Package Release Info

apache2-2.4.58-150600.5.6.1

Update Info: SUSE-SLE-Module-Packagehub-Subpackages-15-SP6-2024-2229
Available in Package Hub : 15 SP5 Subpackages Updates

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

Change Logs

Version: 2.4.58-150600.5.18.1
* Wed Jul 17 2024 martin.schreiner@suse.com
- Security fix:
  - CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2
  * Added apache2-CVE-2024-36387.patch
Version: 2.4.51-150400.6.29.1
* Mon Jul 08 2024 david.anes@suse.com
- Security fix:
  - CVE-2024-39573, bsc#1227271: potential SSRF in mod_rewrite
  * Added apache2-CVE-2024-39573.patch
  - CVE-2024-38477, bsc#1227270: null pointer dereference in mod_proxy
  * Added apache2-CVE-2024-38477.patch
  - CVE-2024-38475, bsc#1227268: Improper escaping of output in mod_rewrite
  * Added apache2-CVE-2024-38475-1.patch
  * Added apache2-CVE-2024-38475-2.patch
  * Added apache2-CVE-2024-38475-3.patch
  - CVE-2024-38476, bsc#1227269: Server may use exploitable/malicious
  backend application output to run local handlers via internal
  redirect
  * Added apache2-CVE-2024-38476-1.patch
  * Added apache2-CVE-2024-38476-2.patch
  * Added apache2-CVE-2024-38476-3.patch
  * Added apache2-CVE-2024-38476-4.patch
  * Added apache2-CVE-2024-38476-5.patch
  * Added apache2-CVE-2024-38476-6.patch
  * Added apache2-CVE-2024-38476-7.patch
  * Added apache2-CVE-2024-38476-8.patch
  * Added apache2-CVE-2024-38476-9.patch
  * Added apache2-CVE-2024-38476-10.patch
  * Added apache2-CVE-2024-38476-11.patch
Version: 2.4.58-150600.5.3.1
* Tue May 28 2024 pgajdos@suse.com
- security update
- added patches
  fix CVE-2023-38709 [bsc#1222330], HTTP response splitting
  + apache2-CVE-2023-38709.patch
  fix CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
  + apache2-CVE-2024-24795.patch
  fix CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + apache2-CVE-2024-27316.patch
* Thu Mar 28 2024 david.anes@suse.com
- Add patches to improve FIPS compatibility (bsc#1220681):
  * apache2-fips-compatibility-01.patch
  * apache2-fips-compatibility-02.patch
  * apache2-fips-compatibility-03.patch
* Fri Mar 22 2024 eugenio.paolantonio@suse.com
- SLE-only: forward-port compatibility symlinks (e.g. httpd2-prefork,
  apache2ctl, htpasswd2) change, including the relative
  manpages (bsc#1221880)
* Mon Mar 18 2024 eugenio.paolantonio@suse.com
- SLE-only: forward-port gensslcert change to generate dhparams certificate
  using a valid FIPS method (bsc#1198913)
* Tue Feb 20 2024 dimstar@opensuse.org
- Use %autosetup macro. Allows to eliminate the usage of deprecated
  %patchN.
* Mon Jan 29 2024 dmueller@suse.com
- use grep -E for egrep
* Thu Oct 19 2023 david.anes@suse.com
- Update to 2.4.58:
  * ) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
    memory not reclaimed right away on RST (cve.mitre.org)
    When a HTTP/2 stream was reset (RST frame) by a client, there
    was a time window were the request's memory resources were not
    reclaimed immediately. Instead, de-allocation was deferred to
    connection close. A client could send new requests and resets,
    keeping the connection busy and open and causing the memory
    footprint to keep on growing. On connection close, all resources
    were reclaimed, but the process might run out of memory before
    that.
    This was found by the reporter during testing of CVE-2023-44487
    (HTTP/2 Rapid Reset Exploit) with their own test client. During
    "normal" HTTP/2 use, the probability to hit this bug is very
    low. The kept memory would not become noticeable before the
    connection closes or times out.
    Users are recommended to upgrade to version 2.4.58, which fixes
    the issue.
    Credits: Will Dormann of Vul Labs
  * ) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
    initial windows size 0 (cve.mitre.org)
    An attacker, opening a HTTP/2 connection with an initial window
    size of 0, was able to block handling of that connection
    indefinitely in Apache HTTP Server. This could be used to
    exhaust worker resources in the server, similar to the well
    known "slow loris" attack pattern.
    This has been fixed in version 2.4.58, so that such connection
    are terminated properly after the configured connection timeout.
    This issue affects Apache HTTP Server: from 2.4.55 through
    2.4.57.
    Users are recommended to upgrade to version 2.4.58, which fixes
    the issue.
    Credits: Prof. Sven Dietrich (City University of New York)
  * ) SECURITY: CVE-2023-31122: mod_macro buffer over-read
    (cve.mitre.org)
    Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
    Server.This issue affects Apache HTTP Server: through 2.4.57.
    Credits: David Shoon (github/davidshoon)
  * ) mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
    SSL routines::unexpected eof while reading" when using
    OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
    available. [Rainer Jung]
  * ) mod_http2: improved early cleanup of streams.
    [Stefan Eissing]
  * ) mod_proxy_http2: improved error handling on connection errors while
    response is already underway.
    [Stefan Eissing]
  * ) mod_http2: fixed a bug that could lead to a crash in main connection
    output handling. This occured only when the last request on a HTTP/2
    connection had been processed and the session decided to shut down.
    This could lead to an attempt to send a final GOAWAY while the previous
    write was still in progress. See PR 66646.
    [Stefan Eissing]
  * ) mod_proxy_http2: fix `X-Forward-Host` header to carry the correct value.
    Fixes PR66752.
    [Stefan Eissing]
  * ) mod_http2: added support for bootstrapping WebSockets via HTTP/2, as
    described in RFC 8441. A new directive 'H2WebSockets on|off' has been
    added. The feature is by default not enabled.
    As also discussed in the manual, this feature should work for setups
    using "ProxyPass backend-url upgrade=websocket" without further changes.
    Special server modules for WebSockets will have to be adapted,
    most likely, as the handling if IO events is different with HTTP/2.
    HTTP/2 WebSockets are supported on platforms with native pipes. This
    excludes Windows.
    [Stefan Eissing]
  * ) mod_rewrite: Fix a regression with both a trailing ? and [QSA].
    in OCSP stapling. PR 66672. [Frank Meier <frank.meier ergon.ch>, covener]
  * ) mod_http2: fixed a bug in flushing pending data on an already closed
    connection that could lead to a busy loop, preventing the HTTP/2 session
    to close down successfully. Fixed PR 66624.
