From e6cc70b01f04726bec55199ef2cfe9d29a5924b9 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 21 Aug 2012 18:18:24 +0200 Subject: httpd: sync with rawhide, update to 2.4.3 --- httpd-2.0.48-release.patch | 16 --- httpd-2.4.1-apxs.patch | 56 ---------- httpd-2.4.1-layout.patch | 29 ----- httpd-2.4.2-r1326980+.patch | 65 ------------ httpd-2.4.2-r1327036+.patch | 80 -------------- httpd-2.4.2-r1337344+.patch | 7 -- httpd-2.4.2-r1346905.patch | 65 ------------ httpd-2.4.2-r1357685.patch | 38 ------- httpd-2.4.2-r1365604.patch | 15 --- httpd-2.4.2-r1366693.patch | 252 -------------------------------------------- httpd-2.4.2-r1374214+.patch | 45 ++++++++ httpd-2.4.2-restart.patch | 31 ------ httpd-2.4.3-apxs.patch | 56 ++++++++++ httpd-2.4.3-layout.patch | 33 ++++++ httpd-2.4.3-release.patch | 16 +++ httpd.spec | 43 ++++---- 16 files changed, 171 insertions(+), 676 deletions(-) delete mode 100644 httpd-2.0.48-release.patch delete mode 100644 httpd-2.4.1-apxs.patch delete mode 100644 httpd-2.4.1-layout.patch delete mode 100644 httpd-2.4.2-r1326980+.patch delete mode 100644 httpd-2.4.2-r1327036+.patch delete mode 100644 httpd-2.4.2-r1346905.patch delete mode 100644 httpd-2.4.2-r1357685.patch delete mode 100644 httpd-2.4.2-r1365604.patch delete mode 100644 httpd-2.4.2-r1366693.patch create mode 100644 httpd-2.4.2-r1374214+.patch delete mode 100644 httpd-2.4.2-restart.patch create mode 100644 httpd-2.4.3-apxs.patch create mode 100644 httpd-2.4.3-layout.patch create mode 100644 httpd-2.4.3-release.patch diff --git a/httpd-2.0.48-release.patch b/httpd-2.0.48-release.patch deleted file mode 100644 index fd6fd2b..0000000 --- a/httpd-2.0.48-release.patch +++ /dev/null @@ -1,16 +0,0 @@ - -Upstream-HEAD: vendor -Upstream-2.0: vendor -Upstream-Status: vendor-specific change - ---- httpd-2.0.48/server/core.c.release -+++ httpd-2.0.48/server/core.c -@@ -2758,7 +2758,7 @@ - ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION); - } - else { -- ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")"); -+ ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (@RELEASE@)"); - } - - /* diff --git a/httpd-2.4.1-apxs.patch b/httpd-2.4.1-apxs.patch deleted file mode 100644 index 62003ec..0000000 --- a/httpd-2.4.1-apxs.patch +++ /dev/null @@ -1,56 +0,0 @@ ---- httpd-2.4.1/support/apxs.in.apxs -+++ httpd-2.4.1/support/apxs.in -@@ -25,7 +25,18 @@ package apxs; - - my %config_vars = (); - --my $installbuilddir = "@exp_installbuilddir@"; -+# Awful hack to make apxs libdir-agnostic: -+my $pkg_config = "/usr/bin/pkg-config"; -+if (! -x "$pkg_config") { -+ error("$pkg_config not found!"); -+ exit(1); -+} -+ -+my $libdir = `pkg-config --variable=libdir apr-1`; -+chomp $libdir; -+ -+my $installbuilddir = $libdir . "/httpd/build"; -+ - get_config_vars("$installbuilddir/config_vars.mk",\%config_vars); - - # read the configuration variables once -@@ -273,7 +284,7 @@ if ($opt_g) { - $data =~ s|%NAME%|$name|sg; - $data =~ s|%TARGET%|$CFG_TARGET|sg; - $data =~ s|%PREFIX%|$prefix|sg; -- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg; -+ $data =~ s|%LIBDIR%|$libdir|sg; - - my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); - -@@ -450,11 +461,11 @@ if ($opt_c) { - - if ($opt_p == 1) { - -- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`; -+ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`; - chomp($apr_libs); - my $apu_libs=""; - if ($apr_major_version < 2) { -- $apu_libs=`$apu_config --ldflags --link-libtool --libs`; -+ $apu_libs=`$apu_config --ldflags --link-libtool`; - chomp($apu_libs); - } - -@@ -669,8 +680,8 @@ __DATA__ - - builddir=. - top_srcdir=%PREFIX% --top_builddir=%PREFIX% --include %INSTALLBUILDDIR%/special.mk -+top_builddir=%LIBDIR%/httpd -+include %LIBDIR%/httpd/build/special.mk - - # the used tools - APXS=apxs diff --git a/httpd-2.4.1-layout.patch b/httpd-2.4.1-layout.patch deleted file mode 100644 index 57cf13b..0000000 --- a/httpd-2.4.1-layout.patch +++ /dev/null @@ -1,29 +0,0 @@ ---- httpd-2.4.1/config.layout.layout -+++ httpd-2.4.1/config.layout -@@ -347,3 +347,26 @@ - proxycachedir: ${localstatedir}/proxy - - -+# Fedora/RHEL layout -+ -+ prefix: /usr -+ exec_prefix: ${prefix} -+ bindir: ${prefix}/bin -+ sbindir: ${prefix}/sbin -+ libdir: ${prefix}/lib -+ libexecdir: ${prefix}/libexec -+ mandir: ${prefix}/man -+ sysconfdir: /etc/httpd/conf -+ datadir: ${prefix}/share/httpd -+ installbuilddir: ${libdir}/httpd/build -+ errordir: ${datadir}/error -+ iconsdir: ${datadir}/icons -+ htdocsdir: /var/www/html -+ manualdir: ${datadir}/manual -+ cgidir: /var/www/cgi-bin -+ includedir: ${prefix}/include/httpd -+ localstatedir: /var -+ runtimedir: /run/httpd -+ logfiledir: ${localstatedir}/log/httpd -+ proxycachedir: ${localstatedir}/cache/httpd -+ diff --git a/httpd-2.4.2-r1326980+.patch b/httpd-2.4.2-r1326980+.patch deleted file mode 100644 index 3d37c3f..0000000 --- a/httpd-2.4.2-r1326980+.patch +++ /dev/null @@ -1,65 +0,0 @@ - -http://svn.apache.org/viewvc?view=revision&revision=1326980 -http://svn.apache.org/viewvc?view=revision&revision=1326984 -http://svn.apache.org/viewvc?view=revision&revision=1326991 - ---- httpd-2.4.2/modules/loggers/mod_log_debug.c -+++ httpd-2.4.2/modules/loggers/mod_log_debug.c -@@ -35,8 +35,8 @@ - apr_array_header_t *entries; - } log_debug_dirconf; - --const char *allhooks = "all"; --const char * const hooks[] = { -+static const char *allhooks = "all"; -+static const char * const hooks[] = { - "log_transaction", /* 0 */ - "quick_handler", /* 1 */ - "handler", /* 2 */ ---- httpd-2.4.2/modules/filters/sed1.c -+++ httpd-2.4.2/modules/filters/sed1.c -@@ -25,7 +25,7 @@ - #include "apr_strings.h" - #include "regexp.h" - --char *trans[040] = { -+static const char *const trans[040] = { - "\\01", - "\\02", - "\\03", -@@ -58,7 +58,7 @@ - "\\36", - "\\37" - }; --char rub[] = {"\\177"}; -+static const char rub[] = {"\\177"}; - - extern int sed_step(char *p1, char *p2, int circf, step_vars_storage *vars); - static int substitute(sed_eval_t *eval, sed_reptr_t *ipc, -@@ -692,7 +692,8 @@ - step_vars_storage *step_vars) - { - int i; -- char *p1, *p2, *p3; -+ char *p1, *p2; -+ const char *p3; - int length; - char sz[32]; /* 32 bytes enough to store 64 bit integer in decimal */ - apr_status_t rv = APR_SUCCESS; ---- httpd-2.4.2/modules/filters/config.m4 -+++ httpd-2.4.2/modules/filters/config.m4 -@@ -16,7 +16,13 @@ - APACHE_MODULE(substitute, response content rewrite-like filtering, , , most) - - sed_obj="mod_sed.lo sed0.lo sed1.lo regexp.lo" --APACHE_MODULE(sed, filter request and/or response bodies through sed, $sed_obj, , most) -+APACHE_MODULE(sed, filter request and/or response bodies through sed, $sed_obj, , most, [ -+ if test "x$enable_sed" = "xshared"; then -+ # The only symbol which needs to be exported is the module -+ # structure, so ask libtool to hide libsed internals: -+ APR_ADDTO(MOD_SED_LDADD, [-export-symbols-regex sed_module]) -+ fi -+]) - - if test "$ac_cv_ebcdic" = "yes"; then - # mod_charset_lite can be very useful on an ebcdic system, diff --git a/httpd-2.4.2-r1327036+.patch b/httpd-2.4.2-r1327036+.patch deleted file mode 100644 index 63ef401..0000000 --- a/httpd-2.4.2-r1327036+.patch +++ /dev/null @@ -1,80 +0,0 @@ - -http://svn.apache.org/viewvc?view=revision&revision=1327036 -http://svn.apache.org/viewvc?view=revision&revision=1327080 - ---- httpd-2.4.2/server/mpm_unix.c -+++ httpd-2.4.2/server/mpm_unix.c -@@ -501,14 +501,14 @@ - return rv; - } - --/* This function connects to the server, then immediately closes the connection. -- * This permits the MPM to skip the poll when there is only one listening -- * socket, because it provides a alternate way to unblock an accept() when -- * the pod is used. -- */ -+/* This function connects to the server and sends enough data to -+ * ensure the child wakes up and processes a new connection. This -+ * permits the MPM to skip the poll when there is only one listening -+ * socket, because it provides a alternate way to unblock an accept() -+ * when the pod is used. */ - static apr_status_t dummy_connection(ap_pod_t *pod) - { -- char *srequest; -+ const char *data; - apr_status_t rv; - apr_socket_t *sock; - apr_pool_t *p; -@@ -574,24 +574,37 @@ - return rv; - } - -- /* Create the request string. We include a User-Agent so that -- * adminstrators can track down the cause of the odd-looking -- * requests in their logs. -- */ -- srequest = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ", -+ if (lp->protocol && strcasecmp(lp->protocol, "https") == 0) { -+ /* Send a TLS 1.0 close_notify alert. This is perhaps the -+ * "least wrong" way to open and cleanly terminate an SSL -+ * connection. It should "work" without noisy error logs if -+ * the server actually expects SSLv3/TLSv1. With -+ * SSLv23_server_method() OpenSSL's SSL_accept() fails -+ * ungracefully on receipt of this message, since it requires -+ * an 11-byte ClientHello message and this is too short. */ -+ static const unsigned char tls10_close_notify[7] = { -+ '\x15', /* TLSPlainText.type = Alert (21) */ -+ '\x03', '\x01', /* TLSPlainText.version = {3, 1} */ -+ '\x00', '\x02', /* TLSPlainText.length = 2 */ -+ '\x01', /* Alert.level = warning (1) */ -+ '\x00' /* Alert.description = close_notify (0) */ -+ }; -+ data = (const char *)tls10_close_notify; -+ len = sizeof(tls10_close_notify); -+ } -+ else /* ... XXX other request types here? */ { -+ /* Create an HTTP request string. We include a User-Agent so -+ * that adminstrators can track down the cause of the -+ * odd-looking requests in their logs. A complete request is -+ * used since kernel-level filtering may require that much -+ * data before returning from accept(). */ -+ data = apr_pstrcat(p, "OPTIONS * HTTP/1.0\r\nUser-Agent: ", - ap_get_server_description(), - " (internal dummy connection)\r\n\r\n", NULL); -+ len = strlen(data); -+ } - -- /* Since some operating systems support buffering of data or entire -- * requests in the kernel, we send a simple request, to make sure -- * the server pops out of a blocking accept(). -- */ -- /* XXX: This is HTTP specific. We should look at the Protocol for each -- * listener, and send the correct type of request to trigger any Accept -- * Filters. -- */ -- len = strlen(srequest); -- apr_socket_send(sock, srequest, &len); -+ apr_socket_send(sock, data, &len); - apr_socket_close(sock); - apr_pool_destroy(p); - diff --git a/httpd-2.4.2-r1337344+.patch b/httpd-2.4.2-r1337344+.patch index 69bb40f..60c77bb 100644 --- a/httpd-2.4.2-r1337344+.patch +++ b/httpd-2.4.2-r1337344+.patch @@ -109,13 +109,6 @@ http://svn.apache.org/viewvc?view=revision&revision=1344712
top
-@@ -615,4 +639,4 @@ -
-- -\ No newline at end of file -+ --- httpd-2.4.2/Makefile.in.r1337344+ +++ httpd-2.4.2/Makefile.in @@ -236,11 +236,22 @@ install-man: diff --git a/httpd-2.4.2-r1346905.patch b/httpd-2.4.2-r1346905.patch deleted file mode 100644 index e94558e..0000000 --- a/httpd-2.4.2-r1346905.patch +++ /dev/null @@ -1,65 +0,0 @@ -# ./pullrev.sh 1346905 - -https://bugzilla.redhat.com/show_bug.cgi?id=818684 - -http://svn.apache.org/viewvc?view=revision&revision=1346905 - ---- httpd-2.4.2/support/htdbm.c -+++ httpd-2.4.2/support/htdbm.c -@@ -288,6 +288,9 @@ - { - char cpw[MAX_STRING_LEN]; - char salt[9]; -+#if (!(defined(WIN32) || defined(NETWARE))) -+ char *cbuf; -+#endif - - switch (htdbm->alg) { - case ALG_APSHA: -@@ -315,7 +318,15 @@ - (void) srand((int) time((time_t *) NULL)); - to64(&salt[0], rand(), 8); - salt[8] = '\0'; -- apr_cpystrn(cpw, crypt(htdbm->userpass, salt), sizeof(cpw) - 1); -+ cbuf = crypt(htdbm->userpass, salt); -+ if (cbuf == NULL) { -+ char errbuf[128]; -+ -+ fprintf(stderr, "crypt() failed: %s\n", -+ apr_strerror(errno, errbuf, sizeof errbuf)); -+ exit(ERR_PWMISMATCH); -+ } -+ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1); - fprintf(stderr, "CRYPT is now deprecated, use MD5 instead!\n"); - #endif - default: ---- httpd-2.4.2/support/htpasswd.c -+++ httpd-2.4.2/support/htpasswd.c -@@ -174,6 +174,9 @@ - char pwv[MAX_STRING_LEN]; - char salt[9]; - apr_size_t bufsize; -+#if CRYPT_ALGO_SUPPORTED -+ char *cbuf; -+#endif - - if (passwd != NULL) { - pw = passwd; -@@ -226,7 +229,16 @@ - to64(&salt[0], rand(), 8); - salt[8] = '\0'; - -- apr_cpystrn(cpw, crypt(pw, salt), sizeof(cpw) - 1); -+ cbuf = crypt(pw, salt); -+ if (cbuf == NULL) { -+ char errbuf[128]; -+ -+ apr_snprintf(record, rlen-1, "crypt() failed: %s", -+ apr_strerror(errno, errbuf, sizeof errbuf)); -+ return ERR_PWMISMATCH; -+ } -+ -+ apr_cpystrn(cpw, cbuf, sizeof(cpw) - 1); - if (strlen(pw) > 8) { - char *truncpw = strdup(pw); - truncpw[8] = '\0'; diff --git a/httpd-2.4.2-r1357685.patch b/httpd-2.4.2-r1357685.patch deleted file mode 100644 index 189a089..0000000 --- a/httpd-2.4.2-r1357685.patch +++ /dev/null @@ -1,38 +0,0 @@ -# ./pullrev.sh 1357685 - -http://svn.apache.org/viewvc?view=revision&revision=1357685 - ---- httpd-2.4.2/modules/filters/mod_ext_filter.c -+++ httpd-2.4.2/modules/filters/mod_ext_filter.c -@@ -66,7 +66,7 @@ - apr_procattr_t *procattr; - ef_dir_t *dc; - ef_filter_t *filter; -- int noop; -+ int noop, hit_eos; - #if APR_FILES_AS_SOCKETS - apr_pollset_t *pollset; - #endif -@@ -827,6 +827,7 @@ - if (eos) { - b = apr_bucket_eos_create(c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, b); -+ ctx->hit_eos = 1; - } - - return APR_SUCCESS; -@@ -910,6 +911,14 @@ - ctx = f->ctx; - } - -+ if (ctx->hit_eos) { -+ /* Match behaviour of HTTP_IN if filter is re-invoked after -+ * hitting EOS: give back another EOS. */ -+ apr_bucket *e = apr_bucket_eos_create(f->c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(bb, e); -+ return APR_SUCCESS; -+ } -+ - if (ctx->noop) { - ap_remove_input_filter(f); - return ap_get_brigade(f->next, bb, mode, block, readbytes); diff --git a/httpd-2.4.2-r1365604.patch b/httpd-2.4.2-r1365604.patch deleted file mode 100644 index d7b962f..0000000 --- a/httpd-2.4.2-r1365604.patch +++ /dev/null @@ -1,15 +0,0 @@ -# ./pullrev.sh 1365604 - -http://svn.apache.org/viewvc?view=revision&revision=1365604 - ---- httpd-2.4.2/modules/proxy/proxy_util.c -+++ httpd-2.4.2/modules/proxy/proxy_util.c -@@ -852,7 +852,7 @@ - (balancer = ap_proxy_get_balancer(r->pool, sconf, real, 1))) { - int n, l3 = 0; - proxy_worker **worker = (proxy_worker **)balancer->workers->elts; -- const char *urlpart = ap_strchr_c(real, '/'); -+ const char *urlpart = ap_strchr_c(real + sizeof(BALANCER_PREFIX) - 1, '/'); - if (urlpart) { - if (!urlpart[1]) - urlpart = NULL; diff --git a/httpd-2.4.2-r1366693.patch b/httpd-2.4.2-r1366693.patch deleted file mode 100644 index 674decf..0000000 --- a/httpd-2.4.2-r1366693.patch +++ /dev/null @@ -1,252 +0,0 @@ -# ./pullrev.sh 1366693 - -http://svn.apache.org/viewvc?view=revision&revision=1366693 - ---- httpd-2.4.2/modules/proxy/mod_proxy_connect.c -+++ httpd-2.4.2/modules/proxy/mod_proxy_connect.c -@@ -205,7 +205,7 @@ - conn_rec *backconn; - - apr_bucket_brigade *bb = apr_brigade_create(p, c->bucket_alloc); -- apr_status_t err, rv; -+ apr_status_t rv; - apr_size_t nbytes; - char buffer[HUGE_STRING_LEN]; - apr_socket_t *client_socket = ap_get_conn_socket(c); -@@ -216,7 +216,7 @@ - const apr_pollfd_t *signalled; - apr_int32_t pollcnt, pi; - apr_int16_t pollevent; -- apr_sockaddr_t *uri_addr, *connect_addr; -+ apr_sockaddr_t *nexthop; - - apr_uri_t uri; - const char *connectname; -@@ -246,37 +246,32 @@ - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01019) - "connecting %s to %s:%d", url, uri.hostname, uri.port); - -- /* do a DNS lookup for the destination host */ -- err = apr_sockaddr_info_get(&uri_addr, uri.hostname, APR_UNSPEC, uri.port, -- 0, p); -- if (APR_SUCCESS != err) { -+ /* Determine host/port of next hop; from request URI or of a proxy. */ -+ connectname = proxyname ? proxyname : uri.hostname; -+ connectport = proxyname ? proxyport : uri.port; -+ -+ /* Do a DNS lookup for the next hop */ -+ rv = apr_sockaddr_info_get(&nexthop, connectname, APR_UNSPEC, -+ connectport, 0, p); -+ if (rv != APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO() -+ "failed to resolve hostname '%s'", connectname); - return ap_proxyerror(r, HTTP_BAD_GATEWAY, - apr_pstrcat(p, "DNS lookup failure for: ", -- uri.hostname, NULL)); -+ connectname, NULL)); - } - -- /* are we connecting directly, or via a proxy? */ -- if (proxyname) { -- connectname = proxyname; -- connectport = proxyport; -- err = apr_sockaddr_info_get(&connect_addr, proxyname, APR_UNSPEC, -- proxyport, 0, p); -+ /* Check ProxyBlock directive on the hostname/address. */ -+ if (ap_proxy_checkproxyblock2(r, conf, uri.hostname, -+ proxyname ? NULL : nexthop) != OK) { -+ return ap_proxyerror(r, HTTP_FORBIDDEN, -+ "Connect to remote machine blocked"); - } -- else { -- connectname = uri.hostname; -- connectport = uri.port; -- connect_addr = uri_addr; -- } -+ - ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, - "connecting to remote proxy %s on port %d", - connectname, connectport); - -- /* check if ProxyBlock directive on this host */ -- if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) { -- return ap_proxyerror(r, HTTP_FORBIDDEN, -- "Connect to remote machine blocked"); -- } -- - /* Check if it is an allowed port */ - if(!allowed_port(c_conf, uri.port)) { - return ap_proxyerror(r, HTTP_FORBIDDEN, -@@ -289,15 +284,6 @@ - * We have determined who to connect to. Now make the connection. - */ - -- /* get all the possible IP addresses for the destname and loop through them -- * until we get a successful connection -- */ -- if (APR_SUCCESS != err) { -- return ap_proxyerror(r, HTTP_BAD_GATEWAY, -- apr_pstrcat(p, "DNS lookup failure for: ", -- connectname, NULL)); -- } -- - /* - * At this point we have a list of one or more IP addresses of - * the machine to connect to. If configured, reorder this -@@ -308,7 +294,7 @@ - * For now we do nothing, ie we get DNS round robin. - * XXX FIXME - */ -- failed = ap_proxy_connect_to_backend(&sock, "CONNECT", connect_addr, -+ failed = ap_proxy_connect_to_backend(&sock, "CONNECT", nexthop, - connectname, conf, r); - - /* handle a permanent error from the above loop */ -@@ -355,7 +341,7 @@ - /* peer reset */ - ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01021) - "an error occurred creating a new connection " -- "to %pI (%s)", connect_addr, connectname); -+ "to %pI (%s)", nexthop, connectname); - apr_socket_close(sock); - return HTTP_INTERNAL_SERVER_ERROR; - } -@@ -370,7 +356,7 @@ - - ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, - "connection complete to %pI (%s)", -- connect_addr, connectname); -+ nexthop, connectname); - apr_table_setn(r->notes, "proxy-source-port", apr_psprintf(r->pool, "%hu", - backconn->local_addr->port)); - ---- httpd-2.4.2/modules/proxy/proxy_util.c -+++ httpd-2.4.2/modules/proxy/proxy_util.c -@@ -759,48 +759,63 @@ - return host != NULL && ap_strstr_c(host, This->name) != NULL; - } - --/* checks whether a host in uri_addr matches proxyblock */ -+/* Backwards-compatible interface. */ - PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf, - apr_sockaddr_t *uri_addr) - { -+ return ap_proxy_checkproxyblock2(r, conf, uri_addr->hostname, uri_addr); -+} -+ -+#define MAX_IP_STR_LEN (46) -+ -+PROXY_DECLARE(int) ap_proxy_checkproxyblock2(request_rec *r, proxy_server_conf *conf, -+ const char *hostname, apr_sockaddr_t *addr) -+{ - int j; -- apr_sockaddr_t * src_uri_addr = uri_addr; -+ - /* XXX FIXME: conf->noproxies->elts is part of an opaque structure */ - for (j = 0; j < conf->noproxies->nelts; j++) { - struct noproxy_entry *npent = (struct noproxy_entry *) conf->noproxies->elts; -- struct apr_sockaddr_t *conf_addr = npent[j].addr; -- uri_addr = src_uri_addr; -+ struct apr_sockaddr_t *conf_addr; -+ - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, - "checking remote machine [%s] against [%s]", -- uri_addr->hostname, npent[j].name); -- if (ap_strstr_c(uri_addr->hostname, npent[j].name) -- || npent[j].name[0] == '*') { -+ hostname, npent[j].name); -+ if (ap_strstr_c(hostname, npent[j].name) || npent[j].name[0] == '*') { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(00916) - "connect to