* [gentoo-commits] proj/apache:master commit in: /, 2.2/patches/
@ 2013-11-09 15:32 Lars Wendler
From: Lars Wendler @ 2013-11-09 15:32 UTC (permalink / raw
  To: gentoo-commits

commit:     8e7082d1d4d2d7c427d600a816934b89cdc6f7f8
Author:     Benedikt Boehm <hollow <AT> gentoo <DOT> org>
AuthorDate: Wed Jul 29 08:08:30 2009 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Wed Jul 29 08:08:30 2009 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/apache.git;a=commit;h=8e7082d1

Remove patches that have been backported upstream and are included in httpd 2.2.12.

---
 .gitignore                                         |   1 +
 2.2/patches/04_all_mod_ssl_tls_sni.patch           | 380 ---------------------
 .../05_all_fix_graceful_multiple_listeners.patch   |  42 ---
 2.2/patches/06_all_CVE-2009-1191.patch             |  37 --
 2.2/patches/07_all_CVE-2009-1195.patch             | 136 --------
 2.2/patches/08_all_CVE-2009-1890.patch             |  38 ---
 2.2/patches/09_all_CVE-2009-1891.patch             |  29 --
 2.2/patches/10_all_r779472.patch                   |  67 ----
 2.2/patches/11_all_r790738.patch                   |  18 -
 9 files changed, 1 insertion(+), 747 deletions(-)

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..bb6dce2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+gentoo-apache-*.tar.bz2

diff --git a/2.2/patches/04_all_mod_ssl_tls_sni.patch b/2.2/patches/04_all_mod_ssl_tls_sni.patch
deleted file mode 100644
index 73392ae..0000000
--- a/2.2/patches/04_all_mod_ssl_tls_sni.patch
+++ /dev/null
@@ -1,380 +0,0 @@
-# httpd-2.2.x-sni.patch - server name indication support for Apache 2.2
-# (see RFC 4366, "Transport Layer Security (TLS) Extensions")
-
-# based on a patch from the EdelKey project
-# (http://www.edelweb.fr/EdelKey/files/apache-2.2.0+0.9.9+servername.patch)
-
-# Needs openssl-SNAP-20060330 / OpenSSL 0.9.8f or later
-# to work properly (ftp://ftp.openssl.org/snapshot/). The 0.9.8 versions
-# must be configured explicitly for TLS extension support at compile time
-# ("./config enable-tlsext").
-
-Index: httpd-2.2.x/modules/ssl/ssl_private.h
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_private.h	(revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_private.h	(working copy)
-@@ -35,6 +35,7 @@
- #include "http_connection.h"
- #include "http_request.h"
- #include "http_protocol.h"
-+#include "http_vhost.h"
- #include "util_script.h"
- #include "util_filter.h"
- #include "util_ebcdic.h"
-@@ -555,6 +556,9 @@ int          ssl_callback_NewSessionCach
- SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
- void         ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
- void         ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
-+#ifndef OPENSSL_NO_TLSEXT
-+int          ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
-+#endif
- 
- /**  Session Cache Support  */
- void         ssl_scache_init(server_rec *, apr_pool_t *);
-Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_init.c	(revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c	(working copy)
-@@ -355,6 +355,33 @@ static void ssl_init_server_check(server
-     }
- }
- 
-+#ifndef OPENSSL_NO_TLSEXT
-+static void ssl_init_ctx_tls_extensions(server_rec *s,
-+                                        apr_pool_t *p,
-+                                        apr_pool_t *ptemp,
-+                                        modssl_ctx_t *mctx)
-+{
-+    /*
-+     * Configure TLS extensions support
-+     */
-+    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+                 "Configuring TLS extension handling");
-+
-+    /*
-+     * Server name indication (SNI)
-+     */
-+    if (!SSL_CTX_set_tlsext_servername_callback(mctx->ssl_ctx,
-+                          ssl_callback_ServerNameIndication) ||
-+        !SSL_CTX_set_tlsext_servername_arg(mctx->ssl_ctx, mctx)) {
-+        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
