Accepting request 408555 from Apache

1 OBS-URL: https://build.opensuse.org/request/show/408555 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=124
2016-07-18 19:23:04 +00:00 · 2016-07-18 19:23:04 +00:00 · 7075d67623
commit 7075d67623
parent 291aac546f 97bf0fc49e
5 changed files with 224 additions and 4 deletions
--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Tue Jul 12 14:49:09 UTC 2016 - kstreitova@suse.com
+
+- add httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
+  Introduces directives to control two protocol options:
+   * HttpContentLengthHeadZero - allow Content-Length of 0 to be
+     returned on HEAD
+   * HttpExpectStrict - allow admin to control whether we must 
+     see "100-continue"
+  [bsc#894225], [fate#317766]
+
+-------------------------------------------------------------------
+Wed Jul  6 16:16:57 UTC 2016 - crrodriguez@opensuse.org
+
+- version 2.4.23 
+*  Fixes CVE-2016-4979 [bsc#987365]
+* mod_proxy_hcheck was missing due to upstream bug.
+* mod_proxy_fdpass needs explicit configure line now.
+* Full list of changes:
+  http://www-eu.apache.org/dist//httpd/CHANGES_2.4.23
+
 -------------------------------------------------------------------
 Thu May 26 08:13:16 UTC 2016 - pgajdos@suse.com

--- a/apache2.spec
+++ b/apache2.spec
@ -51,7 +51,7 @@
 %endif

 Name:           apache2
-Version:        2.4.20
+Version:        2.4.23
 Release:        0
 Summary:        The Apache Web Server Version 2.4
 License:        Apache-2.0
@ -124,6 +124,8 @@ Patch109:       httpd-2.4.3-mod_systemd.patch
 Patch111:       httpd-visibility.patch
 # PATCH-FIX-UPSTREAM marguerite@opensuse.org -- compability for lua 5.2+ https://bz.apache.org/bugzilla/show_bug.cgi?id=58188
 Patch114:       httpd-2.4.12-lua-5.2.patch
+# PATCH-FEATURE-UPSTREAM kstreitova@suse.com -- backport of HttpContentLengthHeadZero and HttpExpectStrict
+Patch115:       httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
 BuildRequires:  apache-rpm-macros-control
 BuildRequires:  automake
 BuildRequires:  db-devel
@ -311,6 +313,7 @@ to administrators of web servers in general.
 %endif
 %patch111 -p1
 %patch114 -p1
+%patch115
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{SOURCE22})
@ -379,6 +382,7 @@ function configure {
 		--enable-proxy-connect \
 		--enable-proxy-ftp \
 		--enable-proxy-http \
+		--enable-proxy-fdpass \
 		--enable-cache \
 		--enable-disk-cache \
 		--enable-mem-cache \
@ -916,6 +920,7 @@ mv %{buildroot}/%{sysconfdir}/original .
 %{_libdir}/%{name}-prefork/mod_proxy_fcgi.so
 %{_libdir}/%{name}-prefork/mod_proxy_fdpass.so
 %{_libdir}/%{name}-prefork/mod_proxy_ftp.so
+%{_libdir}/%{name}-prefork/mod_proxy_hcheck.so
 %{_libdir}/%{name}-prefork/mod_proxy_html.so
 %{_libdir}/%{name}-prefork/mod_proxy_http.so
 %{_libdir}/%{name}-prefork/mod_proxy_scgi.so
@ -1040,6 +1045,7 @@ mv %{buildroot}/%{sysconfdir}/original .
 %{_libdir}/%{name}-worker/mod_proxy_fcgi.so
 %{_libdir}/%{name}-worker/mod_proxy_fdpass.so
 %{_libdir}/%{name}-worker/mod_proxy_ftp.so
+%{_libdir}/%{name}-worker/mod_proxy_hcheck.so
 %{_libdir}/%{name}-worker/mod_proxy_html.so
 %{_libdir}/%{name}-worker/mod_proxy_http.so
 %{_libdir}/%{name}-worker/mod_proxy_scgi.so
@ -1164,6 +1170,7 @@ mv %{buildroot}/%{sysconfdir}/original .
