Commits · 06f68fdc54c72573d4b520219b87a05abb098380 · CYBER - Cyber Security / TS 103 523 MSP / TLMSP / TLMSP Apache Httpd

Nov 06, 2009

SECURITY: Partial fix for CVE-2009-3555: · 06f68fdc

Joe Orton authored Nov 06, 2009

Reject client-initiated renegotiations; this is sufficient to prevent
the attack for any configuration which does not require renegotiation
due to per-directory/per-location access control configuration.

Configuration with per-directory/per-location access control
requirements (such as "SSLVerifyClient require") are still vulnerable
to CVE-2009-3555 with this patch applied (if using OpenSSL <= 0.9.8k).

* modules/ssl/ssl_private.h (SSLConnRec): Add reneg_state field.
  (ssl_callback_Info): Renamed from ssl_callback_LogTracingState.

* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks): Install
  the (renamed) info callback unconditionally.

* modules/ssl/ssl_engine_io.c (ssl_filter_ctx_t): Add config pointer
  to SSLConnRec.
  (bio_filter_out_write, bio_filter_in_read): Fail with
  APR_ECONNABORTED if the reneg state is set to RENEG_ABORT.

* modules/ssl/ssl_engine_kernel.c (log_tracing_state): Factored out
  of ssl_callback_LogTracingState.
  (ssl_callback_Info): New function.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833582 13f79535-47bb-0310-9956-ffa450edef68

06f68fdc

Remove mod_unique_id from the default build. · e142a869

Sander Temme authored Nov 06, 2009

Reviewed by: sctemme, niq, rpluem


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833477 13f79535-47bb-0310-9956-ffa450edef68

e142a869

Update. · 14685660

Lucien Gentis authored Nov 06, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833393 13f79535-47bb-0310-9956-ffa450edef68

14685660

Touch file, SVN testing. Eeek =) · 90d15a39

Tony Stevenson authored Nov 06, 2009

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833322 13f79535-47bb-0310-9956-ffa450edef68

90d15a39

Nov 05, 2009

expose r->notes to lua · 5f638b16

Brian McCallister authored Nov 05, 2009

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833141 13f79535-47bb-0310-9956-ffa450edef68

5f638b16

seealso list in all the various docs. · 25fd826e

Richard Bowen authored Nov 05, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833139 13f79535-47bb-0310-9956-ffa450edef68

25fd826e

Little typo. · 3aeae32c

Lucien Gentis authored Nov 05, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833090 13f79535-47bb-0310-9956-ffa450edef68

3aeae32c

Moves the "canonial URL" example to remapping · 3e5660bf

Richard Bowen authored Nov 05, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@833061 13f79535-47bb-0310-9956-ffa450edef68

3e5660bf

Moves the "dynamically regenerated" rule to advanced. · 48ba0f5c

Richard Bowen authored Nov 05, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832977 13f79535-47bb-0310-9956-ffa450edef68

48ba0f5c

Removing a ruleset that not only doesn't have a description, but also · 6e1d06e9

Richard Bowen authored Nov 05, 2009

can't possibly work, since it contains a fully-qualified URL in the
RewriteRule. Feel free to revert iff you can provide a description and a
functional rule.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832976 13f79535-47bb-0310-9956-ffa450edef68

6e1d06e9

Moves the 'browser-specific' rule into remapping. · 6414ad1a

Richard Bowen authored Nov 05, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832973 13f79535-47bb-0310-9956-ffa450edef68

6414ad1a

Moves the 'sharding' rule into the 'advanced' doc. · f79cbd6b

Richard Bowen authored Nov 05, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832971 13f79535-47bb-0310-9956-ffa450edef68

f79cbd6b

I'm actually not terribly thrilled with the notion of an "advanced" doc, · a0aaa887

Richard Bowen authored Nov 05, 2009

because that's such an arbitrary designation, and I'm afraid that it
will become a catch-all. So if someone wants to do this differently, I
certainly won't object.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832962 13f79535-47bb-0310-9956-ffa450edef68

a0aaa887

Removing this rule entirely, because it's not meaningful. It relies on · 69eeefe9

Richard Bowen authored Nov 05, 2009

REMOTE_IDENT. Browsers stopped sending REMOTE_IDENT 15 years ago, and
even when they did, it wasn't trustworthy.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832952 13f79535-47bb-0310-9956-ffa450edef68

69eeefe9

* modules/ssl/ssl_toolkit_compat.h: Fix compat with older OpenSSL. · 3cd4c0dc
Joe Orton authored Nov 05, 2009
```
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832943 13f79535-47bb-0310-9956-ffa450edef68
```
3cd4c0dc

Relocates another rule. · bdea8fd3

Richard Bowen authored Nov 05, 2009

Please also note that this rule refers to before and after 1.3b6.
That's embarrassing. It would be great if someone would apply the
relevant changes to the 2.2 and 2.0 docs also.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832935 13f79535-47bb-0310-9956-ffa450edef68

bdea8fd3

Relocates another recipe, and updates it. · 78658311

Richard Bowen authored Nov 05, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832923 13f79535-47bb-0310-9956-ffa450edef68

78658311

Nov 04, 2009

* server/mpm/simple: Ignore more. · 76de104c

Joe Orton authored Nov 04, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832920 13f79535-47bb-0310-9956-ffa450edef68

76de104c

add an early note about the Pattern in a rewriterule behaving · 2eb52d33

Eric Covener authored Nov 04, 2009

counterintuitively in per-directory context. (lots of mysterious no-op 
rulesets due to ^/ in htaccess)

Tweak QSA text.



