diff options
author | wangmy <wangmy@fujitsu.com> | 2021-09-22 21:15:00 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-09-26 16:35:31 -0700 |
commit | f44e1a2b575826e88b8cb2725e54a7c5d29cf94a (patch) | |
tree | 5bcae1c0d146c86ddba19e77a0ef92c1ca87a18c /meta-webserver/recipes-httpd/apache2/apache2_2.4.49.bb | |
parent | 135af4f1f7e8ef4585756f638b2cbec99943bbb3 (diff) | |
download | meta-openembedded-contrib-f44e1a2b575826e88b8cb2725e54a7c5d29cf94a.tar.gz |
apache2: upgrade 2.4.48 -> 2.4.49
Changes with Apache 2.4.49
*) SECURITY: CVE-2021-40438 (cve.mitre.org)
mod_proxy: Server Side Request Forgery (SSRF) vulnerabilty [Yann Ylavic]
*) SECURITY: CVE-2021-39275 (cve.mitre.org)
core: ap_escape_quotes buffer overflow
*) SECURITY: CVE-2021-36160 (cve.mitre.org)
mod_proxy_uwsgi: Out of bound read vulnerability [Yann Ylavic]
*) SECURITY: CVE-2021-34798 (cve.mitre.org)
core: null pointer dereference on malformed request
*) SECURITY: CVE-2021-33193 (cve.mitre.org)
mod_http2: Request splitting vulnerability with mod_proxy [Stefan Eissing]
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
[Stefan Eissing]
*) mod_ssl: Support logging private key material for use with
wireshark via log file given by SSLKEYLOGFILE environment
variable. Requires OpenSSL 1.1.1. PR 63391. [Joe Orton]
*) mod_proxy: Do not canonicalize the proxied URL when both "nocanon" and
"ProxyPassInterpolateEnv On" are configured. PR 65549.
[Joel Self <joelself gmail.com>]
*) mpm_event: Fix children processes possibly not stopped on graceful
restart. PR 63169. [Joel Self <joelself gmail.com>]
*) mod_proxy: Fix a potential infinite loop when tunneling Upgrade(d)
protocols from mod_proxy_http, and a timeout triggering falsely when
using mod_proxy_wstunnel, mod_proxy_connect or mod_proxy_http with
upgrade= setting. PRs 65521 and 65519. [Yann Ylavic]
*) mod_unique_id: Reduce the time window where duplicates may be generated
PR 65159
[Christophe Jaillet]
*) mpm_prefork: Block signals for child_init hooks to prevent potential
threads created from there to catch MPM's signals.
[Ruediger Pluem, Yann Ylavic]
*) Revert "mod_unique_id: Fix potential duplicated ID generation under heavy load.
PR 65159" added in 2.4.47.
This causes issue on Windows.
[Christophe Jaillet]
*) mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker. [Yann Ylavic]
*) mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoid potential mess ups in the md store file system to render the active
certificates non-working. [@mkauf]
*) mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
[Yann Ylavic]
*) mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accomodates for hosts that do
not observe/support ALPN and speak http/1.x be default.
*) mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match worker instances
with others when their URLs contain a '$' substitution. PR 65419 + 65429.
[Yann Ylavic]
*) mod_dav: Add method_precondition hook. WebDAV extensions define
conditions that must exist before a WebDAV method can be executed.
This hook allows a WebDAV extension to verify these preconditions.
[Graham Leggett]
*) Add hooks deliver_report and gather_reports to mod_dav.h. Allows other
modules apart from versioning implementations to handle the REPORT method.
[Graham Leggett]
*) Add dav_get_provider(), dav_open_lockdb(), dav_close_lockdb() and
dav_get_resource() to mod_dav.h. [Graham Leggett]
*) core: fix ap_escape_quotes substitution logic. [Eric Covener]
*) Easy patches: synch 2.4.x and trunk
- mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
- mod_ldap: log and abort locking errors.
- mod_ldap: style fix for r1831165
- mod_ldap: build break fix for r1831165
- mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
- mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
- mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
- mod_rewrite: Save a few cycles.
- mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
- core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
[Christophe Jaillet]
*) core/mpm: add hook 'child_stopping` that gets called when the MPM is
stopping a child process. The additional `graceful` parameter allows
registered hooks to free resources early during a graceful shutdown.
