Package Release Info

apache2-2.4.51-3.37.1

Update Info: SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-91
Available in Package Hub : 15 SP3 Subpackages Updates

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

apache2-event

Change Logs

* Wed Dec 22 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-44224 [bsc#1193943], NULL dereference or SSRF in forward proxy configurations
  + apache2-CVE-2021-44224.patch
  fix CVE-2021-44790 [bsc#1193942], buffer overflow when parsing multipart content in mod_lua
  + apache2-CVE-2021-44790.patch
* Thu Nov 18 2021 pgajdos@suse.com
- version update to 2.4.51: fixes also
  CVE-2020-11984 [bsc#1175074] -- mod_proxy_uwsgi info disclosure and possible RCE
  CVE-2020-13950 [bsc#1187040] -- mod_proxy NULL pointer dereference
  CVE-2020-35452 [bsc#1186922] -- Single zero byte stack overflow in mod_auth_digest
  CVE-2021-26690 [bsc#1186923] -- mod_session NULL pointer dereference in parser
  CVE-2021-26691 [bsc#1187017] -- Heap overflow in mod_session
  CVE-2021-30641 [bsc#1187174] -- MergeSlashes regression
  CVE-2021-31618 [bsc#1186924] -- NULL pointer dereference on specially crafted HTTP/2 request
  CVE-2021-33193 [bsc#1189387] -- Request splitting via HTTP/2 method injection and mod_proxy
  CVE-2021-34798 [bsc#1190669] -- NULL pointer dereference via malformed requests
  CVE-2021-36160 [bsc#1190702] -- out-of-bounds read via a crafted request uri-path
  CVE-2021-39275 [bsc#1190666] -- out-of-bounds write in ap_escape_quotes() via malicious input
  CVE-2021-40438 [bsc#1190703] -- SSRF via a crafted request uri-path
  CVE-2020-11993 [bsc#1175070] -- when trace/debug was enabled for the HTTP/2 module, logging statements were made on the wrong connection
  CVE-2020-9490 [bsc#1175071] -- specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash
- modified patches
  % httpd-2.4.x-fate317766-config-control-two-protocol-options.diff (refreshed)
- deleted patches
  - apache2-CVE-2020-11984.patch (upstreamed)
  - apache2-CVE-2020-13950.patch (upstreamed)
  - apache2-CVE-2020-35452.patch (upstreamed)
  - apache2-CVE-2021-26690.patch (upstreamed)
  - apache2-CVE-2021-26691.patch (upstreamed)
  - apache2-CVE-2021-30641.patch (upstreamed)
  - apache2-CVE-2021-31618.patch (upstreamed)
  - apache2-CVE-2021-33193.patch (upstreamed)
  - apache2-CVE-2021-34798.patch (upstreamed)
  - apache2-CVE-2021-36160.patch (upstreamed)
  - apache2-CVE-2021-39275.patch (upstreamed)
  - apache2-CVE-2021-40438.patch (upstreamed)
  - apache2-mod_http2-1.15.14.patch (upstreamed)
  - apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
Version: 2.4.43-3.22.1
* Fri Jun 11 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-30641 [bsc#1187174], MergeSlashes regression
  + apache2-CVE-2021-30641.patch
* Wed Jun 09 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-31618 [bsc#1186924], NULL pointer dereference on specially crafted HTTP/2 request
  + apache2-CVE-2021-31618.patch
* Wed Jun 09 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2020-13950 [bsc#1187040], mod_proxy NULL pointer dereference
  + apache2-CVE-2020-13950.patch
* Tue Jun 08 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2020-35452 [bsc#1186922], Single zero byte stack overflow in mod_auth_digest
  + apache2-CVE-2020-35452.patch
  fix CVE-2021-26690 [bsc#1186923], mod_session NULL pointer dereference in parser
  + apache2-CVE-2021-26690.patch
  fix CVE-2021-26691 [bsc#1187017], Heap overflow in mod_session
  + apache2-CVE-2021-26691.patch
* Tue Jan 12 2021 pgajdos@suse.com
- gensslcert sets CA:TRUE in basic constraints of CA cert [bsc#1180530]
- modified sources
  % gensslcert
* Wed Oct 14 2020 fbui@suse.com
- systemd-ask-password is located in /usr/bin
* Mon Aug 31 2020 jtomasiak@suse.com
- gensslcert: add -a argument to override default SAN value
* Tue Aug 11 2020 pgajdos@suse.com
- security update
- added patches
  fix CVE-2020-11984 [bsc#1175074], mod_proxy_uwsgi info disclosure and possible RCE
  + apache2-CVE-2020-11984.patch
  fix CVE-2020-11993 [bsc#1175070], CVE-2020-9490 [bsc#1175071]
  + apache2-mod_http2-1.15.14.patch
* Wed Jul 15 2020 pgajdos@suse.com
- fix crash in mod_proxy_uwsgi for empty values of environment
  variables [bsc#1174052]
- added patches
