rpms/httpd/FC-4 httpd-2.0.52-CVE-2005-2970.patch, NONE, 1.1 httpd-2.0.52-CVE-2005-3352.patch, NONE, 1.1 httpd-2.0.52-CVE-2005-3357.patch, NONE, 1.1 httpd-2.0.54-sslreneg.patch, NONE, 1.1 httpd.spec, 1.72, 1.73
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Tue Jan 17 11:32:43 UTC 2006
Author: jorton
Update of /cvs/dist/rpms/httpd/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv4894
Modified Files:
httpd.spec
Added Files:
httpd-2.0.52-CVE-2005-2970.patch
httpd-2.0.52-CVE-2005-3352.patch
httpd-2.0.52-CVE-2005-3357.patch httpd-2.0.54-sslreneg.patch
Log Message:
* Tue Jan 17 2006 Joe Orton <jorton at redhat.com> 2.0.54-10.3
- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
- mod_imap: add security fix for XSS issue (CVE-2005-3352)
- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
and bug fixes for handling resource allocation failures (#171759)
- mod_ssl: buffer request bodies for per-location renegotiation (upstream #12355)
httpd-2.0.52-CVE-2005-2970.patch:
worker.c | 96 ++++++++++++++++++++++++++++++++++++++++-----------------------
1 files changed, 61 insertions(+), 35 deletions(-)
--- NEW FILE httpd-2.0.52-CVE-2005-2970.patch ---
--- httpd-2.0.52/server/mpm/worker/worker.c.cve2970
+++ httpd-2.0.52/server/mpm/worker/worker.c
@@ -133,6 +134,7 @@
static fd_queue_t *worker_queue;
static fd_queue_info_t *worker_queue_info;
static int mpm_state = AP_MPMQ_STARTING;
+static int sick_child_detected;
/* The structure used to pass unique initialization info to each thread */
typedef struct {
@@ -572,8 +574,7 @@
int process_slot = ti->pid;
apr_pool_t *tpool = apr_thread_pool_get(thd);
void *csd = NULL;
- apr_pool_t *ptrans; /* Pool for per-transaction stuff */
- apr_pool_t *recycled_pool = NULL;
+ apr_pool_t *ptrans = NULL; /* Pool for per-transaction stuff */
int n;
apr_pollfd_t *pollset;
apr_status_t rv;
@@ -602,8 +603,11 @@
if (listener_may_exit) break;
if (!have_idle_worker) {
+ /* the following pops a recycled ptrans pool off a stack
+ * if there is one, in addition to reserving a worker thread
+ */
rv = ap_queue_info_wait_for_idler(worker_queue_info,
- &recycled_pool);
+ &ptrans);
if (APR_STATUS_IS_EOF(rv)) {
break; /* we've been signaled to die now */
}
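Review bot: Passing `&ptrans` directly makes the listener's pool handling depend on ap_queue_info_wait_for_idler() always storing either a recycled pool or NULL through its out-parameter, because the later `if (ptrans == NULL)` test at got_fd is now the only thing deciding whether a fresh pool is created. That helper is not part of this patch, so the behaviour needs confirming: if it left the argument untouched when nothing is on its stack, a pool already handed to a worker would be reused by the listener. Once confirmed, the added comment could record it, e.g. `/* ptrans is set to NULL here when no recycled pool is available */`. The enclosing function starts and ends outside the hunk.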
@@ -680,8 +684,9 @@
}
got_fd:
if (!listener_may_exit) {
- /* create a new transaction pool for each accepted socket */
- if (recycled_pool == NULL) {
+ if (ptrans == NULL) {
+ /* we can't use a recycled transaction pool this time.
+ * create a new transaction pool */
apr_allocator_t *allocator;
apr_allocator_create(&allocator);
@@ -689,9 +694,6 @@
apr_pool_create_ex(&ptrans, NULL, NULL, allocator);
apr_allocator_owner_set(allocator, ptrans);
}
- else {
- ptrans = recycled_pool;
- }
apr_pool_tag(ptrans, "transaction");
rv = lr->accept_func(&csd, lr, ptrans);
/* later we trash rv and rely on csd to indicate success/failure */
@@ -736,7 +738,13 @@
else {
if ((rv = SAFE_ACCEPT(apr_proc_mutex_unlock(accept_mutex)))
!= APR_SUCCESS) {
- ap_log_error(APLOG_MARK, APLOG_EMERG, rv, ap_server_conf,
+ int level = APLOG_EMERG;
+
+ if (ap_scoreboard_image->parent[process_slot].generation !=
+ ap_scoreboard_image->global->running_generation) {
+ level = APLOG_DEBUG; /* common to get these at restart time */
+ }
+ ap_log_error(APLOG_MARK, level, rv, ap_server_conf,
"apr_proc_mutex_unlock failed. Attempting to "
"shutdown process gracefully.");
signal_threads(ST_GRACEFUL);
@@ -871,14 +879,8 @@
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ALERT, rv, ap_server_conf,
"apr_thread_create: unable to create listener thread");
- /* In case system resources are maxxed out, we don't want
- * Apache running away with the CPU trying to fork over and
- * over and over again if we exit.
- * XXX Jeff doesn't see how Apache is going to try to fork again since
- * the exit code is APEXIT_CHILDFATAL
- */
- apr_sleep(apr_time_from_sec(10));
- clean_child_exit(APEXIT_CHILDFATAL);
+ /* let the parent decide how bad this really is */
+ clean_child_exit(APEXIT_CHILDSICK);
}
apr_os_thread_get(&listener_os_thread, ts->listener);
}
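Review bot: Dropping `apr_sleep(apr_time_from_sec(10))` here, and in the two worker-thread hunks below that make the same change, removes the only back-off visible in this patch between a failed apr_thread_create and the child's exit. The parent stops the server only when `active_thread_count` is zero, so while other children are healthy a child that cannot create threads can be replaced and fail again repeatedly; any spawn-rate limit in the parent is outside these hunks and worth confirming for the APEXIT_CHILDSICK case. The new comment could also name where the decision is taken, e.g. `/* parent sets sick_child_detected; perform_idle_server_maintenance decides */`.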
@@ -955,11 +957,8 @@
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ALERT, rv, ap_server_conf,
"apr_thread_create: unable to create worker thread");
- /* In case system resources are maxxed out, we don't want
- Apache running away with the CPU trying to fork over and
- over and over again if we exit. */
- apr_sleep(apr_time_from_sec(10));
- clean_child_exit(APEXIT_CHILDFATAL);
+ /* let the parent decide how bad this really is */
+ clean_child_exit(APEXIT_CHILDSICK);
}
threads_created++;
}
@@ -1159,11 +1151,8 @@
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_ALERT, rv, ap_server_conf,
"apr_thread_create: unable to create worker thread");
- /* In case system resources are maxxed out, we don't want
- Apache running away with the CPU trying to fork over and
- over and over again if we exit. */
- apr_sleep(apr_time_from_sec(10));
- clean_child_exit(APEXIT_CHILDFATAL);
+ /* let the parent decide how bad this really is */
+ clean_child_exit(APEXIT_CHILDSICK);
}
mpm_state = AP_MPMQ_RUNNING;
@@ -1336,6 +1340,7 @@
int free_slots[MAX_SPAWN_RATE];
int last_non_dead;
int total_non_dead;
+ int active_thread_count = 0;
/* initialize the free_list */
free_length = 0;
@@ -1373,14 +1378,16 @@
* So we hopefully won't need to fork more if we count it.
* This depends on the ordering of SERVER_READY and SERVER_STARTING.
*/
- if (status <= SERVER_READY && status != SERVER_DEAD &&
- !ps->quiescing &&
- ps->generation == ap_my_generation &&
- /* XXX the following shouldn't be necessary if we clean up
- * properly after seg faults, but we're not yet GLA
- */
- ps->pid != 0) {
- ++idle_thread_count;
+ if (ps->pid != 0) { /* XXX just set all_dead_threads in outer for
+ loop if no pid? not much else matters */
+ if (status <= SERVER_READY && status != SERVER_DEAD &&
+ !ps->quiescing &&
+ ps->generation == ap_my_generation) {
+ ++idle_thread_count;
+ }
+ if (status >= SERVER_READY && status < SERVER_GRACEFUL) {
+ ++active_thread_count;
+ }
}
}
if (any_dead_threads && totally_free_length < idle_spawn_rate
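Review bot: The new `status >= SERVER_READY && status < SERVER_GRACEFUL` test adds a second dependency on the numeric order of the scoreboard status values, while the comment above it still mentions only SERVER_READY and SERVER_STARTING. Unlike the idle count, it also ignores `ps->quiescing` and `ps->generation`, so threads from an old generation count as active. That looks deliberate for the shutdown decision in the next hunk, but it is not stated. A comment on the new branch would help, e.g. `/* any thread from READY up to, not including, GRACEFUL counts, whatever its generation; relies on status ordering */`. The enclosing loop starts outside the hunk.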
@@ -1411,6 +1418,28 @@
++total_non_dead;
}
}
+
+ if (sick_child_detected) {
+ if (active_thread_count > 0) {
+ /* some child processes appear to be working. don't kill the
+ * whole server.
+ */
+ sick_child_detected = 0;
+ }
+ else {
+ /* looks like a basket case. give up.
+ */
+ shutdown_pending = 1;
+ child_fatal = 1;
+ ap_log_error(APLOG_MARK, APLOG_ALERT, 0,
+ ap_server_conf,
+ "No active workers found..."
+ " Apache is exiting!");
+ /* the child already logged the failure details */
+ return;
+ }
+ }
+
ap_max_daemons_limit = last_non_dead + 1;
if (idle_thread_count > max_spare_threads) {
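Review bot: The shutdown branch fires on a single scoreboard pass in which no thread is at SERVER_READY or above, and threads still in SERVER_STARTING are not counted by the `active_thread_count` test in the previous hunk. One child exiting with APEXIT_CHILDSICK while the remaining children are still starting (at initial start, or just after a restart) would therefore appear to take the whole server down. If that is the intent, the `basket case` comment should say so; otherwise consider requiring the condition on consecutive passes before setting `shutdown_pending`. The function continues outside the hunk.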
@@ -1484,6 +1513,12 @@
child_fatal = 1;
return;
}
+ else if (processed_status == APEXIT_CHILDSICK) {
+ /* tell perform_idle_server_maintenance to check into this
+ * on the next timer pop
+ */
+ sick_child_detected = 1;
+ }
/* non-fatal death... note that it's gone in the scoreboard. */
child_slot = find_child_by_pid(&pid);
if (child_slot >= 0) {
httpd-2.0.52-CVE-2005-3352.patch:
modules/mappers/mod_imap.c | 2 +-
server/util.c | 6 ++++++
2 files changed, 7 insertions(+), 1 deletion(-)
--- NEW FILE httpd-2.0.52-CVE-2005-3352.patch ---
--- httpd-2.0.52/modules/mappers/mod_imap.c.cve3352
+++ httpd-2.0.52/modules/mappers/mod_imap.c
@@ -341,7 +341,7 @@
if (!strcasecmp(value, "referer")) {
referer = apr_table_get(r->headers_in, "Referer");
if (referer && *referer) {
- return apr_pstrdup(r->pool, referer);
+ return ap_escape_html(r->pool, referer);
}
else {
/* XXX: This used to do *value = '\0'; ... which is totally bogus
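Review bot: Escaping the Referer where it is returned covers the HTML-output case, but every caller now receives the escaped string, and the hunk does not show how callers use it. If any caller treats the value as a redirect target rather than writing it into a page (to be confirmed against the rest of mod_imap.c), an `&` in the URL would reach the client as `&amp;`. A comment on the changed line would record the contract: `/* Referer is client-controlled; the value returned here is HTML-escaped */`. The enclosing function starts and ends outside the hunk.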
--- httpd-2.0.52/server/util.c.cve3352
+++ httpd-2.0.52/server/util.c
@@ -1761,6 +1761,8 @@
j += 3;
else if (s[i] == '&')
j += 4;
+ else if (s[i] == '"')
+ j += 5;
if (j == 0)
return apr_pstrmemdup(p, s, i);
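Review bot: The counting pass here and the copy pass in the next hunk must agree exactly on how far a double quote expands (`j += 5` in both, with a 6-byte memcpy in the copy). The output buffer is presumably sized from the first pass, so a mismatch would write past it. A one-line comment tying the two together would help, e.g. `/* keep in step with the copy loop: &quot; is 6 bytes, 5 more than the quote it replaces */`. Single quotes still pass through unchanged, so the escaped output is safe in element content and double-quoted attribute values only, which belongs in the function's header comment. The entity literals inside the memcpy calls appear HTML-decoded on this page, and the function starts and ends outside both hunks.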
@@ -1779,6 +1781,10 @@
memcpy(&x[j], "&", 5);
j += 4;
}
+ else if (s[i] == '"') {
+ memcpy(&x[j], """, 6);
+ j += 5;
+ }
else
x[j] = s[i];
httpd-2.0.52-CVE-2005-3357.patch:
ssl_engine_kernel.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE httpd-2.0.52-CVE-2005-3357.patch ---
Author: jorton
Date: Tue Dec 6 02:21:41 2005
New Revision: 354394
URL: http://svn.apache.org/viewcvs?rev=354394&view=rev
Log:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access): Omit further
access control checks if SSL is not in use regardless of vhost
settings.
Submitted by: Rüdiger Plüm, Joe Orton
PR: 37791
--- httpd-2.0.52/modules/ssl/ssl_engine_kernel.c.cve3357
+++ httpd-2.0.52/modules/ssl/ssl_engine_kernel.c
@@ -193,7 +193,7 @@
/*
* Check to see if SSL protocol is on
*/
- if (!(sc->enabled || ssl)) {
+ if (!sc->enabled || !ssl) {
return DECLINED;
}
/*
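Review bot: The retained comment `Check to see if SSL protocol is on` no longer describes the test. The new condition also declines when SSL is enabled for the vhost but this request has no SSL connection, which the commit log identifies as the HTTP-on-SSL-port case. Suggest `/* Decline if SSL is disabled for this vhost, or if this connection is not using SSL even though the vhost enables it */`. Every later check in the function is now skipped for such requests, so it is worth confirming that any require-SSL enforcement runs before this point; that code is outside the hunk.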
httpd-2.0.54-sslreneg.patch:
ssl_engine_io.c | 178 ++++++++++++++++++++++++++++++++++++++++++++++++++++
ssl_engine_kernel.c | 96 ++++++++--------------------
ssl_private.h | 4 +
3 files changed, 211 insertions(+), 67 deletions(-)
--- NEW FILE httpd-2.0.54-sslreneg.patch ---
Index: modules/ssl/ssl_engine_io.c
===================================================================
--- httpd-2.0.54/modules/ssl/ssl_engine_io.c.sslreneg
+++ httpd-2.0.54/modules/ssl/ssl_engine_io.c
@@ -882,6 +882,7 @@
}
static const char ssl_io_filter[] = "SSL/TLS Filter";
+static const char ssl_io_buffer[] = "SSL/TLS Buffer";
/*
* Close the SSL part of the socket connection
@@ -1375,6 +1376,180 @@
return status;
}
+/* 128K maximum buffer size by default. */
+#ifndef SSL_MAX_IO_BUFFER
+#define SSL_MAX_IO_BUFFER (128 * 1024)
+#endif
+
+struct modssl_buffer_ctx {
+ apr_bucket_brigade *bb;
+};
+
+int ssl_io_buffer_fill(request_rec *r)
+{
+ conn_rec *c = r->connection;
+ struct modssl_buffer_ctx *ctx;
+ apr_bucket_brigade *tempb;
+ apr_off_t total = 0; /* total length buffered */
+ int eos = 0; /* non-zero once EOS is seen */
+
+ /* Create the context which will be passed to the input filter. */
+ ctx = apr_palloc(r->pool, sizeof *ctx);
+ ctx->bb = apr_brigade_create(r->pool, c->bucket_alloc);
+
+ /* ... and a temporary brigade. */
+ tempb = apr_brigade_create(r->pool, c->bucket_alloc);
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "filling buffer");
+
+ do {
+ apr_status_t rv;
+ apr_bucket *e, *next;
+
+ /* The request body is read from the protocol-level input
+ * filters; the buffering filter will reinject it from that
+ * level, allowing content/resource filters to run later, if
+ * necessary. */
+
+ rv = ap_get_brigade(r->proto_input_filters, tempb, AP_MODE_READBYTES,
+ APR_BLOCK_READ, 8192);
+ if (rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+ "could not read request body for SSL buffer");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ /* Iterate through the returned brigade: setaside each bucket
+ * into the context's pool and move it into the brigade. */
+ for (e = APR_BRIGADE_FIRST(tempb);
+ e != APR_BRIGADE_SENTINEL(tempb) && !eos; e = next) {
+ const char *data;
+ apr_size_t len;
+
+ next = APR_BUCKET_NEXT(e);
+
+ if (APR_BUCKET_IS_EOS(e)) {
+ eos = 1;
+ } else if (!APR_BUCKET_IS_METADATA(e)) {
+ rv = apr_bucket_read(e, &data, &len, APR_BLOCK_READ);
+ if (rv != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+ "could not read bucket for SSL buffer");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ total += len;
+ }
+
+ rv = apr_bucket_setaside(e, r->pool);
+ if (rv != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+ "could not setaside bucket for SSL buffer");
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ APR_BUCKET_REMOVE(e);
+ APR_BRIGADE_INSERT_TAIL(ctx->bb, e);
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+ "total of %" APR_OFF_T_FMT " bytes in buffer, eos=%d",
+ total, eos);
+
+ /* Fail if this exceeds the maximum buffer size. */
+ if (total > SSL_MAX_IO_BUFFER) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "request body exceeds maximum size for SSL buffer");
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+
+ } while (!eos);
+
+ apr_brigade_destroy(tempb);
+
+ /* Insert the filter which will supply the buffered data. */
+ ap_add_input_filter(ssl_io_buffer, ctx, r, c);
+
+ return 0;
+}
+
+/* This input filter supplies the buffered request body to the caller
+ * from the brigade stored in f->ctx. */
+static apr_status_t ssl_io_filter_buffer(ap_filter_t *f,
+ apr_bucket_brigade *bb,
+ ap_input_mode_t mode,
+ apr_read_type_e block,
+ apr_off_t bytes)
+{
+ struct modssl_buffer_ctx *ctx = f->ctx;
+ apr_status_t rv;
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, f->r,
+ "read from buffered SSL brigade, mode %d, "
+ "%" APR_OFF_T_FMT " bytes",
+ mode, bytes);
+
+ if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {
+ return APR_ENOTIMPL;
+ }
+
+ if (mode == AP_MODE_READBYTES) {
+ apr_bucket *e;
+
+ /* Partition the buffered brigade. */
+ rv = apr_brigade_partition(ctx->bb, bytes, &e);
+ if (rv && rv != APR_INCOMPLETE) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r,
+ "could not partition buffered SSL brigade");
+ ap_remove_input_filter(f);
+ return rv;
+ }
+
+ /* If the buffered brigade contains less then the requested
+ * length, just pass it all back. */
+ if (rv == APR_INCOMPLETE) {
+ APR_BRIGADE_CONCAT(bb, ctx->bb);
+ } else {
+ apr_bucket *d = APR_BRIGADE_FIRST(ctx->bb);
+
+ e = APR_BUCKET_PREV(e);
+
+ /* Unsplice the partitioned segment and move it into the
+ * passed-in brigade; no convenient way to do this with
+ * the APR_BRIGADE_* macros. */
+ APR_RING_UNSPLICE(d, e, link);
+ APR_RING_SPLICE_HEAD(&bb->list, d, e, apr_bucket, link);
+ }
+ }
+ else {
+ /* Split a line into the passed-in brigade. */
+ rv = apr_brigade_split_line(bb, ctx->bb, mode, bytes);
+
+ if (rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, f->r,
+ "could not split line from buffered SSL brigade");
+ ap_remove_input_filter(f);
+ return rv;
+ }
+ }
+
+ if (APR_BRIGADE_EMPTY(ctx->bb)) {
+ apr_bucket *e = APR_BRIGADE_LAST(bb);
+
+ /* Ensure that the brigade is terminated by an EOS if the
+ * buffered request body has been entirely consumed. */
+ if (e == APR_BRIGADE_SENTINEL(bb) || !APR_BUCKET_IS_EOS(e)) {
+ e = apr_bucket_eos_create(f->c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, e);
+ }
+
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, f->r,
+ "buffered SSL brigade now exhausted; removing filter");
+ ap_remove_input_filter(f);
+ }
+
+ return APR_SUCCESS;
+}
+
static void ssl_io_input_add_filter(ssl_filter_ctx_t *filter_ctx, conn_rec *c,
SSL *ssl)
{
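Review bot: In the AP_MODE_READBYTES branch of ssl_io_filter_buffer, `e = APR_BUCKET_PREV(e)` assumes the partition point is not the first bucket of `ctx->bb`. apr_brigade_partition returns the first bucket for a zero-length request, and the bucket before it is the brigade's sentinel, so the following APR_RING_UNSPLICE would take the sentinel out of the ring. Whether any caller reads zero bytes through this filter is not visible here, but the guard is cheap: wrap the unsplice/splice pair in `if (e != APR_BRIGADE_FIRST(ctx->bb)) { ... }` before stepping back to the previous bucket.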
@@ -1433,6 +1608,9 @@
{
ap_register_input_filter (ssl_io_filter, ssl_io_filter_input, NULL, AP_FTYPE_CONNECTION + 5);
ap_register_output_filter (ssl_io_filter, ssl_io_filter_output, NULL, AP_FTYPE_CONNECTION + 5);
+
+ ap_register_input_filter (ssl_io_buffer, ssl_io_filter_buffer, NULL, AP_FTYPE_PROTOCOL - 1);
+
return;
}
--- httpd-2.0.54/modules/ssl/ssl_engine_kernel.c.sslreneg
+++ httpd-2.0.54/modules/ssl/ssl_engine_kernel.c
@@ -480,73 +480,35 @@
}
#endif /* HAVE_SSL_SET_CERT_STORE */
- /*
- * SSL renegotiations in conjunction with HTTP
- * requests using the POST method are not supported.
- *
- * Background:
- *
- * 1. When the client sends a HTTP/HTTPS request, Apache's core code
- * reads only the request line ("METHOD /path HTTP/x.y") and the
- * attached MIME headers ("Foo: bar") up to the terminating line ("CR
- * LF"). An attached request body (for instance the data of a POST
- * method) is _NOT_ read. Instead it is read by mod_cgi's content
- * handler and directly passed to the CGI script.
- *
- * 2. mod_ssl supports per-directory re-configuration of SSL parameters.
- * This is implemented by performing an SSL renegotiation of the
- * re-configured parameters after the request is read, but before the
- * response is sent. In more detail: the renegotiation happens after the
- * request line and MIME headers were read, but _before_ the attached
- * request body is read. The reason simply is that in the HTTP protocol
- * usually there is no acknowledgment step between the headers and the
- * body (there is the 100-continue feature and the chunking facility
- * only), so Apache has no API hook for this step.
- *
- * 3. the problem now occurs when the client sends a POST request for
- * URL /foo via HTTPS the server and the server has SSL parameters
- * re-configured on a per-URL basis for /foo. Then mod_ssl has to
- * perform an SSL renegotiation after the request was read and before
- * the response is sent. But the problem is the pending POST body data
- * in the receive buffer of SSL (which Apache still has not read - it's
- * pending until mod_cgi sucks it in). When mod_ssl now tries to perform
- * the renegotiation the pending data leads to an I/O error.
- *
- * Solution Idea:
- *
- * There are only two solutions: Either to simply state that POST
- * requests to URLs with SSL re-configurations are not allowed, or to
- * renegotiate really after the _complete_ request (i.e. including
- * the POST body) was read. Obviously the latter would be preferred,
- * but it cannot be done easily inside Apache, because as already
- * mentioned, there is no API step between the body reading and the body
- * processing. And even when we mod_ssl would hook directly into the
- * loop of mod_cgi, we wouldn't solve the problem for other handlers, of
- * course. So the only general solution is to suck in the pending data
- * of the request body from the OpenSSL BIO into the Apache BUFF. Then
- * the renegotiation can be done and after this step Apache can proceed
- * processing the request as before.
- *
- * Solution Implementation:
- *
- * We cannot simply suck in the data via an SSL_read-based loop because of
- * HTTP chunking. Instead we _have_ to use the Apache API for this step which
- * is aware of HTTP chunking. So the trick is to suck in the pending request
- * data via the Apache API (which uses Apache's BUFF code and in the
- * background mod_ssl's I/O glue code) and re-inject it later into the Apache
- * BUFF code again. This way the data flows twice through the Apache BUFF, of
- * course. But this way the solution doesn't depend on any Apache specifics
- * and is fully transparent to Apache modules.
- *
- * !! BUT ALL THIS IS STILL NOT RE-IMPLEMENTED FOR APACHE 2.0 !!
- */
- if (renegotiate && !renegotiate_quick && (r->method_number == M_POST)) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
- "SSL Re-negotiation in conjunction "
- "with POST method not supported! "
- "hint: try SSLOptions +OptRenegotiate");
-
- return HTTP_METHOD_NOT_ALLOWED;
+ /* If a renegotiation is now required for this location, and the
+ * request includes a message body (and the client has not
+ * requested a "100 Continue" response), then the client will be
+ * streaming the request body over the wire already. In that
+ * case, it is not possible to stop and perform a new SSL
+ * handshake immediately; once the SSL library moves to the
+ * "accept" state, it will reject the SSL packets which the client
+ * is sending for the request body.
+ *
+ * To allow authentication to complete in this auth hook, the
+ * solution used here is to fill a (bounded) buffer with the
+ * request body, and then to reinject that request body later.
+ */
+ if (renegotiate && !renegotiate_quick
+ && (apr_table_get(r->headers_in, "transfer-encoding")
+ || (apr_table_get(r->headers_in, "content-length")
+ && strcmp(apr_table_get(r->headers_in, "content-length"), "0")))
+ && !r->expecting_100) {
+ int rv;
+
+ /* Fill the I/O buffer with the request body if possible. */
+ rv = ssl_io_buffer_fill(r);
+
+ if (rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "could not buffer message body to allow "
+ "SSL renegotiation to proceed");
+ return rv;
+ }
}
/*
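Review bot: The new comment says the buffer is bounded but not what happens at the bound. ssl_io_buffer_fill returns HTTP_REQUEST_ENTITY_TOO_LARGE once the body passes SSL_MAX_IO_BUFFER, so a larger upload to a location that needs renegotiation is refused, and the log line added here does not mention the limit. Suggest adding `* Bodies larger than SSL_MAX_IO_BUFFER are rejected with 413.` to the comment. As a point of style, `apr_table_get(r->headers_in, "content-length")` is looked up twice in the condition; a local `const char *clen` would make the test easier to read. The enclosing function starts and ends outside the hunk.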
--- httpd-2.0.54/modules/ssl/ssl_private.h.sslreneg
+++ httpd-2.0.54/modules/ssl/ssl_private.h
@@ -708,6 +708,10 @@
void ssl_io_filter_register(apr_pool_t *);
long ssl_io_data_cb(BIO *, int, MODSSL_BIO_CB_ARG_TYPE *, int, long, long);
+/* ssl_io_buffer_fill fills the setaside buffering of the HTTP request
+ * to allow an SSL renegotiation to take place. */
+int ssl_io_buffer_fill(request_rec *r);
+
/* PRNG */
int ssl_rand_seed(server_rec *, apr_pool_t *, ssl_rsctx_t, char *);
Index: httpd.spec
===================================================================
RCS file: /cvs/dist/rpms/httpd/FC-4/httpd.spec,v
retrieving revision 1.72
retrieving revision 1.73
diff -u -r1.72 -r1.73
--- httpd.spec 2 Sep 2005 15:50:53 -0000 1.72
+++ httpd.spec 17 Jan 2006 11:32:24 -0000 1.73
@@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.0.54
-Release: 10.2
+Release: 10.3
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html
@@ -74,11 +74,15 @@
Patch90: httpd-2.0.49-workerstack.patch
Patch91: httpd-2.0.46-testhook.patch
Patch92: httpd-2.0.46-dumpcerts.patch
+Patch93: httpd-2.0.54-sslreneg.patch
# Security fixes
Patch110: httpd-2.0.52-CAN-2005-1268.patch
Patch111: httpd-2.0.52-CAN-2005-2088.patch
Patch112: httpd-2.0.52-CAN-2005-2700.patch
Patch113: httpd-2.0.52-CAN-2005-2728.patch
+Patch114: httpd-2.0.52-CVE-2005-2970.patch
+Patch115: httpd-2.0.52-CVE-2005-3352.patch
+Patch116: httpd-2.0.52-CVE-2005-3357.patch
License: Apache Software License
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-root
@@ -191,11 +195,15 @@
%patch90 -p1 -b .workerstack
%patch91 -p1 -b .testhook
%patch92 -p1 -b .dumpcerts
+%patch93 -p1 -b .sslreneg
%patch110 -p1 -b .can1268
%patch111 -p1 -b .can2088
%patch112 -p1 -b .can2700
%patch113 -p1 -b .can2728
+%patch114 -p1 -b .cve2970
+%patch115 -p1 -b .cve3352
+%patch116 -p1 -b .cve3357
# Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH70} | patch -p1
@@ -566,6 +574,13 @@
%{_libdir}/httpd/build/libtool
%changelog
+* Tue Jan 17 2006 Joe Orton <jorton at redhat.com> 2.0.54-10.3
+- mod_ssl: add security fix for HTTP-on-SSL-port handling (CVE-2005-3357)
+- mod_imap: add security fix for XSS issue (CVE-2005-3352)
+- worker MPM: add security fix for memory consumption DoS (CVE-2005-2970),
+ and bug fixes for handling resource allocation failures (#171759)
+- mod_ssl: buffer request bodies for per-location renegotiation (upstream #12355)
+
* Fri Sep 2 2005 Joe Orton <jorton at redhat.com> 2.0.54-10.2
- mod_ssl: add security fix for SSLVerifyClient (#167196, CVE CAN-2005-2700)
- add security fix for byterange filter DoS (#167104, CVE CAN-2005-2728)