authorBenedikt Boehm <hollow@gentoo.org>2009-07-29 08:08:30 +0000
committerBenedikt Boehm <hollow@gentoo.org>2009-07-29 08:08:30 +0000
commit8e7082d1d4d2d7c427d600a816934b89cdc6f7f8 (patch)
tree7d37954713c54299079b1f88ece358c9fe1fcaab
parentadd peruser-dc patch (diff)
remove patches that have been backported to 2.2.12
-rw-r--r--.gitignore1
-rw-r--r--2.2/patches/04_all_mod_ssl_tls_sni.patch380
-rw-r--r--2.2/patches/05_all_fix_graceful_multiple_listeners.patch42
-rw-r--r--2.2/patches/06_all_CVE-2009-1191.patch37
-rw-r--r--2.2/patches/07_all_CVE-2009-1195.patch136
-rw-r--r--2.2/patches/08_all_CVE-2009-1890.patch38
-rw-r--r--2.2/patches/09_all_CVE-2009-1891.patch29
-rw-r--r--2.2/patches/10_all_r779472.patch67
-rw-r--r--2.2/patches/11_all_r790738.patch18
9 files changed, 1 insertions, 747 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bb6dce2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+gentoo-apache-*.tar.bz2
diff --git a/2.2/patches/04_all_mod_ssl_tls_sni.patch b/2.2/patches/04_all_mod_ssl_tls_sni.patch
deleted file mode 100644
index 73392ae..0000000
--- a/2.2/patches/04_all_mod_ssl_tls_sni.patch
+++ /dev/null
@@ -1,380 +0,0 @@
-# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
-# (see RFC 4366, "Transport Layer Security (TLS) Extensions")
-
-# based on a patch from the EdelKey project
-# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
-
-# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
-# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions
-# must be configured explicitly for TLS extension support at compile time
-# ("./config enable-tlsext").
-
-Index: httpd-2.2.x/modules/ssl/ssl_private.h
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_private.h (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_private.h (working copy)
-@@ -35,6 +35,7 @@
- #include "http_connection.h"
- #include "http_request.h"
- #include "http_protocol.h"
-+#include "http_vhost.h"
- #include "util_script.h"
- #include "util_filter.h"
- #include "util_ebcdic.h"
-@@ -555,6 +556,9 @@ int ssl_callback_NewSessionCach
- SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
- void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
- void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
-+#ifndef OPENSSL_NO_TLSEXT
-+int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
-+#endif
-
- /** Session Cache Support */
- void ssl_scache_init(server_rec *, apr_pool_t *);
-Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_init.c (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c (working copy)
-@@ -355,6 +355,33 @@ static void ssl_init_server_check(server
- }
- }
-
-+#ifndef OPENSSL_NO_TLSEXT
-+static void ssl_init_ctx_tls_extensions(server_rec *s,
-+ apr_pool_t *p,
-+ apr_pool_t *ptemp,
-+ modssl_ctx_t *mctx)
-+{
-+ /*
-+ * Configure TLS extensions support
-+ */
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "Configuring TLS extension handling");
-+
-+ /*
-+ * Server name indication (SNI)
-+ */
-+ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
-+ ssl_callback_ServerNameIndication) ||
-+ !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
-+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "Unable to initialize TLS servername extension "
-+ "callback (incompatible OpenSSL version?)");
-+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
-+ ssl_die();
-+ }
-+}
-+#endif
-+
- static void ssl_init_ctx_protocol(server_rec *s,