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832914 13f79535-47bb-0310-9956-ffa450edef68

2eb52d33

* modules/lua/: s/apr_strnatcmp/strcmp/ - strnat*cmp functions are · d0409ad7

Joe Orton authored Nov 04, 2009

  for natural order string sorting.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832910 13f79535-47bb-0310-9956-ffa450edef68

d0409ad7

tweak MPM configure to avoid having to grep for MPM names in lists · faf74fd0

Jeff Trawick authored Nov 04, 2009

of MPMs of some type (threaded or share-able or enabled), as suggested
by jorton

rename some MPM-related variables


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832907 13f79535-47bb-0310-9956-ffa450edef68

faf74fd0

allow setting of r->user from lua · fc682144

Brian McCallister authored Nov 04, 2009

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832905 13f79535-47bb-0310-9956-ffa450edef68

fc682144

map r->err_headers_out into lua · b26a1a45

Brian McCallister authored Nov 04, 2009

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832901 13f79535-47bb-0310-9956-ffa450edef68

b26a1a45

* server/mpm/*: Ignore generated files with MPM DSO builds. · d3de80fe

Joe Orton authored Nov 04, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832899 13f79535-47bb-0310-9956-ffa450edef68

d3de80fe

* modules/filters/mod_include.c (handle_printenv): Fix handling of · ee2071e6

Joe Orton authored Nov 04, 2009

  lazy variables, courtesy of LLVM scan-build.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832886 13f79535-47bb-0310-9956-ffa450edef68

ee2071e6

document --enable-mpms-shared · efc3ddd7

Jeff Trawick authored Nov 04, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832859 13f79535-47bb-0310-9956-ffa450edef68

efc3ddd7

Should be a leading slash on that regex. Thanks to Bob Ionescu. · bbc75883
Richard Bowen authored Nov 04, 2009
```
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832826 13f79535-47bb-0310-9956-ffa450edef68
```
bbc75883
Add a LoadModule directive for the default MPM to the conf file when building MPMs · cbe8d86e
Jeff Trawick authored Nov 04, 2009
```
as shared modules.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832778 13f79535-47bb-0310-9956-ffa450edef68
```
cbe8d86e

ServerAlias and Listen accumulate, not supercede. The latter of course is n/a to vhosts! · 50ee1c14

Eric Covener authored Nov 04, 2009

Additional rewording of vhost details.

PR48125


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832759 13f79535-47bb-0310-9956-ffa450edef68

50ee1c14

Split RewriteCond into two sections, brought TestString section up to date. · c8e6f048
Noirin Plunkett authored Nov 04, 2009
```
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832627 13f79535-47bb-0310-9956-ffa450edef68
```
c8e6f048

Nov 03, 2009

respect the MPM's indication passed on APACHE_MPM_SUPPORTED() of whether · 0b9ec23e

Jeff Trawick authored Nov 03, 2009

or not it can run as a shared library


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832621 13f79535-47bb-0310-9956-ffa450edef68

0b9ec23e

added back HAVE_OCSP define hack for non-configure platforms, but · bc133ea4

Guenter Knauf authored Nov 03, 2009

only use if HAVE_OCSP is not yet defined as suggested by rpluem.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832572 13f79535-47bb-0310-9956-ffa450edef68

bc133ea4

We now check for OCSP support in configure, so we can lose an OpenSSL version · e878f996

Sander Temme authored Nov 03, 2009

number check.  Use a type safe STACK.


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832496 13f79535-47bb-0310-9956-ffa450edef68

e878f996

Fix remaining doxygen warnings. "make dox" is now clean with doxygen · 4209614c

Daniel Earl Poirier authored Nov 03, 2009

version 1.5.8.

PR: 48093
Submitted by: Brad Hards
Reviewed by: poirier


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832442 13f79535-47bb-0310-9956-ffa450edef68

4209614c

Change the configure-based MPM build mechanism to support building · 6e1d7a8f

Jeff Trawick authored Nov 03, 2009

an MPM as a shared shared or dynamic module, primarily using the
APACHE_MPM_MODULE() function.

--enable-mpms-shared now builds/installs the MPMs as dynamic modules.
(But no LoadModule directives are added.)


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832434 13f79535-47bb-0310-9956-ffa450edef68

6e1d7a8f

--with-mpm and --enable-mpms-shared: · 075beb53

Jeff Trawick authored Nov 03, 2009

. improve messages
. check for inconsistent settings


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832429 13f79535-47bb-0310-9956-ffa450edef68

075beb53

Brind OS/2 MPM up to date with current API. · 8502b037

Brian Havard authored Nov 03, 2009


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832409 13f79535-47bb-0310-9956-ffa450edef68

8502b037

update transformation · 69c93a93

Nilgun Belma Buguner authored Nov 03, 2009

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832316 13f79535-47bb-0310-9956-ffa450edef68

69c93a93

update for sync with English docs. · 29f63c80

Nilgun Belma Buguner authored Nov 03, 2009

Translated by: Nilgün Belma Bugüner <nilgun belgeler.org>
Reviewed by: Orhan Berent <berent belgeler.org>

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832315 13f79535-47bb-0310-9956-ffa450edef68

29f63c80

fixed validation error: · 49d3b117

Nilgun Belma Buguner authored Nov 03, 2009

Attribute value "proxy-deny" of type ID must be unique within the document.
Possibly a copy&paste error

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832314 13f79535-47bb-0310-9956-ffa450edef68

49d3b117