Accepting request 535888 from Apache

- updated to 2.4.29: *) mod_unique_id: Use output of the PRNG rather than IP address and pid, avoiding sleep() call and possible DNS issues at startup, plus improving randomness for IPv6-only hosts. [Jan Kaluza] *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST is used in a condition that evaluates to true. PR 58231 [Luca Toscano] *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket beams that could lead to assertion failure in edge cases. [Stefan Eissing] *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced in 2.4.28. [Jim Jagielski] *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set. PR 61546. [Lubos Uhliarik <luhliari redhat.com>] *) mod_rewrite: Add support for starting External Rewriting Programs as non-root user on UNIX systems by specifying username and group name as third argument of RewriteMap directive. [Jan Kaluza] *) core: Rewrite the Content-Length filter to avoid excessive memory consumption. Chunked responses will be generated in more cases than in previous releases. PR 61222. [Joe Orton, Ruediger Pluem] *) mod_ssl: Fix SessionTicket callback return value, which does seem to matter with OpenSSL 1.1. [Yann Ylavic] - gensslcert: * set also SAN [bsc#1045159] * drop -C argument, it was not mapped to CN actually * consider also case when hostname does return empty string or does not exist [bsc#1057406] * do not consider environment ROOT variable OBS-URL: https://build.opensuse.org/request/show/535888 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=137
2017-10-23 14:42:00 +00:00
parent 06a8f464b4 fd7f9d1515
commit 6c08d74648
8 changed files with 96 additions and 50 deletions
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,38 @@
+-------------------------------------------------------------------
+Wed Oct 18 09:22:41 UTC 2017 - pgajdos@suse.com
+
+- updated to 2.4.29:
+  *) mod_unique_id: Use output of the PRNG rather than IP address and
+     pid, avoiding sleep() call and possible DNS issues at startup,
+     plus improving randomness for IPv6-only hosts.  [Jan Kaluza]
+  *) mod_rewrite, core: Avoid the 'Vary: Host' response header when HTTP_HOST
+     is used in a condition that evaluates to true. PR 58231 [Luca Toscano]
+  *) mod_http2: v0.10.12, removed optimization for mutex handling in bucket
+     beams that could lead to assertion failure in edge cases.
+     [Stefan Eissing]
+  *) mod_proxy: Fix regression for non decimal loadfactor parameter introduced
+     in 2.4.28.  [Jim Jagielski]
+  *) mod_authz_dbd: fix a segmentation fault if AuthzDBDQuery is not set.
+     PR 61546.  [Lubos Uhliarik <luhliari redhat.com>]
+  *) mod_rewrite: Add support for starting External Rewriting Programs
+     as non-root user on UNIX systems by specifying username and group
+     name as third argument of RewriteMap directive.  [Jan Kaluza]
+  *) core: Rewrite the Content-Length filter to avoid excessive memory
+     consumption. Chunked responses will be generated in more cases
+     than in previous releases.  PR 61222.  [Joe Orton, Ruediger Pluem]
+  *) mod_ssl: Fix SessionTicket callback return value, which does seem to
+     matter with OpenSSL 1.1. [Yann Ylavic]
+
+-------------------------------------------------------------------
+Tue Oct 17 12:41:23 UTC 2017 - pgajdos@suse.com
+
+- gensslcert:
+  * set also SAN [bsc#1045159]
+  * drop -C argument, it was not mapped to CN actually
+  * consider also case when hostname does return empty string or 
+    does not exist [bsc#1057406]
+  * do not consider environment ROOT variable
+
 -------------------------------------------------------------------
 Fri Oct  6 07:45:55 UTC 2017 - pgajdos@suse.com

--- a/apache2.spec
+++ b/apache2.spec
@@ -53,7 +53,7 @@
 %define mods_static unixd
 %endif
 Name:           apache2
-Version:        2.4.28
+Version:        2.4.29
 Release:        0
 Summary:        The Apache Web Server Version 2.4
 License:        Apache-2.0
--- a/69
+++ b/69
@@ -16,7 +16,6 @@ function usage

 	These options are recognized:		Default:

-	-C 	Common name 			"$name"
 	-N	comment				"$comment"
 	-c	country (two letters, e.g. DE)	$C
 	-s	state				$ST
@@ -38,18 +37,23 @@ function myecho { echo $BRIGHT$@$NORMAL; }
 function error { echo $RED$@$NORMAL; }
 function myexit { error something ugly seems to have happened in line $1...; exit $2; }

