Hello community, here is the log from the commit of package apache2 for openSUSE:12.1:Update:Test checked in at 2012-02-16 10:34:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/apache2 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:12.1:Update:Test/apache2/apache2.changes 2011-11-28 18:42:47.000000000 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.apache2.new/apache2.changes 2012-02-16 10:34:49.000000000 +0100 @@ -1,0 +2,47 @@ +Tue Feb 14 02:31:25 CET 2012 - [email protected] + +- httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff + addresses CVE-2012-0053: error responses can expose cookies when + no custom 400 error code ErrorDocument is configured. [bnc#743743] +- httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff: + scoreboard corruption (shared mem segment) by child causes + crash of privileged parent (invalid free()) during shutdown. + This is rated low impact. Notice: + https://svn.apache.org/viewvc?view=revision&revision=1230065 + makes a change to the struct global_score, which causes binary + incompatibility. The change in above patch only goes as far as + the binary compatibility allows; the vulnerability is completely + fixed, though. CVE-2012-0031 [bnc#741243] + +------------------------------------------------------------------- +Tue Feb 14 01:50:26 CET 2012 - [email protected] + +- /etc/init.d/apache2: new argument "check-reload". Exits 1 if + httpd2 runs on deleted binaries such as after package update, + else 0. This is used by equally modified /etc/logrotate.d/apache2, + which uses "/etc/init.d/apache2 check-reload" in its prerotate + script. + These changes prevent httpd2 from being (gracefully) reloaded + by logrotate, executed by cron, if new binaries have been + installed. Instead, a warning is printed on stdout and is being + logged to the syslogs. If this happens, apache's logs are NOT + rotated, and the running processes are left untouched. This + limits the maximum damage of log rotation to unrotated logs. + "/etc/init.d/apache2 restart" (or "rcapache2 restart") must be + executed manually in such a case. [bnc#728876] +- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff: Fix for + integer overflow in server/util.c also known as CVE-2011-3607. + [bnc#729181] +- enable build and configuration of mod_reqtimeout.c module by + default in /etc/sysconfig/apache2 (APACHE_MODULES=...). This + does not change already existing sysconfig files, the module + is only activated via sysconfig if this package is installed + without pre-existing sysconfig file. See new file + /etc/apache2/mod_reqtimeout.conf for configurables. + Helps against Slowloris.pl DoS vulnerability that consists of + eating up request slots by very slowly submitting the request. + Note that mod_reqtimeout limits requests based on a lower + boundary of request speed, not an upper boundary! + CVE-2007-6750 [bnc#738855]. + +------------------------------------------------------------------- New: ---- apache2-mod_reqtimeout.conf httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.jG6g4m/_old 2012-02-16 10:34:50.000000000 +0100 +++ /var/tmp/diff_new_pack.jG6g4m/_new 2012-02-16 10:34:50.000000000 +0100 @@ -118,6 +118,7 @@ Source111: apache2-server-tuning.conf Source113: apache2-ssl-global.conf Source114: apache2-mod_usertrack.conf +Source115: apache2-mod_reqtimeout.conf Source130: apache2-vhost.template Source131: apache2-vhost-ssl.template Source140: apache2-check_forensic @@ -138,6 +139,9 @@ Patch105: ssl-mode-release-buffers.patch Patch106: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff Patch107: httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff +Patch108: httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff +Patch109: httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff +Patch110: httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.2 @@ -362,6 +366,9 @@ %patch105 %patch106 %patch107 +%patch108 +%patch109 +%patch110 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # @@ -426,6 +433,7 @@ --enable-bucketeer \ --enable-case_filter \ --enable-case_filter_in \ + --enable-reqtimeout \ \ --with-ldap \ --enable-ldap \ @@ -665,6 +673,7 @@ mod_status.conf \ mod_userdir.conf \ mod_usertrack.conf \ + mod_reqtimeout.conf \ server-tuning.conf \ ssl-global.conf do ++++++ apache2-mod_reqtimeout.conf ++++++ # # Set timeout and minimum data rate for receiving requests to limit # the effects of denial of service attacks that connect, but let the # server wait for the completion of the request, thereby allocating # resources. # # mod_reqtimeout.c must be loaded. # # see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html # or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en # # Note: # the RequestReadTimeout directive can also be placed into a # virtual host context. # # Play around with variations of the below values if you are # under attack from slowloris or a similar tool. <IfModule mod_reqtimeout.c> # allow 10s timeout for the headers and allow 1s more until 20s upon # receipt of 1000 bytes. # almost the same with the body, except that it is tricky to # limit the request timeout within the body at all - it may take # time to generate the body. RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000 </IfModule> ++++++ apache2.logrotate ++++++ --- /var/tmp/diff_new_pack.jG6g4m/_old 2012-02-16 10:34:50.000000000 +0100 +++ /var/tmp/diff_new_pack.jG6g4m/_new 2012-02-16 10:34:50.000000000 +0100 @@ -7,6 +7,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript @@ -21,6 +24,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript @@ -35,6 +41,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript @@ -49,6 +58,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript @@ -63,6 +75,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript ++++++ httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff ++++++ diff -rNU 20 ../httpd-2.2.21-o/server/util.c ./server/util.c --- ../httpd-2.2.21-o/server/util.c 2011-05-19 04:17:37.000000000 +0200 +++ ./server/util.c 2012-02-14 01:49:36.000000000 +0100 @@ -349,72 +349,80 @@ * passed ap_regexec(). pmatch should not be greater than the maximum number * of subexpressions - i.e. one more than the re_nsub member of ap_regex_t. * * input should be the string with the $-expressions, source should be the * string that was matched against. * * It returns the substituted string, or NULL on error. * * Parts of this code are based on Henry Spencer's regsub(), from his * AT&T V8 regexp package. */ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, const char *source, size_t nmatch, ap_regmatch_t pmatch[]) { const char *src = input; char *dest, *dst; char c; size_t no; - int len; + apr_size_t len; if (!source) return NULL; if (!nmatch) return apr_pstrdup(p, src); /* First pass, find the size */ len = 0; while ((c = *src++) != '\0') { if (c == '&') no = 0; else if (c == '$' && apr_isdigit(*src)) no = *src++ - '0'; else no = 10; if (no > 9) { /* Ordinary character. */ if (c == '\\' && (*src == '$' || *src == '&')) src++; len++; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { + if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { + ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL, + "integer overflow or out of memory condition." ); + } len += pmatch[no].rm_eo - pmatch[no].rm_so; } } dest = dst = apr_pcalloc(p, len + 1); + if(!dest) + return NULL; + + /* Now actually fill in the string */ src = input; while ((c = *src++) != '\0') { if (c == '&') no = 0; else if (c == '$' && apr_isdigit(*src)) no = *src++ - '0'; else no = 10; if (no > 9) { /* Ordinary character. */ if (c == '\\' && (*src == '$' || *src == '&')) c = *src++; *dst++ = c; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { len = pmatch[no].rm_eo - pmatch[no].rm_so; memcpy(dst, source + pmatch[no].rm_so, len); ++++++ httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff ++++++ http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/ (credits: halfdog) upstream changeset: https://svn.apache.org/viewvc?view=revision&revision=1230065 not implemented from upstream due to binary incompatibility: change of struct global_score The change below is sufficient to fix the bug. This vulnerability is rated low impact. Tue Feb 14 02:37:14 CET 2012 Roman. diff -rNU 30 ../httpd-2.2.21-o/server/scoreboard.c ./server/scoreboard.c --- ../httpd-2.2.21-o/server/scoreboard.c 2010-10-07 18:56:54.000000000 +0200 +++ ./server/scoreboard.c 2012-02-14 02:35:30.000000000 +0100 @@ -14,60 +14,61 @@ * limitations under the License. */ #include "apr.h" #include "apr_strings.h" #include "apr_portable.h" #include "apr_lib.h" #define