Changes of Revision 26
Added | apache2.changes
x 1
2 +------------------------------------------------------------------- 3 +Fri Nov 21 12:01:00 CET 2008 - skh@suse.de 4 + 5 +- apache2-server-tuning.conf: 6 + Enclose module-specific configuration in IfModule tags [bnc#440584] 7 + 8 +------------------------------------------------------------------- 9 +Fri Nov 14 09:40:05 CET 2008 - poeml@suse.de 10 + 11 +- apply Dirks fix for [bnc#444878], making the packaging of per-mpm 12 + modules more deterministic. They'll reliably put into the 13 + subpackage or main package now, which varied in a ping-pong way 14 + from build to build in the past. 15 + 16 +------------------------------------------------------------------- 17 +Wed Oct 29 18:38:17 CET 2008 - poeml@suse.de 18 + 19 +- update year of copyright in rc.apache2 20 + 21 +------------------------------------------------------------------- 22 +Wed Oct 29 00:13:58 CET 2008 - poeml@suse.de 23 + 24 +- update to 2.2.10: 25 + SECURITY: CVE-2008-2939 (cve.mitre.org) 26 + mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of 27 + the FTP URL. Discovered by Marc Bevand of Rapid7. 28 + core: 29 + - Support chroot on Unix-family platforms. PR 43596 30 + mod_authn_alias: 31 + - Detect during startup when AuthDigestProvider is configured to 32 + use an incompatible provider via AuthnProviderAlias. PR 45196 33 + mod_cgid: 34 + - Pass along empty command line arguments from an ISINDEX query 35 + that has consecutive '+' characters in the QUERY_STRING, 36 + matching the behavior of mod_cgi. 37 + mod_charset_lite: 38 + - Avoid dropping error responses by handling meta buckets 39 + correctly. PR 45687 40 + mod_dav_fs: 41 + - Retrieve minimal system information about directory entries 42 + when walking a DAV fs, resolving a performance degradation on 43 + Windows. PR 45464. 44 + mod_headers: 45 + - Prevent Header edit from processing only the first header of 46 + possibly multiple headers with the same name and deleting the 47 + remaining ones. PR 45333. 
48 + mod_proxy: 49 + - Allow for smax to be 0 for balancer members so that all idle 50 + connections are able to be dropped should they exceed ttl. PR 43371 51 + - Add 'scolonpathdelim' parameter to allow for ';' to also be 52 + used as a session path separator/delim PR 45158. 53 + - Add connectiontimeout parameter for proxy workers in order to 54 + be able to set the timeout for connecting to the backend separately. 55 + PR 45445. 56 + mod_proxy_http: 57 + - Don't trigger a retry by the client if a failure to 58 + read the response line was the result of a timeout. 59 + - Introduce environment variable proxy-initial-not-pooled to 60 + avoid reusing pooled connections if the client connection is an initial 61 + connection. PR 37770. 62 + - Do not forward requests with 'Expect: 100-continue' to 63 + known HTTP/1.0 servers. Return 'Expectation failed' (417) instead. 64 + mod_proxy_balancer: 65 + - Move nonce field in the balancer manager page inside 66 + the html form where it belongs. PR 45578. 67 + - Add 'bybusyness' load balance method. 68 + mod_rewrite: 69 + - Allow Cookie option to set secure and HttpOnly flags. PR 44799 70 + - Preserve the query string when [proxy,noescape]. PR 45247. 71 + mod_ssl: 72 + - implement dynamic mutex callbacks for the benefit of OpenSSL. 73 + - Rewrite shmcb to avoid memory alignment issues. PR 42101. 
74 +- drop obsolete patch httpd-2.2.x-CVE-2008-2939.patch 75 + 76 +------------------------------------------------------------------- 77 +Fri Oct 24 13:23:41 CEST 2008 - skh@suse.de 78 + 79 +- apache2.firewall, apache2.ssl-firewall 80 + Use unique name tags "HTTP Server" and "HTTPS Server" in for 81 + SuSEFirewall2 configuration [bnc#414962] 82 + 83 +------------------------------------------------------------------- 84 +Fri Sep 19 16:18:39 CEST 2008 - skh@suse.de 85 + 86 +- add httpd-2.x.x-logresolve.patch again [bnc#210904] 87 +- add httpd-2.2.x-CVE-2008-2939.patch [bnc#415061]: 88 + mod_proxy_ftp: Prevent XSS attacks when using wildcards in 89 + the path of the FTP URL. Discovered by Marc Bevand of Rapid7. 90 + [Ruediger Pluem] 91 + 92 +------------------------------------------------------------------- 93 +Tue Aug 26 22:59:55 CEST 2008 - poeml@suse.de 94 + 95 +- drop rc.config handling (was removed in or after SuSE Linux 8.0) 96 +- don't use fillup_insserv options which have been removed lately 97 + 98 +------------------------------------------------------------------- 99 +Fri Aug 15 11:25:47 CEST 2008 - poeml@suse.de 100 + 101 +- fix init script LSB headers 102 + 103 +------------------------------------------------------------------- 104 +Wed Jun 25 14:36:06 CEST 2008 - poeml@suse.de 105 + 106 +- add note to /etc/sysconfig/apache2 and /etc/init.d/apache2 about 107 + how to set ulimits when starting the server 108 +- undocument APACHE_BUFFERED_LOGS and APACHE_TIMEOUT in the 109 + sysconfig template. They still work but I think it is good to 110 + keep this stuff out of the beginner's config, first because both 111 + features are sophisticated enough to not being tweaked in most 112 + cases, second because it only confuses people I guess, and makes 113 + the sysconfig file larger than necessary. 
114 + 115 +------------------------------------------------------------------- 116 +Sun Jun 15 19:39:46 CEST 2008 - poeml@suse.de 117 + 118 +- update to 2.2.9: 119 + SECURITY: CVE-2008-2364 (cve.mitre.org) 120 + mod_proxy_http: Better handling of excessive interim responses 121 + from origin server to prevent potential denial of service and 122 + high memory usage. Reported by Ryujiro Shibuya. 123 + SECURITY: CVE-2007-6420 (cve.mitre.org) 124 + mod_proxy_balancer: Prevent CSRF attacks against the 125 + balancer-manager interface. 126 + - htpasswd: Fix salt generation weakness. PR 31440 127 + worker/event MPM: 128 + - Fix race condition in pool recycling that leads to 129 + segmentation faults under load. PR 44402 130 + core: 131 + - Fix address-in-use startup failure on some platforms caused by 132 + creating an IPv4 listener which overlaps with an existing IPv6 133 + listener. 134 + - Add the filename of the configuration file to the warning 135 + message about the useless use of AllowOverride. PR 39992. 136 + - Do not allow Options ALL if not all options are allowed to be 137 + overwritten. PR 44262 138 + - reinstate location walk to fix config for subrequests PR 41960 139 + - Fix garbled TRACE response on EBCDIC platforms. 140 + - gen_test_char: add double-quote to the list of 141 + T_HTTP_TOKEN_STOP. PR 9727 142 + http_filters: 143 + - Don't return 100-continue on redirects. PR 43711 144 + - Don't return 100-continue on client error PR 43711 145 + - Don't spin if get an error when reading the next chunk. PR 44381 146 + - Don't add bogus duplicate Content-Language entries 147 + suexec: 148 + - When group is given as a numeric gid, validate it by looking up 149 + the actual group name such that the name can be used in log entries. 150 + PR 7862 151 + mod_authn_dbd: 152 + - Disambiguate and tidy database authentication error messages. PR 43210. 153 + mod_cache: 154 + - Handle If-Range correctly if the cached resource was stale. 
PR 44579 155 + - Revalidate cache entities which have Cache-Control: no-cache 156 + set in their response headers. PR 44511 157 + mod_cgid: 158 + - Explicitly set permissions of the socket (ScriptSock) shared 159 + by mod_cgid and request processing threads, for OS'es such as 160 + HPUX and AIX that do not use umask for AF_UNIX socket permissions. 161 + - Don't try to restart the daemon if it fails to initialize the socket. 162 + mod_charset_lite: 163 + - Add TranslateAllMimeTypes sub-option to CharsetOptions, 164 + allowing the administrator to skip the mimetype checking that 165 + precedes translation. 166 + mod_dav: 167 + - Return "method not allowed" if the destination URI of a WebDAV 168 + copy / move operation is no DAV resource. PR 44734 169 + mod_headers: 170 + - Add 'merge' option to avoid duplicate values within the same header. 171 + mod_include: 172 + - Correctly handle SSI directives split over multiple filter 173 + mod_log_config: 174 + - Add format options for %p so that the actual local or remote 175 + port can be logged. PR 43415. 176 + mod_logio: 177 + - Provide optional function to allow modules to adjust the 178 + bytes_in count 179 + mod_proxy: 180 + - Make all proxy modules nocanon aware and do not add the 181 + query string again in this case. PR 44803. 182 + - scoreboard: Remove unused proxy load balancer elements from scoreboard 183 + image (not scoreboard memory itself). 184 + - Support environment variable interpolation in reverse 185 + proxying directives. 186 + - Do not try a direct connection if the connection via a 187 + remote proxy failed before and the request has a request body. 188 + - ProxyPassReverse is now balancer aware. 189 + - Lower memory consumption for short lived connections. 190 + PR 44026. 191 + - Keep connections to the backend persistent in the HTTPS case. 192 + mod_proxy_ajp: 193 + - Do not retry request in the case that we either failed to 194 + sent a part of the request body or if the request is not idempotent. 
195 + PR 44334 196 + mod_proxy_ftp: 197 + - Fix base for directory listings. PR 27834 198 + mod_proxy_http: 199 + - Fix processing of chunked responses if Connection: 200 + Transfer-Encoding is set in the response of the proxied 201 |
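Review bot: in the 2.2.9 entry, the two SECURITY items (CVE-2008-2364 in mod_proxy_http and CVE-2007-6420 in mod_proxy_balancer) carry no [bnc#...] reference, and the 2.2.10 entry lists CVE-2008-2939 without repeating the [bnc#415061] tag that the Fri Sep 19 entry uses for the same fix. If tracker bugs exist for these, add the tags so each security fix can be traced from the changelog the way the other entries here allow. The mod_include item in the 2.2.9 entry ("Correctly handle SSI directives split over multiple filter") ends mid-sentence before the mod_log_config heading and should be completed from the upstream CHANGES text. Two wording slips in the packaging entries are also worth fixing: "They'll reliably put into the subpackage" is missing "be", and "in for SuSEFirewall2 configuration" has a stray "in".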