Hello community,
here is the log from the commit of package apache2 for openSUSE:11.3
checked in at Mon Dec 5 17:54:37 CET 2011.
--------
--- old-versions/11.3/UPDATES/all/apache2/apache2.changes 2011-10-26 15:52:56.000000000 +0200
+++ 11.3/apache2/apache2.changes 2011-11-29 16:51:01.000000000 +0100
@@ -1,0 +2,23 @@
+Tue Nov 29 16:50:30 CET 2011 - draht@suse.de
+
+- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff re-worked:
+ len needs to be unsigned. int -> apr_size_t. [bnc#729181]
+
+-------------------------------------------------------------------
+Fri Nov 25 14:43:52 CET 2011 - draht@suse.de
+
+- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff fixes an
+ integer overflow in server/util.c also known as CVE-2011-3607.
+ [bnc#729181]
+- httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff: make non-ascii
+ eg UTF8 passwords work with mod_authnz_ldap. [bnc#727071]
+- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff is a fix
+ for CVE-2011-4317, which is to be seen a variant of CVE-2011-3368
+ which was addressed below in
+ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff. [bnc#722545]
+- new template file: /etc/apache2/vhosts.d/vhost-ssl.template
+ allow TLSv1 only, browser match stuff commented out.
+- rc script /etc/init.d/apache2: handle reload with deleted binaries
+ by message to stdout only, but refrain from sending signals.
+
+-------------------------------------------------------------------
calling whatdependson for 11.3-i586
New:
----
httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff
httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff
httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100
+++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100
@@ -64,7 +64,7 @@
Group: Productivity/Networking/Web/Servers
%define realver 2.2.15
Version: 2.2.15
-Release: 4.<RELEASE7>
+Release: 4.<RELEASE9>
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
# Add file to take mtime from it in prep section
@@ -127,6 +127,9 @@
Patch104: httpd-2.2.x-bnc713966-CVE-2011-3192.patch
Patch105: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
Patch106: httpd-2.2.x-CVE-2011-3348-mod_proxy_ajp.patch
+Patch107: httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff
+Patch108: httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff
+Patch109: httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff
Url: http://httpd.apache.org/
Icon: Apache.xpm
Summary: The Apache Web Server Version 2.2
@@ -405,6 +408,9 @@
%patch104 -p0
%patch105 -p0
%patch106 -p0
+%patch107 -p0
+%patch108 -p0
+%patch109 -p0
#
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
#
++++++ apache2-vhost-ssl.template ++++++
--- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100
+++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100
@@ -13,20 +13,11 @@
# serve pages over an https connection. For detailing information about these
# directives see URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html
#
-# For the moment, see URL:http://www.modssl.org/docs/ for this info.
-# The documents are still being prepared from material donated by the
-# modssl project.
-#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
-# Until documentation is completed, please check http://www.modssl.org/
-# for additional config examples and module docmentation. Directives
-# and features of mod_ssl are largely unchanged from the mod_ssl project
-# for Apache 1.3.
-
<IfDefine SSL>
@@ -47,10 +38,21 @@
# Enable/Disable SSL for this virtual host.
SSLEngine on
+ # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
+ SSLProtocol all -SSLv2 -SSLv3
+
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
- SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ #
+ # formerly, this was set to the following:
+ # ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ #
+ # We now disable weak ciphers by default.
+ # Please see the documentation via the links above, and
+ # "openssl ciphers -v" for a complete list of ciphers that are
+ # available.
+ SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
@@ -185,9 +187,12 @@
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
- SetEnvIf User-Agent ".*MSIE.*" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
+ # remark: The below configuration snippet is here for illustration purposes.
+ # Browser specific deficiencies exist, but generally all of them
+ # should handle SSL/TLS encapsulated connections well.
