authorRemi Collet <fedora@famillecollet.com>2012-08-21 18:18:24 +0200
committerRemi Collet <fedora@famillecollet.com>2012-08-21 18:18:24 +0200
commite6cc70b01f04726bec55199ef2cfe9d29a5924b9 (patch)
tree7ec52cea31dd6d49401b15ac3480ef807c93f501
parent65e03b2d11ed6e42a421636e29b936edf78459d3 (diff)
httpd: sync with rawhide, update to 2.4.3
-rw-r--r--httpd-2.4.2-r1326980+.patch65
-rw-r--r--httpd-2.4.2-r1327036+.patch80
-rw-r--r--httpd-2.4.2-r1337344+.patch7
-rw-r--r--httpd-2.4.2-r1346905.patch65
-rw-r--r--httpd-2.4.2-r1357685.patch38
-rw-r--r--httpd-2.4.2-r1365604.patch15
-rw-r--r--httpd-2.4.2-r1366693.patch252
-rw-r--r--httpd-2.4.2-r1374214+.patch45
-rw-r--r--httpd-2.4.2-restart.patch31
-rw-r--r--httpd-2.4.3-apxs.patch (renamed from httpd-2.4.1-apxs.patch)12
-rw-r--r--httpd-2.4.3-layout.patch (renamed from httpd-2.4.1-layout.patch)16
-rw-r--r--httpd-2.4.3-release.patch (renamed from httpd-2.0.48-release.patch)6
-rw-r--r--httpd.spec43
13 files changed, 85 insertions, 590 deletions
diff --git a/httpd-2.4.2-r1326980+.patch b/httpd-2.4.2-r1326980+.patch
deleted file mode 100644
index 3d37c3f..0000000
--- a/httpd-2.4.2-r1326980+.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-
-http://svn.apache.org/viewvc?view=revision&revision=1326980
-http://svn.apache.org/viewvc?view=revision&revision=1326984
-http://svn.apache.org/viewvc?view=revision&revision=1326991
-
---- httpd-2.4.2/modules/loggers/mod_log_debug.c
-+++ httpd-2.4.2/modules/loggers/mod_log_debug.c
-@@ -35,8 +35,8 @@
- apr_array_header_t *entries;
- } log_debug_dirconf;
-
--const char *allhooks = "all";
--const char * const hooks[] = {
-+static const char *allhooks = "all";
-+static const char * const hooks[] = {
- "log_transaction", /* 0 */
- "quick_handler", /* 1 */
- "handler", /* 2 */
---- httpd-2.4.2/modules/filters/sed1.c
-+++ httpd-2.4.2/modules/filters/sed1.c
-@@ -25,7 +25,7 @@
- #include "apr_strings.h"
- #include "regexp.h"
-
--char *trans[040] = {
-+static const char *const trans[040] = {
- "\\01",
- "\\02",
- "\\03",
-@@ -58,7 +58,7 @@
- "\\36",
- "\\37"
- };
--char rub[] = {"\\177"};
-+static const char rub[] = {"\\177"};
-
- extern int sed_step(char *p1, char *p2, int circf, step_vars_storage *vars);
- static int substitute(sed_eval_t *eval, sed_reptr_t *ipc,
-@@ -692,7 +692,8 @@
- step_vars_storage *step_vars)
- {
- int i;
-- char *p1, *p2, *p3;
-+ char *p1, *p2;
-+ const char *p3;
- int length;
- char sz[32]; /* 32 bytes enough to store 64 bit integer in decimal */
- apr_status_t rv = APR_SUCCESS;
---- httpd-2.4.2/modules/filters/config.m4
-+++ httpd-2.4.2/modules/filters/config.m4
-@@ -16,7 +16,13 @@
- APACHE_MODULE(substitute, response content rewrite-like filtering, , , most)
-
- sed_obj="mod_sed.lo sed0.lo sed1.lo regexp.lo"
--APACHE_MODULE(sed, filter request and/or response bodies through sed, $sed_obj, , most)
-+APACHE_MODULE(sed, filter request and/or response bodies through sed, $sed_obj, , most, [
-+ if test "x$enable_sed" = "xshared"; then
-+ # The only symbol which needs to be exported is the module
-+ # structure, so ask libtool to hide libsed internals:
-+ APR_ADDTO(MOD_SED_LDADD, [-export-symbols-regex sed_module])
-+ fi
-+])
-
- if test "$ac_cv_ebcdic" = "yes"; then
- # mod_charset_lite can be very useful on an ebcdic system,
diff --git a/httpd-2.4.2-r1327036+.patch b/httpd-2.4.2-r1327036+.patch
deleted file mode 100644
index 63ef401..0000000
--- a/httpd-2.4.2-r1327036+.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-
-http://svn.apache.org/viewvc?view=revision&revision=1327036
-http://svn.apache.org/viewvc?view=revision&revision=1327080
-
---- httpd-2.4.2/server/mpm_unix.c
-+++ httpd-2.4.2/server/mpm_unix.c
-@@ -501,14 +501,14 @@
- return rv;
- }
-
--/* This function connects to the server, then immediately closes the connection.
-- * This permits the MPM to skip the poll when there is only one listening
-- * socket, because it provides a alternate way to unblock an accept() when
-- * the pod is used.
-- */
-+/* This function connects to the server and sends enough data to
-+ * ensure the child wakes up and processes a new connection. This
-+ * permits the MPM to skip the poll when there is only one listening
-+ * socket, because it provides a alternate way to unblock an accept()
-+ * when the pod is used. */
- static apr_status_t dummy_connection(ap_pod_t *pod)
- {
-- char *srequest;
-+ const char *data;
- apr_status_t rv;
- apr_socket_t *sock;
- apr_pool_t *p;
-@@ -574,24 +574,37 @@
- return rv;
- }
-
-- /* Create the request string. We include a User-Agent so that
-- * adminstrators can track down the cause of the odd-looking
-- * requests in their logs.
-- */
-- srequest = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ",
-+ if (lp->protocol && strcasecmp(lp->protocol, "https") == 0) {
-+ /* Send a TLS 1.0 close_notify alert. This is perhaps the
-+ * "least wrong" way to open and cleanly terminate an SSL
-+ * connection. It should "work" without noisy error logs if
-+ * the server actually expects SSLv3/TLSv1. With
-+ * SSLv23_server_method() OpenSSL's SSL_accept() fails
-+ * ungracefully on receipt of this message, since it requires
-+ * an 11-byte ClientHello message and this is too short. */
-+ static const unsigned char tls10_close_notify[7] = {
-+ '\x15', /* TLSPlainText.type = Alert (21) */
-+ '\x03', '\x01', /* TLSPlainText.version = {3, 1} */
-+ '\x00', '\x02', /* TLSPlainText.length = 2 */
-+ '\x01', /* Alert.level = warning (1) */
-+ '\x00' /* Alert.description = close_notify (0) */
-+ };
-+ data = (const char *)tls10_close_notify;
-+ len = sizeof(tls10_close_notify);
-+ }
-+ else /* ... XXX other request types here? */ {
-+ /* Create an HTTP request string. We include a User-Agent so
-+ * that adminstrators can track down the cause of the
-+ * odd-looking requests in their logs. A complete request is
-+ * used since kernel-level filtering may require that much
-+ * data before returning from accept(). */
-+ data = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ",
- ap_get_server_description(),
- " (internal dummy connection)\r\n\r\n", NULL);
-+ len = strlen(data);
-+ }
-
-- /* Since some operating systems support buffering of data or entire
-- * requests in the kernel, we send a simple request, to make sure
-- * the server pops out of a blocking accept().
-- */
-- /* XXX: This is HTTP specific. We should look at the Protocol for each
-- * listener, and send the correct type of request to trigger any Accept
-- * Filters.
-- */
-- len = strlen(srequest);
-- apr_socket_send(sock, srequest, &len);
-+ apr_socket_send(sock, data, &len);
- apr_socket_close(sock);
- apr_pool_destroy(p);
-
diff --git a/httpd-2.4.2-r1337344+.patch b/httpd-2.4.2-r1337344+.patch
index 69bb40f..60c77bb 100644
--- a/httpd-2.4.2-r1337344+.patch
+++ b/httpd-2.4.2-r1337344+.patch
@@ -109,13 +109,6 @@ http://svn.apache.org/viewvc?view=revision&revision=1344712
</div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
<div class="section">
-@@ -615,4 +639,4 @@
- </div><div id="footer">
- <p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
- <p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div>
--</body></html>
-\ No newline at end of file
-+</body></html>
--- httpd-2.4.2/Makefile.in.r1337344+
+++ httpd-2.4.2/Makefile.in
@@ -236,11 +236,22 @@ install-man:
diff --git a/httpd-2.4.2-r1346905.patch b/httpd-2.4.2-r1346905.patch
deleted file mode 100644
index e94558e..0000000
--- a/httpd-2.4.2-r1346905.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-# ./pullrev.sh 1346905
-
-https://bugzilla.redhat.com/show_bug.cgi?id=818684
-
-http://svn.apache.org/viewvc?view=revision&revision=1346905
-
---- httpd-2.4.2/support/htdbm.c
-+++ httpd-2.4.2/support/htdbm.c
-@@ -288,6 +288,9 @@
- {
- char cpw[MAX_STRING_LEN];
- char salt[9];
-+#if (!(defined(WIN32) || defined(NETWARE)))
-+ char *cbuf;
-+#endif
-
- switch (htdbm->alg) {
- case ALG_APSHA:
-@@ -315,7 +318,15 @@
- (void) srand((int) time((time_t *) NULL));
- to64(&salt[0], rand(), 8);
- salt[8] = '\0';
-- apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - 1);
-+ cbuf = crypt(htdbm->userpass, salt);
-+ if (cbuf == NULL) {
-+ char errbuf[128];
-+
-+ fprintf(stderr, "crypt() failed: %s\n",
-+ apr_strerror(errno, errbuf, sizeof errbuf));
-+ exit(ERR_PWMISMATCH);
-+ }
-+ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
- fprintf(stderr, "CRYPT is now deprecated, use MD5 instead!\n");
- #endif
- default:
---- httpd-2.4.2/support/htpasswd.c
-+++ httpd-2.4.2/support/htpasswd.c
-@@ -174,6 +174,9 @@
- char pwv[MAX_STRING_LEN];
- char salt[9];
- apr_size_t bufsize;
-+#if CRYPT_ALGO_SUPPORTED
-+ char *cbuf;
-+#endif
-
- if (passwd != NULL) {
- pw = passwd;
-@@ -226,7 +229,16 @@
- to64(&salt[0], rand(), 8);
- salt[8] = '\0';
-
-- apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1);
-+ cbuf = crypt(pw, salt);
-+ if (cbuf == NULL) {
-+ char errbuf[128];
-+
-+ apr_snprintf(record, rlen-1, "crypt() failed: %s",
-+ apr_strerror(errno, errbuf, sizeof errbuf));
-+ return ERR_PWMISMATCH;
-+ }
-+
-+ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1);
- if (strlen(pw) > 8) {
- char *truncpw = strdup(pw);
- truncpw[8] = '\0';
diff --git a/httpd-2.4.2-r1357685.patch b/httpd-2.4.2-r1357685.patch
deleted file mode 100644
index 189a089..0000000
--- a/httpd-2.4.2-r1357685.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-# ./pullrev.sh 1357685
-
-http://svn.apache.org/viewvc?view=revision&revision=1357685
-
---- httpd-2.4.2/modules/filters/mod_ext_filter.c
-+++ httpd-2.4.2/modules/filters/mod_ext_filter.c
-@@ -66,7 +66,7 @@
- apr_procattr_t *procattr;
- ef_dir_t *dc;
- ef_filter_t *filter;
-- int noop;
-+ int noop, hit_eos;
- #if APR_FILES_AS_SOCKETS
- apr_pollset_t *pollset;
- #endif
-@@ -827,6 +827,7 @@
- if (eos) {
- b = apr_bucket_eos_create(c->bucket_alloc);
- APR_BRIGADE_INSERT_TAIL(bb, b);
-+ ctx->hit_eos = 1;
- }
-
- return APR_SUCCESS;
-@@ -910,6 +911,14 @@
- ctx = f->ctx;
- }
-
-+ if (ctx->hit_eos) {
-+ /* Match behaviour of HTTP_IN if filter is re-invoked after
-+ * hitting EOS: give back another EOS. */
-+ apr_bucket *e = apr_bucket_eos_create(f->c->bucket_alloc);
-+ APR_BRIGADE_INSERT_TAIL(bb, e);
-+ return APR_SUCCESS;
-+ }
-+
- if (ctx->noop) {
- ap_remove_input_filter(f);
- return ap_get_brigade(f->next, bb, mode, block, readbytes);
diff --git a/httpd-2.4.2-r1365604.patch b/httpd-2.4.2-r1365604.patch
deleted file mode 100644
index d7b962f..0000000
--- a/httpd-2.4.2-r1365604.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-# ./pullrev.sh 1365604
-
-http://svn.apache.org/viewvc?view=revision&revision=1365604
-
---- httpd-2.4.2/modules/proxy/proxy_util.c
-+++ httpd-2.4.2/modules/proxy/proxy_util.c
-@@ -852,7 +852,7 @@
- (balancer = ap_proxy_get_balancer(r->pool, sconf, real, 1))) {
- int n, l3 = 0;
- proxy_worker **worker = (proxy_worker **)balancer->workers->elts;
-- const char *urlpart = ap_strchr_c(real, '/');
-+ const char *urlpart = ap_strchr_c(real + sizeof(BALANCER_PREFIX) - 1, '/');
- if (urlpart) {
- if (!urlpart[1])
- urlpart = NULL;
diff --git a/httpd-2.4.2-r1366693.patch b/httpd-2.4.2-r1366693.patch
deleted file mode 100644
index 674decf..0000000
--- a/httpd-2.4.2-r1366693.patch
+++ /dev/null
@@ -1,252 +0,0 @@
-# ./pullrev.sh 1366693
-
-http://svn.apache.org/viewvc?view=revision&revision=1366693
-
---- httpd-2.4.2/modules/proxy/mod_proxy_connect.c
-+++ httpd-2.4.2/modules/proxy/mod_proxy_connect.c
-@@ -205,7 +205,7 @@
- conn_rec *backconn;
-
- apr_bucket_brigade *bb = apr_brigade_create(p, c->bucket_alloc);
-- apr_status_t err, rv;
-+ apr_status_t rv;
- apr_size_t nbytes;
- char buffer[HUGE_STRING_LEN];
- apr_socket_t *client_socket = ap_get_conn_socket(c);
-@@ -216,7 +216,7 @@
- const apr_pollfd_t *signalled;
- apr_int32_t pollcnt, pi;
- apr_int16_t pollevent;
-- apr_sockaddr_t *uri_addr, *connect_addr;
-+ apr_sockaddr_t *nexthop;
-
- apr_uri_t uri;
- const char *connectname;
-@@ -246,37 +246,32 @@
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01019)
- "connecting %s to %s:%d", url, uri.hostname, uri.port);
-
-- /* do a DNS lookup for the destination host */
-- err = apr_sockaddr_info_get(&uri_addr, uri.hostname, APR_UNSPEC, uri.port,
-- 0, p);
-- if (APR_SUCCESS != err) {
-+ /* Determine host/port of next hop; from request URI or of a proxy. */
-+ connectname = proxyname ? proxyname : uri.hostname;
-+ connectport = proxyname ? proxyport : uri.port;
-+
-+ /* Do a DNS lookup for the next hop */
-+ rv = apr_sockaddr_info_get(&nexthop, connectname, APR_UNSPEC,
-+ connectport, 0, p);
-+ if (rv != APR_SUCCESS) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO()
-+ "failed to resolve hostname '%s'", connectname);
- return ap_proxyerror(r, HTTP_BAD_GATEWAY,
- apr_pstrcat(p, "DNS lookup failure for: ",
-- uri.hostname, NULL));
-+ connectname, NULL));
- }
-
-- /* are we connecting directly, or via a proxy? */
-- if (proxyname) {
-- connectname = proxyname;
-- connectport = proxyport;
-- err = apr_sockaddr_info_get(&connect_addr, proxyname, APR_UNSPEC,
-- proxyport, 0, p);
-+ /* Check ProxyBlock directive on the hostname/address. */
-+ if (ap_proxy_checkproxyblock2(r, conf, uri.hostname,
-+ proxyname ? NULL : nexthop) != OK) {
-+ return ap_proxyerror(r, HTTP_FORBIDDEN,
-+ "Connect to remote machine blocked");
- }
-- else {
-- connectname = uri.hostname;
-- connectport = uri.port;
-- connect_addr = uri_addr;
-- }
-+
- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
- "connecting to remote proxy %s on port %d",
- connectname, connectport);
-
-- /* check if ProxyBlock directive on this host */
-- if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
-- return ap_proxyerror(r, HTTP_FORBIDDEN,
-- "Connect to remote machine blocked");
-- }
--
- /* Check if it is an allowed port */
- if(!allowed_port(c_conf, uri.port)) {
- return ap_proxyerror(r, HTTP_FORBIDDEN,
-@@ -289,15 +284,6 @@
- * We have determined who to connect to. Now make the connection.
- */
-
-- /* get all the possible IP addresses for the destname and loop through them
-- * until we get a successful connection
-- */
-- if (APR_SUCCESS != err) {
-- return ap_proxyerror(r, HTTP_BAD_GATEWAY,
-- apr_pstrcat(p, "DNS lookup failure for: ",
-- connectname, NULL));
-- }
--
- /*
- * At this point we have a list of one or more IP addresses of
- * the machine to connect to. If configured, reorder this
-@@ -308,7 +294,7 @@
- * For now we do nothing, ie we get DNS round robin.
- * XXX FIXME
- */
-- failed = ap_proxy_connect_to_backend(&sock, "CONNECT", connect_addr,
-+ failed = ap_proxy_connect_to_backend(&sock, "CONNECT", nexthop,
- connectname, conf, r);
-
- /* handle a permanent error from the above loop */
-@@ -355,7 +341,7 @@
- /* peer reset */
- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01021)
- "an error occurred creating a new connection "
-- "to %pI (%s)", connect_addr, connectname);
-+ "to %pI (%s)", nexthop, connectname);
- apr_socket_close(sock);
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-@@ -370,7 +356,7 @@
-
- ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
- "connection complete to %pI (%s)",
-- connect_addr, connectname);
-+ nexthop, connectname);
- apr_table_setn(r->notes, "proxy-source-port", apr_psprintf(r->pool, "%hu",
- backconn->local_addr->port));
-
---- httpd-2.4.2/modules/proxy/proxy_util.c
-+++ httpd-2.4.2/modules/proxy/proxy_util.c
-@@ -759,48 +759,63 @@
- return host != NULL && ap_strstr_c(host, This->name) != NULL;
- }
-
--/* checks whether a host in uri_addr matches proxyblock */
-+/* Backwards-compatible interface. */
- PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf,
- apr_sockaddr_t *uri_addr)
- {
-+ return ap_proxy_checkproxyblock2(r, conf, uri_addr->hostname, uri_addr);
-+}
-+
-+#define MAX_IP_STR_LEN (46)
-+
-+PROXY_DECLARE(int) ap_proxy_checkproxyblock2(request_rec *r, proxy_server_conf *conf,
-+ const char *hostname, apr_sockaddr_t *addr)
-+{
- int j;
-- apr_sockaddr_t * src_uri_addr = uri_addr;
-+
- /* XXX FIXME: conf->noproxies->elts is part of an opaque structure */
- for (j = 0; j < conf->noproxies->nelts; j++) {
- struct noproxy_entry *npent = (struct noproxy_entry *) conf->noproxies->elts;
-- struct apr_sockaddr_t *conf_addr = npent[j].addr;
-- uri_addr = src_uri_addr;
-+ struct apr_sockaddr_t *conf_addr;
-+
- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
- "checking remote machine [%s] against [%s]",
-- uri_addr->hostname, npent[j].name);
-- if (ap_strstr_c(uri_addr->hostname, npent[j].name)
-- || npent[j].name[0] == '*') {
-+ hostname, npent[j].name);
-+ if (ap_strstr_c(hostname, npent[j].name) || npent[j].name[0] == '*') {
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(00916)
- "connect to remote machine %s blocked: name %s "
-- "matched", uri_addr->hostname, npent[j].name);
-+ "matched", hostname, npent[j].name);
- return HTTP_FORBIDDEN;
- }
-- while (conf_addr) {
-- uri_addr = src_uri_addr;
-- while (uri_addr) {
-- char *conf_ip;
-- char *uri_ip;
-- apr_sockaddr_ip_get(&conf_ip, conf_addr);
-- apr_sockaddr_ip_get(&uri_ip, uri_addr);
-+
-+ /* No IP address checks if no IP address was passed in,
-+ * i.e. the forward address proxy case, where this server does
-+ * not resolve the hostname. */
-+ if (!addr)
-+ continue;
-+
-+ for (conf_addr = npent[j].addr; conf_addr; conf_addr = conf_addr->next) {
-+ char caddr[MAX_IP_STR_LEN], uaddr[MAX_IP_STR_LEN];
-+ apr_sockaddr_t *uri_addr;
-+
-+ if (apr_sockaddr_ip_getbuf(caddr, sizeof caddr, conf_addr))
-+ continue;
-+
-+ for (uri_addr = addr; uri_addr; uri_addr = uri_addr->next) {
-+ if (apr_sockaddr_ip_getbuf(uaddr, sizeof uaddr, uri_addr))
-+ continue;
- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
-- "ProxyBlock comparing %s and %s", conf_ip,
-- uri_ip);
-- if (!apr_strnatcasecmp(conf_ip, uri_ip)) {
-+ "ProxyBlock comparing %s and %s", caddr, uaddr);
-+ if (!strcmp(caddr, uaddr)) {
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(00917)
-- "connect to remote machine %s blocked: "
-- "IP %s matched", uri_addr->hostname, conf_ip);
-+ "connect to remote machine %s blocked: "
-+ "IP %s matched", hostname, caddr);
- return HTTP_FORBIDDEN;
- }
-- uri_addr = uri_addr->next;
- }
-- conf_addr = conf_addr->next;
- }
- }
-+
- return OK;
- }
-
-@@ -2128,7 +2143,8 @@
- }
- }
- /* check if ProxyBlock directive on this host */
-- if (OK != ap_proxy_checkproxyblock(r, conf, conn->addr)) {
-+ if (OK != ap_proxy_checkproxyblock2(r, conf, uri->hostname,
-+ proxyname ? NULL : conn->addr)) {
- return ap_proxyerror(r, HTTP_FORBIDDEN,
- "Connect to remote machine blocked");
- }
---- httpd-2.4.2/modules/proxy/mod_proxy.h
-+++ httpd-2.4.2/modules/proxy/mod_proxy.h
-@@ -534,6 +534,18 @@
- char **passwordp, char **hostp, apr_port_t *port);
- PROXY_DECLARE(int) ap_proxyerror(request_rec *r, int statuscode, const char *message);
- PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf, apr_sockaddr_t *uri_addr);
-+
-+/** Test whether the hostname/address of the request are blocked by the ProxyBlock
-+ * configuration.
-+ * @param r request
-+ * @param conf server configuration
-+ * @param hostname hostname from request URI
-+ * @param addr resolved address of hostname, or NULL if not known
-+ * @return OK on success, or else an errro
-+ */
-+PROXY_DECLARE(int) ap_proxy_checkproxyblock2(request_rec *r, proxy_server_conf *conf,
-+ const char *hostname, apr_sockaddr_t *addr);
-+
- PROXY_DECLARE(int) ap_proxy_pre_http_request(conn_rec *c, request_rec *r);
- /* DEPRECATED (will be replaced with ap_proxy_connect_backend */
- PROXY_DECLARE(int) ap_proxy_connect_to_backend(apr_socket_t **, const char *, apr_sockaddr_t *, const char *, proxy_server_conf *, request_rec *);
---- httpd-2.4.2/modules/proxy/mod_proxy_ftp.c
-+++ httpd-2.4.2/modules/proxy/mod_proxy_ftp.c
-@@ -1143,7 +1143,7 @@
- }
-
- /* check if ProxyBlock directive on this host */
-- if (OK != ap_proxy_checkproxyblock(r, conf, connect_addr)) {
-+ if (OK != ap_proxy_checkproxyblock2(r, conf, connectname, connect_addr)) {
- return ap_proxyerror(r, HTTP_FORBIDDEN,
- "Connect to remote machine blocked");
- }
diff --git a/httpd-2.4.2-r1374214+.patch b/httpd-2.4.2-r1374214+.patch
new file mode 100644
index 0000000..af5d2ab
--- /dev/null
+++ b/httpd-2.4.2-r1374214+.patch
@@ -0,0 +1,45 @@
+# ./pullrev.sh 1374214 1375445
+
+http://svn.apache.org/viewvc?view=revision&revision=1374214
+http://svn.apache.org/viewvc?view=revision&revision=1375445
+
+--- httpd-2.4.2/modules/ssl/ssl_engine_init.c
++++ httpd-2.4.2/modules/ssl/ssl_engine_init.c
+@@ -1381,7 +1381,7 @@
+ for (n = 0; n < ncerts; n++) {
+ X509_INFO *inf = sk_X509_INFO_value(sk, n);
+
+- if (!inf->x509 || !inf->x_pkey) {
++ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) {
+ sk_X509_INFO_free(sk);
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252)
+ "incomplete client cert configured for SSL proxy "
+@@ -1389,6 +1389,15 @@
+ ssl_die(s);
+ return;
+ }
++
++ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) {
++ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509,
++ APLOGNO(02326) "proxy client certificate and "
++ "private key do not match");
++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
++ ssl_die(s);
++ return;
++ }
+ }
+
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207)
+@@ -1401,7 +1410,11 @@
+ return;
+ }
+
+- /* Load all of the CA certs and construct a chain */
++ /* If SSLProxyMachineCertificateChainFile is configured, load all
++ * the CA certs and have OpenSSL attempt to construct a full chain
++ * from each configured end-entity cert up to a root. This will
++ * allow selection of the correct cert given a list of root CA
++ * names in the certificate request from the server. */
+ pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk));
+ sctx = X509_STORE_CTX_new();
+
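Review bot: The added certificate/private-key mismatch branch in the ssl_engine_init.c patch reaches `ssl_die(s);` without releasing `sk`, whereas the incomplete-certificate branch directly above it calls `sk_X509_INFO_free(sk);` first. If ssl_die() terminates the process the leak is harmless, but the two failure paths should agree. I would add `sk_X509_INFO_free(sk);` after the two logging calls and before `ssl_die(s);`, because the log call still reads `inf->x509`. The enclosing function begins and ends outside the hunk, so whether a later cleanup path covers this case cannot be confirmed from here.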
diff --git a/httpd-2.4.2-restart.patch b/httpd-2.4.2-restart.patch
deleted file mode 100644
index b4f9942..0000000
--- a/httpd-2.4.2-restart.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=814645
-
-http://svn.apache.org/viewvc?rev=1331847&view=rev
-
---- httpd-2.4.2/server/main.c.restart
-+++ httpd-2.4.2/server/main.c
-@@ -671,6 +671,11 @@ int main(int argc, const char * const ar
- }
- }
-
-+ /* If our config failed, deal with that here. */
-+ if (rv != OK) {
-+ destroy_and_exit_process(process, 1);
-+ }
-+
- signal_server = APR_RETRIEVE_OPTIONAL_FN(ap_signal_server);
- if (signal_server) {
- int exit_status;
-@@ -680,11 +685,6 @@ int main(int argc, const char * const ar
- }
- }
-
-- /* If our config failed, deal with that here. */
-- if (rv != OK) {
-- destroy_and_exit_process(process, 1);
-- }
--
- apr_pool_clear(plog);
-
- if ( ap_run_open_logs(pconf, plog, ptemp, ap_server_conf) != OK) {
diff --git a/httpd-2.4.1-apxs.patch b/httpd-2.4.3-apxs.patch
index 62003ec..f4d2a87 100644
--- a/httpd-2.4.1-apxs.patch
+++ b/httpd-2.4.3-apxs.patch
@@ -1,5 +1,5 @@
---- httpd-2.4.1/support/apxs.in.apxs
-+++ httpd-2.4.1/support/apxs.in
+--- httpd-2.4.3/support/apxs.in.apxs
++++ httpd-2.4.3/support/apxs.in
@@ -25,7 +25,18 @@ package apxs;
my %config_vars = ();
@@ -20,7 +20,7 @@
get_config_vars("$installbuilddir/config_vars.mk",\%config_vars);
# read the configuration variables once
-@@ -273,7 +284,7 @@ if ($opt_g) {
+@@ -275,7 +286,7 @@ if ($opt_g) {
$data =~ s|%NAME%|$name|sg;
$data =~ s|%TARGET%|$CFG_TARGET|sg;
$data =~ s|%PREFIX%|$prefix|sg;
@@ -29,8 +29,8 @@
my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s);
-@@ -450,11 +461,11 @@ if ($opt_c) {
-
+@@ -453,11 +464,11 @@ if ($opt_c) {
+ my $ldflags = "$CFG_LDFLAGS";
if ($opt_p == 1) {
- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`;
@@ -43,7 +43,7 @@
chomp($apu_libs);
}
-@@ -669,8 +680,8 @@ __DATA__
+@@ -672,8 +683,8 @@ __DATA__
builddir=.
top_srcdir=%PREFIX%
diff --git a/httpd-2.4.1-layout.patch b/httpd-2.4.3-layout.patch
index 57cf13b..163c66b 100644
--- a/httpd-2.4.1-layout.patch
+++ b/httpd-2.4.3-layout.patch
@@ -1,9 +1,13 @@
---- httpd-2.4.1/config.layout.layout
-+++ httpd-2.4.1/config.layout
-@@ -347,3 +347,26 @@
- proxycachedir: ${localstatedir}/proxy
+
+Add layout for Fedora.
+
+--- httpd-2.4.3/config.layout.layout
++++ httpd-2.4.3/config.layout
+@@ -370,3 +370,27 @@
+ logfiledir: ${localstatedir}/log/httpd
+ proxycachedir: ${localstatedir}/cache/httpd
</Layout>
-
++
+# Fedora/RHEL layout
+<Layout Fedora>
+ prefix: /usr
@@ -25,5 +29,5 @@
+ localstatedir: /var
+ runtimedir: /run/httpd
+ logfiledir: ${localstatedir}/log/httpd
-+ proxycachedir: ${localstatedir}/cache/httpd
++ proxycachedir: ${localstatedir}/cache/httpd/proxy
+</Layout>
diff --git a/httpd-2.0.48-release.patch b/httpd-2.4.3-release.patch
index fd6fd2b..0b2fb77 100644
--- a/httpd-2.0.48-release.patch
+++ b/httpd-2.4.3-release.patch
@@ -3,9 +3,9 @@ Upstream-HEAD: vendor
Upstream-2.0: vendor
Upstream-Status: vendor-specific change
---- httpd-2.0.48/server/core.c.release
-+++ httpd-2.0.48/server/core.c
-@@ -2758,7 +2758,7 @@
+--- httpd-2.4.3/server/core.c.release
++++ httpd-2.4.3/server/core.c
+@@ -3189,7 +3189,7 @@ static void set_banner(apr_pool_t *pconf
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
}
else {
diff --git a/httpd.spec b/httpd.spec
index 56fd486..41540b5 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,8 +7,8 @@
Summary: Apache HTTP Server
Name: httpd
-Version: 2.4.2
-Release: 23%{?dist}
+Version: 2.4.3
+Release: 2%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -37,25 +37,19 @@ Source23: manual.conf
Source30: README.confd
# build/scripts patches
Patch1: httpd-2.4.1-apctl.patch
-Patch2: httpd-2.4.1-apxs.patch
+Patch2: httpd-2.4.3-apxs.patch
Patch3: httpd-2.4.1-deplibs.patch
-Patch5: httpd-2.4.1-layout.patch
+Patch5: httpd-2.4.3-layout.patch
# Features/functional changes
-Patch20: httpd-2.0.48-release.patch
+Patch20: httpd-2.4.3-release.patch
Patch23: httpd-2.4.1-export.patch
Patch24: httpd-2.4.1-corelimit.patch
Patch25: httpd-2.4.1-selinux.patch
Patch26: httpd-2.4.2-r1337344+.patch
Patch27: httpd-2.4.2-icons.patch
+Patch28: httpd-2.4.2-r1332643+.patch
# Bug fixes
-Patch40: httpd-2.4.2-restart.patch
-Patch41: httpd-2.4.2-r1327036+.patch
-Patch42: httpd-2.4.2-r1326980+.patch
-Patch43: httpd-2.4.2-r1332643+.patch
-Patch44: httpd-2.4.2-r1346905.patch
-Patch45: httpd-2.4.2-r1357685.patch
-Patch46: httpd-2.4.2-r1366693.patch
-Patch47: httpd-2.4.2-r1365604.patch
+Patch50: httpd-2.4.2-r1374214+.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -162,18 +156,12 @@ authentication to the Apache HTTP Server.
%patch25 -p1 -b .selinux
%patch26 -p1 -b .r1337344+
%patch27 -p1 -b .icons
+%patch28 -p1 -b .r1332643+
-%patch40 -p1 -b .restart
-%patch41 -p1 -b .r1327036+
-%patch42 -p1 -b .r1326980+
-%patch43 -p1 -b .r1332643+
-%patch44 -p1 -b .r1346905
-%patch45 -p1 -b .r1357685
-%patch46 -p1 -b .r1366693
-%patch47 -p1 -b .r1365604
+%patch50 -p1 -b .r1374214+
# Patch in vendor/release string
-sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
+sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch --fuzz=%{_default_patch_fuzz} -p1
# Prevent use of setcap in "install-suexec-caps" target.
sed -i '/suexec/s,setcap ,echo Skipping setcap for ,' Makefile.in
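Review bot: The hand-written `patch` invocation for the vendor-string patch now depends on `%{_default_patch_fuzz}` being defined. rpm leaves an undefined macro unexpanded, so on a build target that lacks it the literal text would be passed to patch and %prep would fail. Since the changelog says this package is rebuilt for a third-party repository, guarding the option may be worthwhile, e.g. `%{?_default_patch_fuzz:--fuzz=%{_default_patch_fuzz}}`. A one-line comment saying the option keeps this manual call as strict as the `%patch` lines would also help the next packager.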
@@ -530,6 +518,7 @@ rm -rf $RPM_BUILD_ROOT
%{contentdir}/error/include/*.html
%{contentdir}/noindex/index.html
+%dir %{docroot}
%dir %{docroot}/cgi-bin
%dir %{docroot}/html
@@ -585,6 +574,16 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
+* Tue Aug 21 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.4.3-2
+- sync with rawhide, rebuild for remi repo
+
+* Tue Aug 21 2012 Joe Orton <jorton@redhat.com> - 2.4.3-2
+- mod_ssl: add check for proxy keypair match (upstream r1374214)
+
+* Tue Aug 21 2012 Joe Orton <jorton@redhat.com> - 2.4.3-1
+- update to 2.4.3 (#849883)
+- own the docroot (#848121)
+
* Mon Aug 6 2012 Remi Collet <RPMS@FamilleCollet.com> - 2.4.2-23
- sync with rawhide, rebuild for remi repo