25636039 Upgrade Apache Web Server to version 2.2.32
25385707 problem in UTILITY/APACHE
--- a/components/apache2/Makefile Fri Feb 24 07:31:29 2017 -0800
+++ b/components/apache2/Makefile Mon Feb 27 04:56:30 2017 -0800
@@ -18,22 +18,22 @@
#
# CDDL HEADER END
#
-# Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2017, Oracle and/or its affiliates. All rights reserved.
#
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= apache2
-COMPONENT_VERSION= 2.2.31
+COMPONENT_VERSION= 2.2.32
COMPONENT_PROJECT_URL= http://httpd.apache.org/
COMPONENT_SRC_NAME= httpd
COMPONENT_SRC= $(COMPONENT_SRC_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:77afdd50ca2624f7d78832b1e92f34e4df293328ec59fd0e3f6cdedf67ac0c7f
+ sha256:b6e1528779f99c301d6438d89ae892a311619b43a39f16297f9eabd4a8d16cb8
COMPONENT_ARCHIVE_URL= http://archive.apache.org/dist/httpd/$(COMPONENT_ARCHIVE)
COMPONENT_BUGDB= utility/apache
-TPNO_APACHE= 23672
+TPNO_APACHE= 33796
TPNO_MOD_SED= 8897
CONFIGURE_DEFAULT_DIRS=no
--- a/components/apache2/apache.license Fri Feb 24 07:31:29 2017 -0800
+++ b/components/apache2/apache.license Mon Feb 27 04:56:30 2017 -0800
@@ -1,5 +1,5 @@
Apache HTTP Server
-Copyright 2015 The Apache Software Foundation.
+Copyright 2017 The Apache Software Foundation.
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
--- a/components/apache2/patches/bug48357.patch Fri Feb 24 07:31:29 2017 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,39 +0,0 @@
-https://issues.apache.org/bugzilla/show_bug.cgi?id=48357
-
---- server/protocol.c Tue Jan 24 12:02:19 2012
-+++ server/protocol.c Mon Oct 1 04:53:41 2012
-@@ -871,7 +871,7 @@
- request_rec *r;
- apr_pool_t *p;
- const char *expect;
-- int access_status;
-+ int access_status = HTTP_OK;
- apr_bucket_brigade *tmp_bb;
- apr_socket_t *csd;
- apr_interval_time_t cur_timeout;
-@@ -1049,7 +1049,7 @@
- * HTTP/1.1 mentions twice (S9, S14.23) that a request MUST contain
- * a Host: header, and the server MUST respond with 400 if it doesn't.
- */
-- r->status = HTTP_BAD_REQUEST;
-+ access_status = HTTP_BAD_REQUEST;
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "client sent HTTP/1.1 request without hostname "
- "(see RFC2616 section 14.23): %s", r->uri);
-@@ -1065,14 +1065,8 @@
- ap_add_input_filter_handle(ap_http_input_filter_handle,
- NULL, r, r->connection);
-
-- if (r->status != HTTP_OK) {
-- ap_send_error_response(r, 0);
-- ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
-- ap_run_log_transaction(r);
-- return r;
-- }
--
-- if ((access_status = ap_run_post_read_request(r))) {
-+ if (access_status != HTTP_OK
-+ || (access_status = ap_run_post_read_request(r))) {
- ap_die(access_status, r);
- ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
- ap_run_log_transaction(r);
--- a/components/apache2/patches/httpoxy.patch Fri Feb 24 07:31:29 2017 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,38 +0,0 @@
-https://www.apache.org/security/asf-httpoxy-response.txt
-http://svn.apache.org/viewvc?view=revision&revision=1756564
-
---- docs/conf/httpd.conf.in 2012/02/06 16:54:24 1241075
-+++ docs/conf/httpd.conf.in 2016/08/16 23:32:35 1756564
-@@ -284,6 +284,15 @@
- #
- DefaultType text/plain
-
-+<IfModule headers_module>
-+ #
-+ # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
-+ # backend servers which have lingering "httpoxy" defects.
-+ # 'Proxy' request header is undefined by the IETF, not listed by IANA
-+ #
-+ RequestHeader unset Proxy early
-+</IfModule>
-+
- <IfModule mime_module>
- #
- # TypesConfig points to the file containing the list of mappings from
---- server/util_script.c 2012/08/21 17:42:49 1375683
-+++ server/util_script.c 2016/08/16 23:32:35 1756564
-@@ -165,6 +165,14 @@
- else if (!strcasecmp(hdrs[i].key, "Content-length")) {
- apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
- }
-+ /* HTTP_PROXY collides with a popular envvar used to configure
-+ * proxies, don't let clients set/override it. But, if you must...
