From c1c6d0869976ccbd0545c8317c015f23f40dd6d6 Mon Sep 17 00:00:00 2001 From: Roy Li Date: Wed, 6 May 2015 13:36:50 +0800 Subject: apache2: upgrade to 2.4.12 Remove apache-CVE-2014-0117.patch which apache2 2.4.12 has it Update the apache-ssl-ltmain-rpath.patch Backport the patch to fix CVE-2015-0228 Signed-off-by: Roy Li Signed-off-by: Martin Jansa --- .../recipes-httpd/apache2/apache2-native_2.4.10.bb | 45 ---- .../recipes-httpd/apache2/apache2-native_2.4.12.bb | 45 ++++ ...0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch | 58 +++++ .../apache2/apache2/apache-CVE-2014-0117.patch | 289 --------------------- .../apache2/apache2/apache-ssl-ltmain-rpath.patch | 62 +++-- .../recipes-httpd/apache2/apache2_2.4.10.bb | 164 ------------ .../recipes-httpd/apache2/apache2_2.4.12.bb | 164 ++++++++++++ 7 files changed, 302 insertions(+), 525 deletions(-) delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2-native_2.4.10.bb create mode 100644 meta-webserver/recipes-httpd/apache2/apache2-native_2.4.12.bb create mode 100644 meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch delete mode 100644 meta-webserver/recipes-httpd/apache2/apache2_2.4.10.bb create mode 100644 meta-webserver/recipes-httpd/apache2/apache2_2.4.12.bb diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.10.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.10.bb deleted file mode 100644 index 5963b79435..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.10.bb +++ /dev/null 
@@ -1,45 +0,0 @@ -DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \ -extensible web server." -SUMMARY = "Apache HTTP Server" -HOMEPAGE = "http://httpd.apache.org/" -DEPENDS = "expat-native pcre-native apr-native apr-util-native" -SECTION = "net" -LICENSE = "Apache-2.0" - -inherit autotools pkgconfig native - -SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ - file://0001-configure-use-pkg-config-for-PCRE-detection.patch \ - " - -S = "${WORKDIR}/httpd-${PV}" - -LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" -SRC_URI[md5sum] = "44543dff14a4ebc1e9e2d86780507156" -SRC_URI[sha256sum] = "176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a" - -EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ - --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \ - --prefix=${prefix} --datadir=${datadir}/apache2 \ - " - -do_install () { - install -d ${D}${bindir} ${D}${libdir} - cp server/gen_test_char ${D}${bindir} - install -m 755 support/apxs ${D}${bindir}/ - install -m 755 httpd ${D}${bindir}/ - install -d ${D}${datadir}/apache2/build - cp ${S}/build/*.mk ${D}${datadir}/apache2/build - cp build/*.mk ${D}${datadir}/apache2/build - cp ${S}/build/instdso.sh ${D}${datadir}/apache2/build - - install -d ${D}${includedir}/apache2 - cp ${S}/include/* ${D}${includedir}/apache2 - cp include/* ${D}${includedir}/apache2 - cp ${S}/os/unix/os.h ${D}${includedir}/apache2 - cp ${S}/os/unix/unixd.h ${D}${includedir}/apache2 - - cp support/envvars-std ${D}${bindir}/envvars - chmod 755 ${D}${bindir}/envvars -} - diff --git a/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.12.bb b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.12.bb new file mode 100644 index 0000000000..1704bd927f --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2-native_2.4.12.bb 
@@ -0,0 +1,45 @@
+DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \
+extensible web server."
+SUMMARY = "Apache HTTP Server"
+HOMEPAGE = "http://httpd.apache.org/"
+DEPENDS = "expat-native pcre-native apr-native apr-util-native"
+SECTION = "net"
+LICENSE = "Apache-2.0"
+
+inherit autotools pkgconfig native
+
+SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
+ file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
+ "
+
+S = "${WORKDIR}/httpd-${PV}"
+
+LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83"
+SRC_URI[md5sum] = "b8dc8367a57a8d548a9b4ce16d264a13"
+SRC_URI[sha256sum] = "ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4"
+
+EXTRA_OECONF = "--with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \
+ --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \
+ --prefix=${prefix} --datadir=${datadir}/apache2 \
+ "
+
+do_install () {
+ install -d ${D}${bindir} ${D}${libdir}
+ cp server/gen_test_char ${D}${bindir}
+ install -m 755 support/apxs ${D}${bindir}/
+ install -m 755 httpd ${D}${bindir}/
+ install -d ${D}${datadir}/apache2/build
+ cp ${S}/build/*.mk ${D}${datadir}/apache2/build
+ cp build/*.mk ${D}${datadir}/apache2/build
+ cp ${S}/build/instdso.sh ${D}${datadir}/apache2/build
+
+ install -d ${D}${includedir}/apache2
+ cp ${S}/include/* ${D}${includedir}/apache2
+ cp include/* ${D}${includedir}/apache2
+ cp ${S}/os/unix/os.h ${D}${includedir}/apache2
+ cp ${S}/os/unix/unixd.h ${D}${includedir}/apache2
+
+ cp support/envvars-std ${D}${bindir}/envvars
+ chmod 755 ${D}${bindir}/envvars
+}
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch b/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch
new file mode 100644
index 0000000000..264fde7104
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch
@@ -0,0 +1,58 @@
+From 643f0fcf3b8ab09a68f0ecd2aa37aafeda3e63ef Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Wed, 4 Feb 2015 14:44:23 +0000
+Subject: [PATCH] *) SECURITY: CVE-2015-0228 (cve.mitre.org) mod_lua: A
+ maliciously crafted websockets PING after a script calls r:wsupgrade()
+ can cause a child process crash. [Edward Lu ]
+
+Upstream-Status: BackPort
+
+Discovered by Guido Vranken
+
+Submitted by: Edward Lu
+Committed by: covener
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1657261 13f79535-47bb-0310-9956-ffa450edef68
+
+Signed-off-by: Roy Li
+---
+ modules/lua/lua_request.c | 6 +++++-
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
+index dded599..1200c55 100644
+--- a/modules/lua/lua_request.c
++++ b/modules/lua/lua_request.c
+@@ -2227,6 +2227,7 @@ static int lua_websocket_read(lua_State *L)
+ {
+ apr_socket_t *sock;
+ apr_status_t rv;
++ int do_read = 1;
+ int n = 0;
+ apr_size_t len = 1;
+ apr_size_t plen = 0;
+@@ -2244,6 +2245,8 @@ static int lua_websocket_read(lua_State *L)
+ mask_bytes = apr_pcalloc(r->pool, 4);
+ sock = ap_get_conn_socket(r->connection);
+
++ while (do_read) {
++ do_read = 0;
+ /* Get opcode and FIN bit */
+ if (plaintext) {
+ rv = apr_socket_recv(sock, &byte, &len);
+@@ -2377,10 +2380,11 @@ static int lua_websocket_read(lua_State *L)
+ frame[0] = 0x8A;
+ frame[1] = 0;
+ apr_socket_send(sock, frame, &plen); /* Pong! */
+- lua_websocket_read(L); /* read the next frame instead */
++ do_read = 1;
+ }
+ }
+ }
++ }
+ return 0;
+ }
+
+--
+1.9.1
+
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch
deleted file mode 100644
index 8585f0bb30..0000000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/apache-CVE-2014-0117.patch
+++ /dev/null
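Review bot: The header of the new 0001-SECURITY-CVE-2015-0228 patch spells the tag `Upstream-Status: BackPort`, whereas the apache-CVE-2014-0117.patch removed by this same commit used `Upstream-Status: Backport`; I would use the latter spelling so that scripts matching the tag literally still classify the patch. The embedded diffstat reads `2 files changed, 10 insertions(+), 1 deletion(-)` but only modules/lua/lua_request.c is carried, so presumably a changelog hunk was dropped by hand, and a one-line remark to that effect under the tag would keep the header accurate. Since the fix exists only as a local backport, a comment such as `# drop once PV includes upstream r1657261` beside its SRC_URI entry in apache2_2.4.12.bb would help the next upgrade remove it at the right time, as this commit does for CVE-2014-0117.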
@@ -1,289 +0,0 @@ -apache: CVE-2014-0117 - -The patch comes from upstream: -http://svn.apache.org/viewvc?view=revision&revision=1610674 - -SECURITY (CVE-2014-0117): Fix a crash in mod_proxy. In a -reverse proxy configuration, a remote attacker could send a carefully crafted -request which could crash a server process, resulting in denial of service. - -Thanks to Marek Kroemeke working with HP's Zero Day Initiative for -reporting this issue. - -Upstream-Status: Backport - -Submitted by: Edward Lu, breser, covener -Signed-off-by: Zhang Xiao ---- - modules/proxy/mod_proxy_http.c | 8 +++- - include/httpd.h | 17 ++++++++ - modules/proxy/proxy_util.c | 67 ++++++++++++++---------------- - server/util.c | 89 ++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 143 insertions(+), 38 deletions(-) - -diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c -index cffad2e..f11c16f 100644 ---- a/modules/proxy/mod_proxy_http.c -+++ b/modules/proxy/mod_proxy_http.c -@@ -1362,6 +1362,7 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, - */ - if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) { - int major, minor; -+ int toclose; - - major = buffer[5] - '0'; - minor = buffer[7] - '0'; -@@ -1470,7 +1471,12 @@ apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r, - te = apr_table_get(r->headers_out, "Transfer-Encoding"); - - /* strip connection listed hop-by-hop headers from response */ -- backend->close = ap_proxy_clear_connection_fn(r, r->headers_out); -+ toclose = ap_proxy_clear_connection_fn(r, r->headers_out); -+ backend->close = (toclose != 0); -+ if (toclose < 0) { -+ return ap_proxyerror(r, HTTP_BAD_REQUEST, -+ "Malformed connection header"); -+ } - - if ((buf = apr_table_get(r->headers_out, "Content-Type"))) { - ap_set_content_type(r, apr_pstrdup(p, buf)); -diff --git a/include/httpd.h b/include/httpd.h -index 36cd58d..9a2cf5c 100644 ---- a/include/httpd.h -+++ b/include/httpd.h -@@ -1528,6 
+1528,23 @@ AP_DECLARE(int) ap_find_etag_weak(apr_pool_t *p, const char *line, const char *t - AP_DECLARE(int) ap_find_etag_strong(apr_pool_t *p, const char *line, const char *tok); - - /** -+ * Retrieve an array of tokens in the format "1#token" defined in RFC2616. Only -+ * accepts ',' as a delimiter, does not accept quoted strings, and errors on -+ * any separator. -+ * @param p The pool to allocate from -+ * @param tok The line to read tokens from -+ * @param tokens Pointer to an array of tokens. If not NULL, must be an array -+ * of char*, otherwise it will be allocated on @a p when a token is found -+ * @param skip_invalid If true, when an invalid separator is encountered, it -+ * will be ignored. -+ * @return NULL on success, an error string otherwise. -+ * @remark *tokens may be NULL on output if NULL in input and no token is found -+ */ -+AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p, const char *tok, -+ apr_array_header_t **tokens, -+ int skip_invalid); -+ -+/** - * Retrieve a token, spacing over it and adjusting the pointer to - * the first non-white byte afterwards. 
Note that these tokens - * are delimited by semis and commas and can also be delimited -diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c -index 67dc939..58daa21 100644 ---- a/modules/proxy/proxy_util.c -+++ b/modules/proxy/proxy_util.c -@@ -2847,68 +2847,59 @@ PROXY_DECLARE(proxy_balancer_shared *) ap_proxy_find_balancershm(ap_slotmem_prov - typedef struct header_connection { - apr_pool_t *pool; - apr_array_header_t *array; -- const char *first; -- unsigned int closed:1; -+ const char *error; -+ int is_req; - } header_connection; - - static int find_conn_headers(void *data, const char *key, const char *val) - { - header_connection *x = data; -- const char *name; -- -- do { -- while (*val == ',' || *val == ';') { -- val++; -- } -- name = ap_get_token(x->pool, &val, 0); -- if (!strcasecmp(name, "close")) { -- x->closed = 1; -- } -- if (!x->first) { -- x->first = name; -- } -- else { -- const char **elt; -- if (!x->array) { -- x->array = apr_array_make(x->pool, 4, sizeof(char *)); -- } -- elt = apr_array_push(x->array); -- *elt = name; -- } -- } while (*val); - -- return 1; -+ x->error = ap_parse_token_list_strict(x->pool, val, &x->array, !x->is_req); -+ return !x->error; - } - - /** - * Remove all headers referred to by the Connection header. -+ * Returns -1 on error. Otherwise, returns 1 if 'Close' was seen in -+ * the Connection header tokens, and 0 if not. 
- */ - static int ap_proxy_clear_connection(request_rec *r, apr_table_t *headers) - { -- const char **name; -+ int closed = 0; - header_connection x; - - x.pool = r->pool; - x.array = NULL; -- x.first = NULL; -- x.closed = 0; -+ x.error = NULL; -+ x.is_req = (headers == r->headers_in); - - apr_table_unset(headers, "Proxy-Connection"); - - apr_table_do(find_conn_headers, &x, headers, "Connection", NULL); -- if (x.first) { -- /* fast path - no memory allocated for one header */ -- apr_table_unset(headers, "Connection"); -- apr_table_unset(headers, x.first); -+ apr_table_unset(headers, "Connection"); -+ -+ if (x.error) { -+ ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, APLOGNO() -+ "Error parsing Connection header: %s", x.error); -+ return -1; - } -+ - if (x.array) { -- /* two or more headers */ -- while ((name = apr_array_pop(x.array))) { -- apr_table_unset(headers, *name); -+ int i; -+ for (i = 0; i < x.array->nelts; i++) { -+ const char *name = APR_ARRAY_IDX(x.array, i, const char *); -+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO() -+ "Removing header '%s' listed in Connection header", -+ name); -+ if (!strcasecmp(name, "close")) { -+ closed = 1; -+ } -+ apr_table_unset(headers, name); - } - } - -- return x.closed; -+ return closed; - } - - PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, -@@ -3095,7 +3086,9 @@ PROXY_DECLARE(int) ap_proxy_create_hdrbrgd(apr_pool_t *p, - * apr is compiled with APR_POOL_DEBUG. 
- */ - headers_in_copy = apr_table_copy(r->pool, r->headers_in); -- ap_proxy_clear_connection(r, headers_in_copy); -+ if (ap_proxy_clear_connection(r, headers_in_copy) < 0) { -+ return HTTP_BAD_REQUEST; -+ } - /* send request headers */ - headers_in_array = apr_table_elts(headers_in_copy); - headers_in = (const apr_table_entry_t *) headers_in_array->elts; -diff --git a/server/util.c b/server/util.c -index e0ba5c2..541c9f0 100644 ---- a/server/util.c -+++ b/server/util.c -@@ -1449,6 +1449,95 @@ AP_DECLARE(int) ap_find_etag_weak(apr_pool_t *p, const char *line, - return find_list_item(p, line, tok, AP_ETAG_WEAK); - } - -+/* Grab a list of tokens of the format 1#token (from RFC7230) */ -+AP_DECLARE(const char *) ap_parse_token_list_strict(apr_pool_t *p, -+ const char *str_in, -+ apr_array_header_t **tokens, -+ int skip_invalid) -+{ -+ int in_leading_space = 1; -+ int in_trailing_space = 0; -+ int string_end = 0; -+ const char *tok_begin; -+ const char *cur; -+ -+ if (!str_in) { -+ return NULL; -+ } -+ -+ tok_begin = cur = str_in; -+ -+ while (!string_end) { -+ const unsigned char c = (unsigned char)*cur; -+ -+ if (!TEST_CHAR(c, T_HTTP_TOKEN_STOP) && c != '\0') { -+ /* Non-separator character; we are finished with leading -+ * whitespace. 
We must never have encountered any trailing -+ * whitespace before the delimiter (comma) */ -+ in_leading_space = 0; -+ if (in_trailing_space) { -+ return "Encountered illegal whitespace in token"; -+ } -+ } -+ else if (c == ' ' || c == '\t') { -+ /* "Linear whitespace" only includes ASCII CRLF, space, and tab; -+ * we can't get a CRLF since headers are split on them already, -+ * so only look for a space or a tab */ -+ if (in_leading_space) { -+ /* We're still in leading whitespace */ -+ ++tok_begin; -+ } -+ else { -+ /* We must be in trailing whitespace */ -+ ++in_trailing_space; -+ } -+ } -+ else if (c == ',' || c == '\0') { -+ if (!in_leading_space) { -+ /* If we're out of the leading space, we know we've read some -+ * characters of a token */ -+ if (*tokens == NULL) { -+ *tokens = apr_array_make(p, 4, sizeof(char *)); -+ } -+ APR_ARRAY_PUSH(*tokens, char *) = -+ apr_pstrmemdup((*tokens)->pool, tok_begin, -+ (cur - tok_begin) - in_trailing_space); -+ } -+ /* We're allowed to have null elements, just don't add them to the -+ * array */ -+ -+ tok_begin = cur + 1; -+ in_leading_space = 1; -+ in_trailing_space = 0; -+ string_end = (c == '\0'); -+ } -+ else { -+ /* Encountered illegal separator char */ -+ if (skip_invalid) { -+ /* Skip to the next separator */ -+ const char *temp; -+ temp = ap_strchr_c(cur, ','); -+ if(!temp) { -+ temp = ap_strchr_c(cur, '\0'); -+ } -+ -+ /* Act like we haven't seen a token so we reset */ -+ cur = temp - 1; -+ in_leading_space = 1; -+ in_trailing_space = 0; -+ } -+ else { -+ return apr_psprintf(p, "Encountered illegal separator " -+ "'\\x%.2x'", (unsigned int)c); -+ } -+ } -+ -+ ++cur; -+ } -+ -+ return NULL; -+} -+ - /* Retrieve a token, spacing over it and returning a pointer to - * the first non-white byte afterwards. Note that these tokens - * are delimited by semis and commas; and can also be delimited --- 
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch b/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch index 3a59fb0799..413dc535e4 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch +++ b/meta-webserver/recipes-httpd/apache2/apache2/apache-ssl-ltmain-rpath.patch 
@@ -1,52 +1,57 @@ ---- httpd-2.2.8.orig/build/ltmain.sh -+++ httpd-2.2.8/build/ltmain.sh -@@ -1515,7 +1515,7 @@ EOF - dir=`$echo "X$arg" | $Xsed -e 's/^-L//'` + build/ltmain.sh | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +diff --git a/build/ltmain.sh b/build/ltmain.sh +index 5eca4ae..805b461 100644 +--- a/build/ltmain.sh ++++ b/build/ltmain.sh +@@ -6944,7 +6944,7 @@ func_mode_link () + dir=$func_resolve_sysroot_result # We need an absolute path. case $dir in - [\\/]* | [A-Za-z]:[\\/]*) ;; + =* | [\\/]* | [A-Za-z]:[\\/]*) ;; *) absdir=`cd "$dir" && pwd` - if test -z "$absdir"; then -@@ -2558,7 +2558,7 @@ EOF - $echo "*** $linklib is not portable!" + test -z "$absdir" && \ +@@ -8137,7 +8137,7 @@ func_mode_link () + $ECHO "*** $linklib is not portable!" fi - if test "$linkmode" = lib && -- test "$hardcode_into_libs" = yes; then -+ test "x$wrs_use_rpaths" = "xyes" && test "$hardcode_into_libs" = yes; then + if test lib = "$linkmode" && +- test yes = "$hardcode_into_libs"; then ++ test "x$wrs_use_rpaths" = "xyes" && test "$hardcode_into_libs" = yes; then # Hardcode the library path. # Skip directories that are in the system default run-time # search path. 
-@@ -2832,7 +2832,7 @@ EOF +@@ -8404,7 +8404,7 @@ func_mode_link () - if test "$linkmode" = lib; then + if test lib = "$linkmode"; then if test -n "$dependency_libs" && -- { test "$hardcode_into_libs" != yes || -+ { test "$hardcode_into_libs" != yes || test "x$wrs_use_rpaths" != "xyes" || - test "$build_old_libs" = yes || - test "$link_static" = yes; }; then +- { test yes != "$hardcode_into_libs" || ++ { test yes != "$hardcode_into_libs" || test "x$wrs_use_rpaths" != "xyes" || + test yes = "$build_old_libs" || + test yes = "$link_static"; }; then # Extract -R from dependency_libs -@@ -3426,7 +3426,8 @@ EOF - *) finalize_rpath="$finalize_rpath $libdir" ;; +@@ -9025,7 +9025,8 @@ func_mode_link () + *) func_append finalize_rpath " $libdir" ;; esac done -- if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then -+ if test "$hardcode_into_libs" != yes || test "x$wrs_use_rpaths" != "xyes" || -+ test "$build_old_libs" = yes; then +- if test yes != "$hardcode_into_libs" || test yes = "$build_old_libs"; then ++ if test yes != "$hardcode_into_libs" || test "x$wrs_use_rpaths" != "xyes" || ++ test yes = "$build_old_libs"; then dependency_libs="$temp_xrpath $dependency_libs" fi fi -@@ -3843,7 +3844,7 @@ EOF - case $archive_cmds in - *\$LD\ *) wl= ;; +@@ -9473,7 +9474,7 @@ EOF + case $archive_cmds in + *\$LD\ *) wl= ;; esac -- if test "$hardcode_into_libs" = yes; then -+ if test "$hardcode_into_libs" = yes && test "x$wrs_use_rpaths" = "xyes" ; then +- if test yes = "$hardcode_into_libs"; then ++ if test yes = "$hardcode_into_libs" && test "x$wrs_use_rpaths" = "xyes"; then # Hardcode the library paths hardcode_libdirs= dep_rpath= -@@ -4397,6 +4398,27 @@ EOF +@@ -10211,6 +10212,27 @@ EOF # Now hardcode the library paths rpath= hardcode_libdirs= @@ -74,3 +79,6 @@ for libdir in $compile_rpath $finalize_rpath; do if test -n "$hardcode_libdir_flag_spec"; then if test -n "$hardcode_libdir_separator"; then +-- +1.9.1 + 
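Review bot: The refreshed apache-ssl-ltmain-rpath.patch now opens with a bare diffstat and still carries no description, `Upstream-Status:` or `Signed-off-by:` header, so nothing records why run-path hardcoding is gated on `wrs_use_rpaths` or where that variable is expected to be set. I would add a short header, for example `Upstream-Status: Inappropriate [embedded specific]` plus one sentence stating that library paths are hardcoded only when `wrs_use_rpaths=yes`, because an unintended RPATH in the installed modules changes where the target's loader searches for libraries. The rewritten conditions also mix operand orders on one line (`test "x$wrs_use_rpaths" = "xyes" && test "$hardcode_into_libs" = yes` beside upstream's `test yes = "$hardcode_into_libs"`); keeping upstream's order in the second test would make the next refresh a smaller diff. The block added at `@@ -10211,6 +10212,27 @@` is not visible in this hunk, so it is not covered here.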
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.10.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.10.bb deleted file mode 100644 index 55d507f757..0000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.10.bb +++ /dev/null 
@@ -1,164 +0,0 @@ -DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \ -extensible web server." -SUMMARY = "Apache HTTP Server" -HOMEPAGE = "http://httpd.apache.org/" -DEPENDS = "libtool-native apache2-native openssl expat pcre apr apr-util" -SECTION = "net" -LICENSE = "Apache-2.0" - -SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ - file://server-makefile.patch \ - file://httpd-2.4.1-corelimit.patch \ - file://httpd-2.4.4-export.patch \ - file://httpd-2.4.1-selinux.patch \ - file://apache-configure_perlbin.patch \ - file://replace-lynx-to-curl-in-apachectl-script.patch \ - file://apache-ssl-ltmain-rpath.patch \ - file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \ - file://npn-patch-2.4.7.patch \ - file://0001-configure-use-pkg-config-for-PCRE-detection.patch \ - file://configure-allow-to-disable-selinux-support.patch \ - file://init \ - file://apache2-volatile.conf \ - file://apache2.service \ - file://apache-CVE-2014-0117.patch \ - " - -LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" -SRC_URI[md5sum] = "44543dff14a4ebc1e9e2d86780507156" -SRC_URI[sha256sum] = "176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a" - -S = "${WORKDIR}/httpd-${PV}" - -inherit autotools update-rc.d pkgconfig systemd - -SYSTEMD_SERVICE_${PN} = "apache2.service" -SYSTEMD_AUTO_ENABLE_${PN} = "disable" - -SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice" - -CFLAGS_append = " -DPATH_MAX=4096" -CFLAGS_prepend = "-I${STAGING_INCDIR}/openssl " -EXTRA_OECONF = "--enable-ssl \ - --with-ssl=${STAGING_LIBDIR}/.. \ - --with-expat=${STAGING_LIBDIR}/.. 
\ - --with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ - --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \ - --enable-info \ - --enable-rewrite \ - --with-dbm=sdbm \ - --with-berkeley-db=no \ - --localstatedir=/var/${BPN} \ - --with-gdbm=no \ - --with-ndbm=no \ - --includedir=${includedir}/${BPN} \ - --datadir=${datadir}/${BPN} \ - --sysconfdir=${sysconfdir}/${BPN} \ - --libexecdir=${libdir}/${BPN}/modules \ - ap_cv_void_ptr_lt_long=no \ - --enable-mpms-shared \ - ac_cv_have_threadsafe_pollset=no" - -PACKAGECONFIG ?= "${@base_contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" -PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux" - -do_install_append() { - install -d ${D}/${sysconfdir}/init.d - cat ${WORKDIR}/init | \ - sed -e 's,/usr/sbin/,${sbindir}/,g' \ - -e 's,/usr/bin/,${bindir}/,g' \ - -e 's,/usr/lib,${libdir}/,g' \ - -e 's,/etc/,${sysconfdir}/,g' \ - -e 's,/usr/,${prefix}/,g' > ${D}/${sysconfdir}/init.d/${BPN} - chmod 755 ${D}/${sysconfdir}/init.d/${BPN} - # remove the goofy original files... - rm -rf ${D}/${sysconfdir}/${BPN}/original - # Expat should be found in the staging area via DEPENDS... 
- rm -f ${D}/${libdir}/libexpat.* - - install -d ${D}${sysconfdir}/${BPN}/conf.d - install -d ${D}${sysconfdir}/${BPN}/modules.d - - # Ensure configuration file pulls in conf.d and modules.d - printf "\nIncludeOptional ${sysconfdir}/${BPN}/conf.d/*.conf" >> ${D}/${sysconfdir}/${BPN}/httpd.conf - printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.conf\n\n" >> ${D}/${sysconfdir}/${BPN}/httpd.conf - # match with that is in init script - printf "\nPidFile /run/httpd.pid" >> ${D}/${sysconfdir}/${BPN}/httpd.conf - # Set 'ServerName' to fix error messages when restart apache service - sed -i 's/^#ServerName www.example.com/ServerName localhost/' ${D}/${sysconfdir}/${BPN}/httpd.conf - - if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - install -d ${D}${sysconfdir}/tmpfiles.d/ - install -m 0644 ${WORKDIR}/apache2-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ - fi - - install -d ${D}${systemd_unitdir}/system - install -m 0644 ${WORKDIR}/apache2.service ${D}${systemd_unitdir}/system - sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/apache2.service - sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' ${D}${systemd_unitdir}/system/apache2.service -} - -SYSROOT_PREPROCESS_FUNCS += "apache_sysroot_preprocess" - -apache_sysroot_preprocess () { - install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}/ - install -m 755 ${D}${bindir}/apxs ${SYSROOT_DESTDIR}${bindir_crossscripts}/ - sed -i 's!my $installbuilddir = .*!my $installbuilddir = "${STAGING_DIR_HOST}/${datadir}/${BPN}/build";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs - sed -i 's!my $libtool = .*!my $libtool = "${STAGING_BINDIR_CROSS}/${TARGET_PREFIX}libtool";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs - - sed -i 's!^APR_CONFIG = .*!APR_CONFIG = ${STAGING_BINDIR_CROSS}/apr-1-config!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk - sed -i 's!^APU_CONFIG = .*!APU_CONFIG = ${STAGING_BINDIR_CROSS}/apu-1-config!' 
${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk - sed -i 's!^includedir = .*!includedir = ${STAGING_INCDIR}/apache2!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk -} - -# -# implications - used by update-rc.d scripts -# -INITSCRIPT_NAME = "apache2" -INITSCRIPT_PARAMS = "defaults 91 20" -LEAD_SONAME = "libapr-1.so.0" - -PACKAGES = "${PN}-scripts ${PN}-doc ${PN}-dev ${PN}-dbg ${PN}" - -CONFFILES_${PN} = "${sysconfdir}/${BPN}/httpd.conf \ - ${sysconfdir}/${BPN}/magic \ - ${sysconfdir}/${BPN}/mime.types \ - ${sysconfdir}/init.d/${BPN} " - -# we override here rather than append so that .so links are -# included in the runtime package rather than here (-dev) -# and to get build, icons, error into the -dev package -FILES_${PN}-dev = "${datadir}/${BPN}/build \ - ${datadir}/${BPN}/icons \ - ${datadir}/${BPN}/error \ - ${bindir}/apr-config ${bindir}/apu-config \ - ${libdir}/apr*.exp \ - ${includedir}/${BPN} \ - ${libdir}/*.la \ - ${libdir}/*.a \ - ${bindir}/apxs \ - " - - -# manual to manual -FILES_${PN}-doc += " ${datadir}/${BPN}/manual" - -FILES_${PN}-scripts += "${bindir}/dbmmanage" - -# -# override this too - here is the default, less datadir -# -FILES_${PN} = "${bindir} ${sbindir} ${libexecdir} ${libdir}/lib*.so.* ${sysconfdir} \ - ${sharedstatedir} ${localstatedir} /bin /sbin /lib/*.so* \ - ${libdir}/${BPN}" - -# we want htdocs and cgi-bin to go with the binary -FILES_${PN} += "${datadir}/${BPN}/htdocs ${datadir}/${BPN}/cgi-bin" - -#make sure the lone .so links also get wrapped in the base package -FILES_${PN} += "${libdir}/lib*.so ${libdir}/pkgconfig/*" - -FILES_${PN}-dbg += "${libdir}/${BPN}/modules/.debug" - -RDEPENDS_${PN} += "openssl libgcc" -RDEPENDS_${PN}-scripts += "perl ${PN}" diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.12.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.12.bb new file mode 100644 index 0000000000..0712b4a93d --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.12.bb 
@@ -0,0 +1,164 @@ +DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \ +extensible web server." +SUMMARY = "Apache HTTP Server" +HOMEPAGE = "http://httpd.apache.org/" +DEPENDS = "libtool-native apache2-native openssl expat pcre apr apr-util" +SECTION = "net" +LICENSE = "Apache-2.0" + +SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \ + file://server-makefile.patch \ + file://httpd-2.4.1-corelimit.patch \ + file://httpd-2.4.4-export.patch \ + file://httpd-2.4.1-selinux.patch \ + file://apache-configure_perlbin.patch \ + file://replace-lynx-to-curl-in-apachectl-script.patch \ + file://apache-ssl-ltmain-rpath.patch \ + file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \ + file://npn-patch-2.4.7.patch \ + file://0001-configure-use-pkg-config-for-PCRE-detection.patch \ + file://configure-allow-to-disable-selinux-support.patch \ + file://init \ + file://apache2-volatile.conf \ + file://apache2.service \ + file://0001-SECURITY-CVE-2015-0228-cve.mitre.org.patch \ + " + +LIC_FILES_CHKSUM = "file://LICENSE;md5=dbff5a2b542fa58854455bf1a0b94b83" +SRC_URI[md5sum] = "b8dc8367a57a8d548a9b4ce16d264a13" +SRC_URI[sha256sum] = "ad6d39edfe4621d8cc9a2791f6f8d6876943a9da41ac8533d77407a2e630eae4" + +S = "${WORKDIR}/httpd-${PV}" + +inherit autotools update-rc.d pkgconfig systemd + +SYSTEMD_SERVICE_${PN} = "apache2.service" +SYSTEMD_AUTO_ENABLE_${PN} = "disable" + +SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice" + +CFLAGS_append = " -DPATH_MAX=4096" +CFLAGS_prepend = "-I${STAGING_INCDIR}/openssl " +EXTRA_OECONF = "--enable-ssl \ + --with-ssl=${STAGING_LIBDIR}/.. \ + --with-expat=${STAGING_LIBDIR}/.. 
\ + --with-apr=${STAGING_BINDIR_CROSS}/apr-1-config \ + --with-apr-util=${STAGING_BINDIR_CROSS}/apu-1-config \ + --enable-info \ + --enable-rewrite \ + --with-dbm=sdbm \ + --with-berkeley-db=no \ + --localstatedir=/var/${BPN} \ + --with-gdbm=no \ + --with-ndbm=no \ + --includedir=${includedir}/${BPN} \ + --datadir=${datadir}/${BPN} \ + --sysconfdir=${sysconfdir}/${BPN} \ + --libexecdir=${libdir}/${BPN}/modules \ + ap_cv_void_ptr_lt_long=no \ + --enable-mpms-shared \ + ac_cv_have_threadsafe_pollset=no" + +PACKAGECONFIG ?= "${@base_contains('DISTRO_FEATURES', 'selinux', 'selinux', '', d)}" +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux" + +do_install_append() { + install -d ${D}/${sysconfdir}/init.d + cat ${WORKDIR}/init | \ + sed -e 's,/usr/sbin/,${sbindir}/,g' \ + -e 's,/usr/bin/,${bindir}/,g' \ + -e 's,/usr/lib,${libdir}/,g' \ + -e 's,/etc/,${sysconfdir}/,g' \ + -e 's,/usr/,${prefix}/,g' > ${D}/${sysconfdir}/init.d/${BPN} + chmod 755 ${D}/${sysconfdir}/init.d/${BPN} + # remove the goofy original files... + rm -rf ${D}/${sysconfdir}/${BPN}/original + # Expat should be found in the staging area via DEPENDS... 
+ rm -f ${D}/${libdir}/libexpat.* + + install -d ${D}${sysconfdir}/${BPN}/conf.d + install -d ${D}${sysconfdir}/${BPN}/modules.d + + # Ensure configuration file pulls in conf.d and modules.d + printf "\nIncludeOptional ${sysconfdir}/${BPN}/conf.d/*.conf" >> ${D}/${sysconfdir}/${BPN}/httpd.conf + printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.conf\n\n" >> ${D}/${sysconfdir}/${BPN}/httpd.conf + # match with that is in init script + printf "\nPidFile /run/httpd.pid" >> ${D}/${sysconfdir}/${BPN}/httpd.conf + # Set 'ServerName' to fix error messages when restart apache service + sed -i 's/^#ServerName www.example.com/ServerName localhost/' ${D}/${sysconfdir}/${BPN}/httpd.conf + + if ${@base_contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d/ + install -m 0644 ${WORKDIR}/apache2-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ + fi + + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/apache2.service ${D}${systemd_unitdir}/system + sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/apache2.service + sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' ${D}${systemd_unitdir}/system/apache2.service +} + +SYSROOT_PREPROCESS_FUNCS += "apache_sysroot_preprocess" + +apache_sysroot_preprocess () { + install -d ${SYSROOT_DESTDIR}${bindir_crossscripts}/ + install -m 755 ${D}${bindir}/apxs ${SYSROOT_DESTDIR}${bindir_crossscripts}/ + sed -i 's!my $installbuilddir = .*!my $installbuilddir = "${STAGING_DIR_HOST}/${datadir}/${BPN}/build";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs + sed -i 's!my $libtool = .*!my $libtool = "${STAGING_BINDIR_CROSS}/${TARGET_PREFIX}libtool";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs + + sed -i 's!^APR_CONFIG = .*!APR_CONFIG = ${STAGING_BINDIR_CROSS}/apr-1-config!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk + sed -i 's!^APU_CONFIG = .*!APU_CONFIG = ${STAGING_BINDIR_CROSS}/apu-1-config!' 
${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk + sed -i 's!^includedir = .*!includedir = ${STAGING_INCDIR}/apache2!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk +} + +# +# implications - used by update-rc.d scripts +# +INITSCRIPT_NAME = "apache2" +INITSCRIPT_PARAMS = "defaults 91 20" +LEAD_SONAME = "libapr-1.so.0" + +PACKAGES = "${PN}-scripts ${PN}-doc ${PN}-dev ${PN}-dbg ${PN}" + +CONFFILES_${PN} = "${sysconfdir}/${BPN}/httpd.conf \ + ${sysconfdir}/${BPN}/magic \ + ${sysconfdir}/${BPN}/mime.types \ + ${sysconfdir}/init.d/${BPN} " + +# we override here rather than append so that .so links are +# included in the runtime package rather than here (-dev) +# and to get build, icons, error into the -dev package +FILES_${PN}-dev = "${datadir}/${BPN}/build \ + ${datadir}/${BPN}/icons \ + ${datadir}/${BPN}/error \ + ${bindir}/apr-config ${bindir}/apu-config \ + ${libdir}/apr*.exp \ + ${includedir}/${BPN} \ + ${libdir}/*.la \ + ${libdir}/*.a \ + ${bindir}/apxs \ + " + + +# manual to manual +FILES_${PN}-doc += " ${datadir}/${BPN}/manual" + +FILES_${PN}-scripts += "${bindir}/dbmmanage" + +# +# override this too - here is the default, less datadir +# +FILES_${PN} = "${bindir} ${sbindir} ${libexecdir} ${libdir}/lib*.so.* ${sysconfdir} \ + ${sharedstatedir} ${localstatedir} /bin /sbin /lib/*.so* \ + ${libdir}/${BPN}" + +# we want htdocs and cgi-bin to go with the binary +FILES_${PN} += "${datadir}/${BPN}/htdocs ${datadir}/${BPN}/cgi-bin" + +#make sure the lone .so links also get wrapped in the base package +FILES_${PN} += "${libdir}/lib*.so ${libdir}/pkgconfig/*" + +FILES_${PN}-dbg += "${libdir}/${BPN}/modules/.debug" + +RDEPENDS_${PN} += "openssl libgcc" +RDEPENDS_${PN}-scripts += "perl ${PN}" -- cgit 1.2.3-korg
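Review bot: `SRC_URI` in the new recipe still downloads `http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2` over plain HTTP, so the pinned `SRC_URI[sha256sum]` is the only thing protecting the build against a substituted tarball; the `SRC_URI[md5sum]` line adds no protection against a deliberate swap. The commit message does not say where the new checksums were taken from, and I would record that they were checked against the upstream release signature or published digest rather than computed from whatever the fetch returned. If the layer's OE-core provides `APACHE_MIRROR`, `${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2` would presumably also be the more durable location once this release is superseded. The same applies to apache2-native_2.4.12.bb earlier in this commit.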