Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2015-01-22 21:48:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2015-01-15 16:00:44.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2015-01-22 21:48:23.000000000 +0100 
@@ -1,0 +2,209 @@ +Fri Jan 16 04:24:04 UTC 2015 - crrodrig...@opensuse.org + +- remove obsolete patches +* httpd-2.4.10-check_null_pointer_dereference.patch +* httpd-event-deadlock.patch +* httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch +* httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch + +------------------------------------------------------------------- +Fri Jan 16 04:13:59 UTC 2015 - crrodrig...@opensuse.org + +- Apache 2.4.11 + + *) SECURITY: CVE-2014-3583 (cve.mitre.org) + mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with + response headers' size above 8K. [Yann Ylavic, Jeff Trawick] + + *) SECURITY: CVE-2014-3581 (cve.mitre.org) + mod_cache: Avoid a crash when Content-Type has an empty value. + PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza] + + *) SECURITY: CVE-2014-8109 (cve.mitre.org) + mod_lua: Fix handling of the Require line when a LuaAuthzProvider is + used in multiple Require directives with different arguments. + PR57204 [Edward Lu <Chaosed0 gmail.com>] + + *) SECURITY: CVE-2013-5704 (cve.mitre.org) + core: HTTP trailers could be used to replace HTTP headers + late during request processing, potentially undoing or + otherwise confusing modules that examined or modified + request headers earlier. Adds "MergeTrailers" directive to restore + legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] + + *) mod_ssl: New directive SSLSessionTickets (On|Off). + The directive controls the use of TLS session tickets (RFC 5077), + default value is "On" (unchanged behavior). + Session ticket creation uses a random key created during web + server startup and recreated during restarts. No other key + recreation mechanism is available currently. Therefore using session + tickets without restarting the web server with an appropriate frequency + (e.g. daily) compromises perfect forward secrecy. 
[Rainer Jung] + + *) mod_proxy_fcgi: Provide some basic alternate options for specifying + how PATH_INFO is passed to FastCGI backends by adding significance to + the value of proxy-fcgi-pathinfo. PR 55329. [Eric Covener] + + *) mod_proxy_fcgi: Enable UDS backends configured with SetHandler/RewriteRule + to opt-in to connection reuse and other Proxy options via explicitly + declared "proxy workers" (<Proxy unix:... enablereuse=on max=...) + [Eric Covener] + + *) mod_proxy: Add "enablereuse" option as the inverse of "disablereuse". + [Eric Covener] + + *) mod_proxy_fcgi: Enable opt-in to TCP connection reuse by explicitly + setting proxy option disablereuse=off. [Eric Covener] PR 57378. + + *) event: Update the internal "connection id" when requests + move from thread to thread. Reuse can confuse modules like + mod_cgid. PR 57435. [Michael Thorpe <mike gistnet.com>] + + *) mod_proxy_fcgi: Remove proxy:balancer:// prefix from SCRIPT_FILENAME + passed to fastcgi backends. [Eric Covener] + + *) core: Configuration files with long lines and continuation characters + are not read properly. PR 55910. [Manuel Mausz <manuel-as mausz.at>] + + *) mod_include: the 'env' function was incorrectly handled as 'getenv' if the + leading 'e' was written in upper case in <!--#if expr="..." --> + statements. [Christophe Jaillet] + + *) split-logfile: Fix perl error: 'Can't use string ("example.org:80") + as a symbol ref while "strict refs"'. PR 56329. + [Holger Mauermann <mauermann gmail.com>] + + *) mod_proxy: Prevent ProxyPassReverse from doing a substitution when + the URL parameter interpolates to an empty string. PR 56603. + [<ajprout hotmail.com>] + + *) core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts. + PR 57328. [Armin Abfalterer <a.abfalterer gmail.com>, Yann Ylavic]. + + *) mod_proxy: Preserve original request headers even if they differ + from the ones to be forwarded to the backend. PR 45387. 
+ [Yann Ylavic] + + *) mod_ssl: dump SSL IO/state for the write side of the connection(s), + like reads (level TRACE4). [Yann Ylavic] + + *) mod_proxy_fcgi: Ignore body data from backend for 304 responses. PR 57198. + [Jan Kaluza] + + *) mod_ssl: Do not crash when looking up SSL related variables during + expression evaluation on non SSL connections. PR 57070 [Ruediger Pluem] + + *) mod_proxy_ajp: Fix handling of the default port (8009) in the + ProxyPass and <Proxy> configurations. PR 57259. [Yann Ylavic] + + *) mpm_event: Avoid a possible use after free when notifying the end of + connection during lingering close. PR 57268. [Eric Covener, Yann Ylavic] + + *) mod_ssl: Fix recognition of OCSP stapling responses that are encoded + improperly or too large. [Jeff Trawick] + + *) core: Add ap_log_data(), ap_log_rdata(), etc. for logging buffers. + [Jeff Trawick] + + *) mod_proxy_fcgi, mod_authnz_fcgi: stop reading the response and issue an + error when parsing or forwarding the response fails. [Yann Ylavic] + + *) mod_ssl: Fix a memory leak in case of graceful restarts with OpenSSL >= 0.9.8e + PR 53435 [tadanori <tadanori2007 yahoo.com>, Sebastian Wiedenroth <wiedi frubar.net>] + + *) mod_proxy_connect: Don't issue AH02447 on sockets hangups, let the read + determine whether it is a normal close or a real error. PR 57168. [Yann + Ylavic] + + *) mod_proxy_wstunnel: abort backend connection on polling error to avoid + further processing. [Yann Ylavic] + + *) core: Support custom ErrorDocuments for HTTP 501 and 414 status codes. + PR 57167 [Edward Lu <Chaosed0 gmail.com>] + + *) mod_proxy_connect: Fix ProxyRemote to https:// backends on EBCDIC + systems. PR 57092 [Edward Lu <Chaosed0 gmail.com>] + + *) mod_cache: Avoid a 304 response to an unconditional requst when an AH00752 + CacheLock error occurs during cache revalidation. [Eric Covener] + + *) mod_ssl: Move OCSP stapling information from a per-certificate store to + a per-server hash. PR 54357, PR 56919. 
[Alex Bligh <alex alex.org.uk>, + Yann Ylavic, Kaspar Brand] + + *) mod_cache_socache: Change average object size hint from 32 bytes to + 2048 bytes. [Rainer Jung] + + *) mod_cache_socache: Add cache status to server-status. [Rainer Jung] + + *) event: Fix worker-listener deadlock in graceful restart. + PR 56960. + + *) Concat strings at compile time when possible. PR 53741. + + *) mod_substitute: Restrict configuration in .htaccess to + FileInfo as documented. [Rainer Jung] + + *) mod_substitute: Make maximum line length configurable. [Rainer Jung] + + *) mod_substitute: Fix line length limitation in case of regexp plus flatten. + [Rainer Jung] + + *) mod_proxy: Truncated character worker names are no longer fatal + errors. PR53218. [Jim Jagielski] + + *) mod_dav: Set r->status_line in dav_error_response. PR 55426. + + *) mod_proxy_http, mod_cache: Avoid (unlikely) accesses to freed memory. + [Yann Ylavic, Christophe Jaillet] + + *) http_protocol: fix logic in ap_method_list_(add|remove) in order: + - to correctly reset bits + - not to modify the 'method_mask' bitfield unnecessarily + [Christophe Jaillet] + + *) mod_slotmem_shm: Increase log level for some originally debug messages. + [Jim Jagielski] + + *) mod_ldap: In 2.4.10, some LDAP searches or comparisons might be done with + the wrong credentials when a backend connection is reused. + [Eric Covener] + + *) mod_macro: Add missing APLOGNO for some Warning log messages. + [Christophe Jaillet] + + *) mod_cache: Avoid sending 304 responses during failed revalidations + PR56881. [Eric Covener] + + *) mod_status: Honor client IP address using mod_remoteip. PR 55886. + [Jim Jagielski] + + *) cmake-based build for Windows: Fix incompatibility with cmake 2.8.12 + and later. PR 56615. [Chuck Liu <cliu81 gmail.com>, Jeff Trawick] + + *) mod_ratelimit: Drop severity of AH01455 and AH01457 (ap_pass_brigade + failed) messages from ERROR to TRACE1. 
Other filters do not bother + re-reporting failures from lower level filters. PR56832. [Eric Covener] + + *) core: Avoid useless warning message when parsing a section guarded by + <IfDefine foo> if $(foo) is used within the section. + PR 56503 [Christophe Jaillet] + + *) mod_proxy_fcgi: Fix faulty logging of large amounts of stderr from the + application. PR 56858. [Manuel Mausz <manuel-asf mausz.at>] + + *) mod_proxy_http: Proxy responses with error status and + "ProxyErrorOverride On" hang until proxy timeout. + PR53420 [Rainer Jung] ++++ 12 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/apache2/apache2.changes ++++ and /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes Old: ---- httpd-2.4.10-check_null_pointer_dereference.patch httpd-2.4.10.tar.bz2 httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch httpd-event-deadlock.patch New: ---- httpd-2.4.11.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.yFnCuM/_old 2015-01-22 21:48:26.000000000 +0100 +++ /var/tmp/diff_new_pack.yFnCuM/_new 2015-01-22 21:48:26.000000000 +0100 @@ -92,8 +92,8 @@ # "Server:" header %define VENDOR SUSE %define platform_string Linux/%VENDOR -%define realver 2.4.10 -Version: 2.4.10 +%define realver 2.4.11 +Version: 2.4.11 Release: 0 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: httpd-%{realver}.tar.bz2 
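Review bot: the "remove obsolete patches" entry in the apache2.changes hunk names the four dropped files but not the tracking bugs that the deleted spec comments for Patch112, Patch113 and Patch114 carried (bnc#899836, bnc#909715, bnc#871310); with those comment lines gone in the same commit, the .changes entry is the only place left to record which tracked bugs 2.4.11 closes. Suggest listing them beside the file names, e.g. `* httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch (bnc#909715, fixed upstream)`. Each dropped patch does have a matching item in the 2.4.11 text quoted in the same hunk (CVE-2014-3581 for the empty Content-Type crash that httpd-2.4.10-check_null_pointer_dereference.patch addressed, CVE-2014-8109, CVE-2013-5704, and "event: Fix worker-listener deadlock in graceful restart. PR 56960." for httpd-event-deadlock.patch), so the removal itself is sound.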
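Review bot: the @@ -92,8 +92,8 @@ hunk bumps realver/Version to 2.4.11 and the New: list shows httpd-2.4.11.tar.bz2 arriving on its own, with no detached signature beside it; the commented-out Source0 URL points at www.apache.org/dist, where httpd tarballs are published together with an .asc signature and the project KEYS file. Consider adding the .asc as a second Source so the tarball's origin is verified when the package is built instead of trusting the checked-in copy, and noting in the .changes entry where the tarball was fetched from.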
@@ -157,19 +157,12 @@ Patch68: httpd-2.x.x-logresolve.patch Patch69: httpd-2.2.x-bnc690734.patch Patch70: apache2-implicit-pointer-decl.patch -Patch71: httpd-event-deadlock.patch # PATCH-FEATURE-UPSTREAM apache2-mod_ssl_npn.patch dims...@opensuse.org -- Add npn support to mod_ssl (needed for spdy) #Patch108: apache2-mod_ssl_npn.patch #Provides: apache2(mod_ssl+npn) # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodrig...@opensuse.org simple module provides systemd integration. Patch109: httpd-2.4.3-mod_systemd.patch Patch111: httpd-visibility.patch -# PATCH-FIX-UPSTREAM bnc#899836 kstreit...@suse.com -- avoid a crash when Content-Type has an empty value -Patch112: httpd-2.4.10-check_null_pointer_dereference.patch -# PATCH-FIX-UPSTREAM bnc#909715 kstreit...@suse.com -- Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments. -Patch113: httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch -# PATCH-FIX-UPSTREAM bnc#871310 kstreit...@suse.com -- Fix the flaw in the way mod_headers handled chunked requests. -Patch114: httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.4 @@ -345,13 +338,9 @@ %patch68 -p1 #%patch69 %patch70 -p1 -%patch71 -p1 #%patch108 -p1 %patch109 -p1 %patch111 -p1 -%patch112 -p1 -%patch113 -p1 -%patch114 -p1 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # install READMEs a=$(basename %{S:22}) ++++++ httpd-2.4.10.tar.bz2 -> httpd-2.4.11.tar.bz2 ++++++ ++++ 35799 lines of diff (skipped) -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
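Review bot: the Patch71/Patch112/Patch113/Patch114 removals in @@ -157,19 +157,12 @@ line up with the %patch71, %patch112, %patch113 and %patch114 lines dropped in @@ -345,13 +338,9 @@, so declarations and %prep stay consistent. One leftover visible in the same context: Patch69 (httpd-2.2.x-bnc690734.patch) is still declared while its %patch69 line stays commented out, i.e. the file ships in the source package but is never applied. If it is obsolete it should go the same way as the four patches removed here; if it is kept on purpose, a comment next to the declaration saying why would spare the next person doing this cleanup the same question.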
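The check a packager does by hand in the commit above, confirming that every patch being dropped corresponds to a fix listed in the new upstream CHANGES, can be scripted. The following is an added example, not code from this commit or from the httpd project: it parses entries in the layout of httpd's CHANGES file ("*) SECURITY: CVE-... (cve.mitre.org)" blocks followed by a description), pulls CVE ids out of patch filenames, reports which patches are justified by a SECURITY entry, and for the rest offers keyword hints so the human knows which entries to read. The CHANGES excerpt and the patch list are constructed from the text of the commit (abridged); the function names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the layout of httpd's CHANGES file, abridged from the
# 2.4.11 entries quoted in the commit above; it is not read from the real file.
SAMPLE_CHANGES = """\
  *) SECURITY: CVE-2014-3583 (cve.mitre.org)
     mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with
     response headers' size above 8K. [Yann Ylavic, Jeff Trawick]

  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
     mod_cache: Avoid a crash when Content-Type has an empty value.
     PR 56924. [Mark Montague <mark catseye.org>, Jan Kaluza]

  *) SECURITY: CVE-2014-8109 (cve.mitre.org)
     mod_lua: Fix handling of the Require line when a LuaAuthzProvider is
     used in multiple Require directives with different arguments.
     PR57204 [Edward Lu <Chaosed0 gmail.com>]

  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
     core: HTTP trailers could be used to replace HTTP headers
     late during request processing. Adds "MergeTrailers" directive to
     restore legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]

  *) mod_ssl: New directive SSLSessionTickets (On|Off).
     The directive controls the use of TLS session tickets (RFC 5077),
     default value is "On" (unchanged behavior). [Rainer Jung]

  *) event: Fix worker-listener deadlock in graceful restart.
     PR 56960.
"""

# Patch files the commit above drops as obsolete (constructed list).
SAMPLE_PATCHES = [
    "httpd-2.4.10-check_null_pointer_dereference.patch",
    "httpd-event-deadlock.patch",
    "httpd-2.4.x-bnc871310-CVE-2013-5704-mod_headers_chunked_requests.patch",
    "httpd-2.4.x-bnc909715-CVE-2014-8109-mod_lua_handling_of_Require_line.patch",
]

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
ENTRY_RE = re.compile(r"^\s*\*\)\s", re.M)   # start of a "*)" CHANGES entry
NOISE_TOKENS = {"httpd", "patch"}            # filename words that never help matching


@dataclass
class ChangeEntry:
    security: bool   # entry is marked "SECURITY:"
    cves: list       # CVE ids mentioned in the entry
    text: str        # entry body collapsed to one line


def parse_changes(text):
    """Split a CHANGES excerpt into its '*)' entries and collect CVE ids."""
    entries = []
    for body in ENTRY_RE.split(text)[1:]:        # [0] is text before the first entry
        flat = " ".join(line.strip() for line in body.strip().splitlines())
        entries.append(ChangeEntry(
            security=flat.startswith("SECURITY:"),
            cves=sorted(set(CVE_RE.findall(flat))),
            text=flat,
        ))
    return entries


def fixed_cves(entries):
    """CVE ids the release explicitly lists under SECURITY entries."""
    return {c for e in entries if e.security for c in e.cves}


def reconcile(patches, entries):
    """Return (covered, unmatched).

    covered  : patch -> CVE ids, for patches whose CVE ids all appear in a
               SECURITY entry; dropping these is justified by CHANGES alone.
    unmatched: patches with no CVE in the filename, or with a CVE the
               release does not list; these still need a manual check."""
    fixed = fixed_cves(entries)
    covered, unmatched = {}, []
    for p in patches:
        ids = CVE_RE.findall(p)
        if ids and all(i in fixed for i in ids):
            covered[p] = ids
        else:
            unmatched.append(p)
    return covered, unmatched


def suggest_matches(patch, entries):
    """Heuristic for unmatched patches: entries whose text contains a
    meaningful word from the patch filename (e.g. 'deadlock')."""
    tokens = [t for t in re.split(r"[-_.]", patch.lower())
              if len(t) >= 5 and not t.isdigit() and t not in NOISE_TOKENS]
    return [e for e in entries if any(t in e.text.lower() for t in tokens)]


if __name__ == "__main__":
    entries = parse_changes(SAMPLE_CHANGES)
    covered, unmatched = reconcile(SAMPLE_PATCHES, entries)
    for p, ids in covered.items():
        print("covered  ", p, ids)
    for p in unmatched:
        hints = suggest_matches(p, entries)
        print("CHECK    ", p, "->",
              [h.text[:60] for h in hints] or "no hint, read CHANGES by hand")
```

Run against the constructed input, the two CVE-named patches come out as covered, httpd-event-deadlock.patch gets the "worker-listener deadlock" entry as its hint, and the NULL-dereference patch gets no hint at all because its filename shares no word with the CVE-2014-3581 text; that last case is exactly where a filename-only check is not enough and the bnc#/PR reference has to be followed by hand.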