Merge branch 'master' into f27

2017-10-10 15:44:20 +01:00 · 2017-10-10 15:44:20 +01:00 · d2370fbd7d
commit d2370fbd7d
parent a69b9e522a 596b5fc517
2 changed files with 88 additions and 133 deletions
--- a/httpd-2.4.27-fixticketkeys.patch
+++ b/httpd-2.4.27-fixticketkeys.patch
@ -0,0 +1,65 @@
+From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Tue, 22 Mar 2016 13:09:17 +0000
+Subject: [PATCH] mod_ssl: return non ambigous value in
+ ssl_callback_SessionTicket() for encryption mode (we used to return 0,
+ OpenSSL documents returning 1 instead).
+
+Practically this does not change anything since OpenSSL will only check for
+>= 0 return value (non error) for encryption mode (the other possible return
+values are only relevant for decryption mode).
+
+However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
+states:
+"
+The return value of the cb function is used by OpenSSL to determine what
+further processing will occur. The following return values have meaning:
+
+2
+    This indicates that the ctx and hctx have been set and the session can
+    continue on those parameters. Additionally it indicates that the session
+    ticket is in a renewal period and should be replaced. The OpenSSL library
+    will call cb again with an enc argument of 1 to set the new ticket (see
+    RFC5077 3.3 paragraph 2).
+
+1
+    This indicates that the ctx and hctx have been set and the session can
+    continue on those parameters.
+
+0
+    This indicates that it was not possible to set/retrieve a session ticket
+    and the SSL/TLS session will continue by by negotiating a set of
+    cryptographic parameters or using the alternate SSL/TLS resumption
+    mechanism, session ids.
+    If called with enc equal to 0 the library will call the cb again to get a
+    new set of parameters.
+
+less than 0
+    This indicates an error.
+"
+
+So 0 is not appropriate in our code, 1 is what we really want (and it won't
+break if OpenSSL later changes its checks on the callback return value).
+
+Reported by: oknet on github, pull request #18.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_kernel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 91da94c4f58..91d5e926d66 100644
+--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
+@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
+                       "TLS session ticket key for %s successfully set, "
+                       "creating new session ticket", sc->vhost_id);
+ 
+-        return 0;
+        return 1;
+     }
+     else if (mode == 0) {
+         /* 
--- a/httpd.spec
+++ b/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.28
-Release: 1%{?dist}
+Release: 3%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@ -76,6 +76,9 @@ Patch58: httpd-2.4.25-r1738878.patch
 Patch60: httpd-2.4.27-r1808230.patch
 # Security fixes

+# https://github.com/apache/httpd/commit/4171fbfcb249e63f934471054d7a0752272fb8ee
+Patch61: httpd-2.4.27-fixticketkeys.patch
+
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@ -103,8 +106,7 @@ web server.

 %package devel
 Group: Development/Libraries
-Summary: Development interfaces for the Apache HTTP server
-Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
+Summary: Development interfaces for the Apache HTTP Server
 Requires: apr-devel, apr-util-devel, pkgconfig
 Requires: httpd = %{version}-%{release}

@ -113,31 +115,30 @@ The httpd-devel package contains the APXS binary and other files
 that you need to build Dynamic Shared Objects (DSOs) for the
 Apache HTTP Server.

-If you are installing the Apache HTTP server and you want to be
+If you are installing the Apache HTTP Server and you want to be
 able to compile or develop additional modules for Apache, you need
 to install this package.

 %package manual
 Group: Documentation
-Summary: Documentation for the Apache HTTP server
+Summary: Documentation for the Apache HTTP Server
 Requires: httpd = %{version}-%{release}
-Obsoletes: secureweb-manual, apache-manual
 BuildArch: noarch

 %description manual
 The httpd-manual package contains the complete manual and
-reference guide for the Apache HTTP server. The information can
-also be found at http://httpd.apache.org/docs/2.2/.
+reference guide for the Apache HTTP Server. The information can
+also be found at https://httpd.apache.org/docs/2.4/.