- apr_pool_t *p,
- apr_pool_t *ptemp,
-@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,
- if (mctx->pks) {
- /* XXX: proxy support? */
- ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
-+#ifndef OPENSSL_NO_TLSEXT
-+ ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
-+#endif
- }
- }
-
-@@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b
- klen = strlen(key);
-
- if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
-- ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
-+ ap_log_error(APLOG_MARK,
-+#ifdef OPENSSL_NO_TLSEXT
-+ APLOG_WARNING,
-+#else
-+ APLOG_DEBUG,
-+#endif
-+ 0,
- base_server,
-+#ifdef OPENSSL_NO_TLSEXT
- "Init: SSL server IP/port conflict: "
-+#else
-+ "Init: SSL server IP/port overlap: "
-+#endif
- "%s (%s:%d) vs. %s (%s:%d)",
- ssl_util_vhostid(p, s),
- (s->defn_name ? s->defn_name : "unknown"),
-@@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b
-
- if (conflict) {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
-+#ifdef OPENSSL_NO_TLSEXT
- "Init: You should not use name-based "
- "virtual hosts in conjunction with SSL!!");
-+#else
-+ "Init: Name-based SSL virtual hosts only "
-+ "work for clients with TLS server name indication "
-+ "support (RFC 4366)");
-+#endif
- }
- }
-
-Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_vars.c (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c (working copy)
-@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool
- else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
- result = ssl_var_lookup_ssl_compress_meth(ssl);
- }
-+#ifndef OPENSSL_NO_TLSEXT
-+ else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
-+ result = apr_pstrdup(p, SSL_get_servername(ssl,
-+ TLSEXT_NAMETYPE_host_name));
-+ }
-+#endif
- return result;
- }
-
-Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c (working copy)
-@@ -31,6 +31,9 @@
- #include "ssl_private.h"
-
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
-+#ifndef OPENSSL_NO_TLSEXT
-+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
-+#endif
-
- /*
- * Post Read Request Handler
-@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r)
- {
- SSLConnRec *sslconn = myConnConfig(r->connection);
- SSL *ssl;
-+#ifndef OPENSSL_NO_TLSEXT
-+ const char *servername;
-+#endif
-
- if (!sslconn) {
- return DECLINED;
-@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r)
- if (!ssl) {
- return DECLINED;
- }
-+#ifndef OPENSSL_NO_TLSEXT
-+ if (!r->hostname &&
-+ (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-+ /* Use the SNI extension as the hostname if no Host: header was sent */
-+ r->hostname = apr_pstrdup(r->pool, servername);
-+ ap_update_vhost_from_headers(r);
-+ }
-+#endif
- SSL_set_app_data2(ssl, r);
-
- /*
-@@ -353,6 +367,11 @@ int ssl_hook_Access(request_rec *r)
- * currently active/remembered verify depth (because this means more
- * restriction on the certificate chain).
- */
-+ if ((sc->server->auth.verify_depth != UNSET) &&
-+ (dc->nVerifyDepth == UNSET)) {
-+ /* apply per-vhost setting, if per-directory config is not set */
-+ dc->nVerifyDepth = sc->server->auth.verify_depth;
-+ }
- if (dc->nVerifyDepth != UNSET) {
- /* XXX: doesnt look like sslconn->verify_depth is actually used */
- if (!(n = sslconn->verify_depth)) {
-@@ -382,6 +401,11 @@ int ssl_hook_Access(request_rec *r)
- * verification but at least skip the I/O-intensive renegotation
- * handshake.