+ #SetEnvIf User-Agent ".*MSIE.*" \
+ # nokeepalive ssl-unclean-shutdown \
+ # downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
++++++ httpd-2.2.x-CVE-2011-3348-mod_proxy_ajp.patch ++++++
--- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100
+++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100
@@ -1,37 +1,7 @@
-diff -rNU 50 ../httpd-2.2.17-o/modules/proxy/mod_proxy_ajp.c ./modules/proxy/mod_proxy_ajp.c
---- ../httpd-2.2.17-o/modules/proxy/mod_proxy_ajp.c 2010-08-25 16:16:25.000000000 +0200
-+++ ./modules/proxy/mod_proxy_ajp.c 2011-10-24 23:37:12.000000000 +0200
-@@ -166,101 +166,103 @@
- {
- apr_status_t status;
- int result;
- apr_bucket *e;
- apr_bucket_brigade *input_brigade;
- apr_bucket_brigade *output_brigade;
- ajp_msg_t *msg;
- apr_size_t bufsiz = 0;
- char *buff;
- char *send_body_chunk_buff;
- apr_uint16_t size;
- const char *tenc;
- int havebody = 1;
- int output_failed = 0;
- int backend_failed = 0;
- apr_off_t bb_len;
- int data_sent = 0;
- int request_ended = 0;
- int headers_sent = 0;
- int rv = 0;
- apr_int32_t conn_poll_fd;
- apr_pollfd_t *conn_poll;
- proxy_server_conf *psf =
- ap_get_module_config(r->server->module_config, &proxy_module);
- apr_size_t maxsize = AJP_MSG_BUFFER_SZ;
- int send_body = 0;
- apr_off_t content_length = 0;
-
- if (psf->io_buffer_size_set)
- maxsize = psf->io_buffer_size;
+diff -rNU 20 ../httpd-2.2.12-o/modules/proxy/mod_proxy_ajp.c ./modules/proxy/mod_proxy_ajp.c
+--- ../httpd-2.2.12-o/modules/proxy/mod_proxy_ajp.c 2011-10-07 14:35:30.000000000 +0200
++++ ./modules/proxy/mod_proxy_ajp.c 2011-10-07 15:04:51.000000000 +0200
+@@ -196,41 +196,43 @@
if (maxsize > AJP_MAX_BUFFER_SZ)
maxsize = AJP_MAX_BUFFER_SZ;
else if (maxsize < AJP_MSG_BUFFER_SZ)
@@ -76,33 +46,3 @@
conn->close++;
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
"proxy: ajp_alloc_data_msg failed");
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-
- /* read the first bloc of data */
- input_brigade = apr_brigade_create(p, r->connection->bucket_alloc);
- tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
- if (tenc && (strcasecmp(tenc, "chunked") == 0)) {
- /* The AJP protocol does not want body data yet */
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
- "proxy: request is chunked");
- } else {
- /* Get client provided Content-Length header */
- content_length = get_content_length(r);
- status = ap_get_brigade(r->input_filters, input_brigade,
- AP_MODE_READBYTES, APR_BLOCK_READ,
- maxsize - AJP_HEADER_SZ);
-
- if (status != APR_SUCCESS) {
- /* We had a failure: Close connection to backend */
- conn->close++;
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
- "proxy: ap_get_brigade failed");
- apr_brigade_destroy(input_brigade);
- return HTTP_BAD_REQUEST;
- }
-
- /* have something */
- if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(input_brigade))) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
- "proxy: APR_BUCKET_IS_EOS");
++++++ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff ++++++
--- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100
+++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100
@@ -1,6 +1,6 @@
-diff -rNU 50 ../httpd-2.2.15-o/server/protocol.c ./server/protocol.c
---- ../httpd-2.2.15-o/server/protocol.c 2011-10-26 15:50:45.000000000 +0200
-+++ ./server/protocol.c 2011-10-26 15:50:54.000000000 +0200
+diff -rNU 50 ../httpd-2.2.12-o/server/protocol.c ./server/protocol.c
+--- ../httpd-2.2.12-o/server/protocol.c 2011-10-26 15:08:02.000000000 +0200
++++ ./server/protocol.c 2011-10-26 15:08:13.000000000 +0200
@@ -590,100 +590,125 @@
apr_status_t rv;
++++++ httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff ++++++
diff -rNU 20 ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c ./modules/mappers/mod_rewrite.c
--- ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c 2009-07-10 14:20:45.000000000 +0200
+++ ./modules/mappers/mod_rewrite.c 2011-11-24 04:08:35.000000000 +0100
@@ -4230,40 +4230,47 @@
/*
* only do something under runtime if the engine is really enabled,
* else return immediately!
*/
if (conf->state == ENGINE_DISABLED) {
return DECLINED;
}
/*
* check for the ugly API case of a virtual host section where no
* mod_rewrite directives exists. In this situation we became no chance
* by the API to setup our default per-server config so we have to
* on-the-fly assume we have the default config. But because the default
* config has a disabled rewriting engine we are lucky because can
* just stop operating now.
