* Tue May 28 2024 pgajdos@suse.com
- security update
- added patches
fix CVE-2023-38709 [bsc#1222330], HTTP response splitting
+ apache2-CVE-2023-38709.patch
fix CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
+ apache2-CVE-2024-24795.patch
fix CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+ apache2-CVE-2024-27316.patch
* Thu Mar 28 2024 david.anes@suse.com
- Add patches to improve FIPS compatibility (bsc#1220681):
* apache2-fips-compatibility-01.patch
* apache2-fips-compatibility-02.patch
* apache2-fips-compatibility-03.patch
* Fri Mar 22 2024 eugenio.paolantonio@suse.com
- SLE-only: forward-port compatibility symlinks (e.g. httpd2-prefork,
apache2ctl, htpasswd2) change, including the relative
manpages (bsc#1221880)
* Mon Mar 18 2024 eugenio.paolantonio@suse.com
- SLE-only: forward-port gensslcert change to generate dhparams certificate
using a valid FIPS method (bsc#1198913)
* Tue Feb 20 2024 dimstar@opensuse.org
- Use %autosetup macro. Allows to eliminate the usage of deprecated
%patchN.
* Mon Jan 29 2024 dmueller@suse.com
- use grep -E for egrep
* Thu Oct 19 2023 david.anes@suse.com
- Update to 2.4.58:
* ) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
memory not reclaimed right away on RST (cve.mitre.org)
When a HTTP/2 stream was reset (RST frame) by a client, there
was a time window were the request's memory resources were not
reclaimed immediately. Instead, de-allocation was deferred to
connection close. A client could send new requests and resets,
keeping the connection busy and open and causing the memory
footprint to keep on growing. On connection close, all resources
were reclaimed, but the process might run out of memory before
that.
This was found by the reporter during testing of CVE-2023-44487
(HTTP/2 Rapid Reset Exploit) with their own test client. During
"normal" HTTP/2 use, the probability to hit this bug is very
low. The kept memory would not become noticeable before the
connection closes or times out.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Will Dormann of Vul Labs
* ) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
initial windows size 0 (cve.mitre.org)
An attacker, opening a HTTP/2 connection with an initial window
size of 0, was able to block handling of that connection
indefinitely in Apache HTTP Server. This could be used to
exhaust worker resources in the server, similar to the well
known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connection
are terminated properly after the configured connection timeout.
This issue affects Apache HTTP Server: from 2.4.55 through
2.4.57.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Prof. Sven Dietrich (City University of New York)
* ) SECURITY: CVE-2023-31122: mod_macro buffer over-read
(cve.mitre.org)
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
Server.This issue affects Apache HTTP Server: through 2.4.57.
Credits: David Shoon (github/davidshoon)
* ) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
SSL routines::unexpected eof while reading" when using
OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
available. [Rainer Jung]
* ) mod_http2: improved early cleanup of streams.
[Stefan Eissing]
* ) mod_proxy_http2: improved error handling on connection errors while
response is already underway.
[Stefan Eissing]
* ) mod_http2: fixed a bug that could lead to a crash in main connection
output handling. This occured only when the last request on a HTTP/2
connection had been processed and the session decided to shut down.
This could lead to an attempt to send a final GOAWAY while the previous
write was still in progress. See PR 66646.
[Stefan Eissing]
* ) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
Fixes PR66752.
[Stefan Eissing]
* ) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
described in RFC 8441. A new directive 'H2WebSockets on|off' has been
added. The feature is by default not enabled.
As also discussed in the manual, this feature should work for setups
using "ProxyPass backend-url upgrade=websocket" without further changes.
Special server modules for WebSockets will have to be adapted,
most likely, as the handling if IO events is different with HTTP/2.
HTTP/2 WebSockets are supported on platforms with native pipes. This
excludes Windows.
[Stefan Eissing]
* ) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
in OCSP stapling. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]
* ) mod_http2: fixed a bug in flushing pending data on an already closed
connection that could lead to a busy loop, preventing the HTTP/2 session
to close down successfully. Fixed PR 66624.
