From 882bf190fdc488f0e62bc0518039389834c92e4f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Pawe=C5=82=20Go=C5=82aszewski?= <blues@pld-linux.org>
Date: Mon, 25 May 2009 11:16:11 +0000
Subject: [PATCH] - rel. 11 - official PR46949 patch added - fixes
 CVE-2009-1191

Changed files:
    PR46949.diff -> 1.1
    TODO -> 1.1
    apache.spec -> 1.563
---
 PR46949.diff | 37 +++++++++++++++++++++++++++++++++++++
 TODO         | 17 +++++++++++++++++
 apache.spec  | 21 +++++----------------
 3 files changed, 59 insertions(+), 16 deletions(-)
 create mode 100644 PR46949.diff
 create mode 100644 TODO

diff --git a/PR46949.diff b/PR46949.diff
new file mode 100644
index 0000000..cbb790a
--- /dev/null
+++ b/PR46949.diff
@@ -0,0 +1,37 @@
+Index: modules/proxy/mod_proxy_ajp.c
+===================================================================
+--- modules/proxy/mod_proxy_ajp.c	(Revision 763379)
++++ modules/proxy/mod_proxy_ajp.c	(Arbeitskopie)
+@@ -307,21 +307,17 @@
+                          "proxy: read zero bytes, expecting"
+                          " %" APR_OFF_T_FMT " bytes",
+                          content_length);
+-            status = ajp_send_data_msg(conn->sock, msg, 0);
+-            if (status != APR_SUCCESS) {
+-                /* We had a failure: Close connection to backend */
+-                conn->close++;
+-                ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
+-                            "proxy: send failed to %pI (%s)",
+-                            conn->worker->cp->addr,
+-                            conn->worker->hostname);
+-                return HTTP_INTERNAL_SERVER_ERROR;
+-            }
+-            else {
+-                /* Client send zero bytes with C-L > 0
+-                 */
+-                return HTTP_BAD_REQUEST;
+-            }
++            /*
++             * We can only get here if the client closed the connection
++             * to us without sending the body.
++             * Now the connection is in the wrong state on the backend.
++             * Sending an empty data msg doesn't help either as it does
++             * not move this connection to the correct state on the backend
++             * for later resusage by the next request again.
++             * Close it to clean things up.
++             */
++            conn->close++;
++            return HTTP_BAD_REQUEST;
+         }
+     }
+ 
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..dff1bd3
--- /dev/null
+++ b/TODO
@@ -0,0 +1,17 @@
+# TODO:
+- config examples for mod_*
+- --with-suexec-uidmin=500 or =1000 ?
+- subpackages for MPMs
+- !!!check if all modules (*.so) are exactly the same for different MPMs
+- check those autn modules inner deps
+- for external packages: don't use any apache module name in dep as they
+  differ for apache 1.3/2.0/2.2!? any better ideas? rpm Suggests: tags?
+- for mod_auth_* modules require each auth module to require virtual authn so at least *_default
+  is chosen?
+- same for mod_authz
+- mod_auth_digest and mod_auth_basic R: apache(authn) ?
+- drop mod_case_filter* or find summary and description for them
+- build modules only once (not with each mpm)
+- FYI: http://wiki.apache.org/httpd/InternalDummyConnection
+
+
diff --git a/apache.spec b/apache.spec
index a981a7f..cdb1796 100644
--- a/apache.spec
+++ b/apache.spec
@@ -1,18 +1,3 @@
-# TODO:
-# - config examples for mod_*
-# - --with-suexec-uidmin=500 or =1000 ?
-# - subpackages for MPMs
-# - !!!check if all modules (*.so) are exactly the same for different MPMs
-# - check those autn modules inner deps
-# - for external packages: don't use any apache module name in dep as they
-#   differ for apache 1.3/2.0/2.2!? any better ideas? rpm Suggests: tags?
-# - for mod_auth_* modules require each auth module to require virtual authn so at least *_default is chosen?
-# - same for mod_authz
-# - mod_auth_digest and mod_auth_basic R: apache(authn) ?
-# - drop mod_case_filter* or find summary and description for them
-# - build modules only once (not with each mpm)
-# - FYI: http://wiki.apache.org/httpd/InternalDummyConnection
-
 # Conditional build:
 %bcond_without	ssl		# build without SSL support
 %bcond_without	ldap		# build without LDAP support
@@ -34,7 +19,7 @@ Summary(ru.UTF-8):	Ð¡Ð°Ð¼ÑÐ¹ Ð¿Ð¾Ð¿ÑÐ»ÑÑÐ½ÑÐ¹ Ð²ÐµÐ±-ÑÐµÑÐ²ÐµÑ
 Summary(tr.UTF-8):	Lider WWW tarayÄ±cÄ±
 Name:		apache
 Version:	2.2.11
-Release:	10
+Release:	11
 License:	Apache v2.0
 Group:		Networking/Daemons/HTTP
 Source0:	http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
@@ -89,6 +74,9 @@ Patch23:	%{name}-suexec_fcgi.patch
 Patch24:	%{name}-revert-bug-40463.patch
 Patch25:	%{name}-prefork-graceful-fix.patch
 Patch26:	%{name}-pollset-segv.patch
+# Official patches
+# http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/
+Patch27:	PR46949.diff
 URL:		http://httpd.apache.org/
 BuildRequires:	apr-devel >= 1:1.2
 BuildRequires:	apr-util-devel >= 1:1.3
@@ -1743,6 +1731,7 @@ Dwa programy testowe/przykÅadowe cgi: test-cgi and print-env.
 %patch24 -p1
 %patch25 -p0
 %patch26 -p0
+%patch27 -p0
 
 # using system apr, apr-util and pcre
 rm -rf srclib/{apr,apr-util,pcre}
-- 
2.44.0