- */
-+ if ((sc->server->auth.verify_mode != SSL_CVERIFY_UNSET) &&
-+ (dc->nVerifyClient == SSL_CVERIFY_UNSET)) {
-+ /* apply per-vhost setting, if per-directory config is not set */
-+ dc->nVerifyClient = sc->server->auth.verify_mode;
-+ }
- if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
- /* remember old state */
- verify_old = SSL_get_verify_mode(ssl);
-@@ -997,6 +1021,9 @@ int ssl_hook_Fixup(request_rec *r)
- SSLDirConfigRec *dc = myDirConfig(r);
- apr_table_t *env = r->subprocess_env;
- char *var, *val = "";
-+#ifndef OPENSSL_NO_TLSEXT
-+ const char *servername;
-+#endif
- STACK_OF(X509) *peer_certs;
- SSL *ssl;
- int i;
-@@ -1018,6 +1045,13 @@ int ssl_hook_Fixup(request_rec *r)
- /* the always present HTTPS (=HTTP over SSL) flag! */
- apr_table_setn(env, "HTTPS", "on");
-
-+#ifndef OPENSSL_NO_TLSEXT
-+ /* add content of SNI TLS extension (if supplied with ClientHello) */
-+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-+ apr_table_set(env, "SSL_TLS_SNI", servername);
-+ }
-+#endif
-+
- /* standard SSL environment variables */
- if (dc->nOptions & SSL_OPT_STDENVVARS) {
- for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
-@@ -1810,3 +1844,141 @@ void ssl_callback_LogTracingState(MODSSL
- }
- }
-
-+#ifndef OPENSSL_NO_TLSEXT
-+/*
-+ * This callback function is executed when OpenSSL encounters an extended
-+ * client hello with a server name indication extension ("SNI", cf. RFC 4366).
-+ */
-+int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
-+{
-+ const char *servername =
-+ SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-+
-+ if (servername) {
-+ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-+ if (c) {
-+ if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
-+ (void *)servername)) {
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-+ "SSL virtual host for servername %s found",
-+ servername);
-+ return SSL_TLSEXT_ERR_OK;
-+ }
-+ else {
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-+ "No matching SSL virtual host for servername "
-+ "%s found (using default/first virtual host)",
-+ servername);
-+ return SSL_TLSEXT_ERR_ALERT_WARNING;
-+ }
-+ }
-+ }
-+
-+ return SSL_TLSEXT_ERR_NOACK;
-+}
-+
-+/*
-+ * Find a (name-based) SSL virtual host where either the ServerName
-+ * or one of the ServerAliases matches the supplied name (to be used
-+ * with ap_vhost_iterate_given_conn())
-+ */
-+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
-+{
-+ SSLSrvConfigRec *sc;
-+ SSL *ssl;
-+ BOOL found = FALSE;
-+ apr_array_header_t *names;
-+ int i;
-+
-+ /* check ServerName */
-+ if (!strcasecmp(servername, s->server_hostname)) {
-+ found = TRUE;
-+ }
-+
-+ /*
-+ * if not matched yet, check ServerAlias entries
-+ * (adapted from vhost.c:matches_aliases())
-+ */
-+ if (!found) {
-+ names = s->names;
-+ if (names) {
-+ char **name = (char **)names->elts;
-+ for (i = 0; i < names->nelts; ++i) {
-+ if (!name[i])
-+ continue;
-+ if (!strcasecmp(servername, name[i])) {
-+ found = TRUE;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+
-+ /* if still no match, check ServerAlias entries with wildcards */
-+ if (!found) {
-+ names = s->wild_names;
-+ if (names) {
-+ char **name = (char **)names->elts;
-+ for (i = 0; i < names->nelts; ++i) {
-+ if (!name[i])
-+ continue;
-+ if (!ap_strcasecmp_match(servername, name[i])) {
-+ found = TRUE;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+
-+ /* set SSL_CTX (if matched) */
-+ if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
-+ (sc = mySrvConfig(s))) {
-+ SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
-+ /*
-+ * SSL_set_SSL_CTX() only deals with the server cert,
-+ * so we need to duplicate a few additional settings
-+ * from the ctx by hand
-+ */
-+ SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
-+ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
-+ (SSL_num_renegotiations(ssl) == 0)) {
-+ /*
-+ * Only initialize the verification settings from the ctx
-+ * if they are not yet set, or if we're called when a new
-+ * SSL connection is set up (num_renegotiations == 0).
-+ * Otherwise, we would possibly reset a per-directory
-+ * configuration which was put into effect by ssl_hook_Access.