[Stefan Eissing]
* ) mod_http2: v2.0.15 with the following fixes and improvements
- New directive 'H2EarlyHint name value' to add headers to a response,
picked up already when a "103 Early Hints" response is sent. 'name' and
'value' must comply to the HTTP field restrictions.
This directive can be repeated several times and header fields of the
same names add. Sending a 'Link' header with 'preload' relation will
also cause a HTTP/2 PUSH if enabled and supported by the client.
- Fixed an issue where requests were not logged and accounted in a timely
fashion when the connection returns to "keepalive" handling, e.g. when
the request served was the last outstanding one.
This led to late appearance in access logs with wrong duration times
reported.
- Accurately report the bytes sent for a request in the '%O' Log format.
This addresses #203, a long outstanding issue where mod_h2 has reported
numbers over-eagerly from internal buffering and not what has actually
been placed on the connection.
The numbers are now the same with and without H2CopyFiles enabled.
[Stefan Eissing]
* ) mod_proxy_http2: fix retry handling to not leak temporary errors.
On detecting that that an existing connection was shutdown by the other
side, a 503 response leaked even though the request was retried on a
fresh connection.
[Stefan Eissing]
* ) mod_rewrite: Add server directory to include path as mod_rewrite requires
test_char.h. PR 66571 [Valeria Petrov <valeria.petrov@spinetix.com>]
* ) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
of HTTP/2 requests in a forward proxy configuration.
General forward proxying is enabled via `ProxyRequests`. If the
HTTP/2 protocol is also enabled for such a server/host, this new
directive is needed in addition.
[Stefan Eissing]
* ) core: Updated conf/mime.types:
- .js moved from 'application/javascript' to 'text/javascript'
- .mjs was added as 'text/javascript'
- add .opus ('audio/ogg')
- add 'application/vnd.geogebra.slides'
- add WebAssembly MIME types and extension
[Mathias Bynens <@mathiasbynens> via PR 318,
Richard de Boer <richard tubul.net>, Dave Hodder <dmh dmh.org.uk>,
Zbynek Konecny <zbynek1729 gmail.com>]
* ) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
connection when sending data on the frontend one. This caused crashes
or infinite loops in rare situations.
* ) mod_proxy_http2: fixed a bug in retry/response handling that could lead
to wrong status codes or HTTP messages send at the end of response bodies
exceeding the announced content-length.
* ) mod_proxy_http2: fix retry handling to not leak temporary errors.
On detecting that that an existing connection was shutdown by the other
side, a 503 response leaked even though the request was retried on a
fresh connection.
* ) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
the wrong order when a bucket_beam was destroyed.
[Stefan Eissing]
* ) mod_http2: avoid double chunked-encoding on internal redirects.
PR 66597 [Yann Ylavic, Stefan Eissing]
* ) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
HTTP/2 requests twice. Fixes PR 66801.
[Stefan Eissing]
* ) mod_ssl: Fix handling of Certificate Revoked messages
in OCSP stapling. PR 66626. [<gmoniker gmail.com>]
* ) mod_http2: fixed a bug in handling of stream timeouts.
[Stefan Eissing]
* ) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
Checking in configure for proper version installed. Code
fixes for changed clienthello member name.
[Stefan Eissing]
* ) mod_md:
- New directive `MDMatchNames all|servernames` to allow more control over how
MDomains are matched to VirtualHosts.
- New directive `MDChallengeDns01Version`. Setting this to `2` will provide
the command also with the challenge value on `teardown` invocation. In version
1, the default, only the `setup` invocation gets this parameter.
Refs #312. Thanks to @domrim for the idea.
- For Managed Domain in "manual" mode, the checks if all used ServerName and
ServerAlias are part of the MDomain now reports a warning instead of an error
(AH10040) when not all names are present.
- MDChallengeDns01 can now be configured for individual domains.
Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
* ) mod_ldap: Avoid performance overhead of APR-util rebind cache for
OpenLDAP 2.2+. PR 64414. [Joe Orton]
* ) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
amount of response body bytes put into a single HTTP/2 DATA frame.
Setting this to 0 places no limit (but the max size allowed by the
protocol is observed).
The module, by default, tries to use the maximum size possible, which is
somewhat around 16KB. This sets the maximum. When less response data is
available, smaller frames will be sent.
