From cce4bc78cf77fec7ff4e15093bce3efefb6b374b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Aug 01 2017 03:26:26 +0000 Subject: import httpd-2.4.6-67.el7 --- diff --git a/.gitignore b/.gitignore index 260a2d6..9969f1d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ SOURCES/httpd-2.4.6.tar.bz2 -SOURCES/centos-noindex.tar.gz diff --git a/.httpd.metadata b/.httpd.metadata index 17ede1b..d335a99 100644 --- a/.httpd.metadata +++ b/.httpd.metadata @@ -1,2 +1 @@ 16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2 -6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz diff --git a/SOURCES/httpd-2.4.6-http-protocol-options-define.patch b/SOURCES/httpd-2.4.6-http-protocol-options-define.patch new file mode 100644 index 0000000..eb6e5e5 --- /dev/null +++ b/SOURCES/httpd-2.4.6-http-protocol-options-define.patch @@ -0,0 +1,17 @@ +diff --git a/server/main.c b/server/main.c +index 28d1872..544882d 100644 +--- a/server/main.c ++++ b/server/main.c +@@ -478,6 +478,12 @@ int main(int argc, const char * const argv[]) + ap_server_post_read_config = apr_array_make(pcommands, 1, sizeof(char *)); + ap_server_config_defines = apr_array_make(pcommands, 1, sizeof(char *)); + ++ { ++ char **new = (char **)apr_array_push(ap_server_config_defines); ++ ++ *new = "_RH_HAS_HTTPPROTOCOLOPTIONS"; ++ } ++ + error = ap_setup_prelinked_modules(process); + if (error) { + ap_log_error(APLOG_MARK, APLOG_STARTUP|APLOG_EMERG, 0, NULL, APLOGNO(00012) diff --git a/SOURCES/httpd-2.4.6-mpm-segfault.patch b/SOURCES/httpd-2.4.6-mpm-segfault.patch new file mode 100644 index 0000000..d42be44 --- /dev/null +++ b/SOURCES/httpd-2.4.6-mpm-segfault.patch @@ -0,0 +1,10 @@ +--- a/server/mpm/event/event.c ++++ a/server/mpm/event/event.c +@@ -2735,6 +2735,7 @@ static int event_run(apr_pool_t * _pconf, apr_pool_t * plog, server_rec * s) + + /* we've been told to restart */ + apr_signal(SIGHUP, SIG_IGN); ++ apr_signal(AP_SIG_GRACEFUL, SIG_IGN); + + if (one_process) { + /* not worth thinking about */ diff --git a/SOURCES/httpd-2.4.6-r1348019.patch b/SOURCES/httpd-2.4.6-r1348019.patch new file mode 100644 index 0000000..b8cca1c --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1348019.patch @@ -0,0 +1,77 @@ +diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c +index 2121892..6f904b2 100644 +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -2838,33 +2838,48 @@ PROXY_DECLARE(int) ap_proxy_connect_backend(const char *proxy_function, + + connected = 1; + } +- /* +- * Put the entire worker to error state if +- * the PROXY_WORKER_IGNORE_ERRORS flag is not set. +- * Altrough some connections may be alive +- * no further connections to the worker could be made +- */ +- if (!connected && PROXY_WORKER_IS_USABLE(worker) && +- !(worker->s->status & PROXY_WORKER_IGNORE_ERRORS)) { +- worker->s->error_time = apr_time_now(); +- worker->s->status |= PROXY_WORKER_IN_ERROR; +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(00959) +- "ap_proxy_connect_backend disabling worker for (%s) for %" +- APR_TIME_T_FMT "s", +- worker->s->hostname, apr_time_sec(worker->s->retry)); ++ ++ if (PROXY_WORKER_IS_USABLE(worker)) { ++ /* ++ * Put the entire worker to error state if ++ * the PROXY_WORKER_IGNORE_ERRORS flag is not set. ++ * Although some connections may be alive ++ * no further connections to the worker could be made ++ */ ++ if (!connected) { ++ if (!(worker->s->status & PROXY_WORKER_IGNORE_ERRORS)) { ++ worker->s->error_time = apr_time_now(); ++ worker->s->status |= PROXY_WORKER_IN_ERROR; ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(00959) ++ "ap_proxy_connect_backend disabling worker for (%s) for %" ++ APR_TIME_T_FMT "s", ++ worker->s->hostname, apr_time_sec(worker->s->retry)); ++ } ++ } ++ else { ++ if (worker->s->retries) { ++ /* ++ * A worker came back. So here is where we need to ++ * either reset all params to initial conditions or ++ * apply some sort of aging ++ */ ++ } ++ worker->s->error_time = 0; ++ worker->s->retries = 0; ++ } ++ return connected ? OK : DECLINED; + } + else { +- if (worker->s->retries) { +- /* +- * A worker came back. So here is where we need to +- * either reset all params to initial conditions or +- * apply some sort of aging +- */ +- } +- worker->s->error_time = 0; +- worker->s->retries = 0; ++ /* ++ * The worker is in error likely done by a different thread / process ++ * e.g. for a timeout or bad status. We should respect this and should ++ * not continue with a connection via this worker even if we got one. ++ */ ++ if (connected) { ++ socket_cleanup(conn); ++ } ++ return DECLINED; + } +- return connected ? OK : DECLINED; + } + + PROXY_DECLARE(int) ap_proxy_connection_create(const char *proxy_function, diff --git a/SOURCES/httpd-2.4.6-r1593002.patch b/SOURCES/httpd-2.4.6-r1593002.patch new file mode 100644 index 0000000..6aa0688 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1593002.patch @@ -0,0 +1,35 @@ +--- a/modules/ssl/ssl_util_stapling.c 2014/05/07 12:51:38 1593001 ++++ b/modules/ssl/ssl_util_stapling.c 2014/05/07 12:52:13 1593002 +@@ -145,14 +145,15 @@ + X509_digest(x, EVP_sha1(), cinf->idx, NULL); + + aia = X509_get1_ocsp(x); +- if (aia) ++ if (aia) { + cinf->uri = sk_OPENSSL_STRING_pop(aia); ++ X509_email_free(aia); ++ } + if (!cinf->uri && !mctx->stapling_force_url) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218) + "ssl_stapling_init_cert: no