authorBenedikt Boehm <hollow@gentoo.org>2008-06-01 12:09:51 +0000
committerBenedikt Boehm <hollow@gentoo.org>2008-06-01 12:09:51 +0000
commitb5a5faba8e00e63fbc2b0c675aa62a57e5b7231d (patch)
tree7004432662c3a1ee23ab84822630650edca781df /2.2/patches
parentfix #110556, #209095, #212837 (diff)
add mod_ssl patch wrt security #222643; add configdump to init script
Diffstat (limited to '2.2/patches')
-rw-r--r--2.2/patches/05_all_mod_ssl_cleanup.patch26
1 files changed, 26 insertions, 0 deletions
diff --git a/2.2/patches/05_all_mod_ssl_cleanup.patch b/2.2/patches/05_all_mod_ssl_cleanup.patch
new file mode 100644
index 0000000..b296ada
--- /dev/null
+++ b/2.2/patches/05_all_mod_ssl_cleanup.patch
@@ -0,0 +1,26 @@
+--- httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:16:38 654118
++++ httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:17:31 654119
+@@ -218,17 +218,18 @@
+ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+ ENGINE_cleanup();
+ #endif
+-#ifdef HAVE_OPENSSL
+-#if OPENSSL_VERSION_NUMBER >= 0x00907001
+- CRYPTO_cleanup_all_ex_data();
+-#endif
+-#endif
+ ERR_remove_state(0);
+
+ /* Don't call ERR_free_strings here; ERR_load_*_strings only
+ * actually load the error strings once per process due to static
+ * variable abuse in OpenSSL. */
+
++ /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
++ * ex_data indices may have been cached in static variables in
++ * OpenSSL; removing them may cause havoc. Notably, with OpenSSL
++ * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
++ * could result in a per-connection memory leak (!). */
++
+ /*
+ * TODO: determine somewhere we can safely shove out diagnostics
+ * (when enabled) at this late stage in the game:
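Review bot: The new patch file opens directly on its `---`/`+++` headers, so nothing inside it records why it is carried; the only link to security bug #222643 is the commit message. A short header above the first `---` line, for example `Gentoo bug #222643; backport of httpd trunk 654118 -> 654119 (modules/ssl/mod_ssl.c)`, would let a later maintainer check on a version bump whether the fix is already upstream and the patch can be dropped (the two numbers appear to be the upstream revisions, going by the header lines). The comment added inside the patch describes a per-connection memory leak with OpenSSL >= 0.9.8f, so it is worth stating in that header that the patch is security-relevant and should not be removed without checking that. The mod_ssl.c function being changed starts and ends outside the inner hunk, so whether the remaining `ERR_remove_state(0)` call is the last OpenSSL cleanup step cannot be confirmed from here.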