packages/httpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!22 update httpd to 2.4.46

Browse Source 
From: @haochenstar
Reviewed-by: @zengwefeng
Signed-off-by: @zengwefeng
This commit is contained in:
openeuler-ci-bot 2021-02-01 14:55:45 +08:00 committed by Gitee
commit 34d9fca361
12 changed files with 1873 additions and 2398 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
CVE-2020-11984.patch
View File

@ -1,61 +0,0 @@
From 0c543e3f5b3881d515d6235f152aacaaaf3aba72 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Fri, 24 Jul 2020 09:35:25 +0000
Subject: [PATCH] Merge r1880205, r1880214 from trunk:
mod_proxy_uwsgi: Error out on HTTP header larger than 16K
The uwsgi protocol does not let us serialize more than 16K of HTTP header,
so fail early with 500 if it happens.
Follow up to r1880205, APLOGNO().
Submitted by: ylavic
Reviewed by: ylavic, covener, icing
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1880251 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/mod_proxy_uwsgi.c | 13 ++++++++++---
1 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
index 2ac2a95d2ef..0209ac4062e 100644
--- a/modules/proxy/mod_proxy_uwsgi.c
+++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -136,7 +136,7 @@ static int uwsgi_send_headers(request_rec *r, proxy_conn_rec * conn)
int j;
apr_size_t headerlen = 4;
- apr_uint16_t pktsize, keylen, vallen;
+ apr_size_t pktsize, keylen, vallen;
const char *script_name;
const char *path_info;
const char *auth;
@@ -178,6 +178,15 @@ static int uwsgi_send_headers(request_rec *r, proxy_conn_rec * conn)
headerlen += 2 + strlen(env[j].key) + 2 + strlen(env[j].val);
}
+ pktsize = headerlen - 4;
+ if (pktsize > APR_UINT16_MAX) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10259)
+ "can't send headers to %s:%u: packet size too "
+ "large (%" APR_SIZE_T_FMT ")",
+ conn->hostname, conn->port, pktsize);
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+
ptr = buf = apr_palloc(r->pool, headerlen);
ptr += 4;
@@ -196,8 +205,6 @@ static int uwsgi_send_headers(request_rec *r, proxy_conn_rec * conn)
ptr += vallen;
}
- pktsize = headerlen - 4;
-
buf[0] = 0;
buf[1] = (apr_byte_t) (pktsize & 0xff);
buf[2] = (apr_byte_t) ((pktsize >> 8) & 0xff);

