pool/apache2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=20

Browse Source
This commit is contained in:
OBS User unknown 2008-05-26 17:05:45 +00:00 committed by Git OBS Bridge
parent 9c1a724576
commit 510ad4116f
3 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
apache2.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Mon May 26 16:55:37 CEST 2008 - skh@suse.de
- CVE-2008-1678: modules/ssl/mod_ssl.c (ssl_cleanup_pre_config):
Remove the call to CRYPTO_cleanup_all_ex_data here, fixing a
per-connection memory leak which occurs if the client indicates
support for a compression algorithm in the initial handshake, and
mod_ssl is linked against OpenSSL >= 0.9.8f. [bnc#392096]
httpd-2.2.x-CVE-2008-1678.patch
-------------------------------------------------------------------
Fri Apr 18 14:17:31 CEST 2008 - poeml@suse.de

11
apache2.spec
View File

@ -56,7 +56,7 @@ License: The Apache Software License
Group: Productivity/Networking/Web/Servers
%define realver 2.2.8
Version: 2.2.8
Release: 13
Release: 24
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
Source10: SUSE-NOTICE
@ -109,6 +109,7 @@ Patch23: httpd-2.1.9-apachectl.dif
Patch65: httpd-2.0.49-log_server_status.dif
Patch66: httpd-2.0.54-envvars.dif
Patch67: httpd-2.2.0-apxs-a2enmod.dif
Patch68: httpd-2.2.x-CVE-2008-1678.patch
Url: http://httpd.apache.org/
Icon: Apache.xpm
Summary: The Apache Web Server Version 2.0
@ -330,6 +331,7 @@ Authors:
%patch65 -p1
%patch66 -p1
%patch67 -p1
%patch68 -p3
#
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
#
@ -1031,6 +1033,13 @@ if ! test -f /.buildenv; then
fi
%changelog
* Mon May 26 2008 skh@suse.de
- CVE-2008-1678: modules/ssl/mod_ssl.c (ssl_cleanup_pre_config):
Remove the call to CRYPTO_cleanup_all_ex_data here, fixing a
per-connection memory leak which occurs if the client indicates
support for a compression algorithm in the initial handshake, and
mod_ssl is linked against OpenSSL >= 0.9.8f. [bnc#392096]
httpd-2.2.x-CVE-2008-1678.patch
* Fri Apr 18 2008 poeml@suse.de
- sync up with changes from Build Service:
- new implementation of sysconf_addword, using sed instead of ed.

27
httpd-2.2.x-CVE-2008-1678.patch Normal file
View File

@ -0,0 +1,27 @@
--- httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:16:38 654118
+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:17:31 654119
@@ -218,17 +218,18 @@
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
ENGINE_cleanup();
#endif
-#ifdef HAVE_OPENSSL
-#if OPENSSL_VERSION_NUMBER >= 0x00907001
- CRYPTO_cleanup_all_ex_data();
-#endif
-#endif
ERR_remove_state(0);
/* Don't call ERR_free_strings here; ERR_load_*_strings only
* actually load the error strings once per process due to static
* variable abuse in OpenSSL. */
+ /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
+ * ex_data indices may have been cached in static variables in
+ * OpenSSL; removing them may cause havoc. Notably, with OpenSSL
+ * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
+ * could result in a per-connection memory leak (!). */
+
/*
* TODO: determine somewhere we can safely shove out diagnostics
* (when enabled) at this late stage in the game: