Changelog for httpd24-manual-2.4.54-2.62.noarch.rpm:
* Thu Nov 24 2022 Michal Kubecek
- more Factory workarounds
- make devel and manual subpackages noarch where possible
* Thu Nov 24 2022 Michal Kubecek
- update to version 2.4.54
- rename rpmlintrc to httpd24-rpmlintrc and update to keep up with latest whims
* Tue Apr 27 2021 Michal Kubecek
- update to version 2.4.46
  * see upstream changelog
- refresh patches and rename them to more descriptive names:
  * httpd-2.4.3-layout.patch -> adjust-layout-to-follow-FHS.patch
  * httpd-2.4.1-config.patch -> adjust-default-config.patch
- rename also other files from ancient naming scheme:
  * httpd-2.4.1-init -> httpd.init
  * httpd-2.4.1-rpmlintrc -> rpmlintrc
- update rpmlintrc to work around bogus Factory build checks
- add tarball signature and keyring with upstream maintainer key
- add version to libapr1-devel build time dependency
* Sun May 27 2018 mkubecek@suse.cz
- update to version 2.4.33
  * mod_authnz_ldap: out of bound write with AuthLDAPCharsetConfig enabled (CVE-2017-15710)
  * mod_session: CGI-like applications that intend to read from mod_session's 'SessionEnv ON' could be fooled into reading user-supplied data instead (CVE-2018-1283)
  * mod_cache_socache: Fix request headers parsing to avoid a possible crash with specially crafted input data (CVE-2018-1303)
  * core: Possible crash with excessively long HTTP request headers (CVE-2018-1301)
  * core: Configure the regular expression engine to match '$' to the end of the input string only, excluding matching the end of any embedded newline characters; behavior can be changed with new directive 'RegexDefaultOptions' (CVE-2017-15715)
  * mod_auth_digest: Fix generation of nonce values to prevent replay attacks across servers using a common Digest domain (CVE-2018-1312)
  * mod_http2: Potential crash w/ mod_http2 (CVE-2018-1302)
  * many other fixes
* Sat Nov 11 2017 mkubecek@suse.cz
- update to version 2.4.29
  * mod_mime can read one byte past the end of a buffer when sending a malicious Content-Type response header (CVE-2017-7679)
  * bug in token list parsing, which allows ap_find_token() to search past the end of its input string (CVE-2017-7668)
  * a maliciously constructed HTTP/2 request could cause mod_http2 to dereference a NULL pointer and crash the server process (CVE-2017-7659)
  * mod_ssl may dereference a NULL pointer when third-party modules call ap_hook_process_connection() during an HTTP request to an HTTPS port (CVE-2017-3169)
  * use of the ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed (CVE-2017-3167)
  * mod_http2: read after free; when under stress, closing many connections, the HTTP/2 handling code would sometimes access memory after it has been freed, resulting in potentially erratic behaviour (CVE-2017-9789)
  * mod_auth_digest: Uninitialized memory reflection. The value placeholder in [Proxy-]Authorization headers type 'Digest' was not initialized or reset before or between successive key=value assignments (CVE-2017-9788)
  * corrupted or freed memory access. must now be used in the main configuration file (httpd.conf) to register HTTP methods before the .htaccess files (CVE-2017-9798)
  * HTTP/2 support no longer tagged as "experimental" but is instead considered fully production ready
  * mod_http2: Disable and give warning when using Prefork; the server will continue to run, but HTTP/2 will no longer be negotiated
* Tue Mar 14 2017 mkubecek@suse.cz
- update to version 2.4.25
  * mod_http2: mitigate DoS memory exhaustion via endless CONTINUATION frames
  * core: mitigate [f]cgi "httpoxy" issues (CVE-2016-5387)
  * mod_auth_digest: prevent segfaults during client entry allocation when the shared memory space is exhausted (CVE-2016-2161)
  * mod_session_crypto: authenticate the session data/cookie with a MAC (SipHash) to prevent deciphering or tampering with a padding oracle attack
  * enforce HTTP request grammar corresponding to RFC7230 for request lines and request headers, to prevent response splitting and cache pollution by malicious clients or downstream proxies (CVE-2016-8743)
  * validate HTTP response header grammar defined by RFC7230, resulting in a 500 error in the event that invalid response header contents are detected when serving the response, to avoid response splitting and cache pollution by malicious clients, upstream servers or faulty modules
  * core: new directive HttpProtocolOptions to control httpd enforcement of various RFC7230 requirements
  * mod_http2: new directive 'H2PushResource' to enable early pushes before processing of the main request starts
  * mod_proxy_http2: adding support for newly proposed 103 status code
- add explicit insserv prerequisites
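The `HttpProtocolOptions` directive introduced in 2.4.25 (and the `RegexDefaultOptions` directive from 2.4.33) shown as an added httpd configuration example; this is not part of the package changelog or of the upstream project's shipped configuration. It assumes httpd 2.4.33 or later so that both directives are recognised, and is meant for the global server context.

```apache
# Added example, not from the changelog: request-grammar enforcement in httpd 2.4.25+.
# The built-in default since 2.4.25 is "Strict LenientMethods Allow0.9":
# malformed request lines and headers are rejected with 400, unknown
# methods are still passed through, and HTTP/0.9 request lines are accepted.

# Weak setting: restores pre-2.4.25 lenient parsing. It reopens the
# response-splitting / cache-pollution class fixed as CVE-2016-8743, so it
# belongs only in a short-lived compatibility shim for a known broken client.
# HttpProtocolOptions Unsafe LenientMethods Allow0.9

# Hardened setting: strict RFC 7230 parsing, only methods httpd knows about
# (or that were registered with RegisterHttpMethod in httpd.conf) are
# accepted, and HTTP/0.9 request lines are refused.
HttpProtocolOptions Strict RegisteredMethods Require1.0

# 2.4.33 behaviour for "$" in regexes (CVE-2017-15715): anchor at the end
# of the string only, not at an embedded newline. This is already the
# default; it is spelled out here so nobody silently flips it to -DOLLAR_ENDONLY.
RegexDefaultOptions +DOLLAR_ENDONLY
```

After changing either directive, run `apachectl configtest` before reloading; a typo in `HttpProtocolOptions` is a fatal configuration error rather than a silent fallback to the lenient parser.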
* Mon Sep 05 2016 mkubecek@suse.cz
- update to version 2.4.23
  * mod_ssl: Add "no_crl_for_cert_ok" flag to SSLCARevocationCheck directive to opt-in previous behaviour (2.2) with CRLs verification when checking certificate(s) with no corresponding CRL.
  * mod_ssl: reset client-verify state of ssl when aborting renegotiations
  * mod_http2: lots of fixes
- specfile cleanup
* Fri Jul 01 2016 mike@mk-sys.cz
- update to version 2.4.20
  * mod_log_config: Add GlobalLog to allow a globally defined log to be inherited by virtual hosts that define a CustomLog
  * mod_http2: lots of fixes
* Sat Dec 26 2015 mike@mk-sys.cz
- update to version 2.4.18
  * mod_http2: added donated HTTP/2 implementation via core module; similar configuration options to mod_ssl
  * mod_ssl: enable support for configuring the SUITEB cipher strings introduced in OpenSSL 1.0.2
  * MPMs: support SO_REUSEPORT to create multiple duplicated listener records for scalability
* Wed Sep 30 2015 mike@mk-sys.cz
- update to version 2.4.16
  * mod_proxy_fcgi: Fix a potential crash due to buffer over-read, with response headers' size above 8K (CVE-2014-3583)
  * mod_cache: Avoid a crash when Content-Type has an empty value (CVE-2014-3581)
  * mod_lua: Fix handling of the Require line when a LuaAuthzProvider is used in multiple Require directives with different arguments (CVE-2014-8109)
  * core: HTTP trailers could be used to replace HTTP headers late during request processing, potentially undoing or otherwise confusing modules that examined or modified request headers earlier. Adds "MergeTrailers" directive to restore legacy behavior. (CVE-2013-5704)
  * mod_ssl: New directive SSLSessionTickets (On|Off)
  * core: Fix a crash with ErrorDocument 400 pointing to a local URL-path with the INCLUDES filter active, introduced in 2.4.11 (CVE-2015-0253)
  * mod_lua: A maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash (CVE-2015-0228)
  * core: Fix chunk header parsing defect (CVE-2015-3183)
  * Replacement of ap_some_auth_required (unusable in Apache httpd 2.4) with new ap_some_authn_required and ap_force_authn hook (CVE-2015-3185)