diff --git a/SOURCES/httpd-2.4.6-CVE-2013-6438.patch b/SOURCES/httpd-2.4.6-CVE-2013-6438.patch
new file mode 100644
index 0000000..1b154f5
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2013-6438.patch
@@ -0,0 +1,14 @@
+--- a/modules/dav/main/util.c 2014/01/09 14:28:39 1556815
++++ b/modules/dav/main/util.c 2014/01/09 14:29:47 1556816
+@@ -396,8 +396,10 @@
+
+ if (strip_white) {
+ /* trim leading whitespace */
+- while (apr_isspace(*cdata)) /* assume: return false for '\0' */
++ while (apr_isspace(*cdata)) { /* assume: return false for '\0' */
+ ++cdata;
++ --len;
++ }
+
+ /* trim trailing whitespace */
+ while (len-- > 0 && apr_isspace(cdata[len]))
diff --git a/SOURCES/httpd-2.4.6-CVE-2014-0098.patch b/SOURCES/httpd-2.4.6-CVE-2014-0098.patch
new file mode 100644
index 0000000..64d5064
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2014-0098.patch
@@ -0,0 +1,41 @@
+--- a/modules/loggers/mod_log_config.c 2013/11/15 17:07:52 1542329
++++ b/modules/loggers/mod_log_config.c 2014/03/10 11:23:47 1575904
+@@ -543,14 +543,24 @@
+
+ while ((cookie = apr_strtok(cookies, ";", &last1))) {
+ char *name = apr_strtok(cookie, "=", &last2);
+- if (name) {
+- char *value = name + strlen(name) + 1;
+- apr_collapse_spaces(name, name);
++ /* last2 points to the next char following an '=' delim,
++ or the trailing NUL char of the string */
++ char *value = last2;
++ if (name && *name && value && *value) {
++ char *last = value - 2;
++ /* Move past leading WS */
++ name += strspn(name, " \t");
++ while (last >= name && apr_isspace(*last)) {
++ *last = '\0';
++ --last;
++ }
+
+ if (!strcasecmp(name, a)) {
+- char *last;
+- value += strspn(value, " \t"); /* Move past leading WS */
+- last = value + strlen(value) - 1;
++ /* last1 points to the next char following the ';' delim,
++ or the trailing NUL char of the string */
++ last = last1 - (*last1 ? 2 : 1);
++ /* Move past leading WS */
++ value += strspn(value, " \t");
+ while (last >= value && apr_isspace(*last)) {
+ *last = '\0';
+ --last;
+@@ -559,6 +569,7 @@
+ return ap_escape_logitem(r->pool, value);
+ }
+ }
++ /* Iterate the remaining tokens using apr_strtok(NULL, ...) */
+ cookies = NULL;
+ }
+ }
diff --git a/SOURCES/httpd-2.4.6-r1507681+.patch b/SOURCES/httpd-2.4.6-r1507681+.patch
new file mode 100644
index 0000000..82a3b41
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1507681+.patch
@@ -0,0 +1,62 @@
+# ./pullrev.sh 1507681 1533447
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1004046
+
+http://svn.apache.org/viewvc?view=revision&revision=1507681
+http://svn.apache.org/viewvc?view=revision&revision=1533447
+
+--- httpd-2.4.6/modules/dav/main/mod_dav.c
++++ httpd-2.4.6/modules/dav/main/mod_dav.c
+@@ -2756,7 +2756,7 @@
+ * The multistatus responses will contain the information about any
+ * resource that fails the validation.
+ *
+- * We check the parent resource, too, since this is a MOVE. Moving the
++ * We check the parent resource, too, if this is a MOVE. Moving the
+ * resource effectively removes it from the parent collection, so we
+ * must ensure that we have met the appropriate conditions.
+ *
+@@ -2765,7 +2765,9 @@
+ */
+ if ((err = dav_validate_request(r, resource, depth, NULL,
+ &multi_response,
+- DAV_VALIDATE_PARENT
++ (is_move ? DAV_VALIDATE_PARENT
++ : DAV_VALIDATE_RESOURCE
++ | DAV_VALIDATE_NO_MODIFY)
+ | DAV_VALIDATE_USE_424,
+ NULL)) != NULL) {
+ err = dav_push_error(r->pool, err->status, 0,
+--- httpd-2.4.6/modules/dav/main/util.c
++++ httpd-2.4.6/modules/dav/main/util.c
+@@ -954,13 +954,16 @@
+ /*
+ ** For methods other than LOCK:
+ **
+- ** If we have no locks, then <seen_locktoken> can be set to true --
++ ** If we have no locks or if the resource is not being modified
++ ** (per RFC 4918 the lock token is not required on resources
++ ** we are not changing), then <seen_locktoken> can be set to true --
+ ** pretending that we've already met the requirement of seeing one
+ ** of the resource's locks in the If: header.
+ **
+ ** Otherwise, it must be cleared and we'll look for one.
