- update to 2.4.25: fixed several security issues (CVE-2016-8740,

CVE-2016-5387, CVE-2016-2161, CVE-2016-0736, CVE-2016-8743), many fixes and improvements of mod_http2 and other modules; see CHANGES for full change log OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=494
2017-01-02 10:31:04 +00:00 · 2017-01-02 10:31:04 +00:00 · 1403855591
commit 1403855591
parent 259521aeb2
6 changed files with 121 additions and 76 deletions
--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Mon Jan  2 09:50:00 UTC 2017 - pgajdos@suse.com
+
+- update to 2.4.25: fixed several security issues (CVE-2016-8740, 
+  CVE-2016-5387, CVE-2016-2161, CVE-2016-0736, CVE-2016-8743), many
+  fixes and improvements of mod_http2 and other modules; see CHANGES 
+  for full change log
+
 -------------------------------------------------------------------
 Fri Dec  9 12:21:27 UTC 2016 - pgajdos@suse.com

--- a/apache2.spec
+++ b/apache2.spec
@ -1,7 +1,7 @@
 #
 # spec file for package apache2
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -51,7 +51,7 @@
 %endif

 Name:           apache2
-Version:        2.4.23
+Version:        2.4.25
 Release:        0
 Summary:        The Apache Web Server Version 2.4
 License:        Apache-2.0
@ -312,7 +312,7 @@ to administrators of web servers in general.
 %endif
 %patch111 -p1
 %patch114 -p1
-%patch115
+%patch115 -p1
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{SOURCE22})
--- a/httpd-2.4.23.tar.bz2
+++ b/httpd-2.4.23.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58
-size 6351875
--- a/httpd-2.4.25.tar.bz2
+++ b/httpd-2.4.25.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2
+size 6398218
--- a/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
+++ b/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
@ -42,39 +42,19 @@ Conflicts:
 server/protocol.c           | 25 +++++++++++++++++--------
 6 files changed, 77 insertions(+), 10 deletions(-)

-Index: include/http_core.h
+Index: httpd-2.4.25/modules/http/http_filters.c
 ===================================================================
--- include/http_core.h.orig	2016-01-20 15:10:51.651189219 +0100
-+++ include/http_core.h	2016-01-20 15:12:18.983188213 +0100
-@@ -694,6 +694,15 @@
- #define AP_MERGE_TRAILERS_DISABLE  2
-     int merge_trailers;
- 
-+#define AP_HTTP_CL_HEAD_ZERO_UNSET    0
-+#define AP_HTTP_CL_HEAD_ZERO_ENABLE   1
-+#define AP_HTTP_CL_HEAD_ZERO_DISABLE  2
-+    int http_cl_head_zero;
-+
-+#define AP_HTTP_EXPECT_STRICT_UNSET    0
-+#define AP_HTTP_EXPECT_STRICT_ENABLE   1
-+#define AP_HTTP_EXPECT_STRICT_DISABLE  2
-+    int http_expect_strict;
- 
- 
-     apr_array_header_t *protocols;
-Index: modules/http/http_filters.c
-===================================================================
--- modules/http/http_filters.c.orig	2015-07-08 10:59:36.000000000 +0200
-+++ modules/http/http_filters.c	2016-01-20 15:10:51.651189219 +0100
-@@ -1175,6 +1175,7 @@
-     header_filter_ctx *ctx = f->ctx;
+--- httpd-2.4.25.orig/modules/http/http_filters.c	2016-12-15 13:18:59.000000000 +0100
+++ httpd-2.4.25/modules/http/http_filters.c	2017-01-02 10:54:37.608517377 +0100
+@@ -1260,6 +1260,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
     const char *ctype;
     ap_bucket_error *eb = NULL;
+     apr_bucket *eos = NULL;
 +    core_server_config *conf;
 
     AP_DEBUG_ASSERT(!r->main);
 
