25636039 Upgrade Apache Web Server to version 2.2.32 s11u3-sru
authorPetr Sumbera <petr.sumbera@oracle.com>
Mon, 27 Feb 2017 04:56:30 -0800
branchs11u3-sru
changeset 7699 16280dbf81f5
parent 7694 468c72fb070b
child 7703 665dcbbc9dfe
25636039 Upgrade Apache Web Server to version 2.2.32 25385707 problem in UTILITY/APACHE
components/apache2/Makefile
components/apache2/apache.license
components/apache2/patches/bug48357.patch
components/apache2/patches/httpoxy.patch
components/apache2/patches/no_ssl2_and_3.patch
components/apache2/patches/no_ssl3.patch
--- a/components/apache2/Makefile	Fri Feb 24 07:31:29 2017 -0800
+++ b/components/apache2/Makefile	Mon Feb 27 04:56:30 2017 -0800
@@ -18,22 +18,22 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		apache2
-COMPONENT_VERSION=	2.2.31
+COMPONENT_VERSION=	2.2.32
 COMPONENT_PROJECT_URL=	http://httpd.apache.org/
 COMPONENT_SRC_NAME=	httpd
 COMPONENT_SRC=		$(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-     sha256:77afdd50ca2624f7d78832b1e92f34e4df293328ec59fd0e3f6cdedf67ac0c7f
+     sha256:b6e1528779f99c301d6438d89ae892a311619b43a39f16297f9eabd4a8d16cb8
 COMPONENT_ARCHIVE_URL=	http://archive.apache.org/dist/httpd/$(COMPONENT_ARCHIVE)
 COMPONENT_BUGDB=	utility/apache
 
-TPNO_APACHE=		23672
+TPNO_APACHE=		33796
 TPNO_MOD_SED=		8897
 
 CONFIGURE_DEFAULT_DIRS=no
--- a/components/apache2/apache.license	Fri Feb 24 07:31:29 2017 -0800
+++ b/components/apache2/apache.license	Mon Feb 27 04:56:30 2017 -0800
@@ -1,5 +1,5 @@
 Apache HTTP Server
-Copyright 2015 The Apache Software Foundation.
+Copyright 2017 The Apache Software Foundation.
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
--- a/components/apache2/patches/bug48357.patch	Fri Feb 24 07:31:29 2017 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,39 +0,0 @@
-https://issues.apache.org/bugzilla/show_bug.cgi?id=48357
-
---- server/protocol.c	Tue Jan 24 12:02:19 2012
-+++ server/protocol.c	Mon Oct  1 04:53:41 2012
[email protected]@ -871,7 +871,7 @@
-     request_rec *r;
-     apr_pool_t *p;
-     const char *expect;
--    int access_status;
-+    int access_status = HTTP_OK;
-     apr_bucket_brigade *tmp_bb;
-     apr_socket_t *csd;
-     apr_interval_time_t cur_timeout;
[email protected]@ -1049,7 +1049,7 @@
-          * HTTP/1.1 mentions twice (S9, S14.23) that a request MUST contain
-          * a Host: header, and the server MUST respond with 400 if it doesn't.
-          */
--        r->status = HTTP_BAD_REQUEST;
-+        access_status = HTTP_BAD_REQUEST;
-         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-                       "client sent HTTP/1.1 request without hostname "
-                       "(see RFC2616 section 14.23): %s", r->uri);
[email protected]@ -1065,14 +1065,8 @@
-     ap_add_input_filter_handle(ap_http_input_filter_handle,
-                                NULL, r, r->connection);
- 
--    if (r->status != HTTP_OK) {
--        ap_send_error_response(r, 0);
--        ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
--        ap_run_log_transaction(r);
--        return r;
--    }
--
--    if ((access_status = ap_run_post_read_request(r))) {
-+    if (access_status != HTTP_OK
-+        || (access_status = ap_run_post_read_request(r))) {
-         ap_die(access_status, r);
-         ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
-         ap_run_log_transaction(r);
--- a/components/apache2/patches/httpoxy.patch	Fri Feb 24 07:31:29 2017 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,38 +0,0 @@
-https://www.apache.org/security/asf-httpoxy-response.txt
-http://svn.apache.org/viewvc?view=revision&revision=1756564
-
---- docs/conf/httpd.conf.in	2012/02/06 16:54:24	1241075
-+++ docs/conf/httpd.conf.in	2016/08/16 23:32:35	1756564
[email protected]@ -284,6 +284,15 @@
- #
- DefaultType text/plain
- 
-+<IfModule headers_module>
-+    #
-+    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
-+    # backend servers which have lingering "httpoxy" defects.
-+    # 'Proxy' request header is undefined by the IETF, not listed by IANA
-+    #
-+    RequestHeader unset Proxy early
-+</IfModule>
-+
- <IfModule mime_module>
-     #
-     # TypesConfig points to the file containing the list of mappings from
---- server/util_script.c	2012/08/21 17:42:49	1375683
-+++ server/util_script.c	2016/08/16 23:32:35	1756564
[email protected]@ -165,6 +165,14 @@
-         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
-             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
-         }
-+        /* HTTP_PROXY collides with a popular envvar used to configure
-+         * proxies, don't let clients set/override it.  But, if you must...
-+         */
-+#ifndef SECURITY_HOLE_PASS_PROXY
-+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+            ;
-+        }
-+#endif
-         /*
-          * You really don't want to disable this check, since it leaves you
-          * wide open to CGIs stealing passwords and people viewing them
--- a/components/apache2/patches/no_ssl2_and_3.patch	Fri Feb 24 07:31:29 2017 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,48 +0,0 @@
-Patch origin: in-house
-Patch status: unclear; so far they disable it just in configuration file
-
-https://bz.apache.org/bugzilla/show_bug.cgi?id=57120
-
---- modules/ssl/ssl_private.h
-+++ modules/ssl/ssl_private.h
[email protected]@ -244,9 +244,9 @@
- #define SSL_PROTOCOL_SSLV3 (1<<1)
- #define SSL_PROTOCOL_TLSV1 (1<<2)
- #ifdef OPENSSL_NO_SSL2
--#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
-+#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1
- #else
--#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
-+#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1
- #endif
- #ifdef HAVE_TLSV1_X
- #define SSL_PROTOCOL_TLSV1_1 (1<<3)
---- docs/manual/mod/mod_ssl.html.en
-+++ docs/manual/mod/mod_ssl.html.en
[email protected]@ -1082,8 +1082,8 @@
-     <p>
-     This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
-     the Netscape Corporation. 
--    It is the successor to SSLv2 and the predecessor to TLSv1. It's supported by
--    almost all popular browsers.</p></li>
-+    It is the successor to SSLv2 and the predecessor to TLSv1. Though its
-+    use has been deprecated, because of weaknesses in the security of the protocol.</p></li>
- 
- <li><code>TLSv1</code>
-     <p>
[email protected]@ -1103,13 +1103,11 @@
- 
- <li><code>All</code>
-     <p>
--    This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' or
--    - when using OpenSSL 1.0.1 and later -
--    ``<code>+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively.</p></li>
-+    This is a shortcut for ``<code>+TLSv1 +TLSv1.1 +TLSv1.2</code>''.</p></li>
- </ul>
- <div class="example"><h3>Example</h3><p><code>
- # enable SSLv3 and all available TLSv1 flavors, but not SSLv2<br />
--SSLProtocol All -SSLv2
-+SSLProtocol All +SSLv3
- </code></p></div>
- 
- </div>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/no_ssl3.patch	Mon Feb 27 04:56:30 2017 -0800
@@ -0,0 +1,38 @@
+Patch origin: in-house
+Patch status: unclear; so far they disable it just in configuration file
+ 
+https://bz.apache.org/bugzilla/show_bug.cgi?id=57120
+
+--- modules/ssl/ssl_private.h
++++ modules/ssl/ssl_private.h
[email protected]@ -246,9 +246,9 @@
+ #endif
+ #define SSL_PROTOCOL_TLSV1 (1<<2)
+ #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+-#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
++#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
+ #elif !defined(OPENSSL_NO_SSL3)
+-#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
++#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
+ #else
+ #define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
+ #endif
+--- docs/manual/mod/mod_ssl.html.en
++++ docs/manual/mod/mod_ssl.html.en
[email protected]@ -1108,13 +1108,11 @@
+ 
+ <li><code>All</code>
+     <p>
+-    This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' or
+-    - when using OpenSSL 1.0.1 and later -
+-    ``<code>+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively.</p></li>
++    This is a shortcut for ``<code>+TLSv1 +TLSv1.1 +TLSv1.2</code>''.</p></li>
+ </ul>
+ <div class="example"><h3>Example</h3><p><code>
+-# enable SSLv3 and all available TLSv1 flavors, but not SSLv2<br />
+-SSLProtocol All -SSLv2
++# enable SSLv3 and all available TLSv1 flavors<br />
++SSLProtocol All +SSLv3
+ </code></p></div>
+ 
+ </div>
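Review bot: The manual example at the end of the embedded docs/manual/mod/mod_ssl.html.en hunk becomes `SSLProtocol All +SSLv3`, so the only worked example shipped for this directive is one that switches SSLv3 back on, right after the ssl_private.h hunk removes it from `SSL_PROTOCOL_BASIC`. I would keep the example but have its comment say why it is exceptional, for instance `# SSLv3 is off by default in this build; add it back only for legacy clients that cannot use TLS<br />`. The replaced no_ssl2_and_3.patch also rewrote the SSLv3 list entry to say the protocol is deprecated, and this patch has no such hunk, so it is worth confirming that the 2.2.32 manual already carries that wording. The `Patch status: unclear` header line was copied over unchanged and could record whether the referenced bug 57120 is still open upstream.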