+ */
+- seen_locktoken = (lock_list == NULL);
++ seen_locktoken = (lock_list == NULL
++ || flags & DAV_VALIDATE_NO_MODIFY);
+ }
+
+ /*
+--- httpd-2.4.6/modules/dav/main/mod_dav.h
++++ httpd-2.4.6/modules/dav/main/mod_dav.h
+@@ -1297,6 +1297,9 @@
+ the 424 DAV:response */
+ #define DAV_VALIDATE_USE_424 0x0080 /* return 424 status, not 207 */
+ #define DAV_VALIDATE_IS_PARENT 0x0100 /* for internal use */
++#define DAV_VALIDATE_NO_MODIFY 0x0200 /* resource is not being modified
++ so allow even if lock token
++ is not provided */
+
+ /* Lock-null related public lock functions */
+ DAV_DECLARE(int) dav_get_resource_state(request_rec *r,
diff --git a/SOURCES/httpd-2.4.6-r1542327.patch b/SOURCES/httpd-2.4.6-r1542327.patch
new file mode 100644
index 0000000..b11b535
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1542327.patch
@@ -0,0 +1,868 @@
+# ./pullrev.sh 1542327
+http://svn.apache.org/viewvc?view=revision&revision=1542327
+
+--- httpd-2.4.6/LAYOUT.r1542327
++++ httpd-2.4.6/LAYOUT
+@@ -108,7 +108,6 @@ modules/ ................ Manditory and
+ mod_ssl.c ............... main source file containing API structures
+ mod_ssl.h ............... common header file of mod_ssl
+ ssl_engine_config.c ..... module configuration handling
+- ssl_engine_dh.c ......... DSA/DH support
+ ssl_engine_init.c ....... module initialization
+ ssl_engine_io.c ......... I/O support
+ ssl_engine_kernel.c ..... SSL engine kernel
+--- httpd-2.4.6/modules/ssl/config.m4.r1542327
++++ httpd-2.4.6/modules/ssl/config.m4
+@@ -20,7 +20,6 @@ dnl # list of module object files
+ ssl_objs="dnl
+ mod_ssl.lo dnl
+ ssl_engine_config.lo dnl
+-ssl_engine_dh.lo dnl
+ ssl_engine_init.lo dnl
+ ssl_engine_io.lo dnl
+ ssl_engine_kernel.lo dnl
+--- httpd-2.4.6/modules/ssl/mod_ssl.c.r1542327
++++ httpd-2.4.6/modules/ssl/mod_ssl.c
+@@ -515,15 +515,6 @@ int ssl_init_ssl_connection(conn_rec *c,
+
+ sslconn->ssl = ssl;
+
+- /*
+- * Configure callbacks for SSL connection
+- */
+- SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA);
+- SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH);
+-#ifndef OPENSSL_NO_EC
+- SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH);
+-#endif
+-
+ SSL_set_verify_result(ssl, X509_V_OK);
+
+ ssl_io_filter_init(c, r, ssl);
+--- httpd-2.4.6/modules/ssl/mod_ssl.dsp.r1542327
++++ httpd-2.4.6/modules/ssl/mod_ssl.dsp
+@@ -112,10 +112,6 @@ SOURCE=.\ssl_engine_config.c
+ # End Source File
+ # Begin Source File
+
+-SOURCE=.\ssl_engine_dh.c
+-# End Source File
+-# Begin Source File
+-
+ SOURCE=.\ssl_engine_init.c
+ # End Source File
+ # Begin Source File
+--- httpd-2.4.6/modules/ssl/ssl_engine_config.c.r1542327
++++ httpd-2.4.6/modules/ssl/ssl_engine_config.c
+@@ -76,8 +76,6 @@ SSLModConfigRec *ssl_config_global_creat
+ mc->stapling_mutex = NULL;
+ #endif
+
+- memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
+-
+ apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
+ apr_pool_cleanup_null,
+ pool);
+--- httpd-2.4.6/modules/ssl/ssl_engine_dh.c.r1542327
++++ httpd-2.4.6/modules/ssl/ssl_engine_dh.c
+@@ -1,244 +0,0 @@
+-#if 0
+-=pod
+-#endif
+-
+-/* Licensed to the Apache Software Foundation (ASF) under one or more
+- * contributor license agreements. See the NOTICE file distributed with
+- * this work for additional information regarding copyright ownership.
+- * The ASF licenses this file to You under the Apache License, Version 2.0
+- * (the "License"); you may not use this file except in compliance with
+- * the License. You may obtain a copy of the License at
+- *
+- * http://www.apache.org/licenses/LICENSE-2.0
+- *
+- * Unless required by applicable law or agreed to in writing, software
+- * distributed under the License is distributed on an "AS IS" BASIS,
+- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+- * See the License for the specific language governing permissions and
+- * limitations under the License.
+- */
+-
+-/* _ _
+- * _ __ ___ ___ __| | ___ ___| | mod_ssl
+- * | '_ ` _ \ / _ \ / _` | / __/ __| | Apache Interface to OpenSSL
+- * | | | | | | (_) | (_| | \__ \__ \ |
+- * |_| |_| |_|\___/ \__,_|___|___/___/_|
+- * |_____|
+- * ssl_engine_dh.c
+- * Diffie-Hellman Built-in Temporary Parameters
+- */
+-
+-#include "ssl_private.h"
+-
+-/* ----BEGIN GENERATED SECTION-------- */
+-
+-/*
+-** Diffie-Hellman-Parameters: (512 bit)
+-** prime:
+-** 00:9f:db:8b:8a:00:45:44:f0:04:5f:17:37:d0:ba:
+-** 2e:0b:27:4c:df:1a:9f:58:82:18:fb:43:53:16:a1:
+-** 6e:37:41:71:fd:19:d8:d8:f3:7c:39:bf:86:3f:d6:
+-** 0e:3e:30:06:80:a3:03:0c:6e:4c:37:57:d0:8f:70:
+-** e6:aa:87:10:33
+-** generator: 2 (0x2)