-@@ -1315,10 +1316,17 @@
+@@ -1441,10 +1442,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
      * zero C-L to the client.  We can't just remove the C-L filter,
      * because well behaved 2.0 handlers will send their data down the stack,
      * and we will compute a real C-L for the head request. RBB
@ -93,13 +73,13 @@ Index: modules/http/http_filters.c
         apr_table_unset(r->headers_out, "Content-Length");
     }
 
-Index: server/core.c
+Index: httpd-2.4.25/server/core.c
 ===================================================================
--- server/core.c.orig	2015-11-19 20:55:25.000000000 +0100
-+++ server/core.c	2016-01-20 15:13:29.575187399 +0100
-@@ -503,6 +503,12 @@
-     if (virt->trace_enable != AP_TRACE_UNSET)
-         conf->trace_enable = virt->trace_enable;
+--- httpd-2.4.25.orig/server/core.c	2016-12-05 15:34:29.000000000 +0100
+++ httpd-2.4.25/server/core.c	2017-01-02 10:54:37.608517377 +0100
+@@ -528,6 +528,12 @@ static void *merge_core_server_configs(a
+     if (virt->http_methods != AP_HTTP_METHODS_UNSET)
+         conf->http_methods = virt->http_methods;
 
 +    if (virt->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_UNSET)
 +        conf->http_cl_head_zero = virt->http_cl_head_zero;
@ -110,7 +90,7 @@ Index: server/core.c
     /* no action for virt->accf_map, not allowed per-vhost */
 
     if (virt->protocol)
-@@ -3756,6 +3762,32 @@
+@@ -3955,6 +3961,32 @@ static const char *set_http_method(cmd_p
     return NULL;
 }
 
@ -143,7 +123,7 @@ Index: server/core.c
 static apr_hash_t *errorlog_hash;
 
 static int log_constant_item(const ap_errorlog_info *info, const char *arg,
-@@ -4273,6 +4305,10 @@
+@@ -4474,6 +4506,10 @@ AP_INIT_TAKE1("TraceEnable", set_trace_e
               "'on' (default), 'off' or 'extended' to trace request body content"),
 AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF,
               "merge request trailers into request headers or not"),
@ -154,11 +134,11 @@ Index: server/core.c
 AP_INIT_ITERATE("Protocols", set_protocols, NULL, RSRC_CONF,
                 "Controls which protocols are allowed"),
 AP_INIT_TAKE1("ProtocolsHonorOrder", set_protocols_honor_order, NULL, RSRC_CONF,
-Index: server/protocol.c
+Index: httpd-2.4.25/server/protocol.c
 ===================================================================
--- server/protocol.c.orig	2015-11-26 14:42:42.000000000 +0100
-+++ server/protocol.c	2016-01-20 15:10:51.651189219 +0100
-@@ -1144,14 +1144,23 @@
+--- httpd-2.4.25.orig/server/protocol.c	2016-12-12 16:22:49.000000000 +0100
+++ httpd-2.4.25/server/protocol.c	2017-01-02 10:54:37.608517377 +0100
+@@ -1416,14 +1416,23 @@ request_rec *ap_read_request(conn_rec *c
             r->expecting_100 = 1;
         }
         else {
@ -190,3 +170,32 @@ Index: server/protocol.c
         }
     }
 
