Diffstat (limited to 'debian')
82 files changed, 1852 insertions, 1283 deletions
diff --git a/debian/PACKAGING b/debian/PACKAGING index 0bbb06c4..24b80dfb 100644 --- a/debian/PACKAGING +++ b/debian/PACKAGING @@ -69,6 +69,11 @@ interface. If an updated package is not buildable with Apache 2.2 anymore, the apache2-dev build-dependency should be versioned ">> 2.4~", because older versions of apache2-threaded-dev did provide apache2-dev. +A module package that uses openssl specific interfaces in mod_ssl, either by +using the mod_ssl_openssl.h header, or by using mod_ssl-internal private +interfaces (don't do that!), must build-depend on apache2-ssl-dev to ensure +that the correct version of the openssl headers are used. + The resulting binary package should be called libapache2-mod-<modulename> and MUST NOT depend on apache2 or apache2-bin. Instead a module package must depend on our virtual package providing the module magic number which denotes the ABI diff --git a/debian/README.backtrace b/debian/README.backtrace index 17ccb184..9d06130b 100644 --- a/debian/README.backtrace +++ b/debian/README.backtrace @@ -7,9 +7,11 @@ In case of a crash, do the following: 1) Install the packages apache2-dbg libapr1-dbg libaprutil1-dbg gdb. -2) Add "CoreDumpDirectory /var/cache/apache2" to your apache configuration. +2) Add "CoreDumpDirectory /var/cache/apache2/core" to your apache configuration. 3) Execute as root: + mkdir -p /var/cache/apache2/core + chown www-data: /var/cache/apache2/core /etc/init.d/apache2 stop ulimit -c unlimited /etc/init.d/apache2 start @@ -19,14 +21,14 @@ In case of a crash, do the following: 5) If you use a forking MPM (e.g. mod_prefork), execute: - gdb /usr/sbin/apache2 /var/cache/apache2/core + gdb /usr/sbin/apache2 /var/cache/apache2/core/core (gdb) bt full ... (gdb) quit If you use a threaded mpm (mod_worker, mod_event), execute: - gdb /usr/sbin/apache2 /var/cache/apache2/core + gdb /usr/sbin/apache2 /var/cache/apache2/core/core (gdb) thread apply all bt full ... (gdb) quit 
diff --git a/debian/README.multiple-instances b/debian/README.multiple-instances index ae038d39..42c3baff 100644 --- a/debian/README.multiple-instances +++ b/debian/README.multiple-instances @@ -14,11 +14,17 @@ Adjust the configuration in /etc/apache2-xxx, especially the listen ports in ports.conf and in the virtual host directives in /etc/apache2-xxx/sites-enabled/*. -You can then use a2enmod-xxx, /etc/init.d/apache2-xxx, ... as usual, and they +You can then use a2enmod-xxx, apache2ctl-xxx, ... as usual, and they will affect the new instance of apache2. +If you use systemd, the service name of your new instance is +"apache2@xxx.service". Otherwise the script installed an init script +named /etc/init.d/apache2-xxx. + To start the new apache2 instance on boot, use -- if you use dependency based boot sequence (the default): +- if you use systemd, run: + systemctl enable apache2@xxx +- if you use sysv-init with dependency based boot sequence (the default): If you don't have ssl keys with passphrases, you may want to set 'X-Interactive: false' in /etc/init.d/apache2-xxx to reduce boot time. Then execute: 
@@ -55,13 +61,24 @@ The Apache 2 package will only remove the default configuration files and directories. -Configuration -============= +htcacheclean service +==================== + +The apache-htcacheclean service can be handled in the same way as the +main apache2 script. You can create an +'apache-htcacheclean@instance.service' service under systemd or you can +copy /etc/init.d/apache-htcacheclean as +/etc/init.d/apache-htcacheclean-xxx under SystemV. + +The parameters of the service can be customized with +/etc/default/apache-htcacheclean-xxx (that is created by the +setup-instance helper script). -The init script will try to read /etc/defaults/apache2-xxx. If that does not -exist, it will use /etc/defaults/apache2 instead. -The following environment variables can be used to influence the scripts. The +Environment variables +===================== + +The following environment variables can be used to influence many scripts. The default apache2 configuration will make use of them, too. Most can be set in /etc/apache2-xxx/envvars. Variables set in /etc/apache2-xxx/envvars must be exported. @@ -77,7 +94,7 @@ APACHE_ARGUMENTS empty if $APACHE_CONFDIR = /etc/apache2 APACHE_RUN_USER www-data APACHE_RUN_GROUP www-data -APACHE_PID_FILE /var/run/apache2.pid or /var/run/apachd2-xxx.pid +APACHE_PID_FILE /var/run/apache2/apache2.pid or /var/run/apache2-xxx/apache2.pid APACHE_RUN_DIR /var/run/apache2 or /var/run/apache2-xxx APACHE_LOCK_DIR /var/lock/apache2 or /var/lock/apache2-xxx APACHE_LOG_DIR /var/log/apache2 or /var/log/apache2-xxx @@ -89,4 +106,3 @@ APACHE_SITES_ENABLED $APACHE_CONFDIR/sites-enabled APACHE_LYNX www-browser -dump APACHE_STATUSURL http://localhost:80/server-status - diff --git a/debian/a2enmod b/debian/a2enmod index 79736291..0a097265 100755 --- a/debian/a2enmod +++ b/debian/a2enmod 
@@ -11,6 +11,8 @@ use File::Spec; use File::Basename; use File::Path; use Getopt::Long; +use 5.014; +no if $] >= 5.017011, warnings => 'experimental::smartmatch'; my $quiet; my $force; @@ -32,12 +34,18 @@ my $act = $1; my $obj = $2; my $dir_suffix = $3; -my $env_file = $ENV{APACHE_ENVVARS} - || ( - $ENV{APACHE_CONFDIR} - ? "$ENV{APACHE_CONFDIR}/envvars" - : "/etc/apache2$dir_suffix/envvars" - ); +my @essential_module_list = qw(alias auth_basic authn_file authz_host + authz_user autoindex deflate dir env filter logio mime negotiation + setenvif unixd version watchdog); +my $env_file = $ENV{APACHE_ENVVARS}; +if (! $env_file) { + if ($ENV{APACHE_CONFDIR}) { + $env_file = "$ENV{APACHE_CONFDIR}/envvars"; + } + else { + $env_file = "/etc/apache2$dir_suffix/envvars"; + } +} $ENV{LANG} = 'C'; read_env_file($env_file); @@ -79,7 +87,16 @@ my $choicedir = $act eq 'enable' ? $availdir : $enabldir; my $linkdir = File::Spec->abs2rel( $availdir, $enabldir ); my $request_reload = 0; - +my $request_htcacheclean; +my $htc = "apache-htcacheclean$dir_suffix"; +my $htc_service = "apache-htcacheclean"; # Service name for systemd +my $apache_service = "apache2"; +if (defined($dir_suffix) and $dir_suffix ne '') { + # Uses '@instance.service' suffix instead of '-instance' suffix + my $service_suffix = '@' . substr($dir_suffix, 1) . '.service'; + $htc_service .= $service_suffix; + $apache_service .= $service_suffix; +} my $rc = 0; if ( !scalar @ARGV ) { @@ -108,6 +125,9 @@ foreach my $acton (@objs) { doit($acton) or $rc = 1; } +my $htcstart = ""; +my $apache_reload = ""; +my $cmd = ($act eq "enable") ? "start" : "stop"; if ($smf) { my $status = `$svcstatus apache2`; chomp $status; 
@@ -118,12 +138,20 @@ if ($smf) { } else { info("Note, that current status of apache2 service is $status\n") } + exit($rc); +} +if (-d "/run/systemd" and -x "/bin/systemctl") { + $htcstart = " systemctl $cmd $htc_service\n"; + $apache_reload = " systemctl $reload $apache_service\n"; } else { - info( - "To activate the new configuration, you need to run:\n service apache2 $reload\n" - ) if $request_reload; + $htcstart = " service $htc $cmd\n"; + $apache_reload = " service apache2$dir_suffix $reload\n"; } +info( "To activate the new configuration, you need to run:\n" + . $apache_reload + . ($request_htcacheclean ? $htcstart : "") +) if $request_reload; exit($rc); @@ -146,7 +174,7 @@ sub doit { my ( $conftgt, $conflink ); if ( $obj eq 'module' ) { - if ( $acton eq 'cgi' && threaded() ) { + if ( $act eq 'enable' && $acton eq 'cgi' && threaded() ) { print "Your MPM seems to be threaded. Selecting cgid instead of cgi.\n"; $acton = 'cgid'; @@ -195,11 +223,6 @@ sub doit { # handle module dependencies if ( $obj eq 'module' ) { if ( $act eq 'enable' ) { - if ( $acton eq 'mpm_itk' ) { - warning( "MPM_ITK is a third party module that is not part " - . "of the official Apache HTTPD. It has seen less " - . "testing than the official MPM modules." ); - } my @depends = get_deps("$availdir/$acton.load"); do_deps( $acton, @depends ) or return 0; @@ -278,11 +301,7 @@ sub doit { } print "Enabling $obj $acton.\n"; - if ( $acton eq 'ssl' ) { - info( "See /usr/share/doc/apache2/README.Debian.gz on " - . "how to configure SSL and create self-signed certificates.\n" - ); - } + special_module_handling($acton); return add_link( $tgt, $link ) && switch_marker( $obj, $act, $acton ); } @@ -293,6 +312,10 @@ sub doit { } else { if ( -e $link || -l $link ) { + special_module_handling($acton); + if ($obj eq 'module' && grep {$_ eq $acton} @essential_module_list) { + $force || essential_module_handling($acton); + } remove_link($link); if ( $conflink && -e $conflink ) { remove_link($conflink); 
@@ -447,7 +470,7 @@ sub threaded { if ( $? != 0 ) { # config doesn't work - if ( -e "$enabldir/mpm_prefork.load" || -e "$enabldir/mpm_itk.load" ) + if ( -e "$enabldir/mpm_prefork.load" ) { return 0; } @@ -547,4 +570,60 @@ sub switch_marker { } } +sub essential_module_handling { + my $module = shift; + + print "WARNING: The following essential module will be disabled.\n"; + print "This might result in unexpected behavior and should NOT be done\n"; + print "unless you know exactly what you are doing!\n $module\n\n"; + print "To continue type in the phrase 'Yes, do as I say!' or retry by passing '-f': "; + my $input = <STDIN>; + chomp($input); + if ($input ne 'Yes, do as I say!') { + print("Aborting\n"); + exit(1) + } +} + +sub special_module_handling { + my $acton = shift; + + if ($obj ne 'module') { + return; + } + + given ($acton) { + when ('ssl') { + if ( $act eq 'enable' ) { + info( "See /usr/share/doc/apache2/README.Debian.gz on " + . "how to configure SSL and create self-signed " + . "certificates.\n" + ); + } + } + when ('cache_disk') { + $request_htcacheclean = 1; + my $verb = "\u$act"; + my $command; + $verb =~ s/e$/ing/; + if (-d "/run/systemd" and -x "/bin/systemctl") { + info("$verb external service $htc_service\n"); + $command = "systemctl $act $htc_service"; + } else { + info("$verb external service $htc\n"); + $command = "update-rc.d $htc $act"; + } + my $res = system($command); + if ($res == 0) { + info("The service will be started on next reboot.\n") + if $act eq 'enable'; + } + else { + warning("'$command' failed\n"); + } + + } + } +} + # vim: syntax=perl sw=4 sts=4 sr et diff --git a/debian/a2query.in b/debian/a2query.in index 47a60f2b..f9f1a910 100755 --- a/debian/a2query.in +++ b/debian/a2query.in 
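Review bot: In `special_module_handling`, `system($command)` receives one interpolated string, so the command is parsed by `/bin/sh`; `$htc` and `$htc_service` are built from `$dir_suffix`, which, as far as this page shows, comes from a regex capture earlier in the script. The list form keeps each value a single argument and skips the shell: `system('systemctl', $act, $htc_service)` and `system('update-rc.d', $htc, $act)`, with the joined string kept only for the `warning()` text. The `given`/`when` block depends on the experimental smartmatch feature that the new `no if $] >= 5.017011, warnings => 'experimental::smartmatch'` line silences; an `if`/`elsif` on `$acton` would do the same job without it. In `essential_module_handling`, `<STDIN>` yields undef at end of input, so `chomp($input)` warns before the abort when the script runs non-interactively; `my $input = <STDIN> // '';` keeps the fail-closed behaviour without the warning.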
@@ -4,7 +4,7 @@ # Copyright (C) 2012 Arno Töll <debian@toell.net> # # This program is licensed at your choice under the terms of the GNU General -# Public License vserion 2+ or under the terms of the Apache Software License +# Public License version 2+ or under the terms of the Apache Software License # 2.0. # # For GPL-2+: @@ -176,9 +176,9 @@ sub load_defaults { my @out = `$APACHE2 -V 2>/dev/null`; return if $?; - for (my $line; $line <= $#out; $line++) + foreach my $line (@out) { - if ($out[$line] =~ m/(Server version|Server MPM|Magic Number):\s+(.*?)$/) + if ($line =~ m/(Server version|Server MPM|Magic Number):\s+(.*?)$/) { my ($pattern, $value) = ($1, $2); if ($pattern =~ /version/) @@ -186,11 +186,11 @@ sub load_defaults $SERVER_VERSION = $value; $SERVER_VERSION =~ s/[^\d\.]//g; } - elsif($pattern =~ /MPM/) + elsif ($pattern =~ /MPM/) { $MPM = $value; } - elsif($pattern =~ /Magic/) + elsif ($pattern =~ /Magic/) { $API = $value; $API =~ s/\:\d+//; @@ -203,18 +203,18 @@ sub load_defaults sub load_modules { my $conf_dir = $CONFIG_DIR . "/mods-enabled"; - opendir(DIR, $conf_dir) || fail("$conf_dir: $!"); - while( readdir(DIR) ) + opendir(DIR, $conf_dir) || fail("$conf_dir: $!", 1); + while ( readdir(DIR) ) { my $file = $_; next if $file !~ m/\.load$/; $file =~ s/\.load//; - if ($file =~ /mpm_(\w+)/ && $file ne 'mpm_itk') + if ($file =~ /mpm_(event|worker|prefork)/) { $MPM = $1 if $MPM eq 'invalid'; - if(grep { $_ =~ m/^mpm_/ } @MODULES) + if (grep { $_ =~ m/^mpm_(?:event|worker|prefork)/ } @MODULES) { - fail("There is more than one MPM loaded. Do not proceed due to undefined results"); + fail("There is more than one MPM loaded. Do not proceed due to undefined results", 1); } } push @MODULES, $file; 
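Review bot: The new MPM test in `load_modules`, `$file =~ /mpm_(event|worker|prefork)/`, is unanchored, while the duplicate check a few lines below it uses `^mpm_`, so the two can disagree. A file name such as `x_mpm_event.load` (constructed example) would set `$MPM` but would never count as a loaded MPM in the `grep`. Anchoring both patterns, e.g. `if ($file =~ /\Ampm_(event|worker|prefork)\z/)` and `m/\Ampm_(?:event|worker|prefork)\z/` in the `grep`, makes them agree. The changed `opendir(DIR, $conf_dir)` lines here and in `load_conf` and `load_sites` (next hunks) still use a bareword handle; `opendir(my $dh, $conf_dir)` would keep the handle lexical.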
@@ -230,8 +230,8 @@ sub load_conf return; } my $conf_dir = $CONFIG_DIR . "/conf-enabled"; - opendir(DIR, $conf_dir) || fail("$conf_dir: $!"); - while( readdir(DIR) ) + opendir(DIR, $conf_dir) || fail("$conf_dir: $!", 1); + while ( readdir(DIR) ) { my $file = $_; next if $file !~ m/\.conf$/; @@ -249,8 +249,8 @@ sub load_sites return; } my $conf_dir = $CONFIG_DIR . "/sites-enabled"; - opendir(DIR, $conf_dir) || fail("$conf_dir: $!"); - while( readdir(DIR) ) + opendir(DIR, $conf_dir) || fail("$conf_dir: $!", 1); + while ( readdir(DIR) ) { my $file = $_; next if $file !~ m/\.conf$/; diff --git a/debian/apache2-bin.dirs b/debian/apache2-bin.dirs new file mode 100644 index 00000000..642a5c65 --- /dev/null +++ b/debian/apache2-bin.dirs @@ -0,0 +1 @@ +var/lib/apache2 diff --git a/debian/apache2-doc.maintscript b/debian/apache2-doc.maintscript deleted file mode 100644 index 75d87c94..00000000 --- a/debian/apache2-doc.maintscript +++ /dev/null @@ -1 +0,0 @@ -mv_conffile /etc/apache2/conf.d/apache2-doc /etc/apache2/conf-available/apache2-doc.conf diff --git a/debian/apache2-mpm.postinst.in b/debian/apache2-mpm.postinst.in deleted file mode 100644 index 562f8460..00000000 --- a/debian/apache2-mpm.postinst.in +++ /dev/null 
@@ -1,49 +0,0 @@
-#! /bin/bash
-# postinst script for apache2-mpm-__TYPE__
-#
-# see: dh_installdeb(1)
-
-set -e
-
-
-# summary of how this script can be called:
-# * <postinst> `configure' <most-recently-configured-version>
-# * <old-postinst> `abort-upgrade' <new version>
-# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
-# <new-version>
-# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
-# <failed-install-package> <version> `removing'
-# <conflicting-package> <version>
-#
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-case "$1" in
- configure)
- if [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.4.4-4" ; then
- if [ -d /usr/share/doc/apache2-mpm-__TYPE__ ] ; then
- RET=0
- rmdir /usr/share/doc/apache2-mpm-__TYPE__ > /dev/null 2>&1|| RET=$?
- if [ $RET = 0 ] ; then
- ln -s /usr/share/doc/apache2 /usr/share/doc/apache2-mpm-__TYPE__
- fi
- fi
- fi
- ;;
-
- abort-upgrade|abort-remove|abort-deconfigure)
-
- ;;
-
- *)
- echo "postinst called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff --git a/debian/apache2-ssl-dev.install b/debian/apache2-ssl-dev.install
new file mode 100644
index 00000000..5ba2e5e0
--- /dev/null
+++ b/debian/apache2-ssl-dev.install
@@ -0,0 +1 @@
+/usr/include/apache2/mod_ssl_openssl.h
diff --git a/debian/apache2-suexec.postinst b/debian/apache2-suexec.postinst
deleted file mode 100644
index ac1e8314..00000000
--- a/debian/apache2-suexec.postinst
+++ /dev/null
@@ -1,50 +0,0 @@
-#! /bin/bash
-# postinst script for apache2
-#
-# see: dh_installdeb(1)
-
-set -e
-
-
-# summary of how this script can be called:
-# * <postinst> `configure' <most-recently-configured-version>
-# * <old-postinst> `abort-upgrade' <new version>
-# * <conflictor's-postinst> `abort-remove' `in-favour' <package>
-# <new-version>
-# * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
-# <failed-install-package> <version> `removing'
-# <conflicting-package> <version>
-#
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-case "$1" in
- configure)
- if [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.4.3" ; then
- if [ -d /usr/share/doc/apache2-suexec/ ] ; then
- RET=0
- rmdir /usr/share/doc/apache2-suexec/ > /dev/null 2>&1|| RET=$?
- if [ $RET = 0 ] ; then
- ln -s /usr/share/doc/apache2-suexec-pristine /usr/share/doc/apache2-suexec
- fi
- fi
- fi
- ;;
-
- abort-upgrade|abort-remove|abort-deconfigure)
-
- ;;
-
- *)
- echo "postinst called with unknown argument \`$1'" >&2
- exit 1
- ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
-
diff --git a/debian/apache2.2-bin.postinst b/debian/apache2.2-bin.postinst
deleted file mode 100644
index 27a551bf..00000000
--- a/debian/apache2.2-bin.postinst
+++ /dev/null
@@ -1,49 +0,0 @@ -#! /bin/bash -# postinst script for apache2.2-bin -# -# see: dh_installdeb(1) - -set -e - - -# summary of how this script can be called: -# * <postinst> `configure' <most-recently-configured-version> -# * <old-postinst> `abort-upgrade' <new version> -# * <conflictor's-postinst> `abort-remove' `in-favour' <package> -# <new-version> -# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' -# <failed-install-package> <version> `removing' -# <conflicting-package> <version> -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - if [ -n "$2" ] && dpkg --compare-versions "$2" lt "2.4.4-5" ; then - if [ -d /usr/share/doc/apache2.2-bin ] ; then - RET=0 - rmdir /usr/share/doc/apache2.2-bin > /dev/null 2>&1|| RET=$? - if [ $RET = 0 ] ; then - ln -s /usr/share/doc/apache2-bin /usr/share/doc/apache2.2-bin - fi - fi - fi - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff --git a/debian/apache2.NEWS b/debian/apache2.NEWS index b4141511..6b28c833 100644 --- a/debian/apache2.NEWS +++ b/debian/apache2.NEWS @@ -1,3 +1,10 @@ +apache2 (2.4.10-2) unstable; urgency=low + + The default period for which rotated log files are kept has been + reduced from one year to 14 days. + + -- Stefan Fritsch <sf@debian.org> Tue, 23 Sep 2014 22:25:06 +0200 + apache2 (2.4.1-1) unstable; urgency=low This package introduces a new major release of the Apache HTTP server. It is 
@@ -8,10 +15,11 @@ apache2 (2.4.1-1) unstable; urgency=low modules, you have to re-compile them for apache2 2.4. The authorization and authentication system has changed. Existing - configurations using deprecated Order/Allow/Deny directives should be + configurations using deprecated Order/Allow/Deny directives need to be upgraded to the new system. Please review upstream's "Authentication, - Authorization and Access Control Howto" [1]. However, "mod_access_compat" is - loaded by default to provide backward compatibility. + Authorization and Access Control Howto" [1]. There is a new module + "mod_access_compat", which is supposed to provide backward compatibility, + but it does not work well in practice. Furthermore, MPMs are simple modules now. Thus, the MPM can be changed at any time by (un-)loading a specific module. Be careful when upgrading. An diff --git a/debian/apache2.default b/debian/apache2.apache-htcacheclean.default index 020f0796..73637fcd 100644 --- a/debian/apache2.default +++ b/debian/apache2.apache-htcacheclean.default @@ -1,16 +1,12 @@ -### htcacheclean settings ### - -## run htcacheclean: yes, no, auto -## auto means run if /etc/apache2/mods-enabled/cache_disk.load exists -## default: auto -HTCACHECLEAN_RUN=auto +# This file must only contain KEY=VALUE lines. Do not use advanced +# shell script constructs! ## run mode: cron, daemon ## run in daemon mode or as daily cron job ## default: daemon HTCACHECLEAN_MODE=daemon -## cache size +## cache size HTCACHECLEAN_SIZE=300M ## interval: if in daemon mode, clean cache every x minutes @@ -18,7 +14,7 @@ HTCACHECLEAN_DAEMON_INTERVAL=120 ## path to cache ## must be the same as in CacheRoot directive -HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk +#HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk ## additional options: ## -n : be nice diff --git a/debian/apache2.apache-htcacheclean.init b/debian/apache2.apache-htcacheclean.init new file mode 100755 index 00000000..a7043212 --- /dev/null 
+++ b/debian/apache2.apache-htcacheclean.init 
@@ -0,0 +1,64 @@
+#!/bin/sh
+# kFreeBSD do not accept scripts as interpreters, using #!/bin/sh and sourcing.
+if [ true != "$INIT_D_SCRIPT_SOURCED" ] ; then
+ set "$0" "$@"; INIT_D_SCRIPT_SOURCED=true . /lib/init/init-d-script
+fi
+### BEGIN INIT INFO
+# Provides: apache-htcacheclean
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Cache cleaner process for Apache2 web server
+# Description: Start the htcacheclean helper
+# This script will start htcacheclean which will periodically scan the
+# cache directory of Apache2's mod_cache_disk and remove outdated files.
+### END INIT INFO
+
+DESC="Apache htcacheclean"
+DAEMON=/usr/bin/htcacheclean
+
+NAME="${0##*/}"
+NAME="${NAME##[KS][0-9][0-9]}"
+DIR_SUFFIX="${NAME##apache-htcacheclean}"
+APACHE_CONFDIR="${APACHE_CONFDIR:=/etc/apache2$DIR_SUFFIX}"
+RUN_USER=$(. $APACHE_CONFDIR/envvars > /dev/null && echo "$APACHE_RUN_USER")
+
+# Default values. Edit /etc/default/apache-htcacheclean$DIR_SUFFIX to change these
+HTCACHECLEAN_SIZE="${HTCACHECLEAN_SIZE:=300M}"
+HTCACHECLEAN_DAEMON_INTERVAL="${HTCACHECLEAN_DAEMON_INTERVAL:=120}"
+HTCACHECLEAN_PATH="${HTCACHECLEAN_PATH:=/var/cache/apache2$DIR_SUFFIX/mod_cache_disk}"
+HTCACHECLEAN_OPTIONS="${HTCACHECLEAN_OPTIONS:=-n}"
+
+PIDDIR="/var/run/apache2/$RUN_USER"
+PIDFILE="$PIDDIR/$NAME.pid"
+DAEMON_ARGS="$HTCACHECLEAN_OPTIONS \
+ -d$HTCACHECLEAN_DAEMON_INTERVAL \
+ -P$PIDFILE -i \
+ -p$HTCACHECLEAN_PATH \
+ -l$HTCACHECLEAN_SIZE"
+
+do_start_prepare () {
+ if [ ! -d "$PIDDIR" ] ; then
+ mkdir -p "$PIDDIR"
+ chown "$RUN_USER:" "$PIDDIR"
+ fi
+ if [ ! -d "$HTCACHECLEAN_PATH" ] ; then
+ echo "Directory $HTCACHECLEAN_PATH does not exist!" >&2
+ exit 2
+ fi
+}
+
+do_start_cmd_override () {
+ start-stop-daemon --start --quiet --pidfile ${PIDFILE} \
+ -u $RUN_USER --startas $DAEMON --name htcacheclean --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --pidfile ${PIDFILE} \
+ -c $RUN_USER --startas $DAEMON --name htcacheclean -- $DAEMON_ARGS \
+ || return 2
+}
+
+do_stop_cmd_override () {
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
+ -u $RUN_USER --pidfile ${PIDFILE} --name htcacheclean
+}
diff --git a/debian/apache2.apache-htcacheclean.service b/debian/apache2.apache-htcacheclean.service
new file mode 100644
index 00000000..70222f36
--- /dev/null
+++ b/debian/apache2.apache-htcacheclean.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Disk Cache Cleaning Daemon for Apache HTTP Server
+After=apache2.service
+
+[Service]
+Type=forking
+User=www-data
+Environment=HTCACHECLEAN_SIZE=300M
+Environment=HTCACHECLEAN_DAEMON_INTERVAL=120
+Environment=HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk
+Environment=HTCACHECLEAN_OPTIONS=-n
+EnvironmentFile=-/etc/default/apache-htcacheclean
+ExecStart=/usr/bin/htcacheclean -d $HTCACHECLEAN_DAEMON_INTERVAL -p $HTCACHECLEAN_PATH -l $HTCACHECLEAN_SIZE $HTCACHECLEAN_OPTIONS
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/apache2.apache-htcacheclean@.service b/debian/apache2.apache-htcacheclean@.service
new file mode 100644
index 00000000..5cd86726
--- /dev/null
+++ b/debian/apache2.apache-htcacheclean@.service
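Review bot: `RUN_USER` in the new init script is read from `envvars` without a check that it is non-empty, and it is then used unquoted in `-u $RUN_USER` / `-c $RUN_USER` and to build `PIDDIR`. If `$APACHE_CONFDIR/envvars` is missing or does not set `APACHE_RUN_USER`, `PIDDIR` becomes `/var/run/apache2/` and `start-stop-daemon -c` would take the next option as its user argument. A guard right after the assignment, `[ -n "$RUN_USER" ] || { echo "APACHE_RUN_USER is not set in $APACHE_CONFDIR/envvars" >&2; exit 2; }`, together with quoting `"$APACHE_CONFDIR/envvars"` and `"$RUN_USER"`, makes the script stop early instead. A short comment would also help on `PIDDIR`: the pid file sits in a directory owned by the unprivileged user, and the `-u`/`--name htcacheclean` matching in `do_stop_cmd_override` is what limits which process the root-run stop will signal.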
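Review bot: `User=www-data` is hard-coded in this unit and in `apache2.apache-htcacheclean@.service`, while the sysv script added by the same commit takes the user from `APACHE_RUN_USER` in `envvars`. An instance configured with a different run user would get a cleaner running under an account that may not own the cache files. A comment above the line, e.g. `# Must match APACHE_RUN_USER of this instance; change it with a drop-in if needed`, would make the assumption visible. `Type=forking` is declared without a `PIDFile=`, and `ExecStart` leaves out the `-P` and `-i` options that the init script passes, so the two start paths do not run the daemon the same way.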
@@ -0,0 +1,16 @@ +[Unit] +Description=Disk Cache Cleaning Daemon for Apache HTTP Server +After=apache2@%i.service + +[Service] +Type=forking +User=www-data +Environment=HTCACHECLEAN_SIZE=300M +Environment=HTCACHECLEAN_DAEMON_INTERVAL=120 +Environment=HTCACHECLEAN_PATH=/var/cache/apache2-%i/mod_cache_disk +Environment=HTCACHECLEAN_OPTIONS=-n +EnvironmentFile=-/etc/default/apache-htcacheclean-%i +ExecStart=/usr/bin/htcacheclean -d $HTCACHECLEAN_DAEMON_INTERVAL -p $HTCACHECLEAN_PATH -l $HTCACHECLEAN_SIZE $HTCACHECLEAN_OPTIONS + +[Install] +WantedBy=multi-user.target diff --git a/debian/apache2.cron.daily b/debian/apache2.cron.daily index d5f9cbc9..6461f079 100644 --- a/debian/apache2.cron.daily +++ b/debian/apache2.cron.daily @@ -1,30 +1,25 @@ #!/bin/sh -# run htcacheclean +# run htcacheclean if set to 'cron' mode set -e set -u type htcacheclean > /dev/null 2>&1 || exit 0 -[ -e /etc/default/apache2 ] || exit 0 +[ -e /etc/default/apache-htcacheclean ] || exit 0 -# edit /etc/default/apache2 to change this +# edit /etc/default/apache-htcacheclean to change this HTCACHECLEAN_MODE=daemon HTCACHECLEAN_RUN=auto HTCACHECLEAN_SIZE=300M HTCACHECLEAN_PATH=/var/cache/apache2/mod_cache_disk HTCACHECLEAN_OPTIONS="" -. /etc/default/apache2 +. /etc/default/apache-htcacheclean [ "$HTCACHECLEAN_MODE" = "cron" ] || exit 0 -[ "$HTCACHECLEAN_RUN" = "yes" ] || -( [ "$HTCACHECLEAN_RUN" = "auto" ] && \ - [ -e /etc/apache2/mods-enabled/cache_disk.load ] ) || exit 0 - htcacheclean ${HTCACHECLEAN_OPTIONS} \ -p${HTCACHECLEAN_PATH} \ -l${HTCACHECLEAN_SIZE} - diff --git a/debian/apache2.docs b/debian/apache2.docs index 5000c3b4..6de97478 100644 --- a/debian/apache2.docs +++ b/debian/apache2.docs @@ -1,4 +1,3 @@ debian/README.backtrace debian/README.multiple-instances debian/PACKAGING -debian/migrate-sites.pl diff --git a/debian/apache2.init b/debian/apache2.init index e9aa4076..1f51d9e7 100755 --- a/debian/apache2.init +++ b/debian/apache2.init 
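Review bot: With the `HTCACHECLEAN_RUN` test removed from `apache2.cron.daily`, the default `HTCACHECLEAN_RUN=auto` that stays in the script is never read and can be dropped. The script also sources `/etc/default/apache-htcacheclean` as shell, while the new header of that file says it must contain only KEY=VALUE lines; a comment such as `# also read by systemd as EnvironmentFile, keep values free of shell syntax` next to the `.` line would record why.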
@@ -7,13 +7,11 @@ # Default-Stop: 0 1 6 # X-Interactive: true # Short-Description: Apache2 web server -# Description: Start the web server and associated helpers -# This script will start apache2, and possibly all associated instances. -# Moreover, it will set-up temporary directories and helper tools such as -# htcacheclean when required by the configuration. +# Description: Start the web server +# This script will start the apache2 web server. ### END INIT INFO -DESC="web server" +DESC="Apache httpd web server" NAME=apache2 DAEMON=/usr/sbin/$NAME @@ -45,22 +43,6 @@ if [ "$APACHE_ENVVARS" != "$APACHE_CONFDIR/envvars" ] ; then ENV="$ENV APACHE_ENVVARS=$APACHE_ENVVARS" fi - -#edit /etc/default/apache2 to change this. -HTCACHECLEAN_RUN=auto -HTCACHECLEAN_MODE=daemon -HTCACHECLEAN_SIZE=300M -HTCACHECLEAN_DAEMON_INTERVAL=120 -HTCACHECLEAN_PATH=/var/cache/apache2$DIR_SUFFIX/mod_cache_disk -HTCACHECLEAN_OPTIONS="" - -# Read configuration variable file if it is present -if [ -f /etc/default/apache2$DIR_SUFFIX ] ; then - . /etc/default/apache2$DIR_SUFFIX -elif [ -f /etc/default/apache2 ] ; then - . /etc/default/apache2 -fi - PIDFILE=$(. $APACHE_ENVVARS && echo $APACHE_PID_FILE) VERBOSE=no @@ -72,7 +54,6 @@ fi # Now, set defaults: APACHE2CTL="$ENV apache2ctl" -HTCACHECLEAN="$ENV htcacheclean" PIDFILE=$(. $APACHE_ENVVARS && echo $APACHE_PID_FILE) APACHE2_INIT_MESSAGE="" @@ -116,6 +97,10 @@ print_error_msg() { apache_wait_start() { local STATUS=$1 local i=0 + + if [ $STATUS != 0 ] ; then + return $STATUS + fi while : ; do PIDTMP=$(pidofproc -p $PIDFILE $DAEMON) if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then 
@@ -135,14 +120,25 @@ apache_wait_start() { apache_wait_stop() { local STATUS=$1 + local METH=$2 + + if [ $STATUS != 0 ] ; then + return $STATUS + fi PIDTMP=$(pidofproc -p $PIDFILE $DAEMON) if [ -n "${PIDTMP:-}" ] && kill -0 "${PIDTMP:-}" 2> /dev/null; then + if [ "$METH" = "kill" ]; then + killproc -p $PIDFILE $DAEMON + else + $APACHE2CTL $METH > /dev/null 2>&1 + fi + local i=0 while kill -0 "${PIDTMP:-}" 2> /dev/null; do if [ $i = '60' ]; then - break STATUS=2 + break fi [ "$VERBOSE" != no ] && log_progress_msg "." sleep 1 @@ -215,15 +211,13 @@ do_stop() fi if [ $AP_RET = 2 ] && apache_conftest ; then - $APACHE2CTL $STOP > /dev/null 2>&1 - apache_wait_stop $? + apache_wait_stop $? $STOP return $? else if [ $AP_RET = 2 ]; then clear_error_msg APACHE2_INIT_MESSAGE="The apache2$DIR_SUFFIX configtest failed, so we are trying to kill it manually. This is almost certainly suboptimal, so please make sure your system is working as you'd expect now!" - killproc -p $PIDFILE $DAEMON - apache_wait_stop $? + apache_wait_stop $? "kill" return $? elif [ $AP_RET = 1 ] ; then APACHE2_INIT_MESSAGE="There are processes named 'apache2' running which do not match your pid file which are left untouched in the name of safety, Please review the situation by hand". @@ -252,27 +246,6 @@ do_reload() { } -check_htcacheclean() { - [ "$HTCACHECLEAN_MODE" = "daemon" ] || return 1 - [ "$HTCACHECLEAN_RUN" = "yes" ] && return 0 - - MODSDIR=$(. $APACHE_ENVVARS && echo $APACHE_MODS_ENABLED) - [ "$HTCACHECLEAN_RUN" = "auto" \ - -a -e ${MODSDIR:-$APACHE_CONFDIR/mods-enabled}/cache_disk.load ] && \ - return 0 - return 1 -} - -start_htcacheclean() { - $HTCACHECLEAN $HTCACHECLEAN_OPTIONS -d$HTCACHECLEAN_DAEMON_INTERVAL \ - -i -p$HTCACHECLEAN_PATH -l$HTCACHECLEAN_SIZE -} - -stop_htcacheclean() { - pkill -P 1 -f "htcacheclean.* -p$HTCACHECLEAN_PATH " 2> /dev/null || return 1 -} - - # Sanity checks. They need to occur after function declarations [ -x $DAEMON ] || exit 0 
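Review bot: In `do_stop`, `apache_wait_stop $? $STOP` now passes the status of the preceding `if` condition, and the `kill` branch passes the status of the `APACHE2_INIT_MESSAGE=` assignment; both are 0 whenever the call is reached, so the new `if [ $STATUS != 0 ]` guard in `apache_wait_stop` cannot trigger from these callers. The exit status of `$APACHE2CTL $METH` and of `killproc`, which now run inside `apache_wait_stop`, is not captured, so a failed stop is only noticed through the 60-second loop. Recording it, e.g. `$APACHE2CTL $METH > /dev/null 2>&1 || STATUS=$?`, or dropping the first parameter altogether, would make the intent explicit, and the test should quote its operand: `[ "$STATUS" != 0 ]`. Both function bodies continue outside the hunks, so how `STATUS` is finally returned is not visible here.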
@@ -286,14 +259,6 @@ if [ -z "$PIDFILE" ] ; then exit 2 fi -if check_htcacheclean ; then - if [ ! -d "$HTCACHECLEAN_PATH" ] ; then - echo "htcacheclean is configured, but directory $HTCACHECLEAN_PATH does not exist!" >&2 - exit 2 - fi -fi - - case "$1" in start) @@ -304,11 +269,6 @@ case "$1" in 0|1) log_success_msg [ "$VERBOSE" != no ] && [ $RET_STATUS = 1 ] && log_warning_msg "Server was already running" - if check_htcacheclean ; then - [ "$VERBOSE" != no ] && log_daemon_msg "Starting HTTP cache cleaning daemon" "htcacheclean" - start_htcacheclean - [ "$VERBOSE" != no ] && log_end_msg $? - fi ;; 2) log_failure_msg @@ -334,12 +294,6 @@ case "$1" in esac print_error_msg - if check_htcacheclean ; then - [ "$VERBOSE" != no ] && log_daemon_msg "Stopping HTTP cache cleaning daemon" "htcacheclean" - stop_htcacheclean - [ "$VERBOSE" != no ] && log_end_msg $? - fi - ;; status) status_of_proc -p $PIDFILE "apache2" "$NAME" @@ -387,20 +341,11 @@ case "$1" in ;; esac ;; - start-htcacheclean) - log_daemon_msg "Starting htcacheclean" - start_htcacheclean - log_end_msg $? - exit $? - ;; - stop-htcacheclean) - log_daemon_msg "Stopping htcacheclean" - stop_htcacheclean - log_end_msg $? - exit $? + start-htcacheclean|stop-htcacheclean) + echo "Use 'service apache-htcacheclean' instead" ;; *) - echo "Usage: $SCRIPTNAME {start|stop|graceful-stop|restart|reload|force-reload|start-htcacheclean|stop-htcacheclean}" >&2 + echo "Usage: $SCRIPTNAME {start|stop|graceful-stop|restart|reload|force-reload}" >&2 exit 3 ;; esac diff --git a/debian/apache2.install b/debian/apache2.install index 4c391fb7..798d2f0b 100644 --- a/debian/apache2.install +++ b/debian/apache2.install 
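Review bot: The replacement branch `start-htcacheclean|stop-htcacheclean)` prints its hint to stdout and sets no exit code, so a caller still using the old actions appears to get a success status although nothing was started or stopped (the end of the script is outside the hunk). Writing to stderr and exiting non-zero, `echo "Use 'service apache-htcacheclean' instead" >&2; exit 3`, would match the usage branch directly below it.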
@@ -1,6 +1,10 @@ -debian/bash_completion/apache2 /etc/bash_completion.d/ -debian/config-dir/* /etc/apache2 +debian/bash_completion/a2enmod /usr/share/bash-completion/completions/ +debian/config-dir/*.conf /etc/apache2 +debian/config-dir/*-available /etc/apache2 +debian/config-dir/magic /etc/apache2 +debian/config-dir/envvars /etc/apache2 debian/a2enmod /usr/sbin debian/apache2ctl /usr/sbin debian/a2query /usr/sbin +debian/ask-for-passphrase /usr/share/apache2/ debian/debhelper/apache2-maintscript-helper /usr/share/apache2/ diff --git a/debian/apache2.links b/debian/apache2.links index 6f23c018..3e38af84 100644 --- a/debian/apache2.links +++ b/debian/apache2.links @@ -1,8 +1,13 @@ -usr/share/bug/apache2-bin/script usr/share/bug/apache2/script -usr/share/bug/apache2-bin/control usr/share/bug/apache2/control -usr/sbin/a2enmod usr/sbin/a2dismod -usr/sbin/a2enmod usr/sbin/a2ensite -usr/sbin/a2enmod usr/sbin/a2dissite -usr/sbin/a2enmod usr/sbin/a2enconf -usr/sbin/a2enmod usr/sbin/a2disconf -usr/sbin/apache2ctl usr/sbin/apachectl +usr/share/bash-completion/completions/a2enmod usr/share/bash-completion/completions/a2dismod +usr/share/bash-completion/completions/a2enmod usr/share/bash-completion/completions/a2ensite +usr/share/bash-completion/completions/a2enmod usr/share/bash-completion/completions/a2dissite +usr/share/bash-completion/completions/a2enmod usr/share/bash-completion/completions/a2enconf +usr/share/bash-completion/completions/a2enmod usr/share/bash-completion/completions/a2disconf +usr/share/bug/apache2-bin/script usr/share/bug/apache2/script +usr/share/bug/apache2-bin/control usr/share/bug/apache2/control +usr/sbin/a2enmod usr/sbin/a2dismod +usr/sbin/a2enmod usr/sbin/a2ensite +usr/sbin/a2enmod usr/sbin/a2dissite +usr/sbin/a2enmod usr/sbin/a2enconf +usr/sbin/a2enmod usr/sbin/a2disconf +usr/sbin/apache2ctl usr/sbin/apachectl diff --git a/debian/apache2.lintian-overrides b/debian/apache2.lintian-overrides index c9ec6574..4b539722 100644 
--- a/debian/apache2.lintian-overrides +++ b/debian/apache2.lintian-overrides @@ -7,3 +7,6 @@ package-contains-empty-directory usr/lib/cgi-bin/ # Apache uses var/www/html/ as a new default document root # See #730372 and https://lists.debian.org/debian-devel/2012/04/msg00301.html apache2: dir-or-file-in-var-www var/www/html/ +# Second update-rc.d call is to disable the service +duplicate-updaterc.d-calls-in-postinst apache-htcacheclean + diff --git a/debian/apache2.logrotate b/debian/apache2.logrotate index 1866c69f..70e21810 100644 --- a/debian/apache2.logrotate +++ b/debian/apache2.logrotate @@ -1,7 +1,7 @@ /var/log/apache2/*.log { - weekly + daily missingok - rotate 52 + rotate 14 compress delaycompress notifempty diff --git a/debian/apache2.maintscript b/debian/apache2.maintscript new file mode 100644 index 00000000..b8781315 --- /dev/null +++ b/debian/apache2.maintscript @@ -0,0 +1,2 @@ +rm_conffile /etc/bash_completion.d/apache2 2.4.12-3~ +mv_conffile /etc/default/apache2 /etc/default/apache-htcacheclean 2.4.18-2~ diff --git a/debian/apache2.postinst b/debian/apache2.postinst index acbe652f..f4944340 100644 --- a/debian/apache2.postinst +++ b/debian/apache2.postinst 
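Review bot: Switching debian/apache2.logrotate to `daily` with `rotate 14` cuts the retained logs under /var/log/apache2 from 52 weekly files to 14 daily ones, and nothing in the file records that choice. Two weeks of web-server logs is often too short for incident investigation, so the default deserves a comment above the directives, for example `# keeps 14 daily rotations; raise 'rotate' if local policy needs longer retention`. A NEWS entry for upgrading users would help as well, since existing installations lose older rotations on the first run after the upgrade. The stanza continues outside the hunk.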
@@ -18,80 +18,6 @@ set -e # the debian-policy package # -# XXX remove -# echo apache2.postinst $@ running - -OBSOLETE_CONFFILES="/etc/apache2/mods-available/authz_default.load -/etc/apache2/mods-available/authn_default.load -/etc/apache2/mods-available/mem_cache.load -/etc/apache2/mods-available/mem_cache.conf -/etc/apache2/mods-available/authn_alias.load -/etc/apache2/mods-available/cern_meta.load -/etc/apache2/mods-available/disk_cache.load -/etc/apache2/mods-available/disk_cache.conf -/etc/apache2/mods-available/ident.load -/etc/apache2/mods-available/imagemap.load -/etc/apache2/mods-available/version.load" - - -MOVED_CONFFILES="/etc/bash_completion.d/apache2.2-common:/etc/bash_completion.d/apache2 -/etc/apache2/sites-available/default:/etc/apache2/sites-available/000-default.conf -/etc/apache2/sites-available/default-ssl:/etc/apache2/sites-available/default-ssl.conf -/etc/apache2/conf.d/charset:/etc/apache2/conf-available/charset.conf -/etc/apache2/conf.d/localized-error-pages:/etc/apache2/conf-available/localized-error-pages.conf -/etc/apache2/conf.d/other-vhosts-access-log:/etc/apache2/conf-available/other-vhosts-access-log.conf -/etc/apache2/conf.d/security:/etc/apache2/conf-available/security.conf" - - -# the functions below need to be idempotent, however we guess the upgrade based -# on obsolete conffiles which might be removed anytime. Thus, remember we were -# already in there once. -WHEEZY_UPGRADE=0 - -# n.b you can't rely on $2 (the last installed version) for upgrades, as -# the user might have been using apache2.2-common only. Let's pretend we're -# upgrading if there is either a /etc/apache2/.apache2_mpm_selected file -# around or an /etc/apache2/.apache2_upgrade file exists. 
-we_are_upgrading_from_wheezy() -{ - if [ -n "$2" ] && dpkg --compare-versions "$2" le-nl "2.3"; then - WHEEZY_UPGRADE=1 - return 0 - fi - - # this check is a probably tautology but makes it easier to understand - # the logic - if [ -n "$2" ] && dpkg --compare-versions "$2" ge-nl "2.3"; then - return 1 - fi - - if [ -e /etc/apache2/.apache2_mpm_selected ] ; then - WHEEZY_UPGRADE=1 - return 0 - fi - - if [ "$WHEEZY_UPGRADE" -eq 1 ] ; then - return 0 - fi - - for CONFFILE in $OBSOLETE_CONFFILES ; do - if [ -e "$CONFFILE.dpkg-backup" ] || [ -e "$CONFFILE.dpkg-remove" ] ; then - WHEEZY_UPGRADE=1 - return 0 - fi - done - - for CONFFILE in $MOVED_CONFFILES ; do - OLDCONFFILE=$( echo "$CONFFILE" | cut -d: -f1 ) - if [ -e "$OLDCONFFILE.dpkg-remove" ] ; then - WHEEZY_UPGRADE=1 - return 0 - fi - done - - return 1 -} - is_fresh_install() { if [ -z "$2" ] ; then 
@@ -101,100 +27,10 @@ is_fresh_install() } -# The two functions below are licensed GPL-2+ and was written by dpkg maintainers -# See the dpkg-maintscript-helper script for details - -remove_conffiles() -{ - # we can't use dpkg-maintscript-helper as we shifted conffiles from the - # apache2.2-common package to apache2, too. The tool can cope with - # that, but additionally we didn't require apache2 to be installed. This - # yields the wrong result when upgrading such an installation - if we_are_upgrading_from_wheezy $@ ; then - for CONFFILE in $OBSOLETE_CONFFILES ; do - if [ -e "$CONFFILE.dpkg-backup" ]; then - mv -f "$CONFFILE.dpkg-backup" "$CONFFILE.dpkg-bak" - fi - if [ -e "$CONFFILE.dpkg-remove" ]; then - echo "Removing obsolete conffile $CONFFILE ..." - rm -f "$CONFFILE.dpkg-remove" - fi - done - fi -} - -mv_conffiles() -{ - # same rationale as above - if we_are_upgrading_from_wheezy $@ ; then - for CONFFILE in $MOVED_CONFFILES ; do - OLDCONFFILE=$( echo "$CONFFILE" | cut -d: -f1 ) - NEWCONFFILE=$( echo "$CONFFILE" | cut -d: -f2 ) - - rm -f $OLDCONFFILE.dpkg-remove - [ -e "$OLDCONFFILE" ] || continue - - echo "Preserving user changes to $NEWCONFFILE (renamed from $OLDCONFFILE)..." - mv -f "$NEWCONFFILE" "$NEWCONFFILE.dpkg-new" - mv -f "$OLDCONFFILE" "$NEWCONFFILE" - done - - if [ -d /etc/apache2/conf.d ] && [ ! "$(ls -A /etc/apache2/conf.d)" ] ; then - echo "Removing obsolete directory /etc/apache2/conf.d" - rmdir /etc/apache2/conf.d - fi - - if [ -d /etc/apache2/conf.d ] && [ "$(ls -A /etc/apache2/conf.d)" ] ; then - echo "Directory /etc/apache2/conf.d is not empty - leaving as is" - echo "Please note, that directory is considered obsolete and not read anymore by default" - # XXX order of processing??? 
this may become empty later on (after upgrade of apache2-doc) - ls -A /etc/apache2/conf.d - fi - fi -} - - enable_default_mpm() { - mpm="mpm_event" - if we_are_upgrading_from_wheezy $@ && [ -e /etc/apache2/.apache2_mpm_selected ]; then - tmpmpm=$(grep -v "^#" /etc/apache2/.apache2_mpm_selected | head -n1) - case "$tmpmpm" in - apache2-mpm-worker) - mpm="mpm_worker" - ;; - - apache2-mpm-event) - mpm="mpm_event" - ;; - - apache2-mpm-prefork) - mpm="mpm_prefork" - ;; - - apache2-mpm-itk) - # apache2-mpm-itk is installed, which is a - # transitional package depending on - # libapache2-mpm-itk which will enable itself - # in its maintainer scripts. - mpm="mpm_prefork" - ;; - - *) - # default MPM for upgrading in case we got an unrecognized - # hint file - mpm="mpm_event" - ;; - esac - - # No -m here, we pretend the user picked the MPM as this choice comes - # from a 2.2 package relation - a2enmod -q $mpm - return 0 - fi - if is_fresh_install $@ ; then - a2enmod -m -q $mpm + a2enmod -m -q mpm_event fi } 
@@ -209,53 +45,22 @@ enable_default_modules() status ; do a2enmod -m -q $module done - elif we_are_upgrading_from_wheezy $@; then - for module in authn_core authz_core filter access_compat ; do - a2enmod -m -q $module - done - elif dpkg --compare-versions "$2" "le" "2.4.6-1~" ; then - # These modules had dependencies missing in the initial 2.4 upload - for module in auth_basic auth_digest auth_form cache_disk include ratelimit mpm_event - do - if [ -e /etc/apache2/mods-enabled/$module.load ] ; then - # If module is enabled, enable again to - # enable new dependencies - a2enmod -m -q $module - fi - done fi } enable_default_conf() { - if is_fresh_install $@ || we_are_upgrading_from_wheezy $@ ; then - for conf in charset localized-error-pages other-vhosts-access-log security ; do + if is_fresh_install $@ ; then + for conf in charset localized-error-pages other-vhosts-access-log \ + security serve-cgi-bin ; do a2enconf -m -q $conf done fi - # This line must catch upgrades, upgrades from Wheezy und fresh - # installs - if dpkg --compare-versions "$2" "le" "2.4.1-4" ; then - a2enconf -m -q serve-cgi-bin - fi } install_default_site() { - if we_are_upgrading_from_wheezy $@ ; then - # by here, the old default sites were already renamed. Thus, the links - # are dangling - for SITE in /etc/apache2/sites-enabled/000-default /etc/apache2/sites-enabled/default-ssl ; do - if [ -L $SITE ] ; then - target=$(readlink -e "$SITE") || true - sitename=$(basename "$SITE") - if [ -z "$target" ] ; then - rm -f $SITE - a2ensite -q "$sitename" - fi - fi - done - elif is_fresh_install $@ ; then + if is_fresh_install $@ ; then if [ ! -L /etc/apache2/sites-enabled/000-default.conf -a \ ! -f /etc/apache2/sites-enabled/000-default.conf ]; then a2ensite -q 000-default 
@@ -271,11 +76,26 @@ install_default_site() fi } +is_problematic_index_html () { + local FILE="$1" + [ -f "$FILE" ] || return 1 + local MD5=$(md5sum "$FILE" 2> /dev/null |cut -d' ' -f 1) + [ -n "$MD5" ] || return 1 + grep -q "$MD5" <<- EOF + 1736dfc80cf1f5a8966c096a0b094377 + 776221a94e5a174dc2396c0f3f6b6a74 + 51a41c3207374dad24ec64a0f2646bdc + c481228d439cbb54bdcedbaec5bbb11a + 3183a3d71d86bcc88aaf3ca5cbbefb45 + 74cec59a19e5d16f7cc6a2445e35fa3b + EOF +} + # XXX: This site is installed in the apache2-data package. Should the postinst # scriptlet move there too? install_default_files() { - if is_fresh_install $@ || we_are_upgrading_from_wheezy $@ ; then + if is_fresh_install $@ ; then local do_copy=true local dir ext for dir in /var/www /var/www/html ; do 
@@ -293,133 +113,181 @@ install_default_files() if $do_copy ; then cp /usr/share/apache2/default-site/index.html /var/www/html/index.html fi + else + # see #821313 + for dir in /var/www /var/www/html ; do + local file=$dir/index.html + if is_problematic_index_html $file ; then + cp /usr/share/apache2/default-site/index.html $file + fi + done fi } -# XXX: Find out whether I am on crack removing stale modules that way refresh_modules() { - if we_are_upgrading_from_wheezy $@ && [ -d /etc/apache2/mods-enabled/ ] ; then - shopt -s nullglob - for link in /etc/apache2/mods-enabled/*.load ; do - target=$(readlink "$link") || true - if [ -z "$target" ] ; then - continue - fi - - module=$(basename "$link" | sed 's/\.load//') || true + if dpkg --compare-versions "$2" lt-nl "2.4.10-12~" ; then + if [ -e "/etc/apache2/mods-enabled/proxy_html.load" ] + then + a2enmod -q proxy_html + fi + fi +} - if [ ! -e "/etc/apache2/mods-enabled/$target" ] ; then - echo "disable obsolete module $module" - a2dismod -m -q "$module" +start_htcacheclean () +{ + local action + if [ -x "/etc/init.d/apache-htcacheclean" ]; then + if [ -n "$2" ]; then + action=restart + else + action=start + fi + invoke-rc.d apache-htcacheclean $action || true + fi +} - if [ "$module" = "disk_cache" ] ; then - echo "Enable cache_disk as disk_cache was enabled in Apache 2.2" - # ditto, we pretend it was the user's - # choice not to use -m here - a2enmod -q cache_disk - fi - fi - # the module is already enabled, however - # dependencies could have changed hence re-call - # a2enmod again. 
- # Example: the deflate module when upgraded from - # Wheezy - if [ -e "/etc/apache2/mods-enabled/$target" ] ; then - a2enmod -m -q "$module" - fi - done +disable_htcacheclean() +{ + if deb-systemd-helper debian-installed apache-htcacheclean.service; then + deb-systemd-helper disable apache-htcacheclean.service >/dev/null || true fi + update-rc.d apache-htcacheclean disable >/dev/null } -move_httpd_conf() +# The apache-htcacheclean service is disabled by default. Can't use +# debhelper. The update-rc.d 'disable' call must come after the 'defaults' +# call, or the former will fail. +handle_htcacheclean () { - if we_are_upgrading_from_wheezy $@ ; then - if [ -e /etc/apache2/httpd.conf ] && [ -f /etc/apache2/httpd.conf ] ; then - local md5sum="$(md5sum /etc/apache2/httpd.conf | sed -e 's/ .*//')" - if [ $md5sum = "d41d8cd98f00b204e9800998ecf8427e" ] || - [ $md5sum = "a20c3e53dd07836481a5e64bc71e1a33" ] - then - echo "Remove obsolete configuration file /etc/apache2/httpd.conf" - rm -f /etc/apache2/httpd.conf - else - if [ -d /etc/apache2/conf-available/ ] && [ ! -f /etc/apache2/conf-available/httpd.conf ] ; then - echo "Detected legacy httpd.conf - moving file to /etc/apache2/conf-available/httpd.conf" - mv /etc/apache2/httpd.conf /etc/apache2/conf-available/httpd.conf - a2enconf -q httpd - fi - fi + if dpkg --compare-versions "$2" lt "2.4.18-2~"; then + # Disable on initial installation or when upgrading from an old + # version without that init script and with the module disabled + # (or when configured to run from cron) + if [ ! -e "/etc/apache2/mods-enabled/cache_disk.load" ]; then + disable_htcacheclean + return + elif (. 
/etc/default/apache-htcacheclean && [ "$HTCACHECLEAN_MODE" = "cron" ]); then + disable_htcacheclean + return fi fi + + # Restart it if applicable + if [ -e "/etc/apache2/mods-enabled/cache_disk.load" ]; then + start_htcacheclean + fi } -migrate_data() +msg () { - #XXX: jimjag recommends purging the cache albeit it is probably not - # technically required. - #if we_are_upgrading_from_wheezy $@ ; then - # # /var/cache/apache2/mod_disk_cache -> /var/cache/apache2/mod_cache_disk - # if [ -d /var/cache/apache2/mod_disk_cache ] && [ "$(ls -A /var/cache/apache2/mod_disk_cache)" ] ; then - # echo "Migrate mod_disk_cache cache data to /var/cache/apache2/mod_cache_disk/" - # mv /var/cache/apache2/mod_disk_cache/* /var/cache/apache2/mod_cache_disk/ - # rmdir /var/cache/apache2/mod_disk_cache - # fi - #fi - if we_are_upgrading_from_wheezy $@ ; then - if [ -d /var/cache/apache2/mod_disk_cache ] ; then - echo "Purge obsolete mod_disk_cache cache data in /var/cache/apache2/mod_cache_disk/" - rm -rf /var/cache/apache2/mod_disk_cache - fi + local PRIORITY="$1" + local MSG="$2" + echo "$PRIORITY: $MSG" + if type logger > /dev/null 2>&1 ; then + logger -p daemon.$PRIORITY -t apache2.postinst "$MSG" || true fi } -warn_itk_users() +execute_deferred_actions () { - # the function below only applies to Debian Testing users. Stable users are properly upgraded - if [ -n "$2" ] && dpkg --compare-versions "$2" 'lt' '2.4.7-1~' && dpkg --compare-versions "$2" 'ge' '2.4.1-1' ; then - local mpm="" - [ -e /etc/apache2/.apache2_mpm_selected ] && mpm=$(grep -v "^#" /etc/apache2/.apache2_mpm_selected | head -n1) - if [ "$mpm" = 'apache2-mpm-itk' ] ; then - echo "=======================================================================" - echo "You appear to be using the ITK MPM. Starting with Apache2 2.4.7-1 this" - echo "is a separate package not bundled with Apache anymore. Moreover, it is" - echo "not a MPM anymore. This upgrade will switch your MPM to 'prefork'. 
If" - echo "you plan to use ITK in future, please do: " - echo "" - echo " apt-get install libapache2-mpm-itk" - echo "" - echo "=======================================================================" + if [ ! -e /var/lib/apache2/deferred_actions ]; then + return 0 + fi + + local error=false + + cat /var/lib/apache2/deferred_actions | + while read PACKAGE FUNCTION ARG1 ARG2 ARG3 + do + if ! dpkg-query -f '${Status}' -W "$PACKAGE"|egrep -q 'installed|triggers-awaited|triggers-pending' ; then + # If the package has been removed again, skip the actions + continue fi + case "$FUNCTION" in + apache2_invoke) + case "$ARG1" in + enmod|dismod|enconf|disconf|ensite|dissite) + # We can ignore reload/restart in ARG3 because apache2 has not + # been started, yet. + msg "info" "Executing deferred 'a2$ARG1 $ARG2' for package $PACKAGE" + a2$ARG1 -m -q "$ARG2" + ;; + *) + msg "error" "'apache2_invoke $ARG1' in /var/lib/apache2/deferred_actions invalid" + error=true + esac + ;; + apache2_switch_mpm) + local MPM="$ARG1" + local CUR_MPM="$(ls /etc/apache2/mods-enabled/mpm_*.load | grep -e event -e prefork -e worker)" + CUR_MPM="${CUR_MPM##*/mpm_}" + CUR_MPM="${CUR_MPM%.load}" + if [ ! -e /etc/apache2/mods-available/mpm_$MPM.load ] ; then + msg "error" "mpm $MPM not found in 'apache2_switch_mpm $ARG1' for package $PACKAGE" + error=true + elif [ -e /etc/apache2/mods-enabled/mpm_$MPM.load ] ; then + msg "info" "Switch to mpm $MPM for package $PACKAGE: No action required" + else + msg "info" "Switch to mpm $MPM for package $PACKAGE" + if ! a2dismod -m -q "mpm_$CUR_MPM" || + ! a2enmod -m -q "mpm_$MPM" + then + msg "error" "Switching to mpm $MPM failed" + error=true + fi + fi + ;; + *) + msg "ERROR: function '$FUNCTION' in /var/lib/apache2/deferred_actions invalid" + ;; + esac + done + + if $error ; then + msg "error" "Some deferred actions failed. You will need to fix the configuration manually." 
fi + rm /var/lib/apache2/deferred_actions } -#XXX: Deal with the sites-available/sites-enabled *.conf transition, e.g. rename -# all files which look like site configuration? +list_fixup_conffiles () { + cat <<- EOF + /etc/bash_completion.d/apache2 + /etc/apache2/sites-available/000-default.conf + /etc/apache2/sites-available/default-ssl.conf + /etc/apache2/conf-available/charset.conf + /etc/apache2/conf-available/localized-error-pages.conf + /etc/apache2/conf-available/other-vhosts-access-log.conf + /etc/apache2/conf-available/security.conf + EOF +} case "$1" in configure) - remove_conffiles $@ - mv_conffiles $@ + if dpkg --compare-versions "$2" lt-nl "2.4.23-3~" ; then + list_fixup_conffiles | while read FILE ; do + if [ -e "${FILE}.dpkg-remove-fixup" ] ; then + echo "Removing backup copy of $FILE" + rm "${FILE}.dpkg-remove-fixup" + fi + done + fi enable_default_mpm $@ refresh_modules $@ install_default_files $@ enable_default_modules $@ enable_default_conf $@ install_default_site $@ - move_httpd_conf $@ - migrate_data $@ - warn_itk_users $@ + execute_deferred_actions - # post installation cleanup - if [ -e /etc/apache2/.apache2_mpm_selected ] ; then - rm -f /etc/apache2/.apache2_mpm_selected - fi + ;; + abort-upgrade) ;; - abort-upgrade|abort-remove|abort-deconfigure) + abort-remove|abort-deconfigure) ;; @@ -431,15 +299,15 @@ esac #DEBHELPER# -# And now the traditional insanity of apache2 upgrades (see #390823): -# If everything went well, we need to purge apache2.2-common's postrm, or -# purging that package will remove our logs, caches, ... -if [ "$1" = configure ] && we_are_upgrading_from_wheezy $@ ; then - oldpostrm=$(dpkg-query -c apache2.2-common postrm 2>/dev/null || true) - if [ -n "$oldpostrm" ] ; then - rm -f "$oldpostrm" - fi -fi +# Deal with htcacheclean after debhelper's initial init script handling +case "$1" in + configure) + handle_htcacheclean $@ + ;; + abort-upgrade) + start_htcacheclean $@ + ;; +esac exit 0 
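Review bot: In execute_deferred_actions the `error` flag is set inside `cat /var/lib/apache2/deferred_actions | while read …`, and in bash and dash that loop runs in a subshell, so the `if $error` check after `done` never fires and failed deferred actions are not reported. Feeding the loop by redirection, as in the excerpt below, keeps the assignments in the function's own shell; `read -r` additionally stops backslashes in the file from being interpreted. The fallback branch calls `msg` with a single argument, so the whole text lands in PRIORITY and `logger -p` receives an invalid priority; it should pass `"error"` first and set the flag. Separately, handle_htcacheclean calls `start_htcacheclean` without `$@`, so the `[ -n "$2" ]` test there always selects `start` and never `restart`.

```shell
local error=false

while read -r PACKAGE FUNCTION ARG1 ARG2 ARG3
do
	# … unchanged: package status check, apache2_invoke and apache2_switch_mpm branches …
	*)
		msg "error" "function '$FUNCTION' in /var/lib/apache2/deferred_actions invalid"
		error=true
		;;
	# … unchanged: esac …
done < /var/lib/apache2/deferred_actions
```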
diff --git a/debian/apache2.postrm b/debian/apache2.postrm
index 72de74c6..a68583c0 100644
--- a/debian/apache2.postrm
+++ b/debian/apache2.postrm
@@ -18,41 +18,38 @@ set -e # for details, see http://www.debian.org/doc/debian-policy/ or # the debian-policy package +is_default_index_html () { + local FILE="$1" + [ -f "$FILE" ] || return 1 + local MD5=$(md5sum "$FILE" 2> /dev/null |cut -d' ' -f 1) || + return 1 + grep -q "$MD5" <<- EOF + 1736dfc80cf1f5a8966c096a0b094377 + 21dde95d9d269cbb2fa6560309dca40c + 3183a3d71d86bcc88aaf3ca5cbbefb45 + 51a41c3207374dad24ec64a0f2646bdc + 5388f60d7695cb57b87c799ee62d20b2 + 74cec59a19e5d16f7cc6a2445e35fa3b + 776221a94e5a174dc2396c0f3f6b6a74 + c481228d439cbb54bdcedbaec5bbb11a + e2620d4a5a0f8d80dd4b16de59af981f + EOF +} -OBSOLETE_CONFFILES="/etc/apache2/mods-available/authz_default.load -/etc/apache2/mods-available/authn_default.load -/etc/apache2/mods-available/mem_cache.load -/etc/apache2/mods-available/mem_cache.conf -/etc/apache2/mods-available/authn_alias.load -/etc/apache2/mods-available/cern_meta.load -/etc/apache2/mods-available/disk_cache.load -/etc/apache2/mods-available/disk_cache.conf -/etc/apache2/mods-available/ident.load -/etc/apache2/mods-available/imagemap.load -/etc/apache2/mods-available/version.load" - -MOVED_CONFFILES="/etc/bash_completion.d/apache2.2-common:/etc/bash_completion.d/apache2 -/etc/apache2/sites-available/default:/etc/apache2/sites-available/000-default.conf -/etc/apache2/sites-available/default-ssl:/etc/apache2/sites-available/default-ssl.conf -/etc/apache2/conf.d/charset:/etc/apache2/conf-available/charset.conf -/etc/apache2/conf.d/localized-error-pages:/etc/apache2/conf-available/localized-error-pages.conf -/etc/apache2/conf.d/other-vhosts-access-log:/etc/apache2/conf-available/other-vhosts-access-log.conf -/etc/apache2/conf.d/security:/etc/apache2/conf-available/security.conf" case "$1" in purge) - for CONFFILE in $OBSOLETE_CONFFILES ; do - rm -f "$CONFFILE.dpkg-bak" "$CONFFILE.dpkg-remove" "$CONFFILE.dpkg-backup" - done - for d in var/cache/apache2 \ var/cache/apache2/mod_cache_disk \ var/log/apache2 \ - var/lib/apache2 ; do + 
var/lib/apache2/conf \ + var/lib/apache2/module \ + var/lib/apache2/site ; do [ -d $d ] && rm -rf $d done + rm -f /var/lib/apache2/deferred_actions for f in /etc/apache2/sites-enabled/* \ /etc/apache2/conf-enabled/* \ @@ -70,46 +67,12 @@ case "$1" in rmdir $d 2> /dev/null || true done - #XXX: index.html is intentionally(?) left back - ;; - - abort-install|abort-upgrade) - - - for CONFFILE in $OBSOLETE_CONFFILES ; do - - if [ -e "$CONFFILE.dpkg-remove" ]; then - echo "Reinstalling $CONFFILE that was moved away" - mv "$CONFFILE.dpkg-remove" "$CONFFILE" - fi - if [ -e "$CONFFILE.dpkg-backup" ]; then - echo "Reinstalling $CONFFILE that was backupped" - mv "$CONFFILE.dpkg-backup" "$CONFFILE" - fi - done - - for CONFFILE in $MOVED_CONFFILES ; do - - CONFFILE=$( echo "$CONFFILE" | cut -d: -f1 ) - - if [ -e "$CONFFILE.dpkg-remove" ]; then - echo "Reinstalling $CONFFILE that was moved away" - mv "$CONFFILE.dpkg-remove" "$CONFFILE" - fi - if [ -e "$CONFFILE.dpkg-backup" ]; then - echo "Reinstalling $CONFFILE that was backupped" - mv "$CONFFILE.dpkg-backup" "$CONFFILE" - fi - done - - # post installation cleanup - if [ -e /etc/apache2/.apache2_mpm_selected ] ; then - rm -f /etc/apache2/.apache2_mpm_selected + if is_default_index_html /var/www/html/index.html ; then + rm -f /var/www/html/index.html fi - ;; - remove|upgrade|failed-upgrade|disappear) + remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ;; *) diff --git a/debian/apache2.preinst b/debian/apache2.preinst deleted file mode 100644 index 2a5238f7..00000000 --- a/debian/apache2.preinst +++ /dev/null 
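Review bot: is_default_index_html can report a match when `md5sum` produces no output. In `local MD5=$(md5sum "$FILE" 2> /dev/null |cut -d' ' -f 1) || return 1` the tested status is that of `local`, so the `return 1` never runs, and an empty `MD5` makes `grep -q ""` match every line of the list. The purge branch in the next hunk then runs `rm -f /var/www/html/index.html` on a file that was never verified as a packaged default. The postinst's is_problematic_index_html in this same commit already guards against this with `[ -n "$MD5" ] || return 1`; the same line belongs here after the assignment.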
@@ -1,156 +0,0 @@ -#! /bin/bash -# preinst script for apache2 -# -# see: dh_installdeb(1) - -set -e - -# summary of how this script can be called: -# * <new-preinst> `install' -# * <new-preinst> `install' <old-version> -# * <new-preinst> `upgrade' <old-version> -# * <old-preinst> `abort-upgrade' <new-version> -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -# XXX remove -# echo apache2.preinst $@ running - -# XXX: Whichever file you add in one of the sections below, make sure you copy -# the same file arrays to apache2.postinst and apache2.postrm, too! - -OBSOLETE_CONFFILES="/etc/apache2/mods-available/authz_default.load -/etc/apache2/mods-available/authn_default.load -/etc/apache2/mods-available/mem_cache.load -/etc/apache2/mods-available/mem_cache.conf -/etc/apache2/mods-available/authn_alias.load -/etc/apache2/mods-available/cern_meta.load -/etc/apache2/mods-available/disk_cache.load -/etc/apache2/mods-available/disk_cache.conf -/etc/apache2/mods-available/ident.load -/etc/apache2/mods-available/imagemap.load -/etc/apache2/mods-available/version.load" - -# conffiles which moved from one random location to another, separate source and -# destination by a colon -MOVED_CONFFILES="/etc/bash_completion.d/apache2.2-common:/etc/bash_completion.d/apache2 -/etc/apache2/sites-available/default:/etc/apache2/sites-available/000-default.conf -/etc/apache2/sites-available/default-ssl:/etc/apache2/sites-available/default-ssl.conf -/etc/apache2/conf.d/charset:/etc/apache2/conf-available/charset.conf -/etc/apache2/conf.d/localized-error-pages:/etc/apache2/conf-available/localized-error-pages.conf -/etc/apache2/conf.d/other-vhosts-access-log:/etc/apache2/conf-available/other-vhosts-access-log.conf -/etc/apache2/conf.d/security:/etc/apache2/conf-available/security.conf" - - -obsolete_conffile_exists() -{ - for CONFFILE in $OBSOLETE_CONFFILES ; do - if [ -e "$CONFFILE" ] ; then - return 0 - fi - done - - for CONFFILE in 
$MOVED_CONFFILES_IN ; do - if [ -e "/etc/apache2/conf.d/$CONFFILE" ] ; then - return 0 - fi - done - - return 1 -} - -# The two functions below are licensed GPL-2+ and was written by dpkg maintainers -# See the dpkg-maintscript-helper script for details -prepare_rm_conffile() -{ - for CONFFILE in $OBSOLETE_CONFFILES ; do - [ -e "$CONFFILE" ] || continue - - local md5sum="$(md5sum $CONFFILE | sed -e 's/ .*//')" - local old_md5sum="$(dpkg-query -W -f='${Conffiles}' apache2.2-common apache2 | \ - sed -n -e "\' $CONFFILE ' { s/ obsolete$//; s/.* //; p }")" - if [ "$md5sum" != "$old_md5sum" ]; then - echo "Obsolete conffile $CONFFILE has been modified by you." - echo "Saving as $CONFFILE.dpkg-bak ..." - mv -f "$CONFFILE" "$CONFFILE.dpkg-backup" - else - echo "Moving obsolete conffile $CONFFILE out of the way..." - mv -f "$CONFFILE" "$CONFFILE.dpkg-remove" - fi - done -} - -prepare_mv_conffile() -{ - for CONFFILE in $MOVED_CONFFILES ; do - - CONFFILE=$( echo "$CONFFILE" | cut -d: -f1 ) - - [ -e "$CONFFILE" ] || continue - - local md5sum="$(md5sum $CONFFILE | sed -e 's/ .*//')" - local old_md5sum="$(dpkg-query -W -f='${Conffiles}' apache2.2-common apache2 | \ - sed -n -e "\' $CONFFILE ' { s/ obsolete$//; s/.* //; p }")" - - if [ "$md5sum" = "$old_md5sum" ]; then - mv -f "$CONFFILE" "$CONFFILE.dpkg-remove" - fi - done -} - -case "$1" in - install|upgrade) - - # black magic follows below. we're upgrading from Squeeze if - - # 1) an apache2-mpm package exists - if [ -d "/etc/apache2/" ] ; then - mpm=$(dpkg-query -f '${Package}\t${Status}\n' -W 'apache2-mpm-*' 2>/dev/null | grep "install ok" | cut -f1) - if [ -n "$mpm" ] ; then - if [ ! 
-f /etc/apache2/.apache2_mpm_selected ] ; then - echo "# automatically created during upgrade" >> /etc/apache2/.apache2_mpm_selected - echo "# it can be safely removed anytime" >> /etc/apache2/.apache2_mpm_selected - echo "$mpm" >> /etc/apache2/.apache2_mpm_selected - fi - fi - - if [ -n "$2" ] && dpkg --compare-versions "$2" 'lt' '2.4.7-1~' && dpkg --compare-versions "$2" 'ge' '2.4.1-1' ; then - CUR_MPM=$(a2query -M) || exit 1 - if [ "$CUR_MPM" == "itk" ] ; then - echo "apache2-mpm-itk" >> /etc/apache2/.apache2_mpm_selected - fi - fi - fi - # 2) an apache2.2-common conffiles exists or the 2.2 apache2 package is - # installed - if [ -n "$2" ] || obsolete_conffile_exists ; then - prepare_rm_conffile - prepare_mv_conffile - fi - - if [ -n "$2" ] && dpkg --compare-versions "$2" le 2.4.6-4+dyson2; then - # Renaming Apache SMF service: - if [ -x /usr/bin/smf_present ] && /usr/bin/smf_present; then - svcadm -v disable -s svc:/network/apache2 || true - fi - fi - ;; - - abort-upgrade) - ;; - - *) - echo "preinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 - -# vim: syntax=sh ts=4 sw=4 sts=4 sr noet diff --git a/debian/apache2.preinst.in b/debian/apache2.preinst.in new file mode 100644 index 00000000..ebd9fe54 --- /dev/null +++ b/debian/apache2.preinst.in 
@@ -0,0 +1,111 @@
+#! /bin/bash
+# preinst script for apache2
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+# * <new-preinst> `install'
+# * <new-preinst> `install' <old-version>
+# * <new-preinst> `upgrade' <old-version>
+# * <old-preinst> `abort-upgrade' <new-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+FIXUP_TEMPFILE=
+
+
+# During the migration of conffiles from apache2.2-common to apache2,
+# some things may have gone wrong.
+# * Some conffiles may have been left with obsolete content. These
+# have an md5sum in this list.
+# * Some other conffiles may have been removed but dpkg still thinks that
+# they belong to apache2.2-common. A few of these have been re-introduced,
+# but dpkg being confused about their state causes dpkg to think the
+# admin has removed them and to not create the new content.
+# These have a 'restore' instead of a md5 in the list.
+list_fixup_conffiles () {
+ cat <<- EOF
+ /etc/bash_completion.d/apache2 6a5f85e62655f6b5c8fa0f95c7c35c9c removed
+ /etc/apache2/sites-available/000-default.conf 2cc450cf300a880abbc3767fc002477d
+ /etc/apache2/sites-available/default-ssl.conf 196d150beeaeaf845ece50d7e84e12de
+ /etc/apache2/conf-available/charset.conf e6fbb8adf631932851d6cc522c1e48d7
+ /etc/apache2/conf-available/localized-error-pages.conf 844ba27ddb794fc6967bfb56b950e6a8
+ /etc/apache2/conf-available/other-vhosts-access-log.conf 2cad303fc4221d6b0068a8b37597b9fb
+ /etc/apache2/conf-available/security.conf 0f644d9d04ad556f44f1e65674bc07dc
+ /etc/apache2/mods-available/cern_meta.load restore
+ /etc/apache2/mods-available/ident.load restore
+ /etc/apache2/mods-available/imagemap.load restore
+ EOF
+}
+
+create_fixup_conffiles_tgz () {
+ FIXUP_TEMPFILE=$(mktemp)
+ base64 -d > $FIXUP_TEMPFILE << EOF
+XXX_FIXUP_CONFFILES_BASE64_XXX
+EOF
+}
+
+extract_fixup_conffile () {
+ local FILE=$1
+ local BASENAME=${FILE##*/}
+ tar -xz -O -f $FIXUP_TEMPFILE
$BASENAME > $FILE
+}
+
+replace_broken_conffiles () {
+ local FILE
+ local MD5
+ create_fixup_conffiles_tgz
+ while read FILE MD5 REMOVED ; do
+ if [ -f "$FILE" ] && md5sum "$FILE" | grep -q "^$MD5 " ; then
+ echo "Replacing broken conffile ${FILE}."
+ mv "$FILE" "${FILE}.dpkg-remove-fixup"
+ if [ -z "$REMOVED" ] ; then
+ extract_fixup_conffile "$FILE"
+ fi
+ elif [ ! -e "$FILE" ] && [ "$MD5" = "restore" ] ; then
+ echo "Restoring lost conffile ${FILE}."
+ extract_fixup_conffile "$FILE"
+ fi
+ done
+ rm -f "$FIXUP_TEMPFILE"
+}
+
+revert_broken_conffiles () {
+ local FILE
+ local MD5
+ local REMOVE
+ while read FILE MD5 REMOVED; do
+ if [ -f "$FILE.dpkg-remove-fixup" ]; then
+ echo "Moving broken conffile $FILE back."
+ mv "${FILE}.dpkg-remove-fixup" "$FILE"
+ fi
+ done
+}
+
+case "$1" in
+ upgrade|install)
+
+ if dpkg --compare-versions "$2" lt-nl "2.4.23-3~" ; then
+ list_fixup_conffiles | replace_broken_conffiles
+ fi
+
+ ;;
+
+ abort-upgrade)
+ list_fixup_conffiles | revert_broken_conffiles
+ ;;
+
+ *)
+ echo "preinst called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
diff --git a/debian/apache2.prerm b/debian/apache2.prerm
new file mode 100644
index 00000000..813b6fed
--- /dev/null
+++ b/debian/apache2.prerm
@@ -0,0 +1,8 @@
+#!/bin/sh
+set -e
+
+if [ -x "/etc/init.d/apache-htcacheclean" ] && [ "$1" = remove ] ; then
+ invoke-rc.d apache-htcacheclean stop || true
+fi
+
+#DEBHELPER#
diff --git a/debian/apache2.service b/debian/apache2.service
new file mode 100644
index 00000000..92a371a8
--- /dev/null
+++ b/debian/apache2.service
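Review bot: In debian/apache2.preinst.in, extract_fixup_conffile writes conffiles as root through unquoted expansions, and the `mktemp` file is removed only on the last line of replace_broken_conffiles, so an abort under `set -e` (a failing `tar`, for instance) leaves the decoded archive behind. I would quote the extraction as `tar -xz -O -f "$FIXUP_TEMPFILE" "$BASENAME" > "$FILE"` and register `trap 'rm -f "$FIXUP_TEMPFILE"' EXIT` right after the `mktemp` call in create_fixup_conffiles_tgz. revert_broken_conffiles declares `local REMOVE` but the loop reads into `REMOVED`, which therefore becomes a global; the declaration should be `local REMOVED`, and replace_broken_conffiles needs the same declaration.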
@@ -0,0 +1,14 @@
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/apachectl start
+ExecStop=/usr/sbin/apachectl stop
+ExecReload=/usr/sbin/apachectl graceful
+PrivateTmp=true
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/apache2@.service b/debian/apache2@.service
new file mode 100644
index 00000000..395137ba
--- /dev/null
+++ b/debian/apache2@.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=The Apache HTTP Server
+After=network.target remote-fs.target nss-lookup.target
+ConditionPathIsDirectory=/etc/apache2-%i
+
+[Service]
+Type=forking
+Environment=APACHE_CONFDIR=/etc/apache2-%i
+ExecStart=/usr/sbin/apachectl start
+ExecStop=/usr/sbin/apachectl stop
+ExecReload=/usr/sbin/apachectl graceful
+PrivateTmp=true
+Restart=on-abort
+
+[Install]
+WantedBy=multi-user.target
diff --git a/debian/ask-for-passphrase b/debian/ask-for-passphrase
new file mode 100755
index 00000000..de66d52a
--- /dev/null
+++ b/debian/ask-for-passphrase
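Review bot: Both new units, apache2.service and apache2@.service, declare `Type=forking` without a `PIDFile=`, so systemd has to guess the main process once `apachectl start` returns, and `Restart=on-abort` and status reporting then depend on that guess. The envvars change in this same commit puts the pid file at `/var/run/apache2$SUFFIX/apache2.pid`, which suggests `PIDFile=/var/run/apache2/apache2.pid` for apache2.service and `PIDFile=/var/run/apache2-%i/apache2.pid` for the template unit. How SUFFIX is derived from APACHE_CONFDIR is not visible here, so the instance path should be confirmed before adding it.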
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# ask-for-passphrase - designed to be used by SSLPassPhraseDialog exec:
+#
+# Copyright Canonical, Ltd. 2010, All Rights Reserved
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+sitename=$1
+keytype=$2
+
+log="logger -p daemon.err -t apache2"
+
+prompt="Enter passphrase for SSL/TLS keys for $sitename ($keytype):"
+
+# Apache gives us a pipe for stdin, but we want to
+# talk to apache's terminal.
+tty=`tty < /proc/${PPID}/fd/0`
+if [ "$tty" = "not a tty" ] ; then
+ if [ -x /bin/systemd-ask-password ] ; then
+ exec /bin/systemd-ask-password --timeout=0 "$prompt"
+ elif [ -x /bin/plymouth ] && plymouth --ping ; then
+ echo $prompt | logger
+ exec plymouth ask-for-password --prompt="$prompt"
+ else
+ $log "No way to ask user for passphrase"
+ exit 1
+ fi
+ $log "Passphrase prompt failed"
+ exit 1
+fi
+
+# We must not print anything on stdout except the passphrase
+read -s -p "$prompt" passphrase > $tty 2>&1 < $tty
+echo > $tty
+echo "$passphrase"
diff --git a/debian/bash_completion/apache2 b/debian/bash_completion/a2enmod
index e57c100e..e57c100e 100644
--- a/debian/bash_completion/apache2
+++ b/debian/bash_completion/a2enmod
diff --git a/debian/changelog b/debian/changelog
index aa18e945..81b61057 100644
--- a/debian/changelog
+++ b/debian/changelog
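Review bot: The terminal path at the end of ask-for-passphrase reads the secret with `read -s -p "$prompt" passphrase`, without `-r` and with the default IFS, so a passphrase containing a backslash or leading or trailing blanks is altered before Apache sees it. The following `echo "$passphrase"` also treats a value such as `-n` or `-e` as an option instead of printing it. I would change the two lines to `IFS= read -r -s -p "$prompt" passphrase > $tty 2>&1 < $tty` and `printf '%s\n' "$passphrase"`. In the plymouth branch `echo $prompt | logger` is unquoted, so glob characters in the site name would be expanded before logging; `printf '%s\n' "$prompt" | logger` avoids that.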
@@ -1,17 +1,452 @@ +apache2 (2.4.23-8) unstable; urgency=medium + + * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a + new package apache2-ssl-dev. Packages that interface with openssl + state from mod_ssl must build-depend on this new package. + This will help to disentangle the build-deps in the openssl transition. + Closes: #845033 + + -- Stefan Fritsch <sf@debian.org> Sun, 20 Nov 2016 00:33:13 +0100 + +apache2 (2.4.23-7) unstable; urgency=medium + + * Make apache2-dev depend on openssl 1.0, too. Closes: #844160 + * Move DefaultRuntimeDir and pid file for multi-instances to + /var/run/apache2-xxx. Thanks to Horst Platz for the debugging. + Closes: #838932 LP: #1627339 + * Fix systemd unit naming for multi-instances. + * Tweak embedded .tar.gz some more to build reproducibly. + + -- Stefan Fritsch <sf@debian.org> Sun, 13 Nov 2016 13:08:28 +0100 + +apache2 (2.4.23-6) unstable; urgency=medium + + * One more tweak for reproducible build. Thanks to Daniel Shahaf for the + patch. Closes: #839977 + * Avoid building with openssl 1.1 for now. See #828236 + + -- Stefan Fritsch <sf@debian.org> Wed, 09 Nov 2016 23:51:25 +0100 + +apache2 (2.4.23-5) unstable; urgency=low + + * Team upload. + + [ Stefan Fritsch ] + * Tweak creation of .tar.gz embedded in preinst to get reproducible + build. + + [ Raphaël Hertzog ] + * Add systemd unit files. Closes: #798430 + * Improve a2enmod to enable apache-htcacheclean with systemctl and let + it enable 'apache-htcacheclean@instance.service' for multi-instance + support. + * Improve setup-instance to rely on the systemd apache2@instance.service for + multi-instance support. + * Drop /lib/systemd/system/apache2.service.d/forking.conf now that we have + proper native systemd support. + * Modify handling of /etc/init.d/apache-htcacheclean to have a usual + Default-Start value but instead we disable it manually in the postinst. + That way "systemctl enable apache-htcacheclean" works. 
+ * Add some lintian overrides for non-problems (two update-rc.d calls in + postinst, and a .js file with a very long line). + + -- Raphaël Hertzog <hertzog@debian.org> Thu, 29 Sep 2016 12:03:31 +0200 + +apache2 (2.4.23-4) unstable; urgency=medium + + * Fix pre-inst script for new installations. Closes: #834169 + + -- Stefan Fritsch <sf@debian.org> Fri, 12 Aug 2016 21:44:31 +0200 + +apache2 (2.4.23-3) unstable; urgency=low + + * Fix conffiles that may have got the wrong content during upgrade from + wheezy to early jessie versions. Closes: #794933 + * Also restore re-introduced *.load files for mod_ident, mod_imagemap, and + mod_cern_meta. These may have gone missing due to dpkg thinking they still + belong to apache2.2-common. Reported by Markus Waldeck. + * apache2-maintscript-helper: Make apache2_switch_mpm do nothing if the + local admin has disabled the requested mpm manually. + Closes: #827446, #799630 + * Make mod_proxy_html depend on mod_xml2enc. + * dh_apache2: Make versioned recommends on apache2 less strict. There is + no advantage in recommending the current version. Closes: #784290 + + -- Stefan Fritsch <sf@debian.org> Thu, 11 Aug 2016 21:40:35 +0200 + +apache2 (2.4.23-2) unstable; urgency=high + + * CVE-2016-5387: Sets environmental variable based on user supplied Proxy + request header. + Don't pass through HTTP_PROXY in server/util_script.c + + -- Stefan Fritsch <sf@debian.org> Thu, 21 Jul 2016 23:21:37 +0200 + +apache2 (2.4.23-1) unstable; urgency=high + + * New upstream release + - Security: CVE-2016-4979: Fix bypass of TLS client certificate + verification in mod_http2. + - new modules mod_proxy_http2 (experimental) and mod_proxy_hcheck + * Re-introduce mod_imagemap and mod_cern_meta. Closes: #786657 + * Set SHELL=/bin/bash during configure to get reproducible builds regardless + of where /bin/sh points to. + * Use 'Require method' instead of Limit/LimitExcept in userdir.conf. 
+ + -- Stefan Fritsch <sf@debian.org> Tue, 05 Jul 2016 23:57:25 +0200 + +apache2 (2.4.20-2) unstable; urgency=medium + + * Fix crash in ap_get_useragent_host() triggered by mod_perl test. + Closes: #820824 + * Fix race condition and logical error in init script. Thanks to Thomas + Stangner for the patch. Closes: #822144 + * Remove links to manpages.debian.org in default index.html to avoid + broken robots doing a DoS on the site. Closes: #821313 + * Fix a2enmod to run on perl 5.14 to simplify backports. Closes: #821956 + * Bump Standards-Version (no changes necessary). + * Fix segfault with logresolve -c. Closes: #823259 + + -- Stefan Fritsch <sf@debian.org> Sat, 28 May 2016 16:14:09 +0200 + +apache2 (2.4.20-1) unstable; urgency=medium + + * New upstream release + - mostly bugfixes and HTTP/2 improvements + * Build against lua 5.2 instead of 5.1. Closes: #820243 + * Correct systemd-sysv-generator behavior by customizing some parameters. + This fixes 'systemctl status' returning incorrect results. Thanks to + Pierre-André MOREY for the patch. LP: #1488962 + * On Linux, use pthread mutexes. On kfreebsd/hurd, continue using fctnl + because they lack robust pthred mutexes. LP: #1565744, #1527044 + + -- Stefan Fritsch <sf@debian.org> Sun, 10 Apr 2016 14:03:41 +0200 + +apache2 (2.4.18-2) unstable; urgency=low + + * htcacheclean: + - split starting/stopping into separate init script 'apache-htcacheclean' + - move config from /etc/default/apache2 to /etc/default/apache-htcacheclean + - make a2enmod/a2dismod enable/disable htcacheclean with mod_cache_disk + - start htcacheclean as the apache2 run user/group + * Fix a2query -M not returning output if apache2 config is broken. + Fix missing quotes in apache2-maintscript-helper. Closes: #810500 + * README.backtrace: Note that coredump directory needs to be owned by + www-data. Closes: #806697 + * Remove ssl work-arounds for MSIE. Newer versions of IE work without them + and older versions are no longer supported by MS. 
Closes: #815852 + * Give a hint about systemd in README.multiple-instances. Closes: #818904 + * Don't treat mod_access_compat as essential. It's essentially broken, + anyway. + * Merge cross-compile tweaks for debian/rules from ubuntu. + * Merge autopkgtests from Ubuntu. Many thanks to Robie Basak. + Closes: #719245 + * Fix duplicate-module-load test and make sure it fails if it cannot execute + apache2ctl. + * Bump Standards-Version (no changes necessary). + + -- Stefan Fritsch <sf@debian.org> Mon, 28 Mar 2016 21:58:54 +0200 + +apache2 (2.4.18-1) unstable; urgency=medium + + * New upstream release: + - mostly HTTP/2 improvements + + -- Stefan Fritsch <sf@debian.org> Sat, 19 Dec 2015 09:26:14 +0100 + +apache2 (2.4.17-3) unstable; urgency=medium + + * mpm_prefork: Fix segfault if started with -X. Closes: #805737 + + -- Stefan Fritsch <sf@debian.org> Mon, 23 Nov 2015 19:52:09 +0100 + +apache2 (2.4.17-2) unstable; urgency=medium + + * Revert REDIRECT_URL to pre-2.4.17 behavior for now. The change broke + lots of web-apps. Closes: #803353 + * Fix secondary-init-script to not source the main init script with 'set -e'. + Closes: #803177 + * mod_http2: Write HTTP/2 into THE_REQUEST and the access log. + + -- Stefan Fritsch <sf@debian.org> Sat, 31 Oct 2015 23:17:11 +0100 + +apache2 (2.4.17-1) unstable; urgency=medium + + [ Stefan Fritsch ] + * New upstream release: + - New experimental http2 module + * reproducible build: Make symbol sorting consistent over different locales + * Conflict with apache2.2-common and apache2.2-bin to get the transitional + packages removed. Closes: #768815 + * Don't treat mpm_itk as MPM module in a2query. Closes: #791902 + * Don't treat mpm_itk as MPM module in deferred actions in postinst. + Hopefully really closes: #789914 + * Don't treat mpm_itk as MPM module in a2enmod. + + [ Jean-Michel Vourgère ] + * Updated upstream keyring used to check source authenticity. 
+ + -- Stefan Fritsch <sf@debian.org> Sat, 24 Oct 2015 22:14:32 +0200 + +apache2 (2.4.16-3) unstable; urgency=medium + + [ Jean-Michel Vourgère ] + * Have apache2.postrm removes content of /var/lib/apache2, not the + directory itself. Closes: #793862 + * d/p/reproducible_builds.diff: Sort exported symbols list. + + [ Stefan Fritsch ] + * apxs: Don't pass --silent to libtool. Closes: #795820 + * Remove default /var/www/html/index.html on package purge. + + -- Stefan Fritsch <sf@debian.org> Tue, 18 Aug 2015 13:49:09 +0200 + +apache2 (2.4.16-2) unstable; urgency=medium + + * Make dh_apache2 add a versioned dependency on apache2-bin, for the + new symbols required for the CVE-2015-3185 fix. + + -- Stefan Fritsch <sf@debian.org> Fri, 07 Aug 2015 23:43:16 +0200 + +apache2 (2.4.16-1) unstable; urgency=medium + + [ Stefan Fritsch ] + * New upstream version, fixing the following security issues: + + CVE-2015-3183: Fix chunk header parsing defect. + + CVE-2015-3185: ap_some_auth_required() broken in apache 2.4 in an + unfixable way. Add a new replacement API ap_some_authn_required() + and ap_force_authn hook. + + [ Jean-Michel Vourgère ] + * Allow "triggers-awaited" and "triggers-pending" states in addition to + "installed" when determining whether to defer actions or process + deferred actions. Thanks Colin Watson. Closes: #787103 + * Allow a2dismod cgi on threaded mpms. Thanks Raul Dias. Closes: + #733979 + * Remove pre-Jessie transition scripts, and remaining breaks. + * Made builds reproducible: d/rules set the date from the changelog in + CPPFLAGS, new reproducible_builds.diff patch to use it. + * Moved bash_completion from /etc to /usr/share/bash_completion. Added + links there for dynamic loading. + * Upgrade security.conf comments to 2.4 auth format. Thanks Werner + Detter. Closes: #789788 + * apache2.postinst: Fixed tests on deferred mpm switch. 
Closes: + #789914 + + -- Stefan Fritsch <sf@debian.org> Sun, 02 Aug 2015 00:44:07 +0200 + +apache2 (2.4.12-2) unstable; urgency=medium + + [ Jean-Michel Nirgal Vourgère ] + * d/control: + + Update Vcs-Browser. + * d/copyright: + + Change d/debhelper/dh_apache2 to dh_apache2.in. + + Drop paragraph about inexistant itk patches. + + [ Stefan Fritsch ] + * Remove all the transitional packages: + apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event, + apache2-mpm-itk, apache2.2-bin, apache2.2-common, + libapache2-mod-proxy-html, libapache2-mod-macro, apache2-suexec + This also fixes the dependency problems caused by a recent version + of debhelper (see #784803). + + -- Stefan Fritsch <sf@debian.org> Mon, 11 May 2015 22:07:26 +0200 + +apache2 (2.4.12-1) unstable; urgency=medium + + * New upstream version + * Add a patch for CVE-2015-0253 which was introduced in 2.4.11 which + was never shipped in Debian. + * Ship mod_proxy_html's default config file. Closes: #782022 + * Fix typo in dh_apache2 man page. Closes: #781032 + + -- Stefan Fritsch <sf@debian.org> Tue, 28 Apr 2015 22:54:41 +0200 + +apache2 (2.4.10-11) unstable; urgency=medium + + * core: Fix -D[efined] or <Define>[d] variables lifetime accross restarts. + This could cause all kinds of strange behavior. PR 56008. PR 57328 + * mpm_event: Fix process deadlock when shutting down a worker. PR 56960 + * mpm_event: Fix crashes due to various race conditions. Closes: #779078 + + -- Stefan Fritsch <sf@debian.org> Tue, 31 Mar 2015 22:27:16 +0200 + +apache2 (2.4.10-10) unstable; urgency=medium + + * CVE-2015-0228: mod_lua: Fix denial of service vulnerability in + wsupgrade(). + * Fix setup-instance example script to handle a2enconf/a2disconf. + LP: #1430936 + * Tweak mention of mod_access_compat in NEWS.Debian. The module does + not really work in practice. 
+ + -- Stefan Fritsch <sf@debian.org> Sun, 15 Mar 2015 10:47:36 +0100 + +apache2 (2.4.10-9) unstable; urgency=medium + + * CVE-2014-8109: mod_lua: Fix handling of the Require line when a + LuaAuthzProvider is used in multiple Require directives with different + arguments. + * Include ask-for-passphrase script from Ubuntu with some tweaks. This + fixes asking for certificate passphrases if started via systemd. + Closes: #773405 + * Fix init script to not wait 20s if passphrase was wrong. + * Also bump debhelper build-depends to get dh_installdeb with support for + symlink_to_dir. Closes: #770421 + + -- Stefan Fritsch <sf@debian.org> Mon, 22 Dec 2014 20:24:36 +0100 + +apache2 (2.4.10-8) unstable; urgency=medium + + * Bump dpkg Pre-Depends to version that supports relative symlinks in + dpkg-maintscript-helper's symlink_to_dir. Closes: #769821 + * mod_proxy_fcgi: Fix potential denial of service by malicious fcgi + script. (CVE-2014-3583). Fix similar bug in mod_authnz_fcgi even + though it does not seem to be exploitable. + * mpm_event: Fix use-after-free that may lead to a server crash. + * mod_ssl: Fix memory leak on graceful restart. Closes: #754492 + * mod_ssl: Avoid crashes during startup or graceful restart due to + openssl using a callback to invalid memory. LP: #1366174 + + -- Stefan Fritsch <sf@debian.org> Tue, 18 Nov 2014 15:18:18 +0100 + +apache2 (2.4.10-7) unstable; urgency=medium + + * Handle transitions of doc dirs and symlinks correctly during upgrade. + Use dpkg-maintscript-helper for this and remove existing explicit logic. + Closes: #767850 + * Remove obsolete conffiles in apache2.2-common, instead doing this only in + apache2. This partially fixes #768815 + + -- Stefan Fritsch <sf@debian.org> Sun, 09 Nov 2014 19:03:30 +0100 + +apache2 (2.4.10-6) unstable; urgency=medium + + * Disable SSLv3 in default config. 
Closes: #765347 + * Pull changes from upstream 2.4.x branch up to r1632831 + - Fixes an LDAP regression in 2.4.10 + - mod_cache: Avoid sending 304 responses during failed revalidations. + PR 56881 + - mod_status: Honor client IP address using mod_remoteip. PR 55886 + * Fix typo in package description. Closes: #765500 + + -- Stefan Fritsch <sf@debian.org> Tue, 21 Oct 2014 22:42:06 +0200 + +apache2 (2.4.10-5) unstable; urgency=medium + + * Remove one forgotten instance of ident.load in the preinst. + + -- Stefan Fritsch <sf@debian.org> Fri, 10 Oct 2014 00:20:09 +0200 + +apache2 (2.4.10-4) unstable; urgency=medium + + [ Stefan Fritsch ] + * Make apache2 depend on apache2-utils. This got lost somewhere in the + 2.4 update. + * Fix possible installation failure because of broken preinst script. + Closes: #764498 + * Improve package descriptions. Closes: #763676 + + [ Arno Töll ] + * Add proper return codes to fail() conditions in a2query. Thanks to Ondřej + Surý for providing a patch. + + -- Stefan Fritsch <sf@debian.org> Thu, 09 Oct 2014 22:19:12 +0200 + +apache2 (2.4.10-3) unstable; urgency=medium + + * CVE-2014-3581: Fix a DoS in mod_cache. + * If apache2 is not configured yet, defer actions executed via + apache2-maintscript-helper. This fixes installation failures if a + module package is configured first. Closes: #745834 + * Don't use a2query in preinst, as it may not be available yet. + Closes: #745812 + * Include mod_authnz_fcgi. Closes: #762908 + * Add some comments about SSLHonorCipherOrder in ssl.conf. Closes: #746359 + * Remove misleading sentence in apache2-bin's description. Closes: #762645 + * Remove trailing space in apache2/suexec/www-data. Closes: #719930 + * Add NEWS entry for the logrotate change in 2.4.10-2. + * Bump Standards-version (no changes). + * Fix lintian warning: Tweak licence short names in copyright file. 
+ + -- Stefan Fritsch <sf@debian.org> Sun, 28 Sep 2014 22:37:02 +0200 + +apache2 (2.4.10-2) unstable; urgency=medium + + * Pull changes from upstream 2.4.x branch up to r1626207 + + Security Fix for CVE-2013-5704: HTTP trailers could be used to + replace HTTP headers late during request processing, potentially + undoing or otherwise confusing modules that examined or modified + request headers earlier. + Adds "MergeTrailers" directive to restore legacy behavior. + + * Switch to apache2 providing the httpd and httpd-cgi virtual packages. + The previously providing apache2-bin package lacks the configuration + files. Closes: #756361 + * Keep fewer logs by default. Instead of 52 weekly logs, keep 14 daily + logs. The daily graceful restart also has the advantage of regenerating + things like TLS session ticket keys more often. Closes: #759382 + * Clarify description of apache2 package. Closes: #755976 + * In the maintainer script helper, print out Apache's error message if + the config check fails. + * Re-add mod_ident. It has still at least one user. LP: #1333388 + + -- Stefan Fritsch <sf@debian.org> Sun, 21 Sep 2014 22:58:33 +0200 + +apache2 (2.4.10-1) unstable; urgency=medium + + [ Arno Töll ] + * New upstream version + + Refresh debian/patches/fhs_compliance.patch + + Security Fixes: + - CVE-2014-0117 mod_proxy: Fix DoS that could cause a crash + - CVE-2014-0226 Fix a race condition resulting in a heap overflow in + scoreboard handling + - CVE-2014-0118 mod_deflate: The DEFLATE input filter now limits the + length and compression ratio of inflated request to mitigate a + possible DoS + - CVE-2014-0231 mod_cgid: Fix a denial of service against CGI scripts + + Fixes SNI with certificate defined in global scope. (Closes: #751361) + * Warn users if they try to disable modules that we consider essential for + operation of the Apache web server (Closes: #709461) + * Drop libcap from our build-dependencies. 
That was needed for itk which we + gave source out to it's own package again. + * Provide apache2.2-common package to avoid upgrading problems for people + using --purge (apt) or --purge-unused (aptitude) even though that's + clearly discouraged. This caused disappearing of conffiles because we move + them from apache2.2-common to apache2 during the upgrade. Ugh. This was + not a bug in our packaging, but an unfortunately people blame us + nonetheless even though it's not all our fault. This alternative helps + those people, but at the same time means that incompatible modules aren't + force-removed by dpkg during the upgrade. Hopefully we catch all of them + with the Breaks relation coming along (Closes: #716880, #752922, #711925) + + -- Stefan Fritsch <sf@debian.org> Tue, 22 Jul 2014 23:16:20 +0200 + apache2 (2.4.9-2~dyson1) unstable; urgency=medium * Package for Dyson -- Igor Pashev <pashev.igor@gmail.com> Sun, 01 Jun 2014 23:01:12 +0400 -apache2 (2.4.9-2) UNRELEASED; urgency=medium +apache2 (2.4.9-2) unstable; urgency=medium * Fix logic in postinst to detect existing index.* files in both DocumentRoots, the old /var/www and the new /var/www/html. Also change the compiled in default DocumentRoot to /var/www/html. Closes: #743915 - - -- Stefan Fritsch <sf@debian.org> Sun, 27 Apr 2014 22:15:58 +0200 + * Fix buffer overflows in suexec with very long (unix) usernames. Not + exploitable due to FORTIFY_SOURCE. And creating users usually requires + root privileges, anyway. Thanks to Luca Bruno for the report. + * Remove conflicts of mpm modules with mpm_itk, which isn't an mpm + anymore. Fixes a part of: #734865. libapache2-mpm-itk needs a fix, too. + * Remove obsolete warning in a2enmod about mpm-itk. + * Fix lintian warning: Remove image ref to w3.org, which is a privacy + breach. + + -- Stefan Fritsch <sf@debian.org> Sun, 08 Jun 2014 10:38:04 +0200 apache2 (2.4.9-1) unstable; urgency=medium diff --git a/debian/clean b/debian/clean index bde0e617..ae27f642 100644 
--- a/debian/clean +++ b/debian/clean @@ -10,13 +10,13 @@ debian/apache2-suexec-pristine.prerm debian/apache2-suexec-pristine.links debian/apache2-suexec-pristine.dirs debian/apache2-suexec-pristine.lintian-overrides -debian/apache2-mpm-event.postinst -debian/apache2-mpm-itk.postinst -debian/apache2-mpm-prefork.postinst -debian/apache2-mpm-worker.postinst debian/a2query +debian/config-dir/apache2.conf debian/manpages/a2query.8 debian/manpages/dh_apache2.1 debian/debhelper/dh_apache2 +debian/apache2.preinst +debian/fixup_conffiles.b64 +debian/fixup_conffiles.tgz config.nice support/suexec-custom.c diff --git a/debian/config-dir/apache2.conf b/debian/config-dir/apache2.conf.in index baf6d8aa..72220aab 100644 --- a/debian/config-dir/apache2.conf +++ b/debian/config-dir/apache2.conf.in @@ -71,7 +71,13 @@ # # The accept serialization lock file MUST BE STORED ON A LOCAL DISK. # -Mutex file:${APACHE_LOCK_DIR} default +___MUTEX___Mutex file:${APACHE_LOCK_DIR} default + +# +# The directory where shm and other runtime files will be stored. +# + +DefaultRuntimeDir ${APACHE_RUN_DIR} # # PidFile: The file in which the server should record its process diff --git a/debian/config-dir/conf-available/security.conf b/debian/config-dir/conf-available/security.conf index 599333b1..f9f69d49 100644 --- a/debian/config-dir/conf-available/security.conf +++ b/debian/config-dir/conf-available/security.conf @@ -7,8 +7,7 @@ # #<Directory /> # AllowOverride None -# Order Deny,Allow -# Deny from all +# Require all denied #</Directory> diff --git a/debian/config-dir/envvars b/debian/config-dir/envvars index 91328ac7..708d1706 100644 --- a/debian/config-dir/envvars +++ b/debian/config-dir/envvars 
@@ -16,7 +16,7 @@ fi export APACHE_RUN_USER=www-data export APACHE_RUN_GROUP=www-data # temporary state file location. This might be changed to /run in Wheezy+1 -export APACHE_PID_FILE=/var/run/apache2/apache2$SUFFIX.pid +export APACHE_PID_FILE=/var/run/apache2$SUFFIX/apache2.pid export APACHE_RUN_DIR=/var/run/apache2$SUFFIX export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX # Only /var/log/apache2 is handled by /etc/logrotate.d/apache2. diff --git a/debian/config-dir/mods-available/authnz_fcgi.load b/debian/config-dir/mods-available/authnz_fcgi.load new file mode 100644 index 00000000..69d757c5 --- /dev/null +++ b/debian/config-dir/mods-available/authnz_fcgi.load @@ -0,0 +1 @@ +LoadModule authnz_fcgi_module /usr/lib/apache2/modules/mod_authnz_fcgi.so diff --git a/debian/config-dir/mods-available/cern_meta.load b/debian/config-dir/mods-available/cern_meta.load new file mode 100644 index 00000000..bcc7546a --- /dev/null +++ b/debian/config-dir/mods-available/cern_meta.load @@ -0,0 +1 @@ +LoadModule cern_meta_module /usr/lib/apache2/modules/mod_cern_meta.so diff --git a/debian/config-dir/mods-available/http2.load b/debian/config-dir/mods-available/http2.load new file mode 100644 index 00000000..e5c769fe --- /dev/null +++ b/debian/config-dir/mods-available/http2.load @@ -0,0 +1 @@ +LoadModule http2_module /usr/lib/apache2/modules/mod_http2.so diff --git a/debian/config-dir/mods-available/ident.load b/debian/config-dir/mods-available/ident.load new file mode 100644 index 00000000..f7c4c3ce --- /dev/null +++ b/debian/config-dir/mods-available/ident.load @@ -0,0 +1 @@ +LoadModule ident_module /usr/lib/apache2/modules/mod_ident.so diff --git a/debian/config-dir/mods-available/imagemap.load b/debian/config-dir/mods-available/imagemap.load new file mode 100644 index 00000000..0fd55f8a --- /dev/null +++ b/debian/config-dir/mods-available/imagemap.load @@ -0,0 +1 @@ +LoadModule imagemap_module /usr/lib/apache2/modules/mod_imagemap.so 
diff --git a/debian/config-dir/mods-available/mpm_event.load b/debian/config-dir/mods-available/mpm_event.load index 141d7a17..00d970ba 100644 --- a/debian/config-dir/mods-available/mpm_event.load +++ b/debian/config-dir/mods-available/mpm_event.load @@ -1,2 +1,2 @@ -# Conflicts: mpm_worker mpm_prefork mpm_itk +# Conflicts: mpm_worker mpm_prefork LoadModule mpm_event_module /usr/lib/apache2/modules/mod_mpm_event.so diff --git a/debian/config-dir/mods-available/mpm_prefork.load b/debian/config-dir/mods-available/mpm_prefork.load index 3142c448..05da7a3b 100644 --- a/debian/config-dir/mods-available/mpm_prefork.load +++ b/debian/config-dir/mods-available/mpm_prefork.load @@ -1,2 +1,2 @@ -# Conflicts: mpm_event mpm_worker mpm_itk +# Conflicts: mpm_event mpm_worker LoadModule mpm_prefork_module /usr/lib/apache2/modules/mod_mpm_prefork.so diff --git a/debian/config-dir/mods-available/mpm_worker.load b/debian/config-dir/mods-available/mpm_worker.load index 6357ab97..f9d0c4d2 100644 --- a/debian/config-dir/mods-available/mpm_worker.load +++ b/debian/config-dir/mods-available/mpm_worker.load @@ -1,2 +1,2 @@ -# Conflicts: mpm_event mpm_prefork mpm_itk +# Conflicts: mpm_event mpm_prefork LoadModule mpm_worker_module /usr/lib/apache2/modules/mod_mpm_worker.so diff --git a/debian/config-dir/mods-available/proxy_hcheck.load b/debian/config-dir/mods-available/proxy_hcheck.load new file mode 100644 index 00000000..b70f421c --- /dev/null +++ b/debian/config-dir/mods-available/proxy_hcheck.load @@ -0,0 +1,2 @@ +# Depends: proxy +LoadModule proxy_hcheck_module /usr/lib/apache2/modules/mod_proxy_hcheck.so diff --git a/debian/config-dir/mods-available/proxy_html.conf b/debian/config-dir/mods-available/proxy_html.conf new file mode 100644 index 00000000..14692add --- /dev/null +++ b/debian/config-dir/mods-available/proxy_html.conf 
@@ -0,0 +1,75 @@
+# Configuration example.
+#
+# For detailed information about these directives see
+# <URL:http://httpd.apache.org/docs/2.4/mod/mod_proxy_html.html>
+# and for mod_xml2enc see
+# <URL:http://httpd.apache.org/docs/2.4/mod/mod_xml2enc.html>
+#
+
+# All knowledge of HTML links has been removed from the mod_proxy_html
+# code itself, and is instead read from httpd.conf (or included file)
+# at server startup. So you MUST declare it. This will normally be
+# at top level, but can also be used in a <Location>.
+#
+# Here's the declaration for W3C HTML 4.01 and XHTML 1.0
+
+ProxyHTMLLinks a href
+ProxyHTMLLinks area href
+ProxyHTMLLinks link href
+ProxyHTMLLinks img src longdesc usemap
+ProxyHTMLLinks object classid codebase data usemap
+ProxyHTMLLinks q cite
+ProxyHTMLLinks blockquote cite
+ProxyHTMLLinks ins cite
+ProxyHTMLLinks del cite
+ProxyHTMLLinks form action
+ProxyHTMLLinks input src usemap
+ProxyHTMLLinks head profile
+ProxyHTMLLinks base href
+ProxyHTMLLinks script src for
+
+# To support scripting events (with ProxyHTMLExtended On),
+# you'll need to declare them too.
+
+ProxyHTMLEvents onclick ondblclick onmousedown onmouseup \
+ onmouseover onmousemove onmouseout onkeypress \
+ onkeydown onkeyup onfocus onblur onload \
+ onunload onsubmit onreset onselect onchange
+
+# If you need to support legacy (pre-1998, aka "transitional") HTML or XHTML,
+# you'll need to uncomment the following deprecated link attributes.
+# Note that these are enabled in earlier mod_proxy_html versions
+#
+# ProxyHTMLLinks frame src longdesc
+# ProxyHTMLLinks iframe src longdesc
+# ProxyHTMLLinks body background
+# ProxyHTMLLinks applet codebase
+#
+# If you're dealing with proprietary HTML variants,
+# declare your own URL attributes here as required.
+# +# ProxyHTMLLinks myelement myattr otherattr +# +########### +# EXAMPLE # +########### +# +# To define the URL /my-gateway/ as a gateway to an appserver with address +# http://some.app.intranet/ on a private network, after loading the +# modules and including this configuration file: +# +# ProxyRequests Off <-- this is an important security setting +# ProxyPass /my-gateway/ http://some.app.intranet/ +# <Location /my-gateway/> +# ProxyPassReverse / +# ProxyHTMLEnable On +# ProxyHTMLURLMap http://some.app.intranet/ /my-gateway/ +# ProxyHTMLURLMap / /my-gateway/ +# </Location> +# +# Many (though not all) real-life setups are more complex. +# +# See the documentation at +# http://apache.webthing.com/mod_proxy_html/ +# and the tutorial at +# http://www.apachetutor.org/admin/reverseproxies diff --git a/debian/config-dir/mods-available/proxy_html.load b/debian/config-dir/mods-available/proxy_html.load index d8b248e9..50f1a2cd 100644 --- a/debian/config-dir/mods-available/proxy_html.load +++ b/debian/config-dir/mods-available/proxy_html.load @@ -1,2 +1,2 @@ -# Depends: proxy +# Depends: proxy xml2enc LoadModule proxy_html_module /usr/lib/apache2/modules/mod_proxy_html.so diff --git a/debian/config-dir/mods-available/proxy_http2.load b/debian/config-dir/mods-available/proxy_http2.load new file mode 100644 index 00000000..b251d0c5 --- /dev/null +++ b/debian/config-dir/mods-available/proxy_http2.load @@ -0,0 +1,2 @@ +# Depends: proxy http2 +LoadModule proxy_http2_module /usr/lib/apache2/modules/mod_proxy_http2.so diff --git a/debian/config-dir/mods-available/ssl.conf b/debian/config-dir/mods-available/ssl.conf index 2df23389..1dc4eea6 100644 --- a/debian/config-dir/mods-available/ssl.conf +++ b/debian/config-dir/mods-available/ssl.conf 
@@ -33,7 +33,7 @@ # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. - SSLPassPhraseDialog builtin + SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism @@ -58,10 +58,19 @@ # Enable only secure ciphers: SSLCipherSuite HIGH:!aNULL + # SSL server cipher order preference: + # Use server priorities for cipher algorithm choice. + # Clients may prefer lower grade encryption. You should enable this + # option if you want to enforce stronger encryption, and can afford + # the CPU cost, and did not override SSLCipherSuite in a way that puts + # insecure ciphers first. + # Default: Off + #SSLHonorCipherOrder on + # The protocols to enable. # Available values: all, SSLv3, TLSv1, TLSv1.1, TLSv1.2 # SSL v2 is no longer supported - SSLProtocol all + SSLProtocol all -SSLv3 # Allow insecure renegotiation with clients which do not yet support the # secure renegotiation protocol. Default: Off diff --git a/debian/config-dir/mods-available/userdir.conf b/debian/config-dir/mods-available/userdir.conf index a6c0da6c..2c334ecf 100644 --- a/debian/config-dir/mods-available/userdir.conf +++ b/debian/config-dir/mods-available/userdir.conf @@ -5,12 +5,7 @@ <Directory /home/*/public_html> AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec - <Limit GET POST OPTIONS> - Require all granted - </Limit> - <LimitExcept GET POST OPTIONS> - Require all denied - </LimitExcept> + Require method GET POST OPTIONS </Directory> </IfModule> diff --git a/debian/config-dir/sites-available/default-ssl.conf b/debian/config-dir/sites-available/default-ssl.conf index 432b9650..7e37a9c3 100644 --- a/debian/config-dir/sites-available/default-ssl.conf +++ b/debian/config-dir/sites-available/default-ssl.conf 
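Review bot: `SSLProtocol all -SSLv3` in the second ssl.conf hunk is written as a subtraction from `all`, so every other protocol named in the "Available values" comment, TLSv1 and TLSv1.1 included, stays enabled, and nothing in the file says why SSLv3 was taken out. A comment on that line, for example `# SSLv3 is disabled because of known protocol weaknesses; do not re-enable it`, would keep an admin from reverting it, and sites without legacy clients could be pointed at `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1`. The added `#SSLHonorCipherOrder on` stays commented out, so the client's preference still decides the cipher within `HIGH:!aNULL`; if that default is intentional it deserves a line in the package NEWS. The enclosing configuration block starts and ends outside the hunk.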
@@ -124,11 +124,9 @@ # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. - BrowserMatch "MSIE [2-6]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - # MSIE 7 and newer should be able to use keepalive - BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + # BrowserMatch "MSIE [2-6]" \ + # nokeepalive ssl-unclean-shutdown \ + # downgrade-1.0 force-response-1.0 </VirtualHost> </IfModule> diff --git a/debian/control b/debian/control index a03d73f3..25d8d575 100644 --- a/debian/control +++ b/debian/control 
@@ -3,43 +3,44 @@ Section: httpd Priority: optional Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Uploaders: Stefan Fritsch <sf@debian.org>, Arno Töll <arno@debian.org> -Build-Depends: debhelper (>= 8.9.7~), lsb-release, dpkg-dev (>= 1.16.1~), +Build-Depends: debhelper (>= 9.20131213~), lsb-release, dpkg-dev (>= 1.16.1~), libaprutil1-dev (>= 1.5.0), libapr1-dev (>= 1.5.0), libpcre3-dev, zlib1g-dev, - libssl-dev (>= 0.9.8m), libcap-dev [linux-any], perl, + libnghttp2-dev, libssl1.0-dev | libssl-dev (<< 1.1), perl, dh-smf [illumos-any], - liblua5.1-0-dev, libxml2-dev, autotools-dev, gawk | awk + liblua5.2-dev, libxml2-dev, autotools-dev, gawk | awk, + dh-systemd [linux-any] Build-Conflicts: autoconf2.13 -Standards-Version: 3.9.5 -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-apache/apache2.git +Standards-Version: 3.9.8 +Vcs-Browser: https://anonscm.debian.org/cgit/pkg-apache/apache2.git/ Vcs-Git: git://anonscm.debian.org/pkg-apache/apache2.git Homepage: http://httpd.apache.org/ Package: apache2 Architecture: any +Pre-Depends: dpkg (>= 1.17.14) Depends: ${misc:Depends}, lsb-base, procps [!hurd-i386], perl, mime-support, apache2-bin (= ${binary:Version}), - apache2-data (= ${source:Version}), ${perl:Depends} -Replaces: apache2.2-common -Conflicts: apache2.2-common + apache2-utils (>= 2.4), apache2-data (= ${source:Version}), + ${perl:Depends} +Provides: httpd, httpd-cgi Recommends: ssl-cert -Suggests: www-browser, apache2-doc, apache2-suexec-pristine | apache2-suexec-custom, - apache2-utils +Conflicts: apache2.2-common, apache2.2-bin +Replaces: apache2.2-common, apache2.2-bin +Suggests: www-browser, apache2-doc, apache2-suexec-pristine | apache2-suexec-custom Description: Apache HTTP Server - The Apache Software Foundation's goal is to build a secure, efficient and + The Apache HTTP Server Project's goal is to build a secure, efficient and extensible HTTP server as standards-compliant open source software. 
The result has long been the number one web server on the Internet. . - This package contains the configuration files, init scripts and support - scripts. It does not install the actual apache2 binaries. + Installing this package results in a full installation, including the + configuration files, init scripts and support scripts. Package: apache2-data Architecture: all Depends: ${misc:Depends} -Replaces: apache2.2-common -Conflicts: apache2.2-common Multi-Arch: foreign Description: Apache HTTP Server (common files) - The Apache Software Foundation's goal is to build a secure, efficient and + The Apache HTTP Server Project's goal is to build a secure, efficient and extensible HTTP server as standards-compliant open source software. The result has long been the number one web server on the Internet. . 
@@ -50,91 +51,16 @@ Package: apache2-bin Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends}, ${perl:Depends} # MODULE_MAGIC_NUMBER_MAJOR from apache2/include/ap_mmn.h -Provides: ${apache2:API}, httpd, httpd-cgi +Provides: ${apache2:API} Suggests: www-browser, apache2-doc, apache2-suexec-pristine | apache2-suexec-custom -Replaces: apache2.2-bin (<< 2.3~), apache2.2-common, apache2-mpm-prefork (<< 2.3~), - apache2-mpm-itk (<< 2.3~), apache2-mpm-worker (<< 2.3~), apache2-mpm-event (<< 2.3~), - libapache2-mod-proxy-html (<< 1:2.4.4-2~), libapache2-mod-macro (<< 1:2.4.6-1~) -Conflicts: apache2.2-bin (<< 2.3~), apache2.2-common -Breaks: libapache2-mod-proxy-html (<< 1:2.4.4-2~), libapache2-mod-macro (<< 1:2.4.6-1~) -Description: Apache HTTP Server (binary files and modules) - The Apache Software Foundation's goal is to build a secure, efficient and +Description: Apache HTTP Server (modules and other binary files) + The Apache HTTP Server Project's goal is to build a secure, efficient and extensible HTTP server as standards-compliant open source software. The result has long been the number one web server on the Internet. . This package contains the binaries only and does not set up a working web-server instance. Install the "apache2" package to get a fully working - instance. Do not install this package unless you want to set-up the Apache - HTTP server entirely on your own. - -Package: apache2-mpm-worker -Architecture: any -Section: oldlibs -Priority: extra -Provides: httpd, httpd-cgi -Depends: ${misc:Depends}, apache2 (= ${binary:Version}) -Description: transitional worker MPM package for apache2 - This is a transitional package to apache2 for users of apache2-mpm-worker and - can be safely removed after the installation is complete. 
- -Package: apache2-mpm-prefork -Architecture: any -Section: oldlibs -Priority: extra -Provides: httpd, httpd-cgi -Depends: ${misc:Depends}, apache2 (= ${binary:Version}) -Description: transitional prefork MPM package for apache2 - This is a transitional package to apache2 for users of apache2-mpm-prefork and - can be safely removed after the installation is complete. - -Package: apache2-mpm-event -Architecture: any -Section: oldlibs -Priority: extra -Provides: httpd, httpd-cgi -Depends: ${misc:Depends}, apache2 (= ${binary:Version}) -Description: transitional event MPM package for apache2 - This is a transitional package to apache2 for users of apache2-mpm-event and - can be safely removed after the installation is complete. - -Package: apache2-mpm-itk -Architecture: any -Section: oldlibs -Priority: extra -Provides: httpd, httpd-cgi -Depends: ${misc:Depends}, apache2 (= ${binary:Version}), libapache2-mpm-itk -Description: transitional itk MPM package for apache2 - This is a transitional package to apache2 for users of apache2-mpm-itk and - can be safely removed after the installation is complete. - -Package: apache2.2-bin -Architecture: any -Section: oldlibs -Priority: extra -Breaks: gnome-user-share (<< 3.8.0-2~), libapache2-mod-dnssd (<< 0.6-3.1~) -Depends: ${misc:Depends}, apache2-bin (>= 2.3~) -Description: Transitional package for apache2-bin - This is a transitional package for apache2-bin, and can be safely removed - after the installation is complete. - -Package: libapache2-mod-proxy-html -Architecture: any -Section: oldlibs -Priority: extra -Depends: ${misc:Depends}, apache2-bin (>= 2.3~) -Description: Transitional package for apache2-bin - This is a transitional package for apache2-bin, and can be safely removed - after the installation is complete. 
- -Package: libapache2-mod-macro -Architecture: any -Section: oldlibs -Priority: extra -Depends: ${misc:Depends}, apache2-bin (>= 2.3~) -Description: Transitional package for apache2-bin - This is a transitional package for apache2-bin, and can be safely removed - after the installation is complete. - + instance. Package: apache2-utils Architecture: any @@ -144,7 +70,7 @@ Description: Apache HTTP Server (utility programs for web servers) Provides some add-on programs useful for any web server. These include: - ab (Apache benchmark tool) - fcgistarter (Start a FastCGI program) - - logresolve (Resolve IP addresses to hostname in logfiles) + - logresolve (Resolve IP addresses to hostnames in logfiles) - htpasswd (Manipulate basic authentication files) - htdigest (Manipulate digest authentication files) - htdbm (Manipulate basic authentication files in DBM format, using APR) @@ -155,21 +81,9 @@ Description: Apache HTTP Server (utility programs for web servers) - check_forensic (Extract mod_log_forensic output from Apache log files) - httxt2dbm (Generate dbm files for use with RewriteMap) -Package: apache2-suexec -Architecture: any -Section: oldlibs -Priority: extra -Depends: ${misc:Depends}, - apache2-suexec-pristine (= ${binary:Version}) -Description: transitional package for apache2-suexec-pristine - This is a transitional package for apache2-suexec-pristine, and can be safely - removed after the installation is complete. - Package: apache2-suexec-pristine Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, apache2-bin -Replaces: apache2-suexec (<< 2.3~) -Breaks: apache2-suexec (<< 2.3~) Provides: apache2-suexec Description: Apache HTTP Server standard suexec program for mod_suexec Provides the standard suexec helper program for mod_suexec. This version is 
@@ -180,8 +94,6 @@ Package: apache2-suexec-custom Priority: extra Architecture: any Depends: ${misc:Depends}, ${shlibs:Depends}, apache2-bin -Replaces: apache2-suexec (<< 2.3~) -Breaks: apache2-suexec (<< 2.3~) Provides: apache2-suexec Description: Apache HTTP Server configurable suexec program for mod_suexec Provides a customizable version of the suexec helper program for mod_suexec. @@ -199,7 +111,7 @@ Pre-Depends: ${misc:Pre-Depends} Recommends: apache2 Depends: ${misc:Depends} Description: Apache HTTP Server (on-site documentation) - The Apache Software Foundation's goal is to build a secure, efficient and + The Apache HTTP Server Project's goal is to build a secure, efficient and extensible HTTP server as standards-compliant open source software. The result has long been the number one web server on the Internet. . 
@@ -209,18 +121,16 @@ Description: Apache HTTP Server (on-site documentation) Package: apache2-dev Architecture: any -Depends: ${misc:Depends}, openssl, - libapr1-dev, libaprutil1-dev, debhelper (>= 9), ${perl:Depends} -Provides: apache2-prefork-dev, apache2-threaded-dev, dh-apache2 -Replaces: apache2-prefork-dev, apache2-threaded-dev -Conflicts: apache2-prefork-dev, apache2-threaded-dev +Depends: ${misc:Depends}, openssl, libapr1-dev, libaprutil1-dev, + debhelper (>= 9), ${perl:Depends} +Provides: dh-apache2 Description: Apache HTTP Server (development headers) - The Apache Software Foundation's goal is to build a secure, efficient and + The Apache HTTP Server Project's goal is to build a secure, efficient and extensible HTTP server as standards-compliant open source software. The result has long been the number one web server on the Internet. . - This package provides development headers and the apxs2 binary for the Apache 2 - HTTP server useful to develop and link third party additions to the Debian + This package provides development headers and the apxs2 binary for the Apache + 2 HTTP server, useful to develop and link third party additions to the Debian Apache HTTP server package. . It also provides dh_apache2 and dh sequence addons useful to install various 
@@ -229,13 +139,25 @@ Description: Apache HTTP Server (development headers) - Site configuration files - Global configuration files +Package: apache2-ssl-dev +Architecture: any +Depends: ${misc:Depends}, apache2-dev (= ${binary:Version}), + libssl1.0-dev | libssl-dev (<< 1.1) +Description: Apache HTTP Server (mod_ssl development headers) + The Apache HTTP Server Project's goal is to build a secure, efficient and + extensible HTTP server as standards-compliant open source software. The + result has long been the number one web server on the Internet. + . + This package provides the development header and the dependencies for + modules that interact with mod_ssl's internal openssl state. + Package: apache2-dbg Section: debug Priority: extra Architecture: any Depends: ${misc:Depends}, apache2-bin (= ${binary:Version}) Description: Apache debugging symbols - The Apache Software Foundation's goal is to build a secure, efficient and + The Apache HTTP Server Project's goal is to build a secure, efficient and extensible HTTP server as standards-compliant open source software. The result has long been the number one web server on the Internet. . diff --git a/debian/copyright b/debian/copyright index 42815f93..097be01e 100644 --- a/debian/copyright +++ b/debian/copyright @@ -4,12 +4,12 @@ Source: http://httpd.apache.org/ Files: * Copyright: Copyright 2009 The Apache Software Foundation -License: Apache 2.0 +License: Apache-2.0 Files: include/ap_regex.h Copyright: 2009 The Apache Software Foundation Copyright: 1997-2004 University of Cambridge -License: Apache 2.0 and BSD-3-clause (Cambridge) +License: Apache-2.0 and BSD-3-clause-Cambridge Files: server/util_pcre.c Copyright: 1997-2001 University of Cambridge 
@@ -21,38 +21,38 @@ License: GPL-3+ or Custom Files: test/test_limits.c Copyright: 1998 Dag-Erling Codan Smrgrav -License: BSD-3-clause (Smrgrav) +License: BSD-3-clause-Smrgrav Files: modules/metadata/mod_mime_magic.c Copyright: 2009 The Apache Software Foundation 1996-1997 Cisco Systems, Inc. 1987 Ian F. Darwin. -License: Apache 2.0 and Cisco +License: Apache-2.0 and Cisco Files: docs/conf/magic debian/config-dir/magic Copyright: Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995. -License: BSD-2-clause (Darwin) +License: BSD-2-clause-Darwin Files: modules/mappers/mod_imagemap.c Copyright: 2009 The Apache Software Foundation 1992 by Eric Haines, erich@eye.com -License: Apache 2.0 and Haines +License: Apache-2.0 and Haines Files: server/util_md5.c Copyright: 2009 The Apache Software Foundation 1995, Board of Trustees of the University of Illinois 1993,1994 by Carnegie Mellon University 1991 Bell Communications Research, Inc. (Bellcore) -License: Apache 2.0 and MD5 +License: Apache-2.0 and MD5 Files: support/ab.c Copyright: 2009 The Apache Software Foundation 1996 by Zeus Technology Ltd. http://www.zeustech.net/ -License: Apache 2.0 and Zeus +License: Apache-2.0 and Zeus -Files: debian/a2query.in debian/debhelper/dh_apache2 +Files: debian/a2query.in debian/debhelper/dh_apache2.in Copyright: 2012 Arno Töll -License: Apache 2.0 or GPL-2+ +License: Apache-2.0 or GPL-2+ Files: debian/debhelper/apache2-maintscript-helper Copyright: 2012 Arno Töll @@ -60,13 +60,9 @@ License: MIT Files: debian/a2enmod Copyright: 2008 Stefan Fritsch -License: Apache 2.0 +License: Apache-2.0 -Files: debian/patches/itk/* -Copyright: 2005-2012 Steinar H. Gunderson, 2008 Knut Auvor Grythe -License: Apache 2.0 - -License: Apache 2.0 +License: Apache-2.0 Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. 
@@ -270,7 +266,7 @@ License: Haines Mark Cox, mark@ukweb.com, Allow relative URLs even when no base specified -License: BSD-2-clause (Darwin) +License: BSD-2-clause-Darwin Software written by Ian F. Darwin and others; maintained 1994-2004 Christos Zoulas. . @@ -364,7 +360,7 @@ License: Cisco Submission to Apache Software Foundation July 1997 -License: BSD-3-clause (Smrgrav) +License: BSD-3-clause-Smrgrav Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -389,7 +385,7 @@ License: BSD-3-clause (Smrgrav) THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -License: BSD-3-clause (Cambridge) +License: BSD-3-clause-Cambridge Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: . diff --git a/debian/create_preinst b/debian/create_preinst new file mode 100755 index 00000000..1f30072a --- /dev/null +++ b/debian/create_preinst @@ -0,0 +1,32 @@ +#!/usr/bin/perl +# +# This script embeds a base64 encoded tarball into apache2.preinst. +# See #794933 + +use strict; +use warnings; +use autodie; + + +sub readfile +{ + my $fname = shift; + local $/; + open(my $fd, "<", $fname); + my $content = <$fd>; + return $content; +} + +sub writefile +{ + my $fname = shift; + my $content = shift; + open(my $fd, ">", $fname); + print $fd $content; +} + +my $preinst = readfile("debian/apache2.preinst.in"); +my $embed = readfile("debian/fixup_conffiles.b64"); + +$preinst =~ s/XXX_FIXUP_CONFFILES_BASE64_XXX/$embed/; +writefile("debian/apache2.preinst", $preinst); diff --git a/debian/debhelper/apache2-maintscript-helper b/debian/debhelper/apache2-maintscript-helper index 29dab2b9..68560cce 100644 --- a/debian/debhelper/apache2-maintscript-helper +++ b/debian/debhelper/apache2-maintscript-helper 
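Review bot: In debian/create_preinst the substitution `$preinst =~ s/XXX_FIXUP_CONFFILES_BASE64_XXX/$embed/;` is not checked, so if the placeholder ever goes missing from apache2.preinst.in the script writes a preinst without the embedded tarball and the build still succeeds. I would make that fatal: `$preinst =~ s/XXX_FIXUP_CONFFILES_BASE64_XXX/$embed/ or die "placeholder not found in debian/apache2.preinst.in\n";`. `writefile` also relies on the implicit close when `$fd` goes out of scope, which autodie does not check. Adding `close($fd);` after the `print` would let a failed or short write stop the build instead of shipping a truncated maintainer script that later runs as root.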
@@ -75,6 +75,11 @@ else fi fi + APACHE2_MAINTSCRIPT_DEFER= + if ! dpkg-query -f '${Status}' -W apache2|egrep -q 'installed|triggers-awaited|triggers-pending'; then + echo "Package apache2 is not configured yet. Will defer actions by package $DPKG_MAINTSCRIPT_PACKAGE." + APACHE2_MAINTSCRIPT_DEFER=/var/lib/apache2/deferred_actions + fi if [ -z "$1" ] ; then echo "You must invoke apache2-maintscript-helper with an unmodified environment when sourcing it" >&2 @@ -129,8 +134,6 @@ fi # - - # # Function apache2_msg # print out a warning to both, the syslog and a local standard output. @@ -273,22 +276,36 @@ apache2_switch_mpm() local MPM="$1" MPM="${MPM#mpm_}" + if [ -n "$APACHE2_MAINTSCRIPT_DEFER" ] ; then + echo "$APACHE2_MAINTSCRIPT_PACKAGE apache2_switch_mpm $*" >> $APACHE2_MAINTSCRIPT_DEFER + return 0 + fi if [ ! -e "/etc/apache2/mods-available/mpm_$MPM.load" ] ; then apache2_msg "err" "apache2_switch_mpm: MPM $MPM not found" return 1 fi - local CUR_MPM=$(a2query -M) || return 1 + local a2query_ret=0 + a2query -m "$mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$? - if [ $CUR_MPM != $MPM ] ; then - a2dismod -m -q "mpm_$CUR_MPM"; - a2enmod -m -q "mpm_$MPM"; - apache2_msg "info" "apache2_switch_mpm Switch to $MPM" - else + case $a2query_ret in + 0) apache2_msg "info" "apache2_switch_mpm $MPM: No action required" return 0 - fi + ;; + 32) + apache2_msg "info" "apache2_switch_mpm $MPM: Has been disabled manually, not changing" + return 1 + ;; + + esac + + local CUR_MPM=$(a2query -M) || return 1 + + a2dismod -m -q "mpm_$CUR_MPM"; + a2enmod -m -q "mpm_$MPM"; + apache2_msg "info" "apache2_switch_mpm Switch to $MPM" if ! apache2_has_module "mpm_$MPM" ; then # rollback @@ -331,9 +348,9 @@ apache2_switch_mpm() # 2.4.6-4: Allow apache2_invoke to disable configuration in preinst/postinst apache2_invoke() { - local CMD=$1 - local CONF=$2 - local RCD_ACTION=$3 + local CMD="$1" + local CONF="$2" + local RCD_ACTION="$3" local invoke_rcd=0 local check_switch="" local invoke_string="" 
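Review bot: The `egrep -q 'installed|triggers-awaited|triggers-pending'` test in the -75,6 hunk is unanchored, so it also matches the dpkg states `half-installed` and `not-installed`, and actions would then not be deferred even though apache2 is not configured. Matching only the last word of `${Status}` avoids that: `egrep -q ' (installed|triggers-awaited|triggers-pending)$'`. The message prints `$DPKG_MAINTSCRIPT_PACKAGE` while the deferred-action lines written in the later hunks use `$APACHE2_MAINTSCRIPT_PACKAGE`; the definition of the latter is outside the hunks shown, so please confirm it is set at that point.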
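Review bot: In the apache2_switch_mpm hunk, `a2query -m "$mpm_$MPM"` expands a shell variable named `mpm_` that nothing in the hunk sets, so the query is made for the bare MPM name rather than for `mpm_$MPM`, the literal prefix used everywhere else in the function. It should read `a2query -m "mpm_$MPM" > /dev/null 2>&1 || a2query_ret=$?`. As written the `case` will most likely never see 0 or 32 for the intended module, so the new "Has been disabled manually" branch is skipped and the switch proceeds anyway. The redirect target in the defer branch is also unquoted here (`>> $APACHE2_MAINTSCRIPT_DEFER`) while apache2_invoke quotes it. The function body continues outside the hunk.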
@@ -341,6 +358,11 @@ apache2_invoke() [ -x "/usr/sbin/a2$CMD" ] || return 1 [ -x "/usr/sbin/a2query" ] || return 1 + if [ -n "$APACHE2_MAINTSCRIPT_DEFER" ] ; then + echo "$APACHE2_MAINTSCRIPT_PACKAGE apache2_invoke $*" >> "$APACHE2_MAINTSCRIPT_DEFER" + return 0 + fi + case "${RCD_ACTION:-}" in ""|reload|restart) ;; @@ -379,8 +401,8 @@ apache2_invoke() apache2_msg "info" "apache2_invoke $CONF: already enabled" APACHE2_NEED_ACTION=1 elif [ "$a2query_ret" -eq 32 ] ; then - # the maintainer disabled the module - apache2_msg "info" "apache2_invoke $CONF: no action - $invoke_string was disabled by maintainer" + # the admin disabled the module + apache2_msg "info" "apache2_invoke $CONF: no action - $invoke_string was disabled by local admin" return 0 else # coming here either means: @@ -449,6 +471,10 @@ apache2_reload() if ! apache2_needs_action ; then return 0 fi + if [ -n "$APACHE2_MAINTSCRIPT_DEFER" ] ; then + return 0 + fi + local have_smf=no local action local smf_status @@ -472,7 +498,8 @@ apache2_reload() ;; esac - if apache2ctl configtest 2>/dev/null; then + local tmpfile=$(mktemp) + if apache2ctl configtest > $tmpfile 2>&1; then if [ x$have_smf = xyes ]; then smf_status=`svcstatus apache2` case $smf_status in @@ -483,7 +510,14 @@ apache2_reload() fi else apache2_msg "err" "apache2_reload: Your configuration is broken. Not ${action}ing Apache 2" + grep -v -e "Action 'configtest' failed." \ + -e "The Apache error log may have more information." \ + "$tmpfile" | + while read LINE ; do + apache2_msg "err" "apache2_reload: $LINE" + done fi + rm -f "$tmpfile" } # vim: syntax=sh sw=8 sts=8 sr noet diff --git a/debian/debhelper/dh_apache2.in b/debian/debhelper/dh_apache2.in index bd6d2618..3652d079 100755 --- a/debian/debhelper/dh_apache2.in +++ b/debian/debhelper/dh_apache2.in 
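Review bot: In apache2_reload, `local tmpfile=$(mktemp)` discards mktemp's exit status (the status of `local` is what gets returned), and the following `> $tmpfile` is unquoted, so a failed mktemp leads to a broken redirect and the configtest is reported as failed for the wrong reason. Suggest `local tmpfile; tmpfile=$(mktemp) || return 1` and `apache2ctl configtest > "$tmpfile" 2>&1`. The captured output is then passed line by line to apache2_msg, whose body is outside this hunk; `read LINE` without `-r` will mangle backslashes in that output, and `while read -r LINE` avoids it.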
@@ -58,6 +58,11 @@ sub apache_api_version return "apache2-api-$API"; } +sub apache_depends +{ + # TODO XXX this should be determined from ap_mmn.h, too. + return apache_api_version() . ", apache2-bin ( >= 2.4.16 )"; +} sub apache_version { @@ -78,6 +83,7 @@ sub apache_conf_installdir =head1 SYNOPSIS B<dh_apache2> [S<I<debhelper options>>] [S<B<--conditional>>=I<expression>] [B<--error-handler=>I<function>] [B<-n>|B<--noscripts>] + [B<-e>|B<--noenable>] [B<-r>|B<--restart>] =head1 DESCRIPTION @@ -116,7 +122,7 @@ B<dh_apache2>. Instead the helper will scan the package installation directory for recognized files and guess their purpose depending on their installation path in the file system. Use with caution. -=head1 INVOKATION +=head1 INVOCATION B<dh_apache2> is not part of debhelper and might require information available in the apache2-dev package. Packages making use of B<dh_apache2> should declare @@ -434,7 +440,7 @@ foreach my $package ((@{$dh{DOPACKAGES}})) } if ($dir =~ m#etc/apache2/sites-available# and $file =~ m#.conf$#) { - verbose_print("package $package appears to contain a virtual host confoguration\n"); + verbose_print("package $package appears to contain a virtual host configuration\n"); push @{$PACKAGE_TYPE{'has_a_site_conf'}}, $conf_name; } if ($dir =~ m#etc/apache2/conf-available# and $file =~ m#.conf$#) @@ -457,7 +463,7 @@ foreach my $package ((@{$dh{DOPACKAGES}})) { warning("Package $package appears to be an Apache module. It should comply to the package naming scheme libapache2-mod-<modulename>\n"); } - addsubstvar($package, "misc:Depends", apache_api_version()); + addsubstvar($package, "misc:Depends", apache_depends()); my $modules = ""; foreach my $module (@{$PACKAGE_TYPE{'has_a_module'}}) 
@@ -471,7 +477,7 @@ foreach my $package ((@{$dh{DOPACKAGES}})) if ($#{$PACKAGE_TYPE{'has_a_conf_file'}} >= 0 or $#{$PACKAGE_TYPE{'has_a_site_conf'}} >= 0) { $PACKAGE_TYPE{'dependency_line'} .= "| httpd"; - addsubstvar($package, "misc:Recommends", "apache2 (" . apache_version() . ") " . $PACKAGE_TYPE{'dependency_line'} ); + addsubstvar($package, "misc:Recommends", "apache2 ( >= 2.4.6-4~ ) " . $PACKAGE_TYPE{'dependency_line'} ); my $confs = ""; my $sites = ""; diff --git a/debian/index.html b/debian/index.html index 8e6df3de..766401df 100644 --- a/debian/index.html +++ b/debian/index.html @@ -293,17 +293,17 @@ *-available/ counterparts. These should be managed by using our helpers <tt> - <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2enmod">a2enmod</a>, - <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2dismod">a2dismod</a>, + a2enmod, + a2dismod, </tt> <tt> - <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2ensite">a2ensite</a>, - <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2dissite">a2dissite</a>, + a2ensite, + a2dissite, </tt> and <tt> - <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2enconf">a2enconf</a>, - <a href="http://manpages.debian.org/cgi-bin/man.cgi?query=a2disconf">a2disconf</a> + a2enconf, + a2disconf </tt>. See their respective man pages for detailed information. </li> @@ -326,7 +326,7 @@ <p> By default, Debian does not allow access through the web browser to <em>any</em> file apart of those located in <tt>/var/www</tt>, - <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html">public_html</a> + <a href="http://httpd.apache.org/docs/2.4/mod/mod_userdir.html" rel="nofollow">public_html</a> directories (when enabled) and <tt>/usr/share</tt> (for web applications). If your site is using a web document root located elsewhere (such as in <tt>/srv</tt>) you may need to whitelist your 
@@ -347,8 +347,8 @@ <p> Please use the <tt>reportbug</tt> tool to report bugs in the Apache2 package with Debian. However, check <a - href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0">existing - bug reports</a> before reporting a new bug. + href="http://bugs.debian.org/cgi-bin/pkgreport.cgi?ordering=normal;archive=0;src=apache2;repeatmerged=0" + rel="nofollow">existing bug reports</a> before reporting a new bug. </p> <p> Please report bugs specific to modules (such as PHP and others) @@ -362,9 +362,6 @@ </div> </div> <div class="validator"> - <p> - <a href="http://validator.w3.org/check?uri=referer"><img src="http://www.w3.org/Icons/valid-xhtml10" alt="Valid XHTML 1.0 Transitional" height="31" width="88" /></a> - </p> </div> </body> </html> diff --git a/debian/libapache2-mod-macro.postinst b/debian/libapache2-mod-macro.postinst deleted file mode 100644 index 0ed55d77..00000000 --- a/debian/libapache2-mod-macro.postinst +++ /dev/null 
@@ -1,49 +0,0 @@ -#! /bin/bash -# postinst script for libapache2-mod-macro -# -# see: dh_installdeb(1) - -set -e - - -# summary of how this script can be called: -# * <postinst> `configure' <most-recently-configured-version> -# * <old-postinst> `abort-upgrade' <new version> -# * <conflictor's-postinst> `abort-remove' `in-favour' <package> -# <new-version> -# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' -# <failed-install-package> <version> `removing' -# <conflicting-package> <version> -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - if [ -n "$2" ] && dpkg --compare-versions "$2" lt "1:2.4.6-1" ; then - if [ -d /usr/share/doc/libapache2-mod-macro ] ; then - RET=0 - rmdir /usr/share/doc/libapache2-mod-macro > /dev/null 2>&1|| RET=$? - if [ $RET = 0 ] ; then - ln -s /usr/share/doc/apache2-bin /usr/share/doc/libapache2-mod-macro - fi - fi - fi - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff --git a/debian/libapache2-mod-proxy-html.postinst b/debian/libapache2-mod-proxy-html.postinst deleted file mode 100644 index 14e5a02e..00000000 --- a/debian/libapache2-mod-proxy-html.postinst +++ /dev/null 
@@ -1,49 +0,0 @@ -#! /bin/bash -# postinst script for libapache2-mod-proxy-html -# -# see: dh_installdeb(1) - -set -e - - -# summary of how this script can be called: -# * <postinst> `configure' <most-recently-configured-version> -# * <old-postinst> `abort-upgrade' <new version> -# * <conflictor's-postinst> `abort-remove' `in-favour' <package> -# <new-version> -# * <deconfigured's-postinst> `abort-deconfigure' `in-favour' -# <failed-install-package> <version> `removing' -# <conflicting-package> <version> -# -# for details, see http://www.debian.org/doc/debian-policy/ or -# the debian-policy package - -case "$1" in - configure) - if [ -n "$2" ] && dpkg --compare-versions "$2" lt "1:2.4.4-2" ; then - if [ -d /usr/share/doc/libapache2-mod-proxy-html ] ; then - RET=0 - rmdir /usr/share/doc/libapache2-mod-proxy-html > /dev/null 2>&1|| RET=$? - if [ $RET = 0 ] ; then - ln -s /usr/share/doc/apache2-bin /usr/share/doc/libapache2-mod-proxy-html - fi - fi - fi - ;; - - abort-upgrade|abort-remove|abort-deconfigure) - - ;; - - *) - echo "postinst called with unknown argument \`$1'" >&2 - exit 1 - ;; -esac - -# dh_installdeb will replace this with shell code automatically -# generated by other debhelper scripts. - -#DEBHELPER# - -exit 0 diff --git a/debian/migrate-sites.pl b/debian/migrate-sites.pl deleted file mode 100644 index 82968448..00000000 --- a/debian/migrate-sites.pl +++ /dev/null 
@@ -1,62 +0,0 @@ -#! /usr/bin/perl - -# -# Rename existing sites in $SITES_AVAILABLE to make sure they have a -# .conf suffix. update symlinks in $SITES_ENABLED if necessary -# -# Warning: This script does not work if you didn't use a2ensite/a2dissite to -# manage your sites -# - -use strict; -use File::Copy; -use File::Spec; -use File::Basename; - -my $SITES_AVAILABLE = "/etc/apache2/sites-available"; -my $SITES_ENABLED = "/etc/apache2/sites-enabled"; - -my %SITES = ( - "$SITES_AVAILABLE" => [], - "$SITES_ENABLED" => [] -); - -sub error -{ - my $reason = shift; - print STDERR "$reason\n"; - exit 1; -} - -foreach my $key (keys %SITES) -{ - error("No such directory: $key") unless -d $key; - - opendir(DIR, $key) || error("$key: $!"); - push $SITES{$key}, grep { m#^[^\.]# && $_ !~ m/default|default-ssl/ && $_ !~ m#\.conf$# } readdir(DIR); - closedir(DIR); -} - -foreach my $site (@{ $SITES{$SITES_AVAILABLE} }) -{ - print("rename $site -> $site.conf\n"); - my $curname = $SITES_AVAILABLE . "/" . $site; - my $newname = $curname . ".conf"; - my $curlink = $SITES_ENABLED . "/" . $site; - my $newlink = $curlink . ".conf"; - - if (-e $curname) - { - move($curname, $newname) || error("Could not rename file $curname: $!"); - if ( grep { $_ eq $site && -l $SITES_ENABLED . "/" . $_ } @{ $SITES{$SITES_ENABLED} } ) - { - print("re-enable site: $site as $site.conf\n"); - symlink( File::Spec->abs2rel( $newname, dirname($newlink)), $newlink ) || error("Could not create link $newlink: $1"); - if ( -l $curlink ) - { - unlink($curlink) - } - } - } -} - diff --git a/debian/patches/CVE-2016-5387.patch b/debian/patches/CVE-2016-5387.patch new file mode 100644 index 00000000..7badf022 --- /dev/null +++ b/debian/patches/CVE-2016-5387.patch 
@@ -0,0 +1,17 @@ +--- apache2.orig/server/util_script.c ++++ apache2/server/util_script.c +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them diff --git a/debian/patches/customize_apxs.patch b/debian/patches/customize_apxs.patch index 7ccca92b..5b580276 100644 --- a/debian/patches/customize_apxs.patch +++ b/debian/patches/customize_apxs.patch @@ -6,9 +6,9 @@ Forwarded: not-needed Author: Stefan Fritsch <sf@debian.org> Last-Update: 2012-03-17 ---- a/support/apxs.in -+++ b/support/apxs.in -@@ -38,7 +38,7 @@ +--- apache2.orig/support/apxs.in ++++ apache2/support/apxs.in +@@ -38,7 +38,7 @@ my $localstatedir = get_vars("localstat my $CFG_TARGET = get_vars("progname"); my $CFG_SYSCONFDIR = get_vars("sysconfdir"); my $CFG_CFLAGS = join ' ', map { get_vars($_) } @@ -17,7 +17,16 @@ Last-Update: 2012-03-17 my $CFG_LDFLAGS = join ' ', map { get_vars($_) } qw(LDFLAGS NOTEST_LDFLAGS SH_LDFLAGS); my $includedir = get_vars("includedir"); -@@ -276,6 +276,7 @@ +@@ -49,7 +49,7 @@ my $CFG_LIBEXECDIR = eval qq("$libexecdi + my $sbindir = get_vars("sbindir"); + my $CFG_SBINDIR = eval qq("$sbindir"); + my $ltflags = $ENV{'LTFLAGS'}; +-$ltflags or $ltflags = "--silent"; ++$ltflags or $ltflags = ""; + + my %internal_vars = map {$_ => 1} + qw(TARGET CC CFLAGS CFLAGS_SHLIB LD_SHLIB LDFLAGS_SHLIB LIBS_SHLIB +@@ -276,6 +276,7 @@ if ($opt_g) { $data =~ s|%TARGET%|$CFG_TARGET|sg; $data =~ s|%PREFIX%|$prefix|sg; $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg; 
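Review bot: debian/patches/CVE-2016-5387.patch is added without any patch header, whereas customize_apxs.patch and fhs_compliance.patch on this page carry fields such as Forwarded, Author and Last-Update; for a security fix the origin of the change should be recorded with the patch. Suggest prepending `Description: Do not pass the Proxy request header to CGI scripts as HTTP_PROXY (CVE-2016-5387)` and `Origin: upstream, <upstream revision URL>`. fix_logresolve_segfault.patch has the same gap, with only a URL comment. The patched code itself drops the header only in ap_add_common_vars; whether modules that build their own environment or forward request headers to a backend are covered cannot be seen from this hunk and is worth checking.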
@@ -25,7 +34,7 @@ Last-Update: 2012-03-17 my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s); -@@ -428,7 +429,7 @@ +@@ -428,7 +429,7 @@ if ($opt_c) { $la =~ s|\.c$|.la|; my $o = $s; $o =~ s|\.c$|.o|; @@ -34,7 +43,7 @@ Last-Update: 2012-03-17 unshift(@objs, $lo); } -@@ -469,7 +470,7 @@ +@@ -469,7 +470,7 @@ if ($opt_c) { $opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags"; } @@ -43,7 +52,7 @@ Last-Update: 2012-03-17 # execute the commands &execute_cmds(@cmds); -@@ -503,7 +504,7 @@ +@@ -503,7 +504,7 @@ if ($opt_i or $opt_e) { if ($opt_i) { push(@cmds, "$installbuilddir/instdso.sh SH_LIBTOOL='" . "$libtool' $f $CFG_LIBEXECDIR"); @@ -52,7 +61,7 @@ Last-Update: 2012-03-17 } # determine module symbolname and filename -@@ -539,10 +540,11 @@ +@@ -539,10 +540,11 @@ if ($opt_i or $opt_e) { $filename = "mod_${name}.c"; } my $dir = $CFG_LIBEXECDIR; @@ -66,7 +75,7 @@ Last-Update: 2012-03-17 } # execute the commands -@@ -550,108 +552,35 @@ +@@ -550,108 +552,35 @@ if ($opt_i or $opt_e) { # activate module via LoadModule/AddModule directive if ($opt_a or $opt_A) { @@ -198,7 +207,7 @@ Last-Update: 2012-03-17 } } -@@ -671,8 +600,8 @@ +@@ -671,8 +600,8 @@ __DATA__ ## builddir=. diff --git a/debian/patches/fhs_compliance.patch b/debian/patches/fhs_compliance.patch index 46827cd6..af5125a5 100644 --- a/debian/patches/fhs_compliance.patch +++ b/debian/patches/fhs_compliance.patch @@ -2,9 +2,11 @@ Description: Fix up FHS file locations for apache2 droppings. Forwarded: not-needed Author: Adam Conrad <adconrad@0c3.net> Last-Update: 2012-02-25 ---- a/configure -+++ b/configure -@@ -32725,17 +32725,17 @@ +Index: apache2/configure +=================================================================== +--- apache2.orig/configure ++++ apache2/configure +@@ -33031,17 +33031,17 @@ ap_prefix="${ap_cur}" cat >>confdefs.h <<_ACEOF 
@@ -25,9 +27,11 @@ Last-Update: 2012-02-25 _ACEOF ---- a/configure.in -+++ b/configure.in -@@ -823,11 +823,11 @@ +Index: apache2/configure.in +=================================================================== +--- apache2.orig/configure.in ++++ apache2/configure.in +@@ -826,11 +826,11 @@ rm -f modules.c echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c APR_EXPAND_VAR(ap_prefix, $prefix) @@ -42,8 +46,10 @@ Last-Update: 2012-02-25 [Location of the MIME types config file, relative to the Apache root directory]) perlbin=`$ac_aux_dir/PrintPath perl` ---- a/include/ap_config_layout.h.in -+++ b/include/ap_config_layout.h.in +Index: apache2/include/ap_config_layout.h.in +=================================================================== +--- apache2.orig/include/ap_config_layout.h.in ++++ apache2/include/ap_config_layout.h.in @@ -60,5 +60,6 @@ #define DEFAULT_REL_LOGFILEDIR "@rel_logfiledir@" #define DEFAULT_EXP_PROXYCACHEDIR "@exp_proxycachedir@" @@ -51,9 +57,11 @@ Last-Update: 2012-02-25 +#define DEFAULT_PIDLOG "/var/run/apache2.pid" #endif /* AP_CONFIG_LAYOUT_H */ ---- a/include/httpd.h -+++ b/include/httpd.h -@@ -109,7 +109,7 @@ +Index: apache2/include/httpd.h +=================================================================== +--- apache2.orig/include/httpd.h ++++ apache2/include/httpd.h +@@ -109,7 +109,7 @@ extern "C" { #define DOCUMENT_LOCATION HTTPD_ROOT "/docs" #else /* Set default for non OS/2 file system */ diff --git a/debian/patches/fix_logresolve_segfault.patch b/debian/patches/fix_logresolve_segfault.patch new file mode 100644 index 00000000..8f9aaefe --- /dev/null +++ b/debian/patches/fix_logresolve_segfault.patch 
@@ -0,0 +1,12 @@
+# http://svn.apache.org/viewvc?view=revision&revision=1745863
+--- apache2.orig/support/logresolve.c
++++ apache2/support/logresolve.c
+@@ -284,7 +284,7 @@ int main(int argc, const char * const ar
+ */
+ status = apr_sockaddr_info_get(&ipdouble, hostname, ip->family, 0,
+ 0, pline);
+- if (status == APR_SUCCESS ||
++ if (status != APR_SUCCESS ||
+ memcmp(ipdouble->ipaddr_ptr, ip->ipaddr_ptr, ip->ipaddr_len)) {
+ /* Double-lookup failed */
+ *space = ' ';
diff --git a/debian/patches/reproducible_builds.diff b/debian/patches/reproducible_builds.diff
new file mode 100644
index 00000000..42a6fd07
--- /dev/null
+++ b/debian/patches/reproducible_builds.diff
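Review bot: The corrected double-lookup test still compares only the first address returned by `apr_sockaddr_info_get()`, in `memcmp(ipdouble->ipaddr_ptr, ip->ipaddr_ptr, ip->ipaddr_len)`. APR chains further results through `next`, so a name that resolves to several addresses is likely to be reported as "Double-lookup failed" whenever the logged address is not the first entry. Walking the list, for example `for (a = ipdouble; a != NULL; a = a->next)` with the same `memcmp` per entry, would make the forward confirmation match what the comment promises. The enclosing `main()` starts and ends outside the hunk, so this is based on the visible lines only.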
@@ -0,0 +1,44 @@
+Description: Make builds reproducible
+ Don't use __DATE__ __TIME__. Use changelog date instead.
+ Sort exported symbols.
+Author: Jean-Michel Vourgère <nirgal@debian.org>
+Forwarded: no
+Last-Update: 2015-08-11
+
+Index: apache2/server/buildmark.c
+===================================================================
+--- apache2.orig/server/buildmark.c
++++ apache2/server/buildmark.c
+@@ -17,11 +17,7 @@
+ #include "ap_config.h"
+ #include "httpd.h"
+
+-#if defined(__DATE__) && defined(__TIME__)
+-static const char server_built[] = __DATE__ " " __TIME__;
+-#else
+-static const char server_built[] = "unknown";
+-#endif
++static const char server_built[] = BUILD_DATETIME;
+
+ AP_DECLARE(const char *) ap_get_server_built()
+ {
+Index: apache2/server/Makefile.in
+===================================================================
+--- apache2.orig/server/Makefile.in
++++ apache2/server/Makefile.in
+@@ -1,3 +1,4 @@
++export LC_ALL = C
+
+ CLEAN_TARGETS = gen_test_char test_char.h \
+ ApacheCoreOS2.def httpd.exp export_files \
+@@ -80,8 +81,8 @@ httpd.exp: exports.c export_vars.h
+ @echo "#! ." > $@
+ @echo "* This file was AUTOGENERATED at build time." >> $@
+ @echo "* Please do not edit by hand." >> $@
+- $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) exports.c | grep "ap_hack_" | grep -v apr_ | sed -e 's/^.*[)]\(.*\);$$/\1/' >> $@
+- $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) export_vars.h | grep -v apr_ | sed -e 's/^\#[^!]*//' | sed -e '/^$$/d' >> $@
++ $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) exports.c | grep "ap_hack_" | grep -v apr_ | sed -e 's/^.*[)]\(.*\);$$/\1/' | sort >> $@
++ $(CPP) $(ALL_CPPFLAGS) $(ALL_INCLUDES) export_vars.h | grep -v apr_ | sed -e 's/^\#[^!]*//' | sed -e '/^$$/d' | sort >> $@
+
+
+ # developer stuff
diff --git a/debian/patches/series b/debian/patches/series
index fce31717..6c75e38e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
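Review bot: In the buildmark.c hunk, `server_built[]` is now initialised from `BUILD_DATETIME` with no fallback, whereas the removed code fell back to `"unknown"`. Any build that does not receive `-DBUILD_DATETIME=...` (this commit adds it to `AP2_CPPFLAGS` in debian/rules) will therefore stop with an undeclared identifier. A guard ahead of the definition keeps the file buildable on its own: `#ifndef BUILD_DATETIME`, `#define BUILD_DATETIME "unknown"`, `#endif`.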
@@ -3,5 +3,10 @@ no_LD_LIBRARY_PATH.patch suexec-CVE-2007-1742.patch customize_apxs.patch build_suexec-custom.patch +reproducible_builds.diff + # This patch is applied manually #suexec-custom.patch + +fix_logresolve_segfault.patch +CVE-2016-5387.patch diff --git a/debian/patches/suexec-CVE-2007-1742.patch b/debian/patches/suexec-CVE-2007-1742.patch index 9ea0ee01..5655522e 100644 --- a/debian/patches/suexec-CVE-2007-1742.patch +++ b/debian/patches/suexec-CVE-2007-1742.patch @@ -2,10 +2,10 @@ Description: Fix race condition with chdir Fix /var/www* being accepted as docroot instead of /var/www/* (the same for public_html* instead of public_html/* ) Author: Stefan Fritsch <sf@debian.org> -Last-Update: 2012-02-25 +Last-Update: 2014-05-29 Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752 ---- a/support/suexec.c -+++ b/support/suexec.c +--- apache2.orig/support/suexec.c ++++ apache2/support/suexec.c @@ -42,6 +42,7 @@ #if APR_HAVE_UNISTD_H #include <unistd.h> @@ -14,7 +14,13 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752 #include <stdio.h> #include <stdarg.h> -@@ -261,6 +262,7 @@ +@@ -256,11 +257,12 @@ int main(int argc, char *argv[]) + char *actual_gname; /* actual group name */ + char *cmd; /* command to be executed */ + char cwd[AP_MAXPATH]; /* current working directory */ +- char dwd[AP_MAXPATH]; /* docroot working directory */ ++ char dwd[AP_MAXPATH+1]; /* docroot working directory */ + struct passwd *pw; /* password entry holder */ struct group *gr; /* group entry holder */ struct stat dir_info; /* directory info holder */ struct stat prg_info; /* program info holder */ @@ -22,7 +28,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752 /* * Start with a "clean" environment -@@ -502,11 +504,16 @@ +@@ -502,11 +504,16 @@ int main(int argc, char *argv[]) exit(111); } 
@@ -40,7 +46,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752 log_err("cannot get docroot information (%s)\n", target_homedir); exit(112); } -@@ -514,12 +521,18 @@ +@@ -514,12 +521,16 @@ int main(int argc, char *argv[]) else { if (((chdir(AP_DOC_ROOT)) != 0) || ((getcwd(dwd, AP_MAXPATH)) == NULL) || @@ -53,10 +59,8 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752 + close(cwdh); + -+ if (strlen(cwd) > strlen(dwd)) { -+ strncat(dwd, "/", AP_MAXPATH); -+ dwd[AP_MAXPATH-1] = '\0'; -+ } ++ if (strlen(cwd) > strlen(dwd)) ++ strncat(dwd, "/", 1); if ((strncmp(cwd, dwd, strlen(dwd))) != 0) { log_err("command not in docroot (%s/%s)\n", cwd, cmd); exit(114); diff --git a/debian/patches/suexec-custom.patch b/debian/patches/suexec-custom.patch index e25842e3..532f99a3 100644 --- a/debian/patches/suexec-custom.patch +++ b/debian/patches/suexec-custom.patch @@ -1,9 +1,9 @@ Description: the actual patch to make suexec-custom read a config file Forwarded: not-needed Author: Stefan Fritsch <sf@debian.org> -Last-Update: 2012-02-25 ---- a/support/suexec-custom.c -+++ b/support/suexec-custom.c +Last-Update: 2014-05-29 +--- apache2.orig/support/suexec-custom.c ++++ apache2/support/suexec-custom.c @@ -29,6 +29,7 @@ * * @@ -20,7 +20,7 @@ Last-Update: 2012-02-25 #if APR_HAVE_UNISTD_H #include <unistd.h> #endif -@@ -197,6 +199,26 @@ +@@ -197,6 +199,26 @@ static void log_no_err(const char *fmt,. return; } @@ -47,7 +47,7 @@ Last-Update: 2012-02-25 static void clean_env(void) { char pathbuf[512]; -@@ -263,6 +285,11 @@ +@@ -263,6 +285,11 @@ int main(int argc, char *argv[]) struct stat dir_info; /* directory info holder */ struct stat prg_info; /* program info holder */ int cwdh; /* handle to cwd */ @@ -59,7 +59,7 @@ Last-Update: 2012-02-25 /* * Start with a "clean" environment -@@ -292,15 +319,10 @@ +@@ -292,15 +319,10 @@ int main(int argc, char *argv[]) || (! strcmp(AP_HTTPD_USER, pw->pw_name))) #endif /* _OSD_POSIX */ ) { 
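Review bot: In the docroot check, `strncat(dwd, "/", 1)` bounds the bytes taken from the source string, not the room left in `dwd`. The append is safe only because the earlier hunk enlarges the buffer to `dwd[AP_MAXPATH+1]`, while both `getcwd(dwd, AP_MAXPATH)` calls can write at most `AP_MAXPATH` bytes including the terminator. That coupling is invisible at the call site of a helper that runs with elevated privileges, and a later change to either size would turn it into a one-byte overflow. Please record it next to the call, for example `/* dwd has AP_MAXPATH+1 bytes and getcwd() filled at most AP_MAXPATH, so "/" always fits */`. The enclosing `main()` continues outside the hunk.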
@@ -76,7 +76,7 @@ Last-Update: 2012-02-25 #ifdef AP_LOG_EXEC fprintf(stderr, " -D AP_LOG_EXEC=\"%s\"\n", AP_LOG_EXEC); #endif -@@ -313,9 +335,6 @@ +@@ -313,9 +335,6 @@ int main(int argc, char *argv[]) #ifdef AP_UID_MIN fprintf(stderr, " -D AP_UID_MIN=%d\n", AP_UID_MIN); #endif @@ -86,7 +86,7 @@ Last-Update: 2012-02-25 exit(0); } /* -@@ -330,23 +349,6 @@ +@@ -330,23 +349,6 @@ int main(int argc, char *argv[]) target_gname = argv[2]; cmd = argv[3]; @@ -110,7 +110,7 @@ Last-Update: 2012-02-25 /* * Check for a leading '/' (absolute path) in the command to be executed, -@@ -371,6 +373,63 @@ +@@ -371,6 +373,59 @@ int main(int argc, char *argv[]) } /* @@ -119,18 +119,14 @@ Last-Update: 2012-02-25 + * SUEXEC_CONFIG_DIR/username + * If not, error out. + */ -+ filename = malloc(AP_MAXPATH+1); + suexec_docroot = malloc(AP_MAXPATH+1); + suexec_userdir_suffix = malloc(AP_MAXPATH+1); -+ if (!filename || !suexec_docroot || !suexec_userdir_suffix) { ++ if (!suexec_docroot || !suexec_userdir_suffix || ++ asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name) == -1) { + log_err("malloc failed\n"); + exit(120); + } + -+ strncpy(filename, SUEXEC_CONFIG_DIR, AP_MAXPATH); -+ strncat(filename, pw->pw_name, AP_MAXPATH); -+ filename[AP_MAXPATH] = '\0'; -+ + configfile = fopen(filename, "r"); + if (!configfile) { + log_err("User %s not allowed: Could not open config file %s\n", pw->pw_name, filename); @@ -174,7 +170,7 @@ Last-Update: 2012-02-25 * Error out if the target username is invalid. */ if (strspn(target_uname, "1234567890") != strlen(target_uname)) { -@@ -511,7 +570,7 @@ +@@ -511,7 +566,7 @@ int main(int argc, char *argv[]) if (userdir) { if (((chdir(target_homedir)) != 0) || @@ -183,7 +179,7 @@ Last-Update: 2012-02-25 ((getcwd(dwd, AP_MAXPATH)) == NULL) || ((fchdir(cwdh)) != 0)) { log_err("cannot get docroot information (%s)\n", target_homedir); -@@ -519,7 +578,7 @@ +@@ -519,7 +574,7 @@ int main(int argc, char *argv[]) } } else { 
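Review bot: The config-file name is now built with `asprintf(&filename, SUEXEC_CONFIG_DIR "%s", pw->pw_name)`, which is a GNU/BSD extension rather than ISO C or POSIX. Unless `_GNU_SOURCE` is defined before `<stdio.h>` is included, the call is compiled against an implicit declaration; the include hunk of suexec-custom.c is not fully visible here. Please confirm the define is present, or add `#define _GNU_SOURCE` at the top of the file. Because `asprintf` sits last in the `||` chain, `filename` stays unset when one of the two `malloc()` calls fails first; the branch exits immediately, so this is harmless today, but `char *filename = NULL;` at the declaration would make it explicit.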
diff --git a/debian/rules b/debian/rules index 4fce75e8..13203893 100755 --- a/debian/rules +++ b/debian/rules @@ -18,13 +18,15 @@ endif LSB_RELEASE := $(shell lsb_release -i -s) SERVER_VERSION := $(shell dpkg-parsechangelog | perl -ne 'print $$1 if m/Version:\s*([\d\.]+)/') DEBIAN_VERSION := $(shell dpkg-parsechangelog | perl -ne 'print $$1 if m/Version:\s*(.+)/') +BUILD_DATETIME := $(shell date -u --date="`dpkg-parsechangelog -S Date`" +%FT%T) MODULE_DIR := /usr/lib/apache2/modules/ API = $(shell perl -ne 'print $$1 if m/define\s+MODULE_MAGIC_NUMBER_MAJOR\s+?(.*)$$/' < include/ap_mmn.h) AP2_CFLAGS = -pipe $(CFLAGS) AP2_LDFLAGS = -Wl,--as-needed $(LDFLAGS) -AP2_CPPFLAGS = -DPLATFORM='\"$(LSB_RELEASE)\"' $(CPPFLAGS) +AP2_CPPFLAGS = -DPLATFORM='\"$(LSB_RELEASE)\"' -DBUILD_DATETIME='\"$(BUILD_DATETIME)\"' $(CPPFLAGS) AP2_LTFLAGS = --no-silent - +DEB_HOST_GNU_TYPE := $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE := $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) support/suexec-custom.c: support/suexec.c debian/patches/suexec-custom.patch cp support/suexec.c support/suexec-custom.c 
@@ -43,6 +45,36 @@ prebuild-checks: ls -1 $$ERRS ;\ false ;\ fi + MD5=$$(md5sum debian/index.html 2> /dev/null |cut -d' ' -f 1) ; \ + if ! grep -q $$MD5 debian/apache2.postrm ; then \ + echo "ERROR: index.html's md5 is missing in postrm!" ;\ + false ; \ + fi + +debian/fixup_conffiles.tgz: \ + debian/config-dir/sites-available/000-default.conf \ + debian/config-dir/sites-available/default-ssl.conf \ + debian/config-dir/conf-available/charset.conf \ + debian/config-dir/conf-available/localized-error-pages.conf \ + debian/config-dir/conf-available/other-vhosts-access-log.conf \ + debian/config-dir/conf-available/security.conf \ + debian/config-dir/mods-available/cern_meta.load \ + debian/config-dir/mods-available/ident.load \ + debian/config-dir/mods-available/imagemap.load + @# mtime/owner/group/mode are for reproducible build + tar \ + --mtime=2000-01-01T00:00Z \ + --owner=root:0 \ + --group=root:0 \ + --mode=0644 \ + --transform 's,.*/,,' \ + -c $^ | gzip -n > $@ + +debian/fixup_conffiles.b64: debian/fixup_conffiles.tgz + base64 < $< > $@ + +debian/apache2.preinst: debian/apache2.preinst.in debian/fixup_conffiles.b64 debian/create_preinst + debian/create_preinst clean-config-vars: # Clean up config_vars.mk @@ -58,7 +90,7 @@ prepare-scripts: debian/a2query debian/debhelper/dh_apache2 (grep -s -v apache2:API debian/apache2-bin.substvars; echo apache2:API=apache2-api-$(API)) > debian/apache2-bin.substvars.new mv debian/apache2-bin.substvars.new debian/apache2-bin.substvars -generate-maintainer-scripts: +generate-maintainer-scripts: debian/apache2.preinst set -e ; \ for type in custom pristine ; do \ for f in postinst preinst prerm links dirs lintian-overrides postrm; do \ 
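Review bot: The new guard in `prebuild-checks` runs `grep -q $$MD5 debian/apache2.postrm` with `$$MD5` unquoted, and `md5sum` errors are discarded. If `debian/index.html` is missing, the variable is empty and `grep` takes the file name as its pattern and reads standard input instead of failing the check. Testing for the empty value and matching a fixed string closes that gap: `if [ -z "$$MD5" ] || ! grep -qF "$$MD5" debian/apache2.postrm ; then \`. The recipe starts above the hunk, so the surrounding error handling is not visible here.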
@@ -68,22 +100,13 @@ generate-maintainer-scripts: fi ;\ done ;\ done - set -e ; \ - for type in worker itk prefork event ; do \ - for f in postinst preinst prerm links dirs lintian-overrides postrm; do \ - if [ -e debian/apache2-mpm.$$f.in ] ; then \ - perl -pe "s{__TYPE__}{$$type}g" < debian/apache2-mpm.$$f.in > debian/apache2-mpm-$$type.$$f ;\ - chmod `/usr/bin/stat -c '%a' "debian/apache2-mpm.$$f.in"` debian/apache2-mpm-$$type.$$f ;\ - fi ;\ - done ;\ - done - clean build build-arch build-indep binary binary-arch binary-indep: %: - dh $@ --parallel --with autotools_dev + dh $@ --parallel --with autotools_dev,systemd override_dh_auto_configure: generate-maintainer-scripts prebuild-checks support/suexec-custom.c - ./configure --enable-layout=Debian --enable-so --with-program-name=apache2 \ + ./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) \ + --enable-layout=Debian --enable-so --with-program-name=apache2 \ --enable-suexec --with-suexec-caller=www-data \ --with-suexec-bin=/usr/lib/apache2/suexec --with-suexec-docroot=/var/www \ --with-suexec-userdir=public_html --with-suexec-logfile=/var/log/apache2/suexec.log \ 
@@ -92,14 +115,29 @@ override_dh_auto_configure: generate-maintainer-scripts prebuild-checks support/ --with-pcre=yes \ $(enable-pie) \ --enable-mpms-shared=all \ - --enable-mods-shared="all cgi" \ + --enable-mods-shared="all cgi ident authnz_fcgi imagemap cern_meta proxy_fdpass proxy_http2" \ --enable-mods-static="unixd logio watchdog version" \ CFLAGS="$(AP2_CFLAGS)" CPPFLAGS="$(AP2_CPPFLAGS)" LDFLAGS="$(AP2_LDFLAGS)" \ - LTFLAGS="$(AP2_LTFLAGS)" - + LTFLAGS="$(AP2_LTFLAGS)" SHELL=/bin/bash + + +debian/config-dir/apache2.conf: debian/config-dir/apache2.conf.in + @# Sanity check that the marker is actually there + grep -q ___MUTEX___ $< +ifeq "$(DEB_BUILD_ARCH_OS)" "linux" + @# On linux, we use the default pthread mutex. Comment out + @# Mutex directive. + perl -p -e 's,___MUTEX___,#,' < $< > $@ +else + @# On kfreebsd/hurd, pthread mutexes are not robust. There, we need to + @# use fcntl and set the directory explicitly for multi-instance setups. + perl -p -i -e 's,___MUTEX___,,' < $< > $@ +endif -override_dh_install: clean-config-vars prepare-scripts - dh_install --list-missing +override_dh_install: clean-config-vars prepare-scripts debian/config-dir/apache2.conf + # don't install mod_ssl_openssl.h in apache2-dev + dh_install --list-missing -papache2-dev -Xopenssl + dh_install --list-missing --remaining-packages override_dh_fixperms-arch: # standard suexec 
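Review bot: The rule for `debian/config-dir/apache2.conf` picks the Mutex setting with `ifeq "$(DEB_BUILD_ARCH_OS)" "linux"`, that is, by the machine the package is built on. The same commit starts passing `--host`/`--build` to configure for cross builds, and the mutex choice describes the system the package will run on, so `ifeq "$(DEB_HOST_ARCH_OS)" "linux"` looks like the intended test. The variable is also not among the `dpkg-architecture` queries this commit adds near the top of the file, so unless it is set outside the visible hunks the comparison is false and the non-Linux branch runs everywhere. In that branch, `perl -p -i -e 's,___MUTEX___,,' < $< > $@` combines `-i` with stdin redirection; dropping `-i` would match the Linux branch.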
@@ -117,7 +155,17 @@ override_dh_fixperms-indep: dh_fixperms -i override_dh_installinit: - dh_installinit --restart-after-upgrade --error-handler=true -- defaults 91 09 + dh_installinit --error-handler=true + # We enable apache-htcacheclean but we don't start it, some + # custom postinst code will then manually either disable it or + # start the service + dh_installinit --name apache-htcacheclean --no-start + +override_dh_systemd_enable: + dh_systemd_enable -papache2 apache2.service + dh_systemd_enable -papache2 --name=apache2@ apache2@.service + dh_systemd_enable -papache2 --name=apache-htcacheclean apache-htcacheclean.service + dh_systemd_enable -papache2 --name=apache-htcacheclean@ apache-htcacheclean@.service override_dh_installdocs-indep: # TODO: So, did anyone check convert_docs needs an update? ;) 
@@ -125,23 +173,14 @@ override_dh_installdocs-indep: dh_installdocs -i override_dh_installdocs-arch: - dh_installdocs --link-doc=apache2 -papache2 -papache2-dbg \ - -papache2-mpm-worker -papache2-mpm-prefork -papache2-mpm-event \ - -papache2-mpm-itk - dh_installdocs --link-doc=apache2-bin -papache2.2-bin -plibapache2-mod-proxy-html \ - -plibapache2-mod-macro - dh_installdocs --link-doc=apache2-suexec-pristine -papache2-suexec + dh_installdocs --link-doc=apache2 -papache2 -papache2-dbg + dh_installdocs --link-doc=apache2-dev -papache2-ssl-dev dh_installdocs -a override_dh_installchangelogs: - # Do not install changelogs for transitional packages and the -data - # package not to trash the disk at the installation site. Together with - # dh_installdocs this means that changelogs are installed in a few - # packages only. - dh_installchangelogs -Napache2-suexec -Napache2-mpm-worker \ - -Napache2-mpm-prefork -Napache2-mpm-event -Napache2-mpm-itk \ - -Napache2-data -Nlibapache2-mod-proxy-html -Napache2.2-bin \ - -Nlibapache2-mod-macro + # Do not install changelogs the -data package not to reduce + # disk space usage. + dh_installchangelogs -Napache2-data override_dh_installman: mv debian/tmp/usr/share/man/man8/suexec.8 debian/tmp/usr/share/man/man8/suexec-pristine.8 @@ -158,13 +197,5 @@ override_dh_auto_install: override_dh_builddeb: dh_builddeb -- -Zxz -override_dh_auto_clean: - dh_auto_clean - -override_dh_gencontrol: - dh_gencontrol -p libapache2-mod-proxy-html -- -v1:$(DEBIAN_VERSION) - dh_gencontrol -p libapache2-mod-macro -- -v1:$(DEBIAN_VERSION) - dh_gencontrol --remaining-packages - .PHONY: generate-maintainer-scripts clean-config-vars prepare-scripts prebuild-checks .PHONY: clean build build-arch build-indep binary binary-arch binary-indep diff --git a/debian/secondary-init-script b/debian/secondary-init-script index 7b0c5c4d..8cdfa306 100644 --- a/debian/secondary-init-script +++ b/debian/secondary-init-script 
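Review bot: The rewritten comment above `dh_installchangelogs -Napache2-data` reads "Do not install changelogs the -data package not to reduce disk space usage", which says the opposite of what the command does. Suggested wording: `# Do not install changelogs in the -data package, to reduce disk space usage.`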
@@ -9,8 +9,6 @@ # Short-Description: Start/stop apache2 web server (config /etc/apache2-XXX) ### END INIT INFO -set -e - # # this init script can be installed as /etc/init.d/apache2-XXX # diff --git a/debian/setup-instance b/debian/setup-instance index adf7d3b9..e404decc 100644 --- a/debian/setup-instance +++ b/debian/setup-instance @@ -18,14 +18,22 @@ fi echo Setting up /etc/apache2-$SUFFIX ... cp -a /etc/apache2 /etc/apache2-$SUFFIX -echo Setting up /etc/init.d/apache2-$SUFFIX ... -cp /usr/share/doc/apache2/examples/secondary-init-script /etc/init.d/apache2-$SUFFIX -# adjust service name (this prevents us from using a simple symlink) -perl -p -i -e s,XXX,$SUFFIX, /etc/init.d/apache2-$SUFFIX -chmod 755 /etc/init.d/apache2-$SUFFIX +if [ -d /run/systemd ] && [ -x /bin/systemctl ]; then + echo "systemd is in use, no init script installed" + echo "use the 'apache2@$SUFFIX.service' service to control your new instance" + echo "sample commands:" + echo "systemctl start apache2@$SUFFIX.service" + echo "systemctl enable apache2@$SUFFIX.service" +else + echo "Setting up /etc/init.d/apache2-$SUFFIX ..." + cp /usr/share/doc/apache2/examples/secondary-init-script /etc/init.d/apache2-$SUFFIX + # adjust service name (this prevents us from using a simple symlink) + perl -p -i -e s,XXX,$SUFFIX, /etc/init.d/apache2-$SUFFIX + chmod 755 /etc/init.d/apache2-$SUFFIX +fi echo -n Setting up symlinks: -for a in a2enmod a2dismod a2ensite a2dissite apache2ctl ; do +for a in a2enmod a2dismod a2ensite a2dissite a2enconf a2disconf apache2ctl ; do echo -n " $a-$SUFFIX" ln -s /usr/sbin/$a /usr/local/sbin/$a-$SUFFIX done @@ -37,3 +45,6 @@ perl -p -i -e s,apache2,apache2-$SUFFIX,g /etc/logrotate.d/apache2-$SUFFIX mkdir /var/log/apache2-$SUFFIX chmod 750 /var/log/apache2-$SUFFIX chown root:adm /var/log/apache2-$SUFFIX + +echo "Setting up /etc/default/apache-htcacheclean-$SUFFIX" +cp -a /etc/default/apache-htcacheclean /etc/default/apache-htcacheclean-$SUFFIX 
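Review bot: In the new `else` branch of setup-instance, `$SUFFIX` is expanded unquoted into both the target path and the Perl expression, `perl -p -i -e s,XXX,$SUFFIX, /etc/init.d/apache2-$SUFFIX`, and the added `cp -a ... /etc/default/apache-htcacheclean-$SUFFIX` does the same. The script writes under /etc, so a value containing whitespace, `,` or `/` changes what Perl evaluates or where the files land. Any validation of the argument sits above the hunk and is not visible here; if there is none, reject anything outside `[A-Za-z0-9_-]` before the first use. Independently of that, the value can be passed as data rather than code: `SUFFIX="$SUFFIX" perl -p -i -e 's,XXX,$ENV{SUFFIX},' "/etc/init.d/apache2-$SUFFIX"`.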
diff --git a/debian/source/include-binaries b/debian/source/include-binaries index aa809ac7..5e7771e8 100644 --- a/debian/source/include-binaries +++ b/debian/source/include-binaries @@ -16,4 +16,4 @@ debian/icons/odf6odp-20x22.png debian/icons/odf6otp-20x22.png debian/icons/odf6oth-20x22.png debian/icons/openlogo-75.png -debian/upstream-signing-key.pgp +debian/upstream/signing-key.pgp diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides new file mode 100644 index 00000000..6b5d470e --- /dev/null +++ b/debian/source/lintian-overrides @@ -0,0 +1,2 @@ +# Even though one line is very long, it's still hand-editable source code +source-is-missing docs/manual/style/scripts/prettify.js .* diff --git a/debian/suexec-config-dir/www-data b/debian/suexec-config-dir/www-data index 6fbaccd2..85537880 100644 --- a/debian/suexec-config-dir/www-data +++ b/debian/suexec-config-dir/www-data @@ -2,6 +2,6 @@ public_html/cgi-bin # The first two lines contain the suexec document root and the suexec userdir # suffix. If one of them is disabled by prepending a # character, suexec will -# refuse the corresponding type of request. +# refuse the corresponding type of request. # This config file is only used by the apache2-suexec-custom package. See the # suexec man page included in the package for more details. diff --git a/debian/tests/chroot b/debian/tests/chroot new file mode 100644 index 00000000..d722a29b --- /dev/null +++ b/debian/tests/chroot 
@@ -0,0 +1,39 @@
+#!/bin/sh
+set -ex
+
+# Check that ChrootDir works correctly. Written in response to LP: #1251939.
+#
+# Author: Robie Basak <robie.basak@ubuntu.com>
+#
+# This test requires:
+# * wget
+# * The dpkg-dev package for the dpkg-architecture command
+#
+# This is a "breaks-testbed" dep8 test.
+#
+# This test sets up a minimal environment to exercise ChrootDir. Do not use
+# it as an example of how to set up Apache in a secure chroot environment.
+
+sed -i 's_DocumentRoot.*$_DocumentRoot /_' /etc/apache2/sites-available/000-default.conf
+
+LIBGCC_S_PATH=/lib/$(dpkg-architecture -qDEB_HOST_MULTIARCH)/libgcc_s.so.1
+cat > /etc/apache2/conf-available/chroot.conf <<EOT
+LoadFile $LIBGCC_S_PATH
+ChrootDir /var/www
+<Directory />
+ Options Indexes FollowSymLinks
+ AllowOverride None
+ Require all granted
+</Directory>
+EOT
+a2enconf chroot
+
+echo "Hello, world!" > /var/www/hello.txt
+
+service apache2 restart
+
+result=`wget -qO- http://localhost/hello.txt`
+if [ "$result" != "Hello, world!" ]; then
+ echo "Unexpected result from wget" >&2
+ exit 1
+fi
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 00000000..99c5db90
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,16 @@
+Tests: duplicate-module-load
+Restrictions: allow-stderr, needs-root
+Depends: apache2
+
+Tests: htcacheclean
+Restrictions: allow-stderr, needs-root
+Depends: apache2
+
+Tests: ssl-passphrase
+Restrictions: needs-root allow-stderr breaks-testbed
+Depends: apache2, curl, expect, ssl-cert
+
+Tests: chroot
+Features: no-build-needed
+Restrictions: needs-root allow-stderr breaks-testbed
+Depends: apache2, wget, dpkg-dev
diff --git a/debian/tests/duplicate-module-load b/debian/tests/duplicate-module-load
new file mode 100644
index 00000000..3d284716
--- /dev/null
+++ b/debian/tests/duplicate-module-load
@@ -0,0 +1,26 @@
+#!/bin/sh
+set -exu
+
+# Check to make sure that module loads haven't been duplicated.
+# Since this is potential minefield that could cause chaos, and a fix is
+# currently in the Ubuntu delta, check specifically for it.
+
+# Why is this so bad? See:
+# https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1251939
+# https://issues.apache.org/bugzilla/show_bug.cgi?id=55787
+
+cd $ADTTMP
+
+apache2ctl -l -M > unsorted
+sort unsorted > sorted
+if ! grep core.c sorted ; then
+ echo "core.c not found in apach2ctl output. apache2ctl broken?"
+ exit 1
+fi
+
+uniq < sorted > dedup
+
+if ! diff -u sorted dedup ; then
+ echo Duplicate module loads found
+ exit 1
+fi
diff --git a/debian/tests/htcacheclean b/debian/tests/htcacheclean
new file mode 100644
index 00000000..99f51215
--- /dev/null
+++ b/debian/tests/htcacheclean
@@ -0,0 +1,64 @@
+#!/bin/sh
+set -exu
+
+fatal () {
+ echo "ERROR: $@" >&2
+ exit 1
+}
+
+htc_enabled () {
+ if ls /etc/rc[2345].d/S*apache-htcacheclean > /dev/null 2>&1 ; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+if htc_enabled ; then
+ fatal "apache-htcacheclean should not be enabled"
+fi
+
+a2enmod cache_disk
+
+if ! htc_enabled ; then
+ fatal "apache-htcacheclean should be enabled"
+fi
+
+service apache-htcacheclean start
+
+# for debugging
+ps -ef|grep /usr/bin/htcacheclean || true
+
+PGREP="pgrep -P 1 -u www-data -G www-data htcacheclean"
+
+if ! $PGREP ; then
+ fatal "htcacheclean is not running or running as wrong user/group"
+fi
+
+if ! service apache-htcacheclean status ; then
+ fatal "status did not return 'running'"
+fi
+
+service apache-htcacheclean stop
+
+if $PGREP ; then
+ fatal "htcacheclean did not stop"
+fi
+
+if service apache-htcacheclean status ; then
+ fatal "status did not return 'stopped'"
+fi
+
+a2dismod cache_disk
+
+if htc_enabled ; then
+ fatal "apache-htcacheclean should not be enabled"
+fi
+
+a2enmod cache_socache
+
+if htc_enabled ; then
+ fatal "apache-htcacheclean has been enabled for cache_socache"
+fi
+
+exit 0
diff --git a/debian/tests/ssl-passphrase b/debian/tests/ssl-passphrase
new file mode 100644
index 00000000..a0a4fb6d
--- /dev/null
+++ b/debian/tests/ssl-passphrase
@@ -0,0 +1,54 @@ +#!/bin/sh +set -ex + +# Check that the init script correctly prompts for the passphrase on startup, +# then starts and responds correctly to https queries. +# +# Author: Robie Basak <robie.basak@ubuntu.com> + +cd /etc/ssl/private +[ -f ssl-cert-snakeoil.key.nopassphrase ] || mv ssl-cert-snakeoil.key ssl-cert-snakeoil.key.nopassphrase +openssl rsa -des3 -in ssl-cert-snakeoil.key.nopassphrase -out ssl-cert-snakeoil.key -passout pass:test +a2enmod ssl +a2ensite default-ssl + +# respond to systemd-ask-passphrase +password_responder() { + while [ ! -e /run/systemd/ask-password/sck.* ]; do sleep 1; done + echo "ssl-passphrase test password responder: found prompt, sending password" + echo test | /lib/systemd/systemd-reply-password 1 /run/systemd/ask-password/sck.* +} +password_responder & + +# run expect for running under sysvinit/upstart +expect <<EOT +spawn service apache2 restart +set timeout 600 +expect { + "assphrase:" {send "test\r"} + + # Failure cases + "failed" {exit 1} + eof {exit 0} +} + +# wait for eof and return exit code from spawned process back to the caller +expect eof +catch wait result +exit [lindex \$result 3] +EOT + +echo "Hello, world!" > /var/www/html/hello.txt + +# Use curl here. wget doesn't work on Debian, even with --no-check-certificate +# wget on Debian gives me: +# GnuTLS: A TLS warning alert has been received. +# Unable to establish SSL connection. +# Presumably this is due to the self-signed certificate, but I'm not sure how +# to skip the warning with wget. curl will do for now. +result=`curl -k https://localhost/hello.txt` + +if [ "$result" != "Hello, world!" ]; then + echo "Unexpected result from wget" >&2 + exit 1 +fi diff --git a/debian/upstream-signing-key.pgp b/debian/upstream/signing-key.pgp Binary files differindex adf18bd4..66841280 100644 --- a/debian/upstream-signing-key.pgp +++ b/debian/upstream/signing-key.pgp |
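Review bot: `password_responder` waits with `while [ ! -e /run/systemd/ask-password/sck.* ]; do sleep 1; done`, which has no upper bound, and the function is started in the background unconditionally. On a testbed where no systemd prompt ever appears (the sysvinit/upstart case the `expect` block handles), the loop keeps polling after the test body has finished. The unquoted glob inside `[` also turns into a syntax error as soon as more than one socket matches. Bounding the wait to the same 600 seconds the `expect` block uses and testing each match through a loop variable avoids both problems, as sketched below. Separately, the final error message still says `wget` although the request is made with `curl`.

```shell
password_responder() {
    tries=0
    while [ "$tries" -lt 600 ]; do
        for sock in /run/systemd/ask-password/sck.*; do
            [ -e "$sock" ] || continue
            echo "ssl-passphrase test password responder: found prompt, sending password"
            echo test | /lib/systemd/systemd-reply-password 1 "$sock"
            return 0
        done
        tries=$((tries + 1))
        sleep 1
    done
    return 0
}
# … unchanged: password_responder & and the expect block …
```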