hiawatha-10.9-bp152.3.23

- Allow read only access with ProtectHome=read-only to enable UserWebsites=yes
  Modified harden_hiawatha.service.patch and hiawatha.service

- Added hardening to systemd service(s) (bsc#1181400). Added patch(es):
  * harden_hiawatha.service.patch
  Modified:
  * hiawatha.service

- Update to version 10.9:
  * Let's Encrypt script installed via CMake.
  * Bugfix: Directory traversal when AllowDotFiles is enabled.
  * Small improvements.

- Update to version 10.8.3:
  * Several fixes in build system
  * Added build system for nghttp2
  * New style for directory index
  * uri_depth added to XML for directory index

- Update to 10.8.4:
  * CVE-2019-8358: Fixed a vulnerability which allowed a remote atacker to perform directory traversal
    when AllowDotFiles was enabled (bsc#1125751).
  * Several fixes in build system
  * Added build system for nghttp2
  * New style for directory index
  * uri_depth added to XML for directory index

- Update to version 10.8.1.:
  * Removed support for secp192r1 and secp192k1 curves, to make it PCI DSS
    compliant out of the box.
  * Small improvements to Let's Encrypt ACMEv2 script.

- Ship Let's Encrypt script within subpackage.

- Add firewalld config files for Leap/SLE >= 15 and TW.

- Update to version 10.8:
  * New Let's Encrypt script that supports ACME v2.
  * Added Syslog option.
  * Added GZipExtensions option.
  * AllowDotFiles now used to show hidden files in directory listings.
  * Removed support for static RSA ciphers.
  * Hiawatha log format changed.
  * Small improvements.
  * Bugfix: certain characters in filenames disrupted directory index output.
  * Bugfix: requesting non-regular files now results in a 403 instead of
    blocking that thread.

- Fix build with mbedtls 2.7.0.

- Update to version 10.7:
  * Connect to a Unix socket via a reverse proxy.
  * Added BlockExtensions setting.
  * Small improvements.
  * Bugfix: error in handling renewal scripts in Let's Encrypt script.

- Update to version 10.6:
  * Added PublicKeyPins option.
  * Added renewal-scripts to Let's Encrypt script.
  * Small changes to CMake build system.
  * Added CustomHeaderBackend option.
  * Renamed CustomHeader option to CustomHeaderClient. Old name still works.
  * Hiawatha ignores FileHashes and ReverseProxy for Let's Encrypt
    authentication requests.
  * Small improvements and bugfixes.

- Update to version 10.4:
  * SkipCacheCookie option added.
  * Added Systemd init script to Debian package.
  * Small improvements and bugfixes.
- Small packaging changes and requirements update

- Build fails with mbedtls < 2.

- Update to version 10.3:
  * PreventCSRF, PreventSQLi and PreventXSS improved.
  * Prevention of MySQL data mining via SQL injection.
  * Added revoke option to Let's Encrypt script.
  * Hiawatha ignores RequireTLS for Let's Encrypt authentication
    requests.
  * Small bugfixes and improvements.
  * Bugfix: possible HTTP request pipelining error after CSRF
    prevented.
- Changes for version 10.2:
  * Added Let's Encrypt script (see extra/letsencrypt).
  * Added support for requesting Let's Encrypt certificates (see
    AccessList and PasswordFile settings in manual page).
  * Small improvements.
  * Bugfix: HideProxy not working for Forwarded header.
- Changes for 10.1:
  * Added Extensions setting.
  * Added support for X-Sendfile header.
  * mbed TLS updated to 2.2.1.
  * Improved SQL injection detection.
  * Small bugfixes and improvements.
- Changes for 10.0:
  * Usage of Directory sections changed.
  * Added support for RFC 5785.
  * Added support for GZip compression. Removed the UseGZfile
    option.
  * Added ECDSA support for TLS 1.0 and TLS 1.1.
  * Replaced UrlToolkit Expire option with ExpirePeriod in
    Directory section.
  * Replaced IgnoreDotHiawatha option with UseLocalConfig.
  * Removed the VolatileObject option.
  * Improved SQL injection detection.
  * mbed TLS updated to 2.2.0.
  * Small improvements.
- Changes for 9.15:
  * Support for WebSockets via reverse proxy.
  * UNIX socket support for connections to WebSockets.
  * Responsive design for directory index and error message.
  * mbed TLS updated to 2.1.2.
  * Fixed mbed TLS linking in CMake configuration.
  * ListenBacklog option added.
  * Small bugfixes.
- Changes for 9.14:
  * mbed TLS updated to 2.0.0.
  * Small bugfixes.
  * Bugfix: crash when sending very large request to FastCGI
    server.

