[arch-commits] Commit in apache/trunk (PKGBUILD httpd-2.2.14-CVE-2009-3555.patch)
Jan de Groot
jgc at archlinux.org
Sat Mar 13 20:37:41 UTC 2010
Date: Saturday, March 13, 2010 @ 15:37:40
Author: jgc
Revision: 72250
upgpkg: apache 2.2.15-1
Update to 2.2.15, remove upstream-applied patch
Modified:
apache/trunk/PKGBUILD
Deleted:
apache/trunk/httpd-2.2.14-CVE-2009-3555.patch
----------------------------------+
PKGBUILD | 9 -
httpd-2.2.14-CVE-2009-3555.patch | 284 -------------------------------------
2 files changed, 3 insertions(+), 290 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2010-03-13 20:28:16 UTC (rev 72249)
+++ PKGBUILD 2010-03-13 20:37:40 UTC (rev 72250)
@@ -3,8 +3,8 @@
# Contributor: Pierre Schmitz <pierre at archlinux.de>
pkgname=apache
-pkgver=2.2.14
-pkgrel=3
+pkgver=2.2.15
+pkgrel=1
pkgdesc='A high performance Unix-based HTTP server'
arch=('i686' 'x86_64')
options=('!libtool')
@@ -28,13 +28,12 @@
${_itkurl}/08-max-clients-per-vhost.patch
${_itkurl}/09-capabilities.patch
${_itkurl}/10-nice.patch
- httpd-2.2.14-CVE-2009-3555.patch
apachectl-confd.patch
apache.conf.d
httpd.logrotate
httpd
arch.layout)
-md5sums=('a5226203aaf97e5b941c41a71c112704'
+md5sums=('016cec97337eccead2aad6a7c27f2e14'
'db42cfcc18ae1c32aaaff2347e35b79d'
'131408ad4dc7b18547b4e062e7e495ab'
'ee488f391054d528547c3a372faa2aa7'
@@ -44,7 +43,6 @@
'9f7a8935f9cabc7b46d0052906634cef'
'1b28e3363e1b0d05b738a21e7ddd264f'
'd9667fcd2ffecc63e446edd4d6666731'
- '65df0a4f22728b84479dd59155ac940c'
'4ac64df6e019edbe137017cba1ff2f51'
'08b3c875f6260644f2f52b4056d656b0'
'f4d627c64024c1b7b95efb5ffbaa625e'
@@ -54,7 +52,6 @@
build() {
cd "${srcdir}/httpd-${pkgver}"
- patch -Np1 -i "${srcdir}/httpd-2.2.14-CVE-2009-3555.patch" || return 1
patch -Np0 -i "${srcdir}/apachectl-confd.patch" || return 1
# set default user
Deleted: httpd-2.2.14-CVE-2009-3555.patch
===================================================================
--- httpd-2.2.14-CVE-2009-3555.patch 2010-03-13 20:28:16 UTC (rev 72249)
+++ httpd-2.2.14-CVE-2009-3555.patch 2010-03-13 20:37:40 UTC (rev 72250)
@@ -1,284 +0,0 @@
---- httpd-2.2.14/modules/ssl/ssl_engine_init.c.cve3555
-+++ httpd-2.2.14/modules/ssl/ssl_engine_init.c
-@@ -501,10 +501,7 @@ static void ssl_init_ctx_callbacks(serve
- SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
- SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
-
-- if (s->loglevel >= APLOG_DEBUG) {
-- /* this callback only logs if LogLevel >= info */
-- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
-- }
-+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
- }
-
- static void ssl_init_ctx_verify(server_rec *s,
---- httpd-2.2.14/modules/ssl/ssl_engine_io.c.cve3555
-+++ httpd-2.2.14/modules/ssl/ssl_engine_io.c
-@@ -103,6 +103,7 @@ typedef struct {
- ap_filter_t *pInputFilter;
- ap_filter_t *pOutputFilter;
- int nobuffer; /* non-zero to prevent buffering */
-+ SSLConnRec *config;
- } ssl_filter_ctx_t;
-
- typedef struct {
-@@ -193,7 +194,13 @@ static int bio_filter_out_read(BIO *bio,
- static int bio_filter_out_write(BIO *bio, const char *in, int inl)
- {
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
--
-+
-+ /* Abort early if the client has initiated a renegotiation. */
-+ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
-+ outctx->rc = APR_ECONNABORTED;
-+ return -1;
-+ }
-+
- /* when handshaking we'll have a small number of bytes.