-r=$ROOT
-. $r/etc/sysconfig/network/config
-FQHOSTNAME=`hostname -f`
-
-fqlength=`echo $FQHOSTNAME|wc -c`
-if [ $fqlength -gt 63 ]; then
-       FQHOSTNAME=`hostname`
+hostname=/usr/bin/hostname
+FQHOSTNAME=""
+if [ -x $hostname ]; then
+    FQHOSTNAME=`$hostname -f 2>/dev/null`
+    # bsc#1035829
+    fqlength=`echo -n $FQHOSTNAME|wc -c`
+    if [ $fqlength -gt 64 ]; then
+        FQHOSTNAME=`$hostname 2>/dev/null`
+    fi
+fi
+# bsc#1057406
+if [ -z $FQHOSTNAME ]; then
+    FQHOSTNAME='localhost'
 fi

 # defaults
  comment="mod_ssl server certificate"
-     name=
        C=XY
       ST=unknown
        L=unknown
@@ -62,7 +66,6 @@ fi

 while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do
    case $OPT in
-        C) name=$OPTARG-;;
        N) comment=$OPTARG;;
        c) C=$OPTARG;;
        s) ST=$OPTARG;;
@@ -81,24 +84,26 @@ done

 GO_LEFT="\033[80D"
 GO_MIDDLE="$GO_LEFT\033[15C"
-for i in comment name C ST L U O CN email srvdays CAdays; do 
+for i in comment C ST L U O CN email srvdays CAdays; do 
 	eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
 done


-openssl=$r/usr/bin/openssl
-sslcrtdir=$r/etc/apache2/ssl.crt
-sslcsrdir=$r/etc/apache2/ssl.csr
-sslkeydir=$r/etc/apache2/ssl.key
-sslprmdir=$r/etc/apache2/ssl.prm
+openssl=/usr/bin/openssl
+sslcrtdir=/etc/apache2/ssl.crt
+sslcsrdir=/etc/apache2/ssl.csr
+sslkeydir=/etc/apache2/ssl.key
+sslprmdir=/etc/apache2/ssl.prm
+
+name="$CN-"

 #
 # CA
 #
 echo;myecho creating CA key ...
-(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)
+(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)

-cat >$r/root/.mkcert.cfg <<EOT
+cat >/root/.mkcert.cfg <<EOT
 [ req ]
 default_bits           = 2048
 default_keyfile        = keyfile.pem
@@ -121,17 +126,17 @@ challengePassword              = $RANDOM$RANDOMA challenge password
 EOT

 echo;myecho creating CA request/certificate ...
-(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)
+(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)

-cp -pv $sslcrtdir/${name}ca.crt $r/srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt
+cp -pv $sslcrtdir/${name}ca.crt /srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt

 #
 # Server CERT
 #
 echo;myecho creating server key ...
-(umask 0377 ; $openssl genrsa -rand $r/etc/rc.config:$r/var/log/messages -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?)
+(umask 0377 ; $openssl genrsa -rand /dev/urandom -out $sslkeydir/${name}server.key 2048 || myexit $LINENO $?)

-cat >$r/root/.mkcert.cfg <<EOT
+cat >/root/.mkcert.cfg <<EOT
 [ req ]
 default_bits           = 2048
 default_keyfile        = keyfile.pem
@@ -139,6 +144,7 @@ distinguished_name     = req_distinguished_name
 attributes             = req_attributes
 prompt                 = no
 output_password        = mypass
+req_extensions         = x509v3

 [ req_distinguished_name ]
 C                      = $C
@@ -149,35 +155,40 @@ OU                     = $U
 CN                     = $CN
 emailAddress           = $email

+[ x509v3 ]
+subjectAltName         = DNS:$CN
+nsComment              = $comment
+nsCertType             = server
+
 [ req_attributes ]
 challengePassword              = $RANDOM$RANDOMA challenge password
 EOT

 echo;myecho creating server request ...
-(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)
+(umask 0377 ; $openssl req -config /root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)


-cat >$r/root/.mkcert.cfg <<EOT
+cat >/root/.mkcert.cfg <<EOT
 extensions = x509v3
 [ x509v3 ]
-subjectAltName   = email:copy
+subjectAltName   = DNS:$CN
 nsComment        = $comment
 nsCertType       = server
 EOT


-test -f $r/root/.mkcert.serial || echo 01 >$r/root/.mkcert.serial
+test -f /root/.mkcert.serial || echo 01 >/root/.mkcert.serial
 myecho "creating server certificate ..."
 (umask 0377 ; $openssl x509 					\
-	-extfile $r/root/.mkcert.cfg 			\
+	-extfile /root/.mkcert.cfg 			\
 	-days $srvdays 				\
-	-CAserial $r/root/.mkcert.serial 		\
+	-CAserial /root/.mkcert.serial 		\
 	-CA $sslcrtdir/${name}ca.crt       	\
 	-CAkey $sslkeydir/${name}ca.key   	\
 	-in $sslcsrdir/${name}server.csr -req 	\
        -out $sslcrtdir/${name}server.crt || myexit $LINENO $?)