- Fix rpmlint warnings
  * add rcsymlink
  * fix log directory permissions

- Update to 9.13:
  * Renamed SSLcertFile to TLScertFile.
  * Renamed RequireSSL to RequireTLS.
  * Renamed SSL_* CGI environment variables to TLS_*.
  * Renamed UrlToolkit option UseSSL to UseTLS.
  * Replaced MinSSLversion by MinTLSversion.
  * LogTimeouts option added.
  * Added 'skip directories' parameter to reverse proxy.
  * Failed logins sent to Hiawatha Monitor.
  * Small bugfix and improvements.

- Update to 9.12:
  * Bugfix: memory leak in SSL library.
  * Small bugfix.

- Update to 9.11:
  * ChallengeClient option added.
  * UrlToolkit options TotalConnections and OmitRequestLog added.
  * Improvements to UrlToolkit and reverse proxy swap.
  * UrlToolkit rules are also applied to PUT and DELETE.
  * Small improvements.

- Update to 9.10:
  * Support for banning bad clients who connect via a proxy.
  * UrlToolkit option Do added. Changed how Call and Skip should be called.
  * General UrlToolkit improvements. See config/toolkit.conf for syntax.
  * Hiawatha now prefers reverse proxies with a scheme matching the one of the
    client connection. See config/toolkit.conf for syntax.
  * Hiawatha will now first process UrlToolkit rules before using ReverseProxy.
  * Small bugfixes and improvements.

- Update to 9.9:
  * HTTPAuthToCGI option added.
  * BanByCGI option added.
  * Improved SSL ciphersuite selections.
  * CAcertificates options added.
  * Dropped support for SSL3.0.
  * Small bugfixes and improvements.

- Update to 9.8:
  * Added support for websockets. WebSocket option added.
  * SSL key and certificate checks added to wigwam.
  * Small bugfixes and improvements.

- Avoid generating libpolarssl.so.7, which led to "have choice
  for libpolarssl.so.7: libpolarssl7 hiawatha" and make other
  polarssl-using applications not run in practice because the
  library is in a non-standard directory, yet discovered by rpm
  as a provider.

- Update to 9.7:
  * UseToolkit now possible in .hiawatha file at root of website.
  * Method option added to URL Toolkit.
  * SetResourceLimit option added.
  * ThreadKillRate option added.
  * Improved SQL injection detection.
  * Default value for DHsize set to 2048.
  * PolarSSL updated to version 1.3.8.
  * Memory allocation debugger module added.
  * Small bugfixes and improvements.
  * Bugfix: incorrect file hash printing by wigwam with directory as symlink.

- Update to 9.6:
  * Logfile rotation for access logfiles.
  * HTTP Strict Transport Security header made optional for RequireSSL.
  * Support for chunked transfer encoded requests (not for PUT).
  * Support for improved server statistics in Hiawatha Monitor.
  * The Hiawatha Monitor is now supported without the need for XSLT.
  * PolarSSL updated to version 1.3.7.
  * A few bugfixes as reported by Coverity.
  * Bugfix: SQL injection detection was broken since 8.6.
  * Bugfix: XSS detection didn't work for reverse proxy.
  * Small bugfixes.

- Fixes for %_libexecdir changing to /usr/libexec (bsc#1174075)

- Update to version 10.11:
  * Default value of MinTLSversion set to 1.2.
  * Small bugfixes.
- Changes from 10.10:
  * Removed several build options. Functionalities are now always enabled.
  * Updated Let's Encrypt script due to changes in the API.
  * Bugfix: AlterMode not working correctly.

- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by
  firewalld, see [1].
  [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html