+-** Diffie-Hellman-Parameters: (1024 bit)
+-** prime:
+-** 00:d6:7d:e4:40:cb:bb:dc:19:36:d6:93:d3:4a:fd:
+-** 0a:d5:0c:84:d2:39:a4:5f:52:0b:b8:81:74:cb:98:
+-** bc:e9:51:84:9f:91:2e:63:9c:72:fb:13:b4:b4:d7:
+-** 17:7e:16:d5:5a:c1:79:ba:42:0b:2a:29:fe:32:4a:
+-** 46:7a:63:5e:81:ff:59:01:37:7b:ed:dc:fd:33:16:
+-** 8a:46:1a:ad:3b:72:da:e8:86:00:78:04:5b:07:a7:
+-** db:ca:78:74:08:7d:15:10:ea:9f:cc:9d:dd:33:05:
+-** 07:dd:62:db:88:ae:aa:74:7d:e0:f4:d6:e2:bd:68:
+-** b0:e7:39:3e:0f:24:21:8e:b3
+-** generator: 2 (0x2)
+-*/
+-
+-static unsigned char dh512_p[] = {
+- 0x9F, 0xDB, 0x8B, 0x8A, 0x00, 0x45, 0x44, 0xF0, 0x04, 0x5F, 0x17, 0x37,
+- 0xD0, 0xBA, 0x2E, 0x0B, 0x27, 0x4C, 0xDF, 0x1A, 0x9F, 0x58, 0x82, 0x18,
+- 0xFB, 0x43, 0x53, 0x16, 0xA1, 0x6E, 0x37, 0x41, 0x71, 0xFD, 0x19, 0xD8,
+- 0xD8, 0xF3, 0x7C, 0x39, 0xBF, 0x86, 0x3F, 0xD6, 0x0E, 0x3E, 0x30, 0x06,
+- 0x80, 0xA3, 0x03, 0x0C, 0x6E, 0x4C, 0x37, 0x57, 0xD0, 0x8F, 0x70, 0xE6,
+- 0xAA, 0x87, 0x10, 0x33,
+-};
+-static unsigned char dh512_g[] = {
+- 0x02,
+-};
+-
+-static DH *get_dh512(void)
+-{
+- DH *dh;
+-
+- if (!(dh = DH_new())) {
+- return NULL;
+- }
+-
+- dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
+- dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
+- if (!(dh->p && dh->g)) {
+- DH_free(dh);
+- return NULL;
+- }
+-
+- return dh;
+-}
+-
+-static unsigned char dh1024_p[] = {
+- 0xD6, 0x7D, 0xE4, 0x40, 0xCB, 0xBB, 0xDC, 0x19, 0x36, 0xD6, 0x93, 0xD3,
+- 0x4A, 0xFD, 0x0A, 0xD5, 0x0C, 0x84, 0xD2, 0x39, 0xA4, 0x5F, 0x52, 0x0B,
+- 0xB8, 0x81, 0x74, 0xCB, 0x98, 0xBC, 0xE9, 0x51, 0x84, 0x9F, 0x91, 0x2E,
+- 0x63, 0x9C, 0x72, 0xFB, 0x13, 0xB4, 0xB4, 0xD7, 0x17, 0x7E, 0x16, 0xD5,
+- 0x5A, 0xC1, 0x79, 0xBA, 0x42, 0x0B, 0x2A, 0x29, 0xFE, 0x32, 0x4A, 0x46,
+- 0x7A, 0x63, 0x5E, 0x81, 0xFF, 0x59, 0x01, 0x37, 0x7B, 0xED, 0xDC, 0xFD,
+- 0x33, 0x16, 0x8A, 0x46, 0x1A, 0xAD, 0x3B, 0x72, 0xDA, 0xE8, 0x86, 0x00,
+- 0x78, 0x04, 0x5B, 0x07, 0xA7, 0xDB, 0xCA, 0x78, 0x74, 0x08, 0x7D, 0x15,
+- 0x10, 0xEA, 0x9F, 0xCC, 0x9D, 0xDD, 0x33, 0x05, 0x07, 0xDD, 0x62, 0xDB,
+- 0x88, 0xAE, 0xAA, 0x74, 0x7D, 0xE0, 0xF4, 0xD6, 0xE2, 0xBD, 0x68, 0xB0,
+- 0xE7, 0x39, 0x3E, 0x0F, 0x24, 0x21, 0x8E, 0xB3,
+-};
+-static unsigned char dh1024_g[] = {
+- 0x02,
+-};
+-
+-static DH *get_dh1024(void)
+-{
+- DH *dh;
+-
+- if (!(dh = DH_new())) {
+- return NULL;
+- }
+-
+- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+- if (!(dh->p && dh->g)) {
+- DH_free(dh);
+- return NULL;
+- }
+-
+- return dh;
+-}
+-
+-/* ----END GENERATED SECTION---------- */
+-
+-DH *ssl_dh_GetTmpParam(int nKeyLen)
+-{
+- DH *dh;
+-
+- if (nKeyLen == 512)
+- dh = get_dh512();
+- else if (nKeyLen == 1024)
+- dh = get_dh1024();
+- else
+- dh = get_dh1024();
+- return dh;
+-}
+-
+-DH *ssl_dh_GetParamFromFile(char *file)
+-{
+- DH *dh = NULL;
+- BIO *bio;
+-
+- if ((bio = BIO_new_file(file, "r")) == NULL)
+- return NULL;
+- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+- BIO_free(bio);
+- return (dh);
+-}
+-
+-/*
+-=cut
+-##
+-## Embedded Perl script for generating the temporary DH parameters
+-##
+-
+-require 5.003;
+-use strict;
+-
+-# configuration
+-my $file = $0;
+-my $begin = '----BEGIN GENERATED SECTION--------';
+-my $end = '----END GENERATED SECTION----------';
+-
+-# read ourself and keep a backup
+-open(FP, "<$file") || die;
+-my $source = '';
+-$source .= $_ while (<FP>);
+-close(FP);
+-open(FP, ">$file.bak") || die;
+-print FP $source;
+-close(FP);
+-
+-# generate the DH parameters
+-print "1. Generate 512 and 1024 bit Diffie-Hellman parameters (p, g)\n";
+-my $rand = '';
+-foreach $file (qw(/var/log/messages /var/adm/messages
+- /kernel /vmunix /vmlinuz /etc/hosts /etc/resolv.conf)) {
+- if (-f $file) {
+- $rand = $file if ($rand eq '');
+- $rand .= ":$file" if ($rand ne '');
+- }
+-}
+-$rand = "-rand $rand" if ($rand ne '');
+-system("openssl gendh $rand -out dh512.pem 512");
+-system("openssl gendh $rand -out dh1024.pem 1024");
+-
+-# generate DH param info
+-my $dhinfo = '';
+-open(FP, "openssl dh -noout -text -in dh512.pem |") || die;
+-$dhinfo .= $_ while (<FP>);
+-close(FP);
+-open(FP, "openssl dh -noout -text -in dh1024.pem |") || die;
+-$dhinfo .= $_ while (<FP>);
+-close(FP);
+-$dhinfo =~ s|^|** |mg;
+-$dhinfo = "\n\/\*\n$dhinfo\*\/\n\n";
+-
+-my $indent_args = "-i4 -npsl -di0 -br -nce -d0 -cli0 -npcs -nfc1";
+-
+-# generate C source from DH params
+-my $dhsource = '';
+-open(FP, "openssl dh -noout -C -in dh512.pem | indent $indent_args | expand |") || die;
+-$dhsource .= $_ while (<FP>);
+-close(FP);
+-open(FP, "openssl dh -noout -C -in dh1024.pem | indent $indent_args | expand |") || die;