* ) mod_md: fixed passing of the server environment variables to programs
started via MDMessageCmd and MDChallengeDns01 on *nix system.
See <https://github.com/icing/mod_md/issues/319>.
[Stefan Eissing]
* ) mod_dav: Add DavBasePath directive to configure the repository root
path. PR 35077. [Joe Orton]
* ) mod_alias: Add AliasPreservePath directive to map the full
path after the alias in a location. [Graham Leggett]
* ) mod_alias: Add RedirectRelative to allow relative redirect targets to be
issued as-is. [Eric Covener, Graham Leggett]
* ) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
sure that if the format is configured early enough it applies to every log
line. PR 62161. [Yann Ylavic]
* ) mod_deflate: Add DeflateAlterETag to control how the ETag
is modified. The 'NoChange' parameter mimics 2.2.x behavior.
PR 45023, PR 39727. [Eric Covener]
* ) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]
* ) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
Resolve inconsistency between the previous two occurrences by
counting workers in state SERVER_GRACEFUL no longer as busy,
but instead in a new counter "GracefulWorkers" (or on HTML
view as "workers gracefully restarting"). Also add the graceful
counter as a new column to the existing HTML per process table
for async MPMs. PR 63300. [Rainer Jung]
* Sat Aug 05 2023 opensuse@dstoecker.de
- Enable building of mod_md
* Fri Apr 07 2023 suse+build@de-korte.org
- Update to 2.4.57:
* ) mod_proxy: Check before forwarding that a nocanon path has not been
rewritten with spaces during processing. [Yann Ylavic]
* ) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
double encode encoded slashes in the URL sent by the reverse proxy to the
backend. [Ruediger Pluem]
* ) mod_http2: fixed a crash during connection termination. See PR 66539.
[Stefan Eissing]
* ) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
in a question mark. PR66547. [Eric Covener]
* ) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
characters on redirections without the "NE" flag.
[Yann Ylavic, Eric Covener]
* ) mod_proxy: Fix double encoding of the uri-path of the request forwarded
to the origin server, when using mapping=encoded|servlet. [Yann Ylavic]
* ) mod_mime: Do not match the extention against possible query string
parameters in case ProxyPass was used with the nocanon option.
[Ruediger Pluem]
* Wed Mar 08 2023 david.anes@suse.com
- This update fixes the following security issues:
* CVE-2023-27522 [bsc#1209049]: mod_proxy_uwsgi HTTP response splitting
* CVE-2023-25690 [bsc#1209047]: HTTP request splitting with mod_rewrite and mod_proxy
- Update to 2.4.56:
* ) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
truncated without the initial logfile being truncated. [Eric Covener]
* ) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
allow connections of any age to be reused. Up to now, a negative value
was handled as an error when parsing the configuration file. PR 66421.
[nailyk <bzapache nailyk.fr>, Christophe Jaillet]
* ) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
of headers. [Ruediger Pluem]
* ) mod_md:
- Enabling ED25519 support and certificate transparency information when
building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
- MDChallengeDns01 can now be configured for individual domains.
Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not being invoked as it should.
[Stefan Eissing]
* ) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
reported in access logs and error documents. The processing of the
reset was correct, only unneccesary reporting was caused.
[Stefan Eissing]
* ) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
[Yann Ylavic]
* Wed Jan 18 2023 david.anes@suse.com
- This update fixes the following security issues:
* CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
* CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
* CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
- Update to 2.4.55:
* ) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
2.4.55 allows a backend to trigger HTTP response splitting
(cve.mitre.org)
Prior to Apache HTTP Server 2.4.55, a malicious backend can
cause the response headers to be truncated early, resulting in
some headers being incorporated into the response body. If the
later headers have any security purpose, they will not be
interpreted by the client.
Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
* ) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
Possible request smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server
Apache HTTP Server 2.4 version 2.4.54 and prior versions.
Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
at Qi'anxin Group
* ) SECURITY: CVE-2006-20001: mod_dav out of bounds read, or write
of zero byte (cve.mitre.org)
A carefully crafted If: request header can cause a memory read,
or write of a single zero byte, in a pool (heap) memory location
beyond the header value sent. This could cause the process to
crash.