responder URL"); ++ return 0; + } +- if (aia) +- X509_email_free(aia); + return 1; + } + +@@ -403,6 +404,13 @@ + else + ocspuri = cinf->uri; + ++ if (!ocspuri) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02621) ++ "stapling_renew_response: no uri for responder"); ++ rv = FALSE; ++ goto done; ++ } ++ + /* Create a temporary pool to constrain memory use */ + apr_pool_create(&vpool, conn->pool); + diff --git a/SOURCES/httpd-2.4.6-r1634529.patch b/SOURCES/httpd-2.4.6-r1634529.patch new file mode 100644 index 0000000..9b831c6 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1634529.patch @@ -0,0 +1,275 @@ +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index 9811af8..568627f 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -276,7 +276,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog, + return HTTP_INTERNAL_SERVER_ERROR; + } + #ifdef HAVE_OCSP_STAPLING +- ssl_stapling_ex_init(); ++ ssl_stapling_certinfo_hash_init(p); + #endif + + /* +@@ -899,6 +899,8 @@ static void ssl_init_ctx(server_rec *s, + } + + static int ssl_server_import_cert(server_rec *s, ++ apr_pool_t *p, ++ apr_pool_t *ptemp, + modssl_ctx_t *mctx, + const char *id, + int idx) +@@ -933,7 +935,7 @@ static int ssl_server_import_cert(server_rec *s, + + #ifdef HAVE_OCSP_STAPLING + if ((mctx->pkp == FALSE) && (mctx->stapling_enabled == TRUE)) { +- if (!ssl_stapling_init_cert(s, mctx, cert)) { ++ if (!ssl_stapling_init_cert(s, p, ptemp, mctx, cert)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02235) + "Unable to configure server certificate for stapling"); + } +@@ -1081,10 +1083,10 @@ static void ssl_init_server_certs(server_rec *s, + ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); + #endif + +- have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); +- have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); ++ have_rsa = ssl_server_import_cert(s, p, ptemp, mctx, rsa_id, SSL_AIDX_RSA); ++ have_dsa = ssl_server_import_cert(s, p, ptemp, mctx, dsa_id, SSL_AIDX_DSA); + #ifndef OPENSSL_NO_EC +- have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); ++ have_ecc = ssl_server_import_cert(s, p, ptemp, mctx, ecc_id, SSL_AIDX_ECC); + #endif + + if (!(have_rsa || have_dsa +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index 80e1e8e..0cc6d3f 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -132,6 +132,13 @@ + #if OPENSSL_VERSION_NUMBER >= 0x00908080 && !defined(OPENSSL_NO_OCSP) \ + && !defined(OPENSSL_NO_TLSEXT) + #define HAVE_OCSP_STAPLING ++/* backward compatibility with OpenSSL < 1.0 */ ++#ifndef sk_OPENSSL_STRING_num ++#define sk_OPENSSL_STRING_num sk_num ++#endif ++#ifndef sk_OPENSSL_STRING_value ++#define sk_OPENSSL_STRING_value sk_value ++#endif + #if (OPENSSL_VERSION_NUMBER < 0x10000000) + #define sk_OPENSSL_STRING_pop sk_pop + #endif +@@ -862,10 +869,10 @@ const char *ssl_cmd_SSLStaplingErrorCacheTimeout(cmd_parms *, void *, const char + const char *ssl_cmd_SSLStaplingReturnResponderErrors(cmd_parms *, void *, int); + const char *ssl_cmd_SSLStaplingFakeTryLater(cmd_parms *, void *, int); + const char *ssl_cmd_SSLStaplingResponderTimeout(cmd_parms *, void *, const char *); +-const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *); ++const char *ssl_cmd_SSLStaplingForceURL(cmd_parms *, void *, const char *); + void modssl_init_stapling(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *); +-void ssl_stapling_ex_init(void); +-int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x); ++void ssl_stapling_certinfo_hash_init(apr_pool_t *); ++int ssl_stapling_init_cert(server_rec *, apr_pool_t *, apr_pool_t *, modssl_ctx_t *, X509 *); + #endif + #ifndef OPENSSL_NO_SRP + int ssl_callback_SRPServerParams(SSL *, int *, void *); +diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c +index 2be2c36..2387ae1 100644 +--- a/modules/ssl/ssl_util_stapling.c ++++ b/modules/ssl/ssl_util_stapling.c +@@ -43,36 +43,32 @@ + + #define MAX_STAPLING_DER 10240 + +-/* Cached info stored in certificate ex_info. */ ++/* Cached info stored in the global stapling_certinfo hash. */ + typedef struct { +- /* Index in session cache SHA1 hash of certificate */ +- UCHAR idx[20]; +- /* Certificate ID for OCSP requests or NULL if ID cannot be determined */ ++ /* Index in session cache (SHA-1 digest of DER encoded certificate) */ ++ UCHAR idx[SHA_DIGEST_LENGTH]; ++ /* Certificate ID for OCSP request */ + OCSP_CERTID *cid; +- /* Responder details */ ++ /* URI of the OCSP responder */ + char *uri; + } certinfo; + +-static void certinfo_free(void *parent, void *ptr, CRYPTO_EX_DATA *ad, +- int idx, long argl, void *argp) ++static apr_status_t ssl_stapling_certid_free(void *data) + { +- certinfo *cinf = ptr; ++ OCSP_CERTID *cid = data; + +- if (!cinf) +- return; +- if (cinf->uri) +- OPENSSL_free(cinf->uri); +- OPENSSL_free(cinf); ++ if (cid) { ++ OCSP_CERTID_free(cid); ++ } ++ ++ return APR_SUCCESS; + } + +-static int stapling_ex_idx = -1; ++static apr_hash_t *stapling_certinfo; + +-void ssl_stapling_ex_init(void) ++void ssl_stapling_certinfo_hash_init(apr_pool_t *p) + { +- if (stapling_ex_idx != -1) +- return; +- stapling_ex_idx = X509_get_ex_new_index(0, "X509 cached OCSP info", 0, 0, +- certinfo_free); ++ stapling_certinfo = apr_hash_make(p); + } + + static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) +@@ -106,70 +102,97 