new version 2.4.29

This commit is contained in:
Luboš Uhliarik 2017-10-25 14:31:34 +02:00
parent d2370fbd7d
commit 317bdd7eb8
5 changed files with 6 additions and 448 deletions

View File

@ -1,65 +0,0 @@
From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Tue, 22 Mar 2016 13:09:17 +0000
Subject: [PATCH] mod_ssl: return non ambigous value in
ssl_callback_SessionTicket() for encryption mode (we used to return 0,
OpenSSL documents returning 1 instead).
Practically this does not change anything since OpenSSL will only check for
>= 0 return value (non error) for encryption mode (the other possible return
values are only relevant for decryption mode).
However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
states:
"
The return value of the cb function is used by OpenSSL to determine what
further processing will occur. The following return values have meaning:
2
This indicates that the ctx and hctx have been set and the session can
continue on those parameters. Additionally it indicates that the session
ticket is in a renewal period and should be replaced. The OpenSSL library
will call cb again with an enc argument of 1 to set the new ticket (see
RFC5077 3.3 paragraph 2).
1
This indicates that the ctx and hctx have been set and the session can
continue on those parameters.
0
This indicates that it was not possible to set/retrieve a session ticket
and the SSL/TLS session will continue by by negotiating a set of
cryptographic parameters or using the alternate SSL/TLS resumption
mechanism, session ids.
If called with enc equal to 0 the library will call the cb again to get a
new set of parameters.
less than 0
This indicates an error.
"
So 0 is not appropriate in our code, 1 is what we really want (and it won't
break if OpenSSL later changes its checks on the callback return value).
Reported by: oknet on github, pull request #18.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
---
modules/ssl/ssl_engine_kernel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 91da94c4f58..91d5e926d66 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
"TLS session ticket key for %s successfully set, "
"creating new session ticket", sc->vhost_id);
- return 0;
+ return 1;
}
else if (mode == 0) {
/*

View File

@ -1,131 +0,0 @@
# ./pullrev.sh 1808230
http://svn.apache.org/viewvc?view=revision&revision=1808230
--- httpd-2.4.27/server/protocol.c
+++ httpd-2.4.27/server/protocol.c
@@ -1708,62 +1708,88 @@
ctx->tmpbb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
}
- /* Loop through this set of buckets to compute their length
- */
+ /* Loop through the brigade to count the length. To avoid
+ * arbitrary memory consumption with morphing bucket types, this
+ * loop will stop and pass on the brigade when necessary. */
e = APR_BRIGADE_FIRST(b);
while (e != APR_BRIGADE_SENTINEL(b)) {
+ apr_status_t rv;
+
if (APR_BUCKET_IS_EOS(e)) {
eos = 1;
break;
}
- if (e->length == (apr_size_t)-1) {
+ /* For a flush bucket, fall through to pass the brigade and
+ * flush now. */
+ else if (APR_BUCKET_IS_FLUSH(e)) {
+ e = APR_BUCKET_NEXT(e);
+ }
+ /* For metadata bucket types other than FLUSH, loop. */
+ else if (APR_BUCKET_IS_METADATA(e)) {
+ e = APR_BUCKET_NEXT(e);
+ continue;
+ }
+ /* For determinate length data buckets, count the length and
+ * continue. */
+ else if (e->length != (apr_size_t)-1) {
+ r->bytes_sent += e->length;
+ e = APR_BUCKET_NEXT(e);
+ continue;
+ }
+ /* For indeterminate length data buckets, perform one read. */
+ else /* e->length == (apr_size_t)-1 */ {
apr_size_t len;
const char *ignored;
- apr_status_t rv;
-
- /* This is probably a pipe bucket. Send everything
- * prior to this, and then read the data for this bucket.
- */
+
rv = apr_bucket_read(e, &ignored, &len, eblock);
+ if ((rv != APR_SUCCESS) && !APR_STATUS_IS_EAGAIN(rv)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(00574)
+ "ap_content_length_filter: "
+ "apr_bucket_read() failed");
+ return rv;
+ }
if (rv == APR_SUCCESS) {
- /* Attempt a nonblocking read next time through */
eblock = APR_NONBLOCK_READ;
+ e = APR_BUCKET_NEXT(e);
r->bytes_sent += len;
}
else if (APR_STATUS_IS_EAGAIN(rv)) {
- /* Output everything prior to this bucket, and then
- * do a blocking read on the next batch.
- */
- if (e != APR_BRIGADE_FIRST(b)) {
- apr_bucket *flush;
- apr_brigade_split_ex(b, e, ctx->tmpbb);
- flush = apr_bucket_flush_create(r->connection->bucket_alloc);
+ apr_bucket *flush;
- APR_BRIGADE_INSERT_TAIL(b, flush);
- rv = ap_pass_brigade(f->next, b);
- if (rv != APR_SUCCESS || f->c->aborted) {
- return rv;
- }
- apr_brigade_cleanup(b);
- APR_BRIGADE_CONCAT(b, ctx->tmpbb);
- e = APR_BRIGADE_FIRST(b);
+ /* Next read must block. */
+ eblock = APR_BLOCK_READ;
- ctx->data_sent = 1;
- }
- eblock = APR_BLOCK_READ;
- continue;
+ /* Ensure the last bucket to pass down is a flush if
+ * the next read will block. */
+ flush = apr_bucket_flush_create(f->c->bucket_alloc);
+ APR_BUCKET_INSERT_BEFORE(e, flush);
}
- else {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(00574)
- "ap_content_length_filter: "
- "apr_bucket_read() failed");
- return rv;
- }
}
- else {
- r->bytes_sent += e->length;
+
+ /* Optimization: if the next bucket is EOS (directly after a
+ * bucket morphed to the heap, or a flush), short-cut to
+ * handle EOS straight away - allowing C-L to be determined
+ * for content which is already entirely in memory. */
+ if (e != APR_BRIGADE_SENTINEL(b) && APR_BUCKET_IS_EOS(e)) {
+ continue;
}
- e = APR_BUCKET_NEXT(e);
+
+ /* On reaching here, pass on everything in the brigade up to
+ * this point. */
+ apr_brigade_split_ex(b, e, ctx->tmpbb);
+
+ rv = ap_pass_brigade(f->next, b);
+ if (rv != APR_SUCCESS) {
+ return rv;
+ }
+ else if (f->c->aborted) {
+ return APR_ECONNABORTED;
+ }
+ apr_brigade_cleanup(b);
+ APR_BRIGADE_CONCAT(b, ctx->tmpbb);
+ e = APR_BRIGADE_FIRST(b);
+
+ ctx->data_sent = 1;
}
/* If we've now seen the entire response and it's otherwise