    [Stefan Eissing]
  * ) mod_http2: v2.0.15 with the following fixes and improvements
  - New directive 'H2EarlyHint name value' to add headers to a response,
    picked up already when a "103 Early Hints" response is sent. 'name' and
    'value' must comply to the HTTP field restrictions.
    This directive can be repeated several times and header fields of the
    same names add. Sending a 'Link' header with 'preload' relation will
    also cause a HTTP/2 PUSH if enabled and supported by the client.
  - Fixed an issue where requests were not logged and accounted in a timely
    fashion when the connection returns to "keepalive" handling, e.g. when
    the request served was the last outstanding one.
    This led to late appearance in access logs with wrong duration times
    reported.
  - Accurately report the bytes sent for a request in the '%O' Log format.
    This addresses #203, a long outstanding issue where mod_h2 has reported
    numbers over-eagerly from internal buffering and not what has actually
    been placed on the connection.
    The numbers are now the same with and without H2CopyFiles enabled.
    [Stefan Eissing]
  * ) mod_proxy_http2: fix retry handling to not leak temporary errors.
    On detecting that that an existing connection was shutdown by the other
    side, a 503 response leaked even though the request was retried on a
    fresh connection.
    [Stefan Eissing]
  * ) mod_rewrite: Add server directory to include path as mod_rewrite requires
    test_char.h. PR 66571 [Valeria Petrov <valeria.petrov@spinetix.com>]
  * ) mod_http2: new directive `H2ProxyRequests on|off` to enable handling
    of HTTP/2 requests in a forward proxy configuration.
    General forward proxying is enabled via `ProxyRequests`. If the
    HTTP/2 protocol is also enabled for such a server/host, this new
    directive is needed in addition.
    [Stefan Eissing]
  * ) core: Updated conf/mime.types:
  - .js moved from 'application/javascript' to 'text/javascript'
  - .mjs was added as 'text/javascript'
  - add .opus ('audio/ogg')
  - add 'application/vnd.geogebra.slides'
  - add WebAssembly MIME types and extension
    [Mathias Bynens <@mathiasbynens> via PR 318,
    Richard de Boer <richard tubul.net>, Dave Hodder <dmh dmh.org.uk>,
    Zbynek Konecny <zbynek1729 gmail.com>]
  * ) mod_proxy_http2: fixed using the wrong "bucket_alloc" from the backend
    connection when sending data on the frontend one. This caused crashes
    or infinite loops in rare situations.
  * ) mod_proxy_http2: fixed a bug in retry/response handling that could lead
    to wrong status codes or HTTP messages send at the end of response bodies
    exceeding the announced content-length.
  * ) mod_proxy_http2: fix retry handling to not leak temporary errors.
    On detecting that that an existing connection was shutdown by the other
    side, a 503 response leaked even though the request was retried on a
    fresh connection.
  * ) mod_http2: fixed a bug that did cleanup of consumed and pending buckets in
    the wrong order when a bucket_beam was destroyed.
    [Stefan Eissing]
  * ) mod_http2: avoid double chunked-encoding on internal redirects.
    PR 66597 [Yann Ylavic, Stefan Eissing]
  * ) mod_http2: Fix reporting of `Total Accesses` in server-status to not count
    HTTP/2 requests twice. Fixes PR 66801.
    [Stefan Eissing]
  * ) mod_ssl: Fix handling of Certificate Revoked messages
    in OCSP stapling. PR 66626. [<gmoniker gmail.com>]
  * ) mod_http2: fixed a bug in handling of stream timeouts.
    [Stefan Eissing]
  * ) mod_tls: updating to rustls-ffi version 0.9.2 or higher.
    Checking in configure for proper version installed. Code
    fixes for changed clienthello member name.
    [Stefan Eissing]
  * ) mod_md:
  - New directive `MDMatchNames all|servernames` to allow more control over how
    MDomains are matched to VirtualHosts.
  - New directive `MDChallengeDns01Version`. Setting this to `2` will provide
    the command also with the challenge value on `teardown` invocation. In version
    1, the default, only the `setup` invocation gets this parameter.
    Refs #312. Thanks to @domrim for the idea.
  - For Managed Domain in "manual" mode, the checks if all used ServerName and
    ServerAlias are part of the MDomain now reports a warning instead of an error
    (AH10040) when not all names are present.
  - MDChallengeDns01 can now be configured for individual domains.
    Using PR from Jérôme Billiras (@bilhackmac) and adding test case and fixing proper working
  - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
    teardown not being invoked as it should.
  * ) mod_ldap: Avoid performance overhead of APR-util rebind cache for
    OpenLDAP 2.2+.  PR 64414.  [Joe Orton]
  * ) mod_http2: new directive 'H2MaxDataFrameLen n' to limit the maximum
    amount of response body bytes put into a single HTTP/2 DATA frame.
    Setting this to 0 places no limit (but the max size allowed by the
    protocol is observed).
    The module, by default, tries to use the maximum size possible, which is
    somewhat around 16KB. This sets the maximum. When less response data is
    available, smaller frames will be sent.
  * ) mod_md: fixed passing of the server environment variables to programs
    started via MDMessageCmd and MDChallengeDns01 on *nix system.
    See <https://github.com/icing/mod_md/issues/319>.
    [Stefan Eissing]
  * ) mod_dav: Add DavBasePath directive to configure the repository root
    path.  PR 35077.  [Joe Orton]
  * ) mod_alias: Add AliasPreservePath directive to map the full
    path after the alias in a location. [Graham Leggett]
  * ) mod_alias: Add RedirectRelative to allow relative redirect targets to be
    issued as-is. [Eric Covener, Graham Leggett]
  * ) core: Add formats %{z} and %{strftime-format} to ErrorLogFormat, and make
    sure that if the format is configured early enough it applies to every log
    line.  PR 62161.  [Yann Ylavic]
  * ) mod_deflate: Add DeflateAlterETag to control how the ETag
    is modified. The 'NoChange' parameter mimics 2.2.x behavior.
    PR 45023, PR 39727. [Eric Covener]
  * ) core: Optimize send_brigade_nonblocking(). [Yann Ylavic, Christophe Jaillet]
  * ) mod_status: Remove duplicate keys "BusyWorkers" and "IdleWorkers".
    Resolve inconsistency between the previous two occurrences by
    counting workers in state SERVER_GRACEFUL no longer as busy,
    but instead in a new counter "GracefulWorkers" (or on HTML
    view as "workers gracefully restarting"). Also add the graceful
    counter as a new column to the existing HTML per process table
    for async MPMs. PR 63300. [Rainer Jung]
* Sat Aug 05 2023 opensuse@dstoecker.de
- Enable building of mod_md
* Fri Apr 07 2023 suse+build@de-korte.org
- Update to 2.4.57:
  * ) mod_proxy: Check before forwarding that a nocanon path has not been
    rewritten with spaces during processing.  [Yann Ylavic]
  * ) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
    double encode encoded slashes in the URL sent by the reverse proxy to the
    backend. [Ruediger Pluem]
  * ) mod_http2: fixed a crash during connection termination. See PR 66539.
