diff --git a/apache2.changes b/apache2.changes index 833f125..4c9c148 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -1,12 +1,167 @@ ------------------------------------------------------------------- -Thu Aug 28 01:16:28 CEST 2008 - ro@suse.de +Tue Aug 26 22:59:55 CEST 2008 - poeml@suse.de -- remove deprecated options from fillup and insserv call +- drop rc.config handling (was removed in or after SuSE Linux 8.0) +- don't use fillup_insserv options which have been removed lately ------------------------------------------------------------------- -Mon Aug 25 01:20:45 CEST 2008 - ro@suse.de +Fri Aug 15 11:25:47 CEST 2008 - poeml@suse.de -- initscript: copy Should-Start to Should-Stop to fix build +- fix init script LSB headers + +------------------------------------------------------------------- +Wed Jun 25 14:36:06 CEST 2008 - poeml@suse.de + +- add note to /etc/sysconfig/apache2 and /etc/init.d/apache2 about + how to set ulimits when starting the server +- undocument APACHE_BUFFERED_LOGS and APACHE_TIMEOUT in the + sysconfig template. They still work but I think it is good to + keep this stuff out of the beginner's config, first because both + features are sophisticated enough to not being tweaked in most + cases, second because it only confuses people I guess, and makes + the sysconfig file larger than necessary. + +------------------------------------------------------------------- +Sun Jun 15 19:39:46 CEST 2008 - poeml@suse.de + +- update to 2.2.9: + SECURITY: CVE-2008-2364 (cve.mitre.org) + mod_proxy_http: Better handling of excessive interim responses + from origin server to prevent potential denial of service and + high memory usage. Reported by Ryujiro Shibuya. + SECURITY: CVE-2007-6420 (cve.mitre.org) + mod_proxy_balancer: Prevent CSRF attacks against the + balancer-manager interface. + - htpasswd: Fix salt generation weakness. PR 31440 + worker/event MPM: + - Fix race condition in pool recycling that leads to + segmentation faults under load. 
PR 44402 + core: + - Fix address-in-use startup failure on some platforms caused by + creating an IPv4 listener which overlaps with an existing IPv6 + listener. + - Add the filename of the configuration file to the warning + message about the useless use of AllowOverride. PR 39992. + - Do not allow Options ALL if not all options are allowed to be + overwritten. PR 44262 + - reinstate location walk to fix config for subrequests PR 41960 + - Fix garbled TRACE response on EBCDIC platforms. + - gen_test_char: add double-quote to the list of + T_HTTP_TOKEN_STOP. PR 9727 + http_filters: + - Don't return 100-continue on redirects. PR 43711 + - Don't return 100-continue on client error PR 43711 + - Don't spin if get an error when reading the next chunk. PR 44381 + - Don't add bogus duplicate Content-Language entries + suexec: + - When group is given as a numeric gid, validate it by looking up + the actual group name such that the name can be used in log entries. + PR 7862 + mod_authn_dbd: + - Disambiguate and tidy database authentication error messages. PR 43210. + mod_cache: + - Handle If-Range correctly if the cached resource was stale. PR 44579 + - Revalidate cache entities which have Cache-Control: no-cache + set in their response headers. PR 44511 + mod_cgid: + - Explicitly set permissions of the socket (ScriptSock) shared + by mod_cgid and request processing threads, for OS'es such as + HPUX and AIX that do not use umask for AF_UNIX socket permissions. + - Don't try to restart the daemon if it fails to initialize the socket. + mod_charset_lite: + - Add TranslateAllMimeTypes sub-option to CharsetOptions, + allowing the administrator to skip the mimetype checking that + precedes translation. + mod_dav: + - Return "method not allowed" if the destination URI of a WebDAV + copy / move operation is no DAV resource. PR 44734 + mod_headers: + - Add 'merge' option to avoid duplicate values within the same header. 
+ mod_include: + - Correctly handle SSI directives split over multiple filter + mod_log_config: + - Add format options for %p so that the actual local or remote + port can be logged. PR 43415. + mod_logio: + - Provide optional function to allow modules to adjust the + bytes_in count + mod_proxy: + - Make all proxy modules nocanon aware and do not add the + query string again in this case. PR 44803. + - scoreboard: Remove unused proxy load balancer elements from scoreboard + image (not scoreboard memory itself). + - Support environment variable interpolation in reverse + proxying directives. + - Do not try a direct connection if the connection via a + remote proxy failed before and the request has a request body. + - ProxyPassReverse is now balancer aware. + - Lower memory consumption for short lived connections. + PR 44026. + - Keep connections to the backend persistent in the HTTPS case. + mod_proxy_ajp: + - Do not retry request in the case that we either failed to + sent a part of the request body or if the request is not idempotent. + PR 44334 + mod_proxy_ftp: + - Fix base for directory listings. PR 27834 + mod_proxy_http: + - Fix processing of chunked responses if Connection: + Transfer-Encoding is set in the response of the proxied + system. PR 44311 + - Return HTTP status codes instead of apr_status_t values for + errors encountered while forwarding the request body PR 44165 + mod_rewrite: + - Initialize hash needed by ap_register_rewrite_mapfunc early + enough. PR 44641 + - Check all files used by DBM maps for freshness, mod_rewrite + didn't pick up on updated sdbm maps due to this. PR41190 + - Don't canonicalise URLs with [P,NE] PR 43319 + mod_speling: + - remove regression from 1.3/2.0 behavior and drop dependency + between mod_speling and AcceptPathInfo. + mod_ssl: + - Fix a memory leak with connections that have zlib compression + turned on. PR 44975 + mod_substitute: + - The default is now flattening the buckets after each + substitution. 
The newly added 'q' flag allows for the quicker, + more efficient bucket-splitting if the user so + mod_unique_id: + - Fix timestamp value in UNIQUE_ID. PR 37064 + ab (apache benchmark): + - Include earlier if available since we may need + INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS. + - Improve client performance by clearing connection pool instead + - Don't stop sending a request if EAGAIN is returned, which + will only happen if both the write and subsequent wait are + returning EAGAIN, and count posted bytes correctly when the initial + write of a request is not complete. PR 10038, 38861, 39679 + - Overhaul stats collection and reporting to avoid integer + truncation and time divisions within the test loop, retain + native time resolution until output, remove unused data, + consistently round milliseconds, and generally avoid losing + accuracy of calculation due to type casts. PR 44878, 44931. + - Add -r option to continue after socket receive errors. + - Do not try to read non existing response bodies of HEAD requests. + - Use a 64 bit unsigned int instead of a signed long to count the + rotatelogs: + - Log the current file size and error code/description when + failing to write to the log file. + - Added '-f' option to force rotatelogs to create the logfile as + soon as started, and not wait until it reads the first entry. + - Don't leak memory when reopening the logfile. PR 40183 + - Improve atomicity when using -l and cleaup code. PR 44004 +- drop obsolete patches httpd-2.1.3alpha-autoconf-2.59.dif + httpd-2.2.x-CVE-2008-1678.patch +- don't run autoreconf on SLES9 +- remove the addition of -g to the CFLAGS, since the build service + handles debuginfo packages now + +------------------------------------------------------------------- +Mon Jun 9 17:18:03 CEST 2008 - poeml@suse.de + +- build service supports the debuginfo flag in metadata now; remove + debug_package macro from the specfile therefore. 
------------------------------------------------------------------- Mon May 26 16:55:37 CEST 2008 - skh@suse.de 
@@ -19,62 +174,429 @@ Mon May 26 16:55:37 CEST 2008 - skh@suse.de httpd-2.2.x-CVE-2008-1678.patch ------------------------------------------------------------------- -Fri Apr 18 14:17:31 CEST 2008 - poeml@suse.de +Thu May 15 01:58:08 CEST 2008 - poeml@suse.de -- sync up with changes from Build Service: - - new implementation of sysconf_addword, using sed instead of ed. - Moving it from the -utils subpackage into the parent package, - where it's actually needed. If sysconf_addword is already present - in the system, it is preferred (by PATH). That's because the tool - has been integrated into aaa_base.rpm with openSUSE 11.0. - Removing the requires on the ed package. [bnc#377131] - - better documentation how to enable SSL in /etc/sysconfig/apache2 - - quickstart readme: the link to the openSUSE wiki is about to move - - add "127.0.0.1" to the local access list in mod_status.conf, - because on some systems "localhost" seems to resolve only to IPv6 - localhost - - /etc/init.d/apache2: implement restart-graceful, stop-graceful - - fix graceful-restart. Wait until the pidfile is gone, but don't - wait for the parent to disappear. It stays there, after closing - the listen ports. - - don't configure in maintainer-mode. It not only enables compile - time warnings, but also adds AP_DEBUG into the mix which causes - enablement of debug code which is not wanted in production - builds. - - drop obsolete patches mod_dbd.c-issue18989-autoconnect.dif and - mod_dbd.c-r571441, as the 2.2.8 mod_dbd is just fine. 
+- fix build on Mandriva 2007, by escaping commented %build macro +- make filelist of man pages independant of the compression method + (gz, bz2, lzma) ------------------------------------------------------------------- -Tue Apr 1 16:05:07 CEST 2008 - mkoenig@suse.de +Fri Apr 18 11:55:14 CEST 2008 - poeml@suse.de -- remove dir /usr/share/omc/svcinfo.d as it is provided now - by filesystem +- fix from Factory: + - remove dir /usr/share/omc/svcinfo.d as it is provided now + by filesystem +- remove obsolete httpd-2.2.x.doublefree.patch file, which isn't + used since quite some time since the issue is resolved. ------------------------------------------------------------------- -Fri Mar 14 15:28:13 CET 2008 - skh@suse.de +Thu Apr 17 17:58:02 CEST 2008 - poeml@suse.de -- update to upstream 2.2.8 --> see CHANGES in package for details -- removed obsolete patches: - - apache2-mod_cache-CVE-2007-1863.patch - - apache2-mod_status-CVE-2006-5752.patch - - httpd-2.2.4-mod_autoindex-charset-r570962.patch - - httpd-2.2.x.doublefree.patch +- new implementation of sysconf_addword, using sed instead of ed. + Moving it from the -utils subpackage into the parent package, + where it's actually needed. If sysconf_addword is already present + in the system, it is preferred (by PATH). That's because the tool + has been integrated into aaa_base.rpm with openSUSE 11.0. + Removing the requires on the ed package. [bnc#377131] ------------------------------------------------------------------- -Thu Dec 13 16:58:03 CET 2007 - ro@suse.de +Wed Mar 12 14:29:04 CET 2008 - poeml@suse.de -- remove sysconf_addword, now in aaa_base (#328599) +- require ed package, since ed is needed by sysconf_addword, which + in turn is used by a2enmod/a2enflag ------------------------------------------------------------------- -Mon Oct 22 17:38:19 CEST 2007 - sbrabec@suse.cz +Fri Feb 29 14:06:52 CET 2008 - poeml@suse.de -- Use correct SuSEfirewall2 rule directory. 
+- better documentation how to enable SSL in /etc/sysconfig/apache2 +- quickstart readme: the link to the openSUSE wiki is about to move + +------------------------------------------------------------------- +Tue Feb 19 13:14:45 CET 2008 - poeml@suse.de + +- add "127.0.0.1" to the local access list in mod_status.conf, + because on some systems "localhost" seems to resolve only to IPv6 + localhost + +------------------------------------------------------------------- +Sat Feb 2 05:37:34 CET 2008 - crrodriguez@suse.de + +- upstream 2.2.8 + SECURITY: CVE-2007-6421 (cve.mitre.org) + mod_proxy_balancer: Correctly escape the worker route and the worker + redirect string in the HTML output of the balancer manager. + Reported by SecurityReason. + SECURITY: CVE-2007-6422 (cve.mitre.org) + Prevent crash in balancer manager if invalid balancer name is passed + as parameter. Reported by SecurityReason. + SECURITY: CVE-2007-6388 (cve.mitre.org) + mod_status: Ensure refresh parameter is numeric to prevent + a possible XSS attack caused by redirecting to other URLs. + Reported by SecurityReason. + SECURITY: CVE-2007-5000 (cve.mitre.org) + mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. + SECURITY: CVE-2008-0005 (cve.mitre.org) + Introduce the ProxyFtpDirCharset directive, allowing the administrator + to identify a default, or specific servers or paths which list their + contents in other-than ISO-8859-1 charset (e.g. utf-8). + mod_autoindex: + - Generate valid XHTML output by adding the xhtml namespace. PR 43649 + mod_charset_lite: + - Don't crash when the request has no associated filename. + mod_dav: + - Fix evaluation of If-Match * and If-None-Match * conditionals. PR 38034 + - Adjust etag generation to produce identical results on 32-bit + and 64-bit platforms and avoid a regression with conditional PUT's on lock + and etag. PR 44152. + mod_deflate: + - initialise inflate-out filter correctly when the first brigade + contains no data buckets. 
PR 43512 + mod_disk_cache: + - Delete temporary files if they cannot be renamed to their final + name. + mod_filter: + - Don't segfault on (unsupported) chained FilterProvider usage. PR 43956 + mod_include: + - Add an "if" directive syntax to test whether an URL is + accessible, and if so, conditionally display content. This + allows a webmaster to hide a link to a private page when the + user has no access to that page. + mod_ldap: + - Try to establish a new backend LDAP connection when the + Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. + after the LDAP server has closed the connection due to a + timeout. PR 39095 + - Give callers a reference to data copied into the request pool + instead of references directly into the cache PR 43786 + - Stop passing a reference to pconf around for (limited) use + during request processing, avoiding possible memory corruption + and crashes. + mod_proxy: + - Canonicalisation improvements. Add "nocanon" keyword to + ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also, + don't escape/unescape forward-proxied URLs. PR 41798, 42592 + - Don't by default violate RFC2616 by setting Max-Forwards when + the client didn't send it to us. Leave that as a + configuration option. PR 16137 + - Fix persistent backend connections. PR 43472 + - escape error-notes correctly PR 40952 + - check ProxyBlock for all blocked addresses PR 36987 + - Don't lose bytes when a response line arrives in small chunks. + PR 40894 + mod_proxy_ajp: + - Use 64K as maximum AJP packet size. This is the maximum length + we can squeeze inside the AJP message packet. + - Ignore any ajp13 flush packets received before we send the + response headers. See Tomcat PR 43478. + - Differentiate within AJP between GET and HEAD requests. PR 43060 + mod_proxy_balancer: + - Do not reset lbstatus, lbfactor and lbset when starting a new + child. 
PR 39907 + mod_proxy_http: + - Remove Warning headers with wrong date PR 16138 + - Correctly parse all Connection headers in proxy. PR 43509 + - add Via header correctly (if enabled) to response, even where + other Via headers exist. PR 19439 + - Correctly forward unexpected interim (HTTP 1xx) responses from + the backend according to RFC2616. But make it configurable in + case something breaks on it. PR 16518 + - strip hop-by-hop response headers PR 43455 + - Propagate Proxy-Authorization header correctly. PR 25947 + - Don't segfault on bad line in FTP listing PR 40733 + mod_rewrite: + - Add option to suppress URL unescaping PR 34602 + - Add the novary flag to RewriteCond. + mod_substitute: + - Added a new output filter, which performs inline response + content pattern matching (including regex) and substitution. + mod_ssl: + - Fix handling of the buffered request body during a per-location + renegotiation, when an internal redirect occurs. PR 43738. + - Fix SSL client certificate extensions parsing bug. PR 44073. + - Prevent memory corruption of version string. PR 43865, 43334 + mod_status: + - Add SeeRequestTail directive, which determines if + ExtendedStatus displays the 1st 63 characters of the request + or the last 63. Useful for those requests with large string + lengths and which only vary with the last several characters. + event MPM: + - Add support for running under mod_ssl, by reverting to the + Worker MPM behaviors, when run under an input filter that buffers + its own data. + core: + - Fix regression in 2.2.7 in chunk filtering with massively + chunked requests. + - Lower memory consumption of ap_r* functions by reusing the + brigade instead of recreating it during each filter pass. + - Lower memory consumption in case that flush buckets are passed + thru the chunk filter as last bucket of a brigade. PR 23567. + - Fix broken chunk filtering that causes all non blocking reads + to be converted into blocking reads. PR 19954, 41056. 
+ - Change etag generation to produce identical results on 32-bit + and 64-bit platforms. PR 40064. + - Handle unrecognised transfer-encodings. PR 43882 + - Avoid some unexpected connection closes by telling the client + that the connection is not persistent if the MPM process + handling the request is already exiting when the response + header is built. + - fix possible crash at startup in case of nonexistent + DocumentRoot. PR 39722 + - http_core: OPTIONS * no longer maps to local storage or URI + space. Note that unlike previous versions, OPTIONS * no longer + returns an Allow: header. PR 43519 + - scoreboard: improve error message on apr_shm_create failure PR + 40037 + - Don't send spurious "100 Continue" response lines. PR 38014 + - http_protocol: + - Escape request method in 413 error reporting. Determined to + be not generally exploitable, but a flaw in any case. PR + 44014 + - Add "DefaultType none" option. PR 13986 and PR 16139 + - Escape request method in 405 error reporting. This has no + security impact since the browser cannot be tricked into + sending arbitrary method strings. + - Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009 + - Add explicit charset to the output of various modules to work + around possible cross-site scripting flaws affecting web + browsers that do not derive the response character set as + required by RFC2616. One of these reported by SecurityReason + - rotatelogs: Change command-line parsing to report more types + of errors. Allow local timestamps to be used when rotating based + on file size. + +------------------------------------------------------------------- +Wed Sep 12 20:11:37 CEST 2007 - poeml@suse.de + +- fix graceful-restart. Wait until the pidfile is gone, but don't + wait for the parent to disappear. It stays there, after closing + the listen ports. 
+ +------------------------------------------------------------------- +Wed Sep 12 15:49:15 CEST 2007 - poeml@suse.de + +- use debug_package macro only on suse, because it breaks the build + on Mandriva + +------------------------------------------------------------------- +Wed Sep 12 13:41:16 CEST 2007 - poeml@suse.de + +- don't configure in maintainer-mode. It not only enables compile + time warnings, but also adds AP_DEBUG into the mix which causes + enablement of debug code which is not wanted in production + builds. + +------------------------------------------------------------------- +Mon Sep 10 17:32:56 CEST 2007 - poeml@suse.de + +- upstream 2.2.6 + SECURITY: CVE-2007-3847 (cve.mitre.org) + mod_proxy: Prevent reading past the end of a buffer when parsing + date-related headers. PR 41144. + SECURITY: CVE-2007-1863 (cve.mitre.org) + mod_cache: Prevent a segmentation fault if attributes are listed in a + Cache-Control header without any value. + SECURITY: CVE-2007-3304 (cve.mitre.org) + prefork, worker, event MPMs: Ensure that the parent process cannot + be forced to kill processes outside its process group. + SECURITY: CVE-2006-5752 (cve.mitre.org) + mod_status: Fix a possible XSS attack against a site with a public + server-status page and ExtendedStatus enabled, for browsers which + perform charset "detection". Reported by Stefan Esser. + SECURITY: CVE-2007-1862 (cve.mitre.org) + mod_mem_cache: Copy headers into longer lived storage; header names and + values could previously point to cleaned up storage. PR 41551. + mod_alias: + - Accept path components (URL part) in Redirects. PR 35314. + mod_authnz_ldap: + - Don't return HTTP_UNAUTHORIZED during authorization when + LDAP authentication is configured but we haven't seen any + 'Require ldap-*' directives, allowing authorization to be passed to lower + level modules (e.g. Require valid-user) PR 43281 + mod_autoindex: + - Add in Type and Charset options to IndexOptions + directive. 
This allows the admin to explicitly set the + content-type and charset of the generated page and is therefore + a viable workaround for buggy browsers affected by CVE-2007-4465 + mod_cache: + - Remove expired content from cache that cannot be revalidated. + PR 30370. + - Do not set Date or Expires when they are missing from the + original response or are invalid. + - Correctly handle HEAD requests on expired cache content. PR + 41230. + - Let Cache-Control max-age set the expiration of the cached + representation if Expires is not set. + - Allow caching of requests with query arguments when + Cache-Control max-age is explicitly specified. + - Use the same cache key throughout the whole request processing + to handle escaped URLs correctly. PR 41475. + - Add CacheIgnoreQueryString directive. PR 41484. + - While serving a cached entity ensure that filters that have + been applied to this cached entity before saving it to the + cache are not applied again. PR 40090. + - Correctly cache objects whose URL query string has been + modified by mod_rewrite. PR 40805. + mod_cgi, mod_cgid: + - Fix use of CGI scripts as ErrorDocuments. PR 39710. + mod_dbd: + - Introduce configuration groups to allow inheritance by virtual + hosts of database configurations from the main server. + Determine the minimal set of distinct configurations and share + connection pools whenever possible. Allow virtual hosts to + override inherited SQL statements. PR 41302. + - Create memory sub-pools for each DB connection and close DB + connections in a pool cleanup function. Ensure prepared + statements are destroyed before DB connection is closed. When + using reslists, prevent segfaults when child processes exit, + and stop memory leakage of ap_dbd_t structures. Avoid use of + global s->process->pool, which isn't destroyed by exiting + child processes in most multi-process MPMs. PR 39985. + - Handle error conditions in dbd_construct() properly. 
Simplify + ap_dbd_open() and use correct arguments to apr_dbd_error() + when non-threaded. Register correct cleanup data in + non-threaded ap_dbd_acquire() and ap_dbd_cacquire(). Clean up + configuration data and merge function. Use ap_log_error() + wherever possible. + - Stash DBD connections in request_config of initial request + only, or else sub-requests and internal redirections may cause + entire DBD pool to be stashed in a single HTTP request. + mod_deflate: + - don't try to process metadata buckets as data. what should + have been a 413 error was logged as a 500 and a blank screen + appeared at the browser. + - fix protocol handling in deflate input filter PR 23287 + mod_disk_cache: + - Allow Vary'd responses to be refreshed properly. + mod_dumpio: + - Fix for correct dumping of traffic on EBCDIC hosts Data had + been incorrectly converted twice, resulting in garbled log + output. + mod_expires: + - don't crash on bad configuration data PR 43213 + mod_filter: + - fix integer comparisons in dispatch rules PR 41835 + - fix merging of ! and = in FilterChain PR 42186 + mod_headers: + - Allow % at the end of a Header value. PR 36609. + mod_info: + - mod_info outputs invalid XHTML 1.0 transitional. PR 42847 + mod_ldap: + - Avoid possible crashes, hangs, and busy loops due to improper + merging of the cache lock in vhost config PR 43164 + mod_ldap: + - Remove the hardcoded size limit parameter for + ldap_search_ext_s and replace it with an APR_ defined value + that is set according to the LDAP SDK being used. + mod_mem_cache: + - Increase the minimum and default value for MCacheMinObjectSize + from 0 to 1, as a MCacheMinObjectSize of 0 does not make sense + and leads to a division by zero. PR 40576. + mod_negotiation: + - preserve Query String in resolving a type map PR 33112 + mod_proxy: + - mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as + synonymous. 
PR 43183 + - Ensure that at least scheme://hostname[:port] matches between + worker and URL when searching for the best fitting worker for + a given URL. PR 40910 + - Improve network performance by setting APR_TCP_NODELAY + (disable Nagle algorithm) on sockets if implemented. PR 42871 + - Add a missing assignment in an error checking code path. PR 40865 + - don't URLencode tilde in path component PR 38448 + - enable Ignore Errors option on ProxyPass Status. PR 43167 + - Allow to use different values for sessionid in url encoded id + and cookies. PR 41897. + - Fix the 503 returned when session route does not match any of + the balancer members. + - Added ProxyPassMatch directive, which is similar to ProxyPass + but takes a regex local path prefix. + - Print the correct error message for erroneous configured + ProxyPass directives. PR 40439. + - Fix some proxy setting inheritance problems (eg: + ProxyTimeout). PR 11540. + - proxy/ajp_header.c: Fixed header token string comparisons + Matching of header tokens failed to include the trailing NIL + byte and could misinterpret a longer header token for a + shorter. Additionally, a "Content-Type" comparison was made + case insensitive. + - proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC + On EBCDIC machines, the status_line string was incorrectly + converted twice. + mod_proxy_connect: + - avoid segfault on DNS lookup failure. PR 40756 + mod_proxy_http: + - HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses + alone. Only processing of error responses (4xx, 5xx) will be + altered. PR 39245. + - Don't try to read body of a HEAD request before responding. PR 41644 + - Handle request bodies larger than 2 GB by converting the + Content-Length header of the request correctly. PR 40883. + mod_ssl: + - Fix spurious hostname mismatch warning for valid wildcard + certificates. PR 37911. 
+ - Version reporting update; displays 'compiled against' Apache + and build-time SSL Library versions at loglevel [info], while + reporting the run-time SSL Library version in the server info + tags. Helps to identify a mod_ssl built against one flavor of + OpenSSL but running against another (also adds SSL-C version + number reporting.) + - initialize thread locks before initializing the hardware + acceleration library, so the latter can make use of the + former. PR 20951. + core: + - Do not replace a Date header set by a proxied backend server. PR 40232 + - log core: ensure we use a special pool for stderr logging, so that + the stderr channel remains valid from the time plog is destroyed, + until the time the open_logs hook is called again. + - main core: Emit errors during the initial apr_app_initialize() + or apr_pool_create() (when apr-based error reporting is not ready). + - log core: fix the new piped logger case where we couldn't connect + the replacement stderr logger's stderr to the NULL stdout stream. + Continue in this case, since the previous alternative of no error + logging at all (/dev/null) is far worse. + - Correct a regression since 2.0.x in the handling of AllowOverride + Options. PR 41829. + - Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory + can work after that terminating signal. + - mod_so: Provide more helpful LoadModule feedback when an error occurs. + misc: + - mime.types: Many updates to sync with IANA registry and common + unregistered types that the owners refuse to register. Admins + are encouraged to update their installed mime.types file. PR: + 35550, 37798, 39317, 31483 + - mime.types: add Registered Javascript/ECMAScript MIME types + (RFC4329) PR 40299 + - htdbm: Enable crypt support on platforms with crypt() but not + , such as z/OS. + - ab.c: Correct behavior of HTTP request headers sent by ab in + presence of -H command-line overrides. PR 31268, 26554. 
+ - ab.c: The apr_port_t type is unsigned, but ab was using a + signed format code in its reports. PR 42070. +- drop obsolete patches apache2-mod_cache-CVE-2007-1863.patch + apache2-mod_status-CVE-2006-5752.patch + httpd-2.2.4-mod_autoindex-charset-r570962.patch + mod_dbd.c-issue18989-autoconnect.dif + mod_dbd.c-r571441 ------------------------------------------------------------------- Mon Sep 3 13:43:22 CEST 2007 - skh@suse.de - get_module_list: replace loadmodule.conf atomically [bnc #214863] +------------------------------------------------------------------- +Sat Sep 1 01:49:37 CEST 2007 - poeml@suse.de + +- /etc/init.d/apache2: implement restart-graceful, stop-graceful + +------------------------------------------------------------------- +Fri Aug 31 14:21:27 CEST 2007 - poeml@suse.de + +- update mod_dbd to trunk version (r571441) + * apr_dbd_check_conn() just returns APR_SUCCESS or + APR_EGENERAL, so we don't actually have a driver-specific value + to pass to apr_dbd_error(), but that's OK because most/all + drivers just ignore this value anyway + ------------------------------------------------------------------- Fri Aug 31 12:37:27 CEST 2007 - poeml@suse.de diff --git a/apache2.spec b/apache2.spec index 49aab93..1f34778 100644 --- a/apache2.spec +++ b/apache2.spec @@ -1,5 +1,5 @@ # -# spec file for package apache2 (Version 2.2.8) +# spec file for package apache2 (Version 2.2.9) # # Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -61,9 +61,9 @@ BuildRequires: expat-devel %define platform_string Linux/%VENDOR License: The Apache Software License Group: Productivity/Networking/Web/Servers -%define realver 2.2.8 -Version: 2.2.8 -Release: 50 +%define realver 2.2.9 +Version: 2.2.9 +Release: 1 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 Source10: SUSE-NOTICE 
@@ -111,12 +111,10 @@ Source131: apache2-vhost-ssl.template
 Source140: apache2-check_forensic
 Source141: apache-20-22-upgrade
 Patch2: httpd-2.1.3alpha-layout.dif
-Patch10: httpd-2.1.3alpha-autoconf-2.59.dif
 Patch23: httpd-2.1.9-apachectl.dif
 Patch65: httpd-2.0.49-log_server_status.dif
 Patch66: httpd-2.0.54-envvars.dif
 Patch67: httpd-2.2.0-apxs-a2enmod.dif
-Patch68: httpd-2.2.x-CVE-2008-1678.patch
 Url: http://httpd.apache.org/
 Icon: Apache.xpm
 Summary: The Apache Web Server Version 2.0
@@ -322,9 +320,6 @@ Authors:
 --------
 Too many to list here -- see /usr/share/doc/packages/apache2/ABOUT_APACHE
-%if 0%{?opensuse_bs}
-%endif
-
 %prep
 #
 # O/ ._ .__ ._
@@ -333,12 +328,10 @@ Authors:
 #
 %setup -q -n httpd-%{realver}
 %patch2 -p1
-%patch10 -p1
 %patch23 -p1
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
-%patch68 -p3
 #
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 #
@@ -351,8 +344,14 @@ sed 's/public_html/%{userdir}/g' docs/conf/extra/httpd-userdir.conf.in > tmp_fil
 #
 # now configure Apache
 #
+%if 0%{?suse_version} > 910
 aclocal
 autoreconf --force --install
+%else
+rm -rf aclocal.m4 autom4te*.cache
+autoheader
+autoconf
+%endif
 %build
 #
@@ -361,9 +360,6 @@ autoreconf --force --install
 #
 function configure {
 CFLAGS="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing -DLDAP_DEPRECATED" \
-%if 0%{?opensuse_bs}
- CFLAGS="$CFLAGS -g"
-%endif
 CPPFLAGS="-DSSL_EXPERIMENTAL_ENGINE -DMAX_SERVER_LIMIT=200000 -DLDAP_DEPRECATED -DMAXLINE=4096" \
 ./configure \
 --enable-layout=SuSE81%(test "%_lib" = lib64 && echo -n _64) \
@@ -450,9 +446,6 @@ for mpm in %{mpms_to_build}; do
 make CFLAGS="$RPM_OPT_FLAGS -fPIC \
 -fno-strict-aliasing \
 -Wall \
-%if 0%{?opensuse_bs}
- -g \
-%endif
 -DDEFAULT_PIDLOG='\"%{runtimedir}/%{httpd}.pid\"' \
 -DDEFAULT_ERRORLOG='\"%{logfiledir}/error_log\"' " \
 %{?jobs:-j%jobs}
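Review bot: The `%else` branch of the new `%if 0%{?suse_version} > 910` in the configure-preparation hunk is not only the SLES9 path the changelog describes: on a non-SUSE target (the changelog mentions building on Mandriva 2007) `%{?suse_version}` expands to nothing, so `0 > 910` is false and those builds also take the `rm -rf aclocal.m4 autom4te*.cache` / `autoheader` / `autoconf` path. That is presumably intended, but the spec should say so, e.g. `# SLES9 and non-SUSE targets (suse_version unset): no autoreconf, just regenerate configure`. A second comment explaining why `aclocal.m4` and the autom4te cache are deleted before running autoconf would spare the next maintainer from guessing; the `rm -rf` itself only touches the unpacked %setup tree, so it is harmless. The %prep section this hunk sits in starts outside the hunk.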
@@ -532,7 +525,7 @@ done # /O || |_> |_(_||| # # -# (most installation (to build root) has already been done in %build) +# (most installation (to build root) has already been done in %%build) # # save MODULE_MAGIC_NUMBER cat > $RPM_BUILD_ROOT/%{_libdir}/%{pname}_MMN <<-EOF @@ -787,10 +780,10 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original . %doc support/SHA1 %doc %attr(755,root,root) certificate.sh %doc %attr(755,root,root) mkcert.sh -%doc %{_mandir}/man8/apachectl%{vers}.8.gz -%doc %{_mandir}/man8/htcacheclean%{vers}.8.gz -%doc %{_mandir}/man8/%{httpd}.8.gz -%doc %{_mandir}/man8/apxs%{vers}.8.gz +%doc %{_mandir}/man8/apachectl%{vers}.8.* +%doc %{_mandir}/man8/htcacheclean%{vers}.8.* +%doc %{_mandir}/man8/%{httpd}.8.* +%doc %{_mandir}/man8/apxs%{vers}.8.* %doc robots.txt %doc printenv %doc test-cgi @@ -906,14 +899,14 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original . %files utils %defattr(-,root,root) -%doc %{_mandir}/man8/ab%{vers}.8.gz -%doc %{_mandir}/man1/dbmmanage%{vers}.1.gz -%doc %{_mandir}/man1/htdbm%{vers}.1.gz -%doc %{_mandir}/man1/htdigest%{vers}.1.gz -%doc %{_mandir}/man1/htpasswd%{vers}.1.gz -%doc %{_mandir}/man8/logresolve%{vers}.8.gz -%doc %{_mandir}/man8/rotatelogs%{vers}.8.gz -%doc %{_mandir}/man8/suexec%{vers}.8.gz +%doc %{_mandir}/man8/ab%{vers}.8.* +%doc %{_mandir}/man1/dbmmanage%{vers}.1.* +%doc %{_mandir}/man1/htdbm%{vers}.1.* +%doc %{_mandir}/man1/htdigest%{vers}.1.* +%doc %{_mandir}/man1/htpasswd%{vers}.1.* +%doc %{_mandir}/man8/logresolve%{vers}.8.* +%doc %{_mandir}/man8/rotatelogs%{vers}.8.* +%doc %{_mandir}/man8/suexec%{vers}.8.* %{_bindir}/check_forensic%{vers} %{_bindir}/dbmmanage%{vers} %{_bindir}/gensslcert 
@@ -987,23 +980,11 @@ usermod -g %httpdgroup %httpduser 2>/dev/null ||: usermod -s /bin/false %httpduser 2>/dev/null ||: tmpdir=$(mktemp -d etc/%{pname}/%{pname}-post.XXXXXX); test $? = 0 || { echo >&2 Could not create tmpdir. Exiting; exit 1; } tmpfile=$tmpdir/tmpfile -RC_CONFIG=etc/rc.config -if [ -e $RC_CONFIG ]; then - . $RC_CONFIG - if [ "$START_HTTPD" = no -a "$START_HTTPSD" = yes ]; then - echo -n "removing obsolete START_HTTPSD from etc/rc.config ..." - sed -e 's+START_HTTPD=.*+START_HTTPD=yes+' \ - -e 's+START_HTTPSD=.*++' $RC_CONFIG > $tmpfile \ - && cp $tmpfile $RC_CONFIG - echo "done" - fi -fi if test -s etc/sysconfig/%{pname} && grep -q "^LOADMODULES" etc/sysconfig/%{pname}; then sed "s/LOADMODULES/APACHE_MODULES/" etc/sysconfig/%{pname} >| $tmpfile \ && cp $tmpfile etc/sysconfig/%{pname} fi -%{fillup_and_insserv -n apache2 apache2} -%{fillup_only -ans apache2 apache2} +%{fillup_and_insserv apache2} # Update ? if [ ${FIRST_ARG:-0} -gt 1 ]; then # update from package with the old near-monolithic conf file? 
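Review bot: The single `%{fillup_and_insserv apache2}` that replaces `%{fillup_and_insserv -n apache2 apache2}` and `%{fillup_only -ans apache2 apache2}` changes what the scriptlet asks of the macro, not just which flags it passes, and nothing in the hunk records what the dropped `-n` and `-ans` selected; if `-n` previously kept the init script from being enabled on a fresh install, the new call may enable the web server by default, which widens the host's exposure without the changelog saying so. A short comment above the call, e.g. `# fills in the sysconfig template and registers the init script; confirm with chkconfig --list apache2 whether the service is enabled on a fresh install`, plus that check on a test install, would settle it. The remaining `sed ... >| $tmpfile && cp $tmpfile etc/sysconfig/%{pname}` still goes through a scratch file created with `mktemp -d` under `etc/%{pname}`; the %post body continues outside the hunk, so I cannot see whether `$tmpdir` is removed afterwards.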
@@ -1040,10 +1021,156 @@ if ! test -f /.buildenv; then fi %changelog -* Thu Aug 28 2008 ro@suse.de -- remove deprecated options from fillup and insserv call -* Mon Aug 25 2008 ro@suse.de -- initscript: copy Should-Start to Should-Stop to fix build +* Wed Aug 27 2008 poeml@suse.de +- drop rc.config handling (was removed in or after SuSE Linux 8.0) +- don't use fillup_insserv options which have been removed lately +* Fri Aug 15 2008 poeml@suse.de +- fix init script LSB headers +* Wed Jun 25 2008 poeml@suse.de +- add note to /etc/sysconfig/apache2 and /etc/init.d/apache2 about + how to set ulimits when starting the server +- undocument APACHE_BUFFERED_LOGS and APACHE_TIMEOUT in the + sysconfig template. They still work but I think it is good to + keep this stuff out of the beginner's config, first because both + features are sophisticated enough to not being tweaked in most + cases, second because it only confuses people I guess, and makes + the sysconfig file larger than necessary. +* Sun Jun 15 2008 poeml@suse.de +- update to 2.2.9: + SECURITY: CVE-2008-2364 (cve.mitre.org) + mod_proxy_http: Better handling of excessive interim responses + from origin server to prevent potential denial of service and + high memory usage. Reported by Ryujiro Shibuya. + SECURITY: CVE-2007-6420 (cve.mitre.org) + mod_proxy_balancer: Prevent CSRF attacks against the + balancer-manager interface. + - htpasswd: Fix salt generation weakness. PR 31440 + worker/event MPM: + - Fix race condition in pool recycling that leads to + segmentation faults under load. PR 44402 + core: + - Fix address-in-use startup failure on some platforms caused by + creating an IPv4 listener which overlaps with an existing IPv6 + listener. + - Add the filename of the configuration file to the warning + message about the useless use of AllowOverride. PR 39992. + - Do not allow Options ALL if not all options are allowed to be + overwritten. 
PR 44262 + - reinstate location walk to fix config for subrequests PR 41960 + - Fix garbled TRACE response on EBCDIC platforms. + - gen_test_char: add double-quote to the list of + T_HTTP_TOKEN_STOP. PR 9727 + http_filters: + - Don't return 100-continue on redirects. PR 43711 + - Don't return 100-continue on client error PR 43711 + - Don't spin if get an error when reading the next chunk. PR 44381 + - Don't add bogus duplicate Content-Language entries + suexec: + - When group is given as a numeric gid, validate it by looking up + the actual group name such that the name can be used in log entries. + PR 7862 + mod_authn_dbd: + - Disambiguate and tidy database authentication error messages. PR 43210. + mod_cache: + - Handle If-Range correctly if the cached resource was stale. PR 44579 + - Revalidate cache entities which have Cache-Control: no-cache + set in their response headers. PR 44511 + mod_cgid: + - Explicitly set permissions of the socket (ScriptSock) shared + by mod_cgid and request processing threads, for OS'es such as + HPUX and AIX that do not use umask for AF_UNIX socket permissions. + - Don't try to restart the daemon if it fails to initialize the socket. + mod_charset_lite: + - Add TranslateAllMimeTypes sub-option to CharsetOptions, + allowing the administrator to skip the mimetype checking that + precedes translation. + mod_dav: + - Return "method not allowed" if the destination URI of a WebDAV + copy / move operation is no DAV resource. PR 44734 + mod_headers: + - Add 'merge' option to avoid duplicate values within the same header. + mod_include: + - Correctly handle SSI directives split over multiple filter + mod_log_config: + - Add format options for %%p so that the actual local or remote + port can be logged. PR 43415. + mod_logio: + - Provide optional function to allow modules to adjust the + bytes_in count + mod_proxy: + - Make all proxy modules nocanon aware and do not add the + query string again in this case. PR 44803. 
+ - scoreboard: Remove unused proxy load balancer elements from scoreboard + image (not scoreboard memory itself). + - Support environment variable interpolation in reverse + proxying directives. + - Do not try a direct connection if the connection via a + remote proxy failed before and the request has a request body. + - ProxyPassReverse is now balancer aware. + - Lower memory consumption for short lived connections. + PR 44026. + - Keep connections to the backend persistent in the HTTPS case. + mod_proxy_ajp: + - Do not retry request in the case that we either failed to + sent a part of the request body or if the request is not idempotent. + PR 44334 + mod_proxy_ftp: + - Fix base for directory listings. PR 27834 + mod_proxy_http: + - Fix processing of chunked responses if Connection: + Transfer-Encoding is set in the response of the proxied + system. PR 44311 + - Return HTTP status codes instead of apr_status_t values for + errors encountered while forwarding the request body PR 44165 + mod_rewrite: + - Initialize hash needed by ap_register_rewrite_mapfunc early + enough. PR 44641 + - Check all files used by DBM maps for freshness, mod_rewrite + didn't pick up on updated sdbm maps due to this. PR41190 + - Don't canonicalise URLs with [P,NE] PR 43319 + mod_speling: + - remove regression from 1.3/2.0 behavior and drop dependency + between mod_speling and AcceptPathInfo. + mod_ssl: + - Fix a memory leak with connections that have zlib compression + turned on. PR 44975 + mod_substitute: + - The default is now flattening the buckets after each + substitution. The newly added 'q' flag allows for the quicker, + more efficient bucket-splitting if the user so + mod_unique_id: + - Fix timestamp value in UNIQUE_ID. PR 37064 + ab (apache benchmark): + - Include earlier if available since we may need + INT_MAX (defined there on Windows) for the definition of MAX_REQUESTS. 
+ - Improve client performance by clearing connection pool instead + - Don't stop sending a request if EAGAIN is returned, which + will only happen if both the write and subsequent wait are + returning EAGAIN, and count posted bytes correctly when the initial + write of a request is not complete. PR 10038, 38861, 39679 + - Overhaul stats collection and reporting to avoid integer + truncation and time divisions within the test loop, retain + native time resolution until output, remove unused data, + consistently round milliseconds, and generally avoid losing + accuracy of calculation due to type casts. PR 44878, 44931. + - Add -r option to continue after socket receive errors. + - Do not try to read non existing response bodies of HEAD requests. + - Use a 64 bit unsigned int instead of a signed long to count the + rotatelogs: + - Log the current file size and error code/description when + failing to write to the log file. + - Added '-f' option to force rotatelogs to create the logfile as + soon as started, and not wait until it reads the first entry. + - Don't leak memory when reopening the logfile. PR 40183 + - Improve atomicity when using -l and cleaup code. PR 44004 +- drop obsolete patches httpd-2.1.3alpha-autoconf-2.59.dif + httpd-2.2.x-CVE-2008-1678.patch +- don't run autoreconf on SLES9 +- remove the addition of -g to the CFLAGS, since the build service + handles debuginfo packages now +* Mon Jun 09 2008 poeml@suse.de +- build service supports the debuginfo flag in metadata now; remove + debug_package macro from the specfile therefore. * Mon May 26 2008 skh@suse.de - CVE-2008-1678: modules/ssl/mod_ssl.c (ssl_cleanup_pre_config): Remove the call to CRYPTO_cleanup_all_ex_data here, fixing a 
@@ -1051,45 +1178,388 @@ fi support for a compression algorithm in the initial handshake, and mod_ssl is linked against OpenSSL >= 0.9.8f. [bnc#392096] httpd-2.2.x-CVE-2008-1678.patch +* Thu May 15 2008 poeml@suse.de +- fix build on Mandriva 2007, by escaping commented %%build macro +- make filelist of man pages independant of the compression method + (gz, bz2, lzma) * Fri Apr 18 2008 poeml@suse.de -- sync up with changes from Build Service: - - new implementation of sysconf_addword, using sed instead of ed. +- fix from Factory: + - remove dir /usr/share/omc/svcinfo.d as it is provided now + by filesystem +- remove obsolete httpd-2.2.x.doublefree.patch file, which isn't + used since quite some time since the issue is resolved. +* Thu Apr 17 2008 poeml@suse.de +- new implementation of sysconf_addword, using sed instead of ed. Moving it from the -utils subpackage into the parent package, where it's actually needed. If sysconf_addword is already present in the system, it is preferred (by PATH). That's because the tool has been integrated into aaa_base.rpm with openSUSE 11.0. Removing the requires on the ed package. [bnc#377131] - - better documentation how to enable SSL in /etc/sysconfig/apache2 - - quickstart readme: the link to the openSUSE wiki is about to move - - add "127.0.0.1" to the local access list in mod_status.conf, +* Wed Mar 12 2008 poeml@suse.de +- require ed package, since ed is needed by sysconf_addword, which + in turn is used by a2enmod/a2enflag +* Fri Feb 29 2008 poeml@suse.de +- better documentation how to enable SSL in /etc/sysconfig/apache2 +- quickstart readme: the link to the openSUSE wiki is about to move +* Tue Feb 19 2008 poeml@suse.de +- add "127.0.0.1" to the local access list in mod_status.conf, because on some systems "localhost" seems to resolve only to IPv6 localhost - - /etc/init.d/apache2: implement restart-graceful, stop-graceful - - fix graceful-restart. 
Wait until the pidfile is gone, but don't +* Sat Feb 02 2008 crrodriguez@suse.de +- upstream 2.2.8 + SECURITY: CVE-2007-6421 (cve.mitre.org) + mod_proxy_balancer: Correctly escape the worker route and the worker + redirect string in the HTML output of the balancer manager. + Reported by SecurityReason. + SECURITY: CVE-2007-6422 (cve.mitre.org) + Prevent crash in balancer manager if invalid balancer name is passed + as parameter. Reported by SecurityReason. + SECURITY: CVE-2007-6388 (cve.mitre.org) + mod_status: Ensure refresh parameter is numeric to prevent + a possible XSS attack caused by redirecting to other URLs. + Reported by SecurityReason. + SECURITY: CVE-2007-5000 (cve.mitre.org) + mod_imagemap: Fix a cross-site scripting issue. Reported by JPCERT. + SECURITY: CVE-2008-0005 (cve.mitre.org) + Introduce the ProxyFtpDirCharset directive, allowing the administrator + to identify a default, or specific servers or paths which list their + contents in other-than ISO-8859-1 charset (e.g. utf-8). + mod_autoindex: + - Generate valid XHTML output by adding the xhtml namespace. PR 43649 + mod_charset_lite: + - Don't crash when the request has no associated filename. + mod_dav: + - Fix evaluation of If-Match * and If-None-Match * conditionals. PR 38034 + - Adjust etag generation to produce identical results on 32-bit + and 64-bit platforms and avoid a regression with conditional PUT's on lock + and etag. PR 44152. + mod_deflate: + - initialise inflate-out filter correctly when the first brigade + contains no data buckets. PR 43512 + mod_disk_cache: + - Delete temporary files if they cannot be renamed to their final + name. + mod_filter: + - Don't segfault on (unsupported) chained FilterProvider usage. PR 43956 + mod_include: + - Add an "if" directive syntax to test whether an URL is + accessible, and if so, conditionally display content. This + allows a webmaster to hide a link to a private page when the + user has no access to that page. 
+ mod_ldap: + - Try to establish a new backend LDAP connection when the + Microsoft LDAP client library returns LDAP_UNAVAILABLE, e.g. + after the LDAP server has closed the connection due to a + timeout. PR 39095 + - Give callers a reference to data copied into the request pool + instead of references directly into the cache PR 43786 + - Stop passing a reference to pconf around for (limited) use + during request processing, avoiding possible memory corruption + and crashes. + mod_proxy: + - Canonicalisation improvements. Add "nocanon" keyword to + ProxyPass, to suppress URI-canonicalisation in a reverse proxy. Also, + don't escape/unescape forward-proxied URLs. PR 41798, 42592 + - Don't by default violate RFC2616 by setting Max-Forwards when + the client didn't send it to us. Leave that as a + configuration option. PR 16137 + - Fix persistent backend connections. PR 43472 + - escape error-notes correctly PR 40952 + - check ProxyBlock for all blocked addresses PR 36987 + - Don't lose bytes when a response line arrives in small chunks. + PR 40894 + mod_proxy_ajp: + - Use 64K as maximum AJP packet size. This is the maximum length + we can squeeze inside the AJP message packet. + - Ignore any ajp13 flush packets received before we send the + response headers. See Tomcat PR 43478. + - Differentiate within AJP between GET and HEAD requests. PR 43060 + mod_proxy_balancer: + - Do not reset lbstatus, lbfactor and lbset when starting a new + child. PR 39907 + mod_proxy_http: + - Remove Warning headers with wrong date PR 16138 + - Correctly parse all Connection headers in proxy. PR 43509 + - add Via header correctly (if enabled) to response, even where + other Via headers exist. PR 19439 + - Correctly forward unexpected interim (HTTP 1xx) responses from + the backend according to RFC2616. But make it configurable in + case something breaks on it. PR 16518 + - strip hop-by-hop response headers PR 43455 + - Propagate Proxy-Authorization header correctly. 
PR 25947 + - Don't segfault on bad line in FTP listing PR 40733 + mod_rewrite: + - Add option to suppress URL unescaping PR 34602 + - Add the novary flag to RewriteCond. + mod_substitute: + - Added a new output filter, which performs inline response + content pattern matching (including regex) and substitution. + mod_ssl: + - Fix handling of the buffered request body during a per-location + renegotiation, when an internal redirect occurs. PR 43738. + - Fix SSL client certificate extensions parsing bug. PR 44073. + - Prevent memory corruption of version string. PR 43865, 43334 + mod_status: + - Add SeeRequestTail directive, which determines if + ExtendedStatus displays the 1st 63 characters of the request + or the last 63. Useful for those requests with large string + lengths and which only vary with the last several characters. + event MPM: + - Add support for running under mod_ssl, by reverting to the + Worker MPM behaviors, when run under an input filter that buffers + its own data. + core: + - Fix regression in 2.2.7 in chunk filtering with massively + chunked requests. + - Lower memory consumption of ap_r* functions by reusing the + brigade instead of recreating it during each filter pass. + - Lower memory consumption in case that flush buckets are passed + thru the chunk filter as last bucket of a brigade. PR 23567. + - Fix broken chunk filtering that causes all non blocking reads + to be converted into blocking reads. PR 19954, 41056. + - Change etag generation to produce identical results on 32-bit + and 64-bit platforms. PR 40064. + - Handle unrecognised transfer-encodings. PR 43882 + - Avoid some unexpected connection closes by telling the client + that the connection is not persistent if the MPM process + handling the request is already exiting when the response + header is built. + - fix possible crash at startup in case of nonexistent + DocumentRoot. PR 39722 + - http_core: OPTIONS * no longer maps to local storage or URI + space. 
Note that unlike previous versions, OPTIONS * no longer + returns an Allow: header. PR 43519 + - scoreboard: improve error message on apr_shm_create failure PR + 40037 + - Don't send spurious "100 Continue" response lines. PR 38014 + - http_protocol: + - Escape request method in 413 error reporting. Determined to + be not generally exploitable, but a flaw in any case. PR + 44014 + - Add "DefaultType none" option. PR 13986 and PR 16139 + - Escape request method in 405 error reporting. This has no + security impact since the browser cannot be tricked into + sending arbitrary method strings. + - Various code cleanups. PR 38699, 39518, 42005, 42006, 42007, 42008, 42009 + - Add explicit charset to the output of various modules to work + around possible cross-site scripting flaws affecting web + browsers that do not derive the response character set as + required by RFC2616. One of these reported by SecurityReason + - rotatelogs: Change command-line parsing to report more types + of errors. Allow local timestamps to be used when rotating based + on file size. +* Wed Sep 12 2007 poeml@suse.de +- fix graceful-restart. Wait until the pidfile is gone, but don't wait for the parent to disappear. It stays there, after closing the listen ports. - - don't configure in maintainer-mode. It not only enables compile +* Wed Sep 12 2007 poeml@suse.de +- use debug_package macro only on suse, because it breaks the build + on Mandriva +* Wed Sep 12 2007 poeml@suse.de +- don't configure in maintainer-mode. It not only enables compile time warnings, but also adds AP_DEBUG into the mix which causes enablement of debug code which is not wanted in production builds. - - drop obsolete patches mod_dbd.c-issue18989-autoconnect.dif and - mod_dbd.c-r571441, as the 2.2.8 mod_dbd is just fine. 
-* Tue Apr 01 2008 mkoenig@suse.de -- remove dir /usr/share/omc/svcinfo.d as it is provided now - by filesystem -* Fri Mar 14 2008 skh@suse.de -- update to upstream 2.2.8 --> see CHANGES in package for details -- removed obsolete patches: - - apache2-mod_cache-CVE-2007-1863.patch - - apache2-mod_status-CVE-2006-5752.patch - - httpd-2.2.4-mod_autoindex-charset-r570962.patch - - httpd-2.2.x.doublefree.patch -* Thu Dec 13 2007 ro@suse.de -- remove sysconf_addword, now in aaa_base (#328599) -* Mon Oct 22 2007 sbrabec@suse.cz -- Use correct SuSEfirewall2 rule directory. +* Mon Sep 10 2007 poeml@suse.de +- upstream 2.2.6 + SECURITY: CVE-2007-3847 (cve.mitre.org) + mod_proxy: Prevent reading past the end of a buffer when parsing + date-related headers. PR 41144. + SECURITY: CVE-2007-1863 (cve.mitre.org) + mod_cache: Prevent a segmentation fault if attributes are listed in a + Cache-Control header without any value. + SECURITY: CVE-2007-3304 (cve.mitre.org) + prefork, worker, event MPMs: Ensure that the parent process cannot + be forced to kill processes outside its process group. + SECURITY: CVE-2006-5752 (cve.mitre.org) + mod_status: Fix a possible XSS attack against a site with a public + server-status page and ExtendedStatus enabled, for browsers which + perform charset "detection". Reported by Stefan Esser. + SECURITY: CVE-2007-1862 (cve.mitre.org) + mod_mem_cache: Copy headers into longer lived storage; header names and + values could previously point to cleaned up storage. PR 41551. + mod_alias: + - Accept path components (URL part) in Redirects. PR 35314. + mod_authnz_ldap: + - Don't return HTTP_UNAUTHORIZED during authorization when + LDAP authentication is configured but we haven't seen any + 'Require ldap-*' directives, allowing authorization to be passed to lower + level modules (e.g. Require valid-user) PR 43281 + mod_autoindex: + - Add in Type and Charset options to IndexOptions + directive. 
This allows the admin to explicitly set the + content-type and charset of the generated page and is therefore + a viable workaround for buggy browsers affected by CVE-2007-4465 + mod_cache: + - Remove expired content from cache that cannot be revalidated. + PR 30370. + - Do not set Date or Expires when they are missing from the + original response or are invalid. + - Correctly handle HEAD requests on expired cache content. PR + 41230. + - Let Cache-Control max-age set the expiration of the cached + representation if Expires is not set. + - Allow caching of requests with query arguments when + Cache-Control max-age is explicitly specified. + - Use the same cache key throughout the whole request processing + to handle escaped URLs correctly. PR 41475. + - Add CacheIgnoreQueryString directive. PR 41484. + - While serving a cached entity ensure that filters that have + been applied to this cached entity before saving it to the + cache are not applied again. PR 40090. + - Correctly cache objects whose URL query string has been + modified by mod_rewrite. PR 40805. + mod_cgi, mod_cgid: + - Fix use of CGI scripts as ErrorDocuments. PR 39710. + mod_dbd: + - Introduce configuration groups to allow inheritance by virtual + hosts of database configurations from the main server. + Determine the minimal set of distinct configurations and share + connection pools whenever possible. Allow virtual hosts to + override inherited SQL statements. PR 41302. + - Create memory sub-pools for each DB connection and close DB + connections in a pool cleanup function. Ensure prepared + statements are destroyed before DB connection is closed. When + using reslists, prevent segfaults when child processes exit, + and stop memory leakage of ap_dbd_t structures. Avoid use of + global s->process->pool, which isn't destroyed by exiting + child processes in most multi-process MPMs. PR 39985. + - Handle error conditions in dbd_construct() properly. 
Simplify + ap_dbd_open() and use correct arguments to apr_dbd_error() + when non-threaded. Register correct cleanup data in + non-threaded ap_dbd_acquire() and ap_dbd_cacquire(). Clean up + configuration data and merge function. Use ap_log_error() + wherever possible. + - Stash DBD connections in request_config of initial request + only, or else sub-requests and internal redirections may cause + entire DBD pool to be stashed in a single HTTP request. + mod_deflate: + - don't try to process metadata buckets as data. what should + have been a 413 error was logged as a 500 and a blank screen + appeared at the browser. + - fix protocol handling in deflate input filter PR 23287 + mod_disk_cache: + - Allow Vary'd responses to be refreshed properly. + mod_dumpio: + - Fix for correct dumping of traffic on EBCDIC hosts Data had + been incorrectly converted twice, resulting in garbled log + output. + mod_expires: + - don't crash on bad configuration data PR 43213 + mod_filter: + - fix integer comparisons in dispatch rules PR 41835 + - fix merging of ! and = in FilterChain PR 42186 + mod_headers: + - Allow %% at the end of a Header value. PR 36609. + mod_info: + - mod_info outputs invalid XHTML 1.0 transitional. PR 42847 + mod_ldap: + - Avoid possible crashes, hangs, and busy loops due to improper + merging of the cache lock in vhost config PR 43164 + mod_ldap: + - Remove the hardcoded size limit parameter for + ldap_search_ext_s and replace it with an APR_ defined value + that is set according to the LDAP SDK being used. + mod_mem_cache: + - Increase the minimum and default value for MCacheMinObjectSize + from 0 to 1, as a MCacheMinObjectSize of 0 does not make sense + and leads to a division by zero. PR 40576. + mod_negotiation: + - preserve Query String in resolving a type map PR 33112 + mod_proxy: + - mod_proxy_http: accept proxy-sendchunked/proxy-sendchunks as + synonymous. 
PR 43183 + - Ensure that at least scheme://hostname[:port] matches between + worker and URL when searching for the best fitting worker for + a given URL. PR 40910 + - Improve network performance by setting APR_TCP_NODELAY + (disable Nagle algorithm) on sockets if implemented. PR 42871 + - Add a missing assignment in an error checking code path. PR 40865 + - don't URLencode tilde in path component PR 38448 + - enable Ignore Errors option on ProxyPass Status. PR 43167 + - Allow to use different values for sessionid in url encoded id + and cookies. PR 41897. + - Fix the 503 returned when session route does not match any of + the balancer members. + - Added ProxyPassMatch directive, which is similar to ProxyPass + but takes a regex local path prefix. + - Print the correct error message for erroneous configured + ProxyPass directives. PR 40439. + - Fix some proxy setting inheritance problems (eg: + ProxyTimeout). PR 11540. + - proxy/ajp_header.c: Fixed header token string comparisons + Matching of header tokens failed to include the trailing NIL + byte and could misinterpret a longer header token for a + shorter. Additionally, a "Content-Type" comparison was made + case insensitive. + - proxy/ajp_header.c: Backport of an AJP protocol fix for EBCDIC + On EBCDIC machines, the status_line string was incorrectly + converted twice. + mod_proxy_connect: + - avoid segfault on DNS lookup failure. PR 40756 + mod_proxy_http: + - HTTP proxy ProxyErrorOverride: Leave 1xx and 3xx responses + alone. Only processing of error responses (4xx, 5xx) will be + altered. PR 39245. + - Don't try to read body of a HEAD request before responding. PR 41644 + - Handle request bodies larger than 2 GB by converting the + Content-Length header of the request correctly. PR 40883. + mod_ssl: + - Fix spurious hostname mismatch warning for valid wildcard + certificates. PR 37911. 
+ - Version reporting update; displays 'compiled against' Apache + and build-time SSL Library versions at loglevel [info], while + reporting the run-time SSL Library version in the server info + tags. Helps to identify a mod_ssl built against one flavor of + OpenSSL but running against another (also adds SSL-C version + number reporting.) + - initialize thread locks before initializing the hardware + acceleration library, so the latter can make use of the + former. PR 20951. + core: + - Do not replace a Date header set by a proxied backend server. PR 40232 + - log core: ensure we use a special pool for stderr logging, so that + the stderr channel remains valid from the time plog is destroyed, + until the time the open_logs hook is called again. + - main core: Emit errors during the initial apr_app_initialize() + or apr_pool_create() (when apr-based error reporting is not ready). + - log core: fix the new piped logger case where we couldn't connect + the replacement stderr logger's stderr to the NULL stdout stream. + Continue in this case, since the previous alternative of no error + logging at all (/dev/null) is far worse. + - Correct a regression since 2.0.x in the handling of AllowOverride + Options. PR 41829. + - Unix MPMs: Catch SIGFPE so that exception hooks and CoreDumpDirectory + can work after that terminating signal. + - mod_so: Provide more helpful LoadModule feedback when an error occurs. + misc: + - mime.types: Many updates to sync with IANA registry and common + unregistered types that the owners refuse to register. Admins + are encouraged to update their installed mime.types file. PR: + 35550, 37798, 39317, 31483 + - mime.types: add Registered Javascript/ECMAScript MIME types + (RFC4329) PR 40299 + - htdbm: Enable crypt support on platforms with crypt() but not + , such as z/OS. + - ab.c: Correct behavior of HTTP request headers sent by ab in + presence of -H command-line overrides. PR 31268, 26554. 
+ - ab.c: The apr_port_t type is unsigned, but ab was using a + signed format code in its reports. PR 42070. +- drop obsolete patches apache2-mod_cache-CVE-2007-1863.patch + apache2-mod_status-CVE-2006-5752.patch + httpd-2.2.4-mod_autoindex-charset-r570962.patch + mod_dbd.c-issue18989-autoconnect.dif + mod_dbd.c-r571441 * Mon Sep 03 2007 skh@suse.de - get_module_list: replace loadmodule.conf atomically [bnc #214863] +* Sat Sep 01 2007 poeml@suse.de +- /etc/init.d/apache2: implement restart-graceful, stop-graceful +* Fri Aug 31 2007 poeml@suse.de +- update mod_dbd to trunk version (r571441) + * apr_dbd_check_conn() just returns APR_SUCCESS or + APR_EGENERAL, so we don't actually have a driver-specific value + to pass to apr_dbd_error(), but that's OK because most/all + drivers just ignore this value anyway * Fri Aug 31 2007 poeml@suse.de - replace httpd-2.2.3-AddDirectoryIndexCharset.patch with the upstream solution, httpd-2.2.4-mod_autoindex-charset-r570962.patch [#153557] diff --git a/httpd-2.1.3alpha-autoconf-2.59.dif b/httpd-2.1.3alpha-autoconf-2.59.dif deleted file mode 100644 index 78f398d..0000000 --- a/httpd-2.1.3alpha-autoconf-2.59.dif +++ /dev/null 
@@ -1,396 +0,0 @@ ---- httpd-2.1.3-alpha/acinclude.m4 -+++ httpd-2.1.3-alpha/acinclude.m4 -@@ -4,25 +4,25 @@ - dnl AC_HELP_STRING, so let's try to call it if we can. - dnl Note: this define must be on one line so that it can be properly returned - dnl as the help string. --AC_DEFUN(APACHE_HELP_STRING,[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING($1,$2),[ ]$1 substr([ ],len($1))$2)])dnl -+AC_DEFUN([APACHE_HELP_STRING],[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING($1,$2),[ ]$1 substr([ ],len($1))$2)])dnl - - dnl APACHE_SUBST(VARIABLE) - dnl Makes VARIABLE available in generated files - dnl (do not use @variable@ in Makefiles, but $(variable)) --AC_DEFUN(APACHE_SUBST,[ -+AC_DEFUN([APACHE_SUBST],[ - APACHE_VAR_SUBST="$APACHE_VAR_SUBST $1" - AC_SUBST($1) - ]) - - dnl APACHE_FAST_OUTPUT(FILENAME) - dnl Perform substitutions on FILENAME (Makefiles only) --AC_DEFUN(APACHE_FAST_OUTPUT,[ -+AC_DEFUN([APACHE_FAST_OUTPUT],[ - APACHE_FAST_OUTPUT_FILES="$APACHE_FAST_OUTPUT_FILES $1" - ]) - - dnl APACHE_GEN_CONFIG_VARS - dnl Creates config_vars.mk --AC_DEFUN(APACHE_GEN_CONFIG_VARS,[ -+AC_DEFUN([APACHE_GEN_CONFIG_VARS],[ - APACHE_SUBST(abs_srcdir) - APACHE_SUBST(bindir) - APACHE_SUBST(sbindir) -@@ -109,14 +109,14 @@ - - dnl APACHE_GEN_MAKEFILES - dnl Creates Makefiles --AC_DEFUN(APACHE_GEN_MAKEFILES,[ -+AC_DEFUN([APACHE_GEN_MAKEFILES],[ - $SHELL $srcdir/build/fastgen.sh $srcdir $ac_cv_mkdir_p $BSD_MAKEFILE $APACHE_FAST_OUTPUT_FILES - ]) - - dnl ## APACHE_OUTPUT(file) - dnl ## adds "file" to the list of files generated by AC_OUTPUT - dnl ## This macro can be used several times. 
--AC_DEFUN(APACHE_OUTPUT, [ -+AC_DEFUN([APACHE_OUTPUT], [ - APACHE_OUTPUT_FILES="$APACHE_OUTPUT_FILES $1" - ]) - -@@ -125,7 +125,7 @@ - dnl - dnl If rlim_t is not defined, define it to int - dnl --AC_DEFUN(APACHE_TYPE_RLIM_T, [ -+AC_DEFUN([APACHE_TYPE_RLIM_T], [ - AC_CACHE_CHECK([for rlim_t], ac_cv_type_rlim_t, [ - AC_TRY_COMPILE([ - #include -@@ -143,7 +143,7 @@ - ]) - - dnl APACHE_MODPATH_INIT(modpath) --AC_DEFUN(APACHE_MODPATH_INIT,[ -+AC_DEFUN([APACHE_MODPATH_INIT],[ - current_dir=$1 - modpath_current=modules/$1 - modpath_static= -@@ -152,7 +152,7 @@ - > $modpath_current/modules.mk - ])dnl - dnl --AC_DEFUN(APACHE_MODPATH_FINISH,[ -+AC_DEFUN([APACHE_MODPATH_FINISH],[ - echo "DISTCLEAN_TARGETS = modules.mk" >> $modpath_current/modules.mk - echo "static = $modpath_static" >> $modpath_current/modules.mk - echo "shared = $modpath_shared" >> $modpath_current/modules.mk -@@ -165,7 +165,7 @@ - ])dnl - dnl - dnl APACHE_MODPATH_ADD(name[, shared[, objects [, ldflags[, libs]]]]) --AC_DEFUN(APACHE_MODPATH_ADD,[ -+AC_DEFUN([APACHE_MODPATH_ADD],[ - if test -z "$3"; then - objects="mod_$1.lo" - else -@@ -209,7 +209,7 @@ - dnl setting. otherwise, fall under the "all" setting. - dnl explicit yes/no always overrides. 
- dnl --AC_DEFUN(APACHE_MODULE,[ -+AC_DEFUN([APACHE_MODULE],[ - AC_MSG_CHECKING(whether to enable mod_$1) - define([optname],[--]ifelse($5,yes,disable,enable)[-]translit($1,_,-))dnl - AC_ARG_ENABLE(translit($1,_,-),APACHE_HELP_STRING(optname(),$2),,enable_$1=ifelse($5,,maybe-all,$5)) -@@ -282,7 +282,7 @@ - dnl - dnl APACHE_ENABLE_MODULES - dnl --AC_DEFUN(APACHE_ENABLE_MODULES,[ -+AC_DEFUN([APACHE_ENABLE_MODULES],[ - module_selection=default - module_default=yes - -@@ -312,7 +312,7 @@ - ]) - ]) - --AC_DEFUN(APACHE_REQUIRE_CXX,[ -+AC_DEFUN([APACHE_REQUIRE_CXX],[ - if test -z "$apache_cxx_done"; then - AC_PROG_CXX - AC_PROG_CXXCPP -@@ -326,7 +326,7 @@ - dnl Configure for the detected openssl/ssl-c toolkit installation, giving - dnl preference to "--with-ssl=" if it was specified. - dnl --AC_DEFUN(APACHE_CHECK_SSL_TOOLKIT,[ -+AC_DEFUN([APACHE_CHECK_SSL_TOOLKIT],[ - if test "x$ap_ssltk_configured" = "x"; then - dnl initialise the variables we use - ap_ssltk_base="" -@@ -499,14 +499,14 @@ - dnl apache will use while generating scripts like autoconf and apxs and - dnl the default config file. - --AC_DEFUN(APACHE_SUBST_EXPANDED_ARG,[ -+AC_DEFUN([APACHE_SUBST_EXPANDED_ARG],[ - APR_EXPAND_VAR(exp_$1, [$]$1) - APACHE_SUBST(exp_$1) - APR_PATH_RELATIVE(rel_$1, [$]exp_$1, ${prefix}) - APACHE_SUBST(rel_$1) - ]) - --AC_DEFUN(APACHE_EXPORT_ARGUMENTS,[ -+AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[ - APACHE_SUBST_EXPANDED_ARG(exec_prefix) - APACHE_SUBST_EXPANDED_ARG(bindir) - APACHE_SUBST_EXPANDED_ARG(sbindir) ---- httpd-2.1.3-alpha/build/apr_common.m4 -+++ httpd-2.1.3-alpha/build/apr_common.m4 -@@ -22,7 +22,7 @@ - dnl - dnl Saves a snapshot of the configure command-line for later reuse - dnl --AC_DEFUN(APR_CONFIG_NICE,[ -+AC_DEFUN([APR_CONFIG_NICE],[ - rm -f $1 - cat >$1</dev/null 2>&1 -@@ -112,7 +112,7 @@ - dnl Trying to optimize this is left as an exercise to the reader who wants - dnl to put up with more autoconf craziness. I give up. 
- dnl --AC_DEFUN(APR_SUBDIR_CONFIG, [ -+AC_DEFUN([APR_SUBDIR_CONFIG], [ - # save our work to this point; this allows the sub-package to use it - AC_CACHE_SAVE - -@@ -180,7 +180,7 @@ - dnl - dnl Stores the variable (usually a Makefile macro) for later restoration - dnl --AC_DEFUN(APR_SAVE_THE_ENVIRONMENT,[ -+AC_DEFUN([APR_SAVE_THE_ENVIRONMENT],[ - apr_ste_save_$1="$$1" - ])dnl - -@@ -192,7 +192,7 @@ - dnl and restoring the original variable contents. This makes it possible - dnl for a user to override configure when it does something stupid. - dnl --AC_DEFUN(APR_RESTORE_THE_ENVIRONMENT,[ -+AC_DEFUN([APR_RESTORE_THE_ENVIRONMENT],[ - if test "x$apr_ste_save_$1" = "x"; then - $2$1="$$1" - $1= -@@ -216,7 +216,7 @@ - dnl - dnl Set variable iff it's currently null - dnl --AC_DEFUN(APR_SETIFNULL,[ -+AC_DEFUN([APR_SETIFNULL],[ - if test -z "$$1"; then - test "x$silent" != "xyes" && echo " setting $1 to \"$2\"" - $1="$2" -@@ -228,7 +228,7 @@ - dnl - dnl Set variable no matter what - dnl --AC_DEFUN(APR_SETVAR,[ -+AC_DEFUN([APR_SETVAR],[ - test "x$silent" != "xyes" && echo " forcing $1 to \"$2\"" - $1="$2" - ])dnl -@@ -238,7 +238,7 @@ - dnl - dnl Add value to variable - dnl --AC_DEFUN(APR_ADDTO,[ -+AC_DEFUN([APR_ADDTO],[ - if test "x$$1" = "x"; then - test "x$silent" != "xyes" && echo " setting $1 to \"$2\"" - $1="$2" -@@ -265,7 +265,7 @@ - dnl - dnl Remove a value from a variable - dnl --AC_DEFUN(APR_REMOVEFROM,[ -+AC_DEFUN([APR_REMOVEFROM],[ - if test "x$$1" = "x$2"; then - test "x$silent" != "xyes" && echo " nulling $1" - $1="" -@@ -289,7 +289,7 @@ - dnl - dnl APR_CHECK_DEFINE_FILES( symbol, header_file [header_file ...] 
) - dnl --AC_DEFUN(APR_CHECK_DEFINE_FILES,[ -+AC_DEFUN([APR_CHECK_DEFINE_FILES],[ - AC_CACHE_CHECK([for $1 in $2],ac_cv_define_$1,[ - ac_cv_define_$1=no - for curhdr in $2 -@@ -311,7 +311,7 @@ - dnl - dnl APR_CHECK_DEFINE(symbol, header_file) - dnl --AC_DEFUN(APR_CHECK_DEFINE,[ -+AC_DEFUN([APR_CHECK_DEFINE],[ - AC_CACHE_CHECK([for $1 in $2],ac_cv_define_$1,[ - AC_EGREP_CPP(YES_IS_DEFINED, [ - #include <$2> -@@ -328,7 +328,7 @@ - dnl - dnl APR_CHECK_APR_DEFINE( symbol ) - dnl --AC_DEFUN(APR_CHECK_APR_DEFINE,[ -+AC_DEFUN([APR_CHECK_APR_DEFINE],[ - apr_old_cppflags=$CPPFLAGS - CPPFLAGS="$CPPFLAGS $INCLUDES" - AC_EGREP_CPP(YES_IS_DEFINED, [ -@@ -353,7 +353,7 @@ - fi]) - ]) - --define(APR_IFALLYES,[dnl -+define([APR_IFALLYES],[dnl - ac_rc=yes - for ac_spec in $1; do - ac_type=`echo "$ac_spec" | sed -e 's/:.*$//'` -@@ -405,7 +405,7 @@ - ]) - - --define(APR_DECISION_OVERRIDE,[dnl -+define([APR_DECISION_OVERRIDE],[dnl - ac_decision='' - for ac_item in $1; do - eval "ac_decision_this=\$ac_decision_${ac_item}" -@@ -417,13 +417,13 @@ - ]) - - --define(APR_DECISION_FORCE,[dnl -+define([APR_DECISION_FORCE],[dnl - ac_decision="$1" - eval "ac_decision_msg=\"\$ac_decision_${ac_decision}_msg\"" - ]) - - --define(APR_END_DECISION,[dnl -+define([APR_END_DECISION],[dnl - if test ".$ac_decision" = .; then - echo "[$]0:Error: decision on $ac_decision_item failed" 1>&2 - exit 1 -@@ -443,7 +443,7 @@ - dnl A variant of AC_CHECK_SIZEOF which allows the checking of - dnl sizes of non-builtin types - dnl --AC_DEFUN(APR_CHECK_SIZEOF_EXTENDED, -+AC_DEFUN([APR_CHECK_SIZEOF_EXTENDED], - [changequote(<<,>>)dnl - dnl The name to #define - define(<>, translit(sizeof_$2, [a-z *], [A-Z_P]))dnl -@@ -515,7 +515,7 @@ - dnl string. - dnl - dnl --AC_DEFUN(APR_CHECK_STRERROR_R_RC,[ -+AC_DEFUN([APR_CHECK_STRERROR_R_RC],[ - AC_MSG_CHECKING(for type of return code from strerror_r) - AC_TRY_RUN([ - #include -@@ -550,7 +550,7 @@ - dnl structure on this platform. 
Single UNIX Spec says d_ino, - dnl BSD uses d_fileno. Undef to find the real beast. - dnl --AC_DEFUN(APR_CHECK_DIRENT_INODE, [ -+AC_DEFUN([APR_CHECK_DIRENT_INODE], [ - AC_CACHE_CHECK([for inode member of struct dirent], apr_cv_dirent_inode, [ - apr_cv_dirent_inode=no - AC_TRY_COMPILE([ -@@ -588,7 +588,7 @@ - dnl Note that this is worthless without DT_xxx macros, so - dnl look for one while we are at it. - dnl --AC_DEFUN(APR_CHECK_DIRENT_TYPE,[ -+AC_DEFUN([APR_CHECK_DIRENT_TYPE],[ - AC_CACHE_CHECK([for file type member of struct dirent], apr_cv_dirent_type,[ - apr_cv_dirent_type=no - AC_TRY_COMPILE([ -@@ -637,7 +637,7 @@ - dnl all "." and "-" chars. If the 3rd parameter is "yes" then instead of - dnl setting to 1 or 0, we set FLAG-TO-SET to yes or no. - dnl --AC_DEFUN(APR_FLAG_HEADERS,[ -+AC_DEFUN([APR_FLAG_HEADERS],[ - AC_CHECK_HEADERS($1) - for aprt_i in $1 - do -@@ -658,7 +658,7 @@ - dnl is "yes" then instead of setting to 1 or 0, we set FLAG-TO-SET - dnl to yes or no. - dnl --AC_DEFUN(APR_FLAG_FUNCS,[ -+AC_DEFUN([APR_FLAG_FUNCS],[ - AC_CHECK_FUNCS($1) - for aprt_j in $1 - do -@@ -683,7 +683,7 @@ - dnl APR_EXPAND_VAR(fraz, $baz) - dnl $fraz is now "1/2/3" - dnl --AC_DEFUN(APR_EXPAND_VAR,[ -+AC_DEFUN([APR_EXPAND_VAR],[ - ap_last= - ap_cur="$2" - while test "x${ap_cur}" != "x${ap_last}"; -@@ -702,7 +702,7 @@ - dnl orig_path="${prefix}/bar" - dnl APR_PATH_RELATIVE(final_path, $orig_path, $prefix) - dnl $final_path now contains "bar" --AC_DEFUN(APR_PATH_RELATIVE,[ -+AC_DEFUN([APR_PATH_RELATIVE],[ - ap_stripped=`echo $2 | sed -e "s#^$3##"` - # check if the stripping was successful - if test "x$2" != "x${ap_stripped}"; then -@@ -720,12 +720,12 @@ - dnl Note: this define must be on one line so that it can be properly returned - dnl as the help string. 
When using this macro with a multi-line RHS, ensure - dnl that you surround the macro invocation with []s --AC_DEFUN(APR_HELP_STRING,[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING([$1],[$2]),[ ][$1] substr([ ],len($1))[$2])]) -+AC_DEFUN([APR_HELP_STRING],[ifelse(regexp(AC_ACVERSION, 2\.1), -1, AC_HELP_STRING([$1],[$2]),[ ][$1] substr([ ],len($1))[$2])]) - - dnl - dnl APR_LAYOUT(configlayout, layoutname [, extravars]) - dnl --AC_DEFUN(APR_LAYOUT,[ -+AC_DEFUN([APR_LAYOUT],[ - if test ! -f $srcdir/config.layout; then - echo "** Error: Layout file $srcdir/config.layout not found" - echo "** Error: Cannot use undefined layout '$LAYOUT'" -@@ -781,7 +781,7 @@ - dnl - dnl APR_ENABLE_LAYOUT(default layout name [, extra vars]) - dnl --AC_DEFUN(APR_ENABLE_LAYOUT,[ -+AC_DEFUN([APR_ENABLE_LAYOUT],[ - AC_ARG_ENABLE(layout, - [ --enable-layout=LAYOUT],[ - LAYOUT=$enableval -@@ -802,7 +802,7 @@ - dnl a reimplementation of autoconf's argument parser, - dnl used here to allow us to co-exist layouts and argument based - dnl set ups. --AC_DEFUN(APR_PARSE_ARGUMENTS,[ -+AC_DEFUN([APR_PARSE_ARGUMENTS],[ - ac_prev= - for ac_option - do -@@ -924,7 +924,7 @@ - dnl - dnl Determine what program we can use to generate .deps-style dependencies - dnl --AC_DEFUN(APR_CHECK_DEPEND,[ -+AC_DEFUN([APR_CHECK_DEPEND],[ - dnl Try to determine what depend program we can use - dnl All GCC-variants should have -MM. - dnl If not, then we can check on those, too. diff --git a/httpd-2.2.8.tar.bz2 b/httpd-2.2.8.tar.bz2 deleted file mode 100644 index fcab92c..0000000 --- a/httpd-2.2.8.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:2ad8d0db1e478838ba88a0ddaf538c7150027d937b017739fdcb3fabb96ebd39 -size 4799055 diff --git a/httpd-2.2.9.tar.bz2 b/httpd-2.2.9.tar.bz2 new file mode 100644 index 0000000..44efb18 --- /dev/null +++ b/httpd-2.2.9.tar.bz2 
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d76599fbcf8b3bcff2779f880fb10e4a2bc4af60f64232083c06863e40850b61
+size 4943462
diff --git a/httpd-2.2.x-CVE-2008-1678.patch b/httpd-2.2.x-CVE-2008-1678.patch
deleted file mode 100644
index bb97718..0000000
--- a/httpd-2.2.x-CVE-2008-1678.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:16:38 654118
-+++ httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:17:31 654119
-@@ -218,17 +218,18 @@
- #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
- ENGINE_cleanup();
- #endif
--#ifdef HAVE_OPENSSL
--#if OPENSSL_VERSION_NUMBER >= 0x00907001
-- CRYPTO_cleanup_all_ex_data();
--#endif
--#endif
- ERR_remove_state(0);
- 
- /* Don't call ERR_free_strings here; ERR_load_*_strings only
- * actually load the error strings once per process due to static
- * variable abuse in OpenSSL. */
- 
-+ /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
-+ * ex_data indices may have been cached in static variables in
-+ * OpenSSL; removing them may cause havoc. Notably, with OpenSSL
-+ * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
-+ * could result in a per-connection memory leak (!). */
-+ 
- /*
- * TODO: determine somewhere we can safely shove out diagnostics
- * (when enabled) at this late stage in the game:
- 
diff --git a/rc.apache2 b/rc.apache2
index 3f6d06c..4bf710e 100644
--- a/rc.apache2
+++ b/rc.apache2
@@ -12,15 +12,15 @@
 # /etc/init.d/apache2
 #
 ### BEGIN INIT INFO
-# Provides: apache2 httpd2
+# Provides: apache apache2 httpd
 # Required-Start: $local_fs $remote_fs $network
 # Should-Start: $named $time postgresql sendmail mysql ypclient dhcp radiusd
-# Required-Stop: $local_fs $remote_fs $network
 # Should-Stop: $named $time postgresql sendmail mysql ypclient dhcp radiusd
+# Required-Stop: $local_fs $remote_fs $network
 # Default-Start: 3 5
 # Default-Stop: 0 1 2 6
-# Short-Description: Apache 2.2 httpd
-# Description: Start the httpd daemon Apache
+# Short-Description: Apache 2.2 HTTP Server
+# Description: Start the Apache HTTP daemon
 ### END INIT INFO
 
 pname=apache2
@@ -34,6 +34,18 @@ pname=apache2
 #
 # load the configuration
 #
+
+#
+# Note about ulimits:
+# if you want to set ulimits, e.g. to increase the max number of open file handle,
+# or to allow core files, you can do so by editing /etc/sysconfig/apache2 and
+# simply write the ulimit commands into that file.
+# Example:
+# ulimit -n 16384
+# ulimit -H -n 16384
+# ulimit -c unlimited
+# See the output of "help ulimit" in the bash, or "man 1 ulimit".
+#
 test -s /etc/rc.status && . /etc/rc.status && rc_reset
 . /usr/share/$pname/load_configuration
 
diff --git a/sysconfig.apache2 b/sysconfig.apache2
index 4ef8125..41ebd6a 100644
--- a/sysconfig.apache2
+++ b/sysconfig.apache2
@@ -112,6 +112,16 @@ APACHE_SERVER_FLAGS=""
 # (if not set, /etc/apache2/httpd.conf is used.)
 # It is unusual to need to use this setting.
 #
+# Note about ulimits:
+# if you want to set ulimits, e.g. to increase the max number of open file handle,
+# or to allow core files, you can do so by editing /etc/sysconfig/apache2 and
+# simply write the ulimit commands into that file.
+# Example:
+# ulimit -n 16384
+# ulimit -H -n 16384
+# ulimit -c unlimited
+# See the output of "help ulimit" in the bash, or "man 1 ulimit".
+#
 APACHE_HTTPD_CONF=""
 
 ## Type: list(prefork,worker)
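Review bot: The ulimit note added in the `@@ -34,6 +34,18 @@` hunk of rc.apache2 (and repeated verbatim in sysconfig.apache2 at `@@ -112,6 +112,16 @@`) gives `ulimit -c unlimited` as an example without saying what an httpd core file contains: the dumped process image can hold request bodies, credentials and, with mod_ssl loaded, private key material, so the comment should tell the admin to confine dumps to a restricted CoreDumpDirectory and to switch the limit back off once debugging is done. I would add after the example block `# Note: a core file is a copy of the server's memory (request data, keys); point CoreDumpDirectory at a root-only directory and remove "ulimit -c unlimited" again after debugging.` Two wording fixes in the same comment, in both files: `open file handle` should read `open file handles`, and `in the bash` reads better as `in bash`. The commands are presumably executed when the init script sources /etc/sysconfig/apache2 via load_configuration, i.e. as root before the server drops privileges, which is why the hard-limit example `ulimit -H -n 16384` can work at all; stating that in the note would save readers a guess.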
@@ -252,20 +262,4 @@ APACHE_SERVERTOKENS="OS"
 #
 APACHE_EXTENDED_STATUS="off"
 
-## Type: list(on,off)
-## Default: "off"
-## ServiceRestart: apache2
-#
-# Enable buffered logging
-#
-APACHE_BUFFERED_LOGS="off"
-
-## Type: integer
-## Default: 300
-## ServiceReload: apache2
-#
-# Timeout: The number of seconds before receives and sends time out.
-# It is a server wide setting.
-#
-APACHE_TIMEOUT="300"