diff --git a/CVE-2009-3555-2.2.patch b/CVE-2009-3555-2.2.patch
deleted file mode 100644
index 7e6a7d2..0000000
--- a/CVE-2009-3555-2.2.patch
+++ /dev/null
@@ -1,300 +0,0 @@ - - SECURITY: CVE-2009-3555 (cve.mitre.org) - - A partial fix for the TLS renegotiation prefix injection attack by - rejecting any client-initiated renegotiations. Any configuration - which requires renegotiation for per-directory/location access - control is still vulnerable, unless using OpenSSL >= 0.9.8l. - [Joe Orton, Ruediger Pluem] - -Index: modules/ssl/ssl_private.h -=================================================================== ---- modules/ssl/ssl_private.h (revision 833621) -+++ modules/ssl/ssl_private.h (revision 833622) -@@ -356,6 +356,20 @@ - int is_proxy; - int disabled; - int non_ssl_request; -+ -+ /* Track the handshake/renegotiation state for the connection so -+ * that all client-initiated renegotiations can be rejected, as a -+ * partial fix for CVE-2009-3555. */ -+ enum { -+ RENEG_INIT = 0, /* Before initial handshake */ -+ RENEG_REJECT, /* After initial handshake; any client-initiated -+ * renegotiation should be rejected */ -+ RENEG_ALLOW, /* A server-initated renegotiation is taking -+ * place (as dictated by configuration) */ -+ RENEG_ABORT /* Renegotiation initiated by client, abort the -+ * connection */ -+ } reneg_state; -+ - server_rec *server; - } SSLConnRec; - -@@ -574,7 +588,7 @@ - int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); - SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); - void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); --void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int); -+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int); - #ifndef OPENSSL_NO_TLSEXT - int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); - #endif -Index: modules/ssl/ssl_engine_init.c -=================================================================== ---- modules/ssl/ssl_engine_init.c (revision 833621) -+++ modules/ssl/ssl_engine_init.c (revision 833622) -@@ -501,10 +501,7 @@ - SSL_CTX_set_tmp_rsa_callback(ctx, 
ssl_callback_TmpRSA); - SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); - -- if (s->loglevel >= APLOG_DEBUG) { -- /* this callback only logs if LogLevel >= info */ -- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState); -- } -+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info); - } - - static void ssl_init_ctx_verify(server_rec *s, -Index: modules/ssl/ssl_engine_io.c -=================================================================== ---- modules/ssl/ssl_engine_io.c (revision 833621) -+++ modules/ssl/ssl_engine_io.c (revision 833622) -@@ -103,6 +103,7 @@ - ap_filter_t *pInputFilter; - ap_filter_t *pOutputFilter; - int nobuffer; /* non-zero to prevent buffering */ -+ SSLConnRec *config; - } ssl_filter_ctx_t; - - typedef struct { -@@ -193,7 +194,13 @@ - static int bio_filter_out_write(BIO *bio, const char *in, int inl) - { - bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); -- -+ -+ /* Abort early if the client has initiated a renegotiation. */ -+ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) { -+ outctx->rc = APR_ECONNABORTED; -+ return -1; -+ } -+ - /* when handshaking we'll have a small number of bytes. - * max size SSL will pass us here is about 16k. - * (16413 bytes to be exact) -@@ -466,6 +473,12 @@ - if (!in) - return 0; - -+ /* Abort early if the client has initiated a renegotiation. */ -+ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) { -+ inctx->rc = APR_ECONNABORTED; -+ return -1; -+ } -+ - /* XXX: flush here only required for SSLv2; - * OpenSSL calls BIO_flush() at the appropriate times for - * the other protocols. 
-@@ -1724,6 +1737,8 @@ - - filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t)); - -+ filter_ctx->config = myConnConfig(c); -+ - filter_ctx->nobuffer = 0; - filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, - filter_ctx, NULL, c); -Index: modules/ssl/ssl_engine_kernel.c -=================================================================== ---- modules/ssl/ssl_engine_kernel.c (revision 833621) -+++ modules/ssl/ssl_engine_kernel.c (revision 833622) -@@ -729,6 +729,10 @@ - (unsigned char *)&id, - sizeof(id)); - -+ /* Toggle the renegotiation state to allow the new -+ * handshake to proceed. */ -+ sslconn->reneg_state = RENEG_ALLOW; -+ - SSL_renegotiate(ssl); - SSL_do_handshake(ssl); - -@@ -750,6 +754,8 @@ - SSL_set_state(ssl, SSL_ST_ACCEPT); - SSL_do_handshake(ssl); - -+ sslconn->reneg_state = RENEG_REJECT; -+ - if (SSL_get_state(ssl) != SSL_ST_OK) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Re-negotiation handshake failed: " -@@ -1844,76 +1850,55 @@ - return; - } - --/* -- * This callback function is executed while OpenSSL processes the -- * SSL handshake and does SSL record layer stuff. We use it to -- * trace OpenSSL's processing in out SSL logfile. -- */ --void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) -+/* Dump debugginfo trace to the log file. 
*/ -+static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, -+ server_rec *s, int where, int rc) - { -- conn_rec *c; -- server_rec *s; -- SSLSrvConfigRec *sc; -- - /* -- * find corresponding server -+ * create the various trace messages - */ -- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) { -- return; -+ if (where & SSL_CB_HANDSHAKE_START) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Handshake: start", SSL_LIBRARY_NAME); - } -- -- s = mySrvFromConn(c); -- if (!(sc = mySrvConfig(s))) { -- return; -+ else if (where & SSL_CB_HANDSHAKE_DONE) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Handshake: done", SSL_LIBRARY_NAME); - } -- -- /* -- * create the various trace messages -- */ -- if (s->loglevel >= APLOG_DEBUG) { -- if (where & SSL_CB_HANDSHAKE_START) { -+ else if (where & SSL_CB_LOOP) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Loop: %s", -+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -+ } -+ else if (where & SSL_CB_READ) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Read: %s", -+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -+ } -+ else if (where & SSL_CB_WRITE) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Write: %s", -+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -+ } -+ else if (where & SSL_CB_ALERT) { -+ char *str = (where & SSL_CB_READ) ? 
"read" : "write"; -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Alert: %s:%s:%s", -+ SSL_LIBRARY_NAME, str, -+ SSL_alert_type_string_long(rc), -+ SSL_alert_desc_string_long(rc)); -+ } -+ else if (where & SSL_CB_EXIT) { -+ if (rc == 0) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Handshake: start", SSL_LIBRARY_NAME); -- } -- else if (where & SSL_CB_HANDSHAKE_DONE) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Handshake: done", SSL_LIBRARY_NAME); -- } -- else if (where & SSL_CB_LOOP) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Loop: %s", -+ "%s: Exit: failed in %s", - SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); - } -- else if (where & SSL_CB_READ) { -+ else if (rc < 0) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Read: %s", -+ "%s: Exit: error in %s", - SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); - } -- else if (where & SSL_CB_WRITE) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Write: %s", -- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -- } -- else if (where & SSL_CB_ALERT) { -- char *str = (where & SSL_CB_READ) ? "read" : "write"; -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Alert: %s:%s:%s", -- SSL_LIBRARY_NAME, str, -- SSL_alert_type_string_long(rc), -- SSL_alert_desc_string_long(rc)); -- } -- else if (where & SSL_CB_EXIT) { -- if (rc == 0) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Exit: failed in %s", -- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -- } -- else if (rc < 0) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Exit: error in %s", -- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -- } -- } - } - - /* -@@ -1933,6 +1918,52 @@ - } - } - -+/* -+ * This callback function is executed while OpenSSL processes the SSL -+ * handshake and does SSL record layer stuff. It's used to trap -+ * client-initiated renegotiations, and for dumping everything to the -+ * log. 
-+ */ -+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) -+{ -+ conn_rec *c; -+ server_rec *s; -+ SSLConnRec *scr; -+ -+ /* Retrieve the conn_rec and the associated SSLConnRec. */ -+ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) { -+ return; -+ } -+ -+ if ((scr = myConnConfig(c)) == NULL) { -+ return; -+ } -+ -+ /* If the reneg state is to reject renegotiations, check the SSL -+ * state machine and move to ABORT if a Client Hello is being -+ * read. */ -+ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { -+ int state = SSL_get_state(ssl); -+ -+ if (state == SSL3_ST_SR_CLNT_HELLO_A -+ || state == SSL23_ST_SR_CLNT_HELLO_A) { -+ scr->reneg_state = RENEG_ABORT; -+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, -+ "rejecting client initiated renegotiation"); -+ } -+ } -+ /* If the first handshake is complete, change state to reject any -+ * subsequent client-initated renegotiation. */ -+ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) { -+ scr->reneg_state = RENEG_REJECT; -+ } -+ -+ s = mySrvFromConn(c); -+ if (s && s->loglevel >= APLOG_DEBUG) { -+ log_tracing_state(ssl, c, s, where, rc); -+ } -+} -+ - #ifndef OPENSSL_NO_TLSEXT - /* - * This callback function is executed when OpenSSL encounters an extended diff --git a/apache2.changes b/apache2.changes index a8f8b6c..25f8b36 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -1,3 +1,106 @@
+-------------------------------------------------------------------
+Mon Mar 8 12:34:18 UTC 2010 - poeml@cmdline.net
+
+- update to 2.2.15:
+ SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
+ attack when compiled against OpenSSL version 0.9.8m or later. Introduces
+ the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and
+ offer unsafe legacy renegotiation with clients which do not yet support
+ the new secure renegotiation protocol, RFC 5746.
+ SECURITY: CVE-2009-3555 (cve.mitre.org)
+ mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
+ by rejecting any client-initiated renegotiations. Forcibly disable
+ keepalive for the connection if there is any buffered data readable. Any
+ configuration which requires renegotiation for per-directory/location
+ access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
+ SECURITY: CVE-2010-0408 (cve.mitre.org)
+ mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
+ when request headers indicate a request body is incoming; not a case of
+ HTTP_INTERNAL_SERVER_ERROR.
+ SECURITY: CVE-2010-0425 (cve.mitre.org)
+ mod_isapi: Do not unload an isapi .dll module until the request processing
+ is completed, avoiding orphaned callback pointers.
+ SECURITY: CVE-2010-0434 (cve.mitre.org)
+ Ensure each subrequest has a shallow copy of headers_in so that the parent
+ request headers are not corrupted. Elimiates a problematic optimization
+ in the case of no request body. PR 48359
+ mod_reqtimeout:
+ - New module to set timeouts and minimum data rates for receiving requests
+ from the client.
+ core:
+ - Fix potential memory leaks by making sure to not destroy bucket brigades
+ that have been created by earlier filters.
+ - Return APR_EOF if request body is shorter than the length announced by the
+ client. PR 33098
+ - Preserve Port information over internal redirects PR 35999
+ - Build: fix --with-module to work as documented PR 43881
+ worker:
+ - Don't report server has reached MaxClients until it has. Add message when
+ server gets within MinSpareThreads of MaxClients. PR 46996.
+ ab, mod_ssl:
+ - Restore compatibility with OpenSSL < 0.9.7g.
+ mod_authnz_ldap:
+ - Add AuthLDAPBindAuthoritative to allow Authentication to try other
+ providers in the case of an LDAP bind failure. PR 46608
+ - Failures to map a username to a DN, or to check a user password now result
+ in an informational level log entry instead of warning level.
+ mod_cache:
+ - Introduce the thundering herd lock, a mechanism to keep the flood of
+ requests at bay that strike a backend webserver as a cached entity goes
+ stale.
+ - correctly consider s-maxage in cacheability decisions.
+ mod_disk_cache, mod_mem_cache:
+ - don't cache incomplete responses, per RFC 2616, 13.8. PR15866.
+ mod_charset_lite:
+ - Honor 'CharsetOptions NoImplicitAdd'.
+ mod_filter:
+ - fix FilterProvider matching where "dispatch" string doesn't exist. PR 48054
+ mod_include:
+ - Allow fine control over the removal of Last-Modified and ETag headers
+ within the INCLUDES filter, making it possible to cache responses if
+ desired. Fix the default value of the SSIAccessEnable directive.
+ mod_ldap:
+ - If LDAPSharedCacheSize is too small, try harder to purge some cache
+ entries and log a warning. Also increase the default LDAPSharedCacheSize
+ to 500000. This is a more realistic size suitable for the default values
+ of 1024 for LdapCacheEntries/LdapOpCacheEntries. PR 46749.
+ mod_log_config:
+ - Add the R option to log the handler used within the request.
+ mod_mime:
+ - Make RemoveType override the info from TypesConfig. PR 38330.
+ - Detect invalid use of MultiviewsMatch inside Location and LocationMatch
+ sections. PR 47754.
+ mod_negotiation:
+ - Preserve query string over multiviews negotiation. This buglet was fixed
+ for type maps in 2.2.6, but the same issue affected multiviews and was
+ overlooked. PR 33112
+ mod_proxy:
+ - unable to connect to a backend is SERVICE_UNAVAILABLE, rather than
+ BAD_GATEWAY or (especially) NOT_FOUND. PR 46971
+ mod_proxy, mod_proxy_http:
+ - Support remote https proxies by using HTTP CONNECT. PR 19188.
+ mod_proxy_http:
+ - Make sure that when an ErrorDocument is served from a reverse proxied URL,
+ that the subrequest respects the status of the original request. This
+ brings the behaviour of proxy_handler in line with default_handler. PR
+ 47106.
+ mod_proxy_ajp:
+ - Really regard the operation a success, when the client aborted the
+ connection. In addition adjust the log message if the client aborted the
+ connection.
+ mod_rewrite:
+ - Make sure that a hostname:port isn't fully qualified if the request is a
+ CONNECT request. PR 47928
+ - Add scgi scheme detection.
+ mod_ssl:
+ - Fix a potential I/O hang if a long list of trusted CAs is configured for
+ client cert auth. PR 46952.
+ - When extracting certificate subject/issuer names to the SSL_*_DN_*
+ variables, handle RDNs with duplicate tags by exporting multiple
+ varialables with an "_n" integer suffix. PR 45875.
+- obsolete patch CVE-2009-3555-2.2.patch removed
+
 -------------------------------------------------------------------
 Fri Mar 5 09:29:10 UTC 2010 - coolo@novell.com
diff --git a/apache2.spec b/apache2.spec
index ee9e63c..74e5169 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package apache2 (Version 2.2.14)
+# spec file for package apache2 (Version 2.2.15)
 #
 # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -62,9 +62,9 @@ BuildRequires: expat-devel
 %define platform_string Linux/%VENDOR
 License: ASLv..
 Group: Productivity/Networking/Web/Servers
-%define realver 2.2.14
-Version: 2.2.14
-Release: 2
+%define realver 2.2.15
+Version: 2.2.15
+Release: 1
 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
 Source10: SUSE-NOTICE
@@ -112,7 +112,6 @@ Source131: apache2-vhost-ssl.template
 Source140: apache2-check_forensic
 Source141: apache-20-22-upgrade
 Patch2: httpd-2.1.3alpha-layout.dif
-Patch10: CVE-2009-3555-2.2.patch
 Patch23: httpd-2.1.9-apachectl.dif
 Patch65: httpd-2.0.49-log_server_status.dif
 Patch66: httpd-2.0.54-envvars.dif
@@ -381,7 +380,6 @@ Authors:
 #
 %setup -q -n httpd-%{realver}
 %patch2 -p1
-%patch10 -p0
 %patch23 -p1
 %patch65 -p1
 %patch66 -p1
diff --git a/httpd-2.2.14.tar.bz2 b/httpd-2.2.14.tar.bz2
deleted file mode 100644
index 0a78a40..0000000
--- a/httpd-2.2.14.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b2deab8a5e797fde7a04fb4a5ebfa9c80f767d064dd19dcd2857c94838ae3ac6
-size 5147171
diff --git a/httpd-2.2.15.tar.bz2 b/httpd-2.2.15.tar.bz2
new file mode 100644
index 0000000..4026f5b
--- /dev/null
+++ b/httpd-2.2.15.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5ae0c428e7abd87eecbac8564d90a7182104325bae7086c21db7b3a1e3140ca7
+size 4959582
diff --git a/rc.apache2 b/rc.apache2
index a7cfa8d..1de2126 100644
--- a/rc.apache2
+++ b/rc.apache2
@@ -6,7 +6,8 @@
 # Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
 #
 # Authors: Rolf Haberrecker , 2001
-# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007, 2008
+# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007,
+# 2008, 2009, 2010
 #
 #
 # /etc/init.d/apache2
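Review bot: Dropping `Patch10: CVE-2009-3555-2.2.patch` and `%patch10 -p0` from apache2.spec makes the CVE-2009-3555 mitigation depend entirely on the OpenSSL the package is built against: the changelog entry in this same commit says the comprehensive fix in 2.2.15 applies when compiled against OpenSSL 0.9.8m or later, and that configurations relying on renegotiation for per-directory/location access control remain vulnerable unless using OpenSSL >= 0.9.8l. The visible hunk shows `BuildRequires: expat-devel` but no version-qualified OpenSSL build dependency; if none exists elsewhere in the spec (outside these hunks), consider adding `BuildRequires: openssl-devel >= 0.9.8m` so the package cannot be rebuilt against an older OpenSSL without the full fix. A short comment where Patch10 was removed, e.g. `# CVE-2009-3555: partial patch dropped, 2.2.15 built with OpenSSL >= 0.9.8m carries the full fix`, would record that assumption for future rebases. Since the new `SSLInsecureRenegotiation` directive reopens the vulnerability by design, the shipped `Source131: apache2-vhost-ssl.template` is worth checking to confirm it does not enable it.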