From 6670f082a51dd256ffdea8505cdcc9bc0d3c68ed Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Oct 24 2017 08:18:34 +0000 Subject: import httpd24-httpd-2.4.27-8.el7 --- diff --git a/.gitignore b/.gitignore index c9ce001..657ad18 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/httpd-2.4.25.tar.bz2 +SOURCES/httpd-2.4.27.tar.bz2 diff --git a/.httpd24-httpd.metadata b/.httpd24-httpd.metadata index 400eb06..d0b8573 100644 --- a/.httpd24-httpd.metadata +++ b/.httpd24-httpd.metadata @@ -1 +1 @@ -bd6d138c31c109297da2346c6e7b93b9283993d2 SOURCES/httpd-2.4.25.tar.bz2 +699e4e917e8fb5fd7d0ce7e009f8256ed02ec6fc SOURCES/httpd-2.4.27.tar.bz2 diff --git a/SOURCES/action-graceful.sh b/SOURCES/action-graceful.sh index 2afa0a2..7dad98c 100644 --- a/SOURCES/action-graceful.sh +++ b/SOURCES/action-graceful.sh @@ -1,5 +1,2 @@ #!/bin/sh -if [ -r $sysconfdir/httpd ]; then - . $sysconfdir/httpd -fi -exec $sbindir/httpd-scl-wrapper -k graceful +exec $sbindir/apachectl graceful \ No newline at end of file diff --git a/SOURCES/httpd-2.4.10-mod_systemd.patch b/SOURCES/httpd-2.4.10-mod_systemd.patch index 88d76ac..a8e30a3 100644 --- a/SOURCES/httpd-2.4.10-mod_systemd.patch +++ b/SOURCES/httpd-2.4.10-mod_systemd.patch @@ -21,10 +21,10 @@ index 77027a8..7a13d5a 100644 APACHE_MODPATH_FINISH diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c new file mode 100644 -index 0000000..5381c98 +index 0000000..9359d38 --- /dev/null +++ b/modules/arch/unix/mod_systemd.c -@@ -0,0 +1,145 @@ +@@ -0,0 +1,161 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. 
@@ -66,11 +66,20 @@ index 0000000..5381c98 +static unsigned long bytes_served; +static pid_t mainpid; + ++static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, ++ apr_pool_t *ptemp) ++{ ++ sd_notify(0, ++ "RELOADING=1\n" ++ "STATUS=Reading configuration...\n"); ++ ap_extended_status = 1; ++ return OK; ++} ++ +static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type) +{ + int rv; + -+ ap_extended_status = 1; + mainpid = getpid(); + + rv = sd_notifyf(0, "READY=1\n" @@ -91,6 +100,11 @@ index 0000000..5381c98 + char bps[5]; + int rv; + ++ if (!ap_extended_status) { ++ /* Nothing useful to report if ExtendedStatus disabled. */ ++ return DECLINED; ++ } ++ + ap_get_sload(&sload); + /* up_time in seconds */ + up_time = (apr_uint32_t) apr_time_sec(apr_time_now() - @@ -136,6 +150,8 @@ index 0000000..5381c98 + +static void systemd_register_hooks(apr_pool_t *p) +{ ++ /* Enable ap_extended_status. */ ++ ap_hook_pre_config(systemd_pre_config, NULL, NULL, APR_HOOK_LAST); + /* We know the PID in this hook ... */ + ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST); + /* Used to update httpd's status line using sd_notifyf */ diff --git a/SOURCES/httpd-2.4.12-skiplist.patch b/SOURCES/httpd-2.4.12-skiplist.patch index 7339d33..e514785 100644 --- a/SOURCES/httpd-2.4.12-skiplist.patch +++ b/SOURCES/httpd-2.4.12-skiplist.patch @@ -25,10 +25,10 @@ index 8aa1631..fa9b8af 100644 ], , [\$(MOD_MPM_EVENT_LDADD)]) diff --git a/server/mpm/event/apr_skiplist.c b/server/mpm/event/apr_skiplist.c new file mode 100644 -index 0000000..effcf60 +index 0000000..b4696bd --- /dev/null +++ b/server/mpm/event/apr_skiplist.c -@@ -0,0 +1,650 @@ +@@ -0,0 +1,721 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. 
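Review bot: The new `systemd_pre_config` hook discards the result of `sd_notify()`, whereas `systemd_pre_mpm` in the same file keeps `rv` from `sd_notifyf()`, so a failed notification here passes unnoticed. Capturing it (`int rv = sd_notify(0, ...);`) and logging a negative `rv` at debug level would make the two hooks consistent. The hook also sends `RELOADING=1` on every configuration pass, which presumably includes the initial start as well as reloads. The registration comment `/* Enable ap_extended_status. */` mentions only the flag, so it could become `/* Report RELOADING to systemd and default ap_extended_status to on. */`.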
@@ -56,12 +56,18 @@ index 0000000..effcf60 + +#include "apr_skiplist.h" + ++typedef struct { ++ apr_skiplistnode **data; ++ size_t size, pos; ++ apr_pool_t *p; ++} apr_skiplist_q; ++ +struct apr_skiplist { + apr_skiplist_compare compare; + apr_skiplist_compare comparek; + int height; + int preheight; -+ int size; ++ size_t size; + apr_skiplistnode *top; + apr_skiplistnode *bottom; + /* These two are needed for appending */ @@ -69,6 +75,8 @@ index 0000000..effcf60 + apr_skiplistnode *bottomend; + apr_skiplist *index; + apr_array_header_t *memlist; ++ apr_skiplist_q nodes_q, ++ stack_q; + apr_pool_t *pool; +}; + @@ -83,20 +91,15 @@ index 0000000..effcf60 + apr_skiplist *sl; +}; + -+#ifndef MIN -+#define MIN(a,b) ((a 31) { /* Num bits in return of rand() */ + ph = 0; -+ randseq = (apr_uint32_t) rand(); ++ randseq = rand(); + } -+ ph++; -+ return ((randseq & (1 << (ph - 1))) >> (ph - 1)); ++ return randseq & (1 << ph++); +} + +typedef struct { @@ -134,7 +137,7 @@ index 0000000..effcf60 + memlist++; + } + /* no free chunks */ -+ ptr = apr_pcalloc(sl->pool, size); ++ ptr = apr_palloc(sl->pool, size); + if (!ptr) { + return ptr; + } @@ -153,7 +156,7 @@ index 0000000..effcf60 + return ptr; + } + else { -+ return calloc(1, size); ++ return malloc(size); + } +} + 
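Review bot: In the `get_b_rand` hunk, `return randseq & (1 << ph++);` shifts a signed `int` constant, and if `ph` can reach 31 then `1 << 31` is undefined behaviour for a 32-bit `int`. The reset condition is truncated in this view, but the surviving fragment `31) { /* Num bits in return of rand() */` suggests that it can. `rand()` is also only guaranteed to supply 15 random bits, so the upper positions may always test as zero. Using `1U << ph++` and resetting at a bound derived from `RAND_MAX` would address both. The declarations of `ph` and `randseq` are not readable in this hunk.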
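Review bot: The list allocator (presumably `apr_skiplist_alloc`; its signature is outside these hunks) now returns uninitialised memory. The `@@ -134,7` hunk replaces `apr_pcalloc` with `apr_palloc`, and the `@@ -153,7` hunk replaces `calloc(1, size)` with `malloc(size)`. The insert path elsewhere in this patch appears to assign every node field explicitly, but any other caller that relied on zero-filled memory would now read indeterminate values, and such callers are not visible here. The change should be stated in the function's header comment, e.g. `@remark The returned memory is not zero-initialised.`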
@@ -180,27 +183,73 @@ index 0000000..effcf60 + } +} + ++static apr_status_t skiplist_qpush(apr_skiplist_q *q, apr_skiplistnode *m) ++{ ++ if (q->pos >= q->size) { ++ apr_skiplistnode **data; ++ size_t size = (q->pos) ? q->pos * 2 : 32; ++ if (q->p) { ++ data = apr_palloc(q->p, size * sizeof(*data)); ++ if (data) { ++ memcpy(data, q->data, q->pos * sizeof(*data)); ++ } ++ } ++ else { ++ data = realloc(q->data, size * sizeof(*data)); ++ } ++ if (!data) { ++ return APR_ENOMEM; ++ } ++ q->data = data; ++ q->size = size; ++ } ++ q->data[q->pos++] = m; ++ return APR_SUCCESS; ++} ++ ++static APR_INLINE apr_skiplistnode *skiplist_qpop(apr_skiplist_q *q) ++{ ++ return (q->pos > 0) ? q->data[--q->pos] : NULL; ++} ++ ++static APR_INLINE void skiplist_qclear(apr_skiplist_q *q) ++{ ++ q->pos = 0; ++} ++ ++static apr_skiplistnode *skiplist_new_node(apr_skiplist *sl) ++{ ++ apr_skiplistnode *m = skiplist_qpop(&sl->nodes_q); ++ if (!m) { ++ if (sl->pool) { ++ m = apr_palloc(sl->pool, sizeof *m); ++ } ++ else { ++ m = malloc(sizeof *m); ++ } ++ } ++ return m; ++} ++ ++static apr_status_t skiplist_free_node(apr_skiplist *sl, apr_skiplistnode *m) ++{ ++ return skiplist_qpush(&sl->nodes_q, m); ++} ++ +static apr_status_t skiplisti_init(apr_skiplist **s, apr_pool_t *p) +{ + apr_skiplist *sl; + if (p) { + sl = apr_pcalloc(p, sizeof(apr_skiplist)); + sl->memlist = apr_array_make(p, 20, sizeof(memlist_t)); ++ sl->pool = sl->nodes_q.p = sl->stack_q.p = p; + } + else { + sl = calloc(1, sizeof(apr_skiplist)); ++ if (!sl) { ++ return APR_ENOMEM; ++ } + } -+#if 0 -+ sl->compare = (apr_skiplist_compare) NULL; -+ sl->comparek = (apr_skiplist_compare) NULL; -+ sl->height = 0; -+ sl->preheight = 0; -+ sl->size = 0; -+ sl->top = NULL; -+ sl->bottom = NULL; -+ sl->index = NULL; -+#endif -+ sl->pool = p; + *s = sl; + return APR_SUCCESS; +} 
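Review bot: `skiplist_new_node` can return NULL from its `malloc` branch, yet the callers added later in this patch dereference the result unchecked. These are `tmp = skiplist_new_node(sl); tmp->next = m->next;` in the pop loop of `apr_skiplist_insert_compare`, and the `m`/`tmp` pair in the tree-growing loop; both should test the pointer before the first store. In `skiplist_qpush`, the first growth in pool mode runs `memcpy(data, q->data, q->pos * sizeof(*data))` with `q->data` still NULL and a zero length, which the C standard leaves undefined; `if (data && q->pos)` avoids it. `skiplist_free_node` returns the push status, but the remove paths ignore it, so a failed push in non-pool mode leaves the node neither queued nor freed.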
@@ -279,56 +328,32 @@ index 0000000..effcf60 + } +} + -+APR_DECLARE(apr_skiplistnode *) apr_skiplist_getlist(apr_skiplist *sl) -+{ -+ if (!sl->bottom) { -+ return NULL; -+ } -+ return sl->bottom->next; -+} -+ -+APR_DECLARE(void *) apr_skiplist_find(apr_skiplist *sl, void *data, apr_skiplistnode **iter) -+{ -+ void *ret; -+ apr_skiplistnode *aiter; -+ if (!sl->compare) { -+ return 0; -+ } -+ if (iter) { -+ ret = apr_skiplist_find_compare(sl, data, iter, sl->compare); -+ } -+ else { -+ ret = apr_skiplist_find_compare(sl, data, &aiter, sl->compare); -+ } -+ return ret; -+} -+ +static int skiplisti_find_compare(apr_skiplist *sl, void *data, + apr_skiplistnode **ret, + apr_skiplist_compare comp) +{ -+ apr_skiplistnode *m = NULL; + int count = 0; ++ apr_skiplistnode *m; + m = sl->top; + while (m) { -+ int compared; -+ compared = (m->next) ? comp(data, m->next->data) : -1; -+ if (compared == 0) { -+ m = m->next; -+ while (m->down) { -+ m = m->down; ++ if (m->next) { ++ int compared = comp(data, m->next->data); ++ if (compared == 0) { ++ m = m->next; ++ while (m->down) { ++ m = m->down; ++ } ++ *ret = m; ++ return count; ++ } ++ if (compared > 0) { ++ m = m->next; ++ count++; ++ continue; + } -+ *ret = m; -+ return count; -+ } -+ if ((m->next == NULL) || (compared < 0)) { -+ m = m->down; -+ count++; -+ } -+ else { -+ m = m->next; -+ count++; + } ++ m = m->down; ++ count++; + } + *ret = NULL; + return count; 
@@ -338,20 +363,48 @@ index 0000000..effcf60 + apr_skiplistnode **iter, + apr_skiplist_compare comp) +{ -+ apr_skiplistnode *m = NULL; ++ apr_skiplistnode *m; + apr_skiplist *sl; ++ if (!comp) { ++ if (iter) { ++ *iter = NULL; ++ } ++ return NULL; ++ } + if (comp == sli->compare || !sli->index) { + sl = sli; + } + else { + apr_skiplist_find(sli->index, (void *)comp, &m); ++ if (!m) { ++ if (iter) { ++ *iter = NULL; ++ } ++ return NULL; ++ } + sl = (apr_skiplist *) m->data; + } -+ skiplisti_find_compare(sl, data, iter, sl->comparek); -+ return (iter && *iter) ? ((*iter)->data) : NULL; ++ skiplisti_find_compare(sl, data, &m, sl->comparek); ++ if (iter) { ++ *iter = m; ++ } ++ return (m) ? m->data : NULL; ++} ++ ++APR_DECLARE(void *) apr_skiplist_find(apr_skiplist *sl, void *data, apr_skiplistnode **iter) ++{ ++ return apr_skiplist_find_compare(sl, data, iter, sl->compare); +} + + ++APR_DECLARE(apr_skiplistnode *) apr_skiplist_getlist(apr_skiplist *sl) ++{ ++ if (!sl->bottom) { ++ return NULL; ++ } ++ return sl->bottom->next; ++} ++ +APR_DECLARE(void *) apr_skiplist_next(apr_skiplist *sl, apr_skiplistnode **iter) +{ + if (!*iter) { 
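Review bot: The new NULL guard in `apr_skiplist_find_compare` tests `comp`, but the search itself runs with `sl->comparek` (`skiplisti_find_compare(sl, data, &m, sl->comparek);`), which is never tested. If a list can have `compare` set while `comparek` is NULL, `skiplisti_find_compare` would call through a null function pointer. A check such as `if (!sl->comparek) { if (iter) *iter = NULL; return NULL; }` after `sl` has been chosen would close that gap. Whether the setter permits that combination is not visible here. The rewritten `apr_skiplist_find` depends on this guard now that its own `if (!sl->compare)` test has been removed.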
@@ -370,98 +423,74 @@ index 0000000..effcf60 + return (*iter) ? ((*iter)->data) : NULL; +} + -+APR_DECLARE(apr_skiplistnode *) apr_skiplist_insert(apr_skiplist *sl, void *data) ++static APR_INLINE int skiplist_height(const apr_skiplist *sl) +{ -+ if (!sl->compare) { -+ return 0; -+ } -+ return apr_skiplist_insert_compare(sl, data, sl->compare); ++ /* Skiplists (even empty) always have a top node, although this ++ * implementation defers its creation until the first insert, or ++ * deletes it with the last remove. We want the real height here. ++ */ ++ return sl->height ? sl->height : 1; +} + +APR_DECLARE(apr_skiplistnode *) apr_skiplist_insert_compare(apr_skiplist *sl, void *data, + apr_skiplist_compare comp) +{ -+ apr_skiplistnode *m, *p, *tmp, *ret = NULL, **stack; -+ int nh = 1, ch, stacki; -+ if (!sl->top) { -+ sl->height = 1; -+ sl->topend = sl->bottomend = sl->top = sl->bottom = -+ (apr_skiplistnode *)apr_skiplist_alloc(sl, sizeof(apr_skiplistnode)); -+#if 0 -+ sl->top->next = (apr_skiplistnode *)NULL; -+ sl->top->data = (apr_skiplistnode *)NULL; -+ sl->top->prev = (apr_skiplistnode *)NULL; -+ sl->top->up = (apr_skiplistnode *)NULL; -+ sl->top->down = (apr_skiplistnode *)NULL; -+ sl->top->nextindex = (apr_skiplistnode *)NULL; -+ sl->top->previndex = (apr_skiplistnode *)NULL; -+#endif -+ sl->top->sl = sl; ++ apr_skiplistnode *m, *p, *tmp, *ret = NULL; ++ int ch, nh = 1; ++ ++ if (!comp) { ++ return NULL; + } ++ ++ ch = skiplist_height(sl); + if (sl->preheight) { + while (nh < sl->preheight && get_b_rand()) { + nh++; + } + } + else { -+ while (nh <= sl->height && get_b_rand()) { ++ while (nh <= ch && get_b_rand()) { + nh++; + } + } -+ /* Now we have the new height at which we wish to insert our new node */ -+ /* -+ * Let us make sure that our tree is a least that tall (grow if -+ * necessary) ++ ++ /* Now we have in nh the height at which we wish to insert our new node, ++ * and in ch the current height: don't create skip paths to the inserted ++ * element 
until the walk down through the tree (which decrements ch) ++ * reaches nh. From there, any walk down pushes the current node on a ++ * stack (the node(s) after which we would insert) to pop back through ++ * for insertion later. + */ -+ for (; sl->height < nh; sl->height++) { -+ sl->top->up = -+ (apr_skiplistnode *)apr_skiplist_alloc(sl, sizeof(apr_skiplistnode)); -+ sl->top->up->down = sl->top; -+ sl->top = sl->topend = sl->top->up; -+#if 0 -+ sl->top->prev = sl->top->next = sl->top->nextindex = -+ sl->top->previndex = sl->top->up = NULL; -+ sl->top->data = NULL; -+#endif -+ sl->top->sl = sl; -+ } -+ ch = sl->height; -+ /* Find the node (or node after which we would insert) */ -+ /* Keep a stack to pop back through for insertion */ -+ /* malloc() is OK since we free the temp stack */ + m = sl->top; -+ stack = (apr_skiplistnode **)malloc(sizeof(apr_skiplistnode *) * (nh)); -+ stacki = 0; + while (m) { -+ int compared = -1; + if (m->next) { -+ compared = comp(data, m->next->data); -+ } -+ if (compared == 0) { -+ free(stack); /* OK. 
was malloc'ed */ -+ return 0; -+ } -+ if ((m->next == NULL) || (compared < 0)) { -+ if (ch <= nh) { -+ /* push on stack */ -+ stack[stacki++] = m; ++ int compared = comp(data, m->next->data); ++ if (compared == 0) { ++ /* Keep the existing element(s) */ ++ skiplist_qclear(&sl->stack_q); ++ return NULL; ++ } ++ if (compared > 0) { ++ m = m->next; ++ continue; + } -+ m = m->down; -+ ch--; + } -+ else { -+ m = m->next; ++ if (ch <= nh) { ++ /* push on stack */ ++ skiplist_qpush(&sl->stack_q, m); + } ++ m = m->down; ++ ch--; + } + /* Pop the stack and insert nodes */ + p = NULL; -+ for (; stacki > 0; stacki--) { -+ m = stack[stacki - 1]; -+ tmp = (apr_skiplistnode *)apr_skiplist_alloc(sl, sizeof(apr_skiplistnode)); ++ while ((m = skiplist_qpop(&sl->stack_q))) { ++ tmp = skiplist_new_node(sl); + tmp->next = m->next; + if (m->next) { + m->next->prev = tmp; + } ++ m->next = tmp; + tmp->prev = m; + tmp->up = NULL; + tmp->nextindex = tmp->previndex = NULL; 
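Review bot: The walk-down loop in `apr_skiplist_insert_compare` calls `skiplist_qpush(&sl->stack_q, m);` and ignores the returned `apr_status_t`. An `APR_ENOMEM` from growing the queue would silently drop one level from the insertion stack, and the pop loop would then link the new tower across the missing level. Nothing has been linked at that point, so checking the result keeps the list unchanged on failure: `if (skiplist_qpush(&sl->stack_q, m) != APR_SUCCESS) { skiplist_qclear(&sl->stack_q); return NULL; }`. The removed code also used an unchecked `malloc` for its temporary stack, so this is not a regression, but the new helper now makes the error available. The pop loop continues in the next hunk.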
@@ -469,17 +498,44 @@ index 0000000..effcf60 + if (p) { + p->up = tmp; + } ++ else { ++ /* This sets ret to the bottom-most node we are inserting */ ++ ret = tmp; ++ } + tmp->data = data; + tmp->sl = sl; ++ p = tmp; ++ } ++ ++ /* Now we are sure the node is inserted, grow our tree to 'nh' tall */ ++ for (; sl->height < nh; sl->height++) { ++ m = skiplist_new_node(sl); ++ tmp = skiplist_new_node(sl); ++ m->up = m->prev = m->nextindex = m->previndex = NULL; + m->next = tmp; -+ /* This sets ret to the bottom-most node we are inserting */ -+ if (!p) { ++ m->down = sl->top; ++ m->data = NULL; ++ m->sl = sl; ++ if (sl->top) { ++ sl->top->up = m; ++ } ++ else { ++ sl->bottom = sl->bottomend = m; ++ } ++ sl->top = sl->topend = tmp->prev = m; ++ tmp->up = tmp->next = tmp->nextindex = tmp->previndex = NULL; ++ tmp->down = p; ++ tmp->data = data; ++ tmp->sl = sl; ++ if (p) { ++ p->up = tmp; ++ } ++ else { ++ /* This sets ret to the bottom-most node we are inserting */ + ret = tmp; -+ sl->size++; /* this seems to go here got each element to be counted */ + } + p = tmp; + } -+ free(stack); /* OK. was malloc'ed */ + if (sl->index != NULL) { + /* + * this is a external insertion, we must insert into each index as 
@@ -488,25 +544,20 @@ index 0000000..effcf60 + apr_skiplistnode *ni, *li; + li = ret; + for (p = apr_skiplist_getlist(sl->index); p; apr_skiplist_next(sl->index, &p)) { -+ ni = apr_skiplist_insert((apr_skiplist *) p->data, ret->data); ++ apr_skiplist *sli = (apr_skiplist *)p->data; ++ ni = apr_skiplist_insert_compare(sli, ret->data, sli->compare); + li->nextindex = ni; + ni->previndex = li; + li = ni; + } + } -+ else { -+ /* sl->size++; */ -+ } + sl->size++; + return ret; +} + -+APR_DECLARE(int) apr_skiplist_remove(apr_skiplist *sl, void *data, apr_skiplist_freefunc myfree) ++APR_DECLARE(apr_skiplistnode *) apr_skiplist_insert(apr_skiplist *sl, void *data) +{ -+ if (!sl->compare) { -+ return 0; -+ } -+ return apr_skiplist_remove_compare(sl, data, myfree, sl->comparek); ++ return apr_skiplist_insert_compare(sl, data, sl->compare); +} + +#if 0 @@ -551,7 +602,7 @@ index 0000000..effcf60 + if (!m && myfree && p->data) { + myfree(p->data); + } -+ apr_skiplist_free(sl, p); ++ skiplist_free_node(sl, p); + } + sl->size--; + while (sl->top && sl->top->next == NULL) { @@ -561,13 +612,14 @@ index 0000000..effcf60 + if (sl->top) { + sl->top->up = NULL; /* Make it think its the top */ + } -+ apr_skiplist_free(sl, p); ++ skiplist_free_node(sl, p); + sl->height--; + } + if (!sl->top) { -+ sl->bottom = NULL; ++ sl->bottom = sl->bottomend = NULL; ++ sl->topend = NULL; + } -+ return sl->height; /* return 1; ?? */ ++ return skiplist_height(sl); +} + +APR_DECLARE(int) apr_skiplist_remove_compare(apr_skiplist *sli, @@ -576,11 +628,17 @@ index 0000000..effcf60 +{ + apr_skiplistnode *m; + apr_skiplist *sl; ++ if (!comp) { ++ return 0; ++ } + if (comp == sli->comparek || !sli->index) { + sl = sli; + } + else { + apr_skiplist_find(sli->index, (void *)comp, &m); ++ if (!m) { ++ return 0; ++ } + sl = (apr_skiplist *) m->data; + } + skiplisti_find_compare(sl, data, &m, comp); 
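Review bot: In the index-propagation loop, `ni = apr_skiplist_insert_compare(sli, ret->data, sli->compare);` can return NULL, yet the following lines `li->nextindex = ni; ni->previndex = li;` dereference it unconditionally. The function returns NULL both when `sli->compare` is NULL and when the index list already holds an equal element. A guard before the links are written is needed, for example `if (!ni) continue;`, or an explicit unwind if a partially indexed element is not acceptable. The start of the enclosing function is outside this hunk.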
@@ -593,6 +651,11 @@ index 0000000..effcf60 + return skiplisti_remove(sl, m, myfree); +} + ++APR_DECLARE(int) apr_skiplist_remove(apr_skiplist *sl, void *data, apr_skiplist_freefunc myfree) ++{ ++ return apr_skiplist_remove_compare(sl, data, myfree, sl->comparek); ++} ++ +APR_DECLARE(void) apr_skiplist_remove_all(apr_skiplist *sl, apr_skiplist_freefunc myfree) +{ + /* @@ -604,16 +667,18 @@ index 0000000..effcf60 + m = sl->bottom; + while (m) { + p = m->next; -+ if (p && myfree && p->data) ++ if (myfree && p && p->data) { + myfree(p->data); -+ while (m) { ++ } ++ do { + u = m->up; -+ apr_skiplist_free(sl, p); ++ skiplist_free_node(sl, m); + m = u; -+ } ++ } while (m); + m = p; + } + sl->top = sl->bottom = NULL; ++ sl->topend = sl->bottomend = NULL; + sl->height = 0; + sl->size = 0; +} @@ -642,8 +707,7 @@ index 0000000..effcf60 + +static void skiplisti_destroy(void *vsl) +{ -+ apr_skiplist_destroy((apr_skiplist *) vsl, NULL); -+ apr_skiplist_free((apr_skiplist *) vsl, vsl); ++ apr_skiplist_destroy(vsl, NULL); +} + +APR_DECLARE(void) apr_skiplist_destroy(apr_skiplist *sl, apr_skiplist_freefunc myfree) @@ -651,6 +715,13 @@ index 0000000..effcf60 + while (apr_skiplist_pop(sl->index, skiplisti_destroy) != NULL) + ; + apr_skiplist_remove_all(sl, myfree); ++ if (!sl->pool) { ++ while (sl->nodes_q.pos) ++ free(sl->nodes_q.data[--sl->nodes_q.pos]); ++ free(sl->nodes_q.data); ++ free(sl->stack_q.data); ++ free(sl); ++ } +} + +APR_DECLARE(apr_skiplist *) apr_skiplist_merge(apr_skiplist *sl1, apr_skiplist *sl2) @@ -681,10 +752,10 @@ index 0000000..effcf60 +} diff --git a/server/mpm/event/apr_skiplist.h b/server/mpm/event/apr_skiplist.h new file mode 100644 -index 0000000..bc17efd +index 0000000..f56ff22 --- /dev/null 
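Review bot: `apr_skiplist_destroy` now ends with `free(sl)` when the list has no pool, so the handle is invalid once the call returns. Any caller that still frees or reuses it afterwards would hit a double free or a use-after-free; those callers are not visible in this diff. The ownership change should be documented at the declaration, e.g. `@remark For a skip list created without a pool, sl itself is freed and must not be used afterwards.` The same function passes `sl->index` to `apr_skiplist_pop` without a NULL test, and whether `apr_skiplist_pop` tolerates a NULL list cannot be confirmed from this hunk.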
+++ b/server/mpm/event/apr_skiplist.h -@@ -0,0 +1,259 @@ +@@ -0,0 +1,263 @@ +/* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. @@ -727,7 +798,9 @@ index 0000000..bc17efd +/** + * apr_skiplist_compare is the function type that must be implemented + * per object type that is used in a skip list for comparisons to maintain -+ * order ++ * order. A value <0 indicates placement after this node; a value of 0 ++ * indicates collision with this exact node; a value >0 indicates placement ++ * before this node. + * */ +typedef int (*apr_skiplist_compare) (void *, void *); + @@ -858,7 +931,8 @@ index 0000000..bc17efd +APR_DECLARE(void *) apr_skiplist_previous(apr_skiplist *sl, apr_skiplistnode **iter); + +/** -+ * Insert an element into the skip list using the specified comparison function. ++ * Insert an element into the skip list using the specified comparison function ++ * if it does not already exist. + * @param sl The skip list + * @param data The element to insert + * @param comp The comparison function to use for placement into the skip list @@ -867,7 +941,8 @@ index 0000000..bc17efd + void *data, apr_skiplist_compare comp); + +/** -+ * Insert an element into the skip list using the existing comparison function. ++ * Insert an element into the skip list using the existing comparison function ++ * if it does not already exist (as determined by the comparison function) + * @param sl The skip list + * @param data The element to insert + * @remark If no comparison function has been set for the skip list, the element 
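Review bot: The new wording for `apr_skiplist_compare` does not say which argument "this node" refers to, and read naturally it looks reversed relative to the implementation. `skiplisti_find_compare` calls `comp(data, m->next->data)` and advances past the node when the result is `> 0`. Stating the contract in terms of the arguments would remove the ambiguity, e.g. `comp(a, b) returns <0 if a sorts before b, 0 if they are equal, >0 if a sorts after b`. The remove docs added further down speak of duplicates, while the insert docs say an element is only inserted if it does not already exist; the two should be reconciled.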
@@ -877,7 +952,7 @@ index 0000000..bc17efd + +/** + * Remove an element from the skip list using the specified comparison function for -+ * locating the element. ++ * locating the element. In the case of duplicates, the 1st entry will be removed. + * @param sl The skip list + * @param data The element to remove + * @param myfree A function to be called for each removed element @@ -890,7 +965,7 @@ index 0000000..bc17efd + +/** + * Remove an element from the skip list using the existing comparison function for -+ * locating the element. ++ * locating the element. In the case of duplicates, the 1st entry will be removed. + * @param sl The skip list + * @param data The element to remove + * @param myfree A function to be called for each removed element @@ -916,7 +991,7 @@ index 0000000..bc17efd +APR_DECLARE(void) apr_skiplist_destroy(apr_skiplist *sl, apr_skiplist_freefunc myfree); + +/** -+ * Return the first element in the skip list, leaving the element in the skip list. ++ * Return the first element in the skip list, removing the element from the skip list. + * @param sl The skip list + * @param myfree A function to be called for the removed element + * @remark NULL will be returned if there are no elements diff --git a/SOURCES/httpd-2.4.18-r1684636.patch b/SOURCES/httpd-2.4.18-r1684636.patch deleted file mode 100644 index c99bdcc..0000000 --- a/SOURCES/httpd-2.4.18-r1684636.patch +++ /dev/null 
@@ -1,24 +0,0 @@ ---- a/modules/aaa/mod_auth_digest.c 2015/06/10 10:32:46 1684635 -+++ b/modules/aaa/mod_auth_digest.c 2015/06/10 10:43:54 1684636 -@@ -249,9 +249,18 @@ - client_shm_filename = ap_runtime_dir_relative(ctx, "authdigest_shm"); - client_shm_filename = ap_append_pid(ctx, client_shm_filename, "."); - -- /* Now create that segment */ -- sts = apr_shm_create(&client_shm, shmem_size, -- client_shm_filename, ctx); -+ /* Use anonymous shm by default, fall back on name-based. */ -+ sts = apr_shm_create(&client_shm, shmem_size, NULL, ctx); -+ if (APR_STATUS_IS_ENOTIMPL(sts)) { -+ /* For a name-based segment, remove it first in case of a -+ * previous unclean shutdown. */ -+ apr_shm_remove(client_shm_filename, ctx); -+ -+ /* Now create that segment */ -+ sts = apr_shm_create(&client_shm, shmem_size, -+ client_shm_filename, ctx); -+ } -+ - if (APR_SUCCESS != sts) { - ap_log_error(APLOG_MARK, APLOG_ERR, sts, s, APLOGNO(01762) - "Failed to create shared memory segment on file %s", diff --git a/SOURCES/httpd-2.4.18-r1738229.patch b/SOURCES/httpd-2.4.18-r1738229.patch deleted file mode 100644 index 1fcc79d..0000000 --- a/SOURCES/httpd-2.4.18-r1738229.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -# ./pullrev.sh 1738229 - -https://bugzilla.redhat.com/show_bug.cgi?id=1225116 - -As for mod_auth_digest, fix to use anonymous SHM by default. - -http://svn.apache.org/viewvc?view=revision&revision=1738229 - ---- httpd-2.4.18/modules/lua/mod_lua.c -+++ httpd-2.4.18/modules/lua/mod_lua.c -@@ -83,6 +83,8 @@ - int broken; - } lua_filter_ctx; - -+#define DEFAULT_LUA_SHMFILE "lua_ivm_shm" -+ - apr_global_mutex_t *lua_ivm_mutex; - apr_shm_t *lua_ivm_shm; - char *lua_ivm_shmfile; -@@ -1995,7 +1997,6 @@ - apr_pool_t *ptemp, server_rec *s) - { - apr_pool_t **pool; -- const char *tempdir; - apr_status_t rs; - - lua_ssl_val = APR_RETRIEVE_OPTIONAL_FN(ssl_var_lookup); -@@ -2011,21 +2012,20 @@ - return HTTP_INTERNAL_SERVER_ERROR; - } - -- /* Create shared memory space */ -- rs = apr_temp_dir_get(&tempdir, pconf); -- if (rs != APR_SUCCESS) { -- ap_log_error(APLOG_MARK, APLOG_ERR, rs, s, APLOGNO(02664) -- "mod_lua IVM: Failed to find temporary directory"); -- return HTTP_INTERNAL_SERVER_ERROR; -+ /* Create shared memory space, anonymous first if possible. */ -+ rs = apr_shm_create(&lua_ivm_shm, sizeof pool, NULL, pconf); -+ if (APR_STATUS_IS_ENOTIMPL(rs)) { -+ /* Fall back to filename-based; nuke any left-over first. */ -+ lua_ivm_shmfile = ap_runtime_dir_relative(pconf, DEFAULT_LUA_SHMFILE); -+ -+ apr_shm_remove(lua_ivm_shmfile, pconf); -+ -+ rs = apr_shm_create(&lua_ivm_shm, sizeof pool, lua_ivm_shmfile, pconf); - } -- lua_ivm_shmfile = apr_psprintf(pconf, "%s/httpd_lua_shm.%ld", tempdir, -- (long int)getpid()); -- rs = apr_shm_create(&lua_ivm_shm, sizeof(apr_pool_t**), -- (const char *) lua_ivm_shmfile, pconf); - if (rs != APR_SUCCESS) { - ap_log_error(APLOG_MARK, APLOG_ERR, rs, s, APLOGNO(02665) - "mod_lua: Failed to create shared memory segment on file %s", -- lua_ivm_shmfile); -+ lua_ivm_shmfile ? lua_ivm_shmfile : "(anonymous)"); - return HTTP_INTERNAL_SERVER_ERROR; - } - pool = (apr_pool_t **)apr_shm_baseaddr_get(lua_ivm_shm); 
diff --git a/SOURCES/httpd-2.4.25-CVE-2017-3167.patch b/SOURCES/httpd-2.4.25-CVE-2017-3167.patch deleted file mode 100644 index 36cffc2..0000000 --- a/SOURCES/httpd-2.4.25-CVE-2017-3167.patch +++ /dev/null 
@@ -1,163 +0,0 @@ -diff --git a/include/http_protocol.h b/include/http_protocol.h -index a9e0990..29d887c 100644 ---- a/include/http_protocol.h -+++ b/include/http_protocol.h -@@ -558,7 +558,11 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r); - AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type)) - - /** -- * Get the password from the request headers -+ * Get the password from the request headers. This function has multiple side -+ * effects due to its prior use in the old authentication framework. -+ * ap_get_basic_auth_components() should be preferred. -+ * -+ * @deprecated @see ap_get_basic_auth_components - * @param r The current request - * @param pw The password as set in the headers - * @return 0 (OK) if it set the 'pw' argument (and assured -@@ -571,6 +575,25 @@ AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type)) - */ - AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw); - -+#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE" -+ -+/** -+ * Get the username and/or password from the request's Basic authentication -+ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side -+ * effects on the passed request_rec. -+ * -+ * @param r The current request -+ * @param username If not NULL, set to the username sent by the client -+ * @param password If not NULL, set to the password sent by the client -+ * @return APR_SUCCESS if the credentials were successfully parsed and returned; -+ * APR_EINVAL if there was no authentication header sent or if the -+ * client was not using the Basic authentication scheme. username and -+ * password are unchanged on failure. 
-+ */ -+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r, -+ const char **username, -+ const char **password); -+ - /** - * parse_uri: break apart the uri - * @warning Side Effects: -diff --git a/server/protocol.c b/server/protocol.c -index 63b358d..32d6123 100644 ---- a/server/protocol.c -+++ b/server/protocol.c -@@ -1593,6 +1593,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw) - - t = ap_pbase64decode(r->pool, auth_line); - r->user = ap_getword_nulls (r->pool, &t, ':'); -+ apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1"); - r->ap_auth_type = "Basic"; - - *pw = t; -@@ -1600,6 +1601,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw) - return OK; - } - -+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r, -+ const char **username, -+ const char **password) -+{ -+ const char *auth_header; -+ const char *credentials; -+ const char *decoded; -+ const char *user; -+ -+ auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization" -+ : "Authorization"; -+ credentials = apr_table_get(r->headers_in, auth_header); -+ -+ if (!credentials) { -+ /* No auth header. */ -+ return APR_EINVAL; -+ } -+ -+ if (ap_cstr_casecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) { -+ /* These aren't Basic credentials. */ -+ return APR_EINVAL; -+ } -+ -+ while (*credentials == ' ' || *credentials == '\t') { -+ credentials++; -+ } -+ -+ /* XXX Our base64 decoding functions don't actually error out if the string -+ * we give it isn't base64; they'll just silently stop and hand us whatever -+ * they've parsed up to that point. -+ * -+ * Since this function is supposed to be a drop-in replacement for the -+ * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x. 
-+ */ -+ decoded = ap_pbase64decode(r->pool, credentials); -+ user = ap_getword_nulls(r->pool, &decoded, ':'); -+ -+ if (username) { -+ *username = user; -+ } -+ if (password) { -+ *password = decoded; -+ } -+ -+ return APR_SUCCESS; -+} -+ - struct content_length_ctx { - int data_sent; /* true if the C-L filter has already sent at - * least one bucket on to the next output filter -diff --git a/server/request.c b/server/request.c -index 9377836..939e515 100644 ---- a/server/request.c -+++ b/server/request.c -@@ -124,6 +124,8 @@ static int decl_die(int status, const char *phase, request_rec *r) - AP_DECLARE(int) ap_some_authn_required(request_rec *r) - { - int access_status; -+ char *olduser = r->user; -+ int rv = FALSE; - - switch (ap_satisfies(r)) { - case SATISFY_ALL: -@@ -134,7 +136,7 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r) - - access_status = ap_run_access_checker_ex(r); - if (access_status == DECLINED) { -- return TRUE; -+ rv = TRUE; - } - - break; -@@ -145,13 +147,14 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r) - - access_status = ap_run_access_checker_ex(r); - if (access_status == DECLINED) { -- return TRUE; -+ rv = TRUE; - } - - break; - } - -- return FALSE; -+ r->user = olduser; -+ return rv; - } - - /* This is the master logic for processing requests. Do NOT duplicate -@@ -259,6 +262,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r) - r->ap_auth_type = r->main->ap_auth_type; - } - else { -+ /* A module using a confusing API (ap_get_basic_auth_pw) caused -+ ** r->user to be filled out prior to check_authn hook. We treat -+ ** it is inadvertent. -+ */ -+ if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) { -+ r->user = NULL; -+ } -+ - switch (ap_satisfies(r)) { - case SATISFY_ALL: - case SATISFY_NOSPEC: diff --git a/SOURCES/httpd-2.4.25-CVE-2017-3169.patch b/SOURCES/httpd-2.4.25-CVE-2017-3169.patch deleted file mode 100644 index 37c5885..0000000 
--- a/SOURCES/httpd-2.4.25-CVE-2017-3169.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c -index 8829871..8fcbe2d 100644 ---- a/modules/ssl/ssl_engine_io.c -+++ b/modules/ssl/ssl_engine_io.c -@@ -878,20 +878,21 @@ static apr_status_t ssl_filter_write(ap_filter_t *f, - * establish an outgoing SSL connection. */ - #define MODSSL_ERROR_BAD_GATEWAY (APR_OS_START_USERERR + 1) - --static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f) -+static void ssl_io_filter_disable(SSLConnRec *sslconn, -+ bio_filter_in_ctx_t *inctx) - { -- bio_filter_in_ctx_t *inctx = f->ctx; - SSL_free(inctx->ssl); - sslconn->ssl = NULL; - inctx->ssl = NULL; - inctx->filter_ctx->pssl = NULL; - } - --static apr_status_t ssl_io_filter_error(ap_filter_t *f, -+static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx, - apr_bucket_brigade *bb, - apr_status_t status, - int is_init) - { -+ ap_filter_t *f = inctx->f; - SSLConnRec *sslconn = myConnConfig(f->c); - apr_bucket *bucket; - int send_eos = 1; -@@ -904,7 +905,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f, - "trying to send HTML error page"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server); - -- ssl_io_filter_disable(sslconn, f); -+ ssl_io_filter_disable(sslconn, inctx); - f->c->keepalive = AP_CONN_CLOSE; - if (is_init) { - sslconn->non_ssl_request = NON_SSL_SEND_REQLINE; -@@ -1455,7 +1456,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, - * rather than have SSLEngine On configured. - */ - if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) { -- return ssl_io_filter_error(f, bb, status, is_init); -+ return ssl_io_filter_error(inctx, bb, status, is_init); - } - - #ifdef HAVE_TLS_NPN -@@ -1541,7 +1542,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, - - /* Handle custom errors. 
*/ - if (status != APR_SUCCESS) { -- return ssl_io_filter_error(f, bb, status, 0); -+ return ssl_io_filter_error(inctx, bb, status, 0); - } - - /* Create a transient bucket out of the decrypted data. */ -@@ -1726,7 +1727,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f, - inctx->block = APR_BLOCK_READ; - - if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) { -- return ssl_io_filter_error(f, bb, status, 0); -+ return ssl_io_filter_error(inctx, bb, status, 0); - } - - while (!APR_BRIGADE_EMPTY(bb) && status == APR_SUCCESS) { diff --git a/SOURCES/httpd-2.4.25-CVE-2017-7659.patch b/SOURCES/httpd-2.4.25-CVE-2017-7659.patch deleted file mode 100644 index e5b24ac..0000000 --- a/SOURCES/httpd-2.4.25-CVE-2017-7659.patch +++ /dev/null @@ -1,23 +0,0 @@ -diff --git a/modules/http2/h2_stream.c b/modules/http2/h2_stream.c -index 3f30949..8a7dbb9 100644 ---- a/modules/http2/h2_stream.c -+++ b/modules/http2/h2_stream.c -@@ -286,11 +286,13 @@ apr_status_t h2_stream_set_request_rec(h2_stream *stream, request_rec *r) - return APR_ECONNRESET; - } - status = h2_request_rcreate(&req, stream->pool, r); -- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058) -- "h2_request(%d): set_request_rec %s host=%s://%s%s", -- stream->id, req->method, req->scheme, req->authority, -- req->path); -- stream->rtmp = req; -+ if (status == APR_SUCCESS) { -+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058) -+ "h2_request(%d): set_request_rec %s host=%s://%s%s", -+ stream->id, req->method, req->scheme, req->authority, -+ req->path); -+ stream->rtmp = req; -+ } - return status; - } - diff --git a/SOURCES/httpd-2.4.25-CVE-2017-7668.patch b/SOURCES/httpd-2.4.25-CVE-2017-7668.patch deleted file mode 100644 index d0c247f..0000000 --- a/SOURCES/httpd-2.4.25-CVE-2017-7668.patch +++ /dev/null 
@@ -1,17 +0,0 @@ -diff --git a/server/util.c b/server/util.c -index fba34bd..7335a0f 100644 ---- a/server/util.c -+++ b/server/util.c -@@ -1679,10 +1679,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok) - - s = (const unsigned char *)line; - for (;;) { -- /* find start of token, skip all stop characters, note NUL -- * isn't a token stop, so we don't need to test for it -- */ -- while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) { -+ /* find start of token, skip all stop characters */ -+ while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) { - ++s; - } - if (!*s) { diff --git a/SOURCES/httpd-2.4.25-CVE-2017-7679.patch b/SOURCES/httpd-2.4.25-CVE-2017-7679.patch deleted file mode 100644 index b34a0b2..0000000 --- a/SOURCES/httpd-2.4.25-CVE-2017-7679.patch +++ /dev/null @@ -1,16 +0,0 @@ -diff --git a/modules/http/mod_mime.c b/modules/http/mod_mime.c -index f92119b..28c53be 100644 ---- a/modules/http/mod_mime.c -+++ b/modules/http/mod_mime.c -@@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s) - int res = -1; - int c; - -- if (((s + 1) != NULL) && (*s == '\\')) { -+ if (*s == '\\') { - c = (int) *(s + 1); -- if (apr_isascii(c)) { -+ if (c && apr_isascii(c)) { - res = 1; - } - } diff --git a/SOURCES/httpd-2.4.25-CVE-2017-9788.patch b/SOURCES/httpd-2.4.25-CVE-2017-9788.patch deleted file mode 100644 index b5501fc..0000000 --- a/SOURCES/httpd-2.4.25-CVE-2017-9788.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c -index c22bb09..d391559 100644 ---- a/modules/aaa/mod_auth_digest.c -+++ b/modules/aaa/mod_auth_digest.c -@@ -965,13 +965,13 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp) - - /* find value */ - -+ vv = 0; - if (auth_line[0] == '=') { - auth_line++; - while (apr_isspace(auth_line[0])) { - auth_line++; - } - -- vv = 0; - if (auth_line[0] == '\"') { /* quoted string */ - auth_line++; - while (auth_line[0] != '\"' && auth_line[0] != '\0') { -@@ -990,8 +990,8 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp) - value[vv++] = *auth_line++; - } - } -- value[vv] = '\0'; - } -+ value[vv] = '\0'; - - while (auth_line[0] != ',' && auth_line[0] != '\0') { - auth_line++; diff --git a/SOURCES/httpd-2.4.25-r1778319+.patch b/SOURCES/httpd-2.4.25-r1778319+.patch deleted file mode 100644 index b791e9d..0000000 --- a/SOURCES/httpd-2.4.25-r1778319+.patch +++ /dev/null 
@@ -1,32 +0,0 @@ -# ./pullrev.sh 1778319 1778331 - -http://svn.apache.org/viewvc?view=revision&revision=1778319 -http://svn.apache.org/viewvc?view=revision&revision=1778331 - ---- httpd-2.4.25/modules/core/mod_watchdog.c -+++ httpd-2.4.25/modules/core/mod_watchdog.c -@@ -436,19 +436,19 @@ - { - apr_status_t rv; - const char *pk = "watchdog_init_module_tag"; -- apr_pool_t *pproc = s->process->pool; -+ apr_pool_t *ppconf = pconf; - const apr_array_header_t *wl; - - if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) - /* First time config phase -- skip. */ - return OK; - -- apr_pool_userdata_get((void *)&wd_server_conf, pk, pproc); -+ apr_pool_userdata_get((void *)&wd_server_conf, pk, ppconf); - if (!wd_server_conf) { -- if (!(wd_server_conf = apr_pcalloc(pproc, sizeof(wd_server_conf_t)))) -+ if (!(wd_server_conf = apr_pcalloc(ppconf, sizeof(wd_server_conf_t)))) - return APR_ENOMEM; -- apr_pool_create(&wd_server_conf->pool, pproc); -- apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, pproc); -+ apr_pool_create(&wd_server_conf->pool, ppconf); -+ apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, ppconf); - } - wd_server_conf->s = s; - if ((wl = ap_list_provider_names(pconf, AP_WATCHDOG_PGROUP, diff --git a/SOURCES/httpd-2.4.25-r1782332.patch b/SOURCES/httpd-2.4.25-r1782332.patch deleted file mode 100644 index 5b1c25b..0000000 --- a/SOURCES/httpd-2.4.25-r1782332.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -# ./pullrev.sh 1782332 -http://svn.apache.org/viewvc?view=revision&revision=1782332 - ---- httpd-2.4.25/modules/proxy/mod_proxy.c -+++ httpd-2.4.25/modules/proxy/mod_proxy.c -@@ -764,6 +764,10 @@ - || !r->uri || r->uri[0] != '/') { - return DECLINED; - } -+ -+ if (apr_table_get(r->subprocess_env, "no-proxy")) { -+ return DECLINED; -+ } - - /* XXX: since r->uri has been manipulated already we're not really - * compliant with RFC1945 at this point. But this probably isn't -@@ -771,29 +775,18 @@ - */ - - dconf = ap_get_module_config(r->per_dir_config, &proxy_module); -- conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config, -- &proxy_module); -+ - /* short way - this location is reverse proxied? */ - if (dconf->alias) { - int rv = ap_proxy_trans_match(r, dconf->alias, dconf); -- if (OK == rv) { -- /* Got a hit. Need to make sure it's not explicitly declined */ -- if (conf->aliases->nelts) { -- ent = (struct proxy_alias *) conf->aliases->elts; -- for (i = 0; i < conf->aliases->nelts; i++) { -- int rv = ap_proxy_trans_match(r, &ent[i], dconf); -- if (DECLINED == rv) { -- return DECLINED; -- } -- } -- } -- return OK; -- } - if (DONE != rv) { - return rv; - } - } - -+ conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config, -+ &proxy_module); -+ - /* long way - walk the list of aliases, find a match */ - if (conf->aliases->nelts) { - ent = (struct proxy_alias *) conf->aliases->elts; diff --git a/SOURCES/httpd-2.4.25-r1787301.patch b/SOURCES/httpd-2.4.25-r1787301.patch deleted file mode 100644 index 232e8f0..0000000 --- a/SOURCES/httpd-2.4.25-r1787301.patch +++ /dev/null 
@@ -1,16 +0,0 @@ -# ./pullrev.sh 1787301 -http://svn.apache.org/viewvc?view=revision&revision=1787301 - -https://bugzilla.redhat.com/show_bug.cgi?id=1432249 - ---- httpd-2.4.25/server/listen.c -+++ httpd-2.4.25/server/listen.c -@@ -153,7 +153,7 @@ - #endif - - #if defined(SO_REUSEPORT) -- if (ap_have_so_reuseport) { -+ if (ap_have_so_reuseport && ap_listencbratio > 0) { - int thesock; - apr_os_sock_get(&thesock, s); - if (setsockopt(thesock, SOL_SOCKET, SO_REUSEPORT, diff --git a/SOURCES/httpd-2.4.25-rev-r1748324+.patch b/SOURCES/httpd-2.4.25-rev-r1748324+.patch index 5586c7c..40d7e6e 100644 --- a/SOURCES/httpd-2.4.25-rev-r1748324+.patch +++ b/SOURCES/httpd-2.4.25-rev-r1748324+.patch @@ -1,21 +1,16 @@ - -Reverses two changes to mod_proxy_fcgi.c to get back to pre-2.4.23 behaviour: - -https://svn.apache.org/r1748324 -https://svn.apache.org/r1755077 - -diff -uap httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c.rev-r1748324+ httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c ---- httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c.rev-r1748324+ -+++ httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c -@@ -253,6 +253,7 @@ +diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c +index 41292e8..59dd484 100644 +--- a/modules/proxy/mod_proxy_fcgi.c ++++ b/modules/proxy/mod_proxy_fcgi.c +@@ -321,6 +321,7 @@ static apr_status_t send_environment(proxy_conn_rec *conn, request_rec *r, apr_status_t rv; apr_size_t avail_len, len, required_len; int next_elem, starting_elem; + char *proxyfilename = r->filename; fcgi_req_config_t *rconf = ap_get_module_config(r->request_config, &proxy_fcgi_module); + fcgi_dirconf_t *dconf = ap_get_module_config(r->per_dir_config, &proxy_fcgi_module); - if (rconf) { -@@ -261,33 +262,18 @@ +@@ -330,40 +331,18 @@ static apr_status_t send_environment(proxy_conn_rec *conn, request_rec *r, } } 
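Review bot: The refreshed header of httpd-2.4.25-rev-r1748324+.patch drops the only statement of what this downstream patch does ("Reverses two changes to mod_proxy_fcgi.c to get back to pre-2.4.23 behaviour") along with the two upstream revision links, leaving a bare `diff --git` body. The same loss occurs in the refreshed httpd-2.4.6-r1332643+.patch (pullrev line, Bugzilla reference and three upstream revisions) and httpd-2.4.6-sigint.patch (the original commit message). Anyone auditing which upstream changes this package carries or reverts now has to reconstruct that from history. Keep the description block above the first `diff --git` line when regenerating, e.g. `Reverses upstream r1748324 and r1755077 in mod_proxy_fcgi.c (pre-2.4.23 behaviour)`.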
@@ -26,14 +21,21 @@ diff -uap httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c.rev-r1748324+ httpd-2.4.25 - if (!strncmp(r->filename, "proxy:balancer://", 17)) { - newfname = apr_pstrdup(r->pool, r->filename+17); - } -- else if (!strncmp(r->filename, "proxy:fcgi://", 13)) { -- newfname = apr_pstrdup(r->pool, r->filename+13); -- } -- /* Query string in environment only */ -- if (newfname && r->args && *r->args) { -- char *qs = strrchr(newfname, '?'); -- if (qs && !strcmp(qs+1, r->args)) { -- *qs = '\0'; +- +- if (!FCGI_MAY_BE_FPM(dconf)) { +- if (!strncmp(r->filename, "proxy:fcgi://", 13)) { +- /* If we strip this under FPM, and any internal redirect occurs +- * on PATH_INFO, FPM may use PATH_TRANSLATED instead of +- * SCRIPT_FILENAME (a la mod_fastcgi + Action). +- */ +- newfname = apr_pstrdup(r->pool, r->filename+13); +- } +- /* Query string in environment only */ +- if (newfname && r->args && *r->args) { +- char *qs = strrchr(newfname, '?'); +- if (qs && !strcmp(qs+1, r->args)) { +- *qs = '\0'; +- } - } - } - @@ -42,7 +44,7 @@ diff -uap httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c.rev-r1748324+ httpd-2.4.25 - r->filename = newfname; - } + /* Strip balancer prefix */ -+ if (r->filename && !strncmp(r->filename, "proxy:balancer://", 17)) { ++ if (r->filename && !strncmp(r->filename, "proxy:balancer://", 17)) { + char *newfname = apr_pstrdup(r->pool, r->filename+17); + newfname = ap_strchr(newfname, '/'); + r->filename = newfname; @@ -50,9 +52,9 @@ diff -uap httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c.rev-r1748324+ httpd-2.4.25 ap_add_common_vars(r); ap_add_cgi_vars(r); - + + r->filename = proxyfilename; + /* XXX are there any FastCGI specific env vars we need to send? */ - /* XXX mod_cgi/mod_cgid use ap_create_environment here, which fills in + /* Give admins final option to fine-tune env vars */ diff --git a/SOURCES/httpd-2.4.26-sslalpnthunks.patch b/SOURCES/httpd-2.4.26-sslalpnthunks.patch new file mode 100644 index 0000000..d662ec7 --- /dev/null 
+++ b/SOURCES/httpd-2.4.26-sslalpnthunks.patch 
@@ -0,0 +1,118 @@ + +Support building against OpenSSL 1.0.1 but using ALPN support from +OpenSSL 1.0.2 if possible, using the dynamic loader to look up +symbols at run-time. + +--- httpd-2.4.26/modules/ssl/config.m4.sslalpnthunks ++++ httpd-2.4.26/modules/ssl/config.m4 +@@ -49,6 +49,15 @@ + fi + ]) + ++AC_ARG_ENABLE(tls-alpn-thunks, ++APACHE_HELP_STRING(--enable-tls-alpn-thunks,Enable support for ALPN thunks in mod_ssl),[ ++ if test "$enableval" = "yes"; then ++ AC_DEFINE(HAVE_TLS_ALPN_THUNKS, 1, [Define if support for ALPN thunks is enabled]) ++ AC_MSG_NOTICE([Enabled support for ALPN thunks in mod_ssl]) ++ fi ++]) ++ ++ + # Ensure that other modules can pick up mod_ssl.h + APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current]) + +diff -uap httpd-2.4.26/modules/ssl/mod_ssl.c.sslalpnthunks httpd-2.4.26/modules/ssl/mod_ssl.c +--- httpd-2.4.26/modules/ssl/mod_ssl.c.sslalpnthunks ++++ httpd-2.4.26/modules/ssl/mod_ssl.c +@@ -725,6 +725,9 @@ + &ssl_authz_provider_verify_client, + AP_AUTH_INTERNAL_PER_CONF); + ++#ifdef HAVE_TLS_ALPN_THUNKS ++ modssl_init_alpn_thunks(); ++#endif + } + + module AP_MODULE_DECLARE_DATA ssl_module = { +diff -uap httpd-2.4.26/modules/ssl/ssl_engine_init.c.sslalpnthunks httpd-2.4.26/modules/ssl/ssl_engine_init.c +--- httpd-2.4.26/modules/ssl/ssl_engine_init.c.sslalpnthunks ++++ httpd-2.4.26/modules/ssl/ssl_engine_init.c +@@ -47,6 +47,50 @@ + #define KEYTYPES "RSA or DSA" + #endif + ++#ifdef HAVE_TLS_ALPN_THUNKS ++#include ++ ++/* During initialization, fetch pointers to OpenSSL functions if ++ * available from the dynamic loader, and store these for later ++ * use. 
*/ ++typedef int (ssl_alpn_callback_fn)(SSL *ssl, const unsigned char **out, ++ unsigned char *outlen, const unsigned char *in, ++ unsigned int inlen, void *arg); ++static void SSL_CTX_set_alpn_select_cb(SSL_CTX *, ssl_alpn_callback_fn *, void *); ++int modssl_SSL_set_alpn_protos(SSL *, unsigned char *, unsigned); ++ ++static typeof(SSL_CTX_set_alpn_select_cb) *thunk_set_alpn_select_cb; ++static typeof(modssl_SSL_set_alpn_protos) *thunk_set_alpn_protos; ++ ++void modssl_init_alpn_thunks(void) ++{ ++ thunk_set_alpn_select_cb = dlsym(RTLD_NEXT, "SSL_CTX_set_alpn_select_cb"); ++ thunk_set_alpn_protos = dlsym(RTLD_NEXT, "SSL_set_alpn_protos"); ++ ++ if (!thunk_set_alpn_select_cb || !thunk_set_alpn_protos) { ++ /* All or nothing... */ ++ thunk_set_alpn_select_cb = NULL; ++ thunk_set_alpn_protos = NULL; ++ } ++} ++ ++static void SSL_CTX_set_alpn_select_cb(SSL_CTX *ssl, ssl_alpn_callback_fn *cb, void *ud) ++{ ++ if (thunk_set_alpn_select_cb) ++ thunk_set_alpn_select_cb(ssl, cb, ud); ++} ++ ++int modssl_SSL_set_alpn_protos(SSL *ssl, unsigned char *ps, unsigned plen) ++{ ++ if (thunk_set_alpn_protos) ++ return thunk_set_alpn_protos(ssl, ps, plen); ++ else ++ /* Succeed silently; less harmless than failing and logging ++ * warnings. 
*/ ++ return 0; ++} ++#endif /* HAVE_TLS_ALPN_THUNKS */ ++ + #if OPENSSL_VERSION_NUMBER < 0x10100000L + /* OpenSSL Pre-1.1.0 compatibility */ + /* Taken from OpenSSL 1.1.0 snapshot 20160410 */ +diff -uap httpd-2.4.26/modules/ssl/ssl_private.h.sslalpnthunks httpd-2.4.26/modules/ssl/ssl_private.h +--- httpd-2.4.26/modules/ssl/ssl_private.h.sslalpnthunks ++++ httpd-2.4.26/modules/ssl/ssl_private.h +@@ -199,6 +199,24 @@ + #include + #endif + ++#ifdef HAVE_TLS_ALPN_THUNKS ++ ++#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation ++#error Cannot enable TLS ALPN thunks if OpenSSL support is present ++#endif ++ ++#define TLSEXT_TYPE_application_layer_protocol_negotiation 16 ++ ++#define SSL_set_alpn_protos(s, p, l) modssl_SSL_set_alpn_protos(s, p, l) ++ ++/* Thunk for SSL_set_alpn_protos(). */ ++int modssl_SSL_set_alpn_protos(SSL *, unsigned char *, unsigned); ++ ++/* Initialize thunks. */ ++void modssl_init_alpn_thunks(void); ++ ++#endif ++ + /* ALPN Protocol Negotiation */ + #if defined(TLSEXT_TYPE_application_layer_protocol_negotiation) + #define HAVE_TLS_ALPN diff --git a/SOURCES/httpd-2.4.27-CVE-2017-9798.patch b/SOURCES/httpd-2.4.27-CVE-2017-9798.patch new file mode 100644 index 0000000..90bf4f7 --- /dev/null +++ b/SOURCES/httpd-2.4.27-CVE-2017-9798.patch @@ -0,0 +1,15 @@ +--- a/server/core.c 2017/09/08 13:10:16 1807753 ++++ b/server/core.c 2017/09/08 13:13:11 1807754 +@@ -2266,6 +2266,12 @@ + /* method has not been registered yet, but resource restriction + * is always checked before method handling, so register it. + */ ++ if (cmd->pool == cmd->temp_pool) { ++ /* In .htaccess, we can't globally register new methods. */ ++ return apr_psprintf(cmd->pool, "Could not register method '%s' " ++ "for %s from .htaccess configuration", ++ method, cmd->cmd->name); ++ } + methnum = ap_method_register(cmd->pool, + apr_pstrdup(cmd->pool, method)); + } 
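Review bot: `modssl_SSL_set_alpn_protos()` returns 0 when the run-time lookup found no ALPN support, and `modssl_init_alpn_thunks()` returns void and logs nothing, so neither callers nor the operator can tell whether ALPN is in effect on a given host. `dlsym(RTLD_NEXT, ...)` also binds to whichever later object in the search order exports the symbol; that is presumably the system libssl, but nothing here checks it. Consider having the init function report the outcome so the call site in mod_ssl.c can log it once at startup. The fallback should also be documented at the thunk, e.g. `/* No ALPN in the loaded libssl: report success so callers proceed without ALPN. */`.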
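Review bot: The new guard identifies `.htaccess` context by `cmd->pool == cmd->temp_pool`, but the comment above it does not say why that comparison means `.htaccess` or what goes wrong if the method is registered anyway. A short why-comment would keep the check from being simplified away later, e.g. `/* cmd->pool == cmd->temp_pool only while parsing .htaccess; a method registered from that pool would enter the server-wide method registry but be freed with the request. */`. That wording should be confirmed against the upstream advisory for CVE-2017-9798. The enclosing function starts and ends outside the hunk.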
diff --git a/SOURCES/httpd-2.4.27-mod_authz_dbd-missing-query.patch b/SOURCES/httpd-2.4.27-mod_authz_dbd-missing-query.patch new file mode 100644 index 0000000..2d66043 --- /dev/null +++ b/SOURCES/httpd-2.4.27-mod_authz_dbd-missing-query.patch @@ -0,0 +1,38 @@ +diff --git a/modules/aaa/mod_authz_dbd.c b/modules/aaa/mod_authz_dbd.c +index 52aab38..2c468e0 100644 +--- a/modules/aaa/mod_authz_dbd.c ++++ b/modules/aaa/mod_authz_dbd.c +@@ -119,7 +119,7 @@ static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg, + const char *newuri = NULL; + int nrows; + const char *message; +- ap_dbd_t *dbd = dbd_handle(r); ++ ap_dbd_t *dbd = NULL; + apr_dbd_prepared_t *query; + apr_dbd_results_t *res = NULL; + apr_dbd_row_t *row = NULL; +@@ -129,6 +129,7 @@ static int authz_dbd_login(request_rec *r, authz_dbd_cfg *cfg, + "No query configured for %s!", action); + return HTTP_INTERNAL_SERVER_ERROR; + } ++ dbd = dbd_handle(r); + if (dbd == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02902) + "No db handle available for %s! " +@@ -213,7 +213,7 @@ static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg, + /* SELECT group FROM authz WHERE user = %s */ + int rv; + const char *message; +- ap_dbd_t *dbd = dbd_handle(r); ++ ap_dbd_t *dbd = NULL; + apr_dbd_prepared_t *query; + apr_dbd_results_t *res = NULL; + apr_dbd_row_t *row = NULL; +@@ -223,6 +223,7 @@ static int authz_dbd_group_query(request_rec *r, authz_dbd_cfg *cfg, + "No query configured for dbd-group!"); + return HTTP_INTERNAL_SERVER_ERROR; + } ++ dbd = dbd_handle(r); + if (dbd == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02903) + "No db handle available for dbd-query! " diff --git a/SOURCES/httpd-2.4.6-r1332643+.patch b/SOURCES/httpd-2.4.6-r1332643+.patch index fab9696..69c451d 100644 --- a/SOURCES/httpd-2.4.6-r1332643+.patch +++ b/SOURCES/httpd-2.4.6-r1332643+.patch 
@@ -1,21 +1,8 @@ -# ./pullrev.sh 1332643 1345599 1487772 - -https://bugzilla.redhat.com//show_bug.cgi?id=809599 - -Backport of (deprecated) NPN support from upstream, with -added support for Protocols in the same way as ALPN is -supported. - -Upstream commits: - -http://svn.apache.org/viewvc?view=revision&revision=1332643 -http://svn.apache.org/viewvc?view=revision&revision=1345599 -http://svn.apache.org/viewvc?view=revision&revision=1487772 - -diff -uap httpd-2.4.18/modules/ssl/mod_ssl.c.r1332643+ httpd-2.4.18/modules/ssl/mod_ssl.c ---- httpd-2.4.18/modules/ssl/mod_ssl.c.r1332643+ -+++ httpd-2.4.18/modules/ssl/mod_ssl.c -@@ -439,6 +439,13 @@ int ssl_engine_disable(conn_rec *c) +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c +index 987b256..c24c6e1 100644 +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -514,6 +514,13 @@ int ssl_engine_disable(conn_rec *c) return 1; } @@ -29,7 +16,7 @@ diff -uap httpd-2.4.18/modules/ssl/mod_ssl.c.r1332643+ httpd-2.4.18/modules/ssl/ int ssl_init_ssl_connection(conn_rec *c, request_rec *r) { SSLSrvConfigRec *sc; -@@ -624,6 +631,7 @@ static void ssl_register_hooks(apr_pool_ +@@ -706,6 +713,7 @@ static void ssl_register_hooks(apr_pool_t *p) APR_REGISTER_OPTIONAL_FN(ssl_proxy_enable); APR_REGISTER_OPTIONAL_FN(ssl_engine_disable); 
@@ -37,10 +24,11 @@ diff -uap httpd-2.4.18/modules/ssl/mod_ssl.c.r1332643+ httpd-2.4.18/modules/ssl/ ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "ssl", AUTHZ_PROVIDER_VERSION, -diff -uap httpd-2.4.18/modules/ssl/mod_ssl.h.r1332643+ httpd-2.4.18/modules/ssl/mod_ssl.h ---- httpd-2.4.18/modules/ssl/mod_ssl.h.r1332643+ -+++ httpd-2.4.18/modules/ssl/mod_ssl.h -@@ -63,5 +63,40 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e +diff --git a/modules/ssl/mod_ssl.h b/modules/ssl/mod_ssl.h +index db8ffaf..d381901 100644 +--- a/modules/ssl/mod_ssl.h ++++ b/modules/ssl/mod_ssl.h +@@ -84,5 +84,40 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_enable, (conn_rec *)); APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); @@ -81,10 +69,11 @@ diff -uap httpd-2.4.18/modules/ssl/mod_ssl.h.r1332643+ httpd-2.4.18/modules/ssl/ + #endif /* __MOD_SSL_H__ */ /** @} */ -diff -uap httpd-2.4.18/modules/ssl/ssl_engine_init.c.r1332643+ httpd-2.4.18/modules/ssl/ssl_engine_init.c ---- httpd-2.4.18/modules/ssl/ssl_engine_init.c.r1332643+ -+++ httpd-2.4.18/modules/ssl/ssl_engine_init.c -@@ -636,6 +636,11 @@ static void ssl_init_ctx_callbacks(serve +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index 9526f1b..12b2115 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -736,6 +736,11 @@ static void ssl_init_ctx_callbacks(server_rec *s, #ifdef HAVE_TLS_ALPN SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL); #endif 
@@ -96,10 +85,11 @@ diff -uap httpd-2.4.18/modules/ssl/ssl_engine_init.c.r1332643+ httpd-2.4.18/modu } static apr_status_t ssl_init_ctx_verify(server_rec *s, -diff -uap httpd-2.4.18/modules/ssl/ssl_engine_io.c.r1332643+ httpd-2.4.18/modules/ssl/ssl_engine_io.c ---- httpd-2.4.18/modules/ssl/ssl_engine_io.c.r1332643+ -+++ httpd-2.4.18/modules/ssl/ssl_engine_io.c -@@ -319,6 +319,7 @@ typedef struct { +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c +index d1f44e9..26ee301 100644 +--- a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -317,6 +317,7 @@ typedef struct { apr_pool_t *pool; char buffer[AP_IOBUFSIZE]; ssl_filter_ctx_t *filter_ctx; @@ -107,8 +97,8 @@ diff -uap httpd-2.4.18/modules/ssl/ssl_engine_io.c.r1332643+ httpd-2.4.18/module } bio_filter_in_ctx_t; /* -@@ -1377,6 +1378,38 @@ static apr_status_t ssl_io_filter_input( - return ssl_io_filter_error(f, bb, status, is_init); +@@ -1517,6 +1518,38 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f, + return ssl_io_filter_error(inctx, bb, status, is_init); } +#ifdef HAVE_TLS_NPN @@ -146,7 +136,7 @@ diff -uap httpd-2.4.18/modules/ssl/ssl_engine_io.c.r1332643+ httpd-2.4.18/module if (is_init) { /* protocol module needs to handshake before sending * data to client (e.g. NNTP or FTP) -@@ -1899,6 +1932,7 @@ static void ssl_io_input_add_filter(ssl_ +@@ -2041,6 +2074,7 @@ static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c, inctx->block = APR_BLOCK_READ; inctx->pool = c->pool; inctx->filter_ctx = filter_ctx; 
@@ -154,10 +144,11 @@ diff -uap httpd-2.4.18/modules/ssl/ssl_engine_io.c.r1332643+ httpd-2.4.18/module } /* The request_rec pointer is passed in here only to ensure that the -diff -uap httpd-2.4.18/modules/ssl/ssl_engine_kernel.c.r1332643+ httpd-2.4.18/modules/ssl/ssl_engine_kernel.c ---- httpd-2.4.18/modules/ssl/ssl_engine_kernel.c.r1332643+ -+++ httpd-2.4.18/modules/ssl/ssl_engine_kernel.c -@@ -2297,6 +2297,142 @@ int ssl_callback_SessionTicket(SSL *ssl, +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index 02acd22..dced334 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -2332,6 +2332,142 @@ int ssl_callback_SessionTicket(SSL *ssl, } #endif /* HAVE_TLS_SESSION_TICKETS */ @@ -300,7 +291,7 @@ diff -uap httpd-2.4.18/modules/ssl/ssl_engine_kernel.c.r1332643+ httpd-2.4.18/mo #ifdef HAVE_TLS_ALPN /* -@@ -2319,8 +2455,6 @@ int ssl_callback_alpn_select(SSL *ssl, +@@ -2354,8 +2490,6 @@ int ssl_callback_alpn_select(SSL *ssl, conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); SSLConnRec *sslconn = myConnConfig(c); apr_array_header_t *client_protos; @@ -309,7 +300,7 @@ diff -uap httpd-2.4.18/modules/ssl/ssl_engine_kernel.c.r1332643+ httpd-2.4.18/mo int i; /* If the connection object is not available, -@@ -2350,40 +2484,7 @@ int ssl_callback_alpn_select(SSL *ssl, +@@ -2385,40 +2519,7 @@ int ssl_callback_alpn_select(SSL *ssl, i += plen; } @@ -351,9 +342,10 @@ diff -uap httpd-2.4.18/modules/ssl/ssl_engine_kernel.c.r1332643+ httpd-2.4.18/mo } #endif /* HAVE_TLS_ALPN */ -diff -uap httpd-2.4.18/modules/ssl/ssl_private.h.r1332643+ httpd-2.4.18/modules/ssl/ssl_private.h ---- httpd-2.4.18/modules/ssl/ssl_private.h.r1332643+ -+++ httpd-2.4.18/modules/ssl/ssl_private.h +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index 41b4387..7c440ef 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h @@ -98,6 +98,8 @@ #include #include 
@@ -375,7 +367,7 @@ diff -uap httpd-2.4.18/modules/ssl/ssl_private.h.r1332643+ httpd-2.4.18/modules/ #if defined(SSL_OP_NO_TLSv1_2) #define HAVE_TLSV1_X #endif -@@ -816,6 +823,10 @@ int ssl_callback_ServerNameIndi +@@ -872,6 +879,10 @@ int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int); #endif diff --git a/SOURCES/httpd-2.4.6-r1664565.patch b/SOURCES/httpd-2.4.6-r1664565.patch new file mode 100644 index 0000000..7b5a703 --- /dev/null +++ b/SOURCES/httpd-2.4.6-r1664565.patch 
@@ -0,0 +1,70 @@ +diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c +index 3d1fe3c..b5c73f7 100644 +--- a/modules/mappers/mod_rewrite.c ++++ b/modules/mappers/mod_rewrite.c +@@ -265,6 +265,8 @@ typedef struct { + const char *dbdq; /* SQL SELECT statement for rewritemap */ + const char *checkfile2; /* filename to check for map existence + NULL if only one file */ ++ const char *user; /* run RewriteMap program as this user */ ++ const char *group; /* run RewriteMap program as this group */ + } rewritemap_entry; + + /* special pattern types for RewriteCond */ +@@ -1191,6 +1193,7 @@ static void rewrite_child_errfn(apr_pool_t *p, apr_status_t err, + + static apr_status_t rewritemap_program_child(apr_pool_t *p, + const char *progname, char **argv, ++ const char *user, const char *group, + apr_file_t **fpout, + apr_file_t **fpin) + { +@@ -1203,6 +1206,8 @@ static apr_status_t rewritemap_program_child(apr_pool_t *p, + APR_FULL_BLOCK, APR_NO_PIPE)) + && APR_SUCCESS == (rc=apr_procattr_dir_set(procattr, + ap_make_dirstr_parent(p, argv[0]))) ++ && (!user || APR_SUCCESS == (rc=apr_procattr_user_set(procattr, user, ""))) ++ && (!group || APR_SUCCESS == (rc=apr_procattr_group_set(procattr, group))) + && APR_SUCCESS == (rc=apr_procattr_cmdtype_set(procattr, APR_PROGRAM)) + && APR_SUCCESS == (rc=apr_procattr_child_errfn_set(procattr, + rewrite_child_errfn)) +@@ -1260,6 +1265,7 @@ static apr_status_t run_rewritemap_programs(server_rec *s, apr_pool_t *p) + } + + rc = rewritemap_program_child(p, map->argv[0], map->argv, ++ map->user, map->group, + &fpout, &fpin); + if (rc != APR_SUCCESS || fpin == NULL || fpout == NULL) { + ap_log_error(APLOG_MARK, APLOG_ERR, rc, s, APLOGNO(00654) +@@ -3048,7 +3054,7 @@ static const char *cmd_rewriteoptions(cmd_parms *cmd, + } + + static const char *cmd_rewritemap(cmd_parms *cmd, void *dconf, const char *a1, +- const char *a2) ++ const char *a2, const char *a3) + { + rewrite_server_conf *sconf; + rewritemap_entry *newmap; +@@ 
-3154,6 +3160,11 @@ static const char *cmd_rewritemap(cmd_parms *cmd, void *dconf, const char *a1, + + newmap->type = MAPTYPE_PRG; + newmap->checkfile = newmap->argv[0]; ++ if (a3) { ++ char *tok_cntx; ++ newmap->user = apr_strtok(apr_pstrdup(cmd->pool, a3), ":", &tok_cntx); ++ newmap->group = apr_strtok(NULL, ":", &tok_cntx); ++ } + } + else if (strncasecmp(a2, "int:", 4) == 0) { + newmap->type = MAPTYPE_INT; +@@ -5265,8 +5276,8 @@ static const command_rec command_table[] = { + "an input string and a to be applied regexp-pattern"), + AP_INIT_RAW_ARGS("RewriteRule", cmd_rewriterule, NULL, OR_FILEINFO, + "an URL-applied regexp-pattern and a substitution URL"), +- AP_INIT_TAKE2( "RewriteMap", cmd_rewritemap, NULL, RSRC_CONF, +- "a mapname and a filename"), ++ AP_INIT_TAKE23( "RewriteMap", cmd_rewritemap, NULL, RSRC_CONF, ++ "a mapname and a filename and options"), + { NULL } + }; + diff --git a/SOURCES/httpd-2.4.6-rotatelog-timezone.patch b/SOURCES/httpd-2.4.6-rotatelog-timezone.patch new file mode 100644 index 0000000..b22202e --- /dev/null +++ b/SOURCES/httpd-2.4.6-rotatelog-timezone.patch 
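Review bot: In `cmd_rewritemap`, a third argument that yields no user token leaves `newmap->user` NULL, and `rewritemap_program_child` then skips `apr_procattr_user_set` because of the `!user ||` guard. The map program would then start with the identity of the process that launches it instead of the configuration being rejected. Since `apr_strtok` skips leading separators, a value such as `:group` would, as far as I can tell, be read as a user name. Reject the directive when `a3` is present but does not parse, e.g. `if (!newmap->user) return "RewriteMap: bad user:group argument";` right after the two `apr_strtok` calls. `AP_INIT_TAKE23` also accepts `a3` for every map type while only the `prg:` branch reads it, which the help text should state; both functions continue outside the lines shown.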
@@ -0,0 +1,97 @@ +diff --git a/support/rotatelogs.c b/support/rotatelogs.c +index c2373f56..14b0ec4 100644 +--- a/support/rotatelogs.c ++++ b/support/rotatelogs.c +@@ -151,14 +151,14 @@ static void usage(const char *argv0, const char *reason) + exit(1); + } + +-/* +- * Get the unix time with timezone corrections +- * given in the config struct. +- */ +-static int get_now(rotate_config_t *config) ++/* This function returns the current Unix time (time_t) plus any ++ * configured or derived local time offset. The offset applied is ++ * returned via *offset. */ ++static int get_now(rotate_config_t *config, apr_int32_t *offset) + { + apr_time_t tNow = apr_time_now(); +- int utc_offset = config->utc_offset; ++ int utc_offset; ++ + if (config->use_localtime) { + /* Check for our UTC offset before using it, since it might + * change if there's a switch between standard and daylight +@@ -168,6 +168,13 @@ static int get_now(rotate_config_t *config) + apr_time_exp_lt(<, tNow); + utc_offset = lt.tm_gmtoff; + } ++ else { ++ utc_offset = config->utc_offset; ++ } ++ ++ if (offset) ++ *offset = utc_offset; ++ + return (int)apr_time_sec(tNow) + utc_offset; + } + +@@ -231,13 +238,13 @@ static void checkRotate(rotate_config_t *config, rotate_status_t *status) + status->rotateReason = ROTATE_SIZE; + } + else if (config->tRotation) { +- if (get_now(config) >= status->tLogEnd) { ++ if (get_now(config, NULL) >= status->tLogEnd) { + status->rotateReason = ROTATE_TIME; + } + } + } + else if (config->tRotation) { +- if (get_now(config) >= status->tLogEnd) { ++ if (get_now(config, NULL) >= status->tLogEnd) { + status->rotateReason = ROTATE_TIME; + } + } +@@ -361,12 +368,16 @@ static void truncate_and_write_error(rotate_status_t *status) + static void doRotate(rotate_config_t *config, rotate_status_t *status) + { + +- int now = get_now(config); ++ apr_int32_t offset; ++ int now; + int tLogStart; + apr_status_t rv; + struct logfile newlog; + int thisLogNum = -1; + ++ /* Retrieve 
local-time-adjusted-Unix-time. */ ++ now = get_now(config, &offset); ++ + status->rotateReason = ROTATE_NONE; + + if (config->tRotation) { +@@ -392,7 +403,13 @@ static void doRotate(rotate_config_t *config, rotate_status_t *status) + apr_time_exp_t e; + apr_size_t rs; + +- apr_time_exp_gmt(&e, tNow); ++ /* Explode the local-time-adjusted-Unix-time into a struct tm, ++ * first *reversing* local-time-adjustment applied by ++ * get_now() if we are using localtime. */ ++ if (config->use_localtime) ++ apr_time_exp_lt(&e, tNow - apr_time_from_sec(offset)); ++ else ++ apr_time_exp_gmt(&e, tNow); + apr_strftime(newlog.name, &rs, sizeof(newlog.name), config->szLogRoot, &e); + } + else { +@@ -660,7 +677,7 @@ int main (int argc, const char * const argv[]) + nRead = sizeof(buf); + #if APR_FILES_AS_SOCKETS + if (config.create_empty && config.tRotation) { +- polltimeout = status.tLogEnd ? status.tLogEnd - get_now(&config) : config.tRotation; ++ polltimeout = status.tLogEnd ? status.tLogEnd - get_now(&config, NULL) : config.tRotation; + if (polltimeout <= 0) { + pollret = APR_TIMEUP; + } diff --git a/SOURCES/httpd-2.4.6-sigint.patch b/SOURCES/httpd-2.4.6-sigint.patch index 7574a9c..ecdd82e 100644 --- a/SOURCES/httpd-2.4.6-sigint.patch +++ b/SOURCES/httpd-2.4.6-sigint.patch @@ -1,24 +1,10 @@ -From 20656c3b77cc548b59fea3bde5e2b7705d71c427 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20Kalu=C5=BEa?= -Date: Mon, 18 Aug 2014 07:43:43 +0000 -Subject: [PATCH] prefork: Ignore SIGINT in child. This fixes race-condition in - signals handling when httpd is runnning on foreground and user hits ctrl+c. - In this case, SIGINT is sent to all children followed by SIGTERM from the - main process, which interrupts the SIGINT handler and leads to inconsistency - (process freezes or crashes). - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1618555 13f79535-47bb-0310-9956-ffa450edef68 ---- - server/mpm/prefork/prefork.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - 
diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c -index 8790ec0..d6c038b 100644 +index 559f90a..a386a75 100644 --- a/server/mpm/prefork/prefork.c +++ b/server/mpm/prefork/prefork.c -@@ -222,6 +222,9 @@ static void clean_child_exit(int code) +@@ -220,6 +220,9 @@ static void clean_child_exit(int code) { - mpm_state = AP_MPMQ_STOPPING; + retained->mpm->mpm_state = AP_MPMQ_STOPPING; + apr_signal(SIGHUP, SIG_IGN); + apr_signal(SIGTERM, SIG_IGN); @@ -26,7 +12,7 @@ index 8790ec0..d6c038b 100644 if (pchild) { apr_pool_destroy(pchild); } -@@ -817,6 +820,13 @@ static int make_child(server_rec *s, int slot) +@@ -699,6 +702,13 @@ static int make_child(server_rec *s, int slot, int bucket) */ apr_signal(SIGHUP, just_die); apr_signal(SIGTERM, just_die); @@ -40,6 +26,3 @@ index 8790ec0..d6c038b 100644 /* The child process just closes listeners on AP_SIG_GRACEFUL. * The pod is used for signalling the graceful restart. */ --- -2.0.4 - diff --git a/SOURCES/httpd.init b/SOURCES/httpd.init index a971ab0..a9e7b59 100755 --- a/SOURCES/httpd.init +++ b/SOURCES/httpd.init @@ -71,8 +71,14 @@ start() { # before SIGKILLing the httpd parent; this gives enough time for the # httpd parent to SIGKILL any errant children. stop() { - echo -n $"Stopping $prog: " - killproc -p ${pidfile} -d ${STOP_TIMEOUT} $httpd + status -p ${pidfile} $httpd > /dev/null + if [[ $? = 0 ]]; then + echo -n $"Stopping $prog: " + killproc -p ${pidfile} -d ${STOP_TIMEOUT} $httpd + else + echo -n $"Stopping $prog: " + success + fi RETVAL=$? echo [ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile} diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index bf7d1c4..c9928eb 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -48,8 +48,8 @@ Summary: Apache HTTP Server Name: %{?scl:%scl_prefix}httpd -Version: 2.4.25 -Release: 9%{?dist}.1 +Version: 2.4.27 +Release: 8%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html 
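Review bot: The new `else` branch in `stop()` treats every non-zero result of `status -p ${pidfile} $httpd` as "already stopped" and prints success, and the unchanged `rm -f ${lockfile} ${pidfile}` then runs because `RETVAL` is 0. If `status` fails for another reason (for example an unreadable or stale pid file), a running httpd would be reported as stopped and lose its lock and pid files. Test for the specific "not running" code instead, e.g. `rc=$?; if [ $rc -eq 0 ]; then killproc ...; elif [ $rc -eq 3 ]; then success; else failure; fi`, and quote `"${pidfile}"`. `stop()` continues outside the hunk.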
@@ -104,6 +104,7 @@ Patch28: httpd-2.4.6-r1332643+.patch Patch30: httpd-2.4.4-cachehardmax.patch Patch31: httpd-2.4.6-sslmultiproxy.patch Patch32: httpd-2.4.3-sslsninotreq.patch +Patch33: httpd-2.4.26-sslalpnthunks.patch # Bug fixes Patch56: httpd-2.4.4-mod_unique_id.patch Patch59: httpd-2.4.6-r1556473.patch @@ -111,25 +112,16 @@ Patch62: httpd-2.4.6-apachectl-status.patch Patch63: httpd-2.4.6-ab-overflow.patch Patch64: httpd-2.4.6-sigint.patch Patch65: httpd-2.4.17-autoindex-revert.patch -Patch66: httpd-2.4.18-r1684636.patch Patch68: httpd-2.4.6-ap-ipv6.patch Patch69: httpd-2.4.6-apachectl-httpd-env.patch Patch70: httpd-2.4.6-bomb.patch Patch71: httpd-2.4.18-apachectl-httpd-env2.patch -Patch72: httpd-2.4.18-r1738229.patch -Patch73: httpd-2.4.25-r1778319+.patch Patch74: httpd-2.4.25-rev-r1748324+.patch -Patch75: httpd-2.4.25-r1782332.patch -Patch76: httpd-2.4.25-r1787301.patch - +Patch75: httpd-2.4.6-r1664565.patch +Patch76: httpd-2.4.6-rotatelog-timezone.patch +Patch77: httpd-2.4.27-mod_authz_dbd-missing-query.patch # Security fixes -Patch200: httpd-2.4.25-CVE-2017-3167.patch -Patch201: httpd-2.4.25-CVE-2017-3169.patch -Patch202: httpd-2.4.25-CVE-2017-7659.patch -Patch203: httpd-2.4.25-CVE-2017-7668.patch -Patch204: httpd-2.4.25-CVE-2017-7679.patch -Patch205: httpd-2.4.25-CVE-2017-9788.patch - +Patch200: httpd-2.4.27-CVE-2017-9798.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -147,6 +139,7 @@ Provides: %{?scl:%scl_prefix}mod_dav = %{version}-%{release}, %{?scl:%scl_prefix Provides: %{?scl:%scl_prefix}httpd-mmn = %{mmn}, %{?scl:%scl_prefix}httpd-mmn = %{mmnisa} Requires: %{?scl:%scl_prefix}httpd-tools = %{version}-%{release} Requires(pre): /usr/sbin/useradd +Requires(pre): /usr/sbin/groupadd %if %{use_systemd} BuildRequires: systemd-devel Requires(preun): systemd-units 
@@ -288,11 +281,11 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH %if %{use_systemd} %patch6 -p1 -b .apctlsystemd %patch7 -p1 -b .skiplist -%patch8 -p1 -b .detect-systemd %else %patch62 -p1 -b .apachectlstatus %patch71 -p1 -b .envhttpd2 %endif +%patch8 -p1 -b .detect-systemd %patch20 -p1 -b .mod_systemd %patch21 -p1 -b .fullrelease @@ -305,28 +298,22 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH %patch30 -p1 -b .cachehardmax %patch31 -p1 -b .sslmultiproxy %patch32 -p1 -b .sslsninotreq +%patch33 -p1 -b .sslalpnthunks %patch56 -p1 -b .uniqueid %patch59 -p1 -b .r1556473 %patch63 -p1 -b .aboverflow %patch64 -p1 -b .sigint %patch65 -p1 -b .autoindexrevert -%patch66 -p1 -b .r1684636 %patch68 -p1 -b .ipv6 %patch69 -p1 -b .envhttpd %patch70 -p1 -b .bomb -%patch72 -p1 -b .r1738229 -%patch73 -p1 -b .r1778319+ %patch74 -p1 -b .rev-r1748324+ -%patch75 -p1 -b .r1782332 -%patch76 -p1 -b .r1787301 +%patch75 -p1 -b .r1664565 +%patch76 -p1 -b .rotatelogtimezone +%patch77 -p1 -b .missingquery -%patch200 -p1 -b .cve3167 -%patch201 -p1 -b .cve3169 -%patch202 -p1 -b .cve7659 -%patch203 -p1 -b .cve7668 -%patch204 -p1 -b .cve7679 -%patch205 -p1 -b .cve9788 +%patch200 -p1 -b .CVE-2017-9798 # Patch in the vendor string and the release string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -396,6 +383,9 @@ export LYNX_PATH=/usr/bin/links --with-pcre \ --enable-mods-shared=all \ --enable-ssl --with-ssl --disable-distcache \ +%if 0%{?rhel} >= 7 + --enable-tls-alpn-thunks \ +%endif --enable-proxy \ --enable-cache \ --enable-disk-cache \ @@ -404,7 +394,6 @@ export LYNX_PATH=/usr/bin/links --enable-authn-anon --enable-authn-alias \ --disable-imagemap \ --localstatedir=%{_localstatedir} - $* make %{?_smp_mflags} %install 
@@ -678,8 +667,9 @@ sed -i 's|\$sbindir|%{_sbindir}|' \ %{buildroot}%{_sbindir}/apachectl %pre -# Add the "apache" user -/usr/sbin/useradd -c "Apache" -u 48 \ +# Add the "apache" group and user +/usr/sbin/groupadd -g 48 -r apache 2> /dev/null || : +/usr/sbin/useradd -c "Apache" -u 48 -g apache \ -s /sbin/nologin -r -d %{contentdir} apache 2> /dev/null || : %post 
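Review bot: Both account-creation commands in `%pre` send stderr to `/dev/null` and force success with `|| :`, so a failure other than "already exists" goes unnoticed. If `useradd` fails because UID 48 already belongs to a different account, for instance, the install continues with no diagnostic and presumably without the unprivileged `apache` account the server is meant to run as. Test for existence explicitly and let real errors show: prefix the commands with `getent group apache >/dev/null ||` and `getent passwd apache >/dev/null ||` respectively, and drop the `2> /dev/null`. A trailing `exit 0` can still keep the scriptlet from aborting the transaction if that is the intent.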
@@ -971,9 +961,54 @@ rm -rf $RPM_BUILD_ROOT %endif %changelog -* Wed Jul 26 2017 Luboš Uhliarik - 2.4.25-9.1 -- Resolves: #1473691 - CVE-2017-3167 CVE-2017-3169 CVE-2017-7659 CVE-2017-7668 - CVE-2017-7679 CVE-2017-9788 httpd24-httpd: various flaws +* Wed Sep 20 2017 Luboš Uhliarik - 2.4.27-8 +- Resolves: #1480506 - mod_authz_dbd segfaults when AuthzDBDQuery missing + +* Mon Sep 18 2017 Luboš Uhliarik - 2.4.27-7 +- Related: #1487164 - apache user is not created during httpd + installation when apache group already exist with GID other than 48 + +* Tue Sep 12 2017 Luboš Uhliarik - 2.4.27-6 +- Resolves: #1490947 - CVE-2017-9798 httpd: Use-after-free by limiting + unregistered HTTP method + +* Wed Sep 06 2017 Luboš Uhliarik - 2.4.27-5 +- Resolves: #1488541 - rotatelogs %Z does not use correct timezone + respecting DST + +* Thu Aug 31 2017 Luboš Uhliarik - 2.4.27-4 +- Resolves: #1486832 - RFE: run mod_rewrite external mapping program as non-root + +* Thu Aug 31 2017 Luboš Uhliarik - 2.4.27-3 +- Resolves: #1486843 - apache user is not created during httpd + installation when apache group already exist +- Resolves: #1487164 - apache user is not created during httpd + installation when apache group already exist with GID other than 48 + +* Tue Aug 08 2017 Luboš Uhliarik - 2.4.27-2 +- Resolves: #1475450 - update apr_skiplist to current APR code + +* Mon Jul 31 2017 Luboš Uhliarik - 2.4.27-1 +- new version 2.4.27 + +* Wed Jul 26 2017 Luboš Uhliarik - 2.4.26-5 +- Resolves: #1472846 - CVE-2017-9788 CVE-2017-9789 httpd24-httpd: various flaws +- updated mod_systemd patch + +* Mon Jun 26 2017 Luboš Uhliarik - 2.4.26-4 +- Resolves: #1440858 - graceful start of stopped service fail + +* Fri Jun 23 2017 Luboš Uhliarik - 2.4.26-3 +- Resolves: #1418395 - httpd stop prints failure if service already stopped + +* Thu Jun 22 2017 Joe Orton - 2.4.26-2 +- mod_ssl: add support for ALPN if newer OpenSSL loaded (#1327548) + +* Mon Jun 19 2017 Luboš Uhliarik - 2.4.26-1 +- Resolves: #1461819 - 
RFE: rebase httpd to 2.4.26 + +* Wed May 24 2017 Luboš Uhliarik - 2.4.25-12 +- rebuild * Fri Mar 24 2017 Joe Orton - 2.4.25-9 - link only httpd, not support/* against -lselinux -lsystemd (#1433474)