-------------------------------------------------------------------

Fri Feb 17 19:34:34 UTC 2012 - cs@linux-administrator.com

​

- update to release 2.2.22 

​

-------------------------------------------------------------------

Wed Sep 14 20:25:02 UTC 2011 - cs@linux-administrator.com

​

- update to release 2.2.21 

​

-------------------------------------------------------------------

Wed Aug 31 11:05:30 UTC 2011 - cs@linux-administrator.com

​

- update to release 2.2.20 

​

-------------------------------------------------------------------

Thu Jun 16 09:39:58 UTC 2011 - cs@linux-administrator.com

​

- update to release 2.2.19 

​

-------------------------------------------------------------------

Wed Feb  9 20:08:55 UTC 2011 - cs@linux-administrator.com

​

- update to release 2.2.17 

​

-------------------------------------------------------------------

Fri Oct  8 09:03:49 UTC 2010 - cs@linux-administrator.com

​

- update to release 2.2.16 

​

-------------------------------------------------------------------

Tue Apr 09 10:58:00 CET 2010 - cs@linux-administrator.com

​

- update to release 2.2.15

​

-------------------------------------------------------------------

Thu Dec 03 17:25:00 CET 2009 - cs@linux-administrator.com

​

- update to release 2.2.14

​

-------------------------------------------------------------------

Fri Nov 21 12:01:00 CET 2008 - skh@suse.de

​

- apache2-server-tuning.conf:

  Enclose module-specific configuration in IfModule tags [bnc#440584]

​

-------------------------------------------------------------------

Fri Nov 14 09:40:05 CET 2008 - poeml@suse.de

​

- apply Dirks fix for [bnc#444878], making the packaging of per-mpm

  modules more deterministic. They'll reliably put into the

  subpackage or main package now, which varied in a ping-pong way

  from build to build in the past.

​

-------------------------------------------------------------------

Wed Oct 29 18:38:17 CET 2008 - poeml@suse.de

​

- update year of copyright in rc.apache2

​

-------------------------------------------------------------------

Wed Oct 29 00:13:58 CET 2008 - poeml@suse.de

​

- update to 2.2.10:

  SECURITY: CVE-2008-2939 (cve.mitre.org)

     mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of

     the FTP URL. Discovered by Marc Bevand of Rapid7. 

  core:

   - Support chroot on Unix-family platforms. PR 43596 

  mod_authn_alias: 

   - Detect during startup when AuthDigestProvider is configured to

     use an incompatible provider via AuthnProviderAlias.  PR 45196 

  mod_cgid: 

   - Pass along empty command line arguments from an ISINDEX query

     that has consecutive '+' characters in the QUERY_STRING,

     matching the behavior of mod_cgi.

  mod_charset_lite: 

   - Avoid dropping error responses by handling meta buckets

     correctly. PR 45687 

  mod_dav_fs: 

   - Retrieve minimal system information about directory entries

     when walking a DAV fs, resolving a performance degradation on

     Windows.  PR 45464.  

  mod_headers: 

   - Prevent Header edit from processing only the first header of

     possibly multiple headers with the same name and deleting the

     remaining ones. PR 45333.  

  mod_proxy:

   - Allow for smax to be 0 for balancer members so that all idle

     connections are able to be dropped should they exceed ttl. PR 43371 

   - Add 'scolonpathdelim' parameter to allow for ';' to also be

     used as a session path separator/delim  PR 45158. 

   - Add connectiontimeout parameter for proxy workers in order to

     be able to set the timeout for connecting to the backend separately.

     PR 45445. 

  mod_proxy_http: 

   - Don't trigger a retry by the client if a failure to

     read the response line was the result of a timeout.

   - Introduce environment variable proxy-initial-not-pooled to

     avoid reusing pooled connections if the client connection is an initial

     connection. PR 37770. 

   - Do not forward requests with 'Expect: 100-continue' to

     known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.

  mod_proxy_balancer: 

   - Move nonce field in the balancer manager page inside

     the html form where it belongs. PR 45578. 

   - Add 'bybusyness' load balance method.

  mod_rewrite: 

   - Allow Cookie option to set secure and HttpOnly flags.  PR 44799 

   - Preserve the query string when [proxy,noescape]. PR 45247.

  mod_ssl: 

   - implement dynamic mutex callbacks for the benefit of OpenSSL.  

   - Rewrite shmcb to avoid memory alignment issues.  PR 42101.

- drop obsolete patch httpd-2.2.x-CVE-2008-2939.patch

​

-------------------------------------------------------------------

Fri Oct 24 13:23:41 CEST 2008 - skh@suse.de

​

- apache2.firewall, apache2.ssl-firewall

  Use unique name tags "HTTP Server" and "HTTPS Server" in for

  SuSEFirewall2 configuration [bnc#414962]

​

-------------------------------------------------------------------

Fri Sep 19 16:18:39 CEST 2008 - skh@suse.de

​

- add httpd-2.x.x-logresolve.patch again [bnc#210904]

- add httpd-2.2.x-CVE-2008-2939.patch [bnc#415061]:

  mod_proxy_ftp: Prevent XSS attacks when using wildcards in

  the path of the FTP URL. Discovered by Marc Bevand of Rapid7. 

  [Ruediger Pluem]

​

-------------------------------------------------------------------

Tue Aug 26 22:59:55 CEST 2008 - poeml@suse.de

​

- drop rc.config handling (was removed in or after SuSE Linux 8.0)

- don't use fillup_insserv options which have been removed lately

​

-------------------------------------------------------------------

Fri Aug 15 11:25:47 CEST 2008 - poeml@suse.de

​

- fix init script LSB headers

​

-------------------------------------------------------------------

Wed Jun 25 14:36:06 CEST 2008 - poeml@suse.de

​

- add note to /etc/sysconfig/apache2 and /etc/init.d/apache2 about

  how to set ulimits when starting the server

- undocument APACHE_BUFFERED_LOGS and APACHE_TIMEOUT in the

  sysconfig template. They still work but I think it is good to

  keep this stuff out of the beginner's config, first because both

  features are sophisticated enough to not being tweaked in most

  cases, second because it only confuses people I guess, and makes

  the sysconfig file larger than necessary.

​

-------------------------------------------------------------------

Sun Jun 15 19:39:46 CEST 2008 - poeml@suse.de

​

- update to 2.2.9:

  SECURITY: CVE-2008-2364 (cve.mitre.org)

     mod_proxy_http: Better handling of excessive interim responses

     from origin server to prevent potential denial of service and

     high memory usage. Reported by Ryujiro Shibuya. 

  SECURITY: CVE-2007-6420 (cve.mitre.org)

     mod_proxy_balancer: Prevent CSRF attacks against the

     balancer-manager interface.  

   - htpasswd: Fix salt generation weakness. PR 31440

  worker/event MPM:

   - Fix race condition in pool recycling that leads to

     segmentation faults under load.  PR 44402

  core:

   - Fix address-in-use startup failure on some platforms caused by

     creating an IPv4 listener which overlaps with an existing IPv6

     listener.  

   - Add the filename of the configuration file to the warning

     message about the useless use of AllowOverride. PR 39992.

   - Do not allow Options ALL if not all options are allowed to be

     overwritten. PR 44262 

   - reinstate location walk to fix config for subrequests PR 41960 

   - Fix garbled TRACE response on EBCDIC platforms.

   - gen_test_char: add double-quote to the list of

     T_HTTP_TOKEN_STOP.  PR 9727 

  http_filters:

   - Don't return 100-continue on redirects. PR 43711

   - Don't return 100-continue on client error PR 43711 

   - Don't spin if get an error when reading the next chunk. PR 44381 

   - Don't add bogus duplicate Content-Language entries

  suexec:

   - When group is given as a numeric gid, validate it by looking up

     the actual group name such that the name can be used in log entries.

     PR 7862 

  mod_authn_dbd:

   - Disambiguate and tidy database authentication error messages.  PR 43210.  

  mod_cache:

   - Handle If-Range correctly if the cached resource was stale.  PR 44579 

   - Revalidate cache entities which have Cache-Control: no-cache

     set in their response headers. PR 44511 

  mod_cgid:

   - Explicitly set permissions of the socket (ScriptSock) shared

     by mod_cgid and request processing threads, for OS'es such as

     HPUX and AIX that do not use umask for AF_UNIX socket permissions.

