From 826ed9a43a3d5596132ea18f59d8e900d182118d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?=
Date: Tue, 28 Jul 2009 13:48:17 +0000
Subject: [PATCH] - up to 2.2.12 (fixes CVE-2009-1891, CVE-2009-1195, CVE-2009-1890, CVE-2009-1191) Changed files: PR46949.diff -> 1.2 apache-pollset-segv.patch -> 1.2 apache-prefork-graceful-fix.patch -> 1.2 apache.spec -> 1.567
---
 PR46949.diff | 37 ---------------------------
 apache-pollset-segv.patch | 17 -------------
 apache-prefork-graceful-fix.patch | 42 -------------------------------
 apache.spec | 19 ++++----------
 4 files changed, 5 insertions(+), 110 deletions(-)
 delete mode 100644 PR46949.diff
 delete mode 100644 apache-pollset-segv.patch
 delete mode 100644 apache-prefork-graceful-fix.patch
diff --git a/PR46949.diff b/PR46949.diff
deleted file mode 100644
index cbb790a..0000000
--- a/PR46949.diff
+++ /dev/null
@@ -1,37 +0,0 @@
-Index: modules/proxy/mod_proxy_ajp.c
-===================================================================
---- modules/proxy/mod_proxy_ajp.c (Revision 763379)
-+++ modules/proxy/mod_proxy_ajp.c (Arbeitskopie)
-@@ -307,21 +307,17 @@
- "proxy: read zero bytes, expecting"
- " %" APR_OFF_T_FMT " bytes",
- content_length);
-- status = ajp_send_data_msg(conn->sock, msg, 0);
-- if (status != APR_SUCCESS) {
-- /* We had a failure: Close connection to backend */
-- conn->close++;
-- ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
-- "proxy: send failed to %pI (%s)",
-- conn->worker->cp->addr,
-- conn->worker->hostname);
-- return HTTP_INTERNAL_SERVER_ERROR;
-- }
-- else {
-- /* Client send zero bytes with C-L > 0
-- */
-- return HTTP_BAD_REQUEST;
-- }
-+ /*
-+ * We can only get here if the client closed the connection
-+ * to us without sending the body.
-+ * Now the connection is in the wrong state on the backend.
-+ * Sending an empty data msg doesn't help either as it does
-+ * not move this connection to the correct state on the backend
-+ * for later resusage by the next request again.
-+ * Close it to clean things up.
-+ */
-+ conn->close++;
-+ return HTTP_BAD_REQUEST;
- }
- }
-
diff --git a/apache-pollset-segv.patch b/apache-pollset-segv.patch
deleted file mode 100644
index e0ac8e0..0000000
--- a/apache-pollset-segv.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- server/mpm/prefork/prefork.c 2009/01/12 11:37:23 733697
-+++ server/mpm/prefork/prefork.c 2009/01/12 11:37:32 733698
-@@ -517,8 +517,12 @@
- (void) ap_update_child_status(sbh, SERVER_READY, (request_rec *) NULL);
-
- /* Set up the pollfd array */
-- /* ### check the status */
-- (void) apr_pollset_create(&pollset, num_listensocks, pchild, 0);
-+ status = apr_pollset_create(&pollset, num_listensocks, pchild, 0);
-+ if (status != APR_SUCCESS) {
-+ ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf,
-+ "Couldn't create pollset in child; check system or user limits");
-+ clean_child_exit(APEXIT_CHILDSICK); /* assume temporary resource issue */
-+ }
-
- for (lr = ap_listeners, i = num_listensocks; i--; lr = lr->next) {
- apr_pollfd_t pfd = { 0 };
diff --git a/apache-prefork-graceful-fix.patch b/apache-prefork-graceful-fix.patch
deleted file mode 100644
index d5085db..0000000
--- a/apache-prefork-graceful-fix.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- server/mpm/prefork/prefork.c 2009/01/31 20:53:11 739607
-+++ server/mpm/prefork/prefork.c 2009/01/31 20:54:55 739608
-@@ -577,19 +577,27 @@
- apr_int32_t numdesc;
- const apr_pollfd_t *pdesc;
-
-- /* timeout == -1 == wait forever */
-- status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc);
-+ /* check for termination first so we don't sleep for a while in
-+ * poll if already signalled
-+ */
-+ if (one_process && shutdown_pending) {
-+ SAFE_ACCEPT(accept_mutex_off());
-+ return;
-+ }
-+ else if (die_now) {
-+ /* In graceful stop/restart; drop the mutex
-+ * and terminate the child. */
-+ SAFE_ACCEPT(accept_mutex_off());
-+ clean_child_exit(0);
-+ }
-+ /* timeout == 10 seconds to avoid a hang at graceful restart/stop
-+ * caused by the closing of sockets by the signal handler
-+ */
-+ status = apr_pollset_poll(pollset, apr_time_from_sec(10),
-+ &numdesc, &pdesc);
- if (status != APR_SUCCESS) {
-- if (APR_STATUS_IS_EINTR(status)) {
-- if (one_process && shutdown_pending) {
-- return;
-- }
-- else if (die_now) {
-- /* In graceful stop/restart; drop the mutex
-- * and terminate the child. */
-- SAFE_ACCEPT(accept_mutex_off());
-- clean_child_exit(0);
-- }
-+ if (APR_STATUS_IS_TIMEUP(status) ||
-+ APR_STATUS_IS_EINTR(status)) {
- continue;
- }
- /* Single Unix documents select as returning errnos
diff --git a/apache.spec b/apache.spec
index efd8956..880eff2 100644
--- a/apache.spec
+++ b/apache.spec
@@ -18,12 +18,12 @@ Summary(pt_BR.UTF-8): Servidor HTTPD para prover serviços WWW
 Summary(ru.UTF-8): Самый популярный веб-сервер
 Summary(tr.UTF-8): Lider WWW tarayıcı
 Name: apache
-Version: 2.2.11
-Release: 13
+Version: 2.2.12
+Release: 1
 License: Apache v2.0
 Group: Networking/Daemons/HTTP
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
-# Source0-md5: 03e0a99a5de0f3f568a0087fb9993af9
+# Source0-md5: 17f017b571f88aa60abebfe2945d7caf
 Source1: %{name}.init
 Source2: %{name}.logrotate
 Source3: %{name}.sysconfig
@@ -72,14 +72,7 @@ Patch19: %{name}-conffile-path.patch
 Patch20: %{name}-apxs.patch
 Patch23: %{name}-suexec_fcgi.patch
 Patch24: %{name}-revert-bug-40463.patch
-Patch25: %{name}-prefork-graceful-fix.patch
-Patch26: %{name}-pollset-segv.patch
-# Official patches
-# http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/
-Patch27: PR46949.diff
 URL: http://httpd.apache.org/
-# http://svn.apache.org/viewvc?view=rev&revision=772997
-BuildRequires: security(CVE-2009-1195)
 BuildRequires: apr-devel >= 1:1.2
 BuildRequires: apr-util-devel >= 1:1.3
 BuildRequires: autoconf
@@ -1730,10 +1723,8 @@ Dwa programy testowe/przykładowe cgi: test-cgi and print-env.
 %patch19 -p1
 %patch20 -p1
 %patch23 -p1
-%patch24 -p1
-%patch25 -p0
-%patch26 -p0
-%patch27 -p0
+# disable for now, we'll see how things are handled now
+#%patch24 -p1
 # using system apr, apr-util and pcre
 rm -rf srclib/{apr,apr-util,pcre}
--
2.44.0
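Review bot: The added `#%patch24 -p1` in the `@@ -1730` hunk stops applying the bug-40463 revert, and its only explanation is "disable for now, we'll see how things are handled now". `Patch24: %{name}-revert-bug-40463.patch` is still declared (context of the `@@ -72` hunk), so the package carries a patch it no longer applies, and nothing records what has to be re-checked against 2.2.12. Because this rides along with a CVE-fixing version bump, a later regression would be hard to attribute to either change. I would put the reason and the exit condition in the comment, e.g. `# Patch24 not applied since 2.2.12: <what to verify>; re-enable or drop Patch24 once confirmed`. rpm expands macros inside comment lines, so the safer spelling is `#%%patch24 -p1`; whether `%patch` itself is affected depends on the rpm version in use, and the rest of %prep lies outside this hunk.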