diff --git a/SOURCES/httpd-2.4.6-CVE-2013-6438.patch b/SOURCES/httpd-2.4.6-CVE-2013-6438.patch new file mode 100644 index 0000000..1b154f5 --- /dev/null +++ b/SOURCES/httpd-2.4.6-CVE-2013-6438.patch @@ -0,0 +1,14 @@ +--- a/modules/dav/main/util.c 2014/01/09 14:28:39 1556815 ++++ b/modules/dav/main/util.c 2014/01/09 14:29:47 1556816 +@@ -396,8 +396,10 @@ + + if (strip_white) { + /* trim leading whitespace */ +- while (apr_isspace(*cdata)) /* assume: return false for '\0' */ ++ while (apr_isspace(*cdata)) { /* assume: return false for '\0' */ + ++cdata; ++ --len; ++ } + + /* trim trailing whitespace */ + while (len-- > 0 && apr_isspace(cdata[len])) diff --git a/SOURCES/httpd-2.4.6-CVE-2014-0098.patch b/SOURCES/httpd-2.4.6-CVE-2014-0098.patch new file mode 100644 index 0000000..64d5064 --- /dev/null +++ b/SOURCES/httpd-2.4.6-CVE-2014-0098.patch @@ -0,0 +1,41 @@ +--- a/modules/loggers/mod_log_config.c 2013/11/15 17:07:52 1542329 ++++ b/modules/loggers/mod_log_config.c 2014/03/10 11:23:47 1575904 +@@ -543,14 +543,24 @@ + + while ((cookie = apr_strtok(cookies, ";", &last1))) { + char *name = apr_strtok(cookie, "=", &last2); +- if (name) { +- char *value = name + strlen(name) + 1; +- apr_collapse_spaces(name, name); ++ /* last2 points to the next char following an '=' delim, ++ or the trailing NUL char of the string */ ++ char *value = last2; ++ if (name && *name && value && *value) { ++ char *last = value - 2; ++ /* Move past leading WS */ ++ name += strspn(name, " \t"); ++ while (last >= name && apr_isspace(*last)) { ++ *last = '\0'; ++ --last; ++ } + + if (!strcasecmp(name, a)) { +- char *last; +- value += strspn(value, " \t"); /* Move past leading WS */ +- last = value + strlen(value) - 1; ++ /* last1 points to the next char following the ';' delim, ++ or the trailing NUL char of the string */ ++ last = last1 - (*last1 ? 2 : 1); ++ /* Move past leading WS */ ++ value += strspn(value, " \t"); + while (last >= value && apr_isspace(*last)) { + *last = '\0'; + --last; +@@ -559,6 +569,7 @@ + return ap_escape_logitem(r->pool, value); + } + } ++ /* Iterate the remaining tokens using apr_strtok(NULL, ...) */ + cookies = NULL; + } + } diff --git a/SOURCES/httpd-2.4.6-r1507681+.patch b/SOURCES/httpd-2.4.6-r1507681+.patch new file mode 100644 index 0000000..82a3b41 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1507681+.patch @@ -0,0 +1,62 @@ +# ./pullrev.sh 1507681 1533447 + +https://bugzilla.redhat.com/show_bug.cgi?id=1004046 + +http://svn.apache.org/viewvc?view=revision&revision=1507681 +http://svn.apache.org/viewvc?view=revision&revision=1533447 + +--- httpd-2.4.6/modules/dav/main/mod_dav.c ++++ httpd-2.4.6/modules/dav/main/mod_dav.c +@@ -2756,7 +2756,7 @@ + * The multistatus responses will contain the information about any + * resource that fails the validation. + * +- * We check the parent resource, too, since this is a MOVE. Moving the ++ * We check the parent resource, too, if this is a MOVE. Moving the + * resource effectively removes it from the parent collection, so we + * must ensure that we have met the appropriate conditions. + * +@@ -2765,7 +2765,9 @@ + */ + if ((err = dav_validate_request(r, resource, depth, NULL, + &multi_response, +- DAV_VALIDATE_PARENT ++ (is_move ? DAV_VALIDATE_PARENT ++ : DAV_VALIDATE_RESOURCE ++ | DAV_VALIDATE_NO_MODIFY) + | DAV_VALIDATE_USE_424, + NULL)) != NULL) { + err = dav_push_error(r->pool, err->status, 0, +--- httpd-2.4.6/modules/dav/main/util.c ++++ httpd-2.4.6/modules/dav/main/util.c +@@ -954,13 +954,16 @@ + /* + ** For methods other than LOCK: + ** +- ** If we have no locks, then can be set to true -- ++ ** If we have no locks or if the resource is not being modified ++ ** (per RFC 4918 the lock token is not required on resources ++ ** we are not changing), then can be set to true -- + ** pretending that we've already met the requirement of seeing one + ** of the resource's locks in the If: header. + ** + ** Otherwise, it must be cleared and we'll look for one. + */ +- seen_locktoken = (lock_list == NULL); ++ seen_locktoken = (lock_list == NULL ++ || flags & DAV_VALIDATE_NO_MODIFY); + } + + /* +--- httpd-2.4.6/modules/dav/main/mod_dav.h ++++ httpd-2.4.6/modules/dav/main/mod_dav.h +@@ -1297,6 +1297,9 @@ + the 424 DAV:response */ + #define DAV_VALIDATE_USE_424 0x0080 /* return 424 status, not 207 */ + #define DAV_VALIDATE_IS_PARENT 0x0100 /* for internal use */ ++#define DAV_VALIDATE_NO_MODIFY 0x0200 /* resource is not being modified ++ so allow even if lock token ++ is not provided */ + + /* Lock-null related public lock functions */ + DAV_DECLARE(int) dav_get_resource_state(request_rec *r, diff --git a/SOURCES/httpd-2.4.6-r1542327.patch b/SOURCES/httpd-2.4.6-r1542327.patch new file mode 100644 index 0000000..b11b535 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1542327.patch @@ -0,0 +1,868 @@ +# ./pullrev.sh 1542327 +http://svn.apache.org/viewvc?view=revision&revision=1542327 + +--- httpd-2.4.6/LAYOUT.r1542327 ++++ httpd-2.4.6/LAYOUT +@@ -108,7 +108,6 @@ modules/ ................ Manditory and + mod_ssl.c ............... main source file containing API structures + mod_ssl.h ............... common header file of mod_ssl + ssl_engine_config.c ..... module configuration handling +- ssl_engine_dh.c ......... DSA/DH support + ssl_engine_init.c ....... module initialization + ssl_engine_io.c ......... I/O support + ssl_engine_kernel.c ..... SSL engine kernel +--- httpd-2.4.6/modules/ssl/config.m4.r1542327 ++++ httpd-2.4.6/modules/ssl/config.m4 +@@ -20,7 +20,6 @@ dnl # list of module object files + ssl_objs="dnl + mod_ssl.lo dnl + ssl_engine_config.lo dnl +-ssl_engine_dh.lo dnl + ssl_engine_init.lo dnl + ssl_engine_io.lo dnl + ssl_engine_kernel.lo dnl +--- httpd-2.4.6/modules/ssl/mod_ssl.c.r1542327 ++++ httpd-2.4.6/modules/ssl/mod_ssl.c +@@ -515,15 +515,6 @@ int ssl_init_ssl_connection(conn_rec *c, + + sslconn->ssl = ssl; + +- /* +- * Configure callbacks for SSL connection +- */ +- SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); +- SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); +-#ifndef OPENSSL_NO_EC +- SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH); +-#endif +- + SSL_set_verify_result(ssl, X509_V_OK); + + ssl_io_filter_init(c, r, ssl); +--- httpd-2.4.6/modules/ssl/mod_ssl.dsp.r1542327 ++++ httpd-2.4.6/modules/ssl/mod_ssl.dsp +@@ -112,10 +112,6 @@ SOURCE=.\ssl_engine_config.c + # End Source File + # Begin Source File + +-SOURCE=.\ssl_engine_dh.c +-# End Source File +-# Begin Source File +- + SOURCE=.\ssl_engine_init.c + # End Source File + # Begin Source File +--- httpd-2.4.6/modules/ssl/ssl_engine_config.c.r1542327 ++++ httpd-2.4.6/modules/ssl/ssl_engine_config.c +@@ -76,8 +76,6 @@ SSLModConfigRec *ssl_config_global_creat + mc->stapling_mutex = NULL; + #endif + +- memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys)); +- + apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY, + apr_pool_cleanup_null, + pool); +--- httpd-2.4.6/modules/ssl/ssl_engine_dh.c.r1542327 ++++ httpd-2.4.6/modules/ssl/ssl_engine_dh.c +@@ -1,244 +0,0 @@ +-#if 0 +-=pod +-#endif +- +-/* Licensed to the Apache Software Foundation (ASF) under one or more +- * contributor license agreements. See the NOTICE file distributed with +- * this work for additional information regarding copyright ownership. +- * The ASF licenses this file to You under the Apache License, Version 2.0 +- * (the "License"); you may not use this file except in compliance with +- * the License. You may obtain a copy of the License at +- * +- * http://www.apache.org/licenses/LICENSE-2.0 +- * +- * Unless required by applicable law or agreed to in writing, software +- * distributed under the License is distributed on an "AS IS" BASIS, +- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +- * See the License for the specific language governing permissions and +- * limitations under the License. +- */ +- +-/* _ _ +- * _ __ ___ ___ __| | ___ ___| | mod_ssl +- * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL +- * | | | | | | (_) | (_| | \__ \__ \ | +- * |_| |_| |_|\___/ \__,_|___|___/___/_| +- * |_____| +- * ssl_engine_dh.c +- * Diffie-Hellman Built-in Temporary Parameters +- */ +- +-#include "ssl_private.h" +- +-/* ----BEGIN GENERATED SECTION-------- */ +- +-/* +-** Diffie-Hellman-Parameters: (512 bit) +-** prime: +-** 00:9f:db:8b:8a:00:45:44:f0:04:5f:17:37:d0:ba: +-** 2e:0b:27:4c:df:1a:9f:58:82:18:fb:43:53:16:a1: +-** 6e:37:41:71:fd:19:d8:d8:f3:7c:39:bf:86:3f:d6: +-** 0e:3e:30:06:80:a3:03:0c:6e:4c:37:57:d0:8f:70: +-** e6:aa:87:10:33 +-** generator: 2 (0x2) +-** Diffie-Hellman-Parameters: (1024 bit) +-** prime: +-** 00:d6:7d:e4:40:cb:bb:dc:19:36:d6:93:d3:4a:fd: +-** 0a:d5:0c:84:d2:39:a4:5f:52:0b:b8:81:74:cb:98: +-** bc:e9:51:84:9f:91:2e:63:9c:72:fb:13:b4:b4:d7: +-** 17:7e:16:d5:5a:c1:79:ba:42:0b:2a:29:fe:32:4a: +-** 46:7a:63:5e:81:ff:59:01:37:7b:ed:dc:fd:33:16: +-** 8a:46:1a:ad:3b:72:da:e8:86:00:78:04:5b:07:a7: +-** db:ca:78:74:08:7d:15:10:ea:9f:cc:9d:dd:33:05: +-** 07:dd:62:db:88:ae:aa:74:7d:e0:f4:d6:e2:bd:68: +-** b0:e7:39:3e:0f:24:21:8e:b3 +-** generator: 2 (0x2) +-*/ +- +-static unsigned char dh512_p[] = { +- 0x9F, 0xDB, 0x8B, 0x8A, 0x00, 0x45, 0x44, 0xF0, 0x04, 0x5F, 0x17, 0x37, +- 0xD0, 0xBA, 0x2E, 0x0B, 0x27, 0x4C, 0xDF, 0x1A, 0x9F, 0x58, 0x82, 0x18, +- 0xFB, 0x43, 0x53, 0x16, 0xA1, 0x6E, 0x37, 0x41, 0x71, 0xFD, 0x19, 0xD8, +- 0xD8, 0xF3, 0x7C, 0x39, 0xBF, 0x86, 0x3F, 0xD6, 0x0E, 0x3E, 0x30, 0x06, +- 0x80, 0xA3, 0x03, 0x0C, 0x6E, 0x4C, 0x37, 0x57, 0xD0, 0x8F, 0x70, 0xE6, +- 0xAA, 0x87, 0x10, 0x33, +-}; +-static unsigned char dh512_g[] = { +- 0x02, +-}; +- +-static DH *get_dh512(void) +-{ +- DH *dh; +- +- if (!(dh = DH_new())) { +- return NULL; +- } +- +- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); +- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); +- if (!(dh->p && dh->g)) { +- DH_free(dh); +- return NULL; +- } +- +- return dh; +-} +- +-static unsigned char dh1024_p[] = { +- 0xD6, 0x7D, 0xE4, 0x40, 0xCB, 0xBB, 0xDC, 0x19, 0x36, 0xD6, 0x93, 0xD3, +- 0x4A, 0xFD, 0x0A, 0xD5, 0x0C, 0x84, 0xD2, 0x39, 0xA4, 0x5F, 0x52, 0x0B, +- 0xB8, 0x81, 0x74, 0xCB, 0x98, 0xBC, 0xE9, 0x51, 0x84, 0x9F, 0x91, 0x2E, +- 0x63, 0x9C, 0x72, 0xFB, 0x13, 0xB4, 0xB4, 0xD7, 0x17, 0x7E, 0x16, 0xD5, +- 0x5A, 0xC1, 0x79, 0xBA, 0x42, 0x0B, 0x2A, 0x29, 0xFE, 0x32, 0x4A, 0x46, +- 0x7A, 0x63, 0x5E, 0x81, 0xFF, 0x59, 0x01, 0x37, 0x7B, 0xED, 0xDC, 0xFD, +- 0x33, 0x16, 0x8A, 0x46, 0x1A, 0xAD, 0x3B, 0x72, 0xDA, 0xE8, 0x86, 0x00, +- 0x78, 0x04, 0x5B, 0x07, 0xA7, 0xDB, 0xCA, 0x78, 0x74, 0x08, 0x7D, 0x15, +- 0x10, 0xEA, 0x9F, 0xCC, 0x9D, 0xDD, 0x33, 0x05, 0x07, 0xDD, 0x62, 0xDB, +- 0x88, 0xAE, 0xAA, 0x74, 0x7D, 0xE0, 0xF4, 0xD6, 0xE2, 0xBD, 0x68, 0xB0, +- 0xE7, 0x39, 0x3E, 0x0F, 0x24, 0x21, 0x8E, 0xB3, +-}; +-static unsigned char dh1024_g[] = { +- 0x02, +-}; +- +-static DH *get_dh1024(void) +-{ +- DH *dh; +- +- if (!(dh = DH_new())) { +- return NULL; +- } +- +- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); +- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); +- if (!(dh->p && dh->g)) { +- DH_free(dh); +- return NULL; +- } +- +- return dh; +-} +- +-/* ----END GENERATED SECTION---------- */ +- +-DH *ssl_dh_GetTmpParam(int nKeyLen) +-{ +- DH *dh; +- +- if (nKeyLen == 512) +- dh = get_dh512(); +- else if (nKeyLen == 1024) +- dh = get_dh1024(); +- else +- dh = get_dh1024(); +- return dh; +-} +- +-DH *ssl_dh_GetParamFromFile(char *file) +-{ +- DH *dh = NULL; +- BIO *bio; +- +- if ((bio = BIO_new_file(file, "r")) == NULL) +- return NULL; +- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); +- BIO_free(bio); +- return (dh); +-} +- +-/* +-=cut +-## +-## Embedded Perl script for generating the temporary DH parameters +-## +- +-require 5.003; +-use strict; +- +-# configuration +-my $file = $0; +-my $begin = '----BEGIN GENERATED SECTION--------'; +-my $end = '----END GENERATED SECTION----------'; +- +-# read ourself and keep a backup +-open(FP, "<$file") || die; +-my $source = ''; +-$source .= $_ while (); +-close(FP); +-open(FP, ">$file.bak") || die; +-print FP $source; +-close(FP); +- +-# generate the DH parameters +-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n"; +-my $rand = ''; +-foreach $file (qw(/var/log/messages /var/adm/messages +- /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) { +- if (-f $file) { +- $rand = $file if ($rand eq ''); +- $rand .= ":$file" if ($rand ne ''); +- } +-} +-$rand = "-rand $rand" if ($rand ne ''); +-system("openssl gendh $rand -out dh512.pem 512"); +-system("openssl gendh $rand -out dh1024.pem 1024"); +- +-# generate DH param info +-my $dhinfo = ''; +-open(FP, "openssl dh -noout -text -in dh512.pem |") || die; +-$dhinfo .= $_ while (); +-close(FP); +-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die; +-$dhinfo .= $_ while (); +-close(FP); +-$dhinfo =~ s|^|** |mg; +-$dhinfo = "\n\/\*\n$dhinfo\*\/\n\n"; +- +-my $indent_args = "-i4 -npsl -di0 -br -nce -d0 -cli0 -npcs -nfc1"; +- +-# generate C source from DH params +-my $dhsource = ''; +-open(FP, "openssl dh -noout -C -in dh512.pem | indent $indent_args | expand |") || die; +-$dhsource .= $_ while (); +-close(FP); +-open(FP, "openssl dh -noout -C -in dh1024.pem | indent $indent_args | expand |") || die; +-$dhsource .= $_ while (); +-close(FP); +-$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void) +-{ +- DH *dh; +- +- if (!(dh = DH_new())) { +- return NULL; +- } +- +- dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL); +- dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL); +- if (!(dh->p && dh->g)) { +- DH_free(dh); +- return NULL; +- } +- +- return dh; +-} +-|sg; +- +-# generate output +-my $o = $dhinfo . $dhsource; +- +-# insert the generated code at the target location +-$source =~ s|(\/\* $begin.+?\n).*\n(.*?\/\* $end)|$1$o$2|s; +- +-# and update the source on disk +-print "Updating file `$file'\n"; +-open(FP, ">$file") || die; +-print FP $source; +-close(FP); +- +-# cleanup +-unlink("dh512.pem"); +-unlink("dh1024.pem"); +- +-=pod +-*/ +--- httpd-2.4.6/modules/ssl/ssl_engine_init.c.r1542327 ++++ httpd-2.4.6/modules/ssl/ssl_engine_init.c +@@ -56,180 +56,6 @@ static void ssl_add_version_components(a + modver, AP_SERVER_BASEVERSION, incver); + } + +- +-/* +- * Handle the Temporary RSA Keys and DH Params +- */ +- +-#define MODSSL_TMP_KEY_FREE(mc, type, idx) \ +- if (mc->pTmpKeys[idx]) { \ +- type##_free((type *)mc->pTmpKeys[idx]); \ +- mc->pTmpKeys[idx] = NULL; \ +- } +- +-#define MODSSL_TMP_KEYS_FREE(mc, type) \ +- MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_512); \ +- MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_1024) +- +-static void ssl_tmp_keys_free(server_rec *s) +-{ +- SSLModConfigRec *mc = myModConfig(s); +- +- MODSSL_TMP_KEYS_FREE(mc, RSA); +- MODSSL_TMP_KEYS_FREE(mc, DH); +-#ifndef OPENSSL_NO_EC +- MODSSL_TMP_KEY_FREE(mc, EC_KEY, SSL_TMP_KEY_EC_256); +-#endif +-} +- +-static int ssl_tmp_key_init_rsa(server_rec *s, +- int bits, int idx) +-{ +- SSLModConfigRec *mc = myModConfig(s); +- +-#ifdef HAVE_FIPS +- +- if (FIPS_mode() && bits < 1024) { +- mc->pTmpKeys[idx] = NULL; +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01877) +- "Init: Skipping generating temporary " +- "%d bit RSA private key in FIPS mode", bits); +- return OK; +- } +- +-#endif +-#ifdef HAVE_GENERATE_EX +- { +- RSA *tkey; +- BIGNUM *bn_f4; +- if (!(tkey = RSA_new()) +- || !(bn_f4 = BN_new()) +- || !BN_set_word(bn_f4, RSA_F4) +- || !RSA_generate_key_ex(tkey, bits, bn_f4, NULL)) +- { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01878) +- "Init: Failed to generate temporary " +- "%d bit RSA private key", bits); +- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); +- return !OK; +- } +- BN_free(bn_f4); +- mc->pTmpKeys[idx] = tkey; +- } +-#else +- if (!(mc->pTmpKeys[idx] = +- RSA_generate_key(bits, RSA_F4, NULL, NULL))) +- { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01879) +- "Init: Failed to generate temporary " +- "%d bit RSA private key", bits); +- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); +- return !OK; +- } +-#endif +- +- return OK; +-} +- +-static int ssl_tmp_key_init_dh(server_rec *s, +- int bits, int idx) +-{ +- SSLModConfigRec *mc = myModConfig(s); +- +-#ifdef HAVE_FIPS +- +- if (FIPS_mode() && bits < 1024) { +- mc->pTmpKeys[idx] = NULL; +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01880) +- "Init: Skipping generating temporary " +- "%d bit DH parameters in FIPS mode", bits); +- return OK; +- } +- +-#endif +- +- if (!(mc->pTmpKeys[idx] = +- ssl_dh_GetTmpParam(bits))) +- { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01881) +- "Init: Failed to generate temporary " +- "%d bit DH parameters", bits); +- return !OK; +- } +- +- return OK; +-} +- +-#ifndef OPENSSL_NO_EC +-static int ssl_tmp_key_init_ec(server_rec *s, +- int bits, int idx) +-{ +- SSLModConfigRec *mc = myModConfig(s); +- EC_KEY *ecdh = NULL; +- +- /* XXX: Are there any FIPS constraints we should enforce? */ +- +- if (bits != 256) { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02298) +- "Init: Failed to generate temporary " +- "%d bit EC parameters, only 256 bits supported", bits); +- return !OK; +- } +- +- if ((ecdh = EC_KEY_new()) == NULL || +- EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1) +- { +- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02299) +- "Init: Failed to generate temporary " +- "%d bit EC parameters", bits); +- return !OK; +- } +- +- mc->pTmpKeys[idx] = ecdh; +- return OK; +-} +- +-#define MODSSL_TMP_KEY_INIT_EC(s, bits) \ +- ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits) +- +-#endif +- +-#define MODSSL_TMP_KEY_INIT_RSA(s, bits) \ +- ssl_tmp_key_init_rsa(s, bits, SSL_TMP_KEY_RSA_##bits) +- +-#define MODSSL_TMP_KEY_INIT_DH(s, bits) \ +- ssl_tmp_key_init_dh(s, bits, SSL_TMP_KEY_DH_##bits) +- +-static int ssl_tmp_keys_init(server_rec *s) +-{ +- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, +- "Init: Generating temporary RSA private keys (512/1024 bits)"); +- +- if (MODSSL_TMP_KEY_INIT_RSA(s, 512) || +- MODSSL_TMP_KEY_INIT_RSA(s, 1024)) { +- return !OK; +- } +- +- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, +- "Init: Generating temporary DH parameters (512/1024 bits)"); +- +- if (MODSSL_TMP_KEY_INIT_DH(s, 512) || +- MODSSL_TMP_KEY_INIT_DH(s, 1024)) { +- return !OK; +- } +- +-#ifndef OPENSSL_NO_EC +- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, +- "Init: Generating temporary EC parameters (256 bits)"); +- +- if (MODSSL_TMP_KEY_INIT_EC(s, 256)) { +- return !OK; +- } +-#endif +- +- return OK; +-} +- + /* + * Per-module initialization + */ +@@ -370,10 +196,6 @@ int ssl_init_Module(apr_pool_t *p, apr_p + */ + ssl_pphrase_Handle(base_server, ptemp); + +- if (ssl_tmp_keys_init(base_server)) { +- return !OK; +- } +- + /* + * initialize the mutex handling + */ +@@ -681,6 +503,9 @@ static void ssl_init_ctx_protocol(server + * Configure additional context ingredients + */ + SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); ++#ifndef OPENSSL_NO_EC ++ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE); ++#endif + + #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION + /* +@@ -721,11 +546,7 @@ static void ssl_init_ctx_callbacks(serve + { + SSL_CTX *ctx = mctx->ssl_ctx; + +- SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); +-#ifndef OPENSSL_NO_EC +- SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH); +-#endif + + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); + +@@ -1165,12 +986,16 @@ static void ssl_init_server_certs(server + modssl_ctx_t *mctx) + { + const char *rsa_id, *dsa_id; +-#ifndef OPENSSL_NO_EC ++#ifndef OPENSSL_NO_EC + const char *ecc_id; ++ EC_GROUP *ecparams; ++ int nid; ++ EC_KEY *eckey; + #endif + const char *vhost_id = mctx->sc->vhost_id; + int i; + int have_rsa, have_dsa; ++ DH *dhparams; + #ifndef OPENSSL_NO_EC + int have_ecc; + #endif +@@ -1217,6 +1042,40 @@ static void ssl_init_server_certs(server + "Oops, no " KEYTYPES " server private key found?!"); + ssl_die(s); + } ++ ++ /* ++ * Try to read DH parameters from the (first) SSLCertificateFile ++ */ ++ if ((mctx->pks->cert_files[0] != NULL) && ++ (dhparams = ssl_dh_GetParamFromFile(mctx->pks->cert_files[0]))) { ++ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) ++ "Custom DH parameters (%d bits) for %s loaded from %s", ++ BN_num_bits(dhparams->p), vhost_id, ++ mctx->pks->cert_files[0]); ++ } ++ ++#ifndef OPENSSL_NO_EC ++ /* ++ * Similarly, try to read the ECDH curve name from SSLCertificateFile... ++ */ ++ if ((mctx->pks->cert_files[0] != NULL) && ++ (ecparams = ssl_ec_GetParamFromFile(mctx->pks->cert_files[0])) && ++ (nid = EC_GROUP_get_curve_name(ecparams)) && ++ (eckey = EC_KEY_new_by_curve_name(nid))) { ++ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey); ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541) ++ "ECDH curve %s for %s specified in %s", ++ OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]); ++ } ++ /* ++ * ...otherwise, configure NIST P-256 (required to enable ECDHE) ++ */ ++ else { ++ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, ++ EC_KEY_new_by_curve_name(NID_X9_62_prime256v1)); ++ } ++#endif + } + + #ifdef HAVE_TLS_SESSION_TICKETS +@@ -1754,11 +1613,6 @@ apr_status_t ssl_init_ModuleKill(void *d + ssl_scache_kill(base_server); + + /* +- * Destroy the temporary keys and params +- */ +- ssl_tmp_keys_free(base_server); +- +- /* + * Free the non-pool allocated structures + * in the per-server configurations + */ +--- httpd-2.4.6/modules/ssl/ssl_engine_kernel.c.r1542327 ++++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c +@@ -1289,117 +1289,70 @@ const authz_provider ssl_authz_provider_ + */ + + /* +- * Handle out temporary RSA private keys on demand +- * +- * The background of this as the TLSv1 standard explains it: +- * +- * | D.1. Temporary RSA keys +- * | +- * | US Export restrictions limit RSA keys used for encryption to 512 +- * | bits, but do not place any limit on lengths of RSA keys used for +- * | signing operations. Certificates often need to be larger than 512 +- * | bits, since 512-bit RSA keys are not secure enough for high-value +- * | transactions or for applications requiring long-term security. Some +- * | certificates are also designated signing-only, in which case they +- * | cannot be used for key exchange. +- * | +- * | When the public key in the certificate cannot be used for encryption, +- * | the server signs a temporary RSA key, which is then exchanged. In +- * | exportable applications, the temporary RSA key should be the maximum +- * | allowable length (i.e., 512 bits). Because 512-bit RSA keys are +- * | relatively insecure, they should be changed often. For typical +- * | electronic commerce applications, it is suggested that keys be +- * | changed daily or every 500 transactions, and more often if possible. +- * | Note that while it is acceptable to use the same temporary key for +- * | multiple transactions, it must be signed each time it is used. +- * | +- * | RSA key generation is a time-consuming process. In many cases, a +- * | low-priority process can be assigned the task of key generation. +- * | Whenever a new key is completed, the existing temporary key can be +- * | replaced with the new one. +- * +- * XXX: base on comment above, if thread support is enabled, +- * we should spawn a low-priority thread to generate new keys +- * on the fly. +- * +- * So we generated 512 and 1024 bit temporary keys on startup +- * which we now just hand out on demand.... ++ * Grab well-defined DH parameters from OpenSSL, see ++ * (get_rfc*) for all available primes. + */ +- +-RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen) +-{ +- conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); +- SSLModConfigRec *mc = myModConfigFromConn(c); +- int idx; +- +- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, +- "handing out temporary %d bit RSA key", keylen); +- +- /* doesn't matter if export flag is on, +- * we won't be asked for keylen > 512 in that case. +- * if we are asked for a keylen > 1024, it is too expensive +- * to generate on the fly. +- * XXX: any reason not to generate 2048 bit keys at startup? +- */ +- +- switch (keylen) { +- case 512: +- idx = SSL_TMP_KEY_RSA_512; +- break; +- +- case 1024: +- default: +- idx = SSL_TMP_KEY_RSA_1024; +- } +- +- return (RSA *)mc->pTmpKeys[idx]; ++#define make_get_dh(rfc,size,gen) \ ++static DH *get_dh##size(void) \ ++{ \ ++ DH *dh; \ ++ if (!(dh = DH_new())) { \ ++ return NULL; \ ++ } \ ++ dh->p = get_##rfc##_prime_##size(NULL); \ ++ BN_dec2bn(&dh->g, #gen); \ ++ if (!dh->p || !dh->g) { \ ++ DH_free(dh); \ ++ return NULL; \ ++ } \ ++ return dh; \ + } + + /* +- * Hand out the already generated DH parameters... ++ * Prepare DH parameters from 1024 to 4096 bits, in 1024-bit increments ++ */ ++make_get_dh(rfc2409, 1024, 2) ++make_get_dh(rfc3526, 2048, 2) ++make_get_dh(rfc3526, 3072, 2) ++make_get_dh(rfc3526, 4096, 2) ++ ++/* ++ * Hand out standard DH parameters, based on the authentication strength + */ + DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen) + { + conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); +- SSLModConfigRec *mc = myModConfigFromConn(c); +- int idx; +- +- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, +- "handing out temporary %d bit DH key", keylen); ++ EVP_PKEY *pkey = SSL_get_privatekey(ssl); ++ int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; + +- switch (keylen) { +- case 512: +- idx = SSL_TMP_KEY_DH_512; +- break; +- +- case 1024: +- default: +- idx = SSL_TMP_KEY_DH_1024; ++ /* ++ * OpenSSL will call us with either keylen == 512 or keylen == 1024 ++ * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h). ++ * Adjust the DH parameter length according to the size of the ++ * RSA/DSA private key used for the current connection, and always ++ * use at least 1024-bit parameters. ++ * Note: This may cause interoperability issues with implementations ++ * which limit their DH support to 1024 bit - e.g. Java 7 and earlier. ++ * In this case, SSLCertificateFile can be used to specify fixed ++ * 1024-bit DH parameters (with the effect that OpenSSL skips this ++ * callback). ++ */ ++ if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) { ++ keylen = EVP_PKEY_bits(pkey); + } + +- return (DH *)mc->pTmpKeys[idx]; +-} +- +-#ifndef OPENSSL_NO_EC +-EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen) +-{ +- conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); +- SSLModConfigRec *mc = myModConfigFromConn(c); +- int idx; +- +- /* XXX Uses 256-bit key for now. TODO: support other sizes. */ + ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c, +- "handing out temporary 256 bit ECC key"); +- +- switch (keylen) { +- case 256: +- default: +- idx = SSL_TMP_KEY_EC_256; +- } ++ "handing out built-in DH parameters for %d-bit authenticated connection", keylen); + +- return (EC_KEY *)mc->pTmpKeys[idx]; ++ if (keylen >= 4096) ++ return get_dh4096(); ++ else if (keylen >= 3072) ++ return get_dh3072(); ++ else if (keylen >= 2048) ++ return get_dh2048(); ++ else ++ return get_dh1024(); + } +-#endif + + /* + * This OpenSSL callback function is called when OpenSSL +--- httpd-2.4.6/modules/ssl/ssl_private.h.r1542327 ++++ httpd-2.4.6/modules/ssl/ssl_private.h +@@ -310,22 +310,6 @@ typedef int ssl_algo_t; + #define SSL_AIDX_MAX (2) + #endif + +- +-/** +- * Define IDs for the temporary RSA keys and DH params +- */ +- +-#define SSL_TMP_KEY_RSA_512 (0) +-#define SSL_TMP_KEY_RSA_1024 (1) +-#define SSL_TMP_KEY_DH_512 (2) +-#define SSL_TMP_KEY_DH_1024 (3) +-#ifndef OPENSSL_NO_EC +-#define