apache: security bump to 2.4.43
This minor version bump fixes: CVE-2020-1934 CVE-2020-1927 Upstream added cross-compile compatibility to apxs, so we can drop a sed script. Upstream also added the OpenWrt layout, so we can drop our local copy. The OpenSSL patch to remove deprecated symbols doesn't apply anymore and gets removed. Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This commit is contained in:
Sebastian Kemper
parent
18cf4a15ca
commit
fbe213f61f
|
|
@ -8,13 +8,13 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=apache
|
||||
PKG_VERSION:=2.4.41
|
||||
PKG_RELEASE:=6
|
||||
PKG_VERSION:=2.4.43
|
||||
PKG_RELEASE:=1
|
||||
PKG_SOURCE_NAME:=httpd
|
||||
|
||||
PKG_SOURCE:=$(PKG_SOURCE_NAME)-$(PKG_VERSION).tar.bz2
|
||||
PKG_SOURCE_URL:=@APACHE/httpd/
|
||||
PKG_HASH:=133d48298fe5315ae9366a0ec66282fa4040efa5d566174481077ade7d18ea40
|
||||
PKG_HASH:=a497652ab3fc81318cdc2a203090a999150d86461acff97c1065dc910fe10f43
|
||||
|
||||
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_SOURCE_NAME)-$(PKG_VERSION)
|
||||
|
||||
|
|
@ -271,11 +271,6 @@ CONFIGURE_VARS += \
|
|||
ac_cv_gettid=yes \
|
||||
ap_cv_void_ptr_lt_long=no
|
||||
|
||||
define Build/Prepare
|
||||
$(call Build/Prepare/Default)
|
||||
$(INSTALL_DATA) ./files/openwrt.layout $(PKG_BUILD_DIR)/config.layout
|
||||
endef
|
||||
|
||||
define Build/InstallDev
|
||||
$(INSTALL_DIR) $(1)/usr/bin
|
||||
$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/apxs $(1)/usr/bin
|
||||
|
|
@ -286,8 +281,6 @@ define Build/InstallDev
|
|||
$(INSTALL_DIR) $(1)/usr/share/apache2/build
|
||||
$(CP) $(PKG_INSTALL_DIR)/usr/share/apache2/build/* \
|
||||
$(1)/usr/share/apache2/build
|
||||
$(SED) 's%/usr/share/apache2/build%$(STAGING_DIR)/usr/share/apache2/build%' \
|
||||
$(1)/usr/bin/apxs
|
||||
$(SED) 's%^prefix =.*%prefix = $(STAGING_DIR)/usr%' \
|
||||
$(1)/usr/share/apache2/build/config_vars.mk
|
||||
endef
|
||||
|
|
|
|||
|
|
@ -1,24 +0,0 @@
|
|||
|
||||
<Layout OpenWrt>
|
||||
prefix: /usr
|
||||
exec_prefix: ${prefix}
|
||||
bindir: ${prefix}/bin
|
||||
sbindir: ${prefix}/sbin
|
||||
libdir: ${prefix}/lib
|
||||
libexecdir: ${prefix}/lib+
|
||||
mandir: ${prefix}/share/man
|
||||
sysconfdir: /etc+
|
||||
datadir: ${prefix}/share+
|
||||
installbuilddir: ${datadir}/build
|
||||
errordir: ${datadir}/error
|
||||
iconsdir: ${datadir}/icons
|
||||
htdocsdir: ${datadir}/htdocs
|
||||
manualdir: /usr/share/doc/apache2/manual
|
||||
cgidir: ${datadir}/cgi-bin
|
||||
includedir: ${prefix}/include+
|
||||
localstatedir: /var
|
||||
runtimedir: ${localstatedir}/run+
|
||||
logfiledir: ${localstatedir}/log+
|
||||
proxycachedir: ${localstatedir}/cache/apache2
|
||||
</Layout>
|
||||
|
||||
|
|
@ -1,177 +0,0 @@
|
|||
--- a/modules/ssl/mod_ssl.c
|
||||
+++ b/modules/ssl/mod_ssl.c
|
||||
@@ -328,6 +328,7 @@ static int modssl_is_prelinked(void)
|
||||
|
||||
static apr_status_t ssl_cleanup_pre_config(void *data)
|
||||
{
|
||||
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
||||
/*
|
||||
* Try to kill the internals of the SSL library.
