Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked 
in at 2012-02-22 12:02:04
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2", Maintainer is "dr...@suse.com"

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes  2012-02-15 
16:15:41.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes     2012-02-22 
12:02:05.000000000 +0100
@@ -1,0 +2,49 @@
+Sat Feb 18 21:15:08 UTC 2012 - po...@cmdline.net
+
+- update to 2.2.22
+  *) SECURITY: CVE-2011-3368 (cve.mitre.org)
+     Reject requests where the request-URI does not match the HTTP
+     specification, preventing unexpected expansion of target URLs in
+     some reverse proxy configurations. 
+  *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+     Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
+     is enabled, could allow local users to gain privileges via a .htaccess
+     file.
+  *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+     Resolve additional cases of URL rewriting with ProxyPassMatch or
+     RewriteRule, where particular request-URIs could result in undesired
+     backend network exposure in some configurations.
+  *) SECURITY: CVE-2012-0021 (cve.mitre.org)
+     mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
+     string is in use and a client sends a nameless, valueless cookie, causing
+     a denial of service. The issue existed since version 2.2.17. PR 52256.
+  *) SECURITY: CVE-2012-0031 (cve.mitre.org)
+     Fix scoreboard issue which could allow an unprivileged child process 
+     could cause the parent to crash at shutdown rather than terminate 
+     cleanly. 
+  *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+     Fix an issue in error responses that could expose "httpOnly" cookies
+     when no custom ErrorDocument is specified for status code 400.
+  *) mod_proxy_ajp: Try to prevent a single long request from marking a worker
+     in error.
+  *) config: Update the default mod_ssl configuration: Disable SSLv2, only
+     allow >= 128bit ciphers, add commented example for speed optimized cipher
+     list, limit MSIE workaround to MSIE <= 5.
+  *) core: Fix segfault in ap_send_interim_response(). PR 52315.
+  *) mod_log_config: Prevent segfault. PR 50861.
+  *) mod_win32: Invert logic for env var UTF-8 fixing.
+     Now we exclude a list of vars which we know for sure they dont hold UTF-8
+     chars; all other vars will be fixed. This has the benefit that now also
+     all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
+  *) core: Fix hook sorting for Perl modules, a regression introduced in
+     2.2.21. PR: 45076.
+  *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
+     A range of '0-' will now return 206 instead of 200. PR 51878.
+  *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
+     of "0"). 
+  *) mod_substitute: Fix buffer overrun. 
+- adjusted SSL template/default config for upstream changes, and added
+  MaxRanges example to apache2-server-tuning.conf
+- fixed installation of (moved) man pages
+
+-------------------------------------------------------------------
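Review bot: the changes entry does not record that both the default SSL vhost config and the vhost template go from `SSLProtocol all -SSLv2 -SSLv3` to `SSLProtocol all -SSLv2`, i.e. SSLv3 is re-enabled; a widening of the accepted protocol set deserves its own line under "adjusted SSL template/default config", as do the SSLSessionCacheTimeout and SSLMutex changes in apache2-ssl-global.conf, which are not mentioned at all.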

Old:
----
  httpd-2.2.21.tar.bz2
  httpd-2.2.21.tar.bz2.asc

New:
----
  httpd-2.2.22.tar.bz2
  httpd-2.2.22.tar.bz2.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.ZoObeJ/_old  2012-02-22 12:02:07.000000000 +0100
+++ /var/tmp/diff_new_pack.ZoObeJ/_new  2012-02-22 12:02:07.000000000 +0100
@@ -15,6 +15,8 @@
 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
 
+
+
 Name:           apache2
 BuildRequires:  automake
 BuildRequires:  db-devel
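Review bot: the two added blank lines after the header comment are whitespace-only noise with no effect on the build; drop them from the submission so the spec diff only shows the version bump and the man page changes.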
@@ -73,8 +75,8 @@
 # "Server:" header
 %define VENDOR SUSE
 %define platform_string        Linux/%VENDOR
-%define realver 2.2.21
-Version:        2.2.21
+%define realver 2.2.22
+Version:        2.2.22
 Release:        0
 #Source0:      http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0:        http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
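Review bot: with the bump to 2.2.22, `Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2` still points at the dev staging area while the release location `#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2` stays commented out; since 2.2.22 is a released tarball, switch to the dist URL so the tarball and its `.asc` are fetched from the canonical release location.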
@@ -850,10 +852,10 @@
 %defattr(-,root,root)
 %doc INSTALL READM* LICENSE ABOUT_APACHE CHANGES
 %doc support/SHA1
-%doc %{_mandir}/man8/apachectl%{vers}.8.*
-%doc %{_mandir}/man8/htcacheclean%{vers}.8.*
-%doc %{_mandir}/man8/%{httpd}.8.*
-%doc %{_mandir}/man8/apxs%{vers}.8.*
+%doc %{_mandir}/man?/apachectl%{vers}.?.*
+%doc %{_mandir}/man?/htcacheclean%{vers}.?.*
+%doc %{_mandir}/man?/%{httpd}.?.*
+%doc %{_mandir}/man?/apxs%{vers}.?.*
 %doc robots.txt
 %doc printenv
 %doc test-cgi
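Review bot: replacing `man8` with `man?` and `.8.*` with `.?.*` makes the file list tolerant of the man page move mentioned in the changes file, but the glob now silently accepts whichever section the page lands in; add a short comment above these entries stating that upstream moved the pages in 2.2.22, so the wildcard reads as intentional rather than as a guess.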
@@ -976,14 +978,15 @@
 
 %files utils
 %defattr(-,root,root)
-%doc %{_mandir}/man8/ab%{vers}.8.*
-%doc %{_mandir}/man1/dbmmanage%{vers}.1.*
-%doc %{_mandir}/man1/htdbm%{vers}.1.*
-%doc %{_mandir}/man1/htdigest%{vers}.1.*
-%doc %{_mandir}/man1/htpasswd%{vers}.1.*
-%doc %{_mandir}/man8/logresolve%{vers}.8.*
-%doc %{_mandir}/man8/rotatelogs%{vers}.8.*
-%doc %{_mandir}/man8/suexec%{vers}.8.*
+%doc %{_mandir}/man?/ab%{vers}.?.*
+%doc %{_mandir}/man?/dbmmanage%{vers}.?.*
+%doc %{_mandir}/man?/htdbm%{vers}.?.*
+%doc %{_mandir}/man?/htdigest%{vers}.?.*
+%doc %{_mandir}/man?/htpasswd%{vers}.?.*
+%doc %{_mandir}/man?/httxt2dbm%{vers}.?.*
+%doc %{_mandir}/man?/logresolve%{vers}.?.*
+%doc %{_mandir}/man?/rotatelogs%{vers}.?.*
+%doc %{_mandir}/man?/suexec%{vers}.?.*
 %{_bindir}/check_forensic%{vers}
 %{_bindir}/dbmmanage%{vers}
 %{_bindir}/gensslcert
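Review bot: `%doc %{_mandir}/man?/httxt2dbm%{vers}.?.*` is a new entry, not just a section wildcard like the lines around it, and the changes file does not mention it; confirm that the matching `%{_bindir}/httxt2dbm%{vers}` is listed in `%files utils` (not visible in this hunk) and add a changes line for the newly packaged man page.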


++++++ apache2-default-vhost-ssl.conf ++++++
--- /var/tmp/diff_new_pack.ZoObeJ/_old  2012-02-22 12:02:07.000000000 +0100
+++ /var/tmp/diff_new_pack.ZoObeJ/_new  2012-02-22 12:02:07.000000000 +0100
@@ -36,17 +36,17 @@
     #   Enable/Disable SSL for this virtual host.
     SSLEngine on
 
-    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
-    SSLProtocol all -SSLv2 -SSLv3
-
+    #   SSL Protocol support:
+    # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
+    #   List the protocol versions which clients are allowed to
+    #   connect with. Disable SSLv2 by default (cf. RFC 6176).
+    SSLProtocol all -SSLv2
+    
     #   SSL Cipher Suite:
     #   List the ciphers that the client is permitted to negotiate.
     #   See the mod_ssl documentation for a complete list.
     #
-        #   formerly, this was set to the following:
-    #   ### SSLCipherSuite 
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
-    #
-    #   We now disable weak ciphers by default.
+    #   Weak ciphers are disabled by default.
     #   Please see the documentation via the links above, and
     #   "openssl ciphers -v" for a complete list of ciphers that are
     #   available.
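Review bot: `-    SSLProtocol all -SSLv2 -SSLv3` becoming `+    SSLProtocol all -SSLv2` re-enables SSLv3 for the default SSL vhost, a step back from the previous distribution default; if this is meant to track upstream's 2.2.22 default, say so in the changes file, otherwise keep `-SSLv3`. The added comment block is also redundant ("Allow TLS and SSLv3" and "List the protocol versions which clients are allowed to connect with" say the same thing), and the `+    ` line after the directive carries trailing whitespace.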
@@ -58,8 +58,21 @@
     # For more information, please have a look at
     # /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
     # package.
-    SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
-
+    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+    
+    #   Speed-optimized SSL Cipher configuration:
+    #   If speed is your main concern (on busy HTTPS servers e.g.),
+    #   you might want to force clients to specific, performance
+    #   optimized ciphers. In this case, prepend those ciphers
+    #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+    #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+    #   (as in the example below), most connections will no longer
+    #   have perfect forward secrecy - if the server's key is
+    #   compromised, captures of past or future traffic must be
+    #   considered compromised, too.
+    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+    #SSLHonorCipherOrder on 
+    
     #   Server Certificate:
     #   Point SSLCertificateFile at a PEM encoded certificate.  If
     #   the certificate is encrypted, then you will be prompted for a
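Review bot: `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` drops the `@STRENGTH` sort of the old string, so without `SSLHonorCipherOrder on` the client's preference now decides which cipher is used; if server-side ordering is wanted by default, enable SSLHonorCipherOrder on the active line rather than only in the commented speed example. The forward-secrecy caveat on the RC4-SHA/AES128-SHA example is good and should stay. Trailing whitespace on the `+    ` lines and on `+    #SSLHonorCipherOrder on ` should be stripped.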
@@ -150,10 +163,6 @@
     #     because the extraction step is an expensive operation and is usually
     #     useless for serving static content. So one usually enables the
     #     exportation for CGI and SSI requests only.
-    #   o CompatEnvVars:
-    #     This exports obsolete environment variables for backward 
compatibility
-    #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use 
this
-    #     to provide compatibility to existing CGI scripts.
     #   o StrictRequire:
     #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
     #     under a "Satisfy any" situation, i.e. when it applies access is 
denied
@@ -161,15 +170,15 @@
     #   o OptRenegotiate:
     #     This enables optimized SSL connection renegotiation handling when SSL
     #     directives are used in per-directory context. 
-    #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
-       SSLOptions +StdEnvVars
-    </Files>
-
+    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+    <FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+    </FilesMatch>
+    
     <Directory "/srv/www/cgi-bin">
-       SSLOptions +StdEnvVars
+    SSLOptions +StdEnvVars
     </Directory>
-
+    
     <Directory "/srv/www/htdocs">
        AllowOverride None
        #Options +Indexes +MultiViews +FollowSymLinks
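Review bot: the `<FilesMatch "\.(cgi|shtml|phtml|php)$">` regex drops the `3?` of the old `php3?`, so `.php3` files no longer receive `SSLOptions +StdEnvVars`; if that is deliberate, note it in the changes file. The nested `SSLOptions +StdEnvVars` lines also lose their indentation inside the `<FilesMatch>` and `<Directory>` containers (they are now flush with the container tags, unlike the `AllowOverride None` block below), and the `+    ` lines carry trailing whitespace.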
@@ -218,13 +227,10 @@
     #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
     #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
     #   "force-response-1.0" for this.
-    #   remark: The below configuration snippet is here for illustration 
purposes.
-    #           Browser specific deficiencies exist, but generally all of them
-    #           should handle SSL/TLS encapsulated connections well.
-    #SetEnvIf User-Agent ".*MSIE.*" \
-    #   nokeepalive ssl-unclean-shutdown \
-    #   downgrade-1.0 force-response-1.0
-
+    BrowserMatch "MSIE [2-5]" \
+             nokeepalive ssl-unclean-shutdown \
+             downgrade-1.0 force-response-1.0
+    
     #   Per-Server Logging:
     #   The home of a custom SSL log file. Use this when you want a
     #   compact non-error SSL logfile on a virtual host basis.
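Review bot: `BrowserMatch "MSIE [2-5]"` turns what was a commented illustration (`#SetEnvIf User-Agent ".*MSIE.*"`) into an active directive, consistent with the changelog's "limit MSIE workaround to MSIE <= 5"; the retained comment above, however, still reads as advice to the admin ("Use variables ... for this") rather than a description of a directive that is now on by default, so adjust it to say the workaround below is enabled for MSIE 2 through 5 only. The `+    ` line has trailing whitespace.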

++++++ apache2-server-tuning.conf ++++++
--- /var/tmp/diff_new_pack.ZoObeJ/_old  2012-02-22 12:02:08.000000000 +0100
+++ /var/tmp/diff_new_pack.ZoObeJ/_new  2012-02-22 12:02:08.000000000 +0100
@@ -91,6 +91,13 @@
 KeepAliveTimeout 15
 
 #
+# MaxRanges: Maximum number of Ranges in a request before
+# returning the entire resource, or one of the special
+# values 'default', 'none' or 'unlimited'.
+# Default setting is to accept 200 Ranges.
+#MaxRanges unlimited
+
+#
 # EnableMMAP: Control whether memory-mapping is used to deliver
 # files (assuming that the underlying OS supports it).
 # The default is on; turn this off if you serve from NFS-mounted
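Review bot: the example `#MaxRanges unlimited` invites admins to switch off the range-count limit that exists as the mitigation for the CVE-2011-3192 byterange issue referenced in the changes file; since the comment already states the default of 200, the commented example would better show `default` or a bounded number, with a sentence noting that `unlimited` removes that protection.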

++++++ apache2-ssl-global.conf ++++++
--- /var/tmp/diff_new_pack.ZoObeJ/_old  2012-02-22 12:02:08.000000000 +0100
+++ /var/tmp/diff_new_pack.ZoObeJ/_new  2012-02-22 12:02:08.000000000 +0100
@@ -46,14 +46,12 @@
        #SSLSessionCache         dbm:/var/lib/apache2/ssl_scache
        #SSLSessionCache        shmht:/var/lib/apache2/ssl_scache(512000)
        SSLSessionCache         shmcb:/var/lib/apache2/ssl_scache(512000)
-       SSLSessionCacheTimeout  600
+       SSLSessionCacheTimeout  300
 
-       #   This configures the SSL engine's semaphore (aka. lock) which is
-       #   used for mutual exclusion of operations which have to be done in a
-       #   synchronized way between the pre-forked Apache server processes.
-       #   "default" tells the SSL Module to pick the default locking
-       #   implementation as determined by the platform and APR.
-       SSLMutex  default
+       #   Semaphore:
+       #   Configure the path to the mutual exclusion semaphore the
+       #   SSL engine uses internally for inter-process synchronization. 
+       SSLMutex  "file:/var/lib/apache2/ssl_mutex"
 
        #   Pseudo Random Number Generator (PRNG):
        #   Configure one or more sources to seed the PRNG of the 
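Review bot: `SSLMutex "file:/var/lib/apache2/ssl_mutex"` replaces `default`, and `SSLSessionCacheTimeout` halves from 600 to 300, neither of which appears in the changes entry; the file-based mutex also requires `/var/lib/apache2` to exist and be writable by the user that starts httpd, since the parent creates the lock file at startup, so confirm the spec owns that directory. The removed comment explained what `default` meant; the new one should say why a file mutex is now preferred over the platform default.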

++++++ apache2-vhost-ssl.template ++++++
--- /var/tmp/diff_new_pack.ZoObeJ/_old  2012-02-22 12:02:08.000000000 +0100
+++ /var/tmp/diff_new_pack.ZoObeJ/_new  2012-02-22 12:02:08.000000000 +0100
@@ -40,14 +40,25 @@
 
        #  SSL protocols
        #  Supporting TLS only is adequate nowadays
-       SSLProtocol all -SSLv2 -SSLv3
+       SSLProtocol all -SSLv2
 
        #   SSL Cipher Suite:
        #   List the ciphers that the client is permitted to negotiate.
-       #   We disable weak ciphers by default.
-       #   See the mod_ssl documentation or "openssl ciphers -v" for a
-       #   complete list.
-       SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
+       #   See the mod_ssl documentation for a complete list.
+       SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
+
+       #   Speed-optimized SSL Cipher configuration:
+       #   If speed is your main concern (on busy HTTPS servers e.g.),
+       #   you might want to force clients to specific, performance
+       #   optimized ciphers. In this case, prepend those ciphers
+       #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
+       #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
+       #   (as in the example below), most connections will no longer
+       #   have perfect forward secrecy - if the server's key is
+       #   compromised, captures of past or future traffic must be
+       #   considered compromised, too.
+       #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
+       #SSLHonorCipherOrder on 
 
        #   Server Certificate:
        #   Point SSLCertificateFile at a PEM encoded certificate.  If
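Review bot: the comment `#  Supporting TLS only is adequate nowadays` now contradicts the directive beneath it, `SSLProtocol all -SSLv2`, which allows SSLv3; either keep `-SSLv3` or rewrite the comment to match what is configured. The speed-optimized cipher comment block is duplicated verbatim from apache2-default-vhost-ssl.conf, which is fine for a template as long as the two are kept in sync; `+       #SSLHonorCipherOrder on ` has trailing whitespace.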
@@ -139,10 +150,6 @@
        #     because the extraction step is an expensive operation and is 
usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
-       #   o CompatEnvVars:
-       #     This exports obsolete environment variables for backward 
compatibility
-       #     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. 
Use this
-       #     to provide compatibility to existing CGI scripts.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied 
even
        #     under a "Satisfy any" situation, i.e. when it applies access is 
denied
@@ -150,10 +157,10 @@
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when 
SSL
        #     directives are used in per-directory context. 
-       #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
-       <Files ~ "\.(cgi|shtml|phtml|php3?)$">
+       #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+       <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
-       </Files>
+       </FilesMatch>
        <Directory "/srv/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>
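Review bot: as in apache2-default-vhost-ssl.conf, `php3?` becomes `php` in the `<FilesMatch>` regex, so `.php3` files drop out of the `+StdEnvVars` match; call it out in the changes file if intentional. Indentation of the nested `SSLOptions` line is preserved here, which the default vhost hunk should mirror.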
@@ -182,7 +189,7 @@
        #   Similarly, one has to force some clients to use HTTP/1.0 to 
workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" 
and
        #   "force-response-1.0" for this.
-       SetEnvIf User-Agent ".*MSIE [1-5].*" \
+       BrowserMatch "MSIE [2-5]" \
                 nokeepalive ssl-unclean-shutdown \
                 downgrade-1.0 force-response-1.0
 



++++++ httpd-2.2.21.tar.bz2 -> httpd-2.2.22.tar.bz2 ++++++
++++ 49281 lines of diff (skipped)
