main/apache2: security upgrade to 2.4.34

fixes #9266
author: Andy Postnikov <apostnikov@gmail.com> 2018-07-19 14:58:32 +0300
committer: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> 2018-08-20 13:49:53 +0300
commit: 59a11b59748d0c389571723c781e7c0507893bf5 (patch)
tree: 106dadffeeac817172d3d5b1a88e70caa402a9bc
parent: f21552df8b35137d4fe31dbd14c342d797a69319 (diff)
download: alpine_aports-59a11b59748d0c389571723c781e7c0507893bf5.tar.bz2
alpine_aports-59a11b59748d0c389571723c781e7c0507893bf5.tar.xz
alpine_aports-59a11b59748d0c389571723c781e7c0507893bf5.zip
2 files changed, 82 insertions, 2 deletions
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index 20f9c7b4b9..6bc210a432 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 pkgname=apache2
 _pkgreal=httpd
-pkgver=2.4.33
+pkgver=2.4.34
 pkgrel=0
 pkgdesc="A high performance Unix-based HTTP server"
 url="http://httpd.apache.org/"
@@ -31,6 +31,7 @@ source="http://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
        apache2.logrotate
        apache2.initd
        alpine.layout
+        apache-2.4.34-libressl-compatibility.patch
        conf/0001-httpd.conf-ServerRoot.patch
        conf/0002-httpd.conf-ServerTokens.patch
        conf/0003-httpd.conf-ServerSignature.patch
@@ -50,6 +51,9 @@ options="suid"
 builddir="$srcdir"/$_pkgreal-$pkgver
 # secfixes:
+#   2.4.34-r0:
+#     - CVE-2018-1333
+#     - CVE-2018-8011
 #   2.4.33-r0:
 #     - CVE-2017-15710
 #     - CVE-2017-15715
@@ -314,11 +318,12 @@ _lua() {
                "$subpkgdir"/usr/lib/apache2/ || return 1
        _load_mods
 }
-sha512sums="e74b2b3346d67be45a8bc8a7cbb8eabf5c403a5cfe5797a976f94a539529843fbcdf03b9ca0548816b2cf37f4ce0eb301f8d5af25b1270fdf8dd9f5bf0585269  httpd-2.4.33.tar.bz2
+sha512sums="2bc09213f08a4722e305929fbac5f5060c7a8444704494894bb9b61f17e4d20bb6e3d663bb93fc5b2030b04a43fb12373d260cc291422b210b299725aaf3b5c8  httpd-2.4.34.tar.bz2
 8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc  apache2.confd
 18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b  apache2.logrotate
 81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701  apache2.initd
 177c58d049fc4476fd9b9b36b67725145777c84cf81948105c9314cb09312dff6c1931fe21aaa243597abaefded6c6dfd80d83839e45a23950b50de615d73b06  alpine.layout
+fb0e896666126fd2c79cf12533a09f19ff991a44ede33ab7933381fbe5ebf94008ffb4c824a9958e47d2277fd4b985f14597fa533b2964666e3d4684e8ede9d9  apache-2.4.34-libressl-compatibility.patch
 361e0a74f6f8f5734f074dc2f2001ff64896ecc81f88ea384b6db7db33b7738eb92b4e16163b356259581a8e7dd86adeac971d36d2584abb781e8f9b8fae6356  0001-httpd.conf-ServerRoot.patch
 40f3b7579c403952ba1efcb8dfd6ffd91c2695a06a2e5530ab5a583946558790fbfa16cad259d273ac1aa7a6335dd79636aa82fd844dc3a60a34c34d90db5e17  0002-httpd.conf-ServerTokens.patch
 ad0c1711bc240f99cd0256d0984ad0142e03c384d30378ccca3e47cdd2596307e64bb19fbd810a56c0e4c0716577d3160bad2ae39783b1358412588bc729c113  0003-httpd.conf-ServerSignature.patch
diff --git a/main/apache2/apache-2.4.34-libressl-compatibility.patch b/main/apache2/apache-2.4.34-libressl-compatibility.patch
new file mode 100644
index 0000000000..8eb2854901
--- /dev/null
+++ b/main/apache2/apache-2.4.34-libressl-compatibility.patch
@@ -0,0 +1,75 @@
+# based on upstream commit from:
+# https://github.com/apache/httpd/commit/8134addfabf2685e08da6d51167775b628fda0dc
+# this should be included in the next release (2.4.34?)
