1 |
commit: c2a21676c8017485107e53c6b15c9d12c5ac87b1 |
2 |
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
3 |
AuthorDate: Fri Oct 8 06:47:28 2021 +0000 |
4 |
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> |
5 |
CommitDate: Fri Oct 8 06:47:28 2021 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2a21676 |
7 |
|
8 |
www-servers/apache: Security cleanup |
9 |
|
10 |
Bug: https://bugs.gentoo.org/816864 |
11 |
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org> |
12 |
|
13 |
www-servers/apache/Manifest | 1 - |
14 |
www-servers/apache/apache-2.4.50.ebuild | 262 -------------------------------- |
15 |
2 files changed, 263 deletions(-) |
16 |
|
17 |
diff --git a/www-servers/apache/Manifest b/www-servers/apache/Manifest |
18 |
index 5d789d14468..92f48c54719 100644 |
19 |
--- a/www-servers/apache/Manifest |
20 |
+++ b/www-servers/apache/Manifest |
21 |
@@ -1,3 +1,2 @@ |
22 |
DIST gentoo-apache-2.4.46-r6-20210212.tar.bz2 25854 BLAKE2B 001f16c1beac8c90fd407bb2f77417f886296baf02acf0f6d81dc0f10c209270db7005f58d845d309dec8332773556da88db41a57c6ecc86f24b8a5141ba07d0 SHA512 976dde952277542efca70831b67da32b8bf636a346adeeb6e0bc5a65b3543a7ca4fb182bc01204f747b583dd753607d184d91ef46a93d5e2f3ab55ed787860a2 |
23 |
-DIST httpd-2.4.50.tar.bz2 7653174 BLAKE2B 6bdb26bc03347b9643e973d22726ef283b8d92b675f81e85f4e0470bedf8510bac60cd043fe966bc786d5ae47827ac1bb31da88a0e510f4bb6c665e2075c3beb SHA512 b1afbaf44e503b822ff2b443881dcb44a93aa55d496f88ae399a2e7def05f78590f266a16da1f2c0aac88e463b76fba20843b1e20a102e76c8269de6fae3e158 |
24 |
DIST httpd-2.4.51.tar.bz2 7653609 BLAKE2B a0743327f0411f5cb8b7d0426bf78db0f370e3d587f3a4c4bb7de0e4499effa3f44f5998e19e9ca3ed7b6fc9a8c0867cbe62134b5af7e6ed6c3bc29770b797df SHA512 9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66 |
25 |
|
26 |
diff --git a/www-servers/apache/apache-2.4.50.ebuild b/www-servers/apache/apache-2.4.50.ebuild |
27 |
deleted file mode 100644 |
28 |
index 19d45aa6ddd..00000000000 |
29 |
--- a/www-servers/apache/apache-2.4.50.ebuild |
30 |
+++ /dev/null |
31 |
@@ -1,262 +0,0 @@ |
32 |
-# Copyright 1999-2021 Gentoo Authors |
33 |
-# Distributed under the terms of the GNU General Public License v2 |
34 |
- |
35 |
-EAPI=7 |
36 |
- |
37 |
-# latest gentoo apache files |
38 |
-GENTOO_PATCHSTAMP="20210212" |
39 |
-GENTOO_DEVELOPER="polynomial-c" |
40 |
-GENTOO_PATCHNAME="gentoo-apache-2.4.46-r6" |
41 |
- |
42 |
-# IUSE/USE_EXPAND magic |
43 |
-IUSE_MPMS_FORK="prefork" |
44 |
-IUSE_MPMS_THREAD="event worker" |
45 |
- |
46 |
-# << obsolete modules: |
47 |
-# authn_default authz_default mem_cache |
48 |
-# mem_cache is replaced by cache_disk |
49 |
-# ?? buggy modules |
50 |
-# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found |
51 |
-# >> added modules for reason: |
52 |
-# compat: compatibility with 2.2 access control |
53 |
-# authz_host: new module for access control |
54 |
-# authn_core: functionality provided by authn_alias in previous versions |
55 |
-# authz_core: new module, provides core authorization capabilities |
56 |
-# cache_disk: replacement for mem_cache |
57 |
-# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3 |
58 |
-# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3 |
59 |
-# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3 |
60 |
-# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3 |
61 |
-# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests). |
62 |
-# socache_shmcb: shared object cache provider. Default config with ssl needs it |
63 |
-# unixd: fixes startup error: Invalid command 'User' |
64 |
-IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest auth_form |
65 |
-authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authz_core |
66 |
-authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex |
67 |
-brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock |
68 |
-dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2 |
69 |
-ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness |
70 |
-lbmethod_heartbeat log_config log_forensic logio lua macro md mime mime_magic negotiation |