This issue affects Apache HTTP Server 2.4.54 and earlier.
* ) mod_dav: Open the lock database read-only when possible.
PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
* ) mod_proxy_http2: apply the standard httpd content type handling
to responses from the backend, as other proxy modules do. Fixes PR 66391.
Thanks to Jérôme Billiras for providing the patch.
[Stefan Eissing]
* ) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
[Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
<alejandro.alvarez.ayllon cern.ch>]
* ) mod_proxy_hcheck: Honor worker timeout settings. [Yann Ylavic]
* ) mod_http2: version 2.0.10 of the module, synchronizing changes
with the gitgub version. This is a partial rewrite of how connections
and streams are handled.
- an APR pollset and pipes (where supported) are used to monitor
the main connection and react to IO for request/response handling.
This replaces the stuttered timed waits of earlier versions.
- H2SerializeHeaders directive still exists, but has no longer an effect.
- Clients that seemingly misbehave still get less resources allocated,
but ongoing requests are no longer disrupted.
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
- A regression in v1.15.24 was fixed that could lead to httpd child
processes not being terminated on a graceful reload or when reaching
MaxConnectionsPerChild. When unprocessed h2 requests were queued at
the time, these could stall. See #212.
- Improved information displayed in 'server-status' for H2 connections when
Extended Status is enabled. Now one can see the last request that IO
operations happened on and transferred IO stats are updated as well.
- When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
send a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
- :scheme pseudo-header values, not matching the
connection scheme, are forwarded via absolute uris to the
http protocol processing to preserve semantics of the request.
Checks on combinations of pseudo-headers values/absence
have been added as described in RFC 7540. Fixes #230.
- A bug that prevented trailers (e.g. HEADER frame at the end) to be
generated in certain cases was fixed. See #233 where it prevented
gRPC responses to be properly generated.
- Request and response header values are automatically stripped of leading
and trialing space/tab characters. This is equivalent behaviour to what
Apache httpd's http/1.1 parser does.
The checks for this in nghttp2 v1.50.0+ are disabled.
- Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
* ) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.
* ) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
* ) mod_proxy: The AH03408 warning for a forcibly closed backend
connection is now logged at INFO level. [Yann Ylavic]
* ) mod_ssl: When dumping the configuration, the existence of
certificate/key files is no longer tested. [Joe Orton]
* ) mod_authn_core: Add expression support to AuthName and AuthType.
[Graham Leggett]
* ) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
[Stefan Eissing]
* ) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
[Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
* ) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
* ) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
restarted at the same time. Store locks are not enabled by default.
Restored curl_easy cleanup behaviour from v2.4.14 and refactored
the use of curl_multi for OCSP requests to work with that.
Fixes <https://github.com/icing/mod_md/issues/293>.
* ) core: Avoid an overflow on large inputs in ap_is_matchexp. PR 66033
[Ruediger Pluem]
* ) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
storage instead of slotmem. Needed after setting
HeartbeatMaxServers default to the documented value 10 in 2.4.54.
PR 66131. [Jérôme Billiras]
* ) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
This is a game changer for performances if client use PROPFIND a lot,
PR 66313. [Emmanuel Dreyfus]
* Mon Dec 12 2022 dmueller@suse.com
- switch to pkgconfig(zlib) so that alternative providers can be
used
* Fri Sep 23 2022 coolo@suse.com
- The 2.4.54 release brought support for PCRE2, but for that we also
need to change buildrequires to pcre2-devel
* Tue Sep 20 2022 david.anes@suse.com
- Remove references to README.QUICKSTART and point them to
https://en.opensuse.org/SDB:Apache_installation (bsc#1203573)
* Thu Sep 01 2022 schubi@suse.com
- Migration to /usr/etc: Saving user changed configuration files
in /etc and restoring them while an RPM update.
* Tue Jun 28 2022 schubi@intern
- Moved logrotate files from user specific directory /etc/logrotate.d
to vendor specific directory /usr/etc/logrotate.d.
* Wed Jun 08 2022 pgajdos@suse.com
- update httpd-framework to svn revision 1898917
* Wed Jun 08 2022 pgajdos@suse.com
- version update to 2.4.54
Changes with Apache 2.4.54
* ) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
hop-by-hop mechanism (cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier may not send the
X-Forwarded-* headers to the origin server based on client side
Connection header hop-by-hop mechanism.
