diff --git a/.gitignore b/.gitignore
index 6188d89..c9ce001 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/httpd-2.4.18.tar.bz2
+SOURCES/httpd-2.4.25.tar.bz2
diff --git a/.httpd24-httpd.metadata b/.httpd24-httpd.metadata
index bd783d7..400eb06 100644
--- a/.httpd24-httpd.metadata
+++ b/.httpd24-httpd.metadata
@@ -1 +1 @@
-271a129f2f04e3aa694e5c2091df9b707bf8ef80 SOURCES/httpd-2.4.18.tar.bz2
+bd6d138c31c109297da2346c6e7b93b9283993d2 SOURCES/httpd-2.4.25.tar.bz2
diff --git a/SOURCES/00-base.conf b/SOURCES/00-base.conf
index c109de6..e99ff0e 100644
--- a/SOURCES/00-base.conf
+++ b/SOURCES/00-base.conf
@@ -64,4 +64,5 @@ LoadModule unixd_module modules/mod_unixd.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule version_module modules/mod_version.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
+LoadModule watchdog_module modules/mod_watchdog.so
diff --git a/SOURCES/00-optional.conf b/SOURCES/00-optional.conf
index 70bda5e..b95c56c 100644
--- a/SOURCES/00-optional.conf
+++ b/SOURCES/00-optional.conf
@@ -6,7 +6,6 @@
#LoadModule asis_module modules/mod_asis.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule file_cache_module modules/mod_file_cache.so
-#LoadModule watchdog_module modules/mod_watchdog.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so
#LoadModule usertrack_module modules/mod_usertrack.so
diff --git a/SOURCES/00-proxy.conf b/SOURCES/00-proxy.conf
index cc0bca0..448eb63 100644
--- a/SOURCES/00-proxy.conf
+++ b/SOURCES/00-proxy.conf
@@ -12,5 +12,6 @@ LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
diff --git a/SOURCES/action-configtest.sh b/SOURCES/action-configtest.sh
index d1cc989..3a702a7 100644
--- a/SOURCES/action-configtest.sh
+++ b/SOURCES/action-configtest.sh
@@ -1,2 +1,6 @@
#!/bin/sh
-exec $sbindir/apachectl configtest
+#!/bin/sh
+if [ -r $sysconfdir/httpd ]; then
+ . $sysconfdir/httpd
+fi
+exec $sbindir/httpd-scl-wrapper -t
diff --git a/SOURCES/action-graceful.sh b/SOURCES/action-graceful.sh
index 5d3c87a..2afa0a2 100644
--- a/SOURCES/action-graceful.sh
+++ b/SOURCES/action-graceful.sh
@@ -1,2 +1,5 @@
#!/bin/sh
-exec $sbindir/apachectl graceful
+if [ -r $sysconfdir/httpd ]; then
+ . $sysconfdir/httpd
+fi
+exec $sbindir/httpd-scl-wrapper -k graceful
diff --git a/SOURCES/httpd-2.4.1-selinux.patch b/SOURCES/httpd-2.4.1-selinux.patch
deleted file mode 100644
index e97c5a4..0000000
--- a/SOURCES/httpd-2.4.1-selinux.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-
-Log the SELinux context at startup.
-
-Upstream-Status: unlikely to be any interest in this upstream
-
---- httpd-2.4.1/configure.in.selinux
-+++ httpd-2.4.1/configure.in
-@@ -458,6 +458,11 @@ fopen64
- dnl confirm that a void pointer is large enough to store a long integer
- APACHE_CHECK_VOID_PTR_LEN
-
-+AC_CHECK_LIB(selinux, is_selinux_enabled, [
-+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
-+ APR_ADDTO(AP_LIBS, [-lselinux])
-+])
-+
- AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
- [AC_TRY_RUN(#define _GNU_SOURCE
- #include <unistd.h>
---- httpd-2.4.1/server/core.c.selinux
-+++ httpd-2.4.1/server/core.c
-@@ -58,6 +58,10 @@
- #include <unistd.h>
- #endif
-
-+#ifdef HAVE_SELINUX
-+#include <selinux/selinux.h>
-+#endif
-+
- /* LimitRequestBody handling */
- #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
- #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
-@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t *
- }
- #endif
-
-+#ifdef HAVE_SELINUX
-+ {
-+ static int already_warned = 0;
-+ int is_enabled = is_selinux_enabled() > 0;
-+
-+ if (is_enabled && !already_warned) {
-+ security_context_t con;
-+
-+ if (getcon(&con) == 0) {
-+
-+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
-+ "SELinux policy enabled; "
-+ "httpd running as context %s", con);
-+
-+ already_warned = 1;
-+
-+ freecon(con);
-+ }
-+ }
-+ }
-+#endif
-+
- return OK;
- }
-
diff --git a/SOURCES/httpd-2.4.10-mod_systemd.patch b/SOURCES/httpd-2.4.10-mod_systemd.patch
new file mode 100644
index 0000000..88d76ac
--- /dev/null
+++ b/SOURCES/httpd-2.4.10-mod_systemd.patch
@@ -0,0 +1,172 @@
+diff --git a/modules/arch/unix/config5.m4 b/modules/arch/unix/config5.m4
+index 77027a8..7a13d5a 100644
+--- a/modules/arch/unix/config5.m4
++++ b/modules/arch/unix/config5.m4
+@@ -18,6 +18,16 @@ APACHE_MODULE(privileges, Per-virtualhost Unix UserIDs and enhanced security for
+ fi
+ ])
+
++APACHE_MODULE(systemd, Systemd support, , , all, [
++ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
++ AC_MSG_WARN([Your system does not support systemd.])
