Package Release Info

apache2-event-2.4.58-150600.5.3.1

Update Info: SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-1963
Available in Package Hub : 15 SP5 Subpackages Updates

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

apache2-event

Change Logs

* Tue May 28 2024 pgajdos@suse.com
- security update
- added patches
  fix CVE-2023-38709 [bsc#1222330], HTTP response splitting
  + apache2-CVE-2023-38709.patch
  fix CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
  + apache2-CVE-2024-24795.patch
  fix CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + apache2-CVE-2024-27316.patch
* Thu Mar 28 2024 david.anes@suse.com
- Add patches to improve FIPS compatibility (bsc#1220681):
  * apache2-fips-compatibility-01.patch
  * apache2-fips-compatibility-02.patch
  * apache2-fips-compatibility-03.patch
* Fri Mar 22 2024 eugenio.paolantonio@suse.com
- SLE-only: forward-port compatibility symlinks (e.g. httpd2-prefork,
  apache2ctl, htpasswd2) change, including the relative
  manpages (bsc#1221880)
* Mon Mar 18 2024 eugenio.paolantonio@suse.com
- SLE-only: forward-port gensslcert change to generate dhparams certificate
  using a valid FIPS method (bsc#1198913)
* Tue Feb 20 2024 dimstar@opensuse.org
- Use %autosetup macro. Allows to eliminate the usage of deprecated
  %patchN.
* Mon Jan 29 2024 dmueller@suse.com
- use grep -E for egrep
* Thu Oct 19 2023 david.anes@suse.com
- Update to 2.4.58:
  * ) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
    memory not reclaimed right away on RST (cve.mitre.org)
    When a HTTP/2 stream was reset (RST frame) by a client, there
    was a time window were the request's memory resources were not
    reclaimed immediately. Instead, de-allocation was deferred to
    connection close. A client could send new requests and resets,
    keeping the connection busy and open and causing the memory
    footprint to keep on growing. On connection close, all resources
    were reclaimed, but the process might run out of memory before
    that.
    This was found by the reporter during testing of CVE-2023-44487
    (HTTP/2 Rapid Reset Exploit) with their own test client. During
    "normal" HTTP/2 use, the probability to hit this bug is very
    low. The kept memory would not become noticeable before the
    connection closes or times out.
    Users are recommended to upgrade to version 2.4.58, which fixes
    the issue.
    Credits: Will Dormann of Vul Labs
  * ) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
    initial windows size 0 (cve.mitre.org)
    An attacker, opening a HTTP/2 connection with an initial window
    size of 0, was able to block handling of that connection
    indefinitely in Apache HTTP Server. This could be used to
    exhaust worker resources in the server, similar to the well
    known "slow loris" attack pattern.
    This has been fixed in version 2.4.58, so that such connection
    are terminated properly after the configured connection timeout.
    This issue affects Apache HTTP Server: from 2.4.55 through
    2.4.57.
    Users are recommended to upgrade to version 2.4.58, which fixes
    the issue.
    Credits: Prof. Sven Dietrich (City University of New York)
  * ) SECURITY: CVE-2023-31122: mod_macro buffer over-read
    (cve.mitre.org)
    Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
    Server.This issue affects Apache HTTP Server: through 2.4.57.
    Credits: David Shoon (github/davidshoon)
  * ) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
    SSL routines::unexpected eof while reading" when using
    OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
    available. [Rainer Jung]
  * ) mod_http2: improved early cleanup of streams.
    [Stefan Eissing]
  * ) mod_proxy_http2: improved error handling on connection errors while
    response is already underway.
    [Stefan Eissing]
  * ) mod_http2: fixed a bug that could lead to a crash in main connection
    output handling. This occured only when the last request on a HTTP/2
    connection had been processed and the session decided to shut down.
    This could lead to an attempt to send a final GOAWAY while the previous
    write was still in progress. See PR 66646.
