author | 2008-06-01 12:09:51 +0000 | |
---|---|---|
committer | 2008-06-01 12:09:51 +0000 | |
commit | b5a5faba8e00e63fbc2b0c675aa62a57e5b7231d (patch) | |
tree | 7004432662c3a1ee23ab84822630650edca781df | |
parent | fix #110556, #209095, #212837 (diff) | |
add mod_ssl patch wrt security #222643; add configdump to init script
-rwxr-xr-x | 2.2/init/apache2.initd | 20 | ||||
-rw-r--r-- | 2.2/patches/05_all_mod_ssl_cleanup.patch | 26 |
2 files changed, 45 insertions, 1 deletions
diff --git a/2.2/init/apache2.initd b/2.2/init/apache2.initd
index b3dd8d5..2638c87 100755
--- a/2.2/init/apache2.initd
+++ b/2.2/init/apache2.initd
@@ -2,7 +2,7 @@
 # Copyright 1999-2007 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-opts="configtest fullstatus graceful gracefulstop modules reload"
+opts="configdump configtest fullstatus graceful gracefulstop modules reload"
 
 depend() {
 need net
@@ -144,4 +144,22 @@ fullstatus() {
 fi
 }
 
+configdump() {
+ LYNX="${LYNX:-lynx -dump}"
+ INFOURL="${INFOURL:-http://localhost/server-info}"
+
+ checkconfd || return 1
+
+ if ! service_started "${SVCNAME}"; then
+ eerror "${SVCNAME} not started"
+ elif ! type -p ${LYNX} 2>&1 >/dev/null; then
+ eerror "lynx not found! you need to emerge www-client/lynx"
+ else
+ echo "${APACHE2} started with '${APACHE2_OPTS}'"
+ for i in config server list; do
+ ${LYNX} "${INFOURL}/?${i}" | sed '/Apache Server Information/d;/^[[:space:]]\+[_]\+$/Q'
+ done
+ fi
+}
+
 # vim: ts=4 filetype=gentoo-init-d
diff --git a/2.2/patches/05_all_mod_ssl_cleanup.patch b/2.2/patches/05_all_mod_ssl_cleanup.patch
new file mode 100644
index 0000000..b296ada
--- /dev/null
+++ b/2.2/patches/05_all_mod_ssl_cleanup.patch
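Review bot: The lynx availability check in the new configdump() does not test what it appears to: `2>&1 >/dev/null` sends type's error text to the original stdout and only stdout to /dev/null, and with the default `LYNX="lynx -dump"` the unquoted expansion hands `-dump` to `type` as a second name to look up, so the branch can report "lynx not found" even when lynx is installed (this depends on how the shell's `type` treats trailing words, but it fails in bash, which runscript uses). Test the command word alone and order the redirections so both streams are silenced: `elif ! type -p ${LYNX%% *} >/dev/null 2>&1; then`. Separately, the pipeline prints whatever lynx returns, so when mod_info is not loaded or server-info is access-restricted the error page is dumped as if it were configuration; checking the lynx exit status (`set -o pipefail` is not available to this script, so test `${PIPESTATUS[0]}` after the pipeline) and printing an eerror instead would make the failure visible.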
@@ -0,0 +1,26 @@
+--- httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:16:38 654118
++++ httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:17:31 654119
+@@ -218,17 +218,18 @@
+ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES
+ ENGINE_cleanup();
+ #endif
+-#ifdef HAVE_OPENSSL
+-#if OPENSSL_VERSION_NUMBER >= 0x00907001
+- CRYPTO_cleanup_all_ex_data();
+-#endif
+-#endif
+ ERR_remove_state(0);
+ 
+ /* Don't call ERR_free_strings here; ERR_load_*_strings only
+ * actually load the error strings once per process due to static
+ * variable abuse in OpenSSL. */
+ 
++ /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered
++ * ex_data indices may have been cached in static variables in
++ * OpenSSL; removing them may cause havoc. Notably, with OpenSSL
++ * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which
++ * could result in a per-connection memory leak (!). */
++
+ /*
+ * TODO: determine somewhere we can safely shove out diagnostics
+ * (when enabled) at this late stage in the game: |
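Review bot: The new patch file records neither where it comes from nor why it is applied, so the next version bump cannot tell whether it is still needed or already upstream; the inner `---`/`+++` lines point at httpd trunk revisions 654118 to 654119 and the commit title names bug #222643, but neither fact is written into the file. Prepend a short header before the inner `---` line, e.g. `# Upstream httpd trunk r654119 (Gentoo bug #222643): stop calling CRYPTO_cleanup_all_ex_data() from the mod_ssl cleanup hook; with OpenSSL >= 0.9.8f it prevented COMP_CTX cleanups and leaked memory on every connection.` The security relevance worth stating in that header is the resource exhaustion a per-connection leak enables on a long-running server, which the commit message only alludes to. The OpenSSL cleanup function the inner hunk edits starts and ends outside the hunk.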