+-$dhsource .= $_ while (<FP>);
+-close(FP);
+-$dhsource =~ s|(DH\s+\*get_dh)(\d+)[^}]*\n}|static $1$2(void)
+-{
+- DH *dh;
+-
+- if (!(dh = DH_new())) {
+- return NULL;
+- }
+-
+- dh->p = BN_bin2bn(dh$2_p, sizeof(dh$2_p), NULL);
+- dh->g = BN_bin2bn(dh$2_g, sizeof(dh$2_g), NULL);
+- if (!(dh->p && dh->g)) {
+- DH_free(dh);
+- return NULL;
+- }
+-
+- return dh;
+-}
+-|sg;
+-
+-# generate output
+-my $o = $dhinfo . $dhsource;
+-
+-# insert the generated code at the target location
+-$source =~ s|(\/\* $begin.+?\n).*\n(.*?\/\* $end)|$1$o$2|s;
+-
+-# and update the source on disk
+-print "Updating file `$file'\n";
+-open(FP, ">$file") || die;
+-print FP $source;
+-close(FP);
+-
+-# cleanup
+-unlink("dh512.pem");
+-unlink("dh1024.pem");
+-
+-=pod
+-*/
+--- httpd-2.4.6/modules/ssl/ssl_engine_init.c.r1542327
++++ httpd-2.4.6/modules/ssl/ssl_engine_init.c
+@@ -56,180 +56,6 @@ static void ssl_add_version_components(a
+ modver, AP_SERVER_BASEVERSION, incver);
+ }
+
+-
+-/*
+- * Handle the Temporary RSA Keys and DH Params
+- */
+-
+-#define MODSSL_TMP_KEY_FREE(mc, type, idx) \
+- if (mc->pTmpKeys[idx]) { \
+- type##_free((type *)mc->pTmpKeys[idx]); \
+- mc->pTmpKeys[idx] = NULL; \
+- }
+-
+-#define MODSSL_TMP_KEYS_FREE(mc, type) \
+- MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_512); \
+- MODSSL_TMP_KEY_FREE(mc, type, SSL_TMP_KEY_##type##_1024)
+-
+-static void ssl_tmp_keys_free(server_rec *s)
+-{
+- SSLModConfigRec *mc = myModConfig(s);
+-
+- MODSSL_TMP_KEYS_FREE(mc, RSA);
+- MODSSL_TMP_KEYS_FREE(mc, DH);
+-#ifndef OPENSSL_NO_EC
+- MODSSL_TMP_KEY_FREE(mc, EC_KEY, SSL_TMP_KEY_EC_256);
+-#endif
+-}
+-
+-static int ssl_tmp_key_init_rsa(server_rec *s,
+- int bits, int idx)
+-{
+- SSLModConfigRec *mc = myModConfig(s);
+-
+-#ifdef HAVE_FIPS
+-
+- if (FIPS_mode() && bits < 1024) {
+- mc->pTmpKeys[idx] = NULL;
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01877)
+- "Init: Skipping generating temporary "
+- "%d bit RSA private key in FIPS mode", bits);
+- return OK;
+- }
+-
+-#endif
+-#ifdef HAVE_GENERATE_EX
+- {
+- RSA *tkey;
+- BIGNUM *bn_f4;
+- if (!(tkey = RSA_new())
+- || !(bn_f4 = BN_new())
+- || !BN_set_word(bn_f4, RSA_F4)
+- || !RSA_generate_key_ex(tkey, bits, bn_f4, NULL))
+- {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01878)
+- "Init: Failed to generate temporary "
+- "%d bit RSA private key", bits);
+- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+- return !OK;
+- }
+- BN_free(bn_f4);
+- mc->pTmpKeys[idx] = tkey;
+- }
+-#else
+- if (!(mc->pTmpKeys[idx] =
+- RSA_generate_key(bits, RSA_F4, NULL, NULL)))
+- {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01879)
+- "Init: Failed to generate temporary "
+- "%d bit RSA private key", bits);
+- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, s);
+- return !OK;
+- }
+-#endif
+-
+- return OK;
+-}
+-
+-static int ssl_tmp_key_init_dh(server_rec *s,
+- int bits, int idx)
+-{
+- SSLModConfigRec *mc = myModConfig(s);
+-
+-#ifdef HAVE_FIPS
+-
+- if (FIPS_mode() && bits < 1024) {
+- mc->pTmpKeys[idx] = NULL;
+- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01880)
+- "Init: Skipping generating temporary "
+- "%d bit DH parameters in FIPS mode", bits);
+- return OK;
+- }
+-
+-#endif
+-
+- if (!(mc->pTmpKeys[idx] =
+- ssl_dh_GetTmpParam(bits)))
+- {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(01881)
+- "Init: Failed to generate temporary "
+- "%d bit DH parameters", bits);
+- return !OK;
+- }
+-
+- return OK;
+-}
+-
+-#ifndef OPENSSL_NO_EC
+-static int ssl_tmp_key_init_ec(server_rec *s,
+- int bits, int idx)
+-{
+- SSLModConfigRec *mc = myModConfig(s);
+- EC_KEY *ecdh = NULL;
+-
+- /* XXX: Are there any FIPS constraints we should enforce? */
+-
+- if (bits != 256) {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02298)
+- "Init: Failed to generate temporary "
+- "%d bit EC parameters, only 256 bits supported", bits);
+- return !OK;
+- }
+-
+- if ((ecdh = EC_KEY_new()) == NULL ||
+- EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1)
+- {
+- ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02299)
+- "Init: Failed to generate temporary "
+- "%d bit EC parameters", bits);
+- return !OK;
+- }
+-
+- mc->pTmpKeys[idx] = ecdh;
+- return OK;
+-}
+-
+-#define MODSSL_TMP_KEY_INIT_EC(s, bits) \
+- ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits)
+-
+-#endif
+-
+-#define MODSSL_TMP_KEY_INIT_RSA(s, bits) \
+- ssl_tmp_key_init_rsa(s, bits, SSL_TMP_KEY_RSA_##bits)
+-
+-#define MODSSL_TMP_KEY_INIT_DH(s, bits) \
+- ssl_tmp_key_init_dh(s, bits, SSL_TMP_KEY_DH_##bits)
+-
