diff --git a/.gitignore b/.gitignore
index 260a2d6..9969f1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 SOURCES/httpd-2.4.6.tar.bz2
-SOURCES/centos-noindex.tar.gz
diff --git a/.httpd.metadata b/.httpd.metadata
index 17ede1b..d335a99 100644
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -1,2 +1 @@
 16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2
-6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz
diff --git a/SOURCES/httpd-2.4.6-ab-ssl-error.patch b/SOURCES/httpd-2.4.6-ab-ssl-error.patch
new file mode 100644
index 0000000..8f169f7
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-ab-ssl-error.patch
@@ -0,0 +1,27 @@
+diff --git a/support/ab.c b/support/ab.c
+index bf76406..80c1b74 100644
+--- a/support/ab.c
++++ b/support/ab.c
+@@ -1346,11 +1346,21 @@ static void read_connection(struct connection * c)
+ && good == 0) {
+ return;
+ }
++ else if (scode == SSL_ERROR_SYSCALL
++ && status == 0
++ && c->read != 0) {
++ /* connection closed, but in violation of the protocol, after
++ * some data has already been read; this commonly happens, so
++ * let the length check catch any response errors
++ */
++ good++;
++ close_connection(c);
++ }
+ else if (scode != SSL_ERROR_WANT_WRITE
+ && scode != SSL_ERROR_WANT_READ) {
+ /* some fatal error: */
+ c->read = 0;
+- BIO_printf(bio_err, "SSL read failed (%d) - closing connection\n", scode);
++ BIO_printf(bio_err, "SSL read failed (%d) - closing connection\n", scode);
+ ERR_print_errors(bio_err);
+ close_connection(c);
+ }
diff --git a/SOURCES/httpd-2.4.6-dhparams-free.patch b/SOURCES/httpd-2.4.6-dhparams-free.patch
new file mode 100644
index 0000000..2319ff8
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-dhparams-free.patch
@@ -0,0 +1,31 @@
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index ee46db4..c560422 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -915,7 +915,7 @@ static void ssl_init_server_certs(server_rec *s,
+ const char *rsa_id, *dsa_id;
+ #ifndef OPENSSL_NO_EC
+ const char *ecc_id;
+- EC_GROUP *ecparams;
++ EC_GROUP *ecparams = NULL;
+ int nid;
+ EC_KEY *eckey = NULL;
+ #endif
+@@ -988,6 +988,7 @@ static void ssl_init_server_certs(server_rec *s,
+ "Custom DH parameters (%d bits) for %s loaded from %s",
+ BN_num_bits(dhparams->p), vhost_id,
+ mctx->pks->cert_files[0]);
++ DH_free(dhparams);
+ }
+
+ #ifndef OPENSSL_NO_EC
+@@ -1012,6 +1013,9 @@ static void ssl_init_server_certs(server_rec *s,
+ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
+ #endif
+ }
++ if (ecparams) {
++ EC_GROUP_free(ecparams);
++ }
+ EC_KEY_free(eckey);
+ #endif
+ }
diff --git a/SOURCES/httpd-2.4.6-r1610396.patch b/SOURCES/httpd-2.4.6-r1610396.patch
new file mode 100644
index 0000000..39edd6b
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1610396.patch
@@ -0,0 +1,189 @@
+Index: modules/ldap/util_ldap.c
+===================================================================
+--- a/modules/ldap/util_ldap.c (revision 1610395)
++++ b/modules/ldap/util_ldap.c (revision 1610396)
+@@ -157,10 +157,12 @@
+ */
+ if (!ldc->keep) {
+ uldap_connection_unbind(ldc);
++ ldc->r = NULL;
+ }
+ else {
+ /* mark our connection as available for reuse */
+ ldc->freed = apr_time_now();
++ ldc->r = NULL;
+ #if APR_HAS_THREADS
+ apr_thread_mutex_unlock(ldc->lock);
+ #endif
+@@ -179,6 +181,9 @@
+
+ if (ldc) {
+ if (ldc->ldap) {
++ if (ldc->r) {
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, ldc->r, "LDC %pp unbind", ldc);
++ }
+ ldap_unbind_s(ldc->ldap);
+ ldc->ldap = NULL;
+ }
+@@ -319,6 +324,8 @@
+ return(result->rc);
+ }
+
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r, "LDC %pp init", ldc);
++
+ if (ldc->ChaseReferrals == AP_LDAP_CHASEREFERRALS_ON) {
+ /* Now that we have an ldap struct, add it to the referral list for rebinds. */
+ rc = apr_ldap_rebind_add(ldc->rebind_pool, ldc->ldap, ldc->binddn, ldc->bindpw);
+@@ -516,6 +523,10 @@
+ ldc->reason = "LDAP: ldap_simple_bind() parse result failed";
+ return uldap_ld_errno(ldc);
+ }
++ else {
++ ldc->last_backend_conn = ldc->r->request_time;
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, ldc->r, "LDC %pp bind", ldc);
++ }
+ return rc;
+ }
+
+@@ -540,7 +551,7 @@
+
+ /* If the connection is already bound, return
+ */
+- if (ldc->bound)
++ if (ldc->bound && !ldc->must_rebind)
+ {
+ ldc->reason = "LDAP: connection open successful (already bound)";
+ return LDAP_SUCCESS;
+@@ -621,6 +632,7 @@
+ }
+ else {
+ ldc->bound = 1;
++ ldc->must_rebind = 0;
+ ldc->reason = "LDAP: connection open successful";
+ }
+
+@@ -718,13 +730,17 @@
+ && !compare_client_certs(dc->client_certs, l->client_certs))
+ {
+ if (st->connection_pool_ttl > 0) {
+- if (l->bound && (now - l->freed) > st->connection_pool_ttl) {
++ if (l->bound && (now - l->last_backend_conn) > st->connection_pool_ttl) {
+ ap_log_rerror(APLOG_MARK,
APLOG_TRACE1, 0, r,
+ "Removing LDAP connection last used %" APR_TIME_T_FMT " seconds ago",
+- (now - l->freed) / APR_USEC_PER_SEC);
++ (now - l->last_backend_conn) / APR_USEC_PER_SEC);
++ l->r = r;
+ uldap_connection_unbind(l);
+ /* Go ahead (by falling through) and use it, so we don't create more just to unbind some other old ones */
+ }
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r,
++ "Reuse %s LDC %pp",
++ l->bound ? "bound" : "unbound", l);
+ }
+ break;
+ }
+@@ -751,12 +767,25 @@
+ (l->deref == deref) && (l->secure == secureflag) &&
+ !compare_client_certs(dc->client_certs, l->client_certs))
+ {
++ if (st->connection_pool_ttl > 0) {
++ if (l->bound && (now - l->last_backend_conn) > st->connection_pool_ttl) {
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
++ "Removing LDAP connection last used %" APR_TIME_T_FMT " seconds ago",
++ (now - l->last_backend_conn) / APR_USEC_PER_SEC);
++ l->r = r;
++ uldap_connection_unbind(l);
++ /* Go ahead (by falling through) and use it, so we don't create more just to unbind some other old ones */
++ }
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r,
++ "Reuse %s LDC %pp (will rebind)",
++ l->bound ?
"bound" : "unbound", l);
++ }
++
+ /* the bind credentials have changed */
+- /* no check for connection_pool_ttl, since we are unbinding any way */
+- uldap_connection_unbind(l);
+-
++ l->must_rebind = 1;
+ util_ldap_strdup((char**)&(l->binddn), binddn);
+ util_ldap_strdup((char**)&(l->bindpw), bindpw);
++
+ break;
+ }
+ #if APR_HAS_THREADS
+@@ -846,6 +875,7 @@
+ #if APR_HAS_THREADS
+ apr_thread_mutex_unlock(st->mutex);
+ #endif
++ l->r = r;
+ return l;
+ }
+
+@@ -965,6 +995,7 @@
+ return result;
+ }
+
++ ldc->last_backend_conn = r->request_time;
+ entry = ldap_first_entry(ldc->ldap, res);
+ searchdn = ldap_get_dn(ldc->ldap, entry);
+
+@@ -1116,6 +1147,7 @@
+ goto start_over;
+ }
+
++ ldc->last_backend_conn = r->request_time;
+ ldc->reason = "Comparison complete";
+ if ((LDAP_COMPARE_TRUE == result) ||
+ (LDAP_COMPARE_FALSE == result) ||
+@@ -1241,6 +1273,7 @@
+ return res;
+ }
+
++ ldc->last_backend_conn = r->request_time;
+ entry = ldap_first_entry(ldc->ldap, sga_res);
+
+ /*
+@@ -1723,6 +1756,7 @@
+ * We should have found exactly one entry; to find a different
+ * number is an error.
+ */
++ ldc->last_backend_conn = r->request_time;
+ count = ldap_count_entries(ldc->ldap, res);
+ if (count != 1)
+ {
+@@ -1788,10 +1822,10 @@
+ /*
+ * We have just bound the connection to a different user and password
+ * combination, which might be reused unintentionally next time this
+- * connection is used from the connection pool. To ensure no confusion,
+- * we mark the connection as unbound.
++ * connection is used from the connection pool.
+ */
+- ldc->bound = 0;
++ ldc->must_rebind = 0;
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE5, 0, r, "LDC %pp used for authn, must be rebound", ldc);
+ }
+
+ /*
+@@ -1983,6 +2017,7 @@
+ * We should have found exactly one entry; to find a different
+ * number is an error.
+ */
++ ldc->last_backend_conn = r->request_time;
+ count = ldap_count_entries(ldc->ldap, res);
+ if (count != 1)
+ {
+Index: include/util_ldap.h
+===================================================================
+--- a/include/util_ldap.h (revision 1610395)
++++ b/include/util_ldap.h (revision 1610396)
+@@ -133,6 +133,9 @@
+ int ReferralHopLimit; /* # of referral hops to follow (default = AP_LDAP_DEFAULT_HOPLIMIT) */
+ apr_time_t freed; /* the time this conn was placed back in the pool */
+ apr_pool_t *rebind_pool; /* frequently cleared pool for rebind data */
++ int must_rebind; /* The connection was last bound with other then binddn/bindpw */
++ request_rec *r; /* request_rec used to find this util_ldap_connection_t */
++ apr_time_t last_backend_conn; /* the approximate time of the last backend LDAP requst */
+ } util_ldap_connection_t;
+
+ typedef struct util_ldap_config_t {
diff --git a/SOURCES/httpd-2.4.6-r1621601.patch b/SOURCES/httpd-2.4.6-r1621601.patch
new file mode 100644
index 0000000..4296804
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1621601.patch
@@ -0,0 +1,21 @@
+--- a/modules/proxy/mod_proxy_http.c 2014/08/31 16:06:36 1621600
++++ b/modules/proxy/mod_proxy_http.c 2014/08/31 16:07:45 1621601
+@@ -1652,6 +1652,18 @@
+ if (!r->header_only && /* not HEAD request */
+ (proxy_status != HTTP_NO_CONTENT) && /* not 204 */
+ (proxy_status != HTTP_NOT_MODIFIED)) { /* not 304 */
++ const char *tmp;
++ /* Add minimal headers needed to allow http_in filter
++ * detecting end of body without waiting for a timeout. */
++ if ((tmp = apr_table_get(r->headers_out, "Transfer-Encoding"))) {
++ apr_table_set(backend->r->headers_in, "Transfer-Encoding", tmp);
++ }
++ else if ((tmp = apr_table_get(r->headers_out, "Content-Length"))) {
++ apr_table_set(backend->r->headers_in, "Content-Length", tmp);
++ }
++ else if (te) {
++ apr_table_set(backend->r->headers_in, "Transfer-Encoding", te);
++ }
+ ap_discard_request_body(backend->r);
+ }
+ return proxy_status;
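Review bot: In the `@@ -1788,10 +1822,10 @@` hunk of util_ldap.c the new line `ldc->must_rebind = 0;` clears the flag at the exact point where the comment above it and the trace message beside it ("used for authn, must be rebound") say the pooled connection now carries another user's bind. The `@@ -540,7 +551,7 @@` hunk returns early on `ldc->bound && !ldc->must_rebind`, and `bound` is no longer reset here, so as written the next request that takes this connection from the pool would appear to skip the rebind and run its searches and compares under the authenticating user's credentials. The assignment should read `ldc->must_rebind = 1;`. The enclosing function starts and ends outside the hunk, and whether a later patch in this package corrects the value is not visible here.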
diff --git a/SOURCES/httpd-2.4.6-r1650677.patch b/SOURCES/httpd-2.4.6-r1650677.patch
new file mode 100644
index 0000000..6599d98
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1650677.patch
@@ -0,0 +1,49 @@
+--- a/modules/proxy/mod_proxy_fcgi.c 2015/01/09 21:25:26 1650676
++++ b/modules/proxy/mod_proxy_fcgi.c 2015/01/09 21:33:12 1650677
+@@ -367,7 +367,7 @@
+ request_rec *r, int request_id)
+ {
+ apr_bucket_brigade *ib, *ob;
+- int seen_end_of_headers = 0, done = 0;
++ int seen_end_of_headers = 0, done = 0, ignore_body = 0;
+ apr_status_t rv = APR_SUCCESS;
+ int script_error_status = HTTP_OK;
+ conn_rec *c = r->connection;
+@@ -577,9 +577,16 @@
+ APR_BRIGADE_INSERT_TAIL(ob, tmp_b);
+ r->status = status;
+ ap_pass_brigade(r->output_filters, ob);
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01070)
+- "Error parsing script headers");
+- rv = APR_EINVAL;
++ if (status == HTTP_NOT_MODIFIED) {
++ /* The 304 response MUST NOT contain
++ * a message-body, ignore it. */
++ ignore_body = 1;
++ }
++ else {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01070)
++ "Error parsing script headers");
++ rv = APR_EINVAL;
++ }
+ break;
+ }
+
+@@ -598,7 +605,7 @@
+ r->status = HTTP_OK;
+ }
+
+- if (script_error_status == HTTP_OK) {
++ if (script_error_status == HTTP_OK && !ignore_body) {
+ rv = ap_pass_brigade(r->output_filters, ob);
+ if (rv != APR_SUCCESS) {
+ break;
+@@ -626,7 +633,7 @@
+ * but that could be a huge amount of data; so we pass
+ * along smaller chunks
+ */
+- if (script_error_status == HTTP_OK) {
++ if (script_error_status == HTTP_OK && !ignore_body) {
+ rv = ap_pass_brigade(r->output_filters, ob);
+ if (rv != APR_SUCCESS) {
+ break;
diff --git a/SOURCES/httpd-2.4.6-r1651658.patch b/SOURCES/httpd-2.4.6-r1651658.patch
new file mode 100644
index 0000000..d0de5d5
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1651658.patch
@@ -0,0 +1,22 @@
+--- a/modules/proxy/mod_proxy_fcgi.c 2015/01/14 13:22:50 1651657
++++ b/modules/proxy/mod_proxy_fcgi.c 2015/01/14 13:24:10 1651658
+@@ -204,9 +204,19 @@
+ apr_status_t rv;
+ apr_size_t len;
+ int i, numenv;
++ char *proxyfilename = r->filename;
++
++ /* Strip balancer prefix */
++ if (r->filename && !strncmp(r->filename, "proxy:balancer://", 17)) {
++ char *newfname = apr_pstrdup(r->pool, r->filename+17);
++ newfname = ap_strchr(newfname, '/');
++ r->filename = newfname;
++ }
+
+ ap_add_common_vars(r);
+ ap_add_cgi_vars(r);
++
++ r->filename = proxyfilename;
+
+ /* XXX are there any FastCGI specific env vars we need to send? */
+
diff --git a/SOURCES/httpd-2.4.6-r1664565.patch b/SOURCES/httpd-2.4.6-r1664565.patch
new file mode 100644
index 0000000..65f9a99
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1664565.patch
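Review bot: `ap_strchr(newfname, '/')` returns NULL when no path follows the balancer name, and the next added line stores that result in `r->filename` unchecked, so `ap_add_common_vars()` and `ap_add_cgi_vars()` then run with a NULL filename; how those helpers treat NULL is not visible here. Keeping the original name in that case is a one-line change, `if (newfname) r->filename = newfname;`. The literal `17` would also be easier to audit written as `sizeof("proxy:balancer://") - 1`. The enclosing function starts and ends outside the hunk.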
@@ -0,0 +1,68 @@
+--- httpd/modules/mappers/mod_rewrite.c 2015/03/06 08:55:34 1664564
++++ httpd/modules/mappers/mod_rewrite.c 2015/03/06 09:14:07 1664565
+@@ -267,6 +267,8 @@
+ const char *dbdq; /* SQL SELECT statement for rewritemap */
+ const char *checkfile2; /* filename to check for map existence
+ NULL if only one file */
++ const char *user; /* run RewriteMap program as this user */
++ const char *group; /* run RewriteMap program as this group */
+ } rewritemap_entry;
+
+ /* special pattern types for RewriteCond */
+@@ -1171,6 +1173,7 @@
+
+ static apr_status_t rewritemap_program_child(apr_pool_t *p,
+ const char *progname, char **argv,
++ const char *user, const char *group,
+ apr_file_t **fpout,
+ apr_file_t **fpin)
+ {
+@@ -1183,6 +1186,8 @@
+ APR_FULL_BLOCK, APR_NO_PIPE))
+ && APR_SUCCESS == (rc=apr_procattr_dir_set(procattr,
+ ap_make_dirstr_parent(p, argv[0])))
++ && (!user || APR_SUCCESS == (rc=apr_procattr_user_set(procattr, user, "")))
++ && (!group || APR_SUCCESS == (rc=apr_procattr_group_set(procattr, group)))
+ && APR_SUCCESS == (rc=apr_procattr_cmdtype_set(procattr, APR_PROGRAM))
+ && APR_SUCCESS == (rc=apr_procattr_child_errfn_set(procattr,
+ rewrite_child_errfn))
+@@ -1240,6 +1245,7 @@
+ }
+
+ rc = rewritemap_program_child(p, map->argv[0], map->argv,
++ map->user, map->group,
+ &fpout, &fpin);
+ if (rc != APR_SUCCESS || fpin == NULL || fpout == NULL) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, rc, s, APLOGNO(00654)
+@@ -3018,7 +3024,7 @@
+ }
+
+ static const char *cmd_rewritemap(cmd_parms *cmd, void *dconf, const char *a1,
+- const char *a2)
++ const char *a2, const char *a3)
+ {
+ rewrite_server_conf *sconf;
+ rewritemap_entry *newmap;
+@@ -3124,6 +3130,11 @@
+
+ newmap->type = MAPTYPE_PRG;
+ newmap->checkfile = newmap->argv[0];
++ if (a3) {
++ char *tok_cntx;
++ newmap->user = apr_strtok(apr_pstrdup(cmd->pool, a3), ":", &tok_cntx);
++ newmap->group = apr_strtok(NULL, ":", &tok_cntx);
++ }
+ }
+ else if (strncasecmp(a2, "int:", 4) == 0) {
+
newmap->type = MAPTYPE_INT;
+@@ -5205,8 +5216,8 @@
+ "an input string and a to be applied regexp-pattern"),
+ AP_INIT_RAW_ARGS("RewriteRule", cmd_rewriterule, NULL, OR_FILEINFO,
+ "an URL-applied regexp-pattern and a substitution URL"),
+- AP_INIT_TAKE2( "RewriteMap", cmd_rewritemap, NULL, RSRC_CONF,
+- "a mapname and a filename"),
++ AP_INIT_TAKE23( "RewriteMap", cmd_rewritemap, NULL, RSRC_CONF,
++ "a mapname and a filename and options"),
+ { NULL }
+ };
+
diff --git a/SOURCES/httpd-2.4.6-r1681107.patch b/SOURCES/httpd-2.4.6-r1681107.patch
new file mode 100644
index 0000000..9a02995
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1681107.patch
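Review bot: The new third `RewriteMap` argument is split with `apr_strtok` in the `prg:` branch of `cmd_rewritemap` and used without validation, even though it decides which identity the map program runs under. A value whose user part is empty, or one with extra `:`-separated fields, is not rejected, and because the directive is now `AP_INIT_TAKE23` the argument is also accepted for every other map type, where nothing in the visible hunks reads it. Both cases should end in a configuration error rather than a silently different privilege level, for example `if (!newmap->user || !newmap->group) return "RewriteMap: expected user:group";` after the two `apr_strtok` calls, if both parts are meant to be mandatory. The function body continues outside the hunks shown.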
@@ -0,0 +1,84 @@
+Index: modules/aaa/mod_authz_dbd.c
+===================================================================
+--- a/modules/aaa/mod_authz_dbd.c (revision 1681106)
++++ b/modules/aaa/mod_authz_dbd.c (revision 1681107)
+@@ -174,7 +174,9 @@
+ action, r->user, message?message:noerror);
+ }
+ else if (newuri == NULL) {
+- newuri = apr_dbd_get_entry(dbd->driver, row, 0);
++ newuri =
++ apr_pstrdup(r->pool,
++ apr_dbd_get_entry(dbd->driver, row, 0));
+ }
+ /* we can't break out here or row won't get cleaned up */
+ }
+@@ -204,7 +206,6 @@
+ apr_dbd_prepared_t *query;
+ apr_dbd_results_t *res = NULL;
+ apr_dbd_row_t *row = NULL;
+- const char **group;
+
+ if (cfg->query == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01649)
+@@ -224,8 +225,9 @@
+ rv != -1;
+ rv = apr_dbd_get_row(dbd->driver, r->pool, res, &row, -1)) {
+ if (rv == 0) {
+- group = apr_array_push(groups);
+- *group = apr_dbd_get_entry(dbd->driver, row, 0);
++ APR_ARRAY_PUSH(groups, const char *) =
++ apr_pstrdup(r->pool,
++ apr_dbd_get_entry(dbd->driver, row, 0));
+ }
+ else {
+ message = apr_dbd_error(dbd->driver, dbd->handle, rv);
+Index: modules/session/mod_session_dbd.c
+===================================================================
+--- a/modules/session/mod_session_dbd.c (revision 1681106)
++++ b/modules/session/mod_session_dbd.c (revision 1681107)
+@@ -138,7 +138,8 @@
+ return APR_EGENERAL;
+ }
+ if (*val == NULL) {
+- *val = apr_dbd_get_entry(dbd->driver, row, 0);
++ *val = apr_pstrdup(r->pool,
++ apr_dbd_get_entry(dbd->driver, row, 0));
+ }
+ /* we can't break out here or row won't get cleaned up */
+ }
+Index: modules/mappers/mod_rewrite.c
+===================================================================
+--- a/modules/mappers/mod_rewrite.c (revision 1681106)
++++ b/modules/mappers/mod_rewrite.c (revision 1681107)
+@@ -1352,12 +1352,14 @@
+ while ((rv = apr_dbd_get_row(db->driver, r->pool, res, &row, -1)) == 0) {
+ ++n;
+ if (ret == NULL) {
+- ret =
apr_dbd_get_entry(db->driver, row, 0);
++ ret = apr_pstrdup(r->pool,
++ apr_dbd_get_entry(db->driver, row, 0));
+ }
+ else {
+ /* randomise crudely amongst multiple results */
+ if ((double)rand() < (double)RAND_MAX/(double)n) {
+- ret = apr_dbd_get_entry(db->driver, row, 0);
++ ret = apr_pstrdup(r->pool,
++ apr_dbd_get_entry(db->driver, row, 0));
+ }
+ }
+ }
+@@ -1370,11 +1372,11 @@
+ case 0:
+ return NULL;
+ case 1:
+- return apr_pstrdup(r->pool, ret);
++ return ret;
+ default:
+ /* what's a fair rewritelog level for this? */
+ rewritelog((r, 3, NULL, "Multiple values found for %s", key));
+- return apr_pstrdup(r->pool, ret);
++ return ret;
+ }
+ }
+
diff --git a/SOURCES/httpd-2.4.6-r1684462.patch b/SOURCES/httpd-2.4.6-r1684462.patch
new file mode 100644
index 0000000..ff5fe4b
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1684462.patch
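Review bot: None of the new `apr_pstrdup(r->pool, apr_dbd_get_entry(...))` call sites says why the copy is needed, which makes it easy for a later cleanup to remove it again and reintroduce a pointer into storage the driver owns. A one-line comment at each site would record the assumption, for example `/* copy: the driver's row storage may not outlive the next apr_dbd_get_row() call */`; the exact lifetime rule is driver-specific and should be confirmed before the wording is fixed. This applies to the hunks in mod_authz_dbd.c, mod_session_dbd.c and mod_rewrite.c alike, and all of the affected functions extend beyond the hunks shown.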
@@ -0,0 +1,34 @@
+--- a/modules/ssl/ssl_engine_kernel.c 2015/06/09 15:55:41 1684461
++++ b/modules/ssl/ssl_engine_kernel.c 2015/06/09 16:09:28 1684462
+@@ -1940,7 +1940,7 @@
+ #ifndef OPENSSL_NO_TLSEXT
+ /*
+ * This callback function is executed when OpenSSL encounters an extended
+- * client hello with a server name indication extension ("SNI", cf. RFC 4366).
++ * client hello with a server name indication extension ("SNI", cf. RFC 6066).
+ */
+ int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
+ {
+@@ -1962,7 +1962,21 @@
+ "No matching SSL virtual host for servername "
+ "%s found (using default/first virtual host)",
+ servername);
+- return SSL_TLSEXT_ERR_ALERT_WARNING;
++ /*
++ * RFC 6066 section 3 says "It is NOT RECOMMENDED to send
++ * a warning-level unrecognized_name(112) alert, because
++ * the client's behavior in response to warning-level alerts
++ * is unpredictable."
++ *
++ * To maintain backwards compatibility in mod_ssl, we
++ * no longer send any alert (neither warning- nor fatal-level),
++ * i.e. we take the second action suggested in RFC 6066:
++ * "If the server understood the ClientHello extension but
++ * does not recognize the server name, the server SHOULD take
++ * one of two actions: either abort the handshake by sending
++ * a fatal-level unrecognized_name(112) alert or continue
++ * the handshake."
++ */
+ }
+ }
+ }
diff --git a/SOURCES/httpd-2.4.6-r1705528.patch b/SOURCES/httpd-2.4.6-r1705528.patch
new file mode 100644
index 0000000..0be0309
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1705528.patch
@@ -0,0 +1,24 @@
+Index: modules/cache/cache_util.c
+===================================================================
+--- a/modules/cache/cache_util.c (revision 1705527)
++++ b/modules/cache/cache_util.c (revision 1705528)
+@@ -1254,7 +1254,6 @@
+ headers_out = apr_table_overlay(r->pool, r->headers_out,
+ r->err_headers_out);
+
+- apr_table_clear(r->err_headers_out);
+
+ headers_out = ap_cache_cacheable_headers(r->pool, headers_out,
+ r->server);
+Index: modules/cache/mod_cache.c
+===================================================================
+--- a/modules/cache/mod_cache.c (revision 1705527)
++++ b/modules/cache/mod_cache.c (revision 1705528)
+@@ -1452,6 +1452,7 @@
+ * headers that might have snuck in.
+ */
+ r->headers_out = ap_cache_cacheable_headers_out(r);
++ apr_table_clear(r->err_headers_out);
+
+ /* Merge in our cached headers. However, keep any updated values. */
+ /* take output, overlay on top of cached */
diff --git a/SOURCES/httpd-2.4.6-r1723522.patch b/SOURCES/httpd-2.4.6-r1723522.patch
new file mode 100644
index 0000000..83db1c8
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1723522.patch
@@ -0,0 +1,13 @@
+diff --git a/docs/manual/mod/mod_log_debug.html.en b/docs/manual/mod/mod_log_debug.html.en
+index d3d4bd7..1ffd37f 100644
+--- a/docs/manual/mod/mod_log_debug.html.en
++++ b/docs/manual/mod/mod_log_debug.html.en
+@@ -61,7 +61,7 @@
+ Log message if request to /foo/* is processed in a sub-request:
+
+ <Location /foo/>
+-  LogMessage "subrequest to /foo/" hook=type_checker expr=%{IS_SUBREQ}
++  LogMessage "subrequest to /foo/" hook=type_checker "expr=-T %{IS_SUBREQ}"
+ </Location>
+         
+
diff --git a/SOURCES/httpd-2.4.6-rotatelog-timezone.patch b/SOURCES/httpd-2.4.6-rotatelog-timezone.patch
new file mode 100644
index 0000000..2ef4f11
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-rotatelog-timezone.patch
@@ -0,0 +1,97 @@
+diff --git a/support/rotatelogs.c b/support/rotatelogs.c
+index d75d018..216bb12 100644
+--- a/support/rotatelogs.c
++++ b/support/rotatelogs.c
+@@ -178,14 +178,14 @@ static void usage(const char *argv0, const char *reason)
+ exit(1);
+ }
+
+-/*
+- * Get the unix time with timezone corrections
+- * given in the config struct.
+- */
+-static int get_now(rotate_config_t *config)
++/* This function returns the current Unix time (time_t) plus any
++ * configured or derived local time offset. The offset applied is
++ * returned via *offset. */
++static int get_now(rotate_config_t *config, apr_int32_t *offset)
+ {
+ apr_time_t tNow = apr_time_now();
+- int utc_offset = config->utc_offset;
++ int utc_offset;
++
+ if (config->use_localtime) {
+ /* Check for our UTC offset before using it, since it might
+ * change if there's a switch between standard and daylight
+@@ -195,6 +195,13 @@ static int get_now(rotate_config_t *config)
+ apr_time_exp_lt(<, tNow);
+ utc_offset = lt.tm_gmtoff;
+ }
++ else {
++ utc_offset = config->utc_offset;
++ }
++
++ if (offset)
++ *offset = utc_offset;
++
+ return (int)apr_time_sec(tNow) + utc_offset;
+ }
+
+@@ -258,13 +265,13 @@ static void checkRotate(rotate_config_t *config, rotate_status_t *status)
+ status->rotateReason = ROTATE_SIZE;
+ }
+ else if (config->tRotation) {
+- if (get_now(config) >= status->tLogEnd) {
++ if (get_now(config, NULL) >= status->tLogEnd) {
+ status->rotateReason = ROTATE_TIME;
+ }
+ }
+ }
+ else if (config->tRotation) {
+- if (get_now(config) >= status->tLogEnd) {
++ if (get_now(config, NULL) >= status->tLogEnd) {
+ status->rotateReason = ROTATE_TIME;
+ }
+ }
+@@ -371,12 +378,16 @@ static void post_rotate(apr_pool_t *pool, struct logfile *newlog,
+ static void doRotate(rotate_config_t *config, rotate_status_t *status)
+ {
+
+- int now = get_now(config);
++ apr_int32_t offset;
++ int now;
+ int tLogStart;
+ apr_status_t rv;
+ struct logfile newlog;
+ int thisLogNum = -1;
+
++ /* Retrieve
local-time-adjusted-Unix-time. */
++ now = get_now(config, &offset);
++
+ status->rotateReason = ROTATE_NONE;
+
+ if (config->tRotation) {
+@@ -401,7 +412,13 @@ static void doRotate(rotate_config_t *config, rotate_status_t *status)
+ apr_time_exp_t e;
+ apr_size_t rs;
+
+- apr_time_exp_gmt(&e, tNow);
++ /* Explode the local-time-adjusted-Unix-time into a struct tm,
++ * first *reversing* local-time-adjustment applied by
++ * get_now() if we are using localtime. */
++ if (config->use_localtime)
++ apr_time_exp_lt(&e, tNow - apr_time_from_sec(offset));
++ else
++ apr_time_exp_gmt(&e, tNow);
+ apr_strftime(newlog.name, &rs, sizeof(newlog.name), config->szLogRoot, &e);
+ }
+ else {
+@@ -648,7 +665,7 @@ int main (int argc, const char * const argv[])
+ nRead = sizeof(buf);
+ #if APR_FILES_AS_SOCKETS
+ if (config.create_empty && config.tRotation) {
+- polltimeout = status.tLogEnd ? status.tLogEnd - get_now(&config) : config.tRotation;
++ polltimeout = status.tLogEnd ? status.tLogEnd - get_now(&config, NULL) : config.tRotation;
+ if (polltimeout <= 0) {
+ pollret = APR_TIMEUP;
+ }
diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf
index c1b6c11..5d1e452 100644
--- a/SOURCES/welcome.conf
+++ b/SOURCES/welcome.conf
@@ -16,7 +16,3 @@ Alias /.noindex.html /usr/share/httpd/noindex/index.html
-Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css
-Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css
-Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif
-Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 248691b..e34b1c5 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -4,7 +4,7 @@ %define mmn 20120211 %define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits} %define mmnisa %{mmn}%{__isa_name}%{__isa_bits} -%define vstring CentOS +%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT}) # Drop automatic provides for module DSOs %{?filter_setup: @@ -15,10 +15,10 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.6 -Release: 40%{?dist}.4 +Release: 45%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 -Source1: centos-noindex.tar.gz +Source1: index.html Source2: httpd.logrotate Source3: httpd.sysconf Source4: httpd-ssl-pass-dialog @@ -70,6 +70,7 @@ Patch35: httpd-2.4.6-pre_htaccess.patch Patch36: httpd-2.4.6-r1573626.patch Patch37: httpd-2.4.6-uds.patch Patch38: httpd-2.4.6-upn.patch +Patch39: httpd-2.4.6-r1664565.patch # Bug fixes Patch51: httpd-2.4.3-sslsninotreq.patch Patch55: httpd-2.4.4-malformed-host.patch @@ -110,6 +111,17 @@ Patch90: httpd-2.4.6-apachectl-status.patch Patch91: httpd-2.4.6-r1650655.patch Patch92: httpd-2.4.6-r1533448.patch Patch93: httpd-2.4.6-r1610013.patch +Patch94: httpd-2.4.6-r1705528.patch +Patch95: httpd-2.4.6-r1684462.patch +Patch96: httpd-2.4.6-r1650677.patch +Patch97: httpd-2.4.6-r1621601.patch +Patch98: httpd-2.4.6-r1610396.patch +Patch99: httpd-2.4.6-rotatelog-timezone.patch +Patch100: httpd-2.4.6-ab-ssl-error.patch +Patch101: httpd-2.4.6-r1723522.patch +Patch102: httpd-2.4.6-r1681107.patch +Patch103: httpd-2.4.6-dhparams-free.patch +Patch104: httpd-2.4.6-r1651658.patch Patch105: httpd-2.4.6-r1560093.patch Patch106: httpd-2.4.6-r1748212.patch # Security fixes @@ -257,6 +269,7 @@ rm modules/ssl/ssl_engine_dh.c %patch36 -p1 -b .r1573626 %patch37 -p1 -b .uds %patch38 -p1 -b .upn +%patch39 -p1 -b .r1664565 %patch51 -p1 -b .sninotreq %patch55 -p1 -b .malformedhost 
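Review bot: `%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT})` in the `@@ -4,7 +4,7 @@` hunk takes the vendor string from whatever host builds the package, and it expands to an empty string when the file or the variable is missing. If vstring feeds the server's version banner (not visible in this hunk), two builds of the same source can then report different or blank vendor strings. Giving the expansion a defined fallback keeps the result predictable, e.g. `%(source /etc/os-release 2>/dev/null; echo ${REDHAT_SUPPORT_PRODUCT:-FALLBACK})` with a fallback value chosen by the packager.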
@@ -297,6 +310,17 @@ rm modules/ssl/ssl_engine_dh.c %patch91 -p1 -b .r1650655 %patch92 -p1 -b .r1533448 %patch93 -p1 -b .r1610013 +%patch94 -p1 -b .r1705528 +%patch95 -p1 -b .r1684462 +%patch96 -p1 -b .r1650677 +%patch97 -p1 -b .r1621601 +%patch98 -p1 -b .r1610396 +%patch99 -p1 -b .rotatelogtimezone +%patch100 -p1 -b .absslerror +%patch101 -p1 -b .r1723522 +%patch102 -p1 -b .r1681107 +%patch103 -p1 -b .dhparamsfree +%patch104 -p1 -b .r1651658 %patch105 -p1 -b .r1560093 %patch106 -p1 -b .r1748212 @@ -465,10 +489,8 @@ EOF # Handle contentdir mkdir $RPM_BUILD_ROOT%{contentdir}/noindex -tar xzf $RPM_SOURCE_DIR/centos-noindex.tar.gz \ - -C $RPM_BUILD_ROOT%{contentdir}/noindex/ \ - --strip-components=1 - +install -m 644 -p $RPM_SOURCE_DIR/index.html \ + $RPM_BUILD_ROOT%{contentdir}/noindex/index.html rm -rf %{contentdir}/htdocs # remove manual sources @@ -491,7 +513,7 @@ rm -v $RPM_BUILD_ROOT%{docroot}/html/*.html \ $RPM_BUILD_ROOT%{docroot}/cgi-bin/* # Symlink for the powered-by-$DISTRO image: -ln -s ../noindex/images/poweredby.png \ +ln -s ../../pixmaps/poweredby.png \ $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png # symlinks for /etc/httpd @@ -591,7 +613,7 @@ fi %{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > %{sslkey} 2> /dev/null FQDN=`hostname` -if [ "x${FQDN}" = "x" ]; then +if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then FQDN=localhost.localdomain fi @@ -677,7 +699,7 @@ rm -rf $RPM_BUILD_ROOT %{contentdir}/error/README %{contentdir}/error/*.var %{contentdir}/error/include/*.html -%{contentdir}/noindex/* +%{contentdir}/noindex/index.html %dir %{docroot} %dir %{docroot}/cgi-bin 
@@ -743,23 +765,37 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog -* Mon Jul 18 2016 CentOS Sources - 2.4.6-40.el7.centos.4 -- Remove index.html, add centos-noindex.tar.gz -- change vstring -- change symlink for poweredby.png -- update welcome.conf with proper aliases +* Wed Aug 03 2016 Luboš Uhliarik - 2.4.6-45 +- RFE: run mod_rewrite external mapping program as non-root (#1316900) -* Tue Jul 12 2016 Joe Orton - 2.4.6-40.4 +* Tue Jul 12 2016 Joe Orton - 2.4.6-44 - add security fix for CVE-2016-5387 -* Thu Jul 7 2016 Joe Orton - 2.4.6-40.3 -- add 451 (Unavailable For Legal Reasons) response status-code (#1353269) - -* Fri Jun 17 2016 Joe Orton - 2.4.6-40.2 -- mod_cache: treat cache as valid with changed Expires in 304 (#1347648) - -* Mon Mar 21 2016 Jan Kaluza - 2.4.6-40.1 -- fix apache user creation when apache group already exists (#1319001) +* Tue Jul 5 2016 Joe Orton - 2.4.6-43 +- add 451 (Unavailable For Legal Reasons) response status-code (#1343582) + +* Fri Jun 17 2016 Joe Orton - 2.4.6-42 +- mod_cache: treat cache as valid with changed Expires in 304 (#1331341) + +* Wed Feb 24 2016 Jan Kaluza - 2.4.6-41 +- mod_cache: merge r->err_headers_out into r->headers when the response + is cached for the first time (#1264989) +- mod_ssl: Do not send SSL warning when SNI hostname is not found as per + RFC 6066 (#1298148) +- mod_proxy_fcgi: Ignore body data from backend for 304 responses (#1263038) +- fix apache user creation when apache group already exists (#1299889) +- fix apache user creation when USERGROUPS_ENAB is set to 'no' (#1288757) +- mod_proxy: fix slow response time for reponses with error status code + when using ProxyErrorOverride (#1283653) +- mod_ldap: Respect LDAPConnectionPoolTTL for authn connections (#1300149) +- mod_ssl: use "localhost" in the dummy SSL cert for long FQDNs (#1240495) +- rotatelogs: improve support for localtime (#1244545) +- ab: fix read failure when targeting SSL server (#1255331) +- mod_log_debug: fix 
LogMessage example in documentation (#1279465) +- mod_authz_dbd, mod_authn_dbd, mod_session_dbd, mod_rewrite: Fix lifetime + of DB lookup entries independently of the selected DB engine (#1287844) +- mod_ssl: fix hardware crypto support with custom DH parms (#1291865) +- mod_proxy_fcgi: fix SCRIPT_FILENAME when a balancer is used (#1302797) * Thu Sep 17 2015 Jan Kaluza - 2.4.6-40 - mod_dav: follow up fix for previous commit (#1263975)