+Index: httpd-2.4.25/include/http_core.h
+===================================================================
+--- httpd-2.4.25.orig/include/http_core.h	2016-12-05 15:34:29.000000000 +0100
+++ httpd-2.4.25/include/http_core.h	2017-01-02 10:55:18.613603512 +0100
+@@ -723,6 +723,16 @@ typedef struct {
+ #define AP_MERGE_TRAILERS_DISABLE  2
+     int merge_trailers;
+ 
+#define AP_HTTP_CL_HEAD_ZERO_UNSET    0
+#define AP_HTTP_CL_HEAD_ZERO_ENABLE   1
+#define AP_HTTP_CL_HEAD_ZERO_DISABLE  2
+    int http_cl_head_zero;
+
+#define AP_HTTP_EXPECT_STRICT_UNSET    0
+#define AP_HTTP_EXPECT_STRICT_ENABLE   1
+#define AP_HTTP_EXPECT_STRICT_DISABLE  2
+    int http_expect_strict;
+
+     apr_array_header_t *protocols;
+     int protocols_honor_order;
+ 
+@@ -762,7 +772,6 @@ apr_status_t ap_core_input_filter(ap_fil
+                                   apr_off_t readbytes);
+ apr_status_t ap_core_output_filter(ap_filter_t *f, apr_bucket_brigade *b);
+ 
+-
+ AP_DECLARE(const char*) ap_get_server_protocol(server_rec* s);
+ AP_DECLARE(void) ap_set_server_protocol(server_rec* s, const char* proto);
+ 
--- a/httpd-visibility.patch
+++ b/httpd-visibility.patch
@ -1,5 +1,7 @@
--- httpd-2.4.6.orig/include/ap_config.h
-+++ httpd-2.4.6/include/ap_config.h
+Index: httpd-2.4.25/include/ap_config.h
+===================================================================
+--- httpd-2.4.25.orig/include/ap_config.h	2012-08-15 01:59:24.000000000 +0200
+++ httpd-2.4.25/include/ap_config.h	2017-01-02 10:33:40.411244315 +0100
@@ -64,7 +64,7 @@
  * AP_DECLARE(rettype) ap_func(args)
  * @endcode
@ -41,8 +43,10 @@
 #else
 /**
  * AP_MODULE_DECLARE_EXPORT is a no-op.  Unless contradicted by the
--- httpd-2.4.6.orig/modules/cache/mod_cache.h
-+++ httpd-2.4.6/modules/cache/mod_cache.h
+Index: httpd-2.4.25/modules/cache/mod_cache.h
+===================================================================
+--- httpd-2.4.25.orig/modules/cache/mod_cache.h	2011-12-03 19:02:24.000000000 +0100
+++ httpd-2.4.25/modules/cache/mod_cache.h	2017-01-02 10:33:40.411244315 +0100
@@ -37,9 +37,9 @@
  * CACHE_DECLARE_DATA with appropriate export and import tags for the platform
  */
@ -56,9 +60,11 @@
 #elif defined(CACHE_DECLARE_STATIC)
 #define CACHE_DECLARE(type)            type __stdcall
 #define CACHE_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/modules/proxy/mod_proxy.h
-+++ httpd-2.4.6/modules/proxy/mod_proxy.h
-@@ -475,9 +475,9 @@ struct proxy_balancer_method {
+Index: httpd-2.4.25/modules/proxy/mod_proxy.h
+===================================================================
+--- httpd-2.4.25.orig/modules/proxy/mod_proxy.h	2016-10-24 12:06:41.000000000 +0200
+++ httpd-2.4.25/modules/proxy/mod_proxy.h	2017-01-02 10:33:40.411244315 +0100
+@@ -535,9 +535,9 @@ struct proxy_balancer_method {
  * PROXY_DECLARE_DATA with appropriate export and import tags for the platform
  */
 #if !defined(WIN32)
@ -71,8 +77,10 @@
 #elif defined(PROXY_DECLARE_STATIC)
 #define PROXY_DECLARE(type)            type __stdcall
 #define PROXY_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/modules/lua/mod_lua.h
-+++ httpd-2.4.6/modules/lua/mod_lua.h
+Index: httpd-2.4.25/modules/lua/mod_lua.h
+===================================================================
+--- httpd-2.4.25.orig/modules/lua/mod_lua.h	2013-06-10 16:36:56.000000000 +0200
+++ httpd-2.4.25/modules/lua/mod_lua.h	2017-01-02 10:33:40.411244315 +0100
@@ -58,9 +58,9 @@
  * AP_LUA_DECLARE_DATA with appropriate export and import tags for the platform
  */
@ -86,8 +94,10 @@
 #elif defined(AP_LUA_DECLARE_STATIC)
 #define AP_LUA_DECLARE(type)            type __stdcall
 #define AP_LUA_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/modules/core/mod_watchdog.h
-+++ httpd-2.4.6/modules/core/mod_watchdog.h
+Index: httpd-2.4.25/modules/core/mod_watchdog.h
+===================================================================
+--- httpd-2.4.25.orig/modules/core/mod_watchdog.h	2014-09-05 16:19:29.000000000 +0200
+++ httpd-2.4.25/modules/core/mod_watchdog.h	2017-01-02 10:33:40.411244315 +0100
@@ -83,9 +83,9 @@ typedef struct ap_watchdog_t ap_watchdog
  */
 #if !defined(AP_WD_DECLARE)
@ -101,8 +111,10 @@
 #elif defined(AP_WD_DECLARE_STATIC)
 #define AP_WD_DECLARE(type)            type __stdcall
 #define AP_WD_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/modules/generators/mod_status.h
-+++ httpd-2.4.6/modules/generators/mod_status.h
+Index: httpd-2.4.25/modules/generators/mod_status.h
+===================================================================
+--- httpd-2.4.25.orig/modules/generators/mod_status.h	2006-07-11 22:33:53.000000000 +0200
+++ httpd-2.4.25/modules/generators/mod_status.h	2017-01-02 10:33:40.411244315 +0100
@@ -34,9 +34,9 @@
 #define AP_STATUS_EXTENDED (0x4)  /* detailed report */
 