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index 48d64cb624..2392019aed 100644
+--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
+@@ -398,7 +398,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
+     /* We must register the library in full, to ensure our configuration
+      * code can successfully test the SSL environment.
+      */
+-#if MODSSL_USE_OPENSSL_PRE_1_1_API
+#if MODSSL_USE_OPENSSL_PRE_1_1_API || defined(LIBRESSL_VERSION_NUMBER)
+     (void)CRYPTO_malloc_init();
+ #else
+     OPENSSL_malloc_init();
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index a3a74f474c..88c0939cab 100644
+--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
+@@ -546,7 +546,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+     char *cp;
+     int protocol = mctx->protocol;
+     SSLSrvConfigRec *sc = mySrvConfig(s);
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \
+       (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+     int prot;
+ #endif
+ 
+@@ -616,7 +617,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ 
+     SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
+       (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
+     /* always disable SSLv2, as per RFC 6176 */
+     SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
+ 
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index a39569cbf7..e0e1b37087 100644
+--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
+@@ -132,13 +132,14 @@
+         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
+ #define SSL_CTX_set_max_proto_version(ctx, version) \
+         SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
+-#endif
+-/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
+- * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
+- * we have to work around this...
+#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
+/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
+ * include most changes from OpenSSL >= 1.1 (new functions, macros, 
+ * deprecations, ...), so we have to work around this...
+  */
+ #define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
+-#else
+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
+#else /* defined(LIBRESSL_VERSION_NUMBER) */
+ #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ #endif
+ 
+@@ -238,7 +239,8 @@ void init_bio_methods(void);
+ void free_bio_methods(void);
+ #endif
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10002000L || \
+       (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
+ #define X509_STORE_CTX_get0_store(x) (x->ctx)
+ #endif
+
author	Andy Postnikov <apostnikov@gmail.com>	2018-07-19 14:58:32 +0300
committer	Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>	2018-08-20 13:49:53 +0300
commit	59a11b59748d0c389571723c781e7c0507893bf5 (patch)
tree	106dadffeeac817172d3d5b1a88e70caa402a9bc
parent	f21552df8b35137d4fe31dbd14c342d797a69319 (diff)
download	alpine_aports-59a11b59748d0c389571723c781e7c0507893bf5.tar.bz2 alpine_aports-59a11b59748d0c389571723c781e7c0507893bf5.tar.xz alpine_aports-59a11b59748d0c389571723c781e7c0507893bf5.zip

diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD index 20f9c7b4b9..6bc210a432 100644 --- a/main/apache2/APKBUILD +++ b/main/apache2/APKBUILD
@@ -2,7 +2,7 @@
2	# Contributor: Valery Kartel <valery.kartel@gmail.com>	2	# Contributor: Valery Kartel <valery.kartel@gmail.com>
3	pkgname=apache2	3	pkgname=apache2
4	_pkgreal=httpd	4	_pkgreal=httpd
5	pkgver=2.4.33	5	pkgver=2.4.34
6	pkgrel=0	6	pkgrel=0
7	pkgdesc="A high performance Unix-based HTTP server"	7	pkgdesc="A high performance Unix-based HTTP server"
8	url="http://httpd.apache.org/"	8	url="http://httpd.apache.org/"
