rpms/httpd/F-10 httpd-2.2.11-corelimit.patch, NONE, 1.1 httpd-2.2.11-selinux.patch, NONE, 1.1 httpd-2.2.11-xfsz.patch, NONE, 1.1 httpd-2.2.14-CVE-2009-3555.patch, NONE, 1.1 httpd.spec, 1.129, 1.130 sources, 1.21, 1.22 httpd-2.0.40-xfsz.patch, 1.5, NONE httpd-2.0.48-corelimit.patch, 1.2, NONE httpd-2.0.54-selinux.patch, 1.3, NONE httpd-2.2.4-oldflush.patch, 1.3, NONE

jorton jorton at fedoraproject.org
Thu Dec 3 16:11:28 UTC 2009


Author: jorton

Update of /cvs/extras/rpms/httpd/F-10
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv13107

Modified Files:
	httpd.spec sources 
Added Files:
	httpd-2.2.11-corelimit.patch httpd-2.2.11-selinux.patch 
	httpd-2.2.11-xfsz.patch httpd-2.2.14-CVE-2009-3555.patch 
Removed Files:
	httpd-2.0.40-xfsz.patch httpd-2.0.48-corelimit.patch 
	httpd-2.0.54-selinux.patch httpd-2.2.4-oldflush.patch 
Log Message:
* Thu Dec  3 2009 Joe Orton <jorton at redhat.com> - 2.2.14-1
- update to 2.2.14
- Requires(pre): httpd in mod_ssl subpackage (#543275)
- add partial security fix for CVE-2009-3555 (#533125)
- add condrestart in posttrans (#491567)


httpd-2.2.11-corelimit.patch:
 core.c |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- NEW FILE httpd-2.2.11-corelimit.patch ---
--- httpd-2.2.11/server/core.c.corelimit
+++ httpd-2.2.11/server/core.c
@@ -3777,6 +3779,25 @@ static int core_post_config(apr_pool_t *
 
     set_banner(pconf);
     ap_setup_make_content_type(pconf);
+
+#ifdef RLIMIT_CORE
+    if (ap_coredumpdir_configured) {
+        struct rlimit lim;
+
+        if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) {
+            lim.rlim_cur = lim.rlim_max;
+            if (setrlimit(RLIMIT_CORE, &lim) == 0) {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                             "core dump file size limit raised to %lu bytes",
+                             lim.rlim_cur);
+            } else {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL,
+                             "core dump file size is zero, setrlimit failed");
+            }
+        }
+    }
+#endif
+
     return OK;
 }
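Review bot: The notice on L47-L49 passes `lim.rlim_cur`, an `rlim_t`, to a `%lu` conversion, which is a format/argument mismatch on 32-bit large-file builds where `rlim_t` is the 64-bit `rlim64_t`; cast it explicitly, e.g. `"core dump file size limit raised to %" APR_UINT64_T_FMT " bytes", (apr_uint64_t)lim.rlim_cur`. `lim.rlim_max` may also be `RLIM_INFINITY`, which then prints as an enormous number rather than "unlimited", so a `lim.rlim_cur == RLIM_INFINITY ? "unlimited" : ...` branch would read better for operators. Since raising the limit means child processes that hold TLS private keys and request bodies can now write them into CoreDumpDirectory, the block deserves a comment saying this is deliberately gated on `ap_coredumpdir_configured` and that the directory must be unreadable to other users. core_post_config starts and ends outside the hunk.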
 

httpd-2.2.11-selinux.patch:
 configure.in  |    4 ++++
 server/core.c |   22 ++++++++++++++++++++++
 2 files changed, 26 insertions(+)

--- NEW FILE httpd-2.2.11-selinux.patch ---
--- httpd-2.2.11/configure.in.selinux
+++ httpd-2.2.11/configure.in
@@ -412,6 +412,10 @@ getpgid
 dnl confirm that a void pointer is large enough to store a long integer
 APACHE_CHECK_VOID_PTR_LEN
 
+AC_CHECK_LIB(selinux, is_selinux_enabled, [
+   APR_ADDTO(AP_LIBS, [-lselinux])
+])
+
 dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
 AC_CACHE_CHECK([for tm_gmtoff in struct tm], ac_cv_struct_tm_gmtoff,
 [AC_TRY_COMPILE([#include <sys/types.h>
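Review bot: The `AC_CHECK_LIB` on L74-L76 only appends `-lselinux` to `AP_LIBS` and defines no feature macro, yet the companion core.c change includes `<selinux/selinux.h>` and calls `is_selinux_enabled()`/`getcon()` unconditionally, so a tree without libselinux fails to compile instead of silently dropping the feature. Emit a macro from the check, e.g. `AC_DEFINE(HAVE_SELINUX, 1, [Define if libselinux is available])` inside the action-if-found, and wrap the core.c block in `#ifdef HAVE_SELINUX`. This does not affect the Fedora build, which BuildRequires libselinux-devel, but the patch as written is not portable to other trees that carry it.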
--- httpd-2.2.11/server/core.c.selinux
+++ httpd-2.2.11/server/core.c
@@ -51,6 +51,8 @@
 
 #include "mod_so.h" /* for ap_find_loaded_module_symbol */
 
+#include <selinux/selinux.h>
+
 /* LimitRequestBody handling */
 #define AP_LIMIT_REQ_BODY_UNSET         ((apr_off_t) -1)
 #define AP_DEFAULT_LIMIT_REQ_BODY       ((apr_off_t) 0)
@@ -3796,6 +3798,26 @@ static int core_post_config(apr_pool_t *
     }
 #endif
 
+    {
+        static int already_warned = 0;
+        int is_enabled = is_selinux_enabled() > 0;
+        
+        if (is_enabled && !already_warned) {
+            security_context_t con;
+            
+            if (getcon(&con) == 0) {
+                
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                             "SELinux policy enabled; "
+                             "httpd running as context %s", con);
+                
+                already_warned = 1;
+                
+                freecon(con);
+            }
+        }
+    }
+
     return OK;
 }
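Review bot: A `getcon()` failure on L103 is silently ignored: nothing is logged and `already_warned` stays 0, so on a host where SELinux is enabled but the context cannot be read (e.g. /proc unavailable or access denied) the operator gets no notice at all. Add an else branch, `ap_log_error(APLOG_MARK, APLOG_WARNING, errno, NULL, "SELinux policy enabled; getcon() failed");`, so the enabled state is still reported. `already_warned` is a process-wide static; it presumably suppresses the duplicate from the two post_config passes at startup, but it also means the context is never re-logged after a graceful restart, and a one-line comment stating that intent would help. The message itself is safe — the context string goes through `%s`, not as a format.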
 

httpd-2.2.11-xfsz.patch:
 prefork.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE httpd-2.2.11-xfsz.patch ---
--- httpd-2.2.11/server/mpm/prefork/prefork.c.xfsz
+++ httpd-2.2.11/server/mpm/prefork/prefork.c
@@ -399,7 +399,7 @@ static void set_signals(void)
         ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXCPU)");
 #endif
 #ifdef SIGXFSZ
-    sa.sa_handler = SIG_DFL;
+    sa.sa_handler = SIG_IGN;
     if (sigaction(SIGXFSZ, &sa, NULL) < 0)
         ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXFSZ)");
 #endif
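Review bot: Switching SIGXFSZ to `SIG_IGN` on L132 changes the failure mode of a write past RLIMIT_FSIZE from killing the child to `write()` returning `EFBIG`, but only for prefork, while the spec builds the worker and event MPMs too (`%define mpms worker event`) and those presumably keep the same `SIG_DFL` block in their own `set_signals()`. Apply the same one-line change there so the behaviour is consistent across MPMs, and record the rationale next to it: `/* Ignore SIGXFSZ so exceeding RLIMIT_FSIZE fails the write with EFBIG instead of terminating the child. */`. set_signals() starts and ends outside the hunk.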

httpd-2.2.14-CVE-2009-3555.patch:
 ssl_engine_init.c   |    5 -
 ssl_engine_io.c     |   17 +++++
 ssl_engine_kernel.c |  151 +++++++++++++++++++++++++++++++---------------------
 ssl_private.h       |   16 +++++
 4 files changed, 123 insertions(+), 66 deletions(-)

--- NEW FILE httpd-2.2.14-CVE-2009-3555.patch ---
--- httpd-2.2.14/modules/ssl/ssl_engine_init.c.cve3555
+++ httpd-2.2.14/modules/ssl/ssl_engine_init.c
@@ -501,10 +501,7 @@ static void ssl_init_ctx_callbacks(serve
     SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
 
-    if (s->loglevel >= APLOG_DEBUG) {
-        /* this callback only logs if LogLevel >= info */
-        SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
-    }
+    SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
 }
 
 static void ssl_init_ctx_verify(server_rec *s,
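Review bot: The info callback is now installed unconditionally on L155, and the reason — it enforces the renegotiation policy, not merely tracing — is stated nowhere in this file, so a future reader may re-add the removed `loglevel >= APLOG_DEBUG` gate as an optimisation and silently disable the CVE-2009-3555 mitigation. Add a comment above the call: `/* Always installed: ssl_callback_Info enforces the renegotiation policy as well as debug tracing, so this must not be gated on LogLevel. */`. ssl_init_ctx_callbacks starts outside the hunk.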
--- httpd-2.2.14/modules/ssl/ssl_engine_io.c.cve3555
+++ httpd-2.2.14/modules/ssl/ssl_engine_io.c
@@ -103,6 +103,7 @@ typedef struct {
     ap_filter_t        *pInputFilter;
     ap_filter_t        *pOutputFilter;
     int                nobuffer; /* non-zero to prevent buffering */
+    SSLConnRec         *config;
 } ssl_filter_ctx_t;
 
 typedef struct {
@@ -193,7 +194,13 @@ static int bio_filter_out_read(BIO *bio,
 static int bio_filter_out_write(BIO *bio, const char *in, int inl)
 {
     bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
-
+    
+    /* Abort early if the client has initiated a renegotiation. */
+    if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
+        outctx->rc = APR_ECONNABORTED;
+        return -1;
+    }
+    
     /* when handshaking we'll have a small number of bytes.
      * max size SSL will pass us here is about 16k.
      * (16413 bytes to be exact)
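Review bot: The comment on L175 says the client "has initiated a renegotiation", but nothing in this function sets that state; it is set by `ssl_callback_Info` in ssl_engine_kernel.c, and the BIO check is the only place the abort is actually enforced, so the cross-reference belongs here: `/* RENEG_ABORT is set by ssl_callback_Info when a client hello arrives after the first handshake; the info callback cannot fail the handshake itself, so we enforce it here. */`. The replaced blank line and the line after the new `if` block (L174, L180) carry trailing whitespace, which upstream style rejects and which makes later patches fuzz-match. bio_filter_out_write continues outside the hunk.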
@@ -466,6 +473,12 @@ static int bio_filter_in_read(BIO *bio, 
     if (!in)
         return 0;
 
+    /* Abort early if the client has initiated a renegotiation. */
+    if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
+        inctx->rc = APR_ECONNABORTED;
+        return -1;
+    }
+
     /* XXX: flush here only required for SSLv2;
      * OpenSSL calls BIO_flush() at the appropriate times for
      * the other protocols.
@@ -1724,6 +1737,8 @@ void ssl_io_filter_init(conn_rec *c, SSL
 
     filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
 
+    filter_ctx->config          = myConnConfig(c);
+
     filter_ctx->nobuffer        = 0;
     filter_ctx->pOutputFilter   = ap_add_output_filter(ssl_io_filter,
                                                    filter_ctx, NULL, c);
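Review bot: `filter_ctx->config` is taken from `myConnConfig(c)` on L201 without a NULL check, while `ssl_callback_Info` in the same patch treats a NULL `myConnConfig(c)` as possible and returns early; the new BIO read/write paths then dereference `filter_ctx->config->reneg_state` unconditionally. If the NULL case cannot occur here because the filters are only installed after the connection record exists (confirm against ssl_hook_pre_connection, outside this patch), say so with `AP_DEBUG_ASSERT(filter_ctx->config != NULL); /* set up in ssl_hook_pre_connection before the filters are added */`; otherwise the two call sites should agree on which check is real. ssl_io_filter_init starts and ends outside the hunk.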
--- httpd-2.2.14/modules/ssl/ssl_engine_kernel.c.cve3555
+++ httpd-2.2.14/modules/ssl/ssl_engine_kernel.c
@@ -729,6 +729,10 @@ int ssl_hook_Access(request_rec *r)
                                        (unsigned char *)&id,
                                        sizeof(id));
 
+            /* Toggle the renegotiation state to allow the new
+             * handshake to proceed. */
+            sslconn->reneg_state = RENEG_ALLOW;
+            
             SSL_renegotiate(ssl);
             SSL_do_handshake(ssl);
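Review bot: `reneg_state` is switched to `RENEG_ALLOW` on L214 before the server-initiated handshake but is only switched back to `RENEG_REJECT` in the next hunk, after the second `SSL_do_handshake()`; any early return between the two (the error handling right after L217 is outside this hunk and presumably returns HTTP_FORBIDDEN when the renegotiation request fails) would leave the connection with the CVE-2009-3555 mitigation disabled. Unless every such path also sets `r->connection->aborted`, reset the state on the failure path too with `sslconn->reneg_state = RENEG_REJECT;` before returning. A comment above L214 such as `/* RENEG_ALLOW must not outlive this block; every exit path below restores RENEG_REJECT. */` would make the invariant explicit. ssl_hook_Access starts and ends outside the hunk.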
 
@@ -750,6 +754,8 @@ int ssl_hook_Access(request_rec *r)
             SSL_set_state(ssl, SSL_ST_ACCEPT);
             SSL_do_handshake(ssl);
 
+            sslconn->reneg_state = RENEG_REJECT;
+
             if (SSL_get_state(ssl) != SSL_ST_OK) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                               "Re-negotiation handshake failed: "
@@ -1844,76 +1850,55 @@ void ssl_callback_DelSessionCacheEntry(S
     return;
 }
 
-/*
- * This callback function is executed while OpenSSL processes the
- * SSL handshake and does SSL record layer stuff. We use it to
- * trace OpenSSL's processing in out SSL logfile.
- */
-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
+/* Dump debugginfo trace to the log file. */
+static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c, 
+                              server_rec *s, int where, int rc)
 {
-    conn_rec *c;
-    server_rec *s;
-    SSLSrvConfigRec *sc;
-
-    /*
-     * find corresponding server
-     */
-    if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
-        return;
-    }
-
-    s = mySrvFromConn(c);
-    if (!(sc = mySrvConfig(s))) {
-        return;
-    }
-
     /*
      * create the various trace messages
      */
-    if (s->loglevel >= APLOG_DEBUG) {
-        if (where & SSL_CB_HANDSHAKE_START) {
-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                         "%s: Handshake: start", SSL_LIBRARY_NAME);
-        }
-        else if (where & SSL_CB_HANDSHAKE_DONE) {
-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                         "%s: Handshake: done", SSL_LIBRARY_NAME);
-        }
-        else if (where & SSL_CB_LOOP) {
-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                         "%s: Loop: %s",
-                         SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-        }
-        else if (where & SSL_CB_READ) {
+    if (where & SSL_CB_HANDSHAKE_START) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "%s: Handshake: start", SSL_LIBRARY_NAME);
+    }
+    else if (where & SSL_CB_HANDSHAKE_DONE) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "%s: Handshake: done", SSL_LIBRARY_NAME);
+    }
+    else if (where & SSL_CB_LOOP) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "%s: Loop: %s",
+                     SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+    }
+    else if (where & SSL_CB_READ) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "%s: Read: %s",
+                     SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+    }
+    else if (where & SSL_CB_WRITE) {
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "%s: Write: %s",
+                     SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+    }
+    else if (where & SSL_CB_ALERT) {
+        char *str = (where & SSL_CB_READ) ? "read" : "write";
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+                     "%s: Alert: %s:%s:%s",
+                     SSL_LIBRARY_NAME, str,
+                     SSL_alert_type_string_long(rc),
+                     SSL_alert_desc_string_long(rc));
+    }
+    else if (where & SSL_CB_EXIT) {
+        if (rc == 0) {
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                         "%s: Read: %s",
+                         "%s: Exit: failed in %s",
                          SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
         }
-        else if (where & SSL_CB_WRITE) {
+        else if (rc < 0) {
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                         "%s: Write: %s",
+                         "%s: Exit: error in %s",
                          SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
         }
-        else if (where & SSL_CB_ALERT) {
-            char *str = (where & SSL_CB_READ) ? "read" : "write";
-            ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                         "%s: Alert: %s:%s:%s",
-                         SSL_LIBRARY_NAME, str,
-                         SSL_alert_type_string_long(rc),
-                         SSL_alert_desc_string_long(rc));
-        }
-        else if (where & SSL_CB_EXIT) {
-            if (rc == 0) {
-                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                             "%s: Exit: failed in %s",
-                             SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-            }
-            else if (rc < 0) {
-                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-                             "%s: Exit: error in %s",
-                             SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-            }
-        }
     }
 
     /*
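Review bot: In the branch order carried over into log_tracing_state (L289-L306), the `SSL_CB_ALERT` case appears unreachable: OpenSSL reports alerts as `SSL_CB_READ_ALERT`/`SSL_CB_WRITE_ALERT`, which are `SSL_CB_ALERT` OR'd with `SSL_CB_READ`/`SSL_CB_WRITE`, so the earlier `where & SSL_CB_READ` and `where & SSL_CB_WRITE` tests match first and an alert is logged as `Read: <state>` without its type or description. Since the function is being rewritten anyway, move the `else if (where & SSL_CB_ALERT)` block above the `SSL_CB_READ` one; the alert description is the most useful line when diagnosing a rejected handshake. Also `debugginfo` on L238 should read `debugging info`, and the new `c` parameter is not used in the visible part of the function (its tail is outside the hunk).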
@@ -1933,6 +1918,52 @@ void ssl_callback_LogTracingState(MODSSL
     }
 }
 
+/*
+ * This callback function is executed while OpenSSL processes the SSL
+ * handshake and does SSL record layer stuff.  It's used to trap
+ * client-initiated renegotiations, and for dumping everything to the
+ * log.
+ */
+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
+{
+    conn_rec *c;
+    server_rec *s;
+    SSLConnRec *scr;
+
+    /* Retrieve the conn_rec and the associated SSLConnRec. */
+    if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
+        return;
+    }
+
+    if ((scr = myConnConfig(c)) == NULL) {
+        return;
+    }
+
+    /* If the reneg state is to reject renegotiations, check the SSL
+     * state machine and move to ABORT if a Client Hello is being
+     * read. */
+    if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
+        int state = SSL_get_state(ssl);
+        
+        if (state == SSL3_ST_SR_CLNT_HELLO_A 
+            || state == SSL23_ST_SR_CLNT_HELLO_A) {
+            scr->reneg_state = RENEG_ABORT;
+            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+                          "rejecting client initiated renegotiation");
+        }
+    }
+    /* If the first handshake is complete, change state to reject any
+     * subsequent client-initated renegotiation. */
+    else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
+        scr->reneg_state = RENEG_REJECT;
+    }
+
+    s = mySrvFromConn(c);
+    if (s && s->loglevel >= APLOG_DEBUG) {
+        log_tracing_state(ssl, c, s, where, rc);
+    }
+}
+
 #ifndef OPENSSL_NO_TLSEXT
 /*
  * This callback function is executed when OpenSSL encounters an extended
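Review bot: The trap on L372-L380 cannot itself stop the handshake — an info callback has no return value — so the rejection is only enforced when OpenSSL next calls into the BIO layer, and that dependency should be stated here so the BIO checks are not later removed as redundant: `/* We cannot fail from inside the info callback; RENEG_ABORT is enforced by bio_filter_in_read/bio_filter_out_write on the next I/O. */`. The check keys on `SSL_CB_ACCEPT_LOOP`, i.e. the server-side state machine only, so it appears not to cover outbound mod_proxy TLS connections (which would need `SSL_CB_CONNECT_LOOP` and the client-side states); if that scope is intentional, the comment should say so. Finally, `client-initated` on L383 should be `client-initiated`.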
--- httpd-2.2.14/modules/ssl/ssl_private.h.cve3555
+++ httpd-2.2.14/modules/ssl/ssl_private.h
@@ -356,6 +356,20 @@ typedef struct {
     int is_proxy;
     int disabled;
     int non_ssl_request;
+
+    /* Track the handshake/renegotiation state for the connection so
+     * that all client-initiated renegotiations can be rejected, as a
+     * partial fix for CVE-2009-3555. */
+    enum { 
+        RENEG_INIT = 0, /* Before initial handshake */
+        RENEG_REJECT, /* After initial handshake; any client-initiated
+                       * renegotiation should be rejected */
+        RENEG_ALLOW, /* A server-initated renegotiation is taking
+                      * place (as dictated by configuration) */
+        RENEG_ABORT /* Renegotiation initiated by client, abort the
+                     * connection */
+    } reneg_state;
+    
     server_rec *server;
 } SSLConnRec;
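Review bot: `RENEG_INIT = 0` on L408 is what makes a fresh `SSLConnRec` start in the pre-handshake state, so the whole mitigation silently depends on the record being zero-filled where it is allocated (presumably `apr_pcalloc` in ssl_init_connection, outside this patch); put that in the comment: `/* RENEG_INIT must stay 0: SSLConnRec is allocated zero-filled and reneg_state is not set explicitly before the first handshake. */`. The enum is anonymous, so helpers cannot name the type in a prototype and a `switch` over it gets no `-Wswitch` coverage; `enum reneg_state { ... } reneg_state;` would fix both. L407 and L416 carry trailing whitespace.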
 
@@ -574,7 +588,7 @@ int          ssl_callback_proxy_cert(SSL
 int          ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
 SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
 void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
-void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
+void         ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
 #ifndef OPENSSL_NO_TLSEXT
 int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
 #endif


Index: httpd.spec
===================================================================
RCS file: /cvs/extras/rpms/httpd/F-10/httpd.spec,v
retrieving revision 1.129
retrieving revision 1.130
diff -u -p -r1.129 -r1.130
--- httpd.spec	23 Aug 2009 10:11:04 -0000	1.129
+++ httpd.spec	3 Dec 2009 16:11:27 -0000	1.130
@@ -4,11 +4,9 @@
 %define vstring Fedora
 %define mpms worker event
 
-%define _default_patch_fuzz 2
-
 Summary: Apache HTTP Server
 Name: httpd
-Version: 2.2.13
+Version: 2.2.14
 Release: 1%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
@@ -31,19 +29,21 @@ Patch4: httpd-2.1.10-disablemods.patch
 Patch5: httpd-2.1.10-layout.patch
 # Features/functional changes
 Patch20: httpd-2.0.48-release.patch
-Patch21: httpd-2.0.40-xfsz.patch
+Patch21: httpd-2.2.11-xfsz.patch
 Patch22: httpd-2.1.10-pod.patch
 Patch23: httpd-2.0.45-export.patch
-Patch24: httpd-2.0.48-corelimit.patch
-Patch25: httpd-2.0.54-selinux.patch
+Patch24: httpd-2.2.11-corelimit.patch
+Patch25: httpd-2.2.11-selinux.patch
 Patch26: httpd-2.2.9-suenable.patch
 # Bug fixes
 Patch54: httpd-2.2.0-authnoprov.patch
+# Security fixes
+Patch90: httpd-2.2.14-CVE-2009-3555.patch
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-BuildRequires: autoconf, perl, pkgconfig, findutils, ed
-BuildRequires: db4-devel, expat-devel, zlib-devel, libselinux-devel
+BuildRequires: autoconf, perl, pkgconfig, findutils
+BuildRequires: zlib-devel, libselinux-devel
 BuildRequires: apr-devel >= 1.2.0, apr-util-devel >= 1.2.0, pcre-devel >= 5.0
 Requires: initscripts >= 8.36, /etc/mime.types, system-logos >= 7.92.1-1
 Obsoletes: httpd-suexec
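Review bot: The BuildRequires change on L472-L475 drops `db4-devel`, `expat-devel` and `ed`, which is neither mentioned in the changelog entry nor related to the 2.2.14 update or the CVE fix it ships with, so a reader bisecting a build change later has nothing to go on. Add a changelog line such as `- drop unneeded db4-devel, expat-devel and ed build requirements` (with the reason, if it is the apr-util switch). If these are still pulled in transitively by apr-util-devel, say so in a spec comment above the BuildRequires.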
@@ -102,6 +102,7 @@ Summary: SSL/TLS module for the Apache H
 Epoch: 1
 BuildRequires: openssl-devel, distcache-devel
 Requires(post): openssl >= 0.9.7f-4, /bin/cat
+Requires(pre): httpd
 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmn}
 Obsoletes: stronghold-mod_ssl
 
@@ -118,7 +119,7 @@ Security (TLS) protocols.
 %patch4 -p1 -b .disablemods
 %patch5 -p1 -b .layout
 
-%patch21 -p0 -b .xfsz
+%patch21 -p1 -b .xfsz
 %patch22 -p1 -b .pod
 %patch23 -p1 -b .export
 %patch24 -p1 -b .corelimit
@@ -127,6 +128,8 @@ Security (TLS) protocols.
 
 %patch54 -p1 -b .authnoprov
 
+%patch90 -p1 -b .cve3555
+
 # Patch in vendor/release string
 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
 
@@ -349,6 +352,9 @@ if [ $1 = 0 ]; then
 	/sbin/chkconfig --del httpd
 fi
 
+%posttrans
+/sbin/service httpd condrestart >/dev/null 2>&1 || :
+
 %define sslcert %{_sysconfdir}/pki/tls/certs/localhost.crt
 %define sslkey %{_sysconfdir}/pki/tls/private/localhost.key
 
@@ -480,6 +486,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/httpd/build/*.sh
 
 %changelog
+* Thu Dec  3 2009 Joe Orton <jorton at redhat.com> - 2.2.14-1
+- update to 2.2.14
+- Requires(pre): httpd in mod_ssl subpackage (#543275)
+- add partial security fix for CVE-2009-3555 (#533125)
+- add condrestart in posttrans (#491567)
+
 * Sun Aug 23 2009 Joe Orton <jorton at redhat.com> 2.2.13-1
 - update to 2.2.13
 - add delaycompress to logrotate config


Index: sources
===================================================================
RCS file: /cvs/extras/rpms/httpd/F-10/sources,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -p -r1.21 -r1.22
--- sources	23 Aug 2009 10:11:04 -0000	1.21
+++ sources	3 Dec 2009 16:11:27 -0000	1.22
@@ -1 +1 @@
-2803e35be6650f5b739e6e91faa824dd  httpd-2.2.13.tar.gz
+2c1e3c7ba00bcaa0163da7b3e66aaa1e  httpd-2.2.14.tar.gz


--- httpd-2.0.40-xfsz.patch DELETED ---


--- httpd-2.0.48-corelimit.patch DELETED ---


--- httpd-2.0.54-selinux.patch DELETED ---


--- httpd-2.2.4-oldflush.patch DELETED ---