++ enable_systemd="no"
++ else
++ APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
++ enable_systemd="yes"
++ fi
++])
++
+ APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])
+
+ APACHE_MODPATH_FINISH
+diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c
+new file mode 100644
+index 0000000..5381c98
+--- /dev/null
++++ b/modules/arch/unix/mod_systemd.c
+@@ -0,0 +1,145 @@
++/* Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ *
++ */
++
++#include <stdint.h>
++#include <ap_config.h>
++#include "ap_mpm.h"
++#include <http_core.h>
++#include <httpd.h>
++#include <http_log.h>
++#include <apr_version.h>
++#include <apr_pools.h>
++#include <apr_strings.h>
++#include "unixd.h"
++#include "scoreboard.h"
++#include "mpm_common.h"
++
++#include "systemd/sd-daemon.h"
++
++#if APR_HAVE_UNISTD_H
++#include <unistd.h>
++#endif
++
++static int shutdown_timer = 0;
++static int shutdown_counter = 0;
++static unsigned long bytes_served;
++static pid_t mainpid;
++
++static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type)
++{
++ int rv;
++
++ ap_extended_status = 1;
++ mainpid = getpid();
++
++ rv = sd_notifyf(0, "READY=1\n"
++ "STATUS=Processing requests...\n"
++ "MAINPID=%" APR_PID_T_FMT, mainpid);
++ if (rv < 0) {
++ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p, APLOGNO(02395)
++ "sd_notifyf returned an error %d", rv);
++ }
++
++ return OK;
++}
++
++static int systemd_monitor(apr_pool_t *p, server_rec *s)
++{
++ ap_sload_t sload;
++ apr_interval_time_t up_time;
++ char bps[5];
++ int rv;
++
++ ap_get_sload(&sload);
++ /* up_time in seconds */
++ up_time = (apr_uint32_t) apr_time_sec(apr_time_now() -
++ ap_scoreboard_image->global->restart_time);
++
++ apr_strfsize((unsigned long)((float) (sload.bytes_served)
++ / (float) up_time), bps);
++
++ rv = sd_notifyf(0, "READY=1\n"
++ "STATUS=Total requests: %lu; Idle/Busy workers %d/%d;"
++ "Requests/sec: %.3g; Bytes served/sec: %sB/sec\n",
++ sload.access_count, sload.idle, sload.busy,
++ ((float) sload.access_count) / (float) up_time, bps);
++
++ if (rv < 0) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02396)
++ "sd_notifyf returned an error %d", rv);
++ }
++
++ /* Shutdown httpd when nothing is sent for shutdown_timer seconds. */
++ if (sload.bytes_served == bytes_served) {
++ /* mpm_common.c: INTERVAL_OF_WRITABLE_PROBES is 10 */
++ shutdown_counter += 10;
++ if (shutdown_timer > 0 && shutdown_counter >= shutdown_timer) {
++ rv = sd_notifyf(0, "READY=1\n"
++ "STATUS=Stopped as result of IdleShutdown "
++ "timeout.");
++ if (rv < 0) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02804)
++ "sd_notifyf returned an error %d", rv);
++ }
++ kill(mainpid, AP_SIG_GRACEFUL);
++ }
++ }
++ else {
++ shutdown_counter = 0;
++ }
++
++ bytes_served = sload.bytes_served;
++
++ return DECLINED;
++}
++
++static void systemd_register_hooks(apr_pool_t *p)
++{
++ /* We know the PID in this hook ... */
++ ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST);
++ /* Used to update httpd's status line using sd_notifyf */
++ ap_hook_monitor(systemd_monitor, NULL, NULL, APR_HOOK_MIDDLE);
++}
++
++static const char *set_shutdown_timer(cmd_parms *cmd, void *dummy,
++ const char *arg)
++{
++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++ if (err != NULL) {
++ return err;
++ }
++
++ shutdown_timer = atoi(arg);
++ return NULL;
++}
++
++static const command_rec systemd_cmds[] =
++{
++AP_INIT_TAKE1("IdleShutdown", set_shutdown_timer, NULL, RSRC_CONF,
++ "Number of seconds in idle-state after which httpd is shutdown"),
++ {NULL}
++};
++
++AP_DECLARE_MODULE(systemd) = {
++ STANDARD20_MODULE_STUFF,
++ NULL,
++ NULL,
++ NULL,
++ NULL,
++ systemd_cmds,
++ systemd_register_hooks,
++};
diff --git a/SOURCES/httpd-2.4.18-CVE-2016-4979.patch b/SOURCES/httpd-2.4.18-CVE-2016-4979.patch
deleted file mode 100644
index de9a4d9..0000000
--- a/SOURCES/httpd-2.4.18-CVE-2016-4979.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-# ./pullrev.sh 1750808
-http://svn.apache.org/viewvc?view=revision&revision=1750808
-
---- httpd-2.4.18/modules/ssl/ssl_engine_kernel.c
-+++ httpd-2.4.18/modules/ssl/ssl_engine_kernel.c
-@@ -727,6 +727,7 @@
- * on this connection.
- */
- apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
-+ SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);
- return HTTP_FORBIDDEN;
- }
- /* optimization */
diff --git a/SOURCES/httpd-2.4.18-CVE-2016-5387.patch b/SOURCES/httpd-2.4.18-CVE-2016-5387.patch
deleted file mode 100644
index cfbd4a9..0000000
--- a/SOURCES/httpd-2.4.18-CVE-2016-5387.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387
-
---- httpd-2.4.18/server/util_script.c.cve5387
-+++ httpd-2.4.18/server/util_script.c
-@@ -195,6 +195,10 @@
- }
- }
- #endif
-+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+ /* Don't pass through HTTP_PROXY */
-+ continue;
-+ }
- else
- add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
- }
diff --git a/SOURCES/httpd-2.4.18-apxs.patch b/SOURCES/httpd-2.4.18-apxs.patch
deleted file mode 100644
index 1566249..0000000
--- a/SOURCES/httpd-2.4.18-apxs.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-
-Use libdir from configuration.
