLAU3hLjMXxeo +j9eVmzTaM/fd0ykbIkMUHfPEdqnmbTPwk2lIMFwcoa7iUdcYIDDWbHvnvVZ+4Uae +pX6st8QHDva+etW/illgYRGMVsCL6FEtYRe+nTJLdvT81QoovVeoeyKtZNzCdNJb +WUfqoCoLDQza8ibRpHLleRIQS4zn/TtXpvVwMG5wjZCnEBypmBzriKSt9QrcvVKu +ROjR9Bizzwj1QUL3fMFoVWLLCt5TkGszZWvfmcjsq4gZhcgCrRp59BpuBa8Khvnf +l5OgVqttmM6PQcFwJTHKUc5Ltzh0xTXwYl6uSEGSn1DoDlmUSnK3R+x0u61FfiHh +KvkO/PIdTeA05ihkMRqMtDbPwsghmdXV2wlkcApdr4wXHsuYffvxN1daoUDQXDix +GgPFRG4eYORYY2hlAo7a4ahUzeCJJQGfrF/E3YojXsIgVIbp+UjlH4kkR9J6F/wl +NVgU2JF03YSZ9zyq4lSrP6lji2ehuQINBGCAei8BEACvQQIc89CwDOiKAeJCL9WW +U4O3XX1LwQCzz6W519PrFnQy3194ddT7L0E4gEB9cNBczxSpvMHUiYkynMLZ7i6a +X4BIVDzOyrN/5S6ZkOddpu9/zGJtupzN68SIpJrIry1zeXVm8Ex3VzfikVFDsxQg +OkTu4b0YWts4hJbJMa3cTh+pLQQ+vHqKe4z6L3hVfdL2LZ8W9xmDvCBh3Ysz/mZF +2dI47XdGGgGY/t50MpFJYrPy0JMfyeHdXHwF90pY/MwWr8QeHjlX589P1MMc/5UB +c1ScFfy40gUryUnRQudN12KEQZDMb4G/8Bz6t4mm8nOspDwwbdHjeZhyrWYZpEd/ +ZV6iywoZ7IBzrdaWzgVs5+DhvJZVudpKlqVip37E9pUYKgMJ2A/asD85HV+yODiF +uub9t7quSWgKKkP75BfBzKCp0T0y+wRnKWUdnlEg2wK0QJxOjkhKw3uC84tr2dlx +CHWF0TLKjkUBqnDT3uSY8DMwZxqEyAEQWzBeP7MFsAy2yZChSHrSKN4ZMx57KYxj +1lsxqFYZo9h9bpar5L77JMkgUtqh+reZYAhMSpk33rgRH5dPpfvn3nkCKgngsxtf +gD9fPpVQgANTEj6rdvtOIFn1Z1U4B4GonaFTGPr771+6ZolLmpylbJp5kviiAz3f +CMJ1cVWhIvr/5G88X4jEMQARAQABiQI2BBgBCgAgFiEExVq3uROesiY80aq8GbAz +0XYMInsFAmCAei8CGwwACgkQGbAz0XYMInsbqA/9HFdq+s1Tk6rluxM3hjnx1HQ8 +R9TStbZqBPrKllOPVNnBpjAShoBKCJ9XbSgzaGVlsDMOXe0wZMjW6TF18igVcA+T +wMTMcgy8Sq8vL7tv5JRtnhZzpM27Db3floWJMCmQtK7aGBC7MpyiHImRvieuDO9P +mwhx9mVDx6+VHb8PCnECg9TMQVEtP9Y0E8qgNy1R+axLShwgO1y/g+u3gPJwGr31 +xiR3icaoMuvb+PEFOZk5L1Dh8rIExqbMH5yH9MeJXiGC2w1QX8KH194UbWRtS3zq +6FrZJ0ZVgoYCvn42icBVt51Nrgl1sqHINBH8ysgK6WvZlw9x22g0tErx3AwGNkrl +lPZ4ctQOxMQ541nN3IJoywxGfsOst2M4je+wNj6USNmAkg1WaezjqyQScw/oIKYj +o18dtGUf6Q3MMHe4O550+upz9bJ0eksCYvC0X2jTNuGdfZo9ZDNh3dxBkoNNbHK5 +hc3m7qU68pdYPzqDkmDFIHyXSYXbmB1wTrrZZL1LQ6jE4a3mRT2v61CRglMUuQK7 +yrZTrPOyuBsZSC//PxK93RgH1xfYR8G8dJPlv0pqF6jD1OjBb6nyU8slRsYfataR +ekJ4VhpVUYgDv8+EzGS9SkgY/DpiyLvPtuhqLXos4ABSwQOEYfG3RhGy7h2B404e +Ot6BQHeyFl0mtrYT1mI= +=L7j3 +-----END PGP PUBLIC KEY BLOCK----- ++++++ httpd-2.4.46.tar.bz2 -> httpd-2.4.48.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/apache2/httpd-2.4.46.tar.bz2 /work/SRC/openSUSE:Factory/.apache2.new.1898/httpd-2.4.48.tar.bz2 differ: char 11, line 1
