Accepting request 317647 from home:kstreitova:branches:Apache

- update to 2.4.16 * changes http://www.apache.org/dist/httpd/CHANGES_2.4.16 * remove the following patches (fixed in 2.4.16) * httpd-2.4.x-mod_lua_websocket_DoS.patch * httpd-2.4.12-CVE-2015-0253.patch * update httpd-2.4.12-lua-5.2.patch OBS-URL: https://build.opensuse.org/request/show/317647 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=456
2015-07-22 10:42:42 +00:00 · 2015-07-22 10:42:42 +00:00 · e357708a58
commit e357708a58
parent a4429e9aee
7 changed files with 32 additions and 107 deletions
--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Mon Jul 20 13:35:21 UTC 2015 - kstreitova@suse.com
+
+- update to 2.4.16
+  * changes http://www.apache.org/dist/httpd/CHANGES_2.4.16
+  * remove the following patches (fixed in 2.4.16)
+      * httpd-2.4.x-mod_lua_websocket_DoS.patch
+      * httpd-2.4.12-CVE-2015-0253.patch
+  * update httpd-2.4.12-lua-5.2.patch
+
 -------------------------------------------------------------------
 Sat Jul 18 03:50:24 UTC 2015 - i@marguerite.su

--- a/apache2.spec
+++ b/apache2.spec
@ -50,7 +50,7 @@
 %define mods_static unixd
 %endif
 Name:           apache2
-Version:        2.4.12
+Version:        2.4.16
 Release:        0
 Summary:        The Apache Web Server Version 2.4
 License:        Apache-2.0
@ -120,9 +120,6 @@ Patch70:        httpd-implicit-pointer-decl.patch
 # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration.
 Patch109:       httpd-2.4.3-mod_systemd.patch
 Patch111:       httpd-visibility.patch
-# PATCH-FIX-UPSTREAM bnc#918352 kstreitova@suse.com -- fix mod_lua - maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash
-Patch112:       httpd-2.4.x-mod_lua_websocket_DoS.patch
-Patch113:       httpd-2.4.12-CVE-2015-0253.patch
 # PATCH-FIX-UPSTREAM marguerite@opensuse.org -- compability for lua 5.2+
 Patch114:	httpd-2.4.12-lua-5.2.patch
 BuildRequires:  automake
@ -306,8 +303,6 @@ to administrators of web servers in general.
 %patch109 -p1
 %endif
 %patch111 -p1
-%patch112 -p1
-%patch113 -p3
 %patch114 -p1
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
--- a/httpd-2.4.12-CVE-2015-0253.patch
+++ b/httpd-2.4.12-CVE-2015-0253.patch
@ -1,24 +0,0 @@
-SECURITY: CVE-2015-0253 (cve.mitre.org)
-core: Fix a crash introduced in with ErrorDocument 400 pointing
-to a local URL-path with the INCLUDES filter active, introduced
-in 2.4.11. PR 57531. [Yann Ylavic]
--- httpd/httpd/trunk/server/protocol.c	2015/03/05 02:31:42	1664204
-+++ httpd/httpd/trunk/server/protocol.c	2015/03/05 02:33:16	1664205
-@@ -606,8 +606,6 @@
-              */
-             if (APR_STATUS_IS_ENOSPC(rv)) {
-                 r->status    = HTTP_REQUEST_URI_TOO_LARGE;
-                r->proto_num = HTTP_VERSION(1,0);
-                r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
-             }
-             else if (APR_STATUS_IS_TIMEUP(rv)) {
-                 r->status = HTTP_REQUEST_TIME_OUT;
-@@ -615,6 +613,8 @@
-             else if (APR_STATUS_IS_EINVAL(rv)) {
-                 r->status = HTTP_BAD_REQUEST;
-             }
-+            r->proto_num = HTTP_VERSION(1,0);
-+            r->protocol  = apr_pstrdup(r->pool, "HTTP/1.0");
-             return 0;
-         }
-     } while ((len <= 0) && (++num_blank_lines < max_blank_lines));
--- a/httpd-2.4.12-lua-5.2.patch
+++ b/httpd-2.4.12-lua-5.2.patch
@ -1,29 +1,23 @@
-Index: httpd-2.4.12/modules/lua/mod_lua.c
+Index: httpd-2.4.16/modules/lua/mod_lua.c
 ===================================================================
--- httpd-2.4.12.orig/modules/lua/mod_lua.c
-+++ httpd-2.4.12/modules/lua/mod_lua.c
-@@ -1072,9 +1072,17 @@ static const char *register_named_block_
-         else {
-             luaL_Buffer b;
-             luaL_buffinit(lvm, &b);
-+#if LUA_VERSION_NUM < 503
+--- httpd-2.4.16.orig/modules/lua/mod_lua.c
+++ httpd-2.4.16/modules/lua/mod_lua.c
+@@ -1078,7 +1078,11 @@ static const char *register_named_block_
             lua_dump(lvm, ldump_writer, &b);
-+#else
-+	    lua_dump(lvm, ldump_writer, &b, 0);
-+#endif
+ #endif
             luaL_pushresult(&b);
 +#if LUA_VERSION_NUM < 502
             spec->bytecode_len = lua_strlen(lvm, -1);
 +#else
-+	    spec->bytecode_len = lua_rawlen(lvm, -1);
+            spec->bytecode_len = lua_rawlen(lvm, -1);
 +#endif
             spec->bytecode = apr_pstrmemdup(cmd->pool, lua_tostring(lvm, -1),
                                             spec->bytecode_len);
             lua_close(lvm);
-Index: httpd-2.4.12/modules/lua/lua_apr.c
+Index: httpd-2.4.16/modules/lua/lua_apr.c
 ===================================================================
--- httpd-2.4.12.orig/modules/lua/lua_apr.c
-+++ httpd-2.4.12/modules/lua/lua_apr.c
+--- httpd-2.4.16.orig/modules/lua/lua_apr.c
+++ httpd-2.4.16/modules/lua/lua_apr.c
@@ -82,7 +82,11 @@ static const luaL_Reg lua_table_methods[
 int ap_lua_init(lua_State *L, apr_pool_t *p)
 {
@ -36,10 +30,10 @@ Index: httpd-2.4.12/modules/lua/lua_apr.c
     lua_pushstring(L, "__index");
     lua_pushstring(L, "get");
     lua_gettable(L, 2);
-Index: httpd-2.4.12/modules/lua/lua_config.c
+Index: httpd-2.4.16/modules/lua/lua_config.c
 ===================================================================
--- httpd-2.4.12.orig/modules/lua/lua_config.c
-+++ httpd-2.4.12/modules/lua/lua_config.c
+--- httpd-2.4.16.orig/modules/lua/lua_config.c
+++ httpd-2.4.16/modules/lua/lua_config.c
@@ -263,13 +263,20 @@ void ap_lua_load_config_lmodule(lua_Stat
     lua_pushvalue(L, -1);
 