-
---- httpd-2.4.18/support/apxs.in.apxs
-+++ httpd-2.4.18/support/apxs.in
-@@ -35,6 +35,7 @@ my $CFG_PREFIX = $prefix;
- my $exec_prefix = get_vars("exec_prefix");
- my $datadir = get_vars("datadir");
- my $localstatedir = get_vars("localstatedir");
-+my $libdir = get_vars("libdir");
- my $CFG_TARGET = get_vars("progname");
- my $CFG_SYSCONFDIR = get_vars("sysconfdir");
- my $CFG_CFLAGS = join ' ', map { get_vars($_) }
-@@ -275,7 +276,7 @@ if ($opt_g) {
- $data =~ s|%NAME%|$name|sg;
- $data =~ s|%TARGET%|$CFG_TARGET|sg;
- $data =~ s|%PREFIX%|$prefix|sg;
-- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg;
-+ $data =~ s|%LIBDIR%|$libdir|sg;
-
- my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s);
-
-@@ -453,11 +454,11 @@ if ($opt_c) {
- my $ldflags = "$CFG_LDFLAGS";
- if ($opt_p == 1) {
-
-- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`;
-+ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`;
- chomp($apr_libs);
- my $apu_libs="";
- if ($apr_major_version < 2) {
-- $apu_libs=`$apu_config --ldflags --link-libtool --libs`;
-+ $apu_libs=`$apu_config --ldflags --link-libtool`;
- chomp($apu_libs);
- }
-
-@@ -672,8 +673,8 @@ __DATA__
-
- builddir=.
- top_srcdir=%PREFIX%
--top_builddir=%PREFIX%
--include %INSTALLBUILDDIR%/special.mk
-+top_builddir=%LIBDIR%/httpd
-+include %LIBDIR%/httpd/build/special.mk
-
- # the used tools
- APACHECTL=apachectl
diff --git a/SOURCES/httpd-2.4.18-documentroot.patch b/SOURCES/httpd-2.4.18-documentroot.patch
deleted file mode 100644
index 182bc04..0000000
--- a/SOURCES/httpd-2.4.18-documentroot.patch
+++ /dev/null
@@ -1,13 +0,0 @@
---- a/server/core.c 2013/07/24 09:49:38 1506473
-+++ b/server/core.c 2013/07/24 09:51:14 1506474
-@@ -1481,7 +1481,9 @@
- conf->ap_document_root = arg;
- }
- else {
-- return "DocumentRoot must be a directory";
-+ return apr_psprintf(cmd->pool,
-+ "DocumentRoot '%s' is not a directory, or is not readable",
-+ arg);
- }
- }
- return NULL;
diff --git a/SOURCES/httpd-2.4.25-apxs.patch b/SOURCES/httpd-2.4.25-apxs.patch
new file mode 100644
index 0000000..83b1849
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-apxs.patch
@@ -0,0 +1,59 @@
+
+- use libdir from configuration.
+- only link against -lapr itself
+- also run restorecon on install module .so
+
+--- httpd-2.4.25/support/apxs.in.apxs
++++ httpd-2.4.25/support/apxs.in
+@@ -35,6 +35,7 @@
+ my $exec_prefix = get_vars("exec_prefix");
+ my $datadir = get_vars("datadir");
+ my $localstatedir = get_vars("localstatedir");
++my $libdir = get_vars("libdir");
+ my $CFG_TARGET = get_vars("progname");
+ my $CFG_SYSCONFDIR = get_vars("sysconfdir");
+ my $CFG_CFLAGS = join ' ', map { get_vars($_) }
+@@ -275,7 +276,7 @@
+ $data =~ s|%NAME%|$name|sg;
+ $data =~ s|%TARGET%|$CFG_TARGET|sg;
+ $data =~ s|%PREFIX%|$prefix|sg;
+- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg;
++ $data =~ s|%LIBDIR%|$libdir|sg;
+
+ my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s);
+
+@@ -453,11 +454,11 @@
+ my $ldflags = "$CFG_LDFLAGS";
+ if ($opt_p == 1) {
+
+- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`;
++ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`;
+ chomp($apr_libs);
+ my $apu_libs="";
+ if ($apr_major_version < 2) {
+- $apu_libs=`$apu_config --ldflags --link-libtool --libs`;
++ $apu_libs=`$apu_config --ldflags --link-libtool`;
+ chomp($apu_libs);
+ }
+
+@@ -504,6 +505,9 @@
+ push(@cmds, "$installbuilddir/instdso.sh SH_LIBTOOL='" .
+ "$libtool' $f $CFG_LIBEXECDIR");
+ push(@cmds, "chmod 755 $CFG_LIBEXECDIR/$t");
++ if (-x "/sbin/restorecon") {
++ push(@cmds, "restorecon -v $CFG_LIBEXECDIR/$t");
++ }
+ }
+
+ # determine module symbolname and filename
+@@ -672,8 +676,8 @@
+
+ builddir=.