*/
if (conf->server != r->server) {
return DECLINED;
}
+ /* Check that the URI is valid. */
+ if (!r->uri || r->uri[0] != '/') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Invalid URI in request %s", r->the_request);
+ return HTTP_BAD_REQUEST;
+ }
+
/*
* add the SCRIPT_URL variable to the env. this is a bit complicated
* due to the fact that apache uses subrequests and internal redirects
*/
if (r->main == NULL) {
var = apr_table_get(r->subprocess_env, REDIRECT_ENVVAR_SCRIPT_URL);
if (var == NULL) {
apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, r->uri);
}
else {
apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var);
}
}
else {
var = apr_table_get(r->main->subprocess_env, ENVVAR_SCRIPT_URL);
apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var);
}
/*
diff -rNU 20 ../httpd-2.2.12-o/modules/proxy/mod_proxy.c ./modules/proxy/mod_proxy.c
--- ../httpd-2.2.12-o/modules/proxy/mod_proxy.c 2009-01-31 21:58:07.000000000 +0100
+++ ./modules/proxy/mod_proxy.c 2011-11-24 04:08:35.000000000 +0100
@@ -527,40 +527,47 @@
proxy_server_conf *conf =
(proxy_server_conf *) ap_get_module_config(sconf, &proxy_module);
int i, len;
struct proxy_alias *ent = (struct proxy_alias *) conf->aliases->elts;
proxy_dir_conf *dconf = ap_get_module_config(r->per_dir_config,
&proxy_module);
const char *fake;
const char *real;
ap_regmatch_t regm[AP_MAX_REG_MATCH];
ap_regmatch_t reg1[AP_MAX_REG_MATCH];
char *found = NULL;
int mismatch = 0;
if (r->proxyreq) {
/* someone has already set up the proxy, it was possibly ourselves
* in proxy_detect
*/
return OK;
}
+ /* Check that the URI is valid. */
+ if (!r->uri || r->uri[0] != '/') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Invalid URI in request %s", r->the_request);
+ return HTTP_BAD_REQUEST;
+ }
+
/* XXX: since r->uri has been manipulated already we're not really
* compliant with RFC1945 at this point. But this probably isn't
* an issue because this is a hybrid proxy/origin server.
*/
for (i = 0; i < conf->aliases->nelts; i++) {
unsigned int nocanon = ent[i].flags & PROXYPASS_NOCANON;
const char *use_uri = nocanon ? r->unparsed_uri : r->uri;
if ((dconf->interpolate_env == 1)
&& (ent[i].flags & PROXYPASS_INTERPOLATE)) {
fake = proxy_interpolate(r, ent[i].fake);
real = proxy_interpolate(r, ent[i].real);
}
else {
fake = ent[i].fake;
real = ent[i].real;
}
if (ent[i].regex) {
if (!ap_regexec(ent[i].regex, r->uri, AP_MAX_REG_MATCH, regm, 0)) {
if ((real[0] == '!') && (real[1] == '\0')) {
++++++ httpd-2.2.x-bnc727071-mod_authnz_ldap-utf8.diff ++++++
diff -rNU 30 ../httpd-2.2.15-o/modules/aaa/mod_authnz_ldap.c ./modules/aaa/mod_authnz_ldap.c
--- ../httpd-2.2.15-o/modules/aaa/mod_authnz_ldap.c 2010-02-25 03:25:35.000000000 +0100
+++ ./modules/aaa/mod_authnz_ldap.c 2011-11-29 16:46:58.000000000 +0100
@@ -126,60 +126,82 @@
charset = apr_pstrdup(p, charset);
}
return charset;
}
static apr_xlate_t* get_conv_set (request_rec *r)
{
char *lang_line = (char*)apr_table_get(r->headers_in, "accept-language");
char *lang;
apr_xlate_t *convset;
if (lang_line) {
lang_line = apr_pstrdup(r->pool, lang_line);
for (lang = lang_line;*lang;lang++) {
if ((*lang == ',') || (*lang == ';')) {
*lang = '\0';
break;
}
}
lang = derive_codepage_from_lang(r->pool, lang_line);
if (lang && (apr_xlate_open(&convset, to_charset, lang, r->pool) == APR_SUCCESS)) {
return convset;
}
}
return NULL;
}
+static const char* authn_ldap_xlate_password(request_rec *r,
+ const char* sent_password)
+{
+ apr_xlate_t *convset = NULL;
+ apr_size_t inbytes;
+ apr_size_t outbytes;
+ char *outbuf;
+
+ if (charset_conversions && (convset = get_conv_set(r)) ) {
+ inbytes = strlen(sent_password);
+ outbytes = (inbytes+1)*3;
+ outbuf = apr_pcalloc(r->pool, outbytes);
+
+ /* Convert the password to UTF-8. */
+ if (apr_xlate_conv_buffer(convset, sent_password, &inbytes, outbuf,
+ &outbytes) == APR_SUCCESS)
+ return outbuf;
+ }
+
+ return sent_password;
+}
+
/*
* Build the search filter, or at least as much of the search filter that
* will fit in the buffer. We don't worry about the buffer not being able
* to hold the entire filter. If the buffer wasn't big enough to hold the
* filter, ldap_search_s will complain, but the only situation where this
* is likely to happen is if the client sent a really, really long
* username, most likely as part of an attack.