@ -116,8 +128,10 @@
 #elif defined(STATUS_DECLARE_STATIC)
 #define STATUS_DECLARE(type)            type __stdcall
 #define STATUS_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/modules/dav/main/mod_dav.h
-+++ httpd-2.4.6/modules/dav/main/mod_dav.h
+Index: httpd-2.4.25/modules/dav/main/mod_dav.h
+===================================================================
+--- httpd-2.4.25.orig/modules/dav/main/mod_dav.h	2016-10-26 15:44:36.000000000 +0200
+++ httpd-2.4.25/modules/dav/main/mod_dav.h	2017-01-02 10:33:40.411244315 +0100
@@ -82,9 +82,9 @@ extern "C" {
  * DAV_DECLARE_DATA with appropriate export and import tags for the platform
  */
@ -131,8 +145,10 @@
 #elif defined(DAV_DECLARE_STATIC)
 #define DAV_DECLARE(type)            type __stdcall
 #define DAV_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/modules/session/mod_session.h
-+++ httpd-2.4.6/modules/session/mod_session.h
+Index: httpd-2.4.25/modules/session/mod_session.h
+===================================================================
+--- httpd-2.4.25.orig/modules/session/mod_session.h	2011-12-02 18:51:27.000000000 +0100
+++ httpd-2.4.25/modules/session/mod_session.h	2017-01-02 10:33:40.411244315 +0100
@@ -21,9 +21,9 @@
  * SESSION_DECLARE_DATA with appropriate export and import tags for the platform
  */
@ -146,8 +162,10 @@
 #elif defined(SESSION_DECLARE_STATIC)
 #define SESSION_DECLARE(type)        type __stdcall
 #define SESSION_DECLARE_NONSTD(type) type
--- httpd-2.4.6.orig/modules/database/mod_dbd.h
-+++ httpd-2.4.6/modules/database/mod_dbd.h
+Index: httpd-2.4.25/modules/database/mod_dbd.h
+===================================================================
+--- httpd-2.4.25.orig/modules/database/mod_dbd.h	2011-09-23 15:38:09.000000000 +0200
+++ httpd-2.4.25/modules/database/mod_dbd.h	2017-01-02 10:33:40.411244315 +0100
@@ -35,9 +35,9 @@
  * DBD_DECLARE_DATA with appropriate export and import tags for the platform
  */
@ -161,8 +179,10 @@
 #elif defined(DBD_DECLARE_STATIC)
 #define DBD_DECLARE(type)            type __stdcall
 #define DBD_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/modules/filters/mod_xml2enc.h
-+++ httpd-2.4.6/modules/filters/mod_xml2enc.h
+Index: httpd-2.4.25/modules/filters/mod_xml2enc.h
+===================================================================
+--- httpd-2.4.25.orig/modules/filters/mod_xml2enc.h	2012-04-04 22:11:57.000000000 +0200
+++ httpd-2.4.25/modules/filters/mod_xml2enc.h	2017-01-02 10:33:40.411244315 +0100
@@ -25,9 +25,9 @@
 
