- add security fix for CVE CAN-2004-0942 (memory consumption DoS)

- SELinux: run httpd -t under runcon in configtest (Steven Smalley)
- fix SSLSessionCache comment for distcache in ssl.conf
- restart using SIGHUP not SIGUSR1 after logrotate
- add ap_save_brigade fix (upstream #31247)
- mod_ssl: fix possible segfault in auth hook (upstream #31848)
- add htsslpass(1) and configure as default SSLPassPhraseDialog (#128677)
- apachectl: restore use of $OPTIONS
- apachectl, httpd.init: refuse to restart if $HTTPD -t fails
- apachectl: run $HTTPD -t in user SELinux context for configtest
- update for pcre-5.0 header locations
This commit is contained in:
jorton 2004-11-18 11:59:52 +00:00
parent ff2220fd78
commit 7c0f3e466d
6 changed files with 62 additions and 22 deletions

View File

@ -1,5 +1,5 @@
# Makefile for source rpm: httpd
# $Id: Makefile,v 1.4 2004/10/13 10:44:51 jorton Exp $
# $Id: Makefile,v 1.5 2004/10/13 16:35:07 jorton Exp $
NAME := httpd
SPECFILE = $(firstword $(wildcard *.spec))
UPSTREAM_CHECKS = asc
@ -21,4 +21,4 @@ status.html: status.xml status-html.xsl
@xsltproc status-html.xsl $< > $@
view-status: status.html
gnome-moz-remote `pwd`/$<
firefox -remote 'openFile($(shell pwd)/$<)'

View File

@ -2,9 +2,9 @@
Set SIGXFSZ to be ignored, so a write() beyond 2gb will fail with
E2BIG rather than killing the process
Upstream-HEAD: omit
Upstream-HEAD: needed
Upstream-2.0: omit
Upstream-Status: Obsoleted by proper LFS support in APR
Upstream-Status: Obsoleted by proper LFS support in APR, do it anyway
Upstream-PR: 13511
--- ./server/mpm/prefork/prefork.c.xfsz Wed Jul 17 22:39:55 2002

View File

@ -73,11 +73,15 @@ stop() {
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
reload() {
echo -n $"Reloading $prog: "
check13 || exit 1
killproc $httpd -HUP
RETVAL=$?
echo
if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t; then
failure $"Configuration syntax check for $httpd, will not reload"
RETVAL=$?
else
echo -n $"Reloading $prog: "
killproc $httpd -HUP
RETVAL=$?
echo
fi
}
# See how we were called.

View File

@ -3,6 +3,6 @@
notifempty
sharedscripts
postrotate
/bin/kill -USR1 `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
/bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
endscript
}

