Index: trunk/server/common/patches/httpd-2.2.x-CVE-2011-3607.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-CVE-2011-3607.patch	(revision 2156)
+++ 	(revision )
@@ -1,32 +1,0 @@
---- httpd/httpd/branches/2.2.x/server/util.c	2012/01/04 19:42:04	1227279
-+++ httpd/httpd/branches/2.2.x/server/util.c	2012/01/04 19:45:22	1227280
-@@ -82,6 +82,8 @@
- #define IS_SLASH(s) (s == '/')
- #endif
- 
-+/* same as APR_SIZE_MAX which doesn't appear until APR 1.3 */
-+#define UTIL_SIZE_MAX (~((apr_size_t)0))
- 
- /*
-  * Examine a field value (such as a media-/content-type) string and return
-@@ -366,7 +368,7 @@
-     char *dest, *dst;
-     char c;
-     size_t no;
--    int len;
-+    apr_size_t len;
- 
-     if (!source)
-         return NULL;
-@@ -391,6 +393,11 @@
-             len++;
-         }
-         else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
-+            if (UTIL_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
-+                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-+                             "integer overflow or out of memory condition." );
-+                return NULL;
-+            }
-             len += pmatch[no].rm_eo - pmatch[no].rm_so;
-         }
- 
Index: trunk/server/common/patches/httpd-2.2.x-CVE-2012-0031.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-CVE-2012-0031.patch	(revision 2156)
+++ 	(revision )
@@ -1,29 +1,0 @@
---- httpd/httpd/branches/2.2.x/server/scoreboard.c	2012/01/13 13:27:19	1231057
-+++ httpd/httpd/branches/2.2.x/server/scoreboard.c	2012/01/13 13:27:46	1231058
-@@ -42,6 +42,8 @@
- AP_DECLARE_DATA int ap_extended_status = 0;
- AP_DECLARE_DATA int ap_mod_status_reqtail = 0;
- 
-+static ap_scoreboard_e scoreboard_type;
-+
- #if APR_HAS_SHARED_MEMORY
- 
- #include "apr_shm.h"
-@@ -250,7 +252,7 @@
-     if (ap_scoreboard_image == NULL) {
-         return APR_SUCCESS;
-     }
--    if (ap_scoreboard_image->global->sb_type == SB_SHARED) {
-+    if (scoreboard_type == SB_SHARED) {
-         ap_cleanup_shared_mem(NULL);
-     }
-     else {
-@@ -312,7 +314,7 @@
-         ap_init_scoreboard(sb_mem);
-     }
- 
--    ap_scoreboard_image->global->sb_type = sb_type;
-+    ap_scoreboard_image->global->sb_type = scoreboard_type = sb_type;
-     ap_scoreboard_image->global->running_generation = 0;
-     ap_scoreboard_image->global->restart_time = apr_time_now();
- 
Index: trunk/server/common/patches/httpd-2.2.x-CVE-2012-0053.patch
===================================================================
--- trunk/server/common/patches/httpd-2.2.x-CVE-2012-0053.patch	(revision 2156)
+++ 	(revision )
@@ -1,84 +1,0 @@
---- httpd/httpd/branches/2.2.x/server/protocol.c	2012/01/24 19:59:57	1235453
-+++ httpd/httpd/branches/2.2.x/server/protocol.c	2012/01/24 20:02:19	1235454
-@@ -670,6 +670,16 @@
-     return 1;
- }
- 
-+/* get the length of the field name for logging, but no more than 80 bytes */
-+#define LOG_NAME_MAX_LEN 80
-+static int field_name_len(const char *field)
-+{
-+    const char *end = ap_strchr_c(field, ':');
-+    if (end == NULL || end - field > LOG_NAME_MAX_LEN)
-+        return LOG_NAME_MAX_LEN;
-+    return end - field;
-+}
-+
- AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
- {
-     char *last_field = NULL;
-@@ -709,12 +719,15 @@
-                 /* insure ap_escape_html will terminate correctly */
-                 field[len - 1] = '\0';
-                 apr_table_setn(r->notes, "error-notes",
--                               apr_pstrcat(r->pool,
-+                               apr_psprintf(r->pool,
-                                            "Size of a request header field "
-                                            "exceeds server limit.<br />\n"
--                                           "<pre>\n",
--                                           ap_escape_html(r->pool, field),
--                                           "</pre>\n", NULL));
-+                                           "<pre>\n%.*s\n</pre>/n",
-+                                           field_name_len(field), 
-+                                           ap_escape_html(r->pool, field)));
-+                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
-+                              "Request header exceeds LimitRequestFieldSize: "
-+                              "%.*s", field_name_len(field), field);
-             }
-             return;
-         }
-@@ -735,13 +748,17 @@
-                      * overflow (last_field) as the field with the problem
-                      */
-                     apr_table_setn(r->notes, "error-notes",
--                                   apr_pstrcat(r->pool,
-+                                   apr_psprintf(r->pool,
-                                                "Size of a request header field "
-                                                "after folding "
-                                                "exceeds server limit.<br />\n"
--                                               "<pre>\n",
--                                               ap_escape_html(r->pool, last_field),
--                                               "</pre>\n", NULL));
-+                                               "<pre>\n%.*s\n</pre>\n",
-+                                               field_name_len(last_field),
-+                                               ap_escape_html(r->pool, last_field)));
-+                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-+                                  "Request header exceeds LimitRequestFieldSize "
-+                                  "after folding: %.*s",
-+                                  field_name_len(last_field), last_field);
-                     return;
-                 }
- 
-@@ -773,13 +790,18 @@
-                 if (!(value = strchr(last_field, ':'))) { /* Find ':' or    */
-                     r->status = HTTP_BAD_REQUEST;      /* abort bad request */
-                     apr_table_setn(r->notes, "error-notes",
--                                   apr_pstrcat(r->pool,
-+                                   apr_psprintf(r->pool,
-                                                "Request header field is "
-                                                "missing ':' separator.<br />\n"
--                                               "<pre>\n",
-+                                               "<pre>\n%.*s</pre>\n",
-+                                               (int)LOG_NAME_MAX_LEN,
-                                                ap_escape_html(r->pool,
--                                                              last_field),
--                                               "</pre>\n", NULL));
-+                                                              last_field)));
-+                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
-+                                  "Request header field is missing ':' "
-+                                  "separator: %.*s", (int)LOG_NAME_MAX_LEN,
-+                                  last_field);
-+
-                     return;
-                 }
- 
Index: trunk/server/fedora/specs/httpd.spec.patch
===================================================================
--- trunk/server/fedora/specs/httpd.spec.patch	(revision 2156)
+++ trunk/server/fedora/specs/httpd.spec.patch	(revision 2157)
@@ -10,5 +10,5 @@
  Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
  Source1: index.html
-@@ -54,6 +54,18 @@
+@@ -54,6 +54,15 @@
  Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}
  Requires: httpd-tools = %{version}-%{release}, apr-util-ldap, systemd-units
@@ -22,7 +22,4 @@
 +Patch1007: httpd-fixup-vhost.patch
 +Patch1008: httpd-sysv-deps.patch
-+Patch1009: httpd-2.2.x-CVE-2011-3607.patch
-+Patch1010: httpd-2.2.x-CVE-2012-0053.patch
-+Patch1011: httpd-2.2.x-CVE-2012-0031.patch
 +
  %description
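Review bot: Dropping `Patch1009`–`Patch1011` here, together with the matching `%patch1009`–`%patch1011` lines in the later hunk, removes the backported fixes for CVE-2011-3607, CVE-2012-0053 and CVE-2012-0031, and nothing visible in this changeset shows the httpd `Version:` moving to a release that already carries them. If the base tarball is upgraded in the same revision this is presumably fine, but confirm that the new upstream `util.c`, `scoreboard.c` and `protocol.c` contain all three changes before deleting the patch files. I would also leave a trace next to the remaining patch list, for example `# CVE-2011-3607, CVE-2012-0031, CVE-2012-0053: fixed in the packaged upstream release, backports dropped`, so a later audit does not read the removal as a regression.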
@@ -57,5 +54,5 @@
  %patch1 -p1 -b .apctl
  %patch2 -p1 -b .apxs
-@@ -128,6 +147,17 @@
+@@ -128,6 +147,14 @@
  # Patch in vendor/release string
  sed "s/@RELEASE@/%{vstring}/" < %{PATCH20} | patch -p1
@@ -68,7 +65,4 @@
 +%patch1007 -p1 -b .fixup-vhost
 +# Note that patch1008 is not here, as it patches the initscript elsewhere in this .spec
-+%patch1009 -p4 -b .cve-2011-3607
-+%patch1010 -p4 -b .cve-2012-0053
-+%patch1011 -p4 -b .cve-2012-0031
 +
  # Safety check: prevent build if defined MMN does not equal upstream MMN.
