author | 2008-06-01 12:09:51 +0000 | |
---|---|---|
committer | 2008-06-01 12:09:51 +0000 | |
commit | b5a5faba8e00e63fbc2b0c675aa62a57e5b7231d (patch) | |
tree | 7004432662c3a1ee23ab84822630650edca781df /2.2/patches | |
parent | fix #110556, #209095, #212837 (diff) | |
add mod_ssl patch wrt security #222643; add configdump to init script
Diffstat (limited to '2.2/patches')
-rw-r--r-- | 2.2/patches/05_all_mod_ssl_cleanup.patch | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/2.2/patches/05_all_mod_ssl_cleanup.patch b/2.2/patches/05_all_mod_ssl_cleanup.patch
new file mode 100644
index 0000000..b296ada
--- /dev/null
+++ b/2.2/patches/05_all_mod_ssl_cleanup.patch
@@ -0,0 +1,26 @@
+--- httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:16:38 654118
++++ httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:17:31 654119
+@@ -218,17 +218,18 @@
+ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+ ENGINE_cleanup();
+ #endif
+-#ifdef HAVE_OPENSSL
+-#if OPENSSL_VERSION_NUMBER >= 0x00907001
+- CRYPTO_cleanup_all_ex_data();
+-#endif
+-#endif
+ ERR_remove_state(0);
+
+ /* Don't call ERR_free_strings here; ERR_load_*_strings only
+ * actually load the error strings once per process due to static
+ * variable abuse in OpenSSL. */
+
++ /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
++ * ex_data indices may have been cached in static variables in
++ * OpenSSL; removing them may cause havoc. Notably, with OpenSSL
++ * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
++ * could result in a per-connection memory leak (!). */
++
+ /*
+ * TODO: determine somewhere we can safely shove out diagnostics
+ * (when enabled) at this late stage in the game: |
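Review bot: The new patch file has no header recording where it came from or why it is carried; the only provenance is the trunk revision pair 654118/654119 in the embedded `---`/`+++` lines, and the link to security bug #222643 exists only in the commit message. I would add a short preamble above the embedded `---` line, for example `Upstream httpd trunk r654119; security bug #222643; drop once the packaged 2.2 release contains this change`, so a later maintainer can tell when the patch is obsolete. Because the embedded diff was generated against trunk but is stored under 2.2/patches, it is also worth confirming that the context around line 218 matches the 2.2 sources and applies without fuzz; that cannot be checked from this page. The enclosing function in mod_ssl.c starts and ends outside the embedded hunk.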