7202142 Upgrade Apache Web Server to version 2.2.23
authorPetr Sumbera <petr.sumbera@oracle.com>
Mon, 08 Oct 2012 07:58:20 -0700
changeset 1008 85cbcf3980ca
parent 1007 16cb553a85a2
child 1009 49c5130fdb42
7202142 Upgrade Apache Web Server to version 2.2.23 7164140 ErrorDocument can not handle 400 status properly in case of HTTP 1.1 7198847 Problem with utility/apache
components/apache2/Makefile
components/apache2/apache-22.p5m
components/apache2/patches/bug48357.patch
components/apache2/patches/bug52774.patch
--- a/components/apache2/Makefile	Thu Oct 04 16:40:21 2012 -0700
+++ b/components/apache2/Makefile	Mon Oct 08 07:58:20 2012 -0700
@@ -23,12 +23,12 @@
 include ../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		httpd
-COMPONENT_VERSION=	2.2.22
+COMPONENT_VERSION=	2.2.23
 COMPONENT_PROJECT_URL=	http://httpd.apache.org/
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.gz
 COMPONENT_ARCHIVE_HASH=	\
-    sha256:74c1ffffefe1a502339b004ad6488fbd858eb425a05968cd67c05695dbc0fe7c
+    sha256:227c85a5c57f2edae0c5c54c68ccc127f06f6e7cff5340efa00de04f463fa3a4
 COMPONENT_ARCHIVE_URL=	http://archive.apache.org/dist/httpd/$(COMPONENT_ARCHIVE)
 
 CONFIGURE_DEFAULT_DIRS=no
--- a/components/apache2/apache-22.p5m	Thu Oct 04 16:40:21 2012 -0700
+++ b/components/apache2/apache-22.p5m	Mon Oct 08 07:58:20 2012 -0700
@@ -348,17 +348,17 @@
 file path=usr/apache2/2.2/libexec/mod_usertrack.so
 file path=usr/apache2/2.2/libexec/mod_version.so
 file path=usr/apache2/2.2/libexec/mod_vhost_alias.so
-file path=usr/apache2/2.2/man/man1/ab.1
-file path=usr/apache2/2.2/man/man1/apxs.1
 file path=usr/apache2/2.2/man/man1/dbmmanage.1
 file path=usr/apache2/2.2/man/man1/htdbm.1
 file path=usr/apache2/2.2/man/man1/httxt2dbm.1
 file path=usr/apache2/2.2/man/man1/htdigest.1
 file path=usr/apache2/2.2/man/man1/htpasswd.1
-file path=usr/apache2/2.2/man/man1/logresolve.1
+file path=usr/apache2/2.2/man/man8/ab.8
 file path=usr/apache2/2.2/man/man8/apachectl.8
+file path=usr/apache2/2.2/man/man8/apxs.8
 file path=usr/apache2/2.2/man/man8/htcacheclean.8
 file path=usr/apache2/2.2/man/man8/httpd.8
+file path=usr/apache2/2.2/man/man8/logresolve.8
 file path=usr/apache2/2.2/man/man8/rotatelogs.8
 file path=usr/apache2/2.2/man/man8/suexec.8
 file Solaris/apache2.1m.sunman path=usr/share/man/man1m/apache2.1m
@@ -633,17 +633,17 @@
 link path=usr/bin/httxt2dbm target=../apache2/2.2/bin/httxt2dbm
 link path=usr/bin/logresolve target=../apache2/2.2/bin/logresolve
 link path=usr/bin/rotatelogs target=../apache2/2.2/bin/rotatelogs
-link path=usr/share/man/man1/ab.1 target=../../../apache2/2.2/man/man1/ab.1
-link path=usr/share/man/man1/apxs.1 target=../../../apache2/2.2/man/man1/apxs.1
 link path=usr/share/man/man1/dbmmanage.1 target=../../../apache2/2.2/man/man1/dbmmanage.1
 link path=usr/share/man/man1/htdbm.1 target=../../../apache2/2.2/man/man1/htdbm.1
 link path=usr/share/man/man1/httxt2dbm.1 target=../../../apache2/2.2/man/man1/httxt2dbm.1
 link path=usr/share/man/man1/htdigest.1 target=../../../apache2/2.2/man/man1/htdigest.1
 link path=usr/share/man/man1/htpasswd.1 target=../../../apache2/2.2/man/man1/htpasswd.1
-link path=usr/share/man/man1/logresolve.1 target=../../../apache2/2.2/man/man1/logresolve.1
+link path=usr/share/man/man8/ab.8 target=../../../apache2/2.2/man/man8/ab.8
+link path=usr/share/man/man8/apxs.8 target=../../../apache2/2.2/man/man8/apxs.8
 link path=usr/share/man/man8/apachectl.8 target=../../../apache2/2.2/man/man8/apachectl.8
 link path=usr/share/man/man8/htcacheclean.8 target=../../../apache2/2.2/man/man8/htcacheclean.8
 link path=usr/share/man/man8/httpd.8 target=../../../apache2/2.2/man/man8/httpd.8
+link path=usr/share/man/man8/logresolve.8 target=../../../apache2/2.2/man/man8/logresolve.8
 link path=usr/share/man/man8/rotatelogs.8 target=../../../apache2/2.2/man/man8/rotatelogs.8
 link path=usr/share/man/man8/suexec.8 target=../../../apache2/2.2/man/man8/suexec.8
 link path=var/apache2/2.2/libexec/64 target=$(MACH64)
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/bug48357.patch	Mon Oct 08 07:58:20 2012 -0700
@@ -0,0 +1,39 @@
+https://issues.apache.org/bugzilla/show_bug.cgi?id=48357
+
+--- server/protocol.c	Tue Jan 24 12:02:19 2012
++++ server/protocol.c	Mon Oct  1 04:53:41 2012
[email protected]@ -869,7 +869,7 @@
+     request_rec *r;
+     apr_pool_t *p;
+     const char *expect;
+-    int access_status;
++    int access_status = HTTP_OK;
+     apr_bucket_brigade *tmp_bb;
+     apr_socket_t *csd;
+     apr_interval_time_t cur_timeout;
[email protected]@ -1021,7 +1021,7 @@
+          * HTTP/1.1 mentions twice (S9, S14.23) that a request MUST contain
+          * a Host: header, and the server MUST respond with 400 if it doesn't.
+          */
+-        r->status = HTTP_BAD_REQUEST;
++        access_status = HTTP_BAD_REQUEST;
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                       "client sent HTTP/1.1 request without hostname "
+                       "(see RFC2616 section 14.23): %s", r->uri);
[email protected]@ -1037,14 +1037,8 @@
+     ap_add_input_filter_handle(ap_http_input_filter_handle,
+                                NULL, r, r->connection);
+ 
+-    if (r->status != HTTP_OK) {
+-        ap_send_error_response(r, 0);
+-        ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+-        ap_run_log_transaction(r);
+-        return r;
+-    }
+-
+-    if ((access_status = ap_run_post_read_request(r))) {
++    if (access_status != HTTP_OK
++        || (access_status = ap_run_post_read_request(r))) {
+         ap_die(access_status, r);
+         ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+         ap_run_log_transaction(r);
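Review bot: Once the third inner hunk drops the `if (r->status != HTTP_OK)` block, nothing visible in this patch consults `r->status` before `ap_run_post_read_request()`, so an error that earlier code records only in `r->status` would no longer stop the request here. The patch converts the one missing-Host assignment to `access_status`, but code above these hunks (not shown, for example whatever validates the Host header while selecting the virtual host) may still report a bad request through `r->status`; this should be confirmed against the 2.2.23 source. If it does, fold that status in before the combined test, for example `if (access_status == HTTP_OK && r->status != HTTP_OK) access_status = r->status;`. The enclosing function begins and ends outside the inner hunks.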
--- a/components/apache2/patches/bug52774.patch	Thu Oct 04 16:40:21 2012 -0700
+++ b/components/apache2/patches/bug52774.patch	Mon Oct 08 07:58:20 2012 -0700
@@ -1,18 +1,33 @@
 https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
 
---- modules/mappers/mod_rewrite.c	Tue Jan 24 11:39:31 2012
-+++ modules/mappers/mod_rewrite.c	Thu Apr  5 07:37:37 2012
[email protected]@ -4266,9 +4266,13 @@
+--- modules/mappers/mod_rewrite.c	Mon Aug 20 10:22:53 2012
++++ modules/mappers/mod_rewrite.c	Tue Sep 18 04:02:33 2012
[email protected]@ -4302,14 +4302,29 @@
+     /* Unless the anyuri option is set, ensure that the input to the
+      * first rule really is a URL-path, avoiding security issues with
+      * poorly configured rules.  See CVE-2011-3368, CVE-2011-4317. */
++    /*
++     * We believe that URI starting with "http://" is valid and thus we fork
++     * here little bit from upstream. I'm intentionally not optimizing
++     * following if statement to keep changes against upstream clear.
++     * See also: https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
++     */
+     if ((dconf->options & OPTION_ANYURI) == 0
+         && ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+-            || !r->uri || r->uri[0] != '/')) {
++            || !r->uri)) {
+         rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
+                     "Consult the manual entry for the RewriteOptions directive "
+                     "for options and caveats about matching other strings.",
+                     r->uri));
          return DECLINED;
-     }
- 
--    if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
--        || !r->uri || r->uri[0] != '/') {
-+    if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') || !r->uri) {
-         return DECLINED;
-+    } else if (r->uri[0] != '/') {
++    } else if ((dconf->options & OPTION_ANYURI) == 0 && r->uri[0] != '/') {
 +        if (strncmp(r->uri, "http://" , 7) != 0 && 
 +            strncmp(r->uri, "https://", 8 )!= 0) {
++              rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
++                          "Consult the manual entry for the RewriteOptions directive "
++                          "for options and caveats about matching other strings.",
++                          r->uri));
 +             return DECLINED;
 +        }
      }
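Review bot: The new `else if` branch lets any request-URI beginning with `http://` or `https://` reach the rewrite rules without `RewriteOptions AnyURI`, which narrows the guard that the context comment ties to CVE-2011-3368 and CVE-2011-4317. The added comment explains why the fork exists but not what it costs: it should state that loosely written rules (particularly ones that feed a proxy) are again matched against absolute URIs, and that such patterns must be anchored. If the intent is only to serve forward-proxy requests, the exception could be limited to them, e.g. `&& r->proxyreq != PROXYREQ_NONE` on the `strncmp` test; whether `r->proxyreq` is already set at this point is not visible here and needs checking. The function containing this code starts and ends outside the hunk.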