-+                     "Unable to initialize TLS servername extension "
-+                     "callback (incompatible OpenSSL version?)");
-+        ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
-+        ssl_die();
-+    }
-+}
-+#endif
-+
- static void ssl_init_ctx_protocol(server_rec *s,
-                                   apr_pool_t *p,
-                                   apr_pool_t *ptemp,
-@@ -687,6 +714,9 @@ static void ssl_init_ctx(server_rec *s,
-     if (mctx->pks) {
-         /* XXX: proxy support? */
-         ssl_init_ctx_cert_chain(s, p, ptemp, mctx);
-+#ifndef OPENSSL_NO_TLSEXT
-+        ssl_init_ctx_tls_extensions(s, p, ptemp, mctx);
-+#endif
-     }
- }
- 
-@@ -1036,9 +1066,19 @@ void ssl_init_CheckServers(server_rec *b
-         klen = strlen(key);
- 
-         if ((ps = (server_rec *)apr_hash_get(table, key, klen))) {
--            ap_log_error(APLOG_MARK, APLOG_WARNING, 0,
-+            ap_log_error(APLOG_MARK, 
-+#ifdef OPENSSL_NO_TLSEXT
-+                         APLOG_WARNING, 
-+#else
-+                         APLOG_DEBUG, 
-+#endif
-+                         0,
-                          base_server,
-+#ifdef OPENSSL_NO_TLSEXT
-                          "Init: SSL server IP/port conflict: "
-+#else
-+                         "Init: SSL server IP/port overlap: "
-+#endif
-                          "%s (%s:%d) vs. %s (%s:%d)",
-                          ssl_util_vhostid(p, s),
-                          (s->defn_name ? s->defn_name : "unknown"),
-@@ -1055,8 +1095,14 @@ void ssl_init_CheckServers(server_rec *b
- 
-     if (conflict) {
-         ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server,
-+#ifdef OPENSSL_NO_TLSEXT
-                      "Init: You should not use name-based "
-                      "virtual hosts in conjunction with SSL!!");
-+#else
-+                     "Init: Name-based SSL virtual hosts only "
-+                     "work for clients with TLS server name indication "
-+                     "support (RFC 4366)");
-+#endif
-     }
- }
- 
-Index: httpd-2.2.x/modules/ssl/ssl_engine_vars.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_vars.c	(revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_vars.c	(working copy)
-@@ -320,6 +320,12 @@ static char *ssl_var_lookup_ssl(apr_pool
-     else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
-         result = ssl_var_lookup_ssl_compress_meth(ssl);
-     }
-+#ifndef OPENSSL_NO_TLSEXT
-+    else if (ssl != NULL && strcEQ(var, "TLS_SNI")) {
-+        result = apr_pstrdup(p, SSL_get_servername(ssl,
-+                                                   TLSEXT_NAMETYPE_host_name));
-+    }
-+#endif
-     return result;
- }
- 
-Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c	(working copy)
-@@ -31,6 +31,9 @@
- #include "ssl_private.h"
- 
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
-+#ifndef OPENSSL_NO_TLSEXT
-+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
-+#endif
- 
- /*
-  *  Post Read Request Handler
-@@ -39,6 +42,9 @@ int ssl_hook_ReadReq(request_rec *r)
- {
-     SSLConnRec *sslconn = myConnConfig(r->connection);
-     SSL *ssl;
-+#ifndef OPENSSL_NO_TLSEXT
-+    const char *servername;
-+#endif
- 
-     if (!sslconn) {
-         return DECLINED;
-@@ -87,6 +93,14 @@ int ssl_hook_ReadReq(request_rec *r)
-     if (!ssl) {
-         return DECLINED;
-     }
-+#ifndef OPENSSL_NO_TLSEXT
-+    if (!r->hostname &&
-+        (servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-+        /* Use the SNI extension as the hostname if no Host: header was sent */
-+        r->hostname = apr_pstrdup(r->pool, servername);
-+        ap_update_vhost_from_headers(r);
-+    }
-+#endif
-     SSL_set_app_data2(ssl, r);
- 
-     /*
-@@ -353,6 +367,11 @@ int ssl_hook_Access(request_rec *r)
-      * currently active/remembered verify depth (because this means more
-      * restriction on the certificate chain).