1902
CVE-2020-11993.patch
View File

File diff suppressed because it is too large Load Diff

394
CVE-2020-9490.patch
View File

@ -1,394 +0,0 @@
From f1e4032670b82a84a469f6506de9052fd9df54f8 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Wed, 29 Jul 2020 12:15:58 +0000
Subject: [PATCH] *) mod_http2: remote support for abandoned http-wg draft
<https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1880395 13f79535-47bb-0310-9956-ffa450edef68
---
modules/http2/h2_push.c | 255 ++++---------------------------------
modules/http2/h2_push.h | 54 +++++---
2 files changed, 64 insertions(+), 245 deletions(-)
diff --git a/modules/http2/h2_push.c b/modules/http2/h2_push.c
index 60488cf..dc21e1e 100644
--- a/modules/http2/h2_push.c
+++ b/modules/http2/h2_push.c
@@ -464,33 +464,6 @@ apr_array_header_t *h2_push_collect(apr_pool_t *p, const h2_request *req,
return NULL;
}
-/*******************************************************************************
- * push diary
- *
- * - The push diary keeps track of resources already PUSHed via HTTP/2 on this
- * connection. It records a hash value from the absolute URL of the resource
- * pushed.
- * - Lacking openssl, it uses 'apr_hashfunc_default' for the value
- * - with openssl, it uses SHA256 to calculate the hash value
- * - whatever the method to generate the hash, the diary keeps a maximum of 64
- * bits per hash, limiting the memory consumption to about
- * H2PushDiarySize * 8
- * bytes. Entries are sorted by most recently used and oldest entries are
- * forgotten first.
- * - Clients can initialize/replace the push diary by sending a 'Cache-Digest'
- * header. Currently, this is the base64url encoded value of the cache digest
- * as specified in https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
- * This draft can be expected to evolve and the definition of the header
- * will be added there and refined.
- * - The cache digest header is a Golomb Coded Set of hash values, but it may
- * limit the amount of bits per hash value even further. For a good description
- * of GCS, read here:
- * http://giovanni.bajo.it/post/47119962313/golomb-coded-sets-smaller-than-bloom-filters
- * - The means that the push diary might be initialized with hash values of much
- * less than 64 bits, leading to more false positives, but smaller digest size.
- ******************************************************************************/
-
-
#define GCSLOG_LEVEL APLOG_TRACE1
typedef struct h2_push_diary_entry {
@@ -617,38 +590,48 @@ static int h2_push_diary_find(h2_push_diary *diary, apr_uint64_t hash)
return -1;
}
-static h2_push_diary_entry *move_to_last(h2_push_diary *diary, apr_size_t idx)
+static void move_to_last(h2_push_diary *diary, apr_size_t idx)
{
h2_push_diary_entry *entries = (h2_push_diary_entry*)diary->entries->elts;
h2_push_diary_entry e;
- apr_size_t lastidx = diary->entries->nelts-1;
+ int lastidx;
+ /* Move an existing entry to the last place */
+ if (diary->entries->nelts <= 0)
+ return;
+
/* move entry[idx] to the end */
+ lastidx = diary->entries->nelts - 1;
if (idx < lastidx) {
e = entries[idx];
- memmove(entries+idx, entries+idx+1, sizeof(e) * (lastidx - idx));
+ memmove(entries+idx, entries+idx+1, sizeof(h2_push_diary_entry) * (lastidx - idx));
entries[lastidx] = e;
}
- return &entries[lastidx];
}
-static void h2_push_diary_append(h2_push_diary *diary, h2_push_diary_entry *e)
+static void remove_first(h2_push_diary *diary)
{
- h2_push_diary_entry *ne;
+ h2_push_diary_entry *entries = (h2_push_diary_entry*)diary->entries->elts;
+ int lastidx;
- if (diary->entries->nelts < diary->N) {
- /* append a new diary entry at the end */
- APR_ARRAY_PUSH(diary->entries, h2_push_diary_entry) = *e;
- ne = &APR_ARRAY_IDX(diary->entries, diary->entries->nelts-1, h2_push_diary_entry);
+ /* move remaining entries to index 0 */
+ lastidx = diary->entries->nelts - 1;
+ if (lastidx > 0) {
+ --diary->entries->nelts;
+ memmove(entries, entries+1, sizeof(h2_push_diary_entry) * diary->entries->nelts);
}
- else {
- /* replace content with new digest. keeps memory usage constant once diary is full */
- ne = move_to_last(diary, 0);
- *ne = *e;
+}
+
+static void h2_push_diary_append(h2_push_diary *diary, h2_push_diary_entry *e)
+{
+ while (diary->entries->nelts >= diary->N) {
+ remove_first(diary);
}
+ /* append a new diary entry at the end */
+ APR_ARRAY_PUSH(diary->entries, h2_push_diary_entry) = *e;
/* Intentional no APLOGNO */
ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, diary->entries->pool,
- "push_diary_append: %"APR_UINT64_T_HEX_FMT, ne->hash);
+ "push_diary_append: %"APR_UINT64_T_HEX_FMT, e->hash);
}
apr_array_header_t *h2_push_diary_update(h2_session *session, apr_array_header_t *pushes)
@@ -691,30 +674,12 @@ apr_array_header_t *h2_push_collect_update(h2_stream *stream,
const struct h2_request *req,
const struct h2_headers *res)
{
- h2_session *session = stream->session;
- const char *cache_digest = apr_table_get(req->headers, "Cache-Digest");
apr_array_header_t *pushes;
- apr_status_t status;
- if (cache_digest && session->push_diary) {
- status = h2_push_diary_digest64_set(session->push_diary, req->authority,
- cache_digest, stream->pool);
- if (status != APR_SUCCESS) {
- ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, session->c,
- H2_SSSN_LOG(APLOGNO(03057), session,
- "push diary set from Cache-Digest: %s"), cache_digest);
- }
- }
pushes = h2_push_collect(stream->pool, req, stream->push_policy, res);
return h2_push_diary_update(stream->session, pushes);
}
-static apr_int32_t h2_log2inv(unsigned char log2)
-{
- return log2? (1 << log2) : 1;
-}
-
-
typedef struct {
h2_push_diary *diary;
unsigned char log2p;
@@ -829,11 +794,6 @@ apr_status_t h2_push_diary_digest_get(h2_push_diary *diary, apr_pool_t *pool,
apr_size_t hash_count;
nelts = diary->entries->nelts;
-
- if (nelts > APR_UINT32_MAX) {
- /* should not happen */
- return APR_ENOTIMPL;
- }
N = ceil_power_of_2(nelts);
log2n = h2_log2(N);
@@ -895,166 +855,3 @@ apr_status_t h2_push_diary_digest_get(h2_push_diary *diary, apr_pool_t *pool,
return APR_SUCCESS;
}
-typedef struct {
- h2_push_diary *diary;
- apr_pool_t *pool;
- unsigned char log2p;
- const unsigned char *data;
- apr_size_t datalen;
- apr_size_t offset;
- unsigned int bit;
- apr_uint64_t last_val;
-} gset_decoder;
-
-static int gset_decode_next_bit(gset_decoder *decoder)
-{
- if (++decoder->bit >= 8) {
- if (++decoder->offset >= decoder->datalen) {
- return -1;
- }
- decoder->bit = 0;
- }
- return (decoder->data[decoder->offset] & cbit_mask[decoder->bit])? 1 : 0;
-}
-
-static apr_status_t gset_decode_next(gset_decoder *decoder, apr_uint64_t *phash)
-{
- apr_uint64_t flex = 0, fixed = 0, delta;
- int i;
-
- /* read 1 bits until we encounter 0, then read log2n(diary-P) bits.
- * On a malformed bit-string, this will not fail, but produce results
- * which are pbly too large. Luckily, the diary will modulo the hash.
- */
- while (1) {
- int bit = gset_decode_next_bit(decoder);
- if (bit == -1) {
- return APR_EINVAL;
- }
- if (!bit) {
- break;
- }
- ++flex;
- }
-
- for (i = 0; i < decoder->log2p; ++i) {
- int bit = gset_decode_next_bit(decoder);
- if (bit == -1) {
- return APR_EINVAL;
- }
- fixed = (fixed << 1) | bit;
- }
-
- delta = (flex << decoder->log2p) | fixed;
- *phash = delta + decoder->last_val;
- decoder->last_val = *phash;
-
- /* Intentional no APLOGNO */
- ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, decoder->pool,
- "h2_push_diary_digest_dec: val=%"APR_UINT64_T_HEX_FMT", delta=%"
- APR_UINT64_T_HEX_FMT", flex=%d, fixed=%"APR_UINT64_T_HEX_FMT,
- *phash, delta, (int)flex, fixed);
-
- return APR_SUCCESS;
-}
-
-/**
- * Initialize the push diary by a cache digest as described in
- * https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
- * .
- * @param diary the diary to set the digest into
- * @param data the binary cache digest
- * @param len the length of the cache digest
- * @return APR_EINVAL if digest was not successfully parsed
- */
-apr_status_t h2_push_diary_digest_set(h2_push_diary *diary, const char *authority,
- const char *data, apr_size_t len)
-{
- gset_decoder decoder;
- unsigned char log2n, log2p;
- int N, i;
- apr_pool_t *pool = diary->entries->pool;
- h2_push_diary_entry e;
- apr_status_t status = APR_SUCCESS;
-
- if (len < 2) {
- /* at least this should be there */
- return APR_EINVAL;
- }
- log2n = data[0];
- log2p = data[1];
- diary->mask_bits = log2n + log2p;
- if (diary->mask_bits > 64) {
- /* cannot handle */
- return APR_ENOTIMPL;
- }
-
- /* whatever is in the digest, it replaces the diary entries */
- apr_array_clear(diary->entries);
- if (!authority || !strcmp("*", authority)) {
- diary->authority = NULL;
- }
- else if (!diary->authority || strcmp(diary->authority, authority)) {
- diary->authority = apr_pstrdup(diary->entries->pool, authority);
- }
-
- N = h2_log2inv(log2n + log2p);
-
- decoder.diary = diary;
- decoder.pool = pool;
- decoder.log2p = log2p;
- decoder.data = (const unsigned char*)data;
- decoder.datalen = len;
- decoder.offset = 1;
- decoder.bit = 8;
- decoder.last_val = 0;
-
- diary->N = N;
- /* Determine effective N we use for storage */
- if (!N) {
- /* a totally empty cache digest. someone tells us that she has no
- * entries in the cache at all. Use our own preferences for N+mask
- */
- diary->N = diary->NMax;
- return APR_SUCCESS;
- }
- else if (N > diary->NMax) {
- /* Store not more than diary is configured to hold. We open us up
- * to DOS attacks otherwise. */
- diary->N = diary->NMax;
- }
-
- /* Intentional no APLOGNO */
- ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, pool,
- "h2_push_diary_digest_set: N=%d, log2n=%d, "
- "diary->mask_bits=%d, dec.log2p=%d",
- (int)diary->N, (int)log2n, diary->mask_bits,
- (int)decoder.log2p);
-
- for (i = 0; i < diary->N; ++i) {
- if (gset_decode_next(&decoder, &e.hash) != APR_SUCCESS) {
- /* the data may have less than N values */
- break;
- }
- h2_push_diary_append(diary, &e);
- }
-
- /* Intentional no APLOGNO */
- ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, pool,
- "h2_push_diary_digest_set: diary now with %d entries, mask_bits=%d",
- (int)diary->entries->nelts, diary->mask_bits);
- return status;
-}
-
-apr_status_t h2_push_diary_digest64_set(h2_push_diary *diary, const char *authority,
- const char *data64url, apr_pool_t *pool)
-{
- const char *data;
- apr_size_t len = h2_util_base64url_decode(&data, data64url, pool);
- /* Intentional no APLOGNO */
- ap_log_perror(APLOG_MARK, GCSLOG_LEVEL, 0, pool,
- "h2_push_diary_digest64_set: digest=%s, dlen=%d",
- data64url, (int)len);
- return h2_push_diary_digest_set(diary, authority, data, len);
-}
-
diff --git a/modules/http2/h2_push.h b/modules/http2/h2_push.h
index bc24e68..d061dd8 100644
--- a/modules/http2/h2_push.h
+++ b/modules/http2/h2_push.h
@@ -35,6 +35,44 @@ typedef enum {
H2_PUSH_DIGEST_SHA256
} h2_push_digest_type;
+/*******************************************************************************
+ * push diary
+ *
+ * - The push diary keeps track of resources already PUSHed via HTTP/2 on this
+ * connection. It records a hash value from the absolute URL of the resource
+ * pushed.
+ * - Lacking openssl,
+ * - with openssl, it uses SHA256 to calculate the hash value, otherwise it
+ * falls back to apr_hashfunc_default()
+ * - whatever the method to generate the hash, the diary keeps a maximum of 64
+ * bits per hash, limiting the memory consumption to about
+ * H2PushDiarySize * 8
+ * bytes. Entries are sorted by most recently used and oldest entries are
+ * forgotten first.
+ * - While useful by itself to avoid duplicated PUSHes on the same connection,
+ * the original idea was that clients provided a 'Cache-Digest' header with
+ * the values of *their own* cached resources. This was described in
+ * <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>
+ * and some subsequent revisions that tweaked values but kept the overall idea.
+ * - The draft was abandoned by the IETF http-wg, as support from major clients,
+ * e.g. browsers, was lacking for various reasons.
+ * - For these reasons, mod_h2 abandoned its support for client supplied values
+ * but keeps the diary. It seems to provide value for applications using PUSH,
+ * is configurable in size and defaults to a very moderate amount of memory
+ * used.
+ * - The cache digest header is a Golomb Coded Set of hash values, but it may
+ * limit the amount of bits per hash value even further. For a good description
+ * of GCS, read here:
+ * <http://giovanni.bajo.it/post/47119962313/golomb-coded-sets-smaller-than-bloom-filters>
+ ******************************************************************************/
+
+
+/*
+ * The push diary is based on the abandoned draft
+ * <https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/>
+ * that describes how to use golomb filters.
+ */
+
typedef struct h2_push_diary h2_push_diary;
typedef void h2_push_digest_calc(h2_push_diary *diary, apr_uint64_t *phash, h2_push *push);
@@ -101,20 +139,4 @@ apr_status_t h2_push_diary_digest_get(h2_push_diary *diary, apr_pool_t *p,
int maxP, const char *authority,
const char **pdata, apr_size_t *plen);
-/**
- * Initialize the push diary by a cache digest as described in
- * https://datatracker.ietf.org/doc/draft-kazuho-h2-cache-digest/
- * .
- * @param diary the diary to set the digest into
- * @param authority the authority to set the data for
- * @param data the binary cache digest
- * @param len the length of the cache digest
- * @return APR_EINVAL if digest was not successfully parsed
- */
-apr_status_t h2_push_diary_digest_set(h2_push_diary *diary, const char *authority,
- const char *data, apr_size_t len);
-
-apr_status_t h2_push_diary_digest64_set(h2_push_diary *diary, const char *authority,
- const char *data64url, apr_pool_t *pool);
-
#endif /* defined(__mod_h2__h2_push__) */