-+ */
-+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-+ SSL_CTX_get_verify_callback(ssl->ctx));
-+ }
-+
-+ /*
-+ * We also need to make sure that the correct mctx
-+ * (accessed through the c->base_server->module_config vector)
-+ * is assigned to the connection - the CRL callback e.g.
-+ * makes use of it for retrieving its store (mctx->crl).
-+ * Since logging in callbacks uses c->base_server in many
-+ * cases, it also ensures that these messages are routed
-+ * to the proper log.
-+ */
-+ c->base_server = s;
-+
-+ /*
-+ * There is one special filter callback, which is set
-+ * very early depending on the base_server's log level.
-+ * If this is not the first vhost we're now selecting
-+ * (and the first vhost doesn't use APLOG_DEBUG), then
-+ * we need to set that callback here.
-+ */
-+ if (c->base_server->loglevel >= APLOG_DEBUG) {
-+ BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
-+ BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
-+ }
-+
-+ return 1;
-+ }
-+
-+ return 0;
-+}
-+#endif
-Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h (working copy)
-@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *
- #define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
- #endif
-
-+#ifndef OPENSSL_NO_TLSEXT
-+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
-+#define OPENSSL_NO_TLSEXT
-+#endif
-+#endif
-+
- #endif /* SSL_TOOLKIT_COMPAT_H */
-
- /** @} */
diff --git a/2.2/patches/05_all_fix_graceful_multiple_listeners.patch b/2.2/patches/05_all_fix_graceful_multiple_listeners.patch
deleted file mode 100644
index 6ed9de1..0000000
--- a/2.2/patches/05_all_fix_graceful_multiple_listeners.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c 2009/01/31 20:53:11 739607
-+++ httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c 2009/01/31 20:54:55 739608
-@@ -577,19 +577,27 @@
- apr_int32_t numdesc;
- const apr_pollfd_t *pdesc;
-
-- /* timeout == -1 == wait forever */
-- status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc);
-+ /* check for termination first so we don't sleep for a while in
-+ * poll if already signalled
-+ */
-+ if (one_process && shutdown_pending) {
-+ SAFE_ACCEPT(accept_mutex_off());
-+ return;
-+ }
-+ else if (die_now) {
-+ /* In graceful stop/restart; drop the mutex
-+ * and terminate the child. */
-+ SAFE_ACCEPT(accept_mutex_off());
-+ clean_child_exit(0);
-+ }
-+ /* timeout == 10 seconds to avoid a hang at graceful restart/stop
-+ * caused by the closing of sockets by the signal handler
-+ */
-+ status = apr_pollset_poll(pollset, apr_time_from_sec(10),
-+ &numdesc, &pdesc);
- if (status != APR_SUCCESS) {
-- if (APR_STATUS_IS_EINTR(status)) {
-- if (one_process && shutdown_pending) {
-- return;
-- }
-- else if (die_now) {
-- /* In graceful stop/restart; drop the mutex
-- * and terminate the child. */
-- SAFE_ACCEPT(accept_mutex_off());
-- clean_child_exit(0);
-- }
-+ if (APR_STATUS_IS_TIMEUP(status) ||
-+ APR_STATUS_IS_EINTR(status)) {
- continue;
- }
- /* Single Unix documents select as returning errnos
diff --git a/2.2/patches/06_all_CVE-2009-1191.patch b/2.2/patches/06_all_CVE-2009-1191.patch
deleted file mode 100644
index cbb790a..0000000
--- a/2.2/patches/06_all_CVE-2009-1191.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Index: modules/proxy/mod_proxy_ajp.c
-===================================================================
---- modules/proxy/mod_proxy_ajp.c (Revision 763379)
-+++ modules/proxy/mod_proxy_ajp.c (Arbeitskopie)
-@@ -307,21 +307,17 @@
- "proxy: read zero bytes, expecting"
- " %" APR_OFF_T_FMT " bytes",
- content_length);
-- status = ajp_send_data_msg(conn->sock, msg, 0);
-- if (status != APR_SUCCESS) {
-- /* We had a failure: Close connection to backend */
-- conn->close++;
-- ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
-- "proxy: send failed to %pI (%s)",
-- conn->worker->cp->addr,
-- conn->worker->hostname);
-- return HTTP_INTERNAL_SERVER_ERROR;
-- }
-- else {
-- /* Client send zero bytes with C-L > 0
-- */
-- return HTTP_BAD_REQUEST;
-- }
-+ /*
-+ * We can only get here if the client closed the connection
-+ * to us without sending the body.