    [Stefan Eissing]
  * ) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
    in a question mark. PR66547. [Eric Covener]
  * ) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
    characters on redirections without the "NE" flag.
    [Yann Ylavic, Eric Covener]
  * ) mod_proxy: Fix double encoding of the uri-path of the request forwarded
    to the origin server, when using mapping=encoded|servlet.  [Yann Ylavic]
  * ) mod_mime: Do not match the extention against possible query string
    parameters in case ProxyPass was used with the nocanon option.
    [Ruediger Pluem]
* Wed Mar 08 2023 david.anes@suse.com
- This update fixes the following security issues:
  * CVE-2023-27522 [bsc#1209049]: mod_proxy_uwsgi HTTP response splitting
  * CVE-2023-25690 [bsc#1209047]: HTTP request splitting with mod_rewrite and mod_proxy
- Update to 2.4.56:
  * ) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be
    truncated without the initial logfile being truncated.  [Eric Covener]
  * ) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to
    allow connections of any age to be reused. Up to now, a negative value
    was handled as an error when parsing the configuration file.  PR 66421.
    [nailyk <bzapache nailyk.fr>, Christophe Jaillet]
  * ) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number
    of headers. [Ruediger Pluem]
  * ) mod_md:
  - Enabling ED25519 support and certificate transparency information when
    building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis.
  - MDChallengeDns01 can now be configured for individual domains.
    Thanks to Jérôme Billiras (@bilhackmac) for the initial PR.
  - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
    teardown not being invoked as it should.
    [Stefan Eissing]
  * ) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
    reported in access logs and error documents. The processing of the
    reset was correct, only unneccesary reporting was caused.
    [Stefan Eissing]
  * ) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation.
    [Yann Ylavic]
* Wed Jan 18 2023 david.anes@suse.com
- This update fixes the following security issues:
  * CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
  * CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
  * CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
- Update to 2.4.55:
  * ) SECURITY: CVE-2022-37436: Apache HTTP Server: mod_proxy prior to
    2.4.55 allows a backend to trigger HTTP response splitting
    (cve.mitre.org)
    Prior to Apache HTTP Server 2.4.55, a malicious backend can
    cause the response headers to be truncated early, resulting in
    some headers being incorporated into the response body. If the
    later headers have any security purpose, they will not be
    interpreted by the client.
    Credits: Dimas Fariski Setyawan Putra (@nyxsorcerer)
  * ) SECURITY: CVE-2022-36760: Apache HTTP Server: mod_proxy_ajp
    Possible request smuggling (cve.mitre.org)
    Inconsistent Interpretation of HTTP Requests ('HTTP Request
    Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
    allows an attacker to smuggle requests to the AJP server it
    forwards requests to.  This issue affects Apache HTTP Server
    Apache HTTP Server 2.4 version 2.4.54 and prior versions.
    Credits: ZeddYu_Lu from Qi'anxin Research Institute of Legendsec
    at Qi'anxin Group
  * ) SECURITY: CVE-2006-20001: mod_dav out of  bounds read, or write
    of zero byte (cve.mitre.org)
    A carefully crafted If: request header can cause a memory read,
    or write of a single zero byte, in a pool (heap) memory location
    beyond the header value sent. This could cause the process to
    crash.
    This issue affects Apache HTTP Server 2.4.54 and earlier.
  * ) mod_dav: Open the lock database read-only when possible.
    PR 36636 [Wilson Felipe <wfelipe gmail.com>, manu]
  * ) mod_proxy_http2: apply the standard httpd content type handling
    to responses from the backend, as other proxy modules do. Fixes PR 66391.
    Thanks to Jérôme Billiras for providing the patch.
    [Stefan Eissing]
  * ) mod_dav: mod_dav overrides dav_fs response on PUT failure. PR 35981
    [Basant Kumar Kukreja <basant.kukreja sun.com>, Alejandro Alvarez
    <alejandro.alvarez.ayllon cern.ch>]
  * ) mod_proxy_hcheck: Honor worker timeout settings.  [Yann Ylavic]
  * ) mod_http2: version 2.0.10 of the module, synchronizing changes
    with the gitgub version. This is a partial rewrite of how connections
    and streams are handled.
  - an APR pollset and pipes (where supported) are used to monitor
    the main connection and react to IO for request/response handling.
    This replaces the stuttered timed waits of earlier versions.
  - H2SerializeHeaders directive still exists, but has no longer an effect.
  - Clients that seemingly misbehave still get less resources allocated,
    but ongoing requests are no longer disrupted.
  - Fixed an issue since 1.15.24 that "Server" headers in proxied requests
    were overwritten instead of preserved. [PR by @daum3ns]
  - A regression in v1.15.24 was fixed that could lead to httpd child
    processes not being terminated on a graceful reload or when reaching
    MaxConnectionsPerChild. When unprocessed h2 requests were queued at
    the time, these could stall. See #212.
  - Improved information displayed in 'server-status' for H2 connections when
    Extended Status is enabled. Now one can see the last request that IO
    operations happened on and transferred IO stats are updated as well.
  - When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
    send a GOAWAY frame much too early on new connections, leading to invalid
    protocol state and a client failing the request. See PR65731 at
    <https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
    The module now initializes the HTTP/2 protocol correctly and allows the
    client to submit one request before the shutdown via a GOAWAY frame
    is being announced.
  - :scheme pseudo-header values, not matching the
    connection scheme, are forwarded via absolute uris to the
    http protocol processing to preserve semantics of the request.
    Checks on combinations of pseudo-headers values/absence
    have been added as described in RFC 7540. Fixes #230.
  - A bug that prevented trailers (e.g. HEADER frame at the end) to be
    generated in certain cases was fixed. See #233 where it prevented
    gRPC responses to be properly generated.
  - Request and response header values are automatically stripped of leading
    and trialing space/tab characters. This is equivalent behaviour to what
    Apache httpd's http/1.1 parser does.
    The checks for this in nghttp2 v1.50.0+ are disabled.
  - Extensive testing in production done by Alessandro Bianchi (@alexskynet)
    on the v2.0.x versions for stability. Many thanks!
  * ) mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
    request ':authority' is known. Improved test case that did not catch that
    the previous 'fix' was incorrect.
  * ) mod_proxy_hcheck: hcmethod now allows for HTTP/1.1 requests
    using GET11, HEAD11 and/or OPTIONS11. [Jim Jagielski]
  * ) mod_proxy: The AH03408 warning for a forcibly closed backend
    connection is now logged at INFO level.  [Yann Ylavic]
  * ) mod_ssl: When dumping the configuration, the existence of
    certificate/key files is no longer tested.  [Joe Orton]
  * ) mod_authn_core: Add expression support to AuthName and AuthType.
