From 9c0ce392a924cea8080151199fd5d5b6e98ec3fe Mon Sep 17 00:00:00 2001
From: jorton
Date: Thu, 3 Dec 2009 14:23:28 +0000
Subject: [PATCH] - update to 2.2.14 - relax permissions on /var/run/httpd (#495780) - Requires(pre): httpd in mod_ssl subpackage (#543275) - add partial security fix for CVE-2009-3555 (#533125)
---
 .cvsignore | 2 +-
 httpd-2.2.13.tar.gz.asc | 17 --
 httpd-2.2.14-CVE-2009-3555.patch | 284 +++++++++++++++++++++++++++++++
 httpd-2.2.14.tar.gz.asc | 7 +
 httpd.spec | 17 +-
 sources | 2 +-
 upstream | 2 +-
 7 files changed, 308 insertions(+), 23 deletions(-)
 delete mode 100644 httpd-2.2.13.tar.gz.asc
 create mode 100644 httpd-2.2.14-CVE-2009-3555.patch
 create mode 100644 httpd-2.2.14.tar.gz.asc
diff --git a/.cvsignore b/.cvsignore
index 08db694..a59898a 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-httpd-2.2.13.tar.gz
+httpd-2.2.14.tar.gz
diff --git a/httpd-2.2.13.tar.gz.asc b/httpd-2.2.13.tar.gz.asc
deleted file mode 100644
index c407881..0000000
--- a/httpd-2.2.13.tar.gz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1.4.9 (GNU/Linux)
-
-iQIcBAABAgAGBQJKely6AAoJEBk/GAq1XZl3RCcP/Ar22Dn4gHe0dVVv5lTQOia0
-7Tp4S8clhJCVWInVPcUfHBDPHCqgapot5h3NjV9VVqFvxuIhSuTb3Wtzx1Eyh+9Y
-hIOLLTnUdAJ/1knjiOOUcmDwDn8UantaGgjKUaRwyuJX6DwdQt4RK52gyRfompJ2
-pjaXAAig6oalXBBZWpBwwtRcs0hAU0OrmRriZdVrbtZCcAjJNReBeZTIWJycKsM/
-UuGyxLGm4NjaRv6vuiLj02EvBQlMmF3EAvyidTXrF9LGZPTwC3PMZxkoUk+AlgIh
-jH7BsiRJmA7bwH2l1L/mpKOj0+GoMXboYPb9t0sNRv7qVS8/62aVx2pmZ0RraPsk
-qSpo+N4SdmGRZ9eVHRlGqitz/1a5GpFUJiCjPgRAmmqYxcvOTspCzCAxd+3e9HNu
-z2oV2MHhdfmW4wuOyZjtoG4/eCJWQOOl6L0fKmfmZ0QAAe/LFJjoleW6Ebf1Px6w
-LRuCWcXhlKR8EQsOv6mJirfRXrK6uV01U74CMnmzaqjHMEsmUQ7Hh/jWUJ5C4Otb
-Rf5+20PmSWVaf5sd+u7S/zNPFL0XNk2PUnWW/SShiC6bSDNCBFAwRa4vipDIVRBN
-SxifPTjvGJ3bQ+F+4Se6R3c1H8hy83VGLxYmenY03Tebq5wWGJupbu3JIibBKb0s
-qvzcW/b7rotkyW6YGFBX
-=0OK6
------END PGP SIGNATURE-----
diff --git a/httpd-2.2.14-CVE-2009-3555.patch b/httpd-2.2.14-CVE-2009-3555.patch
new file mode 100644
index 0000000..60f5763
--- /dev/null
+++ b/httpd-2.2.14-CVE-2009-3555.patch
@@ -0,0 +1,284 @@
+--- httpd-2.2.14/modules/ssl/ssl_engine_init.c.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_engine_init.c
+@@ -501,10 +501,7 @@ static void ssl_init_ctx_callbacks(serve
+ SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+
+- if (s->loglevel >= APLOG_DEBUG) {
+- /* this callback only logs if LogLevel >= info */
+- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
+- }
++ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+ }
+
+ static void ssl_init_ctx_verify(server_rec *s,
+--- httpd-2.2.14/modules/ssl/ssl_engine_io.c.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_engine_io.c
+@@ -103,6 +103,7 @@ typedef struct {
+ ap_filter_t *pInputFilter;
+ ap_filter_t *pOutputFilter;
+ int nobuffer; /* non-zero to prevent buffering */
++ SSLConnRec *config;
+ } ssl_filter_ctx_t;
+
+ typedef struct {
+@@ -193,7 +194,13 @@ static int bio_filter_out_read(BIO *bio,
+ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
+ {
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+-
++
++ /* Abort early if the client has initiated a renegotiation. */
++ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
++ outctx->rc = APR_ECONNABORTED;
++ return -1;
++ }
++
+ /* when handshaking we'll have a small number of bytes.
+ * max size SSL will pass us here is about 16k.
+ * (16413 bytes to be exact)
+@@ -466,6 +473,12 @@ static int bio_filter_in_read(BIO *bio,
+ if (!in)
+ return 0;
+
++ /* Abort early if the client has initiated a renegotiation. */
++ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
++ inctx->rc = APR_ECONNABORTED;
++ return -1;
++ }
++
+ /* XXX: flush here only required for SSLv2;
+ * OpenSSL calls BIO_flush() at the appropriate times for
+ * the other protocols.
+@@ -1724,6 +1737,8 @@ void ssl_io_filter_init(conn_rec *c, SSL
+
+ filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
+
++ filter_ctx->config = myConnConfig(c);
++
+ filter_ctx->nobuffer = 0;
+ filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
+ filter_ctx, NULL, c);
+--- httpd-2.2.14/modules/ssl/ssl_engine_kernel.c.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_engine_kernel.c
+@@ -729,6 +729,10 @@ int ssl_hook_Access(request_rec *r)
+ (unsigned char *)&id,
+ sizeof(id));
+
++ /* Toggle the renegotiation state to allow the new
++ * handshake to proceed. */
++ sslconn->reneg_state = RENEG_ALLOW;
++
+ SSL_renegotiate(ssl);
+ SSL_do_handshake(ssl);
+
+@@ -750,6 +754,8 @@ int ssl_hook_Access(request_rec *r)
+ SSL_set_state(ssl, SSL_ST_ACCEPT);
+ SSL_do_handshake(ssl);
+
++ sslconn->reneg_state = RENEG_REJECT;
++
+ if (SSL_get_state(ssl) != SSL_ST_OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Re-negotiation handshake failed: "
+@@ -1844,76 +1850,55 @@ void ssl_callback_DelSessionCacheEntry(S
+ return;
+ }
+
+-/*
+- * This callback function is executed while OpenSSL processes the
+- * SSL handshake and does SSL record layer stuff. We use it to
+- * trace OpenSSL's processing in out SSL logfile.
+- */
+-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
++/* Dump debugginfo trace to the log file. */
++static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c,
++ server_rec *s, int where, int rc)
+ {
+- conn_rec *c;
+- server_rec *s;
+- SSLSrvConfigRec *sc;
+-
+- /*
+- * find corresponding server
+- */
+- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
+- return;
+- }
+-
+- s = mySrvFromConn(c);
+- if (!(sc = mySrvConfig(s))) {
+- return;
+- }
+-
+ /*
+ * create the various trace messages
+ */
+- if (s->loglevel >= APLOG_DEBUG) {
+- if (where & SSL_CB_HANDSHAKE_START) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Handshake: start", SSL_LIBRARY_NAME);
+- }
+- else if (where & SSL_CB_HANDSHAKE_DONE) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Handshake: done", SSL_LIBRARY_NAME);
+- }
+- else if (where & SSL_CB_LOOP) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Loop: %s",
+- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+- }
+- else if (where & SSL_CB_READ) {
++ if (where & SSL_CB_HANDSHAKE_START) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Handshake: start", SSL_LIBRARY_NAME);
++ }
++ else if (where & SSL_CB_HANDSHAKE_DONE) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Handshake: done", SSL_LIBRARY_NAME);
++ }
++ else if (where & SSL_CB_LOOP) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Loop: %s",
++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++ }
++ else if (where & SSL_CB_READ) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Read: %s",
++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++ }
++ else if (where & SSL_CB_WRITE) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Write: %s",
++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++ }
++ else if (where & SSL_CB_ALERT) {
++ char *str = (where & SSL_CB_READ) ? "read" : "write";
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Alert: %s:%s:%s",
++ SSL_LIBRARY_NAME, str,
++ SSL_alert_type_string_long(rc),
++ SSL_alert_desc_string_long(rc));
++ }
++ else if (where & SSL_CB_EXIT) {
++ if (rc == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Read: %s",
++ "%s: Exit: failed in %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+- else if (where & SSL_CB_WRITE) {
++ else if (rc < 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Write: %s",
++ "%s: Exit: error in %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+- else if (where & SSL_CB_ALERT) {
+- char *str = (where & SSL_CB_READ) ? "read" : "write";
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Alert: %s:%s:%s",
+- SSL_LIBRARY_NAME, str,
+- SSL_alert_type_string_long(rc),
+- SSL_alert_desc_string_long(rc));
+- }
+- else if (where & SSL_CB_EXIT) {
+- if (rc == 0) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Exit: failed in %s",
+- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+- }
+- else if (rc < 0) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Exit: error in %s",
+- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+- }
+- }
+ }
+
+ /*
+@@ -1933,6 +1918,52 @@ void ssl_callback_LogTracingState(MODSSL
+ }
+ }
+
++/*
++ * This callback function is executed while OpenSSL processes the SSL
++ * handshake and does SSL record layer stuff. It's used to trap
++ * client-initiated renegotiations, and for dumping everything to the
++ * log.
++ */
++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
++{
++ conn_rec *c;
++ server_rec *s;
++ SSLConnRec *scr;
++
++ /* Retrieve the conn_rec and the associated SSLConnRec. */
++ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
++ return;
++ }
++
++ if ((scr = myConnConfig(c)) == NULL) {
++ return;
++ }
++
++ /* If the reneg state is to reject renegotiations, check the SSL
++ * state machine and move to ABORT if a Client Hello is being
++ * read. */
++ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
++ int state = SSL_get_state(ssl);
++
++ if (state == SSL3_ST_SR_CLNT_HELLO_A
++ || state == SSL23_ST_SR_CLNT_HELLO_A) {
++ scr->reneg_state = RENEG_ABORT;
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
++ "rejecting client initiated renegotiation");
++ }
++ }
++ /* If the first handshake is complete, change state to reject any
++ * subsequent client-initated renegotiation. */
++ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
++ scr->reneg_state = RENEG_REJECT;
++ }
++
++ s = mySrvFromConn(c);
++ if (s && s->loglevel >= APLOG_DEBUG) {
++ log_tracing_state(ssl, c, s, where, rc);
++ }
++}
++
+ #ifndef OPENSSL_NO_TLSEXT
+ /*
+ * This callback function is executed when OpenSSL encounters an extended
+--- httpd-2.2.14/modules/ssl/ssl_private.h.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_private.h
+@@ -356,6 +356,20 @@ typedef struct {
+ int is_proxy;
+ int disabled;
+ int non_ssl_request;
++
++ /* Track the handshake/renegotiation state for the connection so
++ * that all client-initiated renegotiations can be rejected, as a
++ * partial fix for CVE-2009-3555. */
++ enum {
++ RENEG_INIT = 0, /* Before initial handshake */
++ RENEG_REJECT, /* After initial handshake; any client-initiated
++ * renegotiation should be rejected */
++ RENEG_ALLOW, /* A server-initated renegotiation is taking
++ * place (as dictated by configuration) */
++ RENEG_ABORT /* Renegotiation initiated by client, abort the
++ * connection */
++ } reneg_state;
++
+ server_rec *server;
+ } SSLConnRec;
+
+@@ -574,7 +588,7 @@ int ssl_callback_proxy_cert(SSL
+ int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
+ void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
+ #ifndef OPENSSL_NO_TLSEXT
+ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+ #endif
diff --git a/httpd-2.2.14.tar.gz.asc b/httpd-2.2.14.tar.gz.asc
new file mode 100644
index 0000000..12a09ea
--- /dev/null
+++ b/httpd-2.2.14.tar.gz.asc
@@ -0,0 +1,7 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.9 (Darwin)
+
+iD8DBQBKuq+ENEqETXUdfycRAt+lAKCBA8IJnjaV416wdym0//EHlOjO8ACdFLOD
+K4ODFOVg9S1rvewVwER0VM4=
+=R/uW
+-----END PGP SIGNATURE-----
diff --git a/httpd.spec b/httpd.spec
index b69f8b8..d99c487 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -6,8 +6,8 @@ Summary: Apache HTTP Server
 Name: httpd
-Version: 2.2.13
-Release: 4%{?dist}
+Version: 2.2.14
+Release: 1%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
 Source1: index.html
@@ -37,6 +37,8 @@ Patch25: httpd-2.2.11-selinux.patch
 Patch26: httpd-2.2.9-suenable.patch
 # Bug fixes
 Patch54: httpd-2.2.0-authnoprov.patch
+# Security fixes
+Patch90: httpd-2.2.14-CVE-2009-3555.patch
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
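Review bot: In the two ssl_hook_Access hunks of ssl_engine_kernel.c, `sslconn->reneg_state` is set to `RENEG_ALLOW` before the server-initiated `SSL_renegotiate(ssl)` and only returned to `RENEG_REJECT` after the second `SSL_do_handshake(ssl)`; the code between the two hunks (old lines 735–750 are outside the hunk) is where a failed first handshake would return early, and on that path the connection would stay in `RENEG_ALLOW` unless it is also aborted there, so either confirm that or reset to `RENEG_REJECT` on that exit too. While `RENEG_ALLOW` is in effect `ssl_callback_Info` cannot tell a ClientHello that answers the server's HelloRequest from an unsolicited one, which is inherent to this approach and presumably why the changelog calls it a partial fix; a sentence saying so in the comment above the enum in ssl_private.h would spare the next reader from re-deriving it. `RENEG_INIT` is defined as 0, so the new field starts in the right state only if `SSLConnRec` is allocated zeroed; the allocation site is not in this patch, so that dependency deserves a comment such as `/* RENEG_INIT must remain 0: relies on SSLConnRec being zero-allocated */`. The `bio_filter_out_write` and `bio_filter_in_read` checks dereference `filter_ctx->config` unconditionally, which is correct only because `ssl_io_filter_init` now always assigns it; a one-line comment at that assignment, e.g. `/* the BIO callbacks dereference this without a NULL check */`, would make the coupling visible.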
@@ -101,6 +103,7 @@ Summary: SSL/TLS module for the Apache HTTP Server
 Epoch: 1
 BuildRequires: openssl-devel, distcache-devel
 Requires(post): openssl >= 0.9.7f-4, /bin/cat
+Requires(pre): httpd
 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmn}
 Obsoletes: stronghold-mod_ssl
@@ -126,6 +129,8 @@ Security (TLS) protocols.
 %patch54 -p1 -b .authnoprov
+%patch90 -p1 -b .cve3555
+
 # Patch in vendor/release string
 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
@@ -446,7 +451,7 @@ rm -rf $RPM_BUILD_ROOT
 %config %{contentdir}/error/*.var
 %config %{contentdir}/error/include/*.html
-%attr(0700,root,root) %dir %{_localstatedir}/run/httpd
+%attr(0710,root,apache) %dir %{_localstatedir}/run/httpd
 %attr(0700,root,root) %dir %{_localstatedir}/log/httpd
 %attr(0700,apache,apache) %dir %{_localstatedir}/lib/dav
 %attr(0700,apache,apache) %dir %{_localstatedir}/cache/mod_proxy
@@ -484,6 +489,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/httpd/build/*.sh
 %changelog
+* Thu Dec 3 2009 Joe Orton - 2.2.14-1
+- update to 2.2.14
+- relax permissions on /var/run/httpd (#495780)
+- Requires(pre): httpd in mod_ssl subpackage (#543275)
+- add partial security fix for CVE-2009-3555 (#533125)
+
 * Tue Oct 27 2009 Tom "spot" Callaway 2.2.13-4
 - add additional explanatory text to test page to help prevent legal emails to Fedora
diff --git a/sources b/sources
index 21fdcfd..10a5750 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2803e35be6650f5b739e6e91faa824dd httpd-2.2.13.tar.gz
+2c1e3c7ba00bcaa0163da7b3e66aaa1e httpd-2.2.14.tar.gz
diff --git a/upstream b/upstream
index 08db694..a59898a 100644
--- a/upstream
+++ b/upstream
@@ -1 +1 @@
-httpd-2.2.13.tar.gz
+httpd-2.2.14.tar.gz
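Review bot: The `%attr(0710,root,apache) %dir %{_localstatedir}/run/httpd` line in the `@@ -446,7 +451,7 @@` hunk changes who may enter that directory but records no reason in the spec; the only trace is the `(#495780)` reference in the changelog. Mode 0710 grants the apache group search access only, so a process running with that group can open an entry under the directory by name but cannot list, create or remove entries, which is the narrowest relaxation that still lets unprivileged children reach a file placed there by the root parent; a comment above the line would keep a later maintainer from tightening it back to 0700 or widening it to 0770, e.g. `# 0710 root:apache: the apache group needs search access into this directory (#495780) but must not be able to list or create entries in it`. Which files the group needs to reach is not visible in this diff, so the wording should be checked against the bug before committing.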