Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2012-02-22 12:02:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2", Maintainer is "dr...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2012-02-15 16:15:41.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2012-02-22 12:02:05.000000000 +0100 @@ -1,0 +2,49 @@ +Sat Feb 18 21:15:08 UTC 2012 - po...@cmdline.net + +- update to 2.2.22 + *) SECURITY: CVE-2011-3368 (cve.mitre.org) + Reject requests where the request-URI does not match the HTTP + specification, preventing unexpected expansion of target URLs in + some reverse proxy configurations. + *) SECURITY: CVE-2011-3607 (cve.mitre.org) + Fix integer overflow in ap_pregsub() which, when the mod_setenvif module + is enabled, could allow local users to gain privileges via a .htaccess + file. + *) SECURITY: CVE-2011-4317 (cve.mitre.org) + Resolve additional cases of URL rewriting with ProxyPassMatch or + RewriteRule, where particular request-URIs could result in undesired + backend network exposure in some configurations. + *) SECURITY: CVE-2012-0021 (cve.mitre.org) + mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format + string is in use and a client sends a nameless, valueless cookie, causing + a denial of service. The issue existed since version 2.2.17. PR 52256. + *) SECURITY: CVE-2012-0031 (cve.mitre.org) + Fix scoreboard issue which could allow an unprivileged child process + could cause the parent to crash at shutdown rather than terminate + cleanly. + *) SECURITY: CVE-2012-0053 (cve.mitre.org) + Fix an issue in error responses that could expose "httpOnly" cookies + when no custom ErrorDocument is specified for status code 400. + *) mod_proxy_ajp: Try to prevent a single long request from marking a worker + in error. + *) config: Update the default mod_ssl configuration: Disable SSLv2, only + allow >= 128bit ciphers, add commented example for speed optimized cipher + list, limit MSIE workaround to MSIE <= 5. + *) core: Fix segfault in ap_send_interim_response(). PR 52315. + *) mod_log_config: Prevent segfault. PR 50861. + *) mod_win32: Invert logic for env var UTF-8 fixing. + Now we exclude a list of vars which we know for sure they dont hold UTF-8 + chars; all other vars will be fixed. This has the benefit that now also + all vars from 3rd-party modules will be fixed. PR 13029 / 34985. + *) core: Fix hook sorting for Perl modules, a regression introduced in + 2.2.21. PR: 45076. + *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: + A range of '0-' will now return 206 instead of 200. PR 51878. + *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead + of "0"). + *) mod_substitute: Fix buffer overrun. +- adjusted SSL template/default config for upstream changes, and added + MaxRanges example to apache2-server-tuning.conf +- fixed installation of (moved) man pages + +------------------------------------------------------------------- Old: ---- httpd-2.2.21.tar.bz2 httpd-2.2.21.tar.bz2.asc New: ---- httpd-2.2.22.tar.bz2 httpd-2.2.22.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.ZoObeJ/_old 2012-02-22 12:02:07.000000000 +0100 +++ /var/tmp/diff_new_pack.ZoObeJ/_new 2012-02-22 12:02:07.000000000 +0100 @@ -15,6 +15,8 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + + Name: apache2 BuildRequires: automake BuildRequires: db-devel @@ -73,8 +75,8 @@ # "Server:" header %define VENDOR SUSE %define platform_string Linux/%VENDOR -%define realver 2.2.21 -Version: 2.2.21 +%define realver 2.2.22 +Version: 2.2.22 Release: 0 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 @@ -850,10 +852,10 @@ %defattr(-,root,root) %doc INSTALL READM* LICENSE ABOUT_APACHE CHANGES %doc support/SHA1 -%doc %{_mandir}/man8/apachectl%{vers}.8.* -%doc %{_mandir}/man8/htcacheclean%{vers}.8.* -%doc %{_mandir}/man8/%{httpd}.8.* -%doc %{_mandir}/man8/apxs%{vers}.8.* +%doc %{_mandir}/man?/apachectl%{vers}.?.* +%doc %{_mandir}/man?/htcacheclean%{vers}.?.* +%doc %{_mandir}/man?/%{httpd}.?.* +%doc %{_mandir}/man?/apxs%{vers}.?.* %doc robots.txt %doc printenv %doc test-cgi @@ -976,14 +978,15 @@ %files utils %defattr(-,root,root) -%doc %{_mandir}/man8/ab%{vers}.8.