-+ * Now the connection is in the wrong state on the backend.
-+ * Sending an empty data msg doesn't help either as it does
-+ * not move this connection to the correct state on the backend
-+ * for later resusage by the next request again.
-+ * Close it to clean things up.
-+ */
-+ conn->close++;
-+ return HTTP_BAD_REQUEST;
- }
- }
-
diff --git a/2.2/patches/07_all_CVE-2009-1195.patch b/2.2/patches/07_all_CVE-2009-1195.patch
deleted file mode 100644
index 14a6dba..0000000
--- a/2.2/patches/07_all_CVE-2009-1195.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-Index: server/config.c
-===================================================================
---- server/config.c (revision 773036)
-+++ server/config.c (working copy)
-@@ -1510,7 +1510,7 @@
- parms.temp_pool = ptemp;
- parms.server = s;
- parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
-
- parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
- &arr_parms, NULL,
-@@ -1617,7 +1617,7 @@
- parms.temp_pool = ptemp;
- parms.server = s;
- parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
-
- rv = ap_pcfg_openfile(&cfp, p, fname);
- if (rv != APR_SUCCESS) {
-@@ -1755,7 +1755,7 @@
- parms.temp_pool = ptemp;
- parms.server = s;
- parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
-- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
- parms.limited = -1;
-
- errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
-Index: server/core.c
-===================================================================
---- server/core.c (revision 773036)
-+++ server/core.c (working copy)
-@@ -108,8 +108,7 @@
- conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
- conf->opts_add = conf->opts_remove = OPT_NONE;
- conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
-- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
-- | OPT_MULTI;
-+ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
-
- conf->content_md5 = 2;
- conf->accept_path_info = 3;
-@@ -242,8 +241,15 @@
- conf->opts_remove = (conf->opts_remove & ~new->opts_add)
- | new->opts_remove;
- conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
-- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
-- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
-+
-+ /* If Includes was enabled with exec in the base config, but
-+ * was enabled without exec in the new config, then disable
-+ * exec in the merged set. */
-+ if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
-+ == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
-+ && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
-+ == OPT_INCLUDES)) {
-+ conf->opts &= ~OPT_INC_WITH_EXEC;
- }
- }
- else {
-@@ -1304,10 +1310,12 @@
- opt = OPT_INDEXES;
- }
- else if (!strcasecmp(w, "Includes")) {
-- opt = OPT_INCLUDES;
-+ /* If Includes is permitted, both Includes and
-+ * IncludesNOEXEC may be changed. */
-+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
- }
- else if (!strcasecmp(w, "IncludesNOEXEC")) {
-- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+ opt = OPT_INCLUDES;
- }
- else if (!strcasecmp(w, "FollowSymLinks")) {
- opt = OPT_SYM_LINKS;
-@@ -1428,10 +1436,10 @@
- opt = OPT_INDEXES;
- }
- else if (!strcasecmp(w, "Includes")) {
-- opt = OPT_INCLUDES;
-+ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
- }
- else if (!strcasecmp(w, "IncludesNOEXEC")) {
-- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+ opt = OPT_INCLUDES;
- }
- else if (!strcasecmp(w, "FollowSymLinks")) {
- opt = OPT_SYM_LINKS;
-Index: modules/filters/mod_include.c
-===================================================================
---- modules/filters/mod_include.c (revision 773036)
-+++ modules/filters/mod_include.c (working copy)
-@@ -3574,7 +3574,7 @@