+ top_srcdir=%PREFIX%
+-top_builddir=%PREFIX%
+-include %INSTALLBUILDDIR%/special.mk
++top_builddir=%LIBDIR%/httpd
++include %LIBDIR%/httpd/build/special.mk
+
+ # the used tools
+ APACHECTL=apachectl
diff --git a/SOURCES/httpd-2.4.25-detect-systemd.patch b/SOURCES/httpd-2.4.25-detect-systemd.patch
new file mode 100644
index 0000000..f8e302b
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-detect-systemd.patch
@@ -0,0 +1,75 @@
+diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4
+diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4
+diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4
+--- httpd-2.4.25/acinclude.m4.detectsystemd
++++ httpd-2.4.25/acinclude.m4
+@@ -604,6 +604,30 @@
+ fi
+ ])
+
++AC_DEFUN(APACHE_CHECK_SYSTEMD, [
++dnl Check for systemd support for listen.c's socket activation.
++case $host in
++*-linux-*)
++ if test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd; then
++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
++ elif test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd-daemon; then
++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd-daemon`
++ else
++ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon")
++ fi
++ if test -n "$SYSTEMD_LIBS"; then
++ AC_CHECK_HEADERS(systemd/sd-daemon.h)
++ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
++ AC_MSG_WARN([Your system does not support systemd.])
++ else
++ APR_ADDTO(HTTPD_LIBS, [$SYSTEMD_LIBS])
++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported])
++ fi
++ fi
++ ;;
++esac
++])
++
+ dnl
+ dnl APACHE_EXPORT_ARGUMENTS
+ dnl Export (via APACHE_SUBST) the various path-related variables that
+diff -uap httpd-2.4.25/configure.in.detectsystemd httpd-2.4.25/configure.in
+--- httpd-2.4.25/configure.in.detectsystemd
++++ httpd-2.4.25/configure.in
+@@ -234,6 +234,7 @@
+ AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
+ APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
+ APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
++ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
+ else
+ AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
+ fi
+@@ -504,6 +510,8 @@
+ AC_DEFINE(HAVE_GMTOFF, 1, [Define if struct tm has a tm_gmtoff field])
+ fi
+
++APACHE_CHECK_SYSTEMD
++
+ dnl ## Set up any appropriate OS-specific environment variables for apachectl
+
+ case $host in
+@@ -668,6 +676,7 @@
+ APACHE_SUBST(BUILTIN_LIBS)
+ APACHE_SUBST(SHLIBPATH_VAR)
+ APACHE_SUBST(OS_SPECIFIC_VARS)
++APACHE_SUBST(HTTPD_LIBS)
+
+ PRE_SHARED_CMDS='echo ""'
+ POST_SHARED_CMDS='echo ""'
+--- httpd-2.4.25/Makefile.in.detectsystemd
++++ httpd-2.4.25/Makefile.in
+@@ -4,7 +4,7 @@
+
+ PROGRAM_NAME = $(progname)
+ PROGRAM_SOURCES = modules.c
+-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(PCRE_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
++PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
+ PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c
+ PROGRAM_DEPENDENCIES = \
+ server/libmain.la \
diff --git a/SOURCES/httpd-2.4.25-r1778319+.patch b/SOURCES/httpd-2.4.25-r1778319+.patch
new file mode 100644
index 0000000..b791e9d
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-r1778319+.patch
@@ -0,0 +1,32 @@
+# ./pullrev.sh 1778319 1778331
+
+http://svn.apache.org/viewvc?view=revision&revision=1778319
+http://svn.apache.org/viewvc?view=revision&revision=1778331
+
+--- httpd-2.4.25/modules/core/mod_watchdog.c
++++ httpd-2.4.25/modules/core/mod_watchdog.c
+@@ -436,19 +436,19 @@
+ {
+ apr_status_t rv;
+ const char *pk = "watchdog_init_module_tag";
+- apr_pool_t *pproc = s->process->pool;
++ apr_pool_t *ppconf = pconf;
+ const apr_array_header_t *wl;
+
+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+ /* First time config phase -- skip. */
+ return OK;
+
+- apr_pool_userdata_get((void *)&wd_server_conf, pk, pproc);
++ apr_pool_userdata_get((void *)&wd_server_conf, pk, ppconf);
+ if (!wd_server_conf) {
+- if (!(wd_server_conf = apr_pcalloc(pproc, sizeof(wd_server_conf_t))))
++ if (!(wd_server_conf = apr_pcalloc(ppconf, sizeof(wd_server_conf_t))))
+ return APR_ENOMEM;
+- apr_pool_create(&wd_server_conf->pool, pproc);
+- apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, pproc);
++ apr_pool_create(&wd_server_conf->pool, ppconf);
++ apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, ppconf);
+ }
+ wd_server_conf->s = s;
+ if ((wl = ap_list_provider_names(pconf, AP_WATCHDOG_PGROUP,
diff --git a/SOURCES/httpd-2.4.25-r1782332.patch b/SOURCES/httpd-2.4.25-r1782332.patch
new file mode 100644
index 0000000..5b1c25b
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-r1782332.patch
@@ -0,0 +1,50 @@
+# ./pullrev.sh 1782332
+http://svn.apache.org/viewvc?view=revision&revision=1782332
+
+--- httpd-2.4.25/modules/proxy/mod_proxy.c
++++ httpd-2.4.25/modules/proxy/mod_proxy.c
+@@ -764,6 +764,10 @@
+ || !r->uri || r->uri[0] != '/') {
+ return DECLINED;
+ }
++
++ if (apr_table_get(r->subprocess_env, "no-proxy")) {
++ return DECLINED;
++ }
+
+ /* XXX: since r->uri has been manipulated already we're not really
+ * compliant with RFC1945 at this point. But this probably isn't
+@@ -771,29 +775,18 @@
+ */
+
+ dconf = ap_get_module_config(r->per_dir_config, &proxy_module);
+- conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config,
+- &proxy_module);
++