    [Stefan Eissing]
  * ) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
    Fixes PR66752.
    [Stefan Eissing]
  * ) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
    described in RFC 8441. A new directive 'H2WebSockets on|off' has been
    added. The feature is by default not enabled.
    As also discussed in the manual, this feature should work for setups
    using "ProxyPass backend-url upgrade=websocket" without further changes.
    Special server modules for WebSockets will have to be adapted,
    most likely, as the handling if IO events is different with HTTP/2.
    HTTP/2 WebSockets are supported on platforms with native pipes. This
    excludes Windows.
    [Stefan Eissing]
  * ) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
    in OCSP stapling. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]
  * ) mod_http2: fixed a bug in flushing pending data on an already closed
    connection that could lead to a busy loop, preventing the HTTP/2 session
    to close down successfully. Fixed PR 66624.
    [Stefan Eissing]
  * ) mod_http2: v2.0.15 with the following fixes and improvements
  - New directive 'H2EarlyHint name value' to add headers to a response,
    picked up already when a "103 Early Hints" response is sent. 'name' and
    'value' must comply to the HTTP field restrictions.
    This directive can be repeated several times and header fields of the
    same names add. Sending a 'Link' header with 'preload' relation will
    also cause a HTTP/2 PUSH if enabled and supported by the client.
  - Fixed an issue where requests were not logged and accounted in a timely
    fashion when the connection returns to "keepalive" handling, e.g. when
    the request served was the last outstanding one.
    This led to late appearance in access logs with wrong duration times
    reported.
  - Accurately report the bytes sent for a request in the '%O' Log format.
    This addresses #203, a long outstanding issue where mod_h2 has reported
    numbers over-eagerly from internal buffering and not what has actually
    been placed on the connection.
    The numbers are now the same with and without H2CopyFiles enabled.
    [Stefan Eissing]
  * ) mod_proxy_http2: fix retry handling to not leak temporary errors.
    On detecting that that an existing connection was shutdown by the other
    side, a 503 response leaked even though the request was retried on a
    fresh connection.
    [Stefan Eissing]
  * ) mod_rewrite: Add server directory to include path as mod_rewrite requires
    test_char.h. PR 66571 [Valeria Petrov <valeria.petrov@spinetix.com>]
  * ) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
    of HTTP/2 requests in a forward proxy configuration.
    General forward proxying is enabled via `ProxyRequests`. If the
    HTTP/2 protocol is also enabled for such a server/host, this new
    directive is needed in addition.
    [Stefan Eissing]
  * ) core: Updated conf/mime.types:
  - .js moved from 'application/javascript' to 'text/javascript'
  - .mjs was added as 'text/javascript'
  - add .opus ('audio/ogg')
  - add 'application/vnd.geogebra.slides'
  - add WebAssembly MIME types and extension
    [Mathias Bynens <@mathiasbynens> via PR 318,
    Richard de Boer <richard tubul.net>, Dave Hodder <dmh dmh.org.uk>,
    Zbynek Konecny <zbynek1729 gmail.com>]
  * ) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
    connection when sending data on the frontend one. This caused crashes
    or infinite loops in rare situations.
  * ) mod_proxy_http2: fixed a bug in retry/response handling that could lead
    to wrong status codes or HTTP messages send at the end of response bodies
    exceeding the announced content-length.
  * ) mod_proxy_http2: fix retry handling to not leak temporary errors.
    On detecting that that an existing connection was shutdown by the other
    side, a 503 response leaked even though the request was retried on a
    fresh connection.
  * ) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
    the wrong order when a bucket_beam was destroyed.
    [Stefan Eissing]
  * ) mod_http2: avoid double chunked-encoding on internal redirects.
    PR 66597 [Yann Ylavic, Stefan Eissing]
  * ) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
    HTTP/2 requests twice. Fixes PR 66801.
