Hello community, here is the log from the commit of package apache2 for openSUSE:11.4 checked in at Thu Feb 16 18:09:39 CET 2012.
-------- --- old-versions/11.4/UPDATES/all/apache2/apache2.changes 2011-11-29 16:53:50.000000000 +0100 +++ 11.4/apache2/apache2.changes 2012-02-14 03:29:38.000000000 +0100 @@ -1,0 +2,42 @@ +Tue Feb 14 02:48:09 CET 2012 - [email protected] + +- /etc/init.d/apache2: new argument "check-reload". Exits 1 if + httpd2 runs on deleted binaries such as after package update, + else 0. This is used by equally modified /etc/logrotate.d/apache2, + which uses "/etc/init.d/apache2 check-reload" in its prerotate + script. + These changes prevent httpd2 from being (gracefully) reloaded + by logrotate, executed by cron, if new binaries have been + installed. Instead, a warning is printed on stdout and is being + logged to the syslogs. If this happens, apache's logs are NOT + rotated, and the running processes are left untouched. This + limits the maximum damage of log rotation to unrotated logs. + "/etc/init.d/apache2 restart" (or "rcapache2 restart") must be + executed manually in such a case. [bnc#728876] +- httpd-2.2.x-bnc738855-CVE-2007-6750-mod_reqtimeout-*.diff: + disallow keepalives. +- enable build and configuration of mod_reqtimeout.c module by + default in /etc/sysconfig/apache2 (APACHE_MODULES=...). This + does not change already existing sysconfig files, the module + is only activated via sysconfig if this package is installed + without pre-existing sysconfig file. See new file + /etc/apache2/mod_reqtimeout.conf for configurables. + Helps against Slowloris.pl DoS vulnerability that consists of + eating up request slots by very slowly submitting the request. + Note that mod_reqtimeout limits requests based on a lower + boundary of request speed, not an upper boundary! + CVE-2007-6750 [bnc#738855]. +- httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff: + scoreboard corruption (shared mem segment) by child causes + crash of privileged parent (invalid free()) during shutdown. + This is rated low impact. Notice: + https://svn.apache.org/viewvc?view=revision&revision=1230065 + makes a change to the struct global_score, which causes binary + incompatibility. The change in above patch only goes as far as + the binary compatibility allows; the vulnerability is completely + fixed, though. CVE-2012-0031 [bnc#741243] +- httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff + addresses CVE-2012-0053: error responses can expose cookies when + no custom 400 error code ErrorDocument is configured. [bnc#743743] + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- apache2-mod_reqtimeout.conf httpd-2.2.x-bnc738855-CVE-2007-6750-mod_reqtimeout-020-modules_filters_mod_reqtimeout_c.diff httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.v7CyiZ/_old 2012-02-16 18:09:19.000000000 +0100 +++ /var/tmp/diff_new_pack.v7CyiZ/_new 2012-02-16 18:09:19.000000000 +0100 @@ -1,7 +1,7 @@ # # spec file for package apache2 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -69,7 +69,7 @@ Group: Productivity/Networking/Web/Servers %define realver 2.2.17 Version: 2.2.17 -Release: 4.<RELEASE11> +Release: 4.