Changelog for
httpd2-manual-2.2.34-1.1.x86_64.rpm :
Sat Nov 11 13:00:00 2017 mkubecekAATTsuse.cz
- update to version 2.2.34
* bug in token list parsing, which allows ap_find_token() to
search past the end of its input string (CVE-2017-7668)
* mod_ssl may dereference a NULL pointer when third-party modules
call ap_hook_process_connection() during an HTTP request to an
HTTPS port (CVE-2017-3169)
* use of the ap_get_basic_auth_pw() by third-party modules
outside of the authentication phase may lead to authentication
requirements being bypassed (CVE-2017-3167)
* mod_mime can read one byte past the end of a buffer when
sending a malicious Content-Type response header
(CVE-2017-7679)
* mod_auth_digest: uninitialized memory reflection; the value
placeholder in [Proxy-]Authorization headers type \'Digest\' was
not initialized or reset before or between successive key=value
assignments (CVE-2017-9788)
Tue Mar 14 13:00:00 2017 mkubecekAATTsuse.cz
- update to version 2.2.32
* enforce HTTP request grammar corresponding to RFC7230 for
request lines and request headers, to prevent response
splitting and cache pollution by malicious clients or
downstream proxies (CVE-2016-8743)
* validate HTTP response header grammar defined by RFC7230,
resulting in a 500 error in the event that invalid response
header contents are detected when serving the response, to
avoid response splitting and cache pollution by malicious
clients, upstream servers or faulty modules
* core: mitigate [f]cgi CVE-2016-5387 \"httpoxy\" issues
* mod_ssl: support compilation against libssl built with
OPENSSL_NO_SSL3
- add explicit insserv requirements
- specfile cleanup
Wed Sep 30 14:00:00 2015 mikeAATTmk-sys.cz
- update to version 2.2.31
* core: Fix chunk header parsing defect (CVE-2015-3183)
* mod_ssl: Improve handling of ephemeral DH and ECDH keys by
allowing custom parameters to be configured via
SSLCertificateFile, and by adding standardized DH parameters
for 1024/2048/3072/4096 bits
* mod_ssl: drop support for export-grade ciphers with ephemeral
RSA keys, and unconditionally disable aNULL, eNULL and EXP
ciphers (not overridable via SSLCipherSuite)
* mod_ssl: New directive SSLSessionTickets (On|Off)
Tue Nov 4 13:00:00 2014 mikeAATTmk-sys.cz
- update to version 2.2.29
* mod_ssl: Change default for SSLCompression to off, as
compression causes security issues in most setups (The so
called \"CRIME\" attack)
* mod_ssl: Fix compilation error when OpenSSL does not contain
support for SSLv2
* Clean up cookie logging with fewer redundant string parsing
passes. Log only cookies with a value assignment. Prevents
segfaults when logging truncated cookies. (CVE-2014-0098)
* mod_dav: Keep track of length of cdata properly when removing
leading spaces. Eliminates a potential denial of service from
specifically crafted DAV WRITE requests (CVE-2013-6438)
* mod_deflate: The DEFLATE input filter (inflates request bodies)
now limits the length and compression ratio of inflated request
bodies to avoid denial of service via highly compressed bodies.
See directives DeflateInflateLimitRequestBody,
DeflateInflateRatioLimit, and DeflateInflateRatioBurst
(CVE-2014-0118)
* mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child
processes filling up the scoreboard and eventually hanging the
server. By default, the client I/O timeout (Timeout directive)
now applies to communication with scripts. The
CGIDScriptTimeout directive can be used to set a different
timeout for communication with scripts. (CVE-2014-0231)
* Fix a race condition in scoreboard handling, which could lead
to a heap buffer overflow. (CVE-2014-0226)
* core: HTTP trailers could be used to replace HTTP headers late
during request processing, potentially undoing or otherwise
confusing modules that examined or modified request headers
earlier. Adds \"MergeTrailers\" directive to restore legacy
behavior. (CVE-2013-5704)
Fri Jul 19 14:00:00 2013 mikeAATTmk-sys.cz
- update to version 2.2.25
* mod_dav: Sending a MERGE request against a URI handled by
mod_dav_svn with the source href (sent as part of the request
body as XML) pointing to a URI that is not configured for DAV
will trigger a segfault.