+-static int ssl_tmp_keys_init(server_rec *s)
+-{
+- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
+- "Init: Generating temporary RSA private keys (512/1024 bits)");
+-
+- if (MODSSL_TMP_KEY_INIT_RSA(s, 512) ||
+- MODSSL_TMP_KEY_INIT_RSA(s, 1024)) {
+- return !OK;
+- }
+-
+- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
+- "Init: Generating temporary DH parameters (512/1024 bits)");
+-
+- if (MODSSL_TMP_KEY_INIT_DH(s, 512) ||
+- MODSSL_TMP_KEY_INIT_DH(s, 1024)) {
+- return !OK;
+- }
+-
+-#ifndef OPENSSL_NO_EC
+- ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s,
+- "Init: Generating temporary EC parameters (256 bits)");
+-
+- if (MODSSL_TMP_KEY_INIT_EC(s, 256)) {
+- return !OK;
+- }
+-#endif
+-
+- return OK;
+-}
+-
+ /*
+ * Per-module initialization
+ */
+@@ -370,10 +196,6 @@ int ssl_init_Module(apr_pool_t *p, apr_p
+ */
+ ssl_pphrase_Handle(base_server, ptemp);
+
+- if (ssl_tmp_keys_init(base_server)) {
+- return !OK;
+- }
+-
+ /*
+ * initialize the mutex handling
+ */
+@@ -681,6 +503,9 @@ static void ssl_init_ctx_protocol(server
+ * Configure additional context ingredients
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
++#ifndef OPENSSL_NO_EC
++ SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
++#endif
+
+ #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
+ /*
+@@ -721,11 +546,7 @@ static void ssl_init_ctx_callbacks(serve
+ {
+ SSL_CTX *ctx = mctx->ssl_ctx;
+
+- SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
+ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
+-#ifndef OPENSSL_NO_EC
+- SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH);
+-#endif
+
+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+
+@@ -1165,12 +986,16 @@ static void ssl_init_server_certs(server
+ modssl_ctx_t *mctx)
+ {
+ const char *rsa_id, *dsa_id;
+-#ifndef OPENSSL_NO_EC
++#ifndef OPENSSL_NO_EC
+ const char *ecc_id;
++ EC_GROUP *ecparams;
++ int nid;
++ EC_KEY *eckey;
+ #endif
+ const char *vhost_id = mctx->sc->vhost_id;
+ int i;
+ int have_rsa, have_dsa;
++ DH *dhparams;
+ #ifndef OPENSSL_NO_EC
+ int have_ecc;
+ #endif
+@@ -1217,6 +1042,40 @@ static void ssl_init_server_certs(server
+ "Oops, no " KEYTYPES " server private key found?!");
+ ssl_die(s);
+ }
++
++ /*
++ * Try to read DH parameters from the (first) SSLCertificateFile
++ */
++ if ((mctx->pks->cert_files[0] != NULL) &&
++ (dhparams = ssl_dh_GetParamFromFile(mctx->pks->cert_files[0]))) {
++ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams);
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
++ "Custom DH parameters (%d bits) for %s loaded from %s",
++ BN_num_bits(dhparams->p), vhost_id,
++ mctx->pks->cert_files[0]);
++ }
++
++#ifndef OPENSSL_NO_EC
++ /*
++ * Similarly, try to read the ECDH curve name from SSLCertificateFile...
++ */
++ if ((mctx->pks->cert_files[0] != NULL) &&
++ (ecparams = ssl_ec_GetParamFromFile(mctx->pks->cert_files[0])) &&
++ (nid = EC_GROUP_get_curve_name(ecparams)) &&
++ (eckey = EC_KEY_new_by_curve_name(nid))) {
++ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey);
++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541)
++ "ECDH curve %s for %s specified in %s",
++ OBJ_nid2sn(nid), vhost_id, mctx->pks->cert_files[0]);
++ }
++ /*
++ * ...otherwise, configure NIST P-256 (required to enable ECDHE)
++ */
++ else {
++ SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx,
++ EC_KEY_new_by_curve_name(NID_X9_62_prime256v1));
++ }
++#endif
+ }
+
+ #ifdef HAVE_TLS_SESSION_TICKETS
+@@ -1754,11 +1613,6 @@ apr_status_t ssl_init_ModuleKill(void *d
+ ssl_scache_kill(base_server);
+
+ /*
+- * Destroy the temporary keys and params
+- */
+- ssl_tmp_keys_free(base_server);
+-
+- /*
+ * Free the non-pool allocated structures
+ * in the per-server configurations
+ */
+--- httpd-2.4.6/modules/ssl/ssl_engine_kernel.c.r1542327
++++ httpd-2.4.6/modules/ssl/ssl_engine_kernel.c
+@@ -1289,117 +1289,70 @@ const authz_provider ssl_authz_provider_
+ */
+
+ /*
+- * Handle out temporary RSA private keys on demand
+- *
+- * The background of this as the TLSv1 standard explains it:
+- *
+- * | D.1. Temporary RSA keys
+- * |
+- * | US Export restrictions limit RSA keys used for encryption to 512
+- * | bits, but do not place any limit on lengths of RSA keys used for
+- * | signing operations. Certificates often need to be larger than 512
+- * | bits, since 512-bit RSA keys are not secure enough for high-value
+- * | transactions or for applications requiring long-term security. Some
+- * | certificates are also designated signing-only, in which case they
+- * | cannot be used for key exchange.