This may be used to bypass IP based authentication on the origin
server/application.
Credits: The Apache HTTP Server project would like to thank
Gaetan Ferry (Synacktiv) for reporting this issue
* ) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
websockets (cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier may return lengths to
applications calling r:wsread() that point past the end of the
storage allocated for the buffer.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
* ) SECURITY: CVE-2022-30522: mod_sed denial of service
(cve.mitre.org)
If Apache HTTP Server 2.4.53 is configured to do transformations
with mod_sed in contexts where the input to mod_sed may be very
large, mod_sed may make excessively large memory allocations and
trigger an abort.
Credits: This issue was found by Brian Moussalli from the JFrog
Security Research team
* ) SECURITY: CVE-2022-29404: Denial of service in mod_lua
r:parsebody (cve.mitre.org)
In Apache HTTP Server 2.4.53 and earlier, a malicious request to
a lua script that calls r:parsebody(0) may cause a denial of
service due to no default limit on possible input size.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
* ) SECURITY: CVE-2022-28615: Read beyond bounds in
ap_strcmp_match() (cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier may crash or disclose
information due to a read beyond bounds in ap_strcmp_match()
when provided with an extremely large input buffer. While no
code distributed with the server can be coerced into such a
call, third-party modules or lua scripts that use
ap_strcmp_match() may hypothetically be affected.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
* ) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
(cve.mitre.org)
The ap_rwrite() function in Apache HTTP Server 2.4.53 and
earlier may read unintended memory if an attacker can cause the
server to reflect very large input using ap_rwrite() or
ap_rputs(), such as with mod_luas r:puts() function.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
* ) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
(cve.mitre.org)
Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
bounds when configured to process requests with the mod_isapi
module.
Credits: The Apache HTTP Server project would like to thank
Ronald Crane (Zippenhop LLC) for reporting this issue
* ) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
smuggling (cve.mitre.org)
Inconsistent Interpretation of HTTP Requests ('HTTP Request
Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
allows an attacker to smuggle requests to the AJP server it
forwards requests to. This issue affects Apache HTTP Server
Apache HTTP Server 2.4 version 2.4.53 and prior versions.
Credits: Ricter Z @ 360 Noah Lab
* ) mod_ssl: SSLFIPS compatible with OpenSSL 3.0. PR 66063.
[Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
* ) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
PR 65666. [Yann Ylavic]
* ) mod_md: a bug was fixed that caused very large MDomains
with the combined DNS names exceeding ~7k to fail, as
request bodies would contain partially wrong data from
uninitialized memory. This would have appeared as failure
in signing-up/renewing such configurations.
[Stefan Eissing, Ronald Crane (Zippenhop LLC)]
* ) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
PR 65666. [Yann Ylavic]
* ) MPM event: Restart children processes killed before idle maintenance.
PR 65769. [Yann Ylavic, Ruediger Pluem]
* ) ab: Allow for TLSv1.3 when the SSL library supports it.
[abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]
* ) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
transmission delays. PR 66019. [Yann Ylavic]
* ) MPM event: Fix accounting of active/total processes on ungraceful restart,
PR 66004 (follow up to PR 65626 from 2.4.52). [Yann Ylavic]
* ) core: make ap_escape_quotes() work correctly on strings
with more than MAX_INT/2 characters, counting quotes double.
Credit to <generalbugs@zippenhop.com> for finding this.
[Stefan Eissing]
* ) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
an ACME CA. This gives a failover for renewals when several consecutive attempts
to get a certificate failed.
A new directive was added: `MDRetryDelay` sets the delay of retries.
A new directive was added: `MDRetryFailover` sets the number of errored
attempts before an alternate CA is selected for certificate renewals.
[Stefan Eissing]
* ) mod_http2: remove unused and insecure code. Fixes PR66037.
Thanks to Ronald Crane (Zippenhop LLC) for reporting this.