-      */
-+    if ((sc->server->auth.verify_depth != UNSET) &&
-+        (dc->nVerifyDepth == UNSET)) {
-+        /* apply per-vhost setting, if per-directory config is not set */
-+        dc->nVerifyDepth = sc->server->auth.verify_depth;
-+    }
-     if (dc->nVerifyDepth != UNSET) {
-         /* XXX: doesnt look like sslconn->verify_depth is actually used */
-         if (!(n = sslconn->verify_depth)) {
-@@ -382,6 +401,11 @@ int ssl_hook_Access(request_rec *r)
-      * verification but at least skip the I/O-intensive renegotation
-      * handshake.
-      */
-+    if ((sc->server->auth.verify_mode != SSL_CVERIFY_UNSET) &&
-+        (dc->nVerifyClient == SSL_CVERIFY_UNSET)) {
-+        /* apply per-vhost setting, if per-directory config is not set */
-+        dc->nVerifyClient = sc->server->auth.verify_mode;
-+    }
-     if (dc->nVerifyClient != SSL_CVERIFY_UNSET) {
-         /* remember old state */
-         verify_old = SSL_get_verify_mode(ssl);
-@@ -997,6 +1021,9 @@ int ssl_hook_Fixup(request_rec *r)
-     SSLDirConfigRec *dc = myDirConfig(r);
-     apr_table_t *env = r->subprocess_env;
-     char *var, *val = "";
-+#ifndef OPENSSL_NO_TLSEXT
-+    const char *servername;
-+#endif
-     STACK_OF(X509) *peer_certs;
-     SSL *ssl;
-     int i;
-@@ -1018,6 +1045,13 @@ int ssl_hook_Fixup(request_rec *r)
-     /* the always present HTTPS (=HTTP over SSL) flag! */
-     apr_table_setn(env, "HTTPS", "on");
- 
-+#ifndef OPENSSL_NO_TLSEXT
-+    /* add content of SNI TLS extension (if supplied with ClientHello) */
-+    if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
-+        apr_table_set(env, "SSL_TLS_SNI", servername);
-+    }
-+#endif
-+
-     /* standard SSL environment variables */
-     if (dc->nOptions & SSL_OPT_STDENVVARS) {
-         for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
-@@ -1810,3 +1844,141 @@ void ssl_callback_LogTracingState(MODSSL
-     }
- }
- 
-+#ifndef OPENSSL_NO_TLSEXT
-+/*
-+ * This callback function is executed when OpenSSL encounters an extended
-+ * client hello with a server name indication extension ("SNI", cf. RFC 4366).
