authorjorton <jorton@fedoraproject.org>2004-11-18 11:59:52 +0000
committerjorton <jorton@fedoraproject.org>2004-11-18 11:59:52 +0000
commit7c0f3e466d2df836374154b430ed98853a7ef022 (patch)
tree202e2f832a9511f601caa8c21da1a2eb6f3fc62a
parentff2220fd78e51dc9c8fa79201605bd786ca80df4 (diff)
- add security fix for CVE CAN-2004-0942 (memory consumption DoS)httpd-2_0_52-6
- SELinux: run httpd -t under runcon in configtest (Steven Smalley) - fix SSLSessionCache comment for distcache in ssl.conf - restart using SIGHUP not SIGUSR1 after logrotate - add ap_save_brigade fix (upstream #31247) - mod_ssl: fix possible segfault in auth hook (upstream #31848) - add htsslpass(1) and configure as default SSLPassPhraseDialog (#128677) - apachectl: restore use of $OPTIONS - apachectl, httpd.init: refuse to restart if $HTTPD -t fails - apachectl: run $HTTPD -t in user SELinux context for configtest - update for pcre-5.0 header locations
-rw-r--r--Makefile4
-rw-r--r--httpd-2.0.40-xfsz.patch4
-rwxr-xr-xhttpd.init14
-rw-r--r--httpd.logrotate2
-rw-r--r--httpd.spec56
-rw-r--r--ssl.conf4
6 files changed, 62 insertions, 22 deletions
diff --git a/Makefile b/Makefile
index 8376717..19bec5d 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
# Makefile for source rpm: httpd
-# $Id: Makefile,v 1.4 2004/10/13 10:44:51 jorton Exp $
+# $Id: Makefile,v 1.5 2004/10/13 16:35:07 jorton Exp $
NAME := httpd
SPECFILE = $(firstword $(wildcard *.spec))
UPSTREAM_CHECKS = asc
@@ -21,4 +21,4 @@ status.html: status.xml status-html.xsl
@xsltproc status-html.xsl $< > $@
view-status: status.html
- gnome-moz-remote `pwd`/$<
+ firefox -remote 'openFile($(shell pwd)/$<)'
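Review bot: The new `view-status` recipe forks a shell at expansion time only to get the working directory; the built-in `$(CURDIR)` gives the same absolute path, as in `firefox -remote 'openFile($(CURDIR)/$<)'`. The path is spliced inside single quotes and parentheses, so a checkout directory whose name contains `'` or `)` would break the command; a one-line comment above the recipe saying so would help. Whether `view-status` is declared `.PHONY` is not visible in this hunk.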
diff --git a/httpd-2.0.40-xfsz.patch b/httpd-2.0.40-xfsz.patch
index f3bcfbf..2af7384 100644
--- a/httpd-2.0.40-xfsz.patch
+++ b/httpd-2.0.40-xfsz.patch
@@ -2,9 +2,9 @@
Set SIGXFSZ to be ignored, so a write() beyond 2gb will fail with
E2BIG rather than killing the process
-Upstream-HEAD: omit
+Upstream-HEAD: needed
Upstream-2.0: omit
-Upstream-Status: Obsoleted by proper LFS support in APR
+Upstream-Status: Obsoleted by proper LFS support in APR, do it anyway
Upstream-PR: 13511
--- ./server/mpm/prefork/prefork.c.xfsz Wed Jul 17 22:39:55 2002
diff --git a/httpd.init b/httpd.init
index 68f0e40..0624e06 100755
--- a/httpd.init
+++ b/httpd.init
@@ -73,11 +73,15 @@ stop() {
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
reload() {
- echo -n $"Reloading $prog: "
- check13 || exit 1
- killproc $httpd -HUP
- RETVAL=$?
- echo
+ if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t; then
+ failure $"Configuration syntax check for $httpd, will not reload"
+ RETVAL=$?
+ else
+ echo -n $"Reloading $prog: "
+ killproc $httpd -HUP
+ RETVAL=$?
+ echo
+ fi
}
# See how we were called.
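Review bot: In the failure branch of `reload()`, `RETVAL=$?` records whatever the `failure` helper returns, not the result of the `$httpd $OPTIONS -t` check, and `failure` is defined outside this file. Inside `if ! ...; then` the original exit status is no longer available, so the branch should set the code explicitly, e.g. `RETVAL=1` in place of `RETVAL=$?`. The failure branch also has no trailing `echo`, unlike the success branch, which leaves the status line unterminated. The old `check13 || exit 1` guard is dropped from reload without a comment; if other actions still need it, a short note on why reload does not would help.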
diff --git a/httpd.logrotate b/httpd.logrotate
index 8be0f0e..dd0ce1b 100644
--- a/httpd.logrotate
+++ b/httpd.logrotate
@@ -3,6 +3,6 @@
notifempty
sharedscripts
postrotate
- /bin/kill -USR1 `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
+ /bin/kill -HUP `cat /var/run/httpd.pid 2>/dev/null` 2> /dev/null || true
endscript
}
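Review bot: The `postrotate` line now sends SIGHUP straight to the pid with no configuration check, while `reload()` in httpd.init, changed in this same commit, refuses to signal when `$httpd -t` fails. A HUP makes the parent re-read its configuration, so a config file left broken between rotations can take the server down at the next logrotate run, and `2> /dev/null || true` hides the failure. Routing rotation through the init script keeps the two paths consistent, e.g. `/sbin/service httpd reload > /dev/null 2>/dev/null || true`.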
diff --git a/httpd.spec b/httpd.spec
index f7ab30c..c9733eb 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.0.52
-Release: 5
+Release: 6
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html
@@ -23,11 +23,13 @@ Source12: welcome.conf
Source13: manual.conf
Source14: mod_ssl-Makefile.crt
Source15: mod_ssl-Makefile.crl
+Source16: htsslpass.c
# Documentation
Source30: migration.xml
Source31: migration.css
Source32: html.xsl
Source33: README.confd
+Source34: htsslpass.xml
# build/scripts patches
Patch1: httpd-2.0.40-apctl.patch
Patch2: httpd-2.0.36-apxs.patch
@@ -49,6 +51,8 @@ Patch28: httpd-2.0.48-worker.patch
Patch29: httpd-2.0.48-workerhup.patch
Patch30: httpd-2.0.48-davmisc.patch
Patch39: httpd-2.0.50-reclaim.patch
+Patch40: httpd-2.0.52-sslauth.patch
+Patch41: httpd-2.0.52-savebrigade.patch
# Features/functional changes
Patch70: httpd-2.0.48-release.patch
Patch71: httpd-2.0.40-xfsz.patch
@@ -70,11 +74,13 @@ Patch91: httpd-2.0.46-testhook.patch
Patch92: httpd-2.0.46-dumpcerts.patch
# Security fixes
Patch120: httpd-2.0.52-CAN-2004-0885.patch
+Patch121: httpd-2.0.52-CAN-2004-0942.patch
License: Apache Software License
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-root
BuildRequires: db4-devel, expat-devel, findutils, perl, pkgconfig, xmlto >= 0.0.11
-BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel, zlib-devel
+BuildRequires: apr-devel >= 0.9.4-20, apr-util-devel, pcre-devel >= 5.0,
+BuildRequires: zlib-devel
Requires: /etc/mime.types, gawk, /usr/share/magic.mime, /usr/bin/find
Requires: httpd-suexec
Prereq: /sbin/chkconfig, /bin/mktemp, /bin/rm, /bin/mv
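Review bot: `Patch121: httpd-2.0.52-CAN-2004-0942.patch` is the security fix this commit is named for, but the patch file is not among the six files in the diffstat. The same holds for `Patch40`, `Patch41`, `Source16` and `Source34`, added in the neighbouring hunks. Unless those files were committed earlier, the spec will not build from this revision, and the fix itself cannot be reviewed here, so confirm they are in the tree. Separately, the rewritten `BuildRequires: ... pcre-devel >= 5.0,` line ends in a dangling comma that is better dropped.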
@@ -86,19 +92,20 @@ Obsoletes: mod_put, mod_roaming
Conflicts: pcre < 4.0
%description
-Apache is a powerful, full-featured, efficient, and freely-available
-Web server. Apache is also the most popular Web server on the
-Internet.
+The Apache HTTP Server is a powerful, full-featured, efficient, and
+freely-available Web server. The Apache HTTP Server is also the
+most popular Web server on the Internet.
%package devel
Group: Development/Libraries
Summary: Development tools for the Apache HTTP server.
Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
-Requires: apr-devel, apr-util-devel, httpd = %{version}, pcre-devel
+Requires: apr-devel, apr-util-devel, httpd = %{version}, pcre-devel >= 5.0
%description devel
The httpd-devel package contains the APXS binary and other files
-that you need to build Dynamic Shared Objects (DSOs) for Apache.
+that you need to build Dynamic Shared Objects (DSOs) for the
+Apache HTTP Server.
If you are installing the Apache HTTP server and you want to be
able to compile or develop additional modules for Apache, you need
@@ -161,6 +168,8 @@ executed by SSI pages) as a user other than the 'apache' user.
%patch29 -p1 -b .workerhup
%patch30 -p1 -b .davmisc
%patch39 -p1 -b .reclaim
+%patch40 -p1 -b .sslauth
+%patch41 -p1 -b .savebrigade
%patch71 -p0 -b .xfsz
%patch72 -p1 -b .pod
@@ -181,6 +190,7 @@ executed by SSI pages) as a user other than the 'apache' user.
%patch92 -p1 -b .dumpcerts
%patch120 -p1 -b .can0885
+%patch121 -p1 -b .can0942
# Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH70} | patch -p1
@@ -231,8 +241,15 @@ sed 's/@DISTRO@/%{distro}/' < $RPM_SOURCE_DIR/migration.xml > migration.xml
xmlto -x $RPM_SOURCE_DIR/html.xsl html-nochunks migration.xml
cp $RPM_SOURCE_DIR/migration.css . # make %%doc happy
+# Build the htsslpass man page
+xmlto man $RPM_SOURCE_DIR/htsslpass.xml
+
+# Build htsslpass
+cp $RPM_SOURCE_DIR/htsslpass.c . || exit 1
+gcc $RPM_OPT_FLAGS -Wall -Werror htsslpass.c -o htsslpass
+
CFLAGS=$RPM_OPT_FLAGS
-CPPFLAGS="-DSSL_EXPERIMENTAL_ENGINE -I/usr/include/pcre"
+CPPFLAGS="-DSSL_EXPERIMENTAL_ENGINE"
export CFLAGS CPPFLAGS
function mpmbuild()
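Review bot: The htsslpass build steps bypass the source tags: they name `$RPM_SOURCE_DIR/htsslpass.c` and `$RPM_SOURCE_DIR/htsslpass.xml` directly instead of `%{SOURCE16}` and `%{SOURCE34}`, so a renamed source would leave the spec out of step with its tags. Compiling in place with `gcc $RPM_OPT_FLAGS -Wall -Werror %{SOURCE16} -o htsslpass` would also remove the `cp`; the spec already uses this macro form for `%{PATCH70}`. Since the changelog makes this binary the default SSLPassPhraseDialog helper, a comment such as `# htsslpass supplies the SSL key passphrase to mod_ssl; keep -Wall -Werror` would record why the strict flags matter. The %build section starts and ends outside this hunk.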
@@ -302,7 +319,11 @@ popd
install -m 755 worker/httpd $RPM_BUILD_ROOT%{_sbindir}/httpd.worker
# link to system pcreposix.h
-ln -s ../pcre/pcreposix.h $RPM_BUILD_ROOT%{_includedir}/httpd/pcreposix.h
+ln -s ../pcreposix.h $RPM_BUILD_ROOT%{_includedir}/httpd/pcreposix.h
+
+# install htsslpass(1) and man page
+install -m 755 htsslpass $RPM_BUILD_ROOT%{_bindir}/htsslpass
+install -m 644 htsslpass.1 $RPM_BUILD_ROOT%{_mandir}/man1/htsslpass.1
# install conf file/directory
mkdir $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
@@ -519,6 +540,7 @@ rm -rf $RPM_BUILD_ROOT
%{_sbindir}/httpd.worker
%{_sbindir}/apachectl
%{_sbindir}/rotatelogs
+%exclude %{_bindir}/htsslpass
%dir %{_libdir}/httpd
%dir %{_libdir}/httpd/modules
@@ -544,6 +566,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man?/*
%exclude %{_mandir}/man8/apxs.8*
%exclude %{_mandir}/man8/suexec.8*
+%exclude %{_mandir}/man1/htsslpass.1*
%files manual
%defattr(-,root,root)
@@ -552,6 +575,8 @@ rm -rf $RPM_BUILD_ROOT
%files -n mod_ssl
%defattr(-,root,root)
+%{_bindir}/htsslpass
+%{_mandir}/man1/htsslpass.1*
%{_libdir}/httpd/modules/mod_ssl.so
%config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf
%attr(0700,root,root) %dir %{_sysconfdir}/httpd/conf/ssl.*
@@ -579,6 +604,19 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/suexec.8*
%changelog
+* Tue Nov 16 2004 Joe Orton <jorton@redhat.com> 2.0.52-6
+- add security fix for CVE CAN-2004-0942 (memory consumption DoS)
+- SELinux: run httpd -t under runcon in configtest (Steven Smalley)
+- fix SSLSessionCache comment for distcache in ssl.conf
+- restart using SIGHUP not SIGUSR1 after logrotate
+- add ap_save_brigade fix (upstream #31247)
+- mod_ssl: fix possible segfault in auth hook (upstream #31848)
+- add htsslpass(1) and configure as default SSLPassPhraseDialog (#128677)
+- apachectl: restore use of $OPTIONS
+- apachectl, httpd.init: refuse to restart if $HTTPD -t fails
+- apachectl: run $HTTPD -t in user SELinux context for configtest
+- update for pcre-5.0 header locations
+
* Sat Nov 13 2004 Jeff Johnson <jbj@redhat.com> 2.0.52-5
- rebuild against db-4.3.21 aware apr-util.
diff --git a/ssl.conf b/ssl.conf
index 9e0a65a..332dc44 100644
--- a/ssl.conf
+++ b/ssl.conf
@@ -44,9 +44,7 @@ SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
-#SSLSessionCache none
-#SSLSessionCache dbm:/var/cache/mod_ssl/scache(512000)
-#SSLSessionCache dc:UNIX/var/cache/mod_ssl/distcache
+#SSLSessionCache dc:UNIX:/var/cache/mod_ssl/distcache
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
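Review bot: The changelog entry in httpd.spec says htsslpass is configured as the default SSLPassPhraseDialog, but this file's only change is to the SSLSessionCache comments, and the hunk header still shows `SSLPassPhraseDialog builtin`. If the default is switched elsewhere (for example in a patch not shown here), a comment next to the directive saying so would avoid confusion; otherwise the directive change appears to be missing. In the hunk itself, removing the `none` and `dbm:` examples leaves no documented alternative to `shmcb`; consider keeping them as commented lines.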