7202142 Upgrade Apache Web Server to version 2.2.23
7164140 ErrorDocument can not handle 400 status properly in case of HTTP 1.1
7198847 Problem with utility/apache
--- a/components/apache2/Makefile Thu Oct 04 16:40:21 2012 -0700
+++ b/components/apache2/Makefile Mon Oct 08 07:58:20 2012 -0700
@@ -23,12 +23,12 @@
include ../../make-rules/shared-macros.mk
COMPONENT_NAME= httpd
-COMPONENT_VERSION= 2.2.22
+COMPONENT_VERSION= 2.2.23
COMPONENT_PROJECT_URL= http://httpd.apache.org/
COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)
COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz
COMPONENT_ARCHIVE_HASH= \
- sha256:74c1ffffefe1a502339b004ad6488fbd858eb425a05968cd67c05695dbc0fe7c
+ sha256:227c85a5c57f2edae0c5c54c68ccc127f06f6e7cff5340efa00de04f463fa3a4
COMPONENT_ARCHIVE_URL= http://archive.apache.org/dist/httpd/$(COMPONENT_ARCHIVE)
CONFIGURE_DEFAULT_DIRS=no
--- a/components/apache2/apache-22.p5m Thu Oct 04 16:40:21 2012 -0700
+++ b/components/apache2/apache-22.p5m Mon Oct 08 07:58:20 2012 -0700
@@ -348,17 +348,17 @@
file path=usr/apache2/2.2/libexec/mod_usertrack.so
file path=usr/apache2/2.2/libexec/mod_version.so
file path=usr/apache2/2.2/libexec/mod_vhost_alias.so
-file path=usr/apache2/2.2/man/man1/ab.1
-file path=usr/apache2/2.2/man/man1/apxs.1
file path=usr/apache2/2.2/man/man1/dbmmanage.1
file path=usr/apache2/2.2/man/man1/htdbm.1
file path=usr/apache2/2.2/man/man1/httxt2dbm.1
file path=usr/apache2/2.2/man/man1/htdigest.1
file path=usr/apache2/2.2/man/man1/htpasswd.1
-file path=usr/apache2/2.2/man/man1/logresolve.1
+file path=usr/apache2/2.2/man/man8/ab.8
file path=usr/apache2/2.2/man/man8/apachectl.8
+file path=usr/apache2/2.2/man/man8/apxs.8
file path=usr/apache2/2.2/man/man8/htcacheclean.8
file path=usr/apache2/2.2/man/man8/httpd.8
+file path=usr/apache2/2.2/man/man8/logresolve.8
file path=usr/apache2/2.2/man/man8/rotatelogs.8
file path=usr/apache2/2.2/man/man8/suexec.8
file Solaris/apache2.1m.sunman path=usr/share/man/man1m/apache2.1m
@@ -633,17 +633,17 @@
link path=usr/bin/httxt2dbm target=../apache2/2.2/bin/httxt2dbm
link path=usr/bin/logresolve target=../apache2/2.2/bin/logresolve
link path=usr/bin/rotatelogs target=../apache2/2.2/bin/rotatelogs
-link path=usr/share/man/man1/ab.1 target=../../../apache2/2.2/man/man1/ab.1
-link path=usr/share/man/man1/apxs.1 target=../../../apache2/2.2/man/man1/apxs.1
link path=usr/share/man/man1/dbmmanage.1 target=../../../apache2/2.2/man/man1/dbmmanage.1
link path=usr/share/man/man1/htdbm.1 target=../../../apache2/2.2/man/man1/htdbm.1
link path=usr/share/man/man1/httxt2dbm.1 target=../../../apache2/2.2/man/man1/httxt2dbm.1
link path=usr/share/man/man1/htdigest.1 target=../../../apache2/2.2/man/man1/htdigest.1
link path=usr/share/man/man1/htpasswd.1 target=../../../apache2/2.2/man/man1/htpasswd.1
-link path=usr/share/man/man1/logresolve.1 target=../../../apache2/2.2/man/man1/logresolve.1
+link path=usr/share/man/man8/ab.8 target=../../../apache2/2.2/man/man8/ab.8
+link path=usr/share/man/man8/apxs.8 target=../../../apache2/2.2/man/man8/apxs.8
link path=usr/share/man/man8/apachectl.8 target=../../../apache2/2.2/man/man8/apachectl.8
link path=usr/share/man/man8/htcacheclean.8 target=../../../apache2/2.2/man/man8/htcacheclean.8
link path=usr/share/man/man8/httpd.8 target=../../../apache2/2.2/man/man8/httpd.8
+link path=usr/share/man/man8/logresolve.8 target=../../../apache2/2.2/man/man8/logresolve.8
link path=usr/share/man/man8/rotatelogs.8 target=../../../apache2/2.2/man/man8/rotatelogs.8
link path=usr/share/man/man8/suexec.8 target=../../../apache2/2.2/man/man8/suexec.8
link path=var/apache2/2.2/libexec/64 target=$(MACH64)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/components/apache2/patches/bug48357.patch Mon Oct 08 07:58:20 2012 -0700
@@ -0,0 +1,39 @@
+https://issues.apache.org/bugzilla/show_bug.cgi?id=48357
+
+--- server/protocol.c Tue Jan 24 12:02:19 2012
++++ server/protocol.c Mon Oct 1 04:53:41 2012
[email protected]@ -869,7 +869,7 @@
+ request_rec *r;
+ apr_pool_t *p;
+ const char *expect;
+- int access_status;
++ int access_status = HTTP_OK;
+ apr_bucket_brigade *tmp_bb;
+ apr_socket_t *csd;
+ apr_interval_time_t cur_timeout;
[email protected]@ -1021,7 +1021,7 @@
+ * HTTP/1.1 mentions twice (S9, S14.23) that a request MUST contain
+ * a Host: header, and the server MUST respond with 400 if it doesn't.
+ */
+- r->status = HTTP_BAD_REQUEST;
++ access_status = HTTP_BAD_REQUEST;
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "client sent HTTP/1.1 request without hostname "
+ "(see RFC2616 section 14.23): %s", r->uri);
[email protected]@ -1037,14 +1037,8 @@
+ ap_add_input_filter_handle(ap_http_input_filter_handle,
+ NULL, r, r->connection);
+
+- if (r->status != HTTP_OK) {
+- ap_send_error_response(r, 0);
+- ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+- ap_run_log_transaction(r);
+- return r;
+- }
+-
+- if ((access_status = ap_run_post_read_request(r))) {
++ if (access_status != HTTP_OK
++ || (access_status = ap_run_post_read_request(r))) {
+ ap_die(access_status, r);
+ ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+ ap_run_log_transaction(r);
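Review bot: With the `if (r->status != HTTP_OK)` block removed in the third inner hunk, nothing in the visible code acts on `r->status` any more. An error that earlier code in this function records in `r->status` rather than in `access_status` would then fall through to `ap_run_post_read_request()` and normal processing instead of being answered with an error response. Only the missing-Host case is converted to `access_status` here; whether other paths before this point (outside the hunks) still set `r->status` should be checked against the 2.2.23 source. If they do, carry the status over before the combined test, e.g. `if (access_status == HTTP_OK && r->status != HTTP_OK) access_status = r->status;`. The enclosing function starts and ends outside the hunks shown.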
--- a/components/apache2/patches/bug52774.patch Thu Oct 04 16:40:21 2012 -0700
+++ b/components/apache2/patches/bug52774.patch Mon Oct 08 07:58:20 2012 -0700
@@ -1,18 +1,33 @@
https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
---- modules/mappers/mod_rewrite.c Tue Jan 24 11:39:31 2012
-+++ modules/mappers/mod_rewrite.c Thu Apr 5 07:37:37 2012
[email protected]@ -4266,9 +4266,13 @@
+--- modules/mappers/mod_rewrite.c Mon Aug 20 10:22:53 2012
++++ modules/mappers/mod_rewrite.c Tue Sep 18 04:02:33 2012
[email protected]@ -4302,14 +4302,29 @@
+ /* Unless the anyuri option is set, ensure that the input to the
+ * first rule really is a URL-path, avoiding security issues with
+ * poorly configured rules. See CVE-2011-3368, CVE-2011-4317. */
++ /*
++ * We believe that URI starting with "http://" is valid and thus we fork
++ * here little bit from upstream. I'm intentionally not optimizing
++ * following if statement to keep changes against upstream clear.
++ * See also: https://issues.apache.org/bugzilla/show_bug.cgi?id=52774
++ */
+ if ((dconf->options & OPTION_ANYURI) == 0
+ && ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
+- || !r->uri || r->uri[0] != '/')) {
++ || !r->uri)) {
+ rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
+ "Consult the manual entry for the RewriteOptions directive "
+ "for options and caveats about matching other strings.",
+ r->uri));
return DECLINED;
- }
-
-- if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0')
-- || !r->uri || r->uri[0] != '/') {
-+ if ((r->unparsed_uri[0] == '*' && r->unparsed_uri[1] == '\0') || !r->uri) {
- return DECLINED;
-+ } else if (r->uri[0] != '/') {
++ } else if ((dconf->options & OPTION_ANYURI) == 0 && r->uri[0] != '/') {
+ if (strncmp(r->uri, "http://" , 7) != 0 &&
+ strncmp(r->uri, "https://", 8 )!= 0) {
++ rewritelog((r, 8, NULL, "Declining, request-URI '%s' is not a URL-path. "
++ "Consult the manual entry for the RewriteOptions directive "
++ "for options and caveats about matching other strings.",
++ r->uri));
+ return DECLINED;
+ }
}
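Review bot: The new `else if ((dconf->options & OPTION_ANYURI) == 0 && r->uri[0] != '/')` branch lets any request-URI beginning with `http://` or `https://` reach the first rule even without the anyuri option. That narrows the guard which the upstream comment ties to CVE-2011-3368 and CVE-2011-4317. The added comment says why the fork exists but not what it means for rule authors; I would add a line such as `/* Absolute http(s) URIs are matched by rules here; patterns feeding a proxy or redirect target should be anchored on ^/ */`. The prefix test is also case-sensitive, so `HTTP://...` is declined while `http://...` is accepted; if that is the intended stricter choice, say so in the comment. The function body continues outside the hunk.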