- intern->seen_eos = 0;
- intern->state = PARSE_PRE_HEAD;
- ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
-- if (ap_allow_options(r) & OPT_INCNOEXEC) {
-+ if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
- ctx->flags |= SSI_FLAG_NO_EXEC;
- }
- intern->accessenable = conf->accessenable;
-Index: include/http_core.h
-===================================================================
---- include/http_core.h (revision 773036)
-+++ include/http_core.h (working copy)
-@@ -65,7 +65,7 @@
- #define OPT_NONE 0
- /** Indexes directive */
- #define OPT_INDEXES 1
--/** Includes directive */
-+/** SSI is enabled without exec= permission */
- #define OPT_INCLUDES 2
- /** FollowSymLinks directive */
- #define OPT_SYM_LINKS 4
-@@ -73,14 +73,14 @@
- #define OPT_EXECCGI 8
- /** directive unset */
- #define OPT_UNSET 16
--/** IncludesNOEXEC directive */
--#define OPT_INCNOEXEC 32
-+/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
-+#define OPT_INC_WITH_EXEC 32
- /** SymLinksIfOwnerMatch directive */
- #define OPT_SYM_OWNER 64
- /** MultiViews directive */
- #define OPT_MULTI 128
- /** All directives */
--#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
-+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
- /** @} */
-
- /**
-
diff --git a/2.2/patches/08_all_CVE-2009-1890.patch b/2.2/patches/08_all_CVE-2009-1890.patch
deleted file mode 100644
index 672c82b..0000000
--- a/2.2/patches/08_all_CVE-2009-1890.patch
+++ /dev/null
@@ -1,38 +0,0 @@
---- httpd/httpd/trunk/modules/proxy/mod_proxy_http.c 2009/07/02 13:37:39 790586
-+++ httpd/httpd/trunk/modules/proxy/mod_proxy_http.c 2009/07/02 13:41:18 790587
-@@ -427,10 +427,16 @@
- apr_off_t bytes_streamed = 0;
-
- if (old_cl_val) {
-+ char *endstr;
-+
- add_cl(p, bucket_alloc, header_brigade, old_cl_val);
-- if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
-- 0))) {
-- return HTTP_INTERNAL_SERVER_ERROR;
-+ status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
-+
-+ if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
-+ "proxy: could not parse request Content-Length (%s)",
-+ old_cl_val);
-+ return HTTP_BAD_REQUEST;
- }
- }
- terminate_headers(bucket_alloc, header_brigade);
-@@ -463,8 +469,13 @@
- *
- * Prevents HTTP Response Splitting.
- */
-- if (bytes_streamed > cl_val)
-- continue;
-+ if (bytes_streamed > cl_val) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "proxy: read more bytes of request body than expected "
-+ "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
-+ bytes_streamed, cl_val);
-+ return HTTP_INTERNAL_SERVER_ERROR;
-+ }
-
- if (header_brigade) {
- /* we never sent the header brigade, so go ahead and
diff --git a/2.2/patches/09_all_CVE-2009-1891.patch b/2.2/patches/09_all_CVE-2009-1891.patch
deleted file mode 100644
index 4d778f8..0000000
--- a/2.2/patches/09_all_CVE-2009-1891.patch
+++ /dev/null
@@ -1,29 +0,0 @@
---- httpd/httpd/branches/2.2.x/server/core_filters.c 2009/07/06 12:01:05 791453
-+++ httpd/httpd/branches/2.2.x/server/core_filters.c 2009/07/06 12:03:20 791454
-@@ -542,6 +542,12 @@
- apr_read_type_e eblock = APR_NONBLOCK_READ;
- apr_pool_t *input_pool = b->p;
-
-+ /* Fail quickly if the connection has already been aborted. */
-+ if (c->aborted) {
-+ apr_brigade_cleanup(b);
-+ return APR_ECONNABORTED;
-+ }
-+
- if (ctx == NULL) {
- ctx = apr_pcalloc(c->pool, sizeof(*ctx));
- net->out_ctx = ctx;
-@@ -909,12 +915,9 @@
- /* No need to check for SUCCESS, we did that above. */
- if (!APR_STATUS_IS_EAGAIN(rv)) {
- c->aborted = 1;
-+ return APR_ECONNABORTED;
- }
-
-- /* The client has aborted, but the request was successful. We
-- * will report success, and leave it to the access and error
-- * logs to note that the connection was aborted.