59
httpd-2.4.25-detect-systemd.patch → httpd-2.4.43-detect-systemd.patch
View File

@ -1,25 +1,8 @@
diff -uap httpd-2.4.25/configure.in.detectsystemd httpd-2.4.25/configure.in
--- httpd-2.4.25/configure.in.detectsystemd
+++ httpd-2.4.25/configure.in
@@ -234,6 +234,7 @@
AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
else
AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
fi
@@ -668,6 +676,7 @@
APACHE_SUBST(BUILTIN_LIBS)
APACHE_SUBST(SHLIBPATH_VAR)
APACHE_SUBST(OS_SPECIFIC_VARS)
+APACHE_SUBST(HTTPD_LIBS)
PRE_SHARED_CMDS='echo ""'
POST_SHARED_CMDS='echo ""'
--- httpd-2.4.25/Makefile.in.detectsystemd
+++ httpd-2.4.25/Makefile.in
@@ -4,7 +4,7 @@
diff --git a/Makefile.in b/Makefile.in
index 0b088ac..9eeb5c7 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test
PROGRAM_NAME = $(progname)
PROGRAM_SOURCES = modules.c
@ -28,3 +11,35 @@ diff -uap httpd-2.4.25/configure.in.detectsystemd httpd-2.4.25/configure.in
PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c
PROGRAM_DEPENDENCIES = \
server/libmain.la \
diff --git a/acinclude.m4 b/acinclude.m4
index 2a7e5d1..eb28321 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -624,6 +624,7 @@ case $host in
if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
AC_MSG_WARN([Your system does not support systemd.])
else
+ APR_ADDTO(HTTPD_LIBS, [$SYSTEMD_LIBS])
AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported])
fi
fi
diff --git a/configure.in b/configure.in
index 3618a5a..74a782b 100644
--- a/configure.in
+++ b/configure.in
@@ -234,6 +234,7 @@ if test "$PCRE_CONFIG" != "false"; then
AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
else
AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
fi
@@ -710,6 +711,7 @@ APACHE_SUBST(OS_DIR)
APACHE_SUBST(BUILTIN_LIBS)
APACHE_SUBST(SHLIBPATH_VAR)
APACHE_SUBST(OS_SPECIFIC_VARS)
+APACHE_SUBST(HTTPD_LIBS)
PRE_SHARED_CMDS='echo ""'
POST_SHARED_CMDS='echo ""'

