authorLuboš Uhliarik <luhliari@redhat.com>2017-10-25 14:28:47 +0200
committerLuboš Uhliarik <luhliari@redhat.com>2017-10-25 14:28:47 +0200
commit16b03b20d8a2c18913e94ab6653c66deb5922ace (patch)
tree615ab431ec5c0c7a8ef1213d7206c5b2586853e0
parent082f3536aa8b73283eede9cf867eefd01c8597fb (diff)
Remove patches that are already included in the upstream source
-rw-r--r--httpd-2.4.27-fixticketkeys.patch65
-rw-r--r--httpd-2.4.27-r1808230.patch131
-rw-r--r--httpd-2.4.4-mod_unique_id.patch239
-rw-r--r--httpd.spec12
4 files changed, 2 insertions, 445 deletions
diff --git a/httpd-2.4.27-fixticketkeys.patch b/httpd-2.4.27-fixticketkeys.patch
deleted file mode 100644
index 3769da9..0000000
--- a/httpd-2.4.27-fixticketkeys.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 4171fbfcb249e63f934471054d7a0752272fb8ee Mon Sep 17 00:00:00 2001
-From: Yann Ylavic <ylavic@apache.org>
-Date: Tue, 22 Mar 2016 13:09:17 +0000
-Subject: [PATCH] mod_ssl: return non ambigous value in
- ssl_callback_SessionTicket() for encryption mode (we used to return 0,
- OpenSSL documents returning 1 instead).
-
-Practically this does not change anything since OpenSSL will only check for
->= 0 return value (non error) for encryption mode (the other possible return
-values are only relevant for decryption mode).
-
-However the OpenSSL documentation for SSL_CTX_set_tlsext_ticket_key_cb()
-states:
-"
-The return value of the cb function is used by OpenSSL to determine what
-further processing will occur. The following return values have meaning:
-
-2
- This indicates that the ctx and hctx have been set and the session can
- continue on those parameters. Additionally it indicates that the session
- ticket is in a renewal period and should be replaced. The OpenSSL library
- will call cb again with an enc argument of 1 to set the new ticket (see
- RFC5077 3.3 paragraph 2).
-
-1
- This indicates that the ctx and hctx have been set and the session can
- continue on those parameters.
-
-0
- This indicates that it was not possible to set/retrieve a session ticket
- and the SSL/TLS session will continue by by negotiating a set of
- cryptographic parameters or using the alternate SSL/TLS resumption
- mechanism, session ids.
- If called with enc equal to 0 the library will call the cb again to get a
- new set of parameters.
-
-less than 0
- This indicates an error.
-"
-
-So 0 is not appropriate in our code, 1 is what we really want (and it won't
-break if OpenSSL later changes its checks on the callback return value).
-
-Reported by: oknet on github, pull request #18.
-
-
-
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1736186 13f79535-47bb-0310-9956-ffa450edef68
----
- modules/ssl/ssl_engine_kernel.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
-index 91da94c4f58..91d5e926d66 100644
---- a/modules/ssl/ssl_engine_kernel.c
-+++ b/modules/ssl/ssl_engine_kernel.c
-@@ -2303,7 +2303,7 @@ int ssl_callback_SessionTicket(SSL *ssl,
- "TLS session ticket key for %s successfully set, "
- "creating new session ticket", sc->vhost_id);
-
-- return 0;
-+ return 1;
- }
- else if (mode == 0) {
- /*
diff --git a/httpd-2.4.27-r1808230.patch b/httpd-2.4.27-r1808230.patch
deleted file mode 100644
index e4062ea..0000000
--- a/httpd-2.4.27-r1808230.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-# ./pullrev.sh 1808230
-http://svn.apache.org/viewvc?view=revision&revision=1808230
-
---- httpd-2.4.27/server/protocol.c
-+++ httpd-2.4.27/server/protocol.c
-@@ -1708,62 +1708,88 @@
- ctx->tmpbb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
- }
-
-- /* Loop through this set of buckets to compute their length
-- */
-+ /* Loop through the brigade to count the length. To avoid
-+ * arbitrary memory consumption with morphing bucket types, this
-+ * loop will stop and pass on the brigade when necessary. */
- e = APR_BRIGADE_FIRST(b);
- while (e != APR_BRIGADE_SENTINEL(b)) {
-+ apr_status_t rv;
-+
- if (APR_BUCKET_IS_EOS(e)) {
- eos = 1;
- break;
- }
-- if (e->length == (apr_size_t)-1) {
-+ /* For a flush bucket, fall through to pass the brigade and
-+ * flush now. */
-+ else if (APR_BUCKET_IS_FLUSH(e)) {
-+ e = APR_BUCKET_NEXT(e);
-+ }
-+ /* For metadata bucket types other than FLUSH, loop. */
-+ else if (APR_BUCKET_IS_METADATA(e)) {
-+ e = APR_BUCKET_NEXT(e);
-+ continue;
-+ }
-+ /* For determinate length data buckets, count the length and
-+ * continue. */
-+ else if (e->length != (apr_size_t)-1) {
-+ r->bytes_sent += e->length;
-+ e = APR_BUCKET_NEXT(e);
-+ continue;
-+ }
-+ /* For indeterminate length data buckets, perform one read. */
-+ else /* e->length == (apr_size_t)-1 */ {
- apr_size_t len;
- const char *ignored;
-- apr_status_t rv;
--
-- /* This is probably a pipe bucket. Send everything
-- * prior to this, and then read the data for this bucket.
-- */
-+
- rv = apr_bucket_read(e, &ignored, &len, eblock);
-+ if ((rv != APR_SUCCESS) && !APR_STATUS_IS_EAGAIN(rv)) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(00574)
-+ "ap_content_length_filter: "
-+ "apr_bucket_read() failed");
-+ return rv;
-+ }
- if (rv == APR_SUCCESS) {
-- /* Attempt a nonblocking read next time through */
- eblock = APR_NONBLOCK_READ;
-+ e = APR_BUCKET_NEXT(e);
- r->bytes_sent += len;
- }
- else if (APR_STATUS_IS_EAGAIN(rv)) {
-- /* Output everything prior to this bucket, and then
-- * do a blocking read on the next batch.
-- */
-- if (e != APR_BRIGADE_FIRST(b)) {
-- apr_bucket *flush;
-- apr_brigade_split_ex(b, e, ctx->tmpbb);
-- flush = apr_bucket_flush_create(r->connection->bucket_alloc);
-+ apr_bucket *flush;
-
-- APR_BRIGADE_INSERT_TAIL(b, flush);
-- rv = ap_pass_brigade(f->next, b);
-- if (rv != APR_SUCCESS || f->c->aborted) {
-- return rv;
-- }
-- apr_brigade_cleanup(b);
-- APR_BRIGADE_CONCAT(b, ctx->tmpbb);
-- e = APR_BRIGADE_FIRST(b);
-+ /* Next read must block. */
-+ eblock = APR_BLOCK_READ;
-
-- ctx->data_sent = 1;
-- }
-- eblock = APR_BLOCK_READ;
-- continue;
-+ /* Ensure the last bucket to pass down is a flush if
-+ * the next read will block. */
-+ flush = apr_bucket_flush_create(f->c->bucket_alloc);
-+ APR_BUCKET_INSERT_BEFORE(e, flush);
- }
-- else {
-- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(00574)
-- "ap_content_length_filter: "
-- "apr_bucket_read() failed");
-- return rv;
-- }
- }
-- else {
-- r->bytes_sent += e->length;
-+
-+ /* Optimization: if the next bucket is EOS (directly after a
-+ * bucket morphed to the heap, or a flush), short-cut to
-+ * handle EOS straight away - allowing C-L to be determined
-+ * for content which is already entirely in memory. */
-+ if (e != APR_BRIGADE_SENTINEL(b) && APR_BUCKET_IS_EOS(e)) {
-+ continue;
- }
-- e = APR_BUCKET_NEXT(e);
-+
-+ /* On reaching here, pass on everything in the brigade up to
-+ * this point. */
-+ apr_brigade_split_ex(b, e, ctx->tmpbb);
-+
-+ rv = ap_pass_brigade(f->next, b);
-+ if (rv != APR_SUCCESS) {
-+ return rv;
-+ }
-+ else if (f->c->aborted) {
-+ return APR_ECONNABORTED;
-+ }
-+ apr_brigade_cleanup(b);
-+ APR_BRIGADE_CONCAT(b, ctx->tmpbb);
-+ e = APR_BRIGADE_FIRST(b);
-+
-+ ctx->data_sent = 1;
- }
-
- /* If we've now seen the entire response and it's otherwise
diff --git a/httpd-2.4.4-mod_unique_id.patch b/httpd-2.4.4-mod_unique_id.patch
deleted file mode 100644
index 30bdfe0..0000000
--- a/httpd-2.4.4-mod_unique_id.patch
+++ /dev/null
@@ -1,239 +0,0 @@
---- trunk/modules/metadata/mod_unique_id.c 2011/12/02 23:02:04 1209766
-+++ trunk/modules/metadata/mod_unique_id.c 2013/07/10 16:20:31 1501827
-@@ -31,14 +31,11 @@
- #include "http_log.h"
- #include "http_protocol.h" /* for ap_hook_post_read_request */
-
--#if APR_HAVE_UNISTD_H
--#include <unistd.h> /* for getpid() */
--#endif
-+#define ROOT_SIZE 10
-
- typedef struct {
- unsigned int stamp;
-- unsigned int in_addr;
-- unsigned int pid;
-+ char root[ROOT_SIZE];
- unsigned short counter;
- unsigned int thread_index;
- } unique_id_rec;
-@@ -64,20 +61,15 @@
- * gethostbyname (gethostname()) is unique across all the machines at the
- * "site".
- *
-- * We also further assume that pids fit in 32-bits. If something uses more
-- * than 32-bits, the fix is trivial, but it requires the unrolled uuencoding
-- * loop to be extended. * A similar fix is needed to support multithreaded
-- * servers, using a pid/tid combo.
-- *
-- * Together, the in_addr and pid are assumed to absolutely uniquely identify
-- * this one child from all other currently running children on all servers
-- * (including this physical server if it is running multiple httpds) from each
-+ * The root is assumed to absolutely uniquely identify this one child
-+ * from all other currently running children on all servers (including
-+ * this physical server if it is running multiple httpds) from each
- * other.
- *
-- * The stamp and counter are used to distinguish all hits for a particular
-- * (in_addr,pid) pair. The stamp is updated using r->request_time,
-- * saving cpu cycles. The counter is never reset, and is used to permit up to
-- * 64k requests in a single second by a single child.
-+ * The stamp and counter are used to distinguish all hits for a
-+ * particular root. The stamp is updated using r->request_time,
-+ * saving cpu cycles. The counter is never reset, and is used to
-+ * permit up to 64k requests in a single second by a single child.
- *
- * The 144-bits of unique_id_rec are encoded using the alphabet
- * [A-Za-z0-9@-], resulting in 24 bytes of printable characters. That is then
-@@ -92,7 +84,7 @@
- * module change.
- *
- * It is highly desirable that identifiers exist for "eternity". But future
-- * needs (such as much faster webservers, moving to 64-bit pids, or moving to a
-+ * needs (such as much faster webservers, or moving to a
- * multithreaded server) may dictate a need to change the contents of
- * unique_id_rec. Such a future implementation should ensure that the first
- * field is still a time_t stamp. By doing that, it is possible for a site to
-@@ -100,7 +92,15 @@
- * wait one entire second, and then start all of their new-servers. This
- * procedure will ensure that the new space of identifiers is completely unique
- * from the old space. (Since the first four unencoded bytes always differ.)
-+ *
-+ * Note: previous implementations used 32-bits of IP address plus pid
-+ * in place of the PRNG output in the "root" field. This was
-+ * insufficient for IPv6-only hosts, required working DNS to determine
-+ * a unique IP address (fragile), and needed a [0, 1) second sleep
-+ * call at startup to avoid pid reuse. Use of the PRNG avoids all
-+ * these issues.
- */
-+
- /*
- * Sun Jun 7 05:43:49 CEST 1998 -- Alvaro
- * More comments:
-@@ -116,8 +116,6 @@
- * htonl/ntohl. Well, this shouldn't be a problem till year 2106.
- */
-
--static unsigned global_in_addr;
--
- /*
- * XXX: We should have a per-thread counter and not use cur_unique_id.counter
- * XXX: in all threads, because this is bad for performance on multi-processor
-@@ -129,7 +127,7 @@
- /*
- * Number of elements in the structure unique_id_rec.
- */
--#define UNIQUE_ID_REC_MAX 5
-+#define UNIQUE_ID_REC_MAX 4
-
- static unsigned short unique_id_rec_offset[UNIQUE_ID_REC_MAX],
- unique_id_rec_size[UNIQUE_ID_REC_MAX],
-@@ -138,113 +136,32 @@
-
- static int unique_id_global_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server)
- {
-- char str[APRMAXHOSTLEN + 1];
-- apr_status_t rv;
-- char *ipaddrstr;
-- apr_sockaddr_t *sockaddr;
--
- /*
- * Calculate the sizes and offsets in cur_unique_id.
- */
- unique_id_rec_offset[0] = APR_OFFSETOF(unique_id_rec, stamp);
- unique_id_rec_size[0] = sizeof(cur_unique_id.stamp);
-- unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, in_addr);
-- unique_id_rec_size[1] = sizeof(cur_unique_id.in_addr);
-- unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, pid);
-- unique_id_rec_size[2] = sizeof(cur_unique_id.pid);
-- unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, counter);
-- unique_id_rec_size[3] = sizeof(cur_unique_id.counter);
-- unique_id_rec_offset[4] = APR_OFFSETOF(unique_id_rec, thread_index);
-- unique_id_rec_size[4] = sizeof(cur_unique_id.thread_index);
-+ unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, root);
-+ unique_id_rec_size[1] = sizeof(cur_unique_id.root);
-+ unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, counter);
-+ unique_id_rec_size[2] = sizeof(cur_unique_id.counter);
-+ unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, thread_index);
-+ unique_id_rec_size[3] = sizeof(cur_unique_id.thread_index);
- unique_id_rec_total_size = unique_id_rec_size[0] + unique_id_rec_size[1] +
-- unique_id_rec_size[2] + unique_id_rec_size[3] +
-- unique_id_rec_size[4];
-+ unique_id_rec_size[2] + unique_id_rec_size[3];
-
- /*
- * Calculate the size of the structure when encoded.
- */
- unique_id_rec_size_uu = (unique_id_rec_total_size*8+5)/6;
-
-- /*
-- * Now get the global in_addr. Note that it is not sufficient to use one
-- * of the addresses from the main_server, since those aren't as likely to
-- * be unique as the physical address of the machine
-- */
-- if ((rv = apr_gethostname(str, sizeof(str) - 1, p)) != APR_SUCCESS) {
-- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01563)
-- "unable to find hostname of the server");
-- return HTTP_INTERNAL_SERVER_ERROR;
-- }
--
-- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET, 0, 0, p)) == APR_SUCCESS) {
-- global_in_addr = sockaddr->sa.sin.sin_addr.s_addr;
-- }
-- else {
-- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01564)
-- "unable to find IPv4 address of \"%s\"", str);
--#if APR_HAVE_IPV6
-- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET6, 0, 0, p)) == APR_SUCCESS) {
-- memcpy(&global_in_addr,
-- (char *)sockaddr->ipaddr_ptr + sockaddr->ipaddr_len - sizeof(global_in_addr),
-- sizeof(global_in_addr));
-- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01565)
-- "using low-order bits of IPv6 address "
-- "as if they were unique");
-- }
-- else
--#endif
-- return HTTP_INTERNAL_SERVER_ERROR;
-- }
--
-- apr_sockaddr_ip_get(&ipaddrstr, sockaddr);
-- ap_log_error(APLOG_MARK, APLOG_INFO, 0, main_server, APLOGNO(01566) "using ip addr %s",
-- ipaddrstr);
--
-- /*
-- * If the server is pummelled with restart requests we could possibly end
-- * up in a situation where we're starting again during the same second
-- * that has been used in previous identifiers. Avoid that situation.
-- *
-- * In truth, for this to actually happen not only would it have to restart
-- * in the same second, but it would have to somehow get the same pids as
-- * one of the other servers that was running in that second. Which would
-- * mean a 64k wraparound on pids ... not very likely at all.
-- *
-- * But protecting against it is relatively cheap. We just sleep into the
-- * next second.
-- */
-- apr_sleep(apr_time_from_sec(1) - apr_time_usec(apr_time_now()));
- return OK;
- }
-
- static void unique_id_child_init(apr_pool_t *p, server_rec *s)
- {
-- pid_t pid;
--
-- /*
-- * Note that we use the pid because it's possible that on the same
-- * physical machine there are multiple servers (i.e. using Listen). But
-- * it's guaranteed that none of them will share the same pids between
-- * children.
-- *
-- * XXX: for multithread this needs to use a pid/tid combo and probably
-- * needs to be expanded to 32 bits
-- */
-- pid = getpid();
-- cur_unique_id.pid = pid;
--
-- /*
-- * Test our assumption that the pid is 32-bits. It's possible that
-- * 64-bit machines will declare pid_t to be 64 bits but only use 32
-- * of them. It would have been really nice to test this during
-- * global_init ... but oh well.
-- */
-- if ((pid_t)cur_unique_id.pid != pid) {
-- ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(01567)
-- "oh no! pids are greater than 32-bits! I'm broken!");
-- }
--
-- cur_unique_id.in_addr = global_in_addr;
-+ ap_random_insecure_bytes(&cur_unique_id.root,
-+ sizeof(cur_unique_id.root));
-
- /*
- * If we use 0 as the initial counter we have a little less protection
-@@ -253,13 +170,6 @@
- */
- ap_random_insecure_bytes(&cur_unique_id.counter,
- sizeof(cur_unique_id.counter));
--
-- /*
-- * We must always use network ordering for these bytes, so that
-- * identifiers are comparable between machines of different byte
-- * orderings. Note in_addr is already in network order.
-- */
-- cur_unique_id.pid = htonl(cur_unique_id.pid);
- }
-
- /* NOTE: This is *NOT* the same encoding used by base64encode ... the last two
-@@ -291,10 +201,8 @@
- unsigned short counter;
- int i,j,k;
-
-- new_unique_id.in_addr = cur_unique_id.in_addr;
-- new_unique_id.pid = cur_unique_id.pid;
-+ memcpy(&new_unique_id.root, &cur_unique_id.root, ROOT_SIZE);
- new_unique_id.counter = cur_unique_id.counter;
--
- new_unique_id.stamp = htonl((unsigned int)apr_time_sec(r->request_time));
- new_unique_id.thread_index = htonl((unsigned int)r->connection->id);
-
diff --git a/httpd.spec b/httpd.spec
index 505f241..ad2efc5 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -69,15 +69,12 @@ Patch30: httpd-2.4.4-cachehardmax.patch
Patch31: httpd-2.4.18-sslmultiproxy.patch
Patch34: httpd-2.4.17-socket-activation.patch
Patch35: httpd-2.4.17-sslciphdefault.patch
+
# Bug fixes
-Patch56: httpd-2.4.4-mod_unique_id.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch58: httpd-2.4.25-r1738878.patch
-Patch60: httpd-2.4.27-r1808230.patch
-# Security fixes
-# https://github.com/apache/httpd/commit/4171fbfcb249e63f934471054d7a0752272fb8ee
-Patch61: httpd-2.4.27-fixticketkeys.patch
+# Security fixes
License: ASL 2.0
Group: System Environment/Daemons
@@ -216,12 +213,7 @@ interface for storing and accessing per-user session data.
%patch31 -p1 -b .sslmultiproxy
%patch34 -p1 -b .socketactivation
%patch35 -p1 -b .sslciphdefault
-
-%patch56 -p1 -b .uniqueid
%patch58 -p1 -b .r1738878
-%patch60 -p1 -b .r1808230
-
-%patch61 -p1 -b .ticketkeys
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
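Review bot: The re-added `# Security fixes` comment at the end of the first hunk now has no Patch entry beneath it, so it is an empty section header; either drop that line or keep the removed upstream-commit URL comment under it so the next security backport has a provenance pointer in the same place. Dropping the three patches is only safe if the Source tarball actually contains r1808230 and the ticket-key fix (r1736186); the Version line is outside both hunks, so that cannot be confirmed here, and a short comment next to the remaining Patch58 such as `# r1736186 and r1808230 are upstream as of <UPSTREAM_VERSION>` would record the reasoning for the next maintainer. The `%patch56`/`%patch60`/`%patch61` removals in the second hunk match the Patch lines removed in the first, so the prep stage stays consistent with the declarations.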