-- */
- return APR_SUCCESS;
- }
-
diff --git a/2.2/patches/10_all_r779472.patch b/2.2/patches/10_all_r779472.patch
deleted file mode 100644
index c4bb6cb..0000000
--- a/2.2/patches/10_all_r779472.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-Index: server/core.c
-===================================================================
---- server/core.c (revision 779471)
-+++ server/core.c (revision 779472)
-@@ -661,7 +661,11 @@
- core_dir_config *conf =
- (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
-
-- return conf->opts;
-+ /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
-+ * inverted, such that the exposed semantics match that of
-+ * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
-+ * permitted. */
-+ return conf->opts ^ OPT_INC_WITH_EXEC;
- }
-
- AP_DECLARE(int) ap_allow_overrides(request_rec *r)
-Index: modules/filters/mod_include.c
-===================================================================
---- modules/filters/mod_include.c (revision 779471)
-+++ modules/filters/mod_include.c (revision 779472)
-@@ -3565,7 +3565,7 @@
- intern->seen_eos = 0;
- intern->state = PARSE_PRE_HEAD;
- ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
-- if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
-+ if (ap_allow_options(r) & OPT_INCNOEXEC) {
- ctx->flags |= SSI_FLAG_NO_EXEC;
- }
- intern->accessenable = conf->accessenable;
-Index: include/http_core.h
-===================================================================
---- include/http_core.h (revision 779471)
-+++ include/http_core.h (revision 779472)
-@@ -73,16 +73,29 @@
- #define OPT_EXECCGI 8
- /** directive unset */
- #define OPT_UNSET 16
--/** SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
--#define OPT_INC_WITH_EXEC 32
-+/** IncludesNOEXEC directive */
-+#define OPT_INCNOEXEC 32
- /** SymLinksIfOwnerMatch directive */
- #define OPT_SYM_OWNER 64
- /** MultiViews directive */
- #define OPT_MULTI 128
- /** All directives */
--#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
-+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
- /** @} */
-
-+#ifdef CORE_PRIVATE
-+/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
-+ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
-+ * of the two SSI-related bits are hence:
-+ *
-+ * OPT_INCLUDES => "enable SSI, without exec= permission"
-+ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
-+ *
-+ * The set of options exposed via ap_allow_options() retains the
-+ * semantics of OPT_INCNOEXEC by flipping the bit. */
-+#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
-+#endif
-+
- /**
- * @defgroup get_remote_host Remote Host Resolution
- * @ingroup APACHE_CORE_HTTPD
diff --git a/2.2/patches/11_all_r790738.patch b/2.2/patches/11_all_r790738.patch
deleted file mode 100644
index 3ddf33b..0000000
--- a/2.2/patches/11_all_r790738.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Index: server/core.c
-===================================================================
---- server/core.c (revision 790737)
-+++ server/core.c (revision 790738)
-@@ -665,7 +665,12 @@
- * inverted, such that the exposed semantics match that of
- * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
- * permitted. */
-- return conf->opts ^ OPT_INC_WITH_EXEC;
-+ if (conf->opts & OPT_INCLUDES) {
-+ return conf->opts ^ OPT_INC_WITH_EXEC;
-+ }
-+ else {
-+ return conf->opts;
-+ }
- }
-
- AP_DECLARE(int) ap_allow_overrides(request_rec *r)