[Stefan Eissing]
* ) mod_proxy: Add backend port to log messages to
ease identification of involved service. [Rainer Jung]
* ) mod_http2: removing unscheduling of ongoing tasks when
connection shows potential abuse by a client. This proved
counter-productive and the abuse detection can false flag
requests using server-side-events.
Fixes <https://github.com/icing/mod_h2/issues/231>.
[Stefan Eissing]
* ) mod_md: Implement full auto status ("key: value" type status output).
Especially not only status summary counts for certificates and
OCSP stapling but also lists. Auto status format is similar to
what was used for mod_proxy_balancer.
[Rainer Jung]
* ) mod_md: fixed a bug leading to failed transfers for OCSP
stapling information when more than 6 certificates needed
updates in the same run. [Stefan Eissing]
* ) mod_proxy: Set a status code of 502 in case the backend just closed the
connection in reply to our forwarded request. [Ruediger Pluem]
* ) mod_md: a possible NULL pointer deref was fixed in
the JSON code for persisting time periods (start+end).
Fixes #282 on mod_md's github.
Thanks to @marcstern for finding this. [Stefan Eissing]
* ) mod_heartmonitor: Set the documented default value
"10" for HeartbeatMaxServers instead of "0". With "0"
no shared memory slotmem was initialized. [Rainer Jung]
* ) mod_md: added support for managing certificates via a
local tailscale daemon for users of that secure networking.
This gives trusted certificates for tailscale assigned
domain names in the *.ts.net space.
[Stefan Eissing]
- modified patches
% apache-test-application-xml-type.patch (refreshed)
% apache-test-turn-off-variables-in-ssl-var-lookup.patch (refreshed)
% apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed)
* Mon Mar 14 2022 pgajdos@suse.com
- httpd-framework updated to svn1898917
- deleted patches
- apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
- apache2-perl-io-socket.patch (upstreamed)
* Mon Mar 14 2022 pgajdos@suse.com
- httpd-framework updated to svn1898917
- deleted patches
- apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
- apache2-perl-io-socket.patch (upstreamed)
Version: 2.4.51-150400.6.3.1
* Thu May 05 2022 david.anes@suse.com
- fix gensslcert to generate dhparams certificate using a valid
FIPS method [bsc#1198913]
* Wed Mar 02 2022 pgajdos@suse.com
- security update
- added patches
fix CVE-2021-44224 [bsc#1193943], NULL dereference or SSRF in forward proxy configurations
+ apache2-CVE-2021-44224.patch
fix CVE-2021-44790 [bsc#1193942], buffer overflow when parsing multipart content in mod_lua
+ apache2-CVE-2021-44790.patch
* Thu Jan 27 2022 pgajdos@suse.com
- ssl-global.conf: set SSLCipherSuite to PROFILE=SYSTEM instead of
DEFAULT_SUSE [jsc#SLE-22561]
- set also SSLProxyCipherSuite to PROFILE=SYSTEM
- modified sources
% apache2-ssl-global.conf
* Mon Nov 08 2021 pgajdos@suse.com
- version update to 2.4.51
* ) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
unused AP_NORMALIZE_DROP_PARAMETERS flag.
[Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
* Fri Sep 10 2021 pgajdos@suse.com
- version update to 2.4.50
* fixes CVE-2020-11984, CVE-2020-13950, CVE-2020-35452,
CVE-2021-26690, CVE-2021-26691, CVE-2021-30641,
CVE-2021-31618, CVE-2021-33193, CVE-2021-34798,
CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
* see CHANGES for more details
- deleted patches
- apache2-CVE-2020-11984.patch (upstreamed)
- apache2-CVE-2020-13950.patch (upstreamed)
- apache2-CVE-2020-35452.patch (upstreamed)
- apache2-CVE-2021-26690.patch (upstreamed)
- apache2-CVE-2021-26691.patch (upstreamed)
- apache2-CVE-2021-30641.patch (upstreamed)
- apache2-CVE-2021-31618.patch (upstreamed)
- apache2-CVE-2021-33193.patch (upstreamed)
- apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
- apache2-mod_http2-1.15.14.patch (upstreamed)
Version: 2.4.43-3.22.1
* Fri Jun 11 2021 pgajdos@suse.com
- security update
- added patches
fix CVE-2021-30641 [bsc#1187174], MergeSlashes regression
+ apache2-CVE-2021-30641.patch
* Wed Jun 09 2021 pgajdos@suse.com
- security update
- added patches
fix CVE-2021-31618 [bsc#1186924], NULL pointer dereference on specially crafted HTTP/2 request
+ apache2-CVE-2021-31618.patch
* Wed Jun 09 2021 pgajdos@suse.com
- security update
- added patches
fix CVE-2021-31618 [bsc#1186924], NULL pointer dereference on specially crafted HTTP/2 request
+ apache2-CVE-2021-31618.patch
* Tue Jun 08 2021 pgajdos@suse.com
- security update
- added patches
fix CVE-2020-35452 [bsc#1186922], Single zero byte stack overflow in mod_auth_digest
+ apache2-CVE-2020-35452.patch
fix CVE-2021-26690 [bsc#1186923], mod_session NULL pointer dereference in parser
+ apache2-CVE-2021-26690.patch
fix CVE-2021-26691 [bsc#1187017], Heap overflow in mod_session
+ apache2-CVE-2021-26691.patch
* Tue Jan 12 2021 pgajdos@suse.com
- gensslcert sets CA:TRUE in basic constrains of CA cert [bsc#1180530]
- modified sources
% gensslcert
* Wed Oct 14 2020 fbui@suse.com
- systemd-ask-password is located in /usr/bin
* Mon Aug 31 2020 jtomasiak@suse.com
- gensslcert: add -a argument to override default SAN value
* Tue Aug 11 2020 pgajdos@suse.com
- security update
- added patches
fix CVE-2020-11984 [bsc#1175074], mod_proxy_uwsgi info disclosure and possible RCE
+ apache2-CVE-2020-11984.patch
fix CVE-2020-11993 [bsc#1175070], CVE-2020-9490 [bsc#1175071]
+ apache2-mod_http2-1.15.14.patch
* Wed Jul 15 2020 pgajdos@suse.com
- fix crash in mod_proxy_uwsgi for empty values of environment
variables [bsc#1174052]
- added patches
fix https://svn.apache.org/viewvc?view=revision
+ apache2-mod_proxy_uwsgi-fix-crash.patch
* Fri Apr 03 2020 pgajdos@suse.com
- declare ap_sock_disable_nagle to fix loading mod_proxy_http2
(thanks to mliska@suse.com)
- modified patches
% httpd-visibility.patch (refreshed)
* Thu Apr 02 2020 pgajdos@suse.com
- version update to 2.4.43
* ) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
* ) mod_proxy_http: Fix the forwarding of requests with content body when a
balancer member is unavailable; the retry on the next member was issued
with an empty body (regression introduced in 2.4.41). PR63891.
[Yann Ylavic]
* ) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
[Michael Kaufmann, Stefan Eissing]
* ) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
PR64140. [Renier Velazco <renier.velazco upr.edu>]
* ) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
PR64172.
* ) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
to allow customization of the usertrack cookie. PR64077.
[Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
* ) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
AJP13 authentication. PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
* ) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
[Eric Covener, Yann Ylavic]
* ) Add a config layout for OpenWRT. [Graham Leggett]
* ) Add support for cross compiling to apxs. If apxs is being executed from
somewhere other than its target location, add that prefix to includes and
library directories. Without this, apxs would fail to find config_vars.mk
and exit. [Graham Leggett]
* ) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
[Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
* ) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
[Graham Leggett]
* ) mod_ssl: Support use of private keys and certificates from an
OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
[Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
* ) mod_md:
- Prefer MDContactEmail directive to ServerAdmin for registration. New directive
thanks to Timothe Litt (@tlhackque).
- protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
check all matching virtual hosts for protocol support. Thanks to @mkauf.
- Corrected a check when OCSP stapling was configured for hosts
where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
- Softening the restrictions where mod_md configuration directives may appear. This should
allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
you wanted in the first place, is another matter.
[Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
* ) test: Added continuous testing with Travis CI.
This tests various scenarios on Ubuntu with the full test suite.
Architectures tested: amd64, s390x, ppc64le, arm64
The tests pass successfully.
