From 5072c65a7ba0a2cda7310b48f4135eb0a5017a8b Mon Sep 17 00:00:00 2001
From: Joe Orton
Date: Jul 18 2018 10:55:03 +0000
Subject: update to 2.4.34 (#1601160)

Resolves: rhbz#1601160
---
diff --git a/httpd-2.4.33-r1738878.patch b/httpd-2.4.33-r1738878.patch
deleted file mode 100644
index d7ef42f..0000000
--- a/httpd-2.4.33-r1738878.patch
+++ /dev/null
@@ -1,137 +0,0 @@ -diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h -index c119a7e..267150a 100644 -diff -uap httpd-2.4.33/modules/proxy/ajp_header.c.r1738878 httpd-2.4.33/modules/proxy/ajp_header.c ---- httpd-2.4.33/modules/proxy/ajp_header.c.r1738878 -+++ httpd-2.4.33/modules/proxy/ajp_header.c -@@ -213,7 +213,8 @@ - - static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg, - request_rec *r, -- apr_uri_t *uri) -+ apr_uri_t *uri, -+ const char *secret) - { - int method; - apr_uint32_t i, num_headers = 0; -@@ -293,17 +294,15 @@ - i, elts[i].key, elts[i].val); - } - --/* XXXX need to figure out how to do this -- if (s->secret) { -+ if (secret) { - if (ajp_msg_append_uint8(msg, SC_A_SECRET) || -- ajp_msg_append_string(msg, s->secret)) { -+ ajp_msg_append_string(msg, secret)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228) -- "Error ajp_marshal_into_msgb - " -+ "ajp_marshal_into_msgb: " - "Error appending secret"); - return APR_EGENERAL; - } - } -- */ - - if (r->user) { - if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) || -@@ -671,7 +670,8 @@ - apr_status_t ajp_send_header(apr_socket_t *sock, - request_rec *r, - apr_size_t buffsize, -- apr_uri_t *uri) -+ apr_uri_t *uri, -+ const char *secret) - { - ajp_msg_t *msg; - apr_status_t rc; -@@ -683,7 +683,7 @@ - return rc; - } - -- rc = ajp_marshal_into_msgb(msg, r, uri); -+ rc = ajp_marshal_into_msgb(msg, r, uri, secret); - if (rc != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988) - "ajp_send_header: ajp_marshal_into_msgb failed"); -diff -uap httpd-2.4.33/modules/proxy/ajp.h.r1738878 httpd-2.4.33/modules/proxy/ajp.h ---- httpd-2.4.33/modules/proxy/ajp.h.r1738878 -+++ httpd-2.4.33/modules/proxy/ajp.h -@@ -413,12 +413,14 @@ - * @param sock backend socket - * @param r current request - * @param buffsize max size of the AJP packet. 
-+ * @param secret authentication secret - * @param uri requested uri - * @return APR_SUCCESS or error - */ - apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r, - apr_size_t buffsize, -- apr_uri_t *uri); -+ apr_uri_t *uri, -+ const char *secret); - - /** - * Read the ajp message and return the type of the message. -diff -uap httpd-2.4.33/modules/proxy/mod_proxy_ajp.c.r1738878 httpd-2.4.33/modules/proxy/mod_proxy_ajp.c ---- httpd-2.4.33/modules/proxy/mod_proxy_ajp.c.r1738878 -+++ httpd-2.4.33/modules/proxy/mod_proxy_ajp.c -@@ -193,6 +193,7 @@ - apr_off_t content_length = 0; - int original_status = r->status; - const char *original_status_line = r->status_line; -+ const char *secret = NULL; - - if (psf->io_buffer_size_set) - maxsize = psf->io_buffer_size; -@@ -202,12 +203,15 @@ - maxsize = AJP_MSG_BUFFER_SZ; - maxsize = APR_ALIGN(maxsize, 1024); - -+ if (*conn->worker->s->secret) -+ secret = conn->worker->s->secret; -+ - /* - * Send the AJP request to the remote server - */ - - /* send request headers */ -- status = ajp_send_header(conn->sock, r, maxsize, uri); -+ status = ajp_send_header(conn->sock, r, maxsize, uri, secret); - if (status != APR_SUCCESS) { - conn->close = 1; - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868) -diff -uap httpd-2.4.33/modules/proxy/mod_proxy.c.r1738878 httpd-2.4.33/modules/proxy/mod_proxy.c ---- httpd-2.4.33/modules/proxy/mod_proxy.c.r1738878 -+++ httpd-2.4.33/modules/proxy/mod_proxy.c -@@ -318,6 +318,12 @@ - (int)sizeof(worker->s->upgrade)); - } - } -+ else if (!strcasecmp(key, "secret")) { -+ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) { -+ return apr_psprintf(p, "Secret length must be < %d characters", -+ (int)sizeof(worker->s->secret)); -+ } -+ } - else { - if (set_worker_hc_param_f) { - return set_worker_hc_param_f(p, s, worker, key, val, NULL); -diff -uap httpd-2.4.33/modules/proxy/mod_proxy.h.r1738878 httpd-2.4.33/modules/proxy/mod_proxy.h ---- 
httpd-2.4.33/modules/proxy/mod_proxy.h.r1738878 -+++ httpd-2.4.33/modules/proxy/mod_proxy.h -@@ -353,6 +353,7 @@ - #define PROXY_WORKER_MAX_HOSTNAME_SIZE 64 - #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE - #define PROXY_BALANCER_MAX_STICKY_SIZE 64 -+#define PROXY_WORKER_MAX_SECRET_SIZE 64 - - #define PROXY_RFC1035_HOSTNAME_SIZE 256 - -@@ -447,6 +448,7 @@ - apr_interval_time_t interval; - char upgrade[PROXY_WORKER_MAX_SCHEME_SIZE];/* upgrade protocol used by mod_proxy_wstunnel */ - char hostname_ex[PROXY_RFC1035_HOSTNAME_SIZE]; /* RFC1035 compliant version of the remote backend address */ -+ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */ - } proxy_worker_shared; - - #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared))) diff --git a/httpd-2.4.33-r1833841.patch b/httpd-2.4.33-r1833841.patch deleted file mode 100644 index 749d67f..0000000 --- a/httpd-2.4.33-r1833841.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -# ./pullrev.sh 1833841 -http://svn.apache.org/viewvc?view=revision&revision=1833841 - ---- httpd-2.4.33/modules/http/http_request.c -+++ httpd-2.4.33/modules/http/http_request.c -@@ -345,6 +345,16 @@ - return rv; - } - -+#define RETRIEVE_BRIGADE_FROM_POOL(bb, key, pool, allocator) do { \ -+ apr_pool_userdata_get((void **)&bb, key, pool); \ -+ if (bb == NULL) { \ -+ bb = apr_brigade_create(pool, allocator); \ -+ apr_pool_userdata_setn((const void *)bb, key, NULL, pool); \ -+ } \ -+ else { \ -+ apr_brigade_cleanup(bb); \ -+ } \ -+} while(0) - - AP_DECLARE(void) ap_process_request_after_handler(request_rec *r) - { -@@ -357,7 +367,8 @@ - * this bucket is destroyed, the request will be logged and - * its pool will be freed - */ -- bb = apr_brigade_create(c->pool, c->bucket_alloc); -+ RETRIEVE_BRIGADE_FROM_POOL(bb, "ap_process_request_after_handler_brigade", -+ c->pool, c->bucket_alloc); - b = ap_bucket_eor_create(c->bucket_alloc, r); - APR_BRIGADE_INSERT_HEAD(bb, b); - -@@ -383,7 +394,7 @@ - */ - rv = ap_check_pipeline(c, bb, DEFAULT_LIMIT_BLANK_LINES); - c->data_in_input_filters = (rv == APR_SUCCESS); -- apr_brigade_destroy(bb); -+ apr_brigade_cleanup(bb); - - if (c->cs) - c->cs->state = (c->aborted) ? CONN_STATE_LINGER -@@ -477,7 +488,8 @@ - ap_process_async_request(r); - - if (!c->data_in_input_filters) { -- bb = apr_brigade_create(c->pool, c->bucket_alloc); -+ RETRIEVE_BRIGADE_FROM_POOL(bb, "ap_process_request_brigade", -+ c->pool, c->bucket_alloc); - b = apr_bucket_flush_create(c->bucket_alloc); - APR_BRIGADE_INSERT_HEAD(bb, b); - rv = ap_pass_brigade(c->output_filters, bb); -@@ -490,6 +502,7 @@ - ap_log_cerror(APLOG_MARK, APLOG_INFO, rv, c, APLOGNO(01581) - "flushing data to the client"); - } -+ apr_brigade_cleanup(bb); - } - if (ap_extended_status) { - ap_time_process_request(c->sbh, STOP_PREQUEST); diff --git a/httpd-2.4.33-sslmerging.patch b/httpd-2.4.33-sslmerging.patch deleted file mode 100644 index 066b5c8..0000000 
--- a/httpd-2.4.33-sslmerging.patch +++ /dev/null @@ -1,15 +0,0 @@ - -https://bugzilla.redhat.com/show_bug.cgi?id=1564537 - ---- httpd-2.4.33/modules/ssl/ssl_engine_init.c.sslmerging -+++ httpd-2.4.33/modules/ssl/ssl_engine_init.c -@@ -261,7 +261,8 @@ - * the protocol is https. */ - if (ap_get_server_protocol(s) - && strcmp("https", ap_get_server_protocol(s)) == 0 -- && sc->enabled == SSL_ENABLED_UNSET) { -+ && sc->enabled == SSL_ENABLED_UNSET -+ && (!apr_is_empty_array(sc->server->pks->cert_files))) { - sc->enabled = SSL_ENABLED_TRUE; - } - diff --git a/httpd-2.4.34-r1738878.patch b/httpd-2.4.34-r1738878.patch new file mode 100644 index 0000000..5af48f5 --- /dev/null +++ b/httpd-2.4.34-r1738878.patch 
@@ -0,0 +1,130 @@ +--- httpd-2.4.34/modules/proxy/ajp_header.c.r1738878 ++++ httpd-2.4.34/modules/proxy/ajp_header.c +@@ -213,7 +213,8 @@ + + static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg, + request_rec *r, +- apr_uri_t *uri) ++ apr_uri_t *uri, ++ const char *secret) + { + int method; + apr_uint32_t i, num_headers = 0; +@@ -293,17 +294,15 @@ + i, elts[i].key, elts[i].val); + } + +-/* XXXX need to figure out how to do this +- if (s->secret) { ++ if (secret) { + if (ajp_msg_append_uint8(msg, SC_A_SECRET) || +- ajp_msg_append_string(msg, s->secret)) { ++ ajp_msg_append_string(msg, secret)) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228) +- "Error ajp_marshal_into_msgb - " ++ "ajp_marshal_into_msgb: " + "Error appending secret"); + return APR_EGENERAL; + } + } +- */ + + if (r->user) { + if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) || +@@ -671,7 +670,8 @@ + apr_status_t ajp_send_header(apr_socket_t *sock, + request_rec *r, + apr_size_t buffsize, +- apr_uri_t *uri) ++ apr_uri_t *uri, ++ const char *secret) + { + ajp_msg_t *msg; + apr_status_t rc; +@@ -683,7 +683,7 @@ + return rc; + } + +- rc = ajp_marshal_into_msgb(msg, r, uri); ++ rc = ajp_marshal_into_msgb(msg, r, uri, secret); + if (rc != APR_SUCCESS) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988) + "ajp_send_header: ajp_marshal_into_msgb failed"); +--- httpd-2.4.34/modules/proxy/ajp.h.r1738878 ++++ httpd-2.4.34/modules/proxy/ajp.h +@@ -413,12 +413,14 @@ + * @param sock backend socket + * @param r current request + * @param buffsize max size of the AJP packet. ++ * @param secret authentication secret + * @param uri requested uri + * @return APR_SUCCESS or error + */ + apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r, + apr_size_t buffsize, +- apr_uri_t *uri); ++ apr_uri_t *uri, ++ const char *secret); + + /** + * Read the ajp message and return the type of the message. 
+--- httpd-2.4.34/modules/proxy/mod_proxy_ajp.c.r1738878 ++++ httpd-2.4.34/modules/proxy/mod_proxy_ajp.c +@@ -193,6 +193,7 @@ + apr_off_t content_length = 0; + int original_status = r->status; + const char *original_status_line = r->status_line; ++ const char *secret = NULL; + + if (psf->io_buffer_size_set) + maxsize = psf->io_buffer_size; +@@ -202,12 +203,15 @@ + maxsize = AJP_MSG_BUFFER_SZ; + maxsize = APR_ALIGN(maxsize, 1024); + ++ if (*conn->worker->s->secret) ++ secret = conn->worker->s->secret; ++ + /* + * Send the AJP request to the remote server + */ + + /* send request headers */ +- status = ajp_send_header(conn->sock, r, maxsize, uri); ++ status = ajp_send_header(conn->sock, r, maxsize, uri, secret); + if (status != APR_SUCCESS) { + conn->close = 1; + ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868) +--- httpd-2.4.34/modules/proxy/mod_proxy.c.r1738878 ++++ httpd-2.4.34/modules/proxy/mod_proxy.c +@@ -319,6 +319,12 @@ + (int)sizeof(worker->s->upgrade)); + } + } ++ else if (!strcasecmp(key, "secret")) { ++ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) { ++ return apr_psprintf(p, "Secret length must be < %d characters", ++ (int)sizeof(worker->s->secret)); ++ } ++ } + else if (!strcasecmp(key, "responsefieldsize")) { + long s = atol(val); + if (s < 0) { +--- httpd-2.4.34/modules/proxy/mod_proxy.h.r1738878 ++++ httpd-2.4.34/modules/proxy/mod_proxy.h +@@ -357,6 +357,7 @@ + #define PROXY_WORKER_MAX_HOSTNAME_SIZE 64 + #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE + #define PROXY_BALANCER_MAX_STICKY_SIZE 64 ++#define PROXY_WORKER_MAX_SECRET_SIZE 64 + + #define PROXY_RFC1035_HOSTNAME_SIZE 256 + +@@ -453,6 +454,7 @@ + char hostname_ex[PROXY_RFC1035_HOSTNAME_SIZE]; /* RFC1035 compliant version of the remote backend address */ + apr_size_t response_field_size; /* Size of proxy response buffer in bytes. 
*/ + unsigned int response_field_size_set:1; ++ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */ + } proxy_worker_shared; + + #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared))) diff --git a/httpd.spec b/httpd.spec index 8f22536..8e30af1 100644 --- a/httpd.spec +++ b/httpd.spec @@ -12,8 +12,8 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.33 -Release: 10%{?dist} +Version: 2.4.34 +Release: 1%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -78,10 +78,7 @@ Patch36: httpd-2.4.33-r1830819+.patch # Bug fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 -Patch58: httpd-2.4.33-r1738878.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=1564537 -Patch59: httpd-2.4.33-sslmerging.patch -Patch60: httpd-2.4.33-r1833841.patch +Patch58: httpd-2.4.34-r1738878.patch # Security fixes @@ -230,7 +227,7 @@ interface for storing and accessing per-user session data. %patch23 -p1 -b .export %patch24 -p1 -b .corelimit %patch25 -p1 -b .selinux -%patch26 -p1 -b .r1337344+ +#patch26 -p1 -b .r1337344+ %patch27 -p1 -b .icons %patch29 -p1 -b .systemd %patch30 -p1 -b .cachehardmax @@ -240,8 +237,6 @@ interface for storing and accessing per-user session data. %patch36 -p1 -b .r1830819+ %patch58 -p1 -b .r1738878 -%patch59 -p1 -b .sslmerging -%patch60 -p1 -b .r1833841 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -730,6 +725,9 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Jul 18 2018 Joe Orton - 2.4.34-1 +- update to 2.4.34 (#1601160) + * Mon Jul 16 2018 Joe Orton - 2.4.33-10 - don't block on service try-restart in posttrans scriptlet - add Lua-based /server-status example page to docs
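Review bot: In the mod_proxy.c section of the added patch, the `secret` branch accepts an empty value, and mod_proxy_ajp.c then treats an empty buffer as no secret (`if (*conn->worker->s->secret)`), so a `secret=` left blank in configuration would send requests without the SC_A_SECRET attribute and without any error. Rejecting it at parse time closes that gap: `if (!*val) return "Secret must not be empty";` ahead of the `PROXY_STRNCPY` call. The branch also sits in the generic worker-parameter chain with no visible scheme check, so the parameter is presumably accepted and ignored on non-AJP workers; the enclosing function starts and ends outside the hunk, so that is worth confirming there. A comment on the new `secret` field in mod_proxy.h should say that the value is held in cleartext in `proxy_worker_shared` and marshalled as a plain string by `ajp_msg_append_string`, so it authenticates the proxy to the backend but does not protect the link. In ajp.h the new `@param secret` line belongs after `@param uri` to match the prototype.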
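Review bot: The %prep hunk turns `%patch26 -p1 -b .r1337344+` into the comment `#patch26 -p1 -b .r1337344+`, but no visible hunk removes the matching `Patch26:` declaration, and the changelog entry records only `update to 2.4.34`. Either drop the patch together with its declaration or say why it is disabled, for example `# Patch26 disabled for 2.4.34: <reason>` above the line, with the reason filled in by the author. The same gap applies to Patch59 and Patch60: the changelog should state that the fixes tracked as rhbz#1564537 and r1833841 are contained in 2.4.34, if that is the case, so the removal can be audited later.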