+ /* short way - this location is reverse proxied? */
+ if (dconf->alias) {
+ int rv = ap_proxy_trans_match(r, dconf->alias, dconf);
+- if (OK == rv) {
+- /* Got a hit. Need to make sure it's not explicitly declined */
+- if (conf->aliases->nelts) {
+- ent = (struct proxy_alias *) conf->aliases->elts;
+- for (i = 0; i < conf->aliases->nelts; i++) {
+- int rv = ap_proxy_trans_match(r, &ent[i], dconf);
+- if (DECLINED == rv) {
+- return DECLINED;
+- }
+- }
+- }
+- return OK;
+- }
+ if (DONE != rv) {
+ return rv;
+ }
+ }
+
++ conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config,
++ &proxy_module);
++
+ /* long way - walk the list of aliases, find a match */
+ if (conf->aliases->nelts) {
+ ent = (struct proxy_alias *) conf->aliases->elts;
diff --git a/SOURCES/httpd-2.4.25-r1787301.patch b/SOURCES/httpd-2.4.25-r1787301.patch
new file mode 100644
index 0000000..232e8f0
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-r1787301.patch
@@ -0,0 +1,16 @@
+# ./pullrev.sh 1787301
+http://svn.apache.org/viewvc?view=revision&revision=1787301
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1432249
+
+--- httpd-2.4.25/server/listen.c
++++ httpd-2.4.25/server/listen.c
+@@ -153,7 +153,7 @@
+ #endif
+
+ #if defined(SO_REUSEPORT)
+- if (ap_have_so_reuseport) {
++ if (ap_have_so_reuseport && ap_listencbratio > 0) {
+ int thesock;
+ apr_os_sock_get(&thesock, s);
+ if (setsockopt(thesock, SOL_SOCKET, SO_REUSEPORT,
diff --git a/SOURCES/httpd-2.4.25-rev-r1748324+.patch b/SOURCES/httpd-2.4.25-rev-r1748324+.patch
new file mode 100644
index 0000000..5586c7c
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-rev-r1748324+.patch
@@ -0,0 +1,58 @@
+
+Reverses two changes to mod_proxy_fcgi.c to get back to pre-2.4.23 behaviour:
+
+https://svn.apache.org/r1748324
+https://svn.apache.org/r1755077
+
+diff -uap httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c.rev-r1748324+ httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c
+--- httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c.rev-r1748324+
++++ httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c
+@@ -253,6 +253,7 @@
+ apr_status_t rv;
+ apr_size_t avail_len, len, required_len;
+ int next_elem, starting_elem;
++ char *proxyfilename = r->filename;
+ fcgi_req_config_t *rconf = ap_get_module_config(r->request_config, &proxy_fcgi_module);
+
+ if (rconf) {
+@@ -261,33 +262,18 @@
+ }
+ }
+
+- /* Strip proxy: prefixes */
+- if (r->filename) {
+- char *newfname = NULL;
+-
+- if (!strncmp(r->filename, "proxy:balancer://", 17)) {
+- newfname = apr_pstrdup(r->pool, r->filename+17);
+- }
+- else if (!strncmp(r->filename, "proxy:fcgi://", 13)) {
+- newfname = apr_pstrdup(r->pool, r->filename+13);
+- }
+- /* Query string in environment only */
+- if (newfname && r->args && *r->args) {
+- char *qs = strrchr(newfname, '?');
+- if (qs && !strcmp(qs+1, r->args)) {
+- *qs = '\0';
+- }
+- }
+-
+- if (newfname) {
+- newfname = ap_strchr(newfname, '/');
+- r->filename = newfname;
+- }
++ /* Strip balancer prefix */
++ if (r->filename && !strncmp(r->filename, "proxy:balancer://", 17)) {
++ char *newfname = apr_pstrdup(r->pool, r->filename+17);
++ newfname = ap_strchr(newfname, '/');
++ r->filename = newfname;
+ }
+
+ ap_add_common_vars(r);
+ ap_add_cgi_vars(r);
+
++ r->filename = proxyfilename;
++
+ /* XXX are there any FastCGI specific env vars we need to send? */
+
+ /* XXX mod_cgi/mod_cgid use ap_create_environment here, which fills in
diff --git a/SOURCES/httpd-2.4.25-selinux.patch b/SOURCES/httpd-2.4.25-selinux.patch
new file mode 100644
index 0000000..fa4614a
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-selinux.patch
@@ -0,0 +1,61 @@
+
+Log the SELinux context at startup.
+
+Upstream-Status: unlikely to be any interest in this upstream
+
+--- httpd-2.4.1/configure.in.selinux
++++ httpd-2.4.1/configure.in
+@@ -458,6 +458,11 @@ fopen64
+ dnl confirm that a void pointer is large enough to store a long integer
+ APACHE_CHECK_VOID_PTR_LEN
+
++AC_CHECK_LIB(selinux, is_selinux_enabled, [
++ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
++ APR_ADDTO(HTTPD_LIBS, [-lselinux])
++])
++
+ AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+ [AC_TRY_RUN(#define _GNU_SOURCE
+ #include <unistd.h>
+--- httpd-2.4.1/server/core.c.selinux
++++ httpd-2.4.1/server/core.c
+@@ -58,6 +58,10 @@
+ #include <unistd.h>
+ #endif
+
++#ifdef HAVE_SELINUX
++#include <selinux/selinux.h>
++#endif
++
+ /* LimitRequestBody handling */
+ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
+ #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
+@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t *
+ }
+ #endif
+
++#ifdef HAVE_SELINUX
++ {
++ static int already_warned = 0;
++ int is_enabled = is_selinux_enabled() > 0;
++
++ if (is_enabled && !already_warned) {
++ security_context_t con;
++
++ if (getcon(&con) == 0) {
++
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "SELinux policy enabled; "
++ "httpd running as context %s", con);
++
++ already_warned = 1;
++
++ freecon(con);
++ }
++ }
++ }
++#endif
++
+ return OK;
+ }
+
diff --git a/SOURCES/httpd-2.4.3-apctl-systemd.patch b/SOURCES/httpd-2.4.3-apctl-systemd.patch
index d8adf87..0555fa0 100644
--- a/SOURCES/httpd-2.4.3-apctl-systemd.patch
+++ b/SOURCES/httpd-2.4.3-apctl-systemd.patch
@@ -1,4 +1,8 @@
+Make apachectl run via systemctl.
