From 9b65a485e913959652fbb5d9ad66f6470692c38ee28edfcdde34c879880695a1 Mon Sep 17 00:00:00 2001 From: Marcus Rueckert Date: Thu, 26 May 2011 10:16:29 +0000 Subject: [PATCH 1/6] Accepting request 71347 from home:elvigia:branches:Apache - Update to 2.2.19, only one bugfix. *) Revert ABI breakage in 2.2.18 caused by the function signature change of ap_unescape_url_keep2f(). This release restores the signature from 2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex(). [Eric Covener] - Remove SSLv2 disabled patch, already in upstream. - Update to version 2.2.18 * mod_ssl, ab: Support OpenSSL compiled without SSLv2 support. * core: Treat timeout reading request as 408 error, not 400. * core: Only log a 408 if it is no keepalive timeout. * mod_rewrite: Allow to unset environment variables. * prefork: Update MPM state in children during a graceful restart. * Other fixes in mod_cache,mod_dav,mod_proxy se NEWS for detail. - Fix regular expression in vhost ssl template IE workaround it is obsolete see https://issues.apache.org/bugzilla/show_bug.cgi?id=49484 You should apply this update to fix painfully slow SSL connections when using IE. - Allow usage of an openSSL library compiled without SSlv2 OBS-URL: https://build.opensuse.org/request/show/71347 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=331 --- apache2-vhost-ssl.template | 2 +- apache2.2-mpm-itk-20090414-00.patch | 88 ++++++++++++----------------- apache2.changes | 34 +++++++++++ apache2.spec | 6 +- httpd-2.2.17.tar.bz2 | 3 - httpd-2.2.19.tar.bz2 | 3 + 6 files changed, 76 insertions(+), 60 deletions(-) delete mode 100644 httpd-2.2.17.tar.bz2 create mode 100644 httpd-2.2.19.tar.bz2 diff --git a/apache2-vhost-ssl.template b/apache2-vhost-ssl.template index 4976128..cf4d277 100644 --- a/apache2-vhost-ssl.template +++ b/apache2-vhost-ssl.template 
@@ -182,7 +182,7 @@ # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. - SetEnvIf User-Agent ".*MSIE.*" \ + SetEnvIf User-Agent ".*MSIE [1-5].*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 diff --git a/apache2.2-mpm-itk-20090414-00.patch b/apache2.2-mpm-itk-20090414-00.patch index cdc97cf..f3c17d4 100644 --- a/apache2.2-mpm-itk-20090414-00.patch +++ b/apache2.2-mpm-itk-20090414-00.patch @@ -1,22 +1,20 @@ unchanged: ---- httpd-2.2.11/server/mpm/experimental/itk/Makefile.in 2009-03-17 21:38:54.000000000 +0100 -+++ httpd-2.2.11/server/mpm/experimental/itk/Makefile.in 2009-03-17 21:39:03.000000000 +0100 +--- /dev/null ++++ server/mpm/experimental/itk/Makefile.in @@ -0,0 +1,5 @@ + +LTLIBRARY_NAME = libitk.la +LTLIBRARY_SOURCES = itk.c + +include $(top_srcdir)/build/ltlib.mk -unchanged: ---- httpd-2.2.11/server/mpm/experimental/itk/config.m4 2009-03-17 21:38:53.000000000 +0100 -+++ httpd-2.2.11/server/mpm/experimental/itk/config.m4 2009-03-17 21:39:03.000000000 +0100 +--- /dev/null ++++ server/mpm/experimental/itk/config.m4 @@ -0,0 +1,3 @@ +if test "$MPM_NAME" = "itk" ; then -+ APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile) ++ APACHE_FAST_OUTPUT(server/mpm/$MPM_SUBDIR_NAME/Makefile) +fi -diff -u httpd-2.2.11/server/mpm/experimental/itk/itk.c httpd-2.2.11/server/mpm/experimental/itk/itk.c ---- httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-04-14 23:29:16.000000000 +0200 -+++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-04-14 23:31:05.000000000 +0200 +--- /dev/null ++++ server/mpm/experimental/itk/itk.c @@ -0,0 +1,1740 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with 
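Review bot: The narrowed pattern on the `SetEnvIf User-Agent` line of apache2-vhost-ssl.template still matches any version whose first digit is 1 to 5, because `[1-5]` is followed directly by `.*`. A user agent reporting a two-digit major version such as `MSIE 10.0` would therefore still get `nokeepalive` and the HTTP/1.0 downgrade. Requiring the dot after a single digit keeps the workaround limited to the old clients it was written for: `SetEnvIf User-Agent ".*MSIE [1-5]\..*" \`. The leading and trailing `.*` are redundant for an unanchored match and could be dropped in the same change.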
@@ -1758,9 +1756,8 @@ diff -u httpd-2.2.11/server/mpm/experimental/itk/itk.c httpd-2.2.11/server/mpm/e + itk_cmds, /* command apr_table_t */ + itk_hooks, /* register hooks */ +}; -unchanged: ---- httpd-2.2.11/server/mpm/experimental/itk/mpm.h 2009-03-17 21:39:03.000000000 +0100 -+++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h 2009-03-21 13:02:33.000000000 +0100 +--- /dev/null ++++ server/mpm/experimental/itk/mpm.h @@ -0,0 +1,68 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with @@ -1830,9 +1827,8 @@ unchanged: +extern server_rec *ap_server_conf; +#endif /* APACHE_MPM_ITK_H */ +/** @} */ -unchanged: ---- httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h 2009-03-17 21:39:03.000000000 +0100 -+++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h 2009-03-21 13:02:33.000000000 +0100 +--- /dev/null ++++ server/mpm/experimental/itk/mpm_default.h @@ -0,0 +1,80 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with @@ -1914,19 +1910,18 @@ unchanged: + +#endif /* AP_MPM_DEFAULT_H */ +/** @} */ -unchanged: ---- apache2.2.orig/server/mpm/config.m4 2007-01-29 21:30:26.000000000 +0100 -+++ apache2.2/server/mpm/config.m4 2007-01-29 21:30:35.000000000 +0100 +--- server/mpm/config.m4.orig ++++ server/mpm/config.m4 @@ -1,7 +1,7 @@ AC_MSG_CHECKING(which MPM to use) AC_ARG_WITH(mpm, APACHE_HELP_STRING(--with-mpm=MPM,Choose the process model for Apache to use. -- MPM={beos|event|worker|prefork|mpmt_os2}),[ -+ MPM={beos|event|worker|prefork|mpmt_os2|itk}),[ +- MPM={beos|event|worker|prefork|mpmt_os2|winnt}),[ ++ MPM={beos|event|worker|prefork|mpmt_os2|winnt|itk}),[ APACHE_MPM=$withval ],[ if test "x$APACHE_MPM" = "x"; then -@@ -23,7 +23,7 @@ +@@ -23,7 +23,7 @@ ap_mpm_is_threaded () ap_mpm_is_experimental () { 
@@ -1935,17 +1930,20 @@ unchanged: return 0 else return 1 -unchanged: ---- apache2.2.orig/server/mpm/experimental/itk/config.m4 2007-01-29 21:03:51.000000000 +0100 -+++ apache2.2/server/mpm/experimental/itk/config.m4 2007-01-29 21:03:57.000000000 +0100 -@@ -1,3 +1,3 @@ - if test "$MPM_NAME" = "itk" ; then -- APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile) -+ APACHE_FAST_OUTPUT(server/mpm/$MPM_SUBDIR_NAME/Makefile) +@@ -66,6 +66,11 @@ if ap_mpm_is_experimental; then + else + MPM_SUBDIR_NAME=$MPM_NAME fi -unchanged: ---- httpd-2.2.11/include/http_request.h 2009-03-21 13:03:31.000000000 +0100 -+++ httpd-2.2.11/include/http_request.h 2009-03-21 13:03:41.000000000 +0100 ++ ++if test "$apache_cv_mpm" = "itk" ; then ++ AC_CHECK_LIB(cap, cap_init) ++fi ++ + MPM_DIR=server/mpm/$MPM_SUBDIR_NAME + MPM_LIB=$MPM_DIR/lib${MPM_NAME}.la + +--- include/http_request.h.orig ++++ include/http_request.h @@ -12,6 +12,12 @@ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and @@ -1959,7 +1957,7 @@ unchanged: */ /** -@@ -350,6 +356,15 @@ +@@ -350,6 +356,15 @@ AP_DECLARE_HOOK(int,auth_checker,(reques */ AP_DECLARE_HOOK(void,insert_filter,(request_rec *r)) @@ -1975,9 +1973,8 @@ unchanged: AP_DECLARE(int) ap_location_walk(request_rec *r); AP_DECLARE(int) ap_directory_walk(request_rec *r); AP_DECLARE(int) ap_file_walk(request_rec *r); -unchanged: ---- httpd-2.2.11/server/request.c 2009-03-21 13:03:13.000000000 +0100 -+++ httpd-2.2.11/server/request.c 2009-03-21 13:03:41.000000000 +0100 +--- server/request.c.orig ++++ server/request.c @@ -12,6 +12,12 @@ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and @@ -1991,7 +1988,7 @@ unchanged: */ /* -@@ -61,6 +67,7 @@ +@@ -61,6 +67,7 @@ APR_HOOK_STRUCT( APR_HOOK_LINK(auth_checker) APR_HOOK_LINK(insert_filter) APR_HOOK_LINK(create_request) 
@@ -1999,7 +1996,7 @@ unchanged: ) AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name, -@@ -80,6 +87,8 @@ +@@ -80,6 +87,8 @@ AP_IMPLEMENT_HOOK_RUN_FIRST(int,auth_che AP_IMPLEMENT_HOOK_VOID(insert_filter, (request_rec *r), (r)) AP_IMPLEMENT_HOOK_RUN_ALL(int, create_request, (request_rec *r), (r), OK, DECLINED) @@ -2008,7 +2005,7 @@ unchanged: static int decl_die(int status, char *phase, request_rec *r) -@@ -158,6 +167,13 @@ +@@ -158,6 +167,13 @@ AP_DECLARE(int) ap_process_request_inter return access_status; } @@ -2022,18 +2019,3 @@ unchanged: /* Only on the main request! */ if (r->main == NULL) { if ((access_status = ap_run_header_parser(r))) { -unchanged: ---- httpd-2.2.11.orig/server/mpm/config.m4 2009-04-14 23:26:41.000000000 +0200 -+++ httpd-2.2.11/server/mpm/config.m4 2009-04-14 23:28:03.000000000 +0200 -@@ -66,6 +66,11 @@ - else - MPM_SUBDIR_NAME=$MPM_NAME - fi -+ -+if test "$apache_cv_mpm" = "itk" ; then -+ AC_CHECK_LIB(cap, cap_init) -+fi -+ - MPM_DIR=server/mpm/$MPM_SUBDIR_NAME - MPM_LIB=$MPM_DIR/lib${MPM_NAME}.la - diff --git a/apache2.changes b/apache2.changes index 3e4f9ac..dfe28ac 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -1,3 +1,37 @@
+-------------------------------------------------------------------
+Thu May 26 03:35:05 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to 2.2.19, only one bugfix.
+*) Revert ABI breakage in 2.2.18 caused by the function signature change
+ of ap_unescape_url_keep2f(). This release restores the signature from
+ 2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
+ [Eric Covener]
+
+-------------------------------------------------------------------
+Fri May 20 19:28:03 UTC 2011 - crrodriguez@opensuse.org
+
+- Remove SSLv2 disabled patch, already in upstream.
+- Update to version 2.2.18
+* mod_ssl, ab: Support OpenSSL compiled without SSLv2 support.
+* core: Treat timeout reading request as 408 error, not 400.
+* core: Only log a 408 if it is no keepalive timeout.
+* mod_rewrite: Allow to unset environment variables.
+* prefork: Update MPM state in children during a graceful restart.
+* Other fixes in mod_cache,mod_dav,mod_proxy se NEWS for detail.
+
+-------------------------------------------------------------------
+Wed Apr 20 23:24:26 UTC 2011 - crrodriguez@opensuse.org
+
+- Fix regular expression in vhost ssl template IE workaround
+ it is obsolete see https://issues.apache.org/bugzilla/show_bug.cgi?id=49484
+ You should apply this update to fix painfully slow SSL
+ connections when using IE.
+
+-------------------------------------------------------------------
+Mon Apr 11 16:19:14 UTC 2011 - crrodriguez@opensuse.org
+
+- Allow usage of an openSSL library compiled without SSlv2
+
 -------------------------------------------------------------------
 Fri Apr 8 13:41:48 UTC 2011 - lnussel@suse.de
 
diff --git a/apache2.spec b/apache2.spec
index 6a6b54d..335af59 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -67,8 +67,8 @@ BuildRequires: expat-devel %define platform_string Linux/%VENDOR License: ASLv.. Group: Productivity/Networking/Web/Servers -%define realver 2.2.17 -Version: 2.2.17 +%define realver 2.2.19 +Version: 2.2.19 Release: 1 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 @@ -339,7 +339,7 @@ to administrators of web servers in general. %patch66 -p1 %patch67 -p1 %patch68 -p1 -%patch100 -p1 +%patch100 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # diff --git a/httpd-2.2.17.tar.bz2 b/httpd-2.2.17.tar.bz2 deleted file mode 100644 index 494bfc2..0000000 --- a/httpd-2.2.17.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:868af11e3ed8fa9aade15241ea4f51971b3ef71104292ca2625ef2065e61fb04 -size 4951247 diff --git a/httpd-2.2.19.tar.bz2 b/httpd-2.2.19.tar.bz2 new file mode 100644 index 0000000..0735f01 --- /dev/null +++ b/httpd-2.2.19.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:a1c1185371ef6b5bb9dbeaff9cd6d6e82c566f1cb472d247d212245ceacc7f1e +size 5322082 From c1c1dc6994aeae8e7e77911f2bd6b89f310767ff5b786dfa7805b81c935e0b97 Mon Sep 17 00:00:00 2001 From: Stephan Kulow Date: Mon, 30 May 2011 13:40:12 +0000 Subject: [PATCH 2/6] merged OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=333 --- apache2.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apache2.spec b/apache2.spec index 335af59..d93f2cc 100644 --- a/apache2.spec +++ b/apache2.spec 
@@ -1,7 +1,7 @@ # -# spec file for package apache2 (Version 2.2.17) +# spec file for package apache2 # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed From 90508856d0d8e557b7fd69ff969ac218199e42a7f5a7b86da345ace281b6d827 Mon Sep 17 00:00:00 2001 
From: Roman Drahtmueller Date: Wed, 31 Aug 2011 13:46:57 +0000 Subject: [PATCH 3/6] Accepting request 80399 from home:elvigia:branches:Apache - Update to version 2.2.20, fix CVE-2011-3192 mod_deflate D.o.S. - Fix apache PR 45076 - Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage - Add 2 patches from the "low hanging fruit" warnings in apache STATUS page. * mod_deflate: Stop compressing HEAD requests if there is not Content-Length header * mod_reqtimeout: Disable keep-alive after read timeout - Remove -fno-strict-aliasing from CFLAGS, no longer needed. - Allow KeepAliveTimeout to be expressed in miliseconds sometimes one second is too long, upstream r733557. - When linux changes to version 3.x configure tests are gonna break. remove version check, assuming kernel 2.2 or later. OBS-URL: https://build.opensuse.org/request/show/80399 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=334 --- apache2.changes | 43 ++++++++++++++++++++++++++ apache2.spec | 18 +++++++---- httpd-2.2.19-linux3.patch | 17 ++++++++++ httpd-2.2.19.tar.bz2 | 3 -- httpd-2.2.20.tar.bz2 | 3 ++ httpd-keepalivetimeout-millisecs.patch | 20 ++++++++++++ httpd-mod_deflate_head.patch | 23 ++++++++++++++ ssl-mode-release-buffers.patch | 13 ++++++++ 8 files changed, 131 insertions(+), 9 deletions(-) create mode 100644 httpd-2.2.19-linux3.patch delete mode 100644 httpd-2.2.19.tar.bz2 create mode 100644 httpd-2.2.20.tar.bz2 create mode 100644 httpd-keepalivetimeout-millisecs.patch create mode 100644 httpd-mod_deflate_head.patch create mode 100644 ssl-mode-release-buffers.patch diff --git a/apache2.changes b/apache2.changes index dfe28ac..0dcdefd 100644 --- a/apache2.changes +++ b/apache2.changes 
@@ -1,3 +1,46 @@
+-------------------------------------------------------------------
+Wed Aug 31 12:52:22 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to version 2.2.20, fix CVE-2011-3192
+ mod_deflate D.o.S.
+
+
+-------------------------------------------------------------------
+Fri Aug 5 06:02:35 UTC 2011 - crrodriguez@opensuse.org
+
+- Fix apache PR 45076
+
+-------------------------------------------------------------------
+Sun Jul 17 19:49:55 UTC 2011 - crrodriguez@opensuse.org
+
+- Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage
+
+-------------------------------------------------------------------
+Wed Jun 22 16:12:10 UTC 2011 - crrodriguez@opensuse.org
+
+- Add 2 patches from the "low hanging fruit" warnings in apache
+ STATUS page.
+ * mod_deflate: Stop compressing HEAD requests
+ if there is not Content-Length header
+ * mod_reqtimeout: Disable keep-alive after read timeout
+
+-------------------------------------------------------------------
+Fri Jun 10 00:59:53 UTC 2011 - crrodriguez@opensuse.org
+
+- Remove -fno-strict-aliasing from CFLAGS, no longer needed.
+
+-------------------------------------------------------------------
+Wed Jun 8 19:10:41 UTC 2011 - crrodriguez@opensuse.org
+
+- Allow KeepAliveTimeout to be expressed in miliseconds
+ sometimes one second is too long, upstream r733557.
+
+-------------------------------------------------------------------
+Mon Jun 6 18:16:05 UTC 2011 - crrodriguez@opensuse.org
+
+- When linux changes to version 3.x configure tests are gonna break.
+ remove version check, assuming kernel 2.2 or later.
+
 -------------------------------------------------------------------
 Thu May 26 03:35:05 UTC 2011 - crrodriguez@opensuse.org
 
diff --git a/apache2.spec b/apache2.spec
index d93f2cc..a40a848 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -67,8 +67,8 @@ BuildRequires: expat-devel %define platform_string Linux/%VENDOR License: ASLv.. Group: Productivity/Networking/Web/Servers -%define realver 2.2.19 -Version: 2.2.19 +%define realver 2.2.20 +Version: 2.2.20 Release: 1 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 @@ -123,6 +123,10 @@ Patch66: httpd-2.0.54-envvars.dif Patch67: httpd-2.2.0-apxs-a2enmod.dif Patch68: httpd-2.x.x-logresolve.patch Patch100: apache2.2-mpm-itk-20090414-00.patch +Patch101: httpd-2.2.19-linux3.patch +Patch102: httpd-keepalivetimeout-millisecs.patch +Patch104: httpd-mod_deflate_head.patch +Patch105: ssl-mode-release-buffers.patch Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.0 @@ -340,6 +344,10 @@ to administrators of web servers in general. %patch67 -p1 %patch68 -p1 %patch100 +%patch101 +%patch102 +%patch104 +%patch105 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # @@ -354,8 +362,7 @@ sed -i -e "s/__DATE__ \" \" __TIME__;/\"$CHANGES\";/" server/buildmark.c # now configure Apache # %if 0%{?suse_version} > 910 -aclocal -autoreconf --force --install +autoreconf -fiv %else rm -rf aclocal.m4 autom4te*.cache autoheader @@ -368,7 +375,7 @@ autoconf # /O |_)|_|||(_| # function configure { - CFLAGS="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing -DLDAP_DEPRECATED" \ + CFLAGS="$RPM_OPT_FLAGS -fPIC -Wall -DLDAP_DEPRECATED" \ CPPFLAGS="-DSSL_EXPERIMENTAL_ENGINE -DMAX_SERVER_LIMIT=200000 -DLDAP_DEPRECATED -DMAXLINE=4096" \ ./configure \ --enable-layout=SuSE81%(test "%_lib" = lib64 && echo -n _64) \ @@ -455,7 +462,6 @@ for mpm in %{mpms_to_build}; do mv include/ap_config_auto.h.new include/ap_config_auto.h make CFLAGS="$RPM_OPT_FLAGS -fPIC \ - -fno-strict-aliasing \ -Wall \ -DDEFAULT_PIDLOG='\"%{runtimedir}/%{httpd}.pid\"' \ -DDEFAULT_ERRORLOG='\"%{logfiledir}/error_log\"' " \ 
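Review bot: Dropping `-fno-strict-aliasing` from both CFLAGS settings in apache2.spec (the `configure` function and the per-MPM `make` call) lets the compiler assume strict aliasing across httpd and every patch applied on top of it, including the mpm-itk patch. Nothing in this commit shows that the tree was checked for type-punned accesses, and a miscompile from this would be silent. The changelog's "no longer needed" should be backed by a test build with `-Wstrict-aliasing=2`, or the flag kept until that has been done. A short comment next to the CFLAGS line recording why the flag is safe to omit would help the next packager.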
diff --git a/httpd-2.2.19-linux3.patch b/httpd-2.2.19-linux3.patch
new file mode 100644
index 0000000..57ef1c5
--- /dev/null
+++ b/httpd-2.2.19-linux3.patch
@@ -0,0 +1,17 @@
+--- configure.in.orig
+++ configure.in
+@@ -274,13 +274,7 @@ case $host in
+ APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
+ ;;
+ *-linux-*)
+- case `uname -r` in
+- 2.[[2-9]]* )
+- APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
+- ;;
+- * )
+- ;;
+- esac
++ APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
+ ;;
+ *486-*-bsdi* | *-netbsd* | *-freebsd* | *-apple-darwin* | *-dec-osf* | *-qnx)
+ APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
diff --git a/httpd-2.2.19.tar.bz2 b/httpd-2.2.19.tar.bz2
deleted file mode 100644
index 0735f01..0000000
--- a/httpd-2.2.19.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a1c1185371ef6b5bb9dbeaff9cd6d6e82c566f1cb472d247d212245ceacc7f1e
-size 5322082
diff --git a/httpd-2.2.20.tar.bz2 b/httpd-2.2.20.tar.bz2
new file mode 100644
index 0000000..cd5e7bc
--- /dev/null
+++ b/httpd-2.2.20.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:1ee914855249b09d9cd2e20e98a0ab02f15c270fe277d4a5c9b62975479fc81e
+size 5174611
diff --git a/httpd-keepalivetimeout-millisecs.patch b/httpd-keepalivetimeout-millisecs.patch
new file mode 100644
index 0000000..2970a91
--- /dev/null
+++ b/httpd-keepalivetimeout-millisecs.patch
@@ -0,0 +1,20 @@
+--- modules/http/http_core.c.orig
+++ modules/http/http_core.c
+@@ -47,12 +47,15 @@ static int ap_process_http_connection(co
+ static const char *set_keep_alive_timeout(cmd_parms *cmd, void *dummy,
+ const char *arg)
+ {
++ apr_interval_time_t timeout;
+ const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT);
+ if (err != NULL) {
+ return err;
+ }
+-
+- cmd->server->keep_alive_timeout = apr_time_from_sec(atoi(arg));
++ /* Stolen from mod_proxy.c */
++ if (ap_timeout_parameter_parse(arg, &timeout, "s") != APR_SUCCESS)
++ return "KeepAliveTimeout has wrong format";
++ cmd->server->keep_alive_timeout = timeout;
+ return NULL;
+ }
+
diff --git a/httpd-mod_deflate_head.patch b/httpd-mod_deflate_head.patch
new file mode 100644
index 0000000..6d4011a
--- /dev/null
+++ b/httpd-mod_deflate_head.patch
@@ -0,0 +1,23 @@
+--- modules/filters/mod_deflate.c.orig
+++ modules/filters/mod_deflate.c
+@@ -582,6 +582,20 @@ static apr_status_t deflate_out_filter(a
+ apr_bucket *b;
+ apr_size_t len;
+
++ /*
++ * Optimization: If we are a HEAD request and bytes_sent is not zero
++ * it means that we have passed the content-length filter once and
++ * have more data to sent. This means that the content-length filter
++ * could not determine our content-length for the response to the
++ * HEAD request anyway (the associated GET request would deliver the
++ * body in chunked encoding) and we can stop compressing.
++ */
++ if (r->header_only && r->bytes_sent) {
++ ap_remove_output_filter(f);
++ return ap_pass_brigade(f->next, bb);
++ }
++
++
+ e = APR_BRIGADE_FIRST(bb);
+
+ if (APR_BUCKET_IS_EOS(e)) {
diff --git a/ssl-mode-release-buffers.patch b/ssl-mode-release-buffers.patch
new file mode 100644
index 0000000..5898966
--- /dev/null
+++ b/ssl-mode-release-buffers.patch
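Review bot: In httpd-keepalivetimeout-millisecs.patch, `set_keep_alive_timeout` stores whatever `ap_timeout_parameter_parse` produced without a range check, so whether a negative `KeepAliveTimeout` is refused depends on that helper, which is not visible in this patch. An explicit guard makes the directive safe on its own: `if (ap_timeout_parameter_parse(arg, &timeout, "s") != APR_SUCCESS || timeout < 0)`. The `if` body should also be braced like the `err != NULL` check above it. The comment `/* Stolen from mod_proxy.c */` would be more useful if it said that the `"s"` default unit presumably keeps a bare number meaning seconds, as it did with the old `atoi` call.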
@@ -0,0 +1,13 @@ +--- modules/ssl/ssl_engine_init.c.orig ++++ modules/ssl/ssl_engine_init.c +@@ -482,7 +482,9 @@ static void ssl_init_ctx_protocol(server + } + + mctx->ssl_ctx = ctx; +- ++#ifdef SSL_MODE_RELEASE_BUFFERS ++ SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); ++#endif + SSL_CTX_set_options(ctx, SSL_OP_ALL); + + if (!(protocol & SSL_PROTOCOL_SSLV2)) { From f247c8cfd7549aeaaf3855beff4090ef804ef80f6f69fca35feeae8fb9ab99df Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Mon, 12 Sep 2011 12:20:52 +0000 Subject: [PATCH 4/6] Accepting request 81909 from home:fcrozat:systemd - Add apache2-systemd-ask-pass / apache2.service / start_apache2 and modify apache2-ssl-global.conf for systemd support (bnc#697137). OBS-URL: https://build.opensuse.org/request/show/81909 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=335 --- apache2-ssl-global.conf | 5 ++++ apache2-systemd-ask-pass | 2 ++ apache2.changes | 7 ++++++ apache2.service | 16 +++++++++++++ apache2.spec | 10 ++++++++ start_apache2 | 51 ++++++++++++++++++++++++++++++++++++++++ 6 files changed, 91 insertions(+) create mode 100644 apache2-systemd-ask-pass create mode 100644 apache2.service create mode 100644 start_apache2 diff --git a/apache2-ssl-global.conf b/apache2-ssl-global.conf index 16b9ddc..ed88bce 100644 --- a/apache2-ssl-global.conf +++ b/apache2-ssl-global.conf @@ -29,7 +29,12 @@ # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. + + SSLPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass + + SSLPassPhraseDialog builtin + # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism diff --git a/apache2-systemd-ask-pass b/apache2-systemd-ask-pass new file mode 100644 index 0000000..f9b8973 --- /dev/null +++ b/apache2-systemd-ask-pass @@ -0,0 +1,2 @@ +#!/bin/sh +exec /bin/systemd-ask-password "Enter SSL pass phrase for $1 ($2): " 
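Review bot: ssl-mode-release-buffers.patch turns on `SSL_MODE_RELEASE_BUFFERS` for every context whenever the header defines it, with no check of the OpenSSL version the package actually links against. Several OpenSSL releases have had memory-safety defects that were reachable only with this mode enabled, so the memory saving brings exposure that depends on the library version. I would gate the call on a known-good `OPENSSL_VERSION_NUMBER`, or at least add a comment above the `#ifdef` stating the minimum OpenSSL release this was tested with. The enclosing function `ssl_init_ctx_protocol` starts and ends outside the hunk.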
diff --git a/apache2.changes b/apache2.changes
index 0dcdefd..fd5643e 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Sep 1 09:43:49 UTC 2011 - fcrozat@suse.com
+
+- Add apache2-systemd-ask-pass / apache2.service / start_apache2
+ and modify apache2-ssl-global.conf for systemd support
+ (bnc#697137).
+
 -------------------------------------------------------------------
 Wed Aug 31 12:52:22 UTC 2011 - crrodriguez@opensuse.org
 
diff --git a/apache2.service b/apache2.service
new file mode 100644
index 0000000..9e30d6c
--- /dev/null
+++ b/apache2.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=apache
+After=syslog.target network.target
+Before=getty@tty1.service
+
+[Service]
+Type=forking
+PIDFile=/var/run/httpd2.pid
+EnvironmentFile=/etc/sysconfig/apache2
+ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -k start
+ExecReload=/usr/sbin/start_apache2 -D SYSTEMD -t
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStop=/usr/sbin/httpd2 -D SYSTEMD -k stop
+
+[Install]
+WantedBy=multi-user.target
diff --git a/apache2.spec b/apache2.spec
index a40a848..ed514eb 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -116,6 +119,9 @@ Source130: apache2-vhost.template
 Source131: apache2-vhost-ssl.template
 Source140: apache2-check_forensic
 Source141: apache-20-22-upgrade
+Source142: start_apache2
+Source143: apache2-systemd-ask-pass
+Source144: apache2.service
 Patch2: httpd-2.1.3alpha-layout.dif
 Patch23: httpd-2.1.9-apachectl.dif
 Patch65: httpd-2.0.49-log_server_status.dif
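Review bot: `ExecStop=/usr/sbin/httpd2 -D SYSTEMD -k stop` in apache2.service bypasses the start_apache2 wrapper that `ExecStart` uses, so the stop command runs without the `-f $httpd_conf` and server flags the wrapper adds. With a non-default `APACHE_HTTPD_CONF` the stop may parse a different configuration, and so look for a different pid file, than the running server; the hard-coded `PIDFile=/var/run/httpd2.pid` carries the same assumption. Routing all actions through the wrapper keeps them consistent: `ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -k stop`.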
@@ -595,7 +598,11 @@ tar xjf %{SOURCE29} -C $RPM_BUILD_ROOT/%{sysconfdir} # # init script and friends mkdir -p $RPM_BUILD_ROOT/etc/init.d +mkdir -p $RPM_BUILD_ROOT/etc/init.d $RPM_BUILD_ROOT/lib/systemd/system/ install -m 744 $RPM_SOURCE_DIR/rc.%{pname} $RPM_BUILD_ROOT/etc/init.d/%{pname} +install -m 744 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2 +install -m 744 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass +install -m 744 $RPM_SOURCE_DIR/apache2.service $RPM_BUILD_ROOT/lib/systemd/system/apache2.service ln -sf ../../etc/init.d/%{pname} $RPM_BUILD_ROOT/%{_sbindir}/rc%{pname} install -m 755 $RPM_SOURCE_DIR/load_configuration $RPM_BUILD_ROOT/%{_prefix}/share/%{pname}/ install -m 755 $RPM_SOURCE_DIR/find_mpm $RPM_BUILD_ROOT/%{_prefix}/share/%{pname}/ @@ -853,6 +860,7 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original . %config(noreplace) /etc/permissions.d/%{pname} %endif %config /etc/init.d/%{pname} +/lib/systemd/system/%{pname}.service # %{_sbindir}/rc%{pname} %{_sbindir}/apache%{vers}ctl @@ -863,6 +871,8 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original . %{_sbindir}/a2enmod %{_sbindir}/a2disflag %{_sbindir}/a2dismod +%{_sbindir}/start_apache2 +%{_sbindir}/apache2-systemd-ask-pass %{_bindir}/log_server_status%{vers} %{iconsdir} %{errordir} diff --git a/start_apache2 b/start_apache2 new file mode 100644 index 0000000..48ff11b --- /dev/null +++ b/start_apache2 
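Review bot: The three new `install -m 744` lines in the first hunk give the unit file an executable bit and make the two helper scripts executable by root only; `apache2.service` is data and should be installed with `-m 644`, and scripts under sbin are normally `-m 755`. The same lines hard-code `$RPM_BUILD_ROOT/usr/sbin/` while the `%files` hunks list `%{_sbindir}/start_apache2` and `%{_sbindir}/apache2-systemd-ask-pass`, so the install targets should use `$RPM_BUILD_ROOT/%{_sbindir}/` as well. The added `mkdir -p` line repeats `$RPM_BUILD_ROOT/etc/init.d` from the line above it and could replace that line instead of following it.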
@@ -0,0 +1,51 @@ +#!/bin/sh +# +# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH +# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH +# Copyright (c) 2002, 2003, (2004?) SuSE Linux AG +# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH +# +# Authors: Rolf Haberrecker , 2001 +# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007, +# 2008, 2009, 2010 +# +# +pname=apache2 +. /usr/share/$pname/load_configuration + +export ${!APACHE_*} + +apache_link=/usr/sbin/httpd2 +apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null) +httpd_conf=${APACHE_HTTPD_CONF:-/etc/apache2/httpd.conf} + +test -L $apache_link && apache_bin=$(readlink $apache_link) + +if [ -z "$APACHE_MPM" ]; then + APACHE_MPM=${apache_bin##*-} +fi + +if ! [ -x $apache_bin ]; then + echo >&2 $apache_bin-$APACHE_MPM is not a valid httpd2 binary. + echo >&2 Check your APACHE_MPM setting in /etc/sysconfig/$pname. + exit 5 +fi + +# a proper home should be set, otherwise the server might end up +# with HOME=/root and some script might try to use that +HOME=/var/lib/apache2 + +unset server_flags +case "$action" in startssl) server_flags="-DSSL";; esac +for i in $APACHE_SERVER_FLAGS; do + case $i in + -D) ;; + -D*) server_flags="$server_flags $i";; + *) server_flags="$server_flags -D$i";; + esac +done +${get_module_list_done:=false} || /usr/share/$pname/get_module_list && export get_module_list_done=true +${get_includes:=false} || /usr/share/$pname/get_includes && export get_includes_done=true + +export -n ${!APACHE_*} +exec $apache_bin -f $httpd_conf $server_flags $@ From c54ff27d1d55af943eedde9e2b33a52e7b8111469167abffed32fac0f49c2400 Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Tue, 13 Sep 2011 08:38:39 +0000 Subject: [PATCH 5/6] - need to add %ghost /lib/systemd to satisfy distributions that have no systemd yet. OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=336 --- apache2.changes | 6 ++++++ apache2.spec | 3 +++ 2 files changed, 9 insertions(+) 
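Review bot: start_apache2 declares `#!/bin/sh` but relies on bash-only constructs, `export ${!APACHE_*}` and `export -n ${!APACHE_*}`, so it breaks wherever /bin/sh is not bash; the shebang should be `#!/bin/bash`. The final `exec $apache_bin -f $httpd_conf $server_flags $@` leaves `$@` unquoted, which re-splits and glob-expands the arguments handed over by the unit file, and `"$@"` preserves them. `$action` is never set in this script, so the `startssl` case looks like dead code, and `${get_includes:=false}` tests a different variable from the `get_includes_done` it exports, so that guard apparently never skips the call. The error message prints `$apache_bin-$APACHE_MPM` although the test is on `$apache_bin` alone.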
diff --git a/apache2.changes b/apache2.changes index fd5643e..8d6f0fb 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue Sep 13 10:37:37 CEST 2011 - draht@suse.de + +- need to add %ghost /lib/systemd to satisfy distributions that + have no systemd yet. + ------------------------------------------------------------------- Thu Sep 1 09:43:49 UTC 2011 - fcrozat@suse.com diff --git a/apache2.spec b/apache2.spec index ed514eb..3a6b13c 100644 --- a/apache2.spec +++ b/apache2.spec @@ -891,6 +891,9 @@ mv $RPM_BUILD_ROOT/%{sysconfdir}/original . %{_prefix}/share/%{pname}/sysconf_addword %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name} %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}-ssl +%ghost /lib/systemd +%ghost /lib/systemd/system + %if %prefork %files prefork From afd986fb8ff7e49d6ed6770a743649bcfe7aebad64f29922d25a4a233f76e7fc Mon Sep 17 00:00:00 2001 From: Roman Drahtmueller Date: Tue, 13 Sep 2011 23:17:22 +0000 Subject: [PATCH 6/6] - Update to 2.2.21. News therein: * re-worked CVE-2011-3192 (byterange_filter.c) with a regression fix. New config option: MaxRanges (PR 51748) * multi fixes in mod_filter, mod_proxy_ajp, mod_dav_fs, mod_alias, mod_rewrite. As always, see CHANGES file. - added httpd-%{realver}.tar.bz2.asc to source, along with 60C5442D.key which the tarball was signed with. OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=337 --- .gitattributes | 1 + 60C5442D.key | 3 +++ apache2.changes | 11 +++++++++++ apache2.spec | 6 ++++-- httpd-2.2.20.tar.bz2 | 3 --- httpd-2.2.21.tar.bz2 | 3 +++ httpd-2.2.21.tar.bz2.asc | 17 +++++++++++++++++ 7 files changed, 39 insertions(+), 5 deletions(-) create mode 100644 60C5442D.key delete mode 100644 httpd-2.2.20.tar.bz2 create mode 100644 httpd-2.2.21.tar.bz2 create mode 100644 httpd-2.2.21.tar.bz2.asc diff --git a/.gitattributes b/.gitattributes index 6a7e248..8f5be96 100644 
--- a/.gitattributes
+++ b/.gitattributes
@@ -22,4 +22,5 @@
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
 ## Specific LFS patterns
+60C5442D.key filter=lfs diff=lfs merge=lfs -text
 Apache.xpm filter=lfs diff=lfs merge=lfs -text
diff --git a/60C5442D.key b/60C5442D.key
new file mode 100644
index 0000000..138c2aa
--- /dev/null
+++ b/60C5442D.key
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2d0f272a697be2b07f52f676817d8a07fb1715d0a1402ed4cff60cb3bb1ba907
+size 64309
diff --git a/apache2.changes b/apache2.changes
index 8d6f0fb..7e75b3a 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Sep 14 01:11:55 CEST 2011 - draht@suse.de
+
+- Update to 2.2.21. News therein:
+ * re-worked CVE-2011-3192 (byterange_filter.c) with a regression
+ fix. New config option: MaxRanges (PR 51748)
+ * multi fixes in mod_filter, mod_proxy_ajp, mod_dav_fs,
+ mod_alias, mod_rewrite. As always, see CHANGES file.
+- added httpd-%{realver}.tar.bz2.asc to source, along with
+ 60C5442D.key which the tarball was signed with.
+
 -------------------------------------------------------------------
 Tue Sep 13 10:37:37 CEST 2011 - draht@suse.de
 
diff --git a/apache2.spec b/apache2.spec
index 3a6b13c..739a110 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -67,13 +67,15 @@ BuildRequires: expat-devel
 %define platform_string Linux/%VENDOR
 License: ASLv..
 Group: Productivity/Networking/Web/Servers
-%define realver 2.2.20
-Version: 2.2.20
+%define realver 2.2.21
+Version: 2.2.21
 Release: 1
 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
 # Add file to take mtime from it in prep section
 Source1: apache2.changes
+Source5: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2.asc
+Source6: 60C5442D.key
 Source10: SUSE-NOTICE
 Source11: rc.%{pname}
 Source13: sysconfig.%{pname}
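Review bot: `Source5` and `Source6` add the detached signature and `60C5442D.key` to the package, but no hunk in this commit checks the tarball against them in `%prep`, so as far as this patch shows the signature is shipped without being verified. `Source0` is still fetched over plain `http://`, which leaves that check as the only integrity control on the upstream tarball. I would add a verification step that runs before the sources are unpacked and fails the build on a bad signature. The eight-hex-digit id in the key's file name is too short to identify a key reliably, so the full fingerprint should be recorded next to it, e.g. `# Source6: release signing key, full fingerprint <FINGERPRINT-PLACEHOLDER>`.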
diff --git a/httpd-2.2.20.tar.bz2 b/httpd-2.2.20.tar.bz2
deleted file mode 100644
index cd5e7bc..0000000
--- a/httpd-2.2.20.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1ee914855249b09d9cd2e20e98a0ab02f15c270fe277d4a5c9b62975479fc81e
-size 5174611
diff --git a/httpd-2.2.21.tar.bz2 b/httpd-2.2.21.tar.bz2
new file mode 100644
index 0000000..599657a
--- /dev/null
+++ b/httpd-2.2.21.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:18d5591fe48cfbac44fc20316036ffe17456df60bc3a2aaad238d56c6445577f
+size 5324905
diff --git a/httpd-2.2.21.tar.bz2.asc b/httpd-2.2.21.tar.bz2.asc
new file mode 100644
index 0000000..d11ac68
--- /dev/null
+++ b/httpd-2.2.21.tar.bz2.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (GNU/Linux)
+
+iQIcBAABAgAGBQJOaiQfAAoJEFWTvKlgxUQtWu4P/j/xCzXtpb2h1H4gNQtakXjp
+KFhfccvzlOGFpkUjauQ0so5Jj+wVVAgiElr7L0+YvmtXoUyNjCgToqqJTqT/3fwG
+uxKDFfqB5ujbCstKbJ4yKhMy92aDjX1+uWWr8J/1WX//SOWY/uUl/GhJnhEFAB6p
+YExuqqrQfrZcAfC6ME35Gbam6+I8OfHVIeT0m6hLOw6UaHaPXdoRj0CAKNy4NFEf
+ckyw2ddlz83ivek9naGxVFg4v/jN8CoSw3zVfto1QaQ7P+FMA5CrYoCPiEI0A6KA
+534L8xcXf02mN6Y2lgl3C6PYQYcGO198Zmd9xU3RCXsfaFgaOrV4D/fD9TVq1hLK
+OSHPU3AOf7IdFiq99qo7EsXNYrxS0xurv67HaodKXvNNRg8D8TBxDNWO1NpbGp3A
+/zDLm3wxpV2qSOSaZbIbyH8PhX2i4UurSo6y2AVrLENUmV4/bD51qJlitCL23YOo
+5vnK99CnPsWHe36p/GyMMJW2d2fn2tUroLTo/ebCdICZlQJhhWYI7+GHNQNkhqMt
+hp5m8so9Goabs+cKtdxiyARR6+AsyLh+2aRc35dgHpa95Tn3SkuAJ1KTM3ecbzgj
+BxJbA0M3snO9RmNo2h88HELzaA5WaB0Z1kVgYW6gjYELnWRpu+iGMJxFpgXQ6guQ
+CUiByAFuIQukRlpIU/qx
+=AWI2
+-----END PGP SIGNATURE-----