Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2024-08-08 10:57:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2"

Thu Aug 8 10:57:11 2024 rev:211 rq:1192286 version:2.4.62

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2024-07-09 20:03:30.151615477 +0200
+++ /work/SRC/openSUSE:Factory/.apache2.new.7232/apache2.changes 2024-08-08 10:57:29.041364772 +0200
@@ -1,0 +2,46 @@ +Sat Aug 3 17:27:07 UTC 2024 - Arjen de Korte <suse+build@de-korte.org> + +- Update to 2.4.62 + + *) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with + mod_rewrite in server/vhost context on Windows (cve.mitre.org) + [boo#1228098] + SSRF in Apache HTTP Server on Windows with mod_rewrite in + server/vhost context, allows to potentially leak NTML hashes to + a malicious server via SSRF and malicious requests. + Users are recommended to upgrade to version 2.4.62 which fixes + this issue. + Credits: Smi1e (DBAPPSecurity Ltd.) + + *) SECURITY: CVE-2024-40725: Apache HTTP Server: source code + disclosure with handlers configured via AddType (cve.mitre.org) + [boo#1228097] + A partial fix for CVE-2024-39884 in the core of Apache HTTP + Server 2.4.61 ignores some use of the legacy content-type based + configuration of handlers. "AddType" and similar configuration, + under some circumstances where files are requested indirectly, + result in source code disclosure of local content. For example, + PHP scripts may be served instead of interpreted. + Users are recommended to upgrade to version 2.4.62, which fixes + this issue. + + *) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for + "balancer:" URLs set via SetHandler, also allowing for "unix:" sockets + with BalancerMember(s). PR 69168. [Yann Ylavic] + + *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs. + PR 69160 [Yann Ylavic] + + *) mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2. + [Joe Orton] + + *) mod_ssl: Add support for loading certs/keys from pkcs11: URIs + via OpenSSL 3.x providers. [Ingo Franzki <ifranzki linux.ibm.com>] + + *) mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= 3.0. + [Ruediger Pluem, Yann Ylavic] + + *) mpm_worker: Fix possible warning (AH00045) about children processes not + terminating timely. 
[Yann Ylavic] + +------------------------------------------------------------------- Old: ---- httpd-2.4.61.tar.bz2 httpd-2.4.61.tar.bz2.asc New: ---- httpd-2.4.62.tar.bz2 httpd-2.4.62.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.4e8xaq/_old 2024-08-08 10:57:30.469423480 +0200 +++ /var/tmp/diff_new_pack.4e8xaq/_new 2024-08-08 10:57:30.473423644 +0200 @@ -107,7 +107,7 @@ %define build_http2 1 Name: apache2%{psuffix} -Version: 2.4.61 +Version: 2.4.62 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 ++++++ httpd-2.4.61.tar.bz2 -> httpd-2.4.62.tar.bz2 ++++++ /work/SRC/openSUSE:Factory/apache2/httpd-2.4.61.tar.bz2 /work/SRC/openSUSE:Factory/.apache2.new.7232/httpd-2.4.62.tar.bz2 differ: char 11, line 1
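Review bot: the CVE-2024-40898 entry in the apache2.changes hunk reads "leak NTML hashes"; the protocol is NTLM, so the spelling should be corrected in the packaging changelog even if the wording was taken over verbatim from upstream, since this is the text users and vulnerability scanners will search. The same entry describes the issue as specific to Windows with mod_rewrite in server/vhost context, yet boo#1228098 is referenced without saying whether the openSUSE build is affected at all; a short line to that effect would save reviewers a lookup. The CVE-2024-40725 entry (legacy AddType-style handler configuration still serving source, for example PHP scripts, instead of interpreting it, after the partial CVE-2024-39884 fix in 2.4.61) is the one that matters for a Linux deployment and deserves the prominence here.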
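Review bot: the apache2.spec hunk only bumps Version from 2.4.61 to 2.4.62 and keeps Release: 0, which is consistent with the Old/New lists where httpd-2.4.62.tar.bz2 and its .asc replace the 2.4.61 pair. Since the tarball comparison line reports nothing beyond "differ: char 11, line 1", the detached signature is the only integrity evidence for the new source in this submission, so verify httpd-2.4.62.tar.bz2.asc against the expected upstream release key before accepting rq:1192286.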