File httpd24.changes of Package httpd24

-------------------------------------------------------------------
Sat May 10 01:26:39 UTC 2025 - Michal Kubecek <mkubecek@suse.cz>

- update the keyring

-------------------------------------------------------------------
Sat May 10 00:35:47 UTC 2025 - Michal Kubecek <mkubecek@suse.cz>

- update to version 2.4.63
- update specfile for "modern" %patch syntax (fix 16.0 build)

-------------------------------------------------------------------
Thu Nov 24 10:34:12 UTC 2022 - Michal Kubecek <mkubecek@suse.cz>

- more Factory workarounds
- make devel and manual subpackages noarch where possible

-------------------------------------------------------------------
Thu Nov 24 10:10:35 UTC 2022 - Michal Kubecek <mkubecek@suse.cz>

- update to version 2.4.54
- rename rpmlintrc to httpd24-rpmlintrc and update to keep up
  with latest whims

-------------------------------------------------------------------
Tue Apr 27 15:11:05 UTC 2021 - Michal Kubecek <mkubecek@suse.cz>

- update to version 2.4.46
  * see upstream changelog
- refresh patches and rename them to more descriptive names:
  * httpd-2.4.3-layout.patch -> adjust-layout-to-follow-FHS.patch
  * httpd-2.4.1-config.patch -> adjust-default-config.patch
- also rename other files from the ancient naming scheme
  httpd-2.4.1-init -> httpd.init
  httpd-2.4.1-rpmlintrc -> rpmlintrc
- update rpmlintrc to work around bogus Factory build checks
- add tarball signature and keyring with upstream maintainer key
- add version to libapr1-devel build time dependency

-------------------------------------------------------------------
Sun May 27 18:14:27 UTC 2018 - mkubecek@suse.cz

- update to version 2.4.33
  * mod_authnz_ldap: out-of-bounds write with AuthLDAPCharsetConfig
    enabled (CVE-2017-15710)
  * mod_session: CGI-like applications that intend to read from
    mod_session's 'SessionEnv ON' could be fooled into reading
    user-supplied data instead (CVE-2018-1283)
  * mod_cache_socache: Fix request headers parsing to avoid a
    possible crash with specially crafted input data
    (CVE-2018-1303)
  * core: Possible crash with excessively long HTTP request headers
    (CVE-2018-1301)
  * core: Configure the regular expression engine to match '$' to
    the end of the input string only, excluding matching the end of
    any embedded newline characters; behavior can be changed with
    new directive 'RegexDefaultOptions' (CVE-2017-15715)
  * mod_auth_digest: Fix generation of nonce values to prevent
    replay attacks across servers using a common Digest domain
    (CVE-2018-1312)
  * mod_http2: Potential crash w/ mod_http2 (CVE-2018-1302)
  * many other fixes

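The '$' behaviour behind CVE-2017-15715 above is easy to reproduce outside httpd, because Python's re engine treats '$' the way PCRE does without DOLLAR_ENDONLY: it also matches just before a final newline. The following is an added example, not code from the httpd project or from this package; the filenames, the application-side suffix filter and the handler patterns are constructed for illustration, and '\Z' stands in for what httpd 2.4.33 now does by default.

```python
import re

# Constructed sample filenames (not from the page). The third carries a
# trailing newline, which an attacker can place in a multipart upload name.
PDF_NAME = "report.pdf"
PHP_NAME = "shell.php"
TRICKY_NAME = "shell.php\n"

# A FilesMatch-style pattern compiled with default options: like PCRE without
# DOLLAR_ENDONLY, Python's '$' also matches just before a final newline.
LEGACY_HANDLER = re.compile(r"\.php$")

# The 2.4.33 default in Python terms: anchor at the true end of the string only.
STRICT_HANDLER = re.compile(r"\.php\Z")


def app_blocks_upload(name: str) -> bool:
    """Hypothetical application-side blacklist using an exact suffix check.

    'shell.php\\n' ends in 'php\\n', not '.php', so it slips through here.
    """
    return name.lower().endswith(".php")


def legacy_server_executes(name: str) -> bool:
    """Would the pre-2.4.33 '$' semantics hand this name to the PHP handler?"""
    return LEGACY_HANDLER.search(name) is not None


def strict_server_executes(name: str) -> bool:
    """Same question with '$' (here '\\Z') matching only at the real end."""
    return STRICT_HANDLER.search(name) is not None


def upload_outcome(name: str, strict_dollar: bool) -> str:
    """Run the app filter and then the server-side handler match in sequence.

    Returns 'blocked', 'stored-inert' or 'stored-executable'. The dangerous
    combination is a strict app check paired with a loose server match.
    """
    if app_blocks_upload(name):
        return "blocked"
    if strict_dollar:
        executes = strict_server_executes(name)
    else:
        executes = legacy_server_executes(name)
    return "stored-executable" if executes else "stored-inert"


def sanitize_filename(name: str) -> str:
    """Application-side defence that does not depend on any regex engine's
    notion of end-of-string: reject control characters outright."""
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        raise ValueError("control character in filename")
    return name


if __name__ == "__main__":
    for name in (PDF_NAME, PHP_NAME, TRICKY_NAME):
        print(repr(name), upload_outcome(name, strict_dollar=False),
              upload_outcome(name, strict_dollar=True))
```

The point to take from it: two parsers disagreeing about where a string ends is the bug, so auditing a 2.4.33+ deployment means checking that nobody has set 'RegexDefaultOptions' back to the old behaviour, and the upload code should still reject control characters itself.
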
-------------------------------------------------------------------
Sat Nov 11 17:05:17 UTC 2017 - mkubecek@suse.cz

- update to version 2.4.29
  * mod_mime can read one byte past the end of a buffer when
    sending a malicious Content-Type response header
    (CVE-2017-7679)
  * bug in token list parsing, which allows ap_find_token() to
    search past the end of its input string (CVE-2017-7668)
  * a maliciously constructed HTTP/2 request could cause mod_http2
    to dereference a NULL pointer and crash the server process
    (CVE-2017-7659)
  * mod_ssl may dereference a NULL pointer when third-party modules
    call ap_hook_process_connection() during an HTTP request to an
    HTTPS port (CVE-2017-3169)
  * use of the ap_get_basic_auth_pw() by third-party modules
    outside of the authentication phase may lead to authentication
    requirements being bypassed (CVE-2017-3167)
  * mod_http2: read after free; when under stress, closing many
    connections, the HTTP/2 handling code would sometimes access
    memory after it has been freed, resulting in potentially
    erratic behaviour (CVE-2017-9789)
  * mod_auth_digest: Uninitialized memory reflection.  The value
    placeholder in [Proxy-]Authorization headers type 'Digest' was
    not initialized or reset before or between successive key=value
    assignments (CVE-2017-9788)
  * corrupted or freed memory access. <Limit[Except]> must now be
    used in the main configuration file (httpd.conf) to register
    HTTP methods before the .htaccess files (CVE-2017-9798)
  * HTTP/2 support no longer tagged as "experimental" but is
    instead considered fully production ready
  * mod_http2: Disable and give warning when using Prefork; the
    server will continue to run, but HTTP/2 will no longer be
    negotiated

-------------------------------------------------------------------
Tue Mar 14 06:39:18 UTC 2017 - mkubecek@suse.cz

- update to version 2.4.25
  * mod_http2: mitigate DoS memory exhaustion via endless
    CONTINUATION frames
  * core: mitigate [f]cgi "httpoxy" issues (CVE-2016-5387)
  * mod_auth_digest: prevent segfaults during client entry
    allocation when the shared memory space is exhausted
    (CVE-2016-2161)
  * mod_session_crypto: authenticate the session data/cookie with a
    MAC (SipHash) to prevent deciphering or tampering with a
    padding oracle attack
  * enforce HTTP request grammar corresponding to RFC7230 for
    request lines and request headers, to prevent response
    splitting and cache pollution by malicious clients or
    downstream proxies (CVE-2016-8743)
  * validate HTTP response header grammar defined by RFC7230,
    resulting in a 500 error in the event that invalid response
    header contents are detected when serving the response, to
    avoid response splitting and cache pollution by malicious
    clients, upstream servers or faulty modules
  * core: new directive HttpProtocolOptions to control httpd
    enforcement of various RFC7230 requirements
  * mod_http2: new directive 'H2PushResource' to enable early
    pushes before processing of the main request starts
  * mod_proxy_http2: adding support for newly proposed 103 status
    code
- add explicit insserv prerequisites

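The RFC 7230 grammar enforcement that the 2.4.25 entry describes (CVE-2016-8743) comes down to a few rules: field names are tokens, no whitespace before the colon, no bare CR or LF inside a value, no obs-fold continuation lines. What follows is an added example in Python, not httpd code and not a drop-in for any httpd API; it implements a strict header parser of the kind 'HttpProtocolOptions Strict' enforces next to a tolerant one, over constructed sample headers, so the response-splitting difference is visible.

```python
import re
from typing import List, Tuple

# RFC 7230 section 3.2.6 token characters (tchar).
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# RFC 7230 section 3.2 field-value content: HTAB, SP, VCHAR and obs-text
# (0x80-0xFF, decoded here as latin-1). CR, LF and NUL are never legal.
FIELD_VALUE_RE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


class HeaderSyntaxError(ValueError):
    """Raised where a strict server would answer 400 Bad Request."""


def parse_header_line(line: bytes) -> Tuple[str, str]:
    """Parse one header line (CRLF already removed) under strict RFC 7230 rules.

    Rejects obs-fold continuation lines, whitespace between field-name and
    colon (section 3.2.4), non-token names and CR/LF/NUL inside the value.
    fullmatch() is used deliberately: '$' would accept a trailing newline.
    """
    if line[:1] in (b" ", b"\t"):
        raise HeaderSyntaxError("obs-fold continuation line")
    name, sep, value = line.partition(b":")
    if not sep:
        raise HeaderSyntaxError("no ':' in header line")
    name_s = name.decode("latin-1")
    if not TOKEN_RE.fullmatch(name_s):
        raise HeaderSyntaxError(f"field-name {name_s!r} is not a token")
    value_s = value.decode("latin-1")
    if not FIELD_VALUE_RE.fullmatch(value_s):
        raise HeaderSyntaxError(f"illegal byte in value of {name_s}")
    return name_s, value_s.strip(" \t")


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Strictly parse a header block terminated by an empty CRLF line.

    Lines are split on CRLF only; a bare LF anywhere is a hard error, which is
    what stops one logical line from being read back as two fields.
    """
    if not raw.endswith(b"\r\n"):
        raise HeaderSyntaxError("header block must end with CRLF")
    if b"\n" in raw.replace(b"\r\n", b""):
        raise HeaderSyntaxError("bare LF in header block")
    fields = []
    for line in raw.split(b"\r\n")[:-1]:
        if line == b"":
            break
        fields.append(parse_header_line(line))
    return fields


def lenient_parse(raw: bytes) -> List[Tuple[str, str]]:
    """A tolerant parser of the older kind: splits on any LF, drops a trailing
    CR and trims the name. Included only to show what the strict rules prevent."""
    fields = []
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if line == b"":
            break
        name, _, value = line.partition(b":")
        fields.append((name.strip().decode("latin-1"), value.strip().decode("latin-1")))
    return fields


# Constructed samples (not captured traffic).
GOOD = b"Host: example.test\r\nContent-Length: 12\r\n\r\n"
SPLIT = b"Location: /login\nSet-Cookie: session=attacker\r\n\r\n"  # bare LF
SPACE_BEFORE_COLON = b"Host : example.test\r\n\r\n"
OBS_FOLD = b"X-Long: first part\r\n second part\r\n\r\n"


def strict_verdict(raw: bytes) -> str:
    """'ok' or the strict parser's reason for a 400, for quick comparison."""
    try:
        parse_header_block(raw)
        return "ok"
    except HeaderSyntaxError as exc:
        return str(exc)
```

With the SPLIT sample the tolerant parser yields two fields, Location and Set-Cookie, from what was sent as one header; the strict parser refuses the whole block. That refusal is what keeps a downstream cache or client from seeing the injected field, and it is why 'HttpProtocolOptions Unsafe' should only ever be a deliberate, documented exception.
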
-------------------------------------------------------------------
Mon Sep  5 08:00:58 UTC 2016 - mkubecek@suse.cz

- update to version 2.4.23
  * mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck
    directive to opt-in previous behaviour (2.2) with CRLs
    verification when checking certificate(s) with no corresponding
    CRL.
  * mod_ssl: reset client-verify state of ssl when aborting
    renegotiations
  * mod_http2: lots of fixes
- specfile cleanup

-------------------------------------------------------------------
Fri Jul  1 13:10:24 UTC 2016 - mike@mk-sys.cz

- update to version 2.4.20
  * mod_log_config: Add GlobalLog to allow a globally defined log
    to be inherited by virtual hosts that define a CustomLog
  * mod_http2: lots of fixes

-------------------------------------------------------------------
Sat Dec 26 21:53:26 UTC 2015 - mike@mk-sys.cz

- update to version 2.4.18
  * mod_http2: added donated HTTP/2 implementation via core module;
    similar configuration options to mod_ssl
  * mod_ssl: enable support for configuring the SUITEB* cipher
    strings introduced in OpenSSL 1.0.2
  * MPMs: support SO_REUSEPORT to create multiple duplicated
    listener records for scalability

-------------------------------------------------------------------
Wed Sep 30 18:17:00 UTC 2015 - mike@mk-sys.cz

- update to version 2.4.16
  * mod_proxy_fcgi: Fix a potential crash due to buffer over-read,
    with response headers' size above 8K (CVE-2014-3583)
  * mod_cache: Avoid a crash when Content-Type has an empty value
    (CVE-2014-3581)
  * mod_lua: Fix handling of the Require line when a
    LuaAuthzProvider is used in multiple Require directives with
    different arguments (CVE-2014-8109)
  * core: HTTP trailers could be used to replace HTTP headers late
    during request processing, potentially undoing or otherwise
    confusing modules that examined or modified request headers
    earlier.  Adds "MergeTrailers" directive to restore legacy
    behavior. (CVE-2013-5704)
  * mod_ssl: New directive SSLSessionTickets (On|Off)
  * core: Fix a crash with ErrorDocument 400 pointing to a local
    URL-path with the INCLUDES filter active, introduced in 2.4.11
    (CVE-2015-0253)
  * mod_lua: A maliciously crafted websockets PING after a script
    calls r:wsupgrade() can cause a child process crash
    (CVE-2015-0228)
  * core: Fix chunk header parsing defect (CVE-2015-3183)
  * Replacement of ap_some_auth_required (unusable in Apache httpd
    2.4) with new ap_some_authn_required and ap_force_authn hook
    (CVE-2015-3185)

-------------------------------------------------------------------
Thu Sep  4 08:16:27 UTC 2014 - mike@mk-sys.cz

- update to version 2.4.10
  * mod_proxy: Fix crash in Connection header handling which
    allowed a denial of service attack against a reverse proxy
    with a threaded MPM.
    (CVE-2014-0117)
  * Fix a race condition in scoreboard handling, which could lead to
    a heap buffer overflow.
    (CVE-2014-0226)
  * mod_deflate: The DEFLATE input filter (inflates request bodies)
    now limits the length and compression ratio of inflated request
    bodies to avoid denial of service via highly compressed bodies.
    (CVE-2014-0118)
  * mod_cgid: Fix a denial of service against CGI scripts that do
    not consume stdin that could lead to lingering HTTPD child
    processes filling up the scoreboard and eventually hanging the
    server.
    (CVE-2014-0231)

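The mod_deflate change for CVE-2014-0118 above is a bounded inflater: stop as soon as the output exceeds a hard size or grows faster than an allowed ratio against the input consumed so far. The block below is an added example in Python, not httpd code; it demonstrates the same two guards over constructed inputs (a benign body and two zlib bombs), and the limit values are assumptions chosen for the demo rather than mod_deflate's defaults. In httpd itself the equivalent knobs are DeflateInflateLimitRequestBody, DeflateInflateRatioLimit and DeflateInflateRatioBurst.

```python
import zlib


class InflateLimitExceeded(ValueError):
    """Raised instead of completing a decompression that breaks a limit."""

    def __init__(self, reason: str, produced: int, consumed: int):
        super().__init__(f"{reason}: {produced} bytes out from {consumed} bytes in")
        self.reason = reason


def inflate_limited(data: bytes, max_out: int = 1 << 20, max_ratio: int = 200,
                    chunk: int = 4096) -> bytes:
    """Inflate a zlib stream while enforcing an absolute output cap and an
    output:input ratio cap, checked after every bounded decompress() call.

    max_length on decompress() is what keeps memory bounded: zlib parks the
    rest of the input in unconsumed_tail instead of expanding it all at once.
    """
    d = zlib.decompressobj()
    out = bytearray()
    consumed = 0
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        consumed += len(piece)
        while piece:
            # Never let one call produce more than would already break the cap.
            out += d.decompress(piece, max_out - len(out) + 1)
            if len(out) > max_out:
                raise InflateLimitExceeded("size limit", len(out), consumed)
            if len(out) > max_ratio * consumed:
                raise InflateLimitExceeded("ratio limit", len(out), consumed)
            piece = d.unconsumed_tail
    out += d.flush()
    if len(out) > max_out:
        raise InflateLimitExceeded("size limit", len(out), consumed)
    return bytes(out)


def classify(data: bytes) -> str:
    """'ok', 'size limit' or 'ratio limit' for a compressed body."""
    try:
        inflate_limited(data)
        return "ok"
    except InflateLimitExceeded as exc:
        return exc.reason


# Constructed inputs (not captured traffic).
BENIGN_PLAIN = bytes(range(256)) * 64               # 16 KiB, modest ratio
BENIGN = zlib.compress(BENIGN_PLAIN)
BIG_BOMB = zlib.compress(b"\0" * (8 << 20))         # 8 MiB of zeros, ~8 KiB compressed
RATIO_BOMB = zlib.compress(b"\0" * 500_000)         # under max_out, but ~1000:1
```

The ratio guard matters for the second bomb: it stays under the absolute cap, so only the ratio check catches it. Whether a ratio that high is legitimate depends on the application; a burst allowance, as mod_deflate has, is the usual way to tolerate a short run of highly compressible data at the start of a body.
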
-------------------------------------------------------------------
Sun Mar 23 16:58:57 UTC 2014 - mike@mk-sys.cz

- update to version 2.4.9
  * mod_session_dbd: Make sure that dirty flag is respected when
    saving sessions, and ensure the session ID is changed each time
    the session changes. This changes the format of the
    updatesession SQL statement.  Existing configurations must be
    changed.
    (CVE-2013-2249)
  * mod_dav: Sending a MERGE request against a URI handled by
    mod_dav_svn with the source href (sent as part of the request
    body as XML) pointing to a URI that is not configured for DAV
    will trigger a segfault.
    (CVE-2013-1896)
  * mod_dav: Keep track of length of cdata properly when removing
    leading spaces. Eliminates a potential denial of service from
    specifically crafted DAV WRITE requests
    (CVE-2013-6438)
  * Clean up cookie logging with fewer redundant string parsing
    passes.  Log only cookies with a value assignment. Prevents
    segfaults when logging truncated cookies.
    (CVE-2014-0098)
  * APR 1.5.0 or later is now required for the event MPM.

-------------------------------------------------------------------
Sat Jun 22 01:32:53 UTC 2013 - mike@mk-sys.cz

- add zlib-devel and openssl-devel to BuildRequires to fix build
  in Factory

-------------------------------------------------------------------
Mon Mar 18 08:13:25 UTC 2013 - mike@mk-sys.cz

- update to version 2.4.4
  * various XSS flaws due to unescaped hostnames and URIs in HTML
    output in mod_info, mod_status, mod_imagemap, mod_ldap, and
    mod_proxy_ftp
    (CVE-2012-3499)
  * an XSS flaw affected the mod_proxy_balancer manager interface
    (CVE-2012-4558)

-------------------------------------------------------------------
Fri Sep 14 13:08:31 UTC 2012 - mike@mk-sys.cz

- update to version 2.4.3
  * mod_proxy_ajp, mod_proxy_http: Fix an issue in back end
    connection closing which could lead to privacy issues due
    to a response mixup. PR 53727. (CVE-2012-3502)
  * mod_negotiation: Escape filenames in variant list to prevent a
    possible XSS for a site where untrusted users can upload files
    to a location with MultiViews enabled. (CVE-2012-2687)
- httpd-2.4.3-layout.patch: refresh

-------------------------------------------------------------------
Tue Apr 17 18:51:19 UTC 2012 - mike@mk-sys.cz

- update to version 2.4.2
  * envvars: Fix insecure handling of LD_LIBRARY_PATH that could
    lead to the current working directory being searched for DSOs
  * Various bugfixes

-------------------------------------------------------------------
Sun Mar 18 12:42:25 UTC 2012 - mike@mk-sys.cz

- build as PIE to silence rpmlint/brp

-------------------------------------------------------------------
Mon Feb 27 17:28:08 UTC 2012 - mike@mk-sys.cz

- initial 2.4 package forked from 2.2 sources

-------------------------------------------------------------------