Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: www-servers/apache/files/, www-servers/apache/
Date: Wed, 02 Nov 2016 14:39:24
Message-Id: 1478097555.692a27baa1b889755b928d2766f9efee17462291.polynomial-c@gentoo
1 commit: 692a27baa1b889755b928d2766f9efee17462291
2 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3 AuthorDate: Wed Nov 2 14:38:57 2016 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Wed Nov 2 14:39:15 2016 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=692a27ba
7
8 www-servers/apache: Security revbumps for CVE-2016-5387 (bug #589226).
9
10 Also fixes fcgi bug in apache-2.4.23 (bug #591288).
11
12 Package-Manager: portage-2.3.2
13 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
14
15 www-servers/apache/Manifest | 1 +
16 www-servers/apache/apache-2.2.31-r1.ebuild | 119 +++++++++++
17 www-servers/apache/apache-2.4.23-r2.ebuild | 245 ++++++++++++++++++++++
18 www-servers/apache/files/apache-asf-httpoxy.patch | 20 ++
19 4 files changed, 385 insertions(+)
20
21 diff --git a/www-servers/apache/Manifest b/www-servers/apache/Manifest
22 index 5482f14..a266c24 100644
23 --- a/www-servers/apache/Manifest
24 +++ b/www-servers/apache/Manifest
25 @@ -1,3 +1,4 @@
26 +DIST apache-2.4.23-fcgi_fix.patch 1186 SHA256 2943092f4d16f998bed1839d762be6b12254bb59b54e027ae17a2f8042c0eac7 SHA512 5dd1d2eee99322d7af398e7e9c46da4275b83d47bbdac663c022fab734715aabaf5cf0e7abe9bf7b90b69a7b6456f4df55ec33519844124906ad9021f0331e01 WHIRLPOOL 80b03d44e861b08ade36fb317a7aa8cb13a7b79b80b6d59d90d404c9ce99590d8466cb098812b4e2fbb85e69fc7a69ce973269b1ec6ce516e2ad835566534f8e
27 DIST gentoo-apache-2.2.29-20140922.tar.bz2 64135 SHA256 8c69c36c2f40fb81ee905b4dd72ab74aab4563c75149d302f372a451498e2678 SHA512 1d9aa12aa3ab79b5f80ee3fda020b33ff6798e5b1abbcbc138acea06a1ab9968ad240d2bdf9c5dbb9640fa9fb6718eec7175df7cc0fb8574cc4d7d5cdfb5bcc4 WHIRLPOOL f655300f0dcd2f4503cbdb25983fed902e4b717ff57e06f66486bebd0ed7cb8df56387be74b4259bfffad949bb446c5ec28f89065b6d5239585324b610be7b88
28 DIST gentoo-apache-2.4.18-r1-20160303.tar.bz2 24505 SHA256 d81e32d876594b48a7ff6d9123bf776c5bea5453eddd2fe40f4a9b79c11537aa SHA512 68f0c4de38ae05c45839fe692cbb7de641e331ca133b8aaaf69f3659dec15833cda95e6e074edb3a5b6b6d59b3fc5a4ee3589fff810707fe27417a25cd8a4c4d WHIRLPOOL fb61224b2104e611237e1d09eb4dfb3d2b8f023348c9622f7f19434b6b77d63786c41af17a300d994c14d983676f3753ab6fa52f7a7fcd07b9cea3d7eeacc9b9
29 DIST httpd-2.2.31.tar.bz2 5610489 SHA256 f32f9d19f535dac63b06cb55dfc023b40dcd28196b785f79f9346779e22f26ac SHA512 5aa47d4b76f692bbd8b309135ff99152df98cf69b505b9daf3f13f7f2a31443eaf4995161adfbc47a133b4d0e091fda2d95fc6b87a956f0ada18d7466ee28e74 WHIRLPOOL a2e3e53c51719cb6f7e641b41788cd89ce7b4d2ea105b403bfa3b3d4479b69c5604228269062f66722594e105e91121d05b1c9f27ca7dc4ecfcf339da8b8375c
30
31 diff --git a/www-servers/apache/apache-2.2.31-r1.ebuild b/www-servers/apache/apache-2.2.31-r1.ebuild
32 new file mode 100644
33 index 00000000..5e2b8c7
34 --- /dev/null
35 +++ b/www-servers/apache/apache-2.2.31-r1.ebuild
36 @@ -0,0 +1,119 @@
37 +# Copyright 1999-2016 Gentoo Foundation