71 |
-proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi |
72 |
-proxy_http2 proxy_fcgi proxy_uwsgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout |
73 |
-session session_cookie session_crypto session_dbd setenvif slotmem_shm speling |
74 |
-socache_memcache socache_shmcb status substitute unique_id userdir usertrack |
75 |
-unixd version vhost_alias watchdog xml2enc" |
76 |
-# The following are also in the source as of this version, but are not available |
77 |
-# for user selection: |
78 |
-# bucketeer case_filter case_filter_in echo http isapi optional_fn_export |
79 |
-# optional_fn_import optional_hook_export optional_hook_import |
80 |
- |
81 |
-# inter-module dependencies |
82 |
-# TODO: this may still be incomplete |
83 |
-MODULE_DEPENDS=" |
84 |
- auth_form:session |
85 |
- brotli:filter |
86 |
- dav_fs:dav |
87 |
- dav_lock:dav |
88 |
- deflate:filter |
89 |
- cache_disk:cache |
90 |
- ext_filter:filter |
91 |
- file_cache:cache |
92 |
- lbmethod_byrequests:proxy_balancer |
93 |
- lbmethod_byrequests:slotmem_shm |
94 |
- lbmethod_bytraffic:proxy_balancer |
95 |
- lbmethod_bybusyness:proxy_balancer |
96 |
- lbmethod_heartbeat:proxy_balancer |
97 |
- log_forensic:log_config |
98 |
- logio:log_config |
99 |
- cache_disk:cache |
100 |
- cache_socache:cache |
101 |
- md:watchdog |
102 |
- mime_magic:mime |
103 |
- proxy_ajp:proxy |
104 |
- proxy_balancer:proxy |
105 |
- proxy_balancer:slotmem_shm |
106 |
- proxy_connect:proxy |
107 |
- proxy_ftp:proxy |
108 |
- proxy_html:proxy |
109 |
- proxy_html:xml2enc |
110 |
- proxy_http:proxy |
111 |
- proxy_http2:proxy |
112 |
- proxy_scgi:proxy |
113 |
- proxy_uwsgi:proxy |
114 |
- proxy_fcgi:proxy |
115 |
- proxy_wstunnel:proxy |
116 |
- session_cookie:session |
117 |
- session_dbd:dbd |
118 |
- session_dbd:session |
119 |
- socache_memcache:cache |
120 |
- substitute:filter |
121 |
-" |
122 |
- |
123 |
-# module<->define mappings |
124 |
-MODULE_DEFINES=" |
125 |
- auth_digest:AUTH_DIGEST |
126 |
- authnz_ldap:AUTHNZ_LDAP |
127 |
- cache:CACHE |
128 |
- cache_disk:CACHE |
129 |
- cache_socache:CACHE |
130 |
- dav:DAV |
131 |
- dav_fs:DAV |
132 |
- dav_lock:DAV |
133 |
- file_cache:CACHE |
134 |
- http2:HTTP2 |
135 |
- info:INFO |
136 |
- ldap:LDAP |
137 |
- lua:LUA |
138 |
- md:SSL |
139 |
- proxy:PROXY |
140 |
- proxy_ajp:PROXY |
141 |
- proxy_balancer:PROXY |
142 |
- proxy_connect:PROXY |
143 |
- proxy_ftp:PROXY |
144 |
- proxy_html:PROXY |
145 |
- proxy_http:PROXY |
146 |
- proxy_fcgi:PROXY |
147 |
- proxy_scgi:PROXY |
148 |
- proxy_wstunnel:PROXY |
149 |
- socache_shmcb:SSL |
150 |
- socache_memcache:CACHE |
151 |
- ssl:SSL |
152 |
- status:STATUS |
153 |
- suexec:SUEXEC |
154 |
- userdir:USERDIR |
155 |
-" |
156 |
- |
157 |
-# critical modules for the default config |
158 |
-MODULE_CRITICAL=" |
159 |
- authn_core |
160 |
- authz_core |
161 |
- authz_host |
162 |
- dir |
163 |
- mime |
164 |
- unixd |
165 |
-" |
166 |
-inherit apache-2 systemd tmpfiles toolchain-funcs |
167 |
- |
168 |
-DESCRIPTION="The Apache Web Server" |
169 |
-HOMEPAGE="https://httpd.apache.org/" |
170 |
- |
171 |
-# some helper scripts are Apache-1.1, thus both are here |
172 |
-LICENSE="Apache-2.0 Apache-1.1" |
173 |
-SLOT="2" |
174 |
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x64-macos ~sparc64-solaris ~x64-solaris" |
175 |
- |
176 |
-# FIXME! Move this to eclass once all ebuilds are EAPI-7 |
177 |
-RDEPEND+=" apache2_modules_lua? ( ${LUA_DEPS} )" |
178 |
-REQUIRED_USE+=" apache2_modules_lua? ( ${LUA_REQUIRED_USE} )" |
179 |
- |
180 |
-pkg_setup() { |
181 |
- # dependend critical modules which are not allowed in global scope due |
182 |
- # to USE flag conditionals (bug #499260) |
183 |
- use ssl && MODULE_CRITICAL+=" socache_shmcb" |
184 |
- use doc && MODULE_CRITICAL+=" alias negotiation setenvif" |
185 |
- apache-2_pkg_setup |
186 |
-} |
187 |
- |
188 |
-src_configure() { |
189 |
- # Brain dead check. |
190 |
- tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no" |
191 |
- |
192 |
