Hello community, here is the log from the commit of package apache2 for openSUSE:Factory checked in at 2014-11-13 09:21:36 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2 (Old) and /work/SRC/openSUSE:Factory/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2/apache2.changes 2014-11-05 16:26:45.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.apache2.new/apache2.changes 2014-11-13 09:21:37.000000000 +0100 @@ -1,0 +2,12 @@ +Sun Nov 09 00:57:00 UTC 2014 - Led <ledest@gmail.com> + +- fix bashisms in post scripts + +------------------------------------------------------------------- +Fri Nov 7 15:52:47 UTC 2014 - kstreitova@suse.com + +- added httpd-2.4.10-check_null_pointer_dereference.patch to avoid + a crash when Content-Type has an empty value [bnc#899836], + CVE-2014-3581 + +------------------------------------------------------------------- @@ -5,0 +18,6 @@ + +------------------------------------------------------------------- +Sat Oct 18 16:21:00 UTC 2014 - Led <ledest@gmail.com> + +- httpd-2.1.9-apachectl.dif renamed to httpd-2.4.10-apachectl.patch + and updated (fixed bashism). Old: ---- httpd-2.1.9-apachectl.dif New: ---- httpd-2.4.10-apachectl.patch httpd-2.4.10-check_null_pointer_dereference.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.UJxwV3/_old 2014-11-13 09:21:40.000000000 +0100 +++ /var/tmp/diff_new_pack.UJxwV3/_new 2014-11-13 09:21:40.000000000 +0100 
@@ -150,7 +150,7 @@ Source143: apache2-systemd-ask-pass Source144: apache2.service Patch2: httpd-2.1.3alpha-layout.dif -Patch23: httpd-2.1.9-apachectl.dif +Patch23: httpd-2.4.10-apachectl.patch #Patch65: httpd-2.0.49-log_server_status.dif Patch66: httpd-2.0.54-envvars.dif Patch67: httpd-2.2.0-apxs-a2enmod.dif @@ -164,6 +164,8 @@ # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration. Patch109: httpd-2.4.3-mod_systemd.patch Patch111: httpd-visibility.patch +# PATCH-FIX-UPSTREAM bnc#899836 kstreitova@suse.com -- avoid a crash when Content-Type has an empty value +Patch112: httpd-2.4.10-check_null_pointer_dereference.patch Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.4 @@ -343,6 +345,7 @@ #%patch108 -p1 %patch109 -p1 %patch111 -p1 +%patch112 -p1 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # install READMEs a=$(basename %{S:22}) @@ -981,19 +984,19 @@ %if %prefork %post prefork -/usr/share/%{pname}/get_module_list &>/dev/null +/usr/share/%{pname}/get_module_list >/dev/null 2>&1 exit 0 %endif %if %worker %post worker -/usr/share/%{pname}/get_module_list &>/dev/null +/usr/share/%{pname}/get_module_list >/dev/null 2>&1 exit 0 %endif %if %event %post event -/usr/share/%{pname}/get_module_list &>/dev/null +/usr/share/%{pname}/get_module_list >/dev/null 2>&1 exit 0 %endif @@ -1006,7 +1009,7 @@ %pre %if %{?suse_version:0}%{!?suse_version:1} # on Fedora, add the "apache" user -if ! /usr/bin/getent passwd %httpduser &>/dev/null; then +if ! /usr/bin/getent passwd %httpduser >/dev/null 2>&1; then echo "Creating %httpduser user" /usr/sbin/useradd -c "Apache" -u 48 \ -s /sbin/nologin -r -d %{localstatedir} %httpduser 2> /dev/null || : 
@@ -1086,7 +1089,7 @@ rm -rf $tmpdir /usr/share/%{pname}/apache-20-22-upgrade -/usr/share/%{pname}/get_module_list &>/dev/null +/usr/share/%{pname}/get_module_list >/dev/null 2>&1 %if 0%{?suse_version} >= 1210 %service_add_post apache2.service %endif ++++++ httpd-2.4.10-apachectl.patch ++++++ diff -Ndurp httpd-2.4.10/support/apachectl.in httpd-2.4.10-apachectl/support/apachectl.in --- httpd-2.4.10/support/apachectl.in 2012-02-01 05:47:28.000000000 +0200 +++ httpd-2.4.10-apachectl/support/apachectl.in 2014-10-18 19:18:51.203692588 +0300 @@ -42,17 +42,32 @@ ARGV="$@" # -------------------- -------------------- # # the path to your httpd binary, including options if necessary -HTTPD='@exp_sbindir@/@progname@' +HTTPD='@exp_sbindir@/httpd2' # # pick up any necessary environment variables if test -f @exp_sbindir@/envvars; then . @exp_sbindir@/envvars fi + +pname=apache2 +sysconfig_apache=/etc/sysconfig/$pname +sysconfdir=/etc/$pname + +test -s $sysconfig_apache && . $sysconfig_apache +httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf} + # # a command that outputs a formatted text version of the HTML at the # url given on the command line. Designed for lynx, however other # programs may work. -LYNX="@LYNX_PATH@ -dump" + +if [ -x "`which w3m`" ]; then + LYNX="w3m -dump -cols ${COLUMNS:-80}" +elif [ -x "`which lynx`" ]; then + LYNX="lynx -dump -width=${COLUMNS:-80}" +fi + + # # the URL to your server's mod_status status page. If you do not # have one, then status and fullstatus will not work. @@ -78,7 +93,7 @@ fi case $ACMD in start|stop|restart|graceful|graceful-stop) - $HTTPD -k $ARGV + $HTTPD ${httpd_conf+-f $httpd_conf} -k $ARGV ERROR=$? ;; startssl|sslstart|start-SSL) 
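Review bot: In the `support/apachectl.in` hunk at `@@ -42,17 +42,32 @@`, `LYNX` is left unset when neither `w3m` nor `lynx` is found. The `status`/`fullstatus` branches are outside this hunk, but if they run `$LYNX $STATUSURL` as expected, the shell would then try to execute the URL itself as the command; add an `else` branch, or a check in those branches, that reports the missing text browser. The probe uses `which`, which is not a POSIX utility and sits oddly with this commit's bashism cleanup; `if command -v w3m >/dev/null 2>&1; then` is the portable form. The hunk also replaces the build-time absolute `@LYNX_PATH@` with a run-time `PATH` lookup in a script that is normally run as root, so consider storing a resolved absolute path in `LYNX`.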
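Review bot: `${httpd_conf+-f $httpd_conf}` in the `start|stop|restart|graceful|graceful-stop` branch, and again in the `configtest` branch of the following hunk, expands `$httpd_conf` unquoted. An `APACHE_HTTPD_CONF` value sourced from `/etc/sysconfig/apache2` that contains whitespace or glob characters would therefore be split into several httpd arguments. The `+` guard is also redundant, because the earlier hunk always assigns `httpd_conf` through the `:-` default. `$HTTPD -f "$httpd_conf" -k $ARGV` and `$HTTPD -f "$httpd_conf" -t` do the same thing and keep the path a single argument. The `case` statement continues outside both hunks.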
@@ -88,7 +103,7 @@ startssl|sslstart|start-SSL) ERROR=2 ;; configtest) - $HTTPD -t + $HTTPD ${httpd_conf+-f $httpd_conf} -t ERROR=$? ;; status) ++++++ httpd-2.4.10-check_null_pointer_dereference.patch ++++++ Index: httpd-2.4.10/CHANGES =================================================================== --- httpd-2.4.10.orig/CHANGES +++ httpd-2.4.10/CHANGES @@ -1,6 +1,9 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.10 + *) SECURITY: CVE-2014-3581 (cve.mitre.org) + mod_cache: Avoid a crash when Content-Type has an empty value. PR56924. + [Mark Montague <mark catseye.org>, Jan Kaluza] *) SECURITY: CVE-2014-0117 (cve.mitre.org) mod_proxy: Fix crash in Connection header handling which Index: httpd-2.4.10/modules/cache/cache_util.c =================================================================== --- httpd-2.4.10.orig/modules/cache/cache_util.c +++ httpd-2.4.10/modules/cache/cache_util.c @@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req if (r->content_type && !apr_table_get(headers_out, "Content-Type")) { - apr_table_setn(headers_out, "Content-Type", - ap_make_content_type(r, r->content_type)); + const char *ctype = ap_make_content_type(r, r->content_type); + if (ctype) { + apr_table_setn(headers_out, "Content-Type", ctype); + } } if (r->content_encoding -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
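Review bot: The new `if (ctype)` guard in `cache_merge_headers_out` has no comment saying when `ap_make_content_type()` can return NULL, so the check looks removable to a later reader. Going by the CHANGES entry in the same patch, the case is a Content-Type with an empty value, where `r->content_type` is non-NULL and passes the outer test. I would add `/* ap_make_content_type() returns NULL for an empty Content-Type; never store a NULL header value (CVE-2014-3581) */` above the guard. Other places that store the result of `ap_make_content_type()` into a header table may need the same check; none are visible here, and the function body continues outside the hunk.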