Hello community,
here is the log from the commit of package apache2 for openSUSE:Factory
checked in at Fri Mar 19 08:32:28 CET 2010.
--------
--- apache2/apache2.changes 2010-03-05 10:29:24.000000000 +0100
+++ /mounts/work_src_done/STABLE/apache2/apache2.changes 2010-03-08 13:50:16.000000000 +0100
@@ -1,0 +2,103 @@
+Mon Mar 8 12:34:18 UTC 2010 - poeml@cmdline.net
+
+- update to 2.2.15:
+ SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
+ attack when compiled against OpenSSL version 0.9.8m or later. Introduces
+ the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and
+ offer unsafe legacy renegotiation with clients which do not yet support
+ the new secure renegotiation protocol, RFC 5746.
+ SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
+ by rejecting any client-initiated renegotiations. Forcibly disable
+ keepalive for the connection if there is any buffered data readable. Any
+ configuration which requires renegotiation for per-directory/location
+ access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
+ SECURITY: CVE-2010-0408 (cve.mitre.org)
+ mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
+ when request headers indicate a request body is incoming; not a case of
+ HTTP_INTERNAL_SERVER_ERROR.
+ SECURITY: CVE-2010-0425 (cve.mitre.org)
+ mod_isapi: Do not unload an isapi .dll module until the request processing
+ is completed, avoiding orphaned callback pointers.
+ SECURITY: CVE-2010-0434 (cve.mitre.org)
+ Ensure each subrequest has a shallow copy of headers_in so that the parent
+ request headers are not corrupted. Elimiates a problematic optimization
+ in the case of no request body. PR 48359
+ mod_reqtimeout:
+ - New module to set timeouts and minimum data rates for receiving requests
+ from the client.
+ core:
+ - Fix potential memory leaks by making sure to not destroy bucket brigades
+ that have been created by earlier filters.
+ - Return APR_EOF if request body is shorter than the length announced by the
+ client. PR 33098
+ - Preserve Port information over internal redirects PR 35999
+ - Build: fix --with-module to work as documented PR 43881
+ worker:
+ - Don't report server has reached MaxClients until it has. Add message when
+ server gets within MinSpareThreads of MaxClients. PR 46996.
+ ab, mod_ssl:
+ - Restore compatibility with OpenSSL < 0.9.7g.
+ mod_authnz_ldap:
+ - Add AuthLDAPBindAuthoritative to allow Authentication to try other
+ providers in the case of an LDAP bind failure. PR 46608
+ - Failures to map a username to a DN, or to check a user password now result
+ in an informational level log entry instead of warning level.
+ mod_cache:
+ - Introduce the thundering herd lock, a mechanism to keep the flood of
+ requests at bay that strike a backend webserver as a cached entity goes
+ stale.
+ - correctly consider s-maxage in cacheability decisions.
+ mod_disk_cache, mod_mem_cache:
+ - don't cache incomplete responses, per RFC 2616, 13.8. PR15866.
+ mod_charset_lite:
+ - Honor 'CharsetOptions NoImplicitAdd'.
+ mod_filter:
+ - fix FilterProvider matching where "dispatch" string doesn't exist. PR 48054
+ mod_include:
+ - Allow fine control over the removal of Last-Modified and ETag headers
+ within the INCLUDES filter, making it possible to cache responses if
+ desired. Fix the default value of the SSIAccessEnable directive.
+ mod_ldap:
+ - If LDAPSharedCacheSize is too small, try harder to purge some cache
+ entries and log a warning. Also increase the default LDAPSharedCacheSize
+ to 500000. This is a more realistic size suitable for the default values
+ of 1024 for LdapCacheEntries/LdapOpCacheEntries. PR 46749.
+ mod_log_config:
+ - Add the R option to log the handler used within the request.
+ mod_mime:
+ - Make RemoveType override the info from TypesConfig. PR 38330.
+ - Detect invalid use of MultiviewsMatch inside Location and LocationMatch
+ sections. PR 47754.
+ mod_negotiation:
+ - Preserve query string over multiviews negotiation. This buglet was fixed
+ for type maps in 2.2.6, but the same issue affected multiviews and was
+ overlooked. PR 33112
+ mod_proxy:
+ - unable to connect to a backend is SERVICE_UNAVAILABLE, rather than
+ BAD_GATEWAY or (especially) NOT_FOUND. PR 46971
+ mod_proxy, mod_proxy_http:
+ - Support remote https proxies by using HTTP CONNECT. PR 19188.
+ mod_proxy_http:
+ - Make sure that when an ErrorDocument is served from a reverse proxied URL,
+ that the subrequest respects the status of the original request. This
+ brings the behaviour of proxy_handler in line with default_handler. PR
+ 47106.
+ mod_proxy_ajp:
+ - Really regard the operation a success, when the client aborted the
+ connection. In addition adjust the log message if the client aborted the
+ connection.
+ mod_rewrite:
+ - Make sure that a hostname:port isn't fully qualified if the request is a
+ CONNECT request. PR 47928
+ - Add scgi scheme detection.
+ mod_ssl:
+ - Fix a potential I/O hang if a long list of trusted CAs is configured for
+ client cert auth. PR 46952.
+ - When extracting certificate subject/issuer names to the SSL_*_DN_*
+ variables, handle RDNs with duplicate tags by exporting multiple
+ varialables with an "_n" integer suffix. PR 45875.
+- obsolete patch CVE-2009-3555-2.2.patch removed
+
+-------------------------------------------------------------------
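Review bot: the two CVE-2009-3555 entries say the comprehensive RFC 5746 fix applies only "when compiled against OpenSSL version 0.9.8m or later" and that per-directory/location renegotiation setups stay vulnerable below 0.9.8l, yet the entry never records which OpenSSL version this package build links against, so a reader cannot tell whether the package receives the full fix or only the rejection of client-initiated renegotiations; add one line naming the OpenSSL version used at build time. Because the new 'SSLInsecureRenegotiation' directive is described as reopening the vulnerability, it should not appear in any shipped configuration template and should be documented only as a deliberate opt-out. Minor: "Elimiates" and "varialables" are typos carried over from the upstream CHANGES text and could be corrected in the package changelog.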
calling whatdependson for head-i586
Old:
----
CVE-2009-3555-2.2.patch
httpd-2.2.14.tar.bz2
New:
----
httpd-2.2.15.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.JNF8Dc/_old 2010-03-19 08:23:58.000000000 +0100
+++ /var/tmp/diff_new_pack.JNF8Dc/_new 2010-03-19 08:23:58.000000000 +0100
@@ -1,5 +1,5 @@
#
-# spec file for package apache2 (Version 2.2.14)
+# spec file for package apache2 (Version 2.2.15)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -62,9 +62,9 @@
%define platform_string Linux/%VENDOR
License: ASLv..
Group: Productivity/Networking/Web/Servers
-%define realver 2.2.14
-Version: 2.2.14
-Release: 2
+%define realver 2.2.15
+Version: 2.2.15
+Release: 1
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
Source10: SUSE-NOTICE
@@ -112,7 +112,6 @@
Source140: apache2-check_forensic
Source141: apache-20-22-upgrade
Patch2: httpd-2.1.3alpha-layout.dif
-Patch10: CVE-2009-3555-2.2.patch
Patch23: httpd-2.1.9-apachectl.dif
Patch65: httpd-2.0.49-log_server_status.dif
Patch66: httpd-2.0.54-envvars.dif
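Review bot: dropping `Patch10: CVE-2009-3555-2.2.patch` is consistent with the `-%patch10 -p0` removal in the %setup hunk below and with the file listed under Old:, so no dangling patch reference remains; however, this diff shows no change to the BuildRequires for OpenSSL, and since the changelog ties the scope of the upstream CVE-2009-3555 fix to the OpenSSL version present at build time (>= 0.9.8m for the comprehensive fix), consider adding a minimum version to that BuildRequires so the requirement is enforced by the build rather than assumed.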
@@ -381,7 +380,6 @@
#
%setup -q -n httpd-%{realver}
%patch2 -p1
-%patch10 -p0
%patch23 -p1
%patch65 -p1
%patch66 -p1
++++++ httpd-2.2.14.tar.bz2 -> httpd-2.2.15.tar.bz2 ++++++
++++ 127871 lines of diff (skipped)
++++++ rc.apache2 ++++++
--- /var/tmp/diff_new_pack.JNF8Dc/_old 2010-03-19 08:24:03.000000000 +0100
+++ /var/tmp/diff_new_pack.JNF8Dc/_new 2010-03-19 08:24:03.000000000 +0100
@@ -6,7 +6,8 @@
# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
#
# Authors: Rolf Haberrecker