@@ -31,6 +31,7 @@ source="http://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
31	apache2.logrotate	31	apache2.logrotate
32	apache2.initd	32	apache2.initd
33	alpine.layout	33	alpine.layout
		34	apache-2.4.34-libressl-compatibility.patch
34	conf/0001-httpd.conf-ServerRoot.patch	35	conf/0001-httpd.conf-ServerRoot.patch
35	conf/0002-httpd.conf-ServerTokens.patch	36	conf/0002-httpd.conf-ServerTokens.patch
36	conf/0003-httpd.conf-ServerSignature.patch	37	conf/0003-httpd.conf-ServerSignature.patch
@@ -50,6 +51,9 @@ options="suid"
50	builddir="$srcdir"/$_pkgreal-$pkgver	51	builddir="$srcdir"/$_pkgreal-$pkgver
51		52
52	# secfixes:	53	# secfixes:
		54	# 2.4.34-r0:
		55	# - CVE-2018-1333
		56	# - CVE-2018-8011
53	# 2.4.33-r0:	57	# 2.4.33-r0:
54	# - CVE-2017-15710	58	# - CVE-2017-15710
55	# - CVE-2017-15715	59	# - CVE-2017-15715
@@ -314,11 +318,12 @@ _lua() {
314	"$subpkgdir"/usr/lib/apache2/ \|\| return 1	318	"$subpkgdir"/usr/lib/apache2/ \|\| return 1
315	_load_mods	319	_load_mods
316	}	320	}
317	sha512sums="e74b2b3346d67be45a8bc8a7cbb8eabf5c403a5cfe5797a976f94a539529843fbcdf03b9ca0548816b2cf37f4ce0eb301f8d5af25b1270fdf8dd9f5bf0585269 httpd-2.4.33.tar.bz2	321	sha512sums="2bc09213f08a4722e305929fbac5f5060c7a8444704494894bb9b61f17e4d20bb6e3d663bb93fc5b2030b04a43fb12373d260cc291422b210b299725aaf3b5c8 httpd-2.4.34.tar.bz2
318	8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd	322	8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
319	18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate	323	18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
320	81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd	324	81a2d2a297d8049ba1b021b879ec863767149e056d9bdb2ac8acf63572b254935ec96c2e1580eba86639ea56433eec5c41341e4f1501f9072745dccdb3602701 apache2.initd
321	177c58d049fc4476fd9b9b36b67725145777c84cf81948105c9314cb09312dff6c1931fe21aaa243597abaefded6c6dfd80d83839e45a23950b50de615d73b06 alpine.layout	325	177c58d049fc4476fd9b9b36b67725145777c84cf81948105c9314cb09312dff6c1931fe21aaa243597abaefded6c6dfd80d83839e45a23950b50de615d73b06 alpine.layout
		326	fb0e896666126fd2c79cf12533a09f19ff991a44ede33ab7933381fbe5ebf94008ffb4c824a9958e47d2277fd4b985f14597fa533b2964666e3d4684e8ede9d9 apache-2.4.34-libressl-compatibility.patch
322	361e0a74f6f8f5734f074dc2f2001ff64896ecc81f88ea384b6db7db33b7738eb92b4e16163b356259581a8e7dd86adeac971d36d2584abb781e8f9b8fae6356 0001-httpd.conf-ServerRoot.patch	327	361e0a74f6f8f5734f074dc2f2001ff64896ecc81f88ea384b6db7db33b7738eb92b4e16163b356259581a8e7dd86adeac971d36d2584abb781e8f9b8fae6356 0001-httpd.conf-ServerRoot.patch
323	40f3b7579c403952ba1efcb8dfd6ffd91c2695a06a2e5530ab5a583946558790fbfa16cad259d273ac1aa7a6335dd79636aa82fd844dc3a60a34c34d90db5e17 0002-httpd.conf-ServerTokens.patch	328	40f3b7579c403952ba1efcb8dfd6ffd91c2695a06a2e5530ab5a583946558790fbfa16cad259d273ac1aa7a6335dd79636aa82fd844dc3a60a34c34d90db5e17 0002-httpd.conf-ServerTokens.patch
324	ad0c1711bc240f99cd0256d0984ad0142e03c384d30378ccca3e47cdd2596307e64bb19fbd810a56c0e4c0716577d3160bad2ae39783b1358412588bc729c113 0003-httpd.conf-ServerSignature.patch	329	ad0c1711bc240f99cd0256d0984ad0142e03c384d30378ccca3e47cdd2596307e64bb19fbd810a56c0e4c0716577d3160bad2ae39783b1358412588bc729c113 0003-httpd.conf-ServerSignature.patch


diff --git a/main/apache2/apache-2.4.34-libressl-compatibility.patch b/main/apache2/apache-2.4.34-libressl-compatibility.patch new file mode 100644 index 0000000000..8eb2854901 --- /dev/null +++ b/main/apache2/apache-2.4.34-libressl-compatibility.patch
@@ -0,0 +1,75 @@
		1	# based on upstream commit from:
		2	# https://github.com/apache/httpd/commit/8134addfabf2685e08da6d51167775b628fda0dc
		3	# this should be included in the next release (2.4.34?)