* -%doc %{_mandir}/man1/dbmmanage%{vers}.1.* -%doc %{_mandir}/man1/htdbm%{vers}.1.* -%doc %{_mandir}/man1/htdigest%{vers}.1.* -%doc %{_mandir}/man1/htpasswd%{vers}.1.* -%doc %{_mandir}/man8/logresolve%{vers}.8.* -%doc %{_mandir}/man8/rotatelogs%{vers}.8.* -%doc %{_mandir}/man8/suexec%{vers}.8.* +%doc %{_mandir}/man?/ab%{vers}.?.* +%doc %{_mandir}/man?/dbmmanage%{vers}.?.* +%doc %{_mandir}/man?/htdbm%{vers}.?.* +%doc %{_mandir}/man?/htdigest%{vers}.?.* +%doc %{_mandir}/man?/htpasswd%{vers}.?.* +%doc %{_mandir}/man?/httxt2dbm%{vers}.?.* +%doc %{_mandir}/man?/logresolve%{vers}.?.* +%doc %{_mandir}/man?/rotatelogs%{vers}.?.* +%doc %{_mandir}/man?/suexec%{vers}.?.* %{_bindir}/check_forensic%{vers} %{_bindir}/dbmmanage%{vers} %{_bindir}/gensslcert ++++++ apache2-default-vhost-ssl.conf ++++++ --- /var/tmp/diff_new_pack.ZoObeJ/_old 2012-02-22 12:02:07.000000000 +0100 +++ /var/tmp/diff_new_pack.ZoObeJ/_new 2012-02-22 12:02:07.000000000 +0100 @@ -36,17 +36,17 @@ # Enable/Disable SSL for this virtual host. SSLEngine on - # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only: - SSLProtocol all -SSLv2 -SSLv3 - + # SSL Protocol support: + # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3: + # List the protocol versions which clients are allowed to + # connect with. Disable SSLv2 by default (cf. RFC 6176). + SSLProtocol all -SSLv2 + # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. # - # formerly, this was set to the following: - # ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL - # - # We now disable weak ciphers by default. + # Weak ciphers are disabled by default. # Please see the documentation via the links above, and # "openssl ciphers -v" for a complete list of ciphers that are # available. @@ -58,8 +58,21 @@ # For more information, please have a look at # /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl # package. - SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH - + SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + + # Speed-optimized SSL Cipher configuration: + # If speed is your main concern (on busy HTTPS servers e.g.), + # you might want to force clients to specific, performance + # optimized ciphers. In this case, prepend those ciphers + # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. + # Caveat: by giving precedence to RC4-SHA and AES128-SHA + # (as in the example below), most connections will no longer + # have perfect forward secrecy - if the server's key is + # compromised, captures of past or future traffic must be + # considered compromised, too. + #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 + #SSLHonorCipherOrder on + # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a @@ -150,10 +163,6 @@ # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. - # o CompatEnvVars: - # This exports obsolete environment variables for backward compatibility - # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this - # to provide compatibility to existing CGI scripts. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied @@ -161,15 +170,15 @@ # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire - <Files ~ "\.(cgi|shtml|phtml|php3?)$"> - SSLOptions +StdEnvVars - </Files> - + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + <FilesMatch "\.(cgi|shtml|phtml|php)$"> + SSLOptions +StdEnvVars + </FilesMatch> + <Directory "/srv/www/cgi-bin"> - SSLOptions +StdEnvVars + SSLOptions +StdEnvVars </Directory> - + <Directory "/srv/www/htdocs"> AllowOverride None #Options +Indexes +MultiViews +FollowSymLinks @@ -218,13 +227,10 @@ # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. - # remark: The below configuration snippet is here for illustration purposes. - # Browser specific deficiencies exist, but generally all of them - # should handle SSL/TLS encapsulated connections well. - #SetEnvIf User-Agent ".*MSIE.