From 0c6af9aa6f4404ba74b7023e753c47b54aa4bccf Mon Sep 17 00:00:00 2001 From: jorton Date: Dec 03 2009 16:11:27 +0000 Subject: - update to 2.2.14 - Requires(pre): httpd in mod_ssl subpackage (#543275) - add partial security fix for CVE-2009-3555 (#533125) - add condrestart in posttrans (#491567) --- diff --git a/httpd-2.0.40-xfsz.patch b/httpd-2.0.40-xfsz.patch deleted file mode 100644 index 2af7384..0000000 --- a/httpd-2.0.40-xfsz.patch +++ /dev/null @@ -1,20 +0,0 @@ - -Set SIGXFSZ to be ignored, so a write() beyond 2gb will fail with -E2BIG rather than killing the process - -Upstream-HEAD: needed -Upstream-2.0: omit -Upstream-Status: Obsoleted by proper LFS support in APR, do it anyway -Upstream-PR: 13511 - ---- ./server/mpm/prefork/prefork.c.xfsz Wed Jul 17 22:39:55 2002 -+++ ./server/mpm/prefork/prefork.c Mon Aug 26 15:40:24 2002 -@@ -461,7 +461,7 @@ - ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXCPU)"); - #endif - #ifdef SIGXFSZ -- sa.sa_handler = SIG_DFL; -+ sa.sa_handler = SIG_IGN; - if (sigaction(SIGXFSZ, &sa, NULL) < 0) - ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXFSZ)"); - #endif diff --git a/httpd-2.0.48-corelimit.patch b/httpd-2.0.48-corelimit.patch deleted file mode 100644 index 583db39..0000000 --- a/httpd-2.0.48-corelimit.patch +++ /dev/null 
@@ -1,36 +0,0 @@ - -Automatically raise the core file size limit if CoreDumpDirectory -is configured. - -Upstream-HEAD: submitted -Upstream-Status: Not so useful on Solaris, discussed -Upstream-Discuss: http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=107831370002083&w=2 - ---- httpd-2.0.48/server/core.c.corelimit -+++ httpd-2.0.48/server/core.c -@@ -4233,6 +4233,25 @@ - - ap_set_version(pconf); - ap_setup_make_content_type(pconf); -+ -+#ifdef RLIMIT_CORE -+ if (ap_coredumpdir_configured) { -+ struct rlimit lim; -+ -+ if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) { -+ lim.rlim_cur = lim.rlim_max; -+ if (setrlimit(RLIMIT_CORE, &lim) == 0) { -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "core dump file size limit raised to %lu bytes", -+ lim.rlim_cur); -+ } else { -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL, -+ "core dump file size is zero, setrlimit failed"); -+ } -+ } -+ } -+#endif -+ - return OK; - } - diff --git a/httpd-2.0.54-selinux.patch b/httpd-2.0.54-selinux.patch deleted file mode 100644 index 6ba8737..0000000 --- a/httpd-2.0.54-selinux.patch +++ /dev/null 
@@ -1,57 +0,0 @@ - -If SELinux is enabled, log the context on startup. - -Upstream-Status: not submitted, needs #ifdef-goodness, probably - not worth the battle - ---- httpd-2.1.10/server/core.c.selinux -+++ httpd-2.1.10/server/core.c -@@ -51,6 +51,8 @@ - - #include "mod_so.h" /* for ap_find_loaded_module_symbol */ - -+#include -+ - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -3745,6 +3747,26 @@ - } - #endif - -+ { -+ static int already_warned = 0; -+ int is_enabled = is_selinux_enabled() > 0; -+ -+ if (is_enabled && !already_warned) { -+ security_context_t con; -+ -+ if (getcon(&con) == 0) { -+ -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "SELinux policy enabled; " -+ "httpd running as context %s", con); -+ -+ already_warned = 1; -+ -+ freecon(con); -+ } -+ } -+ } -+ - return OK; - } - ---- httpd-2.1.10/configure.in.selinux -+++ httpd-2.1.10/configure.in -@@ -382,6 +382,10 @@ - dnl confirm that a void pointer is large enough to store a long integer - APACHE_CHECK_VOID_PTR_LEN - -+AC_CHECK_LIB(selinux, is_selinux_enabled, [ -+ APR_ADDTO(AP_LIBS, [-lselinux]) -+]) -+ - dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs - AC_CACHE_CHECK([for tm_gmtoff in struct tm], ac_cv_struct_tm_gmtoff, - [AC_TRY_COMPILE([#include diff --git a/httpd-2.2.11-corelimit.patch b/httpd-2.2.11-corelimit.patch new file mode 100644 index 0000000..ea9f857 --- /dev/null +++ b/httpd-2.2.11-corelimit.patch 
@@ -0,0 +1,28 @@ +--- httpd-2.2.11/server/core.c.corelimit ++++ httpd-2.2.11/server/core.c +@@ -3777,6 +3779,25 @@ static int core_post_config(apr_pool_t * + + set_banner(pconf); + ap_setup_make_content_type(pconf); ++ ++#ifdef RLIMIT_CORE ++ if (ap_coredumpdir_configured) { ++ struct rlimit lim; ++ ++ if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) { ++ lim.rlim_cur = lim.rlim_max; ++ if (setrlimit(RLIMIT_CORE, &lim) == 0) { ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, ++ "core dump file size limit raised to %lu bytes", ++ lim.rlim_cur); ++ } else { ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL, ++ "core dump file size is zero, setrlimit failed"); ++ } ++ } ++ } ++#endif ++ + return OK; + } + diff --git a/httpd-2.2.11-selinux.patch b/httpd-2.2.11-selinux.patch new file mode 100644 index 0000000..7b1b3cb --- /dev/null +++ b/httpd-2.2.11-selinux.patch 
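Review bot: `lim.rlim_cur` is passed to `%lu` in the NOTICE message, but `rlim_t` is not guaranteed to be `unsigned long` — on 32-bit glibc with `_FILE_OFFSET_BITS=64` it is a 64-bit type, so the varargs read is undefined; the rebased patch carries this over unchanged from the 2.0.48 version. Cast explicitly: `"core dump file size limit raised to %lu bytes", (unsigned long)lim.rlim_cur);`. When `rlim_max` is `RLIM_INFINITY` the same line reports the sentinel as a byte count, which misleads an operator reading the log, so that case deserves its own wording. Because every worker inherits the raised limit from core_post_config, and an httpd core can contain key material and request data, a comment above `#ifdef RLIMIT_CORE` should state that the limit is only raised when CoreDumpDirectory is configured and that the directory's permissions are the operator's responsibility. core_post_config extends beyond the inner hunk.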
@@ -0,0 +1,51 @@ +--- httpd-2.2.11/configure.in.selinux ++++ httpd-2.2.11/configure.in +@@ -412,6 +412,10 @@ getpgid + dnl confirm that a void pointer is large enough to store a long integer + APACHE_CHECK_VOID_PTR_LEN + ++AC_CHECK_LIB(selinux, is_selinux_enabled, [ ++ APR_ADDTO(AP_LIBS, [-lselinux]) ++]) ++ + dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs + AC_CACHE_CHECK([for tm_gmtoff in struct tm], ac_cv_struct_tm_gmtoff, + [AC_TRY_COMPILE([#include +--- httpd-2.2.11/server/core.c.selinux ++++ httpd-2.2.11/server/core.c +@@ -51,6 +51,8 @@ + + #include "mod_so.h" /* for ap_find_loaded_module_symbol */ + ++#include ++ + /* LimitRequestBody handling */ + #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) + #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) +@@ -3796,6 +3798,26 @@ static int core_post_config(apr_pool_t * + } + #endif + ++ { ++ static int already_warned = 0; ++ int is_enabled = is_selinux_enabled() > 0; ++ ++ if (is_enabled && !already_warned) { ++ security_context_t con; ++ ++ if (getcon(&con) == 0) { ++ ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, ++ "SELinux policy enabled; " ++ "httpd running as context %s", con); ++ ++ already_warned = 1; ++ ++ freecon(con); ++ } ++ } ++ } ++ + return OK; + } + diff --git a/httpd-2.2.11-xfsz.patch b/httpd-2.2.11-xfsz.patch new file mode 100644 index 0000000..7f9e16a --- /dev/null +++ b/httpd-2.2.11-xfsz.patch @@ -0,0 +1,11 @@ +--- httpd-2.2.11/server/mpm/prefork/prefork.c.xfsz ++++ httpd-2.2.11/server/mpm/prefork/prefork.c +@@ -399,7 +399,7 @@ static void set_signals(void) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXCPU)"); + #endif + #ifdef SIGXFSZ +- sa.sa_handler = SIG_DFL; ++ sa.sa_handler = SIG_IGN; + if (sigaction(SIGXFSZ, &sa, NULL) < 0) + ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXFSZ)"); + #endif 
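Review bot: In the selinux patch the `is_selinux_enabled()`/`getcon()`/`freecon()` calls added to core_post_config are unconditional, while configure.in only adds `-lselinux` when `AC_CHECK_LIB` succeeds, so a build host without libselinux fails to compile or link instead of quietly skipping the feature. The explicit action given to `AC_CHECK_LIB` replaces the default one, so `HAVE_LIBSELINUX` is not defined either; adding an `AC_DEFINE` in that action and wrapping both the `#include` and the block in the matching `#ifdef` would make the patch self-contained (the deleted 2.0.54 version's own header already flagged the missing `#ifdef`). The `#include` line is shown here without its header argument, which looks like an extraction artefact — confirm the checked-in file names the libselinux header. core_post_config continues outside the inner hunk.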
diff --git a/httpd-2.2.14-CVE-2009-3555.patch b/httpd-2.2.14-CVE-2009-3555.patch
new file mode 100644
index 0000000..60f5763
--- /dev/null
+++ b/httpd-2.2.14-CVE-2009-3555.patch
@@ -0,0 +1,284 @@ +--- httpd-2.2.14/modules/ssl/ssl_engine_init.c.cve3555 ++++ httpd-2.2.14/modules/ssl/ssl_engine_init.c +@@ -501,10 +501,7 @@ static void ssl_init_ctx_callbacks(serve + SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); + +- if (s->loglevel >= APLOG_DEBUG) { +- /* this callback only logs if LogLevel >= info */ +- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState); +- } ++ SSL_CTX_set_info_callback(ctx, ssl_callback_Info); + } + + static void ssl_init_ctx_verify(server_rec *s, +--- httpd-2.2.14/modules/ssl/ssl_engine_io.c.cve3555 ++++ httpd-2.2.14/modules/ssl/ssl_engine_io.c +@@ -103,6 +103,7 @@ typedef struct { + ap_filter_t *pInputFilter; + ap_filter_t *pOutputFilter; + int nobuffer; /* non-zero to prevent buffering */ ++ SSLConnRec *config; + } ssl_filter_ctx_t; + + typedef struct { +@@ -193,7 +194,13 @@ static int bio_filter_out_read(BIO *bio, + static int bio_filter_out_write(BIO *bio, const char *in, int inl) + { + bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); +- ++ ++ /* Abort early if the client has initiated a renegotiation. */ ++ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) { ++ outctx->rc = APR_ECONNABORTED; ++ return -1; ++ } ++ + /* when handshaking we'll have a small number of bytes. + * max size SSL will pass us here is about 16k. + * (16413 bytes to be exact) +@@ -466,6 +473,12 @@ static int bio_filter_in_read(BIO *bio, + if (!in) + return 0; + ++ /* Abort early if the client has initiated a renegotiation. */ ++ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) { ++ inctx->rc = APR_ECONNABORTED; ++ return -1; ++ } ++ + /* XXX: flush here only required for SSLv2; + * OpenSSL calls BIO_flush() at the appropriate times for + * the other protocols. 
+@@ -1724,6 +1737,8 @@ void ssl_io_filter_init(conn_rec *c, SSL + + filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t)); + ++ filter_ctx->config = myConnConfig(c); ++ + filter_ctx->nobuffer = 0; + filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, + filter_ctx, NULL, c); +--- httpd-2.2.14/modules/ssl/ssl_engine_kernel.c.cve3555 ++++ httpd-2.2.14/modules/ssl/ssl_engine_kernel.c +@@ -729,6 +729,10 @@ int ssl_hook_Access(request_rec *r) + (unsigned char *)&id, + sizeof(id)); + ++ /* Toggle the renegotiation state to allow the new ++ * handshake to proceed. */ ++ sslconn->reneg_state = RENEG_ALLOW; ++ + SSL_renegotiate(ssl); + SSL_do_handshake(ssl); + +@@ -750,6 +754,8 @@ int ssl_hook_Access(request_rec *r) + SSL_set_state(ssl, SSL_ST_ACCEPT); + SSL_do_handshake(ssl); + ++ sslconn->reneg_state = RENEG_REJECT; ++ + if (SSL_get_state(ssl) != SSL_ST_OK) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Re-negotiation handshake failed: " +@@ -1844,76 +1850,55 @@ void ssl_callback_DelSessionCacheEntry(S + return; + } + +-/* +- * This callback function is executed while OpenSSL processes the +- * SSL handshake and does SSL record layer stuff. We use it to +- * trace OpenSSL's processing in out SSL logfile. +- */ +-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) ++/* Dump debugginfo trace to the log file. 
*/ ++static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, ++ server_rec *s, int where, int rc) + { +- conn_rec *c; +- server_rec *s; +- SSLSrvConfigRec *sc; +- +- /* +- * find corresponding server +- */ +- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) { +- return; +- } +- +- s = mySrvFromConn(c); +- if (!(sc = mySrvConfig(s))) { +- return; +- } +- + /* + * create the various trace messages + */ +- if (s->loglevel >= APLOG_DEBUG) { +- if (where & SSL_CB_HANDSHAKE_START) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Handshake: start", SSL_LIBRARY_NAME); +- } +- else if (where & SSL_CB_HANDSHAKE_DONE) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Handshake: done", SSL_LIBRARY_NAME); +- } +- else if (where & SSL_CB_LOOP) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Loop: %s", +- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); +- } +- else if (where & SSL_CB_READ) { ++ if (where & SSL_CB_HANDSHAKE_START) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Handshake: start", SSL_LIBRARY_NAME); ++ } ++ else if (where & SSL_CB_HANDSHAKE_DONE) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Handshake: done", SSL_LIBRARY_NAME); ++ } ++ else if (where & SSL_CB_LOOP) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Loop: %s", ++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); ++ } ++ else if (where & SSL_CB_READ) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Read: %s", ++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); ++ } ++ else if (where & SSL_CB_WRITE) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Write: %s", ++ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); ++ } ++ else if (where & SSL_CB_ALERT) { ++ char *str = (where & SSL_CB_READ) ? 
"read" : "write"; ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, ++ "%s: Alert: %s:%s:%s", ++ SSL_LIBRARY_NAME, str, ++ SSL_alert_type_string_long(rc), ++ SSL_alert_desc_string_long(rc)); ++ } ++ else if (where & SSL_CB_EXIT) { ++ if (rc == 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Read: %s", ++ "%s: Exit: failed in %s", + SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + } +- else if (where & SSL_CB_WRITE) { ++ else if (rc < 0) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Write: %s", ++ "%s: Exit: error in %s", + SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); + } +- else if (where & SSL_CB_ALERT) { +- char *str = (where & SSL_CB_READ) ? "read" : "write"; +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Alert: %s:%s:%s", +- SSL_LIBRARY_NAME, str, +- SSL_alert_type_string_long(rc), +- SSL_alert_desc_string_long(rc)); +- } +- else if (where & SSL_CB_EXIT) { +- if (rc == 0) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Exit: failed in %s", +- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); +- } +- else if (rc < 0) { +- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, +- "%s: Exit: error in %s", +- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); +- } +- } + } + + /* +@@ -1933,6 +1918,52 @@ void ssl_callback_LogTracingState(MODSSL + } + } + ++/* ++ * This callback function is executed while OpenSSL processes the SSL ++ * handshake and does SSL record layer stuff. It's used to trap ++ * client-initiated renegotiations, and for dumping everything to the ++ * log. ++ */ ++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) ++{ ++ conn_rec *c; ++ server_rec *s; ++ SSLConnRec *scr; ++ ++ /* Retrieve the conn_rec and the associated SSLConnRec. 
*/ ++ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) { ++ return; ++ } ++ ++ if ((scr = myConnConfig(c)) == NULL) { ++ return; ++ } ++ ++ /* If the reneg state is to reject renegotiations, check the SSL ++ * state machine and move to ABORT if a Client Hello is being ++ * read. */ ++ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { ++ int state = SSL_get_state(ssl); ++ ++ if (state == SSL3_ST_SR_CLNT_HELLO_A ++ || state == SSL23_ST_SR_CLNT_HELLO_A) { ++ scr->reneg_state = RENEG_ABORT; ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, ++ "rejecting client initiated renegotiation"); ++ } ++ } ++ /* If the first handshake is complete, change state to reject any ++ * subsequent client-initated renegotiation. */ ++ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) { ++ scr->reneg_state = RENEG_REJECT; ++ } ++ ++ s = mySrvFromConn(c); ++ if (s && s->loglevel >= APLOG_DEBUG) { ++ log_tracing_state(ssl, c, s, where, rc); ++ } ++} ++ + #ifndef OPENSSL_NO_TLSEXT + /* + * This callback function is executed when OpenSSL encounters an extended +--- httpd-2.2.14/modules/ssl/ssl_private.h.cve3555 ++++ httpd-2.2.14/modules/ssl/ssl_private.h +@@ -356,6 +356,20 @@ typedef struct { + int is_proxy; + int disabled; + int non_ssl_request; ++ ++ /* Track the handshake/renegotiation state for the connection so ++ * that all client-initiated renegotiations can be rejected, as a ++ * partial fix for CVE-2009-3555. 
*/ ++ enum { ++ RENEG_INIT = 0, /* Before initial handshake */ ++ RENEG_REJECT, /* After initial handshake; any client-initiated ++ * renegotiation should be rejected */ ++ RENEG_ALLOW, /* A server-initated renegotiation is taking ++ * place (as dictated by configuration) */ ++ RENEG_ABORT /* Renegotiation initiated by client, abort the ++ * connection */ ++ } reneg_state; ++ + server_rec *server; + } SSLConnRec; + +@@ -574,7 +588,7 @@ int ssl_callback_proxy_cert(SSL + int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); + SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); + void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); +-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int); ++void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int); + #ifndef OPENSSL_NO_TLSEXT + int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); + #endif diff --git a/httpd-2.2.4-oldflush.patch b/httpd-2.2.4-oldflush.patch deleted file mode 100644 index 66d8e93..0000000 --- a/httpd-2.2.4-oldflush.patch +++ /dev/null @@ -1,27 +0,0 @@ - -http://issues.apache.org/bugzilla/show_bug.cgi?id=36780 - -Upstream-Status: committed to trunk, r583817 - ---- httpd-2.2.4/server/util_filter.c.oldflush -+++ httpd-2.2.4/server/util_filter.c -@@ -578,8 +578,18 @@ AP_DECLARE_NONSTD(apr_status_t) ap_filte - void *ctx) - { - ap_filter_t *f = ctx; -+ apr_status_t rv; - -- return ap_pass_brigade(f, bb); -+ rv = ap_pass_brigade(f, bb); -+ -+ /* apr_brigade_write* require that the flush function ensures that -+ * the brigade is empty upon return; otherwise the brigade may be -+ * left with a transient bucket whose contents have fallen out of -+ * scope. Call cleanup here unconditionally to avoid the issue in -+ * all cases. */ -+ apr_brigade_cleanup(bb); -+ -+ return rv; - } - - AP_DECLARE(apr_status_t) ap_fflush(ap_filter_t *f, apr_bucket_brigade *bb) diff --git a/httpd.spec b/httpd.spec index 8826704..e3a7cb4 100644 
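Review bot: The `reneg_state` comment in ssl_private.h calls this a partial fix but does not say what remains open, and the code alone does not tell a reader: `ssl_callback_Info` only moves to `RENEG_ABORT` on a Client Hello while the state is `RENEG_REJECT`, so the `RENEG_ALLOW` window that `ssl_hook_Access` opens for a server-initiated per-directory renegotiation (e.g. an SSLVerifyClient change) accepts whatever handshake arrives, and as I read it that path keeps the CVE-2009-3555 exposure until a protocol-level fix is available. I would extend the enum comment with `Only client-initiated renegotiations are rejected; the RENEG_ALLOW window used for server-initiated per-directory renegotiation is not protected.`. Two smaller points: the BIO abort paths return -1 with `APR_ECONNABORTED` and send no TLS alert, so the only operator-visible signal is the APLOG_ERR line `rejecting client initiated renegotiation` in ssl_callback_Info, which deserves a comment stating that it is the intended detection hook; and `RENEG_INIT = 0` relies on the `SSLConnRec` being zero-allocated, which this hunk does not show — confirm or set it explicitly where the record is created. The inner hunks in ssl_hook_Access cut through the function, so any early return between setting `RENEG_ALLOW` and `RENEG_REJECT` is not visible from here.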
--- a/httpd.spec +++ b/httpd.spec @@ -4,11 +4,9 @@ %define vstring Fedora %define mpms worker event -%define _default_patch_fuzz 2 - Summary: Apache HTTP Server Name: httpd -Version: 2.2.13 +Version: 2.2.14 Release: 1%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz @@ -31,19 +29,21 @@ Patch4: httpd-2.1.10-disablemods.patch Patch5: httpd-2.1.10-layout.patch # Features/functional changes Patch20: httpd-2.0.48-release.patch -Patch21: httpd-2.0.40-xfsz.patch +Patch21: httpd-2.2.11-xfsz.patch Patch22: httpd-2.1.10-pod.patch Patch23: httpd-2.0.45-export.patch -Patch24: httpd-2.0.48-corelimit.patch -Patch25: httpd-2.0.54-selinux.patch +Patch24: httpd-2.2.11-corelimit.patch +Patch25: httpd-2.2.11-selinux.patch Patch26: httpd-2.2.9-suenable.patch # Bug fixes Patch54: httpd-2.2.0-authnoprov.patch +# Security fixes +Patch90: httpd-2.2.14-CVE-2009-3555.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root -BuildRequires: autoconf, perl, pkgconfig, findutils, ed -BuildRequires: db4-devel, expat-devel, zlib-devel, libselinux-devel +BuildRequires: autoconf, perl, pkgconfig, findutils +BuildRequires: zlib-devel, libselinux-devel BuildRequires: apr-devel >= 1.2.0, apr-util-devel >= 1.2.0, pcre-devel >= 5.0 Requires: initscripts >= 8.36, /etc/mime.types, system-logos >= 7.92.1-1 Obsoletes: httpd-suexec @@ -102,6 +102,7 @@ Summary: SSL/TLS module for the Apache HTTP Server Epoch: 1 BuildRequires: openssl-devel, distcache-devel Requires(post): openssl >= 0.9.7f-4, /bin/cat +Requires(pre): httpd Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmn} Obsoletes: stronghold-mod_ssl @@ -118,7 +119,7 @@ Security (TLS) protocols. %patch4 -p1 -b .disablemods %patch5 -p1 -b .layout -%patch21 -p0 -b .xfsz +%patch21 -p1 -b .xfsz %patch22 -p1 -b .pod %patch23 -p1 -b .export %patch24 -p1 -b .corelimit 
@@ -127,6 +128,8 @@ Security (TLS) protocols. %patch54 -p1 -b .authnoprov +%patch90 -p1 -b .cve3555 + # Patch in vendor/release string sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 @@ -349,6 +352,9 @@ if [ $1 = 0 ]; then /sbin/chkconfig --del httpd fi +%posttrans +/sbin/service httpd condrestart >/dev/null 2>&1 || : + %define sslcert %{_sysconfdir}/pki/tls/certs/localhost.crt %define sslkey %{_sysconfdir}/pki/tls/private/localhost.key @@ -480,6 +486,12 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/httpd/build/*.sh %changelog +* Thu Dec 3 2009 Joe Orton - 2.2.14-1 +- update to 2.2.14 +- Requires(pre): httpd in mod_ssl subpackage (#543275) +- add partial security fix for CVE-2009-3555 (#533125) +- add condrestart in posttrans (#491567) + * Sun Aug 23 2009 Joe Orton 2.2.13-1 - update to 2.2.13 - add delaycompress to logrotate config diff --git a/sources b/sources index 21fdcfd..10a5750 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2803e35be6650f5b739e6e91faa824dd httpd-2.2.13.tar.gz +2c1e3c7ba00bcaa0163da7b3e66aaa1e httpd-2.2.14.tar.gz
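Review bot: The new `%posttrans` scriptlet discards all output and forces success (`>/dev/null 2>&1 || :`), so if `condrestart` fails after this upgrade the old, unpatched httpd keeps serving and nothing in the transaction records it — for a package that ships a CVE fix that silence is exactly what an operator needs to see. Keeping `|| :` (a failed scriptlet must not fail the transaction) but letting the initscript's stderr reach the rpm/yum output would be enough: `/sbin/service httpd condrestart >/dev/null || :`. A one-line comment above `%posttrans` naming the bug number and the reason (the running server must pick up the patched mod_ssl) would also spare the next packager a changelog search.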