  fix https://svn.apache.org/viewvc?view=revision
  + apache2-mod_proxy_uwsgi-fix-crash.patch
* Fri Apr 03 2020 pgajdos@suse.com
- declare ap_sock_disable_nagle to fix loading mod_proxy_http2
  (thanks to mliska@suse.com)
- modified patches
  % httpd-visibility.patch (refreshed)
* Thu Apr 02 2020 pgajdos@suse.com
- version update to 2.4.43
  * ) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
  * ) mod_proxy_http: Fix the forwarding of requests with content body when a
    balancer member is unavailable; the retry on the next member was issued
    with an empty body (regression introduced in 2.4.41). PR63891.
    [Yann Ylavic]
  * ) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
    identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
    [Michael Kaufmann, Stefan Eissing]
  * ) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
    PR64140. [Renier Velazco <renier.velazco upr.edu>]
  * ) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
    PR64172.
  * ) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
    to allow customization of the usertrack cookie. PR64077.
    [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
  * ) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
    AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
  * ) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
    [Eric Covener, Yann Ylavic]
  * ) Add a config layout for OpenWRT. [Graham Leggett]
  * ) Add support for cross compiling to apxs. If apxs is being executed from
    somewhere other than its target location, add that prefix to includes and
    library directories. Without this, apxs would fail to find config_vars.mk
    and exit. [Graham Leggett]
  * ) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
    issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
    [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
  * ) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
    [Graham Leggett]
  * ) mod_ssl: Support use of private keys and certificates from an
    OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
    [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
  * ) mod_md:
  - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
    thanks to Timothe Litt (@tlhackque).
  - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
    check all matching virtual hosts for protocol support. Thanks to @mkauf.
  - Corrected a check when OCSP stapling was configured for hosts
    where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
  - Softening the restrictions where mod_md configuration directives may appear. This should
    allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
    you wanted in the first place, is another matter.
    [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
    Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
  * ) test: Added continuous testing with Travis CI.
    This tests various scenarios on Ubuntu with the full test suite.
    Architectures tested: amd64, s390x, ppc64le, arm64
    The tests pass successfully.
    [Luca Toscano, Joe Orton, Mike Rumph, and others]
  * ) core: Be stricter in parsing of Transfer-Encoding headers.
    [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]
  * ) mod_ssl: negotiate the TLS protocol version per name based vhost
    configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
    SSLProtocol (from the first vhost declared on the IP:port) is now only
    relevant if no SSLProtocol is declared for the vhost or globally,
    otherwise the vhost or global value apply.  [Yann Ylavic]
  * ) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
    output.  PR 64096.  [Joe Orton]
  * ) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
    [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]
  * ) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]
  * ) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
    r:notes_table, r:subprocess_env_table as read-only native table alternatives
    that can be iterated over. [Eric Covener]
  * ) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
    [Yann Ylavic, Stefan Eissing]
  * ) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
    r.headers_out, etc) to remove the key from the table. PR63971.