[Luca Toscano, Joe Orton, Mike Rumph, and others]
* ) core: Be stricter in parsing of Transfer-Encoding headers.
[ZeddYu <zeddyu.lu gmail.com>, Eric Covener]
* ) mod_ssl: negotiate the TLS protocol version per name based vhost
configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
SSLProtocol (from the first vhost declared on the IP:port) is now only
relevant if no SSLProtocol is declared for the vhost or globally,
otherwise the vhost or global value apply. [Yann Ylavic]
* ) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
output. PR 64096. [Joe Orton]
* ) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
[Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]
* ) mod_systemd: New module providing integration with systemd. [Jan Kaluza]
* ) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
r:notes_table, r:subprocess_env_table as read-only native table alternatives
that can be iterated over. [Eric Covener]
* ) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
[Yann Ylavic, Stefan Eissing]
* ) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
r.headers_out, etc) to remove the key from the table. PR63971.
[Eric Covener]
* ) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
always `on`, regardless of configuration. Found and reported by
<Armin.Abfalterer@united-security-providers.ch> and
<Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]
* ) mod_http2: Multiple field length violations in the same request no longer cause
several log entries to be written. [@mkauf]
* ) mod_ssl: OCSP does not apply to proxy mode. PR 63679.
[Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
* ) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
[Jim Jagielski]
* ) mod_authn_socache: Increase the maximum length of strings that can be cached by
the module from 100 to 256. PR 62149 [<thorsten.meinl knime.com>]
* ) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
[Ruediger Pluem, Eric Covener]
* ) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
valid (For example, testing for a file on a flash drive that is not mounted)
[Christophe Jaillet]
* ) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
means 'foo' is "not acceptable". PR 58158 [Chistophe Jaillet]
* ) mod_md v2.2.3:
- Configuring MDCAChallenges replaces any previous existing challenge configuration. It
had been additive before which was not the intended behaviour. [@mkauf]
- Fixing order of ACME challenges used when nothing else configured. Code now behaves as
documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
- Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
- Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
"transfer-encoding" to POST requests. This failed in directy communication with
Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
* ) mod_md: Adding the several new features.
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. If can be used
for sites that do not have ACME certificates.
The url for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certicate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example to applications that require it in different
locations or formats.
[Stefan Eissing]
* ) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
- deleted patches
- apache2-load-private-keys-from-pkcs11.patch (upstreamed)
- httpd-2.4.3-mod_systemd.patch (upstreamed)
* Wed Feb 26 2020 pgajdos@suse.com
- use r1874196 [SLE-7472] [bsc#1164820c#6]
- modified patches
% apache2-load-private-keys-from-pkcs11.patch (upstream 2.4.x port)
- deleted patches
- apache2-load-certificates-from-pkcs11.patch (merged to above)
* Tue Feb 18 2020 pgajdos@suse.com
- require just libbrotli-devel
* Thu Feb 13 2020 pgajdos@suse.com
- build mod_proxy_http2 extension
* Wed Feb 12 2020 pgajdos@suse.com
- fix build for older distributions
* Fri Jan 31 2020 crrodriguez@opensuse.org
- define DEFAULT_LISTENBACKLOG=APR_INT32_MAX. We want apache
to honour net.core.somaxconn sysctl as the mandatory limit.
the old value of 511 was never used as until v5.4-rc6 it was
clamped to 128, in current kernels the default limit is 4096.
Cannot use the apr_socket_listen(.., -1) idiom because the function
expects a positive integer argument.
* Mon Jan 20 2020 pgajdos@suse.com
- apache2-devel now provides httpd-devel [bsc#1160100]
* Wed Dec 18 2019 pgajdos@suse.com
- add openssl call to DEFAULT_SUSE comment [bsc#1159480]
- modified sources
% apache2-ssl-global.conf
* Fri Nov 08 2019 pgajdos@suse.com
- use %license [bsc#1156171]
* Tue Oct 22 2019 pgajdos@suse.com
- load private keys and certificates from pkcs11 token [SLE-7653]
- added patches
load certificates from openssl engine
+ apache2-load-certificates-from-pkcs11.patch
load private keys from openssl engine
+ apache2-load-private-keys-from-pkcs11.patch