+- * |
+- * | When the public key in the certificate cannot be used for encryption,
+- * | the server signs a temporary RSA key, which is then exchanged. In
+- * | exportable applications, the temporary RSA key should be the maximum
+- * | allowable length (i.e., 512 bits). Because 512-bit RSA keys are
+- * | relatively insecure, they should be changed often. For typical
+- * | electronic commerce applications, it is suggested that keys be
+- * | changed daily or every 500 transactions, and more often if possible.
+- * | Note that while it is acceptable to use the same temporary key for
+- * | multiple transactions, it must be signed each time it is used.
+- * |
+- * | RSA key generation is a time-consuming process. In many cases, a
+- * | low-priority process can be assigned the task of key generation.
+- * | Whenever a new key is completed, the existing temporary key can be
+- * | replaced with the new one.
+- *
+- * XXX: base on comment above, if thread support is enabled,
+- * we should spawn a low-priority thread to generate new keys
+- * on the fly.
+- *
+- * So we generated 512 and 1024 bit temporary keys on startup
+- * which we now just hand out on demand....
++ * Grab well-defined DH parameters from OpenSSL, see <openssl/bn.h>
++ * (get_rfc*) for all available primes.
+ */
+-
+-RSA *ssl_callback_TmpRSA(SSL *ssl, int export, int keylen)
+-{
+- conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
+- SSLModConfigRec *mc = myModConfigFromConn(c);
+- int idx;
+-
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+- "handing out temporary %d bit RSA key", keylen);
+-
+- /* doesn't matter if export flag is on,
+- * we won't be asked for keylen > 512 in that case.
+- * if we are asked for a keylen > 1024, it is too expensive
+- * to generate on the fly.
+- * XXX: any reason not to generate 2048 bit keys at startup?
+- */
+-
+- switch (keylen) {
+- case 512:
+- idx = SSL_TMP_KEY_RSA_512;
+- break;
+-
+- case 1024:
+- default:
+- idx = SSL_TMP_KEY_RSA_1024;
+- }
+-
+- return (RSA *)mc->pTmpKeys[idx];
++#define make_get_dh(rfc,size,gen) \
++static DH *get_dh##size(void) \
++{ \
++ DH *dh; \
++ if (!(dh = DH_new())) { \
++ return NULL; \
++ } \
++ dh->p = get_##rfc##_prime_##size(NULL); \
++ BN_dec2bn(&dh->g, #gen); \
++ if (!dh->p || !dh->g) { \
++ DH_free(dh); \
++ return NULL; \
++ } \
++ return dh; \
+ }
+
+ /*
+- * Hand out the already generated DH parameters...
++ * Prepare DH parameters from 1024 to 4096 bits, in 1024-bit increments
++ */
++make_get_dh(rfc2409, 1024, 2)
++make_get_dh(rfc3526, 2048, 2)
++make_get_dh(rfc3526, 3072, 2)
++make_get_dh(rfc3526, 4096, 2)
++
++/*
++ * Hand out standard DH parameters, based on the authentication strength
+ */
+ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
+ {
+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
+- SSLModConfigRec *mc = myModConfigFromConn(c);
+- int idx;
+-
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+- "handing out temporary %d bit DH key", keylen);
++ EVP_PKEY *pkey = SSL_get_privatekey(ssl);
++ int type = pkey ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
+
+- switch (keylen) {
+- case 512:
+- idx = SSL_TMP_KEY_DH_512;
+- break;
+-
+- case 1024:
+- default:
+- idx = SSL_TMP_KEY_DH_1024;
++ /*
++ * OpenSSL will call us with either keylen == 512 or keylen == 1024
++ * (see the definition of SSL_EXPORT_PKEYLENGTH in ssl_locl.h).
++ * Adjust the DH parameter length according to the size of the
++ * RSA/DSA private key used for the current connection, and always
++ * use at least 1024-bit parameters.
++ * Note: This may cause interoperability issues with implementations
++ * which limit their DH support to 1024 bit - e.g. Java 7 and earlier.
++ * In this case, SSLCertificateFile can be used to specify fixed
++ * 1024-bit DH parameters (with the effect that OpenSSL skips this
++ * callback).