38 +# Distributed under the terms of the GNU General Public License v2
39 +# $Id$
40 +
41 +EAPI=5
42 +
43 +# latest gentoo apache files
44 +GENTOO_PATCHSTAMP="20140922"
45 +GENTOO_DEVELOPER="polynomial-c"
46 +GENTOO_PATCHNAME="gentoo-apache-2.2.29"
47 +
48 +# IUSE/USE_EXPAND magic
49 +IUSE_MPMS_FORK="itk peruser prefork"
50 +IUSE_MPMS_THREAD="event worker"
51 +
52 +IUSE_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon
53 +authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default
54 +authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta
55 +charset_lite cgi cgid dav dav_fs dav_lock dbd deflate dir disk_cache dumpio
56 +env expires ext_filter file_cache filter headers ident imagemap include info
57 +log_config log_forensic logio mem_cache mime mime_magic negotiation proxy
58 +proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http proxy_scgi rewrite
59 +reqtimeout setenvif speling status substitute unique_id userdir usertrack
60 +version vhost_alias"
61 +# The following are also in the source as of this version, but are not available
62 +# for user selection:
63 +# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
64 +# optional_fn_import optional_hook_export optional_hook_import
65 +
66 +# inter-module dependencies
67 +# TODO: this may still be incomplete
68 +MODULE_DEPENDS="
69 + dav_fs:dav
70 + dav_lock:dav
71 + deflate:filter
72 + disk_cache:cache
73 + ext_filter:filter
74 + file_cache:cache
75 + log_forensic:log_config
76 + logio:log_config
77 + mem_cache:cache
78 + mime_magic:mime
79 + proxy_ajp:proxy
80 + proxy_balancer:proxy
81 + proxy_connect:proxy
82 + proxy_ftp:proxy
83 + proxy_http:proxy
84 + proxy_scgi:proxy
85 + substitute:filter
86 +"
87 +
88 +# module<->define mappings
89 +MODULE_DEFINES="
90 + auth_digest:AUTH_DIGEST
91 + authnz_ldap:AUTHNZ_LDAP
92 + cache:CACHE
93 + dav:DAV
94 + dav_fs:DAV
95 + dav_lock:DAV
96 + disk_cache:CACHE
97 + file_cache:CACHE
98 + info:INFO
99 + ldap:LDAP
100 + mem_cache:CACHE
101 + proxy:PROXY
102 + proxy_ajp:PROXY
103 + proxy_balancer:PROXY
104 + proxy_connect:PROXY
105 + proxy_ftp:PROXY
106 + proxy_http:PROXY
107 + ssl:SSL
108 + status:STATUS
109 + suexec:SUEXEC
110 + userdir:USERDIR
111 +"
112 +
113 +# critical modules for the default config
114 +MODULE_CRITICAL="
115 + authz_host
116 + dir
117 + mime
118 +"
119 +
120 +inherit apache-2 systemd toolchain-funcs
121 +
122 +DESCRIPTION="The Apache Web Server"
123 +HOMEPAGE="https://httpd.apache.org/"
124 +
125 +# some helper scripts are Apache-1.1, thus both are here
126 +LICENSE="Apache-2.0 Apache-1.1"
127 +SLOT="2"
128 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd"
129 +IUSE=""
130 +
131 +PATCHES=(
132 + "${FILESDIR}/${PN}-asf-httpoxy.patch"
133 +)
134 +
135 +src_configure() {
136 + # Brain dead check.
137 + tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
138 +
139 + apache-2_src_configure
140 +}
141 +
142 +src_install() {
143 + apache-2_src_install
144 +
145 + # install apxs in /usr/bin (bug #502384) and put a symlink into the
146 + # old location until all ebuilds and eclasses have been modified to
147 + # use the new location.