-+ */
-+int ssl_callback_ServerNameIndication(SSL *ssl, int *al, modssl_ctx_t *mctx)
-+{
-+    const char *servername =
-+                SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
-+
-+    if (servername) {
-+        conn_rec *c = (conn_rec *)SSL_get_app_data(ssl);
-+        if (c) {
-+            if (ap_vhost_iterate_given_conn(c, ssl_find_vhost,
-+                                            (void *)servername)) {
-+                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-+                              "SSL virtual host for servername %s found",
-+                              servername);
-+                return SSL_TLSEXT_ERR_OK;
-+            }
-+            else {
-+                ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-+                              "No matching SSL virtual host for servername "
-+                              "%s found (using default/first virtual host)",
-+                              servername);
-+                return SSL_TLSEXT_ERR_ALERT_WARNING;
-+            }
-+        }
-+    }
-+
-+    return SSL_TLSEXT_ERR_NOACK;
-+}
-+
-+/*
-+ * Find a (name-based) SSL virtual host where either the ServerName
-+ * or one of the ServerAliases matches the supplied name (to be used
-+ * with ap_vhost_iterate_given_conn())
-+ */
-+static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s) 
-+{
-+    SSLSrvConfigRec *sc;
-+    SSL *ssl;
-+    BOOL found = FALSE;
-+    apr_array_header_t *names;
-+    int i;
-+
-+    /* check ServerName */
-+    if (!strcasecmp(servername, s->server_hostname)) {
-+        found = TRUE;
-+    }
-+
-+    /* 
-+     * if not matched yet, check ServerAlias entries
-+     * (adapted from vhost.c:matches_aliases())
-+     */
-+    if (!found) {
-+        names = s->names;
-+        if (names) {
-+            char **name = (char **)names->elts;
-+            for (i = 0; i < names->nelts; ++i) {
-+                if (!name[i])
-+                    continue;
-+                if (!strcasecmp(servername, name[i])) {
-+                    found = TRUE;
-+                    break;
-+                }
-+            }
-+        }
-+    }
-+
-+    /* if still no match, check ServerAlias entries with wildcards */
-+    if (!found) {
-+        names = s->wild_names;
-+        if (names) {
-+            char **name = (char **)names->elts;
-+            for (i = 0; i < names->nelts; ++i) {
-+                if (!name[i])
-+                    continue;
-+                if (!ap_strcasecmp_match(servername, name[i])) {
-+                    found = TRUE;
-+                    break;
-+                }
-+            }
-+        }
-+    }
-+
-+    /* set SSL_CTX (if matched) */
-+    if (found && (ssl = ((SSLConnRec *)myConnConfig(c))->ssl) &&
-+        (sc = mySrvConfig(s))) {
-+        SSL_set_SSL_CTX(ssl, sc->server->ssl_ctx);
-+        /*
-+         * SSL_set_SSL_CTX() only deals with the server cert,
-+         * so we need to duplicate a few additional settings
-+         * from the ctx by hand
-+         */
-+        SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
-+        if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
-+            (SSL_num_renegotiations(ssl) == 0)) {
-+           /*
-+            * Only initialize the verification settings from the ctx
-+            * if they are not yet set, or if we're called when a new
-+            * SSL connection is set up (num_renegotiations == 0).
-+            * Otherwise, we would possibly reset a per-directory
-+            * configuration which was put into effect by ssl_hook_Access.
-+            */
-+            SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-+                           SSL_CTX_get_verify_callback(ssl->ctx));
-+        }
-+
-+        /*
-+         * We also need to make sure that the correct mctx
-+         * (accessed through the c->base_server->module_config vector)
-+         * is assigned to the connection - the CRL callback e.g.
-+         * makes use of it for retrieving its store (mctx->crl).
-+         * Since logging in callbacks uses c->base_server in many
-+         * cases, it also ensures that these messages are routed
-+         * to the proper log.
-+         */
-+        c->base_server = s;
-+
-+        /*
-+         * There is one special filter callback, which is set
-+         * very early depending on the base_server's log level.
-+         * If this is not the first vhost we're now selecting
-+         * (and the first vhost doesn't use APLOG_DEBUG), then
-+         * we need to set that callback here.