++ */
++ if ((type == EVP_PKEY_RSA) || (type == EVP_PKEY_DSA)) {
++ keylen = EVP_PKEY_bits(pkey);
+ }
+
+- return (DH *)mc->pTmpKeys[idx];
+-}
+-
+-#ifndef OPENSSL_NO_EC
+-EC_KEY *ssl_callback_TmpECDH(SSL *ssl, int export, int keylen)
+-{
+- conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
+- SSLModConfigRec *mc = myModConfigFromConn(c);
+- int idx;
+-
+- /* XXX Uses 256-bit key for now. TODO: support other sizes. */
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+- "handing out temporary 256 bit ECC key");
+-
+- switch (keylen) {
+- case 256:
+- default:
+- idx = SSL_TMP_KEY_EC_256;
+- }
++ "handing out built-in DH parameters for %d-bit authenticated connection", keylen);
+
+- return (EC_KEY *)mc->pTmpKeys[idx];
++ if (keylen >= 4096)
++ return get_dh4096();
++ else if (keylen >= 3072)
++ return get_dh3072();
++ else if (keylen >= 2048)
++ return get_dh2048();
++ else
++ return get_dh1024();
+ }
+-#endif
+
+ /*
+ * This OpenSSL callback function is called when OpenSSL
+--- httpd-2.4.6/modules/ssl/ssl_private.h.r1542327
++++ httpd-2.4.6/modules/ssl/ssl_private.h
+@@ -310,22 +310,6 @@ typedef int ssl_algo_t;
+ #define SSL_AIDX_MAX (2)
+ #endif
+
+-
+-/**
+- * Define IDs for the temporary RSA keys and DH params
+- */
+-
+-#define SSL_TMP_KEY_RSA_512 (0)
+-#define SSL_TMP_KEY_RSA_1024 (1)
+-#define SSL_TMP_KEY_DH_512 (2)
+-#define SSL_TMP_KEY_DH_1024 (3)
+-#ifndef OPENSSL_NO_EC
+-#define SSL_TMP_KEY_EC_256 (4)
+-#define SSL_TMP_KEY_MAX (5)
+-#else
+-#define SSL_TMP_KEY_MAX (4)
+-#endif
+-
+ /**
+ * Define the SSL options
+ */
+@@ -547,7 +531,6 @@ typedef struct {
+ apr_global_mutex_t *pMutex;
+ apr_array_header_t *aRandSeed;
+ apr_hash_t *tVHostKeys;
+- void *pTmpKeys[SSL_TMP_KEY_MAX];
+
+ /* Two hash tables of pointers to ssl_asn1_t structures. The
+ * structures are used to store certificates and private keys
+@@ -837,11 +820,7 @@ extern const authz_provider ssl_authz_pr
+ extern const authz_provider ssl_authz_provider_verify_client;
+
+ /** OpenSSL callbacks */
+-RSA *ssl_callback_TmpRSA(SSL *, int, int);
+ DH *ssl_callback_TmpDH(SSL *, int, int);
+-#ifndef OPENSSL_NO_EC
+-EC_KEY *ssl_callback_TmpECDH(SSL *, int, int);
+-#endif
+ int ssl_callback_SSLVerify(int, X509_STORE_CTX *);
+ int ssl_callback_SSLVerify_CRL(int, X509_STORE_CTX *, conn_rec *);
+ int ssl_callback_proxy_cert(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
+@@ -921,8 +900,10 @@ int ssl_init_ssl_connection(con
+ void ssl_pphrase_Handle(server_rec *, apr_pool_t *);
+
+ /** Diffie-Hellman Parameter Support */
+-DH *ssl_dh_GetTmpParam(int);
+-DH *ssl_dh_GetParamFromFile(char *);
++DH *ssl_dh_GetParamFromFile(const char *);
++#ifndef OPNESSL_NO_EC
++EC_GROUP *ssl_ec_GetParamFromFile(const char *);
++#endif
+
+ unsigned char *ssl_asn1_table_set(apr_hash_t *table,
+ const char *key,
+--- httpd-2.4.6/modules/ssl/ssl_util_ssl.c.r1542327
++++ httpd-2.4.6/modules/ssl/ssl_util_ssl.c
+@@ -483,6 +483,38 @@ BOOL SSL_X509_INFO_load_path(apr_pool_t
+
+ /* _________________________________________________________________
+ **
++** Custom (EC)DH parameter support
++** _________________________________________________________________
++*/
++
++DH *ssl_dh_GetParamFromFile(const char *file)
++{
++ DH *dh = NULL;
++ BIO *bio;
++
++ if ((bio = BIO_new_file(file, "r")) == NULL)
++ return NULL;
++ dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
++ BIO_free(bio);
++ return (dh);
++}
++
++#ifndef OPENSSL_NO_EC
++EC_GROUP *ssl_ec_GetParamFromFile(const char *file)
++{
++ EC_GROUP *group = NULL;
++ BIO *bio;
++
++ if ((bio = BIO_new_file(file, "r")) == NULL)
++ return NULL;
++ group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL);
++ BIO_free(bio);
++ return (group);
++}
++#endif
++
++/* _________________________________________________________________
++**
+ ** Extra Server Certificate Chain Support
+ ** _________________________________________________________________
+ */
diff --git a/SOURCES/httpd-2.4.6-r1553540.patch b/SOURCES/httpd-2.4.6-r1553540.patch
new file mode 100644
index 0000000..6677cbb
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1553540.patch
@@ -0,0 +1,28 @@
+# ./pullrev.sh 1553540
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1040447
+
+http://svn.apache.org/viewvc?view=revision&revision=1553540
+
+--- httpd-2.4.6/modules/proxy/mod_proxy_http.c
++++ httpd-2.4.6/modules/proxy/mod_proxy_http.c
+@@ -710,7 +710,7 @@
+ force10 = 0;
+ }
+
+- header_brigade = apr_brigade_create(p, origin->bucket_alloc);
++ header_brigade = apr_brigade_create(p, bucket_alloc);
+ rv = ap_proxy_create_hdrbrgd(p, header_brigade, r, p_conn,
+ worker, conf, uri, url, server_portstr,
+ &old_cl_val, &old_te_val);
+@@ -1813,6 +1813,10 @@
+ }
+ } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES));
+
++ /* We have to cleanup bb brigade, because buckets inserted to it could be
++ * created from scpool and this pool can be freed before this brigade. */
++ apr_brigade_cleanup(bb);
++
+ /* See define of AP_MAX_INTERIM_RESPONSES for why */
+ if (interim_response >= AP_MAX_INTERIM_RESPONSES) {
+ return ap_proxyerror(r, HTTP_BAD_GATEWAY,
diff --git a/SOURCES/httpd-2.4.6-r1556473.patch b/SOURCES/httpd-2.4.6-r1556473.patch
new file mode 100644
index 0000000..009baa7
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-r1556473.patch
@@ -0,0 +1,31 @@
+# ./pullrev.sh 1556473
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1036666
+
+http://svn.apache.org/viewvc?view=revision&revision=1556473