 %{_libdir}/%{name}-event/mod_proxy_fcgi.so
 %{_libdir}/%{name}-event/mod_proxy_fdpass.so
 %{_libdir}/%{name}-event/mod_proxy_ftp.so
+%{_libdir}/%{name}-event/mod_proxy_hcheck.so
 %{_libdir}/%{name}-event/mod_proxy_html.so
 %{_libdir}/%{name}-event/mod_proxy_http.so
 %{_libdir}/%{name}-event/mod_proxy_scgi.so
--- a/httpd-2.4.20.tar.bz2
+++ b/httpd-2.4.20.tar.bz2
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0e76a375ed3dbac636f50ac39de966ece443751fe4d62392f9a360a19d94d0da
-size 6331344
--- a/httpd-2.4.23.tar.bz2
+++ b/httpd-2.4.23.tar.bz2
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58
+size 6351875
--- a/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
+++ b/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
@ -0,0 +1,192 @@
+From 530b5797af919d6d7ab7d6418d9feeb1abb914ae Mon Sep 17 00:00:00 2001
+From: Justin Erenkrantz <jerenkrantz@apache.org>
+Date: Mon, 30 Dec 2013 20:01:14 +0000
+Subject: [PATCH] Add directives to control two protocol options:
+
+ HttpContentLengthHeadZero - allow Content-Length of 0 to be returned on HEAD
+ HttpExpectStrict - allow admin to control whether we must see "100-continue"
+
+This is helpful when using Ceph's radosgw and httpd.
+
+Inspired by: Yehuda Sadeh <yehuda@inktank.com>
+See https://github.com/ceph/apache2/commits/precise
+
+* include/http_core.h
+  (core_server_config): Add http_cl_head_zero and http_expect_strict fields.
+* modules/http/http_filters.c
+  (ap_http_header_filter): Only clear out the C-L if http_cl_head_zero is not
+  explictly set.
+* server/core.c
+  (merge_core_server_configs): Add new fields.
+  (set_cl_head_zero, set_expect_strict): New config helpers.
+  (HttpContentLengthHeadZero, HttpExpectStrict): Declare new directives.
+* server/protocol.c
+  (ap_read_request): Allow http_expect_strict to control if we return 417.
+* include/ap_mmn.h
+  (MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR): Bump.
+* CHANGES: Add a brief description.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1554303 13f79535-47bb-0310-9956-ffa450edef68
+
+Conflicts:
+	CHANGES
+	include/ap_mmn.h
+	include/http_core.h
+	server/core.c
+---
+ CHANGES                     |  3 +++
+ include/ap_mmn.h            |  4 +++-
+ include/http_core.h         |  9 +++++++++
+ modules/http/http_filters.c | 10 +++++++++-
+ server/core.c               | 36 ++++++++++++++++++++++++++++++++++++
+ server/protocol.c           | 25 +++++++++++++++++--------
+ 6 files changed, 77 insertions(+), 10 deletions(-)
+
+Index: include/http_core.h
+===================================================================
+--- include/http_core.h.orig	2016-01-20 15:10:51.651189219 +0100
+++ include/http_core.h	2016-01-20 15:12:18.983188213 +0100
+@@ -694,6 +694,15 @@
+ #define AP_MERGE_TRAILERS_DISABLE  2
+     int merge_trailers;
+ 
+#define AP_HTTP_CL_HEAD_ZERO_UNSET    0
+#define AP_HTTP_CL_HEAD_ZERO_ENABLE   1
+#define AP_HTTP_CL_HEAD_ZERO_DISABLE  2
+    int http_cl_head_zero;
+
+#define AP_HTTP_EXPECT_STRICT_UNSET    0
+#define AP_HTTP_EXPECT_STRICT_ENABLE   1
+#define AP_HTTP_EXPECT_STRICT_DISABLE  2
+    int http_expect_strict;
+ 
+ 
+     apr_array_header_t *protocols;
+Index: modules/http/http_filters.c
+===================================================================
+--- modules/http/http_filters.c.orig	2015-07-08 10:59:36.000000000 +0200
+++ modules/http/http_filters.c	2016-01-20 15:10:51.651189219 +0100
+@@ -1175,6 +1175,7 @@
+     header_filter_ctx *ctx = f->ctx;
+     const char *ctype;
+     ap_bucket_error *eb = NULL;
+    core_server_config *conf;
+ 
+     AP_DEBUG_ASSERT(!r->main);
+ 
+@@ -1315,10 +1316,17 @@
+      * zero C-L to the client.  We can't just remove the C-L filter,
+      * because well behaved 2.0 handlers will send their data down the stack,
+      * and we will compute a real C-L for the head request. RBB
+     *
+     * Allow modification of this behavior through the
+     * HttpContentLengthHeadZero directive.
