Accepting request 316550 from home:pgajdos

- access_compat shared also for 11sp3

- apache2-implicit-pointer-decl.patch renamed to 
  httpd-implicit-pointer-decl.patch to align with other
  patches names

- apachectl is now wrapper to start_apache2; therefore, it honors 
  HTTPD_INSTANCE variable, see README-instances.txt for details 
  + httpd-apachectl.patch
  - httpd-2.4.10-apachectl.patch

- a2enmod/a2dismod and a2enflag/a2disflag now respect 
  HTTPD_INSTANCE=<instance_name> environment variable, which can be 
  used to specify apache instance name; sysconfig file is expected 
  at /etc/sysconfig/apache2@<instance_name> 
 (see README-instances.txt for details)

- provides suse_maintenance_mmn symbol [bnc#915666] (internal)

- credits to Roman Drahtmueller:
  * add reference to /etc/permissions.local to output of %post if
    setting the permissions of suexec2 fails
  * do not enable mod_php5 by default any longer
  * httpd-2.0.49-log_server_status.dif obsoleted
  * apache2-mod_ssl_npn.patch removed because not used
  * include mod_reqtimeout.conf in httpd.conf
  * added cgid-timeout.conf, include
    it in httpd.conf
- fix default value APACHE_MODULES in sysconfig file
- %service_* macros for apache2@.service

OBS-URL: https://build.opensuse.org/request/show/316550
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=453

a2enflag

@@ -8,20 +8,26 @@
 # (at your option) any later version.
 
 
-sysconf=/etc/sysconfig/apache2
-var=APACHE_SERVER_FLAGS
-PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2"
-
-debug=true
-
 function usage() {
-	echo "$(basename $0): enable/disable a flag in $var in $sysconf"
-	echo
+        echo "$(basename $0): enable/disable a flag in $var in $sysconf"
+        echo
         echo "usage: $(basename $0) [-d] flag"
-        #echo "       $(basename $0) -h runtests"
+        echo
+        echo "HTTPD_INSTANCE=<instance_name> environment variable can be used to specify"
+        echo "apache instance (see README-instances.txt); sysconfig file is expected" 
+        echo "at /etc/sysconfig/apache2@<instance_name> ."
         exit 1
 }
 
+unset instance_suffix
+if [ -n "$HTTPD_INSTANCE" ]; then
+  instance_suffix="@$HTTPD_INSTANCE"
+fi
+
+sysconf=/etc/sysconfig/apache2$instance_suffix
+var=APACHE_SERVER_FLAGS
+PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2"
+
 if [ $# -lt 1 ]; then
         usage
 fi

a2enmod

@@ -8,22 +8,28 @@
 # (at your option) any later version.
 
 
-sysconf=/etc/sysconfig/apache2
-var=APACHE_MODULES
-PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2"
-
-debug=true
-
 function usage() {
-	echo "$(basename $0): enable/disable an apache module in $var in $sysconf"
-	echo
+        echo "$(basename $0): enable/disable an apache module in $var in $sysconf"
+        echo
         echo "usage: $(basename $0) [-d] module"
         echo "       $(basename $0) -l                    list modules"
         echo "       $(basename $0) -q module             query if module is installed"
-        #echo "       $(basename $0) -h runtests"
+        echo
+        echo "HTTPD_INSTANCE=<instance_name> environment variable can be used to specify"
+        echo "apache instance (see README-instances.txt); sysconfig file is expected" 
+        echo "at /etc/sysconfig/apache2@<instance_name> ."
         exit 1
 }
 