View File

@ -1,239 +0,0 @@
--- trunk/modules/metadata/mod_unique_id.c 2011/12/02 23:02:04 1209766
+++ trunk/modules/metadata/mod_unique_id.c 2013/07/10 16:20:31 1501827
@@ -31,14 +31,11 @@
#include "http_log.h"
#include "http_protocol.h" /* for ap_hook_post_read_request */
-#if APR_HAVE_UNISTD_H
-#include <unistd.h> /* for getpid() */
-#endif
+#define ROOT_SIZE 10
typedef struct {
unsigned int stamp;
- unsigned int in_addr;
- unsigned int pid;
+ char root[ROOT_SIZE];
unsigned short counter;
unsigned int thread_index;
} unique_id_rec;
@@ -64,20 +61,15 @@
* gethostbyname (gethostname()) is unique across all the machines at the
* "site".
*
- * We also further assume that pids fit in 32-bits. If something uses more
- * than 32-bits, the fix is trivial, but it requires the unrolled uuencoding
- * loop to be extended. * A similar fix is needed to support multithreaded
- * servers, using a pid/tid combo.
- *
- * Together, the in_addr and pid are assumed to absolutely uniquely identify
- * this one child from all other currently running children on all servers
- * (including this physical server if it is running multiple httpds) from each
+ * The root is assumed to absolutely uniquely identify this one child
+ * from all other currently running children on all servers (including
+ * this physical server if it is running multiple httpds) from each
* other.
*
- * The stamp and counter are used to distinguish all hits for a particular
- * (in_addr,pid) pair. The stamp is updated using r->request_time,
- * saving cpu cycles. The counter is never reset, and is used to permit up to
- * 64k requests in a single second by a single child.
+ * The stamp and counter are used to distinguish all hits for a
+ * particular root. The stamp is updated using r->request_time,
+ * saving cpu cycles. The counter is never reset, and is used to
+ * permit up to 64k requests in a single second by a single child.
*
* The 144-bits of unique_id_rec are encoded using the alphabet
* [A-Za-z0-9@-], resulting in 24 bytes of printable characters. That is then
@@ -92,7 +84,7 @@
* module change.
*
* It is highly desirable that identifiers exist for "eternity". But future
- * needs (such as much faster webservers, moving to 64-bit pids, or moving to a
+ * needs (such as much faster webservers, or moving to a
* multithreaded server) may dictate a need to change the contents of
* unique_id_rec. Such a future implementation should ensure that the first
* field is still a time_t stamp. By doing that, it is possible for a site to
@@ -100,7 +92,15 @@
* wait one entire second, and then start all of their new-servers. This
* procedure will ensure that the new space of identifiers is completely unique
* from the old space. (Since the first four unencoded bytes always differ.)
+ *
+ * Note: previous implementations used 32-bits of IP address plus pid
+ * in place of the PRNG output in the "root" field. This was
+ * insufficient for IPv6-only hosts, required working DNS to determine
+ * a unique IP address (fragile), and needed a [0, 1) second sleep
+ * call at startup to avoid pid reuse. Use of the PRNG avoids all
+ * these issues.
*/
+
/*
* Sun Jun 7 05:43:49 CEST 1998 -- Alvaro
* More comments:
@@ -116,8 +116,6 @@
* htonl/ntohl. Well, this shouldn't be a problem till year 2106.
*/
-static unsigned global_in_addr;
-
/*
* XXX: We should have a per-thread counter and not use cur_unique_id.counter
* XXX: in all threads, because this is bad for performance on multi-processor
@@ -129,7 +127,7 @@
/*
* Number of elements in the structure unique_id_rec.
*/
-#define UNIQUE_ID_REC_MAX 5
+#define UNIQUE_ID_REC_MAX 4
static unsigned short unique_id_rec_offset[UNIQUE_ID_REC_MAX],
unique_id_rec_size[UNIQUE_ID_REC_MAX],
@@ -138,113 +136,32 @@
static int unique_id_global_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server)
{
- char str[APRMAXHOSTLEN + 1];
- apr_status_t rv;
- char *ipaddrstr;
- apr_sockaddr_t *sockaddr;
-
/*
* Calculate the sizes and offsets in cur_unique_id.
*/
unique_id_rec_offset[0] = APR_OFFSETOF(unique_id_rec, stamp);
unique_id_rec_size[0] = sizeof(cur_unique_id.stamp);
- unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, in_addr);
- unique_id_rec_size[1] = sizeof(cur_unique_id.in_addr);
- unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, pid);
- unique_id_rec_size[2] = sizeof(cur_unique_id.pid);
- unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, counter);
- unique_id_rec_size[3] = sizeof(cur_unique_id.counter);
- unique_id_rec_offset[4] = APR_OFFSETOF(unique_id_rec, thread_index);