-rm -f $r/root/.mkcert.cfg
+rm -f /root/.mkcert.cfg



--- a/httpd-2.4.28.tar.bz2
+++ b/httpd-2.4.28.tar.bz2
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c1197a3a62a4ab5c584ab89b249af38cf28b4adee9c0106b62999fd29f920666
-size 6553163
--- a/httpd-2.4.28.tar.bz2.asc
+++ b/httpd-2.4.28.tar.bz2.asc
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIVAwUAWcjw5zTqduZ5FIWoAQr5EQ/7BXT4HjCD3eUJK9OymmpchCYZL1l4uZNy
-4oywYvn5THhWy4i9+sOxgju4LFQJCUlu/Cmqeh5bZgZIfdCAnxNANiNmtIaL0gum
-in0ZmLYeiJHLT1qkUYUhmUgRXoUTG5GBeHEhKaQUG36aywYlJK/OVRxEA/tqaLPX
-SyaUCHao98E0UjarDvSLwpH1/7KAA8GyknEaZnTXhnyFboEFGRiI2xpkeRM8NhNh
-ASIq0YfndBlneG4uHlsPoWLcFp5HttQ9YdpBo39sbSVLKFlUg9XYK/3n0mh3Xx5Z
-xowVOs2/5gP2sPjmC92ycx3LRlwK7ygw1/Dx/dImuhTtTAL7OG6i1/qFNY1utNCh
-LAddU/on5YQz5beV1LjZip9ef4yBikqBsRUtyu/fQG+EqiszzpxxHf+JfaWXl+hu
-NoFIALVtSEBf8LHT0cvIRWY3Id05nYDpknGiuNxuDIpYc4qdY7yDOa6lPeS3kGzC
-iPFh63B6nhzNudNWCT0YH2mLKGs6szDM4Hwh13Kotva3vus7UWv4O8jFAiSPvO8h
-aNpfy2IMcvjuXBu4oWbuu/X6l0FLZo/LKGzvUDZiG62Z1RCH/zg9f5OiBVIlEIWM
-INe6IsivQOM3DMNJX6U3VZUyx2hN4J5O31bkP4qMoNnHOzA7PD9JX4owirpxy4eZ
-Y2Ywbc9jeBk=
-=kUfO
-----END PGP SIGNATURE-----
--- a/httpd-2.4.29.tar.bz2
+++ b/httpd-2.4.29.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:777753a5a25568a2a27428b2214980564bc1c38c1abf9ccc7630b639991f7f00
+size 6567926
--- a/httpd-2.4.29.tar.bz2.asc
+++ b/httpd-2.4.29.tar.bz2.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIVAwUAWeZRsjTqduZ5FIWoAQpkfBAAmw+wwCpBTWRErxmPss368OSX139b3bYe
+za6+PvbiZghj+K3btOC2pHcov+h6sb6kvsFA0D5f2Bk2oCiBgmN4IJYS3h9mUcNg
+vcGCb0P0rLPneFpHTt3SXFJCahTOwmxW22e8V/y/3pes/6VsVEMJ2Sx1hQcDkkjw
+FPPB5ElXbmLi+3dZnojwwshCGKyza6OVY5CrAHb3/Pr+wSo0RSNgrpA3qsCyhAn7
+f+dLlOc44KLCF8y/grwJRLsM+MHWog+YI0B5e+95alTgcbBvEg3n6RivOCDrkJr2
+trvM10fTBzj5Hs8Gh1yuA46qD6mvRjVm0OzJc7xJTXNmpvByfsQNHoxduI1OrPgq
+rL4rt4wuh8INa5PiD80RLL3o0K69mGzCqVzJJp6/XENiMSgSsesbtaOrw0lOiYwv
+rO/yzzR9WwkiXIQR934lduFfiOrf2A81Q5HpsfLaaP7Ezc5bIPlUVRzK68TPEe+u
+VGvSYqg4umQqCrNh3yX06UBJokB8UxzkOgY8bvvPEkHFv8AlqUKg1bVxkTIZypYL
+e6xnXrM/LQ/UuWo6n+Pb9balieXZg6SfrQ2tQmI2yMIuFhN+fGcXVt1l9miWoNy9
+fjEpLvUxW4HqXjaPEG0xwD/BX+5+uadGVkr2oIbFCeknXZES/fPdrbuC7XpZzYqH
+9trgC1ZLILg=
+=EwOe
+-----END PGP SIGNATURE-----
--- a/sysconfig.apache2
+++ b/sysconfig.apache2
@@ -53,7 +53,7 @@ APACHE_CONF_INCLUDE_DIRS=""
 #   1. Before you can use mod_ssl, you need a server certificate. 
 #      A test certificate can be created by entering e. g.
 #
-#      $ gensslcert -n a.com -C a.com -e webmaster@a.com
+#      $ gensslcert -n a.com
 #
 #      See gensslcert -h for or gensslcert script itself for details.
 #   2. Also, you need to set the ServerName inside the <VirtualHost _default_:443>