Diffstat (limited to 'patches/source/httpd')
-rw-r--r--patches/source/httpd/README34
-rw-r--r--patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch21
-rw-r--r--patches/source/httpd/config.layout.diff30
-rw-r--r--patches/source/httpd/doinst.sh71
-rwxr-xr-xpatches/source/httpd/httpd.SlackBuild227
-rw-r--r--patches/source/httpd/httpd.brigade_move.__noinline__.gcc451.diff10
-rw-r--r--patches/source/httpd/httpd.nossldefault.diff11
-rw-r--r--patches/source/httpd/httpd.runasapache.diff13
-rw-r--r--patches/source/httpd/httpd.url2
-rw-r--r--patches/source/httpd/logrotate.httpd12
-rw-r--r--patches/source/httpd/rc.httpd35
-rw-r--r--patches/source/httpd/slack-desc19
12 files changed, 485 insertions, 0 deletions
diff --git a/patches/source/httpd/README b/patches/source/httpd/README
new file mode 100644
index 00000000..796bb29a
--- /dev/null
+++ b/patches/source/httpd/README
@@ -0,0 +1,34 @@
+WARNING
+
+This script builds a package that conflicts with apache1. Before
+attempting to install this package, you should uninstall any of
+these packages that you find on your system:
+
+apache
+mod_ssl
+php
+
+Really though, the only points of overlap are in /usr/sbin, so if you
+leave your old packages in place apache2 will still work, but the
+apache1 httpd will have been overwritten (along with other files)
+
+Apache is the most popular web server in the known universe; over half
+the servers on the Internet are running Apache or one of its variants.
+
+By default, we build apache2 with the traditional "apache prefork" multi
+processing module (MPM). This is somewhat safer for the use of mod_php,
+but can still carry some security risks (all your php scripts run as the
+user configured to run apache2).
+
+For enhanced multi-threaded performance, use "apache worker", but using
+mod_php with "worker" is considered dangerous. PHP Core is multi-thread
+safe, but many PHP extensions are *NOT*. To build apache2 with the
+worker MPM, change the option to: --with-mpm=worker
+
+Please note that this script does not build apache2 with SuEXEC support.
+The Apache group feels SuEXEC should not be part of a default install.
+If you need this functionality, please read the following documentation
+and make the necessary changes to the ./configure options in the script.
+
+ http://httpd.apache.org/docs/2.0/suexec.html
+
diff --git a/patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch b/patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch
new file mode 100644
index 00000000..4c3ebaab
--- /dev/null
+++ b/patches/source/httpd/apache-2.2.CVE-2017-9798.optionsbleed.patch
@@ -0,0 +1,21 @@
+CVE-2017-9798
+
+Backport from https://svn.apache.org/viewvc?view=revision&revision=1807655
+
+diff --git a/server/core.c b/server/core.c
+index f61699e..d24542e 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -1809,6 +1809,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(cmd_parms *cmd,
+ /* method has not been registered yet, but resorce restriction
+ * is always checked before method handling, so register it.
+ */
++ if (cmd->pool == cmd->temp_pool) {
++ /* In .htaccess, we can't globally register new methods. */
++ return apr_psprintf(cmd->pool, "Could not register method '%s' "
++ "for %s from .htaccess configuration",
++ method, cmd->cmd->name);
++ }
+ methnum = ap_method_register(cmd->pool, method);
+ }
+
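Review bot: The added guard in ap_limit_section turns a `<Limit>` that names an unregistered method inside .htaccess into a returned configuration error, and nothing in this package tells administrators about that behaviour change. Existing .htaccess files that list a custom or misspelled method will presumably start failing for their directory after the upgrade instead of being accepted. I would add a line to the patch header or the README, e.g. `After this fix, <Limit> in .htaccess accepts only methods that are already registered.` The function body continues outside the embedded hunk.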
diff --git a/patches/source/httpd/config.layout.diff b/patches/source/httpd/config.layout.diff
new file mode 100644
index 00000000..c302515f
--- /dev/null
+++ b/patches/source/httpd/config.layout.diff
@@ -0,0 +1,30 @@
+--- ./config.layout.orig 2004-11-21 12:50:36.000000000 -0600
++++ ./config.layout 2007-05-23 13:35:20.000000000 -0500
+@@ -322,3 +322,27 @@
+ installbuilddir: ${prefix}/etc/apache2/build
+ errordir: ${datadir}/error
+ </Layout>
++
++# FHS layout
++<Layout Slackware-FHS>
++ prefix: /usr
++ exec_prefix: ${prefix}
++ bindir: ${prefix}/bin
++ sbindir: ${prefix}/sbin
++ libdir: ${prefix}/lib/httpd
++ libexecdir: ${prefix}/lib/httpd/modules
++ installbuilddir: ${prefix}/lib/httpd/build
++ mandir: ${prefix}/man
++ sysconfdir: /etc/httpd
++ datadir: /srv/httpd
++ iconsdir: ${datadir}/icons
++ htdocsdir: ${datadir}/htdocs
++ manualdir: ${htdocsdir}/manual
++ cgidir: ${datadir}/cgi-bin
++ errordir: ${datadir}/error
++ includedir: ${prefix}/include/httpd
++ localstatedir: /var
++ runtimedir: ${localstatedir}/run/httpd
++ logfiledir: ${localstatedir}/log/httpd
++ proxycachedir: ${localstatedir}/cache/httpd
++</Layout>
diff --git a/patches/source/httpd/doinst.sh b/patches/source/httpd/doinst.sh
new file mode 100644
index 00000000..e233c362
--- /dev/null
+++ b/patches/source/httpd/doinst.sh
@@ -0,0 +1,71 @@
+#!/bin/sh
+
+config() {
+ NEW="$1"
+ OLD="`dirname $NEW`/`basename $NEW .new`"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "`cat $OLD | md5sum`" = "`cat $NEW | md5sum`" ]; then # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+preserve_perms() {
+ NEW="$1"
+ OLD="$(dirname ${NEW})/$(basename ${NEW} .new)"
+ if [ -e ${OLD} ]; then
+ cp -a ${OLD} ${NEW}.incoming
+ cat ${NEW} > ${NEW}.incoming
+ mv ${NEW}.incoming ${NEW}
+ fi
+ # Don't use config() -- we always want to install this, changed or unchanged.
+ #config ${NEW}
+}
+
+if [ ! -e var/log/httpd ]; then
+ mkdir -p var/log/httpd
+ chmod 755 var/log/httpd
+fi
+
+# Don't wipe out an existing document root with symlinks. If someone has
+# replaced the symlinks that are created on a fresh installation, assume
+# that they know what they are doing and leave things as-is.
+if [ ! -e srv/www ]; then
+ ( cd srv ; ln -sf /var/www www )
+fi
+if [ ! -e srv/httpd ]; then
+ ( cd srv ; ln -sf /var/www httpd )
+fi
+
+# Once again, our intent is not to wipe out anyone's
+# site, but building in Apache's docs tree is not as
+# good an idea as picking a unique DocumentRoot.
+#
+# Still, we will do what we can here to mitigate
+# possible site damage:
+if [ -r var/www/htdocs/index.html ]; then
+ if [ ! -r "var/log/packages/httpd-*upgraded*" ]; then
+ if [ var/www/htdocs/index.html -nt var/log/packages/httpd-*-? ]; then
+ cp -a var/www/htdocs/index.html var/www/htdocs/index.html.bak.$$
+ fi
+ fi
+fi
+
+# Keep same perms when installing rc.httpd.new:
+preserve_perms etc/rc.d/rc.httpd.new
+# Always install the new rc.httpd:
+mv etc/rc.d/rc.httpd.new etc/rc.d/rc.httpd
+
+# Handle config files. Unless this is a fresh installation, the
+# admin will have to move the .new files into place to complete
+# the package installation, as we don't want to clobber files that
+# may contain local customizations.
+config etc/httpd/httpd.conf.new
+config etc/logrotate.d/httpd.new
+for conf_file in etc/httpd/extra/*.new; do
+ config $conf_file
+done
+config var/www/htdocs/index.html.new
+
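Review bot: The upgrade check `[ ! -r "var/log/packages/httpd-*upgraded*" ]` quotes the glob, so the shell tests for a file literally named with asterisks and the condition is always true. The following `-nt` test against `var/log/packages/httpd-*-?` is fragile as well: if the pattern matches more than one file, `[` receives too many arguments and fails, and the index.html backup is skipped. Something like `if ! ls var/log/packages/httpd-*upgraded* >/dev/null 2>&1; then` expresses the first check, and the second should compare against a single resolved file name. Separately, `config()` expands `$NEW` and `$OLD` unquoted; quoting them is worthwhile in a script that presumably runs as root at install time.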
diff --git a/patches/source/httpd/httpd.SlackBuild b/patches/source/httpd/httpd.SlackBuild
new file mode 100755
index 00000000..3480fcd8
--- /dev/null
+++ b/patches/source/httpd/httpd.SlackBuild
@@ -0,0 +1,227 @@
+#!/bin/sh
+
+# Copyright 2006, 2007, 2008, 2009, 2010, 2011, 2017 Patrick J. Volkerding, Sebeka, MN, USA
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# This script was written using the one from slackbuilds.org as a reference,
+# so thanks to Adis Nezirovic ( adis _at_ linux.org.ba ) for the original work.
+
+
+PKGNAM=httpd
+VERSION=${VERSION:-$(echo $PKGNAM-*.tar.bz2 | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
+BUILD=${BUILD:-2_slack13.1}
+
+# Automatically determine the architecture we're building on:
+if [ -z "$ARCH" ]; then
+ case "$( uname -m )" in
+ i?86) export ARCH=i486 ;;
+ arm*) export ARCH=arm ;;
+ # Unless $ARCH is already set, use uname -m for all other archs:
+ *) export ARCH=$( uname -m ) ;;
+ esac
+fi
+
+NUMJOBS=${NUMJOBS:-" -j7 "}
+
+CWD=$(pwd)
+TMP=${TMP:-/tmp}
+PKG=$TMP/package-${PKGNAM}
+rm -rf $PKG
+mkdir -p $TMP $PKG
+
+if [ "$ARCH" = "i486" ]; then
+ SLKCFLAGS="-O2 -march=i486 -mtune=i686"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "s390" ]; then
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+elif [ "$ARCH" = "x86_64" ]; then
+ SLKCFLAGS="-O2 -fPIC"
+ LIBDIRSUFFIX="64"
+else
+ SLKCFLAGS="-O2"
+ LIBDIRSUFFIX=""
+fi
+
+cd $TMP
+rm -rf ${PKGNAM}-${VERSION}
+tar xvf $CWD/${PKGNAM}-$VERSION.tar.bz2 || exit 1
+cd ${PKGNAM}-$VERSION
+
+# Patch CVE-2017-9798 ("optionsbleed"):
+zcat $CWD/apache-2.2.CVE-2017-9798.optionsbleed.patch.gz | patch -p1 --verbose || exit 1
+
+# Make sure ownerships and permissions are sane:
+chown -R root:root .
+find . \
+ \( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
+ -exec chmod 755 {} \; -o \
+ \( -perm 666 -o -perm 664 -o -perm 600 -o -perm 444 -o -perm 440 -o -perm 400 \) \
+ -exec chmod 644 {} \;
+
+# "prefork" is the default, safe, mpm type. If you *are not* using PHP, and you
+# like to live on the bleeding edge, you may wish to change the --with-mpm option
+# to "worker", which is the new way of doing things, but is multithreaded and
+# many scripts (especially PHP ones) are not multithread safe.
+#
+# I'd leave this option the way is it on any production box that's keeping up
+# with HTTP requests. No reason to chance it, IMHO.
+
+zcat $CWD/config.layout.diff.gz | sed -e "s#lib/httpd#lib${LIBDIRSUFFIX}/httpd#" | patch --verbose -p1 || exit 1
+
+# Patch to fix aliasing issue exposed by gcc-4.5.1:
+zcat $CWD/httpd.brigade_move.__noinline__.gcc451.diff.gz | patch --verbose -p1 || exit 1
+
+# Configure:
+CFLAGS="$SLKCFLAGS" \
+CXXFLAGS="$SLKCFLAGS" \
+./configure \
+ --enable-layout=Slackware-FHS \
+ --with-mpm=prefork \
+ --with-apr=/usr \
+ --with-apr-util=/usr \
+ --enable-mods-shared=all \
+ --enable-so \
+ --enable-pie \
+ --enable-cgi \
+ --with-pcre \
+ --enable-ssl \
+ --enable-rewrite \
+ --enable-vhost-alias \
+ --enable-proxy \
+ --enable-proxy-http \
+ --enable-proxy-ftp \
+ --enable-proxy-balancer \
+ --enable-cache \
+ --enable-mem-cache \
+ --enable-file-cache \
+ --enable-disk-cache \
+ --disable-speling \
+ --enable-dav \
+ --enable-ldap \
+ --enable-authnz-ldap \
+ --enable-authn-anon \
+ --enable-authn-alias \
+ --build=$ARCH-slackware-linux || exit 1
+
+# Build and install:
+make $NUMJOBS || make || exit 1
+make install DESTDIR=$PKG || exit 1
+
+rmdir $PKG/usr/bin
+
+# Tweak default apache configuration
+( cd $PKG
+ zcat $CWD/httpd.nossldefault.diff.gz | sed -e "s#lib/httpd#lib${LIBDIRSUFFIX}/httpd#" | patch -p1 --verbose || exit 1
+ zcat $CWD/httpd.runasapache.diff.gz | patch -p1 --verbose || exit 1
+ rm -f $PKG/etc/httpd/httpd.conf~ $PKG/etc/httpd/httpd.conf.orig
+) || exit 1
+# Change config files to .new:
+( cd $PKG/etc/httpd
+ mv httpd.conf httpd.conf.new
+ for file in extra/*; do
+ mv $file "${file}.new"
+ done
+)
+
+cat << EOF >> $PKG/etc/httpd/httpd.conf.new
+
+# Uncomment the following line to enable PHP:
+#
+#Include /etc/httpd/mod_php.conf
+
+# Uncomment the following lines to enable svn support:
+#
+#LoadModule dav_svn_module lib${LIBDIRSUFFIX}/httpd/modules/mod_dav_svn.so
+#LoadModule authz_svn_module lib${LIBDIRSUFFIX}/httpd/modules/mod_authz_svn.so
+
+EOF
+
+rmdir $PKG/var/log/httpd
+
+mkdir -p $PKG/etc/rc.d
+cat $CWD/rc.httpd > $PKG/etc/rc.d/rc.httpd.new
+
+mkdir -p $PKG/etc/logrotate.d
+cat $CWD/logrotate.httpd > $PKG/etc/logrotate.d/httpd.new
+
+mkdir -p $PKG/install
+cat $CWD/slack-desc > $PKG/install/slack-desc
+zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+
+mkdir -p $PKG/usr/doc/$PKGNAM-$VERSION/
+cp -a \
+ ABOUT_APACHE Apache.dsw BuildBin.dsp CHANGES INSTALL InstallBin.dsp LAYOUT LICENSE NOTICE NWGNUmakefile README* ROADMAP VERSIONING \
+ $PKG/usr/doc/$PKGNAM-$VERSION
+
+# Other distributions also strip the manual down to just English.
+# If this isn't your language of choice, mea culpa.
+( cd $PKG/srv/httpd/htdocs/manual
+ for file in $(find . -type f -name "*.html") ; do
+ if [ -f ${file}.en ]; then
+ cp ${file}.en ${file}
+ rm -f ${file}.*
+ fi
+ done
+)
+
+# On Slackware, the traditional location for the Apache document root has always
+# been "/var/www/htdocs/". We can avoid an unpleasant surprise for people by
+# leaving things where they've always been, and comply with the FHS by providing
+# symlinks allowing access through the FHS-approved pathnames. KDE, for example,
+# will look for htdig's htsearch here: /var/www/cgi-bin/htsearch
+mv $PKG/srv/httpd $PKG/var/www
+
+## DISABLED. Don't make these symlinks prior to packaging any more, as it is
+## possibly dangerous to an existing document root created in the place where
+## these symlinks are normally found. Instead, we make them in the install
+## script (only if nothing exists there already)
+#( cd $PKG/srv
+# ln -sf /var/www .
+# ln -sf /var/www httpd
+#)
+
+# OK, it's just not generally good form to put your web site in /var/www/htdocs,
+# but people do it every day. Like all new .new files, this won't save them this
+# time, but if they don't learn their lesson now then it will the next time:
+mv $PKG/var/www/htdocs/index.html $PKG/var/www/htdocs/index.html.new
+
+# Strip binaries:
+find $PKG | xargs file | grep -e "executable" -e "shared object" | grep ELF \
+ | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+
+# Compress and link manpages, if any:
+if [ -d $PKG/usr/man ]; then
+ ( cd $PKG/usr/man
+ for manpagedir in $(find . -type d -name "man*") ; do
+ ( cd $manpagedir
+ for eachpage in $( find . -type l -maxdepth 1) ; do
+ ln -s $( readlink $eachpage ).gz $eachpage.gz
+ rm $eachpage
+ done
+ gzip -9 *.*
+ )
+ done
+ )
+fi
+
+cd $PKG
+/sbin/makepkg -l y -c n $TMP/${PKGNAM}-$VERSION-$ARCH-$BUILD.txz
+
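Review bot: The CVE-2017-9798 step `zcat $CWD/apache-2.2.CVE-2017-9798.optionsbleed.patch.gz | patch -p1 --verbose || exit 1` only checks the exit status of `patch`, so a missing or unreadable .gz file is not caught by `|| exit 1`. GNU patch can exit successfully on empty input, in which case the build would continue and package an httpd without the security fix. This commit adds the patch uncompressed, so the script depends on it being gzipped elsewhere before the build. A guard such as `[ -r $CWD/apache-2.2.CVE-2017-9798.optionsbleed.patch.gz ] || exit 1` ahead of the pipeline closes that gap. The other `zcat | patch` pipelines in the script have the same shape.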
diff --git a/patches/source/httpd/httpd.brigade_move.__noinline__.gcc451.diff b/patches/source/httpd/httpd.brigade_move.__noinline__.gcc451.diff
new file mode 100644
index 00000000..e8915ae4
--- /dev/null
+++ b/patches/source/httpd/httpd.brigade_move.__noinline__.gcc451.diff
@@ -0,0 +1,10 @@
+--- ./server/core_filters.c.orig 2010-02-26 03:32:15.000000000 -0600
++++ ./server/core_filters.c 2011-02-12 13:23:22.000000000 -0600
+@@ -83,6 +83,7 @@
+ *
+ * XXXX: Should this function be added to APR-Util?
+ */
++__attribute__((__noinline__))
+ static void brigade_move(apr_bucket_brigade *b, apr_bucket_brigade *a,
+ apr_bucket *e)
+ {
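Review bot: The added `__attribute__((__noinline__))` on brigade_move carries no explanation in the patched source; the only rationale visible is the SlackBuild comment about an aliasing issue exposed by gcc-4.5.1. A comment in the patch such as `/* noinline: works around an aliasing issue exposed by gcc-4.5.1 */` would keep the reason next to the attribute, so the workaround can be re-evaluated when the compiler changes. The attribute presumably hides the symptom rather than fixing the aliasing itself, so it may need revisiting for other compiler versions. brigade_move's body lies outside the hunk.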
diff --git a/patches/source/httpd/httpd.nossldefault.diff b/patches/source/httpd/httpd.nossldefault.diff
new file mode 100644
index 00000000..bcf891f8
--- /dev/null
+++ b/patches/source/httpd/httpd.nossldefault.diff
@@ -0,0 +1,11 @@
+--- ./etc/httpd/httpd.conf.orig 2007-05-17 23:40:15.000000000 -0500
++++ ./etc/httpd/httpd.conf 2007-05-18 15:55:38.000000000 -0500
+@@ -88,7 +88,7 @@
+ LoadModule proxy_http_module lib/httpd/modules/mod_proxy_http.so
+ LoadModule proxy_ajp_module lib/httpd/modules/mod_proxy_ajp.so
+ LoadModule proxy_balancer_module lib/httpd/modules/mod_proxy_balancer.so
+-LoadModule ssl_module lib/httpd/modules/mod_ssl.so
++#LoadModule ssl_module lib/httpd/modules/mod_ssl.so
+ LoadModule mime_module lib/httpd/modules/mod_mime.so
+ LoadModule dav_module lib/httpd/modules/mod_dav.so
+ LoadModule status_module lib/httpd/modules/mod_status.so
diff --git a/patches/source/httpd/httpd.runasapache.diff b/patches/source/httpd/httpd.runasapache.diff
new file mode 100644
index 00000000..c1954ec3
--- /dev/null
+++ b/patches/source/httpd/httpd.runasapache.diff
@@ -0,0 +1,13 @@
+--- ./etc/httpd/httpd.conf.orig 2008-02-14 15:24:21.000000000 -0600
++++ ./etc/httpd/httpd.conf 2008-02-14 15:34:58.000000000 -0600
+@@ -125,8 +125,8 @@
+ # It is usually good practice to create a dedicated user and group for
+ # running httpd, as with most system services.
+ #
+-User daemon
+-Group daemon
++User apache
++Group apache
+
+ </IfModule>
+ </IfModule>
diff --git a/patches/source/httpd/httpd.url b/patches/source/httpd/httpd.url
new file mode 100644
index 00000000..36beb7d8
--- /dev/null
+++ b/patches/source/httpd/httpd.url
@@ -0,0 +1,2 @@
+http://www.apache.org/dist/httpd/httpd-2.2.32.tar.bz2
+http://www.apache.org/dist/httpd/httpd-2.2.32.tar.bz2.asc
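Review bot: Both URLs use plain `http://`, and the detached signature on the second line is not checked anywhere in httpd.SlackBuild as added by this commit, which unpacks the tarball directly with `tar xvf`. Whoever fetches the source should verify the `.asc` against the Apache release keys before building. A step such as `gpg --verify $CWD/${PKGNAM}-$VERSION.tar.bz2.asc $CWD/${PKGNAM}-$VERSION.tar.bz2 || exit 1` ahead of the extraction would make that explicit. Switching the URLs to `https://` is a cheap additional safeguard.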
diff --git a/patches/source/httpd/logrotate.httpd b/patches/source/httpd/logrotate.httpd
new file mode 100644
index 00000000..cc638367
--- /dev/null
+++ b/patches/source/httpd/logrotate.httpd
@@ -0,0 +1,12 @@
+/var/log/httpd/*_log {
+ rotate 10
+ notifempty
+ missingok
+ size=5M
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /etc/rc.d/rc.httpd restart
+ endscript
+}
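Review bot: The `postrotate` script runs `/etc/rc.d/rc.httpd restart` unconditionally, which maps to `apachectl -k restart`; per the apachectl documentation that starts httpd when it is not running. A size-triggered rotation could therefore bring up a web server the administrator had deliberately stopped, and a full restart also drops in-flight connections. I would guard it on a pid file and use the graceful action, e.g. `ls /var/run/httpd/*.pid >/dev/null 2>&1 && /etc/rc.d/rc.httpd graceful`.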
diff --git a/patches/source/httpd/rc.httpd b/patches/source/httpd/rc.httpd
new file mode 100644
index 00000000..064f6ea4
--- /dev/null
+++ b/patches/source/httpd/rc.httpd
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+# /etc/rc.d/rc.httpd
+#
+# Start/stop/restart/graceful[ly restart]/graceful[ly]-stop
+# the Apache (httpd) web server.
+#
+# To make Apache start automatically at boot, make this
+# file executable: chmod 755 /etc/rc.d/rc.httpd
+#
+# For information on these options, "man apachectl".
+
+case "$1" in
+ 'start')
+ /usr/sbin/apachectl -k start
+ ;;
+ 'stop')
+ /usr/sbin/apachectl -k stop
+ killall httpd
+ rm -f /var/run/httpd/*.pid
+ ;;
+ 'restart')
+ /usr/sbin/apachectl -k restart
+ ;;
+ 'graceful')
+ /usr/sbin/apachectl -k graceful
+ ;;
+ 'graceful-stop')
+ /usr/sbin/apachectl -k graceful-stop
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|graceful|graceful-stop}"
+ ;;
+esac
+
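Review bot: The `stop` branch follows `apachectl -k stop` with `killall httpd`, which signals every process named httpd on the host rather than only the instance this script started, and does so without waiting for the orderly shutdown to finish. Any second httpd instance would presumably be taken down with it. Prefer signalling only the pid recorded under /var/run/httpd, and only if it is still alive after a short wait. The `*)` usage branch should also end with `exit 1` so callers can detect a bad argument.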
diff --git a/patches/source/httpd/slack-desc b/patches/source/httpd/slack-desc
new file mode 100644
index 00000000..38d240b6
--- /dev/null
+++ b/patches/source/httpd/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description. Line
+# up the first '|' above the ':' following the base package name, and the '|'
+# on the right side marks the last column you can put a character in. You must
+# make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':'.
+
+ |-----handy-ruler------------------------------------------------------|
+httpd: httpd (The Apache HTTP Server)
+httpd:
+httpd: Apache is an HTTP server designed as a plug-in replacement for the
+httpd: NCSA HTTP server. It fixes numerous bugs in the NCSA server and
+httpd: includes many frequently requested new features, and has an API which
+httpd: allows it to be extended to meet users' needs more easily.
+httpd:
+httpd: Apache is the most popular web server in the known universe; over
+httpd: half of the servers on the Internet are running Apache or one of
+httpd: its variants.
+httpd: