[Foresight-commits] Source: httpd=2.2.9-4


repos-...@foresightlinux.org

Feb 12, 2013, 3:38:58 PM2/12/13
to foresigh...@lists.foresightlinux.org
================================
httpd:source=2.2.9-4
cvc rdiff httpd -1 /foresight.rpath.org@rpl:2-qa/2.2.9-4
================================
2.2.9-4 Michael K. Johnson (http://danlj.org/mkj/) Tue Feb 12 15:38:25 2013
automated promote to re-root on foresight.rpath.org@rpl:2-qa

httpd.conf.openoffice.patch: new
--- /dev/null
+++ httpd.conf.openoffice.patch
@@ -0,0 +25 @@
+--- httpd-2.2.3/httpd.conf.openoffice 2006-02-03 05:06:08.000000000 -0500
++++ httpd-2.2.3/httpd.conf 2006-12-20 16:53:24.000000000 -0500
+@@ -766,6 +766,22 @@
+ AddType application/x-compress .Z
+ AddType application/x-gzip .gz .tgz
+
++# These are for OpenOffice 2 files:
++AddType application/vnd.oasis.opendocument.chart .odc
++AddType application/vnd.oasis.opendocument.database .odb
++AddType application/vnd.oasis.opendocument.formula .odf
++AddType application/vnd.oasis.opendocument.graphics .odg
++AddType application/vnd.oasis.opendocument.graphics-template .otg
++AddType application/vnd.oasis.opendocument.image .odi
++AddType application/vnd.oasis.opendocument.presentation .odp
++AddType application/vnd.oasis.opendocument.presentation-template .otp
++AddType application/vnd.oasis.opendocument.spreadsheet .ods
++AddType application/vnd.oasis.opendocument.spreadsheet-template .ots
++AddType application/vnd.oasis.opendocument.text .odt
++AddType application/vnd.oasis.opendocument.text-master .odm
++AddType application/vnd.oasis.opendocument.text-template .ott
++AddType application/vnd.oasis.opendocument.text-web .oth
++
+ #
+ # AddHandler allows you to map certain file extensions to "handlers":
+ # actions unrelated to filetype. These can be either built into the server

httpd-2.2.9-CVE-2009-1195.patch: new
--- /dev/null
+++ httpd-2.2.9-CVE-2009-1195.patch
@@ -0,0 +136 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=489436
+
+http://svn.apache.org/viewvc?view=rev&revision=652885
+http://svn.apache.org/viewvc?rev=772997&view=rev
+http://svn.apache.org/viewvc?rev=773322&view=rev
+http://svn.apache.org/viewvc?rev=773342&view=rev
+
+--- httpd-2.2.3/include/http_core.h.cve1195
++++ httpd-2.2.3/include/http_core.h
+@@ -65,7 +65,7 @@ extern "C" {
+ #define OPT_NONE 0
+ /** Indexes directive */
+ #define OPT_INDEXES 1
+-/** Includes directive */
++/** SSI is enabled without exec= permission */
+ #define OPT_INCLUDES 2
+ /** FollowSymLinks directive */
+ #define OPT_SYM_LINKS 4
+@@ -73,14 +73,14 @@ extern "C" {
+ #define OPT_EXECCGI 8
+ /** directive unset */
+ #define OPT_UNSET 16
+-/** IncludesNOEXEC directive */
+-#define OPT_INCNOEXEC 32
++/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
++#define OPT_INC_WITH_EXEC 32
+ /** SymLinksIfOwnerMatch directive */
+ #define OPT_SYM_OWNER 64
+ /** MultiViews directive */
+ #define OPT_MULTI 128
+ /** All directives */
+-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
++#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
+ /** @} */
+
+ /**
+--- httpd-2.2.3/modules/filters/mod_include.c.cve1195
++++ httpd-2.2.3/modules/filters/mod_include.c
+@@ -3524,7 +3524,7 @@ static apr_status_t includes_filter(ap_f
+ intern->seen_eos = 0;
+ intern->state = PARSE_PRE_HEAD;
+ ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
+- if (ap_allow_options(r) & OPT_INCNOEXEC) {
++ if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
+ ctx->flags |= SSI_FLAG_NO_EXEC;
+ }
+
+--- httpd-2.2.3/server/config.c.cve1195
++++ httpd-2.2.3/server/config.c
+@@ -1492,7 +1492,7 @@ static const char *process_command_confi
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+
+ parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
+ &arr_parms, NULL,
+@@ -1599,7 +1599,7 @@ static const char *process_resource_conf
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+
+ rv = ap_pcfg_openfile(&cfp, p, fname);
+ if (rv != APR_SUCCESS) {
+@@ -1737,7 +1737,7 @@ AP_DECLARE(int) ap_process_config_tree(s
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ parms.limited = -1;
+
+ errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
+--- httpd-2.2.3/server/core.c.cve1195
++++ httpd-2.2.3/server/core.c
+@@ -110,8 +110,7 @@ static void *create_core_dir_config(apr_
+ conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
+ conf->opts_add = conf->opts_remove = OPT_NONE;
+ conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
+- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
+- | OPT_MULTI;
++ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+
+ conf->content_md5 = 2;
+ conf->accept_path_info = 3;
+@@ -245,8 +244,15 @@ static void *merge_core_dir_configs(apr_
+ conf->opts_remove = (conf->opts_remove & ~new->opts_add)
+ | new->opts_remove;
+ conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
+- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
+- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
++
++ /* If Includes was enabled with exec in the base config, but
++ * was enabled without exec in the new config, then disable
++ * exec in the merged set. */
++ if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ == OPT_INCLUDES)) {
++ conf->opts &= ~OPT_INC_WITH_EXEC;
+ }
+ }
+ else {
+@@ -1306,10 +1312,12 @@ static const char *set_allow_opts(cmd_pa
+ opt = OPT_INDEXES;
+ }
+ else if (!strcasecmp(w, "Includes")) {
+- opt = OPT_INCLUDES;
++ /* If Includes is permitted, both Includes and
++ * IncludesNOEXEC may be changed. */
++ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+ }
+ else if (!strcasecmp(w, "IncludesNOEXEC")) {
+- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++ opt = OPT_INCLUDES;
+ }
+ else if (!strcasecmp(w, "FollowSymLinks")) {
+ opt = OPT_SYM_LINKS;
+@@ -1430,10 +1438,10 @@ static const char *set_options(cmd_parms
+ opt = OPT_INDEXES;
+ }
+ else if (!strcasecmp(w, "Includes")) {
+- opt = OPT_INCLUDES;
++ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+ }
+ else if (!strcasecmp(w, "IncludesNOEXEC")) {
+- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++ opt = OPT_INCLUDES;
+ }
+ else if (!strcasecmp(w, "FollowSymLinks")) {
+ opt = OPT_SYM_LINKS;
+
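Review bot: `OPT_INC_WITH_EXEC` in http_core.h reuses bit value 32, which was `OPT_INCNOEXEC` before this change, with the opposite polarity, and nothing at the define says so. The rename forces a compile error in source that still uses the old name, but a module binary built against the old header and testing bit 32 would read "exec permitted" as "exec denied" and the reverse. No module-magic change is visible in this patch, so confirm how such modules are forced to rebuild. I would add a comment above the define such as `/* NOTE: bit 32 was OPT_INCNOEXEC before the CVE-2009-1195 fix; the meaning is inverted, rebuild any module that tests it */`. The explanatory comment added to the "Includes" branch of set_allow_opts is also missing from the identical branch in set_options.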

mod_proxy_http.c?r1=768504&r2=790914&view=patch: new
core_filters.c?r1=421103&r2=791454&pathrev=791454&view=patch: new
httpd-2.2.3-43.el5_5.3.src.rpm: new
httpd.init.patch: new
--- /dev/null
+++ httpd.init.patch
@@ -0,0 +50 @@
+diff -r 6c2cedb3c44f httpd.init
+--- a/httpd.init Sun Jul 20 20:26:39 2008 -0800
++++ b/httpd.init Sun Jul 20 20:28:23 2008 -0800
+@@ -2,7 +2,7 @@
+ #
+ # httpd Startup script for the Apache HTTP Server
+ #
+-# chkconfig: - 85 15
++# chkconfig: 345 23 15
+ # description: The Apache HTTP Server is an efficient and extensible \
+ # server implementing the current HTTP standards.
+ # processname: httpd
+@@ -34,6 +34,29 @@
+ # mod_ssl needs a pass-phrase from the user.
+ INITLOG_ARGS=""
+
++# checks if mod_ssl can start successfully
++SSLCONF="%(htconfdir)s/conf.d/ssl.conf"
++PEMDIR="%(sysconfdir)s/ssl/pem"
++function check_modssl() {
++ if [ ! -f $SSLCONF ] ; then return 0 ; fi
++ if [ ! -d $PEMDIR ] ; then return 1 ; fi
++
++ # we only check for the default configuration, one certificate and
++ # one key in separate files, named localhost.{crt,key}
++ certfile=$(egrep '^\s*SSLCertificateFile' $SSLCONF | awk '{print $2}' | head -1)
++ keyfile=$(egrep '^\s*SSLCertificateKeyFile' $SSLCONF | awk '{print $2}' | head -1)
++ if [ -z "$certfile" -o -z "$keyfile" ] ; then return 0 ; fi
++ if [ -f $certfile -o -f $keyfile ] ; then return 0 ; fi
++ if [ "$(basename $certfile)" != "localhost.crt" ] ; then return 0 ; fi
++ if [ "$(basename $keyfile)" != "localhost.key" ] ; then return 0 ; fi
++
++ # create the dummy self signed certificate
++ make dummy-localhost.crt -C $PEMDIR >/dev/null 2>&1
++ install -m 0640 -g apache -D $PEMDIR/localhost.key $keyfile
++ install -m 0644 -g apache -D $PEMDIR/localhost.crt $certfile
++ return 0
++}
++
+ # Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
+ # with the thread-based "worker" MPM; BE WARNED that some modules may not
+ # work correctly with a thread-based MPM; notably PHP will refuse to start.
+@@ -52,6 +75,7 @@
+ # are expected to behave here.
+ start() {
+ echo -n $"Starting $prog: "
++ check_modssl
+ LANG=$HTTPD_LANG daemon --pidfile=${pidfile} $httpd $OPTIONS
+ RETVAL=$?
+ echo
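Review bot: `install -m 0640 -g apache` on the key line of check_modssl makes the generated private key readable by the apache group, presumably the group the httpd workers and anything they execute run under. When httpd is started as root it reads the key before dropping privileges, so `install -m 0600 -D $PEMDIR/localhost.key $keyfile` should be sufficient. The exit status of `make dummy-localhost.crt` is discarded and both `install` lines run regardless, and start() ignores check_modssl's return value, so a failed generation only shows up later as an httpd start failure. `$SSLCONF`, `$PEMDIR`, `$certfile` and `$keyfile` are expanded unquoted in the `[ ... ]` tests and the install commands; quoting them avoids word-splitting on paths read from ssl.conf.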

httpd-2.2.3-CVE-2009-3555.patch: new
--- /dev/null
+++ httpd-2.2.3-CVE-2009-3555.patch
@@ -0,0 +282 @@
+
+http://svn.apache.org/viewvc?rev=833622&view=rev
+
+--- httpd-2.2.3/modules/ssl/ssl_engine_init.c.cve3555
++++ httpd-2.2.3/modules/ssl/ssl_engine_init.c
+@@ -492,10 +492,7 @@ static void ssl_init_ctx_callbacks(serve
+ SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+
+- if (s->loglevel >= APLOG_DEBUG) {
+- /* this callback only logs if LogLevel >= info */
+- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
+- }
++ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+ }
+
+ static void ssl_init_ctx_verify(server_rec *s,
+--- httpd-2.2.3/modules/ssl/ssl_engine_io.c.cve3555
++++ httpd-2.2.3/modules/ssl/ssl_engine_io.c
+@@ -102,6 +102,7 @@ typedef struct {
+ ap_filter_t *pInputFilter;
+ ap_filter_t *pOutputFilter;
+ int nobuffer; /* non-zero to prevent buffering */
++ SSLConnRec *config;
+ } ssl_filter_ctx_t;
+
+ typedef struct {
+@@ -192,7 +193,13 @@ static int bio_filter_out_read(BIO *bio,
+ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
+ {
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+-
++
++ /* Abort early if the client has initiated a renegotiation. */
++ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
++ outctx->rc = APR_ECONNABORTED;
++ return -1;
++ }
++
+ /* when handshaking we'll have a small number of bytes.
+ * max size SSL will pass us here is about 16k.
+ * (16413 bytes to be exact)
+@@ -465,6 +472,12 @@ static int bio_filter_in_read(BIO *bio,
+ if (!in)
+ return 0;
+
++ /* Abort early if the client has initiated a renegotiation. */
++ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
++ inctx->rc = APR_ECONNABORTED;
++ return -1;
++ }
++
+ /* XXX: flush here only required for SSLv2;
+ * OpenSSL calls BIO_flush() at the appropriate times for
+ * the other protocols.
+@@ -1678,6 +1691,8 @@ void ssl_io_filter_init(conn_rec *c, SSL
+
+ filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
+
++ filter_ctx->config = myConnConfig(c);
++
+ filter_ctx->nobuffer = 0;
+ filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
+ filter_ctx, NULL, c);
+--- httpd-2.2.3/modules/ssl/ssl_engine_kernel.c.cve3555
++++ httpd-2.2.3/modules/ssl/ssl_engine_kernel.c
+@@ -630,6 +630,10 @@ int ssl_hook_Access(request_rec *r)
+ (unsigned char *)&id,
+ sizeof(id));
+
++ /* Toggle the renegotiation state to allow the new
++ * handshake to proceed. */
++ sslconn->reneg_state = RENEG_ALLOW;
++
+ SSL_renegotiate(ssl);
+ SSL_do_handshake(ssl);
+
+@@ -651,6 +655,8 @@ int ssl_hook_Access(request_rec *r)
+ SSL_set_state(ssl, SSL_ST_ACCEPT);
+ SSL_do_handshake(ssl);
+
++ sslconn->reneg_state = RENEG_REJECT;
++
+ if (SSL_get_state(ssl) != SSL_ST_OK) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Re-negotiation handshake failed: "
+@@ -1730,76 +1736,55 @@ void ssl_callback_DelSessionCacheEntry(S
+ return;
+ }
+
+-/*
+- * This callback function is executed while OpenSSL processes the
+- * SSL handshake and does SSL record layer stuff. We use it to
+- * trace OpenSSL's processing in out SSL logfile.
+- */
+-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
++/* Dump debugginfo trace to the log file. */
++static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c,
++ server_rec *s, int where, int rc)
+ {
+- conn_rec *c;
+- server_rec *s;
+- SSLSrvConfigRec *sc;
+-
+ /*
+- * find corresponding server
++ * create the various trace messages
+ */
+- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
+- return;
++ if (where & SSL_CB_HANDSHAKE_START) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Handshake: start", SSL_LIBRARY_NAME);
+ }
+-
+- s = c->base_server;
+- if (!(sc = mySrvConfig(s))) {
+- return;
++ else if (where & SSL_CB_HANDSHAKE_DONE) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Handshake: done", SSL_LIBRARY_NAME);
+ }
+-
+- /*
+- * create the various trace messages
+- */
+- if (s->loglevel >= APLOG_DEBUG) {
+- if (where & SSL_CB_HANDSHAKE_START) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Handshake: start", SSL_LIBRARY_NAME);
+- }
+- else if (where & SSL_CB_HANDSHAKE_DONE) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Handshake: done", SSL_LIBRARY_NAME);
+- }
+- else if (where & SSL_CB_LOOP) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Loop: %s",
+- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+- }
+- else if (where & SSL_CB_READ) {
++ else if (where & SSL_CB_LOOP) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Loop: %s",
++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++ }
++ else if (where & SSL_CB_READ) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Read: %s",
++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++ }
++ else if (where & SSL_CB_WRITE) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Write: %s",
++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++ }
++ else if (where & SSL_CB_ALERT) {
++ char *str = (where & SSL_CB_READ) ? "read" : "write";
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Alert: %s:%s:%s",
++ SSL_LIBRARY_NAME, str,
++ SSL_alert_type_string_long(rc),
++ SSL_alert_desc_string_long(rc));
++ }
++ else if (where & SSL_CB_EXIT) {
++ if (rc == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Read: %s",
++ "%s: Exit: failed in %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+- else if (where & SSL_CB_WRITE) {
++ else if (rc < 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Write: %s",
++ "%s: Exit: error in %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+- else if (where & SSL_CB_ALERT) {
+- char *str = (where & SSL_CB_READ) ? "read" : "write";
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Alert: %s:%s:%s",
+- SSL_LIBRARY_NAME, str,
+- SSL_alert_type_string_long(rc),
+- SSL_alert_desc_string_long(rc));
+- }
+- else if (where & SSL_CB_EXIT) {
+- if (rc == 0) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Exit: failed in %s",
+- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+- }
+- else if (rc < 0) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Exit: error in %s",
+- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+- }
+- }
+ }
+
+ /*
+@@ -1819,3 +1804,49 @@ void ssl_callback_LogTracingState(MODSSL
+ }
+ }
+
++/*
++ * This callback function is executed while OpenSSL processes the SSL
++ * handshake and does SSL record layer stuff. It's used to trap
++ * client-initiated renegotiations, and for dumping everything to the
++ * log.
++ */
++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
++{
++ conn_rec *c;
++ server_rec *s;
++ SSLConnRec *scr;
++
++ /* Retrieve the conn_rec and the associated SSLConnRec. */
++ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
++ return;
++ }
++
++ if ((scr = myConnConfig(c)) == NULL) {
++ return;
++ }
++
++ /* If the reneg state is to reject renegotiations, check the SSL
++ * state machine and move to ABORT if a Client Hello is being
++ * read. */
++ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
++ int state = SSL_get_state(ssl);
++
++ if (state == SSL3_ST_SR_CLNT_HELLO_A
++ || state == SSL23_ST_SR_CLNT_HELLO_A) {
++ scr->reneg_state = RENEG_ABORT;
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
++ "rejecting client initiated renegotiation");
++ }
++ }
++ /* If the first handshake is complete, change state to reject any
++ * subsequent client-initated renegotiation. */
++ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
++ scr->reneg_state = RENEG_REJECT;
++ }
++
++ s = c->base_server;
++ if (s && s->loglevel >= APLOG_DEBUG) {
++ log_tracing_state(ssl, c, s, where, rc);
++ }
++}
++
+--- httpd-2.2.3/modules/ssl/ssl_private.h.cve3555
++++ httpd-2.2.3/modules/ssl/ssl_private.h
+@@ -352,6 +352,19 @@ typedef struct {
+ int is_proxy;
+ int disabled;
+ int non_ssl_request;
++
++ /* Track the handshake/renegotiation state for the connection so
++ * that all client-initiated renegotiations can be rejected, as a
++ * partial fix for CVE-2009-3555. */
++ enum {
++ RENEG_INIT = 0, /* Before initial handshake */
++ RENEG_REJECT, /* After initial handshake; any client-initiated
++ * renegotiation should be rejected */
++ RENEG_ALLOW, /* A server-initated renegotiation is taking
++ * place (as dictated by configuration) */
++ RENEG_ABORT /* Renegotiation initiated by client, abort the
++ * connection */
++ } reneg_state;
+ } SSLConnRec;
+
+ typedef struct {
+@@ -561,7 +574,7 @@ int ssl_callback_proxy_cert(SSL
+ int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
+ void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
+
+ /** Session Cache Support */
+ void ssl_scache_init(server_rec *, apr_pool_t *);
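Review bot: The `sslconn->reneg_state = RENEG_ALLOW;` assignment in ssl_hook_Access carries no comment saying that the server-initiated renegotiation it enables is still not covered. Only the enum comment in ssl_private.h calls this a "partial fix", so a maintainer reading ssl_engine_kernel.c alone could assume CVE-2009-3555 is fully closed. I would extend the comment there to something like `/* Server-initiated renegotiation is still permitted here and is NOT protected by this change; configurations that trigger it remain exposed until the TLS library supports secure renegotiation. */`. Separately, bio_filter_out_write and bio_filter_in_read dereference `filter_ctx->config` without a NULL check, while ssl_callback_Info does check the result of `myConnConfig(c)`. If ssl_io_filter_init can run before the SSLConnRec exists, those reads would fault; the calling order is outside this hunk, so confirm it. The `c` parameter of the new log_tracing_state is unused in the lines shown.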

httpd-2.2.9-4.src.rpm: new
082_CVE-2011-3192.dpatch?revision=1343&view=co: new
httpd-2.2.3-5.src.rpm: new
Makefile.ssl: new
--- /dev/null
+++ Makefile.ssl
@@ -0,0 +48 @@
+# -*- Makefile -*-
+# Makefile for generating self signed, passwordless all-in-one
+# key+cert files (.pem files)
+#
+
+RANPROC_FILES = uptime interrupts ioports pci cpuinfo
+RANDPROC = $(shell for f in $(RANPROC_FILES) ; do echo -n "/proc/$$f:" ; done)
+RAND = "$(RANDPROC)/dev/urandom"
+
+FQDN = $(shell if [ -z "$$(hostname)" ] ; then echo "localhost.localdomain" ; else hostname ; fi)
+REQCONF = modssl-req.conf
+
+define DUMMY
+{ \
+echo "--" ; \
+echo "SomeState" ; \
+echo "SomeCity" ; \
+echo "AutoGenerated" ; \
+echo "SelfSignedCertificate" ; \
+echo "$(FQDN)" ; \
+echo "root@$(FQDN)" ; \
+}
+endef
+
+all :
+ echo $(RAND)
+
+%.key : Makefile
+ umask 077
+ /usr/bin/openssl genrsa -rand $(RAND) 1024 -text > $@
+
+%.crt : %.key $(REQCONF) Makefile
+ umask 022
+ /usr/bin/openssl req -new -config $(REQCONF) \
+ -key $< -text -x509 -days 365 -set_serial $(shell echo $$RANDOM) \
+ -out $@
+
+%.pem : %.crt %.key Makefile
+ cat $*.crt $*.key > $@
+
+dummy-%.key : %.key
+
+dummy-%.crt : $(REQCONF)
+ $(DUMMY) | $(MAKE) $*.key $*.crt
+
+dummy-%.pem : $(REQCONF) Makefile
+ $(DUMMY) | $(MAKE) $*.key $*.crt
+ cat $*.crt $*.key >> $*.pem && rm -f $*.key $*.crt
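Review bot: The `umask 077` in the `%.key` rule has no effect on the key file. make runs each recipe line in its own shell, so the `openssl genrsa ... > $@` on the next line runs with the inherited umask and the private key may be created group- or world-readable. Put both on one line, `umask 077 && /usr/bin/openssl genrsa -rand $(RAND) 1024 -text > $@`; the `umask 022` in the `%.crt` rule is ineffective for the same reason, and the `cat ... >> $*.pem` in `dummy-%.pem` also writes key material under the inherited umask. The 1024-bit RSA size here, together with `default_bits = 1024` in modssl-req.conf, is below the 2048-bit minimum expected for RSA keys and should be raised in both files.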

modssl-req.conf: new
--- /dev/null
+++ modssl-req.conf
@@ -0,0 +30 @@
+# dummy config file for openssl that facilitates the generation of a
+# (restricted usage) self signed certificate
+
+HOME = .
+
+[ req ]
+default_bits = 1024
+default_keyfile = dummy.pem
+distinguished_name = req_name
+x509_extensions = req_extensions
+
+[ req_name ]
+countryName = Country
+stateOrProvinceName = State
+localityName = City (eg, city)
+0.organizationName = Company
+organizationalUnitName = Department
+commonName = FQDN
+emailAddress = Email
+
+[ req_extensions ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+subjectAltName = email:copy
+issuerAltName = issuer:copy
+extendedKeyUsage = serverAuth,clientAuth
+nsCertType = server
+nsComment = Auto-generated self signed test certificate

httpd-2.2.3-cachehardmax.patch: new
--- /dev/null
+++ httpd-2.2.3-cachehardmax.patch
@@ -0,0 +83 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=379811
+
+--- httpd-2.2.3/modules/cache/mod_cache.c.cachehardmax
++++ httpd-2.2.3/modules/cache/mod_cache.c
+@@ -736,6 +736,11 @@ static int cache_save_filter(ap_filter_t
+ exp = date + conf->defex;
+ }
+ }
++ /* else, forcibly cap the expiry date if required */
++ else if (conf->hardmaxex && (date + conf->maxex) < exp) {
++ exp = date + conf->maxex;
++ }
++
+ info->expire = exp;
+
+ /* We found a stale entry which wasn't really stale. */
+@@ -926,6 +931,9 @@ static void * create_cache_config(apr_po
+ /* flag indicating that query-string should be ignored when caching */
+ ps->ignorequerystring = 0;
+ ps->ignorequerystring_set = 0;
++ /* flag; treat maxex as hard limit */
++ ps->hardmaxex = 0;
++ ps->hardmaxex_set = 0;
+ return ps;
+ }
+
+@@ -975,6 +983,12 @@ static void * merge_cache_config(apr_poo
+ (overrides->ignorequerystring_set == 0)
+ ? base->ignorequerystring
+ : overrides->ignorequerystring;
++
++ ps->hardmaxex =
++ (overrides->hardmaxex_set == 0)
++ ? base->hardmaxex
++ : overrides->hardmaxex;
++
+ return ps;
+ }
+ static const char *set_cache_ignore_no_last_mod(cmd_parms *parms, void *dummy,
+@@ -1111,7 +1125,7 @@ static const char *add_cache_disable(cmd
+ }
+
+ static const char *set_cache_maxex(cmd_parms *parms, void *dummy,
+- const char *arg)
++ const char *arg, const char *hard)
+ {
+ cache_server_conf *conf;
+
+@@ -1120,6 +1134,12 @@ static const char *set_cache_maxex(cmd_p
+ &cache_module);
+ conf->maxex = (apr_time_t) (atol(arg) * MSEC_ONE_SEC);
+ conf->maxex_set = 1;
++
++ if (hard && strcasecmp(hard, "hard") == 0) {
++ conf->hardmaxex = 1;
++ conf->hardmaxex_set = 1;
++ }
++
+ return NULL;
+ }
+
+@@ -1196,7 +1216,7 @@ static const command_rec cache_cmds[] =
+ "caching is enabled"),
+ AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF,
+ "A partial URL prefix below which caching is disabled"),
+- AP_INIT_TAKE1("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF,
++ AP_INIT_TAKE12("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF,
+ "The maximum time in seconds to cache a document"),
+ AP_INIT_TAKE1("CacheDefaultExpire", set_cache_defex, NULL, RSRC_CONF,
+ "The default time in seconds to cache a document"),
+--- httpd-2.2.3/modules/cache/mod_cache.h.cachehardmax
++++ httpd-2.2.3/modules/cache/mod_cache.h
+@@ -153,6 +153,9 @@ typedef struct {
+ /** ignore query-string when caching */
+ int ignorequerystring;
+ int ignorequerystring_set;
++ /* treat maxex as hard limit */
++ int hardmaxex;
++ int hardmaxex_set;
+ } cache_server_conf;
+
+ /* cache info information */
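Review bot: In set_cache_maxex a second argument that is anything other than "hard" is silently accepted. A typo in `CacheMaxExpire 86400 hard` therefore leaves the cap soft with no diagnostic, which matters if the hard cap is relied on to bound how long stale content is served. I would reject it at config time by adding `else if (hard) { return "CacheMaxExpire: optional second argument must be 'hard'"; }` after the existing `if`. The directive's help text in cache_cmds still reads "The maximum time in seconds to cache a document" and should mention the optional `hard` keyword now that it is declared with AP_INIT_TAKE12.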

mod_proxy_ftp.c?r1=682870&r2=682869&pathrev=682870&view=patch: new
httpd-2.2.9.tar.bz2: new
index.html: new
--- /dev/null
+++ index.html
@@ -0,0 +124 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+ <head>
+ <title>Test Page for the Apache HTTP Server</title>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+ <style type="text/css">
+ /*<![CDATA[*/
+ body {
+ background-color: #fff;
+ color: #000;
+ font-size: 0.9em;
+ font-family: sans-serif,helvetica;
+ margin: 0;
+ padding: 0;
+ }
+ :link {
+ color: #c00;
+ }
+ :visited {
+ color: #c00;
+ }
+ a:hover {
+ color: #f50;
+ }
+ h1 {
+ text-align: center;
+ margin: 0;
+ padding: 0.6em 2em 0.4em;
+ background-color: #22437f;
+ color: #fff;
+ font-weight: normal;
+ font-size: 1.75em;
+ border-bottom: 2px solid #000;
+ }
+ h1 strong {
+ font-weight: bold;
+ }
+ h2 {
+ font-size: 1.1em;
+ font-weight: bold;
+ }
+ hr {
+ display: none;
+ }
+ .content {
+ padding: 1em 5em;
+ }
+ .content-columns {
+ /* Setting relative positioning allows for
+ absolute positioning for sub-classes */
+ position: relative;
+ padding-top: 1em;
+ }
+ .content-column-left {
+ /* Value for IE/Win; will be overwritten for other browsers */
+ width: 47%;
+ padding-right: 3%;
+ float: left;
+ padding-bottom: 2em;
+ }
+ .content-column-left hr {
+ display: none;
+ }
+ .content-column-right {
+ /* Values for IE/Win; will be overwritten for other browsers */
+ width: 47%;
+ padding-left: 3%;
+ float: left;
+ padding-bottom: 2em;
+ }
+ .content-columns>.content-column-left, .content-columns>.content-column-right {
+ /* Non-IE/Win */
+ }
+ img {
+ border: 2px solid #fff;
+ padding: 2px;
+ margin: 2px;
+ }
+ a:hover img {
+ border: 2px solid #f50;
+ }
+ /*]]>*/
+ </style>
+ </head>
+
+ <body>
+ <h1><strong>HTTP Server Test Page</strong></h1>
+
+ <div class="content">
+ <div class="content-middle">
+ <p>This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page, it means that the Apache HTTP server installed at this site is working properly.</p>
+ </div>
+ <hr />
+
+ <div class="content-columns">
+ <div class="content-column-left">
+ <h2>If you are a member of the general public:</h2>
+
+ <p>The fact that you are seeing this page indicates that the website you just visited is either experiencing problems, or is undergoing routine maintenance.</p>
+
+ <p>If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person.</p>
+
+ <p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webm...@example.com".</p>
+
+ <p>This system is using rPath Linux or one of its derivatives; visit <a href="http://www.rpath.com/">www.rpath.com</a> for more information.</p>
+ <hr />
+ </div>
+
+ <div class="content-column-right">
+ <h2>If you are the website administrator:</h2>
+
+ <p>You may now add content to the directory <tt>/srv/www/html/</tt>. Note that until you do so, people visiting your website will see this page, and not your content. To prevent this page from ever being used, follow the instructions in the file <tt>/etc/httpd/conf.d/welcome.conf</tt>.</p>
+
+ <div class="logos">
+ <p>You are free to use the images below on Apache and rpath Linux powered HTTP servers. Thanks for using Apache and rpath Linux!</p>
+
+ <p><a href="http://httpd.apache.org/"><img src="/icons/apache_pb2.gif" alt="[ Powered by Apache ]"/></a> </p>
+ </div>
+ </div>
+ </div>
+ </div>
+ </body>
+</html>

httpd.recipe: new
--- /dev/null
+++ httpd.recipe
@@ -0,0 +339 @@
+#
+# Copyright (c) 2004-2008 rPath, Inc.
+# This file is distributed under the terms of the MIT License.
+# A copy is available at http://www.rpath.com/permanent/mit-license.html
+#
+
+loadSuperClass('rpmpackage')
+class Httpd(RPMPackageRecipe, CPackageRecipe):
+ name = 'httpd'
+ version = '2.2.9'
+
+ buildRequires = [ 'db:devel', 'expat:devel', 'findutils:runtime',
+ 'perl:runtime', 'pkgconfig:devel', 'e2fsprogs:devel',
+ 'xmlto:runtime', 'autoconf:runtime', 'krb5:devel',
+ 'apr:devel', 'openldap:devel', 'sed:runtime',
+ 'apr-util:devel', 'pcre:devel', 'rsync:runtime',
+ 'distcache:devel', 'ed:runtime', 'sqlite:devel',
+ 'openssl:devel', 'zlib:devel', 'libtool:runtime',
+ 'which:runtime', 'openssl:runtime', 'perl:lib',
+ 'lynx:runtime', 'initscripts:runtime', ]
+
+
+ # httpd has a runtime req on mailcap:config, adding it as a buildreq to
+ # work around issues in rmake.
+ buildRequires.append('mailcap:config')
+
+ rpmRelease = '4'
+ rpmUpVer = '2.2.9'
+ externalArchive = 'http://www.apache.org/dist/httpd/'
+ rpmPatches = []
+
+ oldrpm = 'http://download.fedora.redhat.com/pub/fedora/linux/core/6/source/SRPMS/httpd-2.2.3-5.src.rpm'
+ rhel5rpm = 'ftp://ftp.redhat.com/redhat/linux/enterprise/5Server/en/os/SRPMS/httpd-2.2.3-43.el5_5.3.src.rpm'
+
+ def setup(r):
+ r.unpack()
+ r.macros.contentdir = '%(servicedir)s/www'
+ r.macros.suexec_caller = 'apache'
+ r.macros.mmn = '20051115'
+ r.macros.vstring = 'rPath'
+ r.macros.distro = 'rPath Release 2'
+ r.macros.htconfdir = '%(sysconfdir)s/httpd'
+ r.macros.cflags += " -DSSL_EXPERIMENTAL_ENGINE"
+ # point to the correct libtool
+ r.macros.apr_libtool = "$(apr-1-config --apr-libtool | sed -e 's|/bin/sh ||')"
+ r.macros.oldapachedir = '/usr/local/apache2'
+ r.macros.cflags += " $(pkg-config --cflags openssl)"
+ r.macros.ssl_libs = " $(pkg-config --libs openssl)"
+
+ r.addSource("Makefile.ssl")
+ r.addSource("modssl-req.conf")
+
+ r.addSource('index.html')
+ r.addSource('httpd.logrotate', rpm=r.srpm)
+ r.addSource("httpd.init.patch", macros=True)
+ r.addSource('httpd.init', rpm=r.srpm,
+ apply="patch httpd.init httpd.init.patch")
+ r.addSource('httpd.conf', rpm=r.srpm)
+ r.addSource('ssl.conf', rpm=r.srpm,
+ apply="sed -i -e 's,/etc/pki/tls,/etc/ssl,g' ssl.conf")
+ r.addSource('welcome.conf', rpm=r.srpm)
+ r.addSource('migration.xml', rpm=r.oldrpm)
+ r.addSource('migration.css', rpm=r.oldrpm)
+ r.addSource('html.xsl', rpm=r.oldrpm)
+ r.addSource('README.confd', rpm=r.srpm)
+ r.addSource('httpd-2.0.48-release.patch', rpm=r.srpm)
+ r.addPatch('config.layout.rpath', level=0, macros=True)
+ r.addPatch('httpd.conf.openoffice.patch', backup='.openoffice')
+ r.addPatch('httpd-2.2.0-authnoprov.patch', rpm=r.srpm) # RPL-2263
+
+ # RPL-2708 CVE-2008-2939
+ r.addPatch('http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ftp.c?r1=682870&r2=682869&pathrev=682870&view=patch', level=4)
+
+ # RPL-3107 (CVE-2009-1891)
+ r.addPatch('http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/server/core_filters.c?r1=421103&r2=791454&pathrev=791454&view=patch', level=4)
+
+ # RPL-3079 (CVE-2009-1890)
+ r.addPatch('http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_http.c?r1=768504&r2=790914&view=patch', level=4)
+
+ # RPL-3061 (CVE-2009-1195)
+ r.addPatch('httpd-2.2.9-CVE-2009-1195.patch')
+
+ # Modified patches from RHEL5
+ r.addPatch('httpd-2.2.3-CVE-2009-3555.patch')
+
+ # Unmodified patches from RHEL5
+ r.addPatch('httpd-2.2.3-CVE-2009-3094.patch', rpm=r.rhel5rpm)
+ r.addPatch('httpd-2.2.3-CVE-2009-3095.patch', rpm=r.rhel5rpm)
+ r.addPatch('httpd-2.2.3-ssicompat.patch', rpm=r.rhel5rpm)
+ r.addPatch('httpd-2.2.3-CVE-2009-3555-p2.patch', rpm=r.rhel5rpm)
+ r.addPatch('httpd-2.2.3-CVE-2010-0408.patch', rpm=r.rhel5rpm)
+ r.addPatch('httpd-2.2.3-CVE-2010-0434.patch', rpm=r.rhel5rpm)
+ r.addPatch('httpd-2.2.3-CVE-2010-1452.patch', rpm=r.rhel5rpm)
+ r.addPatch('httpd-2.2.3-CVE-2010-2791.patch', rpm=r.rhel5rpm)
+
+ # RPL-3280
+ r.addPatch('http://anonscm.debian.org/viewvc/pkg-apache/branches/lenny-apache2/patches/'
+ '082_CVE-2011-3192.dpatch?revision=1343&view=co',
+ extraArgs = '-F3')
+ r.addPatch('httpd-2.2.3-cachehardmax.patch')
+
+ r.Replace(r'@RELEASE@', '%(vstring)s', 'httpd-2.0.48-release.patch')
+ r.Run('patch -p1 < httpd-2.0.48-release.patch')
+
+ r.Replace('/var', '%(servicedir)s', 'httpd.conf')
+
+ # Touch mod_ssl expression parser sources to prevent regenerating it
+ r.Run("touch modules/ssl/ssl_expr_*.[chyl]")
+
+ # Safety check: prevent build if defined MMN does not equal upstream MMN
+ r.Run("""
+ vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
+ if test "${vmmn}" != "%(mmn)s"; then
+ echo Error: Upstream MMN is now ${vmmn}, packaged MMN is %(mmn)s.
+ echo Update the mmn macro and rebuild.
+ exit 1
+ fi""")
+
+ r.Run("echo Building for '%(distro)s' with MMN %(mmn)s and vendor string '%(vstring)s'")
+
+ r.Run('./buildconf')
+ # Before configure; fix location of build dir in generated apxs
+ r.Replace(r'\@exp_installbuilddir\@', '%(libdir)s/httpd/build',
+ 'support/apxs.in')
+
+ # forcibly prevent use of bundled apr, apr-util
+ r.Remove('srclib/{apr,apr-util}', recursive=True)
+
+ # Build the migration guide
+ # update location of migration guide in apachectl
+ r.Replace(r'@DISTRO@', '%(distro)s', 'migration.xml')
+ r.Run("xmlto --skip-validation -x html.xsl html-nochunks migration.xml")
+
+ # enable optional modules only for main build
+ r.mpmbuild('prefork',
+ ' --enable-mods-shared=all'
+ ' --enable-ssl --with-ssl'
+ ' --enable-distcache'
+ ' --enable-deflate'
+ ' --enable-proxy --enable-proxy-connect'
+ ' --enable-proxy-http --enable-proxy-ftp'
+ ' --enable-cache --enable-mem-cache'
+ ' --enable-file-cache --enable-disk-cache'
+ ' --enable-ldap --enable-auth-ldap'
+ ' --enable-pie --with-pcre'
+ ' --enable-logio'
+ ' --enable-so'
+ ' --enable-authn-alias'
+ ' --enable-authnz-ldap')
+
+ # To prevent most modules being built statically into httpd.worker,
+ # easiest way seems to be enable them shared.
+ r.mpmbuild('worker', '--enable-mods-shared=all')
+
+ # Verify that the same modules were built into the two httpd binaries
+ r.Run('./prefork/httpd -l | grep -v prefork > prefork.mods')
+ r.Run('./worker/httpd -l | grep -v worker > worker.mods')
+ r.Run('''if ! diff -u prefork.mods worker.mods; then
+ echo Different modules built into httpd binaries, will not proceed
+ exit 1
+ fi''')
+
+ r.MakeInstall(dir='prefork')
+ # install worker binary
+ r.Install('worker/httpd', '%(sbindir)s/httpd.worker', mode=0755)
+ # install conf file/directory
+ r.Install('README.confd', '%(sysconfdir)s/httpd/conf.d/README')
+ r.Install('welcome.conf', '%(sysconfdir)s/httpd/conf.d/')
+ r.Install('httpd.conf', '%(htconfdir)s/conf/')
+
+ # modssl tasks
+ r.Install('ssl.conf', '%(sysconfdir)s/httpd/conf.d/')
+ # create a prototype session cache, zero-byte config files
+ # never put data in these files in the recipe!
+ r.Create('%(localstatedir)s/cache/mod_ssl/scache.{dir,pag,sem}')
+ r.Config('%(localstatedir)s/cache/mod_ssl/scache.(dir|pag|sem)')
+ # self signed certificate generation
+ r.MakeDirs("%(sysconfdir)s/ssl/pem")
+ r.Install('Makefile.ssl', "%(sysconfdir)s/ssl/pem/Makefile")
+ r.Install("modssl-req.conf", "%(sysconfdir)s/ssl/pem/")
+
+ # for holding mod_dav lock database
+ r.MakeDirs('%(localstatedir)s/lib/dav')
+ r.ComponentSpec('runtime', '%(localstatedir)s/lib/dav')
+
+ # create cache root
+ r.MakeDirs('%(localstatedir)s/cache/mod_proxy')
+
+ # move utilities to /usr/bin
+ r.Move('%(sbindir)s/{ab,htdbm,logresolve,htpasswd,htdigest}',
+ '%(bindir)s/')
+
+ # Make the MMN accessible to module packages
+ r.Run('echo %(mmn)s > %(destdir)s%(includedir)s/httpd/.mmn')
+ r.Install('prefork/build/config_vars.mk',
+ '%(libdir)s/httpd/build/config_vars.mk')
+ r.Install('build/special.mk', '%(libdir)s/httpd/build/special.mk')
+ # Symlink won't work because %(apr_libtool) is a shell script
+ r.Run('ln -s %(apr_libtool)s'
+ ' %(destdir)s/%(libdir)s/httpd/build/libtool')
+
+ r.Install('index.html', '%(contentdir)s/error/noindex.html')
+ r.Install('httpd.init', '%(initdir)s/httpd')
+ r.Install('httpd.logrotate', '%(sysconfdir)s/logrotate.d/httpd')
+
+ # symlinks for /etc/httpd
+ r.MakeDirs('%(localstatedir)s/log/httpd')
+ r.Remove('%(sysconfdir)s/httpd/logs', recursive=True)
+ r.Symlink('%(localstatedir)s/log/httpd', '%(sysconfdir)s/httpd/logs')
+ r.Symlink('%(localstatedir)s/run', '%(sysconfdir)s/httpd/run')
+ r.Symlink('%(libdir)s/httpd/modules', '%(sysconfdir)s/httpd/modules')
+ r.Symlink('%(libdir)s/httpd/build', '%(sysconfdir)s/httpd/build')
+
+ r.Run('sed -i -e "s:\@docdir\@:%(thisdocdir)s:g" '
+ ' %(destdir)s%(initdir)s/httpd')
+
+ # fix manfile
+ r.Replace('%(oldapachedir)s', '/etc/httpd', '%(mandir)s/man8/httpd.8')
+
+ # sanitize config_vars file: relocate the build directory
+ # into libdir; reference correct libtool; fix EXTRA_INCLUDES
+ # needs to be sed for deleting lines
+ r.Run('sed -i'
+ ' -e "s|%(contentdir)s/build|%(libdir)s/httpd/build|g"'
+ ' -e "/AP_LIBS/d"'
+ ' -e "/abs_srcdir/d"'
+ ' -e "/^LIBTOOL/s|/bin/sh /[^ ]*/libtool|/bin/sh %(apr_libtool)s|"'
+ ' -e "/^installbuilddir/s| = .*$| = /etc/httpd/build|"'
+ ' -e "s|^EXTRA_INCLUDES.*$|EXTRA_INCLUDES = -I\$(includedir) '
+ '-I\$(APR_INCLUDEDIR) -I%(includedir)s/openssl|g"'
+ ' %(destdir)s%(libdir)s/httpd/build/config_vars.mk')
+
+ r.Doc('migration.html', 'migration.css')
+ r.Doc('ABOUT_APACHE', 'VERSIONING')
+
+ r.SetModes('%(sbindir)s/suexec', 04510)
+ r.SetModes('%(localstatedir)s/{log/httpd,lib/dav,cache/mod_proxy}',
+ '%(sysconfdir)s/httpd/conf/ssl.*',
+ 0700)
+ r.Ownership('root', 'apache', '%(sbindir)s/suexec')
+ r.Ownership('apache', 'apache',
+ '%(localstatedir)s/lib/dav',
+ '%(localstatedir)s/cache/mod_proxy')
+
+ r.ComponentSpec('manual', '%(contentdir)s/manual/')
+ r.ByDefault(exceptions=[':manual'])
+
+ # PACKAGE: mod_ssl
+ r.PackageSpec('mod_ssl',
+ '%(libdir)s/httpd/modules/mod_ssl.so',
+ '%(sysconfdir)s/httpd/conf.d/ssl.conf',
+ '%(sysconfdir)s/httpd/conf/Makefile',
+ '%(sysconfdir)s/httpd/conf/ssl\..*',
+ '%(localstatedir)s/cache/mod_ssl/',
+ '%(sysconfdir)s/ssl/pem/',
+ )
+ r.ComponentSpec('runtime', '.*/mod_ssl.so')
+ r.Requires("make:runtime", "%(sysconfdir)s/ssl/pem/Makefile")
+ r.Requires("openssl:runtime", "%(sysconfdir)s/ssl/pem/Makefile")
+
+ # Remove unpackaged files
+ r.Run("find %(destdir)s/%(contentdir)s/manual \( "
+ " -name \*.xml -o -name \*.xml.* -o -name \*.ent"
+ " -o -name \*.xsl -o -name \*.dtd "
+ " \) -print0 | xargs -0 rm -f")
+
+ r.Remove('%(htconfdir)s/conf/extra/',
+ '%(htconfdir)s/conf/original/', recursive=True)
+
+ r.Remove('%(libdir)s/*.exp',
+ '%(libdir)s/httpd/modules/*.exp',
+ '%(libdir)s/httpd/build/config.nice',
+ '%(htconfdir)s/conf/mime.types',
+ '%(bindir)s/ap?-config',
+ '%(sbindir)s/{checkgid,dbmmanage}',
+ '%(contentdir)s/{htdocs,cgi-bin}/*',
+ '%(mandir)s/man1/dbmmanage.*')
+
+ # Create /var/www since it is the homedir for the apache user even
+ # though it is not the document root (RPL-2947)
+ r.MakeDirs('%(localstatedir)s/www')
+ r.ExcludeDirectories(exceptions='%(localstatedir)s/www')
+
+ # points to /var/run
+ r.DanglingSymlinks(exceptions='%(htconfdir)s/run')
+ # points to ssl certificate
+ r.DanglingSymlinks(exceptions='%(htconfdir)s/conf/Makefile')
+ # points to apr-utils libtool
+ r.DanglingSymlinks(exceptions='%(libdir)s/httpd/build/libtool')
+ # make sure permissions are correct
+ r.ExcludeDirectories(exceptions='%(contentdir)s/cgi-bin')
+ r.TagSpec('initscript', '%(initdir)s/')
+ r.Requires('grep:runtime', '%(initdir)s/')
+ r.Requires('make:runtime', '%(initdir)s/')
+
+ # Require mailcap (need /etc/mime.types)
+ r.Requires('mailcap:config', '%(initdir)s/')
+
+ # Requires bzip2:runtime because compresssion is turned on in logrotate
+ r.Requires('bzip2:runtime', '%(sysconfdir)s/logrotate.d/%(name)s')
+
+ # We remove the bundled apr functionality, so we must require
+ # the external version(s): <httpd/ap_config.h> #include's files
+ # from both of these troves. (RPL-798)
+ r.Requires('apr:devel', '%(includedir)s/%(name)s/ap_config.h')
+ r.Requires('apr-util:devel', '%(includedir)s/%(name)s/ap_config.h')
+
+ # modules are shared libraries, but aren't linked to
+ r.Provides(exceptions='%(libdir)s/httpd/modules/')
+
+ # need empty html directory
+ r.MakeDirs('%(contentdir)s/html')
+ r.ExcludeDirectories(exceptions='%(contentdir)s/html')
+
+ # apxs and envvars are tools for building httpd modules
+ r.ComponentSpec('devel', '%(sbindir)s/(envvars.*|apxs)')
+ r.ComponentSpec('devel', '%(libdir)s/httpd/build/')
+ r.ComponentSpec('devel', '%(htconfdir)s/build')
+
+ r.SetModes('%(sbindir)s/envvars', '%(sbindir)s/envvars-std', 0755)
+
+ def mpmbuild(r, target, extraConfig):
+ r.Run('mkdir ' + target)
+ r.ManualConfigure(
+ ' --enable-layout=rPath'
+ ' --with-mpm=' + target +
+ ' --with-apr=%(prefix)s --with-apr-util=%(prefix)s'
+ ' --enable-suexec --with-suexec'
+ ' --with-suexec-caller=%(suexec_caller)s'
+ ' --with-suexec-docroot=%(contentdir)s'
+ ' --with-suexec-logfile=%(localstatedir)s/log/httpd/suexec.log'
+ ' --with-suexec-bin=%(sbindir)s/suexec'
+ ' --with-suexec-uidmin=500 --with-suexec-gidmin=100 '
+ + extraConfig,
+ configureName='../configure',
+ dir=target,
+ preConfigure='SSL_LIBS="%(ssl_libs)s" '
+ 'CFLAGS=$(echo "%(cflags)s")')
+ r.Make(dir=target, preMake="SSL_LIBS='%(ssl_libs)s'")
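Review bot: The fixes for CVE-2008-2939, CVE-2009-1891, CVE-2009-1890 and CVE-2011-3192 in `setup()` are pulled with `r.addPatch('http://…')` from viewvc URLs, and `oldrpm`/`rhel5rpm` point at plain `http://` and `ftp://` SRPMs, so the content of these security patches depends on an unauthenticated fetch, and nothing visible in the recipe checks a digest or signature. I would check these patches into the source component next to `httpd-2.2.9-CVE-2009-1195.patch` and reference them by file name, e.g. `r.addPatch('<local copy of the CVE-2008-2939 patch>', level=4)`. The CVE-2011-3192 patch is additionally applied with `extraArgs = '-F3'`, which lets `patch` place hunks despite three lines of mismatched context. A security fix written for another tree is better rebased so it applies without added fuzz, with a comment such as `# rebased onto 2.2.9; applies with no fuzz`.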

config.layout.rpath: new
--- /dev/null
+++ config.layout.rpath
@@ -0,0 +29 @@
+--- config.layout.rpath 2004-11-21 13:50:36.000000000 -0500
++++ config.layout 2006-11-23 20:09:45.000000000 -0500
+@@ -322,3 +322,26 @@
+ installbuilddir: ${prefix}/etc/apache2/build
+ errordir: ${datadir}/error
+ </Layout>
++
++<Layout rPath>
++ prefix: %(sysconfdir)s/httpd
++ exec_prefix: %(exec_prefix)s
++ bindir: %(bindir)s
++ sbindir: %(sbindir)s
++ libdir: %(libdir)s
++ libexecdir: %(libdir)s/httpd/modules
++ mandir: %(mandir)s
++ sysconfdir: ${prefix}/conf
++ datadir: %(contentdir)s
++ installbuilddir: ${libdir}/httpd/build
++ errordir: ${datadir}/error
++ iconsdir: ${datadir}/icons
++ htdocsdir: ${datadir}/htdocs
++ manualdir: ${datadir}/manual
++ cgidir: ${datadir}/cgi-bin
++ includedir: %(includedir)s/httpd
++ localstatedir: %(localstatedir)s
++ runtimedir: ${localstatedir}/run
++ logfiledir: ${localstatedir}/log/httpd
++ proxycachedir: ${localstatedir}/cache/mod_proxy
++</Layout>


Committed by: johnsonm
_______________________________________________
Foresight-commits mailing list
Foresigh...@lists.foresightlinux.org
https://lists.foresightlinux.org/mailman/listinfo/foresight-commits
