
Bug#684567: marked as done (unblock: apache2/2.2.22-11)



Your message dated Sat, 11 Aug 2012 12:20:16 +0100
with message-id <1344684016.2978.36.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#684567: unblock: apache2/2.2.22-11
has caused the Debian Bug report #684567,
regarding unblock: apache2/2.2.22-11
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
684567: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684567
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
Severity: normal

Please unblock package apache2. I've attached a git diff of changes
since 2.2.22-9 which is currently in Testing. These are changes since then:

Close bug #682840 "Default /etc/apache2/mods-available/disk_cache.conf
is incompatible with ext3". It turned out Apache's default configuration
for mod_cache_disk does not work very well under some circumstances
causing Apache to stop service. We changed the default to a more
moderate setting. This is a non-invasive default configuration change
only. However, we need to purge the on-disk cache of users on upgrades.
This was fixed in 2.2.22-10 whereas upload 2.2.22-11 makes the handling
of the cache directory more secure to avoid link attacks.

Close bug #682401 "dbmmanage: please use Digest::SHA instead of
Digest::SHA1". The Perl modules used by dbmmanage are not shipped in
Wheezy. The patch makes dbmmanage work on Wheezy.

Switch to xz compression for .deb members. This was done upon request as
Apache might end up on Wheezy's CD1 (if we switch to Gnome again)
because gnome-user-server reverse depends on it.

Close bug #682897: "apache2: Directive "SSLProtocol" should support TLS
1.1+". Add support for TLSv1.0 and TLS in OpenSSL. The SSL Protocol
change is important because it allows administrators to work around
interoperability problems that will doubtless occur with TLS v1.[12] with
some buggy clients. Admittedly this is a heavy patch but we think it is
of great benefit to Wheezy. It was backported from upstream's Apache 2.4
branch.

unblock apache2/2.2.22-11


diff --git a/debian/apache2.2-common.postinst b/debian/apache2.2-common.postinst
index 65a565c..a730b9e 100644
--- a/debian/apache2.2-common.postinst
+++ b/debian/apache2.2-common.postinst
@@ -102,6 +102,23 @@ if [ -e /etc/apache2/disable-other-vhost-access-log.dpkg-apache2.2-common ] ; th
 	rm  /etc/apache2/disable-other-vhost-access-log.dpkg-apache2.2-common
 fi
 
+
+# Should run on upgrades from Squeeze or Testing only
+# This code existed in parts 2.2.22-10 already but it wasn't complete.
+# Thus, users of 2.2.22-10 (only in Sid) enter here as well. That's not
+# optimal, but not a problem either.
+if [ -n "$2" ] && dpkg --compare-versions "$2" lt 2.2.22-11; then
+	if [ -d /var/cache/apache2/mod_disk_cache ] ; then
+		echo "Purging old mod_disk_cache cache data in /var/cache/apache2/mod_disk_cache"
+		if [ -d /var/cache/apache2/ ] && [ "$(stat -c '%U' /var/cache/apache2/)" = "www-data" ] ; then
+			 chown root:root /var/cache/apache2/
+		fi
+		rm -rf /var/cache/apache2/mod_disk_cache
+		install -o www-data -g www-data -d /var/cache/apache2/mod_disk_cache/
+	fi
+fi
+
+
 rm -f /etc/apache2/ports.conf.dpkg-apache2.2-common.old
 rm -f /etc/default/apache2.dpkg-apache2.2-common.old
 rm -f /etc/apache2/conf.d/charset.dpkg-apache2.2-common.old
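Review bot: the ownership repair in this hunk only fires when `stat -c '%U'` reports exactly `www-data`; a parent directory owned by any other non-root account (or one whose uid has no passwd entry, where stat prints `UNKNOWN`) stays user-writable while the `rm -rf` and `install` run inside it. Since the goal is a root-owned `/var/cache/apache2/`, consider running `chown root:root /var/cache/apache2/` unconditionally inside the `[ -d ]` test, or comparing the numeric owner from `stat -c '%u'` against 0 rather than a name.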
diff --git a/debian/changelog b/debian/changelog
index 6fa1ac1..665b678 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,31 @@
+apache2 (2.2.22-11) unstable; urgency=low
+
+  * Be more careful regarding link attacks when purging the cache disk
+    directory.
+  * Change file ownership of /var/cache/apache2/ to root.
+  * Compress the data.tar in binary packages using xz to save some space on
+    installation medias (Debian only).
+
+ -- Arno Töll <arno@debian.org>  Fri, 03 Aug 2012 23:20:50 +0200
+
+apache2 (2.2.22-10) unstable; urgency=low
+
+  [ Arno Töll ]
+  * Fix "dbmmanage: please use Digest::SHA instead of Digest::SHA1" by changing
+    perl module imports to make use Digest::SHA shipped with perl 5.10 (Closes:
+    #682401)
+  * Fix "Default /etc/apache2/mods-available/disk_cache.conf is incompatible
+    with ext3" by changing the default to more moderate values. Some file
+    systems have a hard limit for the number of subdirectories in a single
+    directory. This change requires the cache directory to be purged.
+    (Closes: #682840)
+
+  [ Stefan Fritsch ]
+  * Add support for TLSv1.0 ans TLSv1.1 to SSLProtocol and SSLProxyProtocol
+    directives. Closes: #682897
+
+ -- Stefan Fritsch <sf@debian.org>  Mon, 30 Jul 2012 22:23:02 +0200
+
 apache2 (2.2.22-9) unstable; urgency=low
 
   * Fix typo in conf.d/security comment. Closes: #678740
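Review bot: the 2.2.22-10 entry under `[ Stefan Fritsch ]` reads "TLSv1.0 ans TLSv1.1", which has a typo and does not match the patch it describes (SSLProtocol-tls11-12.2.patch adds TLSv1.1 and TLSv1.2 to a directive that already accepted TLSv1); reword to "Add support for TLSv1.1 and TLSv1.2 to SSLProtocol and SSLProxyProtocol directives". Two smaller wording fixes in the same hunk: "to make use Digest::SHA" should be "to make use of Digest::SHA", and "installation medias" should be "installation media".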
diff --git a/debian/config-dir/mods-available/disk_cache.conf b/debian/config-dir/mods-available/disk_cache.conf
index 01414dc..3a7361b 100644
--- a/debian/config-dir/mods-available/disk_cache.conf
+++ b/debian/config-dir/mods-available/disk_cache.conf
@@ -14,6 +14,10 @@
 
 	#CacheEnable disk /
 
-        CacheDirLevels 5
-        CacheDirLength 3
+        # The result of CacheDirLevels * CacheDirLength must not be higher than
+        # 20. Moreover, pay attention on file system limits. Some file systems
+        # do not support more than a certain number of subdirectories in a
+        # single directory (e.g. 32000 for ext3)
+        CacheDirLevels 2
+        CacheDirLength 1
 </IfModule>
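Review bot: the new comment should read "pay attention to file system limits" rather than "pay attention on", and the added directive lines are indented with spaces while the neighbouring `#CacheEnable disk /` line uses a tab. It would also help readers to state in the comment how CacheDirLength maps to the number of subdirectories per level, so they can check the ext3 figure of 32000 against their own values instead of trusting the new defaults blindly.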
diff --git a/debian/patches/SSLProtocol-tls11-12.2.patch b/debian/patches/SSLProtocol-tls11-12.2.patch
new file mode 100644
index 0000000..3c1c925
--- /dev/null
+++ b/debian/patches/SSLProtocol-tls11-12.2.patch
@@ -0,0 +1,148 @@
+Description: Support TLSv1.1 and TLSv1.2 in SSLProtocol directive
+Forwarded: not-needed
+Author: Stefan Fritsch
+Last-Update: 2012-07-30
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682897
+#
+# This patch encompases backports from 2.4 branch;
+#
+#   http://svn.apache.org/viewvc?view=revision&revision=1222921
+#   http://svn.apache.org/viewvc?view=revision&revision=1222930
+#
+# However, it also accounts for the fact that SSLv2 support
+# remains present in httpd-2.2 branch and makes no changes
+# which changes the existing configuration behavior, with
+# the exception of adding TLS1.1 and TLS1.2 by default.)
+#
+Index: apache2/modules/ssl/ssl_private.h
+===================================================================
+--- apache2.orig/modules/ssl/ssl_private.h
++++ apache2/modules/ssl/ssl_private.h
+@@ -59,6 +59,11 @@
+ /** mod_ssl headers */
+ #include "ssl_toolkit_compat.h"
+ #include "ssl_expr.h"
++
++#ifdef SSL_OP_NO_TLSv1_2
++#define HAVE_TLSV1_X
++#endif
++
+ #include "ssl_util_ssl.h"
+ 
+ /** The #ifdef macros are only defined AFTER including the above
+@@ -218,10 +223,14 @@
+ #define SSL_PROTOCOL_SSLV2 (1<<0)
+ #define SSL_PROTOCOL_SSLV3 (1<<1)
+ #define SSL_PROTOCOL_TLSV1 (1<<2)
++#define SSL_PROTOCOL_TLSV1_1 (1<<3)
++#define SSL_PROTOCOL_TLSV1_2 (1<<4)
+ #ifndef OPENSSL_NO_SSL2
+-#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
++#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV2|SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|\
++                          SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+ #else
+-#define SSL_PROTOCOL_ALL   (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1)
++#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_SSLV3|SSL_PROTOCOL_TLSV1|\
++                          SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
+ #endif
+ typedef int ssl_proto_t;
+ 
+Index: apache2/modules/ssl/ssl_engine_init.c
+===================================================================
+--- apache2.orig/modules/ssl/ssl_engine_init.c
++++ apache2/modules/ssl/ssl_engine_init.c
+@@ -459,6 +459,10 @@
+                      (protocol & SSL_PROTOCOL_SSLV2 ? "SSLv2, " : ""),
+                      (protocol & SSL_PROTOCOL_SSLV3 ? "SSLv3, " : ""),
+                      (protocol & SSL_PROTOCOL_TLSV1 ? "TLSv1, " : ""),
++#ifdef HAVE_TLSV1_X
++                     (protocol & SSL_PROTOCOL_TLSV1_1 ? "TLSv1.1, " : ""),
++                     (protocol & SSL_PROTOCOL_TLSV1_2 ? "TLSv1.2, " : ""),
++#endif
+                      NULL);
+     cp[strlen(cp)-2] = NUL;
+ 
+@@ -474,6 +478,21 @@
+     }
+     else
+ #endif
++#ifdef HAVE_TLSV1_X
++    if (protocol == SSL_PROTOCOL_TLSV1_1) {
++        method = mctx->pkp ?
++            TLSv1_1_client_method() : /* proxy */
++            TLSv1_1_server_method();  /* server */
++        ctx = SSL_CTX_new(method);
++    }
++    else if (protocol == SSL_PROTOCOL_TLSV1_2) {
++        method = mctx->pkp ?
++            TLSv1_2_client_method() : /* proxy */
++            TLSv1_2_server_method();  /* server */
++        ctx = SSL_CTX_new(method);
++    }
++    else
++#endif
+     {
+         method = mctx->pkp ?
+             SSLv23_client_method() : /* proxy */
+@@ -497,6 +516,16 @@
+         SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
+     }
+ 
++#ifdef HAVE_TLSV1_X
++    if (!(protocol & SSL_PROTOCOL_TLSV1_1)) {
++        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
++    }
++
++    if (!(protocol & SSL_PROTOCOL_TLSV1_2)) {
++        SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
++    }
++#endif
++
+ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE
+     if (sc->cipher_server_pref == TRUE) {
+         SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+Index: apache2/modules/ssl/ssl_engine_config.c
+===================================================================
+--- apache2.orig/modules/ssl/ssl_engine_config.c
++++ apache2/modules/ssl/ssl_engine_config.c
+@@ -1286,6 +1286,14 @@
+         else if (strcEQ(w, "TLSv1")) {
+             thisopt = SSL_PROTOCOL_TLSV1;
+         }
++#ifdef HAVE_TLSV1_X
++        else if (strcEQ(w, "TLSv1.1")) {
++            thisopt = SSL_PROTOCOL_TLSV1_1;
++        }
++        else if (strcEQ(w, "TLSv1.2")) {
++            thisopt = SSL_PROTOCOL_TLSV1_2;
++        }
++#endif
+         else if (strcEQ(w, "all")) {
+             thisopt = SSL_PROTOCOL_ALL;
+         }
+Index: apache2/modules/ssl/mod_ssl.c
+===================================================================
+--- apache2.orig/modules/ssl/mod_ssl.c
++++ apache2/modules/ssl/mod_ssl.c
+@@ -142,8 +142,8 @@
+                 "SSL Session Cache object lifetime "
+                 "(`N' - number of seconds)")
+     SSL_CMD_SRV(Protocol, RAW_ARGS,
+-                "Enable or disable various SSL protocols"
+-                "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
++                "Enable or disable various SSL protocols "
++                "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+     SSL_CMD_SRV(HonorCipherOrder, FLAG,
+                 "Use the server's cipher ordering preference")
+     SSL_CMD_SRV(InsecureRenegotiation, FLAG,
+@@ -160,8 +160,8 @@
+                 "SSL switch for the proxy protocol engine "
+                 "(`on', `off')")
+     SSL_CMD_SRV(ProxyProtocol, RAW_ARGS,
+-               "SSL Proxy: enable or disable SSL protocol flavors "
+-               "(`[+-][SSLv2|SSLv3|TLSv1] ...' - see manual)")
++                "SSL Proxy: enable or disable SSL protocol flavors "
++                "('[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2] ...' - see manual)")
+     SSL_CMD_SRV(ProxyCipherSuite, TAKE1,
+                "SSL Proxy: colon-delimited list of permitted SSL ciphers "
+                "(`XXX:...:XXX' - see manual)")
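Review bot: the mod_ssl.c usage strings in this patch drop SSLv2 from the accepted token list (`[+-][SSLv3|TLSv1|TLSv1.1|TLSv1.2]`) even though the patch header says SSLv2 support stays in the 2.2 branch and `SSL_PROTOCOL_ALL` still includes `SSL_PROTOCOL_SSLV2` under `#ifndef OPENSSL_NO_SSL2`; either keep SSLv2 in the string or explain the omission in the Description. Also worth noting in the Description: the `TLSv1.1` and `TLSv1.2` keywords in ssl_engine_config.c are only parsed under `HAVE_TLSV1_X`, so a configuration using them fails to load against an OpenSSL without `SSL_OP_NO_TLSv1_2`, while the `SSL_PROTOCOL_TLSV1_1`/`SSL_PROTOCOL_TLSV1_2` bits are set by `all` unconditionally. Finally, the header text has "encompases" (encompasses), "makes no changes which changes" (which change), and a stray closing parenthesis after "by default".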
diff --git a/debian/patches/dbmmanage-perl-510.patch b/debian/patches/dbmmanage-perl-510.patch
new file mode 100644
index 0000000..0729016
--- /dev/null
+++ b/debian/patches/dbmmanage-perl-510.patch
@@ -0,0 +1,54 @@
+Description: Make use of builtin SHA1 perl routines in Perl 5.10
+Forwarded: not-needed
+Author: Arno Töll <arno@debian.org>
+Last-Update: 2012-07-23
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=682401
+--- a/support/dbmmanage.in
++++ b/support/dbmmanage.in
+@@ -20,6 +20,7 @@
+ #
+ # usage: dbmmanage <DBMfile> <command> <user> <password> <groups> <comment>
+ 
++require v5.10;
+ package dbmmanage;
+ #                               -ldb    -lndbm    -lgdbm    -lsdbm
+ BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File SDBM_File) }
+@@ -49,14 +50,15 @@
+ }
+ 
+ sub need_sha1_crypt {
+-    if (!eval ('require "Digest/SHA1.pm";')) {
++    if (!eval ('require "Digest/SHA.pm";')) {
+         print STDERR <<SHAERR;
+ dbmmanage SHA1 passwords require the interface or the module Digest::SHA1
+-available from CPAN:
++available from CPAN and Debian:
+ 
+-    http://www.cpan.org/modules/by-module/Digest/Digest-MD5-2.12.tar.gz
++    Debian package: libdigest-sha-perl
++    CPAN: http://search.cpan.org/~mshelor/Digest-SHA-5.71/lib/Digest/SHA.pm
+ 
+-Please install Digest::SHA1 and try again, or use a different crypt option:
++Please install Digest::SHA and try again, or use a different crypt option:
+ 
+ SHAERR
+         usage();
+@@ -67,7 +69,9 @@
+     if (!eval ('require "Crypt/PasswdMD5.pm";')) {
+         print STDERR <<MD5ERR;
+ dbmmanage MD5 passwords require the module Crypt::PasswdMD5 available from CPAN
++and Debian:
+ 
++    Debian package: libcrypt-passwdmd5-perl
+     http://www.cpan.org/modules/by-module/Crypt/Crypt-PasswdMD5-1.1.tar.gz
+ 
+ Please install Crypt::PasswdMD5 and try again, or use a different crypt option:
+@@ -209,7 +213,7 @@
+ 
+ sub cryptpw_sha1 {
+     my($pw, $salt) = @_;
+-    '{SHA}' . Digest::SHA1::sha1_base64($pw) . "=";
++    '{SHA}' . Digest::SHA::sha1_base64($pw) . "=";
+ }
+ 
+ sub cryptpw {
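Review bot: the `need_sha1_crypt` hunk now tests for `Digest/SHA.pm`, but the unchanged first line of the error message still says "require the interface or the module Digest::SHA1", so a user who hits it is pointed at the wrong module; update that line to name Digest::SHA. The CPAN link also pins a single release (Digest-SHA-5.71); a version-independent URL would age better.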
diff --git a/debian/patches/series b/debian/patches/series
index 15b506b..6113b65 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,3 +30,5 @@
 # If you're aware of that you can uncomment it at any time later and work on it
 # as you wish.
 #202_suexec-custom
+dbmmanage-perl-510.patch
+SSLProtocol-tls11-12.2.patch
diff --git a/debian/rules b/debian/rules
index 4cb688d..df368d0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -237,7 +237,7 @@ override_dh_fixperms:
 	chmod 4754 debian/apache2-suexec-custom/usr/lib/apache2/suexec
 	chgrp www-data debian/apache2-suexec-custom/usr/lib/apache2/suexec
 	dh_fixperms -Xusr/lib/apache2/suexec
-	chown -R www-data:www-data debian/apache2.2-common/var/cache/apache2
+	chown -R www-data:www-data debian/apache2.2-common/var/cache/apache2/mod_disk_cache
 	chown root:adm debian/apache2.2-common/var/log/apache2
 	chmod o-rx debian/apache2.2-common/var/log/apache2
 
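Review bot: narrowing the `chown -R www-data:www-data` to `var/cache/apache2/mod_disk_cache` makes the freshly built package agree with the postinst, which chowns `/var/cache/apache2/` to root on upgrade; keep the two in sync if any other cache directory is added under `var/cache/apache2` later, since it would now ship root-owned and be unwritable by the server.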
@@ -290,7 +290,7 @@ override_dh_builddeb:
 		sed -i '/apache2-dbg/d' debian/files; \
 		dh_builddeb -Napache2-dbg; \
 	else \
-		dh_builddeb; \
+		dh_builddeb -- -Zxz; \
 	fi
 
 override_dh_installlogrotate:
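Review bot: `-- -Zxz` is passed only in the `else` branch; the `dh_builddeb -Napache2-dbg` call in the other branch still uses the default compressor, so builds that skip the dbg package will not produce xz-compressed members. Pass `-- -Zxz` in both branches.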



--- End Message ---
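The disk_cache.conf change above rests on how many subdirectories a level can hold. The following is an added example, not code from the bug report or the apache2 package; it assumes mod_disk_cache's hash uses a 64-character alphabet per position (so a level of CacheDirLength characters can hold up to 64**length subdirectories) and uses the ext3 figure of 32000 and the levels*length <= 20 rule quoted in the patched comment.

```python
# Added example, not from the Debian bug or the apache2 package.
# Assumption: each hash character has 64 possible values, so a level of
# CacheDirLength characters can hold up to 64 ** length subdirectories.
HASH_ALPHABET = 64            # assumed per-character alphabet size
MAX_LEVELS_TIMES_LENGTH = 20  # upstream rule quoted in disk_cache.conf
EXT3_SUBDIR_LIMIT = 32000     # per-directory limit quoted in the patch comment


def subdirs_per_level(length):
    """Upper bound on subdirectories a single cache level can contain."""
    return HASH_ALPHABET ** length


def leaf_directories(levels, length):
    """Upper bound on leaf directories the whole cache tree can grow to."""
    return subdirs_per_level(length) ** levels


def check_cache_layout(levels, length, subdir_limit=EXT3_SUBDIR_LIMIT):
    """Return (ok, reasons) for a CacheDirLevels/CacheDirLength pair.

    Two independent constraints are checked: the upstream product rule and
    the file system's per-directory subdirectory limit.
    """
    reasons = []
    product = levels * length
    if product > MAX_LEVELS_TIMES_LENGTH:
        reasons.append(
            f"CacheDirLevels * CacheDirLength = {product} > {MAX_LEVELS_TIMES_LENGTH}")
    per_level = subdirs_per_level(length)
    if per_level > subdir_limit:
        reasons.append(
            f"up to {per_level} subdirectories per level exceeds the limit of {subdir_limit}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Old Debian default (CacheDirLevels 5, CacheDirLength 3) versus the new
    # one (2, 1) from the patch above.
    for levels, length in ((5, 3), (2, 1)):
        ok, reasons = check_cache_layout(levels, length)
        print(f"CacheDirLevels {levels} CacheDirLength {length}: "
              f"{'ok' if ok else 'not ok'} {reasons}")
```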
--- Begin Message ---
On Sat, 2012-08-11 at 12:16 +0200, Arno Töll wrote:
> Please unblock package apache2. I've attached a git diff of changes
> since 2.2.22-9 which is currently in Testing. These are changes since then:
> 
> Close bug #682840 "Default /etc/apache2/mods-available/disk_cache.conf
> is incompatible with ext3".
[...]
> Close bug #682401 "dbmmanage: please use Digest::SHA instead of
> Digest::SHA1". The Perl modules used by dbmmanage are not shipped in
> Wheezy. The patch makes dbmmanage work on Wheezy.

This all looks okay.

> Switch to xz compression for .deb members. This was done upon request as
> Apache might end up on Wheezy's CD1 (if we switch to Gnome again)
> because gnome-user-server reverse depends on it.

We haven't actually switched _away_, fwiw...

> Close bug #682897: "apache2: Directive "SSLProtocol" should support TLS
> 1.1+". Add support for TLSv1.0 and TLS in OpenSSL. The SSL Protocol
> change is important because it allows administrators to work around
> interoperability problems that will doubtless occur with TLS v1.[12] with
> some buggy clients. Admittedly this is a heavy patch but we think it is
> of great benefit to Wheezy. It was backported from upstream's Apache 2.4
> branch.

Unblocked; thanks.

Regards,

Adam

--- End Message ---
