diff --git a/httpd-2.4.59-engine-finish.patch b/httpd-2.4.59-engine-finish.patch
new file mode 100644
index 0000000..3ea0b85
--- /dev/null
+++ b/httpd-2.4.59-engine-finish.patch
@@ -0,0 +1,83 @@
+
+https://issues.redhat.com/browse/RHEL-36755
+
+--- httpd-2.4.59/modules/ssl/ssl_engine_init.c.pkcs11
++++ httpd-2.4.59/modules/ssl/ssl_engine_init.c
+@@ -1439,7 +1439,7 @@
+ if (modssl_is_engine_id(keyfile)) {
+ apr_status_t rv;
+
+- if ((rv = modssl_load_engine_keypair(s, ptemp, vhost_id,
++ if ((rv = modssl_load_engine_keypair(s, p, ptemp, vhost_id,
+ engine_certfile, keyfile,
+ &cert, &pkey))) {
+ return rv;
+--- httpd-2.4.59/modules/ssl/ssl_engine_pphrase.c.pkcs11
++++ httpd-2.4.59/modules/ssl/ssl_engine_pphrase.c
+@@ -826,8 +826,19 @@
+ }
+ #endif
+
++#if MODSSL_HAVE_ENGINE_API
++static apr_status_t modssl_engine_cleanup(void *engine)
++{
++ ENGINE *e = engine;
++
++ ENGINE_finish(e);
++
++ return APR_SUCCESS;
++}
++#endif
+
+-apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p,
++apr_status_t modssl_load_engine_keypair(server_rec *s,
++ apr_pool_t *pconf, apr_pool_t *ptemp,
+ const char *vhostid,
+ const char *certid, const char *keyid,
+ X509 **pubkey, EVP_PKEY **privkey)
+@@ -835,12 +846,12 @@
+ #if MODSSL_HAVE_ENGINE_API
+ const char *c, *scheme;
+ ENGINE *e;
+- UI_METHOD *ui_method = get_passphrase_ui(p);
++ UI_METHOD *ui_method = get_passphrase_ui(ptemp);
+ pphrase_cb_arg_t ppcb;
+
+ memset(&ppcb, 0, sizeof ppcb);
+ ppcb.s = s;
+- ppcb.p = p;
++ ppcb.p = ptemp;
+ ppcb.bPassPhraseDialogOnce = TRUE;
+ ppcb.key_id = vhostid;
+ ppcb.pkey_file = keyid;
+@@ -853,7 +864,7 @@
+ return ssl_die(s);
+ }
+
+- scheme = apr_pstrmemdup(p, keyid, c - keyid);
++ scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
+ if (!(e = ENGINE_by_id(scheme))) {
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
+ "Init: Failed to load engine for private key %s",
+@@ -902,7 +913,8 @@
+ return ssl_die(s);
+ }
+
+- ENGINE_finish(e);
++ apr_pool_cleanup_register(pconf, e, modssl_engine_cleanup, modssl_engine_cleanup);
++
+ ENGINE_free(e);
+
+ return APR_SUCCESS;
+--- httpd-2.4.59/modules/ssl/ssl_private.h.pkcs11
++++ 
httpd-2.4.59/modules/ssl/ssl_private.h +@@ -1076,7 +1076,8 @@ + /* Load public and/or private key from the configured ENGINE. Private + * key returned as *pkey. certid can be NULL, in which case *pubkey + * is not altered. Errors logged on failure. */ +-apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, ++apr_status_t modssl_load_engine_keypair(server_rec *s, ++ apr_pool_t *pconf, apr_pool_t *ptemp, + const char *vhostid, + const char *certid, const char *keyid, + X509 **pubkey, EVP_PKEY **privkey); diff --git a/httpd.spec b/httpd.spec index f624e9b..34b0e3d 100644 --- a/httpd.spec +++ b/httpd.spec @@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.59 -Release: 4%{?dist} +Release: 5%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc @@ -98,6 +98,7 @@ Patch100: httpd-2.4.43-enable-sslv3.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1932442 Patch101: httpd-2.4.48-full-release.patch Patch102: httpd-2.4.59-r1916863.patch +Patch103: httpd-2.4.59-engine-finish.patch # Security fixes # https://bugzilla.redhat.com/show_bug.cgi?id=... @@ -262,6 +263,7 @@ written in the Lua programming language. %patch100 -p1 -b .enable-sslv3 %patch101 -p1 -b .full-release %patch102 -p1 -b .r1916863 +%patch103 -p1 -b .engine-cleanup # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -823,6 +825,10 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Tue May 21 2024 Joe Orton - 2.4.59-5 +- mod_ssl: defer ENGINE_finish() calls to a cleanup + Resolves: RHEL-36755 + * Mon May 20 2024 Luboš Uhliarik - 2.4.59-4 - Resolves: RHEL-6575 - [RFE] httpd use systemd-sysusers
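Review bot: In the ssl_engine_pphrase.c part of the new patch file (inner hunk `@@ -902,7 +913,8 @@`), `apr_pool_cleanup_register(pconf, e, modssl_engine_cleanup, modssl_engine_cleanup);` installs the same function as the child cleanup, so `ENGINE_finish()` would also run when APR executes child cleanups in a forked process before exec. If that is not wanted for the engine in use (the `.pkcs11` backup suffix suggests a PKCS#11-backed one), the fourth argument should be `apr_pool_cleanup_null`; if it is intended, a one-line comment at the call should say so. The comment above the prototype in ssl_private.h still describes neither pool and could gain `pconf owns the cleanup that calls ENGINE_finish(); ptemp is used for temporary allocations.` The body of modssl_load_engine_keypair between the inner hunks is not on the page, so the error returns that precede the registration cannot be checked from here.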