View File

@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.0.52
Release: 5
Release: 6
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html
@ -23,11 +23,13 @@ Source12: welcome.conf
Source13: manual.conf
Source14: mod_ssl-Makefile.crt
Source15: mod_ssl-Makefile.crl
Source16: htsslpass.c
# Documentation
Source30: migration.xml
Source31: migration.css
Source32: html.xsl
Source33: README.confd
Source34: htsslpass.xml
# build/scripts patches
Patch1: httpd-2.0.40-apctl.patch
Patch2: httpd-2.0.36-apxs.patch
@ -49,6 +51,8 @@ Patch28: httpd-2.0.48-worker.patch
Patch29: httpd-2.0.48-workerhup.patch
Patch30: httpd-2.0.48-davmisc.patch
Patch39: httpd-2.0.50-reclaim.patch
Patch40: httpd-2.0.52-sslauth.patch
Patch41: httpd-2.0.52-savebrigade.patch
# Features/functional changes
Patch70: httpd-2.0.48-release.patch
Patch71: httpd-2.0.40-xfsz.patch
@ -70,11 +74,13 @@ Patch91: httpd-2.0.46-testhook.patch
Patch92: httpd-2.0.46-dumpcerts.patch
# Security fixes
Patch120: httpd-2.0.52-CAN-2004-0885.patch
Patch121: httpd-2.0.52-CAN-2004-0942.patch
License: Apache Software License
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-root
BuildRequires: db4-devel, expat-devel, findutils, perl, pkgconfig, xmlto >= 0.0.11
BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel, zlib-devel
BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel >= 5.0,
BuildRequires: zlib-devel
Requires: /etc/mime.types, gawk, /usr/share/magic.mime, /usr/bin/find
Requires: httpd-suexec
Prereq: /sbin/chkconfig, /bin/mktemp, /bin/rm, /bin/mv
@ -86,19 +92,20 @@ Obsoletes: mod_put, mod_roaming
Conflicts: pcre < 4.0
%description
Apache is a powerful, full-featured, efficient, and freely-available
Web server. Apache is also the most popular Web server on the
Internet.
The Apache HTTP Server is a powerful, full-featured, efficient, and
freely-available Web server. The Apache HTTP Server is also the
most popular Web server on the Internet.
%package devel
Group: Development/Libraries
Summary: Development tools for the Apache HTTP server.
Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
Requires: apr-devel, apr-util-devel, httpd = %{version}, pcre-devel
Requires: apr-devel, apr-util-devel, httpd = %{version}, pcre-devel >= 5.0
%description devel
The httpd-devel package contains the APXS binary and other files
that you need to build Dynamic Shared Objects (DSOs) for Apache.
that you need to build Dynamic Shared Objects (DSOs) for the
Apache HTTP Server.
If you are installing the Apache HTTP server and you want to be
able to compile or develop additional modules for Apache, you need
@ -161,6 +168,8 @@ executed by SSI pages) as a user other than the 'apache' user.
%patch29 -p1 -b .workerhup
%patch30 -p1 -b .davmisc
%patch39 -p1 -b .reclaim
%patch40 -p1 -b .sslauth
%patch41 -p1 -b .savebrigade
%patch71 -p0 -b .xfsz
%patch72 -p1 -b .pod
@ -181,6 +190,7 @@ executed by SSI pages) as a user other than the 'apache' user.
%patch92 -p1 -b .dumpcerts
%patch120 -p1 -b .can0885
%patch121 -p1 -b .can0942
# Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH70} | patch -p1
@ -231,8 +241,15 @@ sed 's/@DISTRO@/%{distro}/' < $RPM_SOURCE_DIR/migration.xml > migration.xml
xmlto -x $RPM_SOURCE_DIR/html.xsl html-nochunks migration.xml
cp $RPM_SOURCE_DIR/migration.css . # make %%doc happy
# Build the htsslpass man page
xmlto man $RPM_SOURCE_DIR/htsslpass.xml
# Build htsslpass
cp $RPM_SOURCE_DIR/htsslpass.c . || exit 1
gcc $RPM_OPT_FLAGS -Wall -Werror htsslpass.c -o htsslpass
CFLAGS=$RPM_OPT_FLAGS
CPPFLAGS="-DSSL_EXPERIMENTAL_ENGINE -I/usr/include/pcre"
CPPFLAGS="-DSSL_EXPERIMENTAL_ENGINE"
export CFLAGS CPPFLAGS
function mpmbuild()
@ -302,7 +319,11 @@ popd
install -m 755 worker/httpd $RPM_BUILD_ROOT%{_sbindir}/httpd.worker
# link to system pcreposix.h
ln -s ../pcre/pcreposix.h $RPM_BUILD_ROOT%{_includedir}/httpd/pcreposix.h
ln -s ../pcreposix.h $RPM_BUILD_ROOT%{_includedir}/httpd/pcreposix.h
# install htsslpass(1) and man page
install -m 755 htsslpass $RPM_BUILD_ROOT%{_bindir}/htsslpass
install -m 644 htsslpass.1 $RPM_BUILD_ROOT%{_mandir}/man1/htsslpass.1
# install conf file/directory
mkdir $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
@ -519,6 +540,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/httpd.worker
%{_sbindir}/apachectl
%{_sbindir}/rotatelogs
%exclude %{_bindir}/htsslpass
%dir %{_libdir}/httpd
%dir %{_libdir}/httpd/modules
@ -544,6 +566,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man?/*
%exclude %{_mandir}/man8/apxs.8*
%exclude %{_mandir}/man8/suexec.8*
%exclude %{_mandir}/man1/htsslpass.1*
%files manual
%defattr(-,root,root)
@ -552,6 +575,8 @@ rm -rf $RPM_BUILD_ROOT
%files -n mod_ssl
%defattr(-,root,root)
%{_bindir}/htsslpass
%{_mandir}/man1/htsslpass.1*
%{_libdir}/httpd/modules/mod_ssl.so
%config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf
%attr(0700,root,root) %dir %{_sysconfdir}/httpd/conf/ssl.*
@ -579,6 +604,19 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/suexec.8*
%changelog
* Tue Nov 16 2004 Joe Orton <jorton@redhat.com> 2.0.52-6
- add security fix for CVE CAN-2004-0942 (memory consumption DoS)
- SELinux: run httpd -t under runcon in configtest (Steven Smalley)
- fix SSLSessionCache comment for distcache in ssl.conf
- restart using SIGHUP not SIGUSR1 after logrotate
- add ap_save_brigade fix (upstream #31247)
- mod_ssl: fix possible segfault in auth hook (upstream #31848)
- add htsslpass(1) and configure as default SSLPassPhraseDialog (#128677)
- apachectl: restore use of $OPTIONS
- apachectl, httpd.init: refuse to restart if $HTTPD -t fails
- apachectl: run $HTTPD -t in user SELinux context for configtest
- update for pcre-5.0 header locations
* Sat Nov 13 2004 Jeff Johnson <jbj@redhat.com> 2.0.52-5
- rebuild against db-4.3.21 aware apr-util.

View File

@ -44,9 +44,7 @@ SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache dbm:/var/cache/mod_ssl/scache(512000)
#SSLSessionCache dc:UNIX/var/cache/mod_ssl/distcache
#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300