    [Graham Leggett]
  * ) mod_ssl: when a proxy connection had handled a request using SSL, an
    error was logged when "SSLProxyEngine" was only configured in the
    location/proxy section and not the overall server. The connection
    continued to work, the error log was in error. Fixed PR66190.
    [Stefan Eissing]
  * ) mod_proxy_hcheck: Re-enable workers in standard ERROR state. PR 66302.
    [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
  * ) mod_proxy_hcheck: Detect AJP/CPING support correctly. PR 66300.
    [Alessandro Cavaliere <alessandro.cavalier7 unibo.it>]
  * ) mod_http2: Export mod_http2.h as public header. [Stefan Eissing]
  * ) mod_md: a new directive `MDStoreLocks` can be used on cluster
    setups with a shared file system for `MDStoreDir` to order
    activation of renewed certificates when several cluster nodes are
    restarted at the same time. Store locks are not enabled by default.
    Restored curl_easy cleanup behaviour from v2.4.14 and refactored
    the use of curl_multi for OCSP requests to work with that.
    Fixes <https://github.com/icing/mod_md/issues/293>.
  * ) core: Avoid an overflow on large inputs in ap_is_matchexp.  PR 66033
    [Ruediger Pluem]
  * ) mod_heartmonitor: Allow "HeartbeatMaxServers 0" to use file based
    storage instead of slotmem. Needed after setting
    HeartbeatMaxServers default to the documented value 10 in 2.4.54.
    PR 66131.  [Jérôme Billiras]
  * ) mod_dav: DAVlockDiscovery option to disable WebDAV lock discovery
    This is a game changer for performances if client use PROPFIND a lot,
    PR 66313. [Emmanuel Dreyfus]
* Mon Dec 12 2022 dmueller@suse.com
- switch to pkgconfig(zlib) so that alternative providers can be
  used
* Fri Sep 23 2022 coolo@suse.com
- The 2.4.54 release brought support for PCRE2, but for that we also
  need to change buildrequires to pcre2-devel
* Tue Sep 20 2022 david.anes@suse.com
- Remove references to README.QUICKSTART and point them to
  https://en.opensuse.org/SDB:Apache_installation (bsc#1203573)
* Thu Sep 01 2022 schubi@suse.com
- Migration to /usr/etc: Saving user changed configuration files
  in /etc and restoring them while an RPM update.
* Tue Jun 28 2022 schubi@intern
- Moved logrotate files from user specific directory /etc/logrotate.d
  to vendor specific directory /usr/etc/logrotate.d.
* Wed Jun 08 2022 pgajdos@suse.com
- update httpd-framework to svn revision 1898917
* Wed Jun 08 2022 pgajdos@suse.com
- version update to 2.4.54
  Changes with Apache 2.4.54
  * ) SECURITY: CVE-2022-31813: mod_proxy X-Forwarded-For dropped by
    hop-by-hop mechanism (cve.mitre.org)
    Apache HTTP Server 2.4.53 and earlier may not send the
    X-Forwarded-* headers to the origin server based on client side
    Connection header hop-by-hop mechanism.
    This may be used to bypass IP based authentication on the origin
    server/application.
    Credits: The Apache HTTP Server project would like to thank
    Gaetan Ferry (Synacktiv) for reporting this issue
  * ) SECURITY: CVE-2022-30556: Information Disclosure in mod_lua with
    websockets (cve.mitre.org)
    Apache HTTP Server 2.4.53 and earlier may return lengths to
    applications calling r:wsread() that point past the end of the
    storage allocated for the buffer.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-30522: mod_sed denial of service
    (cve.mitre.org)
    If Apache HTTP Server 2.4.53 is configured to do transformations
    with mod_sed in contexts where the input to mod_sed may be very
    large, mod_sed may make excessively large memory allocations and
    trigger an abort.
    Credits: This issue was found by Brian Moussalli from the JFrog
    Security Research team
  * ) SECURITY: CVE-2022-29404: Denial of service in mod_lua
    r:parsebody (cve.mitre.org)
    In Apache HTTP Server 2.4.53 and earlier, a malicious request to
    a lua script that calls r:parsebody(0) may cause a denial of
    service due to no default limit on possible input size.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-28615: Read beyond bounds in
    ap_strcmp_match() (cve.mitre.org)
    Apache HTTP Server 2.4.53 and earlier may crash or disclose
    information due to a read beyond bounds in ap_strcmp_match()
    when provided with an extremely large input buffer.  While no
    code distributed with the server can be coerced into such a
    call, third-party modules or lua scripts that use
    ap_strcmp_match() may hypothetically be affected.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-28614: read beyond bounds via ap_rwrite()
    (cve.mitre.org)
    The ap_rwrite() function in Apache HTTP Server 2.4.53 and
    earlier may read unintended memory if an attacker can cause the
    server to reflect very large input using ap_rwrite() or
    ap_rputs(), such as with mod_luas r:puts() function.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-28330: read beyond bounds in mod_isapi
    (cve.mitre.org)
    Apache HTTP Server 2.4.53 and earlier on Windows may read beyond
    bounds when configured to process requests with the mod_isapi
    module.
    Credits: The Apache HTTP Server project would like to thank
    Ronald Crane (Zippenhop LLC) for reporting this issue
  * ) SECURITY: CVE-2022-26377: mod_proxy_ajp: Possible request
    smuggling (cve.mitre.org)
    Inconsistent Interpretation of HTTP Requests ('HTTP Request
    Smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server
    allows an attacker to smuggle requests to the AJP server it
    forwards requests to.  This issue affects Apache HTTP Server
    Apache HTTP Server 2.4 version 2.4.53 and prior versions.
    Credits: Ricter Z @ 360 Noah Lab
  * ) mod_ssl: SSLFIPS compatible with OpenSSL 3.0.  PR 66063.
    [Petr Sumbera <petr.sumbera oracle.com>, Yann Ylavic]
  * ) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
    PR 65666.  [Yann Ylavic]
  * ) mod_md:  a bug was fixed that caused very large MDomains
    with the combined DNS names exceeding ~7k to fail, as
    request bodies would contain partially wrong data from
    uninitialized memory. This would have appeared as failure
    in signing-up/renewing such configurations.
    [Stefan Eissing, Ronald Crane (Zippenhop LLC)]
  * ) mod_proxy_http: Avoid 417 responses for non forwardable 100-continue.
    PR 65666.  [Yann Ylavic]
  * ) MPM event: Restart children processes killed before idle maintenance.
    PR 65769.  [Yann Ylavic, Ruediger Pluem]
  * ) ab: Allow for TLSv1.3 when the SSL library supports it.
