Hello community,

here is the log from the commit of package apache2 for openSUSE:Factory checked 
in at 2014-11-13 09:21:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/apache2 (Old)
 and      /work/SRC/openSUSE:Factory/.apache2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2"

Changes:
--------
--- /work/SRC/openSUSE:Factory/apache2/apache2.changes  2014-11-05 
16:26:45.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes     2014-11-13 
09:21:37.000000000 +0100
@@ -1,0 +2,12 @@
+Sun Nov 09 00:57:00 UTC 2014 - Led <[email protected]>
+
+- fix bashisms in post scripts
+
+-------------------------------------------------------------------
+Fri Nov  7 15:52:47 UTC 2014 - [email protected]
+
+- added httpd-2.4.10-check_null_pointer_dereference.patch to avoid
+  a crash when Content-Type has an empty value [bnc#899836], 
+  CVE-2014-3581
+
+-------------------------------------------------------------------
@@ -5,0 +18,6 @@
+
+-------------------------------------------------------------------
+Sat Oct 18 16:21:00 UTC 2014 - Led <[email protected]>
+
+- httpd-2.1.9-apachectl.dif renamed to httpd-2.4.10-apachectl.patch 
+  and updated (fixed bashism).

Old:
----
  httpd-2.1.9-apachectl.dif

New:
----
  httpd-2.4.10-apachectl.patch
  httpd-2.4.10-check_null_pointer_dereference.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.UJxwV3/_old  2014-11-13 09:21:40.000000000 +0100
+++ /var/tmp/diff_new_pack.UJxwV3/_new  2014-11-13 09:21:40.000000000 +0100
@@ -150,7 +150,7 @@
 Source143:      apache2-systemd-ask-pass
 Source144:      apache2.service
 Patch2:         httpd-2.1.3alpha-layout.dif
-Patch23:        httpd-2.1.9-apachectl.dif
+Patch23:        httpd-2.4.10-apachectl.patch
 #Patch65:        httpd-2.0.49-log_server_status.dif
 Patch66:        httpd-2.0.54-envvars.dif
 Patch67:        httpd-2.2.0-apxs-a2enmod.dif
@@ -164,6 +164,8 @@
 # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch 
[email protected] simple module provides systemd integration.
 Patch109:       httpd-2.4.3-mod_systemd.patch
 Patch111:       httpd-visibility.patch
+# PATCH-FIX-UPSTREAM bnc#899836 [email protected] -- avoid a crash when 
Content-Type has an empty value
+Patch112:       httpd-2.4.10-check_null_pointer_dereference.patch
 Url:            http://httpd.apache.org/
 Icon:           Apache.xpm
 Summary:        The Apache Web Server Version 2.4
@@ -343,6 +345,7 @@
 #%patch108 -p1
 %patch109 -p1
 %patch111 -p1
+%patch112 -p1
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{S:22})
@@ -981,19 +984,19 @@
 %if %prefork
 
 %post prefork
-/usr/share/%{pname}/get_module_list &>/dev/null
+/usr/share/%{pname}/get_module_list >/dev/null 2>&1
 exit 0
 %endif
 %if %worker
 
 %post worker
-/usr/share/%{pname}/get_module_list &>/dev/null
+/usr/share/%{pname}/get_module_list >/dev/null 2>&1
 exit 0
 %endif
 %if %event
 
 %post event
-/usr/share/%{pname}/get_module_list &>/dev/null
+/usr/share/%{pname}/get_module_list >/dev/null 2>&1
 exit 0
 %endif
 
@@ -1006,7 +1009,7 @@
 %pre
 %if %{?suse_version:0}%{!?suse_version:1}
 # on Fedora, add the "apache" user
-if ! /usr/bin/getent passwd %httpduser &>/dev/null; then
+if ! /usr/bin/getent passwd %httpduser >/dev/null 2>&1; then
   echo "Creating %httpduser user"
   /usr/sbin/useradd -c "Apache" -u 48 \
         -s /sbin/nologin -r -d %{localstatedir} %httpduser 2> /dev/null || :
@@ -1086,7 +1089,7 @@
 
 rm -rf $tmpdir
 /usr/share/%{pname}/apache-20-22-upgrade
-/usr/share/%{pname}/get_module_list &>/dev/null
+/usr/share/%{pname}/get_module_list >/dev/null 2>&1
 %if 0%{?suse_version} >= 1210
 %service_add_post apache2.service
 %endif




++++++ httpd-2.4.10-apachectl.patch ++++++
diff -Ndurp httpd-2.4.10/support/apachectl.in 
httpd-2.4.10-apachectl/support/apachectl.in
--- httpd-2.4.10/support/apachectl.in   2012-02-01 05:47:28.000000000 +0200
+++ httpd-2.4.10-apachectl/support/apachectl.in 2014-10-18 19:18:51.203692588 
+0300
@@ -42,17 +42,32 @@ ARGV="$@"
 # --------------------                              --------------------
 # 
 # the path to your httpd binary, including options if necessary
-HTTPD='@exp_sbindir@/@progname@'
+HTTPD='@exp_sbindir@/httpd2'
 #
 # pick up any necessary environment variables
 if test -f @exp_sbindir@/envvars; then
   . @exp_sbindir@/envvars
 fi
+
+pname=apache2
+sysconfig_apache=/etc/sysconfig/$pname
+sysconfdir=/etc/$pname
+
+test -s $sysconfig_apache && . $sysconfig_apache
+httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}
+
 #
 # a command that outputs a formatted text version of the HTML at the
 # url given on the command line.  Designed for lynx, however other
 # programs may work.  
-LYNX="@LYNX_PATH@ -dump"
+
+if [ -x "`which w3m`" ]; then
+        LYNX="w3m -dump -cols ${COLUMNS:-80}"
+elif [ -x "`which lynx`" ]; then
+        LYNX="lynx -dump -width=${COLUMNS:-80}"
+fi
+
+
 #
 # the URL to your server's mod_status status page.  If you do not
 # have one, then status and fullstatus will not work.
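Review bot: The new `which w3m` / `which lynx` probe resolves the text browser through the caller's PATH at run time, whereas the removed line used the path fixed at configure time (`@LYNX_PATH@`). apachectl is typically run by root, so an absolute or configure-time path is the safer choice. If neither program is found, `LYNX` stays unset, and the status cases (their bodies are outside this hunk) would presumably expand an empty `$LYNX`. `which` is also not specified by POSIX, which sits oddly with the bashism cleanup in this commit; `command -v` is the portable probe. I would write the tests as `if command -v w3m >/dev/null 2>&1; then` and add a final `else LYNX="@LYNX_PATH@ -dump"` branch so the variable is always defined.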
@@ -78,7 +93,7 @@ fi
 
 case $ACMD in
 start|stop|restart|graceful|graceful-stop)
-    $HTTPD -k $ARGV
+    $HTTPD ${httpd_conf+-f $httpd_conf} -k $ARGV
     ERROR=$?
     ;;
 startssl|sslstart|start-SSL)
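Review bot: The guard in `${httpd_conf+-f $httpd_conf}` can never be false, because `httpd_conf` is assigned unconditionally near the top of the script (`httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}`). The `+` form therefore always expands. The expansion is also unquoted, so a value of `APACHE_HTTPD_CONF` read from the sysconfig file that contains spaces or glob characters is word-split before httpd sees it. The same construct appears in the `configtest)` hunk below. I would write these as `$HTTPD -f "$httpd_conf" -k $ARGV` and `$HTTPD -f "$httpd_conf" -t`. The enclosing `case` statement starts and ends outside both hunks.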
@@ -88,7 +103,7 @@ startssl|sslstart|start-SSL)
     ERROR=2
     ;;
 configtest)
-    $HTTPD -t
+    $HTTPD ${httpd_conf+-f $httpd_conf} -t
     ERROR=$?
     ;;
 status)
++++++ httpd-2.4.10-check_null_pointer_dereference.patch ++++++
Index: httpd-2.4.10/CHANGES
===================================================================
--- httpd-2.4.10.orig/CHANGES
+++ httpd-2.4.10/CHANGES
@@ -1,6 +1,9 @@
                                                          -*- coding: utf-8 -*-
 
 Changes with Apache 2.4.10
+  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+     mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
+     [Mark Montague <mark catseye.org>, Jan Kaluza]
 
   *) SECURITY: CVE-2014-0117 (cve.mitre.org)
      mod_proxy: Fix crash in Connection header handling which 
Index: httpd-2.4.10/modules/cache/cache_util.c
===================================================================
--- httpd-2.4.10.orig/modules/cache/cache_util.c
+++ httpd-2.4.10/modules/cache/cache_util.c
@@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
 
     if (r->content_type
             && !apr_table_get(headers_out, "Content-Type")) {
-        apr_table_setn(headers_out, "Content-Type",
-                       ap_make_content_type(r, r->content_type));
+        const char *ctype = ap_make_content_type(r, r->content_type);
+        if (ctype) {
+                       apr_table_setn(headers_out, "Content-Type", ctype);
+               }
     }
 
     if (r->content_encoding
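Review bot: The added `if (ctype)` guard has no comment saying when `ap_make_content_type()` yields NULL or why the header is then left unset, so a later cleanup could fold the call back into `apr_table_setn()` and reintroduce the crash. I would put `/* ap_make_content_type() can return NULL (empty Content-Type value, CVE-2014-3581); do not store a NULL header value */` above the declaration of `ctype`. The two inner added lines are also indented with a tab/space mix deeper than the surrounding 4-space style; `            apr_table_setn(headers_out, "Content-Type", ctype);` and a closing `        }` would match the file. Other callers of `ap_make_content_type()` are not visible here and may deserve the same NULL check. `cache_merge_headers_out` begins and ends outside this hunk.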
-- 