--- httpd.spec.~1~ 2014-07-23 06:24:15.000000000 -0400 +++ httpd.spec 2014-10-09 03:26:23.922059553 -0400 @@ -15,7 +15,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.10 -Release: 2%{?dist} +Release: 2%{?dist}.scripts.%{scriptsversion} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -65,6 +65,16 @@ Patch101: httpd-2.4.6-CVE-2014-3581.patch Patch102: httpd-2.4.10-CVE-2014-3583.patch Patch103: httpd-2.4.10-CVE-2014-8109.patch + +Patch1001: httpd-suexec-scripts.patch +Patch1002: httpd-mod_status-security.patch +Patch1003: httpd-304s.patch +Patch1004: httpd-fixup-vhost.patch +Patch1005: httpd-allow-null-user.patch +Patch1006: httpd-suexec-journald.patch +Patch1007: httpd-bug57070.patch +Patch1008: httpd-suexec-CVE-2016-5387.patch + License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -77,6 +86,7 @@ Provides: webserver Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release} Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}, httpd-mmn = %{oldmmnisa} +Provides: scripts-httpd = %{version}-%{release} Requires: httpd-tools = %{version}-%{release} Requires(pre): /usr/sbin/useradd Requires(preun): systemd-units @@ -94,6 +104,7 @@ Obsoletes: secureweb-devel, apache-devel, stronghold-apache-devel Requires: apr-devel, apr-util-devel, pkgconfig Requires: httpd = %{version}-%{release} +Provides: scripts-httpd-devel = %{version}-%{release} %description devel The httpd-devel package contains the APXS binary and other files @@ -132,6 +143,7 @@ Requires(post): openssl, /bin/cat Requires(pre): httpd Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +Provides: scripts-mod_ssl Obsoletes: stronghold-mod_ssl %description -n mod_ssl @@ -190,6 +202,15 @@ %patch55 -p1 -b .malformedhost %patch56 -p1 -b .uniqueid +%patch1001 -p1 -b .suexec-scripts +%patch1002 -p1 -b .mod_status-security +%patch1003 -p1 -b .scripts-304s +%patch1004 -p1 -b .fixup-vhost +%patch1005 -p1 -b .allow-null-user +%patch1006 -p1 -b .journald +%patch1007 -p0 -b .bug57070 +%patch1008 -p0 -b .CVE-2016-5387 + # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -242,11 +262,13 @@ --enable-suexec --with-suexec \ --enable-suexec-capabilities \ --with-suexec-caller=%{suexec_caller} \ - --with-suexec-docroot=%{docroot} \ - --without-suexec-logfile \ - --with-suexec-syslog \ + --with-suexec-docroot=/ \ + --with-suexec-userdir=web_scripts \ + --with-suexec-trusteddir=/usr/libexec/scripts-trusted \ + --with-suexec-logfile=%{_localstatedir}/log/httpd/suexec.log \ + --without-suexec-syslog \ --with-suexec-bin=%{_sbindir}/suexec \ - --with-suexec-uidmin=500 --with-suexec-gidmin=100 \ + --with-suexec-uidmin=50 --with-suexec-gidmin=50 \ --enable-pie \ --with-pcre \ --enable-mods-shared=all \ @@ -542,7 +564,8 @@ %{_sbindir}/fcgistarter %{_sbindir}/apachectl %{_sbindir}/rotatelogs -%caps(cap_setuid,cap_setgid+pe) %attr(510,root,%{suexec_caller}) %{_sbindir}/suexec +# cap_dac_override needed to write to /var/log/httpd +%caps(cap_setuid,cap_setgid,cap_dac_override+pe) %attr(555,root,%{suexec_caller}) %{_sbindir}/suexec %dir %{_libdir}/httpd %dir %{_libdir}/httpd/modules