    [Stefan Eissing]
  * ) mod_ssl: Fix handling of Certificate Revoked messages
    in OCSP stapling. PR 66626. [<gmoniker gmail.com>]
  * ) mod_http2: fixed a bug in handling of stream timeouts.
    [Stefan Eissing]
  * ) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
    Checking in configure for proper version installed. Code
    fixes for changed clienthello member name.
    [Stefan Eissing]
  * ) mod_md:
  - New directive `MDMatchNames all|servernames` to allow more control over how
    MDomains are matched to VirtualHosts.
  - New directive `MDChallengeDns01Version`. Setting this to `2` will provide
    the command also with the challenge value on `teardown` invocation. In version
    1, the default, only the `setup` invocation gets this parameter.
    Refs #312. Thanks to @domrim for the idea.
  - For Managed Domain in "manual" mode, the checks if all used ServerName and
    ServerAlias are part of the MDomain now reports a warning instead of an error
    (AH10040) when not all names are present.
  - MDChallengeDns01 can now be configured for individual domains.
    Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
  - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
    teardown not being invoked as it should.
  * ) mod_ldap: Avoid performance overhead of APR-util rebind cache for
    OpenLDAP 2.2+.  PR 64414.  [Joe Orton]
  * ) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
    amount of response body bytes put into a single HTTP/2 DATA frame.
    Setting this to 0 places no limit (but the max size allowed by the
    protocol is observed).
    The module, by default, tries to use the maximum size possible, which is
    somewhat around 16KB. This sets the maximum. When less response data is
    available, smaller frames will be sent.
  * ) mod_md: fixed passing of the server environment variables to programs
    started via MDMessageCmd and MDChallengeDns01 on *nix system.
    See <https://github.com/icing/mod_md/issues/319>.
    [Stefan Eissing]
  * ) mod_dav: Add DavBasePath directive to configure the repository root
    path.  PR 35077.  [Joe Orton]
  * ) mod_alias: Add AliasPreservePath directive to map the full
    path after the alias in a location. [Graham Leggett]
  * ) mod_alias: Add RedirectRelative to allow relative redirect targets to be
    issued as-is. [Eric Covener, Graham Leggett]
  * ) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
    sure that if the format is configured early enough it applies to every log
    line.  PR 62161.  [Yann Ylavic]
  * ) mod_deflate: Add DeflateAlterETag to control how the ETag
    is modified. The 'NoChange' parameter mimics 2.2.x behavior.
    PR 45023, PR 39727. [Eric Covener]
  * ) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]
  * ) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
    Resolve inconsistency between the previous two occurrences by
    counting workers in state SERVER_GRACEFUL no longer as busy,
    but instead in a new counter "GracefulWorkers" (or on HTML
    view as "workers gracefully restarting"). Also add the graceful
    counter as a new column to the existing HTML per process table
    for async MPMs. PR 63300. [Rainer Jung]
* Sat Aug 05 2023 opensuse@dstoecker.de
- Enable building of mod_md
* Fri Apr 07 2023 suse+build@de-korte.org
- Update to 2.4.57:
  * ) mod_proxy: Check before forwarding that a nocanon path has not been
    rewritten with spaces during processing.  [Yann Ylavic]
  * ) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
    double encode encoded slashes in the URL sent by the reverse proxy to the
    backend. [Ruediger Pluem]
  * ) mod_http2: fixed a crash during connection termination. See PR 66539.
    [Stefan Eissing]
  * ) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
    in a question mark. PR66547. [Eric Covener]
  * ) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
    characters on redirections without the "NE" flag.
    [Yann Ylavic, Eric Covener]
  * ) mod_proxy: Fix double encoding of the uri-path of the request forwarded
    to the origin server, when using mapping=encoded|servlet.  [Yann Ylavic]
  * ) mod_mime: Do not match the extention against possible query string
    parameters in case ProxyPass was used with the nocanon option.
