diff --git a/.cvsignore b/.cvsignore
index 5d49569..ec480fa 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-httpd-2.2.11.tar.gz
+httpd-2.2.15.tar.gz
diff --git a/httpd-2.2.14-CVE-2009-3555.patch b/httpd-2.2.14-CVE-2009-3555.patch
deleted file mode 100644
index 60f5763..0000000
--- a/httpd-2.2.14-CVE-2009-3555.patch
+++ /dev/null
@@ -1,284 +0,0 @@ ---- httpd-2.2.14/modules/ssl/ssl_engine_init.c.cve3555 -+++ httpd-2.2.14/modules/ssl/ssl_engine_init.c -@@ -501,10 +501,7 @@ static void ssl_init_ctx_callbacks(serve - SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); - SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); - -- if (s->loglevel >= APLOG_DEBUG) { -- /* this callback only logs if LogLevel >= info */ -- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState); -- } -+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info); - } - - static void ssl_init_ctx_verify(server_rec *s, ---- httpd-2.2.14/modules/ssl/ssl_engine_io.c.cve3555 -+++ httpd-2.2.14/modules/ssl/ssl_engine_io.c -@@ -103,6 +103,7 @@ typedef struct { - ap_filter_t *pInputFilter; - ap_filter_t *pOutputFilter; - int nobuffer; /* non-zero to prevent buffering */ -+ SSLConnRec *config; - } ssl_filter_ctx_t; - - typedef struct { -@@ -193,7 +194,13 @@ static int bio_filter_out_read(BIO *bio, - static int bio_filter_out_write(BIO *bio, const char *in, int inl) - { - bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr); -- -+ -+ /* Abort early if the client has initiated a renegotiation. */ -+ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) { -+ outctx->rc = APR_ECONNABORTED; -+ return -1; -+ } -+ - /* when handshaking we'll have a small number of bytes. - * max size SSL will pass us here is about 16k. - * (16413 bytes to be exact) -@@ -466,6 +473,12 @@ static int bio_filter_in_read(BIO *bio, - if (!in) - return 0; - -+ /* Abort early if the client has initiated a renegotiation. */ -+ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) { -+ inctx->rc = APR_ECONNABORTED; -+ return -1; -+ } -+ - /* XXX: flush here only required for SSLv2; - * OpenSSL calls BIO_flush() at the appropriate times for - * the other protocols. 
-@@ -1724,6 +1737,8 @@ void ssl_io_filter_init(conn_rec *c, SSL - - filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t)); - -+ filter_ctx->config = myConnConfig(c); -+ - filter_ctx->nobuffer = 0; - filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, - filter_ctx, NULL, c); ---- httpd-2.2.14/modules/ssl/ssl_engine_kernel.c.cve3555 -+++ httpd-2.2.14/modules/ssl/ssl_engine_kernel.c -@@ -729,6 +729,10 @@ int ssl_hook_Access(request_rec *r) - (unsigned char *)&id, - sizeof(id)); - -+ /* Toggle the renegotiation state to allow the new -+ * handshake to proceed. */ -+ sslconn->reneg_state = RENEG_ALLOW; -+ - SSL_renegotiate(ssl); - SSL_do_handshake(ssl); - -@@ -750,6 +754,8 @@ int ssl_hook_Access(request_rec *r) - SSL_set_state(ssl, SSL_ST_ACCEPT); - SSL_do_handshake(ssl); - -+ sslconn->reneg_state = RENEG_REJECT; -+ - if (SSL_get_state(ssl) != SSL_ST_OK) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, - "Re-negotiation handshake failed: " -@@ -1844,76 +1850,55 @@ void ssl_callback_DelSessionCacheEntry(S - return; - } - --/* -- * This callback function is executed while OpenSSL processes the -- * SSL handshake and does SSL record layer stuff. We use it to -- * trace OpenSSL's processing in out SSL logfile. -- */ --void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) -+/* Dump debugginfo trace to the log file. 
*/ -+static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, -+ server_rec *s, int where, int rc) - { -- conn_rec *c; -- server_rec *s; -- SSLSrvConfigRec *sc; -- -- /* -- * find corresponding server -- */ -- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) { -- return; -- } -- -- s = mySrvFromConn(c); -- if (!(sc = mySrvConfig(s))) { -- return; -- } -- - /* - * create the various trace messages - */ -- if (s->loglevel >= APLOG_DEBUG) { -- if (where & SSL_CB_HANDSHAKE_START) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Handshake: start", SSL_LIBRARY_NAME); -- } -- else if (where & SSL_CB_HANDSHAKE_DONE) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Handshake: done", SSL_LIBRARY_NAME); -- } -- else if (where & SSL_CB_LOOP) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Loop: %s", -- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -- } -- else if (where & SSL_CB_READ) { -+ if (where & SSL_CB_HANDSHAKE_START) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Handshake: start", SSL_LIBRARY_NAME); -+ } -+ else if (where & SSL_CB_HANDSHAKE_DONE) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Handshake: done", SSL_LIBRARY_NAME); -+ } -+ else if (where & SSL_CB_LOOP) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Loop: %s", -+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -+ } -+ else if (where & SSL_CB_READ) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Read: %s", -+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -+ } -+ else if (where & SSL_CB_WRITE) { -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Write: %s", -+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -+ } -+ else if (where & SSL_CB_ALERT) { -+ char *str = (where & SSL_CB_READ) ? 
"read" : "write"; -+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -+ "%s: Alert: %s:%s:%s", -+ SSL_LIBRARY_NAME, str, -+ SSL_alert_type_string_long(rc), -+ SSL_alert_desc_string_long(rc)); -+ } -+ else if (where & SSL_CB_EXIT) { -+ if (rc == 0) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Read: %s", -+ "%s: Exit: failed in %s", - SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); - } -- else if (where & SSL_CB_WRITE) { -+ else if (rc < 0) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Write: %s", -+ "%s: Exit: error in %s", - SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); - } -- else if (where & SSL_CB_ALERT) { -- char *str = (where & SSL_CB_READ) ? "read" : "write"; -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Alert: %s:%s:%s", -- SSL_LIBRARY_NAME, str, -- SSL_alert_type_string_long(rc), -- SSL_alert_desc_string_long(rc)); -- } -- else if (where & SSL_CB_EXIT) { -- if (rc == 0) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Exit: failed in %s", -- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -- } -- else if (rc < 0) { -- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, -- "%s: Exit: error in %s", -- SSL_LIBRARY_NAME, SSL_state_string_long(ssl)); -- } -- } - } - - /* -@@ -1933,6 +1918,52 @@ void ssl_callback_LogTracingState(MODSSL - } - } - -+/* -+ * This callback function is executed while OpenSSL processes the SSL -+ * handshake and does SSL record layer stuff. It's used to trap -+ * client-initiated renegotiations, and for dumping everything to the -+ * log. -+ */ -+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc) -+{ -+ conn_rec *c; -+ server_rec *s; -+ SSLConnRec *scr; -+ -+ /* Retrieve the conn_rec and the associated SSLConnRec. 
*/ -+ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) { -+ return; -+ } -+ -+ if ((scr = myConnConfig(c)) == NULL) { -+ return; -+ } -+ -+ /* If the reneg state is to reject renegotiations, check the SSL -+ * state machine and move to ABORT if a Client Hello is being -+ * read. */ -+ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) { -+ int state = SSL_get_state(ssl); -+ -+ if (state == SSL3_ST_SR_CLNT_HELLO_A -+ || state == SSL23_ST_SR_CLNT_HELLO_A) { -+ scr->reneg_state = RENEG_ABORT; -+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, -+ "rejecting client initiated renegotiation"); -+ } -+ } -+ /* If the first handshake is complete, change state to reject any -+ * subsequent client-initated renegotiation. */ -+ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) { -+ scr->reneg_state = RENEG_REJECT; -+ } -+ -+ s = mySrvFromConn(c); -+ if (s && s->loglevel >= APLOG_DEBUG) { -+ log_tracing_state(ssl, c, s, where, rc); -+ } -+} -+ - #ifndef OPENSSL_NO_TLSEXT - /* - * This callback function is executed when OpenSSL encounters an extended ---- httpd-2.2.14/modules/ssl/ssl_private.h.cve3555 -+++ httpd-2.2.14/modules/ssl/ssl_private.h -@@ -356,6 +356,20 @@ typedef struct { - int is_proxy; - int disabled; - int non_ssl_request; -+ -+ /* Track the handshake/renegotiation state for the connection so -+ * that all client-initiated renegotiations can be rejected, as a -+ * partial fix for CVE-2009-3555. 
*/ -+ enum { -+ RENEG_INIT = 0, /* Before initial handshake */ -+ RENEG_REJECT, /* After initial handshake; any client-initiated -+ * renegotiation should be rejected */ -+ RENEG_ALLOW, /* A server-initated renegotiation is taking -+ * place (as dictated by configuration) */ -+ RENEG_ABORT /* Renegotiation initiated by client, abort the -+ * connection */ -+ } reneg_state; -+ - server_rec *server; - } SSLConnRec; - -@@ -574,7 +588,7 @@ int ssl_callback_proxy_cert(SSL - int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *); - SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *); - void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *); --void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int); -+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int); - #ifndef OPENSSL_NO_TLSEXT - int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); - #endif diff --git a/httpd-2.2.15.tar.gz.asc b/httpd-2.2.15.tar.gz.asc new file mode 100644 index 0000000..4e1df5b --- /dev/null +++ b/httpd-2.2.15.tar.gz.asc @@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.9 (GNU/Linux) + +iQIcBAABAgAGBQJLjKhHAAoJEKNIuYR/chSnvFwQAIheRJjDn/F3zCS9MW/oxXe2 +goBaTuOnmBCGsdaiGJ/uk3Okxgsjlul3OR6NGQwA1agHwZCosXidCWFptGutFi++ +Joxb0iZPM6H8nuThaZUHIgu35P2IOtZNdwGlw/dgB3zSA2srW6TbIzskFsazozd/ +xplcbgZ+7mCtK076XUUT7COfF5erwTsfwzI1MUGFugKtmP/0ScOU8HeeRECf+ERk +G0xQbizdJITN9ZFNPH6GIx9WxPUB8PZaZ8gBO8arMQxZ6N2TMBldlbbb+gTIJDk6 +PbFeMgbjFHj+XMUmKZ53V5UJTga58clEGAhVLMckkres7iqatoR4c6e6WjRcvbjW +jtcm4Fx79H73gc9xDIQTa7cpapsId+agVMXIZ5EUMe5ykq7oEjONq7sGhaYrlNMj +illZEMLWaKXa+JdKcc3FbxYYhpzlNkR/8oWYjygu3IBkgPM0X3wD7YIOGNRZOe7b +llufYS2g3grFO1pWu/hnX7AfzSVxwjyXBS/7PXvyAaG3iR/62rhmuyVZKxeTYq92 +ooJNeJoObisOfAgyapNV9mGzGR1T6E+bRLuubqIM3aDJ2TYNp71VqAyQFUyPGRTR +ax7nfoAp7QosAmVOzrMj4xSMe8RLhlKrVDs9YaFu4MkNzAXPmHESyA/ZELakufuZ +1gizsJGUooQ7o/xU99HG +=QhkM +-----END PGP SIGNATURE----- 
diff --git a/httpd.spec b/httpd.spec index 7a3a3e1..ea2615e 100644 --- a/httpd.spec +++ b/httpd.spec @@ -6,7 +6,7 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.2.14 +Version: 2.2.15 Release: 1%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz @@ -37,8 +37,6 @@ Patch25: httpd-2.2.11-selinux.patch Patch26: httpd-2.2.9-suenable.patch # Bug fixes Patch54: httpd-2.2.0-authnoprov.patch -# Security fixes -Patch90: httpd-2.2.14-CVE-2009-3555.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -128,8 +126,6 @@ Security (TLS) protocols. %patch54 -p1 -b .authnoprov -%patch90 -p1 -b .cve3555 - # Patch in vendor/release string sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1 @@ -488,6 +484,9 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/httpd/build/*.sh %changelog +* Sun Apr 04 2010 Robert Scheck - 2.2.15-1 +- update to 2.2.15 (#572404, #579311) + * Thu Dec 3 2009 Joe Orton - 2.2.14-1 - update to 2.2.14 - relax permissions on /var/run/httpd (#495780) diff --git a/sources b/sources index 10a5750..6b3f591 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2c1e3c7ba00bcaa0163da7b3e66aaa1e httpd-2.2.14.tar.gz +31fa022dc3c0908c6eaafe73c81c65df httpd-2.2.15.tar.gz diff --git a/upstream b/upstream index 5d49569..a59898a 100644 --- a/upstream +++ b/upstream @@ -1 +1 @@ -httpd-2.2.11.tar.gz +httpd-2.2.14.tar.gz
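Review bot: The `upstream` hunk leaves that file at `httpd-2.2.14.tar.gz` while `.cvsignore`, `sources` and the spec's `Version: 2.2.15` all move to 2.2.15, so the recorded upstream tarball no longer matches what the package builds; the added line should read `httpd-2.2.15.tar.gz`. The httpd.spec changelog entry records only the update and two bug numbers, although the same commit drops `Patch90: httpd-2.2.14-CVE-2009-3555.patch` and its `%patch90 -p1 -b .cve3555` line; if, as the rebase suggests, the renegotiation fix is carried by 2.2.15 itself, a second bullet such as `- drop CVE-2009-3555 patch, fix included upstream` lets a reader confirm the fix was superseded rather than silently removed. The new `httpd-2.2.15.tar.gz.asc` is added next to the tarball, but the visible spec hunks reference only `Source0`, so as far as this diff shows the signature is stored but not consulted at build time.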