-+ */
-+#ifndef SECURITY_HOLE_PASS_PROXY
-+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+ ;
-+ }
-+#endif
- /*
- * You really don't want to disable this check, since it leaves you
- * wide open to CGIs stealing passwords and people viewing them
--- a/components/apache2/patches/no_ssl2_and_3.patch Fri Feb 24 07:31:29 2017 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,48 +0,0 @@
-Patch origin: in-house
-Patch status: unclear; so far they disable it just in configuration file
-
-https://bz.apache.org/bugzilla/show_bug.cgi?id=57120
-
---- modules/ssl/ssl_private.h
-+++ modules/ssl/ssl_private.h
-@@ -244,9 +244,9 @@
- #define SSL_PROTOCOL_SSLV3 (1<<1)
- #define SSL_PROTOCOL_TLSV1 (1<<2)
- #ifdef OPENSSL_NO_SSL2
--#define SSL_MOST_ALL SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
-+#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1
- #else
--#define SSL_MOST_ALL SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
-+#define SSL_MOST_ALL SSL_PROTOCOL_TLSV1
- #endif
- #ifdef HAVE_TLSV1_X
- #define SSL_PROTOCOL_TLSV1_1 (1<<3)
---- docs/manual/mod/mod_ssl.html.en
-+++ docs/manual/mod/mod_ssl.html.en
-@@ -1082,8 +1082,8 @@
- <p>
- This is the Secure Sockets Layer (SSL) protocol, version 3.0, from
- the Netscape Corporation.
-- It is the successor to SSLv2 and the predecessor to TLSv1. It's supported by
-- almost all popular browsers.</p></li>
-+ It is the successor to SSLv2 and the predecessor to TLSv1. Though its
-+ use has been deprecated, because of weaknesses in the security of the protocol.</p></li>
-
- <li><code>TLSv1</code>
- <p>
-@@ -1103,13 +1103,11 @@
-
- <li><code>All</code>
- <p>
-- This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' or
-- - when using OpenSSL 1.0.1 and later -
-- ``<code>+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively.</p></li>
-+ This is a shortcut for ``<code>+TLSv1 +TLSv1.1 +TLSv1.2</code>''.</p></li>
- </ul>
- <div class="example"><h3>Example</h3><p><code>
- # enable SSLv3 and all available TLSv1 flavors, but not SSLv2<br />
--SSLProtocol All -SSLv2
-+SSLProtocol All +SSLv3
- </code></p></div>
-
- </div>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/no_ssl3.patch Mon Feb 27 04:56:30 2017 -0800
@@ -0,0 +1,38 @@
+Patch origin: in-house
+Patch status: unclear; so far they disable it just in configuration file
+
+https://bz.apache.org/bugzilla/show_bug.cgi?id=57120
+
+--- modules/ssl/ssl_private.h
++++ modules/ssl/ssl_private.h
+@@ -246,9 +246,9 @@
+ #endif
+ #define SSL_PROTOCOL_TLSV1 (1<<2)
+ #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+-#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
++#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
+ #elif !defined(OPENSSL_NO_SSL3)
+-#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1
++#define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
+ #else
+ #define SSL_PROTOCOL_BASIC SSL_PROTOCOL_TLSV1
+ #endif
+--- docs/manual/mod/mod_ssl.html.en
++++ docs/manual/mod/mod_ssl.html.en
+@@ -1108,13 +1108,11 @@
+
+ <li><code>All</code>
+ <p>
+- This is a shortcut for ``<code>+SSLv2 +SSLv3 +TLSv1</code>'' or
+- - when using OpenSSL 1.0.1 and later -
+- ``<code>+SSLv2 +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2</code>'', respectively.</p></li>
++ This is a shortcut for ``<code>+TLSv1 +TLSv1.1 +TLSv1.2</code>''.</p></li>
+ </ul>
+ <div class="example"><h3>Example</h3><p><code>
+-# enable SSLv3 and all available TLSv1 flavors, but not SSLv2<br />
+-SSLProtocol All -SSLv2
++# enable SSLv3 and all available TLSv1 flavors<br />
++SSLProtocol All +SSLv3
+ </code></p></div>
+
+ </div>