*
* The search filter consists of the filter provided with the URL,
* combined with a filter made up of the attribute provided with the URL,
* and the actual username passed by the HTTP client. For example, assume
* that the LDAP URL is
*
* ldap://ldap.airius.com/ou=People, o=Airius?uid??(posixid=*)
*
* Further, assume that the userid passed by the client was `userj'. The
* search filter will be (&(posixid=*)(uid=userj)).
*/
#define FILTER_LENGTH MAX_STRING_LEN
static void authn_ldap_build_filter(char *filtbuf,
request_rec *r,
const char* sent_user,
const char* sent_filter,
authn_ldap_config_t *sec)
{
char *p, *q, *filtbuf_end;
char *user, *filter;
apr_xlate_t *convset = NULL;
apr_size_t inbytes;
@@ -317,116 +339,120 @@
{
util_ldap_connection_t *ldc = param;
util_ldap_connection_close(ldc);
return APR_SUCCESS;
}
/*
* Authentication Phase
* --------------------
*
* This phase authenticates the credentials the user has sent with
* the request (ie the username and password are checked). This is done
* by making an attempt to bind to the LDAP server using this user's
* DN and the supplied password.
*
*/
static authn_status authn_ldap_check_password(request_rec *r, const char *user,
const char *password)
{
int failures = 0;
const char **vals = NULL;
char filtbuf[FILTER_LENGTH];
authn_ldap_config_t *sec =
(authn_ldap_config_t *)ap_get_module_config(r->per_dir_config, &authnz_ldap_module);
util_ldap_connection_t *ldc = NULL;
int result = 0;
int remote_user_attribute_set = 0;
const char *dn = NULL;
+ const char *utfpassword;
authn_ldap_request_t *req =
(authn_ldap_request_t *)apr_pcalloc(r->pool, sizeof(authn_ldap_request_t));
ap_set_module_config(r->request_config, &authnz_ldap_module, req);
/*
if (!sec->enabled) {
return AUTH_USER_NOT_FOUND;
}
*/
/*
* Basic sanity checks before any LDAP operations even happen.
*/
if (!sec->have_ldap_url) {
return AUTH_GENERAL_ERROR;
}
start_over:
/* There is a good AuthLDAPURL, right? */
if (sec->host) {
ldc = util_ldap_connection_find(r, sec->host, sec->port,
sec->binddn, sec->bindpw, sec->deref,
sec->secure);
}
else {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authenticate: no sec->host - weird...?", getpid());
return AUTH_GENERAL_ERROR;
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authenticate: using URL %s", getpid(), sec->url);
/* Get the password that the client sent */
if (password == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authenticate: no password specified", getpid());
util_ldap_connection_close(ldc);
return AUTH_GENERAL_ERROR;
}
if (user == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authenticate: no user specified", getpid());
util_ldap_connection_close(ldc);
return AUTH_GENERAL_ERROR;
}
/* build the username filter */
authn_ldap_build_filter(filtbuf, r, user, NULL, sec);
+ /* convert password to utf-8 */
+ utfpassword = authn_ldap_xlate_password(r, password);
+
/* do the user search */
result = util_ldap_cache_checkuserid(r, ldc, sec->url, sec->basedn, sec->scope,
- sec->attributes, filtbuf, password, &dn, &vals);
+ sec->attributes, filtbuf, utfpassword, &dn, &vals);
util_ldap_connection_close(ldc);
/* sanity check - if server is down, retry it up to 5 times */
if (AP_LDAP_IS_SERVER_DOWN(result)) {
if (failures++ <= 5) {
goto start_over;
}
}
/* handle bind failure */
if (result != LDAP_SUCCESS) {
if (!sec->bind_authoritative) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authenticate: "
"user %s authentication failed; URI %s [%s][%s] (not authoritative)",
getpid(), user, r->uri, ldc->reason, ldap_err2string(result));
return AUTH_USER_NOT_FOUND;
}
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
"[%" APR_PID_T_FMT "] auth_ldap authenticate: "
"user %s authentication failed; URI %s [%s][%s]",
getpid(), user, r->uri, ldc->reason, ldap_err2string(result));
return (LDAP_NO_SUCH_OBJECT == result) ? AUTH_USER_NOT_FOUND
#ifdef LDAP_SECURITY_ERROR
: (LDAP_SECURITY_ERROR(result)) ? AUTH_DENIED
#else
: (LDAP_INAPPROPRIATE_AUTH == result) ? AUTH_DENIED
: (LDAP_INVALID_CREDENTIALS == result) ? AUTH_DENIED
++++++ httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff ++++++
diff -rNU 20 ../httpd-2.2.12-o/server/util.c ./server/util.c
--- ../httpd-2.2.12-o/server/util.c 2011-11-29 16:27:42.000000000 +0100
+++ ./server/util.c 2011-11-29 16:29:03.000000000 +0100
@@ -349,72 +349,81 @@
* passed ap_regexec(). pmatch should not be greater than the maximum number
* of subexpressions - i.e. one more than the re_nsub member of ap_regex_t.
