-------------------------------------------------------------------
Tue Feb 14 03:50:39 CET 2012 - draht@suse.de

- /etc/init.d/apache2: new argument "check-reload". Exits 1 if
httpd2 runs on deleted binaries such as after package update,
else 0. This is used by equally modified /etc/logrotate.d/apache2,
which uses "/etc/init.d/apache2 check-reload" in its prerotate
script.
These changes prevent httpd2 from being (gracefully) reloaded
by logrotate, executed by cron, if new binaries have been
installed. Instead, a warning is printed on stdout and is being
logged to the syslogs. If this happens, apache's logs are NOT
rotated, and the running processes are left untouched. This
limits the maximum damage of log rotation to unrotated logs.
"/etc/init.d/apache2 restart" (or "rcapache2 restart") must be
executed manually in such a case. [bnc#728876]
- httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff
addresses CVE-2012-0053: error responses can expose cookies when
no custom 400 error code ErrorDocument is configured. [bnc#743743]
- httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff:
scoreboard corruption (shared mem segment) by child causes
crash of privileged parent (invalid free()) during shutdown.
This is rated low impact. Notice:
https://svn.apache.org/viewvc?view=revision&revision=1230065
makes a change to the struct global_score, which causes binary
incompatibility. The change in above patch only goes as far as
the binary compatibility allows; the vulnerability is completely
fixed, though. CVE-2012-0031 [bnc#741243]
- httpd-2.2.x-bnc738855-CVE-2007-6750-mod_reqtimeout-0*.diff:
backport mod_reqtimeout module from 2.2.21 to help against
Slowloris.pl DoS vulnerability that consists of eating up
request slots by very slowly submitting the request. [bnc#738855]
Note that mod_reqtimeout limits requests based on a lower
boundary of speed, not an upper boundary!
mod_reqtimeout is enabled upon new installation of the package.
Existing configuration in /etc/sysconfig/apache2 is left untouched.