Changelog for httpd2-manual-2.2.34-lp150.1.2.x86_64.rpm:
* Sat Nov 11 2017 mkubecek@suse.cz
- update to version 2.2.34
  * bug in token list parsing, which allows ap_find_token() to search past the end of its input string (CVE-2017-7668)
  * mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port (CVE-2017-3169)
  * use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed (CVE-2017-3167)
  * mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header (CVE-2017-7679)
  * mod_auth_digest: uninitialized memory reflection; the value placeholder in [Proxy-]Authorization headers of type 'Digest' was not initialized or reset before or between successive key=value assignments (CVE-2017-9788)
* Tue Mar 14 2017 mkubecek@suse.cz
- update to version 2.2.32
  * enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies (CVE-2016-8743)
  * validate HTTP response header grammar defined by RFC7230, resulting in a 500 error in the event that invalid response header contents are detected when serving the response, to avoid response splitting and cache pollution by malicious clients, upstream servers or faulty modules
  * core: mitigate [f]cgi CVE-2016-5387 "httpoxy" issues
  * mod_ssl: support compilation against libssl built with OPENSSL_NO_SSL3
- add explicit insserv requirements
- specfile cleanup
* Wed Sep 30 2015 mike@mk-sys.cz
- update to version 2.2.31
  * core: Fix chunk header parsing defect (CVE-2015-3183)
  * mod_ssl: Improve handling of ephemeral DH and ECDH keys by allowing custom parameters to be configured via SSLCertificateFile, and by adding standardized DH parameters for 1024/2048/3072/4096 bits
  * mod_ssl: drop support for export-grade ciphers with ephemeral RSA keys, and unconditionally disable aNULL, eNULL and EXP ciphers (not overridable via SSLCipherSuite)
  * mod_ssl: New directive SSLSessionTickets (On|Off)
* Tue Nov 04 2014 mike@mk-sys.cz
- update to version 2.2.29
  * mod_ssl: Change default for SSLCompression to off, as compression causes security issues in most setups (the so-called "CRIME" attack)
  * mod_ssl: Fix compilation error when OpenSSL does not contain support for SSLv2
  * Clean up cookie logging with fewer redundant string parsing passes. Log only cookies with a value assignment. Prevents segfaults when logging truncated cookies. (CVE-2014-0098)
  * mod_dav: Keep track of length of cdata properly when removing leading spaces. Eliminates a potential denial of service from specifically crafted DAV WRITE requests (CVE-2013-6438)
  * mod_deflate: The DEFLATE input filter (inflates request bodies) now limits the length and compression ratio of inflated request bodies to avoid denial of service via highly compressed bodies. See directives DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, and DeflateInflateRatioBurst (CVE-2014-0118)
  * mod_cgid: Fix a denial of service against CGI scripts that do not consume stdin that could lead to lingering HTTPD child processes filling up the scoreboard and eventually hanging the server. By default, the client I/O timeout (Timeout directive) now applies to communication with scripts. The CGIDScriptTimeout directive can be used to set a different timeout for communication with scripts. (CVE-2014-0231)
  * Fix a race condition in scoreboard handling, which could lead to a heap buffer overflow. (CVE-2014-0226)
  * core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior. (CVE-2013-5704)
* Fri Jul 19 2013 mike@mk-sys.cz
- update to version 2.2.25
  * mod_dav: Sending a MERGE request against a URI handled by mod_dav_svn with the source href (sent as part of the request body as XML) pointing to a URI that is not configured for DAV will trigger a segfault. (CVE-2013-1896)
  * mod_rewrite: Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file (CVE-2013-1862)
* Sat Jun 22 2013 mike@mk-sys.cz
- add zlib-devel and openssl-devel to BuildRequires to fix build in Factory
* Mon Mar 18 2013 mike@mk-sys.cz
- update to version 2.2.24
  * various XSS flaws due to unescaped hostnames and URIs in HTML output in mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp (CVE-2012-3499)
  * an XSS flaw affected the mod_proxy_balancer manager interface (CVE-2012-4558)
- fix License tag in specfile
* Fri Sep 14 2012 mike@mk-sys.cz
- apxs manual page moved to section 8
* Fri Sep 14 2012 mike@mk-sys.cz
- update to version 2.2.23
  * envvars: Fix insecure handling of LD_LIBRARY_PATH that could lead to the current working directory being searched for DSOs. (CVE-2012-0883)
  * mod_negotiation: Escape filenames in variant list to prevent a possible XSS for a site where untrusted users can upload files to a location with MultiViews enabled. (CVE-2012-2687)
- httpd-2.2.23-layout.patch: refresh
- httpd-2.2.23-config.patch: refresh
* Wed Feb 01 2012 mike@mk-sys.cz
- update to version 2.2.22
  * mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is not recognized (CVE-2011-3348)
  * fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20 (PR 51748)
  * mod_filter: Instead of dropping the Accept-Ranges header when a filter registered with AP_FILTER_PROTO_NO_BYTERANGE is present, set the header value to "none"
  * core: Allow MaxRanges none|unlimited|default and set 'Accept-Ranges: none' in the case Ranges are being ignored with MaxRanges none.
  * apxs man page moved to section 1
- refreshed httpd-2.2.21-config.patch
- add restart_on_update to postun scriptlet
* Thu Jan 12 2012 mike@mk-sys.cz
- move package to BuildService
- don't use version macro in patch filenames
* Mon Sep 19 2011 mike@mk-sys.cz
- update to version 2.2.21
- use _smp_mflags instead of _jobs
- include rchttpd symlink
* Wed Aug 31 2011 mike@mk-sys.cz
- fix for byterange DoS vulnerability (CVE-2011-3192)
* Tue May 24 2011 mike@mk-sys.cz
- update to version 2.2.19
  * revert ABI breakage
* Tue May 17 2011 mike@mk-sys.cz
- update to version 2.2.18
* Sun Apr 17 2011 mike@mk-sys.cz
- create /var/run/httpd on start
- ignore "invalid" file names
* Tue Nov 02 2010 mike@mk-sys.cz
- update to version 2.2.17
* Wed Aug 04 2010 mike@mk-sys.cz
- fixed typo in specfile (BuildRoot)
* Sun Aug 01 2010 mike@mk-sys.cz
- update to version 2.2.16
* Sat Mar 20 2010 mike@mk-sys.cz
- update to version 2.2.15
* Sun Oct 11 2009 mike@mk-sys.cz
- update to version 2.2.14
* Sun Aug 30 2009 mike@mk-sys.cz
- update to version 2.2.13
* Thu Mar 05 2009 mike@mk-sys.cz
- build modules as dynamic
* Wed Mar 04 2009 mike@mk-sys.cz
- httpd2-devel depends on httpd2
- defattr for subpackages
- add %%{_libdir}/httpd into package
- don't remove buildroot
- cleanup %%files sections
- move logresolve to %%{_bindir}
- move envvars to /etc/httpd/support
- changed group for httpd2-devel
- removed checkgid and httpd.exp
- enable ssl, expires, headers, deflate
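The entries above name the CVEs each package update carries. On a distribution that backports fixes, that changelog, not the upstream version string, is what tells you whether an installed package covers a given CVE. The script below is an added example and is not code from the httpd2 package or its maintainers: it pulls CVE identifiers out of RPM changelog text and reports the oldest entry that names a given CVE (the update that first carried the fix). The changelog excerpt embedded in it is a constructed sample in the format shown on this page, and the function names list_cves, cve_count, cve_fixed and cve_entry are chosen here.

```shell
#!/bin/sh
# Added example, not code from the httpd2 package or its maintainers.
# Looks up CVE identifiers in RPM changelog text: when a distribution
# backports fixes, the changelog (rpm -q --changelog <pkg>) shows whether
# a given CVE is covered, not the upstream version number.
# All function names below are chosen for this example.

# Constructed sample in the format of the changelog on this page: a few
# entries, newest first, including one CVE that two entries mention.
SAMPLE_CHANGELOG=$(cat <<'EOF'
* Sat Nov 11 2017 mkubecek@suse.cz
- update to version 2.2.34
  * bug in token list parsing, which allows ap_find_token() to search past the end of its input string (CVE-2017-7668)
  * mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port (CVE-2017-3169)
* Tue Mar 14 2017 mkubecek@suse.cz
- update to version 2.2.32
  * enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers (CVE-2016-8743)
  * core: mitigate [f]cgi CVE-2016-5387 "httpoxy" issues
* Wed Sep 30 2015 mike@mk-sys.cz
- update to version 2.2.31
  * core: Fix chunk header parsing defect (CVE-2015-3183)
* Wed Feb 01 2012 mike@mk-sys.cz
- update to version 2.2.22
  * fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20 (PR 51748)
* Wed Aug 31 2011 mike@mk-sys.cz
- fix for byterange DoS vulnerability (CVE-2011-3192)
EOF
)

# list_cves: read changelog text on stdin, print each distinct CVE id once,
# upper-cased and sorted. The id is matched anywhere in the line, so a
# mention without parentheses ("mitigate CVE-2016-5387 issues") is found too.
list_cves() {
    grep -oE '[Cc][Vv][Ee]-[0-9]{4}-[0-9]{4,}' | tr 'a-z' 'A-Z' | sort -u
}

# cve_count CHANGELOG: number of distinct CVE ids named in CHANGELOG.
cve_count() {
    printf '%s\n' "$1" | list_cves | wc -l | tr -d ' '
}

# cve_fixed CVE-ID CHANGELOG: exit 0 if CHANGELOG names CVE-ID, 1 otherwise.
cve_fixed() {
    cve=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    printf '%s\n' "$2" | list_cves | grep -qx "$cve"
}

# cve_entry CVE-ID CHANGELOG: print the header line ("* <date> <author>")
# of the oldest entry naming CVE-ID, i.e. the update that first carried the
# fix. Because the changelog is newest-first, the last match wins, so a
# later entry that only refers back to the CVE (a regression fix) is not
# reported. Prints nothing if the CVE is absent.
cve_entry() {
    cve=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    printf '%s\n' "$2" | awk -v cve="$cve" '
        /^\* /                      { hdr = $0 }
        index(toupper($0), cve) > 0 { found = hdr }
        END                         { if (found != "") print found }
    '
}

# Typical use against the installed package (rpm is not needed to run the
# constructed sample above):
#   rpm -q --changelog httpd2 > /tmp/httpd2.changelog
#   cve_fixed CVE-2017-7668 "$(cat /tmp/httpd2.changelog)" && echo "fix present"
#   cve_entry CVE-2011-3192 "$(cat /tmp/httpd2.changelog)"
```

Treat the result as a first check, not a verdict: a CVE missing from the changelog is not proof that the package is vulnerable, since the maintainer may have fixed it under an entry that does not name the identifier, or the affected module may not be built at all. A CVE that is present tells you the fix was intended to be in that build; whether it actually is (and has not been reverted, as the 2.2.19 "revert ABI breakage" entry above shows can happen) is a question for the package sources or a direct test.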