+
+--- httpd-2.4.6/modules/ssl/ssl_engine_config.c
++++ httpd-2.4.6/modules/ssl/ssl_engine_config.c
+@@ -699,9 +699,20 @@
+ #ifndef SSL_OP_NO_COMPRESSION
+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+ if (err)
+- return "This version of openssl does not support configuring "
+- "compression within <VirtualHost> sections.";
++ return "This version of OpenSSL does not support enabling "
++ "SSLCompression within <VirtualHost> sections.";
+ #endif
++ if (flag) {
++ /* Some (packaged) versions of OpenSSL do not support
++ * compression by default. Enabling this directive would not
++ * have the desired effect, so fail with an error. */
++ STACK_OF(SSL_COMP) *meths = SSL_COMP_get_compression_methods();
++
++ if (sk_SSL_COMP_num(meths) == 0) {
++ return "This version of OpenSSL does not have any compression methods "
++ "available, cannot enable SSLCompression.";
++ }
++ }
+ sc->compression = flag ? TRUE : FALSE;
+ return NULL;
+ #else
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 2afd8db..6fd7f3b 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -2,7 +2,8 @@
%define docroot /var/www
%define suexec_caller apache
%define mmn 20120211
-%define mmnisa %{mmn}-%{__isa_name}-%{__isa_bits}
+%define oldmmnisa %{mmn}-%{__isa_name}-%{__isa_bits}
+%define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
%define vstring Red Hat
# Drop automatic provides for module DSOs
@@ -14,7 +15,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.6
-Release: 7%{?dist}
+Release: 17%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -63,11 +64,18 @@ Patch29: httpd-2.4.3-mod_systemd.patch
Patch30: httpd-2.4.4-cachehardmax.patch
Patch31: httpd-2.4.6-sslmultiproxy.patch
Patch32: httpd-2.4.6-r1537535.patch
+Patch33: httpd-2.4.6-r1542327.patch
# Bug fixes
Patch51: httpd-2.4.3-sslsninotreq.patch
Patch55: httpd-2.4.4-malformed-host.patch
Patch56: httpd-2.4.4-mod_unique_id.patch
Patch57: httpd-2.4.6-ldaprefer.patch
+Patch58: httpd-2.4.6-r1507681+.patch
+Patch59: httpd-2.4.6-r1556473.patch
+Patch60: httpd-2.4.6-r1553540.patch
+# Security fixes
+Patch200: httpd-2.4.6-CVE-2013-6438.patch
+Patch201: httpd-2.4.6-CVE-2014-0098.patch
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -79,7 +87,7 @@ Requires: /etc/mime.types, system-logos >= 7.92.1-1
Obsoletes: httpd-suexec
Provides: webserver
Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
-Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}
+Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}, httpd-mmn = %{oldmmnisa}
Requires: httpd-tools = %{version}-%{release}
Requires(pre): /usr/sbin/useradd
Requires(preun): systemd-units
@@ -191,11 +199,19 @@ interface for storing and accessing per-user session data.
%patch30 -p1 -b .cachehardmax
%patch31 -p1 -b .sslmultiproxy
%patch32 -p1 -b .r1537535
+%patch33 -p1 -b .r1542327
+rm modules/ssl/ssl_engine_dh.c
%patch51 -p1 -b .sninotreq
%patch55 -p1 -b .malformedhost
%patch56 -p1 -b .uniqueid
%patch57 -p1 -b .ldaprefer
+%patch58 -p1 -b .r1507681+
+%patch59 -p1 -b .r1556473
+%patch60 -p1 -b .r1553540
+
+%patch200 -p1 -b .cve6438
+%patch201 -p1 -b .cve0098
# Patch in the vendor string and the release string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -228,6 +244,10 @@ autoheader && autoconf || exit 1
export CFLAGS=$RPM_OPT_FLAGS
export LDFLAGS="-Wl,-z,relro,-z,now"
+%ifarch ppc64
+CFLAGS="$CFLAGS -O3"
+%endif
+
# Hard-code path to links to avoid unnecessary builddep
export LYNX_PATH=/usr/bin/links
@@ -465,7 +485,7 @@ if [ -f %{sslkey} -o -f %{sslcert} ]; then
exit 0
fi
-%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > %{sslkey} 2> /dev/null
+%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > %{sslkey} 2> /dev/null
FQDN=`hostname`
if [ "x${FQDN}" = "x" ]; then
@@ -473,7 +493,7 @@ if [ "x${FQDN}" = "x" ]; then
fi
cat << EOF | %{_bindir}/openssl req -new -key %{sslkey} \
- -x509 -days 365 -set_serial $RANDOM -extensions v3_req \
+ -x509 -sha256 -days 365 -set_serial $RANDOM -extensions v3_req \
-out %{sslcert} 2>/dev/null
--
SomeState
@@ -620,6 +640,38 @@ rm -rf $RPM_BUILD_ROOT
%{_sysconfdir}/rpm/macros.httpd
%changelog
+* Thu Mar 20 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-17
+- mod_dav: add security fix for CVE-2013-6438 (#1077907)
+- mod_log_config: add security fix for CVE-2014-0098 (#1077907)
+
+* Wed Mar 5 2014 Joe Orton <jorton@redhat.com> - 2.4.6-16
+- mod_ssl: improve DH temp key handling (#1057687)
+
+* Wed Mar 5 2014 Joe Orton <jorton@redhat.com> - 2.4.6-15
+- mod_ssl: use 2048-bit RSA key with SHA-256 signature in dummy certificate (#1071276)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.4.6-14
+- Mass rebuild 2014-01-24
+
+* Mon Jan 13 2014 Joe Orton <jorton@redhat.com> - 2.4.6-13
+- mod_ssl: sanity-check use of "SSLCompression" (#1036666)
+- mod_proxy_http: fix brigade memory usage (#1040447)
+
+* Fri Jan 10 2014 Joe Orton <jorton@redhat.com> - 2.4.6-12
+- rebuild
+
+* Thu Jan 9 2014 Joe Orton <jorton@redhat.com> - 2.4.6-11
+- build with -O3 on ppc64 (#1051066)
+
+* Tue Jan 7 2014 Joe Orton <jorton@redhat.com> - 2.4.6-10
+- mod_dav: fix locktoken handling (#1004046)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.4.6-9
+- Mass rebuild 2013-12-27
+
+* Fri Dec 20 2013 Joe Orton <jorton@redhat.com> - 2.4.6-8
+- use unambiguous httpd-mmn (#1029360)
+
* Fri Nov 1 2013 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-7
- mod_ssl: allow SSLEngine to override Listen-based default (#1023168)