   - Don't try to restart the daemon if it fails to initialize the socket.  

  mod_charset_lite:

   - Add TranslateAllMimeTypes sub-option to CharsetOptions,

     allowing the administrator to skip the mimetype checking that

     precedes translation.

  mod_dav:

   - Return "method not allowed" if the destination URI of a WebDAV

     copy / move operation is no DAV resource. PR 44734 

  mod_headers:

   - Add 'merge' option to avoid duplicate values within the same header. 

  mod_include:

   - Correctly handle SSI directives split over multiple filter

  mod_log_config:

   - Add format options for %p so that the actual local or remote

     port can be logged.  PR 43415.  

  mod_logio:

   - Provide optional function to allow modules to adjust the 

     bytes_in count

  mod_proxy:

   - Make all proxy modules nocanon aware and do not add the

     query string again in this case. PR 44803.

   - scoreboard: Remove unused proxy load balancer elements from scoreboard

     image (not scoreboard memory itself).  

   - Support environment variable interpolation in reverse

     proxying directives. 

   - Do not try a direct connection if the connection via a

     remote proxy failed before and the request has a request body.

   - ProxyPassReverse is now balancer aware. 

   - Lower memory consumption for short lived connections.

     PR 44026. 

   - Keep connections to the backend persistent in the HTTPS case.

  mod_proxy_ajp:

   - Do not retry request in the case that we either failed to

     sent a part of the request body or if the request is not idempotent.

     PR 44334 

  mod_proxy_ftp:

   - Fix base for directory listings.  PR 27834 

  mod_proxy_http:

   - Fix processing of chunked responses if Connection:

     Transfer-Encoding is set in the response of the proxied

     system. PR 44311 

   - Return HTTP status codes instead of apr_status_t values for

     errors encountered while forwarding the request body PR 44165 

  mod_rewrite: 

   - Initialize hash needed by ap_register_rewrite_mapfunc early

     enough. PR 44641 

   - Check all files used by DBM maps for freshness, mod_rewrite

     didn't pick up on updated sdbm maps due to this.  PR41190 

   - Don't canonicalise URLs with [P,NE] PR 43319 

  mod_speling:

   - remove regression from 1.3/2.0 behavior and drop dependency

     between mod_speling and AcceptPathInfo.

  mod_ssl:

   - Fix a memory leak with connections that have zlib compression

     turned on. PR 44975 

  mod_substitute:

   - The default is now flattening the buckets after each

     substitution. The newly added 'q' flag allows for the quicker,

     more efficient bucket-splitting if the user so

  mod_unique_id:

   - Fix timestamp value in UNIQUE_ID.  PR 37064 

  ab (apache benchmark):

   - Include <limits.h> earlier if available since we may need

     INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS.

   - Improve client performance by clearing connection pool instead

   - Don't stop sending a request if EAGAIN is returned, which

     will only happen if both the write and subsequent wait are

     returning EAGAIN, and count posted bytes correctly when the initial

     write of a request is not complete. PR 10038, 38861, 39679

   - Overhaul stats collection and reporting to avoid integer

     truncation and time divisions within the test loop, retain

     native time resolution until output, remove unused data,

     consistently round milliseconds, and generally avoid losing

     accuracy of calculation due to type casts. PR 44878, 44931.

   - Add -r option to continue after socket receive errors.

   - Do not try to read non existing response bodies of HEAD requests.

   - Use a 64 bit unsigned int instead of a signed long to count the

  rotatelogs:

   - Log the current file size and error code/description when

     failing to write to the log file.  

   - Added '-f' option to force rotatelogs to create the logfile as

     soon as started, and not wait until it reads the first entry. 

   - Don't leak memory when reopening the logfile.  PR 40183 

   - Improve atomicity when using -l and cleaup code.  PR 44004 

- drop obsolete patches httpd-2.1.3alpha-autoconf-2.59.dif

                        httpd-2.2.x-CVE-2008-1678.patch

- don't run autoreconf on SLES9

- remove the addition of -g to the CFLAGS, since the build service

  handles debuginfo packages now

​

-------------------------------------------------------------------

Mon Jun  9 17:18:03 CEST 2008 - poeml@suse.de

​

- build service supports the debuginfo flag in metadata now; remove

  debug_package macro from the specfile therefore.

​

-------------------------------------------------------------------

Mon May 26 16:55:37 CEST 2008 - skh@suse.de

​

- CVE-2008-1678: modules/ssl/mod_ssl.c (ssl_cleanup_pre_config): 

  Remove the call to CRYPTO_cleanup_all_ex_data here, fixing a 

  per-connection memory leak which occurs if the client indicates 

  support for a compression algorithm in the initial handshake, and 

  mod_ssl is linked against OpenSSL >= 0.9.8f.  [bnc#392096]

  httpd-2.2.x-CVE-2008-1678.patch

​

-------------------------------------------------------------------

Thu May 15 01:58:08 CEST 2008 - poeml@suse.de

​

- fix build on Mandriva 2007, by escaping commented %build macro

- make filelist of man pages independant of the compression method

  (gz, bz2, lzma)

​

-------------------------------------------------------------------

Fri Apr 18 11:55:14 CEST 2008 - poeml@suse.de

​

- fix from Factory:

  - remove dir /usr/share/omc/svcinfo.d as it is provided now

    by filesystem 

- remove obsolete httpd-2.2.x.doublefree.patch file, which isn't

  used since quite some time since the issue is resolved.

​

-------------------------------------------------------------------

Thu Apr 17 17:58:02 CEST 2008 - poeml@suse.de

​

- new implementation of sysconf_addword, using sed instead of ed.

  Moving it from the -utils subpackage into the parent package,

  where it's actually needed. If sysconf_addword is already present

  in the system, it is preferred (by PATH). That's because the tool

  has been integrated into aaa_base.rpm with openSUSE 11.0.

  Removing the requires on the ed package. [bnc#377131]

​

-------------------------------------------------------------------

Wed Mar 12 14:29:04 CET 2008 - poeml@suse.de

​

- require ed package, since ed is needed by sysconf_addword, which

  in turn is used by a2enmod/a2enflag

​

-------------------------------------------------------------------

Fri Feb 29 14:06:52 CET 2008 - poeml@suse.de

​

- better documentation how to enable SSL in /etc/sysconfig/apache2

- quickstart readme: the link to the openSUSE wiki is about to move

​

-------------------------------------------------------------------

Tue Feb 19 13:14:45 CET 2008 - poeml@suse.de

​

- add "127.0.0.1" to the local access list in mod_status.conf,

  because on some systems "localhost" seems to resolve only to IPv6

  localhost

​

-------------------------------------------------------------------

Sat Feb  2 05:37:34 CET 2008 - crrodriguez@suse.de

​

- upstream 2.2.8

  SECURITY: CVE-2007-6421 (cve.mitre.org)

     mod_proxy_balancer: Correctly escape the worker route and the worker

     redirect string in the HTML output of the balancer manager.

     Reported by SecurityReason.

  SECURITY: CVE-2007-6422 (cve.mitre.org)

     Prevent crash in balancer manager if invalid balancer name is passed

     as parameter. Reported by SecurityReason.

  SECURITY: CVE-2007-6388 (cve.mitre.org)

     mod_status: Ensure refresh parameter is numeric to prevent

     a possible XSS attack caused by redirecting to other URLs.

     Reported by SecurityReason.

  SECURITY: CVE-2007-5000 (cve.mitre.org)

     mod_imagemap: Fix a cross-site scripting issue.  Reported by JPCERT.