*" \ - # nokeepalive ssl-unclean-shutdown \ - # downgrade-1.0 force-response-1.0 - + BrowserMatch "MSIE [2-5]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. ++++++ apache2-server-tuning.conf ++++++ --- /var/tmp/diff_new_pack.ZoObeJ/_old 2012-02-22 12:02:08.000000000 +0100 +++ /var/tmp/diff_new_pack.ZoObeJ/_new 2012-02-22 12:02:08.000000000 +0100 @@ -91,6 +91,13 @@ KeepAliveTimeout 15 # +# MaxRanges: Maximum number of Ranges in a request before +# returning the entire resource, or one of the special +# values 'default', 'none' or 'unlimited'. +# Default setting is to accept 200 Ranges. +#MaxRanges unlimited + +# # EnableMMAP: Control whether memory-mapping is used to deliver # files (assuming that the underlying OS supports it). # The default is on; turn this off if you serve from NFS-mounted ++++++ apache2-ssl-global.conf ++++++ --- /var/tmp/diff_new_pack.ZoObeJ/_old 2012-02-22 12:02:08.000000000 +0100 +++ /var/tmp/diff_new_pack.ZoObeJ/_new 2012-02-22 12:02:08.000000000 +0100 @@ -46,14 +46,12 @@ #SSLSessionCache dbm:/var/lib/apache2/ssl_scache #SSLSessionCache shmht:/var/lib/apache2/ssl_scache(512000) SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000) - SSLSessionCacheTimeout 600 + SSLSessionCacheTimeout 300 - # This configures the SSL engine's semaphore (aka. lock) which is - # used for mutual exclusion of operations which have to be done in a - # synchronized way between the pre-forked Apache server processes. - # "default" tells the SSL Module to pick the default locking - # implementation as determined by the platform and APR. - SSLMutex default + # Semaphore: + # Configure the path to the mutual exclusion semaphore the + # SSL engine uses internally for inter-process synchronization. + SSLMutex "file:/var/lib/apache2/ssl_mutex" # Pseudo Random Number Generator (PRNG): # Configure one or more sources to seed the PRNG of the ++++++ apache2-vhost-ssl.template ++++++ --- /var/tmp/diff_new_pack.ZoObeJ/_old 2012-02-22 12:02:08.000000000 +0100 +++ /var/tmp/diff_new_pack.ZoObeJ/_new 2012-02-22 12:02:08.000000000 +0100 @@ -40,14 +40,25 @@ # SSL protocols # Supporting TLS only is adequate nowadays - SSLProtocol all -SSLv2 -SSLv3 + SSLProtocol all -SSLv2 # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. - # We disable weak ciphers by default. - # See the mod_ssl documentation or "openssl ciphers -v" for a - # complete list. - SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH + # See the mod_ssl documentation for a complete list. + SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + + # Speed-optimized SSL Cipher configuration: + # If speed is your main concern (on busy HTTPS servers e.g.), + # you might want to force clients to specific, performance + # optimized ciphers. In this case, prepend those ciphers + # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. + # Caveat: by giving precedence to RC4-SHA and AES128-SHA + # (as in the example below), most connections will no longer + # have perfect forward secrecy - if the server's key is + # compromised, captures of past or future traffic must be + # considered compromised, too. + #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 + #SSLHonorCipherOrder on # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If @@ -139,10 +150,6 @@ # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. - # o CompatEnvVars: - # This exports obsolete environment variables for backward compatibility - # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this - # to provide compatibility to existing CGI scripts. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied @@ -150,10 +157,10 @@ # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire - <Files ~ "\.(cgi|shtml|phtml|php3?)$"> + #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire + <FilesMatch "\.(cgi|shtml|phtml|php)$"> SSLOptions +StdEnvVars - </Files> + </FilesMatch> <Directory "/srv/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> @@ -182,7 +189,7 @@ # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. - SetEnvIf User-Agent ".*MSIE [1-5].*" \ + BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 ++++++ httpd-2.2.21.tar.bz2 -> httpd-2.2.22.tar.bz2 ++++++ ++++ 49281 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org