*
* input should be the string with the $-expressions, source should be the
* string that was matched against.
*
* It returns the substituted string, or NULL on error.
*
* Parts of this code are based on Henry Spencer's regsub(), from his
* AT&T V8 regexp package.
*/
AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input,
const char *source, size_t nmatch,
ap_regmatch_t pmatch[])
{
const char *src = input;
char *dest, *dst;
char c;
size_t no;
- int len;
+ apr_size_t len;
if (!source)
return NULL;
if (!nmatch)
return apr_pstrdup(p, src);
/* First pass, find the size */
len = 0;
while ((c = *src++) != '\0') {
if (c == '&')
no = 0;
else if (c == '$' && apr_isdigit(*src))
no = *src++ - '0';
else
no = 10;
if (no > 9) { /* Ordinary character. */
if (c == '\\' && (*src == '$' || *src == '&'))
c = *src++;
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL,
+ "integer overflow or out of memory condition." );
+ return NULL;
+ }
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
}
dest = dst = apr_pcalloc(p, len + 1);
+ if(!dest)
+ return NULL;
+
+
/* Now actually fill in the string */
src = input;
while ((c = *src++) != '\0') {
if (c == '&')
no = 0;
else if (c == '$' && apr_isdigit(*src))
no = *src++ - '0';
else
no = 10;
if (no > 9) { /* Ordinary character. */
if (c == '\\' && (*src == '$' || *src == '&'))
c = *src++;
*dst++ = c;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
len = pmatch[no].rm_eo - pmatch[no].rm_so;
memcpy(dst, source + pmatch[no].rm_so, len);
++++++ rc.apache2 ++++++
--- /var/tmp/diff_new_pack.EHsCCV/_old 2011-12-05 17:54:03.000000000 +0100
+++ /var/tmp/diff_new_pack.EHsCCV/_new 2011-12-05 17:54:03.000000000 +0100
@@ -6,9 +6,8 @@
# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
#
# Authors: Rolf Haberrecker , 2001
-# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007,
-# 2008, 2009, 2010
-#
+# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007, 2008
+# Roman Drahtmueller , 2009-2012
#
# /etc/init.d/apache2
#
@@ -161,6 +160,8 @@
echo -n "(not running)"
else
pid=$(<$pidfile)
+ # re-read exe symlink, it could be (deleted) in the meanwhile.
+ apache_bin=$(readlink /proc/$pid/exe 2>/dev/null)
kill -TERM $pid 2>/dev/null
case $? in
1) echo -n "(not running)";;
@@ -174,7 +175,7 @@
if ! test -f /proc/$pid/exe; then
break
fi
- if test "$(readlink /proc/$pid/exe 2>/dev/null)" = $apache_bin; then
+ if test "$(readlink /proc/$pid/exe 2>/dev/null)" = "$apache_bin"; then
usleep 500000
else
break
@@ -260,7 +261,24 @@
rc_status
;;
reload|force-reload|graceful)
+ # check if there is a deleted binary. If there is, then logrotate
+ # or other occasions will fail to reload, as dlopen(3) of apache
+ # modules is prone to fail due to symbol mismatches.
+ # in this case, we only complain and fail.
+ if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
+ executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null )
+ case "$executable" in
+ *httpd*delete*)
+ echo -n "Reload httpd2 after package update: ignoring request. Please do a manual restart explicitly! "
+ rc_failed 1
+ rc_status -v
+ rc_exit
+ ;;
+ *)
+ ;;
+ esac
echo -n "Reload httpd2 (graceful restart)"
+
cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
if eval $cmdline -t &> $logdir/rc$pname.out; then
killproc -USR1 $apache_bin || return=$rc_failed
continue with "q"...
Remember to have fun...
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org