author | Andy Postnikov <apostnikov@gmail.com> | 2018-07-19 14:58:32 +0300 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2018-08-20 13:49:53 +0300 |
commit | 59a11b59748d0c389571723c781e7c0507893bf5 (patch) | |
tree | 106dadffeeac817172d3d5b1a88e70caa402a9bc | |
parent | f21552df8b35137d4fe31dbd14c342d797a69319 (diff) | |
main/apache2: security upgrade to 2.4.34
fixes #9266
-rw-r--r-- | main/apache2/APKBUILD | 9 | ||||
-rw-r--r-- | main/apache2/apache-2.4.34-libressl-compatibility.patch | 75 |
2 files changed, 82 insertions, 2 deletions
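--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 pkgname=apache2
 _pkgreal=httpd
-pkgver=2.4.33
+pkgver=2.4.34
 pkgrel=0
 pkgdesc="A high performance Unix-based HTTP server"
 url="http://httpd.apache.org/"
@@ -31,6 +31,7 @@ source="http://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
 apache2.logrotate
 apache2.initd
 alpine.layout
+apache-2.4.34-libressl-compatibility.patch
 conf/0001-httpd.conf-ServerRoot.patch
 conf/0002-httpd.conf-ServerTokens.patch
 conf/0003-httpd.conf-ServerSignature.patch
@@ -50,6 +51,9 @@ options="suid"
 builddir="$srcdir"/$_pkgreal-$pkgver
 
 # secfixes:
+# 2.4.34-r0:
+# - CVE-2018-1333
+# - CVE-2018-8011
 # 2.4.33-r0:
 # - CVE-2017-15710
 # - CVE-2017-15715
@@ -314,11 +318,12 @@ _lua() {
 "$subpkgdir"/usr/lib/apache2/ || return 1
 _load_mods
 }
-sha512sums="e74b2b3346d67be45a8bc8a7cbb8eabf5c403a5cfe5797a976f94a539529843fbcdf03b9ca0548816b2cf37f4ce0eb301f8d5af25b1270fdf8dd9f5bf0585269 httpd-2.4.33.tar.bz2
+sha512sums="2bc09213f08a4722e305929fbac5f5060c7a8444704494894bb9b61f17e4d20bb6e3d663bb93fc5b2030b04a43fb12373d260cc291422b210b299725aaf3b5c8 httpd-2.4.34.tar.bz2
 8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
 18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
 81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
 177c58d049fc4476fd9b9b36b67725145777c84cf81948105c9314cb09312dff6c1931fe21aaa243597abaefded6c6dfd80d83839e45a23950b50de615d73b06 alpine.layout
+fb0e896666126fd2c79cf12533a09f19ff991a44ede33ab7933381fbe5ebf94008ffb4c824a9958e47d2277fd4b985f14597fa533b2964666e3d4684e8ede9d9 apache-2.4.34-libressl-compatibility.patch
 361e0a74f6f8f5734f074dc2f2001ff64896ecc81f88ea384b6db7db33b7738eb92b4e16163b356259581a8e7dd86adeac971d36d2584abb781e8f9b8fae6356 0001-httpd.conf-ServerRoot.patch
 40f3b7579c403952ba1efcb8dfd6ffd91c2695a06a2e5530ab5a583946558790fbfa16cad259d273ac1aa7a6335dd79636aa82fd844dc3a60a34c34d90db5e17 0002-httpd.conf-ServerTokens.patch
 ad0c1711bc240f99cd0256d0984ad0142e03c384d30378ccca3e47cdd2596307e64bb19fbd810a56c0e4c0716577d3160bad2ae39783b1358412588bc729c113 0003-httpd.conf-ServerSignature.patch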
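Review bot: The replaced `sha512sums` entry for `httpd-2.4.34.tar.bz2` in the last hunk is the only integrity control on the new tarball, because the `source=` URL visible in the second hunk header is plain `http://` (the assignment itself starts above that hunk). For a security upgrade it would help to record that the digest was checked against upstream's published checksum or release signature, rather than computed from whatever the builder downloaded. The fetch could also move to TLS, `source="https://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2`, so a tampered download fails earlier than the checksum step.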
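--- /dev/null
+++ b/main/apache2/apache-2.4.34-libressl-compatibility.patch
@@ -0,0 +1,75 @@
+# based on upstream commit from:
+# https://github.com/apache/httpd/commit/8134addfabf2685e08da6d51167775b628fda0dc
+# this should be included in the next release (2.4.34?)
+
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 48d64cb624..2392019aed 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -398,7 +398,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
+/* We must register the library in full, to ensure our configuration
+* code can successfully test the SSL environment.
+*/
+-#if MODSSL_USE_OPENSSL_PRE_1_1_API
++#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
+(void)CRYPTO_malloc_init();
+#else
+OPENSSL_malloc_init();
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index a3a74f474c..88c0939cab 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -546,7 +546,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+char *cp;
+int protocol = mctx->protocol;
+SSLSrvConfigRec *sc = mySrvConfig(s);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \
++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+int prot;
+#endif
+
+@@ -616,7 +617,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+
+SSL_CTX_set_options(ctx, SSL_OP_ALL);
+
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+/* always disable SSLv2, as per RFC 6176 */
+SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index a39569cbf7..e0e1b37087 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -132,13 +132,14 @@
+SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
+#define SSL_CTX_set_max_proto_version(ctx, version) \
+SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+-#endif
+-/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
+- * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
+- * we have to work around this...
++#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
++/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
++ * include most changes from OpenSSL >= 1.1 (new functions, macros,
++ * deprecations, ...), so we have to work around this...
+*/
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
+-#else
++#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
++#else /* defined(LIBRESSL_VERSION_NUMBER) */
+#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#endif
+
+@@ -238,7 +239,8 @@ void init_bio_methods(void);
+void free_bio_methods(void);
+#endif
+
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
++#if OPENSSL_VERSION_NUMBER < 0x10002000L || \
++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
+#define X509_STORE_CTX_get0_store(x) (x->ctx)
+#endif
+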
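Review bot: In the `ssl_private.h` hunk, `MODSSL_USE_OPENSSL_PRE_1_1_API` is now defined only inside the new `#elif LIBRESSL_VERSION_NUMBER < 0x2070000f` branch. The closing comment `#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */` suggests the opening `#if`, which sits above the hunk, tests for LibreSSL before 2.6. If that is the case, a build against such a LibreSSL takes the first branch and leaves the macro undefined, so every `#if MODSSL_USE_OPENSSL_PRE_1_1_API` evaluates to 0 and the OpenSSL 1.1 paths are selected in the TLS setup code. Closing the pre-2.6 block with its own `#endif` and then defining the macro for every LibreSSL build as `#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f)` would remove that gap. The header note `(2.4.34?)` on line 3 of the patch is also stale, since the patch is being applied on top of 2.4.34.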