93
httpd-2.4.43-gettid.patch Normal file
View File

@ -0,0 +1,93 @@
From d4e5b6e1e5585d341d1e51f1ddc637c099111076 Mon Sep 17 00:00:00 2001
From: Joe Orton <jorton@redhat.com>
Date: Tue, 7 Jul 2020 09:48:01 +0100
Subject: [PATCH] Check and use gettid() directly with glibc 2.30+.
* configure.in: Check for gettid() and define HAVE_SYS_GETTID if
gettid() is only usable via syscall().
* server/log.c (log_tid): Use gettid() directly if available.
---
configure.in | 14 +++++++++-----
server/log.c | 8 ++++++--
2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/configure.in b/configure.in
index 423d58d4b9a..60cbf7b7f81 100644
--- httpd-2.4.43/configure.in.gettid
+++ httpd-2.4.43/configure.in
@@ -478,7 +500,8 @@
timegm \
getpgid \
fopen64 \
-getloadavg
+getloadavg \
+gettid
)
dnl confirm that a void pointer is large enough to store a long integer
@@ -489,16 +512,19 @@
APR_ADDTO(HTTPD_LIBS, [-lselinux])
])
-AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+if test $ac_cv_func_gettid = no; then
+ # On Linux before glibc 2.30, gettid() is only usable via syscall()
+ AC_CACHE_CHECK([for gettid() via syscall], ap_cv_gettid,
[AC_TRY_RUN(#define _GNU_SOURCE
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>
int main(int argc, char **argv) {
pid_t t = syscall(SYS_gettid); return t == -1 ? 1 : 0; },
-[ac_cv_gettid=yes], [ac_cv_gettid=no], [ac_cv_gettid=no])])
-if test "$ac_cv_gettid" = "yes"; then
- AC_DEFINE(HAVE_GETTID, 1, [Define if you have gettid()])
+ [ap_cv_gettid=yes], [ap_cv_gettid=no], [ap_cv_gettid=no])])
+ if test "$ap_cv_gettid" = "yes"; then
+ AC_DEFINE(HAVE_SYS_GETTID, 1, [Define if you have gettid() via syscall()])
+ fi
fi
dnl ## Check for the tm_gmtoff field in struct tm to get the timezone diffs
--- httpd-2.4.43/server/log.c.gettid
+++ httpd-2.4.43/server/log.c
@@ -55,7 +55,7 @@
#include "ap_mpm.h"
#include "ap_listen.h"
-#if HAVE_GETTID
+#if HAVE_SYS_GETTID
#include <sys/syscall.h>
#include <sys/types.h>
#endif
@@ -625,14 +625,18 @@
#if APR_HAS_THREADS
int result;
#endif
-#if HAVE_GETTID
+#if defined(HAVE_GETTID) || defined(HAVE_SYS_GETTID)
if (arg && *arg == 'g') {
+#ifdef HAVE_GETTID
+ pid_t tid = gettid();
+#else
pid_t tid = syscall(SYS_gettid);
+#endif
if (tid == -1)
return 0;
return apr_snprintf(buf, buflen, "%"APR_PID_T_FMT, tid);
}
-#endif
+#endif /* HAVE_GETTID || HAVE_SYS_GETTID */
#if APR_HAS_THREADS
if (ap_mpm_query(AP_MPMQ_IS_THREADED, &result) == APR_SUCCESS
&& result != AP_MPMQ_NOT_SUPPORTED)
@@ -966,7 +970,7 @@
#if APR_HAS_THREADS
field_start = len;
len += cpystrn(buf + len, ":tid ", buflen - len);
- item_len = log_tid(info, NULL, buf + len, buflen - len);
+ item_len = log_tid(info, "g", buf + len, buflen - len);
if (!item_len)
len = field_start;
else