|
||||
*/
|
||||
@@ -343,11 +344,9 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
|
||||
#ifndef OPENSSL_NO_COMP
|
||||
SSL_COMP_free_compression_methods();
|
||||
-#endif
|
||||
#endif
|
||||
|
||||
/* Usually needed per thread, but this parent process is single-threaded */
|
||||
-#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x1000000fL
|
||||
ERR_remove_thread_state(NULL);
|
||||
#else
|
||||
@@ -376,6 +375,7 @@ static apr_status_t ssl_cleanup_pre_config(void *data)
|
||||
* (when enabled) at this late stage in the game:
|
||||
* CRYPTO_mem_leaks_fp(stderr);
|
||||
*/
|
||||
+#endif
|
||||
return APR_SUCCESS;
|
||||
}
|
||||
|
||||
@@ -400,14 +400,16 @@ static int ssl_hook_pre_config(apr_pool_t *pconf,
|
||||
#else
|
||||
OPENSSL_malloc_init();
|
||||
#endif
|
||||
+#if MODSSL_USE_OPENSSL_PRE_1_1_API
|
||||
ERR_load_crypto_strings();
|
||||
SSL_load_error_strings();
|
||||
SSL_library_init();
|
||||
+ OpenSSL_add_all_algorithms();
|
||||
+ OPENSSL_load_builtin_modules();
|
||||
+#endif
|
||||
#if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
|
||||
ENGINE_load_builtin_engines();
|
||||
#endif
|
||||
- OpenSSL_add_all_algorithms();
|
||||
- OPENSSL_load_builtin_modules();
|
||||
|
||||
if (OBJ_txt2nid("id-on-dnsSRV") == NID_undef) {
|
||||
(void)OBJ_create("1.3.6.1.5.5.7.8.7", "id-on-dnsSRV",
|
||||
--- a/modules/ssl/ssl_engine_init.c
|
||||
+++ b/modules/ssl/ssl_engine_init.c
|
||||
@@ -88,6 +88,8 @@ static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
|
||||
|
||||
return 1;
|
||||
}
|
||||
+
|
||||
+#define OpenSSL_version_num SSLeay
|
||||
#endif
|
||||
|
||||
/*
|
||||
@@ -223,7 +225,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
|
||||
apr_status_t rv;
|
||||
apr_array_header_t *pphrases;
|
||||
|
||||
- if (SSLeay() < MODSSL_LIBRARY_VERSION) {
|
||||
+ if (OpenSSL_version_num() < MODSSL_LIBRARY_VERSION) {
|
||||
ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882)
|
||||
"Init: this version of mod_ssl was compiled against "
|
||||
"a newer library (%s, version currently loaded is %s)"
|
||||
--- a/modules/ssl/ssl_engine_io.c
|
||||
+++ b/modules/ssl/ssl_engine_io.c
|
||||
@@ -1255,9 +1255,9 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
|
||||
if (dc->proxy->ssl_check_peer_expire != FALSE) {
|
||||
if (!cert
|
||||
|| (X509_cmp_current_time(
|
||||
- X509_get_notBefore(cert)) >= 0)
|
||||
+ X509_get0_notBefore(cert)) >= 0)
|
||||
|| (X509_cmp_current_time(
|
||||
- X509_get_notAfter(cert)) <= 0)) {
|
||||
+ X509_get0_notAfter(cert)) <= 0)) {
|
||||
proxy_ssl_check_peer_ok = FALSE;
|
||||
ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c, APLOGNO(02004)
|
||||
"SSL Proxy: Peer certificate is expired");
|
||||
--- a/modules/ssl/ssl_engine_log.c
|
||||
+++ b/modules/ssl/ssl_engine_log.c
|
||||
@@ -163,10 +163,10 @@ static void ssl_log_cert_error(const char *file, int line, int level,
|
||||
BIO_puts(bio, "(ERROR)");
|
||||
|
||||
BIO_puts(bio, " / notbefore: ");
|
||||
- ASN1_TIME_print(bio, X509_get_notBefore(cert));
|
||||
+ ASN1_TIME_print(bio, X509_get0_notBefore(cert));
|
||||
|
||||
BIO_puts(bio, " / notafter: ");
|
||||
- ASN1_TIME_print(bio, X509_get_notAfter(cert));
|
||||
+ ASN1_TIME_print(bio, X509_get0_notAfter(cert));
|
