[apache2] 03/03: upgrade to 2.4.26

Stefan Fritsch sf at moszumanska.debian.org
Sun Jun 25 07:59:32 UTC 2017


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch master
in repository apache2.

commit 30479672fca13eb0ecd3e8d8b29a75b3ce7dd2c4
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sun Jun 25 09:13:03 2017 +0200

    upgrade to 2.4.26
    
    and remove obsolete patches
---
 debian/changelog                                   |   6 +
 debian/patches/CVE-2017-3167.diff                  | 206 ---------------------
 debian/patches/CVE-2017-3169.diff                  |  84 ---------
 debian/patches/CVE-2017-7659.diff                  |  33 ----
 debian/patches/CVE-2017-7668.diff                  |  34 ----
 debian/patches/CVE-2017-7679.diff                  |  34 ----
 .../mpm_event_restart_segfault_PR60487.patch       |  23 ---
 debian/patches/series                              |   7 -
 8 files changed, 6 insertions(+), 421 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index dca7153..cfea578 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+apache2 (2.4.26-1) UNRELEASED; urgency=medium
+
+  [ New upstream release ]
+
+ -- Stefan Fritsch <sf at debian.org>  Sun, 25 Jun 2017 09:12:21 +0200
+
 apache2 (2.4.25-4) unstable; urgency=high
 
