From 9af4144949af02634b67351fea257c92d3bbc86f Mon Sep 17 00:00:00 2001 From: Steve Simpson Date: Wed, 5 Aug 2020 20:41:30 -0400 Subject: [PATCH] Updated httpd24u for 2.4.43 (#35) Co-authored-by: Steve Simpson Co-authored-by: Carl George --- httpd-2.4.10-sigint.patch | 28 -- httpd-2.4.10-sslciphdefault.patch | 20 -- httpd-2.4.25-detect-systemd.patch | 48 ---- httpd-2.4.25-selinux.patch | 91 ------- httpd-2.4.33-systemd.patch | 245 ----------------- httpd-2.4.34-r1738878.patch | 130 --------- httpd-2.4.4-r1337344+.patch | 250 ------------------ ....4.9-apxs.patch => httpd-2.4.43-apxs.patch | 15 +- httpd-2.4.43-detect-systemd.patch | 34 +++ httpd-2.4.43-selinux.patch | 60 +++++ httpd24u.spec | 25 +- 11 files changed, 112 insertions(+), 834 deletions(-) delete mode 100644 httpd-2.4.10-sigint.patch delete mode 100644 httpd-2.4.10-sslciphdefault.patch delete mode 100644 httpd-2.4.25-detect-systemd.patch delete mode 100644 httpd-2.4.25-selinux.patch delete mode 100644 httpd-2.4.33-systemd.patch delete mode 100644 httpd-2.4.34-r1738878.patch delete mode 100644 httpd-2.4.4-r1337344+.patch rename httpd-2.4.9-apxs.patch => httpd-2.4.43-apxs.patch (79%) create mode 100644 httpd-2.4.43-detect-systemd.patch create mode 100644 httpd-2.4.43-selinux.patch diff --git a/httpd-2.4.10-sigint.patch b/httpd-2.4.10-sigint.patch deleted file mode 100644 index ecdd82e..0000000 --- a/httpd-2.4.10-sigint.patch +++ /dev/null 
@@ -1,28 +0,0 @@ -diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c -index 559f90a..a386a75 100644 ---- a/server/mpm/prefork/prefork.c -+++ b/server/mpm/prefork/prefork.c -@@ -220,6 +220,9 @@ static void clean_child_exit(int code) - { - retained->mpm->mpm_state = AP_MPMQ_STOPPING; - -+ apr_signal(SIGHUP, SIG_IGN); -+ apr_signal(SIGTERM, SIG_IGN); -+ - if (pchild) { - apr_pool_destroy(pchild); - } -@@ -699,6 +702,13 @@ static int make_child(server_rec *s, int slot, int bucket) - */ - apr_signal(SIGHUP, just_die); - apr_signal(SIGTERM, just_die); -+ /* Ignore SIGINT in child. This fixes race-condition in signals -+ * handling when httpd is runnning on foreground and user hits ctrl+c. -+ * In this case, SIGINT is sent to all children followed by SIGTERM -+ * from the main process, which interrupts the SIGINT handler and -+ * leads to inconsistency. -+ */ -+ apr_signal(SIGINT, SIG_IGN); - /* The child process just closes listeners on AP_SIG_GRACEFUL. - * The pod is used for signalling the graceful restart. - */ diff --git a/httpd-2.4.10-sslciphdefault.patch b/httpd-2.4.10-sslciphdefault.patch deleted file mode 100644 index 37a74e3..0000000 --- a/httpd-2.4.10-sslciphdefault.patch +++ /dev/null 
@@ -1,20 +0,0 @@ - -https://bugzilla.redhat.com/show_bug.cgi?id=1109119 - -Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite. - ---- httpd-2.4.10/modules/ssl/ssl_engine_config.c.sslciphdefault -+++ httpd-2.4.10/modules/ssl/ssl_engine_config.c -@@ -692,8 +692,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p - SSLSrvConfigRec *sc = mySrvConfig(cmd->server); - SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg; - -- /* always disable null and export ciphers */ -- arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); -+ /* Disable null and export ciphers by default, except for PROFILE= -+ * configs where the parser doesn't cope. */ -+ if (strncmp(arg, "PROFILE=", 8) != 0) -+ arg = apr_pstrcat(cmd->pool, "!aNULL:!eNULL:!EXP:", arg, NULL); - - if (cmd->path) { - dc->szCipherSuite = arg; diff --git a/httpd-2.4.25-detect-systemd.patch b/httpd-2.4.25-detect-systemd.patch deleted file mode 100644 index 3b91b5b..0000000 --- a/httpd-2.4.25-detect-systemd.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4 -diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4 -diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4 ---- httpd-2.4.25/acinclude.m4.detectsystemd -+++ httpd-2.4.25/acinclude.m4 -@@ -604,6 +604,30 @@ - fi - ]) - -+AC_DEFUN(APACHE_CHECK_SYSTEMD, [ -+dnl Check for systemd support for listen.c's socket activation. -+case $host in -+*-linux-*) -+ if test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd; then -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` -+ elif test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd-daemon; then -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd-daemon` -+ else -+ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon") -+ fi -+ if test -n "$SYSTEMD_LIBS"; then -+ AC_CHECK_HEADERS(systemd/sd-daemon.h) -+ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then -+ AC_MSG_WARN([Your system does not support systemd.]) -+ else -+ APR_ADDTO(HTTPD_LIBS, [$SYSTEMD_LIBS]) -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported]) -+ fi -+ fi -+ ;; -+esac -+]) -+ - dnl - dnl APACHE_EXPORT_ARGUMENTS - dnl Export (via APACHE_SUBST) the various path-related variables that -diff -uap httpd-2.4.25/configure.in.detectsystemd httpd-2.4.25/configure.in ---- httpd-2.4.25/configure.in.detectsystemd -+++ httpd-2.4.25/configure.in -@@ -504,6 +510,8 @@ - AC_DEFINE(HAVE_GMTOFF, 1, [Define if struct tm has a tm_gmtoff field]) - fi - -+APACHE_CHECK_SYSTEMD -+ - dnl ## Set up any appropriate OS-specific environment variables for apachectl - - case $host in diff --git a/httpd-2.4.25-selinux.patch b/httpd-2.4.25-selinux.patch deleted file mode 100644 index e60475d..0000000 --- a/httpd-2.4.25-selinux.patch +++ /dev/null 
@@ -1,91 +0,0 @@ - -Log the SELinux context at startup. - -Upstream-Status: unlikely to be any interest in this upstream - ---- httpd-2.4.1/configure.in.selinux -+++ httpd-2.4.1/configure.in -@@ -458,6 +458,11 @@ fopen64 - dnl confirm that a void pointer is large enough to store a long integer - APACHE_CHECK_VOID_PTR_LEN - -+AC_CHECK_LIB(selinux, is_selinux_enabled, [ -+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) -+ APR_ADDTO(AP_LIBS, [-lselinux]) -+]) -+ - AC_CACHE_CHECK([for gettid()], ac_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE - #include ---- httpd-2.4.1/server/core.c.selinux -+++ httpd-2.4.1/server/core.c -@@ -58,6 +58,10 @@ - #include - #endif - -+#ifdef HAVE_SELINUX -+#include -+#endif -+ - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t * - } - #endif - -+#ifdef HAVE_SELINUX -+ { -+ static int already_warned = 0; -+ int is_enabled = is_selinux_enabled() > 0; -+ -+ if (is_enabled && !already_warned) { -+ security_context_t con; -+ -+ if (getcon(&con) == 0) { -+ -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "SELinux policy enabled; " -+ "httpd running as context %s", con); -+ -+ already_warned = 1; -+ -+ freecon(con); -+ } -+ } -+ } -+#endif -+ - return OK; - } - -diff -uap httpd-2.4.25/configure.in.detectsystemd httpd-2.4.25/configure.in ---- httpd-2.4.25/configure.in.detectsystemd -+++ httpd-2.4.25/configure.in -@@ -234,6 +234,7 @@ - AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) - APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) - APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) -+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)]) - else - AC_MSG_ERROR([pcre-config for libpcre not found. 
PCRE is required and available from http://pcre.org/]) - fi -@@ -668,6 +676,7 @@ - APACHE_SUBST(BUILTIN_LIBS) - APACHE_SUBST(SHLIBPATH_VAR) - APACHE_SUBST(OS_SPECIFIC_VARS) -+APACHE_SUBST(HTTPD_LIBS) - - PRE_SHARED_CMDS='echo ""' - POST_SHARED_CMDS='echo ""' ---- httpd-2.4.25/Makefile.in.detectsystemd -+++ httpd-2.4.25/Makefile.in -@@ -4,7 +4,7 @@ - - PROGRAM_NAME = $(progname) - PROGRAM_SOURCES = modules.c --PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(PCRE_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) -+PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) - PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c - PROGRAM_DEPENDENCIES = \ - server/libmain.la \ diff --git a/httpd-2.4.33-systemd.patch b/httpd-2.4.33-systemd.patch deleted file mode 100644 index 7f5ee3b..0000000 --- a/httpd-2.4.33-systemd.patch +++ /dev/null 
@@ -1,245 +0,0 @@ ---- httpd-2.4.33/modules/arch/unix/config5.m4.systemd -+++ httpd-2.4.33/modules/arch/unix/config5.m4 -@@ -18,6 +18,16 @@ - fi - ]) - -+APACHE_MODULE(systemd, Systemd support, , , all, [ -+ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then -+ AC_MSG_WARN([Your system does not support systemd.]) -+ enable_systemd="no" -+ else -+ APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS]) -+ enable_systemd="yes" -+ fi -+]) -+ - APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current]) - - APACHE_MODPATH_FINISH ---- httpd-2.4.33/modules/arch/unix/mod_systemd.c.systemd -+++ httpd-2.4.33/modules/arch/unix/mod_systemd.c -@@ -0,0 +1,223 @@ -+/* Licensed to the Apache Software Foundation (ASF) under one or more -+ * contributor license agreements. See the NOTICE file distributed with -+ * this work for additional information regarding copyright ownership. -+ * The ASF licenses this file to You under the Apache License, Version 2.0 -+ * (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. 
-+ * -+ */ -+ -+#include -+#include -+#include "ap_mpm.h" -+#include -+#include -+#include -+#include -+#include -+#include -+#include "unixd.h" -+#include "scoreboard.h" -+#include "mpm_common.h" -+ -+#include "systemd/sd-daemon.h" -+#include "systemd/sd-journal.h" -+ -+#if APR_HAVE_UNISTD_H -+#include -+#endif -+ -+static int shutdown_timer = 0; -+static int shutdown_counter = 0; -+static unsigned long bytes_served; -+static pid_t mainpid; -+static char describe_listeners[50]; -+ -+static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, -+ apr_pool_t *ptemp) -+{ -+ sd_notify(0, -+ "RELOADING=1\n" -+ "STATUS=Reading configuration...\n"); -+ ap_extended_status = 1; -+ return OK; -+} -+ -+static char *dump_listener(ap_listen_rec *lr, apr_pool_t *p) -+{ -+ apr_sockaddr_t *sa = lr->bind_addr; -+ char addr[128]; -+ -+ if (apr_sockaddr_is_wildcard(sa)) { -+ return apr_pstrcat(p, "port ", apr_itoa(p, sa->port), NULL); -+ } -+ -+ apr_sockaddr_ip_getbuf(addr, sizeof addr, sa); -+ -+ return apr_psprintf(p, "%s port %u", addr, sa->port); -+} -+ -+static int systemd_post_config(apr_pool_t *pconf, apr_pool_t *plog, -+ apr_pool_t *ptemp, server_rec *s) -+{ -+ ap_listen_rec *lr; -+ apr_size_t plen = sizeof describe_listeners; -+ char *p = describe_listeners; -+ -+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) -+ return OK; -+ -+ for (lr = ap_listeners; lr; lr = lr->next) { -+ char *s = dump_listener(lr, ptemp); -+ -+ if (strlen(s) + 3 < plen) { -+ char *newp = apr_cpystrn(p, s, plen); -+ if (lr->next) -+ newp = apr_cpystrn(newp, ", ", 3); -+ plen -= newp - p; -+ p = newp; -+ } -+ else { -+ if (plen < 4) { -+ p = describe_listeners + sizeof describe_listeners - 4; -+ plen = 4; -+ } -+ apr_cpystrn(p, "...", plen); -+ break; -+ } -+ } -+ -+ sd_journal_print(LOG_INFO, "Server configured, listening on: %s", describe_listeners); -+ -+ return OK; -+} -+ -+static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type) -+{ -+ int rv; -+ -+ mainpid = 
getpid(); -+ -+ rv = sd_notifyf(0, "READY=1\n" -+ "STATUS=Started, listening on: %s\n" -+ "MAINPID=%" APR_PID_T_FMT, -+ describe_listeners, mainpid); -+ if (rv < 0) { -+ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p, APLOGNO(02395) -+ "sd_notifyf returned an error %d", rv); -+ } -+ -+ return OK; -+} -+ -+static int systemd_monitor(apr_pool_t *p, server_rec *s) -+{ -+ ap_sload_t sload; -+ apr_interval_time_t up_time; -+ char bps[5]; -+ int rv; -+ -+ if (!ap_extended_status) { -+ /* Nothing useful to report if ExtendedStatus disabled. */ -+ return DECLINED; -+ } -+ -+ ap_get_sload(&sload); -+ -+ if (sload.access_count == 0) { -+ rv = sd_notifyf(0, "READY=1\n" -+ "STATUS=Running, listening on: %s\n", -+ describe_listeners); -+ } -+ else { -+ /* up_time in seconds */ -+ up_time = (apr_uint32_t) apr_time_sec(apr_time_now() - -+ ap_scoreboard_image->global->restart_time); -+ -+ apr_strfsize((unsigned long)((float) (sload.bytes_served) -+ / (float) up_time), bps); -+ -+ rv = sd_notifyf(0, "READY=1\n" -+ "STATUS=Total requests: %lu; Idle/Busy workers %d/%d;" -+ "Requests/sec: %.3g; Bytes served/sec: %sB/sec\n", -+ sload.access_count, sload.idle, sload.busy, -+ ((float) sload.access_count) / (float) up_time, bps); -+ } -+ -+ if (rv < 0) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02396) -+ "sd_notifyf returned an error %d", rv); -+ } -+ -+ /* Shutdown httpd when nothing is sent for shutdown_timer seconds. 
*/ -+ if (sload.bytes_served == bytes_served) { -+ /* mpm_common.c: INTERVAL_OF_WRITABLE_PROBES is 10 */ -+ shutdown_counter += 10; -+ if (shutdown_timer > 0 && shutdown_counter >= shutdown_timer) { -+ rv = sd_notifyf(0, "READY=1\n" -+ "STATUS=Stopped as result of IdleShutdown " -+ "timeout."); -+ if (rv < 0) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02804) -+ "sd_notifyf returned an error %d", rv); -+ } -+ kill(mainpid, AP_SIG_GRACEFUL); -+ } -+ } -+ else { -+ shutdown_counter = 0; -+ } -+ -+ bytes_served = sload.bytes_served; -+ -+ return DECLINED; -+} -+ -+static void systemd_register_hooks(apr_pool_t *p) -+{ -+ /* Enable ap_extended_status. */ -+ ap_hook_pre_config(systemd_pre_config, NULL, NULL, APR_HOOK_LAST); -+ /* Grab the listener config. */ -+ ap_hook_post_config(systemd_post_config, NULL, NULL, APR_HOOK_LAST); -+ /* We know the PID in this hook ... */ -+ ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST); -+ /* Used to update httpd's status line using sd_notifyf */ -+ ap_hook_monitor(systemd_monitor, NULL, NULL, APR_HOOK_MIDDLE); -+} -+ -+static const char *set_shutdown_timer(cmd_parms *cmd, void *dummy, -+ const char *arg) -+{ -+ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); -+ if (err != NULL) { -+ return err; -+ } -+ -+ shutdown_timer = atoi(arg); -+ return NULL; -+} -+ -+static const command_rec systemd_cmds[] = -+{ -+AP_INIT_TAKE1("IdleShutdown", set_shutdown_timer, NULL, RSRC_CONF, -+ "Number of seconds in idle-state after which httpd is shutdown"), -+ {NULL} -+}; -+ -+AP_DECLARE_MODULE(systemd) = { -+ STANDARD20_MODULE_STUFF, -+ NULL, -+ NULL, -+ NULL, -+ NULL, -+ systemd_cmds, -+ systemd_register_hooks, -+}; diff --git a/httpd-2.4.34-r1738878.patch b/httpd-2.4.34-r1738878.patch deleted file mode 100644 index 5af48f5..0000000 --- a/httpd-2.4.34-r1738878.patch +++ /dev/null 
@@ -1,130 +0,0 @@ ---- httpd-2.4.34/modules/proxy/ajp_header.c.r1738878 -+++ httpd-2.4.34/modules/proxy/ajp_header.c -@@ -213,7 +213,8 @@ - - static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg, - request_rec *r, -- apr_uri_t *uri) -+ apr_uri_t *uri, -+ const char *secret) - { - int method; - apr_uint32_t i, num_headers = 0; -@@ -293,17 +294,15 @@ - i, elts[i].key, elts[i].val); - } - --/* XXXX need to figure out how to do this -- if (s->secret) { -+ if (secret) { - if (ajp_msg_append_uint8(msg, SC_A_SECRET) || -- ajp_msg_append_string(msg, s->secret)) { -+ ajp_msg_append_string(msg, secret)) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228) -- "Error ajp_marshal_into_msgb - " -+ "ajp_marshal_into_msgb: " - "Error appending secret"); - return APR_EGENERAL; - } - } -- */ - - if (r->user) { - if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) || -@@ -671,7 +670,8 @@ - apr_status_t ajp_send_header(apr_socket_t *sock, - request_rec *r, - apr_size_t buffsize, -- apr_uri_t *uri) -+ apr_uri_t *uri, -+ const char *secret) - { - ajp_msg_t *msg; - apr_status_t rc; -@@ -683,7 +683,7 @@ - return rc; - } - -- rc = ajp_marshal_into_msgb(msg, r, uri); -+ rc = ajp_marshal_into_msgb(msg, r, uri, secret); - if (rc != APR_SUCCESS) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988) - "ajp_send_header: ajp_marshal_into_msgb failed"); ---- httpd-2.4.34/modules/proxy/ajp.h.r1738878 -+++ httpd-2.4.34/modules/proxy/ajp.h -@@ -413,12 +413,14 @@ - * @param sock backend socket - * @param r current request - * @param buffsize max size of the AJP packet. -+ * @param secret authentication secret - * @param uri requested uri - * @return APR_SUCCESS or error - */ - apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r, - apr_size_t buffsize, -- apr_uri_t *uri); -+ apr_uri_t *uri, -+ const char *secret); - - /** - * Read the ajp message and return the type of the message. 
---- httpd-2.4.34/modules/proxy/mod_proxy_ajp.c.r1738878 -+++ httpd-2.4.34/modules/proxy/mod_proxy_ajp.c -@@ -193,6 +193,7 @@ - apr_off_t content_length = 0; - int original_status = r->status; - const char *original_status_line = r->status_line; -+ const char *secret = NULL; - - if (psf->io_buffer_size_set) - maxsize = psf->io_buffer_size; -@@ -202,12 +203,15 @@ - maxsize = AJP_MSG_BUFFER_SZ; - maxsize = APR_ALIGN(maxsize, 1024); - -+ if (*conn->worker->s->secret) -+ secret = conn->worker->s->secret; -+ - /* - * Send the AJP request to the remote server - */ - - /* send request headers */ -- status = ajp_send_header(conn->sock, r, maxsize, uri); -+ status = ajp_send_header(conn->sock, r, maxsize, uri, secret); - if (status != APR_SUCCESS) { - conn->close = 1; - ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868) ---- httpd-2.4.34/modules/proxy/mod_proxy.c.r1738878 -+++ httpd-2.4.34/modules/proxy/mod_proxy.c -@@ -319,6 +319,12 @@ - (int)sizeof(worker->s->upgrade)); - } - } -+ else if (!strcasecmp(key, "secret")) { -+ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) { -+ return apr_psprintf(p, "Secret length must be < %d characters", -+ (int)sizeof(worker->s->secret)); -+ } -+ } - else if (!strcasecmp(key, "responsefieldsize")) { - long s = atol(val); - if (s < 0) { ---- httpd-2.4.34/modules/proxy/mod_proxy.h.r1738878 -+++ httpd-2.4.34/modules/proxy/mod_proxy.h -@@ -357,6 +357,7 @@ - #define PROXY_WORKER_MAX_HOSTNAME_SIZE 64 - #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE - #define PROXY_BALANCER_MAX_STICKY_SIZE 64 -+#define PROXY_WORKER_MAX_SECRET_SIZE 64 - - #define PROXY_RFC1035_HOSTNAME_SIZE 256 - -@@ -453,6 +454,7 @@ - char hostname_ex[PROXY_RFC1035_HOSTNAME_SIZE]; /* RFC1035 compliant version of the remote backend address */ - apr_size_t response_field_size; /* Size of proxy response buffer in bytes. 
*/ - unsigned int response_field_size_set:1; -+ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */ - } proxy_worker_shared; - - #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared))) diff --git a/httpd-2.4.4-r1337344+.patch b/httpd-2.4.4-r1337344+.patch deleted file mode 100644 index 6e5c3e7..0000000 --- a/httpd-2.4.4-r1337344+.patch +++ /dev/null 
@@ -1,250 +0,0 @@ -# ./pullrev.sh 1337344 1341905 1342065 1341930 - -suexec enhancements: - -1) use syslog for logging -2) use capabilities not setuid/setgid root binary - -http://svn.apache.org/viewvc?view=revision&revision=1337344 -http://svn.apache.org/viewvc?view=revision&revision=1341905 -http://svn.apache.org/viewvc?view=revision&revision=1342065 -http://svn.apache.org/viewvc?view=revision&revision=1341930 - ---- httpd-2.4.4/configure.in.r1337344+ -+++ httpd-2.4.4/configure.in -@@ -734,7 +734,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin, - - AC_ARG_WITH(suexec-logfile, - APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[ -- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] ) -+ if test "x$withval" = "xyes"; then -+ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file]) -+ fi -+]) -+ -+AC_ARG_WITH(suexec-syslog, -+APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[ -+ if test $withval = "yes"; then -+ if test "x${with_suexec_logfile}" != "xno"; then -+ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"]) -+ AC_MSG_ERROR([suexec does not support both logging to file and syslog]) -+ fi -+ AC_CHECK_FUNCS([vsyslog], [], [ -+ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])]) -+ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog]) -+ fi -+]) -+ - - AC_ARG_WITH(suexec-safepath, - APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[ -@@ -744,6 +761,15 @@ AC_ARG_WITH(suexec-umask, - APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[ - AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] ) - -+INSTALL_SUEXEC=setuid -+AC_ARG_ENABLE([suexec-capabilities], -+APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [ -+INSTALL_SUEXEC=caps -+AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1, -+ [Enable if suexec is installed with Linux capabilities, not setuid]) -+]) -+APACHE_SUBST(INSTALL_SUEXEC) -+ - dnl APR 
should go after the other libs, so the right symbols can be picked up - if test x${apu_found} != xobsolete; then - AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`" ---- httpd-2.4.4/docs/manual/suexec.html.en.r1337344+ -+++ httpd-2.4.4/docs/manual/suexec.html.en -@@ -372,6 +372,21 @@ - together with the --enable-suexec option to let - APACI accept your request for using the suEXEC feature. - -+
--enable-suexec-capabilities
-+ -+
Linux specific: Normally, -+ the suexec binary is installed "setuid/setgid -+ root", which allows it to run with the full privileges of the -+ root user. If this option is used, the suexec -+ binary will instead be installed with only the setuid/setgid -+ "capability" bits set, which is the subset of full root -+ priviliges required for suexec operation. Note that -+ the suexec binary may not be able to write to a log -+ file in this mode; it is recommended that the -+ --with-suexec-syslog --without-suexec-logfile -+ options are used in conjunction with this mode, so that syslog -+ logging is used instead.
-+ -
--with-suexec-bin=PATH
- -
The path to the suexec binary must be hard-coded -@@ -433,6 +448,12 @@ - "suexec_log" and located in your standard logfile - directory (--logfiledir).
- -+
--with-suexec-syslog
-+ -+
If defined, suexec will log notices and errors to syslog -+ instead of a logfile. This option must be combined -+ with --without-suexec-logfile.
-+ -
--with-suexec-safepath=PATH
- -
Define a safe PATH environment to pass to CGI -@@ -550,9 +571,12 @@ Group webgroup - -

The suEXEC wrapper will write log information - to the file defined with the --with-suexec-logfile -- option as indicated above. If you feel you have configured and -- installed the wrapper properly, have a look at this log and the -- error_log for the server to see where you may have gone astray.

-+ option as indicated above, or to syslog if --with-suexec-syslog -+ is used. If you feel you have configured and -+ installed the wrapper properly, have a look at the log and the -+ error_log for the server to see where you may have gone astray. -+ The output of "suexec -V" will show the options -+ used to compile suexec, if using a binary distribution.

- -
top
-
-@@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined') - prettyPrint(); - } - //--> -- -\ No newline at end of file -+ ---- httpd-2.4.4/Makefile.in.r1337344+ -+++ httpd-2.4.4/Makefile.in -@@ -238,11 +238,22 @@ install-man: - cd $(DESTDIR)$(manualdir) && find . -name ".svn" -type d -print | xargs rm -rf 2>/dev/null || true; \ - fi - --install-suexec: -+install-suexec: install-suexec-binary install-suexec-$(INSTALL_SUEXEC) -+ -+install-suexec-binary: - @if test -f $(builddir)/support/suexec; then \ - test -d $(DESTDIR)$(sbindir) || $(MKINSTALLDIRS) $(DESTDIR)$(sbindir); \ - $(INSTALL_PROGRAM) $(top_builddir)/support/suexec $(DESTDIR)$(sbindir); \ -- chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ -+ fi -+ -+install-suexec-setuid: -+ @if test -f $(builddir)/support/suexec; then \ -+ chmod 4755 $(DESTDIR)$(sbindir)/suexec; \ -+ fi -+ -+install-suexec-caps: -+ @if test -f $(builddir)/support/suexec; then \ -+ setcap 'cap_setuid,cap_setgid+pe' $(DESTDIR)$(sbindir)/suexec; \ - fi - - suexec: ---- httpd-2.4.4/modules/arch/unix/mod_unixd.c.r1337344+ -+++ httpd-2.4.4/modules/arch/unix/mod_unixd.c -@@ -284,6 +284,13 @@ unixd_set_suexec(cmd_parms *cmd, void *d - return NULL; - } - -+#ifdef AP_SUEXEC_CAPABILITIES -+/* If suexec is using capabilities, don't test for the setuid bit. 
*/ -+#define SETUID_TEST(finfo) (1) -+#else -+#define SETUID_TEST(finfo) (finfo.protection & APR_USETID) -+#endif -+ - static int - unixd_pre_config(apr_pool_t *pconf, apr_pool_t *plog, - apr_pool_t *ptemp) -@@ -300,7 +307,7 @@ unixd_pre_config(apr_pool_t *pconf, apr_ - ap_unixd_config.suexec_enabled = 0; - if ((apr_stat(&wrapper, SUEXEC_BIN, APR_FINFO_NORM, ptemp)) - == APR_SUCCESS) { -- if ((wrapper.protection & APR_USETID) && wrapper.user == 0 -+ if (SETUID_TEST(wrapper) && wrapper.user == 0 - && (access(SUEXEC_BIN, R_OK|X_OK) == 0)) { - ap_unixd_config.suexec_enabled = 1; - ap_unixd_config.suexec_disabled_reason = ""; ---- httpd-2.4.4/support/suexec.c.r1337344+ -+++ httpd-2.4.4/support/suexec.c -@@ -58,6 +58,10 @@ - #include - #endif - -+#ifdef AP_LOG_SYSLOG -+#include -+#endif -+ - #if defined(PATH_MAX) - #define AP_MAXPATH PATH_MAX - #elif defined(MAXPATHLEN) -@@ -69,7 +73,20 @@ - #define AP_ENVBUF 256 - - extern char **environ; -+ -+#ifdef AP_LOG_SYSLOG -+/* Syslog support. */ -+#if !defined(AP_LOG_FACILITY) && defined(LOG_AUTHPRIV) -+#define AP_LOG_FACILITY LOG_AUTHPRIV -+#elif !defined(AP_LOG_FACILITY) -+#define AP_LOG_FACILITY LOG_AUTH -+#endif -+ -+static int log_open; -+#else -+/* Non-syslog support. */ - static FILE *log = NULL; -+#endif - - static const char *const safe_env_lst[] = - { -@@ -137,7 +154,14 @@ static void err_output(int is_error, con - - static void err_output(int is_error, const char *fmt, va_list ap) - { --#ifdef AP_LOG_EXEC -+#if defined(AP_LOG_SYSLOG) -+ if (!log_open) { -+ openlog("suexec", LOG_PID, AP_LOG_FACILITY); -+ log_open = 1; -+ } -+ -+ vsyslog(is_error ? 
LOG_ERR : LOG_INFO, fmt, ap); -+#elif defined(AP_LOG_EXEC) - time_t timevar; - struct tm *lt; - -@@ -295,7 +319,9 @@ int main(int argc, char *argv[]) - #ifdef AP_HTTPD_USER - fprintf(stderr, " -D AP_HTTPD_USER=\"%s\"\n", AP_HTTPD_USER); - #endif --#ifdef AP_LOG_EXEC -+#if defined(AP_LOG_SYSLOG) -+ fprintf(stderr, " -D AP_LOG_SYSLOG\n"); -+#elif defined(AP_LOG_EXEC) - fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); - #endif - #ifdef AP_SAFE_PATH -@@ -591,6 +617,12 @@ int main(int argc, char *argv[]) - #endif /* AP_SUEXEC_UMASK */ - - /* Be sure to close the log file so the CGI can't mess with it. */ -+#ifdef AP_LOG_SYSLOG -+ if (log_open) { -+ closelog(); -+ log_open = 0; -+ } -+#else - if (log != NULL) { - #if APR_HAVE_FCNTL_H - /* -@@ -612,6 +644,7 @@ int main(int argc, char *argv[]) - log = NULL; - #endif - } -+#endif - - /* - * Execute the command, replacing our image with its own. diff --git a/httpd-2.4.9-apxs.patch b/httpd-2.4.43-apxs.patch similarity index 79% rename from httpd-2.4.9-apxs.patch rename to httpd-2.4.43-apxs.patch index 22dee8a..1c7e133 100644 --- a/httpd-2.4.9-apxs.patch +++ b/httpd-2.4.43-apxs.patch @@ -1,7 +1,6 @@ -diff -Naurp a/support/apxs.in b/support/apxs.in ---- a/support/apxs.in 2013-12-26 12:01:53.000000000 -0600 -+++ b/support/apxs.in 2015-07-27 13:57:32.581334998 -0500 -@@ -25,7 +25,18 @@ package apxs; +--- a/support/apxs.in 2020-03-20 09:00:44.000000000 -0400 ++++ b/support/apxs.in 2020-06-05 11:09:15.000000000 -0400 +@@ -35,7 +35,18 @@ if ($ddi >= 0) { my %config_vars = (); 
@@ -18,10 +17,10 @@ diff -Naurp a/support/apxs.in b/support/apxs.in + +my $installbuilddir = $libdir . "/httpd/build"; + - get_config_vars("$installbuilddir/config_vars.mk",\%config_vars); + get_config_vars($destdir . "$installbuilddir/config_vars.mk",\%config_vars); # read the configuration variables once -@@ -275,7 +286,7 @@ if ($opt_g) { +@@ -285,7 +296,7 @@ if ($opt_g) { $data =~ s|%NAME%|$name|sg; $data =~ s|%TARGET%|$CFG_TARGET|sg; $data =~ s|%PREFIX%|$prefix|sg; @@ -30,7 +29,7 @@ diff -Naurp a/support/apxs.in b/support/apxs.in my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); -@@ -453,11 +464,11 @@ if ($opt_c) { +@@ -463,11 +474,11 @@ if ($opt_c) { my $ldflags = "$CFG_LDFLAGS"; if ($opt_p == 1) { @@ -44,7 +43,7 @@ diff -Naurp a/support/apxs.in b/support/apxs.in chomp($apu_libs); } -@@ -672,8 +683,8 @@ __DATA__ +@@ -682,8 +693,8 @@ __DATA__ builddir=. top_srcdir=%PREFIX% diff --git a/httpd-2.4.43-detect-systemd.patch b/httpd-2.4.43-detect-systemd.patch new file mode 100644 index 0000000..271aa59 --- /dev/null +++ b/httpd-2.4.43-detect-systemd.patch 
@@ -0,0 +1,34 @@ +diff --git a/Makefile.in b/Makefile.in +index ea8366e..06b8c5a 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test + + PROGRAM_NAME = $(progname) + PROGRAM_SOURCES = modules.c +-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(PCRE_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) ++PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS) + PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c + PROGRAM_DEPENDENCIES = \ + server/libmain.la \ +diff --git a/configure.in b/configure.in +index f276550..a63eada 100644 +--- a/configure.in ++++ b/configure.in +@@ -234,6 +234,7 @@ if test "$PCRE_CONFIG" != "false"; then + AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG]) + APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`]) + APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`]) ++ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)]) + else + AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/]) + fi +@@ -679,6 +682,7 @@ APACHE_SUBST(OS_DIR) + APACHE_SUBST(BUILTIN_LIBS) + APACHE_SUBST(SHLIBPATH_VAR) + APACHE_SUBST(OS_SPECIFIC_VARS) ++APACHE_SUBST(HTTPD_LIBS) + + PRE_SHARED_CMDS='echo ""' + POST_SHARED_CMDS='echo ""' + \ No newline at end of file diff --git a/httpd-2.4.43-selinux.patch b/httpd-2.4.43-selinux.patch new file mode 100644 index 0000000..0552720 --- /dev/null +++ b/httpd-2.4.43-selinux.patch 
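Review bot: Nothing in the new httpd-2.4.43-detect-systemd.patch detects systemd any more, and the file has no description header to say what it is for. Its three inner hunks only introduce `HTTPD_LIBS`: seeded with `\$(PCRE_LIBS)` in configure.in, exported with `APACHE_SUBST(HTTPD_LIBS)`, and substituted for `$(PCRE_LIBS)` in `PROGRAM_LDADD`. httpd-2.4.43-selinux.patch in this same commit appends `-lselinux` to `HTTPD_LIBS`, so it appears to depend on this patch being applied first. I would open the file with a header line such as `Introduce HTTPD_LIBS for libraries linked only into the httpd binary; required by the selinux patch.` and consider renaming it to match. The file also ends without a trailing newline.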
@@ -0,0 +1,60 @@ +diff --git a/configure.in b/configure.in +index c8f9aa2..cb43246 100644 +--- a/configure.in ++++ b/configure.in +@@ -484,6 +484,11 @@ getloadavg + dnl confirm that a void pointer is large enough to store a long integer + APACHE_CHECK_VOID_PTR_LEN + ++AC_CHECK_LIB(selinux, is_selinux_enabled, [ ++ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) ++ APR_ADDTO(HTTPD_LIBS, [-lselinux]) ++]) ++ + AC_CACHE_CHECK([for gettid()], ac_cv_gettid, + [AC_TRY_RUN(#define _GNU_SOURCE + #include +diff --git a/server/core.c b/server/core.c +index dc0f17a..7ed9527 100644 +--- a/server/core.c ++++ b/server/core.c +@@ -59,6 +59,10 @@ + #include + #endif + ++#ifdef HAVE_SELINUX ++#include ++#endif ++ + /* LimitRequestBody handling */ + #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) + #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) +@@ -5015,6 +5019,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte + } + #endif + ++#ifdef HAVE_SELINUX ++ { ++ static int already_warned = 0; ++ int is_enabled = is_selinux_enabled() > 0; ++ ++ if (is_enabled && !already_warned) { ++ security_context_t con; ++ ++ if (getcon(&con) == 0) { ++ ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, ++ "SELinux policy enabled; " ++ "httpd running as context %s", con); ++ ++ already_warned = 1; ++ ++ freecon(con); ++ } ++ } ++ } ++#endif ++ + return OK; + } + \ No newline at end of file diff --git a/httpd24u.spec b/httpd24u.spec index cd11199..67911ce 100644 --- a/httpd24u.spec +++ b/httpd24u.spec @@ -24,7 +24,7 @@ Summary: Apache HTTP Server Name: httpd24u -Version: 2.4.41 +Version: 2.4.43 Release: 1%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 
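Review bot: In the server/core.c part of the new httpd-2.4.43-selinux.patch the context is declared as `security_context_t con;`, a typedef that recent libselinux releases mark as deprecated in favour of a plain string pointer, so builds against a newer libselinux are likely to emit deprecation warnings here. `char *con;` works with `getcon()` and `freecon()` on old and new library versions alike. The block also logs nothing when `getcon()` fails, so an SELinux-enabled host gets no startup record of the confinement state in that case; an `else` branch with a single `ap_log_error(APLOG_MARK, APLOG_WARNING, ...)` call would cover it. core_post_config starts and ends outside the inner hunk, so whether it is the only place the context is reported cannot be confirmed from here.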
@@ -66,26 +66,20 @@ Source52: htcacheclean.init Source53: httpd.logrotate-legacy # build/scripts patches Patch1: httpd-2.4.1-apctl.patch -Patch2: httpd-2.4.9-apxs.patch +Patch2: httpd-2.4.43-apxs.patch Patch3: httpd-2.4.1-deplibs.patch Patch6: httpd-2.4.3-apctl-systemd.patch Patch8: httpd-2.4.35-layout-legacy.patch # Needed for socket activation and mod_systemd patch -Patch19: httpd-2.4.25-detect-systemd.patch +Patch19: httpd-2.4.43-detect-systemd.patch # Features/functional changes Patch23: httpd-2.4.33-export.patch Patch24: httpd-2.4.1-corelimit.patch -Patch25: httpd-2.4.25-selinux.patch -Patch26: httpd-2.4.4-r1337344+.patch +Patch25: httpd-2.4.43-selinux.patch Patch27: httpd-2.4.2-icons.patch -Patch29: httpd-2.4.33-systemd.patch Patch30: httpd-2.4.4-cachehardmax.patch Patch34: httpd-2.4.17-socket-activation.patch -# Bug fixes -# https://bugzilla.redhat.com/show_bug.cgi?id=1397243 -Patch58: httpd-2.4.34-r1738878.patch - # Security fixes License: ASL 2.0 @@ -287,17 +281,14 @@ interface for storing and accessing per-user session data. %patch8 -p1 -b .layout %endif -%{?with_systemd:%patch19 -p1 -b .detectsystemd} +%patch19 -p1 -b .detectsystemd %patch23 -p1 -b .export %patch24 -p1 -b .corelimit %patch25 -p1 -b .selinux -#patch26 -p1 -b .r1337344+ %patch27 -p1 -b .icons -%{?with_systemd:%patch29 -p1 -b .systemd} %patch30 -p1 -b .cachehardmax %{?with_systemd:%patch34 -p1 -b .socketactivation} -%patch58 -p1 -b .r1738878 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -373,6 +364,9 @@ export LYNX_PATH=/usr/bin/links --enable-cgid --enable-cgi \ --enable-authn-anon --enable-authn-alias \ --disable-imagemap --disable-file-cache \ + %if %{with systemd} + --enable-systemd \ + %endif $* make %{?_smp_mflags} @@ -826,6 +820,9 @@ exit $rv %changelog +* Tue Jun 09 2020 Steve Simpson - 2.4.43-1 +- Latest upstream + * Tue Aug 20 2019 Andreas Schnederle-Wagner - 2.4.41-1 - Latest upstream
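Review bot: The comment kept above `Patch19` in the `@@ -66,26 +66,20 @@` hunk, `# Needed for socket activation and mod_systemd patch`, no longer describes the patch. The mod_systemd patch (Patch29) is removed in this same hunk, and the new detect-systemd patch only defines `HTTPD_LIBS`. `%patch19` is made unconditional in the `@@ -287,17 +281,14 @@` hunk and Patch25 appends `-lselinux` to `HTTPD_LIBS`, so the comment should record that dependency, e.g. `# Defines HTTPD_LIBS; required by Patch25 (selinux) on every build`.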
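Review bot: `%patch29` (mod_systemd, which defines the `IdleShutdown` directive) and `%patch58` (the `secret` worker parameter for mod_proxy_ajp, r1738878) are dropped from %prep in the `@@ -287,17 +281,14 @@` hunk, but the changelog entry added at the end of the spec says only `- Latest upstream`. Presumably 2.4.43 carries upstream equivalents, which should be confirmed and recorded. If either is missing, an existing configuration that sets `secret=` on an AJP worker or uses `IdleShutdown` would fail to load, and a backend that requires the AJP secret would reject proxied requests. A changelog line such as `- Drop mod_systemd and AJP secret patches (present upstream)` would make the removal auditable.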
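Review bot: The `%if %{with systemd}` / `%endif` pair added in the `@@ -373,6 +364,9 @@` hunk sits in the middle of a backslash-continued configure command, whereas the rest of the spec expresses the same condition inline (for example `%{?with_systemd:%patch34 -p1 -b .socketactivation}`). Writing the option as `%{?with_systemd:--enable-systemd} \` keeps the continuation unbroken and matches the file's existing idiom. The configure invocation starts outside the hunk.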