update to 2.4.17 (#1271224)

- build, load mod_http2
- don't build mod_asis, mod_file_cache
- load mod_cache_socache, mod_proxy_wstunnel by default
- check every built mod_* is configured
- synch ssl.conf with upstream; disable SSLv3 by default
Resolves: rhbz#1271224
Joe Orton 2015-10-14 09:06:30 +01:00
parent c119a5ba7a
commit 91a2788bce
9 changed files with 74 additions and 44 deletions

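--- a/.gitignore
+++ b/.gitignore
@@ -20,3 +20,4 @@ x86_64
 /httpd-2.4.10.tar.bz2
 /httpd-2.4.12.tar.bz2
 /httpd-2.4.16.tar.bz2
+/httpd-2.4.17.tar.bz2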


@ -25,6 +25,7 @@ LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cache_module modules/mod_cache.so LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so LoadModule cache_disk_module modules/mod_cache_disk.so
LoadModule cache_socache_module modules/mod_cache_socache.so
LoadModule data_module modules/mod_data.so LoadModule data_module modules/mod_data.so
LoadModule dbd_module modules/mod_dbd.so LoadModule dbd_module modules/mod_dbd.so
LoadModule deflate_module modules/mod_deflate.so LoadModule deflate_module modules/mod_deflate.so
@ -36,6 +37,7 @@ LoadModule expires_module modules/mod_expires.so
LoadModule ext_filter_module modules/mod_ext_filter.so LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule filter_module modules/mod_filter.so LoadModule filter_module modules/mod_filter.so
LoadModule headers_module modules/mod_headers.so LoadModule headers_module modules/mod_headers.so
LoadModule http2_module modules/mod_http2.so
LoadModule include_module modules/mod_include.so LoadModule include_module modules/mod_include.so
LoadModule info_module modules/mod_info.so LoadModule info_module modules/mod_info.so
LoadModule log_config_module modules/mod_log_config.so LoadModule log_config_module modules/mod_log_config.so
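Review bot: Loading mod_http2 in the always-on module set widens the default attack surface of every installation, and 2.4.17 is the first release that ships it (upstream labelled the module experimental at the time, as far as I recall), so a comment above `LoadModule http2_module modules/mod_http2.so` would help administrators judge the trade-off. Something like `# New in 2.4.17; HTTP/2 is only negotiated where a Protocols directive enables h2 or h2c, so nothing changes on the wire until one is set.` also prevents the assumption that HTTP/2 is already on. The `cache_socache_module` line in the first hunk deserves the same kind of note, since it too is now loaded unconditionally.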


@ -11,6 +11,7 @@
#LoadModule dialup_module modules/mod_dialup.so #LoadModule dialup_module modules/mod_dialup.so
#LoadModule charset_lite_module modules/mod_charset_lite.so #LoadModule charset_lite_module modules/mod_charset_lite.so
#LoadModule log_debug_module modules/mod_log_debug.so #LoadModule log_debug_module modules/mod_log_debug.so
#LoadModule log_forensic_module modules/mod_log_forensic.so
#LoadModule ratelimit_module modules/mod_ratelimit.so #LoadModule ratelimit_module modules/mod_ratelimit.so
#LoadModule reflector_module modules/mod_reflector.so #LoadModule reflector_module modules/mod_reflector.so
#LoadModule sed_module modules/mod_sed.so #LoadModule sed_module modules/mod_sed.so


@ -13,3 +13,4 @@ LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so


@ -1,20 +0,0 @@
https://bugzilla.redhat.com/show_bug.cgi?id=1109119
Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
--- httpd-2.4.10/modules/ssl/ssl_engine_config.c.sslciphdefault
+++ httpd-2.4.10/modules/ssl/ssl_engine_config.c
@@ -692,8 +692,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
- /* always disable null and export ciphers */
- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
+ /* Disable null and export ciphers by default, except for PROFILE=
+ * configs where the parser doesn't cope. */
+ if (strncmp(arg, "PROFILE=", 8) != 0)
+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL);
if (cmd->path) {
dc->szCipherSuite = arg;


@ -0,0 +1,33 @@
https://bugzilla.redhat.com/show_bug.cgi?id=1109119
Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
--- httpd-2.4.17/modules/ssl/ssl_engine_config.c.sslciphdefault
+++ httpd-2.4.17/modules/ssl/ssl_engine_config.c
@@ -708,8 +708,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
- /* always disable null and export ciphers */
- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+ /* Disable null and export ciphers by default, except for PROFILE=
+ * configs where the parser doesn't cope. */
+ if (strncmp(arg, "PROFILE=", 8) != 0)
+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
if (cmd->path) {
dc->szCipherSuite = arg;
@@ -1428,8 +1430,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(
{
SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- /* always disable null and export ciphers */
- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+ /* Disable null and export ciphers by default, except for PROFILE=
+ * configs where the parser doesn't cope. */
+ if (strncmp(arg, "PROFILE=", 8) != 0)
+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
sc->proxy->auth.cipher_suite = arg;
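Review bot: With the bypass at `if (strncmp(arg, "PROFILE=", 8) != 0)`, httpd no longer enforces the exclusion of anonymous, NULL and export ciphers for the system-profile case and delegates it entirely to the crypto-policies profile; the patch header should state that, e.g. add `For PROFILE= strings the profile itself is relied on to exclude aNULL/eNULL/EXP.` after the existing description line. The test is a prefix match, so only a string that starts with PROFILE= skips the append, which is the narrowest reasonable condition. Both hunks (ssl_cmd_SSLCipherSuite and ssl_cmd_SSLProxyCipherSuite) now share the same bypass, which is consistent with the `SSLProxyCipherSuite PROFILE=SYSTEM` line added to ssl.conf in this commit. Both enclosing functions start and end outside the hunks.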


@ -7,7 +7,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.16 Version: 2.4.17
Release: 1%{?dist} Release: 1%{?dist}
URL: http://httpd.apache.org/ URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -61,7 +61,7 @@ Patch29: httpd-2.4.10-mod_systemd.patch
Patch30: httpd-2.4.4-cachehardmax.patch Patch30: httpd-2.4.4-cachehardmax.patch
Patch31: httpd-2.4.6-sslmultiproxy.patch Patch31: httpd-2.4.6-sslmultiproxy.patch
Patch34: httpd-2.4.9-socket-activation.patch Patch34: httpd-2.4.9-socket-activation.patch
Patch35: httpd-2.4.10-sslciphdefault.patch Patch35: httpd-2.4.17-sslciphdefault.patch
# Bug fixes # Bug fixes
Patch55: httpd-2.4.4-malformed-host.patch Patch55: httpd-2.4.4-malformed-host.patch
Patch56: httpd-2.4.4-mod_unique_id.patch Patch56: httpd-2.4.4-mod_unique_id.patch
@ -73,7 +73,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
BuildRequires: autoconf, perl, pkgconfig, findutils, xmlto BuildRequires: autoconf, perl, pkgconfig, findutils, xmlto
BuildRequires: zlib-devel, libselinux-devel, lua-devel BuildRequires: zlib-devel, libselinux-devel, lua-devel
BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0 BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0
BuildRequires: systemd-devel BuildRequires: systemd-devel, libnghttp2-devel
Requires: /etc/mime.types, system-logos-httpd Requires: /etc/mime.types, system-logos-httpd
Obsoletes: httpd-suexec Obsoletes: httpd-suexec
Provides: webserver Provides: webserver
@ -204,7 +204,7 @@ interface for storing and accessing per-user session data.
%patch29 -p1 -b .systemd %patch29 -p1 -b .systemd
%patch30 -p1 -b .cachehardmax %patch30 -p1 -b .cachehardmax
%patch31 -p1 -b .sslmultiproxy %patch31 -p1 -b .sslmultiproxy
%patch34 -p1 -b .socketactivation #patch34 -p1 -b .socketactivation
%patch35 -p1 -b .sslciphdefault %patch35 -p1 -b .sslciphdefault
%patch55 -p1 -b .malformedhost %patch55 -p1 -b .malformedhost
@ -278,7 +278,8 @@ export LYNX_PATH=/usr/bin/links
--enable-ldap --enable-authnz-ldap \ --enable-ldap --enable-authnz-ldap \
--enable-cgid --enable-cgi \ --enable-cgid --enable-cgi \
--enable-authn-anon --enable-authn-alias \ --enable-authn-anon --enable-authn-alias \
--disable-imagemap \ --disable-imagemap --disable-file-cache \
--disable-asis
$* $*
make %{?_smp_mflags} make %{?_smp_mflags}
@ -529,6 +530,14 @@ if readelf -d $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so | grep TEXTREL; then
: modules contain non-relocatable code : modules contain non-relocatable code
exit 1 exit 1
fi fi
# Ensure every mod_* that's built is loaded.
for f in $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so; do
m=${f##*/}
if ! grep -q $m $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf; then
echo ERROR: Module $m not configured. Disable it, or load it.
exit 1
fi
done
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
@ -665,6 +674,14 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Tue Oct 13 2015 Joe Orton <jorton@redhat.com> - 2.4.17-1
- update to 2.4.17 (#1271224)
- build, load mod_http2
- don't build mod_asis, mod_file_cache
- load mod_cache_socache, mod_proxy_wstunnel by default
- check every built mod_* is configured
- synch ssl.conf with upstream; disable SSLv3 by default
* Wed Jul 15 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.12-4 * Wed Jul 15 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.12-4
- update to 2.4.16 - update to 2.4.16
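Review bot: The socket-activation patch is switched off at `#patch34 -p1 -b .socketactivation` while `Patch34: httpd-2.4.9-socket-activation.patch` stays declared, and neither the changelog entry nor the commit message records that systemd socket activation is being dropped from this build; add a changelog line such as `- temporarily disable socket-activation patch` (stating the reason, if it is a rebase failure against 2.4.17) or a `# Patch34 disabled: ...` comment next to the commented line. In the new module check loop, `grep -q $m` passes an unquoted, unanchored regex in which the `.` of `.so` matches any character; `if ! grep -qF -- "$m" $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf; then` makes it a literal match and is robust to unusual file names.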


@ -1 +1 @@
2b19cd338fd526dd5a63c57b1e9bfee2 httpd-2.4.16.tar.bz2 cf4dfee11132cde836022f196611a8b7 httpd-2.4.17.tar.bz2


@ -69,31 +69,26 @@ LogLevel warn
# Enable/Disable SSL for this virtual host. # Enable/Disable SSL for this virtual host.
SSLEngine on SSLEngine on
# SSL Protocol support: # List the protocol versions which clients are allowed to connect with.
# List the enable protocol levels with which clients will be able to # Disable SSLv3 by default (cf. RFC 7525 3.1.1). TLSv1 (1.0) should be
# connect. Disable SSLv2 access by default: # disabled as quickly as practical. By the end of 2016, only the TLSv1.2
SSLProtocol all -SSLv2 # protocol or later should remain in use.
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
# must be the prerogative of the web server administrator who manages
# cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on
# SSL Cipher Suite: # SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate. # List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list. # See the mod_ssl documentation for a complete list.
# The OpenSSL system profile is configured by default. See # The OpenSSL system profile is configured by default. See
# update-crypto-policies(8) for more details. # update-crypto-policies(8) for more details.
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLCipherSuite PROFILE=SYSTEM SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
# Server Certificate: # Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If # Point SSLCertificateFile at a PEM encoded certificate. If
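Review bot: `SSLProtocol all -SSLv3`, `SSLProxyProtocol all -SSLv3` and `SSLHonorCipherOrder on` are placed next to `SSLEngine on`, which in this file sits inside the `_default_:443` virtual host (the `<VirtualHost>` line is outside the hunk, so this is inferred from the surrounding directives); any further `<VirtualHost *:443>` an administrator adds therefore inherits mod_ssl's built-in defaults, in which SSLv3 is not excluded (subject to the OpenSSL build), unless it repeats these lines. Setting the protocol and cipher-order directives once in the server-wide part of ssl.conf, outside the vhost, would make the SSLv3 disable apply to every TLS vhost. The comment above them could then read `# Applies to every SSL virtual host unless overridden there.`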