    [Ruediger Pluem]
* Wed Mar 08 2023 david.anes@suse.com
- This update fixes the following security issues:
  * CVE-2023-27522 [bsc#1209049]: mod_proxy_uwsgi HTTP response splitting
  * CVE-2023-25690 [bsc#1209047]: HTTP request splitting with mod_rewrite and mod_proxy
- Update to 2.4.56:
  * ) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
    truncated without the initial logfile being truncated.  [Eric Covener]
  * ) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
    allow connections of any age to be reused. Up to now, a negative value
    was handled as an error when parsing the configuration file.  PR 66421.
    [nailyk <bzapache nailyk.fr>, Christophe Jaillet]
  * ) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
    of headers. [Ruediger Pluem]
  * ) mod_md:
  - Enabling ED25519 support and certificate transparency information when
    building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
  - MDChallengeDns01 can now be configured for individual domains.
    Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
  - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
    teardown not being invoked as it should.
    [Stefan Eissing]
  * ) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
    reported in access logs and error documents. The processing of the
    reset was correct, only unneccesary reporting was caused.
    [Stefan Eissing]
  * ) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
    [Yann Ylavic]
* Wed Jan 18 2023 david.anes@suse.com
- This update fixes the following security issues:
  * CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
  * CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
  * CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
- Update to 2.4.55:
  * ) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
    2.4.55 allows a backend to trigger HTTP response splitting
    (cve.mitre.org)
    Prior to Apache HTTP Server 2.4.55, a malicious backend can
    cause the response headers to be truncated early, resulting in
    some headers being incorporated into the response body. If the
    later headers have any security purpose, they will not be
    interpreted by the client.
    Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
  * ) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
    Possible request smuggling (cve.mitre.org)
    Inconsistent Interpretation of HTTP Requests ('HTTP Request
    Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
    allows an attacker to smuggle requests to the AJP server it
    forwards requests to.  This issue affects Apache HTTP Server
    Apache HTTP Server 2.4 version 2.4.54 and prior versions.
    Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
    at Qi'anxin Group
  * ) SECURITY: CVE-2006-20001: mod_dav out of  bounds read, or write
    of zero byte (cve.mitre.org)
    A carefully crafted If: request header can cause a memory read,
    or write of a single zero byte, in a pool (heap) memory location
    beyond the header value sent. This could cause the process to
    crash.
    This issue affects Apache HTTP Server 2.4.54 and earlier.
  * ) mod_dav: Open the lock database read-only when possible.
    PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
  * ) mod_proxy_http2: apply the standard httpd content type handling
    to responses from the backend, as other proxy modules do. Fixes PR 66391.
    Thanks to Jérôme Billiras for providing the patch.
    [Stefan Eissing]
  * ) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
    [Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
    <alejandro.alvarez.ayllon cern.ch>]
  * ) mod_proxy_hcheck: Honor worker timeout settings.  [Yann Ylavic]
  * ) mod_http2: version 2.0.10 of the module, synchronizing changes
    with the gitgub version. This is a partial rewrite of how connections
    and streams are handled.
  - an APR pollset and pipes (where supported) are used to monitor
    the main connection and react to IO for request/response handling.
    This replaces the stuttered timed waits of earlier versions.
  - H2SerializeHeaders directive still exists, but has no longer an effect.
  - Clients that seemingly misbehave still get less resources allocated,
    but ongoing requests are no longer disrupted.
  - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
    were overwritten instead of preserved. [PR by @daum3ns]
  - A regression in v1.15.24 was fixed that could lead to httpd child
    processes not being terminated on a graceful reload or when reaching
    MaxConnectionsPerChild. When unprocessed h2 requests were queued at
    the time, these could stall. See #212.
  - Improved information displayed in 'server-status' for H2 connections when
    Extended Status is enabled. Now one can see the last request that IO
    operations happened on and transferred IO stats are updated as well.
  - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
    send a GOAWAY frame much too early on new connections, leading to invalid
    protocol state and a client failing the request. See PR65731 at
    <https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
    The module now initializes the HTTP/2 protocol correctly and allows the
    client to submit one request before the shutdown via a GOAWAY frame
    is being announced.
  - :scheme pseudo-header values, not matching the
    connection scheme, are forwarded via absolute uris to the
    http protocol processing to preserve semantics of the request.
    Checks on combinations of pseudo-headers values/absence
    have been added as described in RFC 7540. Fixes #230.
  - A bug that prevented trailers (e.g. HEADER frame at the end) to be
    generated in certain cases was fixed. See #233 where it prevented
    gRPC responses to be properly generated.
  - Request and response header values are automatically stripped of leading
    and trialing space/tab characters. This is equivalent behaviour to what
    Apache httpd's http/1.1 parser does.
    The checks for this in nghttp2 v1.50.0+ are disabled.
  - Extensive testing in production done by Alessandro Bianchi (@alexskynet)
    on the v2.0.x versions for stability. Many thanks!
  * ) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
    request ':authority' is known. Improved test case that did not catch that
    the previous 'fix' was incorrect.
  * ) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
    using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
  * ) mod_proxy: The AH03408 warning for a forcibly closed backend
    connection is now logged at INFO level.  [Yann Ylavic]
  * ) mod_ssl: When dumping the configuration, the existence of
    certificate/key files is no longer tested.  [Joe Orton]
  * ) mod_authn_core: Add expression support to AuthName and AuthType.
    [Graham Leggett]
  * ) mod_ssl: when a proxy connection had handled a request using SSL, an
    error was logged when "SSLProxyEngine" was only configured in the
    location/proxy section and not the overall server. The connection
    continued to work, the error log was in error. Fixed PR66190.
    [Stefan Eissing]
  * ) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
    [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
  * ) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
    [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
  * ) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
  * ) mod_md: a new directive `MDStoreLocks` can be used on cluster
    setups with a shared file system for `MDStoreDir` to order
    activation of renewed certificates when several cluster nodes are
    restarted at the same time. Store locks are not enabled by default.
    Restored curl_easy cleanup behaviour from v2.4.14 and refactored
    the use of curl_multi for OCSP requests to work with that.
    Fixes <https://github.com/icing/mod_md/issues/293>.
  * ) core: Avoid an overflow on large inputs in ap_is_matchexp.  PR 66033
    [Ruediger Pluem]
  * ) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
    storage instead of slotmem. Needed after setting
    HeartbeatMaxServers default to the documented value 10 in 2.4.54.
    PR 66131.  [Jérôme Billiras]
  * ) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
    This is a game changer for performances if client use PROPFIND a lot,
    PR 66313. [Emmanuel Dreyfus]
* Mon Dec 12 2022 dmueller@suse.com
- switch to pkgconfig(zlib) so that alternative providers can be
  used
* Fri Sep 23 2022 coolo@suse.com
- The 2.4.54 release brought support for PCRE2, but for that we also
  need to change buildrequires to pcre2-devel
* Tue Sep 20 2022 david.anes@suse.com
- Remove references to README.QUICKSTART and point them to
  https://en.opensuse.org/SDB:Apache_installation (bsc#1203573)
* Thu Sep 01 2022 schubi@suse.com
- Migration to /usr/etc: Saving user changed configuration files
  in /etc and restoring them while an RPM update.
* Tue Jun 28 2022 schubi@intern
- Moved logrotate files from user specific directory /etc/logrotate.d
  to vendor specific directory /usr/etc/logrotate.d.
* Wed Jun 08 2022 pgajdos@suse.com
- update httpd-framework to svn revision 1898917
* Wed Jun 08 2022 pgajdos@suse.com
- version update to 2.4.54
  Changes with Apache 2.4.54
  * ) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
    hop-by-hop mechanism (cve.mitre.org)
    Apache HTTP Server 2.4.53 and earlier may not send the
    X-Forwarded-* headers to the origin server based on client side
    Connection header hop-by-hop mechanism.
