Author: blues Date: Mon May 25 11:16:16 2009 GMT Module: packages Tag: HEAD ---- Log message: - rel. 11 - official PR46949 patch added - fixes CVE-2009-1191
---- Files affected: packages/apache: apache.spec (1.562 -> 1.563) , PR46949.diff (NONE -> 1.1) (NEW), TODO (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: packages/apache/apache.spec
diff -u packages/apache/apache.spec:1.562 packages/apache/apache.spec:1.563
--- packages/apache/apache.spec:1.562 Sun May 3 14:22:04 2009
+++ packages/apache/apache.spec Mon May 25 13:16:11 2009
@@ -1,19 +1,4 @@
 # $Revision$, $Date$
-# TODO:
-# - config examples for mod_*
-# - --with-suexec-uidmin=500 or =1000 ?
-# - subpackages for MPMs
-# - !!!check if all modules (*.so) are exactly the same for different MPMs
-# - check those autn modules inner deps
-# - for external packages: don't use any apache module name in dep as they
-# differ for apache 1.3/2.0/2.2!? any better ideas? rpm Suggests: tags?
-# - for mod_auth_* modules require each auth module to require virtual authn so at least *_default is chosen?
-# - same for mod_authz
-# - mod_auth_digest and mod_auth_basic R: apache(authn) ?
-# - drop mod_case_filter* or find summary and description for them
-# - build modules only once (not with each mpm)
-# - FYI: http://wiki.apache.org/httpd/InternalDummyConnection
-
 # Conditional build:
 %bcond_without ssl # build without SSL support
 %bcond_without ldap # build without LDAP support
@@ -35,7 +20,7 @@
 Summary(tr.UTF-8): Lider WWW tarayıcı
 Name: apache
 Version: 2.2.11
-Release: 10
+Release: 11
 License: Apache v2.0
 Group: Networking/Daemons/HTTP
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
@@ -90,6 +75,9 @@
 Patch24: %{name}-revert-bug-40463.patch
 Patch25: %{name}-prefork-graceful-fix.patch
 Patch26: %{name}-pollset-segv.patch
+# Official patches
+# http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/
+Patch27: PR46949.diff
 URL: http://httpd.apache.org/
 BuildRequires: apr-devel >= 1:1.2
 BuildRequires: apr-util-devel >= 1:1.3
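Review bot: The `Patch27: PR46949.diff` entry in the third hunk documents only the upstream patch directory, not the specific file it was taken from or the advisory it closes, so a later maintainer cannot tell from the spec which problem the patch fixes or check the shipped copy against upstream; suggest widening the comment to `# PR46949.diff: upstream fix for CVE-2009-1191 in mod_proxy_ajp, from http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/`. The only provenance recorded in this commit is the `Revision 763379` base in the patch's own header; noting the upstream file's checksum next to the Patch27 line would let the local copy be verified later.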
@@ -1744,6 +1732,7 @@
 %patch24 -p1
 %patch25 -p0
 %patch26 -p0
+%patch27 -p0

 # using system apr, apr-util and pcre
 rm -rf srclib/{apr,apr-util,pcre}
@@ -2722,6 +2711,9 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org

 $Log$
+Revision 1.563 2009/05/25 11:16:11 blues
+- rel. 11 - official PR46949 patch added - fixes CVE-2009-1191
+
 Revision 1.562 2009/05/03 12:22:04 arekm
 - rel 10; drop unmaintained/buggy peruser mpm

================================================================
Index: packages/apache/PR46949.diff
diff -u /dev/null packages/apache/PR46949.diff:1.1
--- /dev/null Mon May 25 13:16:16 2009
+++ packages/apache/PR46949.diff Mon May 25 13:16:11 2009
@@ -0,0 +1,37 @@
+Index: modules/proxy/mod_proxy_ajp.c
+===================================================================
+--- modules/proxy/mod_proxy_ajp.c (Revision 763379)
++++ modules/proxy/mod_proxy_ajp.c (Arbeitskopie)
+@@ -307,21 +307,17 @@
+ "proxy: read zero bytes, expecting"
+ " %" APR_OFF_T_FMT " bytes",
+ content_length);
+- status = ajp_send_data_msg(conn->sock, msg, 0);
+- if (status != APR_SUCCESS) {
+- /* We had a failure: Close connection to backend */
+- conn->close++;
+- ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
+- "proxy: send failed to %pI (%s)",
+- conn->worker->cp->addr,
+- conn->worker->hostname);
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+- else {
+- /* Client send zero bytes with C-L > 0
+- */
+- return HTTP_BAD_REQUEST;
+- }
++ /*
++ * We can only get here if the client closed the connection
++ * to us without sending the body.
++ * Now the connection is in the wrong state on the backend.
++ * Sending an empty data msg doesn't help either as it does
++ * not move this connection to the correct state on the backend
++ * for later resusage by the next request again.
++ * Close it to clean things up.
++ */
++ conn->close++;
++ return HTTP_BAD_REQUEST;
+ }
+ }
+
================================================================
Index: packages/apache/TODO
diff -u /dev/null packages/apache/TODO:1.1
--- /dev/null Mon May 25 13:16:17 2009
+++ packages/apache/TODO Mon May 25 13:16:11 2009
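Review bot: The new side's `conn->close++` near the end of the hunk is the whole fix, and it is only a flag: whether the backend socket is actually torn down rather than handed back to the pool for the next request is decided by code outside this hunk, so the change has to be read together with the caller's handling of `conn->close`; the enclosing function begins before and ends after the hunk. Leaving a backend connection stuck mid-request in the pool is the state the new comment describes, and presumably the cross-request mix-up behind the CVE-2009-1191 reference in the commit message. On this path the only log line is the preceding `proxy: read zero bytes, expecting ...` message, which is now the sole signal an operator has to correlate the returned HTTP_BAD_REQUEST with a forced backend reconnect. The new comment's `resusage` should read `reuse`, but as this file is the upstream patch applied verbatim, that correction belongs upstream rather than in the package copy.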
@@ -0,0 +1,17 @@
+# TODO:
+- config examples for mod_*
+- --with-suexec-uidmin=500 or =1000 ?
+- subpackages for MPMs
+- !!!check if all modules (*.so) are exactly the same for different MPMs
+- check those autn modules inner deps
+- for external packages: don't use any apache module name in dep as they
+ differ for apache 1.3/2.0/2.2!? any better ideas? rpm Suggests: tags?
+- for mod_auth_* modules require each auth module to require virtual authn so at least *_default
+ is chosen?
+- same for mod_authz
+- mod_auth_digest and mod_auth_basic R: apache(authn) ?
+- drop mod_case_filter* or find summary and description for them
+- build modules only once (not with each mpm)
+- FYI: http://wiki.apache.org/httpd/InternalDummyConnection
+
+
================================================================
---- CVS-web: http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/apache/apache.spec?r1=1.562&r2=1.563&f=u
_______________________________________________
pld-cvs-commit mailing list
pld-cvs-commit@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit