Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2017-10-23 16:42:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2" Mon Oct 23 16:42:00 2017 rev:137 rq:535888 version:2.4.29 Changes: --------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2017-10-10 11:37:51.104994283 +0200
+++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2017-10-23 16:42:08.116012366 +0200
@@ -1,0 +2,35 @@ +Wed Oct 18 09:22:41 UTC 2017 - [email protected] + +- updated to 2.4.29: + *) mod_unique_id: Use output of the PRNG rather than IP address and + pid, avoiding sleep() call and possible DNS issues at startup, + plus improving randomness for IPv6-only hosts. [Jan Kaluza] + *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST + is used in a condition that evaluates to true. PR 58231 [Luca Toscano] + *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket + beams that could lead to assertion failure in edge cases. + [Stefan Eissing] + *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced + in 2.4.28. [Jim Jagielski] + *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set. + PR 61546. [Lubos Uhliarik <luhliari redhat.com>] + *) mod_rewrite: Add support for starting External Rewriting Programs + as non-root user on UNIX systems by specifying username and group + name as third argument of RewriteMap directive. [Jan Kaluza] + *) core: Rewrite the Content-Length filter to avoid excessive memory + consumption. Chunked responses will be generated in more cases + than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem] + *) mod_ssl: Fix SessionTicket callback return value, which does seem to + matter with OpenSSL 1.1. 
[Yann Ylavic] + +------------------------------------------------------------------- +Tue Oct 17 12:41:23 UTC 2017 - [email protected] + +- gensslcert: + * set also SAN [bsc#1045159] + * drop -C argument, it was not mapped to CN actually + * consider also case when hostname does return empty string or + does not exist [bsc#1057406] + * do not consider environment ROOT variable + +------------------------------------------------------------------- Old: ---- httpd-2.4.28.tar.bz2 httpd-2.4.28.tar.bz2.asc New: ---- httpd-2.4.29.tar.bz2 httpd-2.4.29.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.TcfTih/_old 2017-10-23 16:42:21.327394085 +0200 +++ /var/tmp/diff_new_pack.TcfTih/_new 2017-10-23 16:42:21.331393898 +0200 @@ -53,7 +53,7 @@ %define mods_static unixd %endif Name: apache2 -Version: 2.4.28 +Version: 2.4.29 Release: 0 Summary: The Apache Web Server Version 2.4 License: Apache-2.0 ++++++ gensslcert ++++++ --- /var/tmp/diff_new_pack.TcfTih/_old 2017-10-23 16:42:21.987363199 +0200 +++ /var/tmp/diff_new_pack.TcfTih/_new 2017-10-23 16:42:21.987363199 +0200 @@ -16,7 +16,6 @@ These options are recognized: Default: - -C Common name "$name" -N comment "$comment" -c country (two letters, e.g. DE) $C -s state $ST 
@@ -38,18 +37,23 @@ function error { echo $RED$@$NORMAL; } function myexit { error something ugly seems to have happened in line $1...; exit $2; } -r=$ROOT -. $r/etc/sysconfig/network/config -FQHOSTNAME=`hostname -f` - -fqlength=`echo $FQHOSTNAME|wc -c` -if [ $fqlength -gt 63 ]; then - FQHOSTNAME=`hostname` +hostname=/usr/bin/hostname +FQHOSTNAME="" +if [ -x $hostname ]; then + FQHOSTNAME=`$hostname -f 2>/dev/null` + # bsc#1035829 + fqlength=`echo -n $FQHOSTNAME|wc -c` + if [ $fqlength -gt 64 ]; then + FQHOSTNAME=`$hostname 2>/dev/null` + fi +fi +# bsc#1057406 +if [ -z $FQHOSTNAME ]; then + FQHOSTNAME='localhost' fi # defaults comment="mod_ssl server certificate" - name= C=XY ST=unknown L=unknown @@ -62,7 +66,6 @@ while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do case $OPT in - C) name=$OPTARG-;; N) comment=$OPTARG;; c) C=$OPTARG;; s) ST=$OPTARG;; @@ -81,24 +84,26 @@ GO_LEFT="\033[80D" GO_MIDDLE="$GO_LEFT\033[15C" -for i in comment name C ST L U O CN email srvdays CAdays; do +for i in comment C ST L U O CN email srvdays CAdays; do eval "echo -e $i\"$GO_MIDDLE\" \$$i;" done -openssl=$r/usr/bin/openssl -sslcrtdir=$r/etc/apache2/ssl.crt -sslcsrdir=$r/etc/apache2/ssl.csr -sslkeydir=$r/etc/apache2/ssl.key -sslprmdir=$r/etc/apache2/ssl.prm +openssl=/usr/bin/openssl +sslcrtdir=/etc/apache2/ssl.crt +sslcsrdir=/etc/apache2/ssl.csr +sslkeydir=/etc/apache2/ssl.key +sslprmdir=/etc/apache2/ssl.prm + +name="$CN-" # # CA # echo;myecho creating CA key ... -(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?) +(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?) -cat >$r/root/.mkcert.cfg <<EOT +cat >/root/.mkcert.cfg <<EOT [ req ] default_bits = 2048 default_keyfile = keyfile.pem 
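Review bot: The new tests in the hostname block (hunk at new line 37) leave their operands unquoted, so `[ -z $FQHOSTNAME ]` is true for an empty value only because it collapses to the one-argument test `[ -z ]`, and it fails with a test syntax error if the command ever returns more than one word. I would write `if [ -x "$hostname" ]; then` and `if [ -z "$FQHOSTNAME" ]; then`. The fallback to `'localhost'` is also silent, because stderr of both hostname calls is discarded; a line such as `error "could not determine host name, using localhost"` in that branch would tell the admin that the generated certificate will presumably not match the real host name. Where FQHOSTNAME is turned into CN is outside the hunk.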
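Review bot: The option string on the `while getopts` line (hunk at new line 66) still contains `C:` although this hunk removes the `C)` arm, so `-C value` is still parsed and its argument consumed, and what happens next depends on a default arm that is not visible here. Dropping it, `while getopts N:c:s:l:o:u:n:e:y:Y:dh OPT; do`, lets getopts itself reject the retired option, in line with the usage text change in the first gensslcert hunk. The `case` statement continues past the end of the hunk.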
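Review bot: `name="$CN-"` (hunk at new line 84) turns the certificate's common name into a file-name prefix, and every path built from it here and in the two following hunks (`$sslkeydir/${name}ca.key`, the `cp` into `/srv/www/htdocs`, the `-CA`/`-CAkey` arguments) is expanded unquoted. A CN containing `/`, whitespace or `*` (a wildcard name) would then be written outside the ssl.* directories or be split or globbed by the shell. CN is assigned outside the hunk, so I would check it just before this assignment, e.g. `case $CN in */*|*[[:space:]]*) error "unsuitable CN: $CN"; exit 1;; esac`, and quote the paths, as in `-out "$sslkeydir/${name}ca.key"`.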
@@ -121,17 +126,17 @@ EOT echo;myecho creating CA request/certificate ... -(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?) +(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?) -cp -pv $sslcrtdir/${name}ca.crt $r/srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt +cp -pv $sslcrtdir/${name}ca.crt /srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt # # Server CERT # echo;myecho creating server key ... -(umask 0377 ; $openssl genrsa -rand $r/etc/rc.config:$r/var/log/messages -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?) +(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?) -cat >$r/root/.mkcert.cfg <<EOT +cat >/root/.mkcert.cfg <<EOT [ req ] default_bits = 2048 default_keyfile = keyfile.pem @@ -139,6 +144,7 @@ attributes = req_attributes prompt = no output_password = mypass +req_extensions = x509v3 [ req_distinguished_name ] C = $C 
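Review bot: `myexit` is called inside the `(umask 0377 ; ...)` subshell on the rewritten `openssl req` and `genrsa` lines (hunk at new line 126), so its `exit $2` ends only the subshell and the script carries on to the `cp` and the server-certificate steps after a failed CA step, unless `set -e` is enabled somewhere outside the hunks. The same pattern is on the `genrsa` line in the previous hunk and on the `req` and `x509` calls in the hunk at new line 155. Closing the parenthesis before the handler keeps the umask scoped and stops the run: `(umask 0377 ; $openssl req …) || myexit $LINENO $?`.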
@@ -149,35 +155,40 @@ CN = $CN emailAddress = $email +[ x509v3 ] +subjectAltName = DNS:$CN +nsComment = $comment +nsCertType = server + [ req_attributes ] challengePassword = $RANDOM$RANDOMA challenge password EOT echo;myecho creating server request ... -(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?) +(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?) -cat >$r/root/.mkcert.cfg <<EOT +cat >/root/.mkcert.cfg <<EOT extensions = x509v3 [ x509v3 ] -subjectAltName = email:copy +subjectAltName = DNS:$CN nsComment = $comment nsCertType = server EOT -test -f $r/root/.mkcert.serial || echo 01 >$r/root/.mkcert.serial +test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial myecho "creating server certificate ..." (umask 0377 ; $openssl x509 \ - -extfile $r/root/.mkcert.cfg \ + -extfile /root/.mkcert.cfg \ -days $srvdays \ - -CAserial $r/root/.mkcert.serial \ + -CAserial /root/.mkcert.serial \ -CA $sslcrtdir/${name}ca.crt \ -CAkey $sslkeydir/${name}ca.key \ -in $sslcsrdir/${name}server.csr -req \ -out $sslcrtdir/${name}server.crt || myexit $LINENO $?) -rm -f $r/root/.mkcert.cfg +rm -f /root/.mkcert.cfg ++++++ httpd-2.4.28.tar.bz2 -> httpd-2.4.29.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/apache2/httpd-2.4.28.tar.bz2 /work/SRC/openSUSE:Factory/.apache2.new/httpd-2.4.29.tar.bz2 differ: char 11, line 1 ++++++ sysconfig.apache2 ++++++ --- /var/tmp/diff_new_pack.TcfTih/_old 2017-10-23 16:42:22.103357771 +0200 +++ /var/tmp/diff_new_pack.TcfTih/_new 2017-10-23 16:42:22.103357771 +0200 
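Review bot: Both here-documents in the hunk at new line 155 hard-code `subjectAltName = DNS:$CN`, which produces a SAN that clients will not match when CN is an IP address, and which lets a comma or newline in CN add further names or config lines because the value is pasted into the OpenSSL config verbatim. I would compute the entry once before the first here-document, e.g. `case $CN in *[!0-9.]*) SAN="DNS:$CN";; *) SAN="IP:$CN";; esac` (IPv4 only; IPv6 would need its own arm), and use `subjectAltName = $SAN` in both `[ x509v3 ]` sections. That also keeps the CSR copy and the `-extfile` copy of the section from drifting apart; a comment such as `# keep in sync with the [ x509v3 ] section of the request config` above the second one would document the duplication.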
@@ -53,7 +53,7 @@
 # 1. Before you can use mod_ssl, you need a server certificate.
 # A test certificate can be created by entering e. g.
 #
-# $ gensslcert -n a.com -C a.com -e [email protected]
+# $ gensslcert -n a.com
 #
 # See gensslcert -h for or gensslcert script itself for details.
 # 2. Also, you need to set the ServerName inside the <VirtualHost _default_:443>