    [abhilash1232 gmail.com, xiaolongx.jiang intel.com, Yann Ylavic]
  * ) core: Disable TCP_NOPUSH optimization on OSX since it might introduce
    transmission delays.  PR 66019.  [Yann Ylavic]
  * ) MPM event: Fix accounting of active/total processes on ungraceful restart,
    PR 66004 (follow up to PR 65626 from 2.4.52).  [Yann Ylavic]
  * ) core: make ap_escape_quotes() work correctly on strings
    with more than MAX_INT/2 characters, counting quotes double.
    Credit to <generalbugs@zippenhop.com> for finding this.
    [Stefan Eissing]
  * ) mod_md: the `MDCertificateAuthority` directive can take more than one URL/name of
    an ACME CA. This gives a failover for renewals when several consecutive attempts
    to get a certificate failed.
    A new directive was added: `MDRetryDelay` sets the delay of retries.
    A new directive was added: `MDRetryFailover` sets the number of errored
    attempts before an alternate CA is selected for certificate renewals.
    [Stefan Eissing]
  * ) mod_http2: remove unused and insecure code. Fixes PR66037.
    Thanks to Ronald Crane (Zippenhop LLC) for reporting this.
    [Stefan Eissing]
  * ) mod_proxy: Add backend port to log messages to
    ease identification of involved service.  [Rainer Jung]
  * ) mod_http2: removing unscheduling of ongoing tasks when
    connection shows potential abuse by a client. This proved
    counter-productive and the abuse detection can false flag
    requests using server-side-events.
    Fixes <https://github.com/icing/mod_h2/issues/231>.
    [Stefan Eissing]
  * ) mod_md: Implement full auto status ("key: value" type status output).
    Especially not only status summary counts for certificates and
    OCSP stapling but also lists. Auto status format is similar to
    what was used for mod_proxy_balancer.
    [Rainer Jung]
  * ) mod_md: fixed a bug leading to failed transfers for OCSP
    stapling information when more than 6 certificates needed
    updates in the same run.  [Stefan Eissing]
  * ) mod_proxy: Set a status code of 502 in case the backend just closed the
    connection in reply to our forwarded request.  [Ruediger Pluem]
  * ) mod_md: a possible NULL pointer deref was fixed in
    the JSON code for persisting time periods (start+end).
    Fixes #282 on mod_md's github.
    Thanks to @marcstern for finding this.  [Stefan Eissing]
  * ) mod_heartmonitor: Set the documented default value
    "10" for HeartbeatMaxServers instead of "0". With "0"
    no shared memory slotmem was initialized.  [Rainer Jung]
  * ) mod_md: added support for managing certificates via a
    local tailscale daemon for users of that secure networking.
    This gives trusted certificates for tailscale assigned
    domain names in the *.ts.net space.
    [Stefan Eissing]
- modified patches
  % apache-test-application-xml-type.patch (refreshed)
  % apache-test-turn-off-variables-in-ssl-var-lookup.patch (refreshed)
  % apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch (refreshed)
* Mon Mar 14 2022 pgajdos@suse.com
- httpd-framework updated to svn1898917
- deleted patches
  - apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
  - apache2-perl-io-socket.patch (upstreamed)
* Mon Mar 14 2022 pgajdos@suse.com
- httpd-framework updated to svn1898917
- deleted patches
  - apache-test-DirectorySlash-NotFound-logic.patch (upstreamed)
  - apache2-perl-io-socket.patch (upstreamed)
Version: 2.4.51-150400.6.20.1
* Thu Jun 13 2024 pgajdos@suse.com
- added patches [bsc#1226217]
  https://github.com/apache/httpd/pull/444/commits/c2fffd29b0f58bdc9caaaff4fec68e17a676f182
  + apache2-issue-444.patch
Version: 2.4.51-150400.6.17.1
* Tue Apr 30 2024 pgajdos@suse.com
- security update
- added patches
  fix CVE-2023-38709 [bsc#1222330], HTTP response splitting
  + apache2-CVE-2023-38709.patch
  fix CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
  + apache2-CVE-2024-24795.patch
  fix CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
  + apache2-CVE-2024-27316.patch
Version: 2.4.51-150400.6.14.1
* Fri Oct 27 2023 david.anes@suse.com
- Security update:
  * Fix CVE-2023-31122 [bsc#1216424] mod_macro buffer over-read
  * Added apache2-CVE-2023-31122.patch
- Fix for bsc#1214357: apply the standard httpd content type handling
  to responses from the backend.
  * Added apache2-bsc1214357-mod_proxy_http2_apply-standard-content-type.patch
* Wed Jul 05 2023 jcejka@suse.com
- Fix for SG#65054, bsc#1207399:
  Terminate threads before child exit.
  * apache2-core-mpm-add-hook-child_stopped-that-gets-called-whe.patch
  * apache2-core-prefork-run-new-hook-child_stopped-only-on-clea.patch
  * apache2-mod_watchdog-add-assertions-to-cleanup-code.patch
  * apache2-mod_watchdog-do-not-call-a-watchdog-instance-for.patch
  * apache2-mod_watchdog-replace-the-new-volatile-with-atomic-ac.patch
  * apache2-mod_watchdog-use-hook-child_stopping-to-signal-watch.patch
  * apache2-mod_watchdog-use-the-child_stopping-and-child_stoppe.patch
  * apache2-mpm-winnt-add-running-the-child_stopping-hook.patch
Version: 2.4.51-150400.6.11.1
* Thu Mar 09 2023 david.anes@suse.com
- Security update:
  * fix CVE-2023-27522 [bsc#1209049], mod_proxy_uwsgi HTTP response splitting
    + Added patch apache2-CVE-2023-27522.patch
  * fix CVE-2023-25690 [bsc#1209047], HTTP request splitting with mod_rewrite and mod_proxy
    + Added patch apache2-CVE-2023-25690.patch
* Fri Mar 03 2023 david.anes@suse.com
- Rename patches to use proper naming:
  * Rename patch:
  - Removed bsc1207327-fix-mod_proxy-handling-long-urls.patch
  - Added apache2-bsc1207327-fix-mod_proxy-handling-long-urls.patch
- [bsc#1208708] fix passing health check does not recover worker
  from its error state:
  * Added: apache2-bsc1208708-fix-passing-health-check-recover-worker-from-error-state.patch
* Fri Feb 03 2023 david.anes@suse.com