  SECURITY: CVE-2008-0005 (cve.mitre.org)

     Introduce the ProxyFtpDirCharset directive, allowing the administrator

     to identify a default, or specific servers or paths which list their

     contents in other-than ISO-8859-1 charset (e.g. utf-8).

  mod_autoindex: 

   - Generate valid XHTML output by adding the xhtml namespace. PR 43649

  mod_charset_lite: 

   - Don't crash when the request has no associated filename.

  mod_dav: 

   - Fix evaluation of If-Match * and If-None-Match * conditionals.  PR 38034

   - Adjust etag generation to produce identical results on 32-bit

     and 64-bit platforms and avoid a regression with conditional PUT's on lock

     and etag. PR 44152.

  mod_deflate: 

   - initialise inflate-out filter correctly when the first brigade

     contains no data buckets.  PR 43512

  mod_disk_cache: 

  - Delete temporary files if they cannot be renamed to their final

    name.

  mod_filter: 

   - Don't segfault on (unsupported) chained FilterProvider usage.  PR 43956

  mod_include: 

   - Add an "if" directive syntax to test whether an URL is

     accessible, and if so, conditionally display content. This

     allows a webmaster to hide a link to a private page when the

     user has no access to that page.

  mod_ldap: 

   - Try to establish a new backend LDAP connection when the

     Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g.

     after the LDAP server has closed the connection due to a

     timeout.  PR 39095

   - Give callers a reference to data copied into the request pool

     instead of references directly into the cache PR 43786

   - Stop passing a reference to pconf around for (limited) use

     during request processing, avoiding possible memory corruption

     and crashes.

  mod_proxy: 

   - Canonicalisation improvements. Add "nocanon" keyword to

     ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also,

     don't escape/unescape forward-proxied URLs.  PR 41798, 42592

   - Don't by default violate RFC2616 by setting Max-Forwards when

     the client didn't send it to us.  Leave that as a

     configuration option.  PR 16137

   - Fix persistent backend connections.  PR 43472

   - escape error-notes correctly PR 40952

   - check ProxyBlock for all blocked addresses PR 36987

   - Don't lose bytes when a response line arrives in small chunks.

     PR 40894

  mod_proxy_ajp: 

   - Use 64K as maximum AJP packet size. This is the maximum length

     we can squeeze inside the AJP message packet.

   - Ignore any ajp13 flush packets received before we send the

     response headers. See Tomcat PR 43478.

   - Differentiate within AJP between GET and HEAD requests. PR 43060

  mod_proxy_balancer: 

   - Do not reset lbstatus, lbfactor and lbset when starting a new

     child.  PR 39907

  mod_proxy_http: 

   - Remove Warning headers with wrong date PR 16138

   - Correctly parse all Connection headers in proxy.  PR 43509

   - add Via header correctly (if enabled) to response, even where

     other Via headers exist.  PR 19439

   - Correctly forward unexpected interim (HTTP 1xx) responses from

     the backend according to RFC2616.  But make it configurable in

     case something breaks on it.  PR 16518

   - strip hop-by-hop response headers PR 43455

   - Propagate Proxy-Authorization header correctly.  PR 25947

   - Don't segfault on bad line in FTP listing PR 40733

  mod_rewrite: 

   - Add option to suppress URL unescaping PR 34602

   - Add the novary flag to RewriteCond.

  mod_substitute: 

   - Added a new output filter, which performs inline response

     content pattern matching (including regex) and substitution.

  mod_ssl: 

   - Fix handling of the buffered request body during a per-location

     renegotiation, when an internal redirect occurs.  PR 43738.

   - Fix SSL client certificate extensions parsing bug. PR 44073.

   - Prevent memory corruption of version string.  PR 43865, 43334

  mod_status: 

   - Add SeeRequestTail directive, which determines if

     ExtendedStatus displays the 1st 63 characters of the request

     or the last 63. Useful for those requests with large string

     lengths and which only vary with the last several characters.

  event MPM: 

   - Add support for running under mod_ssl, by reverting to the

     Worker MPM behaviors, when run under an input filter that buffers

     its own data.

  core: 

   - Fix regression in 2.2.7 in chunk filtering with massively

     chunked requests.

   - Lower memory consumption of ap_r* functions by reusing the

     brigade instead of recreating it during each filter pass.

   - Lower memory consumption in case that flush buckets are passed

     thru the chunk filter as last bucket of a brigade. PR 23567.

   - Fix broken chunk filtering that causes all non blocking reads

     to be converted into blocking reads.  PR 19954, 41056.

   - Change etag generation to produce identical results on 32-bit

     and 64-bit platforms.  PR 40064.

   - Handle unrecognised transfer-encodings.  PR 43882

   - Avoid some unexpected connection closes by telling the client

     that the connection is not persistent if the MPM process

     handling the request is already exiting when the response

     header is built.

   - fix possible crash at startup in case of nonexistent

     DocumentRoot.  PR 39722

   - http_core: OPTIONS * no longer maps to local storage or URI

     space. Note that unlike previous versions, OPTIONS * no longer

     returns an Allow: header. PR 43519

   - scoreboard: improve error message on apr_shm_create failure PR

     40037

   - Don't send spurious "100 Continue" response lines.  PR 38014

   - http_protocol: 

     - Escape request method in 413 error reporting.  Determined to

       be not generally exploitable, but a flaw in any case.  PR

       44014

     - Add "DefaultType none" option.  PR 13986 and PR 16139

     - Escape request method in 405 error reporting.  This has no

       security impact since the browser cannot be tricked into

       sending arbitrary method strings.

  - Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009

  - Add explicit charset to the output of various modules to work

    around possible cross-site scripting flaws affecting web

    browsers that do not derive the response character set as

    required by  RFC2616.  One of these reported by SecurityReason

  - rotatelogs: Change command-line parsing to report more types

     of errors.  Allow local timestamps to be used when rotating based

     on file size.

​

-------------------------------------------------------------------

Wed Sep 12 20:11:37 CEST 2007 - poeml@suse.de

​

- fix graceful-restart. Wait until the pidfile is gone, but don't

  wait for the parent to disappear. It stays there, after closing

  the listen ports.

​

-------------------------------------------------------------------

Wed Sep 12 15:49:15 CEST 2007 - poeml@suse.de

​

- use debug_package macro only on suse, because it breaks the build

  on Mandriva

​

-------------------------------------------------------------------

Wed Sep 12 13:41:16 CEST 2007 - poeml@suse.de

​

- don't configure in maintainer-mode. It not only enables compile

  time warnings, but also adds AP_DEBUG into the mix which causes

  enablement of debug code which is not wanted in production

  builds.

​

-------------------------------------------------------------------

Mon Sep 10 17:32:56 CEST 2007 - poeml@suse.de

​

- upstream 2.2.6

  SECURITY: CVE-2007-3847 (cve.mitre.org)

     mod_proxy: Prevent reading past the end of a buffer when parsing

     date-related headers.  PR 41144.

  SECURITY: CVE-2007-1863 (cve.mitre.org)

     mod_cache: Prevent a segmentation fault if attributes are listed in a 

     Cache-Control header without any value. 

  SECURITY: CVE-2007-3304 (cve.mitre.org)

     prefork, worker, event MPMs: Ensure that the parent process cannot

     be forced to kill processes outside its process group. 

  SECURITY: CVE-2006-5752 (cve.mitre.org)

     mod_status: Fix a possible XSS attack against a site with a public

     server-status page and ExtendedStatus enabled, for browsers which

     perform charset "detection".  Reported by Stefan Esser.

  SECURITY: CVE-2007-1862 (cve.mitre.org)

     mod_mem_cache: Copy headers into longer lived storage; header names and

     values could previously point to cleaned up storage.  PR 41551.

  mod_alias: 

   - Accept path components (URL part) in Redirects. PR 35314.

  mod_authnz_ldap: 

   - Don't return HTTP_UNAUTHORIZED during authorization when

     LDAP authentication is configured but we haven't seen any 

     'Require ldap-*' directives, allowing authorization to be passed to lower 

     level modules (e.g. Require valid-user) PR 43281 

  mod_autoindex: 

   - Add in Type and Charset options to IndexOptions

     directive. This allows the admin to explicitly set the 

     content-type and charset of the generated page and is therefore

     a viable workaround for buggy browsers affected by CVE-2007-4465

  mod_cache:

   - Remove expired content from cache that cannot be revalidated.

     PR 30370. 

   - Do not set Date or Expires when they are missing from the

     original response or are invalid.  

   - Correctly handle HEAD requests on expired cache content.  PR

     41230.  

   - Let Cache-Control max-age set the expiration of the cached

     representation if Expires is not set.  

   - Allow caching of requests with query arguments when

     Cache-Control max-age is explicitly specified.  

   - Use the same cache key throughout the whole request processing

     to handle escaped URLs correctly.  PR 41475.  

   - Add CacheIgnoreQueryString directive. PR 41484.

   - While serving a cached entity ensure that filters that have

     been applied to this cached entity before saving it to the

     cache are not applied again. PR 40090.  

   - Correctly cache objects whose URL query string has been

     modified by mod_rewrite. PR 40805.  

  mod_cgi, mod_cgid: 

   - Fix use of CGI scripts as ErrorDocuments.  PR 39710.  

  mod_dbd: 

   - Introduce configuration groups to allow inheritance by virtual

     hosts of database configurations from the main server.

     Determine the minimal set of distinct configurations and share

     connection pools whenever possible.  Allow virtual hosts to

     override inherited SQL statements.  PR 41302.  

   - Create memory sub-pools for each DB connection and close DB

     connections in a pool cleanup function.  Ensure prepared

     statements are destroyed before DB connection is closed.  When

     using reslists, prevent segfaults when child processes exit,

     and stop memory leakage of ap_dbd_t structures.  Avoid use of

     global s->process->pool, which isn't destroyed by exiting

     child processes in most multi-process MPMs.  PR 39985.  

   - Handle error conditions in dbd_construct() properly.  Simplify

     ap_dbd_open() and use correct arguments to apr_dbd_error()

     when non-threaded.  Register correct cleanup data in

     non-threaded ap_dbd_acquire() and ap_dbd_cacquire().  Clean up

     configuration data and merge function.  Use ap_log_error()

     wherever possible.

   - Stash DBD connections in request_config of initial request

     only, or else sub-requests and internal redirections may cause

     entire DBD pool to be stashed in a single HTTP request.  

  mod_deflate: 

   - don't try to process metadata buckets as data.  what should

     have been a 413 error was logged as a 500 and a blank screen

     appeared at the browser.

   - fix protocol handling in deflate input filter PR 23287 

  mod_disk_cache: 

   - Allow Vary'd responses to be refreshed properly.

  mod_dumpio: 

   - Fix for correct dumping of traffic on EBCDIC hosts Data had

     been incorrectly converted twice, resulting in garbled log

     output. 

  mod_expires: 

   - don't crash on bad configuration data PR 43213 

  mod_filter: 

   - fix integer comparisons in dispatch rules PR 41835 

   - fix merging of ! and = in FilterChain PR 42186 

  mod_headers: 

   - Allow % at the end of a Header value. PR 36609.

  mod_info: 

   - mod_info outputs invalid XHTML 1.0 transitional.  PR 42847 

  mod_ldap: 

   - Avoid possible crashes, hangs, and busy loops due to improper

     merging of the cache lock in vhost config PR 43164 

  mod_ldap: 

   - Remove the hardcoded size limit parameter for

     ldap_search_ext_s and replace it with an APR_ defined value

     that is set according to the LDAP SDK being used.

  mod_mem_cache: 

   - Increase the minimum and default value for MCacheMinObjectSize

     from 0 to 1, as a MCacheMinObjectSize of 0 does not make sense

     and leads to a division by zero.  PR 40576.

  mod_negotiation: 

   - preserve Query String in resolving a type map PR 33112 

  mod_proxy:

   -  mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as

      synonymous.  PR 43183 

   -  Ensure that at least scheme://hostname[:port] matches between

      worker and URL when searching for the best fitting worker for

      a given URL.  PR 40910 

   -  Improve network performance by setting APR_TCP_NODELAY

      (disable Nagle algorithm) on sockets if implemented.  PR 42871 

   -  Add a missing assignment in an error checking code path.  PR 40865 

   -  don't URLencode tilde in path component PR 38448 

   -  enable Ignore Errors option on ProxyPass Status.  PR 43167 

   - Allow to use different values for sessionid in url encoded id

     and cookies. PR 41897. 

   - Fix the 503 returned when session route does not match any of

     the balancer members. 

   - Added ProxyPassMatch directive, which is similar to ProxyPass

     but takes a regex local path prefix. 

   - Print the correct error message for erroneous configured

     ProxyPass directives. PR 40439.  

   - Fix some proxy setting inheritance problems (eg:

     ProxyTimeout). PR 11540.  

   - proxy/ajp_header.c: Fixed header token string comparisons

     Matching of header tokens failed to include the trailing NIL

     byte and could misinterpret a longer header token for a

     shorter.  Additionally, a "Content-Type" comparison was made

     case insensitive.

   - proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC

     On EBCDIC machines, the status_line string was incorrectly

     converted twice. 

  mod_proxy_connect: 

   - avoid segfault on DNS lookup failure.  PR 40756 

  mod_proxy_http:

   - HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses

     alone.  Only processing of error responses (4xx, 5xx) will be

     altered. PR 39245.

   - Don't try to read body of a HEAD request before responding. PR 41644 

   - Handle request bodies larger than 2 GB by converting the

     Content-Length header of the request correctly. PR 40883.

  mod_ssl: 

   - Fix spurious hostname mismatch warning for valid wildcard

     certificates.  PR 37911.  

   - Version reporting update; displays 'compiled against' Apache

     and build-time SSL Library versions at loglevel [info], while

     reporting the run-time SSL Library version in the server info

     tags.  Helps to identify a mod_ssl built against one flavor of

     OpenSSL but running against another (also adds SSL-C version

     number reporting.)  

   - initialize thread locks before initializing the hardware

     acceleration library, so the latter can make use of the

     former.  PR 20951.  

  core:

   - Do not replace a Date header set by a proxied backend server. PR 40232 

   - log core: ensure we use a special pool for stderr logging, so that

     the stderr channel remains valid from the time plog is destroyed,

     until the time the open_logs hook is called again.

   - main core: Emit errors during the initial apr_app_initialize()

     or apr_pool_create() (when apr-based error reporting is not ready).

   - log core: fix the new piped logger case where we couldn't connect 

     the replacement stderr logger's stderr to the NULL stdout stream.  

     Continue in this case, since the previous alternative of no error 

     logging at all (/dev/null) is far worse. 

   - Correct a regression since 2.0.x in the handling of AllowOverride 

     Options. PR 41829.  

   - Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory

     can work after that terminating signal.

   -  mod_so: Provide more helpful LoadModule feedback when an error occurs.

  misc:

   - mime.types: Many updates to sync with IANA registry and common

     unregistered types that the owners refuse to register.  Admins

     are encouraged to update their installed mime.types file.  PR:

     35550, 37798, 39317, 31483 

   - mime.types: add Registered Javascript/ECMAScript MIME types

     (RFC4329) PR 40299 

   - htdbm: Enable crypt support on platforms with crypt() but not

     <crypt.h>, such as z/OS.  

   - ab.c: Correct behavior of HTTP request headers sent by ab in

     presence of -H command-line overrides. PR 31268, 26554.

   - ab.c: The apr_port_t type is unsigned, but ab was using a

     signed format code in its reports. PR 42070.

- drop obsolete patches apache2-mod_cache-CVE-2007-1863.patch

                        apache2-mod_status-CVE-2006-5752.patch

                        httpd-2.2.4-mod_autoindex-charset-r570962.patch

                        mod_dbd.c-issue18989-autoconnect.dif

                        mod_dbd.c-r571441

​

-------------------------------------------------------------------

Mon Sep  3 13:43:22 CEST 2007 - skh@suse.de

​

- get_module_list: replace loadmodule.conf atomically [bnc #214863]

​

-------------------------------------------------------------------

Sat Sep  1 01:49:37 CEST 2007 - poeml@suse.de

​

- /etc/init.d/apache2: implement restart-graceful, stop-graceful

​

-------------------------------------------------------------------

Fri Aug 31 14:21:27 CEST 2007 - poeml@suse.de

​

- update mod_dbd to trunk version (r571441)

  * apr_dbd_check_conn() just returns APR_SUCCESS or

    APR_EGENERAL, so we don't actually have a driver-specific value

    to pass to apr_dbd_error(), but that's OK because most/all

    drivers just ignore this value anyway

​

-------------------------------------------------------------------

Fri Aug 31 12:37:27 CEST 2007 - poeml@suse.de

​

- replace httpd-2.2.3-AddDirectoryIndexCharset.patch with the upstream

  solution, httpd-2.2.4-mod_autoindex-charset-r570962.patch [#153557]

  (backport from 2.2.6)

  * Merge r570532, r570535, r570558 from trunk:

    IndexOptions ContentType=text/html Charset=UTF-8 magic.

    http://svn.apache.org/viewvc?rev=570962&view=rev

    http://issues.apache.org/bugzilla/show_bug.cgi?id=42105

  This means that the AddDirectoryIndexCharset is no longer

  available. Instead, IndexOptions Charset=xyz can be used.

