source: trunk/server/fedora/specs/httpd.spec.patch @ 2134

Last change on this file since 2134 was 2134, checked in by achernya, 12 years ago
Patch httpd against some security vulnerabilities.
File size: 3.0 KB
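--- httpd.spec.orig     2011-09-13 09:43:36.000000000 -0400
+++ httpd.spec  2011-11-05 20:57:13.910145847 -0400
@@ -8,7 +8,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.2.21
-Release: 1%{?dist}
+Release: 1%{?dist}.scripts.%{scriptsversion}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -54,6 +54,18 @@
 Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}
 Requires: httpd-tools = %{version}-%{release}, apr-util-ldap, systemd-units
 
+Provides: scripts-httpd = %{version}-%{release}
+Patch1000: httpd-suexec-scripts.patch
+Patch1003: httpd-2.2.x-mod_status-security.patch
+Patch1004: httpd-2.2.x-304.patch
+Patch1005: httpd-2.2.x-mod_ssl-sessioncaching.patch
+Patch1006: httpd-suexec-cloexec.patch
+Patch1007: httpd-fixup-vhost.patch
+Patch1008: httpd-sysv-deps.patch
+Patch1009: httpd-2.2.x-CVE-2011-3607.patch
+Patch1010: httpd-2.2.x-CVE-2012-0053.patch
+Patch1011: httpd-2.2.x-CVE-2012-0031.patch
+
 %description
 The Apache HTTP Server is a powerful, efficient, and extensible
 web server.
@@ -64,6 +73,7 @@
 Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
 Requires: apr-devel, apr-util-devel, pkgconfig
 Requires: httpd = %{version}-%{release}
+Provides: scripts-httpd-devel = %{version}-%{release}
 
 %description devel
 The httpd-devel package contains the APXS binary and other files
@@ -102,6 +112,7 @@
 Requires(post): openssl, /bin/cat
 Requires(pre): httpd
 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
+Provides: scripts-mod_ssl
 Obsoletes: stronghold-mod_ssl
 
 %description -n mod_ssl
@@ -110,6 +121,11 @@
 Security (TLS) protocols.
 
 %prep
+
+# Horrible hack to patch the httpd.init file
+cd $RPM_SOURCE_DIR
+%patch1008 -p1 -b .sysv-deps
+
 %setup -q
 %patch1 -p1 -b .apctl
 %patch2 -p1 -b .apxs
@@ -128,6 +144,17 @@
 # Patch in vendor/release string
 sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
 
+%patch1000 -p1 -b .scripts
+%patch1003 -p1 -b .permitstatus
+%patch1004 -p1 -b .scripts-304
+%patch1005 -p1 -b .ssl-sessioncache
+%patch1006 -p1 -b .cloexec
+%patch1007 -p1 -b .fixup-vhost
+# Note that patch1008 is not here, as it patches the initscript elsewhere in this .spec
+%patch1009 -p4 -b .cve-2011-3607
+%patch1010 -p4 -b .cve-2012-0053
+%patch1011 -p4 -b .cve-2012-0031
+
 # Safety check: prevent build if defined MMN does not equal upstream MMN.
 vmmn=`echo MODULE_MAGIC_NUMBER_MAJOR | cpp -include include/ap_mmn.h | sed -n '/^2/p'`
 if test "x${vmmn}" != "x%{mmn}"; then
@@ -175,10 +198,12 @@
         --with-apr=%{_prefix} --with-apr-util=%{_prefix} \
        --enable-suexec --with-suexec \
        --with-suexec-caller=%{suexec_caller} \
-       --with-suexec-docroot=%{contentdir} \
+       --with-suexec-docroot=/ \
+       --with-suexec-userdir=web_scripts \
+       --with-suexec-trusteddir=/usr/libexec/scripts-trusted \
        --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
        --with-suexec-bin=%{_sbindir}/suexec \
-       --with-suexec-uidmin=500 --with-suexec-gidmin=100 \
+       --with-suexec-uidmin=50 --with-suexec-gidmin=50 \
         --enable-pie \
         --with-pcre \
        $*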
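Review bot: The suexec flags in the last hunk loosen two compile-time guards with no rationale recorded. `--with-suexec-docroot=/` means the docroot containment check no longer limits where a target script may live, and `--with-suexec-uidmin=50 --with-suexec-gidmin=50` lets suexec switch to UIDs 50–499 and GIDs 50–99 that the old 500/100 floor excluded. The confinement presumably now comes from httpd-suexec-scripts.patch (Patch1000) and the `--with-suexec-trusteddir` option it appears to add, but nothing visible here says so, and a later edit that drops Patch1000 would ship a suexec with the relaxed limits and no replacement check. I would add a comment above the configure invocation (which starts outside the hunk), e.g. `# suexec limits relaxed on purpose: docroot=/ and uid/gid floor 50 are only safe with Patch1000 (httpd-suexec-scripts.patch) applied`, and name the low-numbered accounts that need to own scripts.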