148 + local apxs_dir="/usr/bin"
149 + dodir ${apxs_dir}
150 + mv "${D}"/usr/sbin/apxs "${D}"${apxs_dir} || die
151 + ln -s ../bin/apxs "${D}"/usr/sbin/apxs || die
152 +
153 + systemd_newunit "${FILESDIR}/apache2.2.service" "apache2.service"
154 + systemd_dotmpfilesd "${FILESDIR}/apache.conf"
155 +}
156
157 diff --git a/www-servers/apache/apache-2.4.23-r2.ebuild b/www-servers/apache/apache-2.4.23-r2.ebuild
158 new file mode 100644
159 index 00000000..80874b3
160 --- /dev/null
161 +++ b/www-servers/apache/apache-2.4.23-r2.ebuild
162 @@ -0,0 +1,245 @@
163 +# Copyright 1999-2016 Gentoo Foundation
164 +# Distributed under the terms of the GNU General Public License v2
165 +# $Id$
166 +
167 +EAPI=5
168 +
169 +# latest gentoo apache files
170 +GENTOO_PATCHSTAMP="20160303"
171 +GENTOO_DEVELOPER="polynomial-c"
172 +GENTOO_PATCHNAME="gentoo-apache-2.4.18-r1"
173 +
174 +# IUSE/USE_EXPAND magic
175 +IUSE_MPMS_FORK="prefork"
176 +IUSE_MPMS_THREAD="event worker"
177 +
178 +# << obsolete modules:
179 +# authn_default authz_default mem_cache
180 +# mem_cache is replaced by cache_disk
181 +# ?? buggy modules
182 +# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
183 +# >> added modules for reason:
184 +# compat: compatibility with 2.2 access control
185 +# authz_host: new module for access control
186 +# authn_core: functionality provided by authn_alias in previous versions
187 +# authz_core: new module, provides core authorization capabilities
188 +# cache_disk: replacement for mem_cache
189 +# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
190 +# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
191 +# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
192 +# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
193 +# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
194 +# socache_shmcb: shared object cache provider. Default config with ssl needs it
195 +# unixd: fixes startup error: Invalid command 'User'
196 +IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest
197 +authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core
198 +authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
199 +cache cache_disk cern_meta charset_lite cgi cgid dav dav_fs dav_lock dbd deflate
200 +dir dumpio env expires ext_filter file_cache filter headers http2 ident imagemap
201 +include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
202 +lbmethod_heartbeat log_config log_forensic logio macro mime mime_magic negotiation
203 +proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi
204 +proxy_fcgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif
205 +slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack
206 +unixd version vhost_alias"
207 +# The following are also in the source as of this version, but are not available
208 +# for user selection:
209 +# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
210 +# optional_fn_import optional_hook_export optional_hook_import
211 +
212 +# inter-module dependencies
213 +# TODO: this may still be incomplete
214 +MODULE_DEPENDS="
215 + dav_fs:dav
216 + dav_lock:dav
217 + deflate:filter
218 + cache_disk:cache
219 + ext_filter:filter
220 + file_cache:cache
221 + lbmethod_byrequests:proxy_balancer
222 + lbmethod_byrequests:slotmem_shm
223 + lbmethod_bytraffic:proxy_balancer
224 + lbmethod_bybusyness:proxy_balancer
225 + lbmethod_heartbeat:proxy_balancer
226 + log_forensic:log_config
227 + logio:log_config
228 + cache_disk:cache
229 + mime_magic:mime
230 + proxy_ajp:proxy
231 + proxy_balancer:proxy
232 + proxy_balancer:slotmem_shm
233 + proxy_connect:proxy
234 + proxy_ftp:proxy
235 + proxy_html:proxy
236 + proxy_http:proxy
237 + proxy_scgi:proxy
238 + proxy_fcgi:proxy
239 + proxy_wstunnel:proxy
240 + substitute:filter
241 +"
242 +
243 +# module<->define mappings
244 +MODULE_DEFINES="
245 + auth_digest:AUTH_DIGEST
246 + authnz_ldap:AUTHNZ_LDAP
247 + cache:CACHE
248 + cache_disk:CACHE
249 + dav:DAV
250 + dav_fs:DAV
251 + dav_lock:DAV
252 + file_cache:CACHE
253 + http2:HTTP2
254 + info:INFO
255 + ldap:LDAP
256 + proxy:PROXY
257 + proxy_ajp:PROXY
258 + proxy_balancer:PROXY
259 + proxy_connect:PROXY
260 + proxy_ftp:PROXY
261 + proxy_html:PROXY
262 + proxy_http:PROXY
263 + proxy_fcgi:PROXY
264 + proxy_scgi:PROXY
265 + proxy_wstunnel:PROXY
266 + socache_shmcb:SSL
267 + ssl:SSL
268 + status:STATUS
269 + suexec:SUEXEC
270 + userdir:USERDIR
271 +"
272 +
273 +# critical modules for the default config
274 +MODULE_CRITICAL="
275 + authn_core
276 + authz_core
277 + authz_host
278 + dir
279 + mime
280 + unixd
281 +"
282 +inherit eutils apache-2 systemd toolchain-funcs
283 +
284 +DESCRIPTION="The Apache Web Server"
285 +HOMEPAGE="https://httpd.apache.org/"
286 +
287 +# some helper scripts are Apache-1.1, thus both are here
288 +LICENSE="Apache-2.0 Apache-1.1"
289 +SLOT="2"
290 +KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~amd64-linux ~x64-macos ~x86-macos ~m68k-mint ~sparc64-solaris ~x64-solaris"
291 +
292 +# Upstream fixes
293 +SRC_URI+=" http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_fcgi.c?r1=1751970&r2=1751969&pathrev=1751970&view=patch -> ${PN}-2.4.23-fcgi_fix.patch"
294 +
295 +DEPEND+="apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 )"
296 +
297 +REQUIRED_USE="apache2_modules_http2? ( ssl )"
298 +
299 +PATCHES=(
300 + "${DISTDIR}"/${P}-fcgi_fix.patch
301 + "${FILESDIR}"/apache-asf-httpoxy.patch
302 +)
303 +
304 +pkg_setup() {
305 + # dependend critical modules which are not allowed in global scope due
306 + # to USE flag conditionals (bug #499260)
307 + use ssl && MODULE_CRITICAL+=" socache_shmcb"
308 + use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
309 + apache-2_pkg_setup
310 +}
311 +
312 +src_configure() {
313 + # Brain dead check.