 %package filesystem
 Group: System Environment/Daemons
-Summary: The basic directory layout for the Apache HTTP server
+Summary: The basic directory layout for the Apache HTTP Server
 BuildArch: noarch
 Requires(pre): /usr/sbin/useradd

 %description filesystem
 The httpd-filesystem package contains the basic directory layout
-for the Apache HTTP server including the correct permissions
+for the Apache HTTP Server including the correct permissions
 for the directories.

 %package tools
@ -156,7 +157,6 @@ BuildRequires: openssl-devel
 Requires(pre): httpd-filesystem
 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
 Requires: sscg >= 2.2.0
-Obsoletes: stronghold-mod_ssl
 # Require an OpenSSL which supports PROFILE=SYSTEM
 Conflicts: openssl-libs < 1:1.0.1h-4

@ -221,6 +221,8 @@ interface for storing and accessing per-user session data.
 %patch58 -p1 -b .r1738878
 %patch60 -p1 -b .r1808230

+%patch61 -p1 -b .ticketkeys
+
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h

@ -687,6 +689,14 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Tue Oct 10 2017 Joe Orton <jorton@redhat.com> - 2.4.28-3
+- drop obsolete Obsoletes
+- update docs, Summary
+- trim %%changelog
+
+* Tue Oct 10 2017 Patrick Uiterwijk <patrick@puiterwijk.org> - 2.4.28-2
+- Backport patch for fixing ticket key usage
+
 * Fri Oct 06 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.28-1
 - new version 2.4.28

@ -714,8 +724,9 @@ rm -rf $RPM_BUILD_ROOT

 * Wed Sep 20 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.4.27-8.1
 - Generate SSL certificates on service start, not %%posttrans
+- Generate SSL certificates on service start, not %%posttrans

-* Tue Sep 19 2017 Joe Orton <jorton@redhat.com> - 2.4.27-8.1
+* Tue Sep 19 2017 Joe Orton <jorton@redhat.com> - 2.4.27-8
 - move httpd.service.d, httpd.socket.d dirs to -filesystem