- [bsc#1207327] fix mod_proxy handling of very long urls
  + bsc1207327-fix-mod_proxy-handling-long-urls.patch
Version: 2.4.51-3.37.1
* Wed Dec 22 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-44224 [bsc#1193943], NULL dereference or SSRF in forward proxy configurations
  + apache2-CVE-2021-44224.patch
  fix CVE-2021-44790 [bsc#1193942], buffer overflow when parsing multipart content in mod_lua
  + apache2-CVE-2021-44790.patch
* Thu Nov 18 2021 pgajdos@suse.com
- version update to 2.4.51: fixes also
  CVE-2020-11984 [bsc#1175074] -- mod_proxy_uwsgi info disclosure and possible RCE
  CVE-2020-13950 [bsc#1187040] -- mod_proxy NULL pointer dereference
  CVE-2020-35452 [bsc#1186922] -- Single zero byte stack overflow in mod_auth_digest
  CVE-2021-26690 [bsc#1186923] -- mod_session NULL pointer dereference in parser
  CVE-2021-26691 [bsc#1187017] -- Heap overflow in mod_session
  CVE-2021-30641 [bsc#1187174] -- MergeSlashes regression
  CVE-2021-31618 [bsc#1186924] -- NULL pointer dereference on specially crafted HTTP/2 request
  CVE-2021-33193 [bsc#1189387] -- Request splitting via HTTP/2 method injection and mod_proxy
  CVE-2021-34798 [bsc#1190669] -- NULL pointer dereference via malformed requests
  CVE-2021-36160 [bsc#1190702] -- out-of-bounds read via a crafted request uri-path
  CVE-2021-39275 [bsc#1190666] -- out-of-bounds write in ap_escape_quotes() via malicious input
  CVE-2021-40438 [bsc#1190703] -- SSRF via a crafted request uri-path
  CVE-2020-11993 [bsc#1175070] -- when trace/debug was enabled for the HTTP/2 module logging statements were made on the wrong connection
  CVE-2020-9490 [bsc#1175071] -- specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash
- modified patches
  % httpd-2.4.x-fate317766-config-control-two-protocol-options.diff (refreshed)
- deleted patches
  - apache2-CVE-2020-11984.patch (upstreamed)
  - apache2-CVE-2020-13950.patch (upstreamed)
  - apache2-CVE-2020-35452.patch (upstreamed)
  - apache2-CVE-2021-26690.patch (upstreamed)
  - apache2-CVE-2021-26691.patch (upstreamed)
  - apache2-CVE-2021-30641.patch (upstreamed)
  - apache2-CVE-2021-31618.patch (upstreamed)
  - apache2-CVE-2021-33193.patch (upstreamed)
  - apache2-CVE-2021-34798.patch (upstreamed)
  - apache2-CVE-2021-36160.patch (upstreamed)
  - apache2-CVE-2021-39275.patch (upstreamed)
  - apache2-CVE-2021-40438.patch (upstreamed)
  - apache2-mod_http2-1.15.14.patch (upstreamed)
  - apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
Version: 2.4.51-150400.6.6.1
* Fri Jan 20 2023 david.anes@suse.com
- security update
- added patches:
  fix CVE-2022-37436 [bsc#1207251], mod_proxy backend HTTP response splitting
  + apache2-CVE-2022-37436.patch
  fix CVE-2022-36760 [bsc#1207250], mod_proxy_ajp Possible request smuggling
  + apache2-CVE-2022-36760.patch
  fix CVE-2006-20001 [bsc#1207247], mod_dav out of bounds read, or write of zero byte
  + apache2-CVE-2006-20001.patch
Version: 2.4.51-150400.6.3.1
* Thu May 05 2022 david.anes@suse.com
- fix gensslcert to generate dhparams certificate using a valid
  FIPS method [bsc#1198913]
* Wed Mar 02 2022 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-44224 [bsc#1193943], NULL dereference or SSRF in forward proxy configurations
  + apache2-CVE-2021-44224.patch
  fix CVE-2021-44790 [bsc#1193942], buffer overflow when parsing multipart content in mod_lua
  + apache2-CVE-2021-44790.patch
* Thu Jan 27 2022 pgajdos@suse.com
- ssl-global.conf: set SSLCipherSuite to PROFILE=SYSTEM instead of
  DEFAULT_SUSE [jsc#SLE-22561]
- set also SSLProxyCipherSuite to PROFILE=SYSTEM
- modified sources
  % apache2-ssl-global.conf
* Mon Nov 08 2021 pgajdos@suse.com
- version update to 2.4.51
  * ) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
    unused AP_NORMALIZE_DROP_PARAMETERS flag.
    [Yann Ylavic, Ruediger Pluem, Stefan Eissing, Joe Orton]
* Fri Sep 10 2021 pgajdos@suse.com
- version update to 2.4.50
  * fixes CVE-2020-11984, CVE-2020-13950, CVE-2020-35452,
    CVE-2021-26690, CVE-2021-26691, CVE-2021-30641,
    CVE-2021-31618, CVE-2021-33193, CVE-2021-34798,
    CVE-2021-36160, CVE-2021-39275, CVE-2021-40438
  * see CHANGES for more details
- deleted patches
  - apache2-CVE-2020-11984.patch (upstreamed)
  - apache2-CVE-2020-13950.patch (upstreamed)
  - apache2-CVE-2020-35452.patch (upstreamed)
  - apache2-CVE-2021-26690.patch (upstreamed)
  - apache2-CVE-2021-26691.patch (upstreamed)
  - apache2-CVE-2021-30641.patch (upstreamed)
  - apache2-CVE-2021-31618.patch (upstreamed)
  - apache2-CVE-2021-33193.patch (upstreamed)
  - apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
  - apache2-mod_http2-1.15.14.patch (upstreamed)
Version: 2.4.51-150200.3.48.1
* Fri Jun 10 2022 david.anes@suse.com
- security update
- added patches:
  fix CVE-2022-26377 [bsc#1200338], possible request smuggling in mod_proxy_ajp
  + apache2-CVE-2022-26377.patch
  fix CVE-2022-28614 [bsc#1200340], read beyond bounds via ap_rwrite()
  + apache2-CVE-2022-28614.patch
  fix CVE-2022-28615 [bsc#1200341], read beyond bounds in ap_strcmp_match()
  + apache2-CVE-2022-28615.patch
  fix CVE-2022-29404 [bsc#1200345], denial of service in mod_lua r:parsebody
  + apache2-CVE-2022-29404.patch
  fix CVE-2022-30556 [bsc#1200350], information disclosure in mod_lua with websockets
  + apache2-CVE-2022-30556.patch
  fix CVE-2022-30522 [bsc#1200352], mod_sed denial of service
  + apache2-CVE-2022-30522.patch
  fix CVE-2022-31813 [bsc#1200348], mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism
  + apache2-CVE-2022-31813.patch
Version: 2.4.51-150200.3.45.1
* Fri Jan 08 2021 pgajdos@suse.com
- mod_php8 provides php_module [bsc#1195130]
- modified sources
  % apache2-script-helpers
Version: 2.4.51-150200.3.42.1
* Thu Mar 17 2022 pgajdos@suse.com
- security update
- modified patches