   * Backport security fixes from 2.4.26:
diff --git a/debian/patches/CVE-2017-3167.diff b/debian/patches/CVE-2017-3167.diff
deleted file mode 100644
index 22b41fc..0000000
--- a/debian/patches/CVE-2017-3167.diff
+++ /dev/null
@@ -1,206 +0,0 @@
-#commit 78f0f0b6585f13ec1175c7020ee01cd0237fc1ba
-#Author: Jim Jagielski <jim at apache.org>
-#Date:   Tue May 30 12:27:41 2017 +0000
-#
-#    Merge r1796348 from trunk:
-#    
-#    core: deprecate and replace ap_get_basic_auth_pw
-#    
-#      *) core: Deprecate ap_get_basic_auth_pw() and add
-#        ap_get_basic_auth_components().
-#    
-#    Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
-#    
-#    
-#    
-#    Submitted by: covener
-#    Reviewed by: covener, ylavic, jim
-#    
-#    
-#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796855 13f79535-47bb-0310-9956-ffa450edef68
-#
-diff --git a/include/ap_mmn.h b/include/ap_mmn.h
-index 124057ca7d..2764501833 100644
---- a/include/ap_mmn.h
-+++ b/include/ap_mmn.h
-@@ -494,6 +494,8 @@
-  *                          and ap_scan_vchar_obstext()
-  *                          Replaced fold boolean with with multiple bit flags
-  *                          to ap_[r]getline()
-+ * 20120211.68 (2.4.26-dev) Add ap_get_basic_auth_components() and deprecate
-+ *                          ap_get_basic_auth_pw()
-  */
- 
- #define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
-@@ -501,7 +503,7 @@
- #ifndef MODULE_MAGIC_NUMBER_MAJOR
- #define MODULE_MAGIC_NUMBER_MAJOR 20120211
- #endif
--#define MODULE_MAGIC_NUMBER_MINOR 67                   /* 0...n */
-+#define MODULE_MAGIC_NUMBER_MINOR 68                  /* 0...n */
- 
- /**
-  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
-diff --git a/include/http_protocol.h b/include/http_protocol.h
-index a9e09904bd..29d887c61e 100644
---- a/include/http_protocol.h
-+++ b/include/http_protocol.h
-@@ -558,7 +558,11 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
- AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
- 
- /**
-- * Get the password from the request headers
-+ * Get the password from the request headers. This function has multiple side
-+ * effects due to its prior use in the old authentication framework.
-+ * ap_get_basic_auth_components() should be preferred.
-+ *
-+ * @deprecated @see ap_get_basic_auth_components
-  * @param r The current request
-  * @param pw The password as set in the headers
-  * @return 0 (OK) if it set the 'pw' argument (and assured
-@@ -571,6 +575,25 @@ AP_DECLARE_HOOK(int, note_auth_failure, (request_rec *r, const char *auth_type))
-  */
- AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw);
- 
-+#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE"
-+
-+/**
-+ * Get the username and/or password from the request's Basic authentication
-+ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side
-+ * effects on the passed request_rec.
-+ *
-+ * @param r The current request
-+ * @param username If not NULL, set to the username sent by the client
-+ * @param password If not NULL, set to the password sent by the client
-+ * @return APR_SUCCESS if the credentials were successfully parsed and returned;
-+ *         APR_EINVAL if there was no authentication header sent or if the
-+ *         client was not using the Basic authentication scheme. username and
-+ *         password are unchanged on failure.
-+ */
-+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
-+                                                      const char **username,
-+                                                      const char **password);
-+
- /**
-  * parse_uri: break apart the uri
-  * @warning Side Effects:
-diff --git a/server/protocol.c b/server/protocol.c
-index 19d087cbea..ff44b3937c 100644
---- a/server/protocol.c
-+++ b/server/protocol.c
-@@ -1593,6 +1593,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
- 
-     t = ap_pbase64decode(r->pool, auth_line);
-     r->user = ap_getword_nulls (r->pool, &t, ':');
-+    apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1");
-     r->ap_auth_type = "Basic";
- 
-     *pw = t;
-@@ -1600,6 +1601,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
-     return OK;
- }
- 
-+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
-+                                                      const char **username,
-+                                                      const char **password)
-+{
-+    const char *auth_header;
-+    const char *credentials;
-+    const char *decoded;
-+    const char *user;
-+
-+    auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
-+                                                  : "Authorization";
-+    credentials = apr_table_get(r->headers_in, auth_header);
-+
-+    if (!credentials) {
-+        /* No auth header. */
-+        return APR_EINVAL;
-+    }
-+
-+    if (ap_cstr_casecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) {
-+        /* These aren't Basic credentials. */
-+        return APR_EINVAL;
-+    }
-+
-+    while (*credentials == ' ' || *credentials == '\t') {
-+        credentials++;
-+    }
-+
-+    /* XXX Our base64 decoding functions don't actually error out if the string
-+     * we give it isn't base64; they'll just silently stop and hand us whatever
-+     * they've parsed up to that point.
-+     *
-+     * Since this function is supposed to be a drop-in replacement for the