+
+Note: "apachectl graceful" is documented to start httpd if not running.
+
Upstream-Status: vendor specific patch
--- httpd-2.4.18/support/apachectl.in.apctlsystemd
diff --git a/SOURCES/httpd-2.4.3-mod_systemd.patch b/SOURCES/httpd-2.4.3-mod_systemd.patch
deleted file mode 100644
index a9b1fd9..0000000
--- a/SOURCES/httpd-2.4.3-mod_systemd.patch
+++ /dev/null
@@ -1,163 +0,0 @@
---- httpd-2.4.3/modules/arch/unix/config5.m4.systemd
-+++ httpd-2.4.3/modules/arch/unix/config5.m4
-@@ -18,6 +18,19 @@ APACHE_MODULE(privileges, Per-virtualhos
- fi
- ])
-
-+
-+APACHE_MODULE(systemd, Systemd support, , , $unixd_mods_enabled, [
-+ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon")
-+ AC_CHECK_HEADERS(systemd/sd-daemon.h, [ap_HAVE_SD_DAEMON_H="yes"], [ap_HAVE_SD_DAEMON_H="no"])
-+ if test $ap_HAVE_SD_DAEMON_H = "no" || test -z "${SYSTEMD_LIBS}"; then
-+ AC_MSG_WARN([Your system does not support systemd.])
-+ enable_systemd="no"
-+ else
-+ APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
-+ enable_systemd="yes"
-+ fi
-+])
-+
- APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])
-
- APACHE_MODPATH_FINISH
---- httpd-2.4.3/modules/arch/unix/mod_systemd.c.systemd
-+++ httpd-2.4.3/modules/arch/unix/mod_systemd.c
-@@ -0,0 +1,138 @@
-+/* Licensed to the Apache Software Foundation (ASF) under one or more
-+ * contributor license agreements. See the NOTICE file distributed with
-+ * this work for additional information regarding copyright ownership.
-+ * The ASF licenses this file to You under the Apache License, Version 2.0
-+ * (the "License"); you may not use this file except in compliance with
-+ * the License. You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ *
-+ */
-+
-+#include <stdint.h>
-+#include <ap_config.h>
-+#include "ap_mpm.h"
-+#include <http_core.h>
-+#include <http_log.h>
-+#include <apr_version.h>
-+#include <apr_pools.h>
-+#include <apr_strings.h>
-+#include "unixd.h"
-+#include "scoreboard.h"
-+#include "mpm_common.h"
-+
-+#include "systemd/sd-daemon.h"
-+
-+#if APR_HAVE_UNISTD_H
-+#include <unistd.h>
-+#endif
-+
-+#define KBYTE 1024
-+
-+static pid_t pid; /* PID of the main httpd instance */
-+static int server_limit, thread_limit, threads_per_child, max_servers;
-+static time_t last_update_time;
-+static unsigned long last_update_access;
-+static unsigned long last_update_kbytes;
-+
-+static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type)
-+{
-+ int rv;
-+ last_update_time = time(0);
-+
-+ ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
-+ ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit);
-+ ap_mpm_query(AP_MPMQ_MAX_THREADS, &threads_per_child);
-+ /* work around buggy MPMs */
-+ if (threads_per_child == 0)
-+ threads_per_child = 1;
-+ ap_mpm_query(AP_MPMQ_MAX_DAEMONS, &max_servers);
-+
-+ pid = getpid();
-+
-+ rv = sd_notifyf(0, "READY=1\n"
-+ "STATUS=Processing requests...\n"
-+ "MAINPID=%lu",
-+ (unsigned long) pid);
-+ if (rv < 0) {
-+ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
-+ "sd_notifyf returned an error %d", rv);
-+ }
-+
-+ return OK;
-+}
-+
-+static int systemd_monitor(apr_pool_t *p, server_rec *s)
-+{
-+ int i, j, res, rv;
-+ process_score *ps_record;
-+ worker_score *ws_record;
-+ unsigned long access = 0;
-+ unsigned long bytes = 0;
-+ unsigned long kbytes = 0;
-+ char bps[5];
-+ time_t now = time(0);
-+ time_t elapsed = now - last_update_time;
-+
-+ for (i = 0; i < server_limit; ++i) {
-+ ps_record = ap_get_scoreboard_process(i);
-+ for (j = 0; j < thread_limit; ++j) {
-+ ws_record = ap_get_scoreboard_worker_from_indexes(i, j);
-+ if (ap_extended_status && !ps_record->quiescing && ps_record->pid) {
-+ res = ws_record->status;
-+ if (ws_record->access_count != 0 ||
-+ (res != SERVER_READY && res != SERVER_DEAD)) {
-+ access += ws_record->access_count;
-+ bytes += ws_record->bytes_served;
-+ if (bytes >= KBYTE) {
-+ kbytes += (bytes >> 10);
-+ bytes = bytes & 0x3ff;
-+ }
-+ }
-+ }
-+ }
-+ }
-+
-+ apr_strfsize((unsigned long)(KBYTE *(float) (kbytes - last_update_kbytes)
-+ / (float) elapsed), bps);
-+
-+ rv = sd_notifyf(0, "READY=1\n"
-+ "STATUS=Total requests: %lu; Current requests/sec: %.3g; "
-+ "Current traffic: %sB/sec\n", access,
-+ ((float)access - last_update_access) / (float) elapsed, bps);
-+ if (rv < 0) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(00000)
-+ "sd_notifyf returned an error %d", rv);
-+ }
-+
-+ last_update_access = access;
-+ last_update_kbytes = kbytes;
-+ last_update_time = now;
-+
-+ return DECLINED;
-+}
-+
-+static void systemd_register_hooks(apr_pool_t *p)
-+{
-+ /* We know the PID in this hook ... */
-+ ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST);
-+ /* Used to update httpd's status line using sd_notifyf */
-+ ap_hook_monitor(systemd_monitor, NULL, NULL, APR_HOOK_MIDDLE);
-+}
-+
-+module AP_MODULE_DECLARE_DATA systemd_module =
-+{
-+ STANDARD20_MODULE_STUFF,
-+ NULL,
-+ NULL,
-+ NULL,
-+ NULL,
-+ NULL,
-+ systemd_register_hooks,
-+};
diff --git a/SOURCES/httpd-2.4.4-malformed-host.patch b/SOURCES/httpd-2.4.4-malformed-host.patch
deleted file mode 100644
index 57975e5..0000000
--- a/SOURCES/httpd-2.4.4-malformed-host.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/server/protocol.c b/server/protocol.c
-index e1ef204..d6d9165 100644
---- a/server/protocol.c
-+++ b/server/protocol.c
-@@ -1049,6 +1049,7 @@ request_rec *ap_read_request(conn_rec *conn)
- * now read. may update status.