 /* declarations to deal with WIN32 compile-flag-in-source-code crap */
@ -176,8 +196,10 @@
 #elif defined(XML2ENC_DECLARE_STATIC)
 #define XML2ENC_DECLARE(type)            type __stdcall
 #define XML2ENC_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/modules/filters/mod_ratelimit.h
-+++ httpd-2.4.6/modules/filters/mod_ratelimit.h
+Index: httpd-2.4.25/modules/filters/mod_ratelimit.h
+===================================================================
+--- httpd-2.4.25.orig/modules/filters/mod_ratelimit.h	2012-04-04 22:11:57.000000000 +0200
+++ httpd-2.4.25/modules/filters/mod_ratelimit.h	2017-01-02 10:33:40.415244421 +0100
@@ -21,9 +21,9 @@
  * AP_RL_DECLARE_DATA with appropriate export and import tags for the platform
  */
@ -191,8 +213,10 @@
 #elif defined(AP_RL_DECLARE_STATIC)
 #define AP_RL_DECLARE(type)            type __stdcall
 #define AP_RL_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/modules/aaa/mod_authz_dbd.h
-+++ httpd-2.4.6/modules/aaa/mod_authz_dbd.h
+Index: httpd-2.4.25/modules/aaa/mod_authz_dbd.h
+===================================================================
+--- httpd-2.4.25.orig/modules/aaa/mod_authz_dbd.h	2011-09-23 15:38:09.000000000 +0200
+++ httpd-2.4.25/modules/aaa/mod_authz_dbd.h	2017-01-02 10:33:40.415244421 +0100
@@ -22,9 +22,9 @@
  * AUTHZ_DBD_DECLARE_DATA with appropriate export and import tags
  */
@ -206,9 +230,11 @@
 #elif defined(AUTHZ_DBD_DECLARE_STATIC)
 #define AUTHZ_DBD_DECLARE(type)            type __stdcall
 #define AUTHZ_DBD_DECLARE_NONSTD(type)     type
--- httpd-2.4.6.orig/include/httpd.h
-+++ httpd-2.4.6/include/httpd.h
-@@ -341,7 +341,7 @@ extern "C" {
+Index: httpd-2.4.25/include/httpd.h
+===================================================================
+--- httpd-2.4.25.orig/include/httpd.h	2016-12-05 15:34:29.000000000 +0100
+++ httpd-2.4.25/include/httpd.h	2017-01-02 10:33:40.415244421 +0100
+@@ -345,7 +345,7 @@ extern "C" {
  * by modules. Its purpose is to allow us to add attributes that
  * particular platforms or compilers require to every exported function.
  */
@ -217,9 +243,9 @@
 #endif
 
 #ifndef AP_DECLARE_NONSTD
-@@ -352,20 +352,20 @@ extern "C" {
+@@ -356,20 +356,20 @@ extern "C" {
  * which use varargs or are used via indirect function call.  This
-  * is to accomodate the two calling conventions in windows dlls.
+  * is to accommodate the two calling conventions in windows dlls.
  */
 -# define AP_DECLARE_NONSTD(type)    type
 +# define AP_DECLARE_NONSTD(type)    __attribute__ ((visibility ("default"))) type
@ -243,8 +269,10 @@
 #endif
 
 /**
--- httpd-2.4.6.orig/include/util_ldap.h
-+++ httpd-2.4.6/include/util_ldap.h
+Index: httpd-2.4.25/include/util_ldap.h
+===================================================================
+--- httpd-2.4.25.orig/include/util_ldap.h	2016-08-25 14:48:18.000000000 +0200
+++ httpd-2.4.25/include/util_ldap.h	2017-01-02 10:33:40.415244421 +0100
@@ -66,9 +66,9 @@
  * and import tags for the platform
  */