APR_WANT_STRFUNC #include "apr_want.h" #if APR_HAVE_SYS_TYPES_H #include <sys/types.h> #endif #include "ap_config.h" #include "httpd.h" #include "http_log.h" #include "http_main.h" #include "http_core.h" #include "http_config.h" #include "ap_mpm.h" #include "mpm.h" #include "scoreboard.h" AP_DECLARE_DATA scoreboard *ap_scoreboard_image = NULL; AP_DECLARE_DATA const char *ap_scoreboard_fname = NULL; AP_DECLARE_DATA int ap_extended_status = 0; AP_DECLARE_DATA int ap_mod_status_reqtail = 0; +static ap_scoreboard_e scoreboard_type; #if APR_HAS_SHARED_MEMORY #include "apr_shm.h" #ifndef WIN32 static /* but must be exported to mpm_winnt */ #endif apr_shm_t *ap_scoreboard_shm = NULL; #endif APR_HOOK_STRUCT( APR_HOOK_LINK(pre_mpm) ) AP_IMPLEMENT_HOOK_RUN_ALL(int,pre_mpm, (apr_pool_t *p, ap_scoreboard_e sb_type), (p, sb_type),OK,DECLINED) static APR_OPTIONAL_FN_TYPE(ap_proxy_lb_workers) *proxy_lb_workers; struct ap_sb_handle_t { int child_num; int thread_num; }; static int server_limit, thread_limit, lb_limit; static apr_size_t scoreboard_size; @@ -223,61 +224,61 @@ /* If detach is non-zero, this is a seperate child process, * if zero, it is a forked child. */ apr_status_t ap_reopen_scoreboard(apr_pool_t *p, apr_shm_t **shm, int detached) { #if APR_HAS_SHARED_MEMORY if (!detached) { return APR_SUCCESS; } if (apr_shm_size_get(ap_scoreboard_shm) < scoreboard_size) { ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL, "Fatal error: shared scoreboard too small for child!"); apr_shm_detach(ap_scoreboard_shm); ap_scoreboard_shm = NULL; return APR_EINVAL; } /* everything will be cleared shortly */ if (*shm) { *shm = ap_scoreboard_shm; } #endif return APR_SUCCESS; } apr_status_t ap_cleanup_scoreboard(void *d) { if (ap_scoreboard_image == NULL) { return APR_SUCCESS; } - if (ap_scoreboard_image->global->sb_type == SB_SHARED) { + if (scoreboard_type == SB_SHARED) { ap_cleanup_shared_mem(NULL); } else { free(ap_scoreboard_image->global); free(ap_scoreboard_image); ap_scoreboard_image = NULL; } return APR_SUCCESS; } /* Create or reinit an existing scoreboard. The MPM can control whether * the scoreboard is shared across multiple processes or not */ int ap_create_scoreboard(apr_pool_t *p, ap_scoreboard_e sb_type) { int i; #if APR_HAS_SHARED_MEMORY apr_status_t rv; #endif if (ap_scoreboard_image) { ap_scoreboard_image->global->restart_time = apr_time_now(); memset(ap_scoreboard_image->parent, 0, sizeof(process_score) * server_limit); for (i = 0; i < server_limit; i++) { memset(ap_scoreboard_image->servers[i], 0, sizeof(worker_score) * thread_limit); } /* Clean up the lb workers data */ if (lb_limit) { @@ -286,60 +287,61 @@ } return OK; } ap_calc_scoreboard_size(); #if APR_HAS_SHARED_MEMORY if (sb_type == SB_SHARED) { void *sb_shared; rv = open_scoreboard(p); if (rv || !(sb_shared = apr_shm_baseaddr_get(ap_scoreboard_shm))) { return HTTP_INTERNAL_SERVER_ERROR; } memset(sb_shared, 0, scoreboard_size); ap_init_scoreboard(sb_shared); } else #endif { /* A simple malloc will suffice */ void *sb_mem = calloc(1, scoreboard_size); if (sb_mem == NULL) { ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL, "(%d)%s: cannot allocate scoreboard", errno, strerror(errno)); return HTTP_INTERNAL_SERVER_ERROR; } ap_init_scoreboard(sb_mem); } ap_scoreboard_image->global->sb_type = sb_type; + scoreboard_type = sb_type; ap_scoreboard_image->global->running_generation = 0; ap_scoreboard_image->global->restart_time = apr_time_now(); apr_pool_cleanup_register(p, NULL, ap_cleanup_scoreboard, apr_pool_cleanup_null); return OK; } /* Routines called to deal with the scoreboard image * --- note that we do *not* need write locks, since update_child_status * only updates a *single* record in place, and only one process writes to * a given scoreboard slot at a time (either the child process owning that * slot, or the parent, noting that the child has died). * * As a final note --- setting the score entry to getpid() is always safe, * since when the parent is writing an entry, it's only noting SERVER_DEAD * anyway. */ AP_DECLARE(int) ap_exists_scoreboard_image(void) { return (ap_scoreboard_image ? 