-+     * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x.
-+     */
-+    decoded = ap_pbase64decode(r->pool, credentials);
-+    user = ap_getword_nulls(r->pool, &decoded, ':');
-+
-+    if (username) {
-+        *username = user;
-+    }
-+    if (password) {
-+        *password = decoded;
-+    }
-+
-+    return APR_SUCCESS;
-+}
-+
- struct content_length_ctx {
-     int data_sent;  /* true if the C-L filter has already sent at
-                      * least one bucket on to the next output filter
-diff --git a/server/request.c b/server/request.c
-index b2280cb5a8..fac5f8c7cd 100644
---- a/server/request.c
-+++ b/server/request.c
-@@ -124,6 +124,8 @@ static int decl_die(int status, const char *phase, request_rec *r)
- AP_DECLARE(int) ap_some_authn_required(request_rec *r)
- {
-     int access_status;
-+    char *olduser = r->user;
-+    int rv = FALSE;
- 
-     switch (ap_satisfies(r)) {
-     case SATISFY_ALL:
-@@ -134,7 +136,7 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
- 
-         access_status = ap_run_access_checker_ex(r);
-         if (access_status == DECLINED) {
--            return TRUE;
-+            rv = TRUE;
-         }
- 
-         break;
-@@ -145,13 +147,14 @@ AP_DECLARE(int) ap_some_authn_required(request_rec *r)
- 
-         access_status = ap_run_access_checker_ex(r);
-         if (access_status == DECLINED) {
--            return TRUE;
-+            rv = TRUE;
-         }
- 
-         break;
-     }
- 
--    return FALSE;
-+    r->user = olduser;
-+    return rv;
- }
- 
- /* This is the master logic for processing requests.  Do NOT duplicate
-@@ -259,6 +262,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
-         r->ap_auth_type = r->main->ap_auth_type;
-     }
-     else {
-+        /* A module using a confusing API (ap_get_basic_auth_pw) caused
-+        ** r->user to be filled out prior to check_authn hook. We treat
-+        ** it is inadvertent.
-+        */
-+        if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) { 
-+            r->user = NULL;
-+        }
-+
-         switch (ap_satisfies(r)) {
-         case SATISFY_ALL:
-         case SATISFY_NOSPEC:
diff --git a/debian/patches/CVE-2017-3169.diff b/debian/patches/CVE-2017-3169.diff
deleted file mode 100644
index feb1c10..0000000
--- a/debian/patches/CVE-2017-3169.diff
+++ /dev/null
@@ -1,84 +0,0 @@
-#commit 54e0c857b1b019c147b778c09d5e72d99183ff61
-#Author: Jim Jagielski <jim at apache.org>
-#Date:   Tue May 30 12:26:05 2017 +0000
-#
-#    Merge r1796343 from trunk:
-#    
-#    mod_ssl: fix ctx passed to ssl_io_filter_error()
-#    
-#    Consistently pass the expected bio_filter_in_ctx_t
-#    to ssl_io_filter_error().
-#    
-#    Submitted By: Yann Ylavic
-#    
-#    
-#    
-#    Submitted by: covener
-#    Reviewed by: covener, ylavic, jim
-#    
-#    
-#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796854 13f79535-47bb-0310-9956-ffa450edef68
-#
---- apache2.orig/modules/ssl/ssl_engine_io.c
-+++ apache2/modules/ssl/ssl_engine_io.c
-@@ -877,20 +877,21 @@ static apr_status_t ssl_filter_write(ap_
-  * establish an outgoing SSL connection. */
- #define MODSSL_ERROR_BAD_GATEWAY (APR_OS_START_USERERR + 1)
- 
--static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
-+static void ssl_io_filter_disable(SSLConnRec *sslconn,
-+                                  bio_filter_in_ctx_t *inctx)
- {
--    bio_filter_in_ctx_t *inctx = f->ctx;
-     SSL_free(inctx->ssl);
-     sslconn->ssl = NULL;
-     inctx->ssl = NULL;
-     inctx->filter_ctx->pssl = NULL;
- }
- 
--static apr_status_t ssl_io_filter_error(ap_filter_t *f,
-+static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
-                                         apr_bucket_brigade *bb,
-                                         apr_status_t status,
-                                         int is_init)
- {
-+    ap_filter_t *f = inctx->f;
-     SSLConnRec *sslconn = myConnConfig(f->c);
-     apr_bucket *bucket;
-     int send_eos = 1;
-@@ -903,7 +904,7 @@ static apr_status_t ssl_io_filter_error(
-                          "trying to send HTML error page");
-             ssl_log_ssl_error(SSLLOG_MARK, APLOG_INFO, sslconn->server);
- 
--            ssl_io_filter_disable(sslconn, f);
-+            ssl_io_filter_disable(sslconn, inctx);
-             f->c->keepalive = AP_CONN_CLOSE;
-             if (is_init) {
-                 sslconn->non_ssl_request = NON_SSL_SEND_REQLINE;
-@@ -1454,7 +1455,7 @@ static apr_status_t ssl_io_filter_input(
-      * rather than have SSLEngine On configured.
-      */
-     if ((status = ssl_io_filter_handshake(inctx->filter_ctx)) != APR_SUCCESS) {
--        return ssl_io_filter_error(f, bb, status, is_init);
-+        return ssl_io_filter_error(inctx, bb, status, is_init);
-     }
- 
-     if (is_init) {
-@@ -1508,7 +1509,7 @@ static apr_status_t ssl_io_filter_input(
- 
-     /* Handle custom errors. */
-     if (status != APR_SUCCESS) {
--        return ssl_io_filter_error(f, bb, status, 0);
-+        return ssl_io_filter_error(inctx, bb, status, 0);
-     }
- 
-     /* Create a transient bucket out of the decrypted data. */
-@@ -1693,7 +1694,7 @@ static apr_status_t ssl_io_filter_output
-     inctx->block = APR_BLOCK_READ;
- 
-     if ((status = ssl_io_filter_handshake(filter_ctx)) != APR_SUCCESS) {
--        return ssl_io_filter_error(f, bb, status, 0);
-+        return ssl_io_filter_error(inctx, bb, status, 0);