||||
|
||||
BIO_puts(bio, "]");
|
||||
|
||||
--- a/modules/ssl/ssl_engine_vars.c
|
||||
+++ b/modules/ssl/ssl_engine_vars.c
|
||||
@@ -495,13 +495,13 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
|
||||
result = ssl_var_lookup_ssl_cert_serial(p, xs);
|
||||
}
|
||||
else if (strcEQ(var, "V_START")) {
|
||||
- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notBefore(xs));
|
||||
+ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notBefore(xs));
|
||||
}
|
||||
else if (strcEQ(var, "V_END")) {
|
||||
- result = ssl_var_lookup_ssl_cert_valid(p, X509_get_notAfter(xs));
|
||||
+ result = ssl_var_lookup_ssl_cert_valid(p, X509_getm_notAfter(xs));
|
||||
}
|
||||
else if (strcEQ(var, "V_REMAIN")) {
|
||||
- result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs));
|
||||
+ result = ssl_var_lookup_ssl_cert_remain(p, X509_getm_notAfter(xs));
|
||||
resdup = FALSE;
|
||||
}
|
||||
else if (*var && strcEQ(var+1, "_DN")) {
|
||||
--- a/modules/ssl/ssl_private.h
|
||||
+++ b/modules/ssl/ssl_private.h
|
||||
@@ -92,6 +92,8 @@
|
||||
#include <openssl/x509.h>
|
||||
#include <openssl/pem.h>
|
||||
#include <openssl/crypto.h>
|
||||
+#include <openssl/bn.h>
|
||||
+#include <openssl/dh.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/x509v3.h>
|
||||
@@ -234,6 +236,10 @@
|
||||
#define BIO_get_shutdown(x) (x->shutdown)
|
||||
#define BIO_set_shutdown(x,v) (x->shutdown=v)
|
||||
#define DH_bits(x) (BN_num_bits(x->p))
|
||||
+#define X509_get0_notBefore X509_get_notBefore
|
||||
+#define X509_get0_notAfter X509_get_notAfter
|
||||
+#define X509_getm_notBefore X509_get_notBefore
|
||||
+#define X509_getm_notAfter X509_get_notAfter
|
||||
#else
|
||||
void init_bio_methods(void);
|
||||
void free_bio_methods(void);
|
||||
--- a/support/ab.c
|
||||
+++ b/support/ab.c
|
||||
@@ -205,6 +205,10 @@ typedef STACK_OF(X509) X509_STACK_TYPE;
|
||||
#define SSL_CTX_set_max_proto_version(ctx, version) \
|
||||
SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL)
|
||||
#endif
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
+#define X509_get0_notBefore X509_get_notBefore
|
||||
+#define X509_get0_notAfter X509_get_notAfter
|
||||
+#endif
|
||||
#endif
|
||||
|
||||
#include <math.h>
|
||||
@@ -652,11 +656,11 @@ static void ssl_print_cert_info(BIO *bio, X509 *cert)
|
||||
|
||||
BIO_printf(bio, "Certificate version: %ld\n", X509_get_version(cert)+1);
|
||||
BIO_printf(bio,"Valid from: ");
|
||||
- ASN1_UTCTIME_print(bio, X509_get_notBefore(cert));
|
||||
+ ASN1_UTCTIME_print(bio, X509_get0_notBefore(cert));
|
||||
BIO_printf(bio,"\n");
|
||||
|
||||
BIO_printf(bio,"Valid to : ");
|
||||
- ASN1_UTCTIME_print(bio, X509_get_notAfter(cert));
|
||||
+ ASN1_UTCTIME_print(bio, X509_get0_notAfter(cert));
|
||||
BIO_printf(bio,"\n");
|
||||
|
||||
pk = X509_get_pubkey(cert);
|
||||
@@ -2634,8 +2638,10 @@ int main(int argc, const char * const argv[])
|
||||
CRYPTO_malloc_init();
|
||||
#endif
|
||||
#endif
|
||||
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||
SSL_load_error_strings();
|
||||
SSL_library_init();
|
||||
+#endif
|
||||
bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
|
||||
bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
|
||||
|
||||
Loading…
Reference in New Issue