rpms/httpd/FC-4 httpd-2.0.52-CAN-2005-2700.patch, NONE, 1.1 httpd-2.0.52-CAN-2005-2728.patch, NONE, 1.1 httpd-2.0.54-ldap.patch, NONE, 1.1 httpd-2.0.54-sslnbio.patch, NONE, 1.1 httpd-2.0.40-pod.patch, 1.7, 1.8 httpd-2.0.54-ldapconn.patch, 1.1, 1.2 httpd.spec, 1.71, 1.72
fedora-cvs-commits at redhat.com
fedora-cvs-commits at redhat.com
Fri Sep 2 15:50:55 UTC 2005
Author: jorton
Update of /cvs/dist/rpms/httpd/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv2614
Modified Files:
httpd-2.0.40-pod.patch httpd-2.0.54-ldapconn.patch httpd.spec
Added Files:
httpd-2.0.52-CAN-2005-2700.patch
httpd-2.0.52-CAN-2005-2728.patch httpd-2.0.54-ldap.patch
httpd-2.0.54-sslnbio.patch
Log Message:
* Fri Sep 2 2005 Joe Orton <jorton at redhat.com> 2.0.54-10.2
- mod_ssl: add security fix for SSLVerifyClient (#167196, CVE CAN-2005-2700)
- add security fix for byterange filter DoS (#167104, CVE CAN-2005-2728)
- add fix for dummy connection handling (#167425)
- mod_ldap/mod_auth_ldap: add fixes from 2.0.x branch (upstream #34209 etc)
- mod_ssl: add fix for handling non-blocking reads
httpd-2.0.52-CAN-2005-2700.patch:
ssl_engine_kernel.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE httpd-2.0.52-CAN-2005-2700.patch ---
--- httpd-2.0.52/modules/ssl/ssl_engine_kernel.c.can2700
+++ httpd-2.0.52/modules/ssl/ssl_engine_kernel.c
@@ -405,8 +405,8 @@
(!(verify_old & SSL_VERIFY_PEER) &&
(verify & SSL_VERIFY_PEER)) ||
- (!(verify_old & SSL_VERIFY_PEER_STRICT) &&
- (verify & SSL_VERIFY_PEER_STRICT)))
+ (!(verify_old & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) &&
+ (verify & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)))
{
renegotiate = TRUE;
/* optimization */
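Review bot: The renegotiation test now checks the single OpenSSL bit rather than mod_ssl's composite SSL_VERIFY_PEER_STRICT mask, and nothing in the hunk records why, so the next maintainer may "simplify" it back. If SSL_VERIFY_PEER_STRICT is, as its name suggests, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, then `!(verify_old & SSL_VERIFY_PEER_STRICT)` was already false whenever the old context had SSL_VERIFY_PEER set, so an optional-to-require upgrade in a per-location context never triggered renegotiation and the request was served without a client certificate being demanded. Add a comment above the condition: `/* Test the FAIL_IF_NO_PEER_CERT bit on its own: testing the composite PEER_STRICT mask misses an optional->require upgrade (CVE-2005-2700). */`. The enclosing condition and function begin before this hunk.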
httpd-2.0.52-CAN-2005-2728.patch:
http_protocol.c | 48 +++++++++++++++++++++---------------------------
1 files changed, 21 insertions(+), 27 deletions(-)
--- NEW FILE httpd-2.0.52-CAN-2005-2728.patch ---
--- httpd-2.0.52/modules/http/http_protocol.c.can2728
+++ httpd-2.0.52/modules/http/http_protocol.c
@@ -2855,18 +2855,35 @@
#define MIN_LENGTH(len1, len2) ((len1 > len2) ? len2 : len1)
request_rec *r = f->r;
conn_rec *c = r->connection;
- byterange_ctx *ctx = f->ctx;
+ byterange_ctx *ctx;
apr_bucket *e;
apr_bucket_brigade *bsend;
apr_off_t range_start;
apr_off_t range_end;
char *current;
- apr_off_t bb_length;
apr_off_t clength = 0;
apr_status_t rv;
int found = 0;
- if (!ctx) {
+ /* Iterate through the brigade until reaching EOS or a bucket with
+ * unknown length. */
+ for (e = APR_BRIGADE_FIRST(bb);
+ (e != APR_BRIGADE_SENTINEL(bb) && !APR_BUCKET_IS_EOS(e)
+ && e->length != (apr_size_t)-1);
+ e = APR_BUCKET_NEXT(e)) {
+ clength += e->length;
+ }
+
+ /* Don't attempt to do byte range work if this brigade doesn't
+ * contain an EOS, or if any of the buckets has an unknown length;
+ * this avoids the cases where it is expensive to perform
+ * byteranging (i.e. may require arbitrary amounts of memory). */
+ if (!APR_BUCKET_IS_EOS(e) || clength <= 0) {
+ ap_remove_output_filter(f);
+ return ap_pass_brigade(f->next, bb);
+ }
+
+ {
int num_ranges = ap_set_byterange(r);
/* We have nothing to do, get out of the way. */
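Review bot: When the new loop exits at the sentinel (a brigade with no EOS bucket and only known-length buckets), the check `!APR_BUCKET_IS_EOS(e)` reads `type` through the sentinel, which is not a real bucket; as far as I can tell from APR's ring macros the read lands inside the brigade struct and never compares equal to the EOS type, so the filter is removed as intended, but the correctness rests on struct layout rather than on an explicit test. Make the sentinel case explicit so the intent survives a future change to the brigade layout: `if (e == APR_BRIGADE_SENTINEL(bb) || !APR_BUCKET_IS_EOS(e) || clength <= 0) {`. Dropping the `f->ctx` store is consistent with removing the save-brigade path below, since nothing needs the context to persist across calls any more. The byterange filter function begins before this hunk and continues after it.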
@@ -2875,7 +2892,7 @@
return ap_pass_brigade(f->next, bb);
}
- ctx = f->ctx = apr_pcalloc(r->pool, sizeof(*ctx));
+ ctx = apr_pcalloc(r->pool, sizeof(*ctx));
ctx->num_ranges = num_ranges;
/* create a brigade in case we never call ap_save_brigade() */
ctx->bb = apr_brigade_create(r->pool, c->bucket_alloc);
@@ -2902,29 +2919,6 @@
}
}
- /* We can't actually deal with byte-ranges until we have the whole brigade
- * because the byte-ranges can be in any order, and according to the RFC,
- * we SHOULD return the data in the same order it was requested.
- *
- * XXX: We really need to dump all bytes prior to the start of the earliest
- * range, and only slurp up to the end of the latest range. By this we
- * mean that we should peek-ahead at the lowest first byte of any range,
- * and the highest last byte of any range.
- */
- if (!APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(bb))) {
- ap_save_brigade(f, &ctx->bb, &bb, r->pool);
- return APR_SUCCESS;
- }
-
- /* Prepend any earlier saved brigades. */
- APR_BRIGADE_PREPEND(bb, ctx->bb);
-
- /* It is possible that we won't have a content length yet, so we have to
- * compute the length before we can actually do the byterange work.
- */
- apr_brigade_length(bb, 1, &bb_length);
- clength = (apr_off_t)bb_length;
-
/* this brigade holds what we will be sending */
bsend = apr_brigade_create(r->pool, c->bucket_alloc);
httpd-2.0.54-ldap.patch:
mod_auth_ldap.c | 27 +++++++++++++++++++++++++++
util_ldap.c | 19 +++++++++++++++++--
util_ldap_cache.c | 16 ++++++++++++++--
util_ldap_cache_mgr.c | 9 ++++++++-
4 files changed, 66 insertions(+), 5 deletions(-)
--- NEW FILE httpd-2.0.54-ldap.patch ---
LDAP fixes from 2.0.55.
--- httpd-2.0.54/modules/experimental/util_ldap.c.ldap
+++ httpd-2.0.54/modules/experimental/util_ldap.c
@@ -43,6 +43,11 @@
#error mod_ldap requires APR-util to have LDAP support built in
#endif
+#if !defined(OS2) && !defined(WIN32) && !defined(BEOS) && !defined(NETWARE)
+#include "unixd.h"
+#define UTIL_LDAP_SET_MUTEX_PERMS
+#endif
+
/* defines for certificate file types
*/
#define LDAP_CA_TYPE_UNKNOWN 0
@@ -1466,6 +1471,15 @@
return result;
}
+#ifdef UTIL_LDAP_SET_MUTEX_PERMS
+ result = unixd_set_global_mutex_perms(st->util_ldap_cache_lock);
+ if (result != APR_SUCCESS) {
+ ap_log_error(APLOG_MARK, APLOG_CRIT, result, s,
+ "LDAP cache: failed to set mutex permissions");
+ return result;
+ }
+#endif
+
/* merge config in all vhost */
s_vhost = s->next;
while (s_vhost) {
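Review bot: The new `unixd_set_global_mutex_perms` call records nothing about why it is needed, and it is the security-relevant part of this hunk: the mutex is created in post_config, which on a typical Unix install runs as root, while the worker processes that later take it run as the configured User, so without adjusting the permissions the children presumably cannot lock the cache. State that above the `#ifdef`: `/* Worker processes run as the unprivileged User; grant them access to the mutex created here. */`, adjusted if the ownership model on this build differs. Also confirm `st->util_ldap_cache_lock` is non-NULL on every path that reaches this point, since the error check just above shows creation can fail and the child-init side of this commit tolerates a NULL lock. The enclosing function starts before this hunk.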
@@ -1650,8 +1664,9 @@
static void util_ldap_child_init(apr_pool_t *p, server_rec *s)
{
apr_status_t sts;
- util_ldap_state_t *st =
- (util_ldap_state_t *)ap_get_module_config(s->module_config, &ldap_module);
+ util_ldap_state_t *st = ap_get_module_config(s->module_config, &ldap_module);
+
+ if (!st->util_ldap_cache_lock) return;
sts = apr_global_mutex_child_init(&st->util_ldap_cache_lock, st->lock_file, p);
if (sts != APR_SUCCESS) {
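Review bot: The new `if (!st->util_ldap_cache_lock) return;` silently skips child initialisation without saying why the lock can be absent, and the single-line form hides an early exit from the reader. Write it braced with the reason: `if (!st->util_ldap_cache_lock) { /* no shared cache lock was created in post_config; nothing to attach to */ return; }` — the cause I have named is a presumption, so replace it with whatever actually leaves the lock NULL. The rest of util_ldap_child_init continues outside this hunk.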
--- httpd-2.0.54/modules/experimental/util_ldap_cache.c.ldap
+++ httpd-2.0.54/modules/experimental/util_ldap_cache.c
@@ -397,14 +397,26 @@
{
#if APR_HAS_SHARED_MEMORY
apr_status_t result;
+ apr_size_t size;
- result = apr_shm_create(&st->cache_shm, st->cache_bytes, NULL, st->pool);
+ size = APR_ALIGN_DEFAULT(st->cache_bytes);
+
+ result = apr_shm_create(&st->cache_shm, size, NULL, st->pool);
if (result != APR_SUCCESS) {
return result;
}
+ /* Determine the usable size of the shm segment. */
+ size = apr_shm_size_get(st->cache_shm);
+
/* This will create a rmm "handler" to get into the shared memory area */
- apr_rmm_init(&st->cache_rmm, NULL, (void *)apr_shm_baseaddr_get(st->cache_shm), st->cache_bytes, st->pool);
+ result = apr_rmm_init(&st->cache_rmm, NULL,
+ apr_shm_baseaddr_get(st->cache_shm), size,
+ st->pool);
+ if (result != APR_SUCCESS) {
+ return result;
+ }
+
#endif
apr_pool_cleanup_register(st->pool, st , util_ldap_cache_module_kill, apr_pool_cleanup_null);
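Review bot: On the new `apr_rmm_init` failure path the function returns before the `apr_pool_cleanup_register` call at the bottom, so `util_ldap_cache_module_kill` never runs for this state; unless `apr_shm_create` registered its own cleanup on `st->pool` (recent APR does — confirm for the APR this package builds against), the just-created segment is left behind. Release it explicitly on that path: `apr_shm_destroy(st->cache_shm); st->cache_shm = NULL; return result;`. It would also help to log `result` at the failure site, since the caller's message (not visible here) may not say which of the two steps failed. The enclosing function starts before this hunk.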
--- httpd-2.0.54/modules/experimental/util_ldap_cache_mgr.c.ldap
+++ httpd-2.0.54/modules/experimental/util_ldap_cache_mgr.c
@@ -402,11 +402,18 @@
return NULL;
}
+ /* Take a copy of the payload before proceeeding. */
+ payload = (*cache->copy)(cache, payload);
+ if (!payload) {
+ util_ald_free(cache, node);
+ return NULL;
+ }
+
/* populate the entry */
cache->inserts++;
hashval = (*cache->hash)(payload) % cache->size;
node->add_time = apr_time_now();
- node->payload = (*cache->copy)(cache, payload);
+ node->payload = payload;
node->next = cache->nodes[hashval];
cache->nodes[hashval] = node;
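Review bot: The parameter `payload` is overwritten with the cache-owned copy at the top of the hunk, so from then on the name refers to a different object than the caller's, and the later `node->payload = payload;` reads as if the caller's pointer were being stored. A distinct local keeps the ownership boundary visible: `void *copy = (*cache->copy)(cache, payload); if (!copy) { util_ald_free(cache, node); return NULL; }` followed by `hashval = (*cache->hash)(copy) % cache->size;` and `node->payload = copy;`. Hashing the copy rather than the original is fine only if `cache->copy` preserves the fields the hash function reads, which is presumably the contract but is not visible here. The enclosing function starts and ends outside this hunk.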
--- httpd-2.0.54/modules/experimental/mod_auth_ldap.c.ldap
+++ httpd-2.0.54/modules/experimental/mod_auth_ldap.c
@@ -460,6 +460,26 @@
return DECLINED;
}
+ /*
+ * It is possible that we've skipped mod_auth_ldap's
+ * check_user_id hook, but still get here. In that
+ * case, the req request_config struct hasn't been initialized
+ * causing problems when we try to use req->dn and/or req->name
+ * below. So we simply create one.
+ *
+ * Unlike 2.2, we don't try to search or populate it.
+ */
+ if (!req) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authorise: "
+ "no req struct - skipped mod_auth_ldap_check_user_id?",
+ getpid());
+
+ req = (mod_auth_ldap_request_t *)apr_pcalloc(r->pool,
+ sizeof(mod_auth_ldap_request_t));
+ ap_set_module_config(r->request_config, &auth_ldap_module, req);
+ }
+
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
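Review bot: The fallback `req` created here is zero-filled and, as its comment says, never populated, so every `require` directive evaluated later in this function sees `req->dn == NULL`; this commit adds a fail-closed guard for `ldap-attribute` in a later hunk, but whether `ldap-user`, `ldap-dn`, `ldap-group` and `ldap-filter` also deny on a NULL DN is not visible here and should be confirmed rather than assumed, since an authorisation check that passes on an empty request struct would be a bypass. State the intent in the comment so the next person adding a require-type keeps it: `/* An empty req must make every require-type below fail closed. */`. A per-request APLOG_WARNING may also be noisy if a legitimate setup (another module handling check_user_id) hits this path routinely; consider APLOG_INFO. The authorise function begins before and continues after this hunk.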
@@ -657,6 +677,13 @@
}
}
else if (strcmp(w, "ldap-attribute") == 0) {
+ if (req->dn == NULL || strlen(req->dn) == 0) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r,
+ "[%d] auth_ldap authorise: "
+ "require ldap-attribute: user's DN has not been defined; failing authorisation",
+ getpid());
+ return sec->auth_authoritative? HTTP_UNAUTHORIZED : DECLINED;
+ }
while (t[0]) {
w = ap_getword(r->pool, &t, '=');
value = ap_getword_conf(r->pool, &t);
httpd-2.0.54-sslnbio.patch:
ssl_engine_io.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
--- NEW FILE httpd-2.0.54-sslnbio.patch ---
--- httpd-2.0.54/modules/ssl/ssl_engine_io.c.sslnbio
+++ httpd-2.0.54/modules/ssl/ssl_engine_io.c
@@ -491,12 +491,14 @@
AP_MODE_READBYTES, block,
inl);
- /* Not a problem, there was simply no data ready yet.
- */
+ /* If the read returns EAGAIN or success with an empty
+ * brigade, return an error after setting the retry flag;
+ * SSL_read() will then return -1, and SSL_get_error() will
+ * indicate SSL_ERROR_WANT_READ. */
if (APR_STATUS_IS_EAGAIN(inctx->rc) || APR_STATUS_IS_EINTR(inctx->rc)
|| (inctx->rc == APR_SUCCESS && APR_BRIGADE_EMPTY(inctx->bb))) {
BIO_set_retry_read(bio);
- return 0;
+ return -1;
}
if (inctx->rc != APR_SUCCESS) {
httpd-2.0.40-pod.patch:
mpm_common.c | 10 ++++++++--
1 files changed, 8 insertions(+), 2 deletions(-)
Index: httpd-2.0.40-pod.patch
===================================================================
RCS file: /cvs/dist/rpms/httpd/FC-4/httpd-2.0.40-pod.patch,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- httpd-2.0.40-pod.patch 18 Apr 2005 08:10:30 -0000 1.7
+++ httpd-2.0.40-pod.patch 2 Sep 2005 15:50:53 -0000 1.8
@@ -41,3 +41,12 @@
if (rv != APR_SUCCESS) {
ap_log_error(APLOG_MARK, APLOG_WARNING, rv, ap_server_conf,
"get socket to connect to listener");
+@@ -561,7 +567,7 @@
+ return rv;
+ }
+
+- rv = apr_connect(sock, ap_listeners->bind_addr);
++ rv = apr_connect(sock, lr->bind_addr);
+ if (rv != APR_SUCCESS) {
+ int log_level = APLOG_WARNING;
+
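Review bot: `lr` is neither declared nor assigned within this hunk, so the change is correct only if the earlier part of httpd-2.0.40-pod.patch (not shown) walks the listener list and leaves `lr` pointing at a usable listener before the connect; if that selection can fall off the end of the list, `lr->bind_addr` dereferences NULL. Either confirm the selection always succeeds or guard at the point of use, `if (lr == NULL) { return APR_EINVAL; }` before the `apr_connect` call. Connecting to the matching listener rather than the first one is the right fix for the dummy-connection case the changelog describes. The enclosing function starts and ends outside this hunk.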
httpd-2.0.54-ldapconn.patch:
util_ldap.c | 30 +++++++++++++++---------------
1 files changed, 15 insertions(+), 15 deletions(-)
Index: httpd-2.0.54-ldapconn.patch
===================================================================
RCS file: /cvs/dist/rpms/httpd/FC-4/httpd-2.0.54-ldapconn.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- httpd-2.0.54-ldapconn.patch 4 May 2005 14:06:31 -0000 1.1
+++ httpd-2.0.54-ldapconn.patch 2 Sep 2005 15:50:53 -0000 1.2
@@ -19,7 +19,7 @@
+ }
+
+ if (st->connectionTimeout >= 0) {
-+ rc = ldap_set_option(NULL, LDAP_OPT_NETWORK_TIMEOUT, (void *)&timeOut);
++ rc = ldap_set_option(ldc->ldap, LDAP_OPT_NETWORK_TIMEOUT, (void *)&timeOut);
+ if (APR_SUCCESS != rc) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "LDAP: Could not set the connection timeout" );
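Review bot: The success test `if (APR_SUCCESS != rc)` compares an LDAP SDK return code against an APR status; it works only because both success values happen to be 0, and on failure the log line discards `rc`, so a rejected option is reported without a reason. Compare against the SDK's own constant and log the code: `if (rc != LDAP_OPT_SUCCESS) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "LDAP: Could not set the connection timeout: %s", ldap_err2string(rc));` — both names exist in OpenLDAP; confirm them for any other SDK this module is built against. Passing `ldc->ldap` instead of NULL is the right change, since NULL would alter the process-wide default rather than this connection. The enclosing function starts and ends outside this hunk.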
Index: httpd.spec
===================================================================
RCS file: /cvs/dist/rpms/httpd/FC-4/httpd.spec,v
retrieving revision 1.71
retrieving revision 1.72
diff -u -r1.71 -r1.72
--- httpd.spec 26 Jul 2005 09:21:39 -0000 1.71
+++ httpd.spec 2 Sep 2005 15:50:53 -0000 1.72
@@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.0.54
-Release: 10.1
+Release: 10.2
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html
@@ -53,6 +53,8 @@
Patch36: httpd-2.0.52-sslbuff.patch
Patch37: httpd-2.0.54-include.patch
Patch38: httpd-2.0.54-digest.patch
+Patch39: httpd-2.0.54-ldap.patch
+Patch40: httpd-2.0.54-sslnbio.patch
# Features/functional changes
Patch70: httpd-2.0.48-release.patch
Patch71: httpd-2.0.40-xfsz.patch
@@ -75,6 +77,8 @@
# Security fixes
Patch110: httpd-2.0.52-CAN-2005-1268.patch
Patch111: httpd-2.0.52-CAN-2005-2088.patch
+Patch112: httpd-2.0.52-CAN-2005-2700.patch
+Patch113: httpd-2.0.52-CAN-2005-2728.patch
License: Apache Software License
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-root
@@ -167,6 +171,8 @@
%patch36 -p1 -b .sslbuff
%patch37 -p1 -b .include
%patch38 -p1 -b .digest
+%patch39 -p1 -b .ldap
+%patch40 -p1 -b .sslnbio
%patch71 -p0 -b .xfsz
%patch72 -p1 -b .pod
@@ -188,6 +194,8 @@
%patch110 -p1 -b .can1268
%patch111 -p1 -b .can2088
+%patch112 -p1 -b .can2700
+%patch113 -p1 -b .can2728
# Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH70} | patch -p1
@@ -558,6 +566,13 @@
%{_libdir}/httpd/build/libtool
%changelog
+* Fri Sep 2 2005 Joe Orton <jorton at redhat.com> 2.0.54-10.2
+- mod_ssl: add security fix for SSLVerifyClient (#167196, CVE CAN-2005-2700)
+- add security fix for byterange filter DoS (#167104, CVE CAN-2005-2728)
+- add fix for dummy connection handling (#167425)
+- mod_ldap/mod_auth_ldap: add fixes from 2.0.x branch (upstream #34209 etc)
+- mod_ssl: add fix for handling non-blocking reads
+
* Tue Jul 26 2005 Joe Orton <jorton at redhat.com> 2.0.54-10.1
- add security fix for C-L vs T-E handling (#162245, CVE CAN-2005-2088)
- mod_ssl: add security fix for CRL overflow (CVE CAN-2005-1268)