authorStefan Fritsch <sf@debian.org>2010-03-07 22:02:34 +0000
committerStefan Fritsch <sf@sfritsch.de>2012-01-02 10:37:08 +0100
commit9758b8d214623ba0229b0065993384e9426931cd (patch)
tree2d2f20231f607429e4a806990f0b9981529048b4
parentf06031deb81fe296cc96b6e76ebfeaba1995b52b (diff)
downloadapache2-9758b8d214623ba0229b0065993384e9426931cd.tar.gz
Prepare new upstream 2.2.15
- build mod_reqtimeout - enable mod_reqtimeout by default and on upgrades - bump openssl build-dep to 0.9.8m for SSLInsecureRenegotiation git-svn-id: svn+ssh://svn.debian.org/svn/pkg-apache/trunk/apache2@1162 01b336ce-410b-0410-9a02-a0e7f243c266
-rw-r--r--debian/apache2.2-common.postinst5
-rw-r--r--debian/changelog16
-rw-r--r--debian/config-dir/mods-available/reqtimeout.conf12
-rw-r--r--debian/config-dir/mods-available/reqtimeout.load1
-rw-r--r--debian/config-dir/mods-available/ssl.conf4
-rw-r--r--debian/control2
-rw-r--r--debian/patches/00list4
-rwxr-xr-xdebian/patches/033_dbm_read_hash_or_btree10
-rw-r--r--debian/patches/068_mod_dav_detect_EOF.dpatch20
-rw-r--r--debian/patches/070_RemoveType_override_mime.types.dpatch55
-rw-r--r--debian/patches/072_CVE-2009-3555.dpatch384
-rw-r--r--debian/patches/078_avoid_brigade_destroy.dpatch92
-rwxr-xr-xdebian/rules2
13 files changed, 44 insertions, 563 deletions
diff --git a/debian/apache2.2-common.postinst b/debian/apache2.2-common.postinst
index 32645529..45b081d1 100644
--- a/debian/apache2.2-common.postinst
+++ b/debian/apache2.2-common.postinst
@@ -72,6 +72,11 @@ if dpkg --compare-versions "$2" lt 2.2.14-3~; then
rm -f /var/lock/apache2/DAVLock.dir /var/lock/apache2/DAVLock.pag
fi
+# Note, this line catches new installs as well as upgrades
+if dpkg --compare-versions "$2" lt 2.2.15-1~0; then
+ a2enmod -q reqtimeout
+fi
+
rm -f /etc/apache2/ports.conf.dpkg-apache2.2-common.old
rm -f /etc/default/apache2.dpkg-apache2.2-common.old
rm -f /etc/apache2/conf.d/charset.dpkg-apache2.2-common.old
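Review bot: The new `if dpkg --compare-versions "$2" lt 2.2.15-1~0; then` relies on dpkg ordering the empty `$2` of a fresh install below every real version; the comment above asserts that this catches new installs, but the condition itself does not show it, so whoever bumps the version later has to know the rule. Making it explicit keeps the behaviour and documents it: `if [ -z "$2" ] || dpkg --compare-versions "$2" lt 2.2.15-1~0; then`. The exit status of `a2enmod -q reqtimeout` is also unchecked; whether a failure there aborts the postinst depends on a `set -e` outside this hunk, which is worth confirming so a missing reqtimeout.load does not leave the package half-configured.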
diff --git a/debian/changelog b/debian/changelog
index 2d2cf281..51060d82 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,19 @@
-apache2 (2.2.14-8) UNRELEASED; urgency=low
+apache2 (2.2.15-1) UNRELEASED; urgency=low
+ * New upstream version:
+ - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability
+ - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol
+ prefix injection attack.
+ - CVE-2010-0434: mod_headers: Fix potential information leak with threaded
+ MPMs.
+ - mod_ssl: Add SSLInsecureRenegotiation directive to allows insecure
+ renegotiation with clients which do not yet support the secure
+ renegotiation protocol. As this requires openssl 0.9.8m, bump
+ build dependency accordingly.
+ - mod_reqtimeout: New module limiting the time waiting for receiving
+ a request from the client. This is a (partial) mitigation against
+ slowloris-type resource exhaustion attacks. The module is enabled by
+ default. Closes: #533661
* Fix bash completion for a2ensite if the site name contains 'conf' or
'load'. Closes: #572232
* Do a configcheck in the init script before doing a non-graceful restart.
diff --git a/debian/config-dir/mods-available/reqtimeout.conf b/debian/config-dir/mods-available/reqtimeout.conf
new file mode 100644
index 00000000..5620d62c
--- /dev/null
+++ b/debian/config-dir/mods-available/reqtimeout.conf
@@ -0,0 +1,12 @@
+<IfModule reqtimeout_module>
+
+# Wait max 10 seconds for the first byte of the request line+headers
+# From then, require a minimum data rate of 500 bytes/s, but don't
+# wait longer than 20 seconds in total.
+RequestReadTimeout header=10-20,minrate=500
+
+# Wait max 10 seconds for the first byte of the request body (if any)
+# From then, require a minimum data rate of 500 bytes/s
+RequestReadTimeout body=10,minrate=500
+
+</IfModule>
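Review bot: The body rule `RequestReadTimeout body=10,minrate=500` has no upper bound, unlike the header rule's `10-20`, so a client that keeps sending at 500 bytes/s can hold a worker for as long as its upload lasts. That is presumably deliberate, so that large uploads are not cut off, but the comment above the line should say so rather than leaving the asymmetry unexplained, e.g. `# No upper limit here, so that large uploads at a reasonable rate are not aborted`. It would also help operators to note in the same comment that clients hitting these limits receive a 408 and that the module logs the event, since that is how the setting's effect on real traffic will be noticed after the default is enabled.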
diff --git a/debian/config-dir/mods-available/reqtimeout.load b/debian/config-dir/mods-available/reqtimeout.load
new file mode 100644
index 00000000..8b2c5e6a
--- /dev/null
+++ b/debian/config-dir/mods-available/reqtimeout.load
@@ -0,0 +1 @@
+LoadModule reqtimeout_module /usr/lib/apache2/modules/mod_reqtimeout.so
diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf
index 0e8c1fdf..839131ec 100644
--- a/debian/config-dir/mods-available/ssl.conf
+++ b/debian/config-dir/mods-available/ssl.conf
@@ -62,4 +62,8 @@ SSLCipherSuite HIGH:MEDIUM:!ADH
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
+# Allow insecure renegotiation with clients which do not yet support the
+# secure renegotiation protocol
+# SSLInsecureRenegotiation on
+
</IfModule>
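Review bot: The comment above the commented-out `# SSLInsecureRenegotiation on` describes only what the directive allows, not what it gives up: turning it on re-enables the renegotiation behaviour that CVE-2009-3555, named in this commit's changelog, exploits, so an administrator reading the file gets no hint that this is a compatibility fallback with a cost. Extend the comment with two lines such as `# Note: enabling this reintroduces the CVE-2009-3555 renegotiation prefix injection;` and `# use it only temporarily, for clients that cannot be upgraded.`. The enclosing `<IfModule>` block starts outside this hunk.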
diff --git a/debian/control b/debian/control
index 636eb317..2417288a 100644
--- a/debian/control
+++ b/debian/control
@@ -3,7 +3,7 @@ Section: httpd
Priority: optional
Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
Uploaders: Tollef Fog Heen <tfheen@debian.org>, Thom May <thom@debian.org>, Peter Samuelson <peter@p12n.org>, Stefan Fritsch <sf@debian.org>, Steinar H. Gunderson <sesse@debian.org>
-Build-Depends: debhelper (>= 7.4.3), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev, sharutils, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], autoconf
+Build-Depends: debhelper (>= 7.4.3), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev (>= 0.9.8m), sharutils, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], autoconf
Build-Conflicts: autoconf2.13
Standards-Version: 3.8.4
Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2
diff --git a/debian/patches/00list b/debian/patches/00list
index 9cf7274d..cef03a32 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -15,17 +15,13 @@
057_disablemods.dpatch
058_suexec-CVE-2007-1742.dpatch
067_fix_segfault_in_ab.dpatch
-068_mod_dav_detect_EOF.dpatch
069_no_deflate_for_HEAD.dpatch
-070_RemoveType_override_mime.types.dpatch
071_fix_cacheenable.dpatch
-072_CVE-2009-3555.dpatch
073_mod_dav_trunk_fixes.dpatch
074_link_support_progs_with_lcrypt.dpatch
075_mod_rewrite_literal_ipv6_redirect.dpatch
076_apxs2_a2enmod.dpatch
077_CacheIgnoreURLSessionIdentifiers.dpatch
-078_avoid_brigade_destroy.dpatch
079_polish_translation.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
diff --git a/debian/patches/033_dbm_read_hash_or_btree b/debian/patches/033_dbm_read_hash_or_btree
index 410c336c..15283971 100755
--- a/debian/patches/033_dbm_read_hash_or_btree
+++ b/debian/patches/033_dbm_read_hash_or_btree
@@ -17,7 +17,7 @@
sub usage {
my $cmds = join "|", sort keys %dbmc::;
@@ -154,7 +154,9 @@
- my($mode, $flags) = $command =~
+ my($mode, $flags) = $command =~
/^(?:view|check)$/ ? (0644, O_RDONLY) : (0644, O_RDWR|O_CREAT);
-tie (%DB, "AnyDBM_File", $file, $flags, $mode) || die "Can't tie $file: $!";
@@ -28,11 +28,11 @@
untie %DB;
@@ -168,7 +168,7 @@
- srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
+ srand (time ^ $$ or time ^ ($$ + ($$ << 15)));
}
else {
-- for (qw(-xlwwa -le)) {
-+ for (qw(xlwwa -le)) {
- `ps $_ 2>/dev/null`;
+- for (qw(-xlwwa -le)) {
++ for (qw(xlwwa -le)) {
+ `ps $_ 2>/dev/null`;
$psf = $_, last unless $?;
}
diff --git a/debian/patches/068_mod_dav_detect_EOF.dpatch b/debian/patches/068_mod_dav_detect_EOF.dpatch
deleted file mode 100644
index 4cef425f..00000000
--- a/debian/patches/068_mod_dav_detect_EOF.dpatch
+++ /dev/null
@@ -1,20 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-##
-## DP: Detect aborted connections for PUT and POST (Bug#451563)
-## Forwarded: https://issues.apache.org/bugzilla/show_bug.cgi?id=33098
-
-@DPATCH@
---- a/modules/http/http_filters.c 2009/07/09 06:24:53 792408
-+++ a/modules/http/http_filters.c 2009/07/09 06:28:54 792409
-@@ -524,6 +524,11 @@
-
- if (ctx->state != BODY_NONE) {
- ctx->remaining -= totalread;
-+ if (ctx->remaining > 0) {
-+ e = APR_BRIGADE_LAST(b);
-+ if (APR_BUCKET_IS_EOS(e))
-+ return APR_EOF;
-+ }
- }
-
- /* If we have no more bytes remaining on a C-L request,
diff --git a/debian/patches/070_RemoveType_override_mime.types.dpatch b/debian/patches/070_RemoveType_override_mime.types.dpatch
deleted file mode 100644
index 6f99505b..00000000
--- a/debian/patches/070_RemoveType_override_mime.types.dpatch
+++ /dev/null
@@ -1,55 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: Make RemoveType override the info from TypesConfig
-
-@DPATCH@
-commit 22de79599d8b6bf44a9e590f1a66166f5e9742fd
-Author: Stefan Fritsch <sf@apache.org>
-Date: Sat Oct 3 12:13:41 2009 +0000
-
- Make RemoveType override the info from TypesConfig
-
-
- git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@821298 13f79535-47bb-0310-9956-ffa450edef68
-
-diff --git a/modules/http/mod_mime.c b/modules/http/mod_mime.c
-index 9570976..3cde932 100644
---- a/modules/http/mod_mime.c
-+++ b/modules/http/mod_mime.c
-@@ -274,6 +274,16 @@ static const char *add_extension_info(cmd_parms *cmd, void *m_,
- }
-
- /*
-+ * As RemoveType should also override the info from TypesConfig, we add an
-+ * empty string as type instead of actually removing the type.
-+ */
-+static const char *remove_extension_type(cmd_parms *cmd, void *m_,
-+ const char *ext)
-+{
-+ return add_extension_info(cmd, m_, "", ext);
-+}
-+
-+/*
- * Note handler names are un-added with each per_dir_config merge.
- * This keeps the association from being inherited, but not
- * from being re-added at a subordinate level.
-@@ -403,7 +413,7 @@ static const command_rec mime_cmds[] =
- AP_INIT_ITERATE("RemoveOutputFilter", remove_extension_info,
- (void *)APR_OFFSETOF(extension_info, output_filters), OR_FILEINFO,
- "one or more file extensions"),
-- AP_INIT_ITERATE("RemoveType", remove_extension_info,
-+ AP_INIT_ITERATE("RemoveType", remove_extension_type,
- (void *)APR_OFFSETOF(extension_info, forced_type), OR_FILEINFO,
- "one or more file extensions"),
- AP_INIT_TAKE1("TypesConfig", set_types_config, NULL, RSRC_CONF,
-@@ -819,7 +829,8 @@ static int find_ct(request_rec *r)
-
- if (exinfo != NULL) {
-
-- if (exinfo->forced_type) {
-+ /* empty string is treated as special case for RemoveType */
-+ if (exinfo->forced_type && *exinfo->forced_type) {
- ap_set_content_type(r, exinfo->forced_type);
- found = 1;
- }
diff --git a/debian/patches/072_CVE-2009-3555.dpatch b/debian/patches/072_CVE-2009-3555.dpatch
deleted file mode 100644
index 1af643a4..00000000
--- a/debian/patches/072_CVE-2009-3555.dpatch
+++ /dev/null
@@ -1,384 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: TLS/SSL partial fix for CVE-2009-3555
-## DP: includes http://svn.apache.org/viewcvs.cgi?rev=891282&view=rev
-
-@DPATCH@
- *) SECURITY: CVE-2009-3555 (cve.mitre.org)
- A partial fix for the TLS renegotiation prefix injection attack by
- rejecting any client-initiated renegotiations. Any configuration
- which requires renegotiation for per-directory/location access
- control is still vulnerable, unless using OpenSSL >= 0.9.8l.
- [Joe Orton, Ruediger Pluem]
-Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c
-URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_init.c?rev=833622&r1=833621&r2=833622&view=diff
-==============================================================================
---- 1/modules/ssl/ssl_engine_init.c (original)
-+++ 1/modules/ssl/ssl_engine_init.c Sat Nov 7 00:56:23 2009
-@@ -501,10 +501,7 @@
- SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
- SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
-
-- if (s->loglevel >= APLOG_DEBUG) {
-- /* this callback only logs if LogLevel >= info */
-- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
-- }
-+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
- }
-
- static void ssl_init_ctx_verify(server_rec *s,
-
-Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c
-URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_io.c?rev=833622&r1=833621&r2=833622&view=diff
-==============================================================================
---- 1/modules/ssl/ssl_engine_io.c (original)
-+++ 1/modules/ssl/ssl_engine_io.c Sat Nov 7 00:56:23 2009
-@@ -103,6 +103,7 @@
- ap_filter_t *pInputFilter;
- ap_filter_t *pOutputFilter;
- int nobuffer; /* non-zero to prevent buffering */
-+ SSLConnRec *config;
- } ssl_filter_ctx_t;
-
- typedef struct {
-@@ -193,7 +194,13 @@
- static int bio_filter_out_write(BIO *bio, const char *in, int inl)
- {
- bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
--
-+
-+ /* Abort early if the client has initiated a renegotiation. */
-+ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
-+ outctx->rc = APR_ECONNABORTED;
-+ return -1;
-+ }
-+
- /* when handshaking we'll have a small number of bytes.
- * max size SSL will pass us here is about 16k.
- * (16413 bytes to be exact)
-@@ -466,6 +473,12 @@
- if (!in)
- return 0;
-
-+ /* Abort early if the client has initiated a renegotiation. */
-+ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
-+ inctx->rc = APR_ECONNABORTED;
-+ return -1;
-+ }
-+
- /* XXX: flush here only required for SSLv2;
- * OpenSSL calls BIO_flush() at the appropriate times for
- * the other protocols.
-@@ -1358,9 +1371,17 @@
- }
- else {
- /* We have no idea what you are talking about, so return an error. */
-- return APR_ENOTIMPL;
-+ status = APR_ENOTIMPL;
- }
-
-+ /* It is possible for mod_ssl's BIO to be used outside of the
-+ * direct control of mod_ssl's input or output filter -- notably,
-+ * when mod_ssl initiates a renegotiation. Switching the BIO mode
-+ * back to "blocking" here ensures such operations don't fail with
-+ * SSL_ERROR_WANT_READ. */
-+ inctx->block = APR_BLOCK_READ;
-+
-+ /* Handle custom errors. */
- if (status != APR_SUCCESS) {
- return ssl_io_filter_error(f, bb, status);
- }
-@@ -1724,6 +1745,8 @@
-
- filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
-
-+ filter_ctx->config = myConnConfig(c);
-+
- filter_ctx->nobuffer = 0;
- filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
- filter_ctx, NULL, c);
-Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c
-URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_engine_kernel.c?rev=833622&r1=833621&r2=833622&view=diff
-==============================================================================
---- 1/modules/ssl/ssl_engine_kernel.c (original)
-+++ 1/modules/ssl/ssl_engine_kernel.c Sat Nov 7 00:56:23 2009
-@@ -35,6 +35,29 @@
- static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
- #endif
-
-+/* Perform a speculative (and non-blocking) read from the connection
-+ * filters for the given request, to determine whether there is any
-+ * pending data to read. Return non-zero if there is, else zero. */
-+static int has_buffered_data(request_rec *r)
-+{
-+ apr_bucket_brigade *bb;
-+ apr_off_t len;
-+ apr_status_t rv;
-+ int result;
-+
-+ bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
-+
-+ rv = ap_get_brigade(r->connection->input_filters, bb, AP_MODE_SPECULATIVE,
-+ APR_NONBLOCK_READ, 1);
-+ result = rv == APR_SUCCESS
-+ && apr_brigade_length(bb, 1, &len) == APR_SUCCESS
-+ && len > 0;
-+
-+ apr_brigade_destroy(bb);
-+
-+ return result;
-+}
-+
- /*
- * Post Read Request Handler
- */
-@@ -720,6 +743,23 @@
- else {
- request_rec *id = r->main ? r->main : r;
-
-+ /* Additional mitigation for CVE-2009-3555: At this point,
-+ * before renegotiating, an (entire) request has been read
-+ * from the connection. An attacker may have sent further
-+ * data to "prefix" any subsequent request by the victim's
-+ * client after the renegotiation; this data may already
-+ * have been read and buffered. Forcing a connection
-+ * closure after the response ensures such data will be
-+ * discarded. Legimately pipelined HTTP requests will be
-+ * retried anyway with this approach. */
-+ if (has_buffered_data(r)) {
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
-+ "insecure SSL re-negotiation required, but "
-+ "a pipelined request is present; keepalive "
-+ "disabled");
-+ r->connection->keepalive = AP_CONN_CLOSE;
-+ }
-+
- /* do a full renegotiation */
- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
- "Performing full renegotiation: "
-@@ -729,6 +769,10 @@
- (unsigned char *)&id,
- sizeof(id));
-
-+ /* Toggle the renegotiation state to allow the new
-+ * handshake to proceed. */
-+ sslconn->reneg_state = RENEG_ALLOW;
-+
- SSL_renegotiate(ssl);
- SSL_do_handshake(ssl);
-
-@@ -750,6 +794,8 @@
- SSL_set_state(ssl, SSL_ST_ACCEPT);
- SSL_do_handshake(ssl);
-
-+ sslconn->reneg_state = RENEG_REJECT;
-+
- if (SSL_get_state(ssl) != SSL_ST_OK) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
- "Re-negotiation handshake failed: "
-@@ -1844,76 +1890,55 @@
- return;
- }
-
--/*
-- * This callback function is executed while OpenSSL processes the
-- * SSL handshake and does SSL record layer stuff. We use it to
-- * trace OpenSSL's processing in out SSL logfile.
-- */
--void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
-+/* Dump debugginfo trace to the log file. */
-+static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c,
-+ server_rec *s, int where, int rc)
- {
-- conn_rec *c;
-- server_rec *s;
-- SSLSrvConfigRec *sc;
--
-- /*
-- * find corresponding server
-- */
-- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
-- return;
-- }
--
-- s = mySrvFromConn(c);
-- if (!(sc = mySrvConfig(s))) {
-- return;
-- }
--
- /*
- * create the various trace messages
- */
-- if (s->loglevel >= APLOG_DEBUG) {
-- if (where & SSL_CB_HANDSHAKE_START) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Handshake: start", SSL_LIBRARY_NAME);
-- }
-- else if (where & SSL_CB_HANDSHAKE_DONE) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Handshake: done", SSL_LIBRARY_NAME);
-- }
-- else if (where & SSL_CB_LOOP) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Loop: %s",
-- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-- }
-- else if (where & SSL_CB_READ) {
-+ if (where & SSL_CB_HANDSHAKE_START) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Handshake: start", SSL_LIBRARY_NAME);
-+ }
-+ else if (where & SSL_CB_HANDSHAKE_DONE) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Handshake: done", SSL_LIBRARY_NAME);
-+ }
-+ else if (where & SSL_CB_LOOP) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Loop: %s",
-+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-+ }
-+ else if (where & SSL_CB_READ) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Read: %s",
-+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-+ }
-+ else if (where & SSL_CB_WRITE) {
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Write: %s",
-+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-+ }
-+ else if (where & SSL_CB_ALERT) {
-+ char *str = (where & SSL_CB_READ) ? "read" : "write";
-+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+ "%s: Alert: %s:%s:%s",
-+ SSL_LIBRARY_NAME, str,
-+ SSL_alert_type_string_long(rc),
-+ SSL_alert_desc_string_long(rc));
-+ }
-+ else if (where & SSL_CB_EXIT) {
-+ if (rc == 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Read: %s",
-+ "%s: Exit: failed in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
-- else if (where & SSL_CB_WRITE) {
-+ else if (rc < 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Write: %s",
-+ "%s: Exit: error in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
-- else if (where & SSL_CB_ALERT) {
-- char *str = (where & SSL_CB_READ) ? "read" : "write";
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Alert: %s:%s:%s",
-- SSL_LIBRARY_NAME, str,
-- SSL_alert_type_string_long(rc),
-- SSL_alert_desc_string_long(rc));
-- }
-- else if (where & SSL_CB_EXIT) {
-- if (rc == 0) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Exit: failed in %s",
-- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-- }
-- else if (rc < 0) {
-- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-- "%s: Exit: error in %s",
-- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
-- }
-- }
- }
-
- /*
-@@ -1933,6 +1958,52 @@
- }
- }
-
-+/*
-+ * This callback function is executed while OpenSSL processes the SSL
-+ * handshake and does SSL record layer stuff. It's used to trap
-+ * client-initiated renegotiations, and for dumping everything to the
-+ * log.
-+ */
-+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
-+{
-+ conn_rec *c;
-+ server_rec *s;
-+ SSLConnRec *scr;
-+
-+ /* Retrieve the conn_rec and the associated SSLConnRec. */
-+ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
-+ return;
-+ }
-+
-+ if ((scr = myConnConfig(c)) == NULL) {
-+ return;
-+ }
-+
-+ /* If the reneg state is to reject renegotiations, check the SSL
-+ * state machine and move to ABORT if a Client Hello is being
-+ * read. */
-+ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
-+ int state = SSL_get_state(ssl);
-+
-+ if (state == SSL3_ST_SR_CLNT_HELLO_A
-+ || state == SSL23_ST_SR_CLNT_HELLO_A) {
-+ scr->reneg_state = RENEG_ABORT;
-+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
-+ "rejecting client initiated renegotiation");
-+ }
-+ }
-+ /* If the first handshake is complete, change state to reject any
-+ * subsequent client-initated renegotiation. */
-+ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
-+ scr->reneg_state = RENEG_REJECT;
-+ }
-+
-+ s = mySrvFromConn(c);
-+ if (s && s->loglevel >= APLOG_DEBUG) {
-+ log_tracing_state(ssl, c, s, where, rc);
-+ }
-+}
-+
- #ifndef OPENSSL_NO_TLSEXT
- /*
- * This callback function is executed when OpenSSL encounters an extended
-
-Modified: httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h
-URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/ssl/ssl_private.h?rev=833622&r1=833621&r2=833622&view=diff
-==============================================================================
---- 1/modules/ssl/ssl_private.h (original)
-+++ 1/modules/ssl/ssl_private.h Sat Nov 7 00:56:23 2009
-@@ -356,6 +356,20 @@
- int is_proxy;
- int disabled;
- int non_ssl_request;
-+
-+ /* Track the handshake/renegotiation state for the connection so
-+ * that all client-initiated renegotiations can be rejected, as a
-+ * partial fix for CVE-2009-3555. */
-+ enum {
-+ RENEG_INIT = 0, /* Before initial handshake */
-+ RENEG_REJECT, /* After initial handshake; any client-initiated
-+ * renegotiation should be rejected */
-+ RENEG_ALLOW, /* A server-initated renegotiation is taking
-+ * place (as dictated by configuration) */
-+ RENEG_ABORT /* Renegotiation initiated by client, abort the
-+ * connection */
-+ } reneg_state;
-+
- server_rec *server;
- } SSLConnRec;
-
-@@ -574,7 +588,7 @@
- int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
- SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
- void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
--void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
-+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
- #ifndef OPENSSL_NO_TLSEXT
- int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
- #endif
diff --git a/debian/patches/078_avoid_brigade_destroy.dpatch b/debian/patches/078_avoid_brigade_destroy.dpatch
deleted file mode 100644
index 8f98e871..00000000
--- a/debian/patches/078_avoid_brigade_destroy.dpatch
+++ /dev/null
@@ -1,92 +0,0 @@
-#! /bin/sh /usr/share/dpatch/dpatch-run
-##
-## All lines beginning with `## DP:' are a description of the patch.
-## DP: avoid potential mem leaks
-## DP: adapted from r821477 from upstream svn
-
-@DPATCH@
-Index: server/core_filters.c
-===================================================================
---- a/server/core_filters.c (Revision 911217)
-+++ a/server/core_filters.c (Arbeitskopie)
-@@ -655,6 +655,8 @@
- /* Create a temporary brigade as a means
- * of concatenating a bunch of buckets together
- */
-+ temp_brig = apr_brigade_create(f->c->pool,
-+ f->c->bucket_alloc);
- if (last_merged_bucket) {
- /* If we've concatenated together small
- * buckets already in a previous pass,
-@@ -667,16 +669,9 @@
- * these buckets, so that the content
- * in them doesn't have to be copied again.
- */
-- apr_bucket_brigade *bb;
-- bb = apr_brigade_split(b,
-- APR_BUCKET_NEXT(last_merged_bucket));
-- temp_brig = b;
-- b = bb;
-+ APR_BRIGADE_PREPEND(b, temp_brig);
-+ brigade_move(temp_brig, b, APR_BUCKET_NEXT(last_merged_bucket));
- }
-- else {
-- temp_brig = apr_brigade_create(f->c->pool,
-- f->c->bucket_alloc);
-- }
-
- temp = APR_BRIGADE_FIRST(b);
- while (temp != e) {
-@@ -879,7 +874,7 @@
- logio_add_bytes_out(c, bytes_sent);
- }
-
-- apr_brigade_destroy(b);
-+ apr_brigade_cleanup(b);
-
- /* drive cleanups for resources which were set aside
- * this may occur before or after termination of the request which
-@@ -910,7 +905,7 @@
- "core_output_filter: writing data to the network");
-
- if (more)
-- apr_brigade_destroy(more);
-+ apr_brigade_cleanup(more);
-
- /* No need to check for SUCCESS, we did that above. */
- if (!APR_STATUS_IS_EAGAIN(rv)) {
-Index: modules/http/byterange_filter.c
-===================================================================
---- a/modules/http/byterange_filter.c (Revision 911217)
-+++ a/modules/http/byterange_filter.c (Arbeitskopie)
-@@ -308,7 +308,7 @@
- APR_BRIGADE_INSERT_TAIL(bsend, e);
-
- /* we're done with the original content - all of our data is in bsend. */
-- apr_brigade_destroy(bb);
-+ apr_brigade_cleanup(bb);
-
- /* send our multipart output */
- return ap_pass_brigade(f->next, bsend);
-Index: modules/http/http_filters.c
-===================================================================
---- a/modules/http/http_filters.c (Revision 911217)
-+++ a/modules/http/http_filters.c (Arbeitskopie)
-@@ -1120,7 +1120,7 @@
- ctx = f->ctx = apr_pcalloc(r->pool, sizeof(header_filter_ctx));
- }
- else if (ctx->headers_sent) {
-- apr_brigade_destroy(b);
-+ apr_brigade_cleanup(b);
- return OK;
- }
- }
-@@ -1291,7 +1291,7 @@
- ap_pass_brigade(f->next, b2);
-
- if (r->header_only) {
-- apr_brigade_destroy(b);
-+ apr_brigade_cleanup(b);
- ctx->headers_sent = 1;
- return OK;
- }
diff --git a/debian/rules b/debian/rules
index 181223cb..b600e08c 100755
--- a/debian/rules
+++ b/debian/rules
@@ -69,7 +69,7 @@ AP2_MODS_CONFARGS = --enable-authn-alias=shared --enable-authnz-ldap=shared \
--enable-actions=shared --enable-speling=shared \
--enable-userdir=shared --enable-alias=shared \
--enable-rewrite=shared --enable-mime=shared \
- --enable-substitute=shared
+ --enable-substitute=shared --enable-reqtimeout=shared
AP2_CFLAGS = $(CFLAGS) -g -pipe -I/usr/include/xmltok -I/usr/include/openssl -Wall -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector
AP2_LDFLAGS = -Wl,--as-needed -Wl,-z,relro