+unset instance_suffix
+if [ -n "$HTTPD_INSTANCE" ]; then
+  instance_suffix="@$HTTPD_INSTANCE"
+fi
+
+sysconf=/etc/sysconfig/apache2$instance_suffix
+var=APACHE_MODULES
+PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2"
+
 if [ $# -lt 1 ]; then
         usage
 fi

apache2-README-instances.txt

@@ -27,4 +27,15 @@ NOTES:
 * /etc/sysconfig/apache2@<instancename> can hold any sysconfig variable
   /etc/sysconfig/apache2 can, including module loading and MPM setting, 
 * default instance do not have to run when running other instances
+* a2enmod, a2dismod and apachectl operates over default instance if
+  not specified otherwise via HTTPD_INSTANCE. For example,
+
+    export HTTPD_INSTANCE=myweb.org
+    a2enmod access_compat
+    a2enmod status
+    apachectl start
+
+  will add access_compat and status modules to APACHE_MODULES 
+  variable of /etc/sysconfig/apache2@myweb.org and then starts
+  myweb.org instance.
 

apache2-httpd.conf

@@ -30,6 +30,8 @@
 #  |-- global.conf . . . . . . . . . . . . .  [*] server-wide general settings
 #  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
 #  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
+#  |-- mod_reqtimeout.conf . . . . . . . . .  set timeout and minimum data rate for receiving requests
+#  |-- mod_cgid-timeout.conf . . . . . . . .  set CGIDScriptTimeout if mod_cgid is loaded/active
 #  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
 #  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
 #  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
@@ -107,7 +109,7 @@ Include /etc/apache2/server-tuning.conf
 # container, that host's errors will be logged there and not here.
 ErrorLog /var/log/apache2/error_log
 
-# generated from APACHE_MODULES in /etc/sysconfig/apache2
+# generated from default value of APACHE_MODULES in /etc/sysconfig/apache2
 <IfDefine !SYSCONFIG>
   Include /etc/apache2/loadmodule.conf
 </IfDefine>
@@ -118,7 +120,7 @@ Include /etc/apache2/listen.conf
 # predefined logging formats
 Include /etc/apache2/mod_log_config.conf
 
-# generated from global settings in /etc/sysconfig/apache2
+# generated from default values of global settings in /etc/sysconfig/apache2
 <IfDefine !SYSCONFIG>
   Include /etc/apache2/global.conf
 </IfDefine>
@@ -127,6 +129,20 @@ Include /etc/apache2/mod_log_config.conf
 Include /etc/apache2/mod_status.conf
 Include /etc/apache2/mod_info.conf
 
+# mod_reqtimeout protects the server from the so-called "slowloris"
+# attack: The server is not swamped with requests in fast succession,
+# but with slowly transmitted request headers and body, thereby filling up
+# the request slots until the server runs out of them.
+# mod_reqtimeout is lightweight and should deliver good results
+# with the configured default values. You shouldn't notice it at all.
+Include /etc/apache2/mod_reqtimeout.conf
+
+# Fix for CVE-2014-0231 introduces new configuration parameter 
+# CGIDScriptTimeout. This directive and its effect prevent request 
+# workers to be eaten until starvation if cgi programs do not send 
+# output back to the server within the timout set by CGIDScriptTimeout.
+Include /etc/apache2/mod_cgid-timeout.conf
+
 # optional cookie-based user tracking
 # read the documentation before using it!!
 Include /etc/apache2/mod_usertrack.conf

apache2-mod_cgid-timeout.conf

@@ -0,0 +1,15 @@
+#
+# The length of time in seconds to wait for more output
+# from a CGI program.
+#
+# This will prevent a DoS if too many CGI's don't send their output quickly
+# enough.
+# The value for CGIDScriptTimeout defaults to the value of Timeout.
+# CGIDScriptTimeout is used by mod_cgid only!
+#
+
+<IfModule mod_cgid.c>
+  CGIDScriptTimeout 60
+</IfModule>
+
+

apache2.changes

@@ -1,3 +1,65 @@
+-------------------------------------------------------------------
+Tue Jul 14 07:32:00 UTC 2015 - pgajdos@suse.com
+
+- access_compat shared also for 11sp3
+
+-------------------------------------------------------------------
+Mon Jul 13 15:14:20 UTC 2015 - pgajdos@suse.com
+
+- apache2-implicit-pointer-decl.patch renamed to 
+  httpd-implicit-pointer-decl.patch to align with other
+  patches names
+
+-------------------------------------------------------------------
+Mon Jul 13 15:12:29 UTC 2015 - pgajdos@suse.com
+
+- apachectl is now wrapper to start_apache2; therefore, it honors 
+  HTTPD_INSTANCE variable, see README-instances.txt for details 
+  + httpd-apachectl.patch
+  - httpd-2.4.10-apachectl.patch
+
+-------------------------------------------------------------------
+Mon Jul 13 13:37:53 UTC 2015 - pgajdos@suse.com
+
+- a2enmod/a2dismod and a2enflag/a2disflag now respect 
+  HTTPD_INSTANCE=<instance_name> environment variable, which can be 
+  used to specify apache instance name; sysconfig file is expected 
+  at /etc/sysconfig/apache2@<instance_name> 
+ (see README-instances.txt for details)
+
+-------------------------------------------------------------------
+Mon Jul 13 11:21:43 UTC 2015 - pgajdos@suse.com
+
+- provides suse_maintenance_mmn symbol [bnc#915666] (internal)
+
+-------------------------------------------------------------------
+Mon Jul 13 10:05:17 UTC 2015 - pgajdos@suse.com
+
+- credits to Roman Drahtmueller:
+  * add reference to /etc/permissions.local to output of %post if
+    setting the permissions of suexec2 fails
+  * do not enable mod_php5 by default any longer
+  * httpd-2.0.49-log_server_status.dif obsoleted
+  * apache2-mod_ssl_npn.patch removed because not used
+  * include mod_reqtimeout.conf in httpd.conf
+  * added cgid-timeout.conf, include
+    it in httpd.conf
+- fix default value APACHE_MODULES in sysconfig file
+- %service_* macros for apache2@.service
+
+-------------------------------------------------------------------
+Mon Jul 13 09:52:21 UTC 2015 - pgajdos@suse.com
+
+- reenable 690734.patch, it should be upstreamed by the author 
+  (Adrian Schroeter) though
+   + httpd-2.4.9-bnc690734.patch
+   - httpd-2.2.x-bnc690734.patch
+
+-------------------------------------------------------------------
+Mon Jul 13 09:51:34 UTC 2015 - pgajdos@suse.com
+
+- drop startssl from start_apache2
+
 -------------------------------------------------------------------
 Wed Jul  1 09:41:31 UTC 2015 - pgajdos@suse.com
 

