authorBenedikt Boehm <hollow@gentoo.org>2008-01-19 09:31:37 +0000
committerBenedikt Boehm <hollow@gentoo.org>2008-01-19 09:31:37 +0000
commit43d979ec54962e3a133488858774d3fdaafffab1 (patch)
tree72249d987a0a83c4f4b37cf5f59118c93a5defa0
parentfix #204822 (diff)
downloadapache-43d979ec54962e3a133488858774d3fdaafffab1.tar.gz
apache-43d979ec54962e3a133488858774d3fdaafffab1.tar.bz2
apache-43d979ec54962e3a133488858774d3fdaafffab1.zip
remove obsolete CVE patches; bump SNI patch; bump ITK patch
-rw-r--r--2.2/patches/01_all_mod_rewrite_ampescape.patch10
-rw-r--r--2.2/patches/04_all_mod_ssl_tls_sni.patch466
-rw-r--r--2.2/patches/05_all_CVE-2006-6203.patch32
-rw-r--r--2.2/patches/06_all_CVE-2007-5000.patch25
-rw-r--r--2.2/patches/07_all_CVE-2007-6388.patch43
-rw-r--r--2.2/patches/08_all_CVE-2007-6421.patch32
-rw-r--r--2.2/patches/09_all_CVE-2007-6422.patch13
-rw-r--r--2.2/patches/21_all_itk_20080105.patch (renamed from 2.2/patches/21_all_itk_20070425-00.patch)86
8 files changed, 309 insertions, 398 deletions
diff --git a/2.2/patches/01_all_mod_rewrite_ampescape.patch b/2.2/patches/01_all_mod_rewrite_ampescape.patch
index 940e1e2..4347d49 100644
--- a/2.2/patches/01_all_mod_rewrite_ampescape.patch
+++ b/2.2/patches/01_all_mod_rewrite_ampescape.patch
@@ -1,9 +1,9 @@
Provide escaping for the ampersand in mod_rewrite
-Index: httpd-2.2.6/modules/mappers/mod_rewrite.c
+Index: httpd-2.2.8/modules/mappers/mod_rewrite.c
===================================================================
---- httpd-2.2.6.orig/modules/mappers/mod_rewrite.c
-+++ httpd-2.2.6/modules/mappers/mod_rewrite.c
-@@ -1071,6 +1071,30 @@ static char *rewrite_mapfunc_escape(requ
+--- httpd-2.2.8.orig/modules/mappers/mod_rewrite.c
++++ httpd-2.2.8/modules/mappers/mod_rewrite.c
+@@ -1073,6 +1073,30 @@ static char *rewrite_mapfunc_escape(requ
return ap_escape_uri(r->pool, key);
}
@@ -34,7 +34,7 @@ Index: httpd-2.2.6/modules/mappers/mod_rewrite.c
static char *rewrite_mapfunc_unescape(request_rec *r, char *key)
{
ap_unescape_url(key);
-@@ -4007,6 +4031,7 @@ static int pre_config(apr_pool_t *pconf,
+@@ -4040,6 +4064,7 @@ static int pre_config(apr_pool_t *pconf,
map_pfn_register("tolower", rewrite_mapfunc_tolower);
map_pfn_register("toupper", rewrite_mapfunc_toupper);
map_pfn_register("escape", rewrite_mapfunc_escape);
diff --git a/2.2/patches/04_all_mod_ssl_tls_sni.patch b/2.2/patches/04_all_mod_ssl_tls_sni.patch
index ca6a9a4..6e5b86c 100644
--- a/2.2/patches/04_all_mod_ssl_tls_sni.patch
+++ b/2.2/patches/04_all_mod_ssl_tls_sni.patch
@@ -1,208 +1,315 @@
-httpd-2.2.x-sni.patch - server name indication support for Apache 2.2 or later
-(cf. RFC 4366, "Transport Layer Security (TLS) Extensions")
+# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
+# (see RFC 4366, "Transport Layer Security (TLS) Extensions")
-Based on a patch from the EdelKey project (http://www.edelweb.fr/EdelKey/),
-which is used with permission from its author.
+# based on a patch from the EdelKey project
+# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
-Index: httpd-2.2.6/modules/ssl/ssl_engine_init.c
+# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
+# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions
+# must be configured explicitly for TLS extension support at compile time
+# ("./config enable-tlsext").
+
+Index: httpd-2.2.8/modules/ssl/ssl_private.h
===================================================================
---- httpd-2.2.6.orig/modules/ssl/ssl_engine_init.c
-+++ httpd-2.2.6/modules/ssl/ssl_engine_init.c
-@@ -135,6 +135,87 @@ static int ssl_tmp_keys_init(server_rec
- return OK;
- }
-
+--- httpd-2.2.8.orig/modules/ssl/ssl_private.h
++++ httpd-2.2.8/modules/ssl/ssl_private.h
+@@ -35,6 +35,7 @@
+ #include "http_connection.h"
+ #include "http_request.h"
+ #include "http_protocol.h"
++#include "http_vhost.h"
+ #include "util_script.h"
+ #include "util_filter.h"
+ #include "util_ebcdic.h"
+@@ -555,6 +556,9 @@ int ssl_callback_NewSessionCach
+ SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
+ void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
+ void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
+#ifndef OPENSSL_NO_TLSEXT
-+static int set_ssl_vhost(void *servername, conn_rec *c, server_rec *s)
-+{
-+ SSLSrvConfigRec *sc;
-+ SSL *ssl;
-+ BOOL found = FALSE;
-+ apr_array_header_t *names;
-+ int i;
-+
-+ /* check ServerName */
-+ if (!strcasecmp(servername, s->server_hostname))
-+ found = TRUE;
-+
-+ /* if not matched yet, check ServerAlias entries */
-+ if (!found) {
-+ names = s->names;
-+ if (names) {
-+ char **name = (char **) names->elts;
-+ for (i = 0; i < names->nelts; ++i) {
-+ if(!name[i]) continue;
-+ if (!strcasecmp(servername, name[i])) {
-+ found = TRUE;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+
-+ /* if still no match, check ServerAlias entries with wildcards */
-+ if (!found) {
-+ names = s->wild_names;
-+ if (names) {
-+ char **name = (char **) names->elts;
-+ for (i = 0; i < names->nelts; ++i) {
-+ if(!name[i]) continue;
-+ if (!ap_strcasecmp_match(servername, name[i])) {
-+ found = TRUE;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+
-+ /* set SSL_CTX (if matched) */
-+ if (found) {
-+ if ((ssl = ((SSLConnRec *)myConnConfig(c))->ssl) == NULL)
-+ return 0;
-+ if (!(sc = mySrvConfig(s)))
-+ return 0;
-+ SSL_set_SSL_CTX(ssl,sc->server->ssl_ctx);
-+ return 1;
-+ }
-+ return 0;
-+}
-+
-+int ssl_set_vhost_ctx(SSL *ssl, const char *servername)
-+{
-+ conn_rec *c;
-+
-+ if (servername == NULL) /* should not occur. */
-+ return 0;
-+
-+ SSL_set_SSL_CTX(ssl,NULL);
-+
-+ if (!(c = (conn_rec *)SSL_get_app_data(ssl)))
-+ return 0;
-+
-+ return ap_vhost_iterate_given_conn(c,set_ssl_vhost,servername);
-+}
-+
-+int ssl_servername_cb(SSL *s, int *al, modssl_ctx_t *mctx)
-+{
-+ const char *servername = SSL_get_servername(s,TLSEXT_NAMETYPE_host_name);
-+
-+ if (servername) {
-+ return ssl_set_vhost_ctx(s,servername)?SSL_TLSEXT_ERR_OK:SSL_TLSEXT_ERR_ALERT_FATAL;
-+ }
-+ return SSL_TLSEXT_ERR_NOACK;
-+}
++int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
+#endif
-+
- /*
- * Per-module initialization
- */
-@@ -355,6 +436,29 @@ static void ssl_init_server_check(server
+
+ /** Session Cache Support */
+ void ssl_scache_init(server_rec *, apr_pool_t *);
+Index: httpd-2.2.8/modules/ssl/ssl_engine_init.c
+===================================================================
+--- httpd-2.2.8.orig/modules/ssl/ssl_engine_init.c
++++ httpd-2.2.8/modules/ssl/ssl_engine_init.c
+@@ -355,6 +355,33 @@ static void ssl_init_server_check(server
}
}
-+static void ssl_init_server_extensions(server_rec *s,
-+ apr_pool_t *p,
-+ apr_pool_t *ptemp,
-+ modssl_ctx_t *mctx)
++#ifndef OPENSSL_NO_TLSEXT
++static void ssl_init_ctx_tls_extensions(server_rec *s,
++ apr_pool_t *p,
++ apr_pool_t *ptemp,
++ modssl_ctx_t *mctx)
+{
+ /*
+ * Configure TLS extensions support
+ */
-+
-+#ifndef OPENSSL_NO_TLSEXT
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "Configuring TLS extensions facility");
++ "Configuring TLS extension handling");
+
-+ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx, ssl_servername_cb) ||
++ /*
++ * Server name indication (SNI)
++ */
++ if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
++ ssl_callback_ServerNameIndication) ||
+ !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+ "Unable to initialize servername callback, bad openssl version.");
++ "Unable to initialize TLS servername extension "
++ "callback (incompatible OpenSSL version?)");
+ ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
+ ssl_die();
+ }
-+#endif
+}
++#endif
+
static void ssl_init_ctx_protocol(server_rec *s,
apr_pool_t *p,
apr_pool_t *ptemp,
-@@ -688,6 +792,8 @@ static void ssl_init_ctx(server_rec *s,
+@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,
+ if (mctx->pks) {
/* XXX: proxy support? */
ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
++#ifndef OPENSSL_NO_TLSEXT
++ ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
++#endif
}
-+
-+ ssl_init_server_extensions(s, p, ptemp, mctx);
}
- static int ssl_server_import_cert(server_rec *s,
-@@ -1014,6 +1120,7 @@ void ssl_init_CheckServers(server_rec *b
- }
- }
+@@ -1038,7 +1068,11 @@ void ssl_init_CheckServers(server_rec *b
+ if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
+ base_server,
++#ifdef OPENSSL_NO_TLSEXT
+ "Init: SSL server IP/port conflict: "
++#else
++ "Init: SSL server IP/port overlap: "
++#endif
+ "%s (%s:%d) vs. %s (%s:%d)",
+ ssl_util_vhostid(p, s),
+ (s->defn_name ? s->defn_name : "unknown"),
+@@ -1055,8 +1089,14 @@ void ssl_init_CheckServers(server_rec *b
+ if (conflict) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
+#ifdef OPENSSL_NO_TLSEXT
- /*
- * Give out warnings when more than one SSL-aware virtual server uses the
- * same IP:port. This doesn't work because mod_ssl then will always use
-@@ -1058,6 +1165,7 @@ void ssl_init_CheckServers(server_rec *b
"Init: You should not use name-based "
"virtual hosts in conjunction with SSL!!");
++#else
++ "Init: Name-based SSL virtual hosts only "
++ "work for clients with TLS server name indication "
++ "support (RFC 4366)");
++#endif
+ }
+ }
+
+Index: httpd-2.2.8/modules/ssl/ssl_engine_vars.c
+===================================================================
+--- httpd-2.2.8.orig/modules/ssl/ssl_engine_vars.c
++++ httpd-2.2.8/modules/ssl/ssl_engine_vars.c
+@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool
+ else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
+ result = ssl_var_lookup_ssl_compress_meth(ssl);
}
++#ifndef OPENSSL_NO_TLSEXT
++ else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
++ result = apr_pstrdup(p, SSL_get_servername(ssl,
++ TLSEXT_NAMETYPE_host_name));
++ }
+#endif
+ return result;
}
- #ifdef SSLC_VERSION_NUMBER
-Index: httpd-2.2.6/modules/ssl/ssl_engine_kernel.c
+Index: httpd-2.2.8/modules/ssl/ssl_engine_kernel.c
===================================================================
---- httpd-2.2.6.orig/modules/ssl/ssl_engine_kernel.c
-+++ httpd-2.2.6/modules/ssl/ssl_engine_kernel.c
-@@ -231,6 +231,19 @@ int ssl_hook_Access(request_rec *r)
- * the currently active one.
- */
+--- httpd-2.2.8.orig/modules/ssl/ssl_engine_kernel.c
++++ httpd-2.2.8/modules/ssl/ssl_engine_kernel.c
+@@ -31,6 +31,9 @@
+ #include "ssl_private.h"
+ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+#ifndef OPENSSL_NO_TLSEXT
-+ /*
-+ * We will switch to another virtualhost and to its ssl_ctx
-+ * if changed, we will force a renegotiation.
-+ */
-+ if (r->hostname && !SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name)) {
-+ SSL_CTX *ctx = SSL_get_SSL_CTX(ssl);
-+ if (ssl_set_vhost_ctx(ssl,(char *)r->hostname) &&
-+ ctx != SSL_get_SSL_CTX(ssl))
-+ renegotiate = TRUE;
++static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
++#endif
+
+ /*
+ * Post Read Request Handler
+@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r)
+ {
+ SSLConnRec *sslconn = myConnConfig(r->connection);
+ SSL *ssl;
++#ifndef OPENSSL_NO_TLSEXT
++ const char *servername;
++#endif
+
+ if (!sslconn) {
+ return DECLINED;
+@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r)
+ if (!ssl) {
+ return DECLINED;
+ }
++#ifndef OPENSSL_NO_TLSEXT
++ if (!r->hostname &&
++ (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
++ /* Use the SNI extension as the hostname if no Host: header was sent */
++ r->hostname = apr_pstrdup(r->pool, servername);
++ ap_update_vhost_from_headers(r);
+ }
+#endif
-+
+ SSL_set_app_data2(ssl, r);
+
/*
- * Override of SSLCipherSuite
- *
-@@ -997,6 +1010,9 @@ int ssl_hook_Fixup(request_rec *r)
+@@ -997,6 +1011,9 @@ int ssl_hook_Fixup(request_rec *r)
SSLDirConfigRec *dc = myDirConfig(r);
apr_table_t *env = r->subprocess_env;
char *var, *val = "";
+#ifndef OPENSSL_NO_TLSEXT
-+ const char* servername;
++ const char *servername;
+#endif
STACK_OF(X509) *peer_certs;
SSL *ssl;
int i;
-@@ -1018,6 +1034,12 @@ int ssl_hook_Fixup(request_rec *r)
+@@ -1018,6 +1035,13 @@ int ssl_hook_Fixup(request_rec *r)
/* the always present HTTPS (=HTTP over SSL) flag! */
apr_table_setn(env, "HTTPS", "on");
+#ifndef OPENSSL_NO_TLSEXT
+ /* add content of SNI TLS extension (if supplied with ClientHello) */
-+ if (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))
-+ apr_table_set(env, "TLS_SNI", servername);
++ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
++ apr_table_set(env, "SSL_TLS_SNI", servername);
++ }
+#endif
+
/* standard SSL environment variables */
if (dc->nOptions & SSL_OPT_STDENVVARS) {
for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
-Index: httpd-2.2.6/modules/ssl/ssl_toolkit_compat.h
+@@ -1810,3 +1834,118 @@ void ssl_callback_LogTracingState(MODSSL
+ }
+ }
+
++#ifndef OPENSSL_NO_TLSEXT
++/*
++ * This callback function is executed when OpenSSL encounters an extended
++ * client hello with a server name indication extension ("SNI", cf. RFC 4366).
++ */
++int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
++{
++ const char *servername =
++ SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
++
++ if (servername) {
++ conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
++ if (c) {
++ if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
++ (void *)servername)) {
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++ "SSL virtual host for servername %s found",
++ servername);
++ return SSL_TLSEXT_ERR_OK;
++ }
++ else {
++ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
++ "No matching SSL virtual host for servername "
++ "%s found (using default/first virtual host)",
++ servername);
++ return SSL_TLSEXT_ERR_ALERT_WARNING;
++ }
++ }
++ }
++
++ return SSL_TLSEXT_ERR_NOACK;
++}
++
++/*
++ * Find a (name-based) SSL virtual host where either the ServerName
++ * or one of the ServerAliases matches the supplied name (to be used
++ * with ap_vhost_iterate_given_conn())
++ */
++static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s)
++{
++ SSLSrvConfigRec *sc;
++ SSL *ssl;
++ BOOL found = FALSE;
++ apr_array_header_t *names;
++ int i;
++
++ /* check ServerName */
++ if (!strcasecmp(servername, s->server_hostname)) {
++ found = TRUE;
++ }
++
++ /*
++ * if not matched yet, check ServerAlias entries
++ * (adapted from vhost.c:matches_aliases())
++ */
++ if (!found) {
++ names = s->names;
++ if (names) {
++ char **name = (char **)names->elts;
++ for (i = 0; i < names->nelts; ++i) {
++ if (!name[i])
++ continue;
++ if (!strcasecmp(servername, name[i])) {
++ found = TRUE;
++ break;
++ }
++ }
++ }
++ }
++
++ /* if still no match, check ServerAlias entries with wildcards */
++ if (!found) {
++ names = s->wild_names;
++ if (names) {
++ char **name = (char **)names->elts;
++ for (i = 0; i < names->nelts; ++i) {
++ if (!name[i])
++ continue;
++ if (!ap_strcasecmp_match(servername, name[i])) {
++ found = TRUE;
++ break;
++ }
++ }
++ }
++ }
++
++ /* set SSL_CTX (if matched) */
++ if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
++ (sc = mySrvConfig(s))) {
++ SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
++ /*
++ * SSL_set_SSL_CTX() only deals with the server cert,
++ * so we need to duplicate a few additional settings
++ * from the ctx by hand
++ */
++ SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
++ if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
++ (SSL_num_renegotiations(ssl) == 0)) {
++ /*
++ * Only initialize the verification settings from the ctx
++ * if they are not yet set, or if we're called when a new
++ * SSL connection is set up (num_renegotiations == 0).
++ * Otherwise, we would possibly reset a per-directory
++ * configuration which was put into effect by ssl_hook_Access.
++ */
++ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
++ SSL_CTX_get_verify_callback(ssl->ctx));
++ }
++
++ return 1;
++ }
++
++ return 0;
++}
++#endif
+Index: httpd-2.2.8/modules/ssl/ssl_toolkit_compat.h
===================================================================
---- httpd-2.2.6.orig/modules/ssl/ssl_toolkit_compat.h
-+++ httpd-2.2.6/modules/ssl/ssl_toolkit_compat.h
-@@ -258,6 +258,12 @@ typedef void (*modssl_popfree_fn)(char *
+--- httpd-2.2.8.orig/modules/ssl/ssl_toolkit_compat.h
++++ httpd-2.2.8/modules/ssl/ssl_toolkit_compat.h
+@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *
#define SSL_SESS_CACHE_NO_INTERNAL SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
#endif
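Review bot: ssl_hook_ReadReq consults the SNI name only when no Host: header was sent (`if (!r->hostname && ...)`), so a request whose Host: header names a different vhost than the TLS server_name extension is routed by ap_update_vhost_from_headers to the Host: vhost, while the TLS session — certificate, SSL_CTX options and verify mode, as switched by ssl_find_vhost — was negotiated for the SNI vhost. Unless a later check exists outside the hunk, I would refuse such a request with HTTP_BAD_REQUEST as sketched below; whether r->hostname is already port-stripped at this point should be confirmed before relying on a plain strcasecmp, and ssl_hook_ReadReq continues past the quoted hunk. Separately, in ssl_find_vhost `SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx))` can only add option bits, so options set on the default context but not on the matched vhost's context remain in effect after the switch; a comment stating that limitation would save the next reader a trip to the OpenSSL manual.
```c
#ifndef OPENSSL_NO_TLSEXT
    servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
    if (!r->hostname && servername) {
        /* Use the SNI extension as the hostname if no Host: header was sent */
        r->hostname = apr_pstrdup(r->pool, servername);
        ap_update_vhost_from_headers(r);
    }
    else if (r->hostname && servername &&
             strcasecmp(r->hostname, servername) != 0) {
        /* Host: and SNI disagree: the TLS session was negotiated for the
         * SNI vhost, so do not let the request be served under another one */
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
                     "Hostname %s provided via SNI and hostname %s provided "
                     "via HTTP are different", servername, r->hostname);
        return HTTP_BAD_REQUEST;
    }
#endif
    /* … unchanged: SSL_set_app_data2(ssl, r) and the rest of the hook … */
```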
@@ -215,76 +322,3 @@ Index: httpd-2.2.6/modules/ssl/ssl_toolkit_compat.h
#endif /* SSL_TOOLKIT_COMPAT_H */
/** @} */
-Index: httpd-2.2.6/modules/ssl/ssl_engine_io.c
-===================================================================
---- httpd-2.2.6.orig/modules/ssl/ssl_engine_io.c
-+++ httpd-2.2.6/modules/ssl/ssl_engine_io.c
-@@ -1541,14 +1541,25 @@ int ssl_io_buffer_fill(request_rec *r)
-
- apr_brigade_destroy(tempb);
-
-- /* Insert the filter which will supply the buffered data. */
-+ /* After consuming all protocol-level input, remove all protocol-level
-+ * filters. It should strictly only be necessary to remove filters
-+ * at exactly ftype == AP_FTYPE_PROTOCOL, since this filter will
-+ * precede all > AP_FTYPE_PROTOCOL anyway. */
-+ while (r->proto_input_filters->frec->ftype < AP_FTYPE_CONNECTION) {
-+ ap_remove_input_filter(r->proto_input_filters);
-+ }
-+
-+ /* Insert the filter which will supply the buffered content. */
- ap_add_input_filter(ssl_io_buffer, ctx, r, c);
-
- return 0;
- }
-
- /* This input filter supplies the buffered request body to the caller
-- * from the brigade stored in f->ctx. */
-+ * from the brigade stored in f->ctx. Note that the placement of this
-+ * filter in the filter stack is important; it must be the first
-+ * r->proto_input_filter; lower-typed filters will not be preserved
-+ * across internal redirects (see PR 43738). */
- static apr_status_t ssl_io_filter_buffer(ap_filter_t *f,
- apr_bucket_brigade *bb,
- ap_input_mode_t mode,
-@@ -1567,6 +1578,19 @@ static apr_status_t ssl_io_filter_buffer
- return APR_ENOTIMPL;
- }
-
-+ if (APR_BRIGADE_EMPTY(ctx->bb)) {
-+ /* Suprisingly (and perhaps, wrongly), the request body can be
-+ * pulled from the input filter stack more than once; a
-+ * handler may read it, and ap_discard_request_body() will
-+ * attempt to do so again after *every* request. So input
-+ * filters must be prepared to give up an EOS if invoked after
-+ * initially reading the request. The HTTP_IN filter does this
-+ * with its ->eos_sent flag. */
-+
-+ APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_eos_create(f->c->bucket_alloc));
-+ return APR_SUCCESS;
-+ }
-+
- if (mode == AP_MODE_READBYTES) {
- apr_bucket *e;
-
-@@ -1621,8 +1645,9 @@ static apr_status_t ssl_io_filter_buffer
- }
-
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, f->c,
-- "buffered SSL brigade now exhausted; removing filter");
-- ap_remove_input_filter(f);
-+ "buffered SSL brigade exhausted");
-+ /* Note that the filter must *not* be removed here; it may be
-+ * invoked again, see comment above. */
- }
-
- return APR_SUCCESS;
-@@ -1691,7 +1716,7 @@ void ssl_io_filter_register(apr_pool_t *
- ap_register_input_filter (ssl_io_filter, ssl_io_filter_input, NULL, AP_FTYPE_CONNECTION + 5);
- ap_register_output_filter (ssl_io_filter, ssl_io_filter_output, NULL, AP_FTYPE_CONNECTION + 5);
-
-- ap_register_input_filter (ssl_io_buffer, ssl_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL - 1);
-+ ap_register_input_filter (ssl_io_buffer, ssl_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL);
-
- return;
- }
diff --git a/2.2/patches/05_all_CVE-2006-6203.patch b/2.2/patches/05_all_CVE-2006-6203.patch
deleted file mode 100644
index ab440f3..0000000
--- a/2.2/patches/05_all_CVE-2006-6203.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Index: httpd-2.2.6/modules/http/http_protocol.c
-===================================================================
---- httpd-2.2.6.orig/modules/http/http_protocol.c
-+++ httpd-2.2.6/modules/http/http_protocol.c
-@@ -910,7 +910,8 @@ static const char *get_canned_error_stri
- NULL));
- case HTTP_METHOD_NOT_ALLOWED:
- return(apr_pstrcat(p,
-- "<p>The requested method ", r->method,
-+ "<p>The requested method ",
-+ ap_escape_html(r->pool, r->method),
- " is not allowed for the URL ",
- ap_escape_html(r->pool, r->uri),
- ".</p>\n",
-@@ -928,7 +929,7 @@ static const char *get_canned_error_stri
- case HTTP_LENGTH_REQUIRED:
- s1 = apr_pstrcat(p,
- "<p>A request of the requested method ",
-- r->method,
-+ ap_escape_html(r->pool, r->method),
- " requires a valid Content-length.<br />\n",
- NULL);
- return(add_optional_notes(r, s1, "error-notes", "</p>\n"));
-@@ -975,7 +976,7 @@ static const char *get_canned_error_stri
- "The requested resource<br />",
- ap_escape_html(r->pool, r->uri), "<br />\n",
- "does not allow request data with ",
-- r->method,
-+ ap_escape_html(r->pool, r->method),
- " requests, or the amount of data provided in\n"
- "the request exceeds the capacity limit.\n",
- NULL));
diff --git a/2.2/patches/06_all_CVE-2007-5000.patch b/2.2/patches/06_all_CVE-2007-5000.patch
deleted file mode 100644
index ab08e1f..0000000
--- a/2.2/patches/06_all_CVE-2007-5000.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-Index: httpd-2.2.6/modules/mappers/mod_imagemap.c
-===================================================================
---- httpd-2.2.6.orig/modules/mappers/mod_imagemap.c
-+++ httpd-2.2.6/modules/mappers/mod_imagemap.c
-@@ -479,13 +479,16 @@ static int imap_reply(request_rec *r, ch
-
- static void menu_header(request_rec *r, char *menu)
- {
-- ap_set_content_type(r, "text/html");
-+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
-
-- ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
-- "</title>\n</head><body>\n", NULL);
-+ ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ",
-+ ap_escape_html(r->pool, r->uri),
-+ "</title>\n</head><body>\n", NULL);
-
- if (!strcasecmp(menu, "formatted")) {
-- ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr />\n\n", NULL);
-+ ap_rvputs(r, "<h1>Menu for ",
-+ ap_escape_html(r->pool, r->uri),
-+ "</h1>\n<hr />\n\n", NULL);
- }
-
- return;
diff --git a/2.2/patches/07_all_CVE-2007-6388.patch b/2.2/patches/07_all_CVE-2007-6388.patch
deleted file mode 100644
index 95c3e7e..0000000
--- a/2.2/patches/07_all_CVE-2007-6388.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-Index: httpd-2.2.6/modules/generators/mod_status.c
-===================================================================
---- httpd-2.2.6.orig/modules/generators/mod_status.c
-+++ httpd-2.2.6/modules/generators/mod_status.c
-@@ -71,6 +71,7 @@
- #endif
- #define APR_WANT_STRFUNC
- #include "apr_want.h"
-+#include "apr_strings.h"
-
- #ifdef NEXT
- #if (NX_CURRENT_COMPILER_RELEASE == 410)
-@@ -282,19 +283,18 @@ static int status_handler(request_rec *r
- if ((loc = ap_strstr_c(r->args,
- status_options[i].form_data_str)) != NULL) {
- switch (status_options[i].id) {
-- case STAT_OPT_REFRESH:
-- if (*(loc + strlen(status_options[i].form_data_str)) == '='
-- && atol(loc + strlen(status_options[i].form_data_str)
-- + 1) > 0)
-- apr_table_set(r->headers_out,
-- status_options[i].hdr_out_str,
-- loc +
-- strlen(status_options[i].hdr_out_str) +
-- 1);
-- else
-- apr_table_set(r->headers_out,
-- status_options[i].hdr_out_str, "1");
-+ case STAT_OPT_REFRESH: {
-+ apr_size_t len = strlen(status_options[i].form_data_str);
-+ long t = 0;
-+
-+ if (*(loc + len ) == '=') {
-+ t = atol(loc + len + 1);
-+ }
-+ apr_table_set(r->headers_out,
-+ status_options[i].hdr_out_str,
-+ apr_ltoa(r->pool, t < 1 ? 1 : t));
- break;
-+ }
- case STAT_OPT_NOTABLE:
- no_table_report = 1;
- break;
diff --git a/2.2/patches/08_all_CVE-2007-6421.patch b/2.2/patches/08_all_CVE-2007-6421.patch
deleted file mode 100644
index d15b5a1..0000000
--- a/2.2/patches/08_all_CVE-2007-6421.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-Index: httpd-2.2.6/modules/proxy/mod_proxy_balancer.c
-===================================================================
---- httpd-2.2.6.orig/modules/proxy/mod_proxy_balancer.c
-+++ httpd-2.2.6/modules/proxy/mod_proxy_balancer.c
-@@ -769,8 +769,10 @@ static int balancer_handler(request_rec
- ap_escape_uri(r->pool, worker->name),
- "\">", NULL);
- ap_rvputs(r, worker->name, "</a></td>", NULL);
-- ap_rvputs(r, "<td>", worker->s->route, NULL);
-- ap_rvputs(r, "</td><td>", worker->s->redirect, NULL);
-+ ap_rvputs(r, "<td>", ap_escape_html(r->pool, worker->s->route),
-+ NULL);
-+ ap_rvputs(r, "</td><td>",
-+ ap_escape_html(r->pool, worker->s->redirect), NULL);
- ap_rprintf(r, "</td><td>%d</td>", worker->s->lbfactor);
- ap_rprintf(r, "<td>%d</td><td>", worker->s->lbset);
- if (worker->s->status & PROXY_WORKER_DISABLED)
-@@ -808,10 +810,12 @@ static int balancer_handler(request_rec
- ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\" type=text ", r);
- ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbset);
- ap_rputs("<tr><td>Route:</td><td><input name=\"wr\" type=text ", r);
-- ap_rvputs(r, "value=\"", wsel->route, NULL);
-+ ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->route),
-+ NULL);
- ap_rputs("\"></td></tr>\n", r);
- ap_rputs("<tr><td>Route Redirect:</td><td><input name=\"rr\" type=text ", r);
-- ap_rvputs(r, "value=\"", wsel->redirect, NULL);
-+ ap_rvputs(r, "value=\"", ap_escape_html(r->pool, wsel->s->redirect),
-+ NULL);
- ap_rputs("\"></td></tr>\n", r);
- ap_rputs("<tr><td>Status:</td><td>Disabled: <input name=\"dw\" value=\"Disable\" type=radio", r);
- if (wsel->s->status & PROXY_WORKER_DISABLED)
diff --git a/2.2/patches/09_all_CVE-2007-6422.patch b/2.2/patches/09_all_CVE-2007-6422.patch
deleted file mode 100644
index 930d545..0000000
--- a/2.2/patches/09_all_CVE-2007-6422.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: httpd-2.2.6/modules/proxy/mod_proxy_balancer.c
-===================================================================
---- httpd-2.2.6.orig/modules/proxy/mod_proxy_balancer.c
-+++ httpd-2.2.6/modules/proxy/mod_proxy_balancer.c
-@@ -622,7 +622,7 @@ static int balancer_handler(request_rec
- proxy_worker *ws;
-
- ws = ap_proxy_get_worker(r->pool, conf, name);
-- if (ws) {
-+ if (bsel && ws) {
- worker = (proxy_worker *)bsel->workers->elts;
- for (n = 0; n < bsel->workers->nelts; n++) {
- if (strcasecmp(worker->name, ws->name) == 0) {
diff --git a/2.2/patches/21_all_itk_20070425-00.patch b/2.2/patches/21_all_itk_20080105.patch
index 08200bd..bf498d7 100644
--- a/2.2/patches/21_all_itk_20070425-00.patch
+++ b/2.2/patches/21_all_itk_20080105.patch
@@ -1,7 +1,7 @@
-Index: httpd-2.2.6/server/mpm/config.m4
+Index: httpd-2.2.8/server/mpm/config.m4
===================================================================
---- httpd-2.2.6.orig/server/mpm/config.m4
-+++ httpd-2.2.6/server/mpm/config.m4
+--- httpd-2.2.8.orig/server/mpm/config.m4
++++ httpd-2.2.8/server/mpm/config.m4
@@ -1,7 +1,7 @@
AC_MSG_CHECKING(which MPM to use)
AC_ARG_WITH(mpm,
@@ -32,19 +32,19 @@ Index: httpd-2.2.6/server/mpm/config.m4
MPM_DIR=server/mpm/$MPM_SUBDIR_NAME
MPM_LIB=$MPM_DIR/lib${MPM_NAME}.la
-Index: httpd-2.2.6/server/mpm/experimental/itk/config.m4
+Index: httpd-2.2.8/server/mpm/experimental/itk/config.m4
===================================================================
--- /dev/null
-+++ httpd-2.2.6/server/mpm/experimental/itk/config.m4
++++ httpd-2.2.8/server/mpm/experimental/itk/config.m4
@@ -0,0 +1,3 @@
+if test "$MPM_NAME" = "itk" ; then
+ APACHE_FAST_OUTPUT(server/mpm/$MPM_SUBDIR_NAME/Makefile)
+fi
-Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+Index: httpd-2.2.8/server/mpm/experimental/itk/itk.c
===================================================================
--- /dev/null
-+++ httpd-2.2.6/server/mpm/experimental/itk/itk.c
-@@ -0,0 +1,1682 @@
++++ httpd-2.2.8/server/mpm/experimental/itk/itk.c
+@@ -0,0 +1,1704 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
@@ -199,6 +199,8 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+#endif /* TPF */
+
+static volatile int die_now = 0;
++static volatile int listeners_closed = 0;
++static int active_connection = 0;
+
+typedef struct
+{
@@ -401,7 +403,10 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+
+static void stop_listening(int sig)
+{
-+ ap_close_listeners();
++ if (active_connection) {
++ ap_close_listeners();
++ listeners_closed = 1;
++ }
+
+ /* For a graceful stop, we want the child to exit when done */
+ die_now = 1;
@@ -662,6 +667,11 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ apr_int32_t numdesc;
+ const apr_pollfd_t *pdesc;
+
++ if (die_now) {
++ status = !APR_SUCCESS;
++ goto unlock;
++ }
++
+ /* timeout == -1 == wait forever */
+ status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc);
+ if (status != APR_SUCCESS) {
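Review bot: `status = !APR_SUCCESS;` evaluates to the integer 1, which as an apr_status_t is the errno value EPERM on POSIX, so the bail-out path after `unlock:` carries a misleading code if it is ever logged or compared; the same expression appears again in the `else` branch of the accept hunk below. Naming the intent is clearer, e.g. `status = APR_EINTR;  /* shutting down: skip accept and leave the loop */`, which still satisfies the `status != APR_SUCCESS` test that presumably follows; that test and the `while (!die_now)` condition are outside the hunk.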
@@ -710,8 +720,14 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ /* if we accept() something we don't want to die, so we have to
+ * defer the exit
+ */
-+ status = lr->accept_func(&csd, lr, ptrans);
++ if (!die_now) {
++ status = lr->accept_func(&csd, lr, ptrans);
++ }
++ else {
++ status = !APR_SUCCESS;
++ }
+
++ unlock:
+ SAFE_ACCEPT(accept_mutex_off()); /* unlock after "accept" */
+
+ if (status == APR_EGENERAL) {
@@ -726,6 +742,13 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ * We now have a connection, so set it up with the appropriate
+ * socket options, file descriptors, and read/write buffers.
+ */
++
++ active_connection = 1;
++ if (die_now && !listeners_closed) {
++ ap_close_listeners();
++ listeners_closed = 1;
++ }
++
+ {
+ pid_t pid = fork();
+ int status;
@@ -734,7 +757,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ ap_log_error(APLOG_MARK, APLOG_ERR, errno, NULL, "fork: Unable to fork new process");
+ break;
+ case 0: /* child */
-+ apr_proc_mutex_child_init(&accept_mutex, ap_lock_fname, pchild);
++ apr_proc_mutex_child_init(&accept_mutex, ap_lock_fname, pchild);
+ current_conn = ap_run_create_connection(ptrans, ap_server_conf, csd, my_child_num, sbh, bucket_alloc);
+ if (current_conn) {
+ ap_process_connection(current_conn, csd);
@@ -755,6 +778,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ break;
+ }
+ }
++ active_connection = 0;
+
+ /* Check the pod and the generation number after processing a
+ * connection so that we'll go away if a graceful restart occurred
@@ -1103,7 +1127,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf,
+ "%s configured -- resuming normal operations",
-+ ap_get_server_version());
++ ap_get_server_description());
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, ap_server_conf,
+ "Server built: %s", ap_get_server_built());
+#ifdef AP_MPM_WANT_SET_ACCEPT_LOCK_MECH
@@ -1284,13 +1308,11 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+
+ active_children = 0;
+ for (index = 0; index < ap_daemons_limit; ++index) {
-+ //if (MPM_CHILD_PID(index) != 0) {
-+ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS) {
-+ active_children = 1;
-+ /* Having just one child is enough to stay around */
-+ break;
-+ }
-+ //}
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS) {
++ active_children = 1;
++ /* Having just one child is enough to stay around */
++ break;
++ }
+ }
+ } while (!shutdown_pending && active_children &&
+ (!ap_graceful_shutdown_timeout || apr_time_now() < cutoff));
@@ -1468,7 +1490,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+
+ strncpy(ap_scoreboard_image->servers[my_child_num][0].vhost, r->server->server_hostname, 31);
+ ap_scoreboard_image->servers[my_child_num][0].vhost[31] = 0;
-+
++
+ if (setpriority(PRIO_PROCESS, 0, sconf->nice_value)) {
+ _DBG("setpriority(): %s", strerror(errno));
+ err = 1;
@@ -1483,7 +1505,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ wanted_gid = unixd_config.group_id;
+ wanted_username = unixd_config.user_name;
+ }
-+
++
+ if (!err && wanted_uid != -1 && wanted_gid != -1 && (getuid() != wanted_uid || getgid() != wanted_gid)) {
+ if (setgid(wanted_gid)) {
+ _DBG("setgid(): %s", strerror(errno));
@@ -1643,7 +1665,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ return NULL;
+}
+
-+static const char *assign_user_id (cmd_parms *cmd, void *dummy, const char *user_name, const char *group_name)
++static const char *assign_user_id (cmd_parms *cmd, void *dummy, const char *user_name, const char *group_name)
+{
+ itk_server_conf *sconf =
+ (itk_server_conf *) ap_get_module_config(cmd->server->module_config, &mpm_itk_module);
@@ -1651,7 +1673,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ sconf->uid = ap_uname2id(user_name);
+ sconf->gid = ap_gname2id(group_name);
+ return NULL;
-+}
++}
+
+static const char *set_max_clients_vhost (cmd_parms *cmd, void *dummy, const char *arg)
+{
@@ -1661,7 +1683,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ return NULL;
+}
+
-+static const char *set_nice_value (cmd_parms *cmd, void *dummy, const char *arg)
++static const char *set_nice_value (cmd_parms *cmd, void *dummy, const char *arg)
+{
+ itk_server_conf *sconf =
+ (itk_server_conf *) ap_get_module_config(cmd->server->module_config, &mpm_itk_module);
@@ -1672,7 +1694,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ "WARNING: NiceValue of %d is below -20, increasing NiceValue to -20.",
+ nice_value);
+ nice_value = -20;
-+ }
++ }
+ else if (nice_value > 19) {
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
+ "WARNING: NiceValue of %d is above 19, lowering NiceValue to 19.",
@@ -1681,7 +1703,7 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ }
+ sconf->nice_value = nice_value;
+ return NULL;
-+}
++}
+
+static const command_rec itk_cmds[] = {
+UNIX_DAEMON_COMMANDS,
@@ -1727,20 +1749,20 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/itk.c
+ itk_cmds, /* command apr_table_t */
+ itk_hooks, /* register hooks */
+};
-Index: httpd-2.2.6/server/mpm/experimental/itk/Makefile.in
+Index: httpd-2.2.8/server/mpm/experimental/itk/Makefile.in
===================================================================
--- /dev/null
-+++ httpd-2.2.6/server/mpm/experimental/itk/Makefile.in
++++ httpd-2.2.8/server/mpm/experimental/itk/Makefile.in
@@ -0,0 +1,5 @@
+
+LTLIBRARY_NAME = libitk.la
+LTLIBRARY_SOURCES = itk.c
+
+include $(top_srcdir)/build/ltlib.mk
-Index: httpd-2.2.6/server/mpm/experimental/itk/mpm_default.h
+Index: httpd-2.2.8/server/mpm/experimental/itk/mpm_default.h
===================================================================
--- /dev/null
-+++ httpd-2.2.6/server/mpm/experimental/itk/mpm_default.h
++++ httpd-2.2.8/server/mpm/experimental/itk/mpm_default.h
@@ -0,0 +1,77 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
@@ -1819,10 +1841,10 @@ Index: httpd-2.2.6/server/mpm/experimental/itk/mpm_default.h
+
+#endif /* AP_MPM_DEFAULT_H */
+/** @} */
-Index: httpd-2.2.6/server/mpm/experimental/itk/mpm.h
+Index: httpd-2.2.8/server/mpm/experimental/itk/mpm.h
===================================================================
--- /dev/null
-+++ httpd-2.2.6/server/mpm/experimental/itk/mpm.h
++++ httpd-2.2.8/server/mpm/experimental/itk/mpm.h
@@ -0,0 +1,65 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with