  % apache2-CVE-2022-23943.patch (extended by r1898772 [bsc#1197095c#10])
* Wed Mar 16 2022 david.anes@suse.com
- security update
- added patches
  fix CVE-2022-23943 [bsc#1197098], heap out-of-bounds write in mod_sed
  + apache2-CVE-2022-23943.patch
  fix CVE-2022-22720 [bsc#1197095], HTTP request smuggling due to incorrect error handling
  + apache2-CVE-2022-22720.patch
  fix CVE-2022-22719 [bsc#1197091], use of uninitialized value of in r:parsebody in mod_lua
  + apache2-CVE-2022-22719.patch
  fix CVE-2022-22721 [bsc#1197096], possible buffer overflow with very large or unlimited LimitXMLRequestBody
  + apache2-CVE-2022-22721.patch
- apply correctly patches for CVE-2021-44790 [bsc#1193942] and CVE-2021-44224 [bsc#1193943]
Version: 2.4.43-3.32.1
* Wed Sep 22 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-40438 [bsc#1190703], SSRF via a crafted request uri-path
  + apache2-CVE-2021-40438.patch
  fix CVE-2021-36160 [bsc#1190702], out-of-bounds read via a crafted request uri-path
  + apache2-CVE-2021-36160.patch
  fix CVE-2021-39275 [bsc#1190666], out-of-bounds write in ap_escape_quotes() via malicious input
  + apache2-CVE-2021-39275.patch
  fix CVE-2021-34798 [bsc#1190669], NULL pointer dereference via malformed requests
  + apache2-CVE-2021-34798.patch
Version: 2.4.43-3.25.1
* Fri Aug 13 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-33193 [bsc#1189387], Request splitting via HTTP/2 method injection and mod_proxy
  + apache2-CVE-2021-33193.patch
Version: 2.4.43-3.22.1
* Fri Jun 11 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-30641 [bsc#1187174], MergeSlashes regression
  + apache2-CVE-2021-30641.patch
* Wed Jun 09 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-31618 [bsc#1186924], NULL pointer dereference on specially crafted HTTP/2 request
  + apache2-CVE-2021-31618.patch
* Wed Jun 09 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2021-31618 [bsc#1186924], NULL pointer dereference on specially crafted HTTP/2 request
  + apache2-CVE-2021-31618.patch
* Tue Jun 08 2021 pgajdos@suse.com
- security update
- added patches
  fix CVE-2020-35452 [bsc#1186922], Single zero byte stack overflow in mod_auth_digest
  + apache2-CVE-2020-35452.patch
  fix CVE-2021-26690 [bsc#1186923], mod_session NULL pointer dereference in parser
  + apache2-CVE-2021-26690.patch
  fix CVE-2021-26691 [bsc#1187017], Heap overflow in mod_session
  + apache2-CVE-2021-26691.patch
* Tue Jan 12 2021 pgajdos@suse.com
- gensslcert sets CA:TRUE in basic constrains of CA cert [bsc#1180530]
- modified sources
  % gensslcert
* Wed Oct 14 2020 fbui@suse.com
- systemd-ask-password is located in /usr/bin
* Mon Aug 31 2020 jtomasiak@suse.com
- gensslcert: add -a argument to override default SAN value
* Tue Aug 11 2020 pgajdos@suse.com
- security update
- added patches
  fix CVE-2020-11984 [bsc#1175074], mod_proxy_uwsgi info disclosure and possible RCE
  + apache2-CVE-2020-11984.patch
  fix CVE-2020-11993 [bsc#1175070], CVE-2020-9490 [bsc#1175071]
  + apache2-mod_http2-1.15.14.patch
* Wed Jul 15 2020 pgajdos@suse.com
- fix crash in mod_proxy_uwsgi for empty values of environment
  variables [bsc#1174052]
- added patches
  fix https://svn.apache.org/viewvc?view=revision
  + apache2-mod_proxy_uwsgi-fix-crash.patch
* Fri Apr 03 2020 pgajdos@suse.com
- declare ap_sock_disable_nagle to fix loading mod_proxy_http2
  (thanks to mliska@suse.com)
- modified patches
  % httpd-visibility.patch (refreshed)
* Thu Apr 02 2020 pgajdos@suse.com
- version update to 2.4.43
  * ) mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
  * ) mod_proxy_http: Fix the forwarding of requests with content body when a
    balancer member is unavailable; the retry on the next member was issued
    with an empty body (regression introduced in 2.4.41). PR63891.
    [Yann Ylavic]
  * ) mod_http2: Fixes issue where mod_unique_id would generate non-unique request
    identifier under load, see <https://github.com/icing/mod_h2/issues/195>.
    [Michael Kaufmann, Stefan Eissing]
  * ) mod_proxy_hcheck: Allow healthcheck expressions to use %{Content-Type}.
    PR64140. [Renier Velazco <renier.velazco upr.edu>]
  * ) mod_authz_groupfile: Drop AH01666 from loglevel "error" to "info".
    PR64172.
  * ) mod_usertrack: Add CookieSameSite, CookieHTTPOnly, and CookieSecure
    to allow customization of the usertrack cookie. PR64077.
    [Prashant Keshvani <prashant2400 gmail.com>, Eric Covener]
  * ) mod_proxy_ajp: Add "secret" parameter to proxy workers to implement legacy
    AJP13 authentication.  PR 53098. [Dmitry A. Bakshaev <dab1818 gmail com>]
  * ) mpm_event: avoid possible KeepAliveTimeout off by -100 ms.
    [Eric Covener, Yann Ylavic]
  * ) Add a config layout for OpenWRT. [Graham Leggett]
  * ) Add support for cross compiling to apxs. If apxs is being executed from
    somewhere other than its target location, add that prefix to includes and
    library directories. Without this, apxs would fail to find config_vars.mk
    and exit. [Graham Leggett]
  * ) mod_ssl: Disable client verification on ACME ALPN challenges. Fixes github
    issue mod_md#172 (https://github.com/icing/mod_md/issues/172).
    [Michael Kaufmann <mail michael-kaufmann.ch>, Stefan Eissing]
  * ) mod_ssl: use OPENSSL_init_ssl() to initialise OpenSSL on versions 1.1+.
    [Graham Leggett]
  * ) mod_ssl: Support use of private keys and certificates from an
    OpenSSL ENGINE via PKCS#11 URIs in SSLCertificateFile/KeyFile.
    [Anderson Sasaki <ansasaki redhat.com>, Joe Orton]
  * ) mod_md:
  - Prefer MDContactEmail directive to ServerAdmin for registration. New directive
    thanks to Timothe Litt (@tlhackque).
  - protocol check for pre-configured "tls-alpn-01" challenge has been improved. It will now
    check all matching virtual hosts for protocol support. Thanks to @mkauf.
