source: trunk/server/fedora/specs/httpd.spec.patch

Last change on this file was 2774, checked in by andersk, 6 years ago
Apply the 2015 suexec patch for CVE-2016-5387 “httpoxy”. Also remove our inexplicable whitelist entry for HTTPS_* environment variables.
File size: 3.3 KB
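--- a/httpd.spec
+++ b/httpd.spec
@@ -15,7 +15,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.10
-Release: 2%{?dist}
+Release: 2%{?dist}.scripts.%{scriptsversion}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -65,6 +65,16 @@
 Patch101: httpd-2.4.6-CVE-2014-3581.patch
 Patch102: httpd-2.4.10-CVE-2014-3583.patch
 Patch103: httpd-2.4.10-CVE-2014-8109.patch
+
+Patch1001: httpd-suexec-scripts.patch
+Patch1002: httpd-mod_status-security.patch
+Patch1003: httpd-304s.patch
+Patch1004: httpd-fixup-vhost.patch
+Patch1005: httpd-allow-null-user.patch
+Patch1006: httpd-suexec-journald.patch
+Patch1007: httpd-bug57070.patch
+Patch1008: httpd-suexec-CVE-2016-5387.patch
+
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -77,6 +86,7 @@
 Provides: webserver
 Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
 Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}, httpd-mmn = %{oldmmnisa}
+Provides: scripts-httpd = %{version}-%{release}
 Requires: httpd-tools = %{version}-%{release}
 Requires(pre): /usr/sbin/useradd
 Requires(preun): systemd-units
@@ -94,6 +104,7 @@
 Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
 Requires: apr-devel, apr-util-devel, pkgconfig
 Requires: httpd = %{version}-%{release}
+Provides: scripts-httpd-devel = %{version}-%{release}
 
 %description devel
 The httpd-devel package contains the APXS binary and other files
@@ -132,6 +143,7 @@
 Requires(post): openssl, /bin/cat
 Requires(pre): httpd
 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
+Provides: scripts-mod_ssl
 Obsoletes: stronghold-mod_ssl
 
 %description -n mod_ssl
@@ -190,6 +202,15 @@
 %patch55 -p1 -b .malformedhost
 %patch56 -p1 -b .uniqueid
 
+%patch1001 -p1 -b .suexec-scripts
+%patch1002 -p1 -b .mod_status-security
+%patch1003 -p1 -b .scripts-304s
+%patch1004 -p1 -b .fixup-vhost
+%patch1005 -p1 -b .allow-null-user
+%patch1006 -p1 -b .journald
+%patch1007 -p0 -b .bug57070
+%patch1008 -p0 -b .CVE-2016-5387
+
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
 
@@ -242,11 +262,13 @@
         --enable-suexec --with-suexec \
         --enable-suexec-capabilities \
         --with-suexec-caller=%{suexec_caller} \
-        --with-suexec-docroot=%{docroot} \
-        --without-suexec-logfile \
-        --with-suexec-syslog \
+        --with-suexec-docroot=/ \
+        --with-suexec-userdir=web_scripts \
+        --with-suexec-trusteddir=/usr/libexec/scripts-trusted \
+        --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
+        --without-suexec-syslog \
         --with-suexec-bin=%{_sbindir}/suexec \
-        --with-suexec-uidmin=500 --with-suexec-gidmin=100 \
+        --with-suexec-uidmin=50 --with-suexec-gidmin=50 \
         --enable-pie \
         --with-pcre \
         --enable-mods-shared=all \
@@ -542,7 +564,8 @@
 %{_sbindir}/fcgistarter
 %{_sbindir}/apachectl
 %{_sbindir}/rotatelogs
-%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
+# cap_dac_override needed to write to /var/log/httpd
+%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(555,root,%{suexec_caller}) %{_sbindir}/suexec
 
 %dir %{_libdir}/httpd
 %dir %{_libdir}/httpd/modules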
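Review bot: The `%files` entry for `%{_sbindir}/suexec` in the last hunk widens the mode from 510 to 555 and adds `cap_dac_override` to the file capabilities in the same line, so every local account can now start a binary that holds setuid, setgid and DAC-override capabilities, leaving suexec's own caller check (presumably still enforced after the local patches) as the only gate. `cap_dac_override` bypasses all file permission checks, which is much broader than the stated need of writing to /var/log/httpd; a log file writable by a dedicated group, or the syslog route this build turns off with `--without-suexec-syslog`, would meet that need without it. Unless something outside the `%{suexec_caller}` group has to execute the helper, I would keep `%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec`. The configure hunk relaxes the same binary further with `--with-suexec-docroot=/` and `--with-suexec-uidmin=50 --with-suexec-gidmin=50`, so a spec comment along the lines of `# uidmin/gidmin 50 and docroot=/ required because <reason>; compensating checks live in httpd-suexec-scripts.patch` should record why each relaxation is safe.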