From acd018ca035f4939aa692238805dec4272ec4202 Mon Sep 17 00:00:00 2001
From: maxice8 <30738253+maxice8@users.noreply.github.com>
Date: Wed, 25 Oct 2017 02:01:26 -0200
Subject: [PATCH] apache: update to 2.4.29. (#8518)
---
...pache-2.2-optionsbleed-CVE-2017-9798.patch | 21 --
srcpkgs/apache/patches/fix-libressl.patch | 199 ------------------
srcpkgs/apache/template | 4 +-
3 files changed, 2 insertions(+), 222 deletions(-)
delete mode 100644 srcpkgs/apache/patches/apache-2.2-optionsbleed-CVE-2017-9798.patch
diff --git a/srcpkgs/apache/patches/apache-2.2-optionsbleed-CVE-2017-9798.patch b/srcpkgs/apache/patches/apache-2.2-optionsbleed-CVE-2017-9798.patch
deleted file mode 100644
index 30e5c0520c3..00000000000
--- a/srcpkgs/apache/patches/apache-2.2-optionsbleed-CVE-2017-9798.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-CVE-2017-9798
-
-Backport from https://svn.apache.org/viewvc?view=revision&revision=1807655
-
-diff --git a/server/core.c b/server/core.c
-index f61699e..d24542e 100644
---- ./server/core.c
-+++ ./server/core.c
-@@ -1809,6 +1809,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(cmd_parms *cmd,
- /* method has not been registered yet, but resorce restriction
- * is always checked before method handling, so register it.
- */
-+ if (cmd->pool == cmd->temp_pool) {
-+ /* In .htaccess, we can't globally register new methods. */
-+ return apr_psprintf(cmd->pool, "Could not register method '%s' "
-+ "for %s from .htaccess configuration",
-+ method, cmd->cmd->name);
-+ }
- methnum = ap_method_register(cmd->pool,
- apr_pstrdup(cmd->pool, method));
-
diff --git a/srcpkgs/apache/patches/fix-libressl.patch b/srcpkgs/apache/patches/fix-libressl.patch
index cafdf52b2f9..258812e8b47 100644
--- a/srcpkgs/apache/patches/fix-libressl.patch
+++ b/srcpkgs/apache/patches/fix-libressl.patch
@@ -1,144 +1,3 @@ ---- ./modules/ssl/mod_ssl.c.orig -+++ ./modules/ssl/mod_ssl.c -@@ -337,12 +337,12 @@ - #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES - ENGINE_cleanup(); - #endif --#if OPENSSL_VERSION_NUMBER >= 0x1000200fL -+#if OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined(OPENSSL_NO_COMP) - SSL_COMP_free_compression_methods(); - #endif - - /* Usually needed per thread, but this parent process is single-threaded */ --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #if OPENSSL_VERSION_NUMBER >= 0x1000000fL - ERR_remove_thread_state(NULL); - #else -@@ -383,14 +383,14 @@ - /* Some OpenSSL internals are allocated per-thread, make sure they - * are associated to the/our same thread-id until cleaned up. - */ --#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L -+#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - ssl_util_thread_id_setup(pconf); - #endif - - /* We must register the library in full, to ensure our configuration - * code can successfully test the SSL environment. 
- */ --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - CRYPTO_malloc_init(); - #else - OPENSSL_malloc_init(); ---- ./modules/ssl/ssl_engine_init.c.orig -+++ ./modules/ssl/ssl_engine_init.c -@@ -47,7 +47,7 @@ - #define KEYTYPES "RSA or DSA" - #endif - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - /* OpenSSL Pre-1.1.0 compatibility */ - /* Taken from OpenSSL 1.1.0 snapshot 20160410 */ - static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -@@ -257,7 +257,7 @@ - #endif - } - --#if APR_HAS_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L -+#if APR_HAS_THREADS && ( OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ) - ssl_util_thread_setup(p); - #endif - -@@ -380,7 +380,7 @@ - modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ - - init_dh_params(); --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - init_bio_methods(); - #endif - -@@ -1301,7 +1301,7 @@ - * or configure NIST P-256 (required to enable ECDHE for earlier versions) - * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList - */ --#if (OPENSSL_VERSION_NUMBER < 0x10100000L) -+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) - else { - #if defined(SSL_CTX_set_ecdh_auto) - SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1); -@@ -2011,7 +2011,7 @@ - - } - --#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - free_bio_methods(); - #endif - free_dh_params(); ---- ./modules/ssl/ssl_engine_io.c.orig -+++ ./modules/ssl/ssl_engine_io.c -@@ -164,7 +164,7 @@ - { - BIO_set_shutdown(bio, 1); - BIO_set_init(bio, 1); --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - /* 
No setter method for OpenSSL 1.1.0 available, - * but I can't find any functional use of the - * "num" field there either. -@@ -549,7 +549,7 @@ - return -1; - } - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - - static BIO_METHOD bio_filter_out_method = { - BIO_TYPE_MEM, -@@ -2024,7 +2024,7 @@ - - filter_ctx->pInputFilter = ap_add_input_filter(ssl_io_filter, inctx, r, c); - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - filter_ctx->pbioRead = BIO_new(&bio_filter_in_method); - #else - filter_ctx->pbioRead = BIO_new(bio_filter_in_method); -@@ -2059,7 +2059,7 @@ - filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter, - filter_ctx, r, c); - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method); - #else - filter_ctx->pbioWrite = BIO_new(bio_filter_out_method); ---- ./modules/ssl/ssl_engine_kernel.c.orig -+++ ./modules/ssl/ssl_engine_kernel.c -@@ -1733,7 +1733,7 @@ - * so we need to increment here to prevent them from - * being freed. - */ --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #define modssl_set_cert_info(info, cert, pkey) \ - *cert = info->x509; \ - CRYPTO_add(&(*cert)->references, +1, CRYPTO_LOCK_X509); \ ---- ./modules/ssl/ssl_engine_vars.c.orig -+++ ./modules/ssl/ssl_engine_vars.c -@@ -529,7 +529,7 @@ - resdup = FALSE; - } - else if (strcEQ(var, "A_SIG")) { --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - nid = OBJ_obj2nid((ASN1_OBJECT *)(xs->cert_info->signature->algorithm)); - #else - const ASN1_OBJECT *paobj; --- ./modules/ssl/ssl_private.h.orig +++ ./modules/ssl/ssl_private.h @@ -123,6 +123,16 @@ 
@@ -158,64 +17,6 @@ #if defined(OPENSSL_FIPS) #define HAVE_FIPS #endif -@@ -136,7 +146,7 @@ - #endif - - /* session id constness */ --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #define IDCONST - #else - #define IDCONST const -@@ -199,7 +209,7 @@ - - #endif /* !defined(OPENSSL_NO_TLSEXT) && defined(SSL_set_tlsext_host_name) */ - --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #define BN_get_rfc2409_prime_768 get_rfc2409_prime_768 - #define BN_get_rfc2409_prime_1024 get_rfc2409_prime_1024 - #define BN_get_rfc3526_prime_1536 get_rfc3526_prime_1536 -@@ -219,7 +229,7 @@ - void free_bio_methods(void); - #endif - --#if OPENSSL_VERSION_NUMBER < 0x10002000L -+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) - #define X509_STORE_CTX_get0_store(x) (x->ctx) - #endif - -@@ -934,7 +944,7 @@ - const char * const *); - BOOL ssl_util_path_check(ssl_pathcheck_t, const char *, apr_pool_t *); - #if APR_HAS_THREADS --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - void ssl_util_thread_setup(apr_pool_t *); - #endif - void ssl_util_thread_id_setup(apr_pool_t *); ---- ./modules/ssl/ssl_util.c.orig -+++ ./modules/ssl/ssl_util.c -@@ -247,7 +247,7 @@ - } - - #if APR_HAS_THREADS --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - /* - * To ensure thread-safetyness in OpenSSL - work in progress - */ ---- ./modules/ssl/ssl_util_ssl.h.orig -+++ ./modules/ssl/ssl_util_ssl.h -@@ -41,7 +41,7 @@ - #define MODSSL_LIBRARY_VERSION OPENSSL_VERSION_NUMBER - #define MODSSL_LIBRARY_NAME "OpenSSL" - #define MODSSL_LIBRARY_TEXT OPENSSL_VERSION_TEXT --#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) - #define 
MODSSL_LIBRARY_DYNTEXT SSLeay_version(SSLEAY_VERSION) - #else - #define MODSSL_LIBRARY_DYNTEXT OpenSSL_version(OPENSSL_VERSION) --- ./support/ab.c.orig +++ ./support/ab.c @@ -197,6 +197,14 @@ diff --git a/srcpkgs/apache/template b/srcpkgs/apache/template index 70198b20254..9e21f51e063 100644 --- a/srcpkgs/apache/template +++ b/srcpkgs/apache/template @@ -1,6 +1,6 @@ # Template file for 'apache' pkgname=apache -version=2.4.27 +version=2.4.29 revision=1 wrksrc=httpd-${version} build_style=gnu-configure @@ -36,7 +36,7 @@ maintainer="Juan RP " homepage="http://httpd.apache.org/" license="Apache-2.0" distfiles="http://www.apache.org/dist/httpd/httpd-${version}.tar.bz2" -checksum=71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a +checksum=777753a5a25568a2a27428b2214980564bc1c38c1abf9ccc7630b639991f7f00 system_accounts="_$pkgname" _apache_homedir="/srv/www/$pkgname"
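Review bot: The new `checksum` in the second template hunk is the only integrity control on this tarball, and the unchanged `distfiles` line beside it still fetches the archive over plain `http://`, so the download used to compute the value had no transport protection. The SHA-256 should be compared with the digest or PGP signature that upstream publishes for the release before this is merged, and the URL can move to TLS: `distfiles="https://www.apache.org/dist/httpd/httpd-${version}.tar.bz2"`. The pinned checksum still protects builders either way, so this concerns the provenance of the pinned value rather than build-time tampering.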