- */
- ap_update_vhost_from_headers(r);
-+ access_status = r->status;
-
- /* Toggle to the Host:-based vhost's timeout mode to fetch the
- * request body and send the response body, if needed.
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 46482a7..454209d 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -48,8 +48,8 @@
Summary: Apache HTTP Server
Name: %{?scl:%scl_prefix}httpd
-Version: 2.4.18
-Release: 11%{?dist}
+Version: 2.4.25
+Release: 9%{?dist}
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@@ -86,17 +86,18 @@ Source41: htcacheclean.sysconf
Source42: htcacheclean.init
# build/scripts patches
Patch1: httpd-2.4.1-apctl.patch
-Patch2: httpd-2.4.18-apxs.patch
+Patch2: httpd-2.4.25-apxs.patch
Patch3: httpd-2.4.1-deplibs.patch
Patch5: httpd-2.4.3-layout.patch
Patch6: httpd-2.4.3-apctl-systemd.patch
Patch7: httpd-2.4.12-skiplist.patch
-Patch8: httpd-2.4.3-mod_systemd.patch
+Patch8: httpd-2.4.25-detect-systemd.patch
# Features/functional changes
+Patch20: httpd-2.4.10-mod_systemd.patch
Patch21: httpd-2.4.6-full-release.patch
Patch23: httpd-2.4.4-export.patch
Patch24: httpd-2.4.1-corelimit.patch
-Patch25: httpd-2.4.1-selinux.patch
+Patch25: httpd-2.4.25-selinux.patch
Patch26: httpd-2.4.4-r1337344+.patch
Patch27: httpd-2.4.2-icons.patch
Patch28: httpd-2.4.6-r1332643+.patch
@@ -104,7 +105,6 @@ Patch30: httpd-2.4.4-cachehardmax.patch
Patch31: httpd-2.4.6-sslmultiproxy.patch
Patch32: httpd-2.4.3-sslsninotreq.patch
# Bug fixes
-Patch55: httpd-2.4.4-malformed-host.patch
Patch56: httpd-2.4.4-mod_unique_id.patch
Patch59: httpd-2.4.6-r1556473.patch
Patch62: httpd-2.4.6-apachectl-status.patch
@@ -112,15 +112,18 @@ Patch63: httpd-2.4.6-ab-overflow.patch
Patch64: httpd-2.4.6-sigint.patch
Patch65: httpd-2.4.17-autoindex-revert.patch
Patch66: httpd-2.4.18-r1684636.patch
-Patch67: httpd-2.4.18-documentroot.patch
Patch68: httpd-2.4.6-ap-ipv6.patch
Patch69: httpd-2.4.6-apachectl-httpd-env.patch
Patch70: httpd-2.4.6-bomb.patch
Patch71: httpd-2.4.18-apachectl-httpd-env2.patch
Patch72: httpd-2.4.18-r1738229.patch
+Patch73: httpd-2.4.25-r1778319+.patch
+Patch74: httpd-2.4.25-rev-r1748324+.patch
+Patch75: httpd-2.4.25-r1782332.patch
+Patch76: httpd-2.4.25-r1787301.patch
+
# Security fixes
-Patch100: httpd-2.4.18-CVE-2016-5387.patch
-Patch101: httpd-2.4.18-CVE-2016-4979.patch
+
License: ASL 2.0
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -146,10 +149,8 @@ Requires(post): systemd-units
%else
Requires(post): chkconfig
%endif
-%if 0%{?rhel} < 7
Requires(post): policycoreutils
Requires(post): policycoreutils-python
-%endif
%{?scl:Requires:%scl_runtime}
%description
@@ -281,12 +282,13 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH
%if %{use_systemd}
%patch6 -p1 -b .apctlsystemd
%patch7 -p1 -b .skiplist
-%patch8 -p1 -b .systemd
+%patch8 -p1 -b .detect-systemd
%else
%patch62 -p1 -b .apachectlstatus
%patch71 -p1 -b .envhttpd2
%endif
+%patch20 -p1 -b .mod_systemd
%patch21 -p1 -b .fullrelease
%patch23 -p1 -b .export
%patch24 -p1 -b .corelimit
@@ -298,21 +300,20 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH
%patch31 -p1 -b .sslmultiproxy
%patch32 -p1 -b .sslsninotreq
-%patch55 -p1 -b .malformedhost
%patch56 -p1 -b .uniqueid
%patch59 -p1 -b .r1556473
%patch63 -p1 -b .aboverflow
%patch64 -p1 -b .sigint
%patch65 -p1 -b .autoindexrevert
%patch66 -p1 -b .r1684636
-%patch67 -p1 -b .documentroot
%patch68 -p1 -b .ipv6
%patch69 -p1 -b .envhttpd
%patch70 -p1 -b .bomb
%patch72 -p1 -b .r1738229
-
-%patch100 -p1 -b .cve5387
-%patch101 -p1 -b .cve4979
+%patch73 -p1 -b .r1778319+
+%patch74 -p1 -b .rev-r1748324+
+%patch75 -p1 -b .r1782332
+%patch76 -p1 -b .r1787301
