Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2015-01-22 21:48:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2"

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes  2015-01-15 
16:00:44.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes     2015-01-22 
21:48:23.000000000 +0100
@@ -1,0 +2,209 @@
+Fri Jan 16 04:24:04 UTC 2015 - crrodrig...@opensuse.org
+
+- remove obsolete patches 
+* httpd-2.4.10-check_null_pointer_dereference.patch
+* httpd-event-deadlock.patch
+* httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch
+* httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch
+
+-------------------------------------------------------------------
+Fri Jan 16 04:13:59 UTC 2015 - crrodrig...@opensuse.org
+
+- Apache 2.4.11 
+
+  *) SECURITY: CVE-2014-3583 (cve.mitre.org)
+     mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with 
+     response headers' size above 8K.  [Yann Ylavic, Jeff Trawick]
+
+  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+     mod_cache: Avoid a crash when Content-Type has an empty value.
+     PR 56924.  [Mark Montague <mark catseye.org>, Jan Kaluza]
+
+  *) SECURITY: CVE-2014-8109 (cve.mitre.org)
+     mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
+     used in multiple Require directives with different arguments.
+     PR57204 [Edward Lu <Chaosed0 gmail.com>]
+
+  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+     core: HTTP trailers could be used to replace HTTP headers
+     late during request processing, potentially undoing or
+     otherwise confusing modules that examined or modified
+     request headers earlier.  Adds "MergeTrailers" directive to restore
+     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+
+  *) mod_ssl: New directive SSLSessionTickets (On|Off).
+     The directive controls the use of TLS session tickets (RFC 5077),
+     default value is "On" (unchanged behavior).
+     Session ticket creation uses a random key created during web
+     server startup and recreated during restarts. No other key
+     recreation mechanism is available currently. Therefore using session
+     tickets without restarting the web server with an appropriate frequency
+     (e.g. daily) compromises perfect forward secrecy. [Rainer Jung]
+
+  *) mod_proxy_fcgi: Provide some basic alternate options for specifying 
+     how PATH_INFO is passed to FastCGI backends by adding significance to
+     the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener]
+ 
+  *) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule
+     to opt-in to connection reuse and other Proxy options via explicitly
+     declared "proxy workers" (<Proxy unix:... enablereuse=on max=...)
+     [Eric Covener]
+
+  *) mod_proxy: Add "enablereuse" option as the inverse of "disablereuse".
+     [Eric Covener]
+
+  *) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly
+     setting proxy option disablereuse=off. [Eric Covener] PR 57378.
+
+  *) event: Update the internal "connection id" when requests
+     move from thread to thread. Reuse can confuse modules like
+     mod_cgid. PR 57435. [Michael Thorpe <mike gistnet.com>]
+
+  *) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME
+     passed to fastcgi backends. [Eric Covener]
+
+  *) core: Configuration files with long lines and continuation characters
+     are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>]
+
+  *) mod_include: the 'env' function was incorrectly handled as 'getenv' if the
+     leading 'e' was written in upper case in <!--#if expr="..." -->
+     statements. [Christophe Jaillet]
+
+  *) split-logfile: Fix perl error:  'Can't use string ("example.org:80") 
+     as a symbol ref while "strict refs"'. PR 56329.
+     [Holger Mauermann <mauermann gmail.com>]
+
+  *) mod_proxy: Prevent ProxyPassReverse from doing a substitution when
+     the URL parameter interpolates to an empty string. PR 56603.
+     [<ajprout hotmail.com>]
+
+  *) core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts. 
+     PR 57328.  [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic].
+
+  *) mod_proxy: Preserve original request headers even if they differ
+     from the ones to be forwarded to the backend. PR 45387.
+     [Yann Ylavic]
+
+  *) mod_ssl: dump SSL IO/state for the write side of the connection(s),
+     like reads (level TRACE4). [Yann Ylavic]
+
+  *) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198.
+     [Jan Kaluza]
+
+  *) mod_ssl: Do not crash when looking up SSL related variables during
+     expression evaluation on non SSL connections. PR 57070  [Ruediger Pluem]
+
+  *) mod_proxy_ajp: Fix handling of the default port (8009) in the
+     ProxyPass and <Proxy> configurations.  PR 57259.  [Yann Ylavic]
+
+  *) mpm_event: Avoid a possible use after free when notifying the end of
+     connection during lingering close.  PR 57268.  [Eric Covener, Yann Ylavic]
+
+  *) mod_ssl: Fix recognition of OCSP stapling responses that are encoded
+     improperly or too large.  [Jeff Trawick]
+
+  *) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers.
+     [Jeff Trawick]
+
+  *) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an
+     error when parsing or forwarding the response fails. [Yann Ylavic]
+
+  *) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 
0.9.8e
+     PR 53435 [tadanori <tadanori2007 yahoo.com>, Sebastian Wiedenroth <wiedi 
frubar.net>]
+
+  *) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read
+     determine whether it is a normal close or a real error. PR 57168. [Yann
+     Ylavic]
+
+  *) mod_proxy_wstunnel: abort backend connection on polling error to avoid
+     further processing.  [Yann Ylavic]
+
+  *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes.
+     PR 57167 [Edward Lu <Chaosed0 gmail.com>]
+
+  *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC 
+     systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>]
+
+  *) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752
+     CacheLock error occurs during cache revalidation. [Eric Covener]
+ 
+  *) mod_ssl: Move OCSP stapling information from a per-certificate store to
+     a per-server hash. PR 54357, PR 56919. [Alex Bligh <alex alex.org.uk>,
+     Yann Ylavic, Kaspar Brand]
+
+  *) mod_cache_socache: Change average object size hint from 32 bytes to
+     2048 bytes.  [Rainer Jung]
+
+  *) mod_cache_socache: Add cache status to server-status.  [Rainer Jung]
+
+  *) event: Fix worker-listener deadlock in graceful restart.
+     PR 56960.
+
+  *) Concat strings at compile time when possible. PR 53741.
+
+  *) mod_substitute: Restrict configuration in .htaccess to
+     FileInfo as documented.  [Rainer Jung]
+
+  *) mod_substitute: Make maximum line length configurable.  [Rainer Jung]
+
+  *) mod_substitute: Fix line length limitation in case of regexp plus flatten.
+     [Rainer Jung]
+  
+  *) mod_proxy: Truncated character worker names are no longer fatal
+     errors. PR53218. [Jim Jagielski]
+
+  *) mod_dav: Set r->status_line in dav_error_response. PR 55426.
+
+  *) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory.
+     [Yann Ylavic, Christophe Jaillet]
+
+  *) http_protocol: fix logic in ap_method_list_(add|remove) in order:
+       - to correctly reset bits
+       - not to modify the 'method_mask' bitfield unnecessarily
+     [Christophe Jaillet]
+
+  *) mod_slotmem_shm: Increase log level for some originally debug messages.
+     [Jim Jagielski]
+
+  *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with
+     the wrong credentials when a backend connection is reused.
+     [Eric Covener]
+
+  *) mod_macro: Add missing APLOGNO for some Warning log messages.
+     [Christophe Jaillet]
+
+  *) mod_cache: Avoid sending 304 responses during failed revalidations
+     PR56881. [Eric Covener]
+
+  *) mod_status: Honor client IP address using mod_remoteip. PR 55886.
+     [Jim Jagielski]
+
+  *) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12
+     and later.  PR 56615.  [Chuck Liu <cliu81 gmail.com>, Jeff Trawick]
+
+  *) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade
+     failed) messages from ERROR to TRACE1.  Other filters do not bother 
+     re-reporting failures from lower level filters.  PR56832.  [Eric Covener]
+
+  *) core: Avoid useless warning message when parsing a section guarded by
+     <IfDefine foo> if $(foo) is used within the section.
+     PR 56503 [Christophe Jaillet]
+
+  *) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the
+     application.  PR 56858.  [Manuel Mausz <manuel-asf mausz.at>]
+
+  *) mod_proxy_http: Proxy responses with error status and
+     "ProxyErrorOverride On" hang until proxy timeout.
+     PR53420 [Rainer Jung]
++++ 12 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/apache2/apache2.changes
++++ and /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes
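
Review bot: The "remove obsolete patches" entry at the top of the new apache2.changes text lists the four dropped files without saying which upstream fix replaces each, and the 2.4.11 entry carries no bnc# references for the CVEs it lists. Two of the dropped file names embed bnc871310 and bnc909715, so adding those as bnc# references next to CVE-2013-5704 and CVE-2014-8109, and noting which 2.4.11 items cover httpd-2.4.10-check_null_pointer_dereference.patch and httpd-event-deadlock.patch, would keep the bug tracking intact once the patch files are gone. The SSLSessionTickets item also deserves a packaging decision: it states that tickets default to "On" with a key that is only recreated at startup or restart, so either set the directive in the shipped configuration or document the restart interval expected of administrators.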

Old:
----
  httpd-2.4.10-check_null_pointer_dereference.patch
  httpd-2.4.10.tar.bz2
  httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch
  httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch
  httpd-event-deadlock.patch

New:
----
  httpd-2.4.11.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.yFnCuM/_old  2015-01-22 21:48:26.000000000 +0100
+++ /var/tmp/diff_new_pack.yFnCuM/_new  2015-01-22 21:48:26.000000000 +0100
@@ -92,8 +92,8 @@
 # "Server:" header
 %define VENDOR SUSE
 %define platform_string        Linux/%VENDOR
-%define realver 2.4.10
-Version:        2.4.10
+%define realver 2.4.11
+Version:        2.4.11
 Release:        0
 #Source0:      http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0:        httpd-%{realver}.tar.bz2
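
Review bot: The version is still maintained in two places in this hunk, "%define realver 2.4.11" and "Version: 2.4.11", which have to be bumped together by hand; writing "Version: %{realver}" (or dropping realver) removes the chance of the two drifting apart. In the same hunk Source0 is a bare file name while the upstream URL sits in a comment and uses http://, so nothing in these lines ties the new httpd-2.4.11.tar.bz2 to the upstream release. Consider a full URL in Source0 and shipping the upstream signature as an additional source so the tarball can be verified at check-in.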
@@ -157,19 +157,12 @@
 Patch68:        httpd-2.x.x-logresolve.patch
 Patch69:        httpd-2.2.x-bnc690734.patch
 Patch70:        apache2-implicit-pointer-decl.patch
-Patch71:        httpd-event-deadlock.patch
 # PATCH-FEATURE-UPSTREAM apache2-mod_ssl_npn.patch dims...@opensuse.org -- Add 
npn support to mod_ssl (needed for spdy)
 #Patch108:       apache2-mod_ssl_npn.patch
 #Provides:       apache2(mod_ssl+npn)
 # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch 
crrodrig...@opensuse.org simple module provides systemd integration.
 Patch109:       httpd-2.4.3-mod_systemd.patch
 Patch111:       httpd-visibility.patch
-# PATCH-FIX-UPSTREAM bnc#899836 kstreit...@suse.com -- avoid a crash when 
Content-Type has an empty value
-Patch112:       httpd-2.4.10-check_null_pointer_dereference.patch
-# PATCH-FIX-UPSTREAM bnc#909715 kstreit...@suse.com -- Fix handling of the 
Require line when a LuaAuthzProvider is used in multiple Require directives 
with different arguments.
-Patch113:       
httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch
-# PATCH-FIX-UPSTREAM bnc#871310 kstreit...@suse.com -- Fix the flaw in the way 
mod_headers handled chunked requests. 
-Patch114:       
httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch
 Url:            http://httpd.apache.org/
 Icon:           Apache.xpm
 Summary:        The Apache Web Server Version 2.4
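
Review bot: Patch71 (httpd-event-deadlock.patch) is removed here with no PATCH-FIX-UPSTREAM comment or bug reference in the removed lines, unlike Patch112 to Patch114, so this hunk alone gives no way to confirm that 2.4.11 contains the fix. Please state in the .changes entry which upstream item supersedes it (the 2.4.11 list has "event: Fix worker-listener deadlock in graceful restart. PR 56960."). The same applies to Patch112: its comment (bnc#899836, crash when Content-Type has an empty value) matches the CVE-2014-3581 mod_cache item, and saying so keeps the bnc# traceable after the patch file is gone.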
@@ -345,13 +338,9 @@
 %patch68 -p1
 #%patch69
 %patch70 -p1
-%patch71 -p1
 #%patch108 -p1
 %patch109 -p1
 %patch111 -p1
-%patch112 -p1
-%patch113 -p1
-%patch114 -p1
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{S:22})
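
Review bot: The context lines "#%patch69" and "#%patch108 -p1" leave disabled patch applications in this %prep list, and Patch69 (httpd-2.2.x-bnc690734.patch) is still declared in the preamble while never being applied. That patch ships in the source package without effect and can mislead anyone auditing which fixes are actually in the build. Since this hunk already cleans up the %patch lines, either apply Patch69 or drop its declaration together with the commented line.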




++++++ httpd-2.4.10.tar.bz2 -> httpd-2.4.11.tar.bz2 ++++++
++++ 35799 lines of diff (skipped)