- * max size SSL will pass us here is about 16k.
- * (16413 bytes to be exact)
-@@ -466,6 +473,12 @@ static int bio_filter_in_read(BIO *bio,
- if (!in)
- return 0;
-
-+ /* Abort early if the client has initiated a renegotiation. */
-+ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
-+ inctx->rc = APR_ECONNABORTED;
-+ return -1;
-+ }
-+
- /* XXX: flush here only required for SSLv2;
- * OpenSSL calls BIO_flush() at the appropriate times for
- * the other protocols.
-@@ -1724,6 +1737,8 @@ void ssl_io_filter_init(conn_rec *c, SSL
-
- filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
-
-+ filter_ctx->config = myConnConfig(c);
-+
- filter_ctx->nobuffer = 0;
- filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
- filter_ctx, NULL, c);
---- httpd-2.2.14/modules/ssl/ssl_engine_kernel.c.cve3555
-+++ httpd-2.2.14/modules/ssl/ssl_engine_kernel.c
-@@ -729,6 +729,10 @@ int ssl_hook_Access(request_rec *r)
- (unsigned char *)&id,
- sizeof(id));
-
-+ /* Toggle the renegotiation state to allow the new
-+ * handshake to proceed. */
-+ sslconn->reneg_state = RENEG_ALLOW;
-+
- SSL_renegotiate(ssl);
- SSL_do_handshake(ssl);
-
-@@ -750,6 +754,8 @@ int ssl_hook_Access(request_rec *r)
- SSL_set_state(ssl, SSL_ST_ACCEPT);
- SSL_do_handshake(ssl);
-
-+ sslconn->reneg_state = RENEG_REJECT;
-+
- if (SSL_get_state(ssl) != SSL_ST_OK) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Re-negotiation handshake failed: "
-@@ -1844,76 +1850,55 @@ void ssl_callback_DelSessionCacheEntry(S
- return;
- }
-
--/*
-- * This callback function is executed while OpenSSL processes the
-- * SSL handshake and does SSL record layer stuff. We use it to
-- * trace OpenSSL's processing in out SSL logfile.
-- */
--void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
-+/* Dump debugginfo trace to the log file. */
-+static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c,
-+ server_rec *s, int where, int rc)
- {
-- conn_rec *c;
-- server_rec *s;
-- SSLSrvConfigRec *sc;
--
-- /*
-- * find corresponding server
-- */
-- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
-- return;
-- }
--
-- s = mySrvFromConn(c);
-- if (!(sc = mySrvConfig(s))) {
-- return;
-- }
--
- /*
- * create the various trace messages
- */
-- if (s->loglevel >= APLOG_DEBUG) {
-- if (where & SSL_CB_HANDSHAKE_START) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Handshake: start", SSL_LIBRARY_NAME);
-- }
-- else if (where & SSL_CB_HANDSHAKE_DONE) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Handshake: done", SSL_LIBRARY_NAME);
-- }
-- else if (where & SSL_CB_LOOP) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Loop: %s",
-- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-- }
-- else if (where & SSL_CB_READ) {
-+ if (where & SSL_CB_HANDSHAKE_START) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Handshake: start", SSL_LIBRARY_NAME);
-+ }
-+ else if (where & SSL_CB_HANDSHAKE_DONE) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Handshake: done", SSL_LIBRARY_NAME);
-+ }
-+ else if (where & SSL_CB_LOOP) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Loop: %s",
-+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-+ }
-+ else if (where & SSL_CB_READ) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Read: %s",
-+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-+ }
-+ else if (where & SSL_CB_WRITE) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Write: %s",
-+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-+ }
-+ else if (where & SSL_CB_ALERT) {
-+ char *str = (where & SSL_CB_READ) ? "read" : "write";
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Alert: %s:%s:%s",
-+ SSL_LIBRARY_NAME, str,
-+ SSL_alert_type_string_long(rc),
-+ SSL_alert_desc_string_long(rc));
-+ }
-+ else if (where & SSL_CB_EXIT) {