​

-------------------------------------------------------------------

Fri Aug 31 11:42:58 CEST 2007 - poeml@suse.de

​

- remove libexpat-devel in the build service version of the package

- apply apache2-mod_cache-CVE-2007-1863.patch (patch 152) in the

  buildservice package

- don't apply mod_dbd.c-issue18989-autoconnect.dif, since it

  patches only modules/database/mod_dbd.c which is replaced with

  trunk version anyway

​

-------------------------------------------------------------------

Thu Aug 23 11:27:19 CEST 2007 - mskibbe@suse.de

​

- Bug 289996 - VUL-0: mod_status XSS in public server status page 

- Bug 289997 - VUL-0: apache2: mod_cache remote denial of service

​

-------------------------------------------------------------------

Wed Jul 18 16:04:05 CEST 2007 - skh@suse.de

​

- split off apache2-utils subpackage, containing all helper tools that

  are useful for system administrators in general (b.n.c. #272292 and

  FATE #302059)

​

-------------------------------------------------------------------

Thu Mar 29 19:14:16 CEST 2007 - dmueller@suse.de

​

- add zlib-devel to BuildRequires

​

-------------------------------------------------------------------

Fri Mar 23 08:55:47 CET 2007 - poeml@suse.de

​

- add mod_dbd.c from trunk (r512038), the version we run ourselves

  http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/database/mod_dbd.c?view=log

- add mod_dbd.c-issue18989-autoconnect.dif, but disabled. It

  applies to 2.2.4 mod_dbd.c but not to the trunk version

- build mod_version

- fix documentation link in apache2-httpd.conf

​

-------------------------------------------------------------------

Tue Mar 20 10:47:18 CET 2007 - mskibbe@suse.de

​

- add firewall file for ssl (#246929) 

​

-------------------------------------------------------------------

Mon Mar 19 12:44:22 CET 2007 - mskibbe@suse.de

​

- Apache - Support for FATE #300687: Ports for SuSEfirewall added

  via packages (#246929)

​

-------------------------------------------------------------------

Fri Jan 26 12:44:04 CET 2007 - poeml@suse.de

​

- the QUICKSTART Readmes have been moved to 

  http://www.opensuse.org/Apache

​

-------------------------------------------------------------------

Mon Jan 22 11:24:32 CET 2007 - poeml@suse.de

​

- point out better in README.QUICKSTART.SSL that a vhost needs to

  be created

- fixes to README.QUICKSTART.WebDAV

- updated email addresses (now there is apache@suse.de)

​

-------------------------------------------------------------------

Sat Jan 20 17:16:20 CET 2007 - poeml@suse.de

​

- add httpd-2.2.x.doublefree.patch, backport of 

  http://svn.apache.org/viewvc?diff_format=h&view=rev&revision=496831

  See http://issues.apache.org/bugzilla/show_bug.cgi?id=39985

​

-------------------------------------------------------------------

Thu Jan 18 22:00:48 CET 2007 - poeml@suse.de

​

- create debuginfo package in the buildservice

​

-------------------------------------------------------------------

Fri Jan 12 14:25:51 CET 2007 - mskibbe@suse.de

​

- change path to service cml document (fate #301708) 

​

-------------------------------------------------------------------

Tue Jan  9 15:59:42 CET 2007 - poeml@suse.de

​

- upstream 2.2.4

  mod_authnz_ldap: 

   - Add an AuthLDAPRemoteUserAttribute directive. If set,

     REMOTE_USER will be set to this attribute, rather than the

     username supplied by the user. Useful for example when you

     want users to log in using an email address, but need to

     supply a userid instead to the backend.

  mod_cache: 

   - From RFC3986 (section 6.2.3.) if a URI contains an authority

     component and an empty path, the empty path is to be

     equivalent to "/". It explicitly cites the following four URIs

     as equivalents:

       http://example.com

       http://example.com/

       http://example.com:/

       http://example.com:80/

   - Eliminate a bogus error in the log when a filter returns

     AP_FILTER_ERROR.

   - Don't cache requests with a expires date in the past;

     otherwise mod_cache will always try to cache the URL. This bug

     might lead to numerous rename() errors on win32 if the URL was

     previously cached.

  mod_cgi and mod_cgid:

   - Don't use apr_status_t error return from input filters as HTTP

     return value from the handler.  PR 31579.

  mod_dbd: 

   - share per-request database handles across subrequests and

     internal redirects

   - key connection pools to virtual hosts correctly even when

     ServerName is unset/unavailable

  mod_deflate: 

   - Rework inflate output and deflate output filter to fix several

     issues: Incorrect handling of flush buckets, potential memory

     leaks, excessive memory usage in inflate output filter for

     large compressed content. PR 39854.

  mod_disk_cache: 

   - Make sure that only positive integers are accepted for the

     CacheMaxFileSize and CacheMinFileSize parameters in the config

     file. PR39380.

  mod_dumpio:

   - Allow mod_dumpio to log at other than DEBUG levels via the new

     DumpIOLogLevel directive.

  mod_echo: 

   - Fix precedence problem in if statement. PR 40658.

  mod_ext_filter: 

   - Handle filter names which include capital letters.  PR 40323.

  mod_headers: 

   - Support regexp-based editing of HTTP headers.

  mod_mime_magic: 

   - Fix precedence problem in if statement. PR 40656.

  mod_mem_cache: 

   - Memory leak fix: Unconditionally free the buffer.

   - Convert mod_mem_cache to use APR memory pool functions by

     creating a root pool for object persistence across requests.

     This also eliminates the need for custom serialization code.

  mod_proxy: 

   - Don't try to use dead backend connection. PR 37770.

   - Add explicit flushing feature. When Servlet container sends

     AJP body message with size 0, this means that Servlet

     container has asked for an explicit flush. Create flush bucket

     in that case. This feature has been added to the recent Tomcat

     versions without breaking the AJP protocol.

  mod_proxy_ajp: 

   - Close connection to backend if reading of request body fails.

     PR 40310.

   - Added cping/cpong support for the AJP protocol.  A new worker

     directive ping=timeout will cause CPING packet to be send

     expecting CPONG packet within defined timeout.  In case the

     backend is too busy this will fail instead sending the full

     header.

  mod_proxy_balancer: 

   - Workers can now be defined as part of a balancer cluster "set"

     in which members of a lower-numbered set are preferred over

     higher numbered ones.

   - Workers can now be defined as "hot standby" which will only be

     used if all other workers are unusable (eg: in error or

     disabled). Also, the balancer-manager displays the election

     count and I/O counts of all workers.

   - Retry worker chosen by route / redirect worker if it is in

     error state before sending "Service Temporarily Unavailable".

     PR 38962.

   - Extract stickysession routing information contained as

     parameter in the URL correctly. PR 40400.

   - Set the new environment variable BALANCER_ROUTE_CHANGED if a

     worker with a route different from the one supplied by the

     client had been chosen or if the client supplied no routing

     information for a balancer with sticky sessions.

   - Add information about the route, the sticky session and the

     worker used during a request as environment variables. PR

     39806.

  core:

   - Fix issue which could cause piped loggers to be orphaned and

     never terminate after a graceful restart.  PR 40651.

   - Fix address-in-use startup failure caused by corruption of the

     list of listen sockets in some configurations with multiple

     generic Listen directives.

   - Fix NONBLOCK status of listening sockets on restart/graceful

     PR 37680.

   - Deal with the widespread use of apr_status_t return values as

     HTTP status codes, as documented in PR#31759 (a bug shared by

     the default handler, mod_cgi, mod_cgid, mod_proxy, and

     probably others). PR31759.

   - The full server version information is now included in the

     error log at startup as well as server status reports,

     irrespective of the setting of the ServerTokens directive.

     ap_get_server_version() is now deprecated, and is replaced by

     ap_get_server_banner() and ap_get_server_description().

  misc:

   - Allow htcacheclean, httxt2dbm, and fcgistarter to link

     apr/apr-util statically like the older support programs.

   - Better detection and clean up of ldap connection that has been

     terminated by the ldap server.  PR 40878.

   - rotatelogs: Improve error message for open failures.  PR

     39487.