1413
httpd-2.4.43-r1828172+.patch Normal file
View File

File diff suppressed because it is too large Load Diff

271
httpd-2.4.43-r1861793+.patch Normal file
View File

@ -0,0 +1,271 @@
diff --git a/configure.in b/configure.in
index cb43246..0bb6b0d 100644
--- httpd-2.4.43/configure.in.r1861793+
+++ httpd-2.4.43/configure.in
@@ -465,6 +465,28 @@
AC_SEARCH_LIBS(crypt, crypt)
CRYPT_LIBS="$LIBS"
APACHE_SUBST(CRYPT_LIBS)
+
+if test "$ac_cv_search_crypt" != "no"; then
+ # Test crypt() with the SHA-512 test vector from https://akkadia.org/drepper/SHA-crypt.txt
+ AC_CACHE_CHECK([whether crypt() supports SHA-2], [ap_cv_crypt_sha2], [
+ AC_RUN_IFELSE([AC_LANG_PROGRAM([[
+#include <crypt.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define PASSWD_0 "Hello world!"
+#define SALT_0 "\$6\$saltstring"
+#define EXPECT_0 "\$6\$saltstring\$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJu" \
+ "esI68u4OTLiBFdcbYEdFCoEOfaS35inz1"
+]], [char *result = crypt(PASSWD_0, SALT_0);
+ if (!result) return 1;
+ if (strcmp(result, EXPECT_0)) return 2;
+])], [ap_cv_crypt_sha2=yes], [ap_cv_crypt_sha2=no])])
+ if test "$ap_cv_crypt_sha2" = yes; then
+ AC_DEFINE([HAVE_CRYPT_SHA2], 1, [Define if crypt() supports SHA-2 hashes])
+ fi
+fi
+
LIBS="$saved_LIBS"
dnl See Comment #Spoon
--- httpd-2.4.43/docs/man/htpasswd.1.r1861793+
+++ httpd-2.4.43/docs/man/htpasswd.1
@@ -27,16 +27,16 @@
.SH "SYNOPSIS"
.PP
-\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
+\fB\fBhtpasswd\fR [ -\fBc\fR ] [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBb\fR [ -\fBc\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] [ -\fBD\fR ] [ -\fBv\fR ] \fIpasswdfile\fR \fIusername\fR \fIpassword\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
+\fB\fBhtpasswd\fR -\fBn\fR [ -\fBi\fR ] [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR\fR
.PP
-\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
+\fB\fBhtpasswd\fR -\fBnb\fR [ -\fBm\fR | -\fBB\fR | -\fB2\fR | -\fB5\fR | -\fBd\fR | -\fBs\fR | -\fBp\fR ] [ -\fBr\fR \fIrounds\fR ] [ -\fBC\fR \fIcost\fR ] \fIusername\fR \fIpassword\fR\fR
.SH "SUMMARY"
@@ -48,7 +48,7 @@
Resources available from the Apache HTTP server can be restricted to just the users listed in the files created by \fBhtpasswd\fR\&. This program can only manage usernames and passwords stored in a flat-file\&. It can encrypt and display password information for use in other types of data stores, though\&. To use a DBM database see dbmmanage or htdbm\&.
.PP
-\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA1, or the system's \fBcrypt()\fR routine\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
+\fBhtpasswd\fR encrypts passwords using either bcrypt, a version of MD5 modified for Apache, SHA-1, or the system's \fBcrypt()\fR routine\&. SHA-2-based hashes (SHA-256 and SHA-512) are supported for \fBcrypt()\fR\&. Files managed by \fBhtpasswd\fR may contain a mixture of different encoding types of passwords; some user records may have bcrypt or MD5-encrypted passwords while others in the same file may have passwords encrypted with \fBcrypt()\fR\&.
.PP
This manual page only lists the command line arguments\&. For details of the directives necessary to configure user authentication in httpd see the Apache manual, which is part of the Apache distribution or can be found at http://httpd\&.apache\&.org/\&.
@@ -73,17 +73,26 @@
\fB-m\fR
Use MD5 encryption for passwords\&. This is the default (since version 2\&.2\&.18)\&.
.TP
+\fB-2\fR
+Use SHA-256 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
+\fB-5\fR
+Use SHA-512 \fBcrypt()\fR based hashes for passwords\&. This is supported on most Unix platforms\&.
+.TP
\fB-B\fR
Use bcrypt encryption for passwords\&. This is currently considered to be very secure\&.
.TP
\fB-C\fR
This flag is only allowed in combination with \fB-B\fR (bcrypt encryption)\&. It sets the computing time used for the bcrypt algorithm (higher is more secure but slower, default: 5, valid: 4 to 17)\&.
.TP
+\fB-r\fR
+This flag is only allowed in combination with \fB-2\fR or \fB-5\fR\&. It sets the number of hash rounds used for the SHA-2 algorithms (higher is more secure but slower; the default is 5,000)\&.
+.TP
\fB-d\fR
Use \fBcrypt()\fR encryption for passwords\&. This is not supported by the httpd server on Windows and Netware\&. This algorithm limits the password length to 8 characters\&. This algorithm is \fBinsecure\fR by today's standards\&. It used to be the default algorithm until version 2\&.2\&.17\&.
.TP
\fB-s\fR
-Use SHA encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
+Use SHA-1 (160-bit) encryption for passwords\&. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif)\&. This algorithm is \fBinsecure\fR by today's standards\&.
.TP
\fB-p\fR
Use plaintext passwords\&. Though \fBhtpasswd\fR will support creation on all platforms, the httpd daemon will only accept plain text passwords on Windows and Netware\&.
@@ -152,10 +161,13 @@
When using the \fBcrypt()\fR algorithm, note that only the first 8 characters of the password are used to form the password\&. If the supplied password is longer, the extra characters will be silently discarded\&.