  - Corrected a check when OCSP stapling was configured for hosts
    where the responsible MDomain is not clear, by Michal Karm Babacek (@Karm).
  - Softening the restrictions where mod_md configuration directives may appear. This should
    allow for use in <If> and <Macro> sections. If all possible variations lead to the configuration
    you wanted in the first place, is another matter.
    [Michael Kaufmann <mail michael-kaufmann.ch>, Timothe Litt (@tlhackque),
    Michal Karm Babacek (@Karm), Stefan Eissing (@icing)]
  * ) test: Added continuous testing with Travis CI.
    This tests various scenarios on Ubuntu with the full test suite.
    Architectures tested: amd64, s390x, ppc64le, arm64
    The tests pass successfully.
    [Luca Toscano, Joe Orton, Mike Rumph, and others]
  * ) core: Be stricter in parsing of Transfer-Encoding headers.
    [ZeddYu <zeddyu.lu gmail.com>, Eric Covener]
  * ) mod_ssl: negotiate the TLS protocol version per name based vhost
    configuration, when linked with OpenSSL-1.1.1 or later. The base vhost's
    SSLProtocol (from the first vhost declared on the IP:port) is now only
    relevant if no SSLProtocol is declared for the vhost or globally,
    otherwise the vhost or global value apply.  [Yann Ylavic]
  * ) mod_cgi, mod_cgid: Fix a memory leak in some error cases with large script
    output.  PR 64096.  [Joe Orton]
  * ) config: Speed up graceful restarts by using pre-hashed command table. PR 64066.
    [Giovanni Bechis <giovanni paclan.it>, Jim Jagielski]
  * ) mod_systemd: New module providing integration with systemd.  [Jan Kaluza]
  * ) mod_lua: Add r:headers_in_table, r:headers_out_table, r:err_headers_out_table,
    r:notes_table, r:subprocess_env_table as read-only native table alternatives
    that can be iterated over. [Eric Covener]
  * ) mod_http2: Fixed rare cases where a h2 worker could deadlock the main connection.
    [Yann Ylavic, Stefan Eissing]
  * ) mod_lua: Accept nil assignments to the exposed tables (r.subprocess_env,
    r.headers_out, etc) to remove the key from the table. PR63971.
    [Eric Covener]
  * ) mod_http2: Fixed interaction with mod_reqtimeout. A loaded mod_http2 was disabling the
    ssl handshake timeouts. Also, fixed a mistake of the last version that made `H2Direct`
    always `on`, regardless of configuration. Found and reported by
    <Armin.Abfalterer@united-security-providers.ch> and
    <Marcial.Rion@united-security-providers.ch>. [Stefan Eissing]
  * ) mod_http2: Multiple field length violations in the same request no longer cause
    several log entries to be written. [@mkauf]
  * ) mod_ssl: OCSP does not apply to proxy mode.  PR 63679.
    [Lubos Uhliarik <luhliari redhat.com>, Yann Ylavic]
  * ) mod_proxy_html, mod_xml2enc: Fix build issues with macOS due to r1864469
    [Jim Jagielski]
  * ) mod_authn_socache: Increase the maximum length of strings that can be cached by
    the module from 100 to 256.  PR 62149 [<thorsten.meinl knime.com>]
  * ) mod_proxy: Fix crash by resolving pool concurrency problems. PR 63503
    [Ruediger Pluem, Eric Covener]
  * ) core: On Windows, fix a start-up crash if <IfFile ...> is used with a path that is not
    valid (For example, testing for a file on a flash drive that is not mounted)
    [Christophe Jaillet]
  * ) mod_deflate, mod_brotli: honor "Accept-Encoding: foo;q=0" as per RFC 7231; which
    means 'foo' is "not acceptable".  PR 58158 [Chistophe Jaillet]
  * ) mod_md v2.2.3:
  - Configuring MDCAChallenges replaces any previous existing challenge configuration. It
    had been additive before which was not the intended behaviour. [@mkauf]
  - Fixing order of ACME challenges used when nothing else configured. Code now behaves as
    documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
  - Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
  - Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
    "transfer-encoding" to POST requests. This failed in directy communication with
    Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing. [Stefan Eissing]
  * ) mod_md: Adding the several new features.
    The module offers an implementation of OCSP Stapling that can replace fully or
    for a limited set of domains the existing one from mod_ssl. OCSP handling
    is part of mod_md's monitoring and message notifications. If can be used
    for sites that do not have ACME certificates.
    The url for a CTLog Monitor can be configured. It is used in the server-status
    to link to the external status page of a certicate.
    The MDMessageCmd is called with argument "installed" when a new certificate
    has been activated on server restart/reload. This allows for processing of
    the new certificate, for example to applications that require it in different
    locations or formats.
    [Stefan Eissing]
  * ) mod_proxy_balancer: Fix case-sensitive referer check related to CSRF/XSS
    protection. PR 63688. [Armin Abfalterer <a.abfalterer gmail.com>]
- deleted patches
  - apache2-load-private-keys-from-pkcs11.patch (upstreamed)
  - httpd-2.4.3-mod_systemd.patch (upstreamed)
* Wed Feb 26 2020 pgajdos@suse.com
- use r1874196 [SLE-7472] [bsc#1164820c#6]
- modified patches
  % apache2-load-private-keys-from-pkcs11.patch (upstream 2.4.x port)
- deleted patches
  - apache2-load-certificates-from-pkcs11.patch (merged to above)
* Tue Feb 18 2020 pgajdos@suse.com
- require just libbrotli-devel
* Thu Feb 13 2020 pgajdos@suse.com
- build mod_proxy_http2 extension
* Wed Feb 12 2020 pgajdos@suse.com
- fix build for older distributions
* Fri Jan 31 2020 crrodriguez@opensuse.org
- define DEFAULT_LISTENBACKLOG=APR_INT32_MAX. We want apache
  to honour net.core.somaxconn sysctl as the mandatory limit.
  the old value of 511 was never used as until v5.4-rc6 it was
  clamped to 128, in current kernels the default limit is 4096.
  Cannot use the apr_socket_listen(.., -1) idiom because the function
  expects a positive integer argument.
* Mon Jan 20 2020 pgajdos@suse.com
- apache2-devel now provides httpd-devel [bsc#1160100]
* Wed Dec 18 2019 pgajdos@suse.com
- add openssl call to DEFAULT_SUSE comment [bsc#1159480]
- modified sources
  % apache2-ssl-global.conf
* Fri Nov 08 2019 pgajdos@suse.com
- use %license [bsc#1156171]
* Tue Oct 22 2019 pgajdos@suse.com
- load private keys and certificates from pkcs11 token [SLE-7653]
- added patches
  load certificates from openssl engine
  + apache2-load-certificates-from-pkcs11.patch
  load private keys from openssl engine
  + apache2-load-private-keys-from-pkcs11.patch