remote machine %s blocked: name %s " -- "matched", uri_addr->hostname, npent[j].name); -+ "matched", hostname, npent[j].name); - return HTTP_FORBIDDEN; - } -- while (conf_addr) { -- uri_addr = src_uri_addr; -- while (uri_addr) { -- char *conf_ip; -- char *uri_ip; -- apr_sockaddr_ip_get(&conf_ip, conf_addr); -- apr_sockaddr_ip_get(&uri_ip, uri_addr); -+ -+ /* No IP address checks if no IP address was passed in, -+ * i.e. the forward address proxy case, where this server does -+ * not resolve the hostname. */ -+ if (!addr) -+ continue; -+ -+ for (conf_addr = npent[j].addr; conf_addr; conf_addr = conf_addr->next) { -+ char caddr[MAX_IP_STR_LEN], uaddr[MAX_IP_STR_LEN]; -+ apr_sockaddr_t *uri_addr; -+ -+ if (apr_sockaddr_ip_getbuf(caddr, sizeof caddr, conf_addr)) -+ continue; -+ -+ for (uri_addr = addr; uri_addr; uri_addr = uri_addr->next) { -+ if (apr_sockaddr_ip_getbuf(uaddr, sizeof uaddr, uri_addr)) -+ continue; - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, -- "ProxyBlock comparing %s and %s", conf_ip, -- uri_ip); -- if (!apr_strnatcasecmp(conf_ip, uri_ip)) { -+ "ProxyBlock comparing %s and %s", caddr, uaddr); -+ if (!strcmp(caddr, uaddr)) { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(00917) -- "connect to remote machine %s blocked: " -- "IP %s matched", uri_addr->hostname, conf_ip); -+ "connect to remote machine %s blocked: " -+ "IP %s matched", hostname, caddr); - return HTTP_FORBIDDEN; - } -- uri_addr = uri_addr->next; - } -- conf_addr = conf_addr->next; - } - } -+ - return OK; - } - -@@ -2128,7 +2143,8 @@ - } - } - /* check if ProxyBlock directive on this host */ -- if (OK != ap_proxy_checkproxyblock(r, conf, conn->addr)) { -+ if (OK != ap_proxy_checkproxyblock2(r, conf, uri->hostname, -+ proxyname ? NULL : conn->addr)) { - return ap_proxyerror(r, HTTP_FORBIDDEN, - "Connect to remote machine blocked"); - } ---- httpd-2.4.2/modules/proxy/mod_proxy.h -+++ httpd-2.4.2/modules/proxy/mod_proxy.h -@@ -534,6 +534,18 @@ - char **passwordp, char **hostp, apr_port_t *port); - PROXY_DECLARE(int) ap_proxyerror(request_rec *r, int statuscode, const char *message); - PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf, apr_sockaddr_t *uri_addr); -+ -+/** Test whether the hostname/address of the request are blocked by the ProxyBlock -+ * configuration. -+ * @param r request -+ * @param conf server configuration -+ * @param hostname hostname from request URI -+ * @param addr resolved address of hostname, or NULL if not known -+ * @return OK on success, or else an errro -+ */ -+PROXY_DECLARE(int) ap_proxy_checkproxyblock2(request_rec *r, proxy_server_conf *conf, -+ const char *hostname, apr_sockaddr_t *addr); -+ - PROXY_DECLARE(int) ap_proxy_pre_http_request(conn_rec *c, request_rec *r); - /* DEPRECATED (will be replaced with ap_proxy_connect_backend */ - PROXY_DECLARE(int) ap_proxy_connect_to_backend(apr_socket_t **, const char *, apr_sockaddr_t *, const char *, proxy_server_conf *, request_rec *); ---- httpd-2.4.2/modules/proxy/mod_proxy_ftp.c -+++ httpd-2.4.2/modules/proxy/mod_proxy_ftp.c -@@ -1143,7 +1143,7 @@ - } - - /* check if ProxyBlock directive on this host */ -- if (OK != ap_proxy_checkproxyblock(r, conf, connect_addr)) { -+ if (OK != ap_proxy_checkproxyblock2(r, conf, connectname, connect_addr)) { - return ap_proxyerror(r, HTTP_FORBIDDEN, - "Connect to remote machine blocked"); - } diff --git a/httpd-2.4.2-r1374214+.patch b/httpd-2.4.2-r1374214+.patch new file mode 100644 index 0000000..af5d2ab --- /dev/null +++ b/httpd-2.4.2-r1374214+.patch @@ -0,0 +1,45 @@ +# ./pullrev.sh 1374214 1375445 + +http://svn.apache.org/viewvc?view=revision&revision=1374214 +http://svn.apache.org/viewvc?view=revision&revision=1375445 + +--- httpd-2.4.2/modules/ssl/ssl_engine_init.c ++++ httpd-2.4.2/modules/ssl/ssl_engine_init.c +@@ -1381,7 +1381,7 @@ + for (n = 0; n < ncerts; n++) { + X509_INFO *inf = sk_X509_INFO_value(sk, n); + +- if (!inf->x509 || !inf->x_pkey) { ++ if (!inf->x509 || !inf->x_pkey || !inf->x_pkey->dec_pkey) { + sk_X509_INFO_free(sk); + ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, s, APLOGNO(02252) + "incomplete client cert configured for SSL proxy " +@@ -1389,6 +1389,15 @@ + ssl_die(s); + return; + } ++ ++ if (X509_check_private_key(inf->x509, inf->x_pkey->dec_pkey) != 1) { ++ ssl_log_xerror(SSLLOG_MARK, APLOG_STARTUP, 0, ptemp, s, inf->x509, ++ APLOGNO(02326) "proxy client certificate and " ++ "private key do not match"); ++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s); ++ ssl_die(s); ++ return; ++ } + } + + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02207) +@@ -1401,7 +1410,11 @@ + return; + } + +- /* Load all of the CA certs and construct a chain */ ++ /* If SSLProxyMachineCertificateChainFile is configured, load all ++ * the CA certs and have OpenSSL attempt to construct a full chain ++ * from each configured end-entity cert up to a root. This will ++ * allow selection of the correct cert given a list of root CA ++ * names in the certificate request from the server. */ + pkp->ca_certs = (STACK_OF(X509) **) apr_pcalloc(p, ncerts * sizeof(sk)); + sctx = X509_STORE_CTX_new(); + diff --git a/httpd-2.4.2-restart.patch b/httpd-2.4.2-restart.patch deleted file mode 100644 index b4f9942..0000000 --- a/httpd-2.4.2-restart.patch +++ /dev/null @@ -1,31 +0,0 @@ - -https://bugzilla.redhat.com/show_bug.cgi?id=814645 - -http://svn.apache.org/viewvc?rev=1331847&view=rev - ---- httpd-2.4.2/server/main.c.restart -+++ httpd-2.4.2/server/main.c -@@ -671,6 +671,11 @@ int main(int argc, const char * const ar - } - } - -+ /* If our config failed, deal with that here. */ -+ if (rv != OK) { -+ destroy_and_exit_process(process, 1); -+ } -+ - signal_server = APR_RETRIEVE_OPTIONAL_FN(ap_signal_server); - if (signal_server) { - int exit_status; -@@ -680,11 +685,6 @@ int main(int argc, const char * const ar - } - } - -- /* If our config failed, deal with that here. */ -- if (rv != OK) { -- destroy_and_exit_process(process, 1); -- } -- - apr_pool_clear(plog); - - if ( ap_run_open_logs(pconf, plog, ptemp, ap_server_conf) != OK) { diff --git a/httpd-2.4.3-apxs.patch b/httpd-2.4.3-apxs.patch new file mode 100644 index 0000000..f4d2a87 --- /dev/null +++ b/httpd-2.4.3-apxs.patch @@ -0,0 +1,56 @@ +--- httpd-2.4.3/support/apxs.in.apxs ++++ httpd-2.4.3/support/apxs.in +@@ -25,7 +25,18 @@ package apxs; + + my %config_vars = (); + +-my $installbuilddir = "@exp_installbuilddir@"; ++# Awful hack to make apxs libdir-agnostic: ++my $pkg_config = "/usr/bin/pkg-config"; ++if (! -x "$pkg_config") { ++ error("$pkg_config not found!"); ++ exit(1); ++} ++ ++my $libdir = `pkg-config --variable=libdir apr-1`; ++chomp $libdir; ++ ++my $installbuilddir = $libdir . "/httpd/build"; ++ + get_config_vars("$installbuilddir/config_vars.mk",\%config_vars); + + # read the configuration variables once +@@ -275,7 +286,7 @@ if ($opt_g) { + $data =~ s|%NAME%|$name|sg; + $data =~ s|%TARGET%|$CFG_TARGET|sg; + $data =~ s|%PREFIX%|$prefix|sg; +- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg; ++ $data =~ s|%LIBDIR%|$libdir|sg; + + my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); + +@@ -453,11 +464,11 @@ if ($opt_c) { + my $ldflags = "$CFG_LDFLAGS"; + if ($opt_p == 1) { + +- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`; ++ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`; + chomp($apr_libs); + my $apu_libs=""; + if ($apr_major_version < 2) { +- $apu_libs=`$apu_config --ldflags --link-libtool --libs`; ++ $apu_libs=`$apu_config --ldflags --link-libtool`; + chomp($apu_libs); + } + +@@ -672,8 +683,8 @@ __DATA__ + + builddir=. + top_srcdir=%PREFIX% +-top_builddir=%PREFIX% +-include %INSTALLBUILDDIR%/special.mk ++top_builddir=%LIBDIR%/httpd ++include %LIBDIR%/httpd/build/special.mk + + # the used tools + APXS=apxs diff --git a/httpd-2.4.3-layout.patch b/httpd-2.4.3-layout.patch new file mode 100644 index 0000000..163c66b --- /dev/null +++ b/httpd-2.4.3-layout.patch @@ -0,0 +1,33 @@ + +Add layout for Fedora. + +--- httpd-2.4.3/config.layout.layout ++++ httpd-2.4.3/config.layout +@@ -370,3 +370,27 @@ + logfiledir: ${localstatedir}/log/httpd + proxycachedir: ${localstatedir}/cache/httpd + ++ ++# Fedora/RHEL layout ++ ++ prefix: /usr ++ exec_prefix: ${prefix} ++ bindir: ${prefix}/bin ++ sbindir: ${prefix}/sbin ++ libdir: ${prefix}/lib ++ libexecdir: ${prefix}/libexec ++ mandir: ${prefix}/man ++ sysconfdir: /etc/httpd/conf ++ datadir: ${prefix}/share/httpd ++ installbuilddir: ${libdir}/httpd/build ++ errordir: ${datadir}/error ++ iconsdir: ${datadir}/icons ++ htdocsdir: /var/www/html ++ manualdir: ${datadir}/manual ++ cgidir: /var/www/cgi-bin ++ includedir: ${prefix}/include/httpd ++ localstatedir: /var ++ runtimedir: /run/httpd ++ logfiledir: ${localstatedir}/log/httpd ++ proxycachedir: ${localstatedir}/cache/httpd/proxy ++ diff --git a/httpd-2.4.3-release.patch b/httpd-2.4.3-release.patch new file mode 100644 index 0000000..0b2fb77 --- /dev/null +++ b/httpd-2.4.3-release.patch @@ -0,0 +1,16 @@ + +Upstream-HEAD: vendor +Upstream-2.0: vendor +Upstream-Status: vendor-specific change + +--- httpd-2.4.3/server/core.c.release ++++ httpd-2.4.3/server/core.c +@@ -3189,7 +3189,7 @@ static void set_banner(apr_pool_t *pconf + ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION); + } + else { +- ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")"); ++ ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (@RELEASE@)"); + } + + /* diff --git a/httpd.spec b/httpd.spec index 56fd486..41540b5 100644 --- a/httpd.spec +++ b/httpd.spec @@ -7,8 +7,8 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.2 -Release: 23%{?dist} +Version: 2.4.3 +Release: 2%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -37,25 +37,19 @@ Source23: manual.conf Source30: README.confd # build/scripts patches Patch1: httpd-2.4.1-apctl.patch -Patch2: httpd-2.4.1-apxs.patch +Patch2: httpd-2.4.3-apxs.patch Patch3: httpd-2.4.1-deplibs.patch -Patch5: httpd-2.4.1-layout.patch +Patch5: httpd-2.4.3-layout.patch # Features/functional changes -Patch20: httpd-2.0.48-release.patch +Patch20: httpd-2.4.3-release.patch Patch23: httpd-2.4.1-export.patch Patch24: httpd-2.4.1-corelimit.patch Patch25: httpd-2.4.1-selinux.patch Patch26: httpd-2.4.2-r1337344+.patch Patch27: httpd-2.4.2-icons.patch +Patch28: httpd-2.4.2-r1332643+.patch # Bug fixes -Patch40: httpd-2.4.2-restart.patch -Patch41: httpd-2.4.2-r1327036+.patch -Patch42: httpd-2.4.2-r1326980+.patch -Patch43: httpd-2.4.2-r1332643+.patch -Patch44: httpd-2.4.2-r1346905.patch -Patch45: httpd-2.4.2-r1357685.patch -Patch46: httpd-2.4.2-r1366693.patch -Patch47: httpd-2.4.2-r1365604.patch +Patch50: httpd-2.4.2-r1374214+.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -162,18 +156,12 @@ authentication to the Apache HTTP Server. %patch25 -p1 -b .selinux %patch26 -p1 -b .r1337344+ %patch27 -p1 -b .icons +%patch28 -p1 -b .r1332643+ -%patch40 -p1 -b .restart -%patch41 -p1 -b .r1327036+ -%patch42 -p1 -b .r1326980+ -%patch43 -p1 -b .r1332643+ -%patch44 -p1 -b .r1346905 -%patch45 -p1 -b .r1357685 -%patch46 -p1 -b .r1366693 -%patch47 -p1 -b .r1365604 +%patch50 -p1 -b .r1374214+ # Patch in vendor/release string -sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 +sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch --fuzz=%{_default_patch_fuzz} -p1 # Prevent use of setcap in "install-suexec-caps" target. sed -i '/suexec/s,setcap ,echo Skipping setcap for ,' Makefile.in @@ -530,6 +518,7 @@ rm -rf $RPM_BUILD_ROOT %{contentdir}/error/include/*.html %{contentdir}/noindex/index.html +%dir %{docroot} %dir %{docroot}/cgi-bin %dir %{docroot}/html @@ -585,6 +574,16 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Tue Aug 21 2012 Remi Collet - 2.4.3-2 +- sync with rawhide, rebuild for remi repo + +* Tue Aug 21 2012 Joe Orton - 2.4.3-2 +- mod_ssl: add check for proxy keypair match (upstream r1374214) + +* Tue Aug 21 2012 Joe Orton - 2.4.3-1 +- update to 2.4.3 (#849883) +- own the docroot (#848121) + * Mon Aug 6 2012 Remi Collet - 2.4.2-23 - sync with rawhide, rebuild for remi repo -- cgit