<RELEASE13> #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 # Add file to take mtime from it in prep section @@ -114,6 +114,7 @@ Source111: apache2-server-tuning.conf Source113: apache2-ssl-global.conf Source114: apache2-mod_usertrack.conf +Source115: apache2-mod_reqtimeout.conf Source130: apache2-vhost.template Source131: apache2-vhost-ssl.template Source140: apache2-check_forensic @@ -131,6 +132,9 @@ Patch103: httpd-2.2.x-CVE-2011-3348-mod_proxy_ajp.patch Patch104: httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff Patch105: httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff +Patch106: httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff +Patch107: httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff +Patch108: httpd-2.2.x-bnc738855-CVE-2007-6750-mod_reqtimeout-020-modules_filters_mod_reqtimeout_c.diff Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.2 @@ -362,6 +366,9 @@ %patch103 -p0 %patch104 -p0 %patch105 -p0 +%patch106 -p0 +%patch107 -p0 +%patch108 -p0 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # @@ -429,6 +436,7 @@ --enable-bucketeer \ --enable-case_filter \ --enable-case_filter_in \ + --enable-reqtimeout \ \ --with-ldap \ --enable-ldap \ @@ -663,6 +671,7 @@ mod_status.conf \ mod_userdir.conf \ mod_usertrack.conf \ + mod_reqtimeout.conf \ server-tuning.conf \ ssl-global.conf do ++++++ apache2-mod_reqtimeout.conf ++++++ # # Set timeout and minimum data rate for receiving requests to limit # the effects of denial of service attacks that connect, but let the # server wait for the completion of the request, thereby allocating # resources. # # mod_reqtimeout.c must be loaded. # # see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html # or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en # # Note: # the RequestReadTimeout directive can also be placed into a # virtual host context. # # Play around with variations of the below values if you are # under attack from slowloris or a similar tool. <IfModule mod_reqtimeout.c> # allow 10s timeout for the headers and allow 1s more until 20s upon # receipt of 1000 bytes. # almost the same with the body, except that it is tricky to # limit the request timeout within the body at all - it may take # time to generate the body. RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000 </IfModule> ++++++ apache2.logrotate ++++++ --- /var/tmp/diff_new_pack.v7CyiZ/_old 2012-02-16 18:09:19.000000000 +0100 +++ /var/tmp/diff_new_pack.v7CyiZ/_new 2012-02-16 18:09:19.000000000 +0100 @@ -7,6 +7,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript @@ -21,6 +24,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript @@ -35,6 +41,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript @@ -49,6 +58,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript @@ -63,6 +75,9 @@ notifempty missingok create 644 root root + prerotate + /etc/init.d/apache2 check-reload + endscript postrotate /etc/init.d/apache2 reload endscript ++++++ httpd-2.2.x-bnc738855-CVE-2007-6750-mod_reqtimeout-020-modules_filters_mod_reqtimeout_c.diff ++++++ diff -rNU 30 ../httpd-2.2.17-o/modules/filters/mod_reqtimeout.c ./modules/filters/mod_reqtimeout.c --- ../httpd-2.2.17-o/modules/filters/mod_reqtimeout.c 2010-10-08 01:51:55.000000000 +0200 +++ ./modules/filters/mod_reqtimeout.c 2011-08-29 17:25:12.000000000 +0200 @@ -280,60 +280,67 @@ MIN(time_left, saved_sock_timeout)); AP_DEBUG_ASSERT(rv == APR_SUCCESS); } while (1); if (ccfg->tmpbb) APR_BRIGADE_PREPEND(bb, ccfg->tmpbb); } else { /* mode != AP_MODE_GETLINE */ rv = ap_get_brigade(f->next, bb, mode, block, readbytes); if (ccfg->min_rate > 0 && rv == APR_SUCCESS) { extend_timeout(ccfg, bb); } } apr_socket_timeout_set(ccfg->socket, saved_sock_timeout); out: if (APR_STATUS_IS_TIMEUP(rv)) { ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c, "Request %s read timeout", ccfg->type); /* * If we allow a normal lingering close, the client may keep this * process/thread busy for another 30s (MAX_SECS_TO_LINGER). * Therefore we tell ap_lingering_close() to shorten this period to * 2s (SECONDS_TO_LINGER). */ apr_table_setn(f->c->notes, "short-lingering-close", "1"); + + /* + * Also, we must not allow keep-alive requests, as + * ap_finalize_protocol() may ignore our error status (if the timeout + * happened on a request body that is discarded). + */ + f->c->keepalive = AP_CONN_CLOSE; } return rv; } static int reqtimeout_init(conn_rec *c) { reqtimeout_con_cfg *ccfg; reqtimeout_srv_cfg *cfg; cfg = ap_get_module_config(c->base_server->module_config, &reqtimeout_module); AP_DEBUG_ASSERT(cfg != NULL); if (cfg->header_timeout <= 0 && cfg->body_timeout <= 0) { /* not configured for this vhost */ return DECLINED; } ccfg = apr_pcalloc(c->pool, sizeof(reqtimeout_con_cfg)); ccfg->new_timeout = cfg->header_timeout; ccfg->new_max_timeout = cfg->header_max_timeout; ccfg->type = "header"; ccfg->min_rate = cfg->header_min_rate; ccfg->rate_factor = cfg->header_rate_factor; ap_set_module_config(c->conn_config, &reqtimeout_module, ccfg); ap_add_input_filter("reqtimeout", ccfg, NULL, c); /* we are not handling the connection, we just do initialization */ return DECLINED; } ++++++ httpd-2.2.x-bnc741243-CVE-2012-0031-scoreboard_handling.diff ++++++ http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/ (credits: halfdog) upstream changeset: https://svn.apache.org/viewvc?view=revision&revision=1230065 not implemented from upstream due to binary incompatibility: change of struct global_score The change below is sufficient to fix the bug. This vulnerability is rated low impact. Tue Feb 14 02:37:14 CET 2012 Roman. diff -rNU 30 ../httpd-2.2.21-o/server/scoreboard.c ./server/scoreboard.c --- ../httpd-2.2.21-o/server/scoreboard.c 2010-10-07 18:56:54.000000000 +0200 +++ ./server/scoreboard.c 2012-02-14 02:35:30.000000000 +0100 @@ -14,60 +14,61 @@ * limitations under the License. */ #include "apr.h" #include "apr_strings.h" #include "apr_portable.h" #include "apr_lib.h" #define APR_WANT_STRFUNC #include "apr_want.h" #if APR_HAVE_SYS_TYPES_H #include <sys/types.h> #endif #include "ap_config.h" #include "httpd.h" #include "http_log.h" #include "http_main.h" #include "http_core.h" #include "http_config.h" #include "ap_mpm.h" #include "mpm.h" #include "scoreboard.h" AP_DECLARE_DATA scoreboard *ap_scoreboard_image = NULL; AP_DECLARE_DATA const char *ap_scoreboard_fname = NULL; AP_DECLARE_DATA int ap_extended_status = 0; AP_DECLARE_DATA int ap_mod_status_reqtail = 0; +static ap_scoreboard_e scoreboard_type; #if APR_HAS_SHARED_MEMORY #include "apr_shm.h" #ifndef WIN32 static /* but must be exported to mpm_winnt */ #endif apr_shm_t *ap_scoreboard_shm = NULL; #endif APR_HOOK_STRUCT( APR_HOOK_LINK(pre_mpm) ) AP_IMPLEMENT_HOOK_RUN_ALL(int,pre_mpm, (apr_pool_t *p, ap_scoreboard_e sb_type), (p, sb_type),OK,DECLINED) static APR_OPTIONAL_FN_TYPE(ap_proxy_lb_workers) *proxy_lb_workers; struct ap_sb_handle_t { int child_num; int thread_num; }; static int server_limit, thread_limit, lb_limit; static apr_size_t scoreboard_size; @@ -223,61 +224,61 @@ /* If detach is non-zero, this is a seperate child process, * if zero, it is a forked child. */ apr_status_t ap_reopen_scoreboard(apr_pool_t *p, apr_shm_t **shm, int detached) { #if APR_HAS_SHARED_MEMORY if (!detached) { return APR_SUCCESS; } if (apr_shm_size_get(ap_scoreboard_shm) < scoreboard_size) { ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL, "Fatal error: shared scoreboard too small for child!"); apr_shm_detach(ap_scoreboard_shm); ap_scoreboard_shm = NULL; return APR_EINVAL; } /* everything will be cleared shortly */ if (*shm) { *shm = ap_scoreboard_shm; } #endif return APR_SUCCESS; } apr_status_t ap_cleanup_scoreboard(void *d) { if (ap_scoreboard_image == NULL) { return