SSL_TMP_KEY_EC_256 (4) +-#define SSL_TMP_KEY_MAX (5) +-#else +-#define SSL_TMP_KEY_MAX (4) +-#endif +- + /** + * Define the SSL options + */ +@@ -547,7 +531,6 @@ typedef struct { + apr_global_mutex_t *pMutex; + apr_array_header_t *aRandSeed; + apr_hash_t *tVHostKeys; +- void *pTmpKeys[SSL_TMP_KEY_MAX]; + + /* Two hash tables of pointers to ssl_asn1_t structures. The + * structures are used to store certificates and private keys +@@ -837,11 +820,7 @@ extern const authz_provider ssl_authz_pr + extern const authz_provider ssl_authz_provider_verify_client; + + /** OpenSSL callbacks */ +-RSA *ssl_callback_TmpRSA(SSL *, int, int); + DH *ssl_callback_TmpDH(SSL *, int, int); +-#ifndef OPENSSL_NO_EC +-EC_KEY *ssl_callback_TmpECDH(SSL *, int, int); +-#endif + int ssl_callback_SSLVerify(int, X509_STORE_CTX *); + int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *); + int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey); +@@ -921,8 +900,10 @@ int ssl_init_ssl_connection(con + void ssl_pphrase_Handle(server_rec *, apr_pool_t *); + + /** Diffie-Hellman Parameter Support */ +-DH *ssl_dh_GetTmpParam(int); +-DH *ssl_dh_GetParamFromFile(char *); ++DH *ssl_dh_GetParamFromFile(const char *); ++#ifndef OPNESSL_NO_EC ++EC_GROUP *ssl_ec_GetParamFromFile(const char *); ++#endif + + unsigned char *ssl_asn1_table_set(apr_hash_t *table, + const char *key, +--- httpd-2.4.6/modules/ssl/ssl_util_ssl.c.r1542327 ++++ httpd-2.4.6/modules/ssl/ssl_util_ssl.c +@@ -483,6 +483,38 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t + + /* _________________________________________________________________ + ** ++** Custom (EC)DH parameter support ++** _________________________________________________________________ ++*/ ++ ++DH *ssl_dh_GetParamFromFile(const char *file) ++{ ++ DH *dh = NULL; ++ BIO *bio; ++ ++ if ((bio = BIO_new_file(file, "r")) == NULL) ++ return NULL; ++ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); ++ BIO_free(bio); ++ return (dh); ++} ++ ++#ifndef OPENSSL_NO_EC ++EC_GROUP *ssl_ec_GetParamFromFile(const char *file) ++{ ++ EC_GROUP *group = NULL; ++ BIO *bio; ++ ++ if ((bio = BIO_new_file(file, "r")) == NULL) ++ return NULL; ++ group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); ++ BIO_free(bio); ++ return (group); ++} ++#endif ++ ++/* _________________________________________________________________ ++** + ** Extra Server Certificate Chain Support + ** _________________________________________________________________ + */ diff --git a/SOURCES/httpd-2.4.6-r1553540.patch b/SOURCES/httpd-2.4.6-r1553540.patch new file mode 100644 index 0000000..6677cbb --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1553540.patch @@ -0,0 +1,28 @@ +# ./pullrev.sh 1553540 + +https://bugzilla.redhat.com/show_bug.cgi?id=1040447 + +http://svn.apache.org/viewvc?view=revision&revision=1553540 + +--- httpd-2.4.6/modules/proxy/mod_proxy_http.c ++++ httpd-2.4.6/modules/proxy/mod_proxy_http.c +@@ -710,7 +710,7 @@ + force10 = 0; + } + +- header_brigade = apr_brigade_create(p, origin->bucket_alloc); ++ header_brigade = apr_brigade_create(p, bucket_alloc); + rv = ap_proxy_create_hdrbrgd(p, header_brigade, r, p_conn, + worker, conf, uri, url, server_portstr, + &old_cl_val, &old_te_val); +@@ -1813,6 +1813,10 @@ + } + } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES)); + ++ /* We have to cleanup bb brigade, because buckets inserted to it could be ++ * created from scpool and this pool can be freed before this brigade. */ ++ apr_brigade_cleanup(bb); ++ + /* See define of AP_MAX_INTERIM_RESPONSES for why */ + if (interim_response >= AP_MAX_INTERIM_RESPONSES) { + return ap_proxyerror(r, HTTP_BAD_GATEWAY, diff --git a/SOURCES/httpd-2.4.6-r1556473.patch b/SOURCES/httpd-2.4.6-r1556473.patch new file mode 100644 index 0000000..009baa7 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1556473.patch @@ -0,0 +1,31 @@ +# ./pullrev.sh 1556473 + +https://bugzilla.redhat.com/show_bug.cgi?id=1036666 + +http://svn.apache.org/viewvc?view=revision&revision=1556473 + +--- httpd-2.4.6/modules/ssl/ssl_engine_config.c ++++ httpd-2.4.6/modules/ssl/ssl_engine_config.c +@@ -699,9 +699,20 @@ + #ifndef SSL_OP_NO_COMPRESSION + const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); + if (err) +- return "This version of openssl does not support configuring " +- "compression within sections."; ++ return "This version of OpenSSL does not support enabling " ++ "SSLCompression within sections."; + #endif ++ if (flag) { ++ /* Some (packaged) versions of OpenSSL do not support ++ * compression by default. Enabling this directive would