-+         */
-+        if (c->base_server->loglevel >= APLOG_DEBUG) {
-+            BIO_set_callback(SSL_get_rbio(ssl), ssl_io_data_cb);
-+            BIO_set_callback_arg(SSL_get_rbio(ssl), (void *)ssl);
-+        }
-+
-+        return 1;
-+    }
-+
-+    return 0;
-+}
-+#endif
-Index: httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h	(revision 663014)
-+++ httpd-2.2.x/modules/ssl/ssl_toolkit_compat.h	(working copy)
-@@ -264,6 +264,12 @@ typedef void (*modssl_popfree_fn)(char *
- #define SSL_SESS_CACHE_NO_INTERNAL  SSL_SESS_CACHE_NO_INTERNAL_LOOKUP
- #endif
- 
-+#ifndef OPENSSL_NO_TLSEXT
-+#ifndef SSL_CTRL_SET_TLSEXT_HOSTNAME
-+#define OPENSSL_NO_TLSEXT
-+#endif
-+#endif
-+
- #endif /* SSL_TOOLKIT_COMPAT_H */
- 
- /** @} */

diff --git a/2.2/patches/05_all_fix_graceful_multiple_listeners.patch b/2.2/patches/05_all_fix_graceful_multiple_listeners.patch
deleted file mode 100644
index 6ed9de1..0000000
--- a/2.2/patches/05_all_fix_graceful_multiple_listeners.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c	2009/01/31 20:53:11	739607
-+++ httpd/httpd/branches/2.2.x/server/mpm/prefork/prefork.c	2009/01/31 20:54:55	739608
-@@ -577,19 +577,27 @@
-                 apr_int32_t numdesc;
-                 const apr_pollfd_t *pdesc;
- 
--                /* timeout == -1 == wait forever */
--                status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc);
-+                /* check for termination first so we don't sleep for a while in
-+                 * poll if already signalled
-+                 */
-+                if (one_process && shutdown_pending) {
-+                    SAFE_ACCEPT(accept_mutex_off());
-+                    return;
-+                }
-+                else if (die_now) {
-+                    /* In graceful stop/restart; drop the mutex
-+                     * and terminate the child. */
-+                    SAFE_ACCEPT(accept_mutex_off());
-+                    clean_child_exit(0);
-+                }
-+                /* timeout == 10 seconds to avoid a hang at graceful restart/stop
-+                 * caused by the closing of sockets by the signal handler
-+                 */
-+                status = apr_pollset_poll(pollset, apr_time_from_sec(10), 
-+                                          &numdesc, &pdesc);
-                 if (status != APR_SUCCESS) {
--                    if (APR_STATUS_IS_EINTR(status)) {
--                        if (one_process && shutdown_pending) {
--                            return;
--                        }
--                        else if (die_now) {
--                            /* In graceful stop/restart; drop the mutex
--                             * and terminate the child. */
--                            SAFE_ACCEPT(accept_mutex_off());
--                            clean_child_exit(0);
--                        }
-+                    if (APR_STATUS_IS_TIMEUP(status) ||
-+                        APR_STATUS_IS_EINTR(status)) {
-                         continue;
-                     }
-                     /* Single Unix documents select as returning errnos

diff --git a/2.2/patches/06_all_CVE-2009-1191.patch b/2.2/patches/06_all_CVE-2009-1191.patch
deleted file mode 100644
index cbb790a..0000000
--- a/2.2/patches/06_all_CVE-2009-1191.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-Index: modules/proxy/mod_proxy_ajp.c
-===================================================================
---- modules/proxy/mod_proxy_ajp.c	(Revision 763379)
-+++ modules/proxy/mod_proxy_ajp.c	(Arbeitskopie)
-@@ -307,21 +307,17 @@
-                          "proxy: read zero bytes, expecting"
-                          " %" APR_OFF_T_FMT " bytes",
-                          content_length);
--            status = ajp_send_data_msg(conn->sock, msg, 0);
--            if (status != APR_SUCCESS) {
--                /* We had a failure: Close connection to backend */
--                conn->close++;
--                ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
--                            "proxy: send failed to %pI (%s)",
--                            conn->worker->cp->addr,
--                            conn->worker->hostname);
--                return HTTP_INTERNAL_SERVER_ERROR;
--            }
--            else {
--                /* Client send zero bytes with C-L > 0
--                 */
--                return HTTP_BAD_REQUEST;
--            }
-+            /*
-+             * We can only get here if the client closed the connection
-+             * to us without sending the body.
-+             * Now the connection is in the wrong state on the backend.
-+             * Sending an empty data msg doesn't help either as it does
-+             * not move this connection to the correct state on the backend
-+             * for later resusage by the next request again.
-+             * Close it to clean things up.