    [Eric Covener]
  * ) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
    ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
    always `on`, regardless of configuration. Found and reported by
    <Armin.Abfalterer@united-security-providers.ch> and
    <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]
  * ) mod_http2: Multiple field length violations in the same request no longer cause
    several log entries to be written. [@mkauf]
  * ) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
    [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
  * ) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
    [Jim Jagielski]
  * ) mod_authn_socache: Increase the maximum length of strings that can be cached by
    the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]
  * ) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
    [Ruediger Pluem, Eric Covener]
  * ) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
    valid (For example, testing for a file on a flash drive that is not mounted)
    [Christophe Jaillet]
  * ) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
    means 'foo' is "not acceptable".  PR 58158 [Christophe Jaillet]
  * ) mod_md v2.2.3:
  - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
    had been additive before which was not the intended behaviour. [@mkauf]
  - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
    documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
  - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
  - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
    "transfer-encoding" to POST requests. This failed in direct communication with
    Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
  * ) mod_md: Adding several new features.
    The module offers an implementation of OCSP Stapling that can replace fully or
    for a limited set of domains the existing one from mod_ssl. OCSP handling
    is part of mod_md's monitoring and message notifications. It can be used
    for sites that do not have ACME certificates.
    The URL for a CTLog Monitor can be configured. It is used in the server-status
    to link to the external status page of a certificate.
    The MDMessageCmd is called with argument "installed" when a new certificate
    has been activated on server restart/reload. This allows for processing of
    the new certificate, for example to applications that require it in different
    locations or formats.
    [Stefan Eissing]
  * ) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
    protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
- deleted patches
  - apache2-load-private-keys-from-pkcs11.patch (upstreamed)
  - httpd-2.4.3-mod_systemd.patch (upstreamed)
* Wed Feb 26 2020 pgajdos@suse.com
- use r1874196 [SLE-7472] [bsc#1164820c#6]
- modified patches
  % apache2-load-private-keys-from-pkcs11.patch (upstream 2.4.x port)
- deleted patches
  - apache2-load-certificates-from-pkcs11.patch (merged to above)
* Tue Feb 18 2020 pgajdos@suse.com
- require just libbrotli-devel
* Thu Feb 13 2020 pgajdos@suse.com
- build mod_proxy_http2 extension
* Wed Feb 12 2020 pgajdos@suse.com
- fix build for older distributions
* Fri Jan 31 2020 crrodriguez@opensuse.org
- define DEFAULT_LISTENBACKLOG=APR_INT32_MAX. We want apache
  to honour the net.core.somaxconn sysctl as the mandatory limit.
  The old value of 511 was never used, as until v5.4-rc6 it was
  clamped to 128; in current kernels the default limit is 4096.
  Cannot use the apr_socket_listen(.., -1) idiom because the function
  expects a positive integer argument.
* Mon Jan 20 2020 pgajdos@suse.com
- apache2-devel now provides httpd-devel [bsc#1160100]
* Wed Dec 18 2019 pgajdos@suse.com
- add openssl call to DEFAULT_SUSE comment [bsc#1159480]
- modified sources
  % apache2-ssl-global.conf
* Fri Nov 08 2019 pgajdos@suse.com
- use %license [bsc#1156171]
* Tue Oct 22 2019 pgajdos@suse.com
- load private keys and certificates from pkcs11 token [SLE-7653]
- added patches
  load certificates from openssl engine
  + apache2-load-certificates-from-pkcs11.patch
  load private keys from openssl engine
  + apache2-load-private-keys-from-pkcs11.patch
Version: 2.4.43-3.25.1