not ++ * have the desired effect, so fail with an error. */ ++ STACK_OF(SSL_COMP) *meths = SSL_COMP_get_compression_methods(); ++ ++ if (sk_SSL_COMP_num(meths) == 0) { ++ return "This version of OpenSSL does not have any compression methods " ++ "available, cannot enable SSLCompression."; ++ } ++ } + sc->compression = flag ? TRUE : FALSE; + return NULL; + #else diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index 2afd8db..6fd7f3b 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -2,7 +2,8 @@ %define docroot /var/www %define suexec_caller apache %define mmn 20120211 -%define mmnisa %{mmn}-%{__isa_name}-%{__isa_bits} +%define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits} +%define mmnisa %{mmn}%{__isa_name}%{__isa_bits} %define vstring Red Hat # Drop automatic provides for module DSOs @@ -14,7 +15,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.6 -Release: 7%{?dist} +Release: 17%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -63,11 +64,18 @@ Patch29: httpd-2.4.3-mod_systemd.patch Patch30: httpd-2.4.4-cachehardmax.patch Patch31: httpd-2.4.6-sslmultiproxy.patch Patch32: httpd-2.4.6-r1537535.patch +Patch33: httpd-2.4.6-r1542327.patch # Bug fixes Patch51: httpd-2.4.3-sslsninotreq.patch Patch55: httpd-2.4.4-malformed-host.patch Patch56: httpd-2.4.4-mod_unique_id.patch Patch57: httpd-2.4.6-ldaprefer.patch +Patch58: httpd-2.4.6-r1507681+.patch +Patch59: httpd-2.4.6-r1556473.patch +Patch60: httpd-2.4.6-r1553540.patch +# Security fixes +Patch200: httpd-2.4.6-CVE-2013-6438.patch +Patch201: httpd-2.4.6-CVE-2014-0098.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -79,7 +87,7 @@ Requires: /etc/mime.types, system-logos >= 7.92.1-1 Obsoletes: httpd-suexec Provides: webserver Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release} -Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa} +Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}, httpd-mmn = %{oldmmnisa} Requires: httpd-tools = %{version}-%{release} Requires(pre): /usr/sbin/useradd Requires(preun): systemd-units @@ -191,11 +199,19 @@ interface for storing and accessing per-user session data. %patch30 -p1 -b .cachehardmax %patch31 -p1 -b .sslmultiproxy %patch32 -p1 -b .r1537535 +%patch33 -p1 -b .r1542327 +rm modules/ssl/ssl_engine_dh.c %patch51 -p1 -b .sninotreq %patch55 -p1 -b .malformedhost %patch56 -p1 -b .uniqueid %patch57 -p1 -b .ldaprefer +%patch58 -p1 -b .r1507681+ +%patch59 -p1 -b .r1556473 +%patch60 -p1 -b .r1553540 + +%patch200 -p1 -b .cve6438 +%patch201 -p1 -b .cve0098 # Patch in the vendor string and the release string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -228,6 +244,10 @@ autoheader && autoconf || exit 1 export CFLAGS=$RPM_OPT_FLAGS export LDFLAGS="-Wl,-z,relro,-z,now" +%ifarch ppc64 +CFLAGS="$CFLAGS -O3" +%endif + # Hard-code path to links to avoid unnecessary builddep export LYNX_PATH=/usr/bin/links @@ -465,7 +485,7 @@ if [ -f %{sslkey} -o -f %{sslcert} ]; then exit 0 fi -%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{sslkey} 2> /dev/null +%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > %{sslkey} 2> /dev/null FQDN=`hostname` if [ "x${FQDN}" = "x" ]; then @@ -473,7 +493,7 @@ if [ "x${FQDN}" = "x" ]; then fi cat << EOF | %{_bindir}/openssl req -new -key %{sslkey} \ - -x509 -days 365 -set_serial $RANDOM -extensions v3_req \ + -x509 -sha256 -days 365 -set_serial $RANDOM -extensions v3_req \ -out %{sslcert} 2>/dev/null -- SomeState @@ -620,6 +640,38 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Thu Mar 20 2014 Jan Kaluza - 2.4.6-17 +- mod_dav: add security fix for CVE-2013-6438 (#1077907) +- mod_log_config: add security fix for CVE-2014-0098 (#1077907) + +* Wed Mar 5 2014 Joe Orton - 2.4.6-16 +- mod_ssl: improve DH temp key handling (#1057687) + +* Wed Mar 5 2014 Joe Orton - 2.4.6-15 +- mod_ssl: use 2048-bit RSA key with SHA-256 signature in dummy certificate (#1071276) + +* Fri Jan 24 2014 Daniel Mach - 2.4.6-14 +- Mass rebuild 2014-01-24 + +* Mon Jan 13 2014 Joe Orton - 2.4.6-13 +- mod_ssl: sanity-check use of "SSLCompression" (#1036666) +- mod_proxy_http: fix brigade memory usage (#1040447) + +* Fri Jan 10 2014 Joe Orton - 2.4.6-12 +- rebuild + +* Thu Jan 9 2014 Joe Orton - 2.4.6-11 +- build with -O3 on ppc64 (#1051066) + +* Tue Jan 7 2014 Joe Orton - 2.4.6-10 +- mod_dav: fix locktoken handling (#1004046) + +* Fri Dec 27 2013 Daniel Mach - 2.4.6-9 +- Mass rebuild 2013-12-27 + +* Fri Dec 20 2013 Joe Orton - 2.4.6-8 +- use unambiguous httpd-mmn (#1029360) + * Fri Nov 1 2013 Jan Kaluza - 2.4.6-7 - mod_ssl: allow SSLEngine to override Listen-based default (#1023168)