# Patch in the vendor string and the release string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -604,7 +605,7 @@ mkdir -p $RPM_BUILD_ROOT/%{_root_libexecdir}/initscripts/legacy-actions/%{?scl:%
for f in graceful configtest; do
install -p -m 755 $RPM_SOURCE_DIR/action-${f}.sh \
$RPM_BUILD_ROOT/%{_root_libexecdir}/initscripts/legacy-actions/%{?scl:%scl_prefix}httpd/${f}
- sed -i 's|\$sbindir|%{_sbindir}|' \
+ sed -i 's|\$sbindir|%{_sbindir}|;s|\$sysconfdir|%{_sysconfdir}/sysconfig|' \
$RPM_BUILD_ROOT/%{_root_libexecdir}/initscripts/legacy-actions/%{?scl:%scl_prefix}httpd/${f}
done
%endif
@@ -676,7 +677,7 @@ restorecon -R %{_scl_root} >/dev/null 2>&1 || :
%if %{use_systemd}
%systemd_post %{httpd_service} %{htcacheclean_service}
-semanage fcontext -a -t httpd_exec_t "%{_root_sbindir}/httpd-scl-wrapper"
+semanage fcontext -a -t httpd_exec_t "%{_root_sbindir}/httpd-scl-wrapper" >/dev/null 2>&1 || :
restorecon -R %{_scl_root} >/dev/null 2>&1 || :
%else
# Register the httpd service
@@ -739,7 +740,8 @@ fi
%{_root_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > %{sslkey} 2> /dev/null
FQDN=`hostname`
-if [ "x${FQDN}" = "x" ]; then
+# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress
+if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
FQDN=localhost.localdomain
fi
@@ -781,14 +783,27 @@ if readelf -d $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so | grep TEXTREL; then
: modules contain non-relocatable code
exit 1
fi
+set +x
+rv=0
# Ensure every mod_* that's built is loaded.
for f in $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so; do
m=${f##*/}
if ! grep -q $m $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf; then
echo ERROR: Module $m not configured. Disable it, or load it.
- exit 1
+ rv=1
+ fi
+done
+# Ensure every loaded mod_* is actually built
+mods=`grep -h ^LoadModule $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf | sed 's,.*modules/,,'`
+for m in $mods; do
+ f=$RPM_BUILD_ROOT%{_libdir}/httpd/modules/${m}
+ if ! test -x $f; then
+ echo ERROR: Module $m is configured but not built.
+ rv=1
fi
done
+set -x
+exit $rv
%clean
rm -rf $RPM_BUILD_ROOT
@@ -943,6 +958,36 @@ rm -rf $RPM_BUILD_ROOT
%endif
%changelog
+* Fri Mar 24 2017 Joe Orton <jorton@redhat.com> - 2.4.25-9
+- link only httpd, not support/* against -lselinux -lsystemd (#1433474)
+- don't enable SO_REUSEPORT in default configuration (#1432249)
+
+* Thu Mar 2 2017 Joe Orton <jorton@redhat.com> - 2.4.25-8
+- always require policycoreutils; fail silently if SELinux is disabled (#1376738)
+
+* Thu Mar 2 2017 Joe Orton <jorton@redhat.com> - 2.4.25-7
+- run restorecon during apxs -i (#1093057)
+
+* Thu Mar 2 2017 Joe Orton <jorton@redhat.com> - 2.4.25-6
+- fix legacy systemd actions (#1329639)
+
+* Thu Mar 2 2017 Joe Orton <jorton@redhat.com> - 2.4.25-5
+- mod_proxy_fcgi: revert to pre-2.4.23 SCRIPT_FILENAME mangling (#1414037)
+- mod_proxy: fix regression in per-dir ProxyPass (#1417482)
+
+* Fri Jan 20 2017 Joe Orton <jorton@redhat.com> - 2.4.25-4
+- mod_watchdog: fix pool lifetime issue (#1410883)
+
+* Fri Jan 20 2017 Joe Orton <jorton@redhat.com> - 2.4.25-3
+- update systemd library detection
+
+* Fri Jan 20 2017 Joe Orton <jorton@redhat.com> - 2.4.25-2
+- merge default config changes from Fedora
+- mod_ssl: use "localhost" in the dummy SSL cert if len(FQDN) > 59 chars
+
+* Thu Jan 12 2017 Luboš Uhliarik <luhliari@redhat.com> - 2.4.25-1
+- Resolves: #1404778 - RFE: update httpd24 collection
+
* Wed Jul 13 2016 Joe Orton <jorton@redhat.com> - 2.4.18-11
- add security fix for CVE-2016-5387
- mod_ssl: add security fix for CVE-2016-4979