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) + + } + +-int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x) ++int ssl_stapling_init_cert(server_rec *s, apr_pool_t *p, apr_pool_t *ptemp, ++ modssl_ctx_t *mctx, X509 *x) + { +- certinfo *cinf; ++ UCHAR idx[SHA_DIGEST_LENGTH]; ++ certinfo *cinf = NULL; + X509 *issuer = NULL; ++ OCSP_CERTID *cid = NULL; + STACK_OF(OPENSSL_STRING) *aia = NULL; + +- if (x == NULL) ++ if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) + return 0; +- cinf = X509_get_ex_data(x, stapling_ex_idx); ++ ++ cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); + if (cinf) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02215) +- "ssl_stapling_init_cert: certificate already initialized!"); +- return 0; +- } +- cinf = OPENSSL_malloc(sizeof(certinfo)); +- if (!cinf) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02216) +- "ssl_stapling_init_cert: error allocating memory!"); +- return 0; ++ /* ++ * We already parsed the certificate, and no OCSP URI was found. ++ * The certificate might be used for multiple vhosts, though, ++ * so we check for a ForceURL for this vhost. ++ */ ++ if (!cinf->uri && !mctx->stapling_force_url) { ++ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, ++ APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI " ++ "in certificate and no SSLStaplingForceURL " ++ "configured for server %s", mctx->sc->vhost_id); ++ return 0; ++ } ++ return 1; + } +- cinf->cid = NULL; +- cinf->uri = NULL; +- X509_set_ex_data(x, stapling_ex_idx, cinf); +- +- issuer = stapling_get_issuer(mctx, x); + +- if (issuer == NULL) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02217) +- "ssl_stapling_init_cert: Can't retrieve issuer certificate!"); ++ if (!(issuer = stapling_get_issuer(mctx, x))) { ++ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02217) ++ "ssl_stapling_init_cert: can't retrieve issuer " ++ "certificate!"); + return 0; + } + +- cinf->cid = OCSP_cert_to_id(NULL, x, issuer); ++ cid = OCSP_cert_to_id(NULL, x, issuer); + X509_free(issuer); +- if (!cinf->cid) ++ if (!cid) { ++ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815) ++ "ssl_stapling_init_cert: can't create CertID " ++ "for OCSP request"); + return 0; +- X509_digest(x, EVP_sha1(), cinf->idx, NULL); ++ } + + aia = X509_get1_ocsp(x); +- if (aia) { +- cinf->uri = sk_OPENSSL_STRING_pop(aia); +- X509_email_free(aia); +- } +- if (!cinf->uri && !mctx->stapling_force_url) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02218) +- "ssl_stapling_init_cert: no responder URL"); ++ ++ if (!aia && !mctx->stapling_force_url) { ++ OCSP_CERTID_free(cid); ++ ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, ++ APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI " ++ "in certificate and no SSLStaplingForceURL set"); + return 0; + } ++ ++ /* At this point, we have determined that there's something to store */ ++ cinf = apr_pcalloc(p, sizeof(certinfo)); ++ memcpy (cinf->idx, idx, sizeof(idx)); ++ cinf->cid = cid; ++ /* make sure cid is also freed at pool cleanup */ ++ apr_pool_cleanup_register(p, cid, ssl_stapling_certid_free, ++ apr_pool_cleanup_null); ++ if (aia) { ++ /* allocate uri from the pconf pool */ ++ cinf->uri = apr_pstrdup(p, sk_OPENSSL_STRING_value(aia, 0)); ++ X509_email_free(aia); ++ } ++ ++ ssl_log_xerror(SSLLOG_MARK, APLOG_TRACE1, 0, ptemp, s, x, ++ "ssl_stapling_init_cert: storing certinfo for server %s", ++ mctx->sc->vhost_id); ++ ++ apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf); ++ + return 1; + } + +-static certinfo *stapling_get_cert_info(server_rec *s, modssl_ctx_t *mctx, ++static certinfo *stapling_get_certinfo(server_rec *s, modssl_ctx_t *mctx, + SSL *ssl) + { + certinfo *cinf; + X509 *x; ++ UCHAR idx[SHA_DIGEST_LENGTH]; + x = SSL_get_certificate(ssl); +- if (x == NULL) ++ if ((x == NULL) || (X509_digest(x, EVP_sha1(), idx, NULL) != 1)) + return NULL; +- cinf = X509_get_ex_data(x, stapling_ex_idx); ++ cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx)); + if (cinf && cinf->cid) + return cinf; + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01926) +- "stapling_get_cert_info: stapling not supported for certificate"); ++ "stapling_get_certinfo: stapling not supported for certificate"); + return NULL; + } + +@@ -585,7 +608,7 @@ static int stapling_cb(SSL *ssl, void *arg) + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01951) + "stapling_cb: OCSP Stapling callback called"); + +- cinf = stapling_get_cert_info(s, mctx, ssl); ++ cinf = stapling_get_certinfo(s, mctx, ssl); + if (cinf == NULL) { + return SSL_TLSEXT_ERR_NOACK; + } diff --git a/SOURCES/httpd-2.4.6-r1651653.patch b/SOURCES/httpd-2.4.6-r1651653.patch new file mode 100644 index 0000000..a67093e --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1651653.patch @@ -0,0 +1,100 @@ +diff --git a/server/util.c b/server/util.c +index e0ba5c2..a6516d4 100644 +--- a/server/util.c ++++ b/server/util.c +@@ -968,20 +968,20 @@ AP_DECLARE(const char *) ap_pcfg_strerror(apr_pool_t *p, ap_configfile_t *cfp, + /* Read one line from open ap_configfile_t, strip LF, increase line number */ + /* If custom handler does not define a getstr() function, read char by char */ + static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize, +- ap_configfile_t *cfp) ++ apr_size_t offset, ap_configfile_t *cfp) + { + apr_status_t rc; + /* If a "get string" function is defined, use it */ + if (cfp->getstr != NULL) { + char *cp; +- char *cbuf = buf; +- apr_size_t cbufsize = bufsize; ++ char *cbuf = buf + offset; ++ apr_size_t cbufsize = bufsize - offset; + + while (1) { + ++cfp->line_number; + rc = cfp->getstr(cbuf, cbufsize, cfp->param); + if (rc == APR_EOF) { +- if (cbuf != buf) { ++ if (cbuf != buf + offset) { + *cbuf = '\0'; + break; + } +@@ -999,11 +999,11 @@ static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize, + */ + cp = cbuf; + cp += strlen(cp); +- if (cp > cbuf && cp[-1] == LF) { ++ if (cp > buf && cp[-1] == LF) { + cp--; +- if (cp > cbuf && cp[-1] == CR) ++ if (cp > buf && cp[-1] == CR) + cp--; +- if (cp > cbuf && cp[-1] == '\\') { ++ if (cp > buf && cp[-1] == '\\') { + cp--; + /* + * line continuation requested - +@@ -1021,19 +1021,19 @@ static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize, + } + } else { + /* No "get string" function defined; read character by character */ +- apr_size_t i = 0; ++ apr_size_t i = offset; + + if (bufsize < 2) { + /* too small, assume caller is crazy */ + return APR_EINVAL; + } +- buf[0] = '\0'; ++ buf[offset] = '\0'; + + while (1) { + char c; + rc = cfp->getch(&c, cfp->param); + if (rc == APR_EOF) { +- if (i > 0) ++ if (i > offset) + break; + else + return APR_EOF; +@@ -1051,11 +1051,11 @@ static apr_status_t ap_cfg_getline_core(char *buf, apr_size_t bufsize, + break; + } + } +- else if (i >= bufsize - 2) { +- return APR_ENOSPC; +- } + buf[i] = c; + ++i; ++ if (i >= bufsize - 1) { ++ return APR_ENOSPC; ++ } + } + buf[i] = '\0'; + } +@@ -1089,7 +1089,7 @@ static int cfg_trim_line(char *buf) + AP_DECLARE(apr_status_t) ap_cfg_getline(char *buf, apr_size_t bufsize, + ap_configfile_t *cfp) + { +- apr_status_t rc = ap_cfg_getline_core(buf, bufsize, cfp); ++ apr_status_t rc = ap_cfg_getline_core(buf, bufsize, 0, cfp); + if (rc == APR_SUCCESS) + cfg_trim_line(buf); + return rc; +@@ -1116,7 +1116,7 @@ AP_DECLARE(apr_status_t) ap_varbuf_cfg_getline(struct ap_varbuf *vb, + } + + for (;;) { +- rc = ap_cfg_getline_core(vb->buf + vb->strlen, vb->avail - vb->strlen, cfp); ++ rc = ap_cfg_getline_core(vb->buf, vb->avail, vb->strlen, cfp); + if (rc == APR_ENOSPC || rc == APR_SUCCESS) + vb->strlen += strlen(vb->buf + vb->strlen); + if (rc != APR_ENOSPC) diff --git a/SOURCES/httpd-2.4.6-r1662640.patch b/SOURCES/httpd-2.4.6-r1662640.patch new file mode 100644 index 0000000..3d1f726 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1662640.patch @@ -0,0 +1,40 @@ +--- a/modules/ssl/ssl_engine_kernel.c 2015/02/27 06:05:11 1662639 ++++ b/modules/ssl/ssl_engine_kernel.c 2015/02/27 06:18:31 1662640 +@@ -80,7 +80,8 @@ + + if (SSL_get_state(ssl) != SSL_ST_OK) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) +- "TLS upgrade handshake failed: not accepted by client!?"); ++ "TLS upgrade handshake failed"); ++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); + + return APR_ECONNABORTED; + } +@@ -314,6 +315,16 @@ + int depth, verify_old, verify, n; + + if (ssl) { ++ /* ++ * We should have handshaken here (on handshakeserver), ++ * otherwise we are being redirected (ErrorDocument) from ++ * a renegotiation failure below. The access is still ++ * forbidden in the latter case, let ap_die() handle ++ * this recursive (same) error. ++ */ ++ if (SSL_get_state(ssl) != SSL_ST_OK) { ++ return HTTP_FORBIDDEN; ++ } + ctx = SSL_get_SSL_CTX(ssl); + } + +@@ -828,8 +839,8 @@ + + if (SSL_get_state(ssl) != SSL_ST_OK) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) +- "Re-negotiation handshake failed: " +- "Not accepted by client!?"); ++ "Re-negotiation handshake failed"); ++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); + + r->connection->keepalive = AP_CONN_CLOSE; + return HTTP_FORBIDDEN; diff --git a/SOURCES/httpd-2.4.6-r1681114.patch b/SOURCES/httpd-2.4.6-r1681114.patch new file mode 100644 index 0000000..d112972 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1681114.patch @@ -0,0 +1,157 @@ +diff --git a/modules/http/http_request.c b/modules/http/http_request.c +index cdfec8b..c97dc77 100644 +--- a/modules/http/http_request.c ++++ b/modules/http/http_request.c +@@ -73,19 +73,22 @@ static void update_r_in_filters(ap_filter_t *f, + } + } + +-AP_DECLARE(void) ap_die(int type, request_rec *r) ++static void ap_die_r(int type, request_rec *r, int recursive_error) + { +- int error_index = ap_index_of_response(type); +- char *custom_response = ap_response_code_string(r, error_index); +- int recursive_error = 0; ++ char *custom_response; + request_rec *r_1st_err = r; + +- if (type == AP_FILTER_ERROR) { ++ if (type == OK || type == DONE){ ++ ap_finalize_request_protocol(r); ++ return; ++ } ++ ++ if (!ap_is_HTTP_VALID_RESPONSE(type)) { + ap_filter_t *next; + + /* + * Check if we still have the ap_http_header_filter in place. If +- * this is the case we should not ignore AP_FILTER_ERROR here because ++ * this is the case we should not ignore the error here because + * it means that we have not sent any response at all and never + * will. This is bad. Sent an internal server error instead. + */ +@@ -99,8 +102,14 @@ AP_DECLARE(void) ap_die(int type, request_rec *r) + * next->frec == ap_http_header_filter + */ + if (next) { +- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01579) +- "Custom error page caused AP_FILTER_ERROR"); ++ if (type != AP_FILTER_ERROR) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01579) ++ "Invalid response status %i", type); ++ } ++ else { ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(02831) ++ "Response from AP_FILTER_ERROR"); ++ } + type = HTTP_INTERNAL_SERVER_ERROR; + } + else { +@@ -108,20 +117,13 @@ AP_DECLARE(void) ap_die(int type, request_rec *r) + } + } + +- if (type == DONE) { +- ap_finalize_request_protocol(r); +- return; +- } +- + /* + * The following takes care of Apache redirects to custom response URLs + * Note that if we are already dealing with the response to some other + * error condition, we just report on the original error, and give up on + * any attempt to handle the other thing "intelligently"... + */ +- if (r->status != HTTP_OK) { +- recursive_error = type; +- ++ if (recursive_error != HTTP_OK) { + while (r_1st_err->prev && (r_1st_err->prev->status != HTTP_OK)) + r_1st_err = r_1st_err->prev; /* Get back to original error */ + +@@ -140,6 +142,10 @@ AP_DECLARE(void) ap_die(int type, request_rec *r) + } + + custom_response = NULL; /* Do NOT retry the custom thing! */ ++ } else { ++ int error_index = ap_index_of_response(type); ++ custom_response = ap_response_code_string(r, error_index); ++ recursive_error = 0; + } + + r->status = type; +@@ -216,6 +222,11 @@ AP_DECLARE(void) ap_die(int type, request_rec *r) + ap_send_error_response(r_1st_err, recursive_error); + } + ++AP_DECLARE(void) ap_die(int type, request_rec *r) ++{ ++ ap_die_r(type, r, r->status); ++} ++ + static void check_pipeline(conn_rec *c) + { + if (c->keepalive != AP_CONN_CLOSE) { +@@ -337,18 +348,7 @@ void ap_process_async_request(request_rec *r) + apr_thread_mutex_unlock(r->invoke_mtx); + #endif + +- if (access_status == DONE) { +- /* e.g., something not in storage like TRACE */ +- access_status = OK; +- } +- +- if (access_status == OK) { +- ap_finalize_request_protocol(r); +- } +- else { +- r->status = HTTP_OK; +- ap_die(access_status, r); +- } ++ ap_die_r(access_status, r, HTTP_OK); + + ap_process_request_after_handler(r); + } +@@ -631,8 +631,8 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r) + + AP_DECLARE(void) ap_internal_redirect(const char *new_uri, request_rec *r) + { +- request_rec *new = internal_internal_redirect(new_uri, r); + int access_status; ++ request_rec *new = internal_internal_redirect(new_uri, r); + + AP_INTERNAL_REDIRECT(r->uri, new_uri); + +@@ -648,12 +648,7 @@ AP_DECLARE(void) ap_internal_redirect(const char *new_uri, request_rec *r) + access_status = ap_invoke_handler(new); + } + } +- if (access_status == OK) { +- ap_finalize_request_protocol(new); +- } +- else { +- ap_die(access_status, new); +- } ++ ap_die(access_status, new); + } + + /* This function is designed for things like actions or CGI scripts, when +@@ -674,15 +669,9 @@ AP_DECLARE(void) ap_internal_redirect_handler(const char *new_uri, request_rec * + ap_set_content_type(new, r->content_type); + access_status = ap_process_request_internal(new); + if (access_status == OK) { +- if ((access_status = ap_invoke_handler(new)) != 0) { +- ap_die(access_status, new); +- return; +- } +- ap_finalize_request_protocol(new); +- } +- else { +- ap_die(access_status, new); ++ access_status = ap_invoke_handler(new); + } ++ ap_die(access_status, new); + } + + AP_DECLARE(void) ap_allow_methods(request_rec *r, int reset, ...) diff --git a/SOURCES/httpd-2.4.6-r1683112.patch b/SOURCES/httpd-2.4.6-r1683112.patch new file mode 100644 index 0000000..bb412c9 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1683112.patch @@ -0,0 +1,45 @@ +diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c +index 7f96aff..5517e08 100644 +--- a/modules/proxy/mod_proxy.c ++++ b/modules/proxy/mod_proxy.c +@@ -1118,7 +1118,7 @@ static int proxy_handler(request_rec *r) + AP_PROXY_RUN(r, worker, conf, url, attempts); + access_status = proxy_run_scheme_handler(r, worker, conf, + url, NULL, 0); +- if (access_status == OK) ++ if (access_status == OK || apr_table_get(r->notes, "proxy-error-override")) + break; + else if (access_status == HTTP_INTERNAL_SERVER_ERROR) { + /* Unrecoverable server error. +diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c +index cf52a7d..380b870 100644 +--- a/modules/proxy/mod_proxy_ajp.c ++++ b/modules/proxy/mod_proxy_ajp.c +@@ -636,6 +636,11 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, + */ + rv = r->status; + r->status = HTTP_OK; ++ /* ++ * prevent proxy_handler() from treating this as an ++ * internal error. ++ */ ++ apr_table_setn(r->notes, "proxy-error-override", "1"); + } + else { + rv = OK; +diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c +index 89b5d15..bb5cdf9 100644 +--- a/modules/proxy/mod_proxy_http.c ++++ b/modules/proxy/mod_proxy_http.c +@@ -1648,6 +1648,11 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, + } + ap_discard_request_body(backend->r); + } ++ /* ++ * prevent proxy_handler() from treating this as an ++ * internal error. ++ */ ++ apr_table_setn(r->notes, "proxy-error-override", "1"); + return proxy_status; + } + diff --git a/SOURCES/httpd-2.4.6-r1726019.patch b/SOURCES/httpd-2.4.6-r1726019.patch new file mode 100644 index 0000000..4408d8c --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1726019.patch @@ -0,0 +1,20 @@ +diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c +index 19fed62..7889b0e 100644 +--- a/modules/proxy/mod_proxy_fcgi.c ++++ b/modules/proxy/mod_proxy_fcgi.c +@@ -927,6 +927,15 @@ static int fcgi_do_request(apr_pool_t *p, request_rec *r, + /* Step 3: Read records from the back end server and handle them. */ + rv = dispatch(conn, conf, r, request_id); + if (rv != APR_SUCCESS) { ++ /* If the client aborted the connection during retrieval or (partially) ++ * sending the response, dont't return a HTTP_SERVICE_UNAVAILABLE, since ++ * this is not a backend problem. */ ++ if (r->connection->aborted) { ++ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, rv, r, ++ "The client aborted the connection."); ++ conn->close = 1; ++ return OK; ++ } + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01075) + "Error dispatching request to %s:", server_portstr); + conn->close = 1; diff --git a/SOURCES/httpd-2.4.6-r1738878.patch b/SOURCES/httpd-2.4.6-r1738878.patch new file mode 100644 index 0000000..0aab1c4 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1738878.patch @@ -0,0 +1,139 @@ +diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h +index c65ebe5..330573b 100644 +--- a/modules/proxy/ajp.h ++++ b/modules/proxy/ajp.h +@@ -413,11 +413,13 @@ apr_status_t ajp_ilink_receive(apr_socket_t *sock, ajp_msg_t *msg); + * @param r current request + * @param buffsize max size of the AJP packet. + * @param uri requested uri ++ * @param secret authentication secret + * @return APR_SUCCESS or error + */ + apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r, + apr_size_t buffsize, +- apr_uri_t *uri); ++ apr_uri_t *uri, ++ const char *secret); + + /** + * Read the ajp message and return the type of the message. +diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c +index 074f0a8..53571ee 100644 +--- a/modules/proxy/ajp_header.c ++++ b/modules/proxy/ajp_header.c +@@ -213,7 +213,8 @@ AJPV13_REQUEST/AJPV14_REQUEST= + + static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg, + request_rec *r, +- apr_uri_t *uri) ++ apr_uri_t *uri, ++ const char *secret) + { + int method; + apr_uint32_t i, num_headers = 0; +@@ -293,17 +294,15 @@ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg, + i, elts[i].key, elts[i].val); + } + +-/* XXXX need to figure out how to do this +- if (s->secret) { ++ if (secret) { + if (ajp_msg_append_uint8(msg, SC_A_SECRET) || +- ajp_msg_append_string(msg, s->secret)) { ++ ajp_msg_append_string(msg, secret)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, +- "Error ajp_marshal_into_msgb - " ++ "ajp_marshal_into_msgb: " + "Error appending secret"); + return APR_EGENERAL; + } + } +- */ + + if (r->user) { + if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) || +@@ -628,7 +627,8 @@ static apr_status_t ajp_unmarshal_response(ajp_msg_t *msg, + apr_status_t ajp_send_header(apr_socket_t *sock, + request_rec *r, + apr_size_t buffsize, +- apr_uri_t *uri) ++ apr_uri_t *uri, ++ const char *secret) + { + ajp_msg_t *msg; + apr_status_t rc; +@@ -640,7 +640,7 @@ apr_status_t ajp_send_header(apr_socket_t *sock, + return rc; + } + +- rc = ajp_marshal_into_msgb(msg, r, uri); ++ rc = ajp_marshal_into_msgb(msg, r, uri, secret); + if (rc != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988) + "ajp_send_header: ajp_marshal_into_msgb failed"); +diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c +index 5517e08..e998f58 100644 +--- a/modules/proxy/mod_proxy.c ++++ b/modules/proxy/mod_proxy.c +@@ -260,6 +260,12 @@ static const char *set_worker_param(apr_pool_t *p, + return "flusher name length must be < 16 characters"; + PROXY_STRNCPY(worker->s->flusher, val); + } ++ else if (!strcasecmp(key, "secret")) { ++ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) { ++ return apr_psprintf(p, "Secret length must be < %d characters", ++ (int)sizeof(worker->s->secret)); ++ } ++ } + else { + return "unknown Worker parameter"; + } +diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h +index b702028..06f2b17 100644 +--- a/modules/proxy/mod_proxy.h ++++ b/modules/proxy/mod_proxy.h +@@ -317,6 +317,7 @@ PROXY_WORKER_DISABLED | PROXY_WORKER_STOPPED | PROXY_WORKER_IN_ERROR ) + #define PROXY_WORKER_MAX_HOSTNAME_SIZE 64 + #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE + #define PROXY_BALANCER_MAX_STICKY_SIZE 64 ++#define PROXY_WORKER_MAX_SECRET_SIZE 64 + + #define PROXY_MAX_PROVIDER_NAME_SIZE 16 + +@@ -394,6 +395,7 @@ typedef struct { + unsigned int disablereuse_set:1; + unsigned int was_malloced:1; + unsigned int is_name_matchable:1; ++ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */ + } proxy_worker_shared; + + #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared))) +diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c +index 380b870..81039bf 100644 +--- a/modules/proxy/mod_proxy_ajp.c ++++ b/modules/proxy/mod_proxy_ajp.c +@@ -196,6 +196,7 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, + apr_off_t content_length = 0; + int original_status = r->status; + const char *original_status_line = r->status_line; ++ const char *secret = NULL; + + if (psf->io_buffer_size_set) + maxsize = psf->io_buffer_size; +@@ -205,12 +206,15 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, + maxsize = AJP_MSG_BUFFER_SZ; + maxsize = APR_ALIGN(maxsize, 1024); + ++ if (*conn->worker->s->secret) ++ secret = conn->worker->s->secret; ++ + /* + * Send the AJP request to the remote server + */ + + /* send request headers */ +- status = ajp_send_header(conn->sock, r, maxsize, uri); ++ status = ajp_send_header(conn->sock, r, maxsize, uri, secret); + if (status != APR_SUCCESS) { + conn->close = 1; + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868) diff --git a/SOURCES/httpd-2.4.6-r1775832.patch b/SOURCES/httpd-2.4.6-r1775832.patch new file mode 100644 index 0000000..97c5f5f --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1775832.patch @@ -0,0 +1,16 @@ +--- a/modules/filters/mod_ext_filter.c 2016/12/23 12:35:43 1775831 ++++ b/modules/filters/mod_ext_filter.c 2016/12/23 12:36:26 1775832 +@@ -757,6 +757,13 @@ + break; + } + ++ if (AP_BUCKET_IS_ERROR(b)) { ++ apr_bucket *cpy; ++ apr_bucket_copy(b, &cpy); ++ APR_BRIGADE_INSERT_TAIL(bb_tmp, cpy); ++ break; ++ } ++ + rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ); + if (rv != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01463) "apr_bucket_read()"); diff --git a/SOURCES/httpd-2.4.6-statements-comment.patch b/SOURCES/httpd-2.4.6-statements-comment.patch new file mode 100644 index 0000000..fd56e11 --- /dev/null +++ b/SOURCES/httpd-2.4.6-statements-comment.patch @@ -0,0 +1,16 @@ +diff --git a/modules/aaa/mod_access_compat.c b/modules/aaa/mod_access_compat.c +index 46d8da0..0a5d5a1 100644 +--- a/modules/aaa/mod_access_compat.c ++++ b/modules/aaa/mod_access_compat.c +@@ -152,6 +152,11 @@ static const char *allow_cmd(cmd_parms *cmd, void *dv, const char *from, + if (strcasecmp(from, "from")) + return "allow and deny must be followed by 'from'"; + ++ s = ap_strchr(where, '#'); ++ if (s) { ++ *s = '\0'; ++ } ++ + a = (allowdeny *) apr_array_push(cmd->info ? d->allows : d->denys); + a->x.from = where; + a->limited = cmd->limited; diff --git a/SOURCES/manual.conf b/SOURCES/manual.conf index d09757d..cf626ac 100644 --- a/SOURCES/manual.conf +++ b/SOURCES/manual.conf @@ -2,10 +2,12 @@ # This configuration file allows the manual to be accessed at # http://localhost/manual/ # -AliasMatch ^/manual(?:/(?:de|en|fr|ja|ko|ru))?(/.*)?$ "/usr/share/httpd/manual$1" +Alias /manual /usr/share/httpd/manual Options Indexes AllowOverride None Require all granted + + RedirectMatch 301 ^/manual/(?:de|en|fr|ja|ko|ru)(/.*)$ "/manual$1" diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf index c1b6c11..5d1e452 100644 --- a/SOURCES/welcome.conf +++ b/SOURCES/welcome.conf @@ -16,7 +16,3 @@ Alias /.noindex.html /usr/share/httpd/noindex/index.html -Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css -Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css -Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif -Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index d385291..cc1763c 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -4,7 +4,7 @@ %define mmn 20120211 %define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits} %define mmnisa %{mmn}%{__isa_name}%{__isa_bits} -%define vstring CentOS +%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT}) # Drop automatic provides for module DSOs %{?filter_setup: @@ -15,10 +15,10 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.6 -Release: 45%{?dist}.4 +Release: 67%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 -Source1: centos-noindex.tar.gz +Source1: index.html Source2: httpd.logrotate Source3: httpd.sysconf Source4: httpd-ssl-pass-dialog @@ -126,7 +126,35 @@ Patch105: httpd-2.4.6-r1560093.patch Patch106: httpd-2.4.6-r1748212.patch Patch107: httpd-2.4.6-r1570327.patch Patch108: httpd-2.4.6-r1631119.patch -Patch109: httpd-2.4.6-r1587053.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1406184 +Patch109: httpd-2.4.6-r1593002.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1389535 +Patch110: httpd-2.4.6-r1662640.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1348019 +Patch111: httpd-2.4.6-r1348019.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1396197 +Patch112: httpd-2.4.6-r1587053.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1376835 +Patch113: httpd-2.4.6-mpm-segfault.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1372692 +Patch114: httpd-2.4.6-r1681114.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1371876 +Patch115: httpd-2.4.6-r1775832.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1353740 +Patch116: httpd-2.4.6-r1726019.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1364604 +Patch117: httpd-2.4.6-r1683112.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1378946 +Patch118: httpd-2.4.6-r1651653.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1414258 +Patch119: httpd-2.4.6-r1634529.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1397241 +Patch120: httpd-2.4.6-r1738878.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1445885 +Patch121: httpd-2.4.6-http-protocol-options-define.