Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2012-08-07 11:03:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2012-08-05 15:13:43.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2012-08-07 11:03:43.000000000 +0200 @@ -2,25 +1,0 @@ -Wed Aug 1 04:10:13 UTC 2012 - [email protected] - -- Fix factory-auto (aka r2dbag) complains about URL. -- Provide a symlink for apxs2 new location otherwise - all buggy spec files of external modules will break. - -------------------------------------------------------------------- -Wed Aug 1 02:21:34 UTC 2012 - [email protected] - -- BuildRequire xz explicitly, fix build in !Factory -- Drop more old, unused patches - -------------------------------------------------------------------- -Wed Aug 1 01:14:35 UTC 2012 - [email protected] - -- Upgrade to apache 2.4.2 -** ATTENTION, before installing this update YOU MUST -READ http://httpd.apache.org/docs/2.4/upgrading.html -CAREFULLY otherwise your server will most likely -fail to start due to backward incompatible changes. - -* You can read the huge complete list of changes - at http://httpd.apache.org/docs/2.4/new_features_2_4.html - -------------------------------------------------------------------- Old: ---- apache2.4-mpm-itk-2.4.2-01.patch httpd-2.4.2.tar.xz New: ---- apache2.2-mpm-itk-20090414-00.patch httpd-2.2.22.tar.bz2 httpd-2.2.22.tar.bz2.asc httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff httpd-keepalivetimeout-millisecs.patch httpd-mod_deflate_head.patch httpd-new_pcre.patch ssl-mode-release-buffers.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.QBj9gP/_old 2012-08-07 11:03:45.000000000 +0200 +++ /var/tmp/diff_new_pack.QBj9gP/_new 2012-08-07 11:03:45.000000000 +0200 @@ -25,7 +25,6 @@ BuildRequires: openldap2-devel BuildRequires: openssl-devel BuildRequires: pcre-devel -BuildRequires: xz BuildRequires: zlib-devel %if %{?suse_version:1}0 && 0%{?sles_version} == 9 BuildRequires: libcap @@ -48,7 +47,7 @@ %define pname apache2 %define vers 2 %define httpd httpd2 -%define apache_mmn %(test -s %{S:0} && { echo -n apache_mmn_; xzcat %{S:0} | awk '/^#define MODULE_MAGIC_NUMBER_MAJOR/ {printf "%d", $3}'; }) +%define apache_mmn %(test -s %{S:0} && { echo -n apache_mmn_; bzcat %{S:0} | awk '/^#define MODULE_MAGIC_NUMBER_MAJOR/ {printf "%d", $3}'; }) %define default_mpm prefork %{!?prefork:%define prefork 1} %{!?worker:%define worker 1} @@ -75,13 +74,14 @@ # "Server:" header %define VENDOR SUSE %define platform_string Linux/%VENDOR -%define realver 2.4.2 -Version: 2.4.2 +%define realver 2.2.22 +Version: 2.2.22 Release: 0 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 -Source0: httpd-%{realver}.tar.xz +Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 # Add file to take mtime from it in prep section Source1: apache2.changes +Source5: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2.asc Source6: 60C5442D.key Source10: SUSE-NOTICE Source11: rc.%{pname} @@ -139,8 +139,14 @@ Patch67: httpd-2.2.0-apxs-a2enmod.dif Patch68: httpd-2.x.x-logresolve.patch Patch69: httpd-2.2.x-bnc690734.patch -Patch100: apache2.4-mpm-itk-2.4.2-01.patch +Patch100: apache2.2-mpm-itk-20090414-00.patch Patch101: httpd-2.2.19-linux3.patch +Patch102: httpd-keepalivetimeout-millisecs.patch +Patch104: httpd-mod_deflate_head.patch +Patch105: ssl-mode-release-buffers.patch +Patch106: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff +# PATCH-FIX-UPSTREAM https://issues.apache.org/bugzilla/show_bug.cgi?id=52623 +Patch107: httpd-new_pcre.patch # PATCH-FEATURE-UPSTREAM apache2-mod_ssl_npn.patch [email protected] -- Add npn support to mod_ssl (needed for spdy) Patch108: apache2-mod_ssl_npn.patch Provides: apache2(mod_ssl+npn) @@ -356,15 +362,22 @@ # %setup -q -n httpd-%{realver} %patch2 -p1 -%patch23 +%patch23 -p1 %patch65 -p1 -%patch66 +%patch66 -p1 %patch67 -p1 %patch68 -p1 %patch69 -%patch100 -p1 +%patch100 %patch101 -%patch108 -p1 +%patch102 +%patch104 +%patch105 +%patch106 +%if 0%{?suse_version} >= 1220 +%patch107 +%endif +%patch108 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE @@ -467,8 +480,7 @@ --with-suexec-userdir=%{userdir} \ --with-suexec-uidmin=96 \ --with-suexec-gidmin=96 \ - --with-suexec-safepath=%{suexec_safepath} \ - --disable-heartbeat + --with-suexec-safepath=%{suexec_safepath} } # @@ -725,21 +737,17 @@ mv $i ${i%.*}%{vers}.${i#*.*.} || true done popd - -pushd $RPM_BUILD_ROOT/%{_bindir} -for i in ab dbmmanage htdbm htdigest htpasswd logresolve;do -mv $i ${i}%{vers} || true -done -popd - pushd $RPM_BUILD_ROOT/%{_sbindir} - for i in rotatelogs suexec; do + for i in ab dbmmanage htdbm htdigest htpasswd logresolve rotatelogs suexec; do mv $i ${i}%{vers} || true done mv apachectl apachectl.tmp; mv apachectl.tmp apache%{vers}ctl + for i in dbmmanage htdbm htdigest htpasswd; do + mv ${i}%{vers} ../bin/ + done popd # fix up apxs -pushd $RPM_BUILD_ROOT/%{_bindir} +pushd $RPM_BUILD_ROOT/%{_sbindir} for mpm in %{mpms_to_build}; do cat <<-EOT_ED | ed -s apxs H @@ -768,7 +776,7 @@ install -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/ install -m 644 %{S:49} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name} install -m 644 %{S:50} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/%{name}-ssl -ln -sf %{_bindir}/apxs%{vers} %{buildroot}%{_sbindir} + # # filelists # @@ -777,7 +785,7 @@ echo %dir %{_libdir}/%{pname}-$mpm >> filelist ( echo %dir %{includedir}-$mpm - echo %{_bindir}/apxs%{vers}-$mpm + echo %{_sbindir}/apxs%{vers}-$mpm ) >> filelist-devel done find $RPM_BUILD_ROOT/%{includedir}/.. -type f -o -type l \ @@ -819,7 +827,6 @@ -e 's+%{sysconfdir}+'$RPM_BUILD_ROOT'%{sysconfdir}+' \ -e 's+%{datadir}+'$RPM_BUILD_ROOT'%{datadir}+' \ -e 's+\.conf$+&.test+' \ - -e 's+/var/log+'$RPM_BUILD_ROOT'/var/log+' \ httpd.conf > httpd.conf.test sed -e 's+%{sysconfdir}+'$RPM_BUILD_ROOT'%{sysconfdir}+' \ default-server.conf > default-server.conf.test @@ -966,7 +973,6 @@ %dir %{_prefix}/share/%{pname} %dir %{installbuilddir} %dir %{includedir} -%{_bindir}/apxs%{vers} %{_sbindir}/apxs%{vers} %files doc @@ -993,8 +999,6 @@ %doc %{_mandir}/man?/logresolve%{vers}.?.* %doc %{_mandir}/man?/rotatelogs%{vers}.?.* %doc %{_mandir}/man?/suexec%{vers}.?.* -%{_sbindir}/fcgistarter -%{_mandir}/man8/fcgistarter2.8.* %{_bindir}/check_forensic%{vers} %{_bindir}/dbmmanage%{vers} %{_bindir}/gensslcert @@ -1002,10 +1006,10 @@ %{_bindir}/htdigest%{vers} %{_bindir}/htpasswd%{vers} %{_bindir}/split-logfile%{vers} -%{_bindir}/ab%{vers} -%{_bindir}/httxt2dbm +%{_sbindir}/ab%{vers} +%{_sbindir}/httxt2dbm %{_sbindir}/logresolve.pl%{vers} -%{_bindir}/logresolve%{vers} +%{_sbindir}/logresolve%{vers} %{_sbindir}/rotatelogs%{vers} %verify(not mode) %attr(0755,root,root) %_sbindir/suexec2 %if %prefork ++++++ apache-20-22-upgrade ++++++ --- /var/tmp/diff_new_pack.QBj9gP/_old 2012-08-07 11:03:45.000000000 +0200 +++ /var/tmp/diff_new_pack.QBj9gP/_new 2012-08-07 11:03:45.000000000 +0200 @@ -13,6 +13,7 @@ a2enmod authz_groupfile a2enmod authz_default a2enmod authz_user + cat <<-EOF @@ -60,11 +61,4 @@ a2enmod mod_authnz_ldap fi -for module in mod_authn_default mod_authz_default mod_mem_cache; do - if a2enmod -q "$module"; then - echo "!!ATTENTION! $module was removed from apache version 2.4 or later, CHECK YOUR CONFIGURATION!!!" - a2dismod "$module" - fi -done - echo 'Done.' ++++++ apache2-default-server.conf ++++++ --- /var/tmp/diff_new_pack.QBj9gP/_old 2012-08-07 11:03:45.000000000 +0200 +++ /var/tmp/diff_new_pack.QBj9gP/_new 2012-08-07 11:03:45.000000000 +0200 @@ -102,5 +102,5 @@ Include /etc/apache2/conf.d/*.conf # The manual... if it is installed ('?' means it won't complain) -IncludeOptional /etc/apache2/conf.d/apache2-manual?conf +Include /etc/apache2/conf.d/apache2-manual?conf ++++++ apache2-httpd.conf ++++++ --- /var/tmp/diff_new_pack.QBj9gP/_old 2012-08-07 11:03:45.000000000 +0200 +++ /var/tmp/diff_new_pack.QBj9gP/_new 2012-08-07 11:03:45.000000000 +0200 @@ -202,7 +202,7 @@ # You may use the command line option '-S' to verify your virtual host # configuration. # -IncludeOptional /etc/apache2/vhosts.d/*.conf +Include /etc/apache2/vhosts.d/*.conf # Note: instead of adding your own configuration here, consider ++++++ apache2-mod_ssl_npn.patch ++++++ ++++ 1487 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/apache2/apache2-mod_ssl_npn.patch ++++ and /work/SRC/openSUSE:Factory/.apache2.new/apache2-mod_ssl_npn.patch ++++++ apache2.4-mpm-itk-2.4.2-01.patch -> apache2.2-mpm-itk-20090414-00.patch ++++++ ++++ 2159 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/apache2/apache2.4-mpm-itk-2.4.2-01.patch ++++ and /work/SRC/openSUSE:Factory/.apache2.new/apache2.2-mpm-itk-20090414-00.patch ++++++ httpd-2.0.54-envvars.dif ++++++ --- /var/tmp/diff_new_pack.QBj9gP/_old 2012-08-07 11:03:45.000000000 +0200 +++ /var/tmp/diff_new_pack.QBj9gP/_new 2012-08-07 11:03:45.000000000 +0200 @@ -1,17 +1,11 @@ ---- support/envvars-std.in.orig -+++ support/envvars-std.in -@@ -18,11 +18,9 @@ - # +diff -uNr httpd-2.0.54.orig/support/envvars-std.in httpd-2.0.54/support/envvars-std.in +--- httpd-2.0.54.orig/support/envvars-std.in 2005-02-04 21:21:18.000000000 +0100 ++++ httpd-2.0.54/support/envvars-std.in 2005-10-07 13:56:49.223546288 +0200 +@@ -19,6 +19,6 @@ # This file is generated from envvars-std.in # --if test "x$@SHLIBPATH_VAR@" != "x" ; then -- @SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@" --else -- @SHLIBPATH_VAR@="@exp_libdir@" --fi -+ +-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@" +@SHLIBPATH_VAR@="@exp_libdir@${@SHLIBPATH_VAR@+:$@SHLIBPATH_VAR@}" -+ export @SHLIBPATH_VAR@ # @OS_SPECIFIC_VARS@ ++++++ httpd-2.1.9-apachectl.dif ++++++ --- /var/tmp/diff_new_pack.QBj9gP/_old 2012-08-07 11:03:45.000000000 +0200 +++ /var/tmp/diff_new_pack.QBj9gP/_new 2012-08-07 11:03:45.000000000 +0200 @@ -1,6 +1,7 @@ ---- support/apachectl.in.orig -+++ support/apachectl.in -@@ -42,17 +42,32 @@ ARGV="$@" +diff -uNr httpd-2.1.3-alpha.orig/support/apachectl.in httpd-2.1.3-alpha/support/apachectl.in +--- httpd-2.1.3-alpha.orig/support/apachectl.in 2005-02-04 21:28:49.000000000 +0100 ++++ httpd-2.1.3-alpha/support/apachectl.in 2005-02-25 02:52:49.203566813 +0100 +@@ -41,17 +41,32 @@ # -------------------- -------------------- # # the path to your httpd binary, including options if necessary @@ -35,16 +36,16 @@ # # the URL to your server's mod_status status page. If you do not # have one, then status and fullstatus will not work. -@@ -78,7 +93,7 @@ fi +@@ -77,7 +92,7 @@ - case $ACMD in + case $ARGV in