source: trunk/server/fedora/specs/httpd.spec.patch @ 2791

--- httpd.spec.~1~      2014-07-23 06:24:15.000000000 -0400
+++ httpd.spec  2014-10-09 03:26:23.922059553 -0400
@@ -15,7 +15,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.10
-Release: 2%{?dist}
+Release: 2%{?dist}.scripts.%{scriptsversion}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -65,6 +65,16 @@
 Patch101: httpd-2.4.6-CVE-2014-3581.patch
 Patch102: httpd-2.4.10-CVE-2014-3583.patch
 Patch103: httpd-2.4.10-CVE-2014-8109.patch
+
+Patch1001: httpd-suexec-scripts.patch
+Patch1002: httpd-mod_status-security.patch
+Patch1003: httpd-304s.patch
+Patch1004: httpd-fixup-vhost.patch
+Patch1005: httpd-allow-null-user.patch
+Patch1006: httpd-suexec-journald.patch
+Patch1007: httpd-bug57070.patch
+Patch1008: httpd-suexec-CVE-2016-5387.patch
+
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -77,6 +86,7 @@
 Provides: webserver
 Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
 Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}, httpd-mmn = %{oldmmnisa}
+Provides: scripts-httpd = %{version}-%{release}
 Requires: httpd-tools = %{version}-%{release}
 Requires(pre): /usr/sbin/useradd
 Requires(preun): systemd-units
@@ -94,6 +104,7 @@
 Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel
 Requires: apr-devel, apr-util-devel, pkgconfig
 Requires: httpd = %{version}-%{release}
+Provides: scripts-httpd-devel = %{version}-%{release}
 
 %description devel
 The httpd-devel package contains the APXS binary and other files
@@ -132,6 +143,7 @@
 Requires(post): openssl, /bin/cat
 Requires(pre): httpd
 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
+Provides: scripts-mod_ssl
 Obsoletes: stronghold-mod_ssl
 
 %description -n mod_ssl
@@ -190,6 +202,15 @@
 %patch55 -p1 -b .malformedhost
 %patch56 -p1 -b .uniqueid
 
+%patch1001 -p1 -b .suexec-scripts
+%patch1002 -p1 -b .mod_status-security
+%patch1003 -p1 -b .scripts-304s
+%patch1004 -p1 -b .fixup-vhost
+%patch1005 -p1 -b .allow-null-user
+%patch1006 -p1 -b .journald
+%patch1007 -p0 -b .bug57070
+%patch1008 -p0 -b .CVE-2016-5387
+
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
 
@@ -242,11 +262,13 @@
        --enable-suexec --with-suexec \
         --enable-suexec-capabilities \
        --with-suexec-caller=%{suexec_caller} \
-       --with-suexec-docroot=%{docroot} \
-       --without-suexec-logfile \
-        --with-suexec-syslog \
+       --with-suexec-docroot=/ \
+       --with-suexec-userdir=web_scripts \
+       --with-suexec-trusteddir=/usr/libexec/scripts-trusted \
+       --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \
+        --without-suexec-syslog \
        --with-suexec-bin=%{_sbindir}/suexec \
-       --with-suexec-uidmin=500 --with-suexec-gidmin=100 \
+       --with-suexec-uidmin=50 --with-suexec-gidmin=50 \
         --enable-pie \
         --with-pcre \
         --enable-mods-shared=all \
@@ -542,7 +564,8 @@
 %{_sbindir}/fcgistarter
 %{_sbindir}/apachectl
 %{_sbindir}/rotatelogs
-%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec
+# cap_dac_override needed to write to /var/log/httpd
+%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(555,root,%{suexec_caller}) %{_sbindir}/suexec
 
 %dir %{_libdir}/httpd
 %dir %{_libdir}/httpd/modules