* Fri Aug 13 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-33193 [bsc#1189387], Request splitting via HTTP/2 method injection and mod_proxy
  + apache2-CVE-2021-33193.patch
Version: 2.4.43-3.32.1
* Wed Sep 22 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-40438 [bsc#1190703], SSRF via a crafted request uri-path
  + apache2-CVE-2021-40438.patch
  fix CVE-2021-36160 [bsc#1190702], out-of-bounds read via a crafted request uri-path
  + apache2-CVE-2021-36160.patch
  fix CVE-2021-39275 [bsc#1190666], out-of-bounds write in ap_escape_quotes() via malicious input
  + apache2-CVE-2021-39275.patch
  fix CVE-2021-34798 [bsc#1190669], NULL pointer dereference via malformed requests
  + apache2-CVE-2021-34798.patch
Version: 2.4.51-150200.3.42.1
* Thu Mar 17 2022 pgajdos@suse.com
- security update
- modified patches
  % apache2-CVE-2022-23943.patch (extended by r1898772 [bsc#1197095c#10])
* Wed Mar 16 2022 david.anes@suse.com
- security update
- added patches
  fix CVE-2022-23943 [bsc#1197098], heap out-of-bounds write in mod_sed
  + apache2-CVE-2022-23943.patch
  fix CVE-2022-22720 [bsc#1197095], HTTP request smuggling due to incorrect error handling
  + apache2-CVE-2022-22720.patch
  fix CVE-2022-22719 [bsc#1197091], use of uninitialized value in r:parsebody in mod_lua
  + apache2-CVE-2022-22719.patch
  fix CVE-2022-22721 [bsc#1197096], possible buffer overflow with very large or unlimited LimitXMLRequestBody
  + apache2-CVE-2022-22721.patch
- apply correctly patches for CVE-2021-44790 [bsc#1193942] and CVE-2021-44224 [bsc#1193943]
Version: 2.4.51-150200.3.45.1
* Fri Jan 08 2021 pgajdos@suse.com
- mod_php8 provides php_module [bsc#1195130]
- modified sources
  % apache2-script-helpers
Version: 2.4.51-150400.6.3.1
* Thu May 05 2022 david.anes@suse.com
- fix gensslcert to generate dhparams certificate using a valid
  FIPS method [bsc#1198913]
* Wed Mar 02 2022 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-44224 [bsc#1193943], NULL dereference or SSRF in forward proxy configurations
  + apache2-CVE-2021-44224.patch
  fix CVE-2021-44790 [bsc#1193942], buffer overflow when parsing multipart content in mod_lua
  + apache2-CVE-2021-44790.patch
* Thu Jan 27 2022 pgajdos@suse.com
- ssl-global.conf: set SSLCipherSuite to PROFILE=SYSTEM instead of
  DEFAULT_SUSE [jsc#SLE-22561]
- set also SSLProxyCipherSuite to PROFILE=SYSTEM
- modified sources
  % apache2-ssl-global.conf
* Mon Nov 08 2021 pgajdos@suse.com
- version update to 2.4.51
  * ) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
    unused AP_NORMALIZE_DROP_PARAMETERS flag.
    [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
* Fri Sep 10 2021 pgajdos@suse.com
- version update to 2.4.50
  * fixes CVE-2020-11984, CVE-2020-13950, CVE-2020-35452,
    CVE-2021-26690, CVE-2021-26691, CVE-2021-30641,
    CVE-2021-31618, CVE-2021-33193, CVE-2021-34798,
    CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
  * see CHANGES for more details
- deleted patches
  - apache2-CVE-2020-11984.patch (upstreamed)
  - apache2-CVE-2020-13950.patch (upstreamed)
  - apache2-CVE-2020-35452.patch (upstreamed)
  - apache2-CVE-2021-26690.patch (upstreamed)
  - apache2-CVE-2021-26691.patch (upstreamed)
  - apache2-CVE-2021-30641.patch (upstreamed)
  - apache2-CVE-2021-31618.patch (upstreamed)
  - apache2-CVE-2021-33193.patch (upstreamed)
  - apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
  - apache2-mod_http2-1.15.14.patch (upstreamed)
Version: 2.4.51-150200.3.48.1
* Fri Jun 10 2022 david.anes@suse.com
- security update
- added patches:
  fix CVE-2022-26377 [bsc#1200338], possible request smuggling in mod_proxy_ajp
  + apache2-CVE-2022-26377.patch
  fix CVE-2022-28614 [bsc#1200340], read beyond bounds via ap_rwrite()
  + apache2-CVE-2022-28614.patch
  fix CVE-2022-28615 [bsc#1200341], read beyond bounds in ap_strcmp_match()
  + apache2-CVE-2022-28615.patch
  fix CVE-2022-29404 [bsc#1200345], denial of service in mod_lua r:parsebody
  + apache2-CVE-2022-29404.patch
  fix CVE-2022-30556 [bsc#1200350], information disclosure in mod_lua with websockets
  + apache2-CVE-2022-30556.patch
  fix CVE-2022-30522 [bsc#1200352], mod_sed denial of service
  + apache2-CVE-2022-30522.patch
  fix CVE-2022-31813 [bsc#1200348], mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
  + apache2-CVE-2022-31813.patch