authorjorton <jorton@fedoraproject.org>2009-12-03 16:11:27 +0000
committerjorton <jorton@fedoraproject.org>2009-12-03 16:11:27 +0000
commit0c6af9aa6f4404ba74b7023e753c47b54aa4bccf (patch)
tree1b0448e78648d693f0615ddbacae4b1fc2c6b668
parent2e7611919c560c9a742a09873add3408c7dec16e (diff)
- update to 2.2.14httpd-2_2_14-1_fc10
- Requires(pre): httpd in mod_ssl subpackage (#543275) - add partial security fix for CVE-2009-3555 (#533125) - add condrestart in posttrans (#491567)
-rw-r--r--httpd-2.0.40-xfsz.patch20
-rw-r--r--httpd-2.2.11-corelimit.patch (renamed from httpd-2.0.48-corelimit.patch)16
-rw-r--r--httpd-2.2.11-selinux.patch (renamed from httpd-2.0.54-selinux.patch)38
-rw-r--r--httpd-2.2.11-xfsz.patch11
-rw-r--r--httpd-2.2.14-CVE-2009-3555.patch284
-rw-r--r--httpd-2.2.4-oldflush.patch27
-rw-r--r--httpd.spec30
-rw-r--r--sources2
8 files changed, 337 insertions, 91 deletions
diff --git a/httpd-2.0.40-xfsz.patch b/httpd-2.0.40-xfsz.patch
deleted file mode 100644
index 2af7384..0000000
--- a/httpd-2.0.40-xfsz.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-
-Set SIGXFSZ to be ignored, so a write() beyond 2gb will fail with
-E2BIG rather than killing the process
-
-Upstream-HEAD: needed
-Upstream-2.0: omit
-Upstream-Status: Obsoleted by proper LFS support in APR, do it anyway
-Upstream-PR: 13511
-
---- ./server/mpm/prefork/prefork.c.xfsz Wed Jul 17 22:39:55 2002
-+++ ./server/mpm/prefork/prefork.c Mon Aug 26 15:40:24 2002
-@@ -461,7 +461,7 @@
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXCPU)");
- #endif
- #ifdef SIGXFSZ
-- sa.sa_handler = SIG_DFL;
-+ sa.sa_handler = SIG_IGN;
- if (sigaction(SIGXFSZ, &sa, NULL) < 0)
- ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXFSZ)");
- #endif
diff --git a/httpd-2.0.48-corelimit.patch b/httpd-2.2.11-corelimit.patch
index 583db39..ea9f857 100644
--- a/httpd-2.0.48-corelimit.patch
+++ b/httpd-2.2.11-corelimit.patch
@@ -1,16 +1,8 @@
-
-Automatically raise the core file size limit if CoreDumpDirectory
-is configured.
-
-Upstream-HEAD: submitted
-Upstream-Status: Not so useful on Solaris, discussed
-Upstream-Discuss: http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=107831370002083&w=2
-
---- httpd-2.0.48/server/core.c.corelimit
-+++ httpd-2.0.48/server/core.c
-@@ -4233,6 +4233,25 @@
+--- httpd-2.2.11/server/core.c.corelimit
++++ httpd-2.2.11/server/core.c
+@@ -3777,6 +3779,25 @@ static int core_post_config(apr_pool_t *
- ap_set_version(pconf);
+ set_banner(pconf);
ap_setup_make_content_type(pconf);
+
+#ifdef RLIMIT_CORE
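Review bot: The rewritten header of httpd-2.2.11-corelimit.patch drops the preamble the old file carried (the "Automatically raise the core file size limit if CoreDumpDirectory is configured" sentence and the Upstream-HEAD/Upstream-Status/Upstream-Discuss lines), so the patch no longer says what it is for or whether upstream has it. The same happens in httpd-2.2.11-selinux.patch, whose old version opened with "If SELinux is enabled, log the context on startup" and an Upstream-Status line, and in the new httpd-2.2.11-xfsz.patch, which loses the "so a write() beyond 2gb will fail with E2BIG rather than killing the process" rationale and the Upstream-PR reference from the deleted httpd-2.0.40-xfsz.patch. GNU patch skips text before the first `---` file header, so restoring a one-line purpose plus the `Upstream-Status:` line at the top of each file costs nothing at `%patch -p1` time and keeps the provenance of the local changes visible to the next packager.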
diff --git a/httpd-2.0.54-selinux.patch b/httpd-2.2.11-selinux.patch
index 6ba8737..7b1b3cb 100644
--- a/httpd-2.0.54-selinux.patch
+++ b/httpd-2.2.11-selinux.patch
@@ -1,11 +1,18 @@
-
-If SELinux is enabled, log the context on startup.
-
-Upstream-Status: not submitted, needs #ifdef-goodness, probably
- not worth the battle
-
---- httpd-2.1.10/server/core.c.selinux
-+++ httpd-2.1.10/server/core.c
+--- httpd-2.2.11/configure.in.selinux
++++ httpd-2.2.11/configure.in
+@@ -412,6 +412,10 @@ getpgid
+ dnl confirm that a void pointer is large enough to store a long integer
+ APACHE_CHECK_VOID_PTR_LEN
+
++AC_CHECK_LIB(selinux, is_selinux_enabled, [
++ APR_ADDTO(AP_LIBS, [-lselinux])
++])
++
+ dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
+ AC_CACHE_CHECK([for tm_gmtoff in struct tm], ac_cv_struct_tm_gmtoff,
+ [AC_TRY_COMPILE([#include <sys/types.h>
+--- httpd-2.2.11/server/core.c.selinux
++++ httpd-2.2.11/server/core.c
@@ -51,6 +51,8 @@
#include "mod_so.h" /* for ap_find_loaded_module_symbol */
@@ -15,7 +22,7 @@ Upstream-Status: not submitted, needs #ifdef-goodness, probably
/* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
-@@ -3745,6 +3747,26 @@
+@@ -3796,6 +3798,26 @@ static int core_post_config(apr_pool_t *
}
#endif
@@ -42,16 +49,3 @@ Upstream-Status: not submitted, needs #ifdef-goodness, probably
return OK;
}
---- httpd-2.1.10/configure.in.selinux
-+++ httpd-2.1.10/configure.in
-@@ -382,6 +382,10 @@
- dnl confirm that a void pointer is large enough to store a long integer
- APACHE_CHECK_VOID_PTR_LEN
-
-+AC_CHECK_LIB(selinux, is_selinux_enabled, [
-+ APR_ADDTO(AP_LIBS, [-lselinux])
-+])
-+
- dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
- AC_CACHE_CHECK([for tm_gmtoff in struct tm], ac_cv_struct_tm_gmtoff,
- [AC_TRY_COMPILE([#include <sys/types.h>
diff --git a/httpd-2.2.11-xfsz.patch b/httpd-2.2.11-xfsz.patch
new file mode 100644
index 0000000..7f9e16a
--- /dev/null
+++ b/httpd-2.2.11-xfsz.patch
@@ -0,0 +1,11 @@
+--- httpd-2.2.11/server/mpm/prefork/prefork.c.xfsz
++++ httpd-2.2.11/server/mpm/prefork/prefork.c
+@@ -399,7 +399,7 @@ static void set_signals(void)
+ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXCPU)");
+ #endif
+ #ifdef SIGXFSZ
+- sa.sa_handler = SIG_DFL;
++ sa.sa_handler = SIG_IGN;
+ if (sigaction(SIGXFSZ, &sa, NULL) < 0)
+ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXFSZ)");
+ #endif
diff --git a/httpd-2.2.14-CVE-2009-3555.patch b/httpd-2.2.14-CVE-2009-3555.patch
new file mode 100644
index 0000000..60f5763
--- /dev/null
+++ b/httpd-2.2.14-CVE-2009-3555.patch
@@ -0,0 +1,284 @@
+--- httpd-2.2.14/modules/ssl/ssl_engine_init.c.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_engine_init.c
+@@ -501,10 +501,7 @@ static void ssl_init_ctx_callbacks(serve
+ SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+
+- if (s->loglevel >= APLOG_DEBUG) {
+- /* this callback only logs if LogLevel >= info */
+- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
+- }
++ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+ }
+
+ static void ssl_init_ctx_verify(server_rec *s,
+--- httpd-2.2.14/modules/ssl/ssl_engine_io.c.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_engine_io.c
+@@ -103,6 +103,7 @@ typedef struct {
+ ap_filter_t *pInputFilter;
+ ap_filter_t *pOutputFilter;
+ int nobuffer; /* non-zero to prevent buffering */
++ SSLConnRec *config;
+ } ssl_filter_ctx_t;
+
+ typedef struct {
+@@ -193,7 +194,13 @@ static int bio_filter_out_read(BIO *bio,
+ static int bio_filter_out_write(BIO *bio, const char *in, int inl)
+ {
+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
+-
++
++ /* Abort early if the client has initiated a renegotiation. */
++ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
++ outctx->rc = APR_ECONNABORTED;
++ return -1;
++ }
++
+ /* when handshaking we'll have a small number of bytes.
+ * max size SSL will pass us here is about 16k.
+ * (16413 bytes to be exact)
+@@ -466,6 +473,12 @@ static int bio_filter_in_read(BIO *bio,
+ if (!in)
+ return 0;
+
++ /* Abort early if the client has initiated a renegotiation. */
++ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
++ inctx->rc = APR_ECONNABORTED;
++ return -1;
++ }
++
+ /* XXX: flush here only required for SSLv2;
+ * OpenSSL calls BIO_flush() at the appropriate times for
+ * the other protocols.
+@@ -1724,6 +1737,8 @@ void ssl_io_filter_init(conn_rec *c, SSL
+
+ filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
+
++ filter_ctx->config = myConnConfig(c);
++
+ filter_ctx->nobuffer = 0;
+ filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
+ filter_ctx, NULL, c);
+--- httpd-2.2.14/modules/ssl/ssl_engine_kernel.c.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_engine_kernel.c
+@@ -729,6 +729,10 @@ int ssl_hook_Access(request_rec *r)
+ (unsigned char *)&id,
+ sizeof(id));
+
++ /* Toggle the renegotiation state to allow the new
++ * handshake to proceed. */
++ sslconn->reneg_state = RENEG_ALLOW;
++
+ SSL_renegotiate(ssl);
+ SSL_do_handshake(ssl);
+
+@@ -750,6 +754,8 @@ int ssl_hook_Access(request_rec *r)
+ SSL_set_state(ssl, SSL_ST_ACCEPT);
+ SSL_do_handshake(ssl);
+
++ sslconn->reneg_state = RENEG_REJECT;
++
+ if (SSL_get_state(ssl) != SSL_ST_OK) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Re-negotiation handshake failed: "
+@@ -1844,76 +1850,55 @@ void ssl_callback_DelSessionCacheEntry(S
+ return;
+ }
+
+-/*
+- * This callback function is executed while OpenSSL processes the
+- * SSL handshake and does SSL record layer stuff. We use it to
+- * trace OpenSSL's processing in out SSL logfile.
+- */
+-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
++/* Dump debugginfo trace to the log file. */
++static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c,
++ server_rec *s, int where, int rc)
+ {
+- conn_rec *c;
+- server_rec *s;
+- SSLSrvConfigRec *sc;
+-
+- /*
+- * find corresponding server
+- */
+- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
+- return;
+- }
+-
+- s = mySrvFromConn(c);
+- if (!(sc = mySrvConfig(s))) {
+- return;
+- }
+-
+ /*
+ * create the various trace messages
+ */
+- if (s->loglevel >= APLOG_DEBUG) {
+- if (where & SSL_CB_HANDSHAKE_START) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Handshake: start", SSL_LIBRARY_NAME);
+- }
+- else if (where & SSL_CB_HANDSHAKE_DONE) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Handshake: done", SSL_LIBRARY_NAME);
+- }
+- else if (where & SSL_CB_LOOP) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Loop: %s",
+- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+- }
+- else if (where & SSL_CB_READ) {
++ if (where & SSL_CB_HANDSHAKE_START) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Handshake: start", SSL_LIBRARY_NAME);
++ }
++ else if (where & SSL_CB_HANDSHAKE_DONE) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Handshake: done", SSL_LIBRARY_NAME);
++ }
++ else if (where & SSL_CB_LOOP) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Loop: %s",
++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++ }
++ else if (where & SSL_CB_READ) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Read: %s",
++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++ }
++ else if (where & SSL_CB_WRITE) {
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Write: %s",
++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
++ }
++ else if (where & SSL_CB_ALERT) {
++ char *str = (where & SSL_CB_READ) ? "read" : "write";
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
++ "%s: Alert: %s:%s:%s",
++ SSL_LIBRARY_NAME, str,
++ SSL_alert_type_string_long(rc),
++ SSL_alert_desc_string_long(rc));
++ }
++ else if (where & SSL_CB_EXIT) {
++ if (rc == 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Read: %s",
++ "%s: Exit: failed in %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+- else if (where & SSL_CB_WRITE) {
++ else if (rc < 0) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Write: %s",
++ "%s: Exit: error in %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+- else if (where & SSL_CB_ALERT) {
+- char *str = (where & SSL_CB_READ) ? "read" : "write";
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Alert: %s:%s:%s",
+- SSL_LIBRARY_NAME, str,
+- SSL_alert_type_string_long(rc),
+- SSL_alert_desc_string_long(rc));
+- }
+- else if (where & SSL_CB_EXIT) {
+- if (rc == 0) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Exit: failed in %s",
+- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+- }
+- else if (rc < 0) {
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+- "%s: Exit: error in %s",
+- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+- }
+- }
+ }
+
+ /*
+@@ -1933,6 +1918,52 @@ void ssl_callback_LogTracingState(MODSSL
+ }
+ }
+
++/*
++ * This callback function is executed while OpenSSL processes the SSL
++ * handshake and does SSL record layer stuff. It's used to trap
++ * client-initiated renegotiations, and for dumping everything to the
++ * log.
++ */
++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
++{
++ conn_rec *c;
++ server_rec *s;
++ SSLConnRec *scr;
++
++ /* Retrieve the conn_rec and the associated SSLConnRec. */
++ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
++ return;
++ }
++
++ if ((scr = myConnConfig(c)) == NULL) {
++ return;
++ }
++
++ /* If the reneg state is to reject renegotiations, check the SSL
++ * state machine and move to ABORT if a Client Hello is being
++ * read. */
++ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
++ int state = SSL_get_state(ssl);
++
++ if (state == SSL3_ST_SR_CLNT_HELLO_A
++ || state == SSL23_ST_SR_CLNT_HELLO_A) {
++ scr->reneg_state = RENEG_ABORT;
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
++ "rejecting client initiated renegotiation");
++ }
++ }
++ /* If the first handshake is complete, change state to reject any
++ * subsequent client-initated renegotiation. */
++ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
++ scr->reneg_state = RENEG_REJECT;
++ }
++
++ s = mySrvFromConn(c);
++ if (s && s->loglevel >= APLOG_DEBUG) {
++ log_tracing_state(ssl, c, s, where, rc);
++ }
++}
++
+ #ifndef OPENSSL_NO_TLSEXT
+ /*
+ * This callback function is executed when OpenSSL encounters an extended
+--- httpd-2.2.14/modules/ssl/ssl_private.h.cve3555
++++ httpd-2.2.14/modules/ssl/ssl_private.h
+@@ -356,6 +356,20 @@ typedef struct {
+ int is_proxy;
+ int disabled;
+ int non_ssl_request;
++
++ /* Track the handshake/renegotiation state for the connection so
++ * that all client-initiated renegotiations can be rejected, as a
++ * partial fix for CVE-2009-3555. */
++ enum {
++ RENEG_INIT = 0, /* Before initial handshake */
++ RENEG_REJECT, /* After initial handshake; any client-initiated
++ * renegotiation should be rejected */
++ RENEG_ALLOW, /* A server-initated renegotiation is taking
++ * place (as dictated by configuration) */
++ RENEG_ABORT /* Renegotiation initiated by client, abort the
++ * connection */
++ } reneg_state;
++
+ server_rec *server;
+ } SSLConnRec;
+
+@@ -574,7 +588,7 @@ int ssl_callback_proxy_cert(SSL
+ int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
+ void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
+ #ifndef OPENSSL_NO_TLSEXT
+ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+ #endif
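Review bot: `bio_filter_out_write` and `bio_filter_in_read` dereference `filter_ctx->config->reneg_state` unconditionally, while `ssl_callback_Info` treats `myConnConfig(c) == NULL` as a reachable case and returns; the two should agree on whether the SSLConnRec can be absent. If `ssl_io_filter_init` is only reached after the connection record is attached (plausible, but its caller is outside the hunk), say so at the assignment, e.g. `filter_ctx->config = myConnConfig(c); /* never NULL: the SSLConnRec is attached before the filters are installed */`, otherwise both BIO paths need the same NULL guard as the callback. The RENEG_INIT → RENEG_REJECT transition on SSL_CB_HANDSHAKE_DONE also relies on a fresh SSLConnRec starting at RENEG_INIT, which `RENEG_INIT = 0` only guarantees if the record is zero-initialised (apr_pcalloc) — not visible here, and worth a comment on the enum since an uninitialised field would silently disable the rejection. In ssl_hook_Access, `reneg_state` is set to RENEG_ALLOW before the first `SSL_do_handshake` and back to RENEG_REJECT only after the second one in a later hunk; any early return in the lines between the two hunks would leave the connection at RENEG_ALLOW, so confirm that failure path aborts the connection or resets the state.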
diff --git a/httpd-2.2.4-oldflush.patch b/httpd-2.2.4-oldflush.patch
deleted file mode 100644
index 66d8e93..0000000
--- a/httpd-2.2.4-oldflush.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-
-http://issues.apache.org/bugzilla/show_bug.cgi?id=36780
-
-Upstream-Status: committed to trunk, r583817
-
---- httpd-2.2.4/server/util_filter.c.oldflush
-+++ httpd-2.2.4/server/util_filter.c
-@@ -578,8 +578,18 @@ AP_DECLARE_NONSTD(apr_status_t) ap_filte
- void *ctx)
- {
- ap_filter_t *f = ctx;
-+ apr_status_t rv;
-
-- return ap_pass_brigade(f, bb);
-+ rv = ap_pass_brigade(f, bb);
-+
-+ /* apr_brigade_write* require that the flush function ensures that
-+ * the brigade is empty upon return; otherwise the brigade may be
-+ * left with a transient bucket whose contents have fallen out of
-+ * scope. Call cleanup here unconditionally to avoid the issue in
-+ * all cases. */
-+ apr_brigade_cleanup(bb);
-+
-+ return rv;
- }
-
- AP_DECLARE(apr_status_t) ap_fflush(ap_filter_t *f, apr_bucket_brigade *bb)
diff --git a/httpd.spec b/httpd.spec
index 8826704..e3a7cb4 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -4,11 +4,9 @@
%define vstring Fedora
%define mpms worker event
-%define _default_patch_fuzz 2
-
Summary: Apache HTTP Server
Name: httpd
-Version: 2.2.13
+Version: 2.2.14
Release: 1%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
@@ -31,19 +29,21 @@ Patch4: httpd-2.1.10-disablemods.patch
Patch5: httpd-2.1.10-layout.patch
# Features/functional changes
Patch20: httpd-2.0.48-release.patch
-Patch21: httpd-2.0.40-xfsz.patch
+Patch21: httpd-2.2.11-xfsz.patch
Patch22: httpd-2.1.10-pod.patch
Patch23: httpd-2.0.45-export.patch
-Patch24: httpd-2.0.48-corelimit.patch
-Patch25: httpd-2.0.54-selinux.patch
+Patch24: httpd-2.2.11-corelimit.patch
+Patch25: httpd-2.2.11-selinux.patch
Patch26: httpd-2.2.9-suenable.patch
# Bug fixes
Patch54: httpd-2.2.0-authnoprov.patch
+# Security fixes
+Patch90: httpd-2.2.14-CVE-2009-3555.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-BuildRequires: autoconf, perl, pkgconfig, findutils, ed
-BuildRequires: db4-devel, expat-devel, zlib-devel, libselinux-devel
+BuildRequires: autoconf, perl, pkgconfig, findutils
+BuildRequires: zlib-devel, libselinux-devel
BuildRequires: apr-devel >= 1.2.0, apr-util-devel >= 1.2.0, pcre-devel >= 5.0
Requires: initscripts >= 8.36, /etc/mime.types, system-logos >= 7.92.1-1
Obsoletes: httpd-suexec
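Review bot: The BuildRequires rewrite drops `ed`, `db4-devel` and `expat-devel`, but neither the commit message nor the new changelog entry records this, so a packager bisecting a build failure on an older branch has nothing to go on. The reason is not visible in the diff (presumably the dependencies are now satisfied via apr-util-devel or no longer needed by the build), so the changelog should at least state the fact, e.g. `- drop db4-devel, expat-devel and ed BuildRequires`, ideally with the reason. The `%patch21 -p0` → `-p1` change in the later hunk matches the new `httpd-2.2.11/` path prefix in the rewritten patches and needs no note.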
@@ -102,6 +102,7 @@ Summary: SSL/TLS module for the Apache HTTP Server
Epoch: 1
BuildRequires: openssl-devel, distcache-devel
Requires(post): openssl >= 0.9.7f-4, /bin/cat
+Requires(pre): httpd
Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmn}
Obsoletes: stronghold-mod_ssl
@@ -118,7 +119,7 @@ Security (TLS) protocols.
%patch4 -p1 -b .disablemods
%patch5 -p1 -b .layout
-%patch21 -p0 -b .xfsz
+%patch21 -p1 -b .xfsz
%patch22 -p1 -b .pod
%patch23 -p1 -b .export
%patch24 -p1 -b .corelimit
@@ -127,6 +128,8 @@ Security (TLS) protocols.
%patch54 -p1 -b .authnoprov
+%patch90 -p1 -b .cve3555
+
# Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
@@ -349,6 +352,9 @@ if [ $1 = 0 ]; then
/sbin/chkconfig --del httpd
fi
+%posttrans
+/sbin/service httpd condrestart >/dev/null 2>&1 || :
+
%define sslcert %{_sysconfdir}/pki/tls/certs/localhost.crt
%define sslkey %{_sysconfdir}/pki/tls/private/localhost.key
@@ -480,6 +486,12 @@ rm -rf $RPM_BUILD_ROOT
%{_libdir}/httpd/build/*.sh
%changelog
+* Thu Dec 3 2009 Joe Orton <jorton@redhat.com> - 2.2.14-1
+- update to 2.2.14
+- Requires(pre): httpd in mod_ssl subpackage (#543275)
+- add partial security fix for CVE-2009-3555 (#533125)
+- add condrestart in posttrans (#491567)
+
* Sun Aug 23 2009 Joe Orton <jorton@redhat.com> 2.2.13-1
- update to 2.2.13
- add delaycompress to logrotate config
diff --git a/sources b/sources
index 21fdcfd..10a5750 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-2803e35be6650f5b739e6e91faa824dd httpd-2.2.13.tar.gz
+2c1e3c7ba00bcaa0163da7b3e66aaa1e httpd-2.2.14.tar.gz