From 90508856d0d8e557b7fd69ff969ac218199e42a7f5a7b86da345ace281b6d827 Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Wed, 31 Aug 2011 13:46:57 +0000 Subject: [PATCH] Accepting request 80399 from home:elvigia:branches:Apache - Update to version 2.2.20, fix CVE-2011-3192 mod_deflate D.o.S. - Fix apache PR 45076 - Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage - Add 2 patches from the "low hanging fruit" warnings in apache STATUS page. * mod_deflate: Stop compressing HEAD requests if there is not Content-Length header * mod_reqtimeout: Disable keep-alive after read timeout - Remove -fno-strict-aliasing from CFLAGS, no longer needed. - Allow KeepAliveTimeout to be expressed in miliseconds sometimes one second is too long, upstream r733557. - When linux changes to version 3.x configure tests are gonna break. remove version check, assuming kernel 2.2 or later. OBS-URL: https://build.opensuse.org/request/show/80399 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=334 --- apache2.changes | 43 ++++++++++++++++++++++++++ apache2.spec | 18 +++++++---- httpd-2.2.19-linux3.patch | 17 ++++++++++ httpd-2.2.19.tar.bz2 | 3 -- httpd-2.2.20.tar.bz2 | 3 ++ httpd-keepalivetimeout-millisecs.patch | 20 ++++++++++++ httpd-mod_deflate_head.patch | 23 ++++++++++++++ ssl-mode-release-buffers.patch | 13 ++++++++ 8 files changed, 131 insertions(+), 9 deletions(-) create mode 100644 httpd-2.2.19-linux3.patch delete mode 100644 httpd-2.2.19.tar.bz2 create mode 100644 httpd-2.2.20.tar.bz2 create mode 100644 httpd-keepalivetimeout-millisecs.patch create mode 100644 httpd-mod_deflate_head.patch create mode 100644 ssl-mode-release-buffers.patch diff --git a/apache2.changes b/apache2.changes index dfe28ac..0dcdefd 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Wed Aug 31 12:52:22 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to version 2.2.20, fix CVE-2011-3192
+ mod_deflate D.o.S.
+
+
+-------------------------------------------------------------------
+Fri Aug 5 06:02:35 UTC 2011 - crrodriguez@opensuse.org
+
+- Fix apache PR 45076
+
+-------------------------------------------------------------------
+Sun Jul 17 19:49:55 UTC 2011 - crrodriguez@opensuse.org
+
+- Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage
+
+-------------------------------------------------------------------
+Wed Jun 22 16:12:10 UTC 2011 - crrodriguez@opensuse.org
+
+- Add 2 patches from the "low hanging fruit" warnings in apache
+ STATUS page.
+ * mod_deflate: Stop compressing HEAD requests
+ if there is not Content-Length header
+ * mod_reqtimeout: Disable keep-alive after read timeout
+
+-------------------------------------------------------------------
+Fri Jun 10 00:59:53 UTC 2011 - crrodriguez@opensuse.org
+
+- Remove -fno-strict-aliasing from CFLAGS, no longer needed.
+
+-------------------------------------------------------------------
+Wed Jun 8 19:10:41 UTC 2011 - crrodriguez@opensuse.org
+
+- Allow KeepAliveTimeout to be expressed in miliseconds
+ sometimes one second is too long, upstream r733557.
+
+-------------------------------------------------------------------
+Mon Jun 6 18:16:05 UTC 2011 - crrodriguez@opensuse.org
+
+- When linux changes to version 3.x configure tests are gonna break.
+ remove version check, assuming kernel 2.2 or later.
+
 -------------------------------------------------------------------
 Thu May 26 03:35:05 UTC 2011 - crrodriguez@opensuse.org
diff --git a/apache2.spec b/apache2.spec
index d93f2cc..a40a848 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -67,8 +67,8 @@ BuildRequires: expat-devel %define platform_string Linux/%VENDOR License: ASLv.. Group: Productivity/Networking/Web/Servers -%define realver 2.2.19 -Version: 2.2.19 +%define realver 2.2.20 +Version: 2.2.20 Release: 1 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 @@ -123,6 +123,10 @@ Patch66: httpd-2.0.54-envvars.dif Patch67: httpd-2.2.0-apxs-a2enmod.dif Patch68: httpd-2.x.x-logresolve.patch Patch100: apache2.2-mpm-itk-20090414-00.patch +Patch101: httpd-2.2.19-linux3.patch +Patch102: httpd-keepalivetimeout-millisecs.patch +Patch104: httpd-mod_deflate_head.patch +Patch105: ssl-mode-release-buffers.patch Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.0 @@ -340,6 +344,10 @@ to administrators of web servers in general. %patch67 -p1 %patch68 -p1 %patch100 +%patch101 +%patch102 +%patch104 +%patch105 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # @@ -354,8 +362,7 @@ sed -i -e "s/__DATE__ \" \" __TIME__;/\"$CHANGES\";/" server/buildmark.c # now configure Apache # %if 0%{?suse_version} > 910 -aclocal -autoreconf --force --install +autoreconf -fiv %else rm -rf aclocal.m4 autom4te*.cache autoheader @@ -368,7 +375,7 @@ autoconf # /O |_)|_|||(_| # function configure { - CFLAGS="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing -DLDAP_DEPRECATED" \ + CFLAGS="$RPM_OPT_FLAGS -fPIC -Wall -DLDAP_DEPRECATED" \ CPPFLAGS="-DSSL_EXPERIMENTAL_ENGINE -DMAX_SERVER_LIMIT=200000 -DLDAP_DEPRECATED -DMAXLINE=4096" \ ./configure \ --enable-layout=SuSE81%(test "%_lib" = lib64 && echo -n _64) \ @@ -455,7 +462,6 @@ for mpm in %{mpms_to_build}; do mv include/ap_config_auto.h.new include/ap_config_auto.h make CFLAGS="$RPM_OPT_FLAGS -fPIC \ - -fno-strict-aliasing \ -Wall \ -DDEFAULT_PIDLOG='\"%{runtimedir}/%{httpd}.pid\"' \ -DDEFAULT_ERRORLOG='\"%{logfiledir}/error_log\"' " \ 
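Review bot: The Patch numbering jumps from Patch102 to Patch104, and the changelog hunk in this same commit advertises a mod_reqtimeout "disable keep-alive after read timeout" patch that appears nowhere in the diffstat, so either Patch103 was dropped from the commit or the changelog claims a fix the package does not ship; add the missing Patch103 declaration together with its %patch103 line, or correct the changelog entry. Dropping -fno-strict-aliasing from both CFLAGS lines changes code generation under $RPM_OPT_FLAGS (-O2 enables strict-aliasing optimisations) and the commit gives no upstream reference for "no longer needed"; one build with `-Wstrict-aliasing=2` added to the CFLAGS would show whether httpd still trips the warnings before the flag is relied upon. The %patch101–%patch105 lines apply without -p, which matches the `--- file.orig` / `+++ file` form of the four new patch files, so that part is consistent. The `configure` function and the `for mpm` loop start and end outside the hunk.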
diff --git a/httpd-2.2.19-linux3.patch b/httpd-2.2.19-linux3.patch
new file mode 100644
index 0000000..57ef1c5
--- /dev/null
+++ b/httpd-2.2.19-linux3.patch
@@ -0,0 +1,17 @@
+--- configure.in.orig
++++ configure.in
+@@ -274,13 +274,7 @@ case $host in
+ APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
+ ;;
+ *-linux-*)
+- case `uname -r` in
+- 2.[[2-9]]* )
+- APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
+- ;;
+- * )
+- ;;
+- esac
++ APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
+ ;;
+ *486-*-bsdi* | *-netbsd* | *-freebsd* | *-apple-darwin* | *-dec-osf* | *-qnx)
+ APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
diff --git a/httpd-2.2.19.tar.bz2 b/httpd-2.2.19.tar.bz2
deleted file mode 100644
index 0735f01..0000000
--- a/httpd-2.2.19.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a1c1185371ef6b5bb9dbeaff9cd6d6e82c566f1cb472d247d212245ceacc7f1e
-size 5322082
diff --git a/httpd-2.2.20.tar.bz2 b/httpd-2.2.20.tar.bz2
new file mode 100644
index 0000000..cd5e7bc
--- /dev/null
+++ b/httpd-2.2.20.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ee914855249b09d9cd2e20e98a0ab02f15c270fe277d4a5c9b62975479fc81e
+size 5174611
diff --git a/httpd-keepalivetimeout-millisecs.patch b/httpd-keepalivetimeout-millisecs.patch
new file mode 100644
index 0000000..2970a91
--- /dev/null
+++ b/httpd-keepalivetimeout-millisecs.patch
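Review bot: The replacement sets SINGLE_LISTEN_UNSERIALIZED_ACCEPT unconditionally for the `*-linux-*` arm without leaving any comment, so the next reader sees a one-line case arm with no hint of why the kernel-version test disappeared; add `dnl Linux >= 2.2 is assumed; the former uname -r test did not match 3.x kernels` directly above the APR_SETVAR line. The patch file name still says 2.2.19 although the package now builds 2.2.20, which is cosmetic but will mislead the next rebase. The enclosing `case $host` statement starts and ends outside the hunk.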
@@ -0,0 +1,20 @@
+--- modules/http/http_core.c.orig
++++ modules/http/http_core.c
+@@ -47,12 +47,15 @@ static int ap_process_http_connection(co
+ static const char *set_keep_alive_timeout(cmd_parms *cmd, void *dummy,
+ const char *arg)
+ {
++ apr_interval_time_t timeout;
+ const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT);
+ if (err != NULL) {
+ return err;
+ }
+-
+- cmd->server->keep_alive_timeout = apr_time_from_sec(atoi(arg));
++ /* Stolen from mod_proxy.c */
++ if (ap_timeout_parameter_parse(arg, &timeout, "s") != APR_SUCCESS)
++ return "KeepAliveTimeout has wrong format";
++ cmd->server->keep_alive_timeout = timeout;
+ return NULL;
+ }
+
diff --git a/httpd-mod_deflate_head.patch b/httpd-mod_deflate_head.patch
new file mode 100644
index 0000000..6d4011a
--- /dev/null
+++ b/httpd-mod_deflate_head.patch
@@ -0,0 +1,23 @@
+--- modules/filters/mod_deflate.c.orig
++++ modules/filters/mod_deflate.c
+@@ -582,6 +582,20 @@ static apr_status_t deflate_out_filter(a
+ apr_bucket *b;
+ apr_size_t len;
+
++ /*
++ * Optimization: If we are a HEAD request and bytes_sent is not zero
++ * it means that we have passed the content-length filter once and
++ * have more data to sent. This means that the content-length filter
++ * could not determine our content-length for the response to the
++ * HEAD request anyway (the associated GET request would deliver the
++ * body in chunked encoding) and we can stop compressing.
++ */
++ if (r->header_only && r->bytes_sent) {
++ ap_remove_output_filter(f);
++ return ap_pass_brigade(f->next, bb);
++ }
++
++
+ e = APR_BRIGADE_FIRST(bb);
+
+ if (APR_BUCKET_IS_EOS(e)) {
diff --git a/ssl-mode-release-buffers.patch b/ssl-mode-release-buffers.patch
new file mode 100644
index 0000000..5898966
--- /dev/null
+++ b/ssl-mode-release-buffers.patch
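Review bot: The parsed value is stored into keep_alive_timeout with no range check, so `KeepAliveTimeout -1` is accepted exactly as atoi() accepted it before, unless ap_timeout_parameter_parse rejects negatives itself, which the hunk does not show; since this interval presumably ends up as a socket timeout, where a negative value usually means "block forever", an idle keep-alive client could then hold a worker indefinitely, so add `if (timeout < 0) return "KeepAliveTimeout must be non-negative";` right after the parse. The `/* Stolen from mod_proxy.c */` comment documents nothing for a reader of http_core.c; replace it with `/* Number with optional unit suffix; a bare number is seconds (the "s" default). */`. The function is complete within the hunk.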
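Review bot: The early exit bails out of a filter that, by the comment's own reasoning, has already run at least once when bytes_sent is non-zero, so whatever zlib state lives in f->ctx is abandoned here without a deflateEnd; if that state is released by a pool cleanup registered when the context was created this is fine, but the comment should say so, e.g. add `/* Any zlib state in f->ctx is torn down by its pool cleanup; nothing to flush for HEAD. */` before the ap_remove_output_filter call. The comment also reads "more data to sent" (read: send), and the two consecutive blank lines before `e = APR_BRIGADE_FIRST(bb);` should be one. deflate_out_filter starts and ends outside the hunk.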
@@ -0,0 +1,13 @@
+--- modules/ssl/ssl_engine_init.c.orig
++++ modules/ssl/ssl_engine_init.c
+@@ -482,7 +482,9 @@ static void ssl_init_ctx_protocol(server
+ }
+
+ mctx->ssl_ctx = ctx;
+-
++#ifdef SSL_MODE_RELEASE_BUFFERS
++ SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
++#endif
+ SSL_CTX_set_options(ctx, SSL_OP_ALL);
+
+ if (!(protocol & SSL_PROTOCOL_SSLV2)) {
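Review bot: The new SSL_CTX_set_mode call carries no comment, and SSL_MODE_RELEASE_BUFFERS changes when OpenSSL frees each connection's read/write buffers, so its safety rests entirely on the OpenSSL release mod_ssl is linked against; add `/* Let OpenSSL free idle per-connection I/O buffers (saves memory with many keep-alive connections); only available on OpenSSL builds that define the mode, hence the guard. */` above the #ifdef. The #ifdef only proves the macro existed at build time, and to my knowledge later OpenSSL releases shipped memory-safety fixes for bugs that trigger only with this mode enabled, so the spec should pin a minimum openssl-devel version in BuildRequires and the runtime openssl package should be kept current rather than relying on the guard alone. Placing the call before SSL_CTX_set_options(ctx, SSL_OP_ALL) is fine, as the two calls are independent. ssl_init_ctx_protocol starts and ends outside the hunk.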