Please note that this mail was generated by a script.
The described changes are computed based on the x86_64 DVD.
The full online repo contains too many changes to be listed here.
Please check the known defects of this snapshot before upgrading:
https://openqa.opensuse.org/tests/overview?distri=opensuse&groupid=1&version=Tumbleweed&build=20210604
Please do not reply to this email to report issues, rather file a bug
on bugzilla.opensuse.org. For more information on filing bugs please
see https://en.opensuse.org/openSUSE:Submitting_bug_reports
Packages changed:
Mesa (21.1.1 -> 21.1.2)
Mesa-drivers (21.1.1 -> 21.1.2)
apache2 (2.4.46 -> 2.4.48)
apache2-manual (2.4.46 -> 2.4.48)
apache2-prefork (2.4.46 -> 2.4.48)
apache2-utils (2.4.46 -> 2.4.48)
bolt (0.9 -> 0.9.1)
fetchmail
grub2
hwdata (0.347 -> 0.348)
libinput (1.17.3 -> 1.18.0)
libxml2 (2.9.10 -> 2.9.12)
libxslt
libyui (4.2.11 -> 4.2.13)
libyui-ncurses (4.2.11 -> 4.2.13)
libyui-ncurses-pkg (4.2.11 -> 4.2.13)
libyui-qt (4.2.11 -> 4.2.13)
libyui-qt-graph (4.2.11 -> 4.2.13)
libyui-qt-pkg (4.2.11 -> 4.2.13)
libzypp (17.25.10 -> 17.26.0)
patterns-base
python-libxml2 (2.9.10 -> 2.9.12)
python-lxml
redis (6.2.3 -> 6.2.4)
remmina (1.4.16 -> 1.4.18)
systemd-presets-common-SUSE
xapps (2.0.7 -> 2.2.0)
xf86-video-nouveau
zypper (1.14.44 -> 1.14.45)
=== Details ===
==== Mesa ====
Version update (21.1.1 -> 21.1.2)
Subpackages: Mesa-dri-devel Mesa-libEGL1 Mesa-libGL1 Mesa-libglapi0 libgbm1
- update to 21.1.2
* second bugfix
* mostly AMD and Intel changes as usual, but also a decent amount
of ARM fixes and more.
- no longer autoselect Mesa-dri-nouveau at all; autoselect
libvdpau_nouveau depending on PCI ID (boo#1186721)
==== Mesa-drivers ====
Version update (21.1.1 -> 21.1.2)
Subpackages: Mesa-dri Mesa-gallium Mesa-libva libvdpau_r300 libvdpau_r600 libvdpau_radeonsi libvulkan_intel libvulkan_radeon libxatracker2
- update to 21.1.2
* second bugfix
* mostly AMD and Intel changes as usual, but also a decent amount
of ARM fixes and more.
- no longer autoselect Mesa-dri-nouveau at all; autoselect
libvdpau_nouveau depending on PCI ID (boo#1186721)
==== apache2 ====
Version update (2.4.46 -> 2.4.48)
- version update to 2.4.48
Changes with Apache 2.4.48
*) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt out of the
fallback to mod_proxy_http for WebSocket upgrade and tunneling.
[Yann Ylavic]
*) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
BZ 65294. [Yann Ylavic]
*) core: Fix a regression that stripped the ETag header from 304 responses.
PR 61820. [Ruediger Pluem, Roy T. Fielding]
*) core: Adding SSL-related inquiry functions to the server API.
These functions are always available, even when no module providing
SSL is loaded. They provide their own "shadowing" implementation for
the optional functions of similar name that mod_ssl and impersonators
of mod_ssl provide.
This enables loading of several SSL-providing modules when all but
one of them registers itself into the new hooks. Two old-style SSL
modules will not work, as they replace the others' optional functions
with their own.
Modules using the old-style optional functions will continue to work
as core supplies its own versions of those.
The following has been added so far:
- ap_ssl_conn_is_ssl() to query if a connection is using SSL.
- ap_ssl_var_lookup() to query SSL-related variables for a
server/connection/request.
- Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
providing SSL can install their own value-supplying functions.
- ap_ssl_add_cert_files() to enable other modules like mod_md to provide
certificates and keys for an SSL module like mod_ssl.
- ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
provide a fallback certificate in case no 'proper' certificate is
available for an SSL module like mod_ssl.
- ap_ssl_answer_challenge() to enable other modules like mod_md to
provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
for the ACME protocol for an SSL module like mod_ssl. The function
and its hook provide PEM encoded data instead of file names.
- Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
'ssl_answer_challenge' where modules like mod_md can provide providers
to the above mentioned functions.
- These functions reside in the new 'http_ssl.h' header file.
[Stefan Eissing]
*) core/mod_ssl/mod_md: adding OCSP response provisioning as a core feature. This
allows modules to access and provide OCSP response data without being tied
to each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independent of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The areas of change:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate, for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certificates or none.
[Stefan Eissing]
*) mod_md: v2.4.0 with improvements and bugfixes
- MDPrivateKeys allows the specification of several types. Besides "RSA" plus
optional key lengths, elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With `MDPrivateKeys secp384r1 rsa2048` you get one ECDSA and one RSA
certificate, and all modern clients will use the shorter ECDSA, while older
clients will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
`MDomain *.host.net` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt, which disabled that version more than a year ago for
new accounts.
- Andreas Ulm (https://github.com/root360-AndreasUlm) implemented the
`renewing` call to `MDMessageCmd` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233.
- New event `challenge-setup:<type>:<domain>`, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in an MDomain.
- The max delay for retries has been raised to daily (this is, like all
retries, jittered somewhat to avoid repeats at a fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and unsupervised
certificate renewal is the goal. Refs #222.
- Test case and workaround for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Let's Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. It was confusing to users that
new certificates were deemed not usable before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exceed CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent, which apparently LE accepted,
but others reject.
[Stefan Eissing, @tlhackque, Andreas Ulm]
Changes with Apache 2.4.47
*) mod_dav_fs: Improve logging output when failing to open files for
writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
*) mod_http2: Fixed a race condition that could lead to streams being
aborted (RST to the client), although a response had been produced.
[Stefan Eissing]
*) mod_lua: Add support for Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem]
*) MPM event/worker: Fix possible crash in child process on early signal
delivery. PR 64533. [Ruediger Pluem]
*) mod_http2: sync with github standalone version 1.15.17
- Log requests and send the configured error response in case of early detected
errors like too many or too long headers. [Ruediger Pluem]
- new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
The default is on, which is the behaviour of older mod-h2 versions. When off, all
bytes are made available immediately to the main connection for sending them
out to the client. This fixes interop issues with certain flavours of gRPC, see
also https://github.com/icing/mod_h2/issues/207.
[Stefan Eissing]
*) mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159.
[Jonas Müntener, Christophe Jaillet]
*) "[mod_dav_fs etag handling] should really honor the FileETag setting".
- It now does.
- Add "Digest" to FileETag directive, allowing a strong ETag to be
generated using a file digest.
- Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
ETag generation.
- Add concept of "binary notes" to request_rec, allowing packed bit flags
to be added to a request.
- First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
the ETag to a strong ETag to comply with RFC requirements, such as those
mandated by various WebDAV extensions.
[Graham Leggett]
*) mod_proxy_http: Fix a possible crash when the origin connection gets
interrupted before completion. PR 64234.
[Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
*) mod_ssl: Do not keep connections to OCSP responders alive when doing
OCSP requests. PR 64135. [Ruediger Pluem]
*) mod_ssl: Improve the coalescing filter to buffer into larger TLS
records, and avoid revealing the HTTP header size via TLS record
boundaries (for common response generators).
[Joe Orton, Ruediger Pluem]
*) mod_proxy_hcheck: Don't pile up health checks if the previous one did
not finish before hcinterval. PR 63010. [Yann Ylavic]
*) mod_session: Improve session parsing. [Yann Ylavic]
*) mod_authnz_ldap: Prevent authentications with empty passwords for the
initial bind from failing with status 500. [Ruediger Pluem]
*) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
the format can't match anyway. [Yann Ylavic]
*) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
Transfer-Encoding from the client, spooling the request body when needed
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
*) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
proxy_util. [Yann Ylavic]
*) mod_proxy: Improve tunneling loop to support half-closed connections and
pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
*) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
and switched protocol forwarding. [Yann Ylavic]
*) mod_proxy_wstunnel: Leave Upgrade request handling to mod_proxy_http,
allowing for (non-)Upgrade negotiation with the origin server.
[Yann Ylavic]
*) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
codes. PR 63628. [Martin Drößler <mail martindroessler.de>]
*) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
directives. [Yann Ylavic]
*) core: Ensure that aborted connections are logged as such. PR 62823.
[Arnaud Grandville]
*) http: Allow unknown response status lines returned in the form of
"HTTP/x.x xxx Status xxx". [Yann Ylavic]
*) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
leading to Request Timeout (408). PR 63855. [Yann Ylavic]
*) core: Remove headers on 304 Not Modified as specified by RFC 7234, as
opposed to passing an explicit subset of headers. PR 61820.
[Giovanni Bechis]
*) mpm_event: Don't reset connections after lingering close, restoring the
pre-2.4.28 behaviour. [Yann Ylavic]
*) mpm_event: Kill connections in keepalive state only when there are no more
workers available, not when the maximum number of connections is reached,
restoring the pre-2.4.30 behaviour. [Yann Ylavic]
*) mod_unique_id: Use base64url encoding for the UNIQUE_ID variable,
avoiding the use of '@'. PR 57044.
[Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
*) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
SameSite attribute. [Eric Covener]
*) mod_proxy: Add proxy check_trans hook. This allows proxy
modules to decline request handling at an early stage.
*) mod_proxy_wstunnel: Decline requests without an Upgrade
header so ws/wss can be enabled overlapping with later
http/https.
*) mod_http2: Log requests and send the configured error response in case of
early detected errors like too many or too long headers.
[Ruediger Pluem, Stefan Eissing]
*) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
as proposed by . [Stefan Eissing]
*) mod_ssl: Fix request body buffering with PHA in TLSv1.3. [Joe Orton]
*) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
value. PR 64598. [Ruediger Pluem]
*) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
substitution, such that they apply to the backend connection. Note that
connection reuse is disabled by default to avoid compatibility issues.
[Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
- modified sources
% apache2.keyring
- deleted patches
- apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
- lua54.patch (upstreamed)
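The mod_md 2.4.0 entries above describe the renewal retry policy in three parts: the retry delay is capped at one day, ACME errors that point at the configured data (a rejected contact address or domain name) switch straight to daily retries, and every delay gets a random +/-[0-50]% jitter so servers restarted at the same time of day do not all hit the CA together. The following is an added illustration of that policy, not mod_md's own code: the one-minute base delay, the exponential growth between retries, and the set of ACME problem types treated as configuration errors are assumptions made for this example.

```python
"""Capped, jittered retry scheduling of the kind the mod_md 2.4.0 changelog
describes. Added illustration, not mod_md's code: base delay, growth rule and
error classification are assumptions chosen to show the behaviour."""
import random
from typing import List, Optional

DAY = 24 * 60 * 60      # cap: no retry waits longer than a day (from the changelog)
BASE_DELAY = 60         # first retry after one minute (assumed for this example)

# ACME problem types (RFC 8555, section 6.7) that point at the configured data,
# mirroring the changelog's "rejects a contact email or a domain name". Which
# types mod_md treats this way is not stated on the page; this set is an assumption.
CONFIG_ERRORS = {
    "urn:ietf:params:acme:error:invalidContact",
    "urn:ietf:params:acme:error:rejectedIdentifier",
}


def base_delay(attempt: int, acme_error: Optional[str] = None) -> int:
    """Nominal delay in seconds before retry number `attempt` (1-based).

    Ordinary failures back off exponentially up to the daily cap. Failures that
    indicate a configuration problem go straight to the daily cap, because
    retrying a rejected contact address or domain name more often cannot help,
    while a daily retry still covers a transient fault on the CA side.
    """
    if attempt < 1:
        raise ValueError("attempt must be >= 1")
    if acme_error in CONFIG_ERRORS:
        return DAY
    return min(BASE_DELAY * 2 ** (attempt - 1), DAY)


def jittered_delay(nominal: int, rng: random.Random) -> float:
    """Apply a random +/-[0-50]% modification to a nominal delay.

    Several servers restarted at the same time of day then spread their
    retries out instead of hitting the CA in the same second.
    """
    return nominal * (1.0 + rng.uniform(-0.5, 0.5))


def within_jitter_band(delay: float, nominal: int) -> bool:
    """True if `delay` lies inside the +/-50% band around `nominal`."""
    return 0.5 * nominal <= delay <= 1.5 * nominal


def schedule(attempts: int, acme_error: Optional[str] = None, seed: int = 0) -> List[float]:
    """Jittered delays for the first `attempts` retries (seeded, so reproducible)."""
    rng = random.Random(seed)
    return [jittered_delay(base_delay(i, acme_error), rng) for i in range(1, attempts + 1)]


if __name__ == "__main__":
    # Ordinary failure: grows 60s, 120s, ... until it is pinned at one day.
    print([round(d) for d in schedule(12)])
    # Rejected domain name: every retry is already a daily one.
    print([round(d) for d in schedule(3, "urn:ietf:params:acme:error:rejectedIdentifier")])
```

The seed parameter exists only to make a schedule reproducible for inspection; a real scheduler would use the default, OS-seeded generator so that two hosts with identical configuration do not derive identical jitter.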
==== apache2-manual ====
Version update (2.4.46 -> 2.4.48)
- version update to 2.4.48
Changes with Apache 2.4.48
*) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt out of the
fallback to mod_proxy_http for WebSocket upgrade and tunneling.
[Yann Ylavic]
*) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
BZ 65294. [Yann Ylavic]
*) core: Fix a regression that stripped the ETag header from 304 responses.
PR 61820. [Ruediger Pluem, Roy T. Fielding]
*) core: Adding SSL-related inquiry functions to the server API.
These functions are always available, even when no module providing
SSL is loaded. They provide their own "shadowing" implementation for
the optional functions of similar name that mod_ssl and impersonators
of mod_ssl provide.
This enables loading of several SSL-providing modules when all but
one of them registers itself into the new hooks. Two old-style SSL
modules will not work, as they replace the others' optional functions
with their own.
Modules using the old-style optional functions will continue to work
as core supplies its own versions of those.
The following has been added so far:
- ap_ssl_conn_is_ssl() to query if a connection is using SSL.
- ap_ssl_var_lookup() to query SSL-related variables for a
server/connection/request.
- Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
providing SSL can install their own value-supplying functions.
- ap_ssl_add_cert_files() to enable other modules like mod_md to provide
certificates and keys for an SSL module like mod_ssl.
- ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
provide a fallback certificate in case no 'proper' certificate is
available for an SSL module like mod_ssl.
- ap_ssl_answer_challenge() to enable other modules like mod_md to
provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
for the ACME protocol for an SSL module like mod_ssl. The function
and its hook provide PEM encoded data instead of file names.
- Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
'ssl_answer_challenge' where modules like mod_md can provide providers
to the above mentioned functions.
- These functions reside in the new 'http_ssl.h' header file.
[Stefan Eissing]
*) core/mod_ssl/mod_md: adding OCSP response provisioning as a core feature. This
allows modules to access and provide OCSP response data without being tied
to each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independent of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The areas of change:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate, for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certificates or none.
[Stefan Eissing]
*) mod_md: v2.4.0 with improvements and bugfixes
- MDPrivateKeys allows the specification of several types. Besides "RSA" plus
optional key lengths, elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With `MDPrivateKeys secp384r1 rsa2048` you get one ECDSA and one RSA
certificate, and all modern clients will use the shorter ECDSA, while older
clients will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
`MDomain *.host.net` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt, which disabled that version more than a year ago for
new accounts.
- Andreas Ulm (https://github.com/root360-AndreasUlm) implemented the
`renewing` call to `MDMessageCmd` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233.
- New event `challenge-setup:<type>:<domain>`, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in an MDomain.
- The max delay for retries has been raised to daily (this is, like all
retries, jittered somewhat to avoid repeats at a fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and unsupervised
certificate renewal is the goal. Refs #222.
- Test case and workaround for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Let's Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. It was confusing to users that
new certificates were deemed not usable before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exceed CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent, which apparently LE accepted,
but others reject.
[Stefan Eissing, @tlhackque, Andreas Ulm]
Changes with Apache 2.4.47
*) mod_dav_fs: Improve logging output when failing to open files for
writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
*) mod_http2: Fixed a race condition that could lead to streams being
aborted (RST to the client), although a response had been produced.
[Stefan Eissing]
*) mod_lua: Add support for Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem]
*) MPM event/worker: Fix possible crash in child process on early signal
delivery. PR 64533. [Ruediger Pluem]
*) mod_http2: sync with github standalone version 1.15.17
- Log requests and send the configured error response in case of early detected
errors like too many or too long headers. [Ruediger Pluem]
- new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
The default is on, which is the behaviour of older mod-h2 versions. When off, all
bytes are made available immediately to the main connection for sending them
out to the client. This fixes interop issues with certain flavours of gRPC, see
also https://github.com/icing/mod_h2/issues/207.
[Stefan Eissing]
*) mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159.
[Jonas Müntener, Christophe Jaillet]
*) "[mod_dav_fs etag handling] should really honor the FileETag setting".
- It now does.
- Add "Digest" to FileETag directive, allowing a strong ETag to be
generated using a file digest.
- Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
ETag generation.
- Add concept of "binary notes" to request_rec, allowing packed bit flags
to be added to a request.
- First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
the ETag to a strong ETag to comply with RFC requirements, such as those
mandated by various WebDAV extensions.
[Graham Leggett]
*) mod_proxy_http: Fix a possible crash when the origin connection gets
interrupted before completion. PR 64234.
[Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
*) mod_ssl: Do not keep connections to OCSP responders alive when doing
OCSP requests. PR 64135. [Ruediger Pluem]
*) mod_ssl: Improve the coalescing filter to buffer into larger TLS
records, and avoid revealing the HTTP header size via TLS record
boundaries (for common response generators).
[Joe Orton, Ruediger Pluem]
*) mod_proxy_hcheck: Don't pile up health checks if the previous one did
not finish before hcinterval. PR 63010. [Yann Ylavic]
*) mod_session: Improve session parsing. [Yann Ylavic]
*) mod_authnz_ldap: Prevent authentications with empty passwords for the
initial bind from failing with status 500. [Ruediger Pluem]
*) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
the format can't match anyway. [Yann Ylavic]
*) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
Transfer-Encoding from the client, spooling the request body when needed
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
*) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
proxy_util. [Yann Ylavic]
*) mod_proxy: Improve tunneling loop to support half-closed connections and
pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
*) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
and switched protocol forwarding. [Yann Ylavic]
*) mod_proxy_wstunnel: Leave Upgrade request handling to mod_proxy_http,
allowing for (non-)Upgrade negotiation with the origin server.
[Yann Ylavic]
*) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
codes. PR 63628. [Martin Drößler <mail martindroessler.de>]
*) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
directives. [Yann Ylavic]
*) core: Ensure that aborted connections are logged as such. PR 62823.
[Arnaud Grandville]
*) http: Allow unknown response status lines returned in the form of
"HTTP/x.x xxx Status xxx". [Yann Ylavic]
*) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
leading to Request Timeout (408). PR 63855. [Yann Ylavic]
*) core: Remove headers on 304 Not Modified as specified by RFC 7234, as
opposed to passing an explicit subset of headers. PR 61820.
[Giovanni Bechis]
*) mpm_event: Don't reset connections after lingering close, restoring the
pre-2.4.28 behaviour. [Yann Ylavic]
*) mpm_event: Kill connections in keepalive state only when there are no more
workers available, not when the maximum number of connections is reached,
restoring the pre-2.4.30 behaviour. [Yann Ylavic]
*) mod_unique_id: Use base64url encoding for the UNIQUE_ID variable,
avoiding the use of '@'. PR 57044.
[Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
*) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
SameSite attribute. [Eric Covener]
*) mod_proxy: Add proxy check_trans hook. This allows proxy
modules to decline request handling at an early stage.
*) mod_proxy_wstunnel: Decline requests without an Upgrade
header so ws/wss can be enabled overlapping with later
http/https.
*) mod_http2: Log requests and send the configured error response in case of
early detected errors like too many or too long headers.
[Ruediger Pluem, Stefan Eissing]
*) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
as proposed by . [Stefan Eissing]
*) mod_ssl: Fix request body buffering with PHA in TLSv1.3. [Joe Orton]
*) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
value. PR 64598. [Ruediger Pluem]
*) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
substitution, such that they apply to the backend connection. Note that
connection reuse is disabled by default to avoid compatibility issues.
[Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
- modified sources
% apache2.keyring
- deleted patches
- apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
- lua54.patch (upstreamed)
==== apache2-prefork ====
Version update (2.4.46 -> 2.4.48)
- version update to 2.4.48
Changes with Apache 2.4.48
* ) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
fallback to mod_proxy_http for WebSocket upgrade and tunneling.
[Yann Ylavic]
* ) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
BZ 65294. [Yann Ylavic]
* ) core: Fix a regression that stripped the ETag header from 304 responses.
PR 61820 [Ruediger Pluem, Roy T. Fielding]
* ) core: Adding SSL related inquiry functions to the server API.
These function are always available, even when no module providing
SSL is loaded. They provide their own "shadowing" implementation for
the optional functions of similar name that mod_ssl and impersonators
of mod_ssl provide.
This enables loading of several SSL providing modules when all but
one of them registers itself into the new hooks. Two old-style SSL
modules will not work, as they replace the others optional functions
with their own.
Modules using the old-style optional functions will continue to work
as core supplies its own versions of those.
The following has been added so far:
- ap_ssl_conn_is_ssl() to query if a connection is using SSL.
- ap_ssl_var_lookup() to query SSL related variables for a
server/connection/request.
- Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
providing SSL can install their own value supplying functions.
- ap_ssl_add_cert_files() to enable other modules like mod_md to provide
certificate and keys for an SSL module like mod_ssl.
- ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
provide a fallback certificate in case no 'proper' certificate is
available for an SSL module like mod_ssl.
- ap_ssl_answer_challenge() to enable other modules like mod_md to
provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
for the ACME protocol for an SSL module like mod_ssl. The function
and its hook provide PEM encoded data instead of file names.
- Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
'ssl_answer_challenge' where modules like mod_md can provide providers
to the above mentioned functions.
- These functions reside in the new 'http_ssl.h' header file.
[Stefan Eissing]
* ) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This
allows modules to access and provide OCSP response data without being tied
of each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independant of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The area of changes:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certificates or none.
[Stefan Eissing]
* ) mod_md: v2.4.0 with improvements and bugfixes
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus
optional key lengths elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
certificate; modern clients will use the shorter ECDSA certificate, while older
clients will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
```MDomain *.host.net``` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt which has disabled that version more than a year ago for
new accounts.
- Andreas Ulm (https://github.com/root360-AndreasUlm) implemented the
```renewing``` call to ```MDMessageCmd``` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233.
- New event ```challenge-setup:<type>:<domain>```, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in a MDomain.
- The max delay for retries has been raised to daily (this is like all
retries jittered somewhat to avoid repeats at fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and un-supervised
certificate renewal is the goal. Refs #222.
- Test case and work around for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Let's Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. This was confusing to users, as
new certificates were deemed not usable before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exceed CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent - which apparently LE accepted,
but others reject.
[Stefan Eissing, @tlhackque, Andreas Ulm]
Changes with Apache 2.4.47
* ) mod_dav_fs: Improve logging output when failing to open files for
writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
* ) mod_http2: Fixed a race condition that could lead to streams being
aborted (RST to the client), although a response had been produced.
[Stefan Eissing]
* ) mod_lua: Add support to Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem]
* ) MPM event/worker: Fix possible crash in child process on early signal
delivery. PR 64533. [Ruediger Pluem]
* ) mod_http2: sync with github standalone version 1.15.17
- Log requests and send the configured error response in case of early detected
errors like too many or too long headers. [Ruediger Pluem]
- new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
The default is on, which is the behaviour of older mod-h2 versions. When off, all
bytes are made available immediately to the main connection for sending them
out to the client. This fixes interop issues with certain flavours of gRPC, see
also https://github.com/icing/mod_h2/issues/207.
[Stefan Eissing]
* ) mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159
[Jonas Müntener , Christophe Jaillet]
* ) "[mod_dav_fs etag handling] should really honor the FileETag setting".
- It now does.
- Add "Digest" to FileETag directive, allowing a strong ETag to be
generated using a file digest.
- Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
ETag generation.
- Add concept of "binary notes" to request_rec, allowing packed bit flags
to be added to a request.
- First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
the ETag to a strong ETag to comply with RFC requirements, such as those
mandated by various WebDAV extensions.
[Graham Leggett]
* ) mod_proxy_http: Fix a possible crash when the origin connection gets
interrupted before completion. PR 64234.
[Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
* ) mod_ssl: Do not keep connections to OCSP responders alive when doing
OCSP requests. PR 64135. [Ruediger Pluem]
* ) mod_ssl: Improve the coalescing filter to buffer into larger TLS
records, and avoid revealing the HTTP header size via TLS record
boundaries (for common response generators).
[Joe Orton, Ruediger Pluem]
* ) mod_proxy_hcheck: Don't pile up health checks if the previous one did
not finish before hcinterval. PR 63010. [Yann Ylavic]
* ) mod_session: Improve session parsing. [Yann Ylavic]
* ) mod_authnz_ldap: Prevent authentications with empty passwords for the
initial bind from failing with status 500. [Ruediger Pluem]
* ) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
the format can't match anyway. [Yann Ylavic]
* ) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
Transfer-Encoding from the client, spooling the request body when needed
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
* ) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
proxy_util. [Yann Ylavic]
* ) mod_proxy: Improve tunneling loop to support half closed connections and
pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
* ) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
and switched protocol forwarding. [Yann Ylavic]
* ) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
allowing for (non-)Upgrade negotiation with the origin server.
[Yann Ylavic]
* ) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
codes. PR 63628. [Martin Drößler <mail martindroessler.de>]
* ) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
directives. [Yann Ylavic]
* ) core: Ensure that aborted connections are logged as such. PR 62823
[Arnaud Grandville]
* ) http: Allow unknown response status lines returned in the form of
"HTTP/x.x xxx Status xxx". [Yann Ylavic]
* ) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
leading to Request Timeout (408). PR 63855. [Yann Ylavic]
* ) core: Remove headers on 304 Not Modified as specified by RFC7234, as
opposed to passing an explicit subset of headers. PR 61820.
[Giovanni Bechis]
* ) mpm_event: Don't reset connections after lingering close, restoring prior
to 2.4.28 behaviour. [Yann Ylavic]
* ) mpm_event: Kill connections in keepalive state only when there are no more
workers available, not when the maximum number of connections is reached,
restoring prior to 2.4.30 behaviour. [Yann Ylavic]
* ) mod_unique_id: Use base64url encoding for UNIQUE_ID variable,
avoiding the use of '@'. PR 57044.
[Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
* ) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
SameSite attribute. [Eric Covener]
* ) mod_proxy: Add proxy check_trans hook. This allows proxy
modules to decline request handling at early stage.
* ) mod_proxy_wstunnel: Decline requests without an Upgrade
header so ws/wss can be enabled overlapping with later
http/https.
* ) mod_http2: Log requests and send the configured error response in case of
early detected errors like too many or too long headers.
[Ruediger Pluem, Stefan Eissing]
* ) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
as proposed by . [Stefan Eissing]
* ) mod_ssl: Fix request body buffering with PHA in TLSv1.3. [Joe Orton]
* ) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
value. PR 64598 [Ruediger Pluem]
* ) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
substitution, such that they apply to the backend connection. Note that
connection reuse is disabled by default to avoid compatibility issues.
[Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
- modified sources
% apache2.keyring
- deleted patches
- apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
- lua54.patch (upstreamed)
==== apache2-utils ====
Version update (2.4.46 -> 2.4.48)
- version update to 2.4.48
Changes with Apache 2.4.48
* ) mod_proxy_wstunnel: Add ProxyWebsocketFallbackToProxyHttp to opt-out the
fallback to mod_proxy_http for WebSocket upgrade and tunneling.
[Yann Ylavic]
* ) mod_proxy: Fix flushing of THRESHOLD_MIN_WRITE data while tunneling.
BZ 65294. [Yann Ylavic]
* ) core: Fix a regression that stripped the ETag header from 304 responses.
PR 61820 [Ruediger Pluem, Roy T. Fielding]
* ) core: Adding SSL related inquiry functions to the server API.
These functions are always available, even when no module providing
SSL is loaded. They provide their own "shadowing" implementation for
the optional functions of similar name that mod_ssl and impersonators
of mod_ssl provide.
This enables loading of several SSL providing modules when all but
one of them registers itself into the new hooks. Two old-style SSL
modules will not work, as they replace the other's optional functions
with their own.
Modules using the old-style optional functions will continue to work
as core supplies its own versions of those.
The following has been added so far:
- ap_ssl_conn_is_ssl() to query if a connection is using SSL.
- ap_ssl_var_lookup() to query SSL related variables for a
server/connection/request.
- Hooks for 'ssl_conn_is_ssl' and 'ssl_var_lookup' where modules
providing SSL can install their own value supplying functions.
- ap_ssl_add_cert_files() to enable other modules like mod_md to provide
certificate and keys for an SSL module like mod_ssl.
- ap_ssl_add_fallback_cert_files() to enable other modules like mod_md to
provide a fallback certificate in case no 'proper' certificate is
available for an SSL module like mod_ssl.
- ap_ssl_answer_challenge() to enable other modules like mod_md to
provide a certificate as used in the RFC 8555 'tls-alpn-01' challenge
for the ACME protocol for an SSL module like mod_ssl. The function
and its hook provide PEM encoded data instead of file names.
- Hooks for 'ssl_add_cert_files', 'ssl_add_fallback_cert_files' and
'ssl_answer_challenge' where modules like mod_md can provide providers
to the above mentioned functions.
- These functions reside in the new 'http_ssl.h' header file.
[Stefan Eissing]
* ) core/mod_ssl/mod_md: adding OCSP response provisioning as core feature. This
allows modules to access and provide OCSP response data without being tied
to each other. The data is exchanged in standard, portable formats (PEM encoded
certificates and DER encoded responses), so that the actual SSL/crypto
implementations used by the modules are independent of each other.
Registration and retrieval happen in the context of a server (server_rec)
which modules may use to decide if they are configured for this or not.
The area of changes:
1. core: defines 2 functions in include/http_ssl.h, so that modules may
register a certificate, together with its issuer certificate for OCSP
response provisioning and ask for current response data (DER bytes) later.
Also, 2 hooks are defined that allow modules to implement this OCSP
provisioning.
2. mod_ssl uses the new functions, in addition to what it did already, to
register its certificates this way. If no one is interested in providing
OCSP, it falls back to its own (if configured) stapling implementation.
3. mod_md registers itself at the core hooks for OCSP provisioning. Depending
on configuration, it will accept registrations of its own certificates only,
all certificates or none.
[Stefan Eissing]
* ) mod_md: v2.4.0 with improvements and bugfixes
- MDPrivateKeys allows the specification of several types. Beside "RSA" plus
optional key lengths elliptic curves can be configured. This means you can
have multiple certificates for a Managed Domain with different key types.
With ```MDPrivateKeys secp384r1 rsa2048``` you get one ECDSA and one RSA
certificate; modern clients will use the shorter ECDSA certificate, while older
clients will get the RSA certificate.
Many thanks to @tlhackque who pushed and helped on this.
- Support added for MDomains consisting of a wildcard. Configuring
```MDomain *.host.net``` will match all virtual hosts matching that pattern
and obtain one certificate for it (assuming you have 'dns-01' challenge
support configured). Addresses #239.
- Removed support for ACMEv1 servers. The only known installation used to
be Let's Encrypt which has disabled that version more than a year ago for
new accounts.
- Andreas Ulm (https://github.com/root360-AndreasUlm) implemented the
```renewing``` call to ```MDMessageCmd``` that can deny a certificate
renewal attempt. This is useful in clustered installations, as
discussed in #233.
- New event ```challenge-setup:<type>:<domain>```, triggered when the
challenge data for a domain has been created. This is invoked before the
ACME server is told to check for it. The type is one of the ACME challenge
types. This is invoked for every DNS name in a MDomain.
- The max delay for retries has been raised to daily (this is like all
retries jittered somewhat to avoid repeats at fixed time of day).
- Certain error codes reported by the ACME server that indicate a problem
with the configured data now immediately switch to daily retries. For
example: if the ACME server rejects a contact email or a domain name,
frequent retries will most likely not solve the problem. But daily retries
still make sense as there might be an error at the server and un-supervised
certificate renewal is the goal. Refs #222.
- Test case and work around for domain names > 64 octets. Fixes #227.
When the first DNS name of an MD is longer than 63 octets, the certificate
request will not contain a CN field, but leave it up to the CA to choose one.
Currently, Let's Encrypt looks for a shorter name in the SAN list given and
fails the request if none is found. But it is really up to the CA (and what
browsers/libs accept here) and may change over the years. That is why
the decision is best made at the CA.
- Retry delays now have a random +/-[0-50]% modification applied to let
retries from several servers spread out more, should they have been
restarted at the same time of day.
- Fixed several places where the 'badNonce' return code from an ACME server
was not handled correctly. The test server 'pebble' simulates this behaviour
by default and helps nicely in verifying this behaviour. Thanks, pebble!
- Set the default `MDActivationDelay` to 0. This was confusing to users, as
new certificates were deemed not usable before a day of delay. When clocks are
correct, using a new certificate right away should not pose a problem.
- When handling ACME authorization resources, the module no longer requires
the server to return a "Location" header, as was necessary in ACMEv1.
Fixes #216.
- Fixed a theoretical uninitialized read when testing for JSON error responses
from the ACME CA. Reported at https://bz.apache.org/bugzilla/show_bug.cgi?id=64297.
- ACME problem reports from CAs that include parameters in the Content-Type
header are handled correctly. (Previously, the problem text would not be
reported and retries could exceed CA limits.)
- Account Update transactions to V2 CAs now use the correct POST-AS-GET method.
Previously, an empty JSON object was sent - which apparently LE accepted,
but others reject.
[Stefan Eissing, @tlhackque, Andreas Ulm]
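The mod_md 2.4.0 entry above (listed under both apache2 and apache2-utils) names several directives without showing how they fit together. The following httpd configuration is an added illustration, not text from the changelog or from the mod_md project; it assumes mod_md, mod_ssl and mod_watchdog are loaded, and the two helper scripts it names (a dns-01 hook and a renewal gate) are hypothetical paths you would supply yourself.

```apache
# Added example configuration (not from the changelog or the mod_md project).
# Assumes: LoadModule md_module, ssl_module and watchdog_module are present.

MDCertificateAgreement accepted
# Per managed domain, request one ECDSA (P-384) and one RSA-2048 certificate.
# Clients that support ECDSA negotiate the shorter one; older clients get RSA.
MDPrivateKeys secp384r1 rsa2048
# Use a freshly obtained certificate immediately (the new 2.4.0 default,
# stated here explicitly). Only safe when the server clock is correct.
MDActivationDelay 0

# A wildcard MDomain covers every matching virtual host with a single
# certificate. Wildcards are only issued via the dns-01 challenge, so a
# DNS update hook is required. Path is hypothetical.
MDChallengeDns01 /usr/local/sbin/md-dns01.sh
MDomain *.host.example

# Renewal gate for clustered setups: the command is invoked with the event
# name ("renewing") and the domain; a non-zero exit status is assumed here
# to deny that renewal attempt, as the entry describes. Path is hypothetical.
MDMessageCmd /usr/local/sbin/md-renew-gate.sh

<VirtualHost *:443>
    ServerName www.host.example
    ServerAdmin admin@host.example
    SSLEngine on
    # No SSLCertificateFile: mod_md hands the certificates and keys to
    # mod_ssl through the new ap_ssl_add_cert_files() hook.
</VirtualHost>

<VirtualHost *:443>
    ServerName api.host.example
    ServerAdmin admin@host.example
    SSLEngine on
</VirtualHost>
```

In a cluster, only one node should perform the ACME exchange for a given domain; the `renewing` hook is where the other nodes decline so the issued certificate can be distributed rather than requested several times against the CA's rate limits.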
Changes with Apache 2.4.47
* ) mod_dav_fs: Improve logging output when failing to open files for
writing. PR 64413. [Bingyu Shen <ahshenbingyu gmail.com>]
* ) mod_http2: Fixed a race condition that could lead to streams being
aborted (RST to the client), although a response had been produced.
[Stefan Eissing]
* ) mod_lua: Add support to Lua 5.4 [Joe Orton, Giovanni Bechis, Ruediger Pluem]
* ) MPM event/worker: Fix possible crash in child process on early signal
delivery. PR 64533. [Ruediger Pluem]
* ) mod_http2: sync with github standalone version 1.15.17
- Log requests and send the configured error response in case of early detected
errors like too many or too long headers. [Ruediger Pluem]
- new option 'H2OutputBuffering on/off' which controls the buffering of stream output.
The default is on, which is the behaviour of older mod-h2 versions. When off, all
bytes are made available immediately to the main connection for sending them
out to the client. This fixes interop issues with certain flavours of gRPC, see
also https://github.com/icing/mod_h2/issues/207.
[Stefan Eissing]
* ) mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159
[Jonas Müntener , Christophe Jaillet]
* ) "[mod_dav_fs etag handling] should really honor the FileETag setting".
- It now does.
- Add "Digest" to FileETag directive, allowing a strong ETag to be
generated using a file digest.
- Add ap_make_etag_ex() and ap_set_etag_fd() to allow full control over
ETag generation.
- Add concept of "binary notes" to request_rec, allowing packed bit flags
to be added to a request.
- First binary note - AP_REQUEST_STRONG_ETAG - allows modules to force
the ETag to a strong ETag to comply with RFC requirements, such as those
mandated by various WebDAV extensions.
[Graham Leggett]
* ) mod_proxy_http: Fix a possible crash when the origin connection gets
interrupted before completion. PR 64234.
[Barnim Dzwillo <dzwillo strato.de>, Ruediger Pluem]
* ) mod_ssl: Do not keep connections to OCSP responders alive when doing
OCSP requests. PR 64135. [Ruediger Pluem]
* ) mod_ssl: Improve the coalescing filter to buffer into larger TLS
records, and avoid revealing the HTTP header size via TLS record
boundaries (for common response generators).
[Joe Orton, Ruediger Pluem]
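The mod_ssl coalescing entry above (present in both the apache2 and apache2-utils changelogs) describes a length side channel: TLS record headers carry the ciphertext length in the clear, so a server that flushes the HTTP header into its own record tells a passive observer exactly how long that header was. The following Python is an added example, not httpd code, that simulates the two record layouts and what an on-path observer can infer from them; the AEAD tag size, the sample response and the record cut-off are assumptions for the illustration, and no real encryption is performed.

```python
import struct

APPLICATION_DATA = 23          # TLS ContentType application_data
TLS12 = 0x0303
MAX_CIPHERTEXT = 2**14 + 2048  # TLSCiphertext.length upper bound (RFC 5246 6.2.3)
TAG_LEN = 16                   # assumed AEAD tag size for the simulated ciphertext


def tls_record_lengths(stream: bytes):
    """Walk the TLS record layer (5-byte header: type, version, length) and
    return [(content_type, ciphertext_length), ...]. The lengths are cleartext
    even in TLS 1.3, which is what makes the side channel possible."""
    records, off = [], 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError(f"truncated record header at offset {off}")
        ctype, _ver, length = struct.unpack("!BHH", stream[off:off + 5])
        if length > MAX_CIPHERTEXT:
            raise ValueError(f"record length {length} exceeds TLS maximum at offset {off}")
        if off + 5 + length > len(stream):
            raise ValueError(f"truncated record body at offset {off}")
        records.append((ctype, length))
        off += 5 + length
    return records


def _record(plaintext: bytes) -> bytes:
    # Simulated ciphertext: same length as the plaintext plus the AEAD tag.
    # Only the observable lengths matter here, so nothing is actually encrypted.
    body = plaintext + b"\x00" * TAG_LEN
    return struct.pack("!BHH", APPLICATION_DATA, TLS12, len(body)) + body


def unbuffered_stream(header: bytes, body: bytes) -> bytes:
    """Server flushes the HTTP header in its own record, then the body."""
    return _record(header) + _record(body)


def coalesced_stream(header: bytes, body: bytes, max_plain: int = 2**14) -> bytes:
    """Server buffers header+body and cuts records at the plaintext maximum,
    which is what the improved coalescing filter aims for."""
    data = header + body
    return b"".join(_record(data[i:i + max_plain]) for i in range(0, len(data), max_plain))


def guess_header_size(stream: bytes) -> int:
    """Passive observer's guess: first application_data record minus the tag."""
    first = next(n for t, n in tls_record_lengths(stream) if t == APPLICATION_DATA)
    return first - TAG_LEN


# Constructed sample response (not captured traffic).
SAMPLE_HEADER = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n"
                 b"Content-Length: 3000\r\n\r\n")
SAMPLE_BODY = b"x" * 3000


def demo() -> dict:
    return {
        "true_header_size": len(SAMPLE_HEADER),
        "guess_unbuffered": guess_header_size(unbuffered_stream(SAMPLE_HEADER, SAMPLE_BODY)),
        "guess_coalesced": guess_header_size(coalesced_stream(SAMPLE_HEADER, SAMPLE_BODY)),
    }


if __name__ == "__main__":
    print(demo())
```

With the unbuffered layout the observer's guess equals the true header length; with the coalesced layout the first record also carries body bytes, so the guess is off by the amount of body that fit. The record-length bound check in `tls_record_lengths` is the same sanity check any record-layer parser needs before trusting a length field from the wire.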
* ) mod_proxy_hcheck: Don't pile up health checks if the previous one did
not finish before hcinterval. PR 63010. [Yann Ylavic]
* ) mod_session: Improve session parsing. [Yann Ylavic]
* ) mod_authnz_ldap: Prevent authentications with empty passwords for the
initial bind from failing with status 500. [Ruediger Pluem]
* ) mod_auth_digest: Fast validation of the nonce's base64 to fail early if
the format can't match anyway. [Yann Ylavic]
* ) mod_proxy_fcgi: Honor "SetEnv proxy-sendcl" to forward a chunked
Transfer-Encoding from the client, spooling the request body when needed
to provide a Content-Length to the backend. PR 57087. [Yann Ylavic]
* ) mod_proxy: Put mod_proxy_{connect,wstunnel} tunneling code in common in
proxy_util. [Yann Ylavic]
* ) mod_proxy: Improve tunneling loop to support half closed connections and
pending data draining (for protocols like rsync). PR 61616. [Yann Ylavic]
* ) mod_proxy_http: handle Upgrade request, 101 (Switching Protocol) response
and switched protocol forwarding. [Yann Ylavic]
* ) mod_proxy_wstunnel: Leave Upgrade requests handling to mod_proxy_http,
allowing for (non-)Upgrade negotiation with the origin server.
[Yann Ylavic]
* ) mod_proxy: Allow ProxyErrorOverride to be restricted to specific status
codes. PR 63628. [Martin Drößler <mail martindroessler.de>]
* ) core: Add ReadBufferSize, FlushMaxThreshold and FlushMaxPipelined
directives. [Yann Ylavic]
* ) core: Ensure that aborted connections are logged as such. PR 62823
[Arnaud Grandville]
* ) http: Allow unknown response status lines returned in the form of
"HTTP/x.x xxx Status xxx". [Yann Ylavic]
* ) mod_proxy_http: Fix 100-continue deadlock for spooled request bodies,
leading to Request Timeout (408). PR 63855. [Yann Ylavic]
* ) core: Remove headers on 304 Not Modified as specified by RFC7234, as
opposed to passing an explicit subset of headers. PR 61820.
[Giovanni Bechis]
* ) mpm_event: Don't reset connections after lingering close, restoring prior
to 2.4.28 behaviour. [Yann Ylavic]
* ) mpm_event: Kill connections in keepalive state only when there are no more
workers available, not when the maximum number of connections is reached,
restoring prior to 2.4.30 behaviour. [Yann Ylavic]
* ) mod_unique_id: Use base64url encoding for UNIQUE_ID variable,
avoiding the use of '@'. PR 57044.
[Michael Kaufmann <apache-bugzilla michael-kaufmann.ch>]
* ) mod_rewrite: Extend the [CO] (cookie) flag of RewriteRule to accept a
SameSite attribute. [Eric Covener]
* ) mod_proxy: Add proxy check_trans hook. This allows proxy
modules to decline request handling at early stage.
* ) mod_proxy_wstunnel: Decline requests without an Upgrade
header so ws/wss can be enabled overlapping with later
http/https.
* ) mod_http2: Log requests and send the configured error response in case of
early detected errors like too many or too long headers.
[Ruediger Pluem, Stefan Eissing]
* ) mod_md: Lowered the required minimal libcurl version from 7.50 to 7.29
as proposed by . [Stefan Eissing]
* ) mod_ssl: Fix request body buffering with PHA in TLSv1.3. [Joe Orton]
* ) mod_proxy_uwsgi: Fix a crash when sending environment variables with no
value. PR 64598 [Ruediger Pluem]
* ) mod_proxy: Recognize parameters from ProxyPassMatch workers with dollar
substitution, such that they apply to the backend connection. Note that
connection reuse is disabled by default to avoid compatibility issues.
[Takashi Sato, Jan Kaluza, Eric Covener, Yann Ylavic, Jean-Frederic Clere]
- modified sources
% apache2.keyring
- deleted patches
- apache2-mod_proxy_uwsgi-fix-crash.patch (upstreamed)
- lua54.patch (upstreamed)
==== bolt ====
Version update (0.9 -> 0.9.1)
- Update to 0.9.1
* Support Ice Lake Thunderbolt 3 i/o subsystem
* Don't store domains where uuids change across reboots
* Fixes for the journal and the domain's acl-log
* Version the store and use that to clean up stale domains once
* Host identification for embedded thunderbolt controllers [!233]
* Various other small bug fixes and memory leak fixes.
==== fetchmail ====
Subpackages: fetchmailconf
- Backported support for OAUTH2 authentication from Fetchmail 7.0.
- add imap oauthbearer support
- support oauthbearer/xoauth2 with pop3
- add passwordfile and passwordfd options
- add contrib/fetchnmail-oauth2.py token acquisition utility
- FAQ: list gmail options including oauthbearer and app password
- give each ctl its own copy of password
- re-read passwordfile on every poll
- add query_to64_outsize() utility function
- Chase and integrate interface change.
- oauth2.c: calculate and pass in correct buffer size to to64frombits()
- Increase max password length to handle oauth tokens
- Bump max. passwordlen to 10000 bytes.
- Add README.OAUTH2
- Added patches:
* fetchmail-add-imap-oauthbearer-support.patch
* fetchmail-support-oauthbearer-xoauth2-with-pop3.patch
* fetchmail-add-passwordfile-and-passwordfd-options.patch
* fetchmail-add-contrib-fetchnmail-oauth2.py-token-acquisition-u.patch
* fetchmail-FAQ-list-gmail-options-including-oauthbearer-and-app.patch
* fetchmail-give-each-ctl-it-s-own-copy-of-password.patch
* fetchmail-re-read-passwordfile-on-every-poll.patch
* fetchmail-add-query_to64_outsize-utility-function.patch
* fetchmail-chase-and-integrate-interface-change.patch
* fetchmail-oauth2-c-calculate-and-pass-in-correct-buffer-size-to-to64frombits.patch
* fetchmail-increase-max-password-length-to-handle-oauth-tokens.patch
* fetchmail-bump-max-passwordlen-to-1bytes.patch
* fetchmail-add-readme-oauth2-issue-27.patch
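The fetchmail entry above adds OAUTHBEARER and XOAUTH2 and raises the password limit to hold bearer tokens, but does not show what actually goes over the wire. The following Python is an added example, not fetchmail code: it builds and validates the SASL initial client responses for both mechanisms as IMAP and POP3 servers expect them, and handles the failure exchange. The user, host and token values are constructed, and the 10000-byte token limit is taken from the entry above.

```python
import base64
import json

KVSEP = "\x01"            # RFC 7628 key/value separator (^A)
MAX_TOKEN_BYTES = 10000   # fetchmail's raised password/token limit, per the entry above


def _reject_control_chars(field: str, value: str) -> None:
    # Values are spliced verbatim into a ^A-delimited message; a control character
    # in a token from an untrusted helper could inject extra key/value pairs.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError(f"{field} contains control characters")


def _saslname(name: str) -> str:
    # RFC 5801 saslname escaping: '=' and ',' are reserved in the GS2 header.
    return name.replace("=", "=3D").replace(",", "=2C")


def _unsaslname(name: str) -> str:
    return name.replace("=2C", ",").replace("=3D", "=")


def oauthbearer_initial_response(user: str, host: str, port: int, token: str) -> str:
    """OAUTHBEARER initial client response (RFC 7628 section 3.1), base64 as sent
    with IMAP AUTHENTICATE (SASL-IR) or POP3 AUTH."""
    for field, value in (("user", user), ("host", host), ("token", token)):
        _reject_control_chars(field, value)
    if len(token.encode()) > MAX_TOKEN_BYTES:
        raise ValueError("token exceeds configured maximum")
    gs2_header = f"n,a={_saslname(user)},"       # no channel binding, authzid = user
    kv = f"host={host}{KVSEP}port={port}{KVSEP}auth=Bearer {token}{KVSEP}"
    return base64.b64encode((gs2_header + KVSEP + kv + KVSEP).encode()).decode("ascii")


def xoauth2_initial_response(user: str, token: str) -> str:
    """Pre-standard XOAUTH2 response used by Gmail and others."""
    _reject_control_chars("user", user)
    _reject_control_chars("token", token)
    raw = f"user={user}{KVSEP}auth=Bearer {token}{KVSEP}{KVSEP}"
    return base64.b64encode(raw.encode()).decode("ascii")


def parse_oauthbearer_initial_response(b64: str) -> dict:
    """Server-side view: decode and structurally validate the message above."""
    raw = base64.b64decode(b64).decode()
    header, rest = raw.split(KVSEP, 1)
    flag, authzid, _ = header.split(",", 2)
    if flag != "n" or not authzid.startswith("a="):
        raise ValueError("unexpected GS2 header")
    if not rest.endswith(KVSEP + KVSEP):
        raise ValueError("missing terminating kvsep")
    out = {"authzid": _unsaslname(authzid[2:])}
    for pair in rest[:-2].split(KVSEP):
        key, value = pair.split("=", 1)
        out[key] = value
    return out


def parse_xoauth2_initial_response(b64: str) -> dict:
    raw = base64.b64decode(b64).decode()
    if not raw.endswith(KVSEP + KVSEP):
        raise ValueError("missing terminating kvsep")
    return dict(pair.split("=", 1) for pair in raw[:-2].split(KVSEP))


def imap_authenticate_command(tag: str, mechanism: str, initial_response: str) -> str:
    """IMAP command line using the SASL-IR extension (RFC 4959)."""
    return f"{tag} AUTHENTICATE {mechanism} {initial_response}\r\n"


def parse_server_error(challenge_b64: str) -> dict:
    """On failure the server sends a continuation with a base64 JSON body (RFC 7628 3.2.2)."""
    return json.loads(base64.b64decode(challenge_b64))


def abort_reply() -> str:
    """The client answers a failure challenge with a lone ^A to complete the exchange."""
    return base64.b64encode(KVSEP.encode()).decode("ascii")


# Constructed failure challenge, as a server would send after a rejected token.
SAMPLE_FAILURE_CHALLENGE = base64.b64encode(
    b'{"status":"401","schemes":"bearer","scope":"https://mail.example.com/"}'
).decode("ascii")
```

Because the token is pasted into a delimiter-based message, the control-character check matters: a helper such as the shipped token-acquisition script returns the token as an opaque string, and anything it emits that contains `^A` or a newline must be rejected rather than forwarded. Re-reading the password file on every poll, as the entry adds, is what lets a short-lived access token be rotated without restarting fetchmail.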
==== grub2 ====
Subpackages: grub2-i386-pc grub2-snapper-plugin grub2-systemd-sleep-plugin grub2-x86_64-efi grub2-x86_64-xen
- Fix crash in launching gfxmenu without theme file (bsc#1186481)
* grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch
==== hwdata ====
Version update (0.347 -> 0.348)
- Update to version 0.348 (bsc#1186749):
+ Updated pci, usb and vendor ids.
==== libinput ====
Version update (1.17.3 -> 1.18.0)
Subpackages: libinput-udev libinput10
- Update to release 1.18
* Gestures' unaccelerated motion now matches the accelerated
motion (without accel, obviously).
* Better gesture detection should reduce the amount of pinch
gestures detected as two-finger scrolling.
* Pressing the wheel button down now suppresses accidental
scroll wheel events.
* Reworked clickpad detection means we should be more robust
for devices with broken firmware.
==== libxml2 ====
Version update (2.9.10 -> 2.9.12)
Subpackages: libxml2-2 libxml2-2-32bit libxml2-tools
- Fix python-lxml regression with libxml2 2.9.12:
* Work around lxml API abuse:
gitlab.gnome.org/GNOME/libxml2/issues/255
- Add upstream patches:
* libxml2-fix-lxml-corrupted-subtree-structures.patch
* libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch
- Update to version 2.9.12
* Fix CVE-2021-3541, CVE-2021-3537, CVE-2021-3518, CVE-2021-3517,
CVE-2021-3516, CVE-2020-7595, CVE-2019-20388, CVE-2020-24977,
and CVE-2019-19956
* Fix null deref in legacy SAX1 parser
* Fix handling of unexpected EOF in xmlParseContent
* Fix use-after-free
* Validate UTF8 in xmlEncodeEntities
* Fix memory leak in xmlParseElementMixedContentDecl
* Fix integer overflow in xmlSchemaGetParticleTotalRangeMin
* Fix SEGV in xmlSAXParseFileWithData
* Don't process siblings of root in xmlXIncludeProcess
* Full changes: http://xmlsoft.org/news.html
- Drop upstream fixed
* libxml2-CVE-2021-3541.patch
* libxml2-CVE-2021-3537.patch
* libxml2-CVE-2021-3518.patch
* libxml2-CVE-2021-3517.patch
* libxml2-CVE-2021-3516.patch
* libxml2-CVE-2020-7595.patch
* libxml2-CVE-2019-20388.patch
* libxml2-CVE-2020-24977.patch
* libxml2-CVE-2019-19956.patch
* libxml2-python39.patch
* libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
- Drop since 2.9.10 merged libxml2-xmlFreeNodeList-recursive.patch
- Drop since 2.8.0 merged fix-perl.diff
- Refresh libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch
- Security fix: [bsc#1186015, CVE-2021-3541]
* Exponential entity expansion attack bypasses all existing
protection mechanisms.
- Add libxml2-CVE-2021-3541.patch
==== libxslt ====
Subpackages: libxslt-tools libxslt1
- Fix build with libxml2 2.9.12 that removes maxParserDepth XPath limit
- Add upstream patches:
* libxslt-Stop-using-maxParserDepth-XPath-limit.patch
* libxslt-Do-not-set-maxDepth-in-XPath-contexts.patch
==== libyui ====
Version update (4.2.11 -> 4.2.13)
- Fixed build failure with latest GCC 11.1:
Added operator delete as counterpart to our custom operator new
in YWidget (bsc#1186741)
- 4.2.13
- Greatly improved visual appearance of tab widgets in the Qt UI
(bsc #1186705, GitHub issue #20)
- 4.2.12
==== libyui-ncurses ====
Version update (4.2.11 -> 4.2.13)
- Fixed build failure with latest GCC 11.1:
Added operator delete as counterpart to our custom operator new
in YWidget (bsc#1186741)
- 4.2.13
- Greatly improved visual appearance of tab widgets in the Qt UI
(bsc #1186705, GitHub issue #20)
- 4.2.12
==== libyui-ncurses-pkg ====
Version update (4.2.11 -> 4.2.13)
- Fixed build failure with latest GCC 11.1:
Added operator delete as counterpart to our custom operator new
in YWidget (bsc#1186741)
- 4.2.13
- Greatly improved visual appearance of tab widgets in the Qt UI
(bsc #1186705, GitHub issue #20)
- 4.2.12
==== libyui-qt ====
Version update (4.2.11 -> 4.2.13)
- Fixed build failure with latest GCC 11.1:
Added operator delete as counterpart to our custom operator new
in YWidget (bsc#1186741)
- 4.2.13
- Greatly improved visual appearance of tab widgets in the Qt UI
(bsc #1186705, GitHub issue #20)
- 4.2.12
==== libyui-qt-graph ====
Version update (4.2.11 -> 4.2.13)
- Fixed build failure with latest GCC 11.1:
Added operator delete as counterpart to our custom operator new
in YWidget (bsc#1186741)
- 4.2.13
- Greatly improved visual appearance of tab widgets in the Qt UI
(bsc #1186705, GitHub issue #20)
- 4.2.12
==== libyui-qt-pkg ====
Version update (4.2.11 -> 4.2.13)
- Fixed build failure with latest GCC 11.1:
Added operator delete as counterpart to our custom operator new
in YWidget (bsc#1186741)
- 4.2.13
- Greatly improved visual appearance of tab widgets in the Qt UI
(bsc #1186705, GitHub issue #20)
- 4.2.12
==== libzypp ====
Version update (17.25.10 -> 17.26.0)
- Work around download.o.o broken https redirects.
- Allow trusted repos to add additional signing keys (bsc#1184326)
Repositories signed with a trusted gpg key may import additional
package signing keys. This is needed if different keys were used
to sign the packages shipped by the repository.
- MediaCurl: Fix logging of redirects.
- Use 15.3 resolver problem and solution texts on all distros.
- $ZYPP_LOCK_TIMEOUT: Let negative values wait forever for the
zypp lock (bsc#1184399)
Helps boot time services like 'zypper purge-kernels' to wait for
the zypp lock until other services using zypper have completed.
- Fix purge-kernels is broken in Leap 15.3 (bsc#1185325)
Leap 15.3 introduces a new kernel package called
kernel-flavour-extra, which contains kmp's. Currently kmp's are
detected by name ".*-kmp(-.*)?" but this does not work with
those new packages. This patch fixes the problem by checking
packages for kmod(*) and ksym(*) provides and only falls back to
name checking if the package in question does not provide one of
those.
- Introduce zypp-runpurge, a tool to run purge-kernels on
testcases.
- version 17.26.0 (22)
==== patterns-base ====
Subpackages: patterns-base-apparmor patterns-base-base patterns-base-basesystem patterns-base-basic_desktop patterns-base-console patterns-base-documentation patterns-base-enhanced_base patterns-base-minimal_base patterns-base-selinux patterns-base-sw_management patterns-base-transactional_base patterns-base-x11 patterns-base-x11_enhanced
- Suggest kernel-default from patterns-base-base
==== python-libxml2 ====
Version update (2.9.10 -> 2.9.12)
- Fix python-lxml regression with libxml2 2.9.12:
* Work around lxml API abuse:
gitlab.gnome.org/GNOME/libxml2/issues/255
- Add upstream patches:
* libxml2-fix-lxml-corrupted-subtree-structures.patch
* libxml2-fix-regression-in-xmlNodeDumpOutputInternal.patch
- Update to version 2.9.12
* Fix CVE-2021-3541, CVE-2021-3537, CVE-2021-3518, CVE-2021-3517,
CVE-2021-3516, CVE-2020-7595, CVE-2019-20388, CVE-2020-24977,
and CVE-2019-19956
* Fix null deref in legacy SAX1 parser
* Fix handling of unexpected EOF in xmlParseContent
* Fix use-after-free
* Validate UTF8 in xmlEncodeEntities
* Fix memory leak in xmlParseElementMixedContentDecl
* Fix integer overflow in xmlSchemaGetParticleTotalRangeMin
* Fix SEGV in xmlSAXParseFileWithData
* Don't process siblings of root in xmlXIncludeProcess
* Full changes: http://xmlsoft.org/news.html
- Drop upstream fixed
* libxml2-CVE-2021-3541.patch
* libxml2-CVE-2021-3537.patch
* libxml2-CVE-2021-3518.patch
* libxml2-CVE-2021-3517.patch
* libxml2-CVE-2021-3516.patch
* libxml2-CVE-2020-7595.patch
* libxml2-CVE-2019-20388.patch
* libxml2-CVE-2020-24977.patch
* libxml2-CVE-2019-19956.patch
* libxml2-python39.patch
* libxml2-Avoid-quadratic-checking-of-identity-constraints.patch
- Drop since 2.9.10 merged libxml2-xmlFreeNodeList-recursive.patch
- Drop since 2.8.0 merged fix-perl.diff
- Refresh libxml2-make-XPATH_MAX_NODESET_LENGTH-configurable.patch
- Security fix: [bsc#1186015, CVE-2021-3541]
* Exponential entity expansion attack bypasses all existing
protection mechanisms.
- Add libxml2-CVE-2021-3541.patch
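The CVE-2021-3541 entry above concerns exponential entity expansion. As an added defensive example (not libxml2's or lxml's code), the following Python estimates how large the internal-DTD entity expansion of a document would become before any XML parser touches it, so oversized or recursive expansions can be rejected up front. The regular expressions only cover internal general entities with literal values; external and parameter entities are out of scope, and the thresholds and sample documents are constructed.

```python
"""Pre-parse estimator for internal-DTD entity expansion size.

Rejecting a document whose expanded size or amplification factor exceeds a
budget is a defence that does not depend on the parser's own limits."""
import re

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
ENTITY_DECL_RE = re.compile(r"<!ENTITY\s+(\w+)\s+(?:\"([^\"]*)\"|'([^']*)')\s*>")
ENTITY_REF_RE = re.compile(r"&(\w+);")


def split_document(doc: str) -> tuple[dict[str, str], str]:
    """Return (internal general entity declarations, body after the DOCTYPE)."""
    m = DOCTYPE_RE.search(doc)
    if m is None:
        return {}, doc
    entities = {}
    for name, dq, sq in ENTITY_DECL_RE.findall(m.group(1)):
        entities[name] = dq if dq else sq
    return entities, doc[m.end():]


def expanded_length(text: str, entities: dict, memo: dict, active: set) -> int:
    """Length of text after recursively expanding internal entity references.

    Sizes are memoised per entity, so the cost stays linear in the number of
    declarations even when the expansion itself would be exponential."""
    total, pos = 0, 0
    for ref in ENTITY_REF_RE.finditer(text):
        total += ref.start() - pos
        name = ref.group(1)
        if name not in entities:
            total += ref.end() - ref.start()  # predefined/unknown: count literally
        else:
            if name in active:
                raise ValueError(f"recursive entity reference: &{name};")
            if name not in memo:
                active.add(name)
                memo[name] = expanded_length(entities[name], entities, memo, active)
                active.discard(name)
            total += memo[name]
        pos = ref.end()
    return total + len(text) - pos


def entity_sizes(doc: str) -> dict[str, int]:
    """Expanded size of every internal entity declared in the document."""
    entities, _ = split_document(doc)
    memo: dict[str, int] = {}
    for name, value in entities.items():
        if name not in memo:
            memo[name] = expanded_length(value, entities, memo, {name})
    return memo


def body_expansion(doc: str) -> tuple[int, int]:
    """(literal body length, expanded body length) for the part after the DTD."""
    entities, body = split_document(doc)
    return len(body), expanded_length(body, entities, {}, set())


def is_expansion_bomb(doc: str, max_amplification: float = 10.0,
                      max_expanded_bytes: int = 10_000_000) -> bool:
    """True when the document should be refused before parsing (constructed budgets)."""
    try:
        literal, expanded = body_expansion(doc)
    except ValueError:        # recursive entities are invalid XML anyway: refuse
        return True
    if expanded > max_expanded_bytes:
        return True
    return literal > 0 and expanded / literal > max_amplification


# Constructed samples: a three-level 10x expansion, a benign entity, a recursive one.
BOMB = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE bomb [\n'
    '  <!ENTITY a "' + "a" * 10 + '">\n'
    '  <!ENTITY b "' + "&a;" * 10 + '">\n'
    '  <!ENTITY c "' + "&b;" * 10 + '">\n'
    ']>\n'
    '<bomb>&c;</bomb>'
)
BENIGN = '<!DOCTYPE r [<!ENTITY name "Tumbleweed">]><r>&name; &amp; co</r>'
RECURSIVE = '<!DOCTYPE r [<!ENTITY x "&x;">]><r>&x;</r>'

if __name__ == "__main__":
    for label, sample in (("bomb", BOMB), ("benign", BENIGN), ("recursive", RECURSIVE)):
        print(label, "refused" if is_expansion_bomb(sample) else "accepted")
```

The amplification ratio compares the expanded body against its literal length, so a document that legitimately uses a handful of short entities passes while a nested expansion is refused long before it reaches its full size; adjust the two budgets to the sizes the application actually needs to accept.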
==== python-lxml ====
- Adapt test_etree.py to a behavioural change in libxml2 2.9.11+
* Add python-lxml-test_etree.patch
==== redis ====
Version update (6.2.3 -> 6.2.4)
- redis 6.2.4:
* CVE-2021-32625: An integer overflow bug could be exploited by
using the STRALGO LCS command to cause remote code execution
(boo#1186722)
* Fix crash after a diskless replication fork child is terminated
* Fix redis-benchmark crash on unsupported configs
* Fix crash in UNLINK on a stream key with deleted consumer groups
* SINTERSTORE: Add missing keyspace del event when none of the
sources exist
* Sentinel: Fix CONFIG SET of empty string
sentinel-user/sentinel-pass configs
* Enforce client output buffer soft limit when no traffic
* Hide AUTH passwords in MIGRATE command from slowlog
==== remmina ====
Version update (1.4.16 -> 1.4.18)
Subpackages: remmina-lang remmina-plugin-rdp remmina-plugin-secret remmina-plugin-vnc remmina-plugin-xdmcp
- Update to 1.4.18
* Try more shells as launcher if default isn't found !2269
* Minor fixes for v1.4.17 !2270
* SSH session improvements !2271
* Fixes - Auto-start file created on tray icon disabled !2272
* RDP: Remove older usage of ClientHostname
* Fix libfreerdp version check
* Explicitly set user resolution to a multiple of 4
* Code refactoring - ASAN exceptions !2274
- Fixed remmina-plugin-nx dependencies
- Update to 1.4.17
* Fix build with musl libc
* Fix typos
* Improving CI cache
* Fix System Tray Icon Broken/Missing
* VNC quality now defaults to good
* Flatpak refactoring
* Adding Gateway websocket support
* Revert "Linking snap and flatpak to FreeRDP 2.3.1"
* Set FreeRDP config path to Remmina profiles path
- Fixed build-logic for NX, enable per default
- Enable kwallet and appindicator on non-SLE distributions
- Rename internal bcond from nx to remmina_nx
- Use cmake_build
- Use bcond for kwallet, which defaults to enabled
- Use bcond for appindicator, which defaults to disabled:
GtkStatusIcon works everywhere, while Appindicator works only in KDE
==== systemd-presets-common-SUSE ====
- When installing the systemd-presets-common-SUSE package for the
first time in a new system, it might happen that some services
are installed before systemd, so the %systemd_pre/post macros
would not work. This is handled by enabling all preset services
in this package's %posttrans section, but it was only enabling
system services, not user services. Now it also enables the
user services installed before this package, thus fixing
boo#1186561
==== xapps ====
Version update (2.0.7 -> 2.2.0)
Subpackages: libxapp1 typelib-1_0-XApp-1_0 xapps-common xapps-common-lang
- Update to version 2.2.0.
* xapp-preferences-window.c: Hide the sidebar switcher initially
to prevent it showing even with single-page views.
* all: Add debug topics.
* xapp-favorites.c: Free the favorite list when building a GtkMenu.
* Add a class to programmatically set styling on a particular
widget.
* util: add a utility function to convert from a pango font
string to css (#135)
==== xf86-video-nouveau ====
- no longer autoinstall the package depending on PCI ID; the
modesetting driver for X has been available for a long time now (boo#1186721)
==== zypper ====
Version update (1.14.44 -> 1.14.45)
Subpackages: zypper-log zypper-needs-restarting
- Add hints to 'trust GPG key' prompt.
- Add report when receiving new package signing keys from a
trusted repo (bsc#1184326)
- Added translation using Weblate (Kabyle)
- version 1.14.45