APR_SUCCESS; } - if (ap_scoreboard_image->global->sb_type == SB_SHARED) { + if (scoreboard_type == SB_SHARED) { ap_cleanup_shared_mem(NULL); } else { free(ap_scoreboard_image->global); free(ap_scoreboard_image); ap_scoreboard_image = NULL; } return APR_SUCCESS; } /* Create or reinit an existing scoreboard. The MPM can control whether * the scoreboard is shared across multiple processes or not */ int ap_create_scoreboard(apr_pool_t *p, ap_scoreboard_e sb_type) { int i; #if APR_HAS_SHARED_MEMORY apr_status_t rv; #endif if (ap_scoreboard_image) { ap_scoreboard_image->global->restart_time = apr_time_now(); memset(ap_scoreboard_image->parent, 0, sizeof(process_score) * server_limit); for (i = 0; i < server_limit; i++) { memset(ap_scoreboard_image->servers[i], 0, sizeof(worker_score) * thread_limit); } /* Clean up the lb workers data */ if (lb_limit) { @@ -286,60 +287,61 @@ } return OK; } ap_calc_scoreboard_size(); #if APR_HAS_SHARED_MEMORY if (sb_type == SB_SHARED) { void *sb_shared; rv = open_scoreboard(p); if (rv || !(sb_shared = apr_shm_baseaddr_get(ap_scoreboard_shm))) { return HTTP_INTERNAL_SERVER_ERROR; } memset(sb_shared, 0, scoreboard_size); ap_init_scoreboard(sb_shared); } else #endif { /* A simple malloc will suffice */ void *sb_mem = calloc(1, scoreboard_size); if (sb_mem == NULL) { ap_log_error(APLOG_MARK, APLOG_CRIT, 0, NULL, "(%d)%s: cannot allocate scoreboard", errno, strerror(errno)); return HTTP_INTERNAL_SERVER_ERROR; } ap_init_scoreboard(sb_mem); } ap_scoreboard_image->global->sb_type = sb_type; + scoreboard_type = sb_type; ap_scoreboard_image->global->running_generation = 0; ap_scoreboard_image->global->restart_time = apr_time_now(); apr_pool_cleanup_register(p, NULL, ap_cleanup_scoreboard, apr_pool_cleanup_null); return OK; } /* Routines called to deal with the scoreboard image * --- note that we do *not* need write locks, since update_child_status * only updates a *single* record in place, and only one process writes to * a given scoreboard slot at a time (either the child process owning that * slot, or the parent, noting that the child has died). * * As a final note --- setting the score entry to getpid() is always safe, * since when the parent is writing an entry, it's only noting SERVER_DEAD * anyway. */ AP_DECLARE(int) ap_exists_scoreboard_image(void) { return (ap_scoreboard_image ? 1 : 0); } AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r) { worker_score *ws; if (!sb) return; ++++++ httpd-2.2.x-bnc743743-CVE-2012-0053-server_protocol_c-cookie_exposure.diff ++++++ diff -rNU 30 ../httpd-2.2.12-o/server/protocol.c ./server/protocol.c --- ../httpd-2.2.12-o/server/protocol.c 2012-01-30 13:52:35.000000000 +0100 +++ ./server/protocol.c 2012-01-30 16:09:29.000000000 +0100 @@ -665,165 +665,188 @@ if (ll[0]) { r->assbackwards = 0; pro = ll; len = strlen(ll); } else { r->assbackwards = 1; pro = "HTTP/0.9"; len = 8; } r->protocol = apr_pstrmemdup(r->pool, pro, len); /* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */ /* Avoid sscanf in the common case */ if (len == 8 && pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P' && pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.' && apr_isdigit(pro[7])) { r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0'); } else if (3 == sscanf(r->protocol, "%4s/%u.%u", http, &major, &minor) && (strcasecmp("http", http) == 0) && (minor < HTTP_VERSION(1, 0)) ) /* don't allow HTTP/0.1000 */ r->proto_num = HTTP_VERSION(major, minor); else r->proto_num = HTTP_VERSION(1, 0); return 1; } + +/* get the length of the field name for logging, but no more than 80 bytes */ +#define LOG_NAME_MAX_LEN 80 +static int field_name_len(const char *field) +{ + const char *end = ap_strchr_c(field, ':'); + if (end == NULL || end - field > LOG_NAME_MAX_LEN) + return LOG_NAME_MAX_LEN; + return end - field; +} + + AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb) { char *last_field = NULL; apr_size_t last_len = 0; apr_size_t alloc_len = 0; char *field; char *value; apr_size_t len; int fields_read = 0; char *tmp_field; /* * Read header lines until we get the empty separator line, a read error, * the connection closes (EOF), reach the server limit, or we timeout. */ while(1) { apr_status_t rv; int folded = 0; field = NULL; rv = ap_rgetline(&field, r->server->limit_req_fieldsize + 2, &len, r, 0, bb); if (rv != APR_SUCCESS) { r->status = HTTP_BAD_REQUEST; /* ap_rgetline returns APR_ENOSPC if it fills up the buffer before * finding the end-of-line. This is only going to happen if it * exceeds the configured limit for a field size. */ if (rv == APR_ENOSPC && field) { /* insure ap_escape_html will terminate correctly */ field[len - 1] = '\0'; apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "exceeds server limit.<br />\n" - "<pre>\n", - ap_escape_html(r->pool, field), - "</pre>\n", NULL)); + "<pre>\n%.*s\n</pre>/n", + field_name_len(field), + ap_escape_html(r->pool, field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize: " + "%.*s", field_name_len(field), field); } return; } if (last_field != NULL) { if ((len > 0) && ((*field == '\t') || *field == ' ')) { /* This line is a continuation of the preceding line(s), * so append it to the line that we've set aside. * Note: this uses a power-of-two allocator to avoid * doing O(n) allocs and using O(n^2) space for * continuations that span many many lines. */ apr_size_t fold_len = last_len + len + 1; /* trailing null */ if (fold_len >= (apr_size_t)(r->server->limit_req_fieldsize)) { r->status = HTTP_BAD_REQUEST; /* report what we have accumulated so far before the * overflow (last_field) as the field with the problem */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Size of a request header field " "after folding " "exceeds server limit.<br />\n" - "<pre>\n", - ap_escape_html(r->pool, last_field), - "</pre>\n", NULL)); + "<pre>\n%.*s\n</pre>\n", + field_name_len(last_field), + ap_escape_html(r->pool, last_field))); + ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, + "Request header exceeds LimitRequestFieldSize " + "after folding: %.*s", + field_name_len(last_field), last_field); return; } if (fold_len > alloc_len) { char *fold_buf; alloc_len += alloc_len; if (fold_len > alloc_len) { alloc_len = fold_len; } fold_buf = (char *)apr_palloc(r->pool, alloc_len); memcpy(fold_buf, last_field, last_len); last_field = fold_buf; } memcpy(last_field + last_len, field, len +1); /* +1 for nul */ last_len += len; folded = 1; } else /* not a continuation line */ { if (r->server->limit_req_fields && (++fields_read > r->server->limit_req_fields)) { r->status = HTTP_BAD_REQUEST; apr_table_setn(r->notes, "error-notes", "The number of request header fields " "exceeds this server's limit."); return; } if (!(value = strchr(last_field, ':'))) { /* Find ':' or */ r->status = HTTP_BAD_REQUEST; /* abort bad request */ apr_table_setn(r->notes, "error-notes", - apr_pstrcat(r->pool, + apr_psprintf(r->pool, "Request header field is " "missing ':' separator.<br />\n" - "<pre>\n", + "<pre>\n%.*s</pre>\n", + (int)LOG_NAME_MAX_LEN, ap_escape_html(r->pool, - last_field), - "</pre>\n", NULL)); + last_field))); + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, + "Request header field is missing ':' " + "separator: %.