- unique_id_rec_size[4] = sizeof(cur_unique_id.thread_index);
+ unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, root);
+ unique_id_rec_size[1] = sizeof(cur_unique_id.root);
+ unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, counter);
+ unique_id_rec_size[2] = sizeof(cur_unique_id.counter);
+ unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, thread_index);
+ unique_id_rec_size[3] = sizeof(cur_unique_id.thread_index);
unique_id_rec_total_size = unique_id_rec_size[0] + unique_id_rec_size[1] +
- unique_id_rec_size[2] + unique_id_rec_size[3] +
- unique_id_rec_size[4];
+ unique_id_rec_size[2] + unique_id_rec_size[3];
/*
* Calculate the size of the structure when encoded.
*/
unique_id_rec_size_uu = (unique_id_rec_total_size*8+5)/6;
- /*
- * Now get the global in_addr. Note that it is not sufficient to use one
- * of the addresses from the main_server, since those aren't as likely to
- * be unique as the physical address of the machine
- */
- if ((rv = apr_gethostname(str, sizeof(str) - 1, p)) != APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01563)
- "unable to find hostname of the server");
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET, 0, 0, p)) == APR_SUCCESS) {
- global_in_addr = sockaddr->sa.sin.sin_addr.s_addr;
- }
- else {
- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01564)
- "unable to find IPv4 address of \"%s\"", str);
-#if APR_HAVE_IPV6
- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET6, 0, 0, p)) == APR_SUCCESS) {
- memcpy(&global_in_addr,
- (char *)sockaddr->ipaddr_ptr + sockaddr->ipaddr_len - sizeof(global_in_addr),
- sizeof(global_in_addr));
- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01565)
- "using low-order bits of IPv6 address "
- "as if they were unique");
- }
- else
-#endif
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- apr_sockaddr_ip_get(&ipaddrstr, sockaddr);
- ap_log_error(APLOG_MARK, APLOG_INFO, 0, main_server, APLOGNO(01566) "using ip addr %s",
- ipaddrstr);
-
- /*
- * If the server is pummelled with restart requests we could possibly end
- * up in a situation where we're starting again during the same second
- * that has been used in previous identifiers. Avoid that situation.
- *
- * In truth, for this to actually happen not only would it have to restart
- * in the same second, but it would have to somehow get the same pids as
- * one of the other servers that was running in that second. Which would
- * mean a 64k wraparound on pids ... not very likely at all.
- *
- * But protecting against it is relatively cheap. We just sleep into the
- * next second.
- */
- apr_sleep(apr_time_from_sec(1) - apr_time_usec(apr_time_now()));
return OK;
}
static void unique_id_child_init(apr_pool_t *p, server_rec *s)
{
- pid_t pid;
-
- /*
- * Note that we use the pid because it's possible that on the same
- * physical machine there are multiple servers (i.e. using Listen). But
- * it's guaranteed that none of them will share the same pids between
- * children.
- *
- * XXX: for multithread this needs to use a pid/tid combo and probably
- * needs to be expanded to 32 bits
- */
- pid = getpid();
- cur_unique_id.pid = pid;
-
- /*
- * Test our assumption that the pid is 32-bits. It's possible that
- * 64-bit machines will declare pid_t to be 64 bits but only use 32
- * of them. It would have been really nice to test this during
- * global_init ... but oh well.
- */
- if ((pid_t)cur_unique_id.pid != pid) {
- ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(01567)
- "oh no! pids are greater than 32-bits! I'm broken!");
- }
-
- cur_unique_id.in_addr = global_in_addr;
+ ap_random_insecure_bytes(&cur_unique_id.root,
+ sizeof(cur_unique_id.root));
/*
* If we use 0 as the initial counter we have a little less protection
@@ -253,13 +170,6 @@
*/
ap_random_insecure_bytes(&cur_unique_id.counter,
sizeof(cur_unique_id.counter));
-
- /*
- * We must always use network ordering for these bytes, so that
- * identifiers are comparable between machines of different byte
- * orderings. Note in_addr is already in network order.
- */
- cur_unique_id.pid = htonl(cur_unique_id.pid);
}
/* NOTE: This is *NOT* the same encoding used by base64encode ... the last two
@@ -291,10 +201,8 @@
unsigned short counter;
int i,j,k;
- new_unique_id.in_addr = cur_unique_id.in_addr;
- new_unique_id.pid = cur_unique_id.pid;
+ memcpy(&new_unique_id.root, &cur_unique_id.root, ROOT_SIZE);
new_unique_id.counter = cur_unique_id.counter;
-
new_unique_id.stamp = htonl((unsigned int)apr_time_sec(r->request_time));
new_unique_id.thread_index = htonl((unsigned int)r->connection->id);

View File

@ -12,8 +12,8 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.28
Release: 3%{?dist}
Version: 2.4.29
Release: 1%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@ -70,15 +70,10 @@ Patch31: httpd-2.4.18-sslmultiproxy.patch
Patch34: httpd-2.4.17-socket-activation.patch
Patch35: httpd-2.4.17-sslciphdefault.patch
# Bug fixes
Patch56: httpd-2.4.4-mod_unique_id.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch58: httpd-2.4.25-r1738878.patch
Patch60: httpd-2.4.27-r1808230.patch
# Security fixes
# https://github.com/apache/httpd/commit/4171fbfcb249e63f934471054d7a0752272fb8ee
Patch61: httpd-2.4.27-fixticketkeys.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -216,12 +211,7 @@ interface for storing and accessing per-user session data.
%patch31 -p1 -b .sslmultiproxy
%patch34 -p1 -b .socketactivation
%patch35 -p1 -b .sslciphdefault
%patch56 -p1 -b .uniqueid
%patch58 -p1 -b .r1738878
%patch60 -p1 -b .r1808230
%patch61 -p1 -b .ticketkeys
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -689,6 +679,9 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Wed Oct 25 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.29-1
- new version 2.4.29
* Tue Oct 10 2017 Joe Orton <jorton@redhat.com> - 2.4.28-3
- drop obsolete Obsoletes
- update docs, Summary

View File

@ -1 +1 @@
SHA512 (httpd-2.4.28.tar.bz2) = 8de8e32b87e6de220e492e74db9df0882fae11c3b9732f3d3316da048c04767ac4429c0433c36f87d8705263e3376f97a7e1f66a9d7a518632a67b6fe617590a
SHA512 (httpd-2.4.29.tar.bz2) = 840982fd3d21463bc5c1747f211dfacf3abdf634d149e49bb49fd2e5deda140de602dbdf31e1bbe5337a48f718ab2261c408e83a8dd39a9291ee7b6b7a85639a