-+             */
-+            conn->close++;
-+            return HTTP_BAD_REQUEST;
-         }
-     }
- 

diff --git a/2.2/patches/07_all_CVE-2009-1195.patch b/2.2/patches/07_all_CVE-2009-1195.patch
deleted file mode 100644
index 14a6dba..0000000
--- a/2.2/patches/07_all_CVE-2009-1195.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-Index: server/config.c
-===================================================================
---- server/config.c	(revision 773036)
-+++ server/config.c	(working copy)
-@@ -1510,7 +1510,7 @@
-     parms.temp_pool = ptemp;
-     parms.server = s;
-     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
--    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
- 
-     parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
-                                             &arr_parms, NULL,
-@@ -1617,7 +1617,7 @@
-     parms.temp_pool = ptemp;
-     parms.server = s;
-     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
--    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
- 
-     rv = ap_pcfg_openfile(&cfp, p, fname);
-     if (rv != APR_SUCCESS) {
-@@ -1755,7 +1755,7 @@
-     parms.temp_pool = ptemp;
-     parms.server = s;
-     parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
--    parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
-+    parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
-     parms.limited = -1;
- 
-     errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
-Index: server/core.c
-===================================================================
---- server/core.c	(revision 773036)
-+++ server/core.c	(working copy)
-@@ -108,8 +108,7 @@
-     conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
-     conf->opts_add = conf->opts_remove = OPT_NONE;
-     conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
--    conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
--                          | OPT_MULTI;
-+    conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
- 
-     conf->content_md5 = 2;
-     conf->accept_path_info = 3;
-@@ -242,8 +241,15 @@
-         conf->opts_remove = (conf->opts_remove & ~new->opts_add)
-                             | new->opts_remove;
-         conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
--        if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
--            conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
-+
-+        /* If Includes was enabled with exec in the base config, but
-+         * was enabled without exec in the new config, then disable
-+         * exec in the merged set. */
-+        if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
-+             == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
-+            && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
-+                == OPT_INCLUDES)) {
-+            conf->opts &= ~OPT_INC_WITH_EXEC;
-         }
-     }
-     else {
-@@ -1304,10 +1310,12 @@
-             opt = OPT_INDEXES;
-         }
-         else if (!strcasecmp(w, "Includes")) {
--            opt = OPT_INCLUDES;
-+            /* If Includes is permitted, both Includes and
-+             * IncludesNOEXEC may be changed. */
-+            opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
-         }
-         else if (!strcasecmp(w, "IncludesNOEXEC")) {
--            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+            opt = OPT_INCLUDES;
-         }
-         else if (!strcasecmp(w, "FollowSymLinks")) {
-             opt = OPT_SYM_LINKS;
-@@ -1428,10 +1436,10 @@
-             opt = OPT_INDEXES;
-         }
-         else if (!strcasecmp(w, "Includes")) {
--            opt = OPT_INCLUDES;
-+            opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
-         }
-         else if (!strcasecmp(w, "IncludesNOEXEC")) {
--            opt = (OPT_INCLUDES | OPT_INCNOEXEC);
-+            opt = OPT_INCLUDES;
-         }
-         else if (!strcasecmp(w, "FollowSymLinks")) {
-             opt = OPT_SYM_LINKS;
-Index: modules/filters/mod_include.c
-===================================================================
---- modules/filters/mod_include.c	(revision 773036)
-+++ modules/filters/mod_include.c	(working copy)
-@@ -3574,7 +3574,7 @@
-         intern->seen_eos = 0;
-         intern->state = PARSE_PRE_HEAD;