*s", (int)LOG_NAME_MAX_LEN, + last_field); return; } tmp_field = value - 1; /* last character of field-name */ *value++ = '\0'; /* NUL-terminate at colon */ while (*value == ' ' || *value == '\t') { ++value; /* Skip to start of value */ } /* Strip LWS after field-name: */ while (tmp_field > last_field && (*tmp_field == ' ' || *tmp_field == '\t')) { *tmp_field-- = '\0'; } /* Strip LWS after field-value: */ tmp_field = last_field + last_len - 1; while (tmp_field > value && (*tmp_field == ' ' || *tmp_field == '\t')) { *tmp_field-- = '\0'; } apr_table_addn(r->headers_in, last_field, value); /* reset the alloc_len so that we'll allocate a new * buffer if we have to do any more folding: we can't * use the previous buffer because its contents are * now part of r->headers_in ++++++ rc.apache2 ++++++ --- /var/tmp/diff_new_pack.v7CyiZ/_old 2012-02-16 18:09:19.000000000 +0100 +++ /var/tmp/diff_new_pack.v7CyiZ/_new 2012-02-16 18:09:19.000000000 +0100 @@ -160,7 +160,7 @@ echo -n "(not running)" else pid=$(<$pidfile) - # re-read exe symlink, it could be (deleted) in the meanwhile. + # re-read exe symlink, it could be (deleted) in the meanwhile with a package update. apache_bin=$(readlink /proc/$pid/exe 2>/dev/null) kill -TERM $pid 2>/dev/null case $? in @@ -180,7 +180,6 @@ else break fi - done ;; esac @@ -260,16 +259,26 @@ # Remember status and be quiet rc_status ;; - reload|force-reload|graceful) + check-reload) # check if there is a deleted binary. If there is, then logrotate # or other occasions will fail to reload, as dlopen(3) of apache # modules is prone to fail due to symbol mismatches. - # in this case, we only complain and fail. + # in this case, we complain and fail. + # + # check-reload is used by /etc/logrotate.d/apache2 by default. + # /etc/logrotate.d/apache2 will not be replaced upon update + # if the administrator has changed the file. if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null ) case "$executable" in *httpd*delete*) - echo -n "Reload httpd2 after package update: ignoring request. Please do a manual restart explicitly! " + { + echo "httpd2 is running on deleted binaries and cannot reload the configuration." + echo -n "Please restart apache using \"rcapache2 restart\"! " + } | logger -p daemon.warn -t "/etc/init.d/apache2 check-reload" + # echo again to stderr, logger swallows \n + echo "httpd2 is running on deleted binaries and cannot reload the configuration." + echo -n "Please restart apache using \"rcapache2 restart\"! " rc_failed 1 rc_status -v rc_exit @@ -277,6 +286,13 @@ *) ;; esac + ;; # check-reload + + reload|force-reload|graceful) + $0 check-reload || { + # can't restart. abort here, do not risk operation. + rc_exit + } echo -n "Reload httpd2 (graceful restart)" cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@") @@ -370,6 +386,8 @@ restart - stop httpd if running; start httpd restart-graceful - stop httpd gracefully if running; start httpd + check-reload - check if a reload is impossible due to deleted + binaries after a package update reload|graceful - do a graceful restart by sending a SIGUSR1, or start if not running stop-graceful - stop httpd (sending SIGWINCH to parent) ++++++ sysconfig.apache2 ++++++ --- /var/tmp/diff_new_pack.v7CyiZ/_old 2012-02-16 18:09:19.000000000 +0100 +++ /var/tmp/diff_new_pack.v7CyiZ/_new 2012-02-16 18:09:19.000000000 +0100 @@ -72,7 +72,7 @@ # apache's default installation # APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir" # your settings -APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5" +APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 reqtimeout" ## Type: string continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
