
No commits in common. 'cs10' and 'c9' have entirely different histories.
cs10 ... c9

@ -15,7 +15,6 @@ LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_file_module modules/mod_authn_file.so LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
LoadModule authz_core_module modules/mod_authz_core.so LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_dbd_module modules/mod_authz_dbd.so LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so LoadModule authz_dbm_module modules/mod_authz_dbm.so

@ -4,6 +4,7 @@
# #
#LoadModule asis_module modules/mod_asis.so #LoadModule asis_module modules/mod_asis.so
#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
#LoadModule buffer_module modules/mod_buffer.so #LoadModule buffer_module modules/mod_buffer.so
#LoadModule heartbeat_module modules/mod_heartbeat.so #LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so #LoadModule heartmonitor_module modules/mod_heartmonitor.so

@ -5,7 +5,6 @@
]> ]>
<!-- <!--
Copyright 2020 Red Hat, Inc. Copyright 2020 Red Hat, Inc.
Copyright 2018 Frank Dana
Licensed to the Apache Software Foundation (ASF) under one or more Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with contributor license agreements. See the NOTICE file distributed with
@ -71,7 +70,7 @@
<para>The version of <command>apachectl</command> used on this <para>The version of <command>apachectl</command> used on this
system is a replacement script intended to be mostly (but not system is a replacement script intended to be mostly (but not
completely) compatible with the version provided with completely) compatible with version provided with
<emphasis>Apache httpd</emphasis>. This <emphasis>Apache httpd</emphasis>. This
<command>apachectl</command> mostly acts as a wrapper around <command>apachectl</command> mostly acts as a wrapper around
<command>systemctl</command> and manipulates the <command>systemctl</command> and manipulates the
@ -161,7 +160,7 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><option>configtest</option> | <option>-t</option></term> <term><option>configtest</option></term>
<listitem> <listitem>
<para>Run a configuration file syntax test. It parses the configuration <para>Run a configuration file syntax test. It parses the configuration
files and either reports <literal>Syntax OK</literal> files and either reports <literal>Syntax OK</literal>
@ -174,7 +173,7 @@
<refsect1 id='bugs'> <refsect1 id='bugs'>
<title>Bugs</title> <title>Bugs</title>
<para>Please report bugs by filing an issue in @BUG_REPORT_URL@.</para> <para>Please report bugs by filing an issue in Bugzilla via <ulink url='https://bugzilla.redhat.com/'/>.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

@ -1,6 +1,3 @@
Upstream-Status: local customisation
diff --git a/support/apxs.in b/support/apxs.in diff --git a/support/apxs.in b/support/apxs.in
index b2705fa..c331631 100644 index b2705fa..c331631 100644
--- a/support/apxs.in --- a/support/apxs.in

@ -1,6 +1,3 @@
Upstream-Status: local customisation
diff --git a/server/core.c b/server/core.c diff --git a/server/core.c b/server/core.c
index 79b2a82..dc0f17a 100644 index 79b2a82..dc0f17a 100644
--- a/server/core.c --- a/server/core.c

@ -1,5 +1,12 @@
Reduce size of httpd binary by telling linker to export all symbols
from libmain.a, rather than bloating the symbol table with ap_hack_*
to do so indirectly.
Upstream: https://svn.apache.org/r1861685 (as new default-off configure option)
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index bd8045c..d6733a5 100644 index 40c7076..ac98e5f 100644
--- a/Makefile.in --- a/Makefile.in
+++ b/Makefile.in +++ b/Makefile.in
@@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test @@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test
@ -33,10 +40,10 @@ index 8111877..f00bb3f 100644
eoc_bucket.c eor_bucket.c core_filters.c \ eoc_bucket.c eor_bucket.c core_filters.c \
util_expr_parse.c util_expr_scan.c util_expr_eval.c util_expr_parse.c util_expr_scan.c util_expr_eval.c
diff --git a/server/main.c b/server/main.c diff --git a/server/main.c b/server/main.c
index 7da7aa2..e63d2eb 100644 index 62e06df..17c09ee 100644
--- a/server/main.c --- a/server/main.c
+++ b/server/main.c +++ b/server/main.c
@@ -857,17 +857,3 @@ int main(int argc, const char * const argv[]) @@ -835,17 +835,3 @@ int main(int argc, const char * const argv[])
return !OK; return !OK;
} }

@ -1,6 +1,8 @@
--- httpd-2.4.59/server/core.c.full-release diff --git a/server/core.c b/server/core.c
+++ httpd-2.4.59/server/core.c index c36ff26..621c82a 100644
@@ -3586,6 +3586,7 @@ --- a/server/core.c
+++ b/server/core.c
@@ -3569,6 +3569,7 @@ enum server_token_type {
SrvTk_MINIMAL, /* eg: Apache/2.0.41 */ SrvTk_MINIMAL, /* eg: Apache/2.0.41 */
SrvTk_OS, /* eg: Apache/2.0.41 (UNIX) */ SrvTk_OS, /* eg: Apache/2.0.41 (UNIX) */
SrvTk_FULL, /* eg: Apache/2.0.41 (UNIX) PHP/4.2.2 FooBar/1.2b */ SrvTk_FULL, /* eg: Apache/2.0.41 (UNIX) PHP/4.2.2 FooBar/1.2b */
@ -8,7 +10,7 @@
SrvTk_PRODUCT_ONLY /* eg: Apache */ SrvTk_PRODUCT_ONLY /* eg: Apache */
}; };
static enum server_token_type ap_server_tokens = SrvTk_FULL; static enum server_token_type ap_server_tokens = SrvTk_FULL;
@@ -3662,7 +3663,10 @@ @@ -3645,7 +3646,10 @@ static void set_banner(apr_pool_t *pconf)
else if (ap_server_tokens == SrvTk_MAJOR) { else if (ap_server_tokens == SrvTk_MAJOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION); ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
} }
@ -20,7 +22,7 @@
ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")"); ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
} }
@@ -3670,7 +3674,7 @@ @@ -3653,7 +3657,7 @@ static void set_banner(apr_pool_t *pconf)
* Lock the server_banner string if we're not displaying * Lock the server_banner string if we're not displaying
* the full set of tokens * the full set of tokens
*/ */
@ -29,7 +31,7 @@
banner_locked++; banner_locked++;
} }
server_description = AP_SERVER_BASEVERSION " (" PLATFORM ")"; server_description = AP_SERVER_BASEVERSION " (" PLATFORM ")";
@@ -3703,8 +3707,11 @@ @@ -3686,8 +3690,11 @@ static const char *set_serv_tokens(cmd_parms *cmd, void *dummy,
else if (!ap_cstr_casecmp(arg, "Full")) { else if (!ap_cstr_casecmp(arg, "Full")) {
ap_server_tokens = SrvTk_FULL; ap_server_tokens = SrvTk_FULL;
} }

@ -1,8 +1,8 @@
diff --git a/docs/manual/mod/mod_proxy_wstunnel.html.en b/docs/manual/mod/mod_proxy_wstunnel.html.en diff --git a/docs/manual/mod/mod_proxy_wstunnel.html.en b/docs/manual/mod/mod_proxy_wstunnel.html.en
index c5004b8..a0ae3c8 100644 index 9f2c120..61ff7de 100644
--- a/docs/manual/mod/mod_proxy_wstunnel.html.en --- a/docs/manual/mod/mod_proxy_wstunnel.html.en
+++ b/docs/manual/mod/mod_proxy_wstunnel.html.en +++ b/docs/manual/mod/mod_proxy_wstunnel.html.en
@@ -96,6 +96,7 @@ WebSocket always happens. @@ -83,6 +83,7 @@ in the response <code>Upgrade</code></p>
<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><h3 class="directives">Directives</h3> <div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><h3 class="directives">Directives</h3>
<ul id="toc"> <ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#proxywebsocketfallbacktoproxyhttp">ProxyWebsocketFallbackToProxyHttp</a></li> <li><img alt="" src="../images/down.gif" /> <a href="#proxywebsocketfallbacktoproxyhttp">ProxyWebsocketFallbackToProxyHttp</a></li>
@ -10,7 +10,7 @@ index c5004b8..a0ae3c8 100644
</ul> </ul>
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&amp;list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_proxy_wstunnel">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&amp;component=mod_proxy_wstunnel">Report a bug</a></li></ul><h3>See also</h3> <h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&amp;list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_proxy_wstunnel">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&amp;component=mod_proxy_wstunnel">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso"> <ul class="seealso">
@@ -121,6 +122,23 @@ WebSocket always happens. @@ -108,6 +109,23 @@ in the response <code>Upgrade</code></p>
WebSocket requests as in httpd 2.4.46 and earlier.</p> WebSocket requests as in httpd 2.4.46 and earlier.</p>
</div> </div>
@ -35,7 +35,7 @@ index c5004b8..a0ae3c8 100644
<div class="bottomlang"> <div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_proxy_wstunnel.html" title="English">&nbsp;en&nbsp;</a> | <p><span>Available Languages: </span><a href="../en/mod/mod_proxy_wstunnel.html" title="English">&nbsp;en&nbsp;</a> |
diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
index 30ba1b4..e27e6f8 100644 index bcbba42..c29ded1 100644
--- a/modules/proxy/mod_proxy_wstunnel.c --- a/modules/proxy/mod_proxy_wstunnel.c
+++ b/modules/proxy/mod_proxy_wstunnel.c +++ b/modules/proxy/mod_proxy_wstunnel.c
@@ -22,6 +22,7 @@ module AP_MODULE_DECLARE_DATA proxy_wstunnel_module; @@ -22,6 +22,7 @@ module AP_MODULE_DECLARE_DATA proxy_wstunnel_module;
@ -46,7 +46,7 @@ index 30ba1b4..e27e6f8 100644
} proxyws_dir_conf; } proxyws_dir_conf;
static int can_fallback_to_proxy_http; static int can_fallback_to_proxy_http;
@@ -176,6 +177,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r, @@ -152,6 +153,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
conn_rec *c = r->connection; conn_rec *c = r->connection;
apr_socket_t *sock = conn->sock; apr_socket_t *sock = conn->sock;
conn_rec *backconn = conn->connection; conn_rec *backconn = conn->connection;
@ -55,7 +55,7 @@ index 30ba1b4..e27e6f8 100644
char *buf; char *buf;
apr_bucket_brigade *header_brigade; apr_bucket_brigade *header_brigade;
apr_bucket *e; apr_bucket *e;
@@ -253,10 +256,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r, @@ -229,10 +232,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
c->keepalive = AP_CONN_CLOSE; c->keepalive = AP_CONN_CLOSE;
do { /* Loop until done (one side closes the connection, or an error) */ do { /* Loop until done (one side closes the connection, or an error) */
@ -70,7 +70,7 @@ index 30ba1b4..e27e6f8 100644
} }
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02444) "error apr_poll()"); ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02444) "error apr_poll()");
return HTTP_INTERNAL_SERVER_ERROR; return HTTP_INTERNAL_SERVER_ERROR;
@@ -442,11 +448,26 @@ cleanup: @@ -418,11 +424,26 @@ cleanup:
return status; return status;
} }
@ -97,7 +97,7 @@ index 30ba1b4..e27e6f8 100644
new->fallback_to_proxy_http = 1; new->fallback_to_proxy_http = 1;
return (void *) new; return (void *) new;
@@ -489,7 +510,8 @@ static const command_rec ws_proxy_cmds[] = @@ -465,7 +486,8 @@ static const command_rec ws_proxy_cmds[] =
proxyws_fallback_to_proxy_http, NULL, RSRC_CONF|ACCESS_CONF, proxyws_fallback_to_proxy_http, NULL, RSRC_CONF|ACCESS_CONF,
"whether to let mod_proxy_http handle the upgrade and tunneling, " "whether to let mod_proxy_http handle the upgrade and tunneling, "
"On by default"), "On by default"),

@ -1,6 +1,3 @@
Upstream-Status: in trunk, not proposed for 2.4.x
diff --git a/Makefile.in b/Makefile.in diff --git a/Makefile.in b/Makefile.in
index 6747aea..40c7076 100644 index 6747aea..40c7076 100644
--- a/Makefile.in --- a/Makefile.in

@ -1,64 +0,0 @@
Upstream-Status: in trunk not in 2.4.x
diff --git a/configure.in b/configure.in
index 74015ca..8c0ee10 100644
--- httpd-2.4.54/modules/arch/unix/config5.m4.selinux
+++ httpd-2.4.54/modules/arch/unix/config5.m4
@@ -23,6 +23,11 @@
AC_MSG_WARN([Your system does not support systemd.])
enable_systemd="no"
else
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
+ ])
+
APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
fi
])
--- httpd-2.4.54/modules/arch/unix/mod_systemd.c.selinux
+++ httpd-2.4.54/modules/arch/unix/mod_systemd.c
@@ -35,6 +35,10 @@
#include <unistd.h>
#endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
APR_DECLARE_OPTIONAL_FN(int,
ap_find_systemd_socket, (process_rec *, apr_port_t));
@@ -70,6 +74,20 @@
return apr_psprintf(p, "%s port %u", addr, sa->port);
}
+#ifdef HAVE_SELINUX
+static void log_selinux_context(void)
+{
+ char *con;
+
+ if (is_selinux_enabled() && getcon(&con) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
+ freecon(con);
+ }
+}
+#endif
+
/* Report the service is ready in post_config, which could be during
* startup or after a reload. The server could still hit a fatal
* startup error after this point during ap_run_mpm(), so this is
@@ -87,6 +105,10 @@
if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
return OK;
+#ifdef HAVE_SELINUX
+ log_selinux_context();
+#endif
+
for (lr = ap_listeners; lr; lr = lr->next) {
char *s = dump_listener(lr, ptemp);

@ -5,8 +5,6 @@ http://svn.apache.org/viewvc?view=revision&revision=1912718
http://svn.apache.org/viewvc?view=revision&revision=1913654 http://svn.apache.org/viewvc?view=revision&revision=1913654
http://svn.apache.org/viewvc?view=revision&revision=1914438 http://svn.apache.org/viewvc?view=revision&revision=1914438
Upstream-Status: in trunk, not proposed for 2.4.x
--- httpd-2.4.58/modules/dav/fs/config6.m4.r1912477+ --- httpd-2.4.58/modules/dav/fs/config6.m4.r1912477+
+++ httpd-2.4.58/modules/dav/fs/config6.m4 +++ httpd-2.4.58/modules/dav/fs/config6.m4
@@ -20,4 +20,10 @@ @@ -20,4 +20,10 @@

@ -0,0 +1,60 @@
diff --git a/configure.in b/configure.in
index 3932407..00e2369 100644
--- a/configure.in
+++ b/configure.in
@@ -531,6 +531,11 @@ gettid
dnl confirm that a void pointer is large enough to store a long integer
APACHE_CHECK_VOID_PTR_LEN
+AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(HTTPD_LIBS, [-lselinux])
+])
+
if test $ac_cv_func_gettid = no; then
# On Linux before glibc 2.30, gettid() is only usable via syscall()
AC_CACHE_CHECK([for gettid() via syscall], ap_cv_gettid,
diff --git a/server/core.c b/server/core.c
index 8970a50..ff1024d 100644
--- a/server/core.c
+++ b/server/core.c
@@ -65,6 +65,10 @@
#include <unistd.h>
#endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
/* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
@@ -5170,6 +5174,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
}
#endif
+#ifdef HAVE_SELINUX
+ {
+ static int already_warned = 0;
+ int is_enabled = is_selinux_enabled() > 0;
+
+ if (is_enabled && !already_warned) {
+ security_context_t con;
+
+ if (getcon(&con) == 0) {
+
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
+
+ already_warned = 1;
+
+ freecon(con);
+ }
+ }
+ }
+#endif
+
return OK;
}
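Review bot: `security_context_t con;` in the added block uses a typedef that libselinux has deprecated in favour of a plain string pointer. Declaring it as `char *con;` keeps the `getcon(&con)` / `freecon(con)` calls unchanged and avoids deprecation warnings on current libselinux. `already_warned` is a function-local static, so the context is presumably logged only once per process and not again after a reload. A short comment such as `/* log the SELinux context once per process, not on every post_config pass */` would make that intent explicit. core_post_config begins outside this hunk.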

@ -1,8 +1,8 @@
diff --git a/configure.in b/configure.in diff --git a/configure.in b/configure.in
index f8f9442..f276550 100644 index 7194de5..00e2369 100644
--- a/configure.in --- a/configure.in
+++ b/configure.in +++ b/configure.in
@@ -786,9 +786,9 @@ APACHE_SUBST(INSTALL_SUEXEC) @@ -843,9 +843,9 @@ APACHE_SUBST(INSTALL_SUEXEC)
dnl APR should go after the other libs, so the right symbols can be picked up dnl APR should go after the other libs, so the right symbols can be picked up
if test x${apu_found} != xobsolete; then if test x${apu_found} != xobsolete; then

@ -1,11 +0,0 @@
--- httpd-2.4.59/modules/ssl/ssl_private.h.no-engine
+++ httpd-2.4.59/modules/ssl/ssl_private.h
@@ -112,7 +112,7 @@
|| (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
&& !defined(OPENSSL_NO_ENGINE)
#include <openssl/engine.h>
-#define MODSSL_HAVE_ENGINE_API 1
+#define MODSSL_HAVE_ENGINE_API 0
#endif
#ifndef MODSSL_HAVE_ENGINE_API
#define MODSSL_HAVE_ENGINE_API 0

@ -0,0 +1,64 @@
Index: modules/ssl/ssl_engine_pphrase.c
===================================================================
--- modules/ssl/ssl_engine_pphrase.c (revision 1920590)
+++ modules/ssl/ssl_engine_pphrase.c (working copy)
@@ -806,6 +806,9 @@
return APR_SUCCESS;
}
+/* Tries to load the key and optionally certificate via the ENGINE
+ * API. Returns APR_ENOTIMPL if the keypair could not be loaded via an
+ * ENGINE implementation. */
static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
apr_pool_t *ptemp,
const char *vhostid,
@@ -831,7 +834,7 @@
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
"Init: Unrecognized private key identifier `%s'",
keyid);
- return ssl_die(s);
+ return APR_ENOTIMPL;
}
scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
@@ -839,8 +842,8 @@
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
"Init: Failed to load engine for private key %s",
keyid);
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- return ssl_die(s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
+ return APR_ENOTIMPL;
}
if (!ENGINE_init(e)) {
@@ -996,15 +999,21 @@
X509 **pubkey, EVP_PKEY **privkey)
{
#if MODSSL_HAVE_ENGINE_API
- SSLModConfigRec *mc = myModConfig(s);
+ apr_status_t rv;
- /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
- * support was not present compile-time, or if it's built but
- * SSLCryptoDevice is not configured. */
- if (mc->szCryptoDevice)
- return modssl_load_keypair_engine(s, pconf, ptemp,
- vhostid, certid, keyid,
- pubkey, privkey);
+ rv = modssl_load_keypair_engine(s, pconf, ptemp,
+ vhostid, certid, keyid,
+ pubkey, privkey);
+ if (rv == APR_SUCCESS) {
+ return rv;
+ }
+ /* If STORE support is not present, all errors are fatal here; if
+ * STORE is present and the ENGINE could not be loaded, ignore the
+ * error and fall through to try loading via the STORE API. */
+ else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
+ return ssl_die(s);
+ }
+
#endif
#if MODSSL_HAVE_OPENSSL_STORE
return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
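Review bot: The two early exits in modssl_load_keypair_engine now return `APR_ENOTIMPL` so the caller can fall back to the STORE loader, but the `ap_log_error(APLOG_MARK, APLOG_EMERG, ...)` calls in front of them (APLOGNO(10131) and APLOGNO(10132)) are unchanged. A key that then loads through STORE therefore still leaves an emergency-level entry in the error log, which is misleading for anyone alerting on that level. Consider lowering them to match the `ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);` already changed in this hunk, or logging at EMERG only in the caller's branch that goes on to `ssl_die(s)`. The removed `mc->szCryptoDevice` test also means the ENGINE path is attempted for every key identifier, which deserves a sentence in the new function comment. Both function bodies extend outside the hunks shown.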

@ -0,0 +1,133 @@
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 53fb1e9..f735c50 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4477,20 +4477,6 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
* ourself).
*/
if (p->flags & RULEFLAG_PROXY) {
- /* For rules evaluated in server context, the mod_proxy fixup
- * hook can be relied upon to escape the URI as and when
- * necessary, since it occurs later. If in directory context,
- * the ordering of the fixup hooks is forced such that
- * mod_proxy comes first, so the URI must be escaped here
- * instead. See PR 39746, 46428, and other headaches. */
- if (ctx->perdir && (p->flags & RULEFLAG_NOESCAPE) == 0) {
- char *old_filename = r->filename;
-
- r->filename = ap_escape_uri(r->pool, r->filename);
- rewritelog((r, 2, ctx->perdir, "escaped URI in per-dir context "
- "for proxy, %s -> %s", old_filename, r->filename));
- }
-
fully_qualify_uri(r);
rewritelog((r, 2, ctx->perdir, "forcing proxy-throughput with %s",
@@ -5013,7 +4999,7 @@ static int hook_uri2file(request_rec *r)
}
if ((r->args != NULL)
&& ((r->proxyreq == PROXYREQ_PROXY)
- || (rulestatus == ACTION_NOESCAPE))) {
+ || apr_table_get(r->notes, "proxy-nocanon"))) {
/* see proxy_http:proxy_http_canon() */
r->filename = apr_pstrcat(r->pool, r->filename,
"?", r->args, NULL);
@@ -5304,13 +5290,28 @@ static int hook_fixup(request_rec *r)
if (to_proxyreq) {
/* it should go on as an internal proxy request */
- /* make sure the QUERY_STRING and
- * PATH_INFO parts get incorporated
+ /* check if the proxy module is enabled, so
+ * we can actually use it!
+ */
+ if (!proxy_available) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10160)
+ "attempt to make remote request from mod_rewrite "
+ "without proxy enabled: %s", r->filename);
+ return HTTP_FORBIDDEN;
+ }
+
+ if (rulestatus == ACTION_NOESCAPE) {
+ apr_table_setn(r->notes, "proxy-nocanon", "1");
+ }
+
+ /* make sure the QUERY_STRING gets incorporated in the case
+ * [NE] was specified on the Proxy rule. We are preventing
+ * mod_proxy canon handler from incorporating r->args as well
+ * as escaping the URL.
* (r->path_info was already appended by the
* rewriting engine because of the per-dir context!)
*/
- if (r->args != NULL) {
- /* see proxy_http:proxy_http_canon() */
+ if ((r->args != NULL) && apr_table_get(r->notes, "proxy-nocanon")) {
r->filename = apr_pstrcat(r->pool, r->filename,
"?", r->args, NULL);
}
@@ -5610,10 +5611,7 @@ static void ap_register_rewrite_mapfunc(char *name, rewrite_mapfunc_t *func)
static void register_hooks(apr_pool_t *p)
{
- /* fixup after mod_proxy, so that the proxied url will not
- * escaped accidentally by mod_proxy's fixup.
- */
- static const char * const aszPre[]={ "mod_proxy.c", NULL };
+ static const char * const aszModProxy[] = { "mod_proxy.c", NULL };
/* make the hashtable before registering the function, so that
* other modules are prevented from accessing uninitialized memory.
@@ -5625,10 +5623,12 @@ static void register_hooks(apr_pool_t *p)
ap_hook_pre_config(pre_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(post_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_child_init(init_child, NULL, NULL, APR_HOOK_MIDDLE);
-
- ap_hook_fixups(hook_fixup, aszPre, NULL, APR_HOOK_FIRST);
+
+ /* allow to change the uri before mod_proxy takes over it */
+ ap_hook_translate_name(hook_uri2file, NULL, aszModProxy, APR_HOOK_FIRST);
+ /* fixup before mod_proxy so that a [P] URL gets fixed up there */
+ ap_hook_fixups(hook_fixup, NULL, aszModProxy, APR_HOOK_FIRST);
ap_hook_fixups(hook_mimetype, NULL, NULL, APR_HOOK_LAST);
- ap_hook_translate_name(hook_uri2file, NULL, NULL, APR_HOOK_FIRST);
}
/* the main config structure */
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 8f13e68..bd0aa68 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -3344,27 +3344,26 @@ static int proxy_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
}
static void register_hooks(apr_pool_t *p)
{
- /* fixup before mod_rewrite, so that the proxied url will not
- * escaped accidentally by our fixup.
- */
- static const char * const aszSucc[] = { "mod_rewrite.c", NULL};
/* Only the mpm_winnt has child init hook handler.
* make sure that we are called after the mpm
* initializes.
*/
static const char *const aszPred[] = { "mpm_winnt.c", "mod_proxy_balancer.c",
"mod_proxy_hcheck.c", NULL};
+ static const char * const aszModRewrite[] = { "mod_rewrite.c", NULL };
+
/* handler */
ap_hook_handler(proxy_handler, NULL, NULL, APR_HOOK_FIRST);
/* filename-to-URI translation */
ap_hook_pre_translate_name(proxy_pre_translate_name, NULL, NULL,
APR_HOOK_MIDDLE);
- ap_hook_translate_name(proxy_translate_name, aszSucc, NULL,
+ /* mod_rewrite has a say on the uri before proxy translation */
+ ap_hook_translate_name(proxy_translate_name, aszModRewrite, NULL,
APR_HOOK_FIRST);
/* walk <Proxy > entries and suppress default TRACE behavior */
ap_hook_map_to_storage(proxy_map_location, NULL,NULL, APR_HOOK_FIRST);
- /* fixups */
- ap_hook_fixups(proxy_fixup, NULL, aszSucc, APR_HOOK_FIRST);
+ /* fixup after mod_rewrite so that a [P] URL from there gets fixed up */
+ ap_hook_fixups(proxy_fixup, aszModRewrite, NULL, APR_HOOK_FIRST);
/* post read_request handling */
ap_hook_post_read_request(proxy_detect, NULL, NULL, APR_HOOK_FIRST);
/* pre config handling */
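Review bot: In hook_uri2file and hook_fixup the query string is now appended when `apr_table_get(r->notes, "proxy-nocanon")` is set, replacing the rule-local `rulestatus == ACTION_NOESCAPE`, so the branch depends on a request-wide note whose setters are only partly visible in these hunks. A comment at both tests should say which code is expected to set the note, and that with it present neither mod_rewrite nor mod_proxy escapes the URL (as the new hook_fixup comment implies), so rule authors using `[P,NE]` must make sure substitutions built from request data are already safe for the backend. The per-directory `ap_escape_uri()` call is removed on the assumption that mod_proxy's fixup now runs after mod_rewrite's. That ordering is declared in both `register_hooks` hunks, and a one-line comment in apply_rewrite_rule pointing at it would keep the dependency visible. All of these function bodies start or end outside the hunks.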

@ -26,25 +26,8 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# Send SIGWINCH for graceful stop # Send SIGWINCH for graceful stop
KillSignal=SIGWINCH KillSignal=SIGWINCH
KillMode=mixed KillMode=mixed
DevicePolicy=closed
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
OOMPolicy=continue
PrivateDevices=yes
PrivateTmp=true PrivateTmp=true
ProtectClock=yes OOMPolicy=continue
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
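Review bot: After `KillMode=mixed` the new side of this unit keeps only `PrivateTmp=true` and `OOMPolicy=continue`; the sandboxing directives on the other side (`ProtectSystem=yes`, `ProtectHome=read-only`, `PrivateDevices=yes`, `RestrictSUIDSGID=yes`, the `ProtectKernel*` set and the rest) are absent. A compromised worker or CGI script is then confined only by the service user and whatever SELinux policy applies. If the full set cannot be carried on this branch, add the ones that do not depend on the workload, for example `ProtectKernelModules=yes`, `ProtectKernelTunables=yes` and `ProtectControlGroups=yes`, and record in a unit comment which were left out and why. The same applies to the instance unit section (the one with `-f conf/%i.conf`) further down the page. The unit file starts above this hunk, so directives set earlier are not visible here.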

@ -175,7 +175,7 @@ Wants=network-online.target</programlisting>
<para>System packages (including the httpd package itself) may <para>System packages (including the httpd package itself) may
restart the httpd service automatically after packages are restart the httpd service automatically after packages are
upgraded, installed, or removed. This is done using the upgraded, installed, or removed. This is done using the
<command>systemctl try-restart httpd.service</command> command, which <command>systemctl try-restart httpd.service</command>, which
stops then starts the service if it is running.</para> stops then starts the service if it is running.</para>
<para>To disable automatic restarts, create the file <para>To disable automatic restarts, create the file
@ -183,9 +183,8 @@ Wants=network-online.target</programlisting>
When <command>httpd</command> interfaces are added in an update, When <command>httpd</command> interfaces are added in an update,
it may not be safe to <emphasis>reload</emphasis> a running it may not be safe to <emphasis>reload</emphasis> a running
service after upgrading, if updated modules require interfaces service after upgrading, if updated modules require interfaces
only available in the updated <command>httpd</command> binary. only available in the updated httpd. It is recommended to allow
It is recommended to allow automatic restarts for this automatic restarts for this reason.</para>
reason.</para>
</refsect2> </refsect2>
<refsect2> <refsect2>
@ -231,16 +230,7 @@ Wants=network-online.target</programlisting>
<refsect2> <refsect2>
<title>Process policies and restrictions</title> <title>Process policies and restrictions</title>
<para>The <command>httpd.service</command> unit enables a <para>The httpd service uses the following options:
variety of sandboxing options. Many of these prevent the service
from changing the system configuration or attributes of the
kernel - such as <emphasis>ProtectClock</emphasis> and
<emphasis>ProtectKernelModules</emphasis>. See
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on these options. Particular notice should
be taken of the following:
<itemizedlist> <itemizedlist>
<listitem><para><emphasis>PrivateTmp</emphasis> is enabled by <listitem><para><emphasis>PrivateTmp</emphasis> is enabled by
@ -256,21 +246,13 @@ Wants=network-online.target</programlisting>
the policy to <emphasis>continue</emphasis>, httpd will the policy to <emphasis>continue</emphasis>, httpd will
continue to run (and recover) if a single child is terminated continue to run (and recover) if a single child is terminated
because of excess memory consumption.</para></listitem> because of excess memory consumption.</para></listitem>
</itemizedlist>
<listitem><para><emphasis>ProtectHome</emphasis> is set to See
<emphasis>read-only</emphasis> by default. CGI scripts run via <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
<emphasis>UserDir</emphasis> will not be able modify any and
content in <filename>/home</filename> by <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
default.</para></listitem> for more information.</para>
<listitem><para><emphasis>ProtectSystem</emphasis> is set to
<emphasis>yes</emphasis> by default; this mounts various
system paths like <filename>/usr</filename> and
<filename>/boot</filename> as read-only by
default.</para></listitem>
</itemizedlist></para>
</refsect2> </refsect2>
<refsect2> <refsect2>

@ -19,25 +19,8 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
# Send SIGWINCH for graceful stop # Send SIGWINCH for graceful stop
KillSignal=SIGWINCH KillSignal=SIGWINCH
KillMode=mixed KillMode=mixed
DevicePolicy=closed
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
OOMPolicy=continue
PrivateDevices=yes
PrivateTmp=true PrivateTmp=true
ProtectClock=yes OOMPolicy=continue
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

@ -4,28 +4,16 @@
%define mmn 20120211 %define mmn 20120211
%define mmnisa %{mmn}%{__isa_name}%{__isa_bits} %define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
%define vstring %(source /etc/os-release; echo ${NAME}) %define vstring %(source /etc/os-release; echo ${NAME})
%define bugurl %(source /etc/os-release; echo ${BUG_REPORT_URL})
%if 0%{?fedora} > 26 || 0%{?rhel} > 7 %if 0%{?fedora} > 26 || 0%{?rhel} > 7
%global mpm event %global mpm event
%else %else
%global mpm prefork %global mpm prefork
%endif %endif
%if 0%{?fedora} > 35 || 0%{?rhel} > 9
%bcond_without pcre2
%bcond_with pcre
%else
%bcond_with pcre2
%bcond_without pcre
%endif
# Similar issue to https://bugzilla.redhat.com/show_bug.cgi?id=2043092
%undefine _package_note_flags
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.62 Version: 2.4.62
Release: 5%{?dist} Release: 1%{?dist}.2
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -77,60 +65,57 @@ Source48: apache-poweredby.png
Source49: httpd.sysusers Source49: httpd.sysusers
# build/scripts patches # build/scripts patches
Patch1: httpd-2.4.59-full-release.patch
Patch2: httpd-2.4.43-apxs.patch Patch2: httpd-2.4.43-apxs.patch
Patch3: httpd-2.4.43-deplibs.patch Patch3: httpd-2.4.59-deplibs.patch
# Needed for socket activation and mod_systemd patch # Needed for socket activation and mod_systemd patch
Patch19: httpd-2.4.53-detect-systemd.patch Patch19: httpd-2.4.53-detect-systemd.patch
# Features/functional changes # Features/functional changes
Patch20: httpd-2.4.48-r1842929+.patch Patch21: httpd-2.4.48-r1842929+.patch
Patch21: httpd-2.4.43-mod_systemd.patch Patch22: httpd-2.4.43-mod_systemd.patch
Patch22: httpd-2.4.53-export.patch Patch23: httpd-2.4.48-export.patch
Patch23: httpd-2.4.43-corelimit.patch Patch24: httpd-2.4.43-corelimit.patch
Patch24: httpd-2.4.54-icons.patch Patch25: httpd-2.4.57-selinux.patch
Patch25: httpd-2.4.43-cachehardmax.patch Patch26: httpd-2.4.53-icons.patch
Patch26: httpd-2.4.43-socket-activation.patch Patch27: httpd-2.4.43-cachehardmax.patch
Patch27: httpd-2.4.43-sslciphdefault.patch Patch28: httpd-2.4.62-socket-activation.patch
Patch29: httpd-2.4.43-sslprotdefault.patch Patch29: httpd-2.4.43-sslciphdefault.patch
Patch30: httpd-2.4.43-logjournal.patch Patch30: httpd-2.4.43-sslprotdefault.patch
Patch31: httpd-2.4.53-separate-systemd-fns.patch Patch31: httpd-2.4.43-logjournal.patch
Patch32: httpd-2.4.58-r1912477+.patch Patch32: httpd-2.4.48-proxy-ws-idle-timeout.patch
Patch33: httpd-2.4.54-selinux.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1949606 # https://bugzilla.redhat.com/show_bug.cgi?id=1949606
Patch34: httpd-2.4.62-freebind.patch Patch33: httpd-2.4.62-freebind.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1947496 # https://bugzilla.redhat.com/show_bug.cgi?id=2065677
Patch35: httpd-2.4.62-proxy-ws-idle-timeout.patch Patch34: httpd-2.4.53-separate-systemd-fns.patch
# https://issues.redhat.com/browse/RHEL-5071
Patch35: httpd-2.4.57-r1912477+.patch
# Bug fixes # Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch60: httpd-2.4.43-enable-sslv3.patch Patch100: httpd-2.4.43-enable-sslv3.patch
Patch61: httpd-2.4.59-no-engine.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1932442
Patch101: httpd-2.4.48-full-release.patch
# https://bz.apache.org/bugzilla/show_bug.cgi?id=69197 # https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
Patch62: httpd-2.4.62-r1919325.patch Patch102: httpd-2.4.62-r1919325.patch
# https://issues.redhat.com/browse/RHEL-36755
Patch103: httpd-2.4.62-engine-fallback.patch
# https://issues.redhat.com/browse/RHEL-68660
Patch104: httpd-2.4.62-r1921299.patch
# Security fixes # Security fixes
# Patch200: ... # https://bugzilla.redhat.com/show_bug.cgi?id=...
#
# https://bugzilla.redhat.com/show_bug.cgi?id=
# Patch200: httpd-2.4.X-CVE-XXXX-YYYYY.patch
# Apache-2.0: everything
# BSD-3-Clause: util_pcre.c, ap_regex.h
# metamail AND HPND-sell-variant:: server/util_md5.c:
# Spencer-94: modules/metadata/mod_mime_magic.c
License: Apache-2.0 AND (BSD-3-Clause AND metamail AND HPND-sell-variant AND Spencer-94)
License: ASL 2.0
BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
BuildRequires: perl-interpreter, perl-generators, systemd-devel BuildRequires: perl-interpreter, perl-generators, systemd-devel
BuildRequires: zlib-devel, libselinux-devel, lua-devel, brotli-devel BuildRequires: zlib-devel, libselinux-devel, lua-devel, brotli-devel
BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0 BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0
BuildRequires: openldap-devel
BuildRequires: systemd-rpm-macros
%if %{with pcre2}
BuildRequires: pcre2-devel
%endif
%if %{with pcre}
BuildRequires: pcre-devel > 5.0
%endif
BuildRequires: gnupg2 BuildRequires: gnupg2
Requires: system-logos(httpd-logo-ng) BuildRequires: systemd-rpm-macros
Requires: system-logos-httpd
Provides: webserver Provides: webserver
Requires: httpd-core = 0:%{version}-%{release} Requires: httpd-core = 0:%{version}-%{release}
Recommends: mod_http2, mod_lua Recommends: mod_http2, mod_lua
@ -148,12 +133,10 @@ Provides: mod_proxy_uwsgi = %{version}-%{release}
Requires: /etc/mime.types Requires: /etc/mime.types
Requires: httpd-tools = %{version}-%{release} Requires: httpd-tools = %{version}-%{release}
Requires: httpd-filesystem = %{version}-%{release} Requires: httpd-filesystem = %{version}-%{release}
%if 0%{?fedora} > 39 || 0%{?rhel} > 9
Requires: apr-util-1(dbm)%{_isa}
%endif
Requires(pre): httpd-filesystem Requires(pre): httpd-filesystem
Conflicts: apr < 1.5.0-1 Conflicts: apr < 1.5.0-1
Conflicts: httpd < 2.4.53-2 Conflicts: httpd < 2.4.53-3
Conflicts: mod_http2 < 1.15.19-3
Obsoletes: mod_proxy_uwsgi < 2.0.17.1-2 Obsoletes: mod_proxy_uwsgi < 2.0.17.1-2
%description core %description core
@ -161,8 +144,8 @@ The httpd-core package contains essential httpd binaries.
%package devel %package devel
Summary: Development interfaces for the Apache HTTP Server Summary: Development interfaces for the Apache HTTP Server
Requires: apr-devel, apr-util-devel, pkgconfig, libtool Requires: apr-devel, apr-util-devel, pkgconfig
Requires: httpd-core = 0:%{version}-%{release} Requires: httpd-core = %{version}-%{release}
%description devel %description devel
The httpd-devel package contains the APXS binary and other files The httpd-devel package contains the APXS binary and other files
@ -206,11 +189,9 @@ Epoch: 1
BuildRequires: openssl-devel BuildRequires: openssl-devel
Requires(pre): httpd-filesystem Requires(pre): httpd-filesystem
Requires: httpd-core = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} Requires: httpd-core = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
Requires: sscg >= 3.0.3, /usr/bin/hostname Requires: sscg >= 3.0.0-7, /usr/bin/hostname
# Require an OpenSSL which supports PROFILE=SYSTEM # Require an OpenSSL which supports PROFILE=SYSTEM
Conflicts: openssl-libs < 1:1.0.1h-4 Conflicts: openssl-libs < 1:1.0.1h-4
# mod_ssl/mod_nss cannot both be loaded simultaneously
Conflicts: mod_nss
%description -n mod_ssl %description -n mod_ssl
The mod_ssl module provides strong cryptography for the Apache HTTP The mod_ssl module provides strong cryptography for the Apache HTTP
@ -256,7 +237,33 @@ written in the Lua programming language.
%prep %prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%autosetup -p1 -S gendiff %setup -q
%patch2 -p1 -b .apxs
%patch3 -p1 -b .deplibs
%patch19 -p1 -b .detectsystemd
%patch21 -p1 -b .r1842929+
%patch22 -p1 -b .mod_systemd
%patch23 -p1 -b .export
%patch24 -p1 -b .corelimit
%patch25 -p1 -b .selinux
%patch26 -p1 -b .icons
%patch27 -p1 -b .cachehardmax
%patch28 -p1 -b .socketactivation
%patch29 -p1 -b .sslciphdefault
%patch30 -p1 -b .sslprotdefault
%patch31 -p1 -b .logjournal
%patch32 -p1 -b .proxy-ws-idle-timeout
%patch33 -p1 -b .freebind
%patch34 -p1 -b .separatesystemd
%patch35 -p1 -b .r1912477+
%patch100 -p1 -b .enable-sslv3
%patch101 -p1 -b .full-release
%patch102 -p1 -b .r1919325
%patch103 -p0 -b .engine-fallback
%patch104 -p1 -b .r1921299
# Patch in the vendor string # Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -296,16 +303,16 @@ s,@DOCROOT@,%{docroot},g
s,@LOGDIR@,%{_localstatedir}/log/httpd,g s,@LOGDIR@,%{_localstatedir}/log/httpd,g
' < $RPM_SOURCE_DIR/httpd.conf.xml \ ' < $RPM_SOURCE_DIR/httpd.conf.xml \
> httpd.conf.xml > httpd.conf.xml
sed 's|@BUG_REPORT_URL@|%{bugurl}|g' < $RPM_SOURCE_DIR/apachectl.xml > apachectl.xml
xmlto man ./httpd.conf.xml xmlto man ./httpd.conf.xml
xmlto man $RPM_SOURCE_DIR/htcacheclean.service.xml xmlto man $RPM_SOURCE_DIR/htcacheclean.service.xml
xmlto man $RPM_SOURCE_DIR/httpd.service.xml xmlto man $RPM_SOURCE_DIR/httpd.service.xml
xmlto man apachectl.xml
# apachectl.xml => apachectl.8
xmlto man %{SOURCE47}
: Building with MMN %{mmn}, MMN-ISA %{mmnisa} : Building with MMN %{mmn}, MMN-ISA %{mmnisa}
: Default MPM is %{mpm}, vendor string is '%{vstring}' : Default MPM is %{mpm}, vendor string is '%{vstring}'
: Regex Engine: PCRE=%{with pcre} PCRE2=%{with pcre2}
%build %build
# forcibly prevent use of bundled apr, apr-util, pcre # forcibly prevent use of bundled apr, apr-util, pcre
@ -318,7 +325,11 @@ autoheader && autoconf || exit 1
%{__perl} -pi -e "s:\@exp_installbuilddir\@:%{_libdir}/httpd/build:g" \ %{__perl} -pi -e "s:\@exp_installbuilddir\@:%{_libdir}/httpd/build:g" \
support/apxs.in support/apxs.in
%set_build_flags export CFLAGS=$RPM_OPT_FLAGS
export LDFLAGS="-Wl,-z,relro,-z,now"
# Hard-code path to links to avoid unnecessary builddep
export LYNX_PATH=/usr/bin/links
# Build the daemon # Build the daemon
./configure \ ./configure \
@ -346,33 +357,22 @@ autoheader && autoconf || exit 1
--with-suexec-uidmin=1000 --with-suexec-gidmin=1000 \ --with-suexec-uidmin=1000 --with-suexec-gidmin=1000 \
--with-brotli \ --with-brotli \
--enable-pie \ --enable-pie \
%if %{with pcre2} --with-pcre=/usr/bin/pcre-config \
--with-pcre2=%{_bindir}/pcre2-config \
%endif
%if %{with pcre}
--with-pcre=%{_bindir}/pcre-config \
%endif
--enable-mods-shared=all \ --enable-mods-shared=all \
--enable-ssl --with-ssl --disable-distcache \ --enable-ssl --with-ssl --disable-distcache \
--enable-proxy --enable-proxy-fdpass \ --enable-proxy --enable-proxy-fdpass \
--enable-cache \ --enable-cache \
--enable-disk-cache \ --enable-disk-cache \
--enable-ldap --enable-authnz-ldap \ --enable-ldap --enable-authnz-ldap \
--enable-cgid --enable-cgi --enable-authnz-fcgi \ --enable-cgid --enable-cgi \
--enable-cgid-fdpassing \ --enable-cgid-fdpassing \
--enable-authn-anon --enable-authn-alias \ --enable-authn-anon --enable-authn-alias \
--enable-authnz-fcgi \
--enable-systemd \ --enable-systemd \
--disable-imagemap --disable-file-cache \ --disable-imagemap --disable-file-cache \
--disable-http2 \ --disable-http2 \
--disable-md \ --disable-md \
$* $*
if grep -q ac_cv_have_threadsafe_pollset=no config.log; then
cat config.log
: Failed to find thread-safe APR.
exit 1
fi
%make_build %make_build
%install %install
@ -411,9 +411,8 @@ touch -r $RPM_SOURCE_DIR/00-mpm.conf \
# install systemd override drop directory # install systemd override drop directory
# Web application packages can drop snippets into this location if # Web application packages can drop snippets into this location if
# they need ExecStart[pre|post]. # they need ExecStart[pre|post].
mkdir $RPM_BUILD_ROOT%{_unitdir}/httpd.service.d \ mkdir $RPM_BUILD_ROOT%{_unitdir}/httpd.service.d
$RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d mkdir $RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/httpd.service.d
install -m 644 -p $RPM_SOURCE_DIR/10-listen443.conf \ install -m 644 -p $RPM_SOURCE_DIR/10-listen443.conf \
$RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d/10-listen443.conf $RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d/10-listen443.conf
@ -478,7 +477,6 @@ cat > $RPM_BUILD_ROOT%{_rpmconfigdir}/macros.d/macros.httpd <<EOF
%%_httpd_contentdir %{contentdir} %%_httpd_contentdir %{contentdir}
%%_httpd_moddir %%{_libdir}/httpd/modules %%_httpd_moddir %%{_libdir}/httpd/modules
%%_httpd_requires Requires: httpd-mmn = %%{_httpd_mmn} %%_httpd_requires Requires: httpd-mmn = %%{_httpd_mmn}
%%_httpd_statedir %%{_localstatedir}/lib/httpd
EOF EOF
# Handle contentdir # Handle contentdir
@ -514,10 +512,9 @@ ln -s ../../pixmaps/poweredby.png \
$RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png
# Symlink for the system logo # Symlink for the system logo
%if 0%{?rhel} >= 9
ln -s ../../pixmaps/system-noindex-logo.png \ ln -s ../../pixmaps/system-noindex-logo.png \
$RPM_BUILD_ROOT%{contentdir}/icons/system_noindex_logo.png $RPM_BUILD_ROOT%{contentdir}/icons/system_noindex_logo.png
%endif
# symlinks for /etc/httpd # symlinks for /etc/httpd
rmdir $RPM_BUILD_ROOT/etc/httpd/{state,run} rmdir $RPM_BUILD_ROOT/etc/httpd/{state,run}
@ -581,12 +578,9 @@ sed -i '/instdso/s,top_srcdir,top_builddir,' \
cp -p $RPM_BUILD_ROOT%{_libdir}/httpd/build/config_vars.mk \ cp -p $RPM_BUILD_ROOT%{_libdir}/httpd/build/config_vars.mk \
$RPM_BUILD_ROOT%{_libdir}/httpd/build/vendor_config_vars.mk $RPM_BUILD_ROOT%{_libdir}/httpd/build/vendor_config_vars.mk
# Sanitize CFLAGS & LIBTOOL in standard config_vars.mk # Sanitize CFLAGS in standard config_vars.mk
sed -e '/^[A-Z]*FLAGS = /s,-specs[^ ]*,,g' \ sed '/^CFLAGS/s,=.*$,= -O2 -g -Wall,' \
-e '/^LIBTOOL/s,/.*/libtool,%{_bindir}/libtool,' \
-i $RPM_BUILD_ROOT%{_libdir}/httpd/build/config_vars.mk -i $RPM_BUILD_ROOT%{_libdir}/httpd/build/config_vars.mk
diff -u $RPM_BUILD_ROOT%{_libdir}/httpd/build/vendor_config_vars.mk \
$RPM_BUILD_ROOT%{_libdir}/httpd/build/config_vars.mk || true
sed 's/config_vars.mk/vendor_config_vars.mk/' \ sed 's/config_vars.mk/vendor_config_vars.mk/' \
$RPM_BUILD_ROOT%{_bindir}/apxs \ $RPM_BUILD_ROOT%{_bindir}/apxs \
@ -615,6 +609,7 @@ rm -rf $RPM_BUILD_ROOT/etc/httpd/conf/{original,extra}
%pre filesystem %pre filesystem
%sysusers_create_compat %{SOURCE49} %sysusers_create_compat %{SOURCE49}
%post %post
%systemd_post httpd.service htcacheclean.service httpd.socket %systemd_post httpd.service htcacheclean.service httpd.socket
@ -682,6 +677,7 @@ exit $rv
%config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/00-brotli.conf %config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/00-brotli.conf
%config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/00-systemd.conf %config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/00-systemd.conf
%{_libdir}/httpd/modules/mod_brotli.so %{_libdir}/httpd/modules/mod_brotli.so
%{_libdir}/httpd/modules/mod_systemd.so %{_libdir}/httpd/modules/mod_systemd.so
@ -691,6 +687,7 @@ exit $rv
%{_unitdir}/*.socket %{_unitdir}/*.socket
%files core %files core
%doc ABOUT_APACHE README CHANGES LICENSE VERSIONING NOTICE %doc ABOUT_APACHE README CHANGES LICENSE VERSIONING NOTICE
%doc docs/conf/extra/*.conf %doc docs/conf/extra/*.conf
%doc instance.conf server-status.conf %doc instance.conf server-status.conf
@ -700,7 +697,6 @@ exit $rv
%{_sysconfdir}/httpd/state %{_sysconfdir}/httpd/state
%{_sysconfdir}/httpd/run %{_sysconfdir}/httpd/run
%dir %{_sysconfdir}/httpd/conf %dir %{_sysconfdir}/httpd/conf
%config(noreplace) %{_sysconfdir}/httpd/conf/httpd.conf %config(noreplace) %{_sysconfdir}/httpd/conf/httpd.conf
%config(noreplace) %{_sysconfdir}/httpd/conf/magic %config(noreplace) %{_sysconfdir}/httpd/conf/magic
@ -765,7 +761,6 @@ exit $rv
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
%files filesystem %files filesystem
%dir %{_sysconfdir}/httpd %dir %{_sysconfdir}/httpd
%dir %{_sysconfdir}/httpd/conf.d %dir %{_sysconfdir}/httpd/conf.d
@ -777,7 +772,6 @@ exit $rv
%dir %{contentdir}/icons %dir %{contentdir}/icons
%attr(755,root,root) %dir %{_unitdir}/httpd.service.d %attr(755,root,root) %dir %{_unitdir}/httpd.service.d
%attr(755,root,root) %dir %{_unitdir}/httpd.socket.d %attr(755,root,root) %dir %{_unitdir}/httpd.socket.d
%attr(755,root,root) %dir %{_sysconfdir}/systemd/system/httpd.service.d
%{_sysusersdir}/httpd.conf %{_sysusersdir}/httpd.conf
%files tools %files tools
@ -831,243 +825,234 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.4.62-5 * Fri Jan 10 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1.2
- Bump release for October 2024 mass rebuild: - Resolves: RHEL-73580 - RewriteRule proxying to UDS (unix domain socket)
Resolves: RHEL-64018 configured in .htaccess doesn't work on httpd-2.4.62-1
* Mon Aug 12 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-4
- Resolves: RHEL-50031 - httpd default config changes
* Thu Aug 08 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-3
- Resolves: RHEL-53632 - RFE: httpd, add IP_FREEBIND support for Listen
- Resolves: RHEL-53722 - [RFE] ProxyWebsocketIdleTimeout from
httpd mod_proxy_wstunnel
* Sat Aug 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-2 * Thu Nov 28 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1.1
- Resolves: RHEL-52722 - Regression introduced by CVE-2024-38474 fix - mod_ssl: fix loading keys via ENGINE API
Resolves: RHEL-69456
* Fri Jul 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1 * Sat Aug 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1
- new version 2.4.62 - new version 2.4.62
- Resolves: RHEL-33446 - Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix
* Wed Jul 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.61-1 * Fri Jul 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.59-7
- new version 2.4.61 - Resolves: RHEL-49856: htcacheclean.service missing [Install] section
- Resolves: RHEL-45753 - httpd: Potential SSRF in
mod_rewrite (CVE-2024-39573)
- Resolves: RHEL-45757 - httpd: null pointer dereference in
mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45776 - httpd: Improper escaping of output in
mod_rewrite (CVE-2024-38475)
- Resolves: RHEL-45791 - httpd: Encoding problem in
mod_proxy (CVE-2024-38473)
- Resolves: RHEL-45811 - httpd: Substitution encoding issue in
mod_rewrite (CVE-2024-38474)
- Resolves: RHEL-46051 - httpd: Security issues via backend applications
whose response headers are malicious or exploitable (CVE-2024-38476)
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.59-4.4 * Thu May 30 2024 Joe Orton <jorton@redhat.com> - 2.4.59-6
- Bump release for June 2024 mass rebuild - mod_ssl: restore SSL_OP_NO_RENEGOTIATE support
Related: RHEL-14668
* Thu May 23 2024 Joe Orton <jorton@redhat.com> - 2.4.59-3.4 * Tue May 21 2024 Joe Orton <jorton@redhat.com> - 2.4.59-5
- mod_ssl: disable ENGINE support - mod_ssl: defer ENGINE_finish() calls to a cleanup
Resolves: RHEL-33734 Resolves: RHEL-36755
* Fri May 17 2024 Joe Orton <jorton@redhat.com> - 2.4.59-3.2 * Mon May 20 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.59-4
- mod_ssl: use SSL_OP_NO_RENEGOTIATION - Resolves: RHEL-6575 - [RFE] httpd use systemd-sysusers
* Fri May 3 2024 Joe Orton <jorton@redhat.com> - 2.4.59-3.1 * Wed May 08 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.59-3
- apachectl(8): use BUG_REPORT_URL from /etc/os-release - Related: RHEL-14668 - RFE: httpd rebase to 2.4.59
- apachectl(8): fix grammar (#2278748)
- httpd.service.xml(8): mention ProtectSystem= setting
* Wed May 1 2024 Joe Orton <jorton@redhat.com> - 2.4.59-3 * Wed May 8 2024 Joe Orton <jorton@redhat.com> - 2.4.59-2
- add ServerTokens: Full-Release support - Resolves: RHEL-35870 - httpd mod_cgi/cgid unification
* Mon Apr 15 2024 Joe Orton <jorton@redhat.com> - 2.4.59-2 * Fri May 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.59-1
- mod_ssl: add DH param handling fix (r1916863) - new version 2.4.59
- Resolves: RHEL-14668 - RFE: httpd rebase to 2.4.59
- Resolves: RHEL-31856 - httpd: HTTP response splitting
(CVE-2023-38709)
- Resolves: RHEL-31859 - httpd: HTTP Response Splitting in multiple
modules (CVE-2024-24795)
* Fri Apr 5 2024 Joe Orton <jorton@redhat.com> - 2.4.59-1 * Wed Feb 7 2024 Joe Orton <jorton@redhat.com> - 2.4.57-8
- update to 2.4.59 - mod_xml2enc: fix media type handling
Resolves: RHEL-17686
- mod_dav: add DavBasePath
Resolves: RHEL-6600
* Thu Mar 28 2024 Joe Orton <jorton@redhat.com> - 2.4.58-8 * Mon Feb 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-7
- rebuild to fix changelog ordering - Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
vulnerability (CVE-2023-31122)
* Thu Mar 7 2024 Rahul Sundaram <sundaram@fedoraproject.org> - 2.4.58-7 * Wed Oct 4 2023 Joe Orton <jorton@redhat.com> - 2.4.57-6
- Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening - Resolves: RHEL-5071 - mod_dav_fs: add DavLockDBType
- updated httpd.service(5) (Joe Orton) - mod_dav_fs: add global mutex around lockdb interaction
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.58-6 * Thu Jul 20 2023 Tomas Korbar <tkorbar@redhat.com> - 2.4.57-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - Fix issue found by covscan
- Related: #2222001
* Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.58-5 * Tue Jul 18 2023 Joe Orton <jorton@redhat.com> - 2.4.57-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - Resolves: #2217726 - Make PROPFIND tolerant of deletion race
* Fri Jan 5 2024 Joe Orton <jorton@redhat.com> - 2.4.58-4 * Tue Jul 11 2023 Tomas Korbar <tkorbar@redhat.com> - 2.4.57-3
- fix OpenSSL 3.0 deprecation warnings (r1913912, r1915067) - Resolves: #2222001 - mod_status lists BusyWorkers IdleWorkers keys twice
- mod_ssl: move to provider API for pkcs11 support (#2253014)
* Fri Dec 8 2023 Joe Orton <jorton@redhat.com> - 2.4.58-3 * Fri Apr 14 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-2
- mod_dav_fs: add DAVLockDBType, use global lock around lockdb - Resolves: #2186645 - Fix issue found by covscan in httpd package
- fix build with libxml2 2.12 - Resolves: #2173295 - Include Apache httpd module mod_authnz_fcgi
* Thu Nov 2 2023 Joe Orton <jorton@redhat.com> - 2.4.58-2
- add dependency on apr-util-1(dbm) so a DBM provider is present
* Fri Oct 20 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.58-1
- new version 2.4.58
* Fri Oct 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-4
- SPDX migration
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.57-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jul 5 2023 Joe Orton <jorton@redhat.com> - 2.4.57-2
- package /etc/systemd/httpd/httpd.service.d
- also sanitize LDFLAGS/CXXFLAGS in non-vendor config_vars.mk
* Tue Apr 11 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-1 * Tue Apr 11 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-1
- new version 2.4.57 - Resolves: #2184403 - rebase httpd to 2.4.57
- Resolves: #2177753 - CVE-2023-25690 httpd: HTTP request splitting with
* Thu Mar 09 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.56-1 mod_rewrite and mod_proxy
- new version 2.4.56
* Mon Jan 30 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-11
* Tue Mar 7 2023 Joe Orton <jorton@redhat.com> - 2.4.55-3 - Resolves: #2162500 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write
- build and load mod_authnz_fcgi of zero byte
- Resolves: #2162486 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting
* Fri Feb 03 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.55-2 - Resolves: #2162510 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request
- rebuilt with new apr/apr-util smuggling
* Wed Jan 25 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.55-1 * Tue Jan 24 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-10
- new version 2.4.55 - Resolves: #2160667 - prevent sscg creating /dhparams.pem
* Tue Jan 24 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-12 * Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-9
- prevent sscg writing /dhparams.pem - Resolves: #2143176 - Dependency from mod_http2 on httpd broken
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.54-11 * Tue Dec 06 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - Resolves: #2151313 - reduce AH03408 log level from WARNING to INFO
* Tue Dec 20 2022 Joe Orton <jorton@redhat.com> - 2.4.54-10 * Wed Jul 20 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-7
- htcacheclean.service: add [Install] section, PrivateTmp=yes, - Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request
Environment=LANG=C (#2149714) smuggling
- Resolves: #2097032 - CVE-2022-28615 httpd: out-of-bounds read in
* Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-9 ap_strcmp_match()
- move SELinux context logging to mod_systemd - Resolves: #2098248 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped
by hop-by-hop mechanism
* Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-8 - Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()
- define _httpd_statedir macro - Resolves: #2097452 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody
- Resolves: #2097459 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability
* Wed Nov 30 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-7 - Resolves: #2097481 - CVE-2022-30556 httpd: mod_lua: Information disclosure
- reduce AH03408 level to INFO in proxy_util.c with websockets
* Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
- Related: #2065677 - httpd minimisation for ubi-micro
* Fri Jun 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-5
- Resolves: #2098056 - mod_ldap: High CPU usage at apr_ldap_rebind_remove()
* Thu Jun 16 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-4
- Resolves: #2095838 - mod_mime_magic: invalid type 0 in mconvert()
* Wed Jun 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-3
- Resolves: #2065677 - httpd minimisation for ubi-micro
- minimize httpd dependencies (new httpd-core package)
- mod_systemd and mod_brotli are now packaged in the main httpd package
* Tue May 31 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-1
- new version 2.4.53
- Resolves: #2079939 - httpd rebase to 2.4.53
- Resolves: #2075406 - httpd.conf uses icon bomb.gif for all files/dirs ending
with core
* Thu Oct 13 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-6 * Mon Apr 11 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-8
- Provide a sysusers.d file to get user() and group() provides (#2134430) - Resolves: #2073459 - Cannot override LD_LIBARY_PATH in Apache HTTPD using
SetEnv or PassEnv
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.54-5 * Mon Mar 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild - Resolves: #2065251 - CVE-2022-22720 httpd: HTTP request smuggling
vulnerability in Apache HTTP Server 2.4.52 and earlier
- Resolves: #2066311 - CVE-2021-44224 httpd: possible NULL dereference or SSRF
in forward proxy configurations
* Fri Jun 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-4 * Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-5
- fix downgrade/upgrade issues - Resolves: #2035064 - CVE-2021-44790 httpd: mod_lua: possible buffer overflow
- mod_ssl and other modules should depend only on httpd-core package when parsing multipart content
* Fri Jun 17 2022 Joe Orton <jorton@redhat.com> - 2.4.54-3 * Mon Dec 06 2021 Neal Gompa <ngompa@centosproject.org> - 2.4.51-4
- update PCRE config selection - Use NAME from os-release(5) for vendor string
Resolves: #2029071 - httpd on CentOS identifies as RHEL
* Thu Jun 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-2 * Fri Dec 3 2021 Joe Orton <jorton@redhat.com> - 2.4.51-3
- new version 2.4.54 - add fixes for static analyzer issues (#1938740)
* Mon May 16 2022 Joe Orton <jorton@redhat.com> - 2.4.53-7 * Mon Nov 08 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-2
- disable package notes - Resolves: #2005416 - httpd default configuration changes
* Fri May 13 2022 Joe Orton <jorton@redhat.com> - 2.4.53-6 * Tue Oct 19 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-1
- use %%set_build_flags macro - new version 2.4.51 (#2011090)
* Thu Apr 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-5 * Fri Sep 17 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-1
- don't use bomb.gif icon for all files/dirs ending with core - new version 2.4.49 (#2005339)
* Wed Apr 20 2022 Joe Orton <jorton@redhat.com> - 2.4.53-4 * Wed Sep 15 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-18
- switch to PCRE2 for new releases - Resolves: #2004143 - RFE: mod_ssl: allow sending multiple CA names which
differ only in case
* Thu Apr 07 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-3 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.48-17
- Related: #2070517 - fix issue when mod_systemd is not loaded - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Mar 30 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-2 * Fri Aug 06 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-16
- Resolves: #2070517 - Allow install httpd with smaller footprint - Resolves: #1956386 - Apache trademark update - new logo
- try to minimize httpd dependencies (new httpd-core package)
- mod_systemd and mod_brotli are now in the main httpd package
* Thu Mar 17 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-1 * Fri Aug 6 2021 Florian Weimer <fweimer@redhat.com> - 2.4.48-14
- new version 2.4.53 - Rebuild to pick up new build flags from redhat-rpm-config (#1984652)
- fixes CVE-2022-23943, CVE-2022-22721, CVE-2022-22720 and CVE-2022-22719
* Tue Feb 1 2022 Joe Orton <jorton@redhat.com> - 2.4.52-5 * Wed Jul 28 2021 Joe Orton <jorton@redhat.com> - 2.4.48-13
- rebuild for new OpenLDAP (#2032699) - mod_ssl: OpenSSL 3 compatibility update (#1986822)
* Mon Jan 31 2022 Joe Orton <jorton@redhat.com> - 2.4.52-4 * Thu Jul 15 2021 Joe Orton <jorton@redhat.com> - 2.4.48-12
- add libtool to Requires: for httpd-devel (#2048281) - mod_ssl: add SSLKEYLOGFILE support (#1982656)
* Fri Jan 28 2022 Joe Orton <jorton@redhat.com> - 2.4.52-3 * Mon Jul 12 2021 Joe Orton <jorton@redhat.com> - 2.4.48-11
- use LIBTOOL=/usr/bin/libtool in the non-vendor config_vars.mk - mod_cgid: fix doubled script timeout (#1977234)
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.52-2 * Fri Jul 9 2021 Joe Orton <jorton@redhat.com> - 2.4.48-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - fix release in ServerTokens Full-Release (#1932442)
* Wed Dec 22 2021 Joe Orton <jorton@redhat.com> - 2.4.52-1 * Wed Jul 7 2021 Joe Orton <jorton@redhat.com> - 2.4.48-9
- update to 2.4.52 - use OOMPolicy=continue in httpd.service, httpd@.service (#1947475)
* Mon Dec 06 2021 Neal Gompa <ngompa@fedoraproject.org> - 2.4.51-3
- Use NAME from os-release(5) for vendor string
Related: #2029071 - httpd on CentOS identifies as RHEL
* Tue Oct 12 2021 Joe Orton <jorton@redhat.com> - 2.4.51-2 * Thu Jul 01 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-8
- mod_ssl: updated patch for OpenSSL 3.0 compatibility (#2007178) - Resolves: #1950021 - [RFE] Update httpd directive SSLProxyMachineCertificateFile
- mod_deflate/core: add two brigade handling correctness fixes to be able to handle certs without matching private key
* Thu Oct 07 2021 Patrick Uiterwijk <patrick@puiterwijk.org> - 2.4.51-1 * Thu Jul 01 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-7
- new version 2.4.51 - Resolves: #1950011 - unorderly connection close when client attempts
renegotiation
* Tue Oct 05 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.50-1 * Thu Jul 01 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-6
- new version 2.4.50 - Resolves: #1932442 - "ServerTokens Full-Release" support
* Wed Sep 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-3 * Fri Jun 25 2021 Joe Orton <jorton@redhat.com> - 2.4.48-5
- Rebuilt for CI testing - mod_ssl: fix loading encrypted privkeys with OpenSSL 3.0 (#1976080)
* Thu Sep 16 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-1 * Fri Jun 25 2021 Joe Orton <jorton@redhat.com> - 2.4.48-4
- new version 2.4.49 (#2004776) - add OpenSSL v3 compatibility fixes (#1975201)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.4.48-8 * Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.48-3
- Rebuilt with OpenSSL 3.0.0 - Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Fri Aug 06 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-7 * Tue Jun 08 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-2
- add symlink to system logo for noindex test page - Resolves: #1947099 - centralizing default index.html for httpd
* Fri Aug 6 2021 Joe Orton <jorton@redhat.com> - 2.4.48-4 * Wed Jun 02 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-1
- add OpenSSL 3.x compatibility patch - new version 2.4.48
- Resolves: #1952817 - rebase to 2.4.48
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.48-3 * Wed May 26 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.46-15
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - Resolves: #1949606 - RFE: httpd, add IP_FREEBIND support for Listen
* Fri Jul 16 2021 Joe Orton <jorton@redhat.com> - 2.4.48-2 * Wed May 19 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-14
- mod_cgi/mod_cgid: update to unification from trunk - Resolves: #1949969 - httpd : mod_proxy should allow to specify
- httpd.conf: add note on care with Listen and starting at boot Proxy-Authorization in ProxyRemote directive
* Wed Jun 02 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-1 * Thu Apr 22 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-13
- new version 2.4.48 - Resolves: #1952546 - mod_proxy_wstunnel.html is a malformed XML
- Resolves: #1964746 - httpd-2.4.48 is available
* Mon May 03 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-13 * Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.46-12
- Related: #1934739 - Apache trademark update - new logo - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Fri Apr 9 2021 Joe Orton <jorton@redhat.com> - 2.4.46-12 * Tue Apr 13 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-11
- use OOMPolicy=continue in httpd.service, httpd@.service (#1947475) - Resolves: #1947496 - [RFE] ProxyWebsocketIdleTimeout from httpd mod_proxy_wstunnel
* Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-11 * Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-10
- Resolves: #1934739 - Apache trademark update - new logo - Resolves: #1934739 - Apache trademark update - new logo
* Tue Feb 23 2021 Joe Orton <jorton@redhat.com> - 2.4.46-10
- add Conflicts: with mod_nss
- drop use of apr_ldap_rebind (r1878890, #1847585)
* Mon Feb 01 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-9 * Mon Feb 01 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-9
- Resolves: #1914182 - RFE: CustomLog should be able to use journald - Resolves: #1914182 - RFE: CustomLog should be able to use journald