@ -62,10 +56,10 @@ Index: httpd-2.4.12/modules/lua/lua_config.c
 +#endif
 
 }
-Index: httpd-2.4.12/modules/lua/lua_request.c
+Index: httpd-2.4.16/modules/lua/lua_request.c
 ===================================================================
--- httpd-2.4.12.orig/modules/lua/lua_request.c
-+++ httpd-2.4.12/modules/lua/lua_request.c
+--- httpd-2.4.16.orig/modules/lua/lua_request.c
+++ httpd-2.4.16/modules/lua/lua_request.c
@@ -149,7 +149,11 @@ static int req_aprtable2luatable_cb(void
         }
     case LUA_TTABLE:{
@ -126,7 +120,7 @@ Index: httpd-2.4.12/modules/lua/lua_request.c
         lua_pop(L, 1);
         
         /* secure */
-@@ -2878,7 +2886,11 @@ void ap_lua_load_request_lmodule(lua_Sta
+@@ -2889,7 +2897,11 @@ void ap_lua_load_request_lmodule(lua_Sta
     lua_pushvalue(L, -1);
 
     lua_setfield(L, -2, "__index");
@ -138,7 +132,7 @@ Index: httpd-2.4.12/modules/lua/lua_request.c
 
     lua_pop(L, 2);
 
-@@ -2886,7 +2898,11 @@ void ap_lua_load_request_lmodule(lua_Sta
+@@ -2897,7 +2909,11 @@ void ap_lua_load_request_lmodule(lua_Sta
     lua_pushvalue(L, -1);
 
     lua_setfield(L, -2, "__index");
@ -150,7 +144,7 @@ Index: httpd-2.4.12/modules/lua/lua_request.c
 
     lua_pop(L, 2);
 
-@@ -2894,7 +2910,11 @@ void ap_lua_load_request_lmodule(lua_Sta
+@@ -2905,7 +2921,11 @@ void ap_lua_load_request_lmodule(lua_Sta
     lua_pushvalue(L, -1);
 
     lua_setfield(L, -2, "__index");
--- a/httpd-2.4.12.tar.bz2
+++ b/httpd-2.4.12.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4
-size 5054838
--- a/httpd-2.4.16.tar.bz2
+++ b/httpd-2.4.16.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743
+size 5101005
--- a/httpd-2.4.x-mod_lua_websocket_DoS.patch
+++ b/httpd-2.4.x-mod_lua_websocket_DoS.patch
@ -1,50 +0,0 @@
-From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001
-From: Eric Covener <covener@apache.org>
-Date: Wed, 4 Feb 2015 14:44:23 +0000
-Subject: [PATCH]   *) SECURITY: CVE-2015-0228 (cve.mitre.org)      mod_lua: A
- maliciously crafted websockets PING after a script      calls r:wsupgrade()
- can cause a child process crash.      [Edward Lu <Chaosed0 gmail.com>]
-
-Discovered by Guido Vranken <guidovranken gmail.com>
-
-Submitted by: Edward Lu
-Committed by: covener
-
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
---
-diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
-index dded599..1200c55 100644
--- a/modules/lua/lua_request.c
-+++ b/modules/lua/lua_request.c
-@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)
- {
-     apr_socket_t *sock;
-     apr_status_t rv;
-+    int do_read = 1;
-     int n = 0;
-     apr_size_t len = 1;
-     apr_size_t plen = 0;
-@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)
-     mask_bytes = apr_pcalloc(r->pool, 4);
-     sock = ap_get_conn_socket(r->connection);
- 
-+    while (do_read) { 
-+    do_read = 0;
-     /* Get opcode and FIN bit */
-     if (plaintext) {
-         rv = apr_socket_recv(sock, &byte, &len);
-@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)
-                 frame[0] = 0x8A;
-                 frame[1] = 0;
-                 apr_socket_send(sock, frame, &plen); /* Pong! */
-                lua_websocket_read(L); /* read the next frame instead */
-+                do_read = 1;
-             }
-         }
-     }
-+    }
-     return 0;
- }
-