-+ if (rc == 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Read: %s",
-+ "%s: Exit: failed in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
-- else if (where & SSL_CB_WRITE) {
-+ else if (rc < 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Write: %s",
-+ "%s: Exit: error in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
-- else if (where & SSL_CB_ALERT) {
-- char *str = (where & SSL_CB_READ) ? "read" : "write";
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Alert: %s:%s:%s",
-- SSL_LIBRARY_NAME, str,
-- SSL_alert_type_string_long(rc),
-- SSL_alert_desc_string_long(rc));
-- }
-- else if (where & SSL_CB_EXIT) {
-- if (rc == 0) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Exit: failed in %s",
-- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-- }
-- else if (rc < 0) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Exit: error in %s",
-- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-- }
-- }
- }
-
- /*
-@@ -1933,6 +1918,52 @@ void ssl_callback_LogTracingState(MODSSL
- }
- }
-
-+/*
-+ * This callback function is executed while OpenSSL processes the SSL
-+ * handshake and does SSL record layer stuff. It's used to trap
-+ * client-initiated renegotiations, and for dumping everything to the
-+ * log.
-+ */
-+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
-+{
-+ conn_rec *c;
-+ server_rec *s;
-+ SSLConnRec *scr;
-+
-+ /* Retrieve the conn_rec and the associated SSLConnRec. */
-+ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
-+ return;
-+ }
-+
-+ if ((scr = myConnConfig(c)) == NULL) {
-+ return;
-+ }
-+
-+ /* If the reneg state is to reject renegotiations, check the SSL
-+ * state machine and move to ABORT if a Client Hello is being
-+ * read. */
-+ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
-+ int state = SSL_get_state(ssl);
-+
-+ if (state == SSL3_ST_SR_CLNT_HELLO_A
-+ || state == SSL23_ST_SR_CLNT_HELLO_A) {
-+ scr->reneg_state = RENEG_ABORT;
-+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
-+ "rejecting client initiated renegotiation");
-+ }
-+ }
-+ /* If the first handshake is complete, change state to reject any
-+ * subsequent client-initated renegotiation. */
-+ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
-+ scr->reneg_state = RENEG_REJECT;
-+ }
-+
-+ s = mySrvFromConn(c);
-+ if (s && s->loglevel >= APLOG_DEBUG) {
-+ log_tracing_state(ssl, c, s, where, rc);
-+ }
-+}
-+
- #ifndef OPENSSL_NO_TLSEXT
- /*
- * This callback function is executed when OpenSSL encounters an extended
---- httpd-2.2.14/modules/ssl/ssl_private.h.cve3555
-+++ httpd-2.2.14/modules/ssl/ssl_private.h
-@@ -356,6 +356,20 @@ typedef struct {
- int is_proxy;
- int disabled;
- int non_ssl_request;
-+
-+ /* Track the handshake/renegotiation state for the connection so
-+ * that all client-initiated renegotiations can be rejected, as a
-+ * partial fix for CVE-2009-3555. */
-+ enum {
-+ RENEG_INIT = 0, /* Before initial handshake */
-+ RENEG_REJECT, /* After initial handshake; any client-initiated
-+ * renegotiation should be rejected */
-+ RENEG_ALLOW, /* A server-initated renegotiation is taking
-+ * place (as dictated by configuration) */
-+ RENEG_ABORT /* Renegotiation initiated by client, abort the
-+ * connection */
-+ } reneg_state;
-+
- server_rec *server;
- } SSLConnRec;
-
-@@ -574,7 +588,7 @@ int ssl_callback_proxy_cert(SSL
- int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
- SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
- void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
--void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
-+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
- #ifndef OPENSSL_NO_TLSEXT
- int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
- #endif
More information about the arch-commits
mailing list