.PP
-The SHA encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
+The SHA-1 encryption format does not use salting: for a given password, there is only one encrypted representation\&. The \fBcrypt()\fR and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult\&.
+
+.PP
+The SHA-1 and \fBcrypt()\fR formats are insecure by today's standards\&.
.PP
-The SHA and \fBcrypt()\fR formats are insecure by today's standards\&.
+The SHA-2-based \fBcrypt()\fR formats (SHA-256 and SHA-512) are supported on most modern Unix systems, and follow the specification at https://www\&.akkadia\&.org/drepper/SHA-crypt\&.txt\&.
.SH "RESTRICTIONS"
--- httpd-2.4.43/support/htpasswd.c.r1861793+
+++ httpd-2.4.43/support/htpasswd.c
@@ -109,17 +109,21 @@
"for it." NL
" -i Read password from stdin without verification (for script usage)." NL
" -m Force MD5 encryption of the password (default)." NL
- " -B Force bcrypt encryption of the password (very secure)." NL
+ " -2 Force SHA-256 crypt() hash of the password (very secure)." NL
+ " -5 Force SHA-512 crypt() hash of the password (very secure)." NL
+ " -B Force bcrypt encryption of the password (very secure)." NL
" -C Set the computing time used for the bcrypt algorithm" NL
" (higher is more secure but slower, default: %d, valid: 4 to 17)." NL
+ " -r Set the number of rounds used for the SHA-256, SHA-512 algorithms" NL
+ " (higher is more secure but slower, default: 5000)." NL
" -d Force CRYPT encryption of the password (8 chars max, insecure)." NL
- " -s Force SHA encryption of the password (insecure)." NL
+ " -s Force SHA-1 encryption of the password (insecure)." NL
" -p Do not encrypt the password (plaintext, insecure)." NL
" -D Delete the specified user." NL
" -v Verify password for the specified user." NL
"On other systems than Windows and NetWare the '-p' flag will "
"probably not work." NL
- "The SHA algorithm does not use a salt and is less secure than the "
+ "The SHA-1 algorithm does not use a salt and is less secure than the "
"MD5 algorithm." NL,
BCRYPT_DEFAULT_COST
);
@@ -178,7 +182,7 @@
if (rv != APR_SUCCESS)
exit(ERR_SYNTAX);
- while ((rv = apr_getopt(state, "cnmspdBbDiC:v", &opt, &opt_arg)) == APR_SUCCESS) {
+ while ((rv = apr_getopt(state, "cnmspdBbDi25C:r:v", &opt, &opt_arg)) == APR_SUCCESS) {
switch (opt) {
case 'c':
*mask |= APHTP_NEWFILE;
--- httpd-2.4.43/support/passwd_common.c.r1861793+
+++ httpd-2.4.43/support/passwd_common.c
@@ -179,16 +179,21 @@
int mkhash(struct passwd_ctx *ctx)
{
char *pw;
- char salt[16];
+ char salt[17];
apr_status_t rv;
int ret = 0;
#if CRYPT_ALGO_SUPPORTED
char *cbuf;
#endif
+#ifdef HAVE_CRYPT_SHA2
+ const char *setting;
+ char method;
+#endif
- if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT) {
+ if (ctx->cost != 0 && ctx->alg != ALG_BCRYPT
+ && ctx->alg != ALG_CRYPT_SHA256 && ctx->alg != ALG_CRYPT_SHA512 ) {
apr_file_printf(errfile,
- "Warning: Ignoring -C argument for this algorithm." NL);
+ "Warning: Ignoring -C/-r argument for this algorithm." NL);
}
if (ctx->passwd == NULL) {
@@ -246,6 +251,34 @@
break;
#endif /* CRYPT_ALGO_SUPPORTED */
+#ifdef HAVE_CRYPT_SHA2
+ case ALG_CRYPT_SHA256:
+ case ALG_CRYPT_SHA512:
+ ret = generate_salt(salt, 16, &ctx->errstr, ctx->pool);
+ if (ret != 0)
+ break;
+
+ method = ctx->alg == ALG_CRYPT_SHA256 ? '5': '6';
+
+ if (ctx->cost)
+ setting = apr_psprintf(ctx->pool, "$%c$rounds=%d$%s",
+ method, ctx->cost, salt);
+ else
+ setting = apr_psprintf(ctx->pool, "$%c$%s",
+ method, salt);
+
+ cbuf = crypt(pw, setting);
+ if (cbuf == NULL) {
+ rv = APR_FROM_OS_ERROR(errno);
+ ctx->errstr = apr_psprintf(ctx->pool, "crypt() failed: %pm", &rv);
+ ret = ERR_PWMISMATCH;
+ break;
+ }
+
+ apr_cpystrn(ctx->out, cbuf, ctx->out_len - 1);
+ break;
+#endif /* HAVE_CRYPT_SHA2 */
+
#if BCRYPT_ALGO_SUPPORTED
case ALG_BCRYPT:
rv = apr_generate_random_bytes((unsigned char*)salt, 16);
@@ -294,6 +327,19 @@
case 's':
ctx->alg = ALG_APSHA;
break;
+#ifdef HAVE_CRYPT_SHA2
+ case '2':
+ ctx->alg = ALG_CRYPT_SHA256;
+ break;
+ case '5':
+ ctx->alg = ALG_CRYPT_SHA512;
+ break;
+#else
+ case '2':
+ case '5':
+ ctx->errstr = "SHA-2 crypt() algorithms are not supported on this platform.";
+ return ERR_ALG_NOT_SUPP;
+#endif
case 'p':
ctx->alg = ALG_PLAIN;
#if !PLAIN_ALGO_SUPPORTED
@@ -324,11 +370,12 @@
return ERR_ALG_NOT_SUPP;
#endif
break;
- case 'C': {
+ case 'C':
+ case 'r': {
char *endptr;
long num = strtol(opt_arg, &endptr, 10);
if (*endptr != '\0' || num <= 0) {
- ctx->errstr = "argument to -C must be a positive integer";
+ ctx->errstr = "argument to -C/-r must be a positive integer";
return ERR_SYNTAX;
}
ctx->cost = num;
--- httpd-2.4.43/support/passwd_common.h.r1861793+
+++ httpd-2.4.43/support/passwd_common.h
@@ -28,6 +28,8 @@
#include "apu_version.h"
#endif
+#include "ap_config_auto.h"
+
#define MAX_STRING_LEN 256
#define ALG_PLAIN 0
@@ -35,6 +37,8 @@
#define ALG_APMD5 2
#define ALG_APSHA 3
#define ALG_BCRYPT 4
+#define ALG_CRYPT_SHA256 5
+#define ALG_CRYPT_SHA512 6
#define BCRYPT_DEFAULT_COST 5
@@ -84,7 +88,7 @@
apr_size_t out_len;
char *passwd;
int alg;
- int cost;
+ int cost; /* cost for bcrypt, rounds for SHA-2 */
enum {
PW_PROMPT = 0,
PW_ARG,