apache2.spec

@@ -17,6 +17,7 @@
 
 
 %define apache_mmn	%(test -s %{SOURCE0} && { echo -n apache_mmn_; bzcat %{SOURCE0} | awk '/^#define MODULE_MAGIC_NUMBER_MAJOR/ {printf "%d", $3}'; })
+%define suse_maintenance_mmn  0
 %define	default_mpm	prefork
 %{!?prefork:%define prefork 1}
 %{!?worker:%define worker 1}
@@ -46,7 +47,7 @@
 %define mods_static unixd systemd
 %else
 %define runtimedir	%{_localstatedir}/run
-%define mods_static access_compat unixd
+%define mods_static unixd
 %endif
 Name:           apache2
 Version:        2.4.12
@@ -98,6 +99,7 @@ Source114:      apache2-mod_usertrack.conf
 Source115:      apache2-mod_reqtimeout.conf
 Source116:      apache2-loadmodule.conf
 Source117:      apache2-global.conf
+Source118:      apache2-mod_cgid-timeout.conf
 Source130:      apache2-vhost.template
 Source131:      apache2-vhost-ssl.template
 Source140:      apache2-check_forensic
@@ -109,16 +111,12 @@ Source145:      apache2-find-directives
 Source146:      apache2@.service
 Source147:      apache2-script-helpers
 Patch2:         httpd-2.1.3alpha-layout.dif
-Patch23:        httpd-2.4.10-apachectl.patch
-#Patch65:        httpd-2.0.49-log_server_status.dif
+Patch23:        httpd-apachectl.patch
 Patch66:        httpd-2.0.54-envvars.dif
 Patch67:        httpd-2.2.0-apxs-a2enmod.dif
 Patch68:        httpd-2.x.x-logresolve.patch
-Patch69:        httpd-2.2.x-bnc690734.patch
-Patch70:        apache2-implicit-pointer-decl.patch
-# PATCH-FEATURE-UPSTREAM apache2-mod_ssl_npn.patch dimstar@opensuse.org -- Add npn support to mod_ssl (needed for spdy)
-#Patch108:       apache2-mod_ssl_npn.patch
-#Provides:       apache2(mod_ssl+npn)
+Patch69:        httpd-2.4.9-bnc690734.patch
+Patch70:        httpd-implicit-pointer-decl.patch
 # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration.
 Patch109:       httpd-2.4.3-mod_systemd.patch
 Patch111:       httpd-visibility.patch
@@ -151,6 +149,7 @@ Requires(post): sed
 Requires(post): textutils
 Recommends:     apache2-%{default_mpm}
 Provides:       %{apache_mmn}
+Provides:       suse_maintenance_mmn = %{suse_maintenance_mmn}
 Provides:       http_daemon
 Provides:       httpd
 Provides:       suse_help_viewer
@@ -294,14 +293,12 @@ to administrators of web servers in general.
 %prep
 %setup -q -n httpd-%{version} -a30
 %patch2 -p1
-%patch23 -p1
-#%patch65 -p1
+%patch23
 %patch66 -p1
 %patch67 -p1
 %patch68 -p1
-#%patch69
+%patch69
 %patch70 -p1
-#%patch108 -p1
 # Systemd module enabling patch                                                
 %if 0%{?suse_version} >= 1210 
 %patch109 -p1
@@ -572,6 +569,8 @@ for i in default-server.conf \
 	 mod_userdir.conf \
 	 mod_usertrack.conf \
 	 server-tuning.conf \
+	 mod_reqtimeout.conf \
+         mod_cgid-timeout.conf \
 	 ssl-global.conf
 do
 	install -m 644 $RPM_SOURCE_DIR/apache2-$i %{buildroot}/%{sysconfdir}/$i
@@ -1273,11 +1272,13 @@ exit 0
 %pre
 %if 0%{?suse_version} >= 1210
 %service_add_pre apache2.service
+%service_add_pre apache2@.service
 %endif
 
 %preun
 %if 0%{?suse_version} >= 1210
 %service_del_preun apache2.service
+%service_del_preun apache2@.service
 %endif
 for i in %{_sbindir}/httpd \
 	 %{installbuilddir}/config_vars.mk
@@ -1289,6 +1290,7 @@ exit 0
 %postun
 %if 0%{?suse_version} >= 1210
 %service_del_postun apache2.service
+%service_del_postun apache2@.service
 %else
 %insserv_cleanup
 %endif
@@ -1297,7 +1299,7 @@ exit 0
 %if 0%{?suse_version} <= 1130
 %run_permissions
 %else
-%set_permissions %{_sbindir}/suexec
+%set_permissions %{_sbindir}/suexec || echo "Please check /etc/permissions.local for settings of /usr/sbin/suexec2 ."
 %endif
 # wwwadmin group existed in past remove after openSUSE-13.2 out of support scope
 if grep -q "^wwwadmin:" %{_sysconfdir}/group; then
@@ -1314,6 +1316,7 @@ fi
 %{fillup_only apache2}
 %if 0%{?suse_version} >= 1210
 %service_add_post apache2.service
+%service_add_post apache2@.service
 %else
 %{fillup_and_insserv apache2}
 %endif