314 + tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
315 +
316 + apache-2_src_configure
317 +}
318 +
319 +src_compile() {
320 + if tc-is-cross-compiler; then
321 + # This header is the same across targets, so use the build compiler.
322 + pushd server >/dev/null
323 + emake gen_test_char
324 + tc-export_build_env BUILD_CC
325 + ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
326 + gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
327 + popd >/dev/null
328 + fi
329 +
330 + default
331 +}
332 +
333 +src_install() {
334 + apache-2_src_install
335 + for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do
336 + rm "${ED}"/$i || die "Failed to prune apache-tools bits"
337 + done
338 + for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do
339 + rm "${ED}"/$i || die "Failed to prune apache-tools bits"
340 + done
341 + for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do
342 + rm "${ED}"/$i || die "Failed to prune apache-tools bits"
343 + done
344 + for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do
345 + rm "${ED}/"$i || die "Failed to prune apache-tools bits"
346 + done
347 +
348 + # install apxs in /usr/bin (bug #502384) and put a symlink into the
349 + # old location until all ebuilds and eclasses have been modified to
350 + # use the new location.
351 + local apxs="/usr/bin/apxs"
352 + cp "${S}"/support/apxs "${ED}"${apxs} || die "Failed to install apxs"
353 + ln -s ../bin/apxs "${ED}"/usr/sbin/apxs || die
354 + chmod 0755 "${ED}"${apxs} || die
355 +
356 + # Note: wait for mod_systemd to be included in the next release,
357 + # then apache2.4.service can be used and systemd support controlled
358 + # through --enable-systemd
359 + systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"
360 + systemd_dotmpfilesd "${FILESDIR}/apache.conf"
361 + #insinto /etc/apache2/modules.d
362 + #doins "${FILESDIR}/00_systemd.conf"
363 +
364 + # Install http2 module config
365 + insinto /etc/apache2/modules.d
366 + doins "${FILESDIR}"/41_mod_http2.conf
367 +}
368 +
369 +pkg_postinst()
370 +{
371 + apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
372 + # warnings that default config might not work out of the box
373 + for mod in $MODULE_CRITICAL; do
374 + if ! use "apache2_modules_${mod}"; then
375 + echo
376 + ewarn "Warning: Critical module not installed!"
377 + ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
378 + ewarn "are highly recomended but might not be in the base profile yet."
379 + ewarn "Default config for ssl needs module 'socache_shmcb'."
380 + ewarn "Enabling the following flags is highly recommended:"
381 + for cmod in $MODULE_CRITICAL; do
382 + use "apache2_modules_${cmod}" || \
383 + ewarn "+ apache2_modules_${cmod}"
384 + done
385 + echo
386 + break
387 + fi
388 + done
389 + # warning for proxy_balancer and missing load balancing scheduler
390 + if use apache2_modules_proxy_balancer; then
391 + local lbset=
392 + for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
393 + if use "apache2_modules_${mod}"; then
394 + lbset=1 && break
395 + fi
396 + done
397 + if [ ! $lbset ]; then
398 + echo
399 + ewarn "Info: Missing load balancing scheduler algorithm module"
400 + ewarn "(They were split off from proxy_balancer in 2.3)"
401 + ewarn "In order to get the ability of load balancing, at least"
402 + ewarn "one of these modules has to be present:"
403 + ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
404 + echo
405 + fi
406 + fi
407 +}
408
409 diff --git a/www-servers/apache/files/apache-asf-httpoxy.patch b/www-servers/apache/files/apache-asf-httpoxy.patch
410 new file mode 100644
411 index 00000000..68e3d86
412 --- /dev/null
413 +++ b/www-servers/apache/files/apache-asf-httpoxy.patch
414 @@ -0,0 +1,20 @@
415 +https://bugs.gentoo.org/589226
416 +https://www.apache.org/security/asf-httpoxy-response.txt
417 +
418 +--- server/util_script.c (revision 1752426)
419 ++++ server/util_script.c (working copy)
420 +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
421 + else if (!strcasecmp(hdrs[i].key, "Content-length")) {
422 + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
423 + }
424 ++ /* HTTP_PROXY collides with a popular envvar used to configure
425 ++ * proxies, don't let clients set/override it. But, if you must...
426 ++ */
427 ++#ifndef SECURITY_HOLE_PASS_PROXY
428 ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
429 ++ ;
430 ++ }
431 ++#endif
432 + /*
433 + * You really don't want to disable this check, since it leaves you
434 + * wide open to CGIs stealing passwords and people viewing them
Report Message
Find on MARC Find on Google Groups