diff --git a/.gitignore b/.gitignore index 6188d89..c9ce001 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/httpd-2.4.18.tar.bz2 +SOURCES/httpd-2.4.25.tar.bz2 diff --git a/.httpd24-httpd.metadata b/.httpd24-httpd.metadata index bd783d7..400eb06 100644 --- a/.httpd24-httpd.metadata +++ b/.httpd24-httpd.metadata @@ -1 +1 @@ -271a129f2f04e3aa694e5c2091df9b707bf8ef80 SOURCES/httpd-2.4.18.tar.bz2 +bd6d138c31c109297da2346c6e7b93b9283993d2 SOURCES/httpd-2.4.25.tar.bz2 diff --git a/SOURCES/00-base.conf b/SOURCES/00-base.conf index c109de6..e99ff0e 100644 --- a/SOURCES/00-base.conf +++ b/SOURCES/00-base.conf @@ -64,4 +64,5 @@ LoadModule unixd_module modules/mod_unixd.so LoadModule userdir_module modules/mod_userdir.so LoadModule version_module modules/mod_version.so LoadModule vhost_alias_module modules/mod_vhost_alias.so +LoadModule watchdog_module modules/mod_watchdog.so diff --git a/SOURCES/00-optional.conf b/SOURCES/00-optional.conf index 70bda5e..b95c56c 100644 --- a/SOURCES/00-optional.conf +++ b/SOURCES/00-optional.conf @@ -6,7 +6,6 @@ #LoadModule asis_module modules/mod_asis.so #LoadModule buffer_module modules/mod_buffer.so #LoadModule file_cache_module modules/mod_file_cache.so -#LoadModule watchdog_module modules/mod_watchdog.so #LoadModule heartbeat_module modules/mod_heartbeat.so #LoadModule heartmonitor_module modules/mod_heartmonitor.so #LoadModule usertrack_module modules/mod_usertrack.so diff --git a/SOURCES/00-proxy.conf b/SOURCES/00-proxy.conf index cc0bca0..448eb63 100644 --- a/SOURCES/00-proxy.conf +++ b/SOURCES/00-proxy.conf @@ -12,5 +12,6 @@ LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so LoadModule proxy_ftp_module modules/mod_proxy_ftp.so LoadModule proxy_http_module modules/mod_proxy_http.so +LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so LoadModule proxy_scgi_module modules/mod_proxy_scgi.so LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so 
diff --git a/SOURCES/action-configtest.sh b/SOURCES/action-configtest.sh
index d1cc989..3a702a7 100644
--- a/SOURCES/action-configtest.sh
+++ b/SOURCES/action-configtest.sh
@@ -1,2 +1,6 @@
 #!/bin/sh
-exec $sbindir/apachectl configtest
+#!/bin/sh
+if [ -r $sysconfdir/httpd ]; then
+ . $sysconfdir/httpd
+fi
+exec $sbindir/httpd-scl-wrapper -t
diff --git a/SOURCES/action-graceful.sh b/SOURCES/action-graceful.sh
index 5d3c87a..2afa0a2 100644
--- a/SOURCES/action-graceful.sh
+++ b/SOURCES/action-graceful.sh
@@ -1,2 +1,5 @@
 #!/bin/sh
-exec $sbindir/apachectl graceful
+if [ -r $sysconfdir/httpd ]; then
+ . $sysconfdir/httpd
+fi
+exec $sbindir/httpd-scl-wrapper -k graceful
diff --git a/SOURCES/httpd-2.4.1-selinux.patch b/SOURCES/httpd-2.4.1-selinux.patch
deleted file mode 100644
index e97c5a4..0000000
--- a/SOURCES/httpd-2.4.1-selinux.patch
+++ /dev/null
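Review bot: The new action-configtest.sh ends up with a second `#!/bin/sh` on line 2, because the hunk adds `+#!/bin/sh` below the existing context line; it is inert as a comment but is clearly a leftover, and action-graceful.sh does not have it. Both scripts now source `$sysconfdir/httpd`, which runs that file as shell code with the caller's privileges, so a comment stating that the file must be root-owned and not writable by others would help the next packager. The expansions are also unquoted; `if [ -r "$sysconfdir/httpd" ]; then` and `. "$sysconfdir/httpd"` keep working with the spec's sed substitution and survive a path containing whitespace.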
@@ -1,61 +0,0 @@ - -Log the SELinux context at startup. - -Upstream-Status: unlikely to be any interest in this upstream - ---- httpd-2.4.1/configure.in.selinux -+++ httpd-2.4.1/configure.in -@@ -458,6 +458,11 @@ fopen64 - dnl confirm that a void pointer is large enough to store a long integer - APACHE_CHECK_VOID_PTR_LEN - -+AC_CHECK_LIB(selinux, is_selinux_enabled, [ -+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) -+ APR_ADDTO(AP_LIBS, [-lselinux]) -+]) -+ - AC_CACHE_CHECK([for gettid()], ac_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE - #include ---- httpd-2.4.1/server/core.c.selinux -+++ httpd-2.4.1/server/core.c -@@ -58,6 +58,10 @@ - #include - #endif - -+#ifdef HAVE_SELINUX -+#include -+#endif -+ - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t * - } - #endif - -+#ifdef HAVE_SELINUX -+ { -+ static int already_warned = 0; -+ int is_enabled = is_selinux_enabled() > 0; -+ -+ if (is_enabled && !already_warned) { -+ security_context_t con; -+ -+ if (getcon(&con) == 0) { -+ -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "SELinux policy enabled; " -+ "httpd running as context %s", con); -+ -+ already_warned = 1; -+ -+ freecon(con); -+ } -+ } -+ } -+#endif -+ - return OK; - } - diff --git a/SOURCES/httpd-2.4.10-mod_systemd.patch b/SOURCES/httpd-2.4.10-mod_systemd.patch new file mode 100644 index 0000000..88d76ac --- /dev/null +++ b/SOURCES/httpd-2.4.10-mod_systemd.patch 
@@ -0,0 +1,172 @@ +diff --git a/modules/arch/unix/config5.m4 b/modules/arch/unix/config5.m4 +index 77027a8..7a13d5a 100644 +--- a/modules/arch/unix/config5.m4 ++++ b/modules/arch/unix/config5.m4 +@@ -18,6 +18,16 @@ APACHE_MODULE(privileges, Per-virtualhost Unix UserIDs and enhanced security for + fi + ]) + ++APACHE_MODULE(systemd, Systemd support, , , all, [ ++ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then ++ AC_MSG_WARN([Your system does not support systemd.]) ++ enable_systemd="no" ++ else ++ APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS]) ++ enable_systemd="yes" ++ fi ++]) ++ + APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current]) + + APACHE_MODPATH_FINISH +diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c +new file mode 100644 +index 0000000..5381c98 +--- /dev/null ++++ b/modules/arch/unix/mod_systemd.c +@@ -0,0 +1,145 @@ ++/* Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ * ++ */ ++ ++#include ++#include ++#include "ap_mpm.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include "unixd.h" ++#include "scoreboard.h" ++#include "mpm_common.h" ++ ++#include "systemd/sd-daemon.h" ++ ++#if APR_HAVE_UNISTD_H ++#include ++#endif ++ ++static int shutdown_timer = 0; ++static int shutdown_counter = 0; ++static unsigned long bytes_served; ++static pid_t mainpid; ++ ++static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type) ++{ ++ int rv; ++ ++ ap_extended_status = 1; ++ mainpid = getpid(); ++ ++ rv = sd_notifyf(0, "READY=1\n" ++ "STATUS=Processing requests...\n" ++ "MAINPID=%" APR_PID_T_FMT, mainpid); ++ if (rv < 0) { ++ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p, APLOGNO(02395) ++ "sd_notifyf returned an error %d", rv); ++ } ++ ++ return OK; ++} ++ ++static int systemd_monitor(apr_pool_t *p, server_rec *s) ++{ ++ ap_sload_t sload; ++ apr_interval_time_t up_time; ++ char bps[5]; ++ int rv; ++ ++ ap_get_sload(&sload); ++ /* up_time in seconds */ ++ up_time = (apr_uint32_t) apr_time_sec(apr_time_now() - ++ ap_scoreboard_image->global->restart_time); ++ ++ apr_strfsize((unsigned long)((float) (sload.bytes_served) ++ / (float) up_time), bps); ++ ++ rv = sd_notifyf(0, "READY=1\n" ++ "STATUS=Total requests: %lu; Idle/Busy workers %d/%d;" ++ "Requests/sec: %.3g; Bytes served/sec: %sB/sec\n", ++ sload.access_count, sload.idle, sload.busy, ++ ((float) sload.access_count) / (float) up_time, bps); ++ ++ if (rv < 0) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02396) ++ "sd_notifyf returned an error %d", rv); ++ } ++ ++ /* Shutdown httpd when nothing is sent for shutdown_timer seconds. 
*/ ++ if (sload.bytes_served == bytes_served) { ++ /* mpm_common.c: INTERVAL_OF_WRITABLE_PROBES is 10 */ ++ shutdown_counter += 10; ++ if (shutdown_timer > 0 && shutdown_counter >= shutdown_timer) { ++ rv = sd_notifyf(0, "READY=1\n" ++ "STATUS=Stopped as result of IdleShutdown " ++ "timeout."); ++ if (rv < 0) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02804) ++ "sd_notifyf returned an error %d", rv); ++ } ++ kill(mainpid, AP_SIG_GRACEFUL); ++ } ++ } ++ else { ++ shutdown_counter = 0; ++ } ++ ++ bytes_served = sload.bytes_served; ++ ++ return DECLINED; ++} ++ ++static void systemd_register_hooks(apr_pool_t *p) ++{ ++ /* We know the PID in this hook ... */ ++ ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST); ++ /* Used to update httpd's status line using sd_notifyf */ ++ ap_hook_monitor(systemd_monitor, NULL, NULL, APR_HOOK_MIDDLE); ++} ++ ++static const char *set_shutdown_timer(cmd_parms *cmd, void *dummy, ++ const char *arg) ++{ ++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); ++ if (err != NULL) { ++ return err; ++ } ++ ++ shutdown_timer = atoi(arg); ++ return NULL; ++} ++ ++static const command_rec systemd_cmds[] = ++{ ++AP_INIT_TAKE1("IdleShutdown", set_shutdown_timer, NULL, RSRC_CONF, ++ "Number of seconds in idle-state after which httpd is shutdown"), ++ {NULL} ++}; ++ ++AP_DECLARE_MODULE(systemd) = { ++ STANDARD20_MODULE_STUFF, ++ NULL, ++ NULL, ++ NULL, ++ NULL, ++ systemd_cmds, ++ systemd_register_hooks, ++}; diff --git a/SOURCES/httpd-2.4.18-CVE-2016-4979.patch b/SOURCES/httpd-2.4.18-CVE-2016-4979.patch deleted file mode 100644 index de9a4d9..0000000 --- a/SOURCES/httpd-2.4.18-CVE-2016-4979.patch +++ /dev/null 
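Review bot: In systemd_monitor, `up_time` can be 0 if the monitor hook ever runs in the same second that `restart_time` was set, and both `(float) (sload.bytes_served) / (float) up_time` and the Requests/sec expression then divide by zero; converting the resulting inf/NaN to `unsigned long` for apr_strfsize is undefined behaviour. Clamp it right after the assignment, e.g. `if (up_time < 1) up_time = 1;`. Separately, set_shutdown_timer reads `IdleShutdown` with `atoi(arg)`, so a non-numeric or negative value silently becomes a disabled timer instead of a configuration error; parsing with `apr_strtoi64`, checking the end pointer and rejecting values below zero would make a mistyped directive fail at config test time.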
@@ -1,13 +0,0 @@
-# ./pullrev.sh 1750808
-http://svn.apache.org/viewvc?view=revision&revision=1750808
-
---- httpd-2.4.18/modules/ssl/ssl_engine_kernel.c
-+++ httpd-2.4.18/modules/ssl/ssl_engine_kernel.c
-@@ -727,6 +727,7 @@
- * on this connection.
- */
- apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
-+ SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);
- return HTTP_FORBIDDEN;
- }
- /* optimization */
diff --git a/SOURCES/httpd-2.4.18-CVE-2016-5387.patch b/SOURCES/httpd-2.4.18-CVE-2016-5387.patch
deleted file mode 100644
index cfbd4a9..0000000
--- a/SOURCES/httpd-2.4.18-CVE-2016-5387.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387
-
---- httpd-2.4.18/server/util_script.c.cve5387
-+++ httpd-2.4.18/server/util_script.c
-@@ -195,6 +195,10 @@
- }
- }
- #endif
-+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+ /* Don't pass through HTTP_PROXY */
-+ continue;
-+ }
- else
- add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
- }
diff --git a/SOURCES/httpd-2.4.18-apxs.patch b/SOURCES/httpd-2.4.18-apxs.patch
deleted file mode 100644
index 1566249..0000000
--- a/SOURCES/httpd-2.4.18-apxs.patch
+++ /dev/null
@@ -1,47 +0,0 @@ - -Use libdir from configuration. - ---- httpd-2.4.18/support/apxs.in.apxs -+++ httpd-2.4.18/support/apxs.in -@@ -35,6 +35,7 @@ my $CFG_PREFIX = $prefix; - my $exec_prefix = get_vars("exec_prefix"); - my $datadir = get_vars("datadir"); - my $localstatedir = get_vars("localstatedir"); -+my $libdir = get_vars("libdir"); - my $CFG_TARGET = get_vars("progname"); - my $CFG_SYSCONFDIR = get_vars("sysconfdir"); - my $CFG_CFLAGS = join ' ', map { get_vars($_) } -@@ -275,7 +276,7 @@ if ($opt_g) { - $data =~ s|%NAME%|$name|sg; - $data =~ s|%TARGET%|$CFG_TARGET|sg; - $data =~ s|%PREFIX%|$prefix|sg; -- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg; -+ $data =~ s|%LIBDIR%|$libdir|sg; - - my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); - -@@ -453,11 +454,11 @@ if ($opt_c) { - my $ldflags = "$CFG_LDFLAGS"; - if ($opt_p == 1) { - -- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`; -+ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`; - chomp($apr_libs); - my $apu_libs=""; - if ($apr_major_version < 2) { -- $apu_libs=`$apu_config --ldflags --link-libtool --libs`; -+ $apu_libs=`$apu_config --ldflags --link-libtool`; - chomp($apu_libs); - } - -@@ -672,8 +673,8 @@ __DATA__ - - builddir=. - top_srcdir=%PREFIX% --top_builddir=%PREFIX% --include %INSTALLBUILDDIR%/special.mk -+top_builddir=%LIBDIR%/httpd -+include %LIBDIR%/httpd/build/special.mk - - # the used tools - APACHECTL=apachectl diff --git a/SOURCES/httpd-2.4.18-documentroot.patch b/SOURCES/httpd-2.4.18-documentroot.patch deleted file mode 100644 index 182bc04..0000000 --- a/SOURCES/httpd-2.4.18-documentroot.patch +++ /dev/null 
@@ -1,13 +0,0 @@
---- a/server/core.c 2013/07/24 09:49:38 1506473
-+++ b/server/core.c 2013/07/24 09:51:14 1506474
-@@ -1481,7 +1481,9 @@
- conf->ap_document_root = arg;
- }
- else {
-- return "DocumentRoot must be a directory";
-+ return apr_psprintf(cmd->pool,
-+ "DocumentRoot '%s' is not a directory, or is not readable",
-+ arg);
- }
- }
- return NULL;
diff --git a/SOURCES/httpd-2.4.25-apxs.patch b/SOURCES/httpd-2.4.25-apxs.patch
new file mode 100644
index 0000000..83b1849
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-apxs.patch
@@ -0,0 +1,59 @@ + +- use libdir from configuration. +- only link against -lapr itself +- also run restorecon on install module .so + +--- httpd-2.4.25/support/apxs.in.apxs ++++ httpd-2.4.25/support/apxs.in +@@ -35,6 +35,7 @@ + my $exec_prefix = get_vars("exec_prefix"); + my $datadir = get_vars("datadir"); + my $localstatedir = get_vars("localstatedir"); ++my $libdir = get_vars("libdir"); + my $CFG_TARGET = get_vars("progname"); + my $CFG_SYSCONFDIR = get_vars("sysconfdir"); + my $CFG_CFLAGS = join ' ', map { get_vars($_) } +@@ -275,7 +276,7 @@ + $data =~ s|%NAME%|$name|sg; + $data =~ s|%TARGET%|$CFG_TARGET|sg; + $data =~ s|%PREFIX%|$prefix|sg; +- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg; ++ $data =~ s|%LIBDIR%|$libdir|sg; + + my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); + +@@ -453,11 +454,11 @@ + my $ldflags = "$CFG_LDFLAGS"; + if ($opt_p == 1) { + +- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`; ++ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`; + chomp($apr_libs); + my $apu_libs=""; + if ($apr_major_version < 2) { +- $apu_libs=`$apu_config --ldflags --link-libtool --libs`; ++ $apu_libs=`$apu_config --ldflags --link-libtool`; + chomp($apu_libs); + } + +@@ -504,6 +505,9 @@ + push(@cmds, "$installbuilddir/instdso.sh SH_LIBTOOL='" . + "$libtool' $f $CFG_LIBEXECDIR"); + push(@cmds, "chmod 755 $CFG_LIBEXECDIR/$t"); ++ if (-x "/sbin/restorecon") { ++ push(@cmds, "restorecon -v $CFG_LIBEXECDIR/$t"); ++ } + } + + # determine module symbolname and filename +@@ -672,8 +676,8 @@ + + builddir=. + top_srcdir=%PREFIX% +-top_builddir=%PREFIX% +-include %INSTALLBUILDDIR%/special.mk ++top_builddir=%LIBDIR%/httpd ++include %LIBDIR%/httpd/build/special.mk + + # the used tools + APACHECTL=apachectl diff --git a/SOURCES/httpd-2.4.25-detect-systemd.patch b/SOURCES/httpd-2.4.25-detect-systemd.patch new file mode 100644 index 0000000..f8e302b --- /dev/null +++ b/SOURCES/httpd-2.4.25-detect-systemd.patch 
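Review bot: The added install step tests `-x "/sbin/restorecon"` but then queues `restorecon -v ...` with no path, so the program that actually runs is whatever `restorecon` resolves to on the caller's PATH rather than the binary that was checked. `apxs -i` is typically run with elevated privileges, which makes that mismatch worth closing. Use the same absolute path in the queued command: `push(@cmds, "/sbin/restorecon -v $CFG_LIBEXECDIR/$t");`. The enclosing install loop starts and ends outside the inner hunk.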
@@ -0,0 +1,75 @@ +diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4 +diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4 +diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4 +--- httpd-2.4.25/acinclude.m4.detectsystemd ++++ httpd-2.4.25/acinclude.m4 +@@ -604,6 +604,30 @@ + fi + ]) + ++AC_DEFUN(APACHE_CHECK_SYSTEMD, [ ++dnl Check for systemd support for listen.c's socket activation. ++case $host in ++*-linux-*) ++ if test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd; then ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` ++ elif test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd-daemon; then ++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd-daemon` ++ else ++ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon") ++ fi ++ if test -n "$SYSTEMD_LIBS"; then ++ AC_CHECK_HEADERS(systemd/sd-daemon.h) ++ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then ++ AC_MSG_WARN([Your system does not support systemd.]) ++ else ++ APR_ADDTO(HTTPD_LIBS, [$SYSTEMD_LIBS]) ++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported]) ++ fi ++ fi ++ ;; ++esac ++]) ++ + dnl + dnl APACHE_EXPORT_ARGUMENTS + dnl Export (via APACHE_SUBST) the various path-related variables that +diff -uap httpd-2.4.25/configure.in.detectsystemd httpd-2.4.25/configure.in +--- httpd-2.4.25/configure.in.detectsystemd ++++ httpd-2.4.25/configure.in +@@ -234,6 +234,7 @@ + AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) + APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) + APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) ++ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)]) + else + AC_MSG_ERROR([pcre-config for libpcre not found. 
PCRE is required and available from http://pcre.org/]) + fi +@@ -504,6 +510,8 @@ + AC_DEFINE(HAVE_GMTOFF, 1, [Define if struct tm has a tm_gmtoff field]) + fi + ++APACHE_CHECK_SYSTEMD ++ + dnl ## Set up any appropriate OS-specific environment variables for apachectl + + case $host in +@@ -668,6 +676,7 @@ + APACHE_SUBST(BUILTIN_LIBS) + APACHE_SUBST(SHLIBPATH_VAR) + APACHE_SUBST(OS_SPECIFIC_VARS) ++APACHE_SUBST(HTTPD_LIBS) + + PRE_SHARED_CMDS='echo ""' + POST_SHARED_CMDS='echo ""' +--- httpd-2.4.25/Makefile.in.detectsystemd ++++ httpd-2.4.25/Makefile.in +@@ -4,7 +4,7 @@ + + PROGRAM_NAME = $(progname) + PROGRAM_SOURCES = modules.c +-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(PCRE_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) ++PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) + PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c + PROGRAM_DEPENDENCIES = \ + server/libmain.la \ diff --git a/SOURCES/httpd-2.4.25-r1778319+.patch b/SOURCES/httpd-2.4.25-r1778319+.patch new file mode 100644 index 0000000..b791e9d --- /dev/null +++ b/SOURCES/httpd-2.4.25-r1778319+.patch 
@@ -0,0 +1,32 @@
+# ./pullrev.sh 1778319 1778331
+
+http://svn.apache.org/viewvc?view=revision&revision=1778319
+http://svn.apache.org/viewvc?view=revision&revision=1778331
+
+--- httpd-2.4.25/modules/core/mod_watchdog.c
++++ httpd-2.4.25/modules/core/mod_watchdog.c
+@@ -436,19 +436,19 @@
+ {
+ apr_status_t rv;
+ const char *pk = "watchdog_init_module_tag";
+- apr_pool_t *pproc = s->process->pool;
++ apr_pool_t *ppconf = pconf;
+ const apr_array_header_t *wl;
+
+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+ /* First time config phase -- skip. */
+ return OK;
+
+- apr_pool_userdata_get((void *)&wd_server_conf, pk, pproc);
++ apr_pool_userdata_get((void *)&wd_server_conf, pk, ppconf);
+ if (!wd_server_conf) {
+- if (!(wd_server_conf = apr_pcalloc(pproc, sizeof(wd_server_conf_t))))
++ if (!(wd_server_conf = apr_pcalloc(ppconf, sizeof(wd_server_conf_t))))
+ return APR_ENOMEM;
+- apr_pool_create(&wd_server_conf->pool, pproc);
+- apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, pproc);
++ apr_pool_create(&wd_server_conf->pool, ppconf);
++ apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, ppconf);
+ }
+ wd_server_conf->s = s;
+ if ((wl = ap_list_provider_names(pconf, AP_WATCHDOG_PGROUP,
diff --git a/SOURCES/httpd-2.4.25-r1782332.patch b/SOURCES/httpd-2.4.25-r1782332.patch
new file mode 100644
index 0000000..5b1c25b
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-r1782332.patch
@@ -0,0 +1,50 @@ +# ./pullrev.sh 1782332 +http://svn.apache.org/viewvc?view=revision&revision=1782332 + +--- httpd-2.4.25/modules/proxy/mod_proxy.c ++++ httpd-2.4.25/modules/proxy/mod_proxy.c +@@ -764,6 +764,10 @@ + || !r->uri || r->uri[0] != '/') { + return DECLINED; + } ++ ++ if (apr_table_get(r->subprocess_env, "no-proxy")) { ++ return DECLINED; ++ } + + /* XXX: since r->uri has been manipulated already we're not really + * compliant with RFC1945 at this point. But this probably isn't +@@ -771,29 +775,18 @@ + */ + + dconf = ap_get_module_config(r->per_dir_config, &proxy_module); +- conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config, +- &proxy_module); ++ + /* short way - this location is reverse proxied? */ + if (dconf->alias) { + int rv = ap_proxy_trans_match(r, dconf->alias, dconf); +- if (OK == rv) { +- /* Got a hit. Need to make sure it's not explicitly declined */ +- if (conf->aliases->nelts) { +- ent = (struct proxy_alias *) conf->aliases->elts; +- for (i = 0; i < conf->aliases->nelts; i++) { +- int rv = ap_proxy_trans_match(r, &ent[i], dconf); +- if (DECLINED == rv) { +- return DECLINED; +- } +- } +- } +- return OK; +- } + if (DONE != rv) { + return rv; + } + } + ++ conf = (proxy_server_conf *) ap_get_module_config(r->server->module_config, ++ &proxy_module); ++ + /* long way - walk the list of aliases, find a match */ + if (conf->aliases->nelts) { + ent = (struct proxy_alias *) conf->aliases->elts; diff --git a/SOURCES/httpd-2.4.25-r1787301.patch b/SOURCES/httpd-2.4.25-r1787301.patch new file mode 100644 index 0000000..232e8f0 --- /dev/null +++ b/SOURCES/httpd-2.4.25-r1787301.patch 
@@ -0,0 +1,16 @@
+# ./pullrev.sh 1787301
+http://svn.apache.org/viewvc?view=revision&revision=1787301
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1432249
+
+--- httpd-2.4.25/server/listen.c
++++ httpd-2.4.25/server/listen.c
+@@ -153,7 +153,7 @@
+ #endif
+
+ #if defined(SO_REUSEPORT)
+- if (ap_have_so_reuseport) {
++ if (ap_have_so_reuseport && ap_listencbratio > 0) {
+ int thesock;
+ apr_os_sock_get(&thesock, s);
+ if (setsockopt(thesock, SOL_SOCKET, SO_REUSEPORT,
diff --git a/SOURCES/httpd-2.4.25-rev-r1748324+.patch b/SOURCES/httpd-2.4.25-rev-r1748324+.patch
new file mode 100644
index 0000000..5586c7c
--- /dev/null
+++ b/SOURCES/httpd-2.4.25-rev-r1748324+.patch
@@ -0,0 +1,58 @@ + +Reverses two changes to mod_proxy_fcgi.c to get back to pre-2.4.23 behaviour: + +https://svn.apache.org/r1748324 +https://svn.apache.org/r1755077 + +diff -uap httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c.rev-r1748324+ httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c +--- httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c.rev-r1748324+ ++++ httpd-2.4.25/modules/proxy/mod_proxy_fcgi.c +@@ -253,6 +253,7 @@ + apr_status_t rv; + apr_size_t avail_len, len, required_len; + int next_elem, starting_elem; ++ char *proxyfilename = r->filename; + fcgi_req_config_t *rconf = ap_get_module_config(r->request_config, &proxy_fcgi_module); + + if (rconf) { +@@ -261,33 +262,18 @@ + } + } + +- /* Strip proxy: prefixes */ +- if (r->filename) { +- char *newfname = NULL; +- +- if (!strncmp(r->filename, "proxy:balancer://", 17)) { +- newfname = apr_pstrdup(r->pool, r->filename+17); +- } +- else if (!strncmp(r->filename, "proxy:fcgi://", 13)) { +- newfname = apr_pstrdup(r->pool, r->filename+13); +- } +- /* Query string in environment only */ +- if (newfname && r->args && *r->args) { +- char *qs = strrchr(newfname, '?'); +- if (qs && !strcmp(qs+1, r->args)) { +- *qs = '\0'; +- } +- } +- +- if (newfname) { +- newfname = ap_strchr(newfname, '/'); +- r->filename = newfname; +- } ++ /* Strip balancer prefix */ ++ if (r->filename && !strncmp(r->filename, "proxy:balancer://", 17)) { ++ char *newfname = apr_pstrdup(r->pool, r->filename+17); ++ newfname = ap_strchr(newfname, '/'); ++ r->filename = newfname; + } + + ap_add_common_vars(r); + ap_add_cgi_vars(r); + ++ r->filename = proxyfilename; ++ + /* XXX are there any FastCGI specific env vars we need to send? */ + + /* XXX mod_cgi/mod_cgid use ap_create_environment here, which fills in diff --git a/SOURCES/httpd-2.4.25-selinux.patch b/SOURCES/httpd-2.4.25-selinux.patch new file mode 100644 index 0000000..fa4614a --- /dev/null +++ b/SOURCES/httpd-2.4.25-selinux.patch 
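Review bot: The patch header names the two reverted revisions but gives no reason or bug reference, and the revert changes what a FastCGI backend is handed: with the `proxy:fcgi://` stripping and the query-string trimming removed, ap_add_common_vars() and ap_add_cgi_vars() now run on the unstripped `r->filename` for fcgi:// targets. Please add a line to the header such as `Reverted because <reason>; see <bug URL>` so the next rebase can tell whether the revert is still needed. In the retained balancer branch, `ap_strchr(newfname, '/')` can return NULL and that value is assigned to `r->filename` before the two calls; whether they tolerate a NULL filename is not visible in this hunk and is worth confirming.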
@@ -0,0 +1,61 @@ + +Log the SELinux context at startup. + +Upstream-Status: unlikely to be any interest in this upstream + +--- httpd-2.4.1/configure.in.selinux ++++ httpd-2.4.1/configure.in +@@ -458,6 +458,11 @@ fopen64 + dnl confirm that a void pointer is large enough to store a long integer + APACHE_CHECK_VOID_PTR_LEN + ++AC_CHECK_LIB(selinux, is_selinux_enabled, [ ++ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) ++ APR_ADDTO(HTTPD_LIBS, [-lselinux]) ++]) ++ + AC_CACHE_CHECK([for gettid()], ac_cv_gettid, + [AC_TRY_RUN(#define _GNU_SOURCE + #include +--- httpd-2.4.1/server/core.c.selinux ++++ httpd-2.4.1/server/core.c +@@ -58,6 +58,10 @@ + #include + #endif + ++#ifdef HAVE_SELINUX ++#include ++#endif ++ + /* LimitRequestBody handling */ + #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) + #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) +@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t * + } + #endif + ++#ifdef HAVE_SELINUX ++ { ++ static int already_warned = 0; ++ int is_enabled = is_selinux_enabled() > 0; ++ ++ if (is_enabled && !already_warned) { ++ security_context_t con; ++ ++ if (getcon(&con) == 0) { ++ ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, ++ "SELinux policy enabled; " ++ "httpd running as context %s", con); ++ ++ already_warned = 1; ++ ++ freecon(con); ++ } ++ } ++ } ++#endif ++ + return OK; + } + diff --git a/SOURCES/httpd-2.4.3-apctl-systemd.patch b/SOURCES/httpd-2.4.3-apctl-systemd.patch index d8adf87..0555fa0 100644 --- a/SOURCES/httpd-2.4.3-apctl-systemd.patch +++ b/SOURCES/httpd-2.4.3-apctl-systemd.patch @@ -1,4 +1,8 @@ +Make apachectl run via systemctl. + +Note: "apachectl graceful" is documented to start httpd if not running. + Upstream-Status: vendor specific patch --- httpd-2.4.18/support/apachectl.in.apctlsystemd diff --git a/SOURCES/httpd-2.4.3-mod_systemd.patch b/SOURCES/httpd-2.4.3-mod_systemd.patch deleted file mode 100644 index a9b1fd9..0000000 
--- a/SOURCES/httpd-2.4.3-mod_systemd.patch +++ /dev/null 
@@ -1,163 +0,0 @@ ---- httpd-2.4.3/modules/arch/unix/config5.m4.systemd -+++ httpd-2.4.3/modules/arch/unix/config5.m4 -@@ -18,6 +18,19 @@ APACHE_MODULE(privileges, Per-virtualhos - fi - ]) - -+ -+APACHE_MODULE(systemd, Systemd support, , , $unixd_mods_enabled, [ -+ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon") -+ AC_CHECK_HEADERS(systemd/sd-daemon.h, [ap_HAVE_SD_DAEMON_H="yes"], [ap_HAVE_SD_DAEMON_H="no"]) -+ if test $ap_HAVE_SD_DAEMON_H = "no" || test -z "${SYSTEMD_LIBS}"; then -+ AC_MSG_WARN([Your system does not support systemd.]) -+ enable_systemd="no" -+ else -+ APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS]) -+ enable_systemd="yes" -+ fi -+]) -+ - APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current]) - - APACHE_MODPATH_FINISH ---- httpd-2.4.3/modules/arch/unix/mod_systemd.c.systemd -+++ httpd-2.4.3/modules/arch/unix/mod_systemd.c -@@ -0,0 +1,138 @@ -+/* Licensed to the Apache Software Foundation (ASF) under one or more -+ * contributor license agreements. See the NOTICE file distributed with -+ * this work for additional information regarding copyright ownership. -+ * The ASF licenses this file to You under the Apache License, Version 2.0 -+ * (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. 
-+ * -+ */ -+ -+#include -+#include -+#include "ap_mpm.h" -+#include -+#include -+#include -+#include -+#include -+#include "unixd.h" -+#include "scoreboard.h" -+#include "mpm_common.h" -+ -+#include "systemd/sd-daemon.h" -+ -+#if APR_HAVE_UNISTD_H -+#include -+#endif -+ -+#define KBYTE 1024 -+ -+static pid_t pid; /* PID of the main httpd instance */ -+static int server_limit, thread_limit, threads_per_child, max_servers; -+static time_t last_update_time; -+static unsigned long last_update_access; -+static unsigned long last_update_kbytes; -+ -+static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type) -+{ -+ int rv; -+ last_update_time = time(0); -+ -+ ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit); -+ ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit); -+ ap_mpm_query(AP_MPMQ_MAX_THREADS, &threads_per_child); -+ /* work around buggy MPMs */ -+ if (threads_per_child == 0) -+ threads_per_child = 1; -+ ap_mpm_query(AP_MPMQ_MAX_DAEMONS, &max_servers); -+ -+ pid = getpid(); -+ -+ rv = sd_notifyf(0, "READY=1\n" -+ "STATUS=Processing requests...\n" -+ "MAINPID=%lu", -+ (unsigned long) pid); -+ if (rv < 0) { -+ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p, -+ "sd_notifyf returned an error %d", rv); -+ } -+ -+ return OK; -+} -+ -+static int systemd_monitor(apr_pool_t *p, server_rec *s) -+{ -+ int i, j, res, rv; -+ process_score *ps_record; -+ worker_score *ws_record; -+ unsigned long access = 0; -+ unsigned long bytes = 0; -+ unsigned long kbytes = 0; -+ char bps[5]; -+ time_t now = time(0); -+ time_t elapsed = now - last_update_time; -+ -+ for (i = 0; i < server_limit; ++i) { -+ ps_record = ap_get_scoreboard_process(i); -+ for (j = 0; j < thread_limit; ++j) { -+ ws_record = ap_get_scoreboard_worker_from_indexes(i, j); -+ if (ap_extended_status && !ps_record->quiescing && ps_record->pid) { -+ res = ws_record->status; -+ if (ws_record->access_count != 0 || -+ (res != SERVER_READY && res != SERVER_DEAD)) { -+ access += ws_record->access_count; -+ bytes += 
ws_record->bytes_served; -+ if (bytes >= KBYTE) { -+ kbytes += (bytes >> 10); -+ bytes = bytes & 0x3ff; -+ } -+ } -+ } -+ } -+ } -+ -+ apr_strfsize((unsigned long)(KBYTE *(float) (kbytes - last_update_kbytes) -+ / (float) elapsed), bps); -+ -+ rv = sd_notifyf(0, "READY=1\n" -+ "STATUS=Total requests: %lu; Current requests/sec: %.3g; " -+ "Current traffic: %sB/sec\n", access, -+ ((float)access - last_update_access) / (float) elapsed, bps); -+ if (rv < 0) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(00000) -+ "sd_notifyf returned an error %d", rv); -+ } -+ -+ last_update_access = access; -+ last_update_kbytes = kbytes; -+ last_update_time = now; -+ -+ return DECLINED; -+} -+ -+static void systemd_register_hooks(apr_pool_t *p) -+{ -+ /* We know the PID in this hook ... */ -+ ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST); -+ /* Used to update httpd's status line using sd_notifyf */ -+ ap_hook_monitor(systemd_monitor, NULL, NULL, APR_HOOK_MIDDLE); -+} -+ -+module AP_MODULE_DECLARE_DATA systemd_module = -+{ -+ STANDARD20_MODULE_STUFF, -+ NULL, -+ NULL, -+ NULL, -+ NULL, -+ NULL, -+ systemd_register_hooks, -+}; diff --git a/SOURCES/httpd-2.4.4-malformed-host.patch b/SOURCES/httpd-2.4.4-malformed-host.patch deleted file mode 100644 index 57975e5..0000000 --- a/SOURCES/httpd-2.4.4-malformed-host.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/server/protocol.c b/server/protocol.c -index e1ef204..d6d9165 100644 ---- a/server/protocol.c -+++ b/server/protocol.c -@@ -1049,6 +1049,7 @@ request_rec *ap_read_request(conn_rec *conn) - * now read. may update status. - */ - ap_update_vhost_from_headers(r); -+ access_status = r->status; - - /* Toggle to the Host:-based vhost's timeout mode to fetch the - * request body and send the response body, if needed. diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index 46482a7..454209d 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec 
@@ -48,8 +48,8 @@ Summary: Apache HTTP Server Name: %{?scl:%scl_prefix}httpd -Version: 2.4.18 -Release: 11%{?dist} +Version: 2.4.25 +Release: 9%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -86,17 +86,18 @@ Source41: htcacheclean.sysconf Source42: htcacheclean.init # build/scripts patches Patch1: httpd-2.4.1-apctl.patch -Patch2: httpd-2.4.18-apxs.patch +Patch2: httpd-2.4.25-apxs.patch Patch3: httpd-2.4.1-deplibs.patch Patch5: httpd-2.4.3-layout.patch Patch6: httpd-2.4.3-apctl-systemd.patch Patch7: httpd-2.4.12-skiplist.patch -Patch8: httpd-2.4.3-mod_systemd.patch +Patch8: httpd-2.4.25-detect-systemd.patch # Features/functional changes +Patch20: httpd-2.4.10-mod_systemd.patch Patch21: httpd-2.4.6-full-release.patch Patch23: httpd-2.4.4-export.patch Patch24: httpd-2.4.1-corelimit.patch -Patch25: httpd-2.4.1-selinux.patch +Patch25: httpd-2.4.25-selinux.patch Patch26: httpd-2.4.4-r1337344+.patch Patch27: httpd-2.4.2-icons.patch Patch28: httpd-2.4.6-r1332643+.patch @@ -104,7 +105,6 @@ Patch30: httpd-2.4.4-cachehardmax.patch Patch31: httpd-2.4.6-sslmultiproxy.patch Patch32: httpd-2.4.3-sslsninotreq.patch # Bug fixes -Patch55: httpd-2.4.4-malformed-host.patch Patch56: httpd-2.4.4-mod_unique_id.patch Patch59: httpd-2.4.6-r1556473.patch Patch62: httpd-2.4.6-apachectl-status.patch 
@@ -112,15 +112,18 @@ Patch63: httpd-2.4.6-ab-overflow.patch Patch64: httpd-2.4.6-sigint.patch Patch65: httpd-2.4.17-autoindex-revert.patch Patch66: httpd-2.4.18-r1684636.patch -Patch67: httpd-2.4.18-documentroot.patch Patch68: httpd-2.4.6-ap-ipv6.patch Patch69: httpd-2.4.6-apachectl-httpd-env.patch Patch70: httpd-2.4.6-bomb.patch Patch71: httpd-2.4.18-apachectl-httpd-env2.patch Patch72: httpd-2.4.18-r1738229.patch +Patch73: httpd-2.4.25-r1778319+.patch +Patch74: httpd-2.4.25-rev-r1748324+.patch +Patch75: httpd-2.4.25-r1782332.patch +Patch76: httpd-2.4.25-r1787301.patch + # Security fixes -Patch100: httpd-2.4.18-CVE-2016-5387.patch -Patch101: httpd-2.4.18-CVE-2016-4979.patch + License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -146,10 +149,8 @@ Requires(post): systemd-units %else Requires(post): chkconfig %endif -%if 0%{?rhel} < 7 Requires(post): policycoreutils Requires(post): policycoreutils-python -%endif %{?scl:Requires:%scl_runtime} %description @@ -281,12 +282,13 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH %if %{use_systemd} %patch6 -p1 -b .apctlsystemd %patch7 -p1 -b .skiplist -%patch8 -p1 -b .systemd +%patch8 -p1 -b .detect-systemd %else %patch62 -p1 -b .apachectlstatus %patch71 -p1 -b .envhttpd2 %endif +%patch20 -p1 -b .mod_systemd %patch21 -p1 -b .fullrelease %patch23 -p1 -b .export %patch24 -p1 -b .corelimit 
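Review bot: The `# Security fixes` section is left empty once `Patch100` (CVE-2016-5387) and `Patch101` (CVE-2016-4979) are removed, and nothing in the spec records why. Presumably both fixes ship in the 2.4.25 tarball, but neither this hunk nor the 2.4.25-1 changelog entry says so, which makes the removal hard to audit later. I would keep a comment under the heading, for example `# CVE-2016-5387, CVE-2016-4979: patches dropped, fixed in upstream 2.4.25 (verify against upstream CHANGES)`. The matching `%patch100`/`%patch101` removals are in the `@@ -298,21 +300,20 @@` hunk, and the same applies there.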
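Review bot: `%patch20 -p1 -b .mod_systemd` is applied outside the `%if %{use_systemd}` block, while the detection patch `%patch8 -b .detect-systemd` stays inside it. The old systemd patch was applied only on systemd builds, so non-systemd builds now get the mod_systemd sources without the detection change. If that is intended, a comment above the line would make it clear, for example `# applied unconditionally; mod_systemd is only built when configure detects systemd`. Whether the module is skipped on such builds cannot be seen from this hunk.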
@@ -298,21 +300,20 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH %patch31 -p1 -b .sslmultiproxy %patch32 -p1 -b .sslsninotreq -%patch55 -p1 -b .malformedhost %patch56 -p1 -b .uniqueid %patch59 -p1 -b .r1556473 %patch63 -p1 -b .aboverflow %patch64 -p1 -b .sigint %patch65 -p1 -b .autoindexrevert %patch66 -p1 -b .r1684636 -%patch67 -p1 -b .documentroot %patch68 -p1 -b .ipv6 %patch69 -p1 -b .envhttpd %patch70 -p1 -b .bomb %patch72 -p1 -b .r1738229 - -%patch100 -p1 -b .cve5387 -%patch101 -p1 -b .cve4979 +%patch73 -p1 -b .r1778319+ +%patch74 -p1 -b .rev-r1748324+ +%patch75 -p1 -b .r1782332 +%patch76 -p1 -b .r1787301 # Patch in the vendor string and the release string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -604,7 +605,7 @@ mkdir -p $RPM_BUILD_ROOT/%{_root_libexecdir}/initscripts/legacy-actions/%{?scl:% for f in graceful configtest; do install -p -m 755 $RPM_SOURCE_DIR/action-${f}.sh \ $RPM_BUILD_ROOT/%{_root_libexecdir}/initscripts/legacy-actions/%{?scl:%scl_prefix}httpd/${f} - sed -i 's|\$sbindir|%{_sbindir}|' \ + sed -i 's|\$sbindir|%{_sbindir}|;s|\$sysconfdir|%{_sysconfdir}/sysconfig|' \ $RPM_BUILD_ROOT/%{_root_libexecdir}/initscripts/legacy-actions/%{?scl:%scl_prefix}httpd/${f} done %endif @@ -676,7 +677,7 @@ restorecon -R %{_scl_root} >/dev/null 2>&1 || : %if %{use_systemd} %systemd_post %{httpd_service} %{htcacheclean_service} -semanage fcontext -a -t httpd_exec_t "%{_root_sbindir}/httpd-scl-wrapper" +semanage fcontext -a -t httpd_exec_t "%{_root_sbindir}/httpd-scl-wrapper" >/dev/null 2>&1 || : restorecon -R %{_scl_root} >/dev/null 2>&1 || : %else # Register the httpd service 
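Review bot: Both substitutions in the new `sed` expression replace only the first match on a line because neither carries the `g` flag. The action scripts currently have one `$sbindir` or `$sysconfdir` per line, so the result is correct today, but a later edit that uses a variable twice on one line would leave a literal `$sysconfdir` in a script that root executes. I would write `s|\$sbindir|%{_sbindir}|g;s|\$sysconfdir|%{_sysconfdir}/sysconfig|g`. The enclosing `for` loop starts above the hunk.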
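Review bot: Appending `>/dev/null 2>&1 || :` to `semanage fcontext` hides every failure, not only the SELinux-disabled case named in the changelog (#1376738). On an enforcing host a failed labelling rule for `httpd-scl-wrapper` would now go unnoticed, and the wrapper would keep whatever context it already has instead of `httpd_exec_t`. Testing for SELinux first and leaving stderr visible keeps the install quiet where SELinux is off and still surfaces real errors: `if selinuxenabled 2>/dev/null; then semanage fcontext -a -t httpd_exec_t "%{_root_sbindir}/httpd-scl-wrapper" >/dev/null || :; fi`. The scriptlet continues outside the hunk.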
@@ -739,7 +740,8 @@ fi %{_root_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > %{sslkey} 2> /dev/null FQDN=`hostname` -if [ "x${FQDN}" = "x" ]; then +# A >59 char FQDN means "root@FQDN" exceeds 64-char max length for emailAddress +if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then FQDN=localhost.localdomain fi @@ -781,14 +783,27 @@ if readelf -d $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so | grep TEXTREL; then : modules contain non-relocatable code exit 1 fi +set +x +rv=0 # Ensure every mod_* that's built is loaded. for f in $RPM_BUILD_ROOT%{_libdir}/httpd/modules/*.so; do m=${f##*/} if ! grep -q $m $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf; then echo ERROR: Module $m not configured. Disable it, or load it. - exit 1 + rv=1 + fi +done +# Ensure every loaded mod_* is actually built +mods=`grep -h ^LoadModule $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/*.conf | sed 's,.*modules/,,'` +for m in $mods; do + f=$RPM_BUILD_ROOT%{_libdir}/httpd/modules/${m} + if ! test -x $f; then + echo ERROR: Module $m is configured but not built. + rv=1 fi done +set -x +exit $rv %clean rm -rf $RPM_BUILD_ROOT 
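Review bot: The new length check joins two conditions with `-o` inside one `[ ... ]` and leaves `${#FQDN}` unquoted. POSIX marks `-o` as obsolescent because the expression can be parsed ambiguously for some operand values, and `FQDN` here is whatever `hostname` prints. Two separate tests are more robust: `if [ -z "${FQDN}" ] || [ "${#FQDN}" -gt 59 ]; then`. The limit of 59 agrees with the added comment, since `root@` plus 59 characters is 64. The scriptlet starts and ends outside the hunk.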
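Review bot: The added "configured but not built" check only sees `LoadModule` lines that start in column 0, because of `grep -h ^LoadModule`. An indented directive, for example inside an `<IfModule>` block, is skipped, and `sed 's,.*modules/,,'` keeps anything that follows the file name on the line. That leaves a blind spot in a check meant to stop a package shipping configuration for a module it does not contain. I would use `grep -h '^[[:space:]]*LoadModule'` and extend the sed to `sed 's,.*modules/,,;s,[[:space:]].*$,,'`, and quote the operand as `test -x "$f"`.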
@@ -943,6 +958,36 @@ rm -rf $RPM_BUILD_ROOT %endif %changelog +* Fri Mar 24 2017 Joe Orton - 2.4.25-9 +- link only httpd, not support/* against -lselinux -lsystemd (#1433474) +- don't enable SO_REUSEPORT in default configuration (#1432249) + +* Thu Mar 2 2017 Joe Orton - 2.4.25-8 +- always require policycoreutils; fail silently if SELinux is disabled (#1376738) + +* Thu Mar 2 2017 Joe Orton - 2.4.25-7 +- run restorecon during apxs -i (#1093057) + +* Thu Mar 2 2017 Joe Orton - 2.4.25-6 +- fix legacy systemd actions (#1329639) + +* Thu Mar 2 2017 Joe Orton - 2.4.25-5 +- mod_proxy_fcgi: revert to pre-2.4.23 SCRIPT_FILENAME mangling (#1414037) +- mod_proxy: fix regression in per-dir ProxyPass (#1417482) + +* Fri Jan 20 2017 Joe Orton - 2.4.25-4 +- mod_watchdog: fix pool lifetime issue (#1410883) + +* Fri Jan 20 2017 Joe Orton - 2.4.25-3 +- update systemd library detection + +* Fri Jan 20 2017 Joe Orton - 2.4.25-2 +- merge default config changes from Fedora +- mod_ssl: use "localhost" in the dummy SSL cert if len(FQDN) > 59 chars + +* Thu Jan 12 2017 Luboš Uhliarik - 2.4.25-1 +- Resolves: #1404778 - RFE: update httpd24 collection + * Wed Jul 13 2016 Joe Orton - 2.4.18-11 - add security fix for CVE-2016-5387 - mod_ssl: add security fix for CVE-2016-4979