+     *
+     * The default (unset) behavior is to squelch the C-L in this case.
+      */
+    conf = ap_get_core_module_config(r->server->module_config);
+     if (r->header_only
+         && (clheader = apr_table_get(r->headers_out, "Content-Length"))
+-        && !strcmp(clheader, "0")) {
+        && !strcmp(clheader, "0")
+        && conf->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_ENABLE) {
+         apr_table_unset(r->headers_out, "Content-Length");
+     }
+ 
+Index: server/core.c
+===================================================================
+--- server/core.c.orig	2015-11-19 20:55:25.000000000 +0100
+++ server/core.c	2016-01-20 15:13:29.575187399 +0100
+@@ -503,6 +503,12 @@
+     if (virt->trace_enable != AP_TRACE_UNSET)
+         conf->trace_enable = virt->trace_enable;
+ 
+    if (virt->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_UNSET)
+        conf->http_cl_head_zero = virt->http_cl_head_zero;
+
+    if (virt->http_expect_strict != AP_HTTP_EXPECT_STRICT_UNSET)
+        conf->http_expect_strict = virt->http_expect_strict;
+
+     /* no action for virt->accf_map, not allowed per-vhost */
+ 
+     if (virt->protocol)
+@@ -3756,6 +3762,32 @@
+     return NULL;
+ }
+ 
+static const char *set_cl_head_zero(cmd_parms *cmd, void *dummy, int arg)
+{
+    core_server_config *conf =
+        ap_get_core_module_config(cmd->server->module_config);
+
+    if (arg) {
+        conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_ENABLE;
+    } else {
+        conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_DISABLE;
+    }
+    return NULL;
+}
+
+static const char *set_expect_strict(cmd_parms *cmd, void *dummy, int arg)
+{
+    core_server_config *conf =
+        ap_get_core_module_config(cmd->server->module_config);
+
+    if (arg) {
+        conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_ENABLE;
+    } else {
+        conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_DISABLE;
+    }
+    return NULL;
+}
+
+ static apr_hash_t *errorlog_hash;
+ 
+ static int log_constant_item(const ap_errorlog_info *info, const char *arg,
+@@ -4273,6 +4305,10 @@
+               "'on' (default), 'off' or 'extended' to trace request body content"),
+ AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF,
+               "merge request trailers into request headers or not"),
+AP_INIT_FLAG("HttpContentLengthHeadZero", set_cl_head_zero, NULL, OR_OPTIONS,
+             "whether to permit Content-Length of 0 responses to HEAD requests"),
+AP_INIT_FLAG("HttpExpectStrict", set_expect_strict, NULL, OR_OPTIONS,
+             "whether to return a 417 if a client doesn't send 100-Continue"),
+ AP_INIT_ITERATE("Protocols", set_protocols, NULL, RSRC_CONF,
+                 "Controls which protocols are allowed"),
+ AP_INIT_TAKE1("ProtocolsHonorOrder", set_protocols_honor_order, NULL, RSRC_CONF,
+Index: server/protocol.c
+===================================================================
+--- server/protocol.c.orig	2015-11-26 14:42:42.000000000 +0100
+++ server/protocol.c	2016-01-20 15:10:51.651189219 +0100
+@@ -1144,14 +1144,23 @@
+             r->expecting_100 = 1;
+         }
+         else {
+-            r->status = HTTP_EXPECTATION_FAILED;
+-            ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00570)
+-                          "client sent an unrecognized expectation value of "
+-                          "Expect: %s", expect);
+-            ap_send_error_response(r, 0);
+-            ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+-            ap_run_log_transaction(r);
+-            goto traceout;
+            core_server_config *conf;
+
+            conf = ap_get_core_module_config(r->server->module_config);
+            if (conf->http_expect_strict != AP_HTTP_EXPECT_STRICT_DISABLE) {
+                r->status = HTTP_EXPECTATION_FAILED;
+                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00570)
+                              "client sent an unrecognized expectation value "
+                              "of Expect: %s", expect);
+                ap_send_error_response(r, 0);
+                ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+                ap_run_log_transaction(r);
+                goto traceout;
+            } else {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00570)
+                              "client sent an unrecognized expectation value "
+                              "of Expect (not fatal): %s", expect);
+            }
+         }
+     }
+