start|stop|restart|graceful|graceful-stop) - $HTTPD -k $ARGV + $HTTPD ${httpd_conf+-f $httpd_conf} -k $ARGV ERROR=$? ;; startssl|sslstart|start-SSL) -@@ -88,7 +103,7 @@ startssl|sslstart|start-SSL) +@@ -87,7 +102,7 @@ ERROR=2 ;; configtest) @@ -53,3 +54,12 @@ ERROR=$? ;; status) +@@ -97,7 +112,7 @@ + $LYNX $STATUSURL + ;; + *) +- $HTTPD $ARGV ++ $HTTPD ${httpd_conf+-f $httpd_conf} $ARGV + ERROR=$? + esac + ++++++ httpd-2.4.2.tar.xz -> httpd-2.2.22.tar.bz2 ++++++ ++++ 911115 lines of diff (skipped) ++++++ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff ++++++ diff -rNU 20 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c --- ../httpd-2.2.21-o/server/protocol.c 2011-05-07 13:39:29.000000000 +0200 +++ ./server/protocol.c 2011-10-07 17:10:46.000000000 +0200 @@ -623,40 +623,64 @@ #if 0 /* XXX If we want to keep track of the Method, the protocol module should do * it. That support isn't in the scoreboard yet. Hopefully next week * sometime. rbb */ ap_update_connection_status(AP_CHILD_THREAD_FROM_ID(conn->id), "Method", r->method); #endif uri = ap_getword_white(r->pool, &ll); /* Provide quick information about the request method as soon as known */ r->method_number = ap_method_number_of(r->method); if (r->method_number == M_GET && r->method[0] == 'H') { r->header_only = 1; } ap_parse_uri(r, uri); +/* + https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&view=patch + This is the fix for CVE-2011-3368; via bnc#722545. + */ + + /* RFC 2616: + * Request-URI = "*" | absoluteURI | abs_path | authority + * + * authority is a special case for CONNECT. If the request is not + * using CONNECT, and the parsed URI does not have scheme, and + * it does not begin with '/', and it is not '*', then, fail + * and give a 400 response. */ + if (r->method_number != M_CONNECT + && !r->parsed_uri.scheme + && uri[0] != '/' + && !(uri[0] == '*' && uri[1] == '\0')) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "invalid request-URI %s", uri); + r->args = NULL; + r->hostname = NULL; + r->status = HTTP_BAD_REQUEST; + r->uri = apr_pstrdup(r->pool, uri); + } + if (ll[0]) { r->assbackwards = 0; pro = ll; len = strlen(ll); } else { r->assbackwards = 1; pro = "HTTP/0.9"; len = 8; } r->protocol = apr_pstrmemdup(r->pool, pro, len); /* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */ /* Avoid sscanf in the common case */ if (len == 8 && pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P' && pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.' && apr_isdigit(pro[7])) { r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0'); } ++++++ httpd-2.2.x-bnc690734.patch ++++++ --- /var/tmp/diff_new_pack.QBj9gP/_old 2012-08-07 11:03:46.000000000 +0200 +++ /var/tmp/diff_new_pack.QBj9gP/_new 2012-08-07 11:03:46.000000000 +0200 @@ -1,6 +1,7 @@ ---- server/util_script.c.orig -+++ server/util_script.c -@@ -415,6 +415,7 @@ AP_DECLARE(int) ap_scan_script_header_er +diff -ruN ../httpd-2.2.17-o/server/util_script.c ./server/util_script.c +--- ../httpd-2.2.17-o/server/util_script.c 2009-01-12 14:59:56.000000000 +0100 ++++ ./server/util_script.c 2011-07-26 15:39:50.000000000 +0200 +@@ -406,6 +406,7 @@ { char x[MAX_STRING_LEN]; char *w, *l; @@ -8,7 +9,7 @@ int p; int cgi_status = HTTP_UNSET; apr_table_t *merge; -@@ -425,7 +426,14 @@ AP_DECLARE(int) ap_scan_script_header_er +@@ -414,7 +415,14 @@ if (buffer) { *buffer = '\0'; } @@ -24,17 +25,17 @@ /* temporary place to hold headers to merge in later */ merge = apr_table_make(r->pool, 10); -@@ -441,7 +449,7 @@ AP_DECLARE(int) ap_scan_script_header_er +@@ -430,7 +438,7 @@ while (1) { - int rv = (*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data); + int rv = (*getsfunc) (w, wlen - 1, getsfunc_data); if (rv == 0) { - const char *msg = "Premature end of script headers"; - if (first_header) -@@ -553,9 +561,12 @@ AP_DECLARE(int) ap_scan_script_header_er - if (!