mod_ssl: fix leak in OCSP stapling code (PR 63687, r1876548)

mod_systemd: restore descriptive startup logging

httpd-2.4.43-mod_systemd.patch

@@ -0,0 +1,96 @@
+
+More verbose startup logging for mod_systemd.
+
+--- httpd-2.4.43/modules/arch/unix/mod_systemd.c.mod_systemd
++++ httpd-2.4.43/modules/arch/unix/mod_systemd.c
+@@ -29,11 +29,14 @@
+ #include "mpm_common.h"
+ 
+ #include "systemd/sd-daemon.h"
++#include "systemd/sd-journal.h"
+ 
+ #if APR_HAVE_UNISTD_H
+ #include <unistd.h>
+ #endif
+ 
++static char describe_listeners[30];
++
+ static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+                               apr_pool_t *ptemp)
+ {
+@@ -44,6 +47,20 @@
+     return OK;
+ }
+ 
++static char *dump_listener(ap_listen_rec *lr, apr_pool_t *p)
++{
++    apr_sockaddr_t *sa = lr->bind_addr;
++    char addr[128];
++
++    if (apr_sockaddr_is_wildcard(sa)) {
++        return apr_pstrcat(p, "port ", apr_itoa(p, sa->port), NULL);
++    }
++
++    apr_sockaddr_ip_getbuf(addr, sizeof addr, sa);
++
++    return apr_psprintf(p, "%s port %u", addr, sa->port);
++}
++
+ /* Report the service is ready in post_config, which could be during
+  * startup or after a reload.  The server could still hit a fatal
+  * startup error after this point during ap_run_mpm(), so this is
+@@ -51,19 +68,51 @@
+  * the TCP ports so new connections will not be rejected.  There will
+  * always be a possible async failure event simultaneous to the
+  * service reporting "ready", so this should be good enough. */
+-static int systemd_post_config(apr_pool_t *p, apr_pool_t *plog,
++static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog,
+                                apr_pool_t *ptemp, server_rec *main_server)
+ {
++    ap_listen_rec *lr;
++    apr_size_t plen = sizeof describe_listeners;
++    char *p = describe_listeners;
++
++    if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
++        return OK;
++
++    for (lr = ap_listeners; lr; lr = lr->next) {
++        char *s = dump_listener(lr, ptemp);
++
++        if (strlen(s) + 3 < plen) {
++            char *newp = apr_cpystrn(p, s, plen);
++            if (lr->next)
++                newp = apr_cpystrn(newp, ", ", 3);
++            plen -= newp - p;
++            p = newp;
++        }
++        else {
++            if (plen < 4) {
++                p = describe_listeners + sizeof describe_listeners - 4;
++                plen = 4;
++            }
++            apr_cpystrn(p, "...", plen);
++            break;
++        }
++    }
++
+     sd_notify(0, "READY=1\n"
+               "STATUS=Configuration loaded.\n");
++
++    sd_journal_print(LOG_INFO, "Server configured, listening on: %s",
++                     describe_listeners);
++
+     return OK;
+ }
+ 
+ static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type)
+ {
+     sd_notifyf(0, "READY=1\n"
+-               "STATUS=Processing requests...\n"
+-               "MAINPID=%" APR_PID_T_FMT, getpid());
++               "STATUS=Started, listening on: %s\n"
++               "MAINPID=%" APR_PID_T_FMT,
++               describe_listeners, getpid());
+ 
+     return OK;
+ }

