commit: 692a27baa1b889755b928d2766f9efee17462291 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> AuthorDate: Wed Nov 2 14:38:57 2016 +0000 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> CommitDate: Wed Nov 2 14:39:15 2016 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=692a27ba
www-servers/apache: Security revbumps for CVE-2016-5387 (bug #589226). Also fixes fcgi bug in apache-2.4.23 (bug #591288). Package-Manager: portage-2.3.2 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org> www-servers/apache/Manifest | 1 + www-servers/apache/apache-2.2.31-r1.ebuild | 119 +++++++++++ www-servers/apache/apache-2.4.23-r2.ebuild | 245 ++++++++++++++++++++++ www-servers/apache/files/apache-asf-httpoxy.patch | 20 ++ 4 files changed, 385 insertions(+) diff --git a/www-servers/apache/Manifest b/www-servers/apache/Manifest index 5482f14..a266c24 100644 --- a/www-servers/apache/Manifest +++ b/www-servers/apache/Manifest @@ -1,3 +1,4 @@ +DIST apache-2.4.23-fcgi_fix.patch 1186 SHA256 2943092f4d16f998bed1839d762be6b12254bb59b54e027ae17a2f8042c0eac7 SHA512 5dd1d2eee99322d7af398e7e9c46da4275b83d47bbdac663c022fab734715aabaf5cf0e7abe9bf7b90b69a7b6456f4df55ec33519844124906ad9021f0331e01 WHIRLPOOL 80b03d44e861b08ade36fb317a7aa8cb13a7b79b80b6d59d90d404c9ce99590d8466cb098812b4e2fbb85e69fc7a69ce973269b1ec6ce516e2ad835566534f8e DIST gentoo-apache-2.2.29-20140922.tar.bz2 64135 SHA256 8c69c36c2f40fb81ee905b4dd72ab74aab4563c75149d302f372a451498e2678 SHA512 1d9aa12aa3ab79b5f80ee3fda020b33ff6798e5b1abbcbc138acea06a1ab9968ad240d2bdf9c5dbb9640fa9fb6718eec7175df7cc0fb8574cc4d7d5cdfb5bcc4 WHIRLPOOL f655300f0dcd2f4503cbdb25983fed902e4b717ff57e06f66486bebd0ed7cb8df56387be74b4259bfffad949bb446c5ec28f89065b6d5239585324b610be7b88 DIST gentoo-apache-2.4.18-r1-20160303.tar.bz2 24505 SHA256 d81e32d876594b48a7ff6d9123bf776c5bea5453eddd2fe40f4a9b79c11537aa SHA512 68f0c4de38ae05c45839fe692cbb7de641e331ca133b8aaaf69f3659dec15833cda95e6e074edb3a5b6b6d59b3fc5a4ee3589fff810707fe27417a25cd8a4c4d WHIRLPOOL fb61224b2104e611237e1d09eb4dfb3d2b8f023348c9622f7f19434b6b77d63786c41af17a300d994c14d983676f3753ab6fa52f7a7fcd07b9cea3d7eeacc9b9 DIST httpd-2.2.31.tar.bz2 5610489 SHA256 f32f9d19f535dac63b06cb55dfc023b40dcd28196b785f79f9346779e22f26ac SHA512 5aa47d4b76f692bbd8b309135ff99152df98cf69b505b9daf3f13f7f2a31443eaf4995161adfbc47a133b4d0e091fda2d95fc6b87a956f0ada18d7466ee28e74 WHIRLPOOL a2e3e53c51719cb6f7e641b41788cd89ce7b4d2ea105b403bfa3b3d4479b69c5604228269062f66722594e105e91121d05b1c9f27ca7dc4ecfcf339da8b8375c diff --git a/www-servers/apache/apache-2.2.31-r1.ebuild b/www-servers/apache/apache-2.2.31-r1.ebuild new file mode 100644 index 00000000..5e2b8c7 --- /dev/null +++ b/www-servers/apache/apache-2.2.31-r1.ebuild @@ -0,0 +1,119 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +# latest gentoo apache files +GENTOO_PATCHSTAMP="20140922" +GENTOO_DEVELOPER="polynomial-c" +GENTOO_PATCHNAME="gentoo-apache-2.2.29" + +# IUSE/USE_EXPAND magic +IUSE_MPMS_FORK="itk peruser prefork" +IUSE_MPMS_THREAD="event worker" + +IUSE_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon +authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default +authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta +charset_lite cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache dumpio +env expires ext_filter file_cache filter headers ident imagemap include info +log_config log_forensic logio mem_cache mime mime_magic negotiation proxy +proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi rewrite +reqtimeout setenvif speling status substitute unique_id userdir usertrack +version vhost_alias" +# The following are also in the source as of this version, but are not available +# for user selection: +# bucketeer case_filter case_filter_in echo http isapi optional_fn_export +# optional_fn_import optional_hook_export optional_hook_import + +# inter-module dependencies +# TODO: this may still be incomplete +MODULE_DEPENDS=" + dav_fs:dav + dav_lock:dav + deflate:filter + disk_cache:cache + ext_filter:filter + file_cache:cache + log_forensic:log_config + logio:log_config + mem_cache:cache + mime_magic:mime + proxy_ajp:proxy + proxy_balancer:proxy + proxy_connect:proxy + proxy_ftp:proxy + proxy_http:proxy + proxy_scgi:proxy + substitute:filter +" + +# module<->define mappings +MODULE_DEFINES=" + auth_digest:AUTH_DIGEST + authnz_ldap:AUTHNZ_LDAP + cache:CACHE + dav:DAV + dav_fs:DAV + dav_lock:DAV + disk_cache:CACHE + file_cache:CACHE + info:INFO + ldap:LDAP + mem_cache:CACHE + proxy:PROXY + proxy_ajp:PROXY + proxy_balancer:PROXY + proxy_connect:PROXY + proxy_ftp:PROXY + proxy_http:PROXY + ssl:SSL + status:STATUS + suexec:SUEXEC + userdir:USERDIR +" + +# critical modules for the default config +MODULE_CRITICAL=" + authz_host + dir + mime +" + +inherit apache-2 systemd toolchain-funcs + +DESCRIPTION="The Apache Web Server" +HOMEPAGE="https://httpd.apache.org/"; + +# some helper scripts are Apache-1.1, thus both are here +LICENSE="Apache-2.0 Apache-1.1" +SLOT="2" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd" +IUSE="" + +PATCHES=( + "${FILESDIR}/${PN}-asf-httpoxy.patch" +) + +src_configure() { + # Brain dead check. + tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no" + + apache-2_src_configure +} + +src_install() { + apache-2_src_install + + # install apxs in /usr/bin (bug #502384) and put a symlink into the + # old location until all ebuilds and eclasses have been modified to + # use the new location. + local apxs_dir="/usr/bin" + dodir ${apxs_dir} + mv "${D}"/usr/sbin/apxs "${D}"${apxs_dir} || die + ln -s ../bin/apxs "${D}"/usr/sbin/apxs || die + + systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service" + systemd_dotmpfilesd "${FILESDIR}/apache.conf" +} diff --git a/www-servers/apache/apache-2.4.23-r2.ebuild b/www-servers/apache/apache-2.4.23-r2.ebuild new file mode 100644 index 00000000..80874b3 --- /dev/null +++ b/www-servers/apache/apache-2.4.23-r2.ebuild @@ -0,0 +1,245 @@ +# Copyright 1999-2016 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Id$ + +EAPI=5 + +# latest gentoo apache files +GENTOO_PATCHSTAMP="20160303" +GENTOO_DEVELOPER="polynomial-c" +GENTOO_PATCHNAME="gentoo-apache-2.4.18-r1" + +# IUSE/USE_EXPAND magic +IUSE_MPMS_FORK="prefork" +IUSE_MPMS_THREAD="event worker" + +# << obsolete modules: +# authn_default authz_default mem_cache +# mem_cache is replaced by cache_disk +# ?? buggy modules +# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found +# >> added modules for reason: +# compat: compatibility with 2.2 access control +# authz_host: new module for access control +# authn_core: functionality provided by authn_alias in previous versions +# authz_core: new module, provides core authorization capabilities +# cache_disk: replacement for mem_cache +# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3 +# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3 +# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3 +# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3 +# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests). +# socache_shmcb: shared object cache provider. Default config with ssl needs it +# unixd: fixes startup error: Invalid command 'User' +IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest +authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core +authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex +cache cache_disk cern_meta charset_lite cgi cgid dav dav_fs dav_lock dbd deflate +dir dumpio env expires ext_filter file_cache filter headers http2 ident imagemap +include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness +lbmethod_heartbeat log_config log_forensic logio macro mime mime_magic negotiation +proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi +proxy_fcgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif +slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack +unixd version vhost_alias" +# The following are also in the source as of this version, but are not available +# for user selection: +# bucketeer case_filter case_filter_in echo http isapi optional_fn_export +# optional_fn_import optional_hook_export optional_hook_import + +# inter-module dependencies +# TODO: this may still be incomplete +MODULE_DEPENDS=" + dav_fs:dav + dav_lock:dav + deflate:filter + cache_disk:cache + ext_filter:filter + file_cache:cache + lbmethod_byrequests:proxy_balancer + lbmethod_byrequests:slotmem_shm + lbmethod_bytraffic:proxy_balancer + lbmethod_bybusyness:proxy_balancer + lbmethod_heartbeat:proxy_balancer + log_forensic:log_config + logio:log_config + cache_disk:cache + mime_magic:mime + proxy_ajp:proxy + proxy_balancer:proxy + proxy_balancer:slotmem_shm + proxy_connect:proxy + proxy_ftp:proxy + proxy_html:proxy + proxy_http:proxy + proxy_scgi:proxy + proxy_fcgi:proxy + proxy_wstunnel:proxy + substitute:filter +" + +# module<->define mappings +MODULE_DEFINES=" + auth_digest:AUTH_DIGEST + authnz_ldap:AUTHNZ_LDAP + cache:CACHE + cache_disk:CACHE + dav:DAV + dav_fs:DAV + dav_lock:DAV + file_cache:CACHE + http2:HTTP2 + info:INFO + ldap:LDAP + proxy:PROXY + proxy_ajp:PROXY + proxy_balancer:PROXY + proxy_connect:PROXY + proxy_ftp:PROXY + proxy_html:PROXY + proxy_http:PROXY + proxy_fcgi:PROXY + proxy_scgi:PROXY + proxy_wstunnel:PROXY + socache_shmcb:SSL + ssl:SSL + status:STATUS + suexec:SUEXEC + userdir:USERDIR +" + +# critical modules for the default config +MODULE_CRITICAL=" + authn_core + authz_core + authz_host + dir + mime + unixd +" +inherit eutils apache-2 systemd toolchain-funcs + +DESCRIPTION="The Apache Web Server" +HOMEPAGE="https://httpd.apache.org/"; + +# some helper scripts are Apache-1.1, thus both are here +LICENSE="Apache-2.0 Apache-1.1" +SLOT="2" +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris" + +# Upstream fixes +SRC_URI+=" http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c?r1=1751970&r2=1751969&pathrev=1751970&view=patch -> ${PN}-2.4.23-fcgi_fix.patch" + +DEPEND+="apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 )" + +REQUIRED_USE="apache2_modules_http2? ( ssl )" + +PATCHES=( + "${DISTDIR}"/${P}-fcgi_fix.patch + "${FILESDIR}"/apache-asf-httpoxy.patch +) + +pkg_setup() { + # dependend critical modules which are not allowed in global scope due + # to USE flag conditionals (bug #499260) + use ssl && MODULE_CRITICAL+=" socache_shmcb" + use doc && MODULE_CRITICAL+=" alias negotiation setenvif" + apache-2_pkg_setup +} + +src_configure() { + # Brain dead check. + tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no" + + apache-2_src_configure +} + +src_compile() { + if tc-is-cross-compiler; then + # This header is the same across targets, so use the build compiler. + pushd server >/dev/null + emake gen_test_char + tc-export_build_env BUILD_CC + ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \ + gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die + popd >/dev/null + fi + + default +} + +src_install() { + apache-2_src_install + for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do + rm "${ED}"/$i || die "Failed to prune apache-tools bits" + done + for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do + rm "${ED}"/$i || die "Failed to prune apache-tools bits" + done + for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do + rm "${ED}"/$i || die "Failed to prune apache-tools bits" + done + for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do + rm "${ED}/"$i || die "Failed to prune apache-tools bits" + done + + # install apxs in /usr/bin (bug #502384) and put a symlink into the + # old location until all ebuilds and eclasses have been modified to + # use the new location. + local apxs="/usr/bin/apxs" + cp "${S}"/support/apxs "${ED}"${apxs} || die "Failed to install apxs" + ln -s ../bin/apxs "${ED}"/usr/sbin/apxs || die + chmod 0755 "${ED}"${apxs} || die + + # Note: wait for mod_systemd to be included in the next release, + # then apache2.4.service can be used and systemd support controlled + # through --enable-systemd + systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service" + systemd_dotmpfilesd "${FILESDIR}/apache.conf" + #insinto /etc/apache2/modules.d + #doins "${FILESDIR}/00_systemd.conf" + + # Install http2 module config + insinto /etc/apache2/modules.d + doins "${FILESDIR}"/41_mod_http2.conf +} + +pkg_postinst() +{ + apache-2_pkg_postinst || die "apache-2_pkg_postinst failed" + # warnings that default config might not work out of the box + for mod in $MODULE_CRITICAL; do + if ! use "apache2_modules_${mod}"; then + echo + ewarn "Warning: Critical module not installed!" + ewarn "Modules 'authn_core', 'authz_core' and 'unixd'" + ewarn "are highly recomended but might not be in the base profile yet." + ewarn "Default config for ssl needs module 'socache_shmcb'." + ewarn "Enabling the following flags is highly recommended:" + for cmod in $MODULE_CRITICAL; do + use "apache2_modules_${cmod}" || \ + ewarn "+ apache2_modules_${cmod}" + done + echo + break + fi + done + # warning for proxy_balancer and missing load balancing scheduler + if use apache2_modules_proxy_balancer; then + local lbset= + for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do + if use "apache2_modules_${mod}"; then + lbset=1 && break + fi + done + if [ ! $lbset ]; then + echo + ewarn "Info: Missing load balancing scheduler algorithm module" + ewarn "(They were split off from proxy_balancer in 2.3)" + ewarn "In order to get the ability of load balancing, at least" + ewarn "one of these modules has to be present:" + ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat" + echo + fi + fi +} diff --git a/www-servers/apache/files/apache-asf-httpoxy.patch b/www-servers/apache/files/apache-asf-httpoxy.patch new file mode 100644 index 00000000..68e3d86 --- /dev/null +++ b/www-servers/apache/files/apache-asf-httpoxy.patch @@ -0,0 +1,20 @@ +https://bugs.gentoo.org/589226 +https://www.apache.org/security/asf-httpoxy-response.txt + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them