-         ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
--        if (ap_allow_options(r) & OPT_INCNOEXEC) {
-+        if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
-             ctx->flags |= SSI_FLAG_NO_EXEC;
-         }
-         intern->accessenable = conf->accessenable;
-Index: include/http_core.h
-===================================================================
---- include/http_core.h	(revision 773036)
-+++ include/http_core.h	(working copy)
-@@ -65,7 +65,7 @@
- #define OPT_NONE 0
- /** Indexes directive */
- #define OPT_INDEXES 1
--/**  Includes directive */
-+/** SSI is enabled without exec= permission  */
- #define OPT_INCLUDES 2
- /**  FollowSymLinks directive */
- #define OPT_SYM_LINKS 4
-@@ -73,14 +73,14 @@
- #define OPT_EXECCGI 8
- /**  directive unset */
- #define OPT_UNSET 16
--/**  IncludesNOEXEC directive */
--#define OPT_INCNOEXEC 32
-+/**  SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
-+#define OPT_INC_WITH_EXEC 32
- /** SymLinksIfOwnerMatch directive */
- #define OPT_SYM_OWNER 64
- /** MultiViews directive */
- #define OPT_MULTI 128
- /**  All directives */
--#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
-+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
- /** @} */
- 
- /**
-

diff --git a/2.2/patches/08_all_CVE-2009-1890.patch b/2.2/patches/08_all_CVE-2009-1890.patch
deleted file mode 100644
index 672c82b..0000000
--- a/2.2/patches/08_all_CVE-2009-1890.patch
+++ /dev/null
@@ -1,38 +0,0 @@
---- httpd/httpd/trunk/modules/proxy/mod_proxy_http.c	2009/07/02 13:37:39	790586
-+++ httpd/httpd/trunk/modules/proxy/mod_proxy_http.c	2009/07/02 13:41:18	790587
-@@ -427,10 +427,16 @@
-     apr_off_t bytes_streamed = 0;
- 
-     if (old_cl_val) {
-+        char *endstr;
-+
-         add_cl(p, bucket_alloc, header_brigade, old_cl_val);
--        if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
--                                                 0))) {
--            return HTTP_INTERNAL_SERVER_ERROR;
-+        status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
-+        
-+        if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
-+            ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
-+                          "proxy: could not parse request Content-Length (%s)",
-+                          old_cl_val);
-+            return HTTP_BAD_REQUEST;
-         }
-     }
-     terminate_headers(bucket_alloc, header_brigade);
-@@ -463,8 +469,13 @@
-          *
-          * Prevents HTTP Response Splitting.
-          */
--        if (bytes_streamed > cl_val)
--             continue;
-+        if (bytes_streamed > cl_val) {
-+            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+                          "proxy: read more bytes of request body than expected "
-+                          "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
-+                          bytes_streamed, cl_val);
-+            return HTTP_INTERNAL_SERVER_ERROR;
-+        }
- 
-         if (header_brigade) {
-             /* we never sent the header brigade, so go ahead and

diff --git a/2.2/patches/09_all_CVE-2009-1891.patch b/2.2/patches/09_all_CVE-2009-1891.patch
deleted file mode 100644
index 4d778f8..0000000
--- a/2.2/patches/09_all_CVE-2009-1891.patch
+++ /dev/null
@@ -1,29 +0,0 @@
---- httpd/httpd/branches/2.2.x/server/core_filters.c	2009/07/06 12:01:05	791453
-+++ httpd/httpd/branches/2.2.x/server/core_filters.c	2009/07/06 12:03:20	791454
-@@ -542,6 +542,12 @@
-     apr_read_type_e eblock = APR_NONBLOCK_READ;
-     apr_pool_t *input_pool = b->p;
- 
-+    /* Fail quickly if the connection has already been aborted. */
-+    if (c->aborted) {
-+        apr_brigade_cleanup(b);
-+        return APR_ECONNABORTED;
-+    }
-+
-     if (ctx == NULL) {
-         ctx = apr_pcalloc(c->pool, sizeof(*ctx));
-         net->out_ctx = ctx;
-@@ -909,12 +915,9 @@
-             /* No need to check for SUCCESS, we did that above. */
-             if (!APR_STATUS_IS_EAGAIN(rv)) {
-                 c->aborted = 1;
-+                return APR_ECONNABORTED;
-             }
- 
--            /* The client has aborted, but the request was successful. We
--             * will report success, and leave it to the access and error
--             * logs to note that the connection was aborted.
