TLD Linux GIT Repositories - packages/apache.git/commitdiff
- updated to 2.4.65
authorMarcin Krol <hawk@tld-linux.org>
Wed, 13 Aug 2025 11:47:27 +0000 (13:47 +0200)
committerMarcin Krol <hawk@tld-linux.org>
Wed, 13 Aug 2025 11:47:27 +0000 (13:47 +0200)
apache-v6only-ENOPROTOOPT.patch
apache.spec
httpd-2.2.x-mod_ssl-sessioncaching.patch [deleted file]

index ba6da25284ad6e5ec91fbb7a00d1df5af53f57dc..418d6cac8c95ee9443e5a4084df4cbcc367dfa56 100644 (file)
@@ -1,12 +1,12 @@
---- httpd-2.0.48/server/listen.c.orig  Mon Mar 31 06:30:52 2003
-+++ httpd-2.0.48/server/listen.c       Wed Mar  3 12:05:09 2004
-@@ -76,7 +76,7 @@
+diff -ruNp httpd-2.4.64.orig/server/listen.c httpd-2.4.64/server/listen.c
+--- httpd-2.4.64.orig/server/listen.c  2025-06-04 11:41:25.000000000 +0200
++++ httpd-2.4.64/server/listen.c       2025-07-10 20:14:55.139703494 +0200
+@@ -163,7 +163,7 @@ static apr_status_t make_sock(apr_pool_t
  #if APR_HAVE_IPV6
-     if (server->bind_addr->family == APR_INET6) {
-         stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting);
--        if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) {
-+        if (stat != APR_SUCCESS && stat != APR_ENOTIMPL && stat != ENOPROTOOPT) {
-             ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069)
-                           "make_sock: for address %pI, apr_socket_opt_set: "
-                           "(IPV6_V6ONLY)",
-
+         if (server->bind_addr->family == APR_INET6) {
+             stat = apr_socket_opt_set(s, APR_IPV6_V6ONLY, v6only_setting);
+-            if (stat != APR_SUCCESS && stat != APR_ENOTIMPL) {
++            if (stat != APR_SUCCESS && stat != APR_ENOTIMPL && stat != ENOPROTOOPT) {
+                 ap_log_perror(APLOG_MARK, APLOG_CRIT, stat, p, APLOGNO(00069)
+                               "make_sock: for address %pI, apr_socket_opt_set: "
+                               "(IPV6_V6ONLY)",
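Review bot: With `stat != ENOPROTOOPT` in the condition, a kernel that rejects IPV6_V6ONLY leaves the listening socket on its platform default and make_sock carries on without a log line, so an operator cannot tell that the v6only setting was not applied. This matters for address-based access rules, because v4-mapped peers may then arrive on the IPv6 listener (inferred; it depends on the platform default and on the `--disable-v4-mapped` build option). I would keep the tolerance but make it visible, with an `else if (stat == APR_FROM_OS_ERROR(ENOPROTOOPT))` branch that calls `ap_log_perror(APLOG_MARK, APLOG_WARNING, stat, p, ...)`. Using `APR_FROM_OS_ERROR(ENOPROTOOPT)` in the first test as well keeps the comparison in APR's status space instead of relying on raw errno values matching. The body of the `if` and the rest of make_sock lie outside the hunk.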
index 430f3b76d98cfc94c793e13172ded1a00bc148cb..7ac2f0b27ca29622a70596a596fc228cd37cb88d 100644 (file)
@@ -34,12 +34,12 @@ Summary(pt_BR.UTF-8):       Servidor HTTPD para prover serviços WWW
 Summary(ru.UTF-8):     Самый популярный веб-сервер
 Summary(tr.UTF-8):     Lider WWW tarayıcı
 Name:          apache
-Version:       2.4.63
+Version:       2.4.65
 Release:       1
 License:       Apache v2.0
 Group:         Networking/Daemons/HTTP
 Source0:       http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
-# Source0-md5: 8b5ee2a61d569a3eacec5778e7f20e13
+# Source0-md5: 7274bb6fa215925fd697451a0f133483
 Source1:       %{name}.init
 Source2:       %{name}.logrotate
 Source3:       %{name}.sysconfig
@@ -87,9 +87,6 @@ Patch20:      %{name}-apxs.patch
 # Relaxed version of suexec. If called as suexec.fcgi don't check uid/gid against file owner.
 # Required by our patched mod_fcgid to run php as fcgi via suexec.
 Patch23:       %{name}-suexec_fcgi.patch
-# http://scripts.mit.edu/trac/browser/trunk/server/common/patches/httpd-2.2.x-mod_ssl-sessioncaching.patch?rev=1348
-Patch25:       httpd-2.2.x-mod_ssl-sessioncaching.patch
-Patch26:       %{name}-mod_vhost_alias_docroot.patch
 Patch29:       libtool-tag.patch
 URL:           http://httpd.apache.org/
 BuildRequires: apr-devel >= %{apr_ver}
@@ -112,7 +109,7 @@ BuildRequires:      pkgconfig
 BuildRequires: rpm >= 4.4.9-56
 BuildRequires: rpm-build >= 4.4.0
 BuildRequires: rpm-perlprov >= 4.1-13
-BuildRequires: rpmbuild(macros) >= 1.647
+BuildRequires: rpmbuild(macros) >= 2.043
 BuildRequires: sed >= 4.0
 BuildRequires: zlib-devel
 Requires:      %{name}-errordocs = %{version}-%{release}
@@ -2667,28 +2664,24 @@ Dwa programy testowe/przykładowe cgi: test-cgi and print-env.
 
 %prep
 %setup -q -n httpd-%{version}
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
+%patch -P0 -p1
+%patch -P1 -p1
+%patch -P2 -p1
+%patch -P3 -p1
+%patch -P4 -p1
 
-%patch7 -p1
+%patch -P7 -p1
 
-%patch10 -p1
+%patch -P10 -p1
 
-%patch14 -p1
-%patch15 -p1
-%patch18 -p1
-%patch19 -p1
-%patch20 -p1
-%patch23 -p1
+%patch -P14 -p1
+%patch -P15 -p1
+%patch -P18 -p1
+%patch -P19 -p1
+%patch -P20 -p1
+%patch -P23 -p1
 
-# ?
-#%patch25 -p1
-# ?
-#%patch26 -p1
-%patch29 -p1
+%patch -P29 -p1
 
 # sanity check
 MODULES_API=`awk '/#define MODULE_MAGIC_NUMBER_MAJOR/ {print $3}' include/ap_mmn.h`
@@ -2720,7 +2713,8 @@ cd ../..
 
 CPPFLAGS="-DMAX_SERVER_LIMIT=200000 -DBIG_SECURITY_HOLE=1"
 install -d build; cd build
-../%configure \
+%define configuredir ..
+%configure \
        --enable-layout=TLD \
        --disable-systemd \
        --disable-v4-mapped \
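Review bot: The `CPPFLAGS` line kept as context just above the rewritten `%configure` call still builds httpd with `-DBIG_SECURITY_HOLE=1`, the define that removes httpd's refusal to run with `User root`, and nothing visible in the spec explains why the package needs it. A comment on that line, for example `# BIG_SECURITY_HOLE lets httpd accept User root; required by <reason>`, would make the flag a recorded decision that is re-checked on each version bump rather than carried silently. On the new lines, `%define configuredir ..` stays defined for the rest of the spec, so any later `%configure` would pick it up as well. A short comment tying it to the raised `rpmbuild(macros) >= 2.043` requirement (if that is the release that introduced `configuredir`) would make the dependency explicit.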
diff --git a/httpd-2.2.x-mod_ssl-sessioncaching.patch b/httpd-2.2.x-mod_ssl-sessioncaching.patch
deleted file mode 100644 (file)
index f0ee0a3..0000000
+++ /dev/null
@@ -1,176 +0,0 @@
-Index: httpd-2.2.x/modules/ssl/ssl_private.h
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_private.h      (revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_private.h      (working copy)
-@@ -395,6 +395,9 @@ typedef struct {
- #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-     const char     *szCryptoDevice;
- #endif
-+#ifndef OPENSSL_NO_TLSEXT
-+    ssl_enabled_t  session_tickets_enabled;
-+#endif
-     struct {
-         void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
-     } rCtx;
-@@ -545,6 +548,7 @@ const char  *ssl_cmd_SSLRequire(cmd_parm
- const char  *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
- const char  *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
- const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
-+const char  *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *cdfg, int flag);
- const char  *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
- const char  *ssl_cmd_SSLProxyProtocol(cmd_parms *, void *, const char *);
-Index: httpd-2.2.x/modules/ssl/ssl_engine_init.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_init.c  (revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_init.c  (working copy)
-@@ -382,6 +382,15 @@ static void ssl_init_ctx_tls_extensions(
-         ssl_log_ssl_error(APLOG_MARK, APLOG_ERR, s);
-         ssl_die();
-     }
-+
-+    /*
-+     * Session tickets (stateless resumption)
-+     */
-+    if ((myModConfig(s))->session_tickets_enabled == SSL_ENABLED_FALSE) {
-+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
-+                     "Disabling TLS session ticket support");
-+        SSL_CTX_set_options(mctx->ssl_ctx, SSL_OP_NO_TICKET);
-+    }
- }
- #endif
-@@ -1018,6 +1027,11 @@ void ssl_init_CheckServers(server_rec *b
-     BOOL conflict = FALSE;
-+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
-+    unsigned char *tlsext_tick_keys = NULL;
-+    long tick_keys_len;
-+#endif
-+
-     /*
-      * Give out warnings when a server has HTTPS configured
-      * for the HTTP port or vice versa
-@@ -1042,6 +1056,25 @@ void ssl_init_CheckServers(server_rec *b
-                          ssl_util_vhostid(p, s),
-                          DEFAULT_HTTP_PORT, DEFAULT_HTTPS_PORT);
-         }
-+
-+#if !defined(OPENSSL_NO_TLSEXT) && OPENSSL_VERSION_NUMBER < 0x009080d0
-+        /*
-+         * When using OpenSSL versions 0.9.8f through 0.9.8l, configure
-+         * the same ticket encryption parameters for every SSL_CTX (workaround
-+         * for SNI+SessionTicket extension interoperability issue in these versions)
-+         */
-+        if ((sc->enabled == SSL_ENABLED_TRUE) ||
-+            (sc->enabled == SSL_ENABLED_OPTIONAL)) {
-+            if (!tlsext_tick_keys) {
-+                tick_keys_len = SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
-+                                                               (-1),(NULL));
-+                tlsext_tick_keys = (unsigned char *)apr_palloc(p, tick_keys_len);
-+                RAND_bytes(tlsext_tick_keys, tick_keys_len);
-+            }
-+            SSL_CTX_ctrl((sc->server->ssl_ctx),SSL_CTRL_SET_TLSEXT_TICKET_KEYS,
-+                                           (tick_keys_len),(tlsext_tick_keys));
-+        }
-+#endif
-     }
-     /*
-Index: httpd-2.2.x/modules/ssl/ssl_engine_config.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_config.c        (revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_config.c        (working copy)
-@@ -75,6 +75,9 @@ SSLModConfigRec *ssl_config_global_creat
- #if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT)
-     mc->szCryptoDevice         = NULL;
- #endif
-+#ifndef OPENSSL_NO_TLSEXT
-+    mc->session_tickets_enabled = SSL_ENABLED_UNSET;
-+#endif
-     memset(mc->pTmpKeys, 0, sizeof(mc->pTmpKeys));
-@@ -1471,6 +1474,26 @@ const char  *ssl_cmd_SSLStrictSNIVHostCh
- #endif
- }
-+const char *ssl_cmd_SSLSessionTicketExtension(cmd_parms *cmd, void *dcfg, int flag)
-+{
-+#ifndef OPENSSL_NO_TLSEXT
-+    const char *err;
-+    SSLModConfigRec *mc = myModConfig(cmd->server);
-+
-+    if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
-+        return err;
-+    }
-+
-+    mc->session_tickets_enabled = flag ? SSL_ENABLED_TRUE : SSL_ENABLED_FALSE;
-+
-+    return NULL;
-+#else
-+    return "SSLSessionTicketExtension failed; OpenSSL is not built with support "
-+           "for TLS extensions. Refer to the documentation, and build "
-+           "a compatible version of OpenSSL.";
-+#endif
-+}
-+
- void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
- {
-     if (!ap_exists_config_define("DUMP_CERTS")) {
-Index: httpd-2.2.x/modules/ssl/ssl_engine_kernel.c
-===================================================================
---- httpd-2.2.x/modules/ssl/ssl_engine_kernel.c        (revision 833672)
-+++ httpd-2.2.x/modules/ssl/ssl_engine_kernel.c        (working copy)
-@@ -29,6 +29,7 @@
-                                   time I was too famous.''
-                                             -- Unknown                */
- #include "ssl_private.h"
-+#include "util_md5.h"
- static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
- #ifndef OPENSSL_NO_TLSEXT
-@@ -2010,6 +2011,7 @@ static int ssl_find_vhost(void *serverna
-     apr_array_header_t *names;
-     int i;
-     SSLConnRec *sslcon;
-+    char *sid_ctx;
-     /* check ServerName */
-     if (!strcasecmp(servername, s->server_hostname)) {
-@@ -2074,6 +2076,21 @@ static int ssl_find_vhost(void *serverna
-             SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-                            SSL_CTX_get_verify_callback(ssl->ctx));
-         }
-+        /*
-+         * Adjust the session id context. ssl_init_ssl_connection()
-+         * always picks the configuration of the first vhost when
-+         * calling SSL_new(), but we want to tie the session to the
-+         * vhost we have just switched to. Again, we have to make sure
-+         * that we're not overwriting a session id context which was
-+         * possibly set in ssl_hook_Access(), before triggering
-+         * a renegotation.
-+         */
-+        if (!SSL_num_renegotiations(ssl)) {
-+            sid_ctx = ap_md5_binary(c->pool, (unsigned char*)sc->vhost_id,
-+                                    sc->vhost_id_len);
-+            SSL_set_session_id_context(ssl, (unsigned char *)sid_ctx,
-+                                       APR_MD5_DIGESTSIZE*2);
-+        }
-         /*
-          * Save the found server into our SSLConnRec for later
-Index: httpd-2.2.x/modules/ssl/mod_ssl.c
-===================================================================
---- httpd-2.2.x/modules/ssl/mod_ssl.c  (revision 833672)
-+++ httpd-2.2.x/modules/ssl/mod_ssl.c  (working copy)
-@@ -92,6 +92,8 @@ static const command_rec ssl_config_cmds
-     SSL_CMD_SRV(RandomSeed, TAKE23,
-                 "SSL Pseudo Random Number Generator (PRNG) seeding source "
-                 "(`startup|connect builtin|file:/path|exec:/path [bytes]')")
-+    SSL_CMD_SRV(SessionTicketExtension, FLAG,
-+                "TLS Session Ticket extension support")
-     /*
-      * Per-server context configuration directives