From 48b77b39daf0c2fd850a0cc107d05c2e25c63f5d Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jul 18 2016 14:14:28 +0000 Subject: import httpd-2.4.6-40.el7_2.4 --- diff --git a/.gitignore b/.gitignore index 260a2d6..9969f1d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ SOURCES/httpd-2.4.6.tar.bz2 -SOURCES/centos-noindex.tar.gz diff --git a/.httpd.metadata b/.httpd.metadata index 17ede1b..d335a99 100644 --- a/.httpd.metadata +++ b/.httpd.metadata @@ -1,2 +1 @@ 16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2 -6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz diff --git a/SOURCES/httpd-2.4.6-CVE-2016-5387.patch b/SOURCES/httpd-2.4.6-CVE-2016-5387.patch new file mode 100644 index 0000000..9f22044 --- /dev/null +++ b/SOURCES/httpd-2.4.6-CVE-2016-5387.patch @@ -0,0 +1,16 @@ + +https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387 + +--- httpd-2.4.6/server/util_script.c.cve5387 ++++ httpd-2.4.6/server/util_script.c +@@ -190,6 +190,10 @@ + continue; + } + #endif ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ /* Don't pass through HTTP_PROXY */ ++ continue; ++ } + else + add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val); + } diff --git a/SOURCES/httpd-2.4.6-r1560093.patch b/SOURCES/httpd-2.4.6-r1560093.patch new file mode 100644 index 0000000..664699a --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1560093.patch @@ -0,0 +1,16 @@ +# ./pullrev.sh 1560093 + +https://bugzilla.redhat.com/show_bug.cgi?id=1331341 + +http://svn.apache.org/viewvc?view=revision&revision=1560093 + +--- httpd-2.4.6/modules/cache/mod_cache.c ++++ httpd-2.4.6/modules/cache/mod_cache.c +@@ -1130,7 +1130,6 @@ + "Content-Range"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Content-Type"))) +- || ((reason = cache_header_cmp(r->pool, left, right, "Expires"))) + || ((reason = cache_header_cmp(r->pool, left, right, "ETag"))) + || ((reason = cache_header_cmp(r->pool, left, right, + "Last-Modified")))) { diff --git a/SOURCES/httpd-2.4.6-r1748212.patch b/SOURCES/httpd-2.4.6-r1748212.patch new file mode 100644 index 0000000..69ff27f --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1748212.patch @@ -0,0 +1,70 @@ +# ./pullrev.sh 1748212 +http://svn.apache.org/viewvc?view=revision&revision=1748212 + +https://bugzilla.redhat.com/show_bug.cgi?id=1343582 + +diff -uap httpd-2.4.6/include/httpd.h.r1748212 httpd-2.4.6/include/httpd.h +--- httpd-2.4.6/include/httpd.h.r1748212 ++++ httpd-2.4.6/include/httpd.h +@@ -477,7 +477,7 @@ AP_DECLARE(const char *) ap_get_server_b + * When adding a new code here add it to status_lines as well. + * A future version should dynamically generate the apr_table_t at startup. + */ +-#define RESPONSE_CODES 83 ++#define RESPONSE_CODES 103 + + #define HTTP_CONTINUE 100 + #define HTTP_SWITCHING_PROTOCOLS 101 +@@ -525,6 +525,7 @@ AP_DECLARE(const char *) ap_get_server_b + #define HTTP_PRECONDITION_REQUIRED 428 + #define HTTP_TOO_MANY_REQUESTS 429 + #define HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE 431 ++#define HTTP_UNAVAILABLE_FOR_LEGAL_REASONS 451 + #define HTTP_INTERNAL_SERVER_ERROR 500 + #define HTTP_NOT_IMPLEMENTED 501 + #define HTTP_BAD_GATEWAY 502 +diff -uap httpd-2.4.6/modules/http/http_protocol.c.r1748212 httpd-2.4.6/modules/http/http_protocol.c +--- httpd-2.4.6/modules/http/http_protocol.c.r1748212 ++++ httpd-2.4.6/modules/http/http_protocol.c +@@ -146,7 +146,27 @@ static const char * const status_lines[R + "429 Too Many Requests", + NULL, /* 430 */ + "431 Request Header Fields Too Large", +-#define LEVEL_500 71 ++ NULL, /* 432 */ ++ NULL, /* 433 */ ++ NULL, /* 434 */ ++ NULL, /* 435 */ ++ NULL, /* 436 */ ++ NULL, /* 437 */ ++ NULL, /* 438 */ ++ NULL, /* 439 */ ++ NULL, /* 440 */ ++ NULL, /* 441 */ ++ NULL, /* 442 */ ++ NULL, /* 443 */ ++ NULL, /* 444 */ ++ NULL, /* 445 */ ++ NULL, /* 446 */ ++ NULL, /* 447 */ ++ NULL, /* 448 */ ++ NULL, /* 449 */ ++ NULL, /* 450 */ ++ "451 Unavailable For Legal Reasons", ++#define LEVEL_500 91 + "500 Internal Server Error", + "501 Not Implemented", + "502 Bad Gateway", +@@ -1295,6 +1315,12 @@ static const char *get_canned_error_stri + case HTTP_NETWORK_AUTHENTICATION_REQUIRED: + return("

The client needs to authenticate to gain\n" + "network access.