(CVE-2013-1896)
* mod_rewrite: Ensure that client data written to the RewriteLog
is escaped to prevent terminal escape sequences from entering
the log file
(CVE-2013-1862)
Sat Jun 22 14:00:00 2013 mikeAATTmk-sys.cz
- add zlib-devel and openssl-devel to BuildRequires to fix build
in Factory
Mon Mar 18 13:00:00 2013 mikeAATTmk-sys.cz
- update to version 2.2.24
* various XSS flaws due to unescaped hostnames and URIs HTML
output in mod_info, mod_status, mod_imagemap, mod_ldap, and
mod_proxy_ftp
(CVE-2012-3499)
* a XSS flaw affected the mod_proxy_balancer manager interface
(CVE-2012-4558)
- fix License tag in specfile
Fri Sep 14 14:00:00 2012 mikeAATTmk-sys.cz
- apxs manual page moved to section 8
Fri Sep 14 14:00:00 2012 mikeAATTmk-sys.cz
- update to version 2.2.23
* envvars: Fix insecure handling of LD_LIBRARY_PATH that could
lead to the current working directory to be searched for DSOs.
(CVE-2012-0883)
* mod_negotiation: Escape filenames in variant list to prevent a
possible XSS for a site where untrusted users can upload files
to a location with MultiViews enabled.
(CVE-2012-2687)
- httpd-2.2.23-layout.patch: refresh
- httpd-2.2.23-config.patch: refresh
Wed Feb 1 13:00:00 2012 mikeAATTmk-sys.cz
- update to version 2.2.22
* mod_proxy_ajp: Respond with HTTP_NOT_IMPLEMENTED when the method is
not recognized (CVE-2011-3348)
* fix a regression introduced by the CVE-2011-3192 byterange fix in
2.2.20 (PR 51748)
* mod_filter: Instead of dropping the Accept-Ranges header when a
filter registered with AP_FILTER_PROTO_NO_BYTERANGE is present, set
the header value to \"none\"
* core: Allow MaxRanges none|unlimited|default and set \'Accept-Ranges:
none\' in the case Ranges are being ignored with MaxRanges none.
* apxs man page moved to section 1
- refreshed httpd-2.2.21-config.patch
- add restart_on_update to postun scriptlet
Thu Jan 12 13:00:00 2012 mikeAATTmk-sys.cz
- move package to BuildService
- don\'t use version macro in patch filenames
Mon Sep 19 14:00:00 2011 mikeAATTmk-sys.cz
- update to version 2.2.21
- use _smp_mflags instead of _jobs
- include rchttpd symlink
Wed Aug 31 14:00:00 2011 mikeAATTmk-sys.cz
- fix for byterange DoS vulnerability (CVE-2011-3192)
Tue May 24 14:00:00 2011 mikeAATTmk-sys.cz
- update to version 2.2.19
* revert ABI breakage
Tue May 17 14:00:00 2011 mikeAATTmk-sys.cz
- update to version 2.2.18
Sun Apr 17 14:00:00 2011 mikeAATTmk-sys.cz
- create /var/run/httpd on start
- ignore \"invalid\" file names
Tue Nov 2 13:00:00 2010 mikeAATTmk-sys.cz
- update to version 2.2.17
Wed Aug 4 14:00:00 2010 mikeAATTmk-sys.cz
- fixed typo in specfile (BuildRoot)
Sun Aug 1 14:00:00 2010 mikeAATTmk-sys.cz
- update to version 2.2.16
Sat Mar 20 13:00:00 2010 mikeAATTmk-sys.cz
- update to version 2.2.15
Sun Oct 11 14:00:00 2009 mikeAATTmk-sys.cz
- update to version 2.2.14
Sun Aug 30 14:00:00 2009 mikeAATTmk-sys.cz
- update to version 2.2.13
Thu Mar 5 13:00:00 2009 mikeAATTmk-sys.cz
- build modules as dynamic
Wed Mar 4 13:00:00 2009 mikeAATTmk-sys.cz
- httpd2-devel depends on httpd2
- defattr for subpackages
- add %%{_libdir}/httpd into package
- don\'t remove buildroot
- cleanup %%files sections
- move logresolve to %%{_bindir}
- move envvars to /etc/httpd/support
- changed group for httpd2-devel
- removed checkgid and httpd.exp
- enable ssl, expires, headers, deflate