1 : 0); } AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r) { worker_score *ws; if (!sb) return; ++++++ httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff ++++++ diff -rNU 30 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c --- ../httpd-2.2.21-o/server/protocol.c 2012-02-14 02:20:09.000000000 +0100 +++ ./server/protocol.c 2012-02-14 02:26:15.000000000 +0100 @@ -667,170 +667,192 @@ if (ll[0]) { r->assbackwards = 0; pro = ll; len = strlen(ll); } else { r->assbackwards = 1; pro = "HTTP/0.9"; len = 8; } r->protocol = apr_pstrmemdup(r->pool, pro, len); /* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */ /* Avoid sscanf in the common case */ if (len == 8 && pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P' && pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.' && apr_isdigit(pro[7])) { r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0'); } else if (3 == sscanf(r->protocol, "%4s/%u.%u", http, &major, &minor) && (strcasecmp("http", http) == 0) && (minor < HTTP_VERSION(1, 0)) ) /* don't allow HTTP/0.1000 */ r->proto_num = HTTP_VERSION(major, minor); else r->proto_num = HTTP_VERSION(1, 0); return 1; } +/* get the length of the field name for logging, but no more than 80 bytes */ +#define LOG_NAME_MAX_LEN 80 +static int field_name_len(const char *field) +{ + const char *end = ap_strchr_c(field, ':'); + if (end == NULL || end - field > LOG_NAME_MAX_LEN) + return LOG_NAME_MAX_LEN; + return end - field; +} + + AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb) { char *last_field = NULL; apr_size_t last_len = 0; apr_size_t alloc_len = 0; char *field; char *value; apr_size_t len; int fields_read = 0; char *tmp_field; /* * Read header lines until we get the empty separator line, a read error, * the connection closes (EOF), reach the server limit, or we timeout. */ while(1) { apr_status_t rv; int folded = 0; field = NULL; rv = ap_rgetline(&field, r->server->limit_req_fieldsize + 2, &len, r, 0, bb); if (rv != APR_SUCCESS) { if (APR_STATUS_IS_TIMEUP(rv)) { r->status = HTTP_REQUEST_TIME_OUT; } else { r->status = HTTP_BAD_REQUEST; } /* ap_rgetline returns APR_ENOSPC if it fills up the buffer before * finding the end-of-line. This is only going to happen if it * exceeds the configured limit for a field size. */ if (rv == APR_ENOSPC && field) { /* insure ap_escape_html will terminate correctly */ field[len - 1] = '\0'; apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "exceeds server limit.<br />\n" - "<pre>\n", - ap_escape_html(r->pool, field), - "</pre>\n", NULL)); + "<pre>\n%.*s\n</pre>/n", + field_name_len(field), + ap_escape_html(r->pool, field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize: " + "%.*s", field_name_len(field), field); } return; } if (last_field != NULL) { if ((len > 0) && ((*field == '\t') || *field == ' ')) { /* This line is a continuation of the preceding line(s), * so append it to the line that we've set aside. * Note: this uses a power-of-two allocator to avoid * doing O(n) allocs and using O(n^2) space for * continuations that span many many lines. */ apr_size_t fold_len = last_len + len + 1; /* trailing null */ if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) { r->status = HTTP_BAD_REQUEST; /* report what we have accumulated so far before the * overflow (last_field) as the field with the problem */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "after folding " "exceeds server limit.<br />\n" - "<pre>\n", - ap_escape_html(r->pool, last_field), - "</pre>\n", NULL)); + "<pre>\n%.*s\n</pre>\n", + field_name_len(last_field), + ap_escape_html(r->pool, last_field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize " + "after folding: %.*s", + field_name_len(last_field), last_field); return; } if (fold_len > alloc_len) { char *fold_buf; alloc_len += alloc_len; if (fold_len > alloc_len) { alloc_len = fold_len; } fold_buf = (char *)apr_palloc(r->pool, alloc_len); memcpy(fold_buf, last_field, last_len); last_field = fold_buf; } memcpy(last_field + last_len, field, len +1); /* +1 for nul */ last_len += len; folded = 1; } else /* not a continuation line */ { if (r->server->limit_req_fields && (++fields_read > r->server->limit_req_fields)) { r->status = HTTP_BAD_REQUEST; apr_table_setn(r->notes, "error-notes", "The number of request header fields " "exceeds this server's limit."); return; } if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ r->status = HTTP_BAD_REQUEST; /* abort bad request */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Request header field is " "missing ':' separator.