Hello community, here is the log from the commit of package apache2 for openSUSE:11.3 checked in at Mon Dec 5 17:54:37 CET 2011.
-------- --- old-versions/11.3/UPDATES/all/apache2/apache2.changes 2011-10-26 15:52:56.000000000 +0200 +++ 11.3/apache2/apache2.changes 2011-11-29 16:51:01.000000000 +0100 @@ -1,0 +2,23 @@ +Tue Nov 29 16:50:30 CET 2011 - [email protected] + +- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff re-worked: + len needs to be unsigned. int -> apr_size_t. [bnc#729181] + +------------------------------------------------------------------- +Fri Nov 25 14:43:52 CET 2011 - [email protected] + +- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff fixes an + integer overflow in server/util.c also known as CVE-2011-3607. + [bnc#729181] +- httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff: make non-ascii + eg UTF8 passwords work with mod_authnz_ldap. [bnc#727071] +- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff is a fix + for CVE-2011-4317, which is to be seen a variant of CVE-2011-3368 + which was addressed below in + httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff. [bnc#722545] +- new template file: /etc/apache2/vhosts.d/vhost-ssl.template + allow TLSv1 only, browser match stuff commented out. +- rc script /etc/init.d/apache2: handle reload with deleted binaries + by message to stdout only, but refrain from sending signals. + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100 +++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100 
@@ -64,7 +64,7 @@ Group: Productivity/Networking/Web/Servers %define realver 2.2.15 Version: 2.2.15 -Release: 4.<RELEASE7> +Release: 4.<RELEASE9> #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 # Add file to take mtime from it in prep section @@ -127,6 +127,9 @@ Patch104: httpd-2.2.x-bnc713966-CVE-2011-3192.patch Patch105: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff Patch106: httpd-2.2.x-CVE-2011-3348-mod_proxy_ajp.patch +Patch107: httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff +Patch108: httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff +Patch109: httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.2 @@ -405,6 +408,9 @@ %patch104 -p0 %patch105 -p0 %patch106 -p0 +%patch107 -p0 +%patch108 -p0 +%patch109 -p0 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # ++++++ apache2-vhost-ssl.template ++++++ --- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100 +++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100 @@ -13,20 +13,11 @@ # serve pages over an https connection. For detailing information about these # directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html> # -# For the moment, see <URL:http://www.modssl.org/docs/> for this info. -# The documents are still being prepared from material donated by the -# modssl project. -# # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure # consult the online docs. You have been warned. # -# Until documentation is completed, please check http://www.modssl.org/ -# for additional config examples and module docmentation. Directives -# and features of mod_ssl are largely unchanged from the mod_ssl project -# for Apache 1.3. - <IfDefine SSL> <IfDefine !NOSSL> 
@@ -47,10 +38,21 @@ # Enable/Disable SSL for this virtual host. SSLEngine on + # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only: + SSLProtocol all -SSLv2 -SSLv3 + # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + # + # formerly, this was set to the following: + # ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + # + # We now disable weak ciphers by default. + # Please see the documentation via the links above, and + # "openssl ciphers -v" for a complete list of ciphers that are + # available. + SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If @@ -185,9 +187,12 @@ # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. - SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 + # remark: The below configuration snippet is here for illustration purposes. + # Browser specific deficiencies exist, but generally all of them + # should handle SSL/TLS encapsulated connections well. + #SetEnvIf User-Agent ".*MSIE.*" \ + # nokeepalive ssl-unclean-shutdown \ + # downgrade-1.0 force-response-1.0 # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a ++++++ httpd-2.2.x-CVE-2011-3348-mod_proxy_ajp.patch ++++++ --- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100 +++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100 
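Review bot: The new `SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH` line in the @@ -47,10 +38,21 @@ hunk sorts the permitted ciphers by strength, but no `SSLHonorCipherOrder on` is added next to it, so as far as this hunk shows the client's preference still decides which permitted cipher is negotiated. I would add `SSLHonorCipherOrder on` directly after the `SSLCipherSuite` line, unless the template already sets it outside the hunk. The comment above `SSLProtocol` would also read more accurately as `# Disable SSLv2 and SSLv3; only TLS remains enabled:`, because the directive subtracts protocols from `all` rather than selecting TLSv1.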
@@ -1,37 +1,7 @@ -diff -rNU 50 ../httpd-2.2.17-o/modules/proxy/mod_proxy_ajp.c ./modules/proxy/mod_proxy_ajp.c ---- ../httpd-2.2.17-o/modules/proxy/mod_proxy_ajp.c 2010-08-25 16:16:25.000000000 +0200 -+++ ./modules/proxy/mod_proxy_ajp.c 2011-10-24 23:37:12.000000000 +0200 -@@ -166,101 +166,103 @@ - { - apr_status_t status; - int result; - apr_bucket *e; - apr_bucket_brigade *input_brigade; - apr_bucket_brigade *output_brigade; - ajp_msg_t *msg; - apr_size_t bufsiz = 0; - char *buff; - char *send_body_chunk_buff; - apr_uint16_t size; - const char *tenc; - int havebody = 1; - int output_failed = 0; - int backend_failed = 0; - apr_off_t bb_len; - int data_sent = 0; - int request_ended = 0; - int headers_sent = 0; - int rv = 0; - apr_int32_t conn_poll_fd; - apr_pollfd_t *conn_poll; - proxy_server_conf *psf = - ap_get_module_config(r->server->module_config, &proxy_module); - apr_size_t maxsize = AJP_MSG_BUFFER_SZ; - int send_body = 0; - apr_off_t content_length = 0; - - if (psf->io_buffer_size_set) - maxsize = psf->io_buffer_size; +diff -rNU 20 ../httpd-2.2.12-o/modules/proxy/mod_proxy_ajp.c ./modules/proxy/mod_proxy_ajp.c +--- ../httpd-2.2.12-o/modules/proxy/mod_proxy_ajp.c 2011-10-07 14:35:30.000000000 +0200 ++++ ./modules/proxy/mod_proxy_ajp.c 2011-10-07 15:04:51.000000000 +0200 +@@ -196,41 +196,43 @@ if (maxsize > AJP_MAX_BUFFER_SZ) maxsize = AJP_MAX_BUFFER_SZ; else if (maxsize < AJP_MSG_BUFFER_SZ) 
@@ -76,33 +46,3 @@ conn->close++; ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "proxy: ajp_alloc_data_msg failed"); - return HTTP_INTERNAL_SERVER_ERROR; - } - - /* read the first bloc of data */ - input_brigade = apr_brigade_create(p, r->connection->bucket_alloc); - tenc = apr_table_get(r->headers_in, "Transfer-Encoding"); - if (tenc && (strcasecmp(tenc, "chunked") == 0)) { - /* The AJP protocol does not want body data yet */ - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "proxy: request is chunked"); - } else { - /* Get client provided Content-Length header */ - content_length = get_content_length(r); - status = ap_get_brigade(r->input_filters, input_brigade, - AP_MODE_READBYTES, APR_BLOCK_READ, - maxsize - AJP_HEADER_SZ); - - if (status != APR_SUCCESS) { - /* We had a failure: Close connection to backend */ - conn->close++; - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "proxy: ap_get_brigade failed"); - apr_brigade_destroy(input_brigade); - return HTTP_BAD_REQUEST; - } - - /* have something */ - if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(input_brigade))) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, - "proxy: APR_BUCKET_IS_EOS"); ++++++ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff ++++++ --- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100 +++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100 @@ -1,6 +1,6 @@ -diff -rNU 50 ../httpd-2.2.15-o/server/protocol.c ./server/protocol.c ---- ../httpd-2.2.15-o/server/protocol.c 2011-10-26 15:50:45.000000000 +0200 -+++ ./server/protocol.c 2011-10-26 15:50:54.000000000 +0200 +diff -rNU 50 ../httpd-2.2.12-o/server/protocol.c ./server/protocol.c +--- ../httpd-2.2.12-o/server/protocol.c 2011-10-26 15:08:02.000000000 +0200 ++++ ./server/protocol.c 2011-10-26 15:08:13.000000000 +0200 
@@ -590,100 +590,125 @@ apr_status_t rv; ++++++ httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff ++++++ diff -rNU 20 ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c ./modules/mappers/mod_rewrite.c --- ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c 2009-07-10 14:20:45.000000000 +0200 +++ ./modules/mappers/mod_rewrite.c 2011-11-24 04:08:35.000000000 +0100 @@ -4230,40 +4230,47 @@ /* * only do something under runtime if the engine is really enabled, * else return immediately! */ if (conf->state == ENGINE_DISABLED) { return DECLINED; } /* * check for the ugly API case of a virtual host section where no * mod_rewrite directives exists. In this situation we became no chance * by the API to setup our default per-server config so we have to * on-the-fly assume we have the default config. But because the default * config has a disabled rewriting engine we are lucky because can * just stop operating now. */ if (conf->server != r->server) { return DECLINED; } + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* * add the SCRIPT_URL variable to the env. this is a bit complicated * due to the fact that apache uses subrequests and internal redirects */ if (r->main == NULL) { var = apr_table_get(r->subprocess_env, REDIRECT_ENVVAR_SCRIPT_URL); if (var == NULL) { apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, r->uri); } else { apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var); } } else { var = apr_table_get(r->main->subprocess_env, ENVVAR_SCRIPT_URL); apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var); } /* diff -rNU 20 ../httpd-2.2.12-o/modules/proxy/mod_proxy.c ./modules/proxy/mod_proxy.c --- ../httpd-2.2.12-o/modules/proxy/mod_proxy.c 2009-01-31 21:58:07.000000000 +0100 +++ ./modules/proxy/mod_proxy.c 2011-11-24 04:08:35.000000000 +0100 
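Review bot: The check added in the mod_rewrite.c hunk answers 400 for every request whose `r->uri` does not begin with `/`, which also covers `OPTIONS *` and, where forward proxying is enabled, probably absolute-URI and CONNECT request targets; the identical block is added to mod_proxy.c in the following hunk, there after the `r->proxyreq` early return. These hooks only need to leave such requests alone, so `return DECLINED;` would close the CVE-2011-3368/CVE-2011-4317 path without changing the response for requests that were valid before; presumably the core's own URI translation still rejects a malformed URI afterwards, which should be confirmed against this 2.2.x tree. If the 400 is kept, the asterisk form should at least be exempted, e.g. `if (!(r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') && (!r->uri || r->uri[0] != '/')) {`. Both functions start and end outside their hunks.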
@@ -527,40 +527,47 @@ proxy_server_conf *conf = (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module); int i, len; struct proxy_alias *ent = (struct proxy_alias *) conf->aliases->elts; proxy_dir_conf *dconf = ap_get_module_config(r->per_dir_config, &proxy_module); const char *fake; const char *real; ap_regmatch_t regm[AP_MAX_REG_MATCH]; ap_regmatch_t reg1[AP_MAX_REG_MATCH]; char *found = NULL; int mismatch = 0; if (r->proxyreq) { /* someone has already set up the proxy, it was possibly ourselves * in proxy_detect */ return OK; } + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* XXX: since r->uri has been manipulated already we're not really * compliant with RFC1945 at this point. But this probably isn't * an issue because this is a hybrid proxy/origin server. */ for (i = 0; i < conf->aliases->nelts; i++) { unsigned int nocanon = ent[i].flags & PROXYPASS_NOCANON; const char *use_uri = nocanon ? r->unparsed_uri : r->uri; if ((dconf->interpolate_env == 1) && (ent[i].flags & PROXYPASS_INTERPOLATE)) { fake = proxy_interpolate(r, ent[i].fake); real = proxy_interpolate(r, ent[i].real); } else { fake = ent[i].fake; real = ent[i].real; } if (ent[i].regex) { if (!ap_regexec(ent[i].regex, r->uri, AP_MAX_REG_MATCH, regm, 0)) { if ((real[0] == '!') && (real[1] == '\0')) { ++++++ httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff ++++++ diff -rNU 30 ../httpd-2.2.15-o/modules/aaa/mod_authnz_ldap.c ./modules/aaa/mod_authnz_ldap.c --- ../httpd-2.2.15-o/modules/aaa/mod_authnz_ldap.c 2010-02-25 03:25:35.000000000 +0100 +++ ./modules/aaa/mod_authnz_ldap.c 2011-11-29 16:46:58.000000000 +0100 
@@ -126,60 +126,82 @@ charset = apr_pstrdup(p, charset); } return charset; } static apr_xlate_t* get_conv_set (request_rec *r) { char *lang_line = (char*)apr_table_get(r->headers_in, "accept-language"); char *lang; apr_xlate_t *convset; if (lang_line) { lang_line = apr_pstrdup(r->pool, lang_line); for (lang = lang_line;*lang;lang++) { if ((*lang == ',') || (*lang == ';')) { *lang = '\0'; break; } } lang = derive_codepage_from_lang(r->pool, lang_line); if (lang && (apr_xlate_open(&convset, to_charset, lang, r->pool) == APR_SUCCESS)) { return convset; } } return NULL; } +static const char* authn_ldap_xlate_password(request_rec *r, + const char* sent_password) +{ + apr_xlate_t *convset = NULL; + apr_size_t inbytes; + apr_size_t outbytes; + char *outbuf; + + if (charset_conversions && (convset = get_conv_set(r)) ) { + inbytes = strlen(sent_password); + outbytes = (inbytes+1)*3; + outbuf = apr_pcalloc(r->pool, outbytes); + + /* Convert the password to UTF-8. */ + if (apr_xlate_conv_buffer(convset, sent_password, &inbytes, outbuf, + &outbytes) == APR_SUCCESS) + return outbuf; + } + + return sent_password; +} + /* * Build the search filter, or at least as much of the search filter that * will fit in the buffer. We don't worry about the buffer not being able * to hold the entire filter. If the buffer wasn't big enough to hold the * filter, ldap_search_s will complain, but the only situation where this * is likely to happen is if the client sent a really, really long * username, most likely as part of an attack. * * The search filter consists of the filter provided with the URL, * combined with a filter made up of the attribute provided with the URL, * and the actual username passed by the HTTP client. For example, assume * that the LDAP URL is * * ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*) * * Further, assume that the userid passed by the client was `userj'. The * search filter will be (&(posixid=*)(uid=userj)). 
*/ #define FILTER_LENGTH MAX_STRING_LEN static void authn_ldap_build_filter(char *filtbuf, request_rec *r, const char* sent_user, const char* sent_filter, authn_ldap_config_t *sec) { char *p, *q, *filtbuf_end; char *user, *filter; apr_xlate_t *convset = NULL; apr_size_t inbytes; 
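Review bot: `authn_ldap_xlate_password` is added without a header comment, and its silent fallbacks deserve one: it returns `sent_password` unchanged both when no conversion set is available and when `apr_xlate_conv_buffer` does not return `APR_SUCCESS`. The conversion set comes from `get_conv_set`, shown as context in this hunk, which derives the source charset from the client's `accept-language` header, so the bytes that are finally bound against the directory depend on a request header. Proposed comment: `/* Convert the client-supplied password to UTF-8 using the charset derived from Accept-Language; returns sent_password unchanged if conversion is disabled, unavailable or fails. */`. A debug-level `ap_log_rerror` on the failure path would help whoever investigates a failed login, provided it never includes the password itself.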
@@ -317,116 +339,120 @@ { util_ldap_connection_t *ldc = param; util_ldap_connection_close(ldc); return APR_SUCCESS; } /* * Authentication Phase * -------------------- * * This phase authenticates the credentials the user has sent with * the request (ie the username and password are checked). This is done * by making an attempt to bind to the LDAP server using this user's * DN and the supplied password. * */ static authn_status authn_ldap_check_password(request_rec *r, const char *user, const char *password) { int failures = 0; const char **vals = NULL; char filtbuf[FILTER_LENGTH]; authn_ldap_config_t *sec = (authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module); util_ldap_connection_t *ldc = NULL; int result = 0; int remote_user_attribute_set = 0; const char *dn = NULL; + const char *utfpassword; authn_ldap_request_t *req = (authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t)); ap_set_module_config(r->request_config, &authnz_ldap_module, req); /* if (!sec->enabled) { return AUTH_USER_NOT_FOUND; } */ /* * Basic sanity checks before any LDAP operations even happen. */ if (!sec->have_ldap_url) { return AUTH_GENERAL_ERROR; } start_over: /* There is a good AuthLDAPURL, right? 
*/ if (sec->host) { ldc = util_ldap_connection_find(r, sec->host, sec->port, sec->binddn, sec->bindpw, sec->deref, sec->secure); } else { ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authenticate: no sec->host - weird...?", getpid()); return AUTH_GENERAL_ERROR; } ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authenticate: using URL %s", getpid(), sec->url); /* Get the password that the client sent */ if (password == NULL) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authenticate: no password specified", getpid()); util_ldap_connection_close(ldc); return AUTH_GENERAL_ERROR; } if (user == NULL) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authenticate: no user specified", getpid()); util_ldap_connection_close(ldc); return AUTH_GENERAL_ERROR; } /* build the username filter */ authn_ldap_build_filter(filtbuf, r, user, NULL, sec); + /* convert password to utf-8 */ + utfpassword = authn_ldap_xlate_password(r, password); + /* do the user search */ result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope, - sec->attributes, filtbuf, password, &dn, &vals); + sec->attributes, filtbuf, utfpassword, &dn, &vals); util_ldap_connection_close(ldc); /* sanity check - if server is down, retry it up to 5 times */ if (AP_LDAP_IS_SERVER_DOWN(result)) { if (failures++ <= 5) { goto start_over; } } /* handle bind failure */ if (result != LDAP_SUCCESS) { if (!sec->bind_authoritative) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authenticate: " "user %s authentication failed; URI %s [%s][%s] (not authoritative)", getpid(), user, r->uri, ldc->reason, ldap_err2string(result)); return AUTH_USER_NOT_FOUND; } ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "[%" APR_PID_T_FMT "] auth_ldap authenticate: " "user %s authentication failed; URI %s [%s][%s]", getpid(), user, r->uri, ldc->reason, ldap_err2string(result)); 
return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND #ifdef LDAP_SECURITY_ERROR : (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED #else : (LDAP_INAPPROPRIATE_AUTH == result) ? AUTH_DENIED : (LDAP_INVALID_CREDENTIALS == result) ? AUTH_DENIED ++++++ httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff ++++++ diff -rNU 20 ../httpd-2.2.12-o/server/util.c ./server/util.c --- ../httpd-2.2.12-o/server/util.c 2011-11-29 16:27:42.000000000 +0100 +++ ./server/util.c 2011-11-29 16:29:03.000000000 +0100 
@@ -349,72 +349,81 @@ * passed ap_regexec(). pmatch should not be greater than the maximum number * of subexpressions - i.e. one more than the re_nsub member of ap_regex_t. * * input should be the string with the $-expressions, source should be the * string that was matched against. * * It returns the substituted string, or NULL on error. * * Parts of this code are based on Henry Spencer's regsub(), from his * AT&T V8 regexp package. */ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, const char *source, size_t nmatch, ap_regmatch_t pmatch[]) { const char *src = input; char *dest, *dst; char c; size_t no; - int len; + apr_size_t len; if (!source) return NULL; if (!nmatch) return apr_pstrdup(p, src); /* First pass, find the size */ len = 0; while ((c = *src++) != '\0') { if (c == '&') no = 0; else if (c == '$' && apr_isdigit(*src)) no = *src++ - '0'; else no = 10; if (no > 9) { /* Ordinary character. */ if (c == '\\' && (*src == '$' || *src == '&')) c = *src++; len++; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { + if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { + ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL, + "integer overflow or out of memory condition." ); + return NULL; + } len += pmatch[no].rm_eo - pmatch[no].rm_so; } } dest = dst = apr_pcalloc(p, len + 1); + if(!dest) + return NULL; + + /* Now actually fill in the string */ src = input; while ((c = *src++) != '\0') { if (c == '&') no = 0; else if (c == '$' && apr_isdigit(*src)) no = *src++ - '0'; else no = 10; if (no > 9) { /* Ordinary character. */ if (c == '\\' && (*src == '$' || *src == '&')) c = *src++; *dst++ = c; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { len = pmatch[no].rm_eo - pmatch[no].rm_so; memcpy(dst, source + pmatch[no].rm_so, len); ++++++ rc.apache2 ++++++ --- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100 +++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100 
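Review bot: With the new overflow guard `ap_pregsub` gains a `return NULL` path that depends on the substitution data at request time, and none of its callers are part of this patch. The header comment already documents NULL on error, but any call site that passes the result straight to a table setter or a string function would now dereference NULL on this path, so the users of `ap_pregsub` (mod_setenvif among them, as far as I can tell from outside this hunk) should be checked for a NULL test. Smaller points: `if(!dest) return NULL;` is probably dead code, since pool allocation normally aborts rather than returning NULL, and the unchanged `len++` in the ordinary-character branch is not covered by the guard. The function body continues past the end of the hunk.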
@@ -6,9 +6,8 @@ # Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH # # Authors: Rolf Haberrecker <[email protected]>, 2001 -# Peter Poeml <[email protected]>, 2002, 2003, 2004, 2005, 2006, 2007, -# 2008, 2009, 2010 -# +# Peter Poeml <[email protected]>, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# Roman Drahtmueller <[email protected]>, 2009-2012 # # /etc/init.d/apache2 # @@ -161,6 +160,8 @@ echo -n "(not running)" else pid=$(<$pidfile) + # re-read exe symlink, it could be (deleted) in the meanwhile. + apache_bin=$(readlink /proc/$pid/exe 2>/dev/null) kill -TERM $pid 2>/dev/null case $? in 1) echo -n "(not running)";; @@ -174,7 +175,7 @@ if ! test -f /proc/$pid/exe; then break fi - if test "$(readlink /proc/$pid/exe 2>/dev/null)" = $apache_bin; then + if test "$(readlink /proc/$pid/exe 2>/dev/null)" = "$apache_bin"; then usleep 500000 else break @@ -260,7 +261,24 @@ rc_status ;; reload|force-reload|graceful) + # check if there is a deleted binary. If there is, then logrotate + # or other occasions will fail to reload, as dlopen(3) of apache + # modules is prone to fail due to symbol mismatches. + # in this case, we only complain and fail. + if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi + executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null ) + case "$executable" in + *httpd*delete*) + echo -n "Reload httpd2 after package update: ignoring request. Please do a manual restart explicitly! " + rc_failed 1 + rc_status -v + rc_exit + ;; + *) + ;; + esac echo -n "Reload httpd2 (graceful restart)" + cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@") if eval $cmdline -t &> $logdir/rc$pname.out; then killproc -USR1 $apache_bin || return=$rc_failed continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
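Review bot: In the @@ -161,6 +160,8 @@ hunk the script's `apache_bin` is overwritten with whatever `/proc/$pid/exe` points to, so the wait loop in the next hunk no longer compares against the configured binary but against the process that happens to own the pid from `$pidfile`. With a stale pidfile and a recycled pid the loop would then wait on an unrelated process, and anything later in the same invocation that uses `apache_bin` (not visible here) sees an empty value or one carrying a deleted-file suffix. A separate variable keeps the two meanings apart: `running_bin=$(readlink "/proc/$pid/exe" 2>/dev/null)` and, in the loop, `test "$(readlink "/proc/$pid/exe" 2>/dev/null)" = "$running_bin"`.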
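Review bot: In the reload branch (@@ -260,7 +261,24 @@) `$(cat $pidfile)` is expanded unquoted and without checking that the pidfile exists or holds a pid; when the server is not running, `cat` reports an error (the `2> /dev/null` appears to apply to `readlink` only) and the lookup becomes `/proc//exe`. I would read the pid once and guard it, e.g. `reload_pid=$(cat "$pidfile" 2>/dev/null)` followed by `executable=$(readlink "/proc/${reload_pid:-0}/exe" 2>/dev/null)`, and write the test as `[ ! -f "$pidfile" ] && [ -f "$pidfile.rpmsave" ]` instead of using `-a`. The comment block should also say that a refused reload leaves the old, pre-update binary serving requests until someone restarts it by hand, which matters for an update that ships CVE fixes.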