(l = strchr(w, ':'))) { + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r, + "Premature end of script headers: %s", +@@ -537,9 +545,12 @@ + if (!buffer) { /* Soak up all the script output - may save an outright kill */ - while ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data)) { @@ -46,4 +47,4 @@ + buffer[MAX_STRING_LEN - 1] = 0; } - ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r, + ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r, ++++++ httpd-keepalivetimeout-millisecs.patch ++++++ --- modules/http/http_core.c.orig +++ modules/http/http_core.c @@ -47,12 +47,15 @@ static int ap_process_http_connection(co static const char *set_keep_alive_timeout(cmd_parms *cmd, void *dummy, const char *arg) { + apr_interval_time_t timeout; const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT); if (err != NULL) { return err; } - - cmd->server->keep_alive_timeout = apr_time_from_sec(atoi(arg)); + /* Stolen from mod_proxy.c */ + if (ap_timeout_parameter_parse(arg, &timeout, "s") != APR_SUCCESS) + return "KeepAliveTimeout has wrong format"; + cmd->server->keep_alive_timeout = timeout; return NULL; } ++++++ httpd-mod_deflate_head.patch ++++++ --- modules/filters/mod_deflate.c.orig +++ modules/filters/mod_deflate.c @@ -582,6 +582,20 @@ static apr_status_t deflate_out_filter(a apr_bucket *b; apr_size_t len; + /* + * Optimization: If we are a HEAD request and bytes_sent is not zero + * it means that we have passed the content-length filter once and + * have more data to sent. This means that the content-length filter + * could not determine our content-length for the response to the + * HEAD request anyway (the associated GET request would deliver the + * body in chunked encoding) and we can stop compressing. + */ + if (r->header_only && r->bytes_sent) { + ap_remove_output_filter(f); + return ap_pass_brigade(f->next, bb); + } + + e = APR_BRIGADE_FIRST(bb); if (APR_BUCKET_IS_EOS(e)) { ++++++ httpd-new_pcre.patch ++++++ Index: server/util_pcre.c =================================================================== --- server/util_pcre.c.orig 2012-02-11 10:07:31.000000000 +0100 +++ server/util_pcre.c 2012-02-11 10:08:23.062838133 +0100 @@ -128,6 +128,7 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t *p const char *errorptr; int erroffset; int options = 0; +int nsub; if ((cflags & AP_REG_ICASE) != 0) options |= PCRE_CASELESS; if ((cflags & AP_REG_NEWLINE) != 0) options |= PCRE_MULTILINE; @@ -137,7 +138,9 @@ preg->re_erroffset = erroffset; if (preg->re_pcre == NULL) return AP_REG_INVARG; -preg->re_nsub = pcre_info((const pcre *)preg->re_pcre, NULL, NULL); +pcre_fullinfo((const pcre *)preg->re_pcre, NULL, + PCRE_INFO_CAPTURECOUNT, &nsub); +preg->re_nsub = nsub; return 0; } ++++++ ssl-mode-release-buffers.patch ++++++ --- modules/ssl/ssl_engine_init.c.orig +++ modules/ssl/ssl_engine_init.c @@ -482,7 +482,9 @@ static void ssl_init_ctx_protocol(server } mctx->ssl_ctx = ctx; - +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); +#endif SSL_CTX_set_options(ctx, SSL_OP_ALL); if (!(protocol & SSL_PROTOCOL_SSLV2)) { -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