<br />\n" - "<pre>\n", + "<pre>\n%.*s</pre>\n", + (int)LOG_NAME_MAX_LEN, ap_escape_html(r->pool, - last_field), - "</pre>\n", NULL)); + last_field))); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Request header field is missing ':' " + "separator: %.*s", (int)LOG_NAME_MAX_LEN, + last_field); return; } tmp_field = value - 1; /* last character of field-name */ *value++ = '\0'; /* NUL-terminate at colon */ while (*value == ' ' || *value == '\t') { ++value; /* Skip to start of value */ } /* Strip LWS after field-name: */ while (tmp_field > last_field && (*tmp_field == ' ' || *tmp_field == '\t')) { *tmp_field-- = '\0'; } /* Strip LWS after field-value: */ tmp_field = last_field + last_len - 1; while (tmp_field > value && (*tmp_field == ' ' || *tmp_field == '\t')) { *tmp_field-- = '\0'; } apr_table_addn(r->headers_in, last_field, value); /* reset the alloc_len so that we'll allocate a new * buffer if we have to do any more folding: we can't * use the previous buffer because its contents are * now part of r->headers_in ++++++ rc.apache2 ++++++ --- /var/tmp/diff_new_pack.jG6g4m/_old 2012-02-16 10:34:50.000000000 +0100 +++ /var/tmp/diff_new_pack.jG6g4m/_new 2012-02-16 10:34:50.000000000 +0100 @@ -8,6 +8,7 @@ # Authors: Rolf Haberrecker <[email protected]>, 2001 # Peter Poeml <[email protected]>, 2002, 2003, 2004, 2005, 2006, 2007, # 2008, 2009, 2010 +# Roman Drahtmueller <[email protected]>, 2011, 2012 # # # /etc/init.d/apache2 @@ -162,7 +163,7 @@ echo -n "(not running)" else pid=$(<$pidfile) - # re-read exe symlink, it could be (deleted) in the meanwhile. + # re-read exe symlink, it could be (deleted) in the meanwhile with a package update. apache_bin=$(readlink /proc/$pid/exe 2>/dev/null) kill -TERM $pid 2>/dev/null case $? in @@ -182,7 +183,6 @@ else break fi - done ;; esac @@ -262,16 +262,26 @@ # Remember status and be quiet rc_status ;; - reload|force-reload|graceful) + check-reload) # check if there is a deleted binary. If there is, then logrotate # or other occasions will fail to reload, as dlopen(3) of apache # modules is prone to fail due to symbol mismatches. - # in this case, we only complain and fail. + # in this case, we complain and fail. + # + # check-reload is used by /etc/logrotate.d/apache2 by default. + # /etc/logrotate.d/apache2 will not be replaced upon update + # if the administrator has changed the file. if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null ) case "$executable" in *httpd*delete*) - echo -n "Reload httpd2 after package update: ignoring request. Please do a manual restart explicitly! " + { + echo "httpd2 is running on deleted binaries and cannot reload the configuration." + echo -n "Please restart apache using \"rcapache2 restart\"! " + } | logger -p daemon.warn -t "/etc/init.d/apache2 check-reload" + # echo again to stderr, logger swallows \n + echo "httpd2 is running on deleted binaries and cannot reload the configuration." + echo -n "Please restart apache using \"rcapache2 restart\"! " rc_failed 1 rc_status -v rc_exit @@ -279,8 +289,16 @@ *) ;; esac + ;; # check-reload + + reload|force-reload|graceful) + $0 check-reload || { + # can't restart. abort here, do not risk operation. + rc_exit + } echo -n "Reload httpd2 (graceful restart)" + cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@") if eval $cmdline -t &> $logdir/rc$pname.out; then killproc -USR1 $apache_bin || return=$rc_failed @@ -372,6 +390,8 @@ restart - stop httpd if running; start httpd restart-graceful - stop httpd gracefully if running; start httpd + check-reload - check if a reload is impossible due to deleted + binaries after a package update reload|graceful - do a graceful restart by sending a SIGUSR1, or start if not running stop-graceful - stop httpd (sending SIGWINCH to parent) ++++++ sysconfig.apache2 ++++++ --- /var/tmp/diff_new_pack.jG6g4m/_old 2012-02-16 10:34:50.000000000 +0100 +++ /var/tmp/diff_new_pack.jG6g4m/_new 2012-02-16 10:34:50.000000000 +0100 @@ -72,7 +72,7 @@ # apache's default installation # APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir" # your settings -APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5" +APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 reqtimeout" ## Type: string -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