\n"); ++ case HTTP_UNAVAILABLE_FOR_LEGAL_REASONS: ++ s1 = apr_pstrcat(p, ++ "

Access to ", ap_escape_html(r->pool, r->uri), ++ "\nhas been denied for legal reasons.
\n", ++ NULL); ++ return(add_optional_notes(r, s1, "error-notes", "

\n")); + default: /* HTTP_INTERNAL_SERVER_ERROR */ + /* + * This comparison to expose error-notes could be modified to diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf index c1b6c11..5d1e452 100644 --- a/SOURCES/welcome.conf +++ b/SOURCES/welcome.conf @@ -16,7 +16,3 @@ Alias /.noindex.html /usr/share/httpd/noindex/index.html -Alias /noindex/css/bootstrap.min.css /usr/share/httpd/noindex/css/bootstrap.min.css -Alias /noindex/css/open-sans.css /usr/share/httpd/noindex/css/open-sans.css -Alias /images/apache_pb.gif /usr/share/httpd/noindex/images/apache_pb.gif -Alias /images/poweredby.png /usr/share/httpd/noindex/images/poweredby.png diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index 39ceacb..8c8a96e 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -4,7 +4,7 @@ %define mmn 20120211 %define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits} %define mmnisa %{mmn}%{__isa_name}%{__isa_bits} -%define vstring CentOS +%define vstring %(source /etc/os-release; echo ${REDHAT_SUPPORT_PRODUCT}) # Drop automatic provides for module DSOs %{?filter_setup: @@ -15,10 +15,10 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.6 -Release: 40%{?dist}.1 +Release: 40%{?dist}.4 URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 -Source1: centos-noindex.tar.gz +Source1: index.html Source2: httpd.logrotate Source3: httpd.sysconf Source4: httpd-ssl-pass-dialog @@ -110,6 +110,8 @@ Patch90: httpd-2.4.6-apachectl-status.patch Patch91: httpd-2.4.6-r1650655.patch Patch92: httpd-2.4.6-r1533448.patch Patch93: httpd-2.4.6-r1610013.patch +Patch105: httpd-2.4.6-r1560093.patch +Patch106: httpd-2.4.6-r1748212.patch # Security fixes Patch200: httpd-2.4.6-CVE-2013-6438.patch Patch201: httpd-2.4.6-CVE-2014-0098.patch @@ -122,6 +124,7 @@ Patch207: httpd-2.4.6-CVE-2013-5704.patch Patch208: httpd-2.4.6-CVE-2014-3581.patch Patch209: httpd-2.4.6-CVE-2015-3185.patch Patch210: httpd-2.4.6-CVE-2015-3183.patch +Patch211: httpd-2.4.6-CVE-2016-5387.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -294,6 +297,8 @@ rm modules/ssl/ssl_engine_dh.c %patch91 -p1 -b .r1650655 %patch92 -p1 -b .r1533448 %patch93 -p1 -b .r1610013 +%patch105 -p1 -b .r1560093 +%patch106 -p1 -b .r1748212 %patch200 -p1 -b .cve6438 %patch201 -p1 -b .cve0098 @@ -306,6 +311,7 @@ rm modules/ssl/ssl_engine_dh.c %patch208 -p1 -b .cve3581 %patch209 -p1 -b .cve3185 %patch210 -p1 -b .cve3183 +%patch211 -p1 -b .cve5387 # Patch in the vendor string and the release string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -459,10 +465,8 @@ EOF # Handle contentdir mkdir $RPM_BUILD_ROOT%{contentdir}/noindex -tar xzf $RPM_SOURCE_DIR/centos-noindex.tar.gz \ - -C $RPM_BUILD_ROOT%{contentdir}/noindex/ \ - --strip-components=1 - +install -m 644 -p $RPM_SOURCE_DIR/index.html \ + $RPM_BUILD_ROOT%{contentdir}/noindex/index.html rm -rf %{contentdir}/htdocs # remove manual sources @@ -485,7 +489,7 @@ rm -v $RPM_BUILD_ROOT%{docroot}/html/*.html \ $RPM_BUILD_ROOT%{docroot}/cgi-bin/* # Symlink for the powered-by-$DISTRO image: -ln -s ../noindex/images/poweredby.png \ +ln -s ../../pixmaps/poweredby.png \ $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png # symlinks for /etc/httpd @@ -671,7 +675,7 @@ rm -rf $RPM_BUILD_ROOT %{contentdir}/error/README %{contentdir}/error/*.var %{contentdir}/error/include/*.html -%{contentdir}/noindex/* +%{contentdir}/noindex/index.html %dir %{docroot} %dir %{docroot}/cgi-bin @@ -737,11 +741,14 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog -* Thu May 12 2016 CentOS Sources - 2.4.6-40.el7.centos.1 -- Remove index.html, add centos-noindex.tar.gz -- change vstring -- change symlink for poweredby.png -- update welcome.conf with proper aliases +* Tue Jul 12 2016 Joe Orton - 2.4.6-40.4 +- add security fix for CVE-2016-5387 + +* Thu Jul 7 2016 Joe Orton - 2.4.6-40.3 +- add 451 (Unavailable For Legal Reasons) response status-code (#1353269) + +* Fri Jun 17 2016 Joe Orton - 2.4.6-40.2 +- mod_cache: treat cache as valid with changed Expires in 304 (#1347648) * Mon Mar 21 2016 Jan Kaluza - 2.4.6-40.1 - fix apache user creation when apache group already exists (#1319001)