- apache-2_src_configure |
193 |
-} |
194 |
- |
195 |
-src_compile() { |
196 |
- if tc-is-cross-compiler ; then |
197 |
- # This header is the same across targets, so use the build compiler. |
198 |
- pushd server >/dev/null |
199 |
- emake gen_test_char |
200 |
- tc-export_build_env BUILD_CC |
201 |
- ${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \ |
202 |
- gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die |
203 |
- popd >/dev/null |
204 |
- fi |
205 |
- |
206 |
- default |
207 |
-} |
208 |
- |
209 |
-src_install() { |
210 |
- apache-2_src_install |
211 |
- local i |
212 |
- local apache_tools_prune_list=( |
213 |
- /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm} |
214 |
- /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs} |
215 |
- /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1} |
216 |
- /usr/share/man/man8/{rotatelogs.8,htcacheclean.8} |
217 |
- ) |
218 |
- for i in ${apache_tools_prune_list[@]} ; do |
219 |
- rm "${ED}"/${i} || die "Failed to prune apache-tools bits" |
220 |
- done |
221 |
- |
222 |
- # install apxs in /usr/bin (bug #502384) and put a symlink into the |
223 |
- # old location until all ebuilds and eclasses have been modified to |
224 |
- # use the new location. |
225 |
- dobin support/apxs |
226 |
- use split-usr && dosym ../bin/apxs /usr/sbin/apxs |
227 |
- |
228 |
- # Note: wait for mod_systemd to be included in some forthcoming release, |
229 |
- # Then apache2.4.service can be used and systemd support controlled |
230 |
- # through --enable-systemd |
231 |
- systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service" |
232 |
- dotmpfiles "${FILESDIR}/apache.conf" |
233 |
- #insinto /etc/apache2/modules.d |
234 |
- #doins "${FILESDIR}/00_systemd.conf" |
235 |
- |
236 |
- # Install http2 module config |
237 |
- insinto /etc/apache2/modules.d |
238 |
- doins "${FILESDIR}"/41_mod_http2.conf |
239 |
- |
240 |
- # Fix path to apache libdir |
241 |
- sed "s|@LIBDIR@|$(get_libdir)|" -i "${ED}"/usr/sbin/apache2ctl || die |
242 |
-} |
243 |
- |
244 |
-pkg_postinst() { |
245 |
- echo |
246 |
- ewarn "Downgrading to pre-GLEP 81 user for now." |
247 |
- ewarn "See bug #802495 and bug #803500 for more information." |
248 |
- ewarn "" |
249 |
- ewarn "You will need to run the following command to unlock the user:" |
250 |
- ewarn "usermod -e '' -U apache 2>/dev/null" |
251 |
- echo |
252 |
- |
253 |
- apache-2_pkg_postinst || die "apache-2_pkg_postinst failed" |
254 |
- |
255 |
- tmpfiles_process apache.conf #662544 |
256 |
- |
257 |
- # warnings that default config might not work out of the box |
258 |
- local mod cmod |
259 |
- for mod in ${MODULE_CRITICAL} ; do |
260 |
- if ! use "apache2_modules_${mod}"; then |
261 |
- echo |
262 |
- ewarn "Warning: Critical module not installed!" |
263 |
- ewarn "Modules 'authn_core', 'authz_core' and 'unixd'" |
264 |
- ewarn "are highly recomended but might not be in the base profile yet." |
265 |
- ewarn "Default config for ssl needs module 'socache_shmcb'." |
266 |
- ewarn "Enabling the following flags is highly recommended:" |
267 |
- for cmod in ${MODULE_CRITICAL} ; do |
268 |
- use "apache2_modules_${cmod}" || \ |
269 |
- ewarn "+ apache2_modules_${cmod}" |
270 |
- done |
271 |
- echo |
272 |
- break |
273 |
- fi |
274 |
- done |
275 |
- # warning for proxy_balancer and missing load balancing scheduler |
276 |
- if use apache2_modules_proxy_balancer; then |
277 |
- local lbset= |
278 |
- for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do |
279 |
- if use "apache2_modules_${mod}"; then |
280 |
- lbset=1 && break |
281 |
- fi |
282 |
- done |
283 |
- if [[ ! ${lbset} ]] ; then |
284 |
- echo |
285 |
- ewarn "Info: Missing load balancing scheduler algorithm module" |
286 |
- ewarn "(They were split off from proxy_balancer in 2.3)" |
287 |
- ewarn "In order to get the ability of load balancing, at least" |
288 |
- ewarn "one of these modules has to be present:" |
289 |
- ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat" |
290 |
- echo |
291 |
- fi |
292 |
- fi |
293 |
-} |