[Yann Ylavic, Stefan Eissing]
*) mod_proxy: Fix icomplete initialization of BalancerMember(s) from the
balancer-manager, which can lead to a crash. [Yann Ylavic]
*) mpm_event: Fix graceful stop/restart of children processes if connections
are in lingering close for too long. [Yann Ylavic]
*) mod_md: fixed a potential null pointer dereference if ACME/OCSP
server returned 2xx responses without content type. Reported by chuangwen.
[chuangwen, Stefan Eissing]
*) mod_md:
- Domain names in `<MDomain ...>` can now appear in quoted form.
- Fixed a failure in ACME challenge selection that aborted further searches
when the tls-alpn-01 method did not seem to be suitable.
- Changed the tls-alpn-01 setup to only become unsuitable when none of the
dns names showed support for a configured 'Protocols ... acme-tls/1'. This
allows use of tls-alpn-01 for dns names that are not mapped to a VirtualHost.
[Stefan Eissing]
*) Add CPING to health check logic. [Jean-Frederic Clere]
*) core: Split ap_create_request() from ap_read_request(). [Graham Leggett]
*) core, h2: common ap_parse_request_line() and ap_check_request_header()
code. [Yann Ylavic]
*) core: Add StrictHostCheck to allow unconfigured hostnames to be
rejected. [Eric Covener]
*) htcacheclean: Improve help messages. [Christophe Jaillet]
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 54a96fa4feb1a7712f9f3d1190c0d95d89eb6c7c)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-webserver/recipes-httpd/apache2/apache2_2.4.49.bb')
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2_2.4.49.bb | 225 |
1 files changed, 225 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.49.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.49.bb new file mode 100644 index 0000000000..7e52d1db47 --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.49.bb @@ -0,0 +1,225 @@ +DESCRIPTION = "The Apache HTTP Server is a powerful, efficient, and \ +extensible web server." +SUMMARY = "Apache HTTP Server" +HOMEPAGE = "http://httpd.apache.org/" +SECTION = "net" +LICENSE = "Apache-2.0" + +SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ + file://0001-configure-use-pkg-config-for-PCRE-detection.patch \ + file://0002-apache2-bump-up-the-core-size-limit-if-CoreDumpDirec.patch \ + file://0003-apache2-do-not-export-apr-apr-util-symbols-when-usin.patch \ + file://0004-apache2-log-the-SELinux-context-at-startup.patch \ + file://0005-replace-lynx-to-curl-in-apachectl-script.patch \ + file://0006-apache2-fix-the-race-issue-of-parallel-installation.patch \ + file://0007-apache2-allow-to-disable-selinux-support.patch \ + file://apache-configure_perlbin.patch \ + file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \ + " + +SRC_URI_append_class-target = " \ + file://0008-apache2-do-not-use-relative-path-for-gen_test_char.patch \ + file://init \ + file://apache2-volatile.conf \ + file://apache2.service \ + file://volatiles.04_apache2 \ + " + +LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" +SRC_URI[sha256sum] = "65b965d6890ea90d9706595e4b7b9365b5060bec8ea723449480b4769974133b" + +S = "${WORKDIR}/httpd-${PV}" + +inherit autotools update-rc.d pkgconfig systemd update-alternatives + +DEPENDS = "openssl expat pcre apr apr-util apache2-native " + +CVE_PRODUCT = "http_server" + +SSTATE_SCAN_FILES += "apxs config_vars.mk config.nice" + +PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}" +PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux,libselinux,libselinux" +PACKAGECONFIG[openldap] = "--enable-ldap --enable-authnz-ldap,--disable-ldap --disable-authnz-ldap,openldap" +PACKAGECONFIG[zlib] = "--enable-deflate,,zlib,zlib" + +CFLAGS_append = " -DPATH_MAX=4096" + +EXTRA_OECONF_class-target = "\ + --enable-layout=Debian \ + --prefix=${base_prefix} \ + --exec_prefix=${exec_prefix} \ + --includedir=${includedir}/${BPN} \ + --sysconfdir=${sysconfdir}/${BPN} \ + --datadir=${datadir}/${BPN} \ + --libdir=${libdir} \ + --libexecdir=${libexecdir}/${BPN}/modules \ + --localstatedir=${localstatedir} \ + --enable-ssl \ + --with-dbm=sdbm \ + --with-gdbm=no \ + --with-ndbm=no \ + --with-berkeley-db=no \ + --enable-info \ + --enable-rewrite \ + --enable-mpms-shared \ + ap_cv_void_ptr_lt_long=no \ + ac_cv_have_threadsafe_pollset=no \ + " + +EXTRA_OECONF_class-native = "\ + --prefix=${prefix} \ + --includedir=${includedir}/${BPN} \ + --sysconfdir=${sysconfdir}/${BPN} \ + --datadir=${datadir}/${BPN} \ + --libdir=${libdir} \ + --libexecdir=${libdir}/${BPN}/modules \ + --localstatedir=${localstatedir} \ + " + +do_configure_prepend() { + sed -i -e 's:$''{prefix}/usr/lib/cgi-bin:$''{libexecdir}/cgi-bin:g' ${S}/config.layout +} + +do_install_append_class-target() { + install -d ${D}/${sysconfdir}/init.d + + cat ${WORKDIR}/init | \ + sed -e 's,/usr/sbin/,${sbindir}/,g' \ + -e 's,/usr/bin/,${bindir}/,g' \ + -e 's,/usr/lib/,${libdir}/,g' \ + -e 's,/etc/,${sysconfdir}/,g' \ + -e 's,/usr/,${prefix}/,g' > ${D}/${sysconfdir}/init.d/${BPN} + + chmod 755 ${D}/${sysconfdir}/init.d/${BPN} + + # Remove the goofy original files... + rm -rf ${D}/${sysconfdir}/${BPN}/original + + install -d ${D}${sysconfdir}/${BPN}/conf.d + install -d ${D}${sysconfdir}/${BPN}/modules.d + + # Ensure configuration file pulls in conf.d and modules.d + printf "\nIncludeOptional ${sysconfdir}/${BPN}/conf.d/*.conf" >> ${D}/${sysconfdir}/${BPN}/httpd.conf + printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.load" >> ${D}/${sysconfdir}/${BPN}/httpd.conf + printf "\nIncludeOptional ${sysconfdir}/${BPN}/modules.d/*.conf\n\n" >> ${D}/${sysconfdir}/${BPN}/httpd.conf + + # Match with that is in init script + printf "\nPidFile /run/httpd.pid" >> ${D}/${sysconfdir}/${BPN}/httpd.conf + + # Set 'ServerName' to fix error messages when restart apache service + sed -i 's/^#ServerName www.example.com/ServerName localhost/' ${D}/${sysconfdir}/${BPN}/httpd.conf + + sed -i 's/^ServerRoot/#ServerRoot/' ${D}/${sysconfdir}/${BPN}/httpd.conf + + sed -i -e 's,${STAGING_DIR_TARGET},,g' \ + -e 's,${DEBUG_PREFIX_MAP},,g' \ + -e 's,-fdebug-prefix-map[^ ]*,,g; s,-fmacro-prefix-map[^ ]*,,g' \ + -e 's,${HOSTTOOLS_DIR}/,,g' \ + -e 's,APU_INCLUDEDIR = .*,APU_INCLUDEDIR = ,g' \ + -e 's,APU_CONFIG = .*,APU_CONFIG = ,g' ${D}${datadir}/apache2/build/config_vars.mk + + sed -i -e 's,--sysroot=${STAGING_DIR_TARGET},,g' \ + -e 's,${DEBUG_PREFIX_MAP},,g' \ + -e 's,${RECIPE_SYSROOT},,g' \ + -e 's,-fdebug-prefix-map[^ ]*,,g; s,-fmacro-prefix-map[^ ]*,,g' \ + -e 's,APU_INCLUDEDIR = .*,APU_INCLUDEDIR = ,g' \ + -e 's,".*/configure","configure",g' ${D}${datadir}/apache2/build/config.nice + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/tmpfiles.d/ + install -m 0644 ${WORKDIR}/apache2-volatile.conf ${D}${sysconfdir}/tmpfiles.d/ + + install -d ${D}${systemd_unitdir}/system + install -m 0644 ${WORKDIR}/apache2.service ${D}${systemd_unitdir}/system + sed -i -e 's,@SBINDIR@,${sbindir},g' ${D}${systemd_unitdir}/system/apache2.service + sed -i -e 's,@BASE_BINDIR@,${base_bindir},g' ${D}${systemd_unitdir}/system/apache2.service + elif ${@bb.utils.contains('DISTRO_FEATURES', 'sysvinit', 'true', 'false', d)}; then + install -d ${D}${sysconfdir}/default/volatiles + install -m 0644 ${WORKDIR}/volatiles.04_apache2 ${D}${sysconfdir}/default/volatiles/04_apache2 + fi + + rm -rf ${D}${localstatedir} ${D}${sbindir}/envvars* + chown -R root:root ${D} +} + +do_install_append_class-native() { + install -d ${D}${bindir} ${D}${libdir} + install -m 755 server/gen_test_char ${D}${bindir} +} + +SYSROOT_PREPROCESS_FUNCS_append_class-target = " apache_sysroot_preprocess" + +apache_sysroot_preprocess() { + install -d ${SYSROOT_DESTDIR}${bindir_crossscripts} + install -m 755 ${D}${bindir}/apxs ${SYSROOT_DESTDIR}${bindir_crossscripts} + install -d ${SYSROOT_DESTDIR}${sbindir} + install -m 755 ${D}${sbindir}/apachectl ${SYSROOT_DESTDIR}${sbindir} + sed -i 's!my $installbuilddir = .*!my $installbuilddir = "${STAGING_DIR_HOST}/${datadir}/${BPN}/build";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs + sed -i 's!my $libtool = .*!my $libtool = "${STAGING_BINDIR_CROSS}/${HOST_SYS}-libtool";!' ${SYSROOT_DESTDIR}${bindir_crossscripts}/apxs + + sed -i 's!^APR_CONFIG = .*!APR_CONFIG = ${STAGING_BINDIR_CROSS}/apr-1-config!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk + sed -i 's!^APU_CONFIG = .*!APU_CONFIG = ${STAGING_BINDIR_CROSS}/apu-1-config!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk + sed -i 's!^includedir = .*!includedir = ${STAGING_INCDIR}/apache2!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk + sed -i 's!^CFLAGS = -I[^ ]*!CFLAGS = -I${STAGING_INCDIR}/openssl!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk + sed -i 's!^EXTRA_LDFLAGS = .*!EXTRA_LDFLAGS = -L${STAGING_LIBDIR}!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk + sed -i 's!^EXTRA_INCLUDES = .*!EXTRA_INCLUDES = -I$(includedir) -I. -I${STAGING_INCDIR}!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk + sed -i 's!--sysroot=[^ ]*!--sysroot=${STAGING_DIR_HOST}!' ${SYSROOT_DESTDIR}${datadir}/${BPN}/build/config_vars.mk +} + +# Implications - used by update-rc.d scripts +INITSCRIPT_NAME = "apache2" +INITSCRIPT_PARAMS = "defaults 91 20" + +SYSTEMD_SERVICE_${PN} = "apache2.service" +SYSTEMD_AUTO_ENABLE_${PN} = "enable" + +ALTERNATIVE_${PN}-doc = "htpasswd.1" +ALTERNATIVE_LINK_NAME[htpasswd.1] = "${mandir}/man1/htpasswd.1" + +PACKAGES = "${PN}-scripts ${PN}-doc ${PN}-dev ${PN}-dbg ${PN}" + +CONFFILES_${PN} = "${sysconfdir}/${BPN}/httpd.conf \ + ${sysconfdir}/${BPN}/magic \ + ${sysconfdir}/${BPN}/mime.types \ + ${sysconfdir}/${BPN}/extra/*" + +# We override here rather than append so that .so links are +# included in the runtime package rather than here (-dev) +# and to get build, icons, error into the -dev package +FILES_${PN}-dev = "${datadir}/${BPN}/build \ + ${datadir}/${BPN}/icons \ + ${datadir}/${BPN}/error \ + ${includedir}/${BPN} \ + ${bindir}/apxs \ + " + +# Add the manual to -doc +FILES_${PN}-doc += " ${datadir}/${BPN}/manual" + +FILES_${PN}-scripts += "${bindir}/dbmmanage" + +# Override this too - here is the default, less datadir +FILES_${PN} = "${bindir} ${sbindir} ${libexecdir} ${libdir} \ + ${sysconfdir} ${libdir}/${BPN}" + +# We want htdocs and cgi-bin to go with the binary +FILES_${PN} += "${datadir}/${BPN}/ ${libdir}/cgi-bin" + +FILES_${PN}-dbg += "${libdir}/${BPN}/modules/.debug" + +RDEPENDS_${PN} += "openssl libgcc" +RDEPENDS_${PN}-scripts += "perl ${PN}" +RDEPENDS_${PN}-dev = "perl" + +BBCLASSEXTEND = "native" + +pkg_postinst_${PN}() { + if [ -z "$D" ]; then + if type systemd-tmpfiles >/dev/null; then + systemd-tmpfiles --create + elif [ -e ${sysconfdir}/init.d/populate-volatile.sh ]; then + ${sysconfdir}/init.d/populate-volatile.sh update + fi + fi +} |