		4
		5	diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
		6	index 48d64cb624..2392019aed 100644
		7	--- a/modules/ssl/mod_ssl.c
		8	+++ b/modules/ssl/mod_ssl.c
		9	@@ -398,7 +398,7 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
		10	/* We must register the library in full, to ensure our configuration
		11	* code can successfully test the SSL environment.
		12	*/
		13	-#if MODSSL_USE_OPENSSL_PRE_1_1_API
		14	+#if MODSSL_USE_OPENSSL_PRE_1_1_API \|\| defined(LIBRESSL_VERSION_NUMBER)
		15	(void)CRYPTO_malloc_init();
		16	#else
		17	OPENSSL_malloc_init();
		18	diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
		19	index a3a74f474c..88c0939cab 100644
		20	--- a/modules/ssl/ssl_engine_init.c
		21	+++ b/modules/ssl/ssl_engine_init.c
		22	@@ -546,7 +546,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
		23	char *cp;
		24	int protocol = mctx->protocol;
		25	SSLSrvConfigRec *sc = mySrvConfig(s);
		26	-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
		27	+#if OPENSSL_VERSION_NUMBER >= 0x10100000L \|\| \
		28	+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
		29	int prot;
		30	#endif
		31
		32	@@ -616,7 +617,8 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
		33
		34	SSL_CTX_set_options(ctx, SSL_OP_ALL);
		35
		36	-#if OPENSSL_VERSION_NUMBER < 0x10100000L
		37	+#if OPENSSL_VERSION_NUMBER < 0x10100000L \|\| \
		38	+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20800000L)
		39	/* always disable SSLv2, as per RFC 6176 */
		40	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
		41
		42	diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
		43	index a39569cbf7..e0e1b37087 100644
		44	--- a/modules/ssl/ssl_private.h
		45	+++ b/modules/ssl/ssl_private.h
		46	@@ -132,13 +132,14 @@
		47	SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL)
		48	#define SSL_CTX_set_max_proto_version(ctx, version) \
		49	SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
		50	-#endif
		51	-/* LibreSSL declares OPENSSL_VERSION_NUMBER == 2.0 but does not include most
		52	- * changes from OpenSSL >= 1.1 (new functions, macros, deprecations, ...), so
		53	- * we have to work around this...
		54	+#elif LIBRESSL_VERSION_NUMBER < 0x2070000f
		55	+/* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not
		56	+ * include most changes from OpenSSL >= 1.1 (new functions, macros,
		57	+ * deprecations, ...), so we have to work around this...
		58	*/
		59	#define MODSSL_USE_OPENSSL_PRE_1_1_API (1)
		60	-#else
		61	+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */
		62	+#else /* defined(LIBRESSL_VERSION_NUMBER) */
		63	#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L)
		64	#endif
		65
		66	@@ -238,7 +239,8 @@ void init_bio_methods(void);
		67	void free_bio_methods(void);
		68	#endif
		69
		70	-#if OPENSSL_VERSION_NUMBER < 0x10002000L \|\| defined(LIBRESSL_VERSION_NUMBER)
		71	+#if OPENSSL_VERSION_NUMBER < 0x10002000L \|\| \
		72	+ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000f)
		73	#define X509_STORE_CTX_get0_store(x) (x->ctx)
		74	#endif
		75