    This may be used to bypass IP based authentication on the origin
    server/application.
    Credits: The Apache HTTP Server project would like to thank
    Gaetan Ferry (Synacktiv) for reporting this issue
  * ) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
    websockets (cve.mitre.org)
    Apache HTTP Server 2.4.53 and earlier may return lengths to
    applications calling r:wsread() that point past the end of the
    storage allocated for the buffer.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-30522: mod_sed denial of service
    (cve.mitre.org)
    If Apache HTTP Server 2.4.53 is configured to do transformations
    with mod_sed in contexts where the input to mod_sed may be very
    large, mod_sed may make excessively large memory allocations and
    trigger an abort.
    Credits: This issue was found by Brian Moussalli from the JFrog
    Security Research team
  * ) SECURITY: CVE-2022-29404: Denial of service in mod_lua
    r:parsebody (cve.mitre.org)
    In Apache HTTP Server 2.4.53 and earlier, a malicious request to
    a lua script that calls r:parsebody(0) may cause a denial of
    service due to no default limit on possible input size.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-28615: Read beyond bounds in
    ap_strcmp_match() (cve.mitre.org)
    Apache HTTP Server 2.4.53 and earlier may crash or disclose
    information due to a read beyond bounds in ap_strcmp_match()
    when provided with an extremely large input buffer.  While no
    code distributed with the server can be coerced into such a
    call, third-party modules or lua scripts that use
    ap_strcmp_match() may hypothetically be affected.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
    (cve.mitre.org)
    The ap_rwrite() function in Apache HTTP Server 2.4.53 and
    earlier may read unintended memory if an attacker can cause the
    server to reflect very large input using ap_rwrite() or
    ap_rputs(), such as with mod_luas r:puts() function.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
    (cve.mitre.org)
    Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
    bounds when configured to process requests with the mod_isapi
    module.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
    smuggling (cve.mitre.org)
    Inconsistent Interpretation of HTTP Requests ('HTTP Request
    Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
    allows an attacker to smuggle requests to the AJP server it
    forwards requests to.  This issue affects Apache HTTP Server
    Apache HTTP Server 2.4 version 2.4.53 and prior versions.
    Credits: Ricter Z @ 360 Noah Lab
  * ) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.  PR 66063.
    [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
  * ) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
    PR 65666.  [Yann Ylavic]
  * ) mod_md:  a bug was fixed that caused very large MDomains
    with the combined DNS names exceeding ~7k to fail, as
    request bodies would contain partially wrong data from
    uninitialized memory. This would have appeared as failure
    in signing-up/renewing such configurations.
    [Stefan Eissing, Ronald Crane (Zippenhop LLC)]
  * ) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
    PR 65666.  [Yann Ylavic]
  * ) MPM event: Restart children processes killed before idle maintenance.
    PR 65769.  [Yann Ylavic, Ruediger Pluem]
  * ) ab: Allow for TLSv1.3 when the SSL library supports it.
    [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]
  * ) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
    transmission delays.  PR 66019.  [Yann Ylavic]
  * ) MPM event: Fix accounting of active/total processes on ungraceful restart,
    PR 66004 (follow up to PR 65626 from 2.4.52).  [Yann Ylavic]
  * ) core: make ap_escape_quotes() work correctly on strings
    with more than MAX_INT/2 characters, counting quotes double.
    Credit to <generalbugs@zippenhop.com> for finding this.
    [Stefan Eissing]
  * ) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
    an ACME CA. This gives a failover for renewals when several consecutive attempts
    to get a certificate failed.
    A new directive was added: `MDRetryDelay` sets the delay of retries.
    A new directive was added: `MDRetryFailover` sets the number of errored
    attempts before an alternate CA is selected for certificate renewals.
    [Stefan Eissing]
  * ) mod_http2: remove unused and insecure code. Fixes PR66037.
    Thanks to Ronald Crane (Zippenhop LLC) for reporting this.
    [Stefan Eissing]
  * ) mod_proxy: Add backend port to log messages to
    ease identification of involved service.  [Rainer Jung]
  * ) mod_http2: removing unscheduling of ongoing tasks when
    connection shows potential abuse by a client. This proved
    counter-productive and the abuse detection can false flag
    requests using server-side-events.
    Fixes <https://github.com/icing/mod_h2/issues/231>.
    [Stefan Eissing]
  * ) mod_md: Implement full auto status ("key: value" type status output).
    Especially not only status summary counts for certificates and
    OCSP stapling but also lists. Auto status format is similar to
    what was used for mod_proxy_balancer.
    [Rainer Jung]
  * ) mod_md: fixed a bug leading to failed transfers for OCSP
    stapling information when more than 6 certificates needed
    updates in the same run.  [Stefan Eissing]
  * ) mod_proxy: Set a status code of 502 in case the backend just closed the
    connection in reply to our forwarded request.  [Ruediger Pluem]
  * ) mod_md: a possible NULL pointer deref was fixed in
    the JSON code for persisting time periods (start+end).
    Fixes #282 on mod_md's github.
    Thanks to @marcstern for finding this.  [Stefan Eissing]
  * ) mod_heartmonitor: Set the documented default value
    "10" for HeartbeatMaxServers instead of "0". With "0"
    no shared memory slotmem was initialized.  [Rainer Jung]
  * ) mod_md: added support for managing certificates via a
    local tailscale daemon for users of that secure networking.
    This gives trusted certificates for tailscale assigned
    domain names in the *.ts.net space.
    [Stefan Eissing]
- modified patches
  % apache-test-application-xml-type.patch (refreshed)
  % apache-test-turn-off-variables-in-ssl-var-lookup.patch (refreshed)
  % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed)
* Mon Mar 14 2022 pgajdos@suse.com
- httpd-framework updated to svn1898917
- deleted patches
  - apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
  - apache2-perl-io-socket.patch (upstreamed)
* Mon Mar 14 2022 pgajdos@suse.com
- httpd-framework updated to svn1898917
- deleted patches
  - apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
  - apache2-perl-io-socket.patch (upstreamed)
Version: 2.4.58-150600.5.18.1
* Wed Jul 17 2024 martin.schreiner@suse.com
- Security fix:
  - CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2
  * Added apache2-CVE-2024-36387.patch
Version: 2.4.58-150600.5.11.1
* Mon Jul 08 2024 david.anes@suse.com
- Security fix:
  - CVE-2024-39573, bsc#1227271: potential SSRF in mod_rewrite
  * Added apache2-CVE-2024-39573.patch
  - CVE-2024-38477, bsc#1227270: null pointer dereference in mod_proxy
  * Added apache2-CVE-2024-38477.patch
  - CVE-2024-38475, bsc#1227268: Improper escaping of output in mod_rewrite
  * Added apache2-CVE-2024-38475-1.patch
  * Added apache2-CVE-2024-38475-2.patch
  * Added apache2-CVE-2024-38475-3.patch
  - CVE-2024-38476, bsc#1227269: Server may use exploitable/malicious
  backend application output to run local handlers via internal
  redirect
  * Added apache2-CVE-2024-38476-1.patch
  * Added apache2-CVE-2024-38476-2.patch
  * Added apache2-CVE-2024-38476-3.patch
  * Added apache2-CVE-2024-38476-4.patch
  * Added apache2-CVE-2024-38476-5.patch
  * Added apache2-CVE-2024-38476-6.patch
  * Added apache2-CVE-2024-38476-7.patch
  * Added apache2-CVE-2024-38476-8.patch
  * Added apache2-CVE-2024-38476-9.patch
  * Added apache2-CVE-2024-38476-10.patch
  * Added apache2-CVE-2024-38476-11.patch