httpd-2.4.43-r1876548.patch

@@ -0,0 +1,82 @@
+# ./pullrev.sh 1876548
+http://svn.apache.org/viewvc?view=revision&revision=1876548
+
+--- httpd-2.4.43/modules/ssl/ssl_util_stapling.c
++++ httpd-2.4.43/modules/ssl/ssl_util_stapling.c
+@@ -130,6 +130,7 @@
+     X509 *issuer = NULL;
+     OCSP_CERTID *cid = NULL;
+     STACK_OF(OPENSSL_STRING) *aia = NULL;
++    int rv = 1; /* until further notice */
+ 
+     if (x == NULL)
+         return 0;
+@@ -154,16 +155,18 @@
+             SSL_CTX_set_tlsext_status_cb(mctx->ssl_ctx, stapling_cb);
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(10177) "OCSP stapling added via hook");
+         }
+-        return 1;
++        goto cleanup;
+     }
+     
+     if (mctx->stapling_enabled != TRUE) {
+         /* mod_ssl's own implementation is not enabled */
+-        return 1;
++        goto cleanup;
+     }
+     
+-    if (X509_digest(x, EVP_sha1(), idx, NULL) != 1)
+-        return 0;
++    if (X509_digest(x, EVP_sha1(), idx, NULL) != 1) {
++        rv = 0;
++        goto cleanup;
++    }
+ 
+     cinf = apr_hash_get(stapling_certinfo, idx, sizeof(idx));
+     if (cinf) {
+@@ -177,18 +180,18 @@
+                            APLOGNO(02814) "ssl_stapling_init_cert: no OCSP URI "
+                            "in certificate and no SSLStaplingForceURL "
+                            "configured for server %s", mctx->sc->vhost_id);
+-            return 0;
++            rv = 0;
+         }
+-        return 1;
++        goto cleanup;
+     }
+ 
+     cid = OCSP_cert_to_id(NULL, x, issuer);
+-    X509_free(issuer);
+     if (!cid) {
+         ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x, APLOGNO(02815)
+                        "ssl_stapling_init_cert: can't create CertID "
+                        "for OCSP request");
+-        return 0;
++        rv = 0;
++        goto cleanup;
+     }
+ 
+     aia = X509_get1_ocsp(x);
+@@ -197,7 +200,8 @@
+         ssl_log_xerror(SSLLOG_MARK, APLOG_ERR, 0, ptemp, s, x,
+                        APLOGNO(02218) "ssl_stapling_init_cert: no OCSP URI "
+                        "in certificate and no SSLStaplingForceURL set");
+-        return 0;
++        rv = 0;
++        goto cleanup;
+     }
+ 
+     /* At this point, we have determined that there's something to store */
+@@ -218,8 +222,10 @@
+                    mctx->sc->vhost_id);
+ 
+     apr_hash_set(stapling_certinfo, cinf->idx, sizeof(cinf->idx), cinf);
+-    
+-    return 1;
++
++cleanup:
++    X509_free(issuer);
++    return rv;
+ }
+ 
+ static certinfo *stapling_get_certinfo(server_rec *s, X509 *x, modssl_ctx_t *mctx,

httpd.spec

@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.43
-Release: 1%{?dist}
+Release: 2%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -68,6 +68,7 @@ Patch3: httpd-2.4.43-deplibs.patch
 Patch19: httpd-2.4.43-detect-systemd.patch
 # Features/functional changes
 Patch21: httpd-2.4.43-r1842929+.patch
+Patch22: httpd-2.4.43-mod_systemd.patch
 Patch23: httpd-2.4.43-export.patch
 Patch24: httpd-2.4.43-corelimit.patch
 Patch25: httpd-2.4.43-selinux.patch
@@ -85,6 +86,7 @@ Patch42: httpd-2.4.43-r1828172+.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch60: httpd-2.4.43-enable-sslv3.patch
 Patch62: httpd-2.4.43-r1870095+.patch
+Patch63: httpd-2.4.43-r1876548.patch
 
 # Security fixes
 
@@ -207,6 +209,7 @@ interface for storing and accessing per-user session data.
 %patch19 -p1 -b .detectsystemd
 
 %patch21 -p1 -b .r1842929+
+%patch22 -p1 -b .mod_systemd
 %patch23 -p1 -b .export
 %patch24 -p1 -b .corelimit
 %patch25 -p1 -b .selinux
@@ -222,6 +225,7 @@ interface for storing and accessing per-user session data.
 
 %patch60 -p1 -b .enable-sslv3
 %patch62 -p1 -b .r1870095
+%patch63 -p1 -b .r1876548
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -746,6 +750,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Fri Apr 17 2020 Joe Orton <jorton@redhat.com> - 2.4.43-2
+- mod_ssl: fix leak in OCSP stapling code (PR 63687, r1876548)
+- mod_systemd: restore descriptive startup logging
+
 * Tue Mar 31 2020 Lubos Uhliarik <luhliari@redhat.com> - 2.4.43-1
 - new version 2.4.43 (#1819023)
 

pullrev.sh

@@ -7,7 +7,7 @@ fi
 
 repo="https://svn.apache.org/repos/asf/httpd/httpd/trunk"
 #repo="https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x"
-ver=2.4.41
+ver=2.4.43
 prefix="httpd-${ver}"
 suffix="r$1${2:++}"
 fn="${prefix}-${suffix}.patch"