​

-------------------------------------------------------------------

Mon Jan  8 11:57:04 CET 2007 - mskibbe@suse.de

​

- Apache XML Service Description Document (fate #301708) 

​

-------------------------------------------------------------------

Thu Dec 21 10:36:14 CET 2006 - poeml@suse.de

​

- add patch to add charset=utf-8 to directory listings generated by

  mod_autoindex, and add a directive to allow overriding the

  charset (testing, needs to be discussed with upstream) [#153557]

  httpd-2.2.3-AddDirectoryIndexCharset.patch 

​

-------------------------------------------------------------------

Wed Dec 20 15:58:35 CET 2006 - poeml@suse.de

​

- set a proper HOME (/var/lib/apache2), otherwise the server might

  end up HOME=/root and some script might try to use that [#132769]

- add two notes to the QUICKSTART readmes

- don't install /etc/apache2/extra configuration since this is only

  serving as an example and installed with the documentation anyway

​

-------------------------------------------------------------------

Tue Sep 26 11:13:52 CEST 2006 - poeml@suse.de

​

- add rpm macro for suexec_safepath

- use _bindir/_sbindir in a few places [#202355]

- remove unused /sbin/conf.d directory from build root

​

-------------------------------------------------------------------

Thu Aug 31 15:26:54 CEST 2006 - poeml@suse.de

​

- Enable fatal exception hook for use by diagnostic modules.

​

-------------------------------------------------------------------

Tue Aug 29 16:33:59 CEST 2006 - poeml@suse.de

​

- move some binaries, where calling by users makes sense (dbmmanage

  htdbm htdigest htpasswd), from /usr/sbin to /usr/bin [#140133]

​

-------------------------------------------------------------------

Wed Aug  9 16:13:07 CEST 2006 - poeml@suse.de

​

- upstream 2.2.3

  |SECURITY: CVE-2006-3747 (cve.mitre.org)

  |  mod_rewrite: Fix an off-by-one security problem in the ldap scheme

  |  handling.  For some RewriteRules this could lead to a pointer being

  |  written out of bounds.  Reported by Mark Dowd of McAfee.

  | mod_authn_alias: Add a check to make sure that the base provider and the

  |  alias names are different and also that the alias has not been registered

  |  before. PR 40051.

  | mod_authnz_ldap: Fix a problem with invalid auth error detection for LDAP

  |  client SDKs that don't support the LDAP_SECURITY_ERROR macro. PR 39529.

  | mod_autoindex: Fix filename escaping with FancyIndexing disabled.

  |  PR 38910.

  | mod_cache: 

  | - Make caching of reverse SSL proxies possible again. PR 39593.

  | - Do not overwrite the Content-Type in the cache, for

  |   successfully revalidated cached objects. PR 39647.

  | mod_charset_lite: Bypass translation when the source and dest charsets

  |  are the same.

  | mod_dbd: Fix dependence on virtualhost configuration in

  |  defining prepared statements (possible segfault at startup

  |  in user modules such as mod_authn_dbd).

  | mod_mem_cache: Set content type correctly when delivering data from

  |  cache. PR 39266.

  | mod_speling: Add directive to deal with case corrections only

  |  and ignore other misspellings

  | miscellaneous:

  |  - Add optional 'scheme://' prefix to ServerName directive,

  |    allowing correct determination of the canonical server URL

  |    for use behind a proxy or offload device handling SSL;

  |    fixing redirect generation in those cases. PR 33398.

  |  - Added server_scheme field to server_rec for above. Minor MMN bump.

  |  - Worker MPM: On graceless shutdown or restart, send signals

  |    to each worker thread to wake them up if they're polling on

  |    a Keep-Alive connection.  PR 38737.

  |  - worker and event MPMs: fix excessive forking if fork() or

  |    child_init take a long time.  PR 39275.

  |  - Respect GracefulShutdownTimeout in the worker and event MPMs.

  |  - configure: Add "--with-included-apr" flag to force use of

  |    the bundled version of APR at build time.

​

-------------------------------------------------------------------

Tue Jul  4 12:20:54 CEST 2006 - poeml@suse.de

​

- a2enmod, a2enflag: add /usr/sbin to PATH so sysconf_addword is

  found

​

-------------------------------------------------------------------

Fri Jun 23 09:52:17 CEST 2006 - poeml@suse.de

​

- fix typo in apache-20-22-upgrade script: mod_image_map ->

  mod_imagemap

​

-------------------------------------------------------------------

Mon Jun 12 11:28:59 CEST 2006 - poeml@suse.de

​

- enable logresolve processing of lines longer than 1024 characters

  by compiling with MAXLINE=4096 [#162806]

​

-------------------------------------------------------------------

Fri Jun  9 23:11:45 CEST 2006 - poeml@suse.de

​

- upstream 2.2.2

  | SECURITY: CVE-2005-3357 (cve.mitre.org)

  |   mod_ssl: Fix a possible crash during access control checks

  |   if a non-SSL request is processed for an SSL vhost (such as

  |   the "HTTP request received on SSL port" error message when

  |   an 400 ErrorDocument is configured, or if using "SSLEngine

  |   optional").  PR 37791.

  | SECURITY: CVE-2005-3352 (cve.mitre.org)

  |   mod_imagemap: Escape untrusted referer header before

  |   outputting in HTML to avoid potential cross-site scripting.

  |   Change also made to ap_escape_html so we escape quotes.

  |   Reported by JPCERT.

  | mod_cache: 

  |  - Make caching of reverse proxies possible again. PR 38017.

  | mod_disk_cache: 

  |  - Return the correct error codes from bucket read failures,

  |    instead of APR_EGENERAL.

  | mod_dbd:

  |  - Update defaults, improve error reporting.

  |  - Create own pool and mutex to avoid problem use of process

  |    pool in request processing.

  | mod_deflate: 

  |  - work correctly in an internal redirect

  | mod_proxy:

  |  - don't reuse a connection that may be to the wrong backend PR 39253

  |  - Do not release connections from connection pool twice.  PR 38793.

  |  - Fix KeepAlives not being allowed and set to backend servers.  PR 38602.

  |  - Fix incorrect usage of local and shared worker init.  PR 38403.

  |  - If we get an error reading the upstream response, close the

  |    connection.

  | mod_proxy_balancer: 

  |  - Initialize members of a balancer correctly.  PR 38227.

  | mod_proxy_ajp: 

  |  - Flushing of the output after each AJP chunk is now

  |    configurable at runtime via the 'flushpackets' and 'flushwait'

  |    worker params. Minor MMN bump.

  |  - Crosscheck the length of the body chunk with the length of the

  |    ajp message to prevent mod_proxy_ajp from reading beyond the

  |    buffer boundaries and thus revealing possibly sensitive memory

  |    contents to the client.

  |  - Support common headers of the AJP protocol in responses.  PR 38340.

  | mod_proxy_http: 

  |  - Do send keep-alive header if the client sent connection:

  |    keep-alive and do not close backend connection if the client

  |    sent connection: close. PR 38524.

  | mod_proxy_balancer: 

  |  - Do not overwrite the status of initialized workers and respect

  |    the configured status of uninitilized workers when creating a

  |    new child process.

  |  - Fix off-by-one error in proxy_balancer.  PR 37753.

  | mod_speling: 

  |  - Stop crashing with certain non-file requests.

  | mod_ssl: 

  |  - Fix possible crashes in shmcb with gcc 4 on platforms

  |    requiring word-aligned pointers.  PR 38838.

  | miscellaneous:

  |  - core: Prevent reading uninitialized memory while reading a line of

  |    protocol input.  PR 39282.

  |  - core: Reject invalid Expect header immediately. PR 38123.

  |  - Default handler: Don't return output filter apr_status_t values.

  |    PR 31759.

  |  - Add APR/APR-Util Compiled and Runtime Version numbers to the

  |    output of 'httpd -V'.

  |  - http: If a connection is aborted while waiting for a chunked line,

  |    flag the connection as errored out.

  |  - Don't hang on error return from post_read_request.  PR 37790.

  |  - Fix mis-shifted 32 bit scope, masked to 64 bits as a method.

  |  - Fix recursive ErrorDocument handling.  PR 36090.

  |  - Ensure that the proper status line is written to the client, fixing

  |    incorrect status lines caused by filters which modify r->status without

  |    resetting r->status_line, such as the built-in byterange filter.

  |  - HTML-escape the Expect error message.  Not classed as security as

  |    an attacker has no way to influence the Expect header a victim will

  |    send to a target site.

  |  - Chunk filter: Fix chunk filter to create correct chunks in the case that

  |    a flush bucket is surrounded by data buckets.

  |  - Avoid Server-driven negotiation when a script has emitted an

  |    explicit Status: header.  PR 38070.

  |  - htdbm: Fix crash processing -d option in 64-bit mode on HP-UX.

  |  - htdbm: Warn the user when adding a plaintext password on a platform

  |    where it wouldn't work with the server (i.e., anywhere that has

  |    crypt()).