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1332242 +Patch122: httpd-2.4.6-statements-comment.patch + # Security fixes Patch200: httpd-2.4.6-CVE-2013-6438.patch Patch201: httpd-2.4.6-CVE-2014-0098.patch @@ -331,7 +359,20 @@ rm modules/ssl/ssl_engine_dh.c %patch106 -p1 -b .r1748212 %patch107 -p1 -b .r1570327 %patch108 -p1 -b .r1631119 -%patch109 -p1 -b .r1587053 +%patch109 -p1 -b .r1593002 +%patch110 -p1 -b .r1662640 +%patch111 -p1 -b .r1348019 +%patch112 -p1 -b .r1587053 +%patch113 -p1 -b .mpmsegfault +%patch114 -p1 -b .r1681114 +%patch115 -p1 -b .r1371876 +%patch116 -p1 -b .r1726019 +%patch117 -p1 -b .r1683112 +%patch118 -p1 -b .r1651653 +%patch119 -p1 -b .r1634529 +%patch120 -p1 -b .r1738878 +%patch121 -p1 -b .httpprotdefine +%patch122 -p1 -b .statement-comment %patch200 -p1 -b .cve6438 %patch201 -p1 -b .cve0098 @@ -501,10 +542,8 @@ EOF # Handle contentdir mkdir $RPM_BUILD_ROOT%{contentdir}/noindex -tar xzf $RPM_SOURCE_DIR/centos-noindex.tar.gz \ - -C $RPM_BUILD_ROOT%{contentdir}/noindex/ \ - --strip-components=1 - +install -m 644 -p $RPM_SOURCE_DIR/index.html \ + $RPM_BUILD_ROOT%{contentdir}/noindex/index.html rm -rf %{contentdir}/htdocs # remove manual sources @@ -527,7 +566,7 @@ rm -v $RPM_BUILD_ROOT%{docroot}/html/*.html \ $RPM_BUILD_ROOT%{docroot}/cgi-bin/* # Symlink for the powered-by-$DISTRO image: -ln -s ../noindex/images/poweredby.png \ +ln -s ../../pixmaps/poweredby.png \ $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png # symlinks for /etc/httpd @@ -587,7 +626,7 @@ rm -rf $RPM_BUILD_ROOT/etc/httpd/conf/{original,extra} %pre # Add the "apache" group and user /usr/sbin/groupadd -g 48 -r apache 2> /dev/null || : -/usr/sbin/useradd -c "Apache" -u 48 -g 48 \ +/usr/sbin/useradd -c "Apache" -u 48 -g apache \ -s /sbin/nologin -r -d %{contentdir} apache 2> /dev/null || : %post @@ -713,7 +752,7 @@ rm -rf $RPM_BUILD_ROOT %{contentdir}/error/README %{contentdir}/error/*.var %{contentdir}/error/include/*.html -%{contentdir}/noindex/* +%{contentdir}/noindex/index.html %dir %{docroot} %dir %{docroot}/cgi-bin @@ -779,26 +818,92 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog -* Wed Apr 12 2017 CentOS Sources - 2.4.6-45.el7.centos.4 -- Remove index.html, add centos-noindex.tar.gz -- change vstring -- change symlink for poweredby.png -- update welcome.conf with proper aliases +* Tue May 09 2017 Luboš Uhliarik - 2.4.6-67 +- Related: #1332242 - Explicitly disallow the '#' character in allow,deny + directives + +* Tue May 09 2017 Luboš Uhliarik - 2.4.6-66 +- Related: #1332242 - Explicitly disallow the '#' character in allow,deny + directives + +* Thu Apr 27 2017 Luboš Uhliarik - 2.4.6-65 +- Resolves: #1445885 - define _RH_HAS_HTTPPROTOCOLOPTIONS + +* Tue Apr 18 2017 Luboš Uhliarik - 2.4.6-64 +- Resolves: #1442872 - apache user is not created during httpd installation + when apache group already exist with GID other than 48 + +* Wed Mar 22 2017 Luboš Uhliarik - 2.4.6-63 +- Related: #1412976 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743 + httpd: various flaws + +* Wed Mar 15 2017 Luboš Uhliarik - 2.4.6-62 +- Resolves: #1397241 - Backport Apache Bug 53098 - mod_proxy_ajp: + patch to set worker secret passed to tomcat + +* Wed Mar 15 2017 Luboš Uhliarik - 2.4.6-61 +- Related: #1414258 - Crash during restart or at startup in mod_ssl, + in certinfo_free() function registered by ssl_stapling_ex_init() + +* Tue Mar 14 2017 Luboš Uhliarik - 2.4.6-60 +- Resolves: #1414258 - Crash during restart or at startup in mod_ssl, + in certinfo_free() function registered by ssl_stapling_ex_init() + +* Mon Mar 13 2017 Luboš Uhliarik - 2.4.6-59 +- Resolves: #1378946 - Backport of apache bug 55910: Continuation lines + are broken during buffer resize + +* Fri Mar 10 2017 Luboš Uhliarik - 2.4.6-58 +- Resolves: #1364604 - Upstream Bug 56925 - ErrorDocument directive misbehaves + with mod_proxy_http and mod_proxy_ajp -* Wed Mar 08 2017 Luboš Uhliarik - 2.4.6-45.4 +* Thu Mar 09 2017 Luboš Uhliarik - 2.4.6-57 +- Resolves: #1324416 - Error 404 when switching language in HTML manual + more than once + +* Wed Mar 08 2017 Luboš Uhliarik - 2.4.6-56 +- Resolves: #1353740 - Backport Apache PR58118 to fix mod_proxy_fcgi + spamming non-errors: AH01075: Error dispatching request to : (passing + brigade to output filters) + +* Wed Mar 08 2017 Luboš Uhliarik - 2.4.6-55 +- Resolves: #1371876 - Apache httpd returns "200 OK" for a request + exceeding LimitRequestBody when enabling mod_ext_filter + +* Tue Mar 07 2017 Luboš Uhliarik - 2.4.6-54 +- Resolves: #1372692 - Apache httpd does not log status code "413" in + access_log when exceeding LimitRequestBody + +* Tue Mar 07 2017 Luboš Uhliarik - 2.4.6-53 +- Resolves: #1376835 - httpd with worker/event mpm segfaults after multiple + successive graceful reloads + +* Tue Mar 07 2017 Luboš Uhliarik - 2.4.6-52 +- Resolves: #1332242 - Explicitly disallow the '#' character in allow,deny + directives + +* Mon Mar 06 2017 Luboš Uhliarik - 2.4.6-51 - Resolves: #1396197 - Backport: mod_proxy_wstunnel - AH02447: err/hup on backconn -* Tue Feb 14 2017 Joe Orton - 2.4.6-45.3 +* Mon Mar 06 2017 Luboš Uhliarik - 2.4.6-50 +- Resolves: #1348019 - mod_proxy: Fix a race condition that caused a failed + worker to be retried before the retry period is over + +* Mon Mar 06 2017 Luboš Uhliarik - 2.4.6-49 +- Resolves: #1389535 - Segmentation fault in SSL_renegotiate + +* Mon Mar 06 2017 Luboš Uhliarik - 2.4.6-48 +- Resolves: #1406184 - stapling_renew_response: abort early + (before apr_uri_parse) if ocspuri is empty + +* Tue Feb 7 2017 Joe Orton - 2.4.6-47 - prefork: fix delay completing graceful restart (#1327624) - mod_ldap: fix authz regression, failing to rebind (#1415257) -* Tue Feb 14 2017 Joe Orton - 2.4.6-45.2 -- updated patch for CVE-2016-8743 - -* Mon Jan 30 2017 Luboš Uhliarik - 2.4.6-45.1 -- Resolves: #1412975 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743 httpd: various - flaws +* Thu Jan 26 2017 Luboš Uhliarik - 2.4.6-46 +- Resolves: #1412976 - CVE-2016-0736 CVE-2016-2161 CVE-2016-8743 + httpd: various flaws * Wed Aug 03 2016 Luboš Uhliarik - 2.4.6-45 - RFE: run mod_rewrite external mapping program as non-root (#1316900)