BIN
httpd-2.4.43.tar.bz2
View File

Binary file not shown.

13
httpd-2.4.46-htcacheclean-dont-break.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/support/htcacheclean.c b/support/htcacheclean.c
index 958ba6d..0a7fe3c 100644
--- a/support/htcacheclean.c
+++ b/support/htcacheclean.c
@@ -557,8 +557,6 @@ static int list_urls(char *path, apr_pool_t *pool, apr_off_t round)
}
}
}
-
- break;
}
}
}

40
httpd-2.4.43-lua-resume.patch → httpd-2.4.46-lua-resume.patch
View File

@ -1,5 +1,27 @@
diff --git a/modules/lua/config.m4 b/modules/lua/config.m4
index 29fd563..abeba1c 100644
--- a/modules/lua/config.m4
+++ b/modules/lua/config.m4
@@ -34,7 +34,7 @@ AC_DEFUN([CHECK_LUA_PATH], [dnl
fi
])
-dnl Check for Lua 5.3/5.2/5.1 Libraries
+dnl Check for Lua Libraries
dnl CHECK_LUA(ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND])
dnl Sets:
dnl LUA_CFLAGS
@@ -44,7 +44,7 @@ AC_DEFUN([CHECK_LUA],
AC_ARG_WITH(
lua,
- [AC_HELP_STRING([--with-lua=PATH],[Path to the Lua 5.3/5.2/5.1 prefix])],
+ [AC_HELP_STRING([--with-lua=PATH],[Path to the Lua installation prefix])],
lua_path="$withval",
:)
diff --git a/modules/lua/mod_lua.c b/modules/lua/mod_lua.c
index 05f1e44..be3bedf 100644
index 05f1e44..18b628c 100644
--- a/modules/lua/mod_lua.c
+++ b/modules/lua/mod_lua.c
@@ -342,7 +342,7 @@ static apr_status_t lua_setup_filter_ctx(ap_filter_t* f, request_rec* r, lua_fil
@ -34,7 +56,7 @@ index 05f1e44..be3bedf 100644
/* If Lua yielded, it means we have something to pass on */
- if (lua_resume(L, 0) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
size_t olen;
const char* output = lua_tolstring(L, 1, &olen);
if (olen > 0) {
@ -43,7 +65,7 @@ index 05f1e44..be3bedf 100644
lua_pushnil(L);
lua_setglobal(L, "bucket");
- if (lua_resume(L, 0) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
apr_bucket *pbktOut;
size_t olen;
const char* output = lua_tolstring(L, 1, &olen);
@ -61,7 +83,7 @@ index 05f1e44..be3bedf 100644
/* If Lua yielded, it means we have something to pass on */
- if (lua_resume(L, 0) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
size_t olen;
const char* output = lua_tolstring(L, 1, &olen);
pbktOut = apr_bucket_heap_create(output, olen, 0, c->bucket_alloc);
@ -70,15 +92,15 @@ index 05f1e44..be3bedf 100644
lua_pushnil(L);
lua_setglobal(L, "bucket");
- if (lua_resume(L, 0) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD) {
+ if (lua_resume(L, 0, &nres) == LUA_YIELD && nres == 1) {
apr_bucket *pbktOut;
size_t olen;
const char* output = lua_tolstring(L, 1, &olen);
diff --git a/modules/lua/mod_lua.h b/modules/lua/mod_lua.h
index 0e49cdc..8921b87 100644
index 0e49cdc..72b4de7 100644
--- a/modules/lua/mod_lua.h
+++ b/modules/lua/mod_lua.h
@@ -48,7 +48,13 @@
@@ -48,7 +48,15 @@
#if LUA_VERSION_NUM > 501
/* Load mode for lua_load() */
#define lua_load(a,b,c,d) lua_load(a,b,c,d,NULL)
@ -87,7 +109,9 @@ index 0e49cdc..8921b87 100644
+#if LUA_VERSION_NUM > 503
+#define lua_resume(a,b,c) lua_resume(a, NULL, b, c)
+#else
+#define lua_resume(a,b,c) lua_resume(a, NULL, b)
+/* ### For version < 5.4, assume that exactly one stack item is on the
+ * stack, which is what the code did before but seems dubious. */
+#define lua_resume(a,b,c) (*(c) = 1, lua_resume(a, NULL, b))
+#endif
+
#define luaL_setfuncs_compat(a,b) luaL_setfuncs(a,b,0)

BIN
httpd-2.4.46.tar.bz2 Normal file
View File

Binary file not shown.

25
httpd.spec
View File

@ -7,8 +7,8 @@
Name: httpd
Summary: Apache HTTP Server
Version: 2.4.43
Release: 4
Version: 2.4.46
Release: 1
License: ASL 2.0
URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -54,7 +54,7 @@ Patch0: httpd-2.4.1-apctl.patch
Patch1: httpd-2.4.9-apxs.patch
Patch2: httpd-2.4.1-deplibs.patch
Patch3: httpd-2.4.3-apctl-systemd.patch
Patch4: httpd-2.4.25-detect-systemd.patch
Patch4: httpd-2.4.43-detect-systemd.patch
Patch5: httpd-2.4.33-export.patch
Patch6: httpd-2.4.1-corelimit.patch
Patch7: httpd-2.4.25-selinux.patch
@ -65,10 +65,11 @@ Patch11: httpd-2.4.34-sslciphdefault.patch
Patch12: httpd-2.4.34-sslprotdefault.patch
Patch13: httpd-2.4.34-enable-sslv3.patch
Patch14: layout_add_openEuler.patch
Patch15: httpd-2.4.43-lua-resume.patch
Patch16: CVE-2020-11984.patch
Patch17: CVE-2020-11993.patch
Patch18: CVE-2020-9490.patch
Patch15: httpd-2.4.46-lua-resume.patch
Patch16: httpd-2.4.43-gettid.patch
Patch17: httpd-2.4.43-r1861793+.patch
Patch18: httpd-2.4.43-r1828172+.patch
Patch19: httpd-2.4.46-htcacheclean-dont-break.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -355,10 +356,6 @@ exit 0
%postun
%systemd_postun httpd.service htcacheclean.service httpd.socket
%triggerun -- httpd < 2.2.21-5
/usr/bin/systemd-sysv-convert --save httpd.service >/dev/null 2>&1 ||:
/sbin/chkconfig --del httpd >/dev/null 2>&1 || :
%posttrans
test -f /etc/sysconfig/httpd-disable-posttrans || \
/bin/systemctl try-restart --no-block httpd.service htcacheclean.service >/dev/null 2>&1 || :
@ -505,6 +502,12 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Tue Jan 26 2021 xihaochen<xihaochen@huawei.com> - 2.4.46-1
- Type:requirements
- ID:NA
- SUG:NA
- DESC: update httpd to 2.4.46
* Sun Sep 27 2020 yuboyun <yuboyun@huawei.com> - 2.4.43-4
- Type:cves
- ID:CVE-2020-9490 CVE-2020-11984 CVE-2020-11993