diff --git a/apache2.changes b/apache2.changes
index 0e8f993..8b0e57f 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jan 2 09:50:00 UTC 2017 - pgajdos@suse.com
+
+- update to 2.4.25: fixed several security issues (CVE-2016-8740,
+ CVE-2016-5387, CVE-2016-2161, CVE-2016-0736, CVE-2016-8743), many
+ fixes and improvements of mod_http2 and other modules; see CHANGES
+ for full change log
+
 -------------------------------------------------------------------
 Fri Dec 9 12:21:27 UTC 2016 - pgajdos@suse.com
diff --git a/apache2.spec b/apache2.spec
index 1e6ed8c..5c9d05e 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package apache2
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -51,7 +51,7 @@
 %endif
 Name: apache2
-Version: 2.4.23
+Version: 2.4.25
 Release: 0
 Summary: The Apache Web Server Version 2.4
 License: Apache-2.0
@@ -312,7 +312,7 @@ to administrators of web servers in general.
 %endif
 %patch111 -p1
 %patch114 -p1
-%patch115
+%patch115 -p1
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{SOURCE22})
diff --git a/httpd-2.4.23.tar.bz2 b/httpd-2.4.23.tar.bz2
deleted file mode 100644
index bc4062c..0000000
--- a/httpd-2.4.23.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58
-size 6351875
diff --git a/httpd-2.4.25.tar.bz2 b/httpd-2.4.25.tar.bz2
new file mode 100644
index 0000000..afdeb40
--- /dev/null
+++ b/httpd-2.4.25.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2
+size 6398218
diff --git a/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff b/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
index 16e8a20..3472f7d 100644
--- a/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
+++ b/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
@@ -42,39 +42,19 @@ Conflicts: server/protocol.c | 25 +++++++++++++++++-------- 6 files changed, 77 insertions(+), 10 deletions(-) -Index: include/http_core.h +Index: httpd-2.4.25/modules/http/http_filters.c =================================================================== ---- include/http_core.h.orig 2016-01-20 15:10:51.651189219 +0100 -+++ include/http_core.h 2016-01-20 15:12:18.983188213 +0100 -@@ -694,6 +694,15 @@ - #define AP_MERGE_TRAILERS_DISABLE 2 - int merge_trailers; - -+#define AP_HTTP_CL_HEAD_ZERO_UNSET 0 -+#define AP_HTTP_CL_HEAD_ZERO_ENABLE 1 -+#define AP_HTTP_CL_HEAD_ZERO_DISABLE 2 -+ int http_cl_head_zero; -+ -+#define AP_HTTP_EXPECT_STRICT_UNSET 0 -+#define AP_HTTP_EXPECT_STRICT_ENABLE 1 -+#define AP_HTTP_EXPECT_STRICT_DISABLE 2 -+ int http_expect_strict; - - - apr_array_header_t *protocols; -Index: modules/http/http_filters.c -=================================================================== ---- modules/http/http_filters.c.orig 2015-07-08 10:59:36.000000000 +0200 -+++ modules/http/http_filters.c 2016-01-20 15:10:51.651189219 +0100 -@@ -1175,6 +1175,7 @@ - header_filter_ctx *ctx = f->ctx; +--- httpd-2.4.25.orig/modules/http/http_filters.c 2016-12-15 13:18:59.000000000 +0100 ++++ httpd-2.4.25/modules/http/http_filters.c 2017-01-02 10:54:37.608517377 +0100 +@@ -1260,6 +1260,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ const char *ctype; ap_bucket_error *eb = NULL; + apr_bucket *eos = NULL; + core_server_config *conf; AP_DEBUG_ASSERT(!r->main); -@@ -1315,10 +1316,17 @@ +@@ -1441,10 +1442,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ * zero C-L to the client. We can't just remove the C-L filter, * because well behaved 2.0 handlers will send their data down the stack, * and we will compute a real C-L for the head request. RBB 
@@ -93,13 +73,13 @@ Index: modules/http/http_filters.c apr_table_unset(r->headers_out, "Content-Length"); } -Index: server/core.c +Index: httpd-2.4.25/server/core.c =================================================================== ---- server/core.c.orig 2015-11-19 20:55:25.000000000 +0100 -+++ server/core.c 2016-01-20 15:13:29.575187399 +0100 -@@ -503,6 +503,12 @@ - if (virt->trace_enable != AP_TRACE_UNSET) - conf->trace_enable = virt->trace_enable; +--- httpd-2.4.25.orig/server/core.c 2016-12-05 15:34:29.000000000 +0100 ++++ httpd-2.4.25/server/core.c 2017-01-02 10:54:37.608517377 +0100 +@@ -528,6 +528,12 @@ static void *merge_core_server_configs(a + if (virt->http_methods != AP_HTTP_METHODS_UNSET) + conf->http_methods = virt->http_methods; + if (virt->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_UNSET) + conf->http_cl_head_zero = virt->http_cl_head_zero; @@ -110,7 +90,7 @@ Index: server/core.c /* no action for virt->accf_map, not allowed per-vhost */ if (virt->protocol) -@@ -3756,6 +3762,32 @@ +@@ -3955,6 +3961,32 @@ static const char *set_http_method(cmd_p return NULL; } @@ -143,7 +123,7 @@ Index: server/core.c static apr_hash_t *errorlog_hash; static int log_constant_item(const ap_errorlog_info *info, const char *arg, -@@ -4273,6 +4305,10 @@ +@@ -4474,6 +4506,10 @@ AP_INIT_TAKE1("TraceEnable", set_trace_e "'on' (default), 'off' or 'extended' to trace request body content"), AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF, "merge request trailers into request headers or not"), 
@@ -154,11 +134,11 @@ Index: server/core.c AP_INIT_ITERATE("Protocols", set_protocols, NULL, RSRC_CONF, "Controls which protocols are allowed"), AP_INIT_TAKE1("ProtocolsHonorOrder", set_protocols_honor_order, NULL, RSRC_CONF, -Index: server/protocol.c +Index: httpd-2.4.25/server/protocol.c =================================================================== ---- server/protocol.c.orig 2015-11-26 14:42:42.000000000 +0100 -+++ server/protocol.c 2016-01-20 15:10:51.651189219 +0100 -@@ -1144,14 +1144,23 @@ +--- httpd-2.4.25.orig/server/protocol.c 2016-12-12 16:22:49.000000000 +0100 ++++ httpd-2.4.25/server/protocol.c 2017-01-02 10:54:37.608517377 +0100 +@@ -1416,14 +1416,23 @@ request_rec *ap_read_request(conn_rec *c r->expecting_100 = 1; } else { @@ -190,3 +170,32 @@ Index: server/protocol.c } } +Index: httpd-2.4.25/include/http_core.h +=================================================================== +--- httpd-2.4.25.orig/include/http_core.h 2016-12-05 15:34:29.000000000 +0100 ++++ httpd-2.4.25/include/http_core.h 2017-01-02 10:55:18.613603512 +0100 +@@ -723,6 +723,16 @@ typedef struct { + #define AP_MERGE_TRAILERS_DISABLE 2 + int merge_trailers; + ++#define AP_HTTP_CL_HEAD_ZERO_UNSET 0 ++#define AP_HTTP_CL_HEAD_ZERO_ENABLE 1 ++#define AP_HTTP_CL_HEAD_ZERO_DISABLE 2 ++ int http_cl_head_zero; ++ ++#define AP_HTTP_EXPECT_STRICT_UNSET 0 ++#define AP_HTTP_EXPECT_STRICT_ENABLE 1 ++#define AP_HTTP_EXPECT_STRICT_DISABLE 2 ++ int http_expect_strict; ++ + apr_array_header_t *protocols; + int protocols_honor_order; + +@@ -762,7 +772,6 @@ apr_status_t ap_core_input_filter(ap_fil + apr_off_t readbytes); + apr_status_t ap_core_output_filter(ap_filter_t *f, apr_bucket_brigade *b); + +- + AP_DECLARE(const char*) ap_get_server_protocol(server_rec* s); + AP_DECLARE(void) ap_set_server_protocol(server_rec* s, const char* proto); + diff --git a/httpd-visibility.patch b/httpd-visibility.patch index ece25b3..ba5f72a 100644 --- a/httpd-visibility.patch +++ b/httpd-visibility.patch 
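Review bot: The two new `int` members `http_cl_head_zero` and `http_expect_strict` are inserted into the struct in include/http_core.h (presumably `core_server_config`) between `merge_trailers` and `protocols`, which shifts every later member relative to an unpatched 2.4.25 header. Modules built against this package's headers are unaffected, but a binary module compiled against upstream headers would likely read `protocols` and the members after it at the wrong offsets. Placing the additions after the last upstream member, under a comment such as `/* downstream additions (fate317766): keep after all upstream members */`, avoids that. The refreshed patch also picks up an unrelated inner hunk (`@@ -762,7 +772,6 @@`) that only deletes a blank line before `ap_get_server_protocol`; dropping it keeps the patch limited to the feature and easier to rebase. The struct begins and ends outside the hunk.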
@@ -1,5 +1,7 @@ ---- httpd-2.4.6.orig/include/ap_config.h -+++ httpd-2.4.6/include/ap_config.h +Index: httpd-2.4.25/include/ap_config.h +=================================================================== +--- httpd-2.4.25.orig/include/ap_config.h 2012-08-15 01:59:24.000000000 +0200 ++++ httpd-2.4.25/include/ap_config.h 2017-01-02 10:33:40.411244315 +0100 @@ -64,7 +64,7 @@ * AP_DECLARE(rettype) ap_func(args) * @endcode @@ -41,8 +43,10 @@ #else /** * AP_MODULE_DECLARE_EXPORT is a no-op. Unless contradicted by the ---- httpd-2.4.6.orig/modules/cache/mod_cache.h -+++ httpd-2.4.6/modules/cache/mod_cache.h +Index: httpd-2.4.25/modules/cache/mod_cache.h +=================================================================== +--- httpd-2.4.25.orig/modules/cache/mod_cache.h 2011-12-03 19:02:24.000000000 +0100 ++++ httpd-2.4.25/modules/cache/mod_cache.h 2017-01-02 10:33:40.411244315 +0100 @@ -37,9 +37,9 @@ * CACHE_DECLARE_DATA with appropriate export and import tags for the platform */ @@ -56,9 +60,11 @@ #elif defined(CACHE_DECLARE_STATIC) #define CACHE_DECLARE(type) type __stdcall #define CACHE_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/proxy/mod_proxy.h -+++ httpd-2.4.6/modules/proxy/mod_proxy.h -@@ -475,9 +475,9 @@ struct proxy_balancer_method { +Index: httpd-2.4.25/modules/proxy/mod_proxy.h +=================================================================== +--- httpd-2.4.25.orig/modules/proxy/mod_proxy.h 2016-10-24 12:06:41.000000000 +0200 ++++ httpd-2.4.25/modules/proxy/mod_proxy.h 2017-01-02 10:33:40.411244315 +0100 +@@ -535,9 +535,9 @@ struct proxy_balancer_method { * PROXY_DECLARE_DATA with appropriate export and import tags for the platform */ #if !defined(WIN32) 
@@ -71,8 +77,10 @@ #elif defined(PROXY_DECLARE_STATIC) #define PROXY_DECLARE(type) type __stdcall #define PROXY_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/lua/mod_lua.h -+++ httpd-2.4.6/modules/lua/mod_lua.h +Index: httpd-2.4.25/modules/lua/mod_lua.h +=================================================================== +--- httpd-2.4.25.orig/modules/lua/mod_lua.h 2013-06-10 16:36:56.000000000 +0200 ++++ httpd-2.4.25/modules/lua/mod_lua.h 2017-01-02 10:33:40.411244315 +0100 @@ -58,9 +58,9 @@ * AP_LUA_DECLARE_DATA with appropriate export and import tags for the platform */ @@ -86,8 +94,10 @@ #elif defined(AP_LUA_DECLARE_STATIC) #define AP_LUA_DECLARE(type) type __stdcall #define AP_LUA_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/core/mod_watchdog.h -+++ httpd-2.4.6/modules/core/mod_watchdog.h +Index: httpd-2.4.25/modules/core/mod_watchdog.h +=================================================================== +--- httpd-2.4.25.orig/modules/core/mod_watchdog.h 2014-09-05 16:19:29.000000000 +0200 ++++ httpd-2.4.25/modules/core/mod_watchdog.h 2017-01-02 10:33:40.411244315 +0100 @@ -83,9 +83,9 @@ typedef struct ap_watchdog_t ap_watchdog */ #if !defined(AP_WD_DECLARE) @@ -101,8 +111,10 @@ #elif defined(AP_WD_DECLARE_STATIC) #define AP_WD_DECLARE(type) type __stdcall #define AP_WD_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/generators/mod_status.h -+++ httpd-2.4.6/modules/generators/mod_status.h +Index: httpd-2.4.25/modules/generators/mod_status.h +=================================================================== +--- httpd-2.4.25.orig/modules/generators/mod_status.h 2006-07-11 22:33:53.000000000 +0200 ++++ httpd-2.4.25/modules/generators/mod_status.h 2017-01-02 10:33:40.411244315 +0100 @@ -34,9 +34,9 @@ #define AP_STATUS_EXTENDED (0x4) /* detailed report */ 
@@ -116,8 +128,10 @@ #elif defined(STATUS_DECLARE_STATIC) #define STATUS_DECLARE(type) type __stdcall #define STATUS_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/dav/main/mod_dav.h -+++ httpd-2.4.6/modules/dav/main/mod_dav.h +Index: httpd-2.4.25/modules/dav/main/mod_dav.h +=================================================================== +--- httpd-2.4.25.orig/modules/dav/main/mod_dav.h 2016-10-26 15:44:36.000000000 +0200 ++++ httpd-2.4.25/modules/dav/main/mod_dav.h 2017-01-02 10:33:40.411244315 +0100 @@ -82,9 +82,9 @@ extern "C" { * DAV_DECLARE_DATA with appropriate export and import tags for the platform */ @@ -131,8 +145,10 @@ #elif defined(DAV_DECLARE_STATIC) #define DAV_DECLARE(type) type __stdcall #define DAV_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/session/mod_session.h -+++ httpd-2.4.6/modules/session/mod_session.h +Index: httpd-2.4.25/modules/session/mod_session.h +=================================================================== +--- httpd-2.4.25.orig/modules/session/mod_session.h 2011-12-02 18:51:27.000000000 +0100 ++++ httpd-2.4.25/modules/session/mod_session.h 2017-01-02 10:33:40.411244315 +0100 @@ -21,9 +21,9 @@ * SESSION_DECLARE_DATA with appropriate export and import tags for the platform */ @@ -146,8 +162,10 @@ #elif defined(SESSION_DECLARE_STATIC) #define SESSION_DECLARE(type) type __stdcall #define SESSION_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/database/mod_dbd.h -+++ httpd-2.4.6/modules/database/mod_dbd.h +Index: httpd-2.4.25/modules/database/mod_dbd.h +=================================================================== +--- httpd-2.4.25.orig/modules/database/mod_dbd.h 2011-09-23 15:38:09.000000000 +0200 ++++ httpd-2.4.25/modules/database/mod_dbd.h 2017-01-02 10:33:40.411244315 +0100 @@ -35,9 +35,9 @@ * DBD_DECLARE_DATA with appropriate export and import tags for the platform */ 
@@ -161,8 +179,10 @@ #elif defined(DBD_DECLARE_STATIC) #define DBD_DECLARE(type) type __stdcall #define DBD_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/filters/mod_xml2enc.h -+++ httpd-2.4.6/modules/filters/mod_xml2enc.h +Index: httpd-2.4.25/modules/filters/mod_xml2enc.h +=================================================================== +--- httpd-2.4.25.orig/modules/filters/mod_xml2enc.h 2012-04-04 22:11:57.000000000 +0200 ++++ httpd-2.4.25/modules/filters/mod_xml2enc.h 2017-01-02 10:33:40.411244315 +0100 @@ -25,9 +25,9 @@ /* declarations to deal with WIN32 compile-flag-in-source-code crap */ @@ -176,8 +196,10 @@ #elif defined(XML2ENC_DECLARE_STATIC) #define XML2ENC_DECLARE(type) type __stdcall #define XML2ENC_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/filters/mod_ratelimit.h -+++ httpd-2.4.6/modules/filters/mod_ratelimit.h +Index: httpd-2.4.25/modules/filters/mod_ratelimit.h +=================================================================== +--- httpd-2.4.25.orig/modules/filters/mod_ratelimit.h 2012-04-04 22:11:57.000000000 +0200 ++++ httpd-2.4.25/modules/filters/mod_ratelimit.h 2017-01-02 10:33:40.415244421 +0100 @@ -21,9 +21,9 @@ * AP_RL_DECLARE_DATA with appropriate export and import tags for the platform */ @@ -191,8 +213,10 @@ #elif defined(AP_RL_DECLARE_STATIC) #define AP_RL_DECLARE(type) type __stdcall #define AP_RL_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/modules/aaa/mod_authz_dbd.h -+++ httpd-2.4.6/modules/aaa/mod_authz_dbd.h +Index: httpd-2.4.25/modules/aaa/mod_authz_dbd.h +=================================================================== +--- httpd-2.4.25.orig/modules/aaa/mod_authz_dbd.h 2011-09-23 15:38:09.000000000 +0200 ++++ httpd-2.4.25/modules/aaa/mod_authz_dbd.h 2017-01-02 10:33:40.415244421 +0100 @@ -22,9 +22,9 @@ * AUTHZ_DBD_DECLARE_DATA with appropriate export and import tags */ 
@@ -206,9 +230,11 @@ #elif defined(AUTHZ_DBD_DECLARE_STATIC) #define AUTHZ_DBD_DECLARE(type) type __stdcall #define AUTHZ_DBD_DECLARE_NONSTD(type) type ---- httpd-2.4.6.orig/include/httpd.h -+++ httpd-2.4.6/include/httpd.h -@@ -341,7 +341,7 @@ extern "C" { +Index: httpd-2.4.25/include/httpd.h +=================================================================== +--- httpd-2.4.25.orig/include/httpd.h 2016-12-05 15:34:29.000000000 +0100 ++++ httpd-2.4.25/include/httpd.h 2017-01-02 10:33:40.415244421 +0100 +@@ -345,7 +345,7 @@ extern "C" { * by modules. Its purpose is to allow us to add attributes that * particular platforms or compilers require to every exported function. */ @@ -217,9 +243,9 @@ #endif #ifndef AP_DECLARE_NONSTD -@@ -352,20 +352,20 @@ extern "C" { +@@ -356,20 +356,20 @@ extern "C" { * which use varargs or are used via indirect function call. This - * is to accomodate the two calling conventions in windows dlls. + * is to accommodate the two calling conventions in windows dlls. */ -# define AP_DECLARE_NONSTD(type) type +# define AP_DECLARE_NONSTD(type) __attribute__ ((visibility ("default"))) type @@ -243,8 +269,10 @@ #endif /** ---- httpd-2.4.6.orig/include/util_ldap.h -+++ httpd-2.4.6/include/util_ldap.h +Index: httpd-2.4.25/include/util_ldap.h +=================================================================== +--- httpd-2.4.25.orig/include/util_ldap.h 2016-08-25 14:48:18.000000000 +0200 ++++ httpd-2.4.25/include/util_ldap.h 2017-01-02 10:33:40.415244421 +0100 @@ -66,9 +66,9 @@ * and import tags for the platform */