- adapted httpd-2.1.3alpha-autoconf-2.59.dif

- other user visible changes:

  * use a2enmod, a2enflag in apache2-README.QUICKSTART.*

  * add README.QUICKSTART link to httpd.conf

- when installing/updating, avoid irritating message in

  /var/log/messages ("group is unknown - group=wwwadmin") [#183071]

- build system changes:

  * clean up old cruft tight to suse_version macros

  * don't run buildconf, and thus don't need python.

  * don't ship uid.conf as source file, but create it dynamically

    instead, according to user/group defined via rpm macro

  * create wwwrun:www user on non-SUSE builds

  * work around missimg macros insserv_prereq and fillup_prereq on non-SUSE builds

  * add openssl-devel and expat-devel to Buildrequires for non-SUSE builds

  * make sure that the rpm macro sles_version is defined

  * remove obsolete VENDOR UnitedLinux macro

​

-------------------------------------------------------------------

Tue Apr 25 18:10:28 CEST 2006 - poeml@suse.de

​

- obsolete 'apache' package on SLES10 (obsolete it on all platforms

  except SLES9 and old SL releases)

​

-------------------------------------------------------------------

Wed Mar 29 11:54:00 CEST 2006 - poeml@suse.de

​

- remove php4 from default modules [#155333]

- fix comment in /etc/init.d/apache2 [#148559]

​

-------------------------------------------------------------------

Mon Feb 20 13:49:07 CET 2006 - poeml@suse.de

​

- fixed comment in init script which indicated wrong version [#148559]

​

-------------------------------------------------------------------

Mon Jan 30 12:41:20 CET 2006 - poeml@suse.de

​

- added Requires: libapr-util1-devel to apache2-devel package [#146496] 

​

-------------------------------------------------------------------

Fri Jan 27 15:10:15 CET 2006 - poeml@suse.de

​

- add a note about NameVirtualHost statements to the vhost template

  files [#145000]

​

-------------------------------------------------------------------

Wed Jan 25 21:34:16 CET 2006 - mls@suse.de

​

- converted neededforbuild to BuildRequires

​

-------------------------------------------------------------------

Fri Jan 20 13:20:04 CET 2006 - poeml@suse.de

​

- cleanup: remove obsolete metuxmpm patch

- improve informational text in apache-20-22-upgrade

​

-------------------------------------------------------------------

Wed Jan 18 10:11:12 CET 2006 - poeml@suse.de

​

- the new DYNAMIC_MODULE_LIMIT default in 2.2 is 128, so no need to

  increase it anymore (fixes [#143536])

​

-------------------------------------------------------------------

Mon Dec 19 13:25:20 CET 2005 - poeml@suse.de

​

- update to 2.2.0

- enable all new modules

- replaced modules "auth auth_dbm access" in default configuration 

  by "auth_basic authn_file authn_dbm authz_host authz_default

  authz_user""

- /usr/share/apache2/apache-20-22-upgrade will fix the module list

  on upgrade

- fix bug in sysconf_addword (used by a2enmod) to respect word

  boundaries when removing a word (but don't count slashes as word

  boundary)

- remove perchild mpm subpackage, add experimemtal event mpm

- remove obsolete tool apache2-reconfigure-mpm

- remove obsolete perchild config from apache2-server-tuning.conf

- remove libapr0 subpackage; add libapr1 and libapr-util1 to #neededforbuild

- build against system pcre

- build with --enable-pie

- don't modify which libraries are linked in

- adjust IndexIgnore setting to upstream default. Previously, the

  parent directory (..) was being ignored

- package the symlinks in ssl.crt

​

-------------------------------------------------------------------

Wed Dec  7 11:07:21 CET 2005 - poeml@suse.de

​

- patch apxs to use the new a2enmod tool, when called with -a

- add -l option to a2enmod, which gives a list of active modules

- adjust feedback address in the readmes

- update README.QUICKSTART.SSL (mention TinyCA)

- add more documentation in server-tuning.conf, and adjust defaults

- do not document the restart-hup action of the init script. It

  should not be used

- don't install the tool checkgid -- it is only usable during

  installation

​

-------------------------------------------------------------------

Fri Nov 18 13:22:21 CET 2005 - poeml@suse.de

​

- fix duplicated Source45 tag

​

-------------------------------------------------------------------

Mon Oct 24 14:17:08 CEST 2005 - poeml@suse.de

​

- update to 2.0.55. Relevant changes:

  | SECURITY: CAN-2005-2700 (cve.mitre.org)

  |    mod_ssl: Fix a security issue where "SSLVerifyClient" was

  |    not enforced in per-location context if "SSLVerifyClient

  |    optional" was configured in the vhost configuration.

  | SECURITY: CAN-2005-2491 (cve.mitre.org): 

  |    Fix integer overflows in PCRE in quantifier parsing which

  |    could be triggered by a local user through use of a

  |    carefully-crafted regex in an .htaccess file.

  | SECURITY: CAN-2005-2088 (cve.mitre.org)

  |    proxy: Correctly handle the Transfer-Encoding and

  |    Content-Length headers.  Discard the request Content-Length

  |    whenever T-E: chunked is used, always passing one of either

  |    C-L or T-E: chunked whenever the request includes a request

  |    body.  Resolves an entire class of proxy HTTP Request

  |    Splitting/Spoofing attacks.

  | SECURITY: CAN-2005-2728 (cve.mitre.org)

  |    Fix cases where the byterange filter would buffer responses

  |    into memory.  PR 29962.

  | SECURITY: CAN-2005-2088 (cve.mitre.org)

  |    core: If a request contains both Transfer-Encoding and

  |    Content-Length headers, remove the Content-Length,

  |    mitigating some HTTP Request Splitting/Spoofing attacks.

  | SECURITY: CAN-2005-1268 (cve.mitre.org)

  |    mod_ssl: Fix off-by-one overflow whilst printing CRL

  |    information at "LogLevel debug" which could be triggered if

  |    configured to use a "malicious" CRL.  PR 35081.

  | miscellaneous:

  |  - worker MPM: Fix a memory leak which can occur after an

  |    aborted connection in some limited circumstances.

  |  - worker mpm: don't take down the whole server for a transient

  |    thread creation failure. PR 34514

  |  - Added TraceEnable [on|off|extended] per-server directive to

  |    alter the behavior of the TRACE method.  This addresses a

  |    flaw in proxy conformance to RFC 2616 - previously the proxy

  |    server would accept a TRACE request body although the RFC

  |    prohibited it.  The default remains 'TraceEnable on'. 

  |  - Add ap_log_cerror() for logging messages associated with

  |    particular client connections.

  |  - Support the suppress-error-charset setting, as with Apache

  |    1.3.x.  PR 31274.

  |  - Fix bad globbing comparison which could result in getting a

  |    directory listing when a file was requested. PR 34512.

  |  - Fix a file descriptor leak when starting piped loggers.  PR

  |    33748. 

  |  - Prevent hangs of child processes when writing to piped

  |    loggers at the time of graceful restart.  PR 26467.

  | mod_cgid:

  |  - Correct mod_cgid's argv[0] so that the full path can be

  |    delved by the invoked cgi application, to conform to the

  |    behavior of mod_cgi.

  | mod_include:

  |  - Fix possible environment variable corruption when using

  |    nested includes.  PR 12655.

  | mod_ldap:

  |  - Fix PR 36563. Keep track of the number of attributes

  |    retrieved from LDAP so that all of the values can be

  |    properly cached even if the value is NULL. 

  |  - Fix core dump if mod_auth_ldap's

  |    mod_auth_ldap_auth_checker() was called even if

  |    mod_auth_ldap_check_user_id() was not (or if it didn't

  |    succeed) for non-authoritative cases.

  |  - Avoid segfaults when opening connections if using a version

  |    of OpenLDAP older than 2.2.21.  PR 34618.

  |  - Fix various shared memory cache handling bugs.  PR 34209.

  | mod_proxy:

  |  - Fix over-eager handling of '%' for reverse proxies.  PR

  |    15207.

  |  - proxy HTTP: If a response contains both Transfer-Encoding

  |    and a Content-Length, remove the Content-Length and don't

  |    reuse the connection, mitigating some HTTP Response

  |    Splitting attacks.

  |  - proxy HTTP: Rework the handling of request bodies to handle

  |    chunked input and input filters which modify content length,

  |    and avoid spooling arbitrary-sized request bodies in memory.

  |    PR 15859.

  | mod_ssl:

  |  - Fix build with OpenSSL 0.9.8.  PR 35757.

  | mod_rewrite:

  |  - use buffered I/O to improve performance with large

  |    RewriteMap txt: files.

  | mod_userdir:

  |  - Fix possible memory corruption issue.  PR 34588.

- drop obsolete patches httpd-2.0.54-openssl-0.9.8.dif 

                        httpd-2.0.54-CAN-2005-1268-mod_ssl-crl.dif 

                        apache2-bundled-pcre-5.0-CAN-2005-2491.dif 

                        httpd-2.0.54-SSLVerifyClient-CAN-2005-2700.diff 

                        httpd-2.0.54-ap_byterange-CAN-2005-2728.diff

- add httpd-2.0.55-37145_2.0.x.diff (broken mod_proxy in 2.0.55)

​

-------------------------------------------------------------------

Thu Oct 20 15:50:35 CEST 2005 - poeml@suse.de

​

- rc.apache2: when stopping the server, wait for the actual binary

  of the parent process to disappear. Waiting for the pid file to

  disappear is not sufficient, because not all cleanup might be

  finished at the time of its removal. [#96492], [#85539]

​

-------------------------------------------------------------------

Wed Oct 12 15:42:47 CEST 2005 - poeml@suse.de

​

- fix security hole by wrongly initializing LD_LIBRARY_PATH in

  /usr/sbin/envvars (used by apache2ctl only) [#118188]

​

-------------------------------------------------------------------

Fri Sep 30 09:47:20 CEST 2005 - poeml@suse.de

​

- accomodate API changes to OpenSSL 0.9.8 (r209468 from 2.0.x branch)

​

-------------------------------------------------------------------

Mon Sep 26 01:24:18 CEST 2005 - ro@suse.de

​

- define LDAP_DEPRECATED in CFLAGS 

​

-------------------------------------------------------------------

Fri Sep  2 12:55:08 CEST 2005 - poeml@suse.de

​

- security fix [CAN-2005-2728 (cve.mitre.org)]:

  fix memory consumption bug in byterange handling

- security fix [CAN-2005-2700 (cve.mitre.org)]: [#114701]

  if "SSLVerifyClient optional" has been configured at the vhost

  context then "SSLVerifyClient require" is not enforced in a

  location context within that vhost; effectively allowing clients

  to bypass client-cert authentication checks. [#114701]

​

-------------------------------------------------------------------

Wed Aug 31 15:39:38 CEST 2005 - poeml@suse.de

​

- Security fix: fix integer overflows in PCRE in quantifier parsing which

  could be triggered by a local user through use of a carefully-crafted

  regex in an .htaccess file. CAN-2005-2491 [#112651] [#106209]

​

-------------------------------------------------------------------

Tue Aug 30 17:41:46 CEST 2005 - lmuelle@suse.de

​

- Escape also any forward slash while removing a word with sysconf_addword.

​

-------------------------------------------------------------------

Fri Aug 26 14:33:34 CEST 2005 - lmuelle@suse.de

​

- Escape any forward slash in the word argument of sysconf_addword.

​

-------------------------------------------------------------------

Sun Aug 14 00:20:26 CEST 2005 - ro@suse.de

​

- alingn suexec2 permissions with permissions.secure 

​

-------------------------------------------------------------------

Thu Aug 11 11:09:49 CEST 2005 - poeml@suse.de

​

- the permissions files are now maintained centrally and packaged

  in the permissions package. Package suexec2 with mode 0750. [#66304]

​

-------------------------------------------------------------------

Fri Aug  5 13:10:21 CEST 2005 - poeml@suse.de

​

- change SSLMutex "default" so APR always picks the best on the

  platform

- fix Source42 tag which was present twice

- add a2enmod/a2enflag to add/remove modules/flags conveniently

- add charset.conv table for mod_auth_ldap

- make sure that suse_version is defined (it might be unset by e.g.

  ISPs preinstallations)

​

-------------------------------------------------------------------

Tue Jul 12 23:49:29 CEST 2005 - poeml@suse.de

​

- security fix [CAN-2005-2088 (cve.mitre.org)]: core: If a request

  contains both Transfer-Encoding and a Content-Length, remove the

  Content-Length, stopping some HTTP Request smuggling attacks.

  mod_proxy: Reject chunked requests. [#95709]

- security fix [CAN-2005-1268 (cve.mitre.org)]: mod_ssl: fix

  off-by-one overflow whilst printing CRL information at "LogLevel

  debug" which could be triggered if configured to use a

  "malicious" CRL.  PR 35081. [#95709]

​

-------------------------------------------------------------------

Mon Jun 20 12:57:17 CEST 2005 - poeml@suse.de

​

- add httpd-2.0.47-pie.patch from from 2.1.3-dev to compile with

  -fpie and link with -pie

​

-------------------------------------------------------------------

Wed May 18 16:46:22 CEST 2005 - poeml@suse.de

​

- update to 2.0.54. Relevant changes:

  | mod_cache: 

  |  - Add CacheIgnoreHeaders directive.  PR 30399.

  | mod_dav:

  | - Correctly export all public functions.

  | mod_ldap:

  | - Added the directive LDAPConnectionTimeout to configure the

  |   ldap socket connection timeout value.

  | mod_ssl: 

  | - If SSLUsername is used, set r->user earlier.  PR 31418.

  | miscellaneous:

  | - Unix MPMs: Shut down the server more quickly when child

  |   processes are slow to exit.

  | - worker MPM: Fix a problem which could cause httpd processes

  |   to remain active after shutdown.

  | - Remove formatting characters from ap_log_error() calls.

  |   These were escaped as fallout from CAN-2003-0020.

  | - core_input_filter: Move buckets to a persistent brigade

  |   instead of creating a new brigade. This stop a memory leak

  |   when proxying a Streaming Media Server. PR 33382.

  | - htdigest: Fix permissions of created files.  PR 33765.

​

-------------------------------------------------------------------

Mon Mar 14 17:13:27 CET 2005 - poeml@suse.de

​

- revise README

​

-------------------------------------------------------------------

Mon Mar  7 17:14:16 CET 2005 - poeml@suse.de

​

- when building the suexec binary, set the "docroot" compile time

  option to the datadir (/srv/www) instead of the htdocsdir

  (/srv/www/htdocs), so it can be used with virtual hosts placed

  e.g. in /srv/www/vhosts [#63845] Suggested by Winfried Kuiper.

- add php5 to APACHE_MODULES by default, so it can be used simply

  by installing the package. Suppress warning about not-found

  module in the php4/php5 case. [#66729]

- remove a redundant get_module_list call from the init script

- add hints about vhost setup to README.QUICKSTART

- after a change of APACHE_MPM, apache2-reconfigure-mpm is no

  longer needed since SuSEconfig.apache2 is gone. Leave it for

  compatibility, because /etc/sysconfig/apache2 is probably not

  updated and yast may still use it.

- move the 4 most important variables in sysconfig.apache2 to the

  top of the file

- add note about the old monolithic configuration file and how to

  use it

- drop patch httpd-2.0.40-openssl-version.dif (we don't even have

  openssl-0.9.6e anywhere, any longer)

​

-------------------------------------------------------------------

Wed Mar  2 12:38:55 CET 2005 - poeml@suse.de

​

- fix TLS upgrade patch: with SSLEngine set to Optional, an

  additional token in an Upgrade: header before "TLS/1.0" could

  result into an infinite loop [#67126]

​