Hello community, here is the log from the commit of package apache2 checked in at Wed Dec 20 18:01:14 CET 2006. -------- --- apache2/apache2.changes 2006-09-26 11:28:32.000000000 +0200 +++ /mounts/work_src_done/STABLE/apache2/apache2.changes 2006-12-20 16:01:04.000000000 +0100 @@ -1,0 +2,9 @@ +Wed Dec 20 15:58:35 CET 2006 - poeml@suse.de + +- set a proper HOME (/var/lib/apache2), otherwise the server might + end up HOME=/root and some script might try to use that [#132769] +- add two notes to the QUICKSTART readmes +- don't install /etc/apache2/extra configuration since this is only + serving as an example and installed with the documentation anyway + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.Ted7X4/_old 2006-12-20 17:56:37.000000000 +0100 +++ /var/tmp/diff_new_pack.Ted7X4/_new 2006-12-20 17:56:37.000000000 +0100 @@ -50,11 +50,11 @@ # "Server:" header %define VENDOR SUSE %define platform_string Linux/%VENDOR -License: Apache +License: The Apache Software License Group: Productivity/Networking/Web/Servers %define realver 2.2.3 Version: 2.2.3 -Release: 6 +Release: 23 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 Source10: SUSE-NOTICE @@ -684,6 +684,7 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/%{pname}-*/*.exp # needed only on AIX rm -f $RPM_BUILD_ROOT/%{_libdir}/%{pname}/*.exp # needed only on AIX rm -f $RPM_BUILD_ROOT/%{_sbindir}/checkgid # needed only for user installations from tarball +rm -r $RPM_BUILD_ROOT/%{sysconfdir}/extra # it is already in the documentation directory # @@ -801,7 +802,6 @@ %endif %config /etc/init.d/%{pname} # -%config %{sysconfdir}/extra %{_sbindir}/rc%{pname} %{_sbindir}/ab%{vers} %{_sbindir}/apache%{vers}ctl 
@@ -1005,6 +1005,12 @@ fi %changelog -n apache2 +* Wed Dec 20 2006 - poeml@suse.de +- set a proper HOME (/var/lib/apache2), otherwise the server might + end up HOME=/root and some script might try to use that [#132769] +- add two notes to the QUICKSTART readmes +- don't install /etc/apache2/extra configuration since this is only + serving as an example and installed with the documentation anyway * Tue Sep 26 2006 - poeml@suse.de - add rpm macro for suexec_safepath - use _bindir/_sbindir in a few places [#202355] @@ -1358,7 +1364,7 @@ "malicious" CRL. PR 35081. [#95709] * Mon Jun 20 2005 - poeml@suse.de - add httpd-2.0.47-pie.patch from from 2.1.3-dev to compile with --fpie and link with -pie + -fpie and link with -pie * Wed May 18 2005 - poeml@suse.de - update to 2.0.54. Relevant changes: | mod_cache: @@ -1539,9 +1545,9 @@ * Fri Oct 15 2004 - poeml@suse.de - fix SSLCipherSuite bypass CAN-2004-0885 (cve.mitre.org) [#47117] - update the TLS upgrade patch [#47207] -- mod_ssl returned invalid method on TLS upgraded connections -- additional checks for httpd_method and default_port hooks -- fixed typo in upgrade header + - mod_ssl returned invalid method on TLS upgraded connections + - additional checks for httpd_method and default_port hooks + - fixed typo in upgrade header - add patches from Ruediger Pluem for the experimental modules mod_disk_cache, mod_cache PR 21492: mod_disk_cache: Do not store aborted content. @@ -1865,8 +1871,8 @@ enabled by building via rpmbuild --define 'build_with_LFS 1' * Thu Mar 18 2004 - poeml@suse.de - update to proposed 2.0.49 tarball -- mod_cgid: Fix storage corruption caused by use of incorrect pool. -- docs update + - mod_cgid: Fix storage corruption caused by use of incorrect pool. + - docs update - remove APACHE_DOCUMENT_ROOT from sysconfig.apache2 [#32635] - fix a comment in default-server.conf - remove obsolete ssl_scache_cleanup support script and ftok helper 
@@ -2103,27 +2109,27 @@ mod_rewrite which occurred if one configured a regular expression with more than 9 captures. mod_rewrite: -- Don't die silently when failing to open RewriteLogs. PR 23416 -- Fix support of the [P] option to send rewritten request using + - Don't die silently when failing to open RewriteLogs. PR 23416 + - Fix support of the [P] option to send rewritten request using "proxy:". The code was adding multiple "proxy:" fields in the rewritten URI. PR: 13946. -- Ignore RewriteRules in .htaccess files if the directory + - Ignore RewriteRules in .htaccess files if the directory containing the .htaccess file is requested without a trailing slash. PR 20195. mod_include: -- Fix a trio of bugs that would cause various unusual sequences + - Fix a trio of bugs that would cause various unusual sequences of parsed bytes to omit portions of the output stream. PR 21095 -- fix segfault which occured if the filename was not set, for + - fix segfault which occured if the filename was not set, for example, when processing some error conditions. mod_cgid: fix a hash table corruption problem which could result in the wrong script being cleaned up at the end of a request. mod_ssl: Fix segfaults after renegotiation failure. PR 21370 -- Fix a problem setting variables that represent the client + - Fix a problem setting variables that represent the client certificate chain. PR 21371 -- Fix FakeBasicAuth for subrequest. Log an error when an + - Fix FakeBasicAuth for subrequest. Log an error when an identity spoof is encountered. -- Assure that we block properly when reading input bodies with + - Assure that we block properly when reading input bodies with SSL. PR 19242. mod_autoindex: If a directory contains a file listed in the DirectoryIndex directive, the folder icon is no longer replaced 
@@ -2131,16 +2137,16 @@ mod_usertrack: do not get false positive matches on the user-tracking cookie's name. PR 16661. mod_cache: -- Fix the cache code so that responses can be cached if they + - Fix the cache code so that responses can be cached if they have an Expires header but no Etag or Last-Modified headers. PR 23130. cache_util: Fix ap_check_cache_freshness to check max_age, smax_age, and expires as directed in RFC 2616. mod_deflate: -- fix to not call deflate() without checking first whether it + - fix to not call deflate() without checking first whether it has something to deflate. (Currently this causes deflate to generate a fatal error according to the zlib spec.) PR 22259. -- Don't attempt to hold all of the response until we're done. -- Fix a bug, where mod_deflate sometimes unconditionally + - Don't attempt to hold all of the response until we're done. + - Fix a bug, where mod_deflate sometimes unconditionally compressed the content if the Accept-Encoding header contained only other tokens than "gzip" (such as "deflate"). PR 21523. 
@@ -2153,32 +2159,32 @@ mod_ext_filter: Set additional environment variables for use by the external filter. PR 20944. core: -- allow <Foo>..</Foo> containers (no arguments in the opening + - allow <Foo>..</Foo> containers (no arguments in the opening tag), as in 1.3. Needed by mod_perl <Perl> sections -- Fix a misleading message from the some of the threaded MPMs + - Fix a misleading message from the some of the threaded MPMs when MaxClients has to be lowered due to the setting of ServerLimit. -- Avoid an infinite recursion, which occured if the name of an + - Avoid an infinite recursion, which occured if the name of an included config file or directory contained a wildcard character. PR 22194. -- MPMs: The bucket brigades subsystem now honors the MaxMemFree + - MPMs: The bucket brigades subsystem now honors the MaxMemFree setting. -- Lower the severity of the "listener thread didn't exit" + - Lower the severity of the "listener thread didn't exit" message to debug, as it is of interest only to developers. miscellaneous: -- Update the header token parsing code to allow LWS between the + - Update the header token parsing code to allow LWS between the token word and the ':' seperator. [PR 16520] -- Remember an authenticated user during internal redirects if + - Remember an authenticated user during internal redirects if the redirection target is not access protected and pass it to scripts using the REDIRECT_REMOTE_USER environment variable. PR 10678, 11602. -- Update mime.types to include latest IANA and W3C types. -- Modify ap_get_client_block() to note if it has seen EOS. + - Update mime.types to include latest IANA and W3C types. + - Modify ap_get_client_block() to note if it has seen EOS. ab: -- Overlong credentials given via command line no longer clobber + - Overlong credentials given via command line no longer clobber the buffer. -- Work over non-loopback on Unix again. PR 21495. 
-- Fix NULL-pointer issue in ab when parsing an incomplete or + - Work over non-loopback on Unix again. PR 21495. + - Fix NULL-pointer issue in ab when parsing an incomplete or non-HTTP response. PR 21085. - add another example to apache2-listen.conf - update apache2-mod_mime-defaults.conf according to 2.0.48 changes @@ -2238,17 +2244,17 @@ DocumentRoot in default-server.conf * Fri Aug 15 2003 - poeml@suse.de - revamped configuration -- add some CustomLog formats -- AddDefaultCharset UTF-8 [#22427] -- add activation metadata to sysconfig template [#28834] -- default APACHE_MODULES: add mod_ssl, remove mod_status -- new sysconfig variables: APACHE_USE_CANONICAL_NAME, + - add some CustomLog formats + - AddDefaultCharset UTF-8 [#22427] + - add activation metadata to sysconfig template [#28834] + - default APACHE_MODULES: add mod_ssl, remove mod_status + - new sysconfig variables: APACHE_USE_CANONICAL_NAME, APACHE_DOCUMENT_ROOT -- get rid of the "suse_" prefix in generated config snippets, and + - get rid of the "suse_" prefix in generated config snippets, and place them below /etc/apache2/sysconfig.d/. On update, convert the Include statements in httpd.conf for the new locations -- add /etc/apache2/vhosts.d and virtual host templates -- the configuration for the manual is now seperate and installed + - add /etc/apache2/vhosts.d and virtual host templates + - the configuration for the manual is now seperate and installed together with apache2-doc (conf.d/apache2-manual.conf) - add distilled wisdom in form of README.QUICKSTART - change group of wwwrun user: nogroup -> www [#21782] 
@@ -2278,7 +2284,7 @@ - build with -D_FILE_OFFSET_BITS=64 when presumably the kernel supports sendfile64 [#22191, #22018]. Define APR_HAS_LARGE_FILES (which is unconditionally off, otherwise). Keep --D_LARGEFILE_SOURCE since some modules might need it. + -D_LARGEFILE_SOURCE since some modules might need it. - make sure the package can be built as ordinary user - special case mod_auth_mysql since its module_id is reversed - don't increase DYNAMIC_MODULE_LIMIT (64 should be copious) @@ -2286,7 +2292,7 @@ keep the stripped information somewhere - reformat the header of the spec file - allow to pass a number-of-jobs parameter into spec file via rpm ---define 'jobs N' + --define 'jobs N' * Thu Jul 10 2003 - poeml@suse.de - update to 2.0.47. relevant / user visible changes: Security [CAN-2003-0192]: Fixed a bug whereby certain sequences 
@@ -2331,32 +2337,32 @@ vulnerability affecting basic authentication Security: forward port of buffer overflow fixes for htdigest. mod_ssl: -- SSL session caching(shmht) : Fix a SEGV problem with SHMHT + - SSL session caching(shmht) : Fix a SEGV problem with SHMHT session caching. mod_deflate: -- Add another check for already compressed content -- Check also err_headers_out for an already set + - Add another check for already compressed content + - Check also err_headers_out for an already set Content-Encoding: gzip header. This prevents gzip compressed content from a CGI script from being compressed once more. mod_mime_magic: -- If mod_mime_magic does not know the content-type, do not + - If mod_mime_magic does not know the content-type, do not attempt to guess. mod_rewrite: -- Fix handling of absolute URIs. + - Fix handling of absolute URIs. mod_log_config: -- Add the ability to log the id of the thread processing the + - Add the ability to log the id of the thread processing the request via new %%P formats. mod_auth_ldap: -- Use generic whitespace character class when parsing "require" + - Use generic whitespace character class when parsing "require" directives, instead of literal spaces only. mod_proxy: -- Fixed a segfault when multiple ProxyBlock directives were used. -- Added AllowEncodedSlashes directive to permit control of + - Fixed a segfault when multiple ProxyBlock directives were used. + - Added AllowEncodedSlashes directive to permit control of whether the server will accept encoded slashes ('%%2f') in the URI path. Default condition is off (the historical behaviour). -- If Apache is started as root and you code CoreDumpDirectory, + - If Apache is started as root and you code CoreDumpDirectory, coredumps are enabled via the prctl() syscall. -- htpasswd: Check the processed file on validity; add a delete flag. + - htpasswd: Check the processed file on validity; add a delete flag. 
- httpd-2.0.45-libtool-1.5.dif is obsolete - mark suse_include.conf as %%ghost - note the rebirth of the httpd and apachectl man pages (thanks to @@ -2382,21 +2388,21 @@ vulnerability identified by David Endler <DEndler@iDefense.com> on all platforms. General: -- Fix segfault which occurred when a section in an included + - Fix segfault which occurred when a section in an included configuration file was not closed. PR 17093. -- Fix a nasty segfault in mmap_bucket_setaside() caused by + - Fix a nasty segfault in mmap_bucket_setaside() caused by passing an incompatible pointer type to mmap_bucket_destroy(void*). -- prevent filters (such as mod_deflate) from adding garbage to + - prevent filters (such as mod_deflate) from adding garbage to the response. PR 14451. -- Simpler, faster code path for request header scanning -- Try to log an error if a piped log program fails. Try to + - Simpler, faster code path for request header scanning + - Try to log an error if a piped log program fails. Try to restart a piped log program in more failure situations. -- Fix bug where 'Satisfy Any' without an AuthType lost all MIME + - Fix bug where 'Satisfy Any' without an AuthType lost all MIME information (and more). Related to PR 9076. -- Fix If header parsing when a non-mod_dav lock token is passed to it. -- Fix apxs to insert LoadModule directives only outside of + - Fix If header parsing when a non-mod_dav lock token is passed to it. + - Fix apxs to insert LoadModule directives only outside of sections. -- apxs: Include any special APR ld flags when linking the DSO. + - apxs: Include any special APR ld flags when linking the DSO. suexec: Be more pedantic when cleaning environment. Clean it immediately after startup. PR 2790, 10449. Use saner default config values for suexec. PR 15713. 
@@ -2405,10 +2411,10 @@ bad shebang line, etc. Fix possible segfaults under obscure error conditions within the cgid daemon. mod_deflate: -- you can now specify the compression level. -- Extend the DeflateFilterNote directive to allow accurate + - you can now specify the compression level. + - Extend the DeflateFilterNote directive to allow accurate logging of the filter's in- and outstream. -- Fix potential memory leaks in mod_deflate on malformed data. PR 16046. + - Fix potential memory leaks in mod_deflate on malformed data. PR 16046. mod_ssl: Allow SSLMutex to select/use the full range of APR locking mechanisms available to it. Also, fix the bug that SSLMutex 
@@ -2416,38 +2422,38 @@ mod_autoindex no longer forgets output format and enabled version sort in linked column headers. mod_rewrite: -- Prevent endless loops of internal redirects in mod_rewrite by + - Prevent endless loops of internal redirects in mod_rewrite by aborting after exceeding a limit of internal redirects. The limit defaults to 10 and can be changed using the RewriteOptions directive. PR 17462. -- Allow "RewriteEngine Off" even if no "Options FollowSymlinks" + - Allow "RewriteEngine Off" even if no "Options FollowSymlinks" (or SymlinksIfOwnermatch) is set. PR 12395. mod_ldap: -- Updated mod_ldap and mod_auth_ldap to support the Novell LDAP + - Updated mod_ldap and mod_auth_ldap to support the Novell LDAP SDK SSL and standardized the LDAP SSL support across the various LDAP SDKs. Isolated the SSL functionality to mod_ldap rather than speading it across mod_auth_ldap and mod_ldap. Also added LDAPTrustedCA and LDAPTrustedCAType directives to mod_ldap to allow for a more common method of specifying the SSL certificate. -- fix fault when caching was disabled, and some memory leaks -- Fix mod_ldap to open an existing shared memory file should + - fix fault when caching was disabled, and some memory leaks + - Fix mod_ldap to open an existing shared memory file should one already exist. PR 12757. -- Added character set support to mod_auth_LDAP to allow it to + - Added character set support to mod_auth_LDAP to allow it to convert extended characters used in the user ID to UTF-8 before authenticating against the LDAP directory. The new directive AuthLDAPCharsetConfig is used to specify the config file that contains the character set conversion table. mod_ssl: -- Fixed mod_ssl's SSLCertificateChain initialization to no + - Fixed mod_ssl's SSLCertificateChain initialization to no longer skip the first cert of the chain by default. This misbehavior was introduced in 2.0.34. PR 14560 -- Fix 64-bit problem in mod_ssl input logic. 
+ - Fix 64-bit problem in mod_ssl input logic. mod_proxy: -- Hook mod_proxy's fixup before mod_rewrite's fixup, so that by + - Hook mod_proxy's fixup before mod_rewrite's fixup, so that by mod_rewrite proxied URLs will not be escaped accidentally by mod_proxy's fixup. PR 16368 -- Don't remove the Content-Length from responses in mod_proxy PR: 8677 + - Don't remove the Content-Length from responses in mod_proxy PR: 8677 mod_auth_digest no longer tries to guess AuthDigestDomain, if it's not specified. Now it assumes "/" as already documented. PR 16937. mod_file_cache: fix segfaults @@ -2508,11 +2514,11 @@ - update README.SuSE * Tue Jan 28 2003 - poeml@suse.de - rc.apache2 -- add extreme-configtest (trying to run server as nobody, which + - add extreme-configtest (trying to run server as nobody, which detects _all_ config errors) -- evaluate LOADMODULES from sysconfig.apache2 on-the-fly from + - evaluate LOADMODULES from sysconfig.apache2 on-the-fly from rcapache2 instead of SuSEconfig -- when restarting, do something useful instead of 'sleep 3': wait + - when restarting, do something useful instead of 'sleep 3': wait just as long until the server has terminated all children * Sun Jan 26 2003 - poeml@suse.de - build mod_logio, mod_case_filter, mod_case_filter_in 
@@ -2546,27 +2552,27 @@ httpd.conf-std.in * Wed Dec 18 2002 - poeml@suse.de - sysconfig.apache2: -- add APACHE_SERVER_FLAGS variable -- change default: APACHE_SERVERSIGNATURE=on to match apache deflt -- add APACHE_CONF_INCLUDE_DIRS -- drop bogus APACHE_ACCESS_SERVERINFO variable -- adapt to our new sysconfig template + - add APACHE_SERVER_FLAGS variable + - change default: APACHE_SERVERSIGNATURE=on to match apache deflt + - add APACHE_CONF_INCLUDE_DIRS + - drop bogus APACHE_ACCESS_SERVERINFO variable + - adapt to our new sysconfig template - SuSEconfig.apache2: -- understand LOADMODULES also if it is not an array [#21816] -- be very flexible with regard to LOADMODULE input (e.g., say + - understand LOADMODULES also if it is not an array [#21816] + - be very flexible with regard to LOADMODULE input (e.g., say mod_php4 and it will find libphp4.so with ID php4_module) -- also ignore *,v files -- include APACHE_CONF_INCLUDE_DIRS -- dump some files: suse_define.conf (not needed) & suse_text.conf + - also ignore *,v files + - include APACHE_CONF_INCLUDE_DIRS + - dump some files: suse_define.conf (not needed) & suse_text.conf (too much overhead) - rc.apache2: -- implement most of apachectl's commands (graceful, configtest) -- use server_flags from sysconfig.apache2 -- pass server flags like -DSTATUS from the command line through + - implement most of apachectl's commands (graceful, configtest) + - use server_flags from sysconfig.apache2 + - pass server flags like -DSTATUS from the command line through to httpd2 -- add commmands to show the server status -- don't quit silently when no apache MPM is installed -- handle ServerSignature and other stuff on the command line + - add commmands to show the server status + - don't quit silently when no apache MPM is installed + - handle ServerSignature and other stuff on the command line (save modifications to httpd.conf) - fix the /manual Alias that points to the documentation - configure /cgi-bin for cgi execution ++++++ 
apache2-README.QUICKSTART ++++++ --- apache2/apache2-README.QUICKSTART 2006-06-08 15:29:49.000000000 +0200 +++ /mounts/work_src_done/STABLE/apache2/apache2-README.QUICKSTART 2006-11-07 20:12:02.000000000 +0100 @@ -53,6 +53,7 @@ NameVirtualHost directives. - copy the commented template /etc/apache2/vhosts.d/vhost.template to /etc/apache2/vhosts.d/yourhost.conf + (note, it must end in .conf to be automatically read) - edit /etc/apache2/vhosts.d/yourhost.conf to suit your needs - alternative approach: simply append the NameVirtualHost directive and the <VirtualHost> container to your local configuration (httpd.conf.local -- ++++++ apache2-README.QUICKSTART.SSL ++++++ --- apache2/apache2-README.QUICKSTART.SSL 2006-06-08 15:24:59.000000000 +0200 +++ /mounts/work_src_done/STABLE/apache2/apache2-README.QUICKSTART.SSL 2006-11-07 20:11:31.000000000 +0100 @@ -30,7 +30,8 @@ /etc/apache2/ssl.csr/server.csr - a copy of ca.crt will be installed as /srv/www/htdocs/CA.crt for download. - cp vhosts.d/vhost-ssl.template vhosts.d/vhost-ssl.conf - - adapt vhosts.d/vhost-ssl.conf and default-server.conf al gusto + and adapt vhosts.d/vhost-ssl.conf al gusto + (note it must end in .conf to be read automatically) o to check your vhost setup, use "httpd2 -S -DSSL" ++++++ rc.apache2 ++++++ --- apache2/rc.apache2 2006-04-28 17:00:48.000000000 +0200 +++ /mounts/work_src_done/STABLE/apache2/rc.apache2 2006-12-20 15:58:33.000000000 +0100 @@ -28,6 +28,7 @@ : ${sysconfig_apache:=/etc/sysconfig/$pname} : ${pidfile:=/var/run/httpd2.pid} : ${logdir:=/var/log/$pname} +: ${homedir:=/var/lib/$pname} # # load the configuration 
@@ -55,6 +56,10 @@ rc_exit fi +# a proper home should be set, otherwise the server might end up +# with HOME=/root and some script might try to use that +HOME=$homedir + get_server_flags() { unset server_flags ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...
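
Review bot: In the rc.apache2 hunk at @@ -55,6 +56,10 @@, `HOME=$homedir` is a plain assignment with no `export` visible in the hunk. It only reaches the server process if HOME was already in the init script's environment; when the script starts with HOME unset, the value stays a shell-local variable and CGI or other child processes still do not see /var/lib/apache2. Suggest `HOME="$homedir"; export HOME`, with quotes since `homedir` is defaulted before the sysconfig file is loaded and can therefore be overridden from there. If that override is intended, it should be documented alongside the other sysconfig settings.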
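
Review bot: In the apache2.spec hunk at @@ -684,6 +684,7 @@, the new `rm -r $RPM_BUILD_ROOT/%{sysconfdir}/extra` differs from the three `rm -f` lines above it: without `-f` the %install step fails as soon as the upstream install stops creating that directory. Use `rm -rf` for consistency, or keep the hard failure and say so in the trailing comment. The matching %files hunk drops `%config %{sysconfdir}/extra`, so on upgrade rpm removes unmodified copies and renames modified ones to .rpmsave; any local `Include` that points at /etc/apache2/extra will then break, which deserves a line in the .changes entry. The License and Release changes in the first spec hunk are also not mentioned there.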
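
Review bot: The %changelog hunks from @@ -1358,7 +1364,7 @@ through @@ -2546,27 +2552,27 @@ only re-indent historical entries (leading `-` changed to an indented ` -`), which is unrelated to the three items in the new entry and is not mentioned in it. Mixed into the same commit, this makes the functional change (HOME handling, dropping /etc/apache2/extra) hard to pick out and pollutes later blame output on security-relevant entries such as CAN-2004-0885 and CAN-2003-0192. Suggest committing the whitespace cleanup separately, or at least adding a "reformat old changelog entries" item. The duplicated word in "from from 2.1.3-dev" is still present in the touched entry and could be fixed at the same time.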
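
Review bot: In the apache2-README.QUICKSTART.SSL hunk at @@ -30,7 +30,8 @@, the rewritten step no longer tells the reader to adapt default-server.conf, although the changelog describes the change only as "add two notes". If dropping that instruction is deliberate, say so in the entry; if not, restore it. The two added notes are also worded differently ("(note, it must end in .conf to be automatically read)" in README.QUICKSTART versus "(note it must end in .conf to be read automatically)" here); use one wording in both files.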