--             */
-             return APR_SUCCESS;
-         }
- 

diff --git a/2.2/patches/10_all_r779472.patch b/2.2/patches/10_all_r779472.patch
deleted file mode 100644
index c4bb6cb..0000000
--- a/2.2/patches/10_all_r779472.patch
+++ /dev/null
@@ -1,67 +0,0 @@
-Index: server/core.c
-===================================================================
---- server/core.c	(revision 779471)
-+++ server/core.c	(revision 779472)
-@@ -661,7 +661,11 @@
-     core_dir_config *conf =
-       (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
- 
--    return conf->opts;
-+    /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
-+     * inverted, such that the exposed semantics match that of
-+     * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
-+     * permitted. */
-+    return conf->opts ^ OPT_INC_WITH_EXEC;
- }
- 
- AP_DECLARE(int) ap_allow_overrides(request_rec *r)
-Index: modules/filters/mod_include.c
-===================================================================
---- modules/filters/mod_include.c	(revision 779471)
-+++ modules/filters/mod_include.c	(revision 779472)
-@@ -3565,7 +3565,7 @@
-         intern->seen_eos = 0;
-         intern->state = PARSE_PRE_HEAD;
-         ctx->flags = (SSI_FLAG_PRINTING | SSI_FLAG_COND_TRUE);
--        if ((ap_allow_options(r) & OPT_INC_WITH_EXEC) == 0) {
-+        if (ap_allow_options(r) & OPT_INCNOEXEC) {
-             ctx->flags |= SSI_FLAG_NO_EXEC;
-         }
-         intern->accessenable = conf->accessenable;
-Index: include/http_core.h
-===================================================================
---- include/http_core.h	(revision 779471)
-+++ include/http_core.h	(revision 779472)
-@@ -73,16 +73,29 @@
- #define OPT_EXECCGI 8
- /**  directive unset */
- #define OPT_UNSET 16
--/**  SSI exec= permission is permitted, iff OPT_INCLUDES is also set */
--#define OPT_INC_WITH_EXEC 32
-+/**  IncludesNOEXEC directive */
-+#define OPT_INCNOEXEC 32
- /** SymLinksIfOwnerMatch directive */
- #define OPT_SYM_OWNER 64
- /** MultiViews directive */
- #define OPT_MULTI 128
- /**  All directives */
--#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INC_WITH_EXEC|OPT_SYM_LINKS|OPT_EXECCGI)
-+#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
- /** @} */
- 
-+#ifdef CORE_PRIVATE
-+/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
-+ * internally replaced by OPT_INC_WITH_EXEC.  The internal semantics
-+ * of the two SSI-related bits are hence:
-+ *
-+ *  OPT_INCLUDES => "enable SSI, without exec= permission"
-+ *  OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
-+ *
-+ * The set of options exposed via ap_allow_options() retains the
-+ * semantics of OPT_INCNOEXEC by flipping the bit. */
-+#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
-+#endif
-+
- /**
-  * @defgroup get_remote_host Remote Host Resolution 
-  * @ingroup APACHE_CORE_HTTPD

diff --git a/2.2/patches/11_all_r790738.patch b/2.2/patches/11_all_r790738.patch
deleted file mode 100644
index 3ddf33b..0000000
--- a/2.2/patches/11_all_r790738.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Index: server/core.c
-===================================================================
---- server/core.c	(revision 790737)
-+++ server/core.c	(revision 790738)
-@@ -665,7 +665,12 @@
-      * inverted, such that the exposed semantics match that of
-      * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
-      * permitted. */
--    return conf->opts ^ OPT_INC_WITH_EXEC;
-+    if (conf->opts & OPT_INCLUDES) {
-+        return conf->opts ^ OPT_INC_WITH_EXEC;
-+    }
-+    else {
-+        return conf->opts;
-+    }
- }
- 
- AP_DECLARE(int) ap_allow_overrides(request_rec *r)