httpd-2.4.10-apachectl.patch

@@ -1,56 +0,0 @@
-diff -Ndurp httpd-2.4.10/support/apachectl.in httpd-2.4.10-apachectl/support/apachectl.in
---- httpd-2.4.10/support/apachectl.in	2012-02-01 05:47:28.000000000 +0200
-+++ httpd-2.4.10-apachectl/support/apachectl.in	2014-10-18 19:18:51.203692588 +0300
-@@ -42,17 +42,32 @@ ARGV="$@"
- # --------------------                              --------------------
- # 
- # the path to your httpd binary, including options if necessary
--HTTPD='@exp_sbindir@/@progname@'
-+HTTPD='@exp_sbindir@/httpd'
- #
- # pick up any necessary environment variables
- if test -f @exp_sbindir@/envvars; then
-   . @exp_sbindir@/envvars
- fi
-+
-+pname=apache2
-+sysconfig_apache=/etc/sysconfig/$pname
-+sysconfdir=/etc/$pname
-+
-+test -s $sysconfig_apache && . $sysconfig_apache
-+httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}
-+
- #
- # a command that outputs a formatted text version of the HTML at the
- # url given on the command line.  Designed for lynx, however other
- # programs may work.  
--LYNX="@LYNX_PATH@ -dump"
-+
-+if [ -x "`which w3m`" ]; then
-+        LYNX="w3m -dump -cols ${COLUMNS:-80}"
-+elif [ -x "`which lynx`" ]; then
-+        LYNX="lynx -dump -width=${COLUMNS:-80}"
-+fi
-+
-+
- #
- # the URL to your server's mod_status status page.  If you do not
- # have one, then status and fullstatus will not work.
-@@ -78,7 +93,7 @@ fi
- 
- case $ACMD in
- start|stop|restart|graceful|graceful-stop)
--    $HTTPD -k $ARGV
-+    $HTTPD ${httpd_conf+-f $httpd_conf} -k $ARGV
-     ERROR=$?
-     ;;
- startssl|sslstart|start-SSL)
-@@ -88,7 +103,7 @@ startssl|sslstart|start-SSL)
-     ERROR=2
-     ;;
- configtest)
--    $HTTPD -t
-+    $HTTPD ${httpd_conf+-f $httpd_conf} -t
-     ERROR=$?
-     ;;
- status)

httpd-2.4.9-bnc690734.patch

@@ -1,14 +1,13 @@
---- server/util_script.c.orig
-+++ server/util_script.c
-@@ -415,6 +415,7 @@ AP_DECLARE(int) ap_scan_script_header_er
- {
-     char x[MAX_STRING_LEN];
-     char *w, *l;
+Index: server/util_script.c
+===================================================================
+--- server/util_script.c.orig	2015-06-25 09:15:54.539638460 +0200
++++ server/util_script.c	2015-06-25 09:20:48.554424220 +0200
+@@ -422,11 +422,20 @@
+     apr_table_t *cookie_table;
+     int trace_log = APLOG_R_MODULE_IS_LEVEL(r, module_index, APLOG_TRACE1);
+     int first_header = 1;
 +    int wlen;
-     int p;
-     int cgi_status = HTTP_UNSET;
-     apr_table_t *merge;
-@@ -425,7 +426,14 @@ AP_DECLARE(int) ap_scan_script_header_er
+ 
      if (buffer) {
          *buffer = '\0';
      }
@@ -21,10 +20,11 @@
 +        w = buffer ? buffer : x;
 +        wlen = MAX_STRING_LEN;
 +    }
++
  
      /* temporary place to hold headers to merge in later */
      merge = apr_table_make(r->pool, 10);
-@@ -441,7 +449,7 @@ AP_DECLARE(int) ap_scan_script_header_er
+@@ -442,7 +451,7 @@
  
      while (1) {
  
@@ -33,17 +33,19 @@
          if (rv == 0) {
              const char *msg = "Premature end of script headers";
              if (first_header)
-@@ -553,9 +561,12 @@ AP_DECLARE(int) ap_scan_script_header_er
+@@ -555,10 +564,13 @@
          if (!(l = strchr(w, ':'))) {
              if (!buffer) {
                  /* Soak up all the script output - may save an outright kill */
--                while ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data)) {
+-                while ((*getsfunc)(w, MAX_STRING_LEN - 1, getsfunc_data) > 0) {
 +                while ((*getsfunc) (w, wlen - 1, getsfunc_data)) {
                      continue;
                  }
-+	    } else if (w != buffer) {
+-            }
++            } else if (w != buffer) {
 +		strncpy(buffer, w, MAX_STRING_LEN - 1);
 +		buffer[MAX_STRING_LEN - 1] = 0;
-             }
++	    }
  
              ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
+                           "malformed header from script '%s': Bad header: %.30s",

httpd-apachectl.patch

@@ -0,0 +1,27 @@
+
+Index: support/apachectl.in
+===================================================================
+--- support/apachectl.in.orig	2012-02-01 04:47:28.000000000 +0100
++++ support/apachectl.in	2015-07-13 17:09:06.651280087 +0200
+@@ -42,7 +42,7 @@
+ # --------------------                              --------------------
+ # 
+ # the path to your httpd binary, including options if necessary
+-HTTPD='@exp_sbindir@/@progname@'
++HTTPD='@exp_sbindir@/start_apache2'
+ #
+ # pick up any necessary environment variables
+ if test -f @exp_sbindir@/envvars; then
+@@ -52,7 +52,11 @@
+ # a command that outputs a formatted text version of the HTML at the
+ # url given on the command line.  Designed for lynx, however other
+ # programs may work.  
+-LYNX="@LYNX_PATH@ -dump"
++if [ -x "`which w3m`" ]; then
++        LYNX="w3m -dump -cols ${COLUMNS:-80}"
++elif [ -x "`which lynx`" ]; then
++        LYNX="lynx -dump -width=${COLUMNS:-80}"
++fi
+ #
+ # the URL to your server's mod_status status page.  If you do not
+ # have one, then status and fullstatus will not work.

start_apache2

@@ -31,13 +31,11 @@ load_sysconfig
 
 unset server_flags
 #
-# server_flags: -DSSL and -DSYSCONFIG
+# server_flags: -DSYSCONFIG
 #
 if [ -f "$SYSCONFIG_FILE" ]; then
   server_flags="$server_flags -DSYSCONFIG"
 fi
-case "$action" in startssl) server_flags="-DSSL";; esac
-
 
 #
 # figure out correct apache2 binary (/usr/sbin/httpd-prefork,
@@ -72,10 +70,11 @@ done
 httpd_conf=${APACHE_HTTPD_CONF:-/etc/apache2${instance_suffix}/httpd.conf}
 
 #
-# default values for some directives that should depend on instance
+# set PidFile to this file name; PidFile should not
+# be used in the configuration to change this, otherwise
+# stopping will not work
 #
-# PidFile
-default_pid_file=/var/run/httpd${instance_suffix}.pid
+pid_file=/var/run/httpd${instance_suffix}.pid
 
 unset sysconfig_setting
 #
@@ -141,12 +140,8 @@ HOME=/var/lib/apache2${instance_suffix}
 # run Apache
 #
 
-echo Running $apache_bin -f $httpd_conf $server_flags \
-        -C "PidFile $default_pid_file" \
-        "${sysconfig_setting[@]}" \
-        $@
 exec $apache_bin -f $httpd_conf $server_flags \
-        -C "PidFile $default_pid_file" \
+        -C "PidFile $pid_file" \
         "${sysconfig_setting[@]}" \
         $@
 

sysconfig.apache2

@@ -30,7 +30,7 @@ APACHE_CONF_INCLUDE_FILES=""
 APACHE_CONF_INCLUDE_DIRS=""
 
 ## Type:	string
-## Default:	"actions alias auth_basic authz_host authn_file authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5"
+## Default:	"actions alias auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout"
 ## ServiceRestart: apache2
 #
 # [It might look silly to not simply edit httpd.conf for the LoadModule statements.