 * Wed Sep 13 2017 Joe Orton <jorton@redhat.com> - 2.4.27-7
@ -1198,124 +1209,3 @@ rm -rf $RPM_BUILD_ROOT
 - split all LoadModules to conf.modules.d/*.conf
 - include conf.d/*.conf at end of httpd.conf
 - trim %%changelog
-
-* Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2.2.22-2
- fix build against PCRE 8.30
-
-* Mon Feb 13 2012 Joe Orton <jorton@redhat.com> - 2.2.22-1
- update to 2.2.22
-
-* Fri Feb 10 2012 Petr Pisar <ppisar@redhat.com> - 2.2.21-8
- Rebuild against PCRE 8.30
-
-* Mon Jan 23 2012 Jan Kaluza <jkaluza@redhat.com> - 2.2.21-7
- fix #783629 - start httpd after named
-
-* Mon Jan 16 2012 Joe Orton <jorton@redhat.com> - 2.2.21-6
- complete conversion to systemd, drop init script (#770311)
- fix comments in /etc/sysconfig/httpd (#771024)
- enable PrivateTmp in service file (#781440)
- set LANG=C in /etc/sysconfig/httpd
-
-* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.21-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
-
-* Tue Dec 06 2011 Jan Kaluza <jkaluza@redhat.com> - 2.2.21-4
- fix #751591 - start httpd after remote-fs
-
-* Mon Oct 24 2011 Jan Kaluza <jkaluza@redhat.com> - 2.2.21-3
- allow change state of BalancerMember in mod_proxy_balancer web interface
-
-* Thu Sep 22 2011 Ville Skyttä <ville.skytta@iki.fi> - 2.2.21-2
- Make mmn available as %%{_httpd_mmn}.
- Add .svgz to AddEncoding x-gzip example in httpd.conf.
-
-* Tue Sep 13 2011 Joe Orton <jorton@redhat.com> - 2.2.21-1
- update to 2.2.21
-
-* Mon Sep  5 2011 Joe Orton <jorton@redhat.com> - 2.2.20-1
- update to 2.2.20
- fix MPM stub man page generation
-
-* Wed Aug 10 2011 Jan Kaluza <jkaluza@redhat.com> - 2.2.19-5
- fix #707917 - add httpd-ssl-pass-dialog to ask for SSL password using systemd
-
-* Fri Jul 22 2011 Iain Arnell <iarnell@gmail.com> 1:2.2.19-4
- rebuild while rpm-4.9.1 is untagged to remove trailing slash in provided
-  directory names
-
-* Wed Jul 20 2011 Jan Kaluza <jkaluza@redhat.com> - 2.2.19-3
- fix #716621 - suexec now works without setuid bit
-
-* Thu Jul 14 2011 Jan Kaluza <jkaluza@redhat.com> - 2.2.19-2
- fix #689091 - backported patch from 2.3 branch to support IPv6 in logresolve
-
-* Fri Jul  1 2011 Joe Orton <jorton@redhat.com> - 2.2.19-1
- update to 2.2.19
- enable dbd, authn_dbd in default config
-
-* Thu Apr 14 2011 Joe Orton <jorton@redhat.com> - 2.2.17-13
- fix path expansion in service files
-
-* Tue Apr 12 2011 Joe Orton <jorton@redhat.com> - 2.2.17-12
- add systemd service files (#684175, thanks to Jóhann B. Guðmundsson)
-
-* Wed Mar 23 2011 Joe Orton <jorton@redhat.com> - 2.2.17-11
- minor updates to httpd.conf
- drop old patches
-
-* Wed Mar  2 2011 Joe Orton <jorton@redhat.com> - 2.2.17-10
- rebuild
-
-* Wed Feb 23 2011 Joe Orton <jorton@redhat.com> - 2.2.17-9
- use arch-specific mmn
-
-* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.2.17-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
-
-* Mon Jan 31 2011 Joe Orton <jorton@redhat.com> - 2.2.17-7
- generate dummy mod_ssl cert with CA:FALSE constraint (#667841)
- add man page stubs for httpd.event, httpd.worker
- drop distcache support
- add STOP_TIMEOUT support to init script
-
-* Sat Jan  8 2011 Joe Orton <jorton@redhat.com> - 2.2.17-6
- update default SSLCipherSuite per upstream trunk
-
-* Wed Jan  5 2011 Joe Orton <jorton@redhat.com> - 2.2.17-5
- fix requires (#667397)
-
-* Wed Jan  5 2011 Joe Orton <jorton@redhat.com> - 2.2.17-4
- de-ghost /var/run/httpd
-
-* Tue Jan  4 2011 Joe Orton <jorton@redhat.com> - 2.2.17-3
- add tmpfiles.d configuration, ghost /var/run/httpd (#656600)
-
-* Sat Nov 20 2010 Joe Orton <jorton@redhat.com> - 2.2.17-2
- drop setuid bit, use capabilities for suexec binary
-
-* Wed Oct 27 2010 Joe Orton <jorton@redhat.com> - 2.2.17-1
- update to 2.2.17
-
-* Fri Sep 10 2010 Joe Orton <jorton@redhat.com> - 2.2.16-2
- link everything using -z relro and -z now
-
-* Mon Jul 26 2010 Joe Orton <jorton@redhat.com> - 2.2.16-1
- update to 2.2.16
-
-* Fri Jul  9 2010 Joe Orton <jorton@redhat.com> - 2.2.15-3
- default config tweaks:
- * harden httpd.conf w.r.t. .htaccess restriction (#591293)
- * load mod_substitute, mod_version by default
- * drop proxy_ajp.conf, load mod_proxy_ajp in httpd.conf
- * add commented list of shipped-but-unloaded modules
- * bump up worker defaults a little
- * drop KeepAliveTimeout to 5 secs per upstream
- fix LSB compliance in init script (#522074)
- bundle NOTICE in -tools
- use init script in logrotate postrotate to pick up PIDFILE
- drop some old Obsoletes/Conflicts
-
-* Sun Apr 04 2010 Robert Scheck <robert@fedoraproject.org> - 2.2.15-1
- update to 2.2.15 (#572404, #579311)
-