-     }
- 
-     while (!APR_BRIGADE_EMPTY(bb) && status == APR_SUCCESS) {
diff --git a/debian/patches/CVE-2017-7659.diff b/debian/patches/CVE-2017-7659.diff
deleted file mode 100644
index f89f318..0000000
--- a/debian/patches/CVE-2017-7659.diff
+++ /dev/null
@@ -1,33 +0,0 @@
-#commit 672187c168b94b562d8065e08e2cad5b00cdd0e3
-#Author: Stefan Eissing <icing at apache.org>
-#Date:   Wed Feb 1 20:40:38 2017 +0000
-#
-#    On the trunk:
-#    
-#    mod_http2: fix for crash when running out of memory. Initial patch by Robert Swiecki <robert at swiecki.net>
-#    
-#    
-#    
-#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1781304 13f79535-47bb-0310-9956-ffa450edef68
-#
---- apache2.orig/modules/http2/h2_stream.c
-+++ apache2/modules/http2/h2_stream.c
-@@ -286,11 +286,13 @@ apr_status_t h2_stream_set_request_rec(h
-         return APR_ECONNRESET;
-     }
-     status = h2_request_rcreate(&req, stream->pool, r);
--    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058)
--                  "h2_request(%d): set_request_rec %s host=%s://%s%s",
--                  stream->id, req->method, req->scheme, req->authority, 
--                  req->path);
--    stream->rtmp = req;
-+    if (status == APR_SUCCESS) {
-+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, status, r, APLOGNO(03058)
-+                      "h2_request(%d): set_request_rec %s host=%s://%s%s",
-+                      stream->id, req->method, req->scheme, req->authority, 
-+                      req->path);
-+        stream->rtmp = req;
-+    }
-     return status;
- }
- 
diff --git a/debian/patches/CVE-2017-7668.diff b/debian/patches/CVE-2017-7668.diff
deleted file mode 100644
index 00b1dcd..0000000
--- a/debian/patches/CVE-2017-7668.diff
+++ /dev/null
@@ -1,34 +0,0 @@
-#commit a585e36e06a53170be6d2d462ceb5b30b8382988
-#Author: Jim Jagielski <jim at apache.org>
-#Date:   Tue May 30 12:28:20 2017 +0000
-#
-#    Merge r1796350 from trunk:
-#    
-#    short-circuit on NULL
-#    
-#    Submitted By: jchampion
-#    
-#    
-#    Submitted by: covener
-#    Reviewed by: covener, ylavic, jim
-#    
-#    
-#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1796856 13f79535-47bb-0310-9956-ffa450edef68
-#
-diff --git a/server/util.c b/server/util.c
-index 6667ac2e46..830ce5b38b 100644
---- a/server/util.c
-+++ b/server/util.c
-@@ -1679,10 +1679,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok)
- 
-     s = (const unsigned char *)line;
-     for (;;) {
--        /* find start of token, skip all stop characters, note NUL
--         * isn't a token stop, so we don't need to test for it
--         */
--        while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
-+        /* find start of token, skip all stop characters */
-+        while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
-             ++s;
-         }
-         if (!*s) {
diff --git a/debian/patches/CVE-2017-7679.diff b/debian/patches/CVE-2017-7679.diff
deleted file mode 100644
index 1c975aa..0000000
--- a/debian/patches/CVE-2017-7679.diff
+++ /dev/null
@@ -1,34 +0,0 @@
-#commit 398f3ddeb1ceb8ba710eadf7036a36a41e0e769a
-#Author: Eric Covener <covener at apache.org>
-#Date:   Mon Jun 5 12:12:31 2017 +0000
-#
-#    Merge 1797550 from trunk:
-#    
-#    mod_mime: fix quoted pair scanning
-#    
-#    
-#    Submitted By: ylavic
-#    Reviewed By: covener, ylavic, jim
-#    
-#    
-#    
-#    
-#    
-#    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1797653 13f79535-47bb-0310-9956-ffa450edef68
-#
-diff --git a/modules/http/mod_mime.c b/modules/http/mod_mime.c
-index f92119b633..28c53be132 100644
---- a/modules/http/mod_mime.c
-+++ b/modules/http/mod_mime.c
-@@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s)
-     int res = -1;
-     int c;
- 
--    if (((s + 1) != NULL) && (*s == '\\')) {
-+    if (*s == '\\') {
-         c = (int) *(s + 1);
--        if (apr_isascii(c)) {
-+        if (c && apr_isascii(c)) {
-             res = 1;
-         }
-     }
diff --git a/debian/patches/mpm_event_restart_segfault_PR60487.patch b/debian/patches/mpm_event_restart_segfault_PR60487.patch
deleted file mode 100644
index bc2825f..0000000
--- a/debian/patches/mpm_event_restart_segfault_PR60487.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-# https://bz.apache.org/bugzilla/show_bug.cgi?id=60487
---- apache2.orig/server/mpm/event/event.c
-+++ apache2/server/mpm/event/event.c
-@@ -681,7 +681,8 @@ static void ap_start_shutdown(int gracef
-         return;
-     }
-     shutdown_pending = 1;
--    retained->is_graceful = graceful;
-+    if (retained)
-+        retained->is_graceful = graceful;
- }
- 
- /* do a graceful restart if graceful == 1 */
-@@ -693,7 +694,8 @@ static void ap_start_restart(int gracefu
-         return;
-     }
-     restart_pending = 1;
--    retained->is_graceful = graceful;
-+    if (retained)
-+        retained->is_graceful = graceful;
- }
- 
- static void sig_term(int sig)
diff --git a/debian/patches/series b/debian/patches/series
index d46db24..4a1b914 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,10 +9,3 @@ reproducible_builds.diff
 #suexec-custom.patch
 
 fix_logresolve_segfault.patch
-mpm_event_restart_segfault_PR60487.patch
-
-CVE-2017-3167.diff
-CVE-2017-3169.diff
-CVE-2017-7659.diff
-CVE-2017-7668.diff
-CVE-2017-7679.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git


