--- apache2-2.2.16.orig/debian/apache2-doc.dirs
+++ apache2-2.2.16/debian/apache2-doc.dirs
@@ -0,0 +1,2 @@
+etc/apache2/conf.d
+usr/share/doc/apache2-doc
--- apache2-2.2.16.orig/debian/apache2-dbg.links
+++ apache2-2.2.16/debian/apache2-dbg.links
@@ -0,0 +1,4 @@
+usr/lib/debug/usr/lib/apache2/mpm-itk/apache2-mpm-itk usr/lib/debug/usr/sbin/apache2-mpm-itk
+usr/lib/debug/usr/lib/apache2/mpm-prefork/apache2-mpm-prefork usr/lib/debug/usr/sbin/apache2-mpm-prefork
+usr/lib/debug/usr/lib/apache2/mpm-worker/apache2-mpm-worker usr/lib/debug/usr/sbin/apache2-mpm-worker
+usr/lib/debug/usr/lib/apache2/mpm-event/apache2-mpm-event usr/lib/debug/usr/sbin/apache2-mpm-event
--- apache2-2.2.16.orig/debian/apache2.dirs
+++ apache2-2.2.16/debian/apache2.dirs
@@ -0,0 +1 @@
+usr/share/bug/apache2
--- apache2-2.2.16.orig/debian/apache2.2-common.apache2.init
+++ apache2-2.2.16/debian/apache2.2-common.apache2.init
@@ -0,0 +1,276 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: apache2
+# Required-Start: $local_fs $remote_fs $network $syslog
+# Required-Stop: $local_fs $remote_fs $network $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# X-Interactive: true
+# Short-Description: Start/stop apache2 web server
+### END INIT INFO
+
+set -e
+
+if [ -n "$APACHE_CONFDIR" ] ; then
+ if [ "${APACHE_CONFDIR##/etc/apache2-}" != "$APACHE_CONFDIR}" ] ; then
+ DIR_SUFFIX="${APACHE_CONFDIR##/etc/apache2-}"
+ else
+ DIR_SUFFIX=
+ fi
+elif [ "${0##*/apache2-}" != "$0" ] ; then
+ DIR_SUFFIX="-${0##*/apache2-}"
+ APACHE_CONFDIR=/etc/apache2$DIR_SUFFIX
+else
+ DIR_SUFFIX=
+ APACHE_CONFDIR=/etc/apache2
+fi
+if [ -z "$APACHE_ENVVARS" ] ; then
+ APACHE_ENVVARS=$APACHE_CONFDIR/envvars
+fi
+export APACHE_CONFDIR APACHE_ENVVARS
+
+ENV="env -i LANG=C PATH=/usr/local/bin:/usr/bin:/bin"
+if [ "$APACHE_CONFDIR" != /etc/apache2 ] ; then
+ ENV="$ENV APACHE_CONFDIR=$APACHE_CONFDIR"
+fi
+if [ "$APACHE_ENVVARS" != "$APACHE_CONFDIR/envvars" ] ; then
+ ENV="$ENV APACHE_ENVVARS=$APACHE_ENVVARS"
+fi
+
+
+#edit /etc/default/apache2 to change this.
+HTCACHECLEAN_RUN=auto
+HTCACHECLEAN_MODE=daemon
+HTCACHECLEAN_SIZE=300M
+HTCACHECLEAN_DAEMON_INTERVAL=120
+HTCACHECLEAN_PATH=/var/cache/apache2$DIR_SUFFIX/mod_disk_cache
+HTCACHECLEAN_OPTIONS=""
+
+APACHE_HTTPD=$(. $APACHE_ENVVARS && echo $APACHE_HTTPD)
+if [ -z "$APACHE_HTTPD" ] ; then
+ APACHE_HTTPD=/usr/sbin/apache2
+fi
+if [ ! -x $APACHE_HTTPD ] ; then
+ echo "No apache MPM package installed"
+ exit 0
+fi
+
+. /lib/lsb/init-functions
+
+test -f /etc/default/rcS && . /etc/default/rcS
+
+if [ -f /etc/default/apache2$DIR_SUFFIX ] ; then
+ . /etc/default/apache2$DIR_SUFFIX
+elif [ -f /etc/default/apache2 ] ; then
+ . /etc/default/apache2
+fi
+
+APACHE2CTL="$ENV /usr/sbin/apache2ctl"
+HTCACHECLEAN="$ENV /usr/sbin/htcacheclean"
+
+PIDFILE=$(. $APACHE_ENVVARS && echo $APACHE_PID_FILE)
+if [ -z "$PIDFILE" ] ; then
+ echo ERROR: APACHE_PID_FILE needs to be defined in $APACHE_ENVVARS >&2
+ exit 2
+fi
+
+
+check_htcacheclean() {
+ [ "$HTCACHECLEAN_MODE" = "daemon" ] || return 1
+
+ [ "$HTCACHECLEAN_RUN" = "yes" ] && return 0
+
+ MODSDIR=$(. $APACHE_ENVVARS && echo $APACHE_MODS_ENABLED)
+ [ "$HTCACHECLEAN_RUN" = "auto" \
+ -a -e ${MODSDIR:-$APACHE_CONFDIR/mods-enabled}/disk_cache.load ] && \
+ return 0
+
+ return 1
+}
+
+start_htcacheclean() {
+ if [ ! -d "$HTCACHECLEAN_PATH" ] ; then
+ echo "... directory $HTCACHECLEAN_PATH does not exist!" >&2
+ return 1
+ fi
+ $HTCACHECLEAN $HTCACHECLEAN_OPTIONS -d$HTCACHECLEAN_DAEMON_INTERVAL \
+ -i -p$HTCACHECLEAN_PATH -l$HTCACHECLEAN_SIZE
+}
+
+stop_htcacheclean() {
+ pkill -P 1 -f "htcacheclean.* -p$HTCACHECLEAN_PATH " 2> /dev/null || echo ...not running
+}
+
+pidof_apache() {
+ # if there is actually an apache2 process whose pid is in PIDFILE,
+ # print it and return 0.
+ if [ -e "$PIDFILE" ]; then
+ if pidof apache2 | tr ' ' '\n' | grep -w $(cat $PIDFILE); then
+ return 0
+ fi
+ fi
+ return 1
+}
+
+apache_stop() {
+ if $APACHE2CTL configtest > /dev/null 2>&1; then
+ # if the config is ok than we just stop normaly
+ $APACHE2CTL stop 2>&1 | grep -v 'not running' >&2 || true
+ else
+ # if we are here something is broken and we need to try
+ # to exit as nice and clean as possible
+ PID=$(pidof_apache) || true
+
+ if [ "${PID}" ]; then
+ # in this case it is everything nice and dandy and we kill apache2
+ echo
+ log_warning_msg "The apache2$DIR_SUFFIX configtest failed, so we are trying to kill it manually. This is almost certainly suboptimal, so please make sure your system is working as you'd expect now!"
+ kill $PID
+ elif [ "$(pidof apache2)" ]; then
+ if [ "$VERBOSE" != no ]; then
+ echo " ... failed!"
+ echo "You may still have some apache2 processes running. There are"
+ echo "processes named 'apache2' which do not match your pid file,"
+ echo "and in the name of safety, we've left them alone. Please review"
+ echo "the situation by hand."
+ fi
+ return 1
+ fi
+ fi
+}
+
+apache_wait_stop() {
+ # running ?
+ PIDTMP=$(pidof_apache) || true
+ if kill -0 "${PIDTMP:-}" 2> /dev/null; then
+ PID=$PIDTMP
+ fi
+
+ apache_stop
+
+ # wait until really stopped
+ if [ -n "${PID:-}" ]; then
+ i=0
+ while kill -0 "${PID:-}" 2> /dev/null; do
+ if [ $i = '60' ]; then
+ break;
+ else
+ if [ $i = '0' ]; then
+ echo -n " ... waiting "
+ else
+ echo -n "."
+ fi
+ i=$(($i+1))
+ sleep 1
+ fi
+ done
+ fi
+}
+
+case $1 in
+ start)
+ log_daemon_msg "Starting web server" "apache2"
+ if $APACHE2CTL start; then
+ if check_htcacheclean ; then
+ log_progress_msg htcacheclean
+ start_htcacheclean || log_end_msg 1
+ fi
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ stop)
+ if check_htcacheclean ; then
+ log_daemon_msg "Stopping web server" "htcacheclean"
+ stop_htcacheclean
+ log_progress_msg "apache2"
+ else
+ log_daemon_msg "Stopping web server" "apache2"
+ fi
+ if apache_wait_stop; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ graceful-stop)
+ if check_htcacheclean ; then
+ log_daemon_msg "Stopping web server" "htcacheclean"
+ stop_htcacheclean
+ log_progress_msg "apache2"
+ else
+ log_daemon_msg "Stopping web server" "apache2"
+ fi
+ if $APACHE2CTL graceful-stop; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ graceful | reload | force-reload)
+ if ! $APACHE2CTL configtest > /dev/null 2>&1; then
+ $APACHE2CTL configtest || true
+ log_end_msg 1
+ exit 1
+ fi
+ log_daemon_msg "Reloading web server config" "apache2"
+ if pidof_apache > /dev/null ; then
+ if $APACHE2CTL graceful $2 ; then
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ fi
+ ;;
+ restart)
+ if ! $APACHE2CTL configtest > /dev/null 2>&1; then
+ $APACHE2CTL configtest || true
+ log_end_msg 1
+ exit 1
+ fi
+ if check_htcacheclean ; then
+ log_daemon_msg "Restarting web server" "htcacheclean"
+ stop_htcacheclean
+ log_progress_msg apache2
+ else
+ log_daemon_msg "Restarting web server" "apache2"
+ fi
+ PID=$(pidof_apache) || true
+ if ! apache_wait_stop; then
+ log_end_msg 1 || true
+ fi
+ if $APACHE2CTL start; then
+ if check_htcacheclean ; then
+ start_htcacheclean || log_end_msg 1
+ fi
+ log_end_msg 0
+ else
+ log_end_msg 1
+ fi
+ ;;
+ start-htcacheclean)
+ log_daemon_msg "Starting htcacheclean"
+ start_htcacheclean || log_end_msg 1
+ log_end_msg 0
+ ;;
+ stop-htcacheclean)
+ log_daemon_msg "Stopping htcacheclean"
+ stop_htcacheclean
+ log_end_msg 0
+ ;;
+ status)
+ PID=$(pidof_apache) || true
+ if [ -n "$PID" ]; then
+ echo "Apache2$DIR_SUFFIX is running (pid $PID)."
+ exit 0
+ else
+ echo "Apache2$DIR_SUFFIX is NOT running."
+ exit 1
+ fi
+ ;;
+ *)
+ log_success_msg "Usage: /etc/init.d/apache2$DIR_SUFFIX {start|stop|graceful-stop|restart|reload|force-reload|start-htcacheclean|stop-htcacheclean|status}"
+ exit 1
+ ;;
+esac
--- apache2-2.2.16.orig/debian/apache2-prefork-dev.install
+++ apache2-2.2.16/debian/apache2-prefork-dev.install
@@ -0,0 +1 @@
+usr/share/man/man8/apxs2.8
--- apache2-2.2.16.orig/debian/apache2-prefork-dev.dirs
+++ apache2-2.2.16/debian/apache2-prefork-dev.dirs
@@ -0,0 +1,4 @@
+usr/include/apache2
+usr/bin
+usr/share/apache2/build
+usr/share/man/man8
--- apache2-2.2.16.orig/debian/apache2-utils.dirs
+++ apache2-2.2.16/debian/apache2-utils.dirs
@@ -0,0 +1,4 @@
+usr/bin
+usr/sbin
+usr/share/man/man1
+usr/share/man/man8
--- apache2-2.2.16.orig/debian/suexec.8
+++ apache2-2.2.16/debian/suexec.8
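Review bot: In debian/apache2.2-common.apache2.init the first APACHE_CONFDIR test compares against `"$APACHE_CONFDIR}"`, which carries a stray closing brace, so whenever APACHE_CONFDIR is set in the environment the two strings always differ and the suffix branch is always taken. With `/etc/apache2` that sets DIR_SUFFIX to the whole path, and with `/etc/apache2-foo` it yields `foo` without the leading dash that the `$0` branch produces, so the /etc/default file name, the htcacheclean cache path and the pkill pattern built from DIR_SUFFIX end up pointing at the wrong names. The two lines should read `if [ "${APACHE_CONFDIR##/etc/apache2-}" != "$APACHE_CONFDIR" ] ; then` and `DIR_SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"`. Separately, pidof_apache hands an unquoted `$(cat $PIDFILE)` to `grep -w` and the result later feeds `kill $PID`; checking that the pid file holds exactly one number before using it would keep an empty or malformed file from changing what gets matched.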
@@ -0,0 +1,67 @@
+.TH suexec 8 "April 2008"
+.\" Copyright 1999-2004 The Apache Software Foundation
+.\" Copyright 2008 Stefan Fritsch
+.\"
+.\" Licensed under the Apache License, Version 2.0 (the "License");
+.\" you may not use this file except in compliance with the License.
+.\" You may obtain a copy of the License at
+.\"
+.\" http://www.apache.org/licenses/LICENSE-2.0
+.\"
+.\" Unless required by applicable law or agreed to in writing, software
+.\" distributed under the License is distributed on an "AS IS" BASIS,
+.\" WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+.\" See the License for the specific language governing permissions and
+.\" limitations under the License.
+.\"
+.SH NAME
+suexec \- Switch User For Exec
+.SH SYNOPSIS
+.B suexec -V
+.PP
+This is a customized version that can be configured with
+config files in /etc/apache2/suexec.
+.PP
+No other synopsis for usage, because this program
+is otherwise only used internally by the Apache HTTP server.
+.PP
+.SH DESCRIPTION
+.B suexec
+is the "wrapper" support program for the suexec behaviour for the
+Apache HTTP server. It is run from within the server automatically
+to switch the user when an external program has to be run under a
+different user. For more information about suexec in general, see the online
+document `Apache suexec Support' on the HTTP server project's
+Web site at http://httpd.apache.org/docs/suexec.html .
+.PP
+This version of suexec reads a config file on every execution. Therefore
+it is a bit slower than the standard suexec version from the apache2-suexec
+package.
+.SH CONFIGURATION
+If suexec is called by a user with name 'username', it will look into
+/etc/apache2/suexec/username for configuration. If the file does not exist,
+suexec will abort. By creating several config files, you can allow several
+different apache run users to use suexec.
+.PP
+The first line in the file is used as the document root (/var/www in the
+standard suexec) and the second line in the file is used as the suffix that is
+appended to users' home directories (public_html in standard suexec).
+.PP
+If any of the lines is commented out (with #), suexec will refuse the
+corresponding type of request. It is recommended to comment out the
+userdir suffix if you don't need it.
+.SH SECURITY
+Do not set the document root to a path that includes users' home directories
+(like /home or /var) or directories where users can mount removable media.
+Doing so would create local security issues. Suexec does not allow to set the
+document root to the root directory / .
+.SH OPTIONS
+.IP -V
+Display the list of compile-time settings used when \fBsuexec\fP
+was built. No other action is taken.
+.PD
+.SH FILES
+.BR /etc/apache2/suexec/www-data
+.SH SEE ALSO
+.BR apache2(8) ,
+.BR /usr/share/doc/apache2.2-common/README.Debian.gz
--- apache2-2.2.16.orig/debian/default-index.html
+++ apache2-2.2.16/debian/default-index.html
@@ -0,0 +1,4 @@
+

It works!

+

This is the default web page for this server.

+

The web server software is running but no content has been added, yet.

+
--- apache2-2.2.16.orig/debian/apache2.2-bin.dirs
+++ apache2-2.2.16/debian/apache2.2-bin.dirs
@@ -0,0 +1,4 @@
+usr/lib/apache2/mpm-worker
+usr/lib/apache2/mpm-prefork
+usr/lib/apache2/mpm-event
+usr/lib/apache2/mpm-itk
--- apache2-2.2.16.orig/debian/apache2.2-common.ufw.profile
+++ apache2-2.2.16/debian/apache2.2-common.ufw.profile
@@ -0,0 +1,14 @@
+[Apache]
+title=Web Server
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=80/tcp
+
+[Apache Secure]
+title=Web Server (HTTPS)
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=443/tcp
+
+[Apache Full]
+title=Web Server (HTTP,HTTPS)
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=80,443/tcp
--- apache2-2.2.16.orig/debian/apache2.2-common.dirs
+++ apache2-2.2.16/debian/apache2.2-common.dirs
@@ -0,0 +1,15 @@
+etc/apache2/mods-enabled
+etc/apache2/sites-enabled
+etc/apache2/conf.d
+etc/bash_completion.d
+etc/logrotate.d
+usr/lib/cgi-bin
+usr/share/apache2/build
+usr/share/apache2/default-site
+usr/share/bug/apache2.2-common
+usr/share/lintian/overrides
+var/cache/apache2
+var/cache/apache2/mod_disk_cache
+var/log/apache2
+var/www
+etc/ufw/applications.d
--- apache2-2.2.16.orig/debian/apache2-utils.manpages
+++ apache2-2.2.16/debian/apache2-utils.manpages
@@ -0,0 +1,3 @@
+debian/check_forensic.8
+debian/checkgid.8
+debian/split-logfile.8
--- apache2-2.2.16.orig/debian/apache2.2-common.postinst
+++ apache2-2.2.16/debian/apache2.2-common.postinst
@@ -0,0 +1,97 @@
+#!/bin/sh -e
+
+if [ "$1" != "configure" ]; then
+ exit 0
+fi
+
+mod_is_enabled() {
+ test -L /etc/apache2/mods-enabled/$1.load
+}
+
+#set up default site and dummy error and access logs
+if [ -z "$2" ]; then
+ if [ ! -L /etc/apache2/sites-enabled/000-default -a \
+ ! -f /etc/apache2/sites-enabled/000-default ]; then
+ a2ensite -q default
+ fi
+ touch /var/log/apache2/error.log /var/log/apache2/access.log
+ chown root:adm /var/log/apache2/error.log /var/log/apache2/access.log
+ chmod 0640 /var/log/apache2/error.log /var/log/apache2/access.log
+fi
+
+# Note, this line catches new installs as well as upgrades
+if dpkg --compare-versions "$2" lt 2.2.3-3.1; then
+ a2enmod -q alias
+ a2enmod -q autoindex
+ a2enmod -q dir
+ a2enmod -q env
+ a2enmod -q mime
+ a2enmod -q negotiation
+ a2enmod -q setenvif
+ a2enmod -q status
+ a2enmod -q auth_basic
+ a2enmod -q deflate
+
+ # Those come from mod_auth:
+ a2enmod -q authz_default
+ a2enmod -q authz_user
+ a2enmod -q authz_groupfile
+ a2enmod -q authn_file
+
+ # This comes from mod_access:
+ a2enmod -q authz_host
+
+fi
+
+if [ -n "$2" ] && dpkg --compare-versions "$2" lt 2.2.15-4~ ; then
+ echo activating new config files ...
+ for a in ldap proxy_balancer proxy_ftp ; do
+ if mod_is_enabled $a && [ ! -e /etc/apache2/mods-enabled/$a.conf ] ; then
+ a2enmod -q $a
+ fi
+ done
+ echo " done."
+fi
+
+# Note, this line catches new installs as well as upgrades
+if dpkg --compare-versions "$2" lt 2.2.7-1~0; then
+ if [ ! -e /var/www/index.html -a \
+ ! -h /var/www/index.html -a \
+ ! -e /var/www/index.cgi -a \
+ ! -e /var/www/index.pl -a \
+ ! -e /var/www/index.php -a \
+ ! -e /var/www/index.xhtml -a \
+ ! -e /var/www/index.htm ] ; then
+ cp /usr/share/apache2/default-site/index.html /var/www/index.html
+ fi
+fi
+
+# DavLockDB format change
+if dpkg --compare-versions "$2" lt 2.2.14-3~; then
+ rm -f /var/lock/apache2/DAVLock.dir /var/lock/apache2/DAVLock.pag
+fi
+
+# Note, this line catches new installs as well as upgrades
+if dpkg --compare-versions "$2" lt 2.2.15-1~0; then
+ a2enmod -q reqtimeout
+fi
+
+# The definition of other_vhost_access.log has been moved.
+# Disable the new definition if the admin has changed the old
+# one (as determined by preinst).
+if [ -e /etc/apache2/disable-other-vhost-access-log.dpkg-apache2.2-common ] ; then
+ echo "Disabling /etc/apache2/conf.d/other-vhosts-access-log"
+ perl -p -i -e 's/^(CustomLog.*)$/#$1/' /etc/apache2/conf.d/other-vhosts-access-log
+ rm /etc/apache2/disable-other-vhost-access-log.dpkg-apache2.2-common
+fi
+
+rm -f /etc/apache2/ports.conf.dpkg-apache2.2-common.old
+rm -f /etc/default/apache2.dpkg-apache2.2-common.old
+rm -f /etc/apache2/conf.d/charset.dpkg-apache2.2-common.old
+
+[ -f /etc/apache2/httpd.conf ] || touch /etc/apache2/httpd.conf
+
+#DEBHELPER#
+
+exit 0
+
--- apache2-2.2.16.orig/debian/a2enmod
+++ apache2-2.2.16/debian/a2enmod
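Review bot: In debian/apache2.2-common.postinst the fresh-install branch creates error.log and access.log with `touch` and only afterwards applies `chown root:adm` and `chmod 0640`, so for a short window the files carry whatever mode the installer's umask gives, which is commonly world-readable. Setting the mask before creating them closes that window without truncating logs left over from an earlier install: `( umask 027 ; touch /var/log/apache2/error.log /var/log/apache2/access.log )`. How much this matters depends on the mode of /var/log/apache2 itself, which this hunk does not show. A one-line comment above the block, such as `# logs may contain request data; they must never be world-readable`, would record the intent for later maintainers.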
@@ -0,0 +1,341 @@
+#!/usr/bin/perl -w
+#
+# a2enmod by Stefan Fritsch
+# Licensed under Apache License 2.0
+
+use strict;
+use Cwd 'realpath';
+use File::Spec;
+use File::Basename;
+use Getopt::Long;
+
+my $quiet;
+my $force;
+Getopt::Long::Configure('bundling');
+GetOptions(
+ 'quiet|q' => \$quiet,
+ 'force|f' => \$force
+) or exit 2;
+
+my $basename = basename($0);
+$basename =~ /^a2(en|dis)(mod|site)((?:-.+)?)$/
+ or die "$basename call name unknown\n";
+my $act = $1;
+my $obj = $2;
+my $dir_suffix = $3;
+
+my $env_file = $ENV{APACHE_ENVVARS}
+ || (
+ $ENV{APACHE_CONFDIR}
+ ? "$ENV{APACHE_CONFDIR}/envvars"
+ : "/etc/apache2$dir_suffix/envvars"
+ );
+$ENV{LANG}='C';
+read_env_file($env_file);
+
+$act .= 'able';
+my ( $name, $dir, $sffx, $reload );
+if ( $obj eq 'mod' ) {
+ $obj = 'module';
+ $dir = 'mods';
+ $sffx = '.load';
+ $reload = 'restart';
+}
+else {
+ $dir = 'sites';
+ $sffx = '';
+ $reload = 'reload';
+}
+$name = ucfirst($obj);
+
+my $confdir = $ENV{APACHE_CONFDIR} || "/etc/apache2$dir_suffix";
+my $availdir = $ENV{ uc("APACHE_${dir}_AVAILABLE") } || "$confdir/$dir-available";
+my $enabldir = $ENV{ uc("APACHE_${dir}_ENABLED") } || "$confdir/$dir-enabled";
+
+my $choicedir = $act eq 'enable' ? $availdir : $enabldir;
+my $linkdir = File::Spec->abs2rel( $availdir, $enabldir );
+
+my $request_reload = 0;
+
+my $rc = 0;
+
+if ( !scalar @ARGV ) {
+ my @choices = myglob('*');
+ print "Your choices are: @choices\n";
+ print "Which ${obj}(s) do you want to $act (wildcards ok)?\n";
+ my $input = <>;
+ @ARGV = split /\s+/, $input;
+
+}
+
+my @objs;
+foreach my $arg (@ARGV) {
+ my @glob = myglob($arg);
+ if ( !@glob ) {
+ error("No $obj found matching $arg!\n");
+ $rc = 1;
+ }
+ else {
+ push @objs, @glob;
+ }
+}
+
+foreach my $acton (@objs) {
+ doit($acton) or $rc = 1;
+}
+
+info("Run '/etc/init.d/apache2 $reload' to activate new configuration!\n")
+ if $request_reload;
+
+exit($rc);
+
+##############################################################################
+
+sub myglob {
+ my $arg = shift;
+
+ my @glob = map {
+ s{^$choicedir/}{};
+ s{$sffx$}{};
+ s{^000-default$}{default};
+ $_
+ } glob("$choicedir/$arg$sffx");
+
+ # use same rules as apache's Include directive
+ @glob = grep( /^[[:alnum:]][-._[:alnum:]]*$/, @glob );
+ @glob = grep( !/\.dpkg/, @glob );
+
+ return @glob;
+}
+
+sub doit {
+ my $acton = shift;
+
+ my $prio = "";
+ if ( $obj eq 'site' && $acton eq 'default' ) {
+ $prio = '000-';
+ }
+
+ my ( $conftgt, $conflink );
+ if ( $obj eq 'module' ) {
+ if ( $acton eq 'cgi' && threaded() ) {
+ print "Your MPM seems to be threaded. Selecting cgid instead of cgi.\n";
+ $acton = 'cgid';
+ }
+
+ $conftgt = "$availdir/$acton.conf";
+ if ( -e $conftgt ) {
+ $conflink = "$enabldir/$acton.conf";
+ }
+ }
+
+ my $tgt = "$availdir/$acton$sffx";
+ my $link = "$enabldir/$prio$acton$sffx";
+
+ if ( !-e $tgt ) {
+ if ( -l $link && !-e $link ) {
+ if ( $act eq 'disable' ) {
+ info("removing dangling symlink $link\n");
+ unlink($link);
+ return 1;
+ }
+ else {
+ error("$link is a dangling symlink!\n");
+ }
+ }
+
+ error("$name $acton does not exist!\n");
+ return 0;
+ }
+
+ # handle module dependencies
+ if ( $obj eq 'module' ) {
+ if ( $act eq 'enable' ) {
+ my $depends = qx{grep "# Depends:" "$availdir/$acton.load"|cut -f2 -d:};
+ $depends =~ s,^[\s\n]+,,;
+ $depends =~ s,[\s\n]+$,,;
+ do_deps( $acton, split( /[\n\s]+/, $depends ) ) or return 0;
+ }
+ else {
+ my @depends = qx{egrep "# Depends:.*${acton}( |\$)" $enabldir/*.load};
+ @depends = grep {s{^.*?/([^/]*?)\.load:.*}{$1}s} @depends;
+ if ( scalar @depends ) {
+ if ($force) {
+ do_deps( $acton, @depends ) or return 0;
+ }
+ else {
+ error(
+ "The following modules depend on $acton ",
+ "and need to be disabled first: @depends\n"
+ );
+ return 0;
+ }
+ }
+ }
+ }
+
+ if ( $act eq 'enable' ) {
+ my $check = check_link( $tgt, $link );
+ if ( $check eq 'ok' ) {
+ if ($conflink) {
+
+ # handle .conf file
+ my $confcheck = check_link( $conftgt, $conflink );
+ if ( $confcheck eq 'ok' ) {
+ info("$name $acton already enabled\n");
+ return 1;
+ }
+ elsif ( $confcheck eq 'missing' ) {
+ print "Enabling config file $acton.conf.\n";
+ add_link( $conftgt, $conflink ) or return 0;
+ }
+ else {
+ error("Config file $acton.conf not properly enabled: $confcheck\n");
+ return 0;
+ }
+ }
+ else {
+ info("$name $acton already enabled\n");
+ return 1;
+ }
+ }
+ elsif ( $check eq 'missing' ) {
+ if ($conflink) {
+
+ # handle .conf file
+ my $confcheck = check_link( $conftgt, $conflink );
+ if ( $confcheck eq 'missing' ) {
+ add_link( $conftgt, $conflink ) or return 0;
+ }
+ elsif ( $confcheck ne 'ok' ) {
+ error("Config file $acton.conf not properly enabled: $confcheck\n");
+ return 0;
+ }
+ }
+
+ print "Enabling $obj $acton.\n";
+ if ( $acton eq 'ssl' ) {
+ info("See /usr/share/doc/apache2.2-common/README.Debian.gz on " .
+ "how to configure SSL and create self-signed certificates.\n");
+ }
+ return add_link( $tgt, $link );
+ }
+ else {
+ error("$name $acton not properly enabled: $check\n");
+ return 0;
+ }
+ }
+ else {
+ if ( -e $link || -l $link ) {
+ remove_link($link);
+ if ( $conflink && -e $conflink ) {
+ remove_link($conflink);
+ }
+ print "$name $acton disabled.\n";
+ }
+ elsif ( $conflink && -e $conflink ) {
+ print "Disabling stale config file $acton.conf.\n";
+ remove_link($conflink);
+ }
+ else {
+ info("$name $acton already disabled\n");
+ return 1;
+ }
+ }
+
+ return 1;
+}
+
+sub do_deps {
+ my $acton = shift;
+ foreach my $d (@_) {
+ info("Considering dependency $d for $acton:\n");
+ if ( !doit($d) ) {
+ error("Could not $act dependency $d for $acton, aborting\n");
+ return 0;
+ }
+ }
+ return 1;
+}
+
+sub add_link {
+ my ( $tgt, $link ) = @_;
+
+ # create relative link
+ if ( !symlink( File::Spec->abs2rel( $tgt, dirname($link) ), $link ) ) {
+ die("Could not create $link: $!\n");
+ }
+ $request_reload = 1;
+ return 1;
+}
+
+sub check_link {
+ my ( $tgt, $link ) = @_;
+
+ if ( !-e $link ) {
+ if ( -l $link ) {
+
+ # points to nowhere
+ info("Removing dangling link $link");
+ unlink($link) or die "Could not remove $link\n";
+ }
+ return 'missing';
+ }
+
+ if ( -e $link && !-l $link ) {
+ return "$link is a real file, not touching it";
+ }
+ if ( realpath($link) ne realpath($tgt) ) {
+ return "$link exists but does not point to $tgt, not touching it";
+ }
+ return 'ok';
+}
+
+sub remove_link {
+ my ($link) = @_;
+
+ if ( -l $link ) {
+ unlink($link) or die "Could not remove $link: $!\n";
+ }
+ elsif ( -e $link ) {
+ error("$link is not a symbolic link, not deleting\n");
+ return 0;
+ }
+ $request_reload = 1;
+ return 1;
+}
+
+sub threaded {
+ my $result = "";
+ $result = qx{/usr/sbin/apache2 -V | grep 'threaded'} if -x '/usr/sbin/apache2';
+ if ( $result =~ / no/ ) {
+ return 0;
+ }
+ else {
+ return 1;
+ }
+}
+
+sub info {
+ print @_ if !$quiet;
+}
+
+sub error {
+ print STDERR 'ERROR: ', @_;
+}
+
+sub read_env_file {
+ my $file = shift;
+
+ -r $file or return;
+ my @lines = qx{env - sh -c '. $file && env'};
+ if ($?) {
+ die "Could not read $file\n";
+ }
+
+ foreach my $l (@lines) {
+ chomp $l;
+ $l =~ /^(.*)?=(.*)$/ or die "Could not parse $file\n";
+ $ENV{$1} = $2;
+ }
+}
--- apache2-2.2.16.orig/debian/apache2-suexec-custom.manpages
+++ apache2-2.2.16/debian/apache2-suexec-custom.manpages
@@ -0,0 +1 @@
+debian/suexec.8
--- apache2-2.2.16.orig/debian/README.backtrace
+++ apache2-2.2.16/debian/README.backtrace
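Review bot: In debian/a2enmod, read_env_file builds a shell command by interpolating `$file` into `qx{env - sh -c '. $file && env'}`, and `$file` is taken from `$ENV{APACHE_ENVVARS}` or `$ENV{APACHE_CONFDIR}`, so a quote or space in that value changes the command that runs, usually as root. Passing the path as a positional parameter through a list-form pipe keeps the shell from parsing it: `open my $fh, '-|', 'env', '-', 'sh', '-c', '. "$1" && env', 'sh', $file or die "Could not read $file\n";`. The two `qx{}` grep calls in doit have the same shape, with `$enabldir` unquoted and dependency names from `# Depends:` lines reaching doit() without passing the name filter in myglob; reading the .load files with Perl's own open and a regex would remove the shell there as well. The parse pattern `/^(.*)?=(.*)$/` is greedy and splits at the last `=` of a line, so `/^([^=]+)=(.*)$/` is the safer form.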
@@ -0,0 +1,51 @@
+If apache crashes or freezes, it is helpful if you include a backtrace in the
+bug report.
+
+
+
+In case of a crash, do the following:
+
+1) Install the packages apache2-dbg libapr1-dbg libaprutil1-dbg gdb.
+
+2) Add "CoreDumpDirectory /var/cache/apache2" to your apache configuration.
+
+3) Execute as root:
+ /etc/init.d/apache2 stop
+ ulimit -c unlimited
+ /etc/init.d/apache2 start
+
+4) Do whatever it takes to reproduce the crash. There should now be the file
+/var/cache/apache2/core .
+
+5) If you use apache2-mpm-prefork, execute:
+
+ gdb /usr/sbin/apache2 /var/cache/apache2/core
+ (gdb) bt full
+ ...
+ (gdb) quit
+
+If you use a threaded mpm, execute:
+
+ gdb /usr/sbin/apache2 /var/cache/apache2/core
+ (gdb) thread apply all bt full
+ ...
+ (gdb) quit
+
+Include the backtrace in the bug report.
+
+6) Undo the change to your configuration, uninstall the debug packages, remove
+/var/cache/apache2/core
+
+
+
+In case of a hanging process, you don't need a core dump and you can skip steps 2 and 3.
+
+4) Reproduce the problem. Get the pid of a hanging process.
+
+5) Start gdb with
+
+ gdb -p pid
+
+and continue as described above. It may also be helpful to include the output of
+
+ strace -p pid
--- apache2-2.2.16.orig/debian/apache2ctl
+++ apache2-2.2.16/debian/apache2ctl
@@ -0,0 +1,154 @@
+#!/bin/sh
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+# Apache control script designed to allow an easy command line interface
+# to controlling Apache. Written by Marc Slemko, 1997/08/23
+#
+# Heavily modified for Debian by Stefan Fritsch 2007-2010
+#
+# The exit codes returned are:
+# XXX this doc is no longer correct now that the interesting
+# XXX functions are handled by httpd
+# 0 - operation completed successfully
+# 1 -
+# 2 - usage error
+# 3 - httpd could not be started
+# 4 - httpd could not be stopped
+# 5 - httpd could not be started during a restart
+# 6 - httpd could not be restarted during a restart
+# 7 - httpd could not be restarted during a graceful restart
+# 8 - configuration syntax error
+#
+# When multiple arguments are given, only the error from the _last_
+# one is reported. Run "apachectl help" for usage info
+#
+ARGV="$@"
+#
+# |||||||||||||||||||| START CONFIGURATION SECTION ||||||||||||||||||||
+# -------------------- --------------------
+#
+# main configuration directory
+if test -z "$APACHE_CONFDIR" ; then
+ if test "${0##*apache2ctl-}" != "$0" ; then
+ APACHE_CONFDIR="/etc/apache2-${0##*apache2ctl-}"
+ else
+ APACHE_CONFDIR=/etc/apache2
+ fi
+fi
+# the path to the environment variable file
+test -z "$APACHE_ENVVARS" && APACHE_ENVVARS="$APACHE_CONFDIR/envvars"
+# pick up any necessary environment variables
+if test -f $APACHE_ENVVARS; then
+ . $APACHE_ENVVARS
+fi
+
+if test "$APACHE_CONFDIR" != /etc/apache2 ; then
+ APACHE_ARGUMENTS="-d $APACHE_CONFDIR $APACHE_ARGUMENTS"
+fi
+# the following APACHE_* variables should be set in /etc/apache2/envvars
+#
+# the path to your httpd binary, including options if necessary
+HTTPD=${APACHE_HTTPD:-/usr/sbin/apache2}
+#
+# a command that outputs a formatted text version of the HTML at the
+# url given on the command line. Designed for lynx, however other
+# programs may work.
+LYNX="${APACHE_LYNX:-www-browser -dump}"
+#
+# the URL to your server's mod_status status page. If you do not
+# have one, then status and fullstatus will not work.
+STATUSURL="${APACHE_STATUSURL:-http://localhost:80/server-status}"
+#
+# Set this variable to a command that increases the maximum
+# number of file descriptors allowed per child process. This is
+# critical for configurations that use many file descriptors,
+# such as mass vhosting, or a multithreaded server.
+ULIMIT_MAX_FILES="${APACHE_ULIMIT_MAX_FILES:-ulimit -S -n `ulimit -H -n`}"
+# -------------------- --------------------
+# |||||||||||||||||||| END CONFIGURATION SECTION ||||||||||||||||||||
+
+# Set the maximum number of file descriptors allowed per child process.
+if [ "x$ULIMIT_MAX_FILES" != "x" ] ; then
+ $ULIMIT_MAX_FILES
+fi
+
+ERROR=0
+if [ "x$ARGV" = "x" ] || [ "x$ARGV" = "xusage" ] || [ "x$ARGV" = "xhelp" ] || [ "x$ARGV" = "x--help" ]; then
+ echo "Usage: $0 start|stop|restart|graceful|graceful-stop|configtest|status|fullstatus|help" >&2
+ echo " $0 " >&2
+ echo " $0 -h (for help on )" >&2
+ exit 1
+fi
+
+get_status () {
+ if ! $LYNX $STATUSURL ; then
+ echo "'$LYNX $STATUSURL'" failed. >&2
+ echo Maybe you need to install a package providing www-browser or you >&2
+ echo need to adjust the APACHE_LYNX variable in /etc/apache2/envvars >&2
+ exit 1
+ fi
+}
+
+case $ARGV in
+start)
+ mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2}
+ install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
+ # ssl_scache shouldn't be here if we're just starting up.
+ # (this is bad if there are several apache2 instances running)
+ rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache*
+ $HTTPD ${APACHE_ARGUMENTS} -k $ARGV
+ ERROR=$?
+ ;;
+stop|graceful-stop)
+ $HTTPD ${APACHE_ARGUMENTS} -k $ARGV
+ ERROR=$?
+ ;;
+restart|graceful)
+ if $HTTPD ${APACHE_ARGUMENTS} -t 2> /dev/null ; then
+ $HTTPD ${APACHE_ARGUMENTS} -k $ARGV
+ else
+ $HTTPD ${APACHE_ARGUMENTS} -t
+ fi
+ ERROR=$?
+ ;;
+startssl|sslstart|start-SSL)
+ echo The startssl option is no longer supported.
+ echo Please edit httpd.conf to include the SSL configuration settings
+ echo and then use "apachectl start".
+ ERROR=2
+ ;;
+configtest)
+ $HTTPD ${APACHE_ARGUMENTS} -t
+ ERROR=$?
+ ;;
+status)
+ get_status | awk ' /process$/ { print; exit } { print } '
+ ;;
+fullstatus)
+ get_status
+ ;;
+*)
+ $HTTPD ${APACHE_ARGUMENTS} $ARGV
+ ERROR=$?
+esac
+
+if [ "$ERROR" != 0 ] ; then
+ echo Action \'"$@"\' failed.
+ echo The Apache error log may have more information.
+fi
+exit $ERROR
--- apache2-2.2.16.orig/debian/rules
+++ apache2-2.2.16/debian/rules
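Review bot: In debian/apache2ctl the `start)` branch runs `install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}` without checking what already sits at that path; if the parent directory is writable by unprivileged users (as /var/lock often is), a symlink placed there beforehand would presumably be followed and its target handed to the run user. Creating the directory with a plain mkdir, refusing anything that is not a real directory, and changing ownership with `chown -h` avoids following a link. The `rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache*` line in the same branch expands an unquoted path as root and deserves the same care.

```shell
start)
	mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2}
	LOCK_DIR="${APACHE_LOCK_DIR:-/var/lock/apache2}"
	# plain mkdir fails if anything, including a symlink, already occupies the path
	if ! mkdir "$LOCK_DIR" 2> /dev/null ; then
		if [ -L "$LOCK_DIR" ] || [ ! -d "$LOCK_DIR" ] ; then
			echo "$LOCK_DIR exists and is not a real directory, refusing to use it" >&2
			exit 1
		fi
	fi
	# -h: never follow a link that appears between the check and the chown
	chown -h "${APACHE_RUN_USER:-www-data}" "$LOCK_DIR"
	# … unchanged: ssl_scache cleanup and $HTTPD -k start …
```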
@@ -0,0 +1,338 @@ +#! /usr/bin/make -f + +# Code for httpd 2.1, based on apache2 and others. +# Copyright (C) Canonical Ltd, 2005 + +export DEB_BUILD_HARDENING=1 +export DEB_BUILD_OPTIONS +export DH_OPTIONS + +SHELL := sh -e + +#enable dpatch +include /usr/share/dpatch/dpatch.make + +# These are used for cross-compiling and for saving the configure script +# # from having to guess our platform (since we know it already) +DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) + +LSB_RELEASE := $(shell lsb_release -i -s) + +CONFFLAGS += ac_cv_prog_AWK=mawk ac_cv_prog_LYNX_PATH=www-browser + +AP2_COMMON_CONFARGS = --enable-layout=Debian --enable-so \ + --with-program-name=apache2 \ + --with-ldap=yes --with-ldap-include=/usr/include \ + --with-ldap-lib=/usr/lib \ + --with-suexec-caller=www-data \ + --with-suexec-bin=/usr/lib/apache2/suexec \ + --with-suexec-docroot=/var/www \ + --with-suexec-userdir=public_html \ + --with-suexec-logfile=/var/log/apache2/suexec.log \ + --with-suexec-uidmin=100 \ + --enable-suexec=shared \ + --enable-log-config=static --enable-logio=static \ + --with-apr=/usr/bin/apr-1-config \ + --with-apr-util=/usr/bin/apu-1-config \ + --with-pcre=yes \ + --enable-pie + +AP2_MODS_CONFARGS = --enable-authn-alias=shared --enable-authnz-ldap=shared \ + --enable-disk-cache=shared --enable-cache=shared \ + --enable-mem-cache=shared --enable-file-cache=shared \ + --enable-cern-meta=shared --enable-dumpio=shared --enable-ext-filter=shared \ + --enable-charset-lite=shared --enable-cgi=shared \ + --enable-dav-lock=shared --enable-log-forensic=shared \ + --enable-ldap=shared --enable-proxy=shared \ + --enable-proxy-connect=shared --enable-proxy-ftp=shared \ + --enable-proxy-http=shared --enable-proxy-ajp=shared \ + --enable-proxy-scgi=shared \ + --enable-proxy-balancer=shared --enable-ssl=shared \ + --enable-authn-dbm=shared --enable-authn-anon=shared \ + 
--enable-authn-dbd=shared --enable-authn-file=shared \ + --enable-authn-default=shared --enable-authz-host=shared \ + --enable-authz-groupfile=shared --enable-authz-user=shared \ + --enable-authz-dbm=shared --enable-authz-owner=shared \ + --enable-authnz-ldap=shared --enable-authz-default=shared \ + --enable-auth-basic=shared --enable-auth-digest=shared \ + --enable-dbd=shared --enable-deflate=shared \ + --enable-include=shared --enable-filter=shared \ + --enable-env=shared --enable-mime-magic=shared \ + --enable-expires=shared --enable-headers=shared \ + --enable-ident=shared --enable-usertrack=shared \ + --enable-unique-id=shared --enable-setenvif=shared \ + --enable-version=shared --enable-status=shared \ + --enable-autoindex=shared --enable-asis=shared \ + --enable-info=shared --enable-cgid=shared \ + --enable-dav=shared --enable-dav-fs=shared \ + --enable-vhost-alias=shared --enable-negotiation=shared \ + --enable-dir=shared --enable-imagemap=shared \ + --enable-actions=shared --enable-speling=shared \ + --enable-userdir=shared --enable-alias=shared \ + --enable-rewrite=shared --enable-mime=shared \ + --enable-substitute=shared --enable-reqtimeout=shared + +AP2_CFLAGS = $(CFLAGS) -g -pipe -I/usr/include/xmltok -I/usr/include/openssl -Wall -Wformat -Wformat-security -D_FORTIFY_SOURCE=2 -fstack-protector +AP2_LDFLAGS = -Wl,--as-needed -Wl,-z,relro + +#support noopt building +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + AP2_CFLAGS += -O0 +else + AP2_CFLAGS += -O2 +endif + +ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS))) +DEB_BUILD_STRIP = yes +endif + +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) +endif + +BUILD=debian/build-tree +REALCURDIR=$(CURDIR) +INSTALL=/usr/bin/install + +clean: unpatch + dh_testdir + rm -rf $(BUILD) mpm-worker mpm-prefork mpm-event mpm-itk install + rm -rf debian/tmp-worker debian/tmp-prefork + dh_clean + +build: 
patch-stamp build-stamp +build-stamp: patch-stamp mpm-worker mpm-prefork mpm-event mpm-itk + for mpm in prefork event itk ; do \ + if ! diff -u $(BUILD)/$$mpm/mods.list $(BUILD)/worker/mods.list ; then \ + echo Different modules built into httpd binaries, will not proceed ;\ + exit 1 ;\ + fi \ + done + touch $@ + + +mpm-worker mpm-prefork mpm-event mpm-itk: mpm-%: patch-stamp mpm-%.scripts-stamp + dh_testdir + mkdir -p $(BUILD)/$* + # we don't want modifications done by itk outside of server/mpm/experimental/itk + # to appear in the other mpms. Therefore we copy the whole source tree. + set -ex ; \ + if [ $* = itk ] ; then \ + cp -a `find . -maxdepth 1 -mindepth 1 -not -name debian` $(BUILD)/$* ; \ + cd $(BUILD)/$* ; \ + mkdir server/mpm/experimental/itk/ ; \ + cp server/mpm/prefork/* server/mpm/experimental/itk/ ; \ + mv server/mpm/experimental/itk/prefork.c server/mpm/experimental/itk/itk.c ; \ + \ + for PATCH in `tail -n +2 ../../mpm-itk/patches/series`; do \ + echo Applying $$PATCH ... 
; \ + patch -p1 < ../../mpm-itk/patches/$$PATCH ; \ + echo ; \ + done ; \ + \ + autoheader ; \ + autoconf ; \ + CONFIGURE=./configure ; \ + else \ + cd $(BUILD)/$* ; \ + CONFIGURE="$(REALCURDIR)/configure --srcdir=$(REALCURDIR)" ; \ + fi ; \ + if [ $* = worker ] ; then \ + ENABLE_MODULES="$(AP2_MODS_CONFARGS)" ; \ + else \ + ENABLE_MODULES=--enable-modules=none ; \ + fi ; \ + CFLAGS="$(AP2_CFLAGS)" LDFLAGS="$(AP2_LDFLAGS)" $(CONFFLAGS) $$CONFIGURE \ + $(AP2_COMMON_CONFARGS) $$ENABLE_MODULES --with-mpm=$* ; \ + $(MAKE) ; \ + ./apache2 -l |grep -v $* > mods.list + touch $@ + +mpm-%.scripts-stamp: debian/mpms.postinst debian/mpms.preinst debian/mpms.prerm debian/mpms.lintian-overrides debian/mpms.dirs debian/mpms.links + for f in postinst preinst prerm links dirs ; do \ + perl -p -e "s/MPMXXX/$*/g" < debian/mpms.$$f > debian/apache2-mpm-$*.$$f ;\ + done + perl -p -e "s/^/apache2-mpm-$*: /" < debian/mpms.lintian-overrides > debian/apache2-mpm-$*.lintian-overrides + touch $@ + +install-worker: mpm-worker + dh_testdir + dh_testroot + cd $(BUILD)/worker ;\ + $(MAKE) DESTDIR=$(REALCURDIR)/debian/tmp install + for m in logresolve ab; do d=$(REALCURDIR)/debian/tmp/usr/share/man/ ;\ + perl -p -e 's/^([.]TH.*?) 
8 (.*)/$$1 1 $$2/' < $$d/man8/$$m.8 > $$d/man1/$$m.1 ;\ + done + ln -sf tmp debian/tmp-worker + +install-prefork: mpm-prefork + dh_testdir + dh_testroot + cd $(BUILD)/prefork ;\ + $(MAKE) DESTDIR=$(REALCURDIR)/debian/tmp-prefork install + +install-dev: install-worker install-prefork + dh_testdir + dh_testroot + dh_installdirs + for i in worker prefork; do \ + if [ "$$i" = "prefork" ]; then \ + TARGET=prefork ;\ + else \ + TARGET=threaded ;\ + fi ;\ + cp debian/tmp-$$i/usr/include/apache2/* debian/apache2-$$TARGET-dev/usr/include/apache2/ ;\ + cp debian/tmp-$$i/usr/share/apache2/build/* debian/apache2-$$TARGET-dev/usr/share/apache2/build/ ;\ + cp $(BUILD)/$$i/support/apxs debian/apache2-$$TARGET-dev/usr/bin/apxs2 ;\ + perl -p -e s/^P=apache2/P=apache2-$${TARGET}-dev/ < debian/apache2.postinst > debian/apache2-$${TARGET}-dev.postinst ;\ + done +# Clean up config_vars.mk + set -x ; for i in threaded prefork; do \ + ( cd debian/apache2-$$i-dev/usr/share/apache2/build/ ; \ + grep -v -E '(^|_)(CPP|C)FLAGS' config_vars.mk > tmp_config_vars.mk ; \ + printf "CPPFLAGS = %s\n" "`grep -E '(^|_)(CPPFLAGS|INCLUDES)' config_vars.mk | cut -d= -f 2- | tr ' ' '\n' | grep -E '^-([DI]|pthread)' | sort | uniq | tr '\n' ' '`" >> tmp_config_vars.mk ; \ + printf "CFLAGS = %s\n" "`grep -E '(^|_)(CPPFLAGS|CFLAGS|INCLUDES)' config_vars.mk | cut -d= -f 2- | tr ' ' '\n' | grep -E '^-(D|I/|pthread)' | sort | uniq | tr '\n' ' '`" >> tmp_config_vars.mk ; \ + printf "NOTEST_CPPFLAGS = \n" >> tmp_config_vars.mk ; \ + printf "EXTRA_CPPFLAGS = \n" >> tmp_config_vars.mk ; \ + printf "EXTRA_CFLAGS = \n" >> tmp_config_vars.mk ; \ + mv tmp_config_vars.mk config_vars.mk ) ; \ + done + +install: build install-dev + dh_testroot + dh_testdir + dh_installdirs + + #cleanup of death + rm -rf debian/tmp/etc/apache2/original + rm -rf debian/tmp/usr/include + rm -rf debian/tmp/usr/share/apache2/build + rm -f debian/tmp/usr/share/man/man8/httpd.8 # We install our own + rm -f debian/tmp/usr/sbin/apxs 
debian/tmp/usr/sbin/apache2 debian/tmp/usr/sbin/apachectl + + # DO NOT FALL FOR THE TEMPTATION TO MV INTO PACKAGES OR DOOM + # WILL FIND YOU. Use dh_install, this is just because dh_install + # can't rename files + + mv debian/tmp/usr/share/man/man8/apxs.8 debian/tmp/usr/share/man/man8/apxs2.8 + mv debian/tmp/usr/share/man/man8/apachectl.8 debian/tmp/usr/share/man/man8/apache2ctl.8 + mkdir -p debian/tmp/usr/share/apache2/icons/ + for i in `ls debian/icons/ | cut -d. -f1,2`; do \ + uudecode -o debian/tmp/usr/share/apache2/icons/$$i debian/icons/$$i".uue"; \ + done + + dh_install --list-missing + + cp debian/bash_completion debian/apache2.2-common/etc/bash_completion.d/apache2.2-common + install -m644 debian/apache2.2-common.ufw.profile debian/apache2.2-common/etc/ufw/applications.d/apache2.2-common + + # standard suexec + chmod 4754 debian/apache2-suexec/usr/lib/apache2/suexec + chgrp www-data debian/apache2-suexec/usr/lib/apache2/suexec + + chmod 644 debian/apache2.2-bin/usr/lib/apache2/modules/mod_suexec.so + + # configurable suexec + cp debian/build-tree/worker/support/suexec-custom debian/apache2-suexec-custom/usr/lib/apache2/suexec + cp debian/suexec-custom.config debian/apache2-suexec-custom/etc/apache2/suexec/www-data + chmod 4754 debian/apache2-suexec-custom/usr/lib/apache2/suexec + chgrp www-data debian/apache2-suexec-custom/usr/lib/apache2/suexec + + cp debian/apache2-doc.conf debian/apache2-doc/etc/apache2/conf.d/apache2-doc + grep -rl apachectl debian/apache2-doc/usr/share/doc/apache2-doc/manual | xargs perl -p -i -e 's/apachectl(?!\.html)/apache2ctl/g' + # remove content negotiation + mv debian/apache2-doc/usr/share/doc/apache2-doc/manual \ + debian/apache2-doc/usr/share/doc/apache2-doc/manual.orig + perl debian/convert_docs debian/apache2-doc/usr/share/doc/apache2-doc/manual.orig \ + debian/apache2-doc/usr/share/doc/apache2-doc/manual + mv debian/apache2-doc/usr/share/doc/apache2-doc/manual.orig/images \ + 
debian/apache2-doc/usr/share/doc/apache2-doc/manual.orig/style \ + debian/apache2-doc/usr/share/doc/apache2-doc/manual + rmdir debian/apache2-doc/usr/share/doc/apache2-doc/manual/style/lang + rmdir debian/apache2-doc/usr/share/doc/apache2-doc/manual/style/xsl/util + rmdir debian/apache2-doc/usr/share/doc/apache2-doc/manual/style/xsl + rm -r debian/apache2-doc/usr/share/doc/apache2-doc/manual.orig + + cp debian/logrotate debian/apache2.2-common/etc/logrotate.d/apache2 + cp debian/default-index.html debian/apache2.2-common/usr/share/apache2/default-site/index.html + + for i in worker prefork event itk; do \ + install -m 755 $(BUILD)/$$i/apache2 debian/apache2.2-bin/usr/lib/apache2/mpm-$$i/apache2 ;\ + done + + for pkg in `awk '/^Package:/ { print $$2 }' debian/control`; do \ + find debian/$$pkg/ -name .svn -exec rm -rf {} + ; \ + done + + dh_installdocs debian/README.backtrace -papache2.2-bin + dh_installdocs debian/README.backtrace debian/README.multiple-instances -papache2.2-common + dh_installdocs -Napache2.2-common -Napache2.2-bin + cp debian/README.Debian debian/apache2-doc/usr/share/doc/apache2-doc/ + dh_installman + dh_bugfiles + dh_installinit --no-start -r --name=apache2 -- defaults 91 09 + dh_installcron --name=apache2 + dh_installchangelogs CHANGES -Napache2-suexec -Napache2-suexec-custom -Napache2 + dh_installchangelogs -papache2-suexec -papache2-suexec-custom -papache2 + dh_lintian + rm -f debian/apache2.2-bin/usr/share/doc/apache2.2-bin/NEWS.Debian + rm -f debian/apache2-utils/usr/share/doc/apache2-utils/NEWS.Debian + + dh_strip --dbg-package=apache2-dbg -Napache2-dbg -Xusr/lib/apache2/mpm + if [ "$(LSB_RELEASE)" != "Ubuntu" ] && [ -n "$(DEB_BUILD_STRIP)" ] ; then \ + for i in worker prefork event itk; do \ + MPM=usr/lib/apache2/mpm-$$i/apache2 ;\ + objcopy --only-keep-debug $(BUILD)/$$i/apache2 \ + debian/apache2-dbg/usr/lib/debug/$$MPM-mpm-$$i ;\ + chmod 644 debian/apache2-dbg/usr/lib/debug/$$MPM-mpm-$$i ;\ + strip --remove-section=.comment 
--remove-section=.note --strip-unneeded \ + debian/apache2.2-bin/$$MPM ;\ + objcopy --add-gnu-debuglink=debian/apache2-dbg/usr/lib/debug/$$MPM-mpm-$$i \ + debian/apache2.2-bin/$$MPM ;\ + done ;\ + fi + + cp debian/mpm-itk/README debian/apache2.2-common/usr/share/doc/apache2.2-common/README.mpm-itk + cp debian/mpm-itk/CHANGES debian/apache2.2-common/usr/share/doc/apache2.2-common/changelog.mpm-itk + cp debian/mpm-itk/debian/changelog debian/apache2.2-common/usr/share/doc/apache2.2-common/changelog.mpm-itk.Debian + for p in apache2-prefork-dev apache2-threaded-dev apache2-mpm-prefork apache2-mpm-event \ + apache2-mpm-worker apache2-mpm-itk apache2; \ + do \ + rm -rf debian/$$p/usr/share/doc/$$p ;\ + ln -s apache2.2-common debian/$$p/usr/share/doc/$$p ;\ + done + rm -rf debian/apache2-dbg/usr/share/doc/apache2-dbg + ln -s apache2.2-bin debian/apache2-dbg/usr/share/doc/apache2-dbg + dh_link + dh_installexamples + dh_compress + dh_fixperms -Xsuexec + chown -R www-data:www-data debian/apache2.2-common/var/cache/apache2 + chown root:adm debian/apache2.2-common/var/log/apache2 + chmod o-rx debian/apache2.2-common/var/log/apache2 + + touch $@ + +binary-indep: install + dh_installdeb -i + dh_gencontrol -i + dh_md5sums -i + dh_builddeb -i + +binary-arch: install + dh_makeshlibs -a -V + dh_installdeb -a + dh_shlibdeps -a + dh_gencontrol -a + dh_md5sums -a + if [ "$(LSB_RELEASE)" = "Ubuntu" ]; then \ + rm -rf debian/apache2-dbg; \ + sed -i '/apache2-dbg/d' debian/files; \ + dh_builddeb -a -Napache2-dbg; \ + else \ + dh_builddeb -a; \ + fi + +binary: binary-arch binary-indep --- apache2-2.2.16.orig/debian/apache2.2-common.examples +++ apache2-2.2.16/debian/apache2.2-common.examples @@ -0,0 +1,3 @@ +debian/setup-instance +debian/secondary-init-script +debian/apache2.monit --- apache2-2.2.16.orig/debian/a2enmod.8 +++ apache2-2.2.16/debian/a2enmod.8 
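Review bot: In the `install` target the setuid mode is set before the group is changed: `chmod 4754 debian/apache2-suexec/usr/lib/apache2/suexec` is followed by `chgrp www-data …/suexec`, and the same pair is repeated for `apache2-suexec-custom`. On Linux a chown/chgrp of a regular file clears the setuid bit, so this order presumably only produces a setuid helper because the build runs under fakeroot; under real root the packaged suexec would silently lose mode 4754. Swapping the two lines in both places (`chgrp www-data …/suexec` first, then `chmod 4754 …/suexec`) makes the result independent of the build environment. A comment such as `# setuid root, runnable only by group www-data; excluded from dh_fixperms via -Xsuexec` above each pair would record why `dh_fixperms -Xsuexec` skips these files.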
@@ -0,0 +1,68 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH A2ENMOD 8 "12 October 2006"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+a2enmod, a2dismod \- enable or disable an apache2 module
+.SH SYNOPSIS
+.B a2enmod
+.RI [ module ]
+.PP
+.B a2dismod
+.RI [ module ]
+.SH DESCRIPTION
+This manual page documents briefly the
+.B a2enmod
+and
+.B a2dismod
+commands.
+.PP
+.B a2enmod
+is a script that enables the specified module within the
+.B apache2
+configuration. It does this by creating symlinks within
+.BR /etc/apache2/mods-enabled .
+Likewise,
+.B a2dismod
+disables a module by removing those symlinks. It is not an error to
+enable a module which is already enabled, or to disable one which is
+already disabled.
+.SH EXAMPLES
+.RS
+.B "a2enmod imagemap"
+.br
+.B "a2dismod mime_magic"
+.RE
+.PP
+Enables the
+.B mod_imagemap
+module, and disables the
+.B mod_mime_magic
+module.
+.SH FILES
+.TP
+.B /etc/apache2/mods-available
+Directory with files giving information on available modules.
+.TP
+.B /etc/apache2/mods-enabled
+Directory with links to the files in
+.B mods-available
+for enabled modules.
+.SH "SEE ALSO"
+.BR apache2ctl (8).
+.SH AUTHOR
+This manual page was written by Daniel Stone for the Debian
+GNU/Linux distribution, as it is a Debian-specific script with the package.
--- apache2-2.2.16.orig/debian/apache2.8
+++ apache2-2.2.16/debian/apache2.8
@@ -0,0 +1,81 @@ +.TH "APACHE2" 8 "2008-04-05" "Apache HTTP Server" "apache2" + +.SH NAME +apache2 \- Apache Hypertext Transfer Protocol Server +.SH "SYNOPSIS" +.PP +\fBapache2\fR [ -\fBd\fR \fIserverroot\fR ] [ -\fBf\fR \fIconfig\fR ] [ -\fBC\fR \fIdirective\fR ] [ -\fBc\fR \fIdirective\fR ] [ -\fBD\fR \fIparameter\fR ] [ -\fBe\fR \fIlevel\fR ] [ -\fBE\fR \fIfile\fR ] [ \fB-k\fR start|restart|graceful|stop|graceful-stop ] [ -\fBR\fR \fIdirectory\fR ] [ -\fBh\fR ] [ -\fBl\fR ] [ -\fBL\fR ] [ -\fBS\fR ] [ -\fBt\fR ] [ -\fBv\fR ] [ -\fBV\fR ] [ -\fBX\fR ] [ -\fBM\fR ] +.SH "SUMMARY" +.PP +apache2 is the Apache HyperText Transfer Protocol (HTTP) server program\&. It is designed to be run as a standalone daemon process\&. When used like this it will create a pool of child processes or threads to handle requests\&. +.PP +In general, apache2 should not be invoked directly, but rather should be +invoked via /etc/init.d/apache2 or apache2ctl\&. The default Debian +configuration requires environment variables that are defined in +/etc/apache2/envvars and are not available if apache2 is started directly. +However, apache2ctl can be used to pass arbitrary arguments to apache2. +.SH "DOCUMENTATION" +.PP +The full documentation is available in the apache2-doc package or at +http://httpd.apache.org/docs/2.2/ . Information about Debian specific changes +and configuration can be found in +/usr/share/doc/apache2.2-common/README.Debian.gz . +.SH "OPTIONS" +.TP +-d \fIserverroot\fR +Set the initial value for the ServerRoot directive to \fIserverroot\fR\&. This can be overridden by the ServerRoot directive in the configuration file\&. +.TP +-f \fIconfig\fR +Uses the directives in the file \fIconfig\fR on startup\&. If \fIconfig\fR does not begin with a /, then it is taken to be a path relative to the ServerRoot\&. The default is /etc/apache2/apache2\&.conf\&. +.TP +-k start|restart|graceful|stop|graceful-stop +Signals apache2 to start, restart, or stop\&. 
See Stopping Apache for more information\&. +.TP +-C \fIdirective\fR +Process the configuration \fIdirective\fR before reading config files\&. +.TP +-c \fIdirective\fR +Process the configuration \fIdirective\fR after reading config files\&. +.TP +-D \fIparameter\fR +Sets a configuration \fIparameter \fRwhich can be used with sections in the configuration files to conditionally skip or process commands at server startup and restart\&. +.TP +-e \fIlevel\fR +Sets the LogLevel to \fIlevel\fR during server startup\&. This is useful for temporarily increasing the verbosity of the error messages to find problems during startup\&. +.TP +-E \fIfile\fR +Send error messages during server startup to \fIfile\fR\&. +.TP +-R \fIdirectory\fR +When the server is compiled using the SHARED_CORE rule, this specifies the \fIdirectory\fR for the shared object files\&. +.TP +-h +Output a short summary of available command line options\&. +.TP +-l +Output a list of modules compiled into the server\&. This will \fBnot\fR list dynamically loaded modules included using the LoadModule directive\&. +.TP +-L +Output a list of directives together with expected arguments and places where the directive is valid\&. +.TP +-M +Dump a list of loaded Static and Shared Modules\&. +.TP +-S +Show the settings as parsed from the config file (currently only shows the virtualhost settings)\&. +.TP +-t +Run syntax tests for configuration files only\&. The program immediately exits after these syntax parsing tests with either a return code of 0 (Syntax OK) or return code not equal to 0 (Syntax Error)\&. If -D \fIDUMP\fR_\fIVHOSTS \fRis also set, details of the virtual host configuration will be printed\&. If -D \fIDUMP\fR_\fIMODULES \fR is set, all loaded modules will be printed\&. +.TP +-v +Print the version of apache2, and then exit\&. +.TP +-V +Print the version and build parameters of apache2, and then exit\&. +.TP +-X +Run apache2 in debug mode\&. 
Only one worker will be started and the server will not detach from the console\&. +.SH SEE ALSO +.BR apache2ctl (8), +.BR /usr/share/doc/apache2.2-common/README.Debian.gz + --- apache2-2.2.16.orig/debian/split-logfile.8 +++ apache2-2.2.16/debian/split-logfile.8 @@ -0,0 +1,21 @@ +.TH "SPLIT-LOGFILE" 8 "2009-12-06" "Apache HTTP Server" "split-logfile" + +.SH NAME +split-logfile - Split combined virtual hosts access log into one file per virtual host + +.SH "SYNOPSIS" + +.PP +\fBsplit-logfile\fR < \fIlogfile\fR + +.SH "SUMMARY" + +.PP +This script will take a combined Web server access log file and break its contents into separate files. +It assumes that the first field of each line is the virtual host identity (put there by "%v"), and that the logfiles should be named that+".log" in the current directory. + +The combined log file is read from stdin. +Records read will be appended to any existing log files. + +.SH "EXAMPLES" +split-logfile < /var/log/apache2/other_vhosts_access.log --- apache2-2.2.16.orig/debian/httxt2dbm.8 +++ apache2-2.2.16/debian/httxt2dbm.8 
@@ -0,0 +1,41 @@
+.TH "HTTXT2DBM" 8 "2007-06-26" "Apache HTTP Server" "httxt2dbm"
+
+.SH NAME
+httxt2dbm - Generate dbm files for use with RewriteMap
+
+.SH "SYNOPSIS"
+
+.PP
+\fBhttxt2dbm\fR [ \fB\-v\fR ] [ \fB\-f\fR \fIDBM_TYPE\fR ] \fB\-i\fR \fISOURCE_TXT\fR \fB\-o\fR \fIOUTPUT_DBM\fR
+
+.SH "SUMMARY"
+
+.PP
+\fBhttxt2dbm\fR is used to generate dbm files from text input, for use in RewriteMap with the dbm map type.
+
+.SH "OPTIONS"
+
+.TP
+\-v
+More verbose output
+.TP
+\-f \fIDBM_TYPE\fR
+Specify the DBM type to be used for the output. If not specified, will use the APR Default. Available types are:
+ GDBM for GDBM files
+ SDBM for SDBM files
+ DB for berkeley DB files
+ NDBM for NDBM files
+ default for the default DBM type
+.TP
+\-i \fISOURCE_TXT\fR
+Input file from which the dbm is to be created. The file should be formated with one record per line, of the form:
+ key value
+See the documentation for RewriteMap for further details of this file's format and meaning.
+.TP
+\-o \fIOUTPUT_DBM\fR
+Name of the output dbm files.
+
+.SH "EXAMPLES"
+httxt2dbm \-i rewritemap.txt \-o rewritemap.dbm
+
+httxt2dbm \-f SDBM \-i rewritemap.txt \-o rewritemap.dbm
--- apache2-2.2.16.orig/debian/check_forensic.8
+++ apache2-2.2.16/debian/check_forensic.8
@@ -0,0 +1,16 @@
+.TH check_forensic 8
+.SH NAME
+check_forensic \- tool to extract mod_log_forensic output from apache log files
+.SH SYNOPSIS
+.B check_forensic
+
+.SH "DESCRIPTION"
+chech_forensic is a simple shell script designed to help apache administrators
+to extract mod_log_forensic output from apache2 log files.
+It checks the forensic log for requests that did not complete
+and outputs the request log for each one.
+.PP
+.SH AUTHOR
+This manual page was written by Fabio M. Di Nitto
+, for the Debian GNU/Linux system
+(but may be used by others).
--- apache2-2.2.16.orig/debian/bash_completion
+++ apache2-2.2.16/debian/bash_completion
@@ -0,0 +1,54 @@
+# bash completion for Debian apache2 configuration tools
+# $Id: apache2,v 1.1 2005/03/16 22:51:19 guillaume Exp $
+
+_apache2_modsites()
+{
+ COMPREPLY=( $( compgen -W '$( command ls /etc/apache2/$1 2>/dev/null \
+ | sed -e 's/[.]load$//' -e 's/[.]conf$//' )' -- $cur ) )
+}
+
+_a2enmod()
+{
+ local cur
+
+ COMPREPLY=()
+ cur=${COMP_WORDS[COMP_CWORD]}
+
+ _apache2_modsites mods-available
+}
+complete -F _a2enmod a2enmod
+
+_a2ensite()
+{
+ local cur
+
+ COMPREPLY=()
+ cur=${COMP_WORDS[COMP_CWORD]}
+
+ _apache2_modsites sites-available
+
+}
+complete -F _a2ensite a2ensite
+
+_a2dismod()
+{
+ local cur
+
+ COMPREPLY=()
+ cur=${COMP_WORDS[COMP_CWORD]}
+
+ _apache2_modsites mods-enabled
+}
+complete -F _a2dismod a2dismod
+
+_a2dissite()
+{
+ local cur
+
+ COMPREPLY=()
+ cur=${COMP_WORDS[COMP_CWORD]}
+
+ _apache2_modsites sites-enabled
+
+}
+complete -F _a2dissite a2dissite
--- apache2-2.2.16.orig/debian/apache2.links
+++ apache2-2.2.16/debian/apache2.links
@@ -0,0 +1 @@
+usr/share/bug/apache2.2-common/script usr/share/bug/apache2/script
--- apache2-2.2.16.orig/debian/copyright
+++ apache2-2.2.16/debian/copyright
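Review bot: `_apache2_modsites` passes the word being completed unquoted (`-- $cur`), so a partial word containing whitespace or glob characters is split or expanded before `compgen` sees it; quote it as `-- "$cur"`. The helper also reads `cur` from its caller through bash's dynamic scoping rather than taking it as an argument, which deserves a one-line comment such as `# relies on $cur set by the calling _a2* function`. The `sed` expressions sit inside an outer single-quoted string, so their own quotes actually close and reopen it and leave `s/[.]load$//` and `s/[.]conf$//` unquoted; writing the word list with double quotes around the command substitution would avoid that.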
@@ -0,0 +1,546 @@ +This package was debianized by Thom May on +Tues, 8 Feb 2005 16:00:00 +0000. + +It was downloaded from http://httpd.apache.org/download.cgi + +Upstream Authors: + The Apache Software Foundation - http://httpd.apache.org + For apache2-mpm-itk: + Steinar H. Gunderson + Knut Auvor Grythe + +Copyright: + +Licensed to the Apache Software Foundation (ASF) under one or more contributor +license agreements. The ASF licenses this work to You under the Apache License, +Version 2.0 (the "License"); you may not use this work except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +On a Debian system, the license can be found at +/usr/share/common-licenses/Apache-2.0 . + +APACHE2-MPM-ITK: + +apache2-mpm-itk is copyright Steinar H. Gunderson +and Knut Auvor Grythe , and is provided under the same license +as the Apache web server. + +Get the latest version at http://mpm-itk.sesse.net/ . + +APACHE HTTP SERVER SUBCOMPONENTS: + +The Apache HTTP Server includes a number of subcomponents with +separate copyright notices and license terms. Your use of the source +code for the these subcomponents is subject to the terms and +conditions of the following licenses. + +For the mod_mime_magic component: + +/* + * mod_mime_magic: MIME type lookup via file magic numbers + * Copyright (c) 1996-1997 Cisco Systems, Inc. + * + * This software was submitted by Cisco Systems to the Apache Group in July + * 1997. Future revisions and derivatives of this source code must + * acknowledge Cisco Systems as the original contributor of this module. + * All other licensing and usage conditions are those of the Apache Group. + * + * Some of this code is derived from the free version of the file command + * originally posted to comp.sources.unix. Copyright info for that program + * is included below as required. + * --------------------------------------------------------------------------- + * - Copyright (c) Ian F. 
Darwin, 1987. Written by Ian F. Darwin. + * + * This software is not subject to any license of the American Telephone and + * Telegraph Company or of the Regents of the University of California. + * + * Permission is granted to anyone to use this software for any purpose on any + * computer system, and to alter it and redistribute it freely, subject to + * the following restrictions: + * + * 1. The author is not responsible for the consequences of use of this + * software, no matter how awful, even if they arise from flaws in it. + * + * 2. The origin of this software must not be misrepresented, either by + * explicit claim or by omission. Since few users ever read sources, credits + * must appear in the documentation. + * + * 3. Altered versions must be plainly marked as such, and must not be + * misrepresented as being the original software. Since few users ever read + * sources, credits must appear in the documentation. + * + * 4. This notice may not be removed or altered. + * ------------------------------------------------------------------------- + * + */ + +For the file /etc/apache2/magic (taken from the package file 4.17-5etch3): + +Copyright (c) Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995. +Software written by Ian F. Darwin and others; +maintained 1994-2004 Christos Zoulas. + +This software is not subject to any export provision of the United States +Department of Commerce, and may be exported to any country or planet. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: +1. Redistributions of source code must retain the above copyright + notice immediately at the beginning of the file, without modification, + this list of conditions, and the following disclaimer. +2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR +ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +SUCH DAMAGE. + + +For the modules\mappers\mod_imap.c component: + + "macmartinized" polygon code copyright 1992 by Eric Haines, erich@eye.com + +For the server\util_md5.c component: + +/************************************************************************ + * NCSA HTTPd Server + * Software Development Group + * National Center for Supercomputing Applications + * University of Illinois at Urbana-Champaign + * 605 E. Springfield, Champaign, IL 61820 + * httpd@ncsa.uiuc.edu + * + * Copyright (C) 1995, Board of Trustees of the University of Illinois + * + ************************************************************************ + * + * md5.c: NCSA HTTPd code which uses the md5c.c RSA Code + * + * Original Code Copyright (C) 1994, Jeff Hostetler, Spyglass, Inc. + * Portions of Content-MD5 code Copyright (C) 1993, 1994 by Carnegie Mellon + * University (see Copyright below). + * Portions of Content-MD5 code Copyright (C) 1991 Bell Communications + * Research, Inc. (Bellcore) (see Copyright below). + * Portions extracted from mpack, John G. 
Myers - jgm+@cmu.edu + * Content-MD5 Code contributed by Martin Hamilton (martin@net.lut.ac.uk) + * + */ + + +/* these portions extracted from mpack, John G. Myers - jgm+@cmu.edu */ +/* (C) Copyright 1993,1994 by Carnegie Mellon University + * All Rights Reserved. + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without + * fee, provided that the above copyright notice appear in all copies + * and that both that copyright notice and this permission notice + * appear in supporting documentation, and that the name of Carnegie + * Mellon University not be used in advertising or publicity + * pertaining to distribution of the software without specific, + * written prior permission. Carnegie Mellon University makes no + * representations about the suitability of this software for any + * purpose. It is provided "as is" without express or implied + * warranty. + * + * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE + * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +/* + * Copyright (c) 1991 Bell Communications Research, Inc. (Bellcore) + * + * Permission to use, copy, modify, and distribute this material + * for any purpose and without fee is hereby granted, provided + * that the above copyright notice and this permission notice + * appear in all copies, and that the name of Bellcore not be + * used in advertising or publicity pertaining to this + * material without the specific, prior written permission + * of an authorized representative of Bellcore. 
BELLCORE + * MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY + * OF THIS MATERIAL FOR ANY PURPOSE. IT IS PROVIDED "AS IS", + * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. + */ + +For the srclib\apr\include\apr_md5.h component: +/* + * This is work is derived from material Copyright RSA Data Security, Inc. + * + * The RSA copyright statement and Licence for that original material is + * included below. This is followed by the Apache copyright statement and + * licence for the modifications made to that material. + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD5 Message-Digest + Algorithm" in all material mentioning or referencing this software + or this function. + + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD5 Message-Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + */ + +For the srclib\apr\passwd\apr_md5.c component: + +/* + * This is work is derived from material Copyright RSA Data Security, Inc. + * + * The RSA copyright statement and Licence for that original material is + * included below. This is followed by the Apache copyright statement and + * licence for the modifications made to that material. + */ + +/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + rights reserved. 
+ + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD5 Message-Digest + Algorithm" in all material mentioning or referencing this software + or this function. + + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD5 Message-Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + */ +/* + * The apr_md5_encode() routine uses much code obtained from the FreeBSD 3.0 + * MD5 crypt() function, which is licenced as follows: + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +For the srclib\apr-util\crypto\apr_md4.c component: + + * This is derived from material copyright RSA Data Security, Inc. + * Their notice is reproduced below in its entirety. + * + * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + * rights reserved. + * + * License to copy and use this software is granted provided that it + * is identified as the "RSA Data Security, Inc. MD4 Message-Digest + * Algorithm" in all material mentioning or referencing this software + * or this function. 
+ * + * License is also granted to make and use derivative works provided + * that such works are identified as "derived from the RSA Data + * Security, Inc. MD4 Message-Digest Algorithm" in all material + * mentioning or referencing the derived work. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software for any particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ + +For the srclib\apr-util\include\apr_md4.h component: + + * + * This is derived from material copyright RSA Data Security, Inc. + * Their notice is reproduced below in its entirety. + * + * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + * rights reserved. + * + * License to copy and use this software is granted provided that it + * is identified as the "RSA Data Security, Inc. MD4 Message-Digest + * Algorithm" in all material mentioning or referencing this software + * or this function. + * + * License is also granted to make and use derivative works provided + * that such works are identified as "derived from the RSA Data + * Security, Inc. MD4 Message-Digest Algorithm" in all material + * mentioning or referencing the derived work. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software for any particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * + * These notices must be retained in any copies of any part of this + * documentation and/or software. 
+ */ + + +For the srclib\apr-util\test\testdbm.c component: + +/* ==================================================================== + * The Apache Software License, Version 1.1 + * + * Copyright (c) 2000-2002 The Apache Software Foundation. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The end-user documentation included with the redistribution, + * if any, must include the following acknowledgment: + * "This product includes software developed by the + * Apache Software Foundation (http://www.apache.org/)." + * Alternately, this acknowledgment may appear in the software itself, + * if and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Apache" and "Apache Software Foundation" must + * not be used to endorse or promote products derived from this + * software without prior written permission. For written + * permission, please contact apache@apache.org. + * + * 5. Products derived from this software may not be called "Apache", + * nor may "Apache" appear in their name, without prior written + * permission of the Apache Software Foundation. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. 
IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + * This file came from the SDBM package (written by oz@nexus.yorku.ca). + * That package was under public domain. This file has been ported to + * APR, updated to ANSI C and other, newer idioms, and added to the Apache + * codebase under the above copyright and license. + */ + + +For the srclib\apr-util\test\testmd4.c component: + + * + * This is derived from material copyright RSA Data Security, Inc. + * Their notice is reproduced below in its entirety. + * + * Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All + * rights reserved. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software for any particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ + +For the srclib\apr-util\xml\expat\conftools\install-sh component: + +# +# install - install a program, script, or datafile +# This comes from X11R5 (mit/util/scripts/install.sh). 
+# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. +# + +For the srclib\pcre\install-sh component: + +# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. + +For the pcre component: + +PCRE LICENCE +------------ + +PCRE is a library of functions to support regular expressions whose syntax +and semantics are as close as possible to those of the Perl 5 language. + +Written by: Philip Hazel + +University of Cambridge Computing Service, +Cambridge, England. Phone: +44 1223 334714. + +Copyright (c) 1997-2001 University of Cambridge + +Permission is granted to anyone to use this software for any purpose on any +computer system, and to redistribute it freely, subject to the following +restrictions: + +1. 
This software is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +2. The origin of this software must not be misrepresented, either by + explicit claim or by omission. In practice, this means that if you use + PCRE in software which you distribute to others, commercially or + otherwise, you must put a sentence like this + + Regular expression support is provided by the PCRE library package, + which is open source software, written by Philip Hazel, and copyright + by the University of Cambridge, England. + + somewhere reasonably visible in your documentation and in any relevant + files or online help data or similar. A reference to the ftp site for + the source, that is, to + + ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ + + should also be given in the documentation. + +3. Altered versions must be plainly marked as such, and must not be + misrepresented as being the original software. + +4. If PCRE is embedded in any software that is released under the GNU + General Purpose Licence (GPL), or Lesser General Purpose Licence (LGPL), + then the terms of that licence shall supersede any condition above with + which it is incompatible. + +The documentation for PCRE, supplied in the "doc" directory, is distributed +under the same terms as the software itself. + +End PCRE LICENCE + +Note: The various versions of the GPL and the LGPL can be found in +/usr/share/common-licenses/. + +For the test\zb.c component: + +/* ZeusBench V1.01 + =============== + +This program is Copyright (C) Zeus Technology Limited 1996. + +This program may be used and copied freely providing this copyright notice +is not removed. + +This software is provided "as is" and any express or implied waranties, +including but not limited to, the implied warranties of merchantability and +fitness for a particular purpose are disclaimed. In no event shall +Zeus Technology Ltd. 
be liable for any direct, indirect, incidental, special, +exemplary, or consequential damaged (including, but not limited to, +procurement of substitute good or services; loss of use, data, or profits; +or business interruption) however caused and on theory of liability. Whether +in contract, strict liability or tort (including negligence or otherwise) +arising in any way out of the use of this software, even if advised of the +possibility of such damage. + + Written by Adam Twiss (adam@zeus.co.uk). March 1996 + +Thanks to the following people for their input: + Mike Belshe (mbelshe@netscape.com) + Michael Campanella (campanella@stevms.enet.dec.com) + +*/ + +For the expat xml parser component: + +Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd + and Clark Cooper + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be included +in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
+
+====================================================================
+
+OpenDocument icons:
+-------------------
+
+These icons are copyright of Pete Harlow and licensed under the Apache
+license. See
+https://bugs.edge.launchpad.net/ubuntu/+source/apache2/+bug/130836
+http://www.catnip.co.uk/opendocument/icons/#apache
--- apache2-2.2.16.orig/debian/apache2-suexec-custom.lintian-overrides
+++ apache2-2.2.16/debian/apache2-suexec-custom.lintian-overrides
@@ -0,0 +1 @@
+setuid-binary usr/lib/apache2/suexec 4754 root/www-data
--- apache2-2.2.16.orig/debian/apache2.2-common.lintian-overrides
+++ apache2-2.2.16/debian/apache2.2-common.lintian-overrides
@@ -0,0 +1,3 @@
+apache2.2-common: setuid-binary usr/lib/apache2/suexec 4754 root/www-data
+apache2.2-common: non-standard-dir-perm var/log/apache2/ 0750 != 0755
+apache2.2-common: package-contains-empty-directory usr/lib/cgi-bin/
--- apache2-2.2.16.orig/debian/apache2.2-common.apache2.cron.daily
+++ apache2-2.2.16/debian/apache2.2-common.apache2.cron.daily
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# run htcacheclean
+
+set -e
+set -u
+
+[ -e /usr/sbin/htcacheclean ] || exit 0
+[ -e /etc/default/apache2 ] || exit 0
+
+
+# edit /etc/default/apache2 to change this
+HTCACHECLEAN_MODE=daemon
+HTCACHECLEAN_RUN=auto
+HTCACHECLEAN_SIZE=300M
+HTCACHECLEAN_PATH=/var/cache/apache2/mod_disk_cache
+HTCACHECLEAN_OPTIONS=""
+
+. /etc/default/apache2
+
+[ "$HTCACHECLEAN_MODE" = "cron" ] || exit 0
+
+[ "$HTCACHECLEAN_RUN" = "yes" ] ||
+( [ "$HTCACHECLEAN_RUN" = "auto" ] && \
+ [ -e /etc/apache2/mods-enabled/disk_cache.load ] ) || exit 0
+
+/usr/sbin/htcacheclean ${HTCACHECLEAN_OPTIONS} \
+ -p${HTCACHECLEAN_PATH} \
+ -l${HTCACHECLEAN_SIZE}
+
--- apache2-2.2.16.orig/debian/apache2.2-common.bug-script
+++ apache2-2.2.16/debian/apache2.2-common.bug-script
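Review bot: The final htcacheclean command in the cron.daily hunk expands `${HTCACHECLEAN_PATH}` and `${HTCACHECLEAN_SIZE}` unquoted, so a cache path containing whitespace or glob characters in /etc/default/apache2 would be split or expanded into extra arguments of a job that cron.daily presumably runs as root. Quote the two single-value expansions, `-p"${HTCACHECLEAN_PATH}"` and `-l"${HTCACHECLEAN_SIZE}"`; `${HTCACHECLEAN_OPTIONS}` looks intended to carry several options and can stay unquoted. The values come from a file the script sources with `. /etc/default/apache2`, so this is hardening against an administrator's typo rather than a trust-boundary fix.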
@@ -0,0 +1,60 @@
+#!/usr/bin/perl -w
+
+use strict;
+use Text::Wrap;
+$Text::Wrap::columns = 70;
+
+open (my $out, ">&=3") or die "could not open FD 3\n";
+
+my $apache = ". /etc/apache2/envvars && /usr/sbin/apache2";
+my $res = `$apache -t 2>&1`;
+my @modules;
+my $php;
+if ($res !~ "Syntax OK") {
+ # if we are not root, syntax check will fail because ssl private keys
+ # are not readable
+ print $out "Config file syntax check failed.\n" if $> == 0;
+ @modules = sort glob("/etc/apache2/mods-enabled/*.load");
+ map { s{^/etc/apache2/mods-enabled/(.*)\.load$}{$1} } @modules;
+ print $out "List of /etc/apache2/mods-enabled/*.load:\n";
+}
+else {
+ @modules = sort `$apache -M 2>&1`;
+ @modules = map { /^ (.*)_module \(shared\)/ ? ($1) : () } @modules;
+ print $out "List of enabled modules from 'apache2 -M':\n";
+}
+if (! scalar @modules) {
+ print $out "Could not determine module list\n";
+}
+else {
+ my $missing;
+ foreach my $m (@modules) {
+ if (-e "/etc/apache2/mods-available/$m.conf" and
+ ! -e "/etc/apache2/mods-enabled/$m.conf") {
+ $m .= "*";
+ $missing = 1;
+ }
+ if ($m =~ /^(php\d)/) {
+ $php = $1;
+ }
+ }
+
+ print $out wrap(" ", " ", "@modules\n");
+
+ print $out
+ wrap(" ", " ",
+ "(A * means that the .conf file for that module is not " .
+ "enabled in /etc/apache2/mods-enabled/)\n")
+ if $missing;
+}
+if (defined $php) {
+ my @exts = qx{egrep ^extension= /etc/$php/apache2/php.ini /etc/$php/apache2/conf.d/* 2>/dev/null};
+ if (scalar @exts) {
+ chomp @exts;
+ @exts = grep { ! m{\.dpkg-(?:bak|dist):} } @exts;
+ @exts = sort grep { s{^.*:extension=(\S+)\.\S+}{$1} } @exts;
+ print $out "List of enabled $php extensions:\n";
+ print $out wrap(" ", " ", "@exts\n");
+ }
+}
+
--- apache2-2.2.16.orig/debian/README.source
+++ apache2-2.2.16/debian/README.source
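Review bot: The `qx{egrep ^extension= /etc/$php/apache2/php.ini ...}` line interpolates `$php` into a shell command, and it is safe only because `$php` is assigned from the `/^(php\d)/` capture in the module loop; nothing at the call site says so. Add a comment above it such as `# $php is "php" plus one digit (captured above), safe to interpolate into the shell`, so that a later widening of that pattern is reviewed with the command in mind. As a smaller style point, `open (my $out, ">&=3")` can use the three-argument form `open(my $out, '>&=', 3)`, and the `map { s{...}{$1} } @modules;` in void context reads better as a `for` statement modifier.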
@@ -0,0 +1,17 @@
+Debian-apache uses dpatch to make changes to the upstream source.
+
+To apply all of the patches run:
+./debian/rules patch
+
+To unapply all of the patches run:
+./debian/rules unpatch
+
+To add (or edit) a patch run:
+dpatch-edit-patch name_of_patch_goes_here
+#make your changes
+exit
+
+dpatch will make a new patch in debian/patches/ if one with that name doesn't already exist, otherwise it will change the existing one.
+To make it get used add it to debian/patches/00list .
+
+To make a patch not get used remove it from debian/patches/00list .
--- apache2-2.2.16.orig/debian/README.Debian
+++ apache2-2.2.16/debian/README.Debian
@@ -0,0 +1,372 @@ +Contents +======== + + Apache2 Configuration under Debian GNU/Linux + Files and Directories in /etc/apache2 + Tools + + Using mod_disk_cache + + SSL + Enabling SSL + Creating self-signed certificates + SSL workaround for MSIE + + Suexec + + Documentation + + Upgrades + + Common Problems + + +Apache2 Configuration under Debian GNU/Linux +============================================ + +Debian's default Apache2 installation attempts to make adding and +removing modules, virtual hosts, and extra configuration directives as +flexible as possible, in order to make automating the changes and +administering the server as easy as possible. + +Please be aware that this layout is quite different from the standard +Apache configuration. Due to the use of environment variables, apache2 +needs to be started/stopped with /etc/init.d/apache2 or apache2ctl. +Calling /usr/bin/apache2 directly will not work with the default +configuration. To call apache2 with specific command line arguments, +just call apache2ctl with the same arguments. + +Files and Directories in /etc/apache2: +------------------------------------- + +apache2.conf + + This is the main configuration file. + +envvars + + This contains environment variables that may be used in the + configuration. Some settings, like user and pid file, need to + go in here so that other scripts can use them. It can also + be used to change some default settings used by apache2ctl. + Here is also the default LANG=C setting that can be changed + to a different language. + +conf.d/ + + Files in this directory are included by this line in + apache2.conf: + + # Include generic snippets of statements + Include /etc/apache2/conf.d + + This is a good place to add additional configuration + directives. Packages should not use configuration + files that start with 'local-' or end with '.local'. + The local administrator can use these filenames to make + sure that there are no conflicts with files provided by + packages. 
+ + If the local administrator is not comfortable with packages + activating their config files by default, it is possible + to change the 'Include /etc/apache2/conf.d/' in apache2.conf + into 'Include /etc/apache2/conf.d.enabled/' and create that + directory. He can then put symlinks to the files in conf.d + which he wants to enable into conf.d.enabled. + +httpd.conf + + Empty file. + +magic + + Empty file. + +mods-available/ + + This directory contains a series of .load and .conf files. + The .load files contain the Apache configuration directive + necessary to load the module in question. The respective + .conf files contain configuration directives necessary to + utilize the module in question. + +mods-enabled/ + + To actually enable a module for Apache2, it is necessary to + create a symlink in this directory to the .load (and .conf, if + it exists) files associated with the module in + mods-available/. For example: + + cgi.load -> /etc/apache2/mods-available/cgi.load + +ports.conf + + Configuration directives for which ports and IP addresses to + listen to. + +sites-available/ + + Like mods-available/, except it contains configuration + directives for different virtual hosts that might be used with + apache2. Note that the hostname doesn't have to correspond + exactly with the filename. 'default' is the default host. + +sites-enabled/ + + Similar in functionality to mods-enabled/, sites-enabled + contains symlinks to sites in sites-available/ that the + admnistrator wishes to enable. + + Apache uses the first VirtualHost that matches the IP/Port + as default for named virtual hosts. Therefore the 'default' + site is linked to '000-default' so that it will be read first. + + Example: + dedasys -> /etc/apache2/sites-available/dedasys + +The Include directive ignores files with names that + +- do not begin with a letter or number +- contain a character that is neither letter nor number nor _-. 
+- contain .dpkg + +Other files +----------- + +For historical reasons, the pid file is in /var/run/apache2.pid and not in +/var/run/apache2/apache2.pid. + +Tools +----- + +a2enmod and a2dismod are available for enabling and disabling modules utilizing +the above configuration system. + +a2ensite and a2dissite do essentially the same thing as the above tools, but +for sites rather than modules. + +apxs2 -a/-A is modified to use a2enmod to activate newly installed modules. + + +Using mod_disk_cache +==================== + +To ensure that the disk cache does not grow indefinitely, htcacheclean is +started when mod_disk_cache is enabled. Both daemon and cron (daily) mode +are supported. The configuration (run mode, cache size, ...) is in +/etc/default/apache2 . + +Normally, htcacheclean is automatically started and stopped by +/etc/init.d/apache2. However, if you change the state of mod_disk_cache or the +configuration of htcacheclean while apache2 is running, you may need to +manually start/stop htcacheclean with "/etc/init.d/apache2 start-htcacheclean" +or "/etc/init.d/apache2 stop-htcacheclean". + + +SSL +=== + +Enabling SSL +------------ + +To enable SSL, type (as user root): + + a2ensite default-ssl + a2enmod ssl + +If you want to use self-signed certificates, you should install the ssl-cert +package (see below). Otherwise, just adjust the SSLCertificateFile and +SSLCertificateKeyFile directives in /etc/apache2/sites-available/default-ssl to +point to your SSL certificate. Then restart apache: + + /etc/init.d/apache2 restart + +The SSL key file should only be readable by root, the certificate file may be +globally readable. These files are read by the Apache parent process which runs +as root. Therefore it is not necessary to make the files readable by the +www-data user. 
+ +Creating self-signed certificates +--------------------------------- + +If you install the ssl-cert package, a self-signed certificate will be +automatically created using the hostname currently configured on your computer. +You can recreate that certificate (e.g. after you have changed /etc/hosts or +DNS to give the correct hostname) as user root with: + + make-ssl-cert generate-default-snakeoil --force-overwrite + +To create more certificates with different host names, you can use + + make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /path/to/cert-file.crt + +This will ask you for the hostname and place both SSL key and certificate in +the file /path/to/cert-file.crt . Use this file with the SSLCertificateFile +directive in the Apache config (you don't need the SSLCertificateKeyFile in +this case as it also contains the key). The file /path/to/cert-file.crt should +only be readable by root. A good directory to use for the additional +certificates/keys is /etc/ssl/private . + +SSL workaround for MSIE +----------------------- + +The SSL workaround for MS Internet Explorer needs to be added to your SSL +VirtualHost section (it was previously in ssl.conf but caused keepalive to be +disabled even for non-SSL connections): + + BrowserMatch "MSIE [2-6]" \ + nokeepalive ssl-unclean-shutdown \ + downgrade-1.0 force-response-1.0 + BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown + +The default SSL virtual host in /etc/apache2/sites-available/default-ssl +already contains this workaround. + + +Suexec +====== + +Debian ships two version of the suexec helper program required by mod_suexec. +It is not installed by default, to avoid possible security issues. The package +apache2-suexec contains the standard version that works only with document root +/var/www, userdir suffix public_html, and Apache run user www-data. 
The package +apache2-suexec-custom contains a customizable version, that can be configured +with a config file to use different settings (like /srv/www as document root). +For more information see the suexec(8) man page in the apache2-suexec-custom +package. + +Since apache2-suexec-custom has received less testing and might be slightly +slower, apache2-suexec is the recommended version unless you need the features +from apache2-suexec-custom. + + +Documentation +============= + +The full Apache 2 documentation can be found on the web at + +http://httpd.apache.org/docs/2.2/ + +or, if you have installed the apache2-doc package, in + +/usr/share/doc/apache2-doc/manual/ + +or at + +http://localhost/manual/ + +There is also a wiki that contains useful information: + +http://wiki.apache.org/httpd/ + +Some hints about securing Apache 2 on Debian are available at + +http://wiki.debian.org/Apache/Hardening + + +Upgrades +======== + +Changes in the Apache packages that require manual configuration adjustments +are announced in NEWS.Debian. Installing the apt-listchanges package is +recommended. It will display the relevant NEWS.Debian sections before +upgrades. + + +Multiple instances +================== + +There is some support for running multiple instances of Apache2 on the same +machine. See /usr/share/doc/apache2.2-common/README.multiple-instances for more +information. + + +Common Problems +=============== + +1) Error message "Could not determine the server's fully qualified domain name, +using 127.0.0.1 for ServerName" during start + +This can usually be ignored but it means that Apache httpd was unable to obtain +a fully-qualified hostname by doing a reverse lookup on your server's IP +address. You may want to add the fully-qualified hostname to /etc/hosts . + + +2) Error message "mod_rewrite: could not create rewrite_log_lock" + +This probably means that there are some stale SYSV semaphores around. 
This +usually happens after apache2 has been killed with kill -9 (SIGKILL). You can +clean up the semaphores with: + + ipcs -s | grep www-data | awk ' { print $2 } ' | xargs ipcrm sem + +3) Message "NameVirtualHost *:80 has no VirtualHosts" in error log + +Probably the VirtualHost definitions have not been adjusted after the +NameVirtualHost directive was changed in ports.conf. +See /usr/share/doc/apache2.2-common/NEWS.Debian.gz + +4) Message "File does not exist: /etc/apache2/htdocs" in error log + +In most cases this means that no matching VirtualHost definition could be +found for an incoming request. Check that the target IP address/port and the +name in the Host: header of the request actually match one of the virtual +hosts. + +5) Message "Couldn't create pollset in child; check user or system limits" in + error log + +On Linux kernels since 2.6.27.8, the value in + + /proc/sys/fs/epoll/max_user_instances + +needs to be larger than + + for prefork/itk MPM: 2 * MaxClients + for worker/event MPM: MaxClients + MaxClients/ThreadsPerChild + +It can be set on boot by adding a line like + + fs.epoll.max_user_instances=1024 + +to /etc/sysctl.conf. + +There are several other error messages related to creating a pollset that can +appear for the same reason. + +On the other hand, errors about to adding to a pollset are related to the +setting fs.epoll.max_user_watches. On most systems, max_user_watches should be +high enough by default. + +6) Message "Server should be SSL-aware but has no certificate configured" in + error log + +Since 2.2.12, Apache is stricter about certain misconfigurations concerning +name based SSL virtual hosts. See NEWS.Debian.gz for more details. + +7) Apache does not pass Authorization header to CGI scripts + +This is intentional to avoid security holes. If you really want to change it, +you can use mod_rewrite: + + RewriteCond %{HTTP:Authorization} (.*) + RewriteRule . 
- [env=HTTP_AUTHORIZATION:%1] + +8) mod_dav is behaving strangely + +In general, if you use mod_dav_fs, you need to disable multiviews and script +execution for that directory. For example: + + + Dav on + Options -MultiViews -ExecCGI + SetHandler none + + php_admin_value engine Off + + + +9) Message "apache2: bad user name ${APACHE_RUN_USER}" when starting apache2 + directly + +Use apache2ctl (it accepts all options of apache2). --- apache2-2.2.16.orig/debian/apache2.2-bin.install +++ apache2-2.2.16/debian/apache2.2-bin.install @@ -0,0 +1,2 @@ +usr/lib/apache2/modules +usr/sbin/httxt2dbm --- apache2-2.2.16.orig/debian/suexec-custom.config +++ apache2-2.2.16/debian/suexec-custom.config @@ -0,0 +1,5 @@ +/var/www +public_html/cgi-bin +# The first two lines contain the suexec document root and the suexec userdir +# suffix. Both features can be disabled separately by prepending a # character. +# This config file is only used by the apache2-suexec-custom package. --- apache2-2.2.16.orig/debian/apache2.2-common.manpages +++ apache2-2.2.16/debian/apache2.2-common.manpages @@ -0,0 +1,7 @@ +debian/a2enmod.8 +debian/a2dismod.8 +debian/apache2.8 +debian/apachectl.8 +debian/apache2ctl.8 +debian/a2ensite.8 +debian/a2dissite.8 --- apache2-2.2.16.orig/debian/apache2-threaded-dev.install +++ apache2-2.2.16/debian/apache2-threaded-dev.install @@ -0,0 +1 @@ +usr/share/man/man8/apxs2.8 --- apache2-2.2.16.orig/debian/mpms.prerm +++ apache2-2.2.16/debian/mpms.prerm @@ -0,0 +1,27 @@ +#!/bin/sh -e + +# Apache2 prerm +# Thom May + +case "$1" in + upgrade|remove) + if [ -x "/etc/init.d/apache2" ]; then + if [ -x /usr/sbin/invoke-rc.d ]; then + invoke-rc.d apache2 stop || true + else + /etc/init.d/apache2 stop || true + fi + fi + sleep 2 + ;; + deconfigure|failed-upgrade) + ;; + *) + echo "prerm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 --- apache2-2.2.16.orig/debian/a2ensite.8 +++ apache2-2.2.16/debian/a2ensite.8 
@@ -0,0 +1,70 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH A2ENSITE 8 "8 June 2007"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+a2ensite, a2dissite \- enable or disable an apache2 site / virtual host
+.SH SYNOPSIS
+.B a2ensite
+.RI [ site ]
+.PP
+.B a2dissite
+.RI [ site ]
+.SH DESCRIPTION
+This manual page documents briefly the
+.B a2ensite
+and
+.B a2dissite
+commands.
+.PP
+.B a2ensite
+is a script that enables the specified site (which contains a block) within the
+.B apache2
+configuration. It does this by creating symlinks within
+.BR /etc/apache2/sites-enabled .
+Likewise,
+.B a2dissite
+disables a site by removing those symlinks. It is not an error to
+enable a site which is already enabled, or to disable one which is
+already disabled.
+.PP
+The
+.B default
+site is handled specially: The resulting symlink will be called
+.B 000-default
+in order to be loaded first.
+.SH EXAMPLES
+.RS
+.B "a2dissite default"
+.RE
+.PP
+Disables the
+.B default
+site.
+.SH FILES
+.TP
+.B /etc/apache2/sites-available
+Directory with files giving information on available sites.
+.TP
+.B /etc/apache2/sites-enabled
+Directory with links to the files in
+.B sites-available
+for enabled sites.
+.SH "SEE ALSO"
+.BR apache2ctl (8).
+.SH AUTHOR
+This manual page was written by Stefan Fritsch (based on the a2enmod manual
+page by Daniel Stone ) for the Debian GNU/Linux distribution.
--- apache2-2.2.16.orig/debian/changelog
+++ apache2-2.2.16/debian/changelog
@@ -0,0 +1,2865 @@ +apache2 (2.2.16-1ubuntu3.3) maverick-security; urgency=low + + * SECURITY UPDATE: Range header DoS vulnerability + - debian/patches/084_CVE-2011-3192.dpatch: filter out large + byte ranges and improve memory efficiency in handling buckets. + (thanks to Debian and upstream) + - CVE-2011-3192 + * Include fix for regressions introduced by above patch: + - debian/patches/085_CVE-2011-3192_regression.dpatch: return 206 + and 416 response codes where appropriate (see deban bug 639825) + + -- Steve Beattie Thu, 01 Sep 2011 01:51:58 -0700 + +apache2 (2.2.16-1ubuntu3.1) maverick-security; urgency=low + + * SECURITY UPDATE: denial of service via memory leak in mod_reqtimeout. + - debian/patches/204_CVE-2010-1623.dpatch: merge by small buckets to + prevent high memory usage in modules/filters/mod_reqtimeout.c. + - CVE-2010-1623 + + -- Marc Deslauriers Thu, 18 Nov 2010 12:59:47 -0500 + +apache2 (2.2.16-1ubuntu3) maverick; urgency=low + + * Revert "stty sane" to unbreak apache starting, this will have to be + fixed a different way. (LP: #626723) + + -- Chuck Short Wed, 08 Sep 2010 08:33:17 -0400 + +apache2 (2.2.16-1ubuntu2) maverick; urgency=low + + * debian/apache2.2-common.apache2.init: Add stty sane so that users will get a + password prompt when using apache-ssl. (LP: #582963) + + -- Chuck Short Wed, 25 Aug 2010 09:25:05 -0400 + +apache2 (2.2.16-1ubuntu1) maverick; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381) + + -- Chuck Short Mon, 26 Jul 2010 20:21:37 +0100 + +apache2 (2.2.16-1) unstable; urgency=medium + + * Urgency medium for security fix. 
+ * New upstream release: + - CVE-2010-1452: mod_dav, mod_cache: Fix denial of service vulnerability + due to incorrect handling of requests without a path segment. + - mod_dir: add FallbackResource directive, to enable admin to specify + an action to happen when a URL maps to no file, without resorting + to ErrorDocument or mod_rewrite + * Fix mod_ssl header line corruption because of using memcpy for overlapping + buffers. PR 45444. LP: #609290, #589611, #595116 + + -- Stefan Fritsch Sat, 24 Jul 2010 22:18:43 +0200 + +apache2 (2.2.15-6) unstable; urgency=low + + * Fix init script not correctly killing htcacheclean. Closes: #580971 + * Add a separate entry in README.Debian about the need to use apache2ctl + for starting instead of calling apache2 directly. Closes: #580445 + * Fix debug info to allow gdb loading it automatically. Closes: #581514 + * Fix install target in Makefile created by apxs2 -n. Closes: #588787 + * Fix ab sending more requests than specified by the -n parameter. + Closes: #541158 + * Add apache2 monit configuration to apache2.2-commons examples dir. + Closes: #583127 + * Build as PIE, since gdb in squeeze now supports it. + * Update the postrm script to also purge the version of /var/www/index.html + introduced in 2.2.11-7. + * Bump Standards-Version (no changes). + + -- Stefan Fritsch Fri, 16 Jul 2010 23:41:08 +0200 + +apache2 (2.2.15-5ubuntu1) maverick; urgency=low + + * Merge from debian unstable. Remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + - debian/apache2-2.common.apache2.init: Add graceful restart (LP: #456381) + + Dropped: + - debian/patches/206-fix-potential-memory-leaks.dpatch: No longer needed. + - debian/patches/206-report-max-client-mpm-worker.dpatch: No longer needed. + - debian/config-dir/apache2.conf: Merged back from debian. 
+ - mod-reqtimeout functionality: Merge back from debian. + - debian/patches/204_CVE-2010-0408.dpatch: No longer needed. + - debian/patches/205_CVE-2010-0434.dpatch: No longer needed. + - debian/patches/203_fix-ab-segfault.dpatch: No longer needed. + + -- Chuck Short Wed, 05 May 2010 01:28:04 +0100 + +apache2 (2.2.15-5) unstable; urgency=low + + * Conflict with apache package as we now include apachectl. Closes: #579065 + * Remove conflicts with old apache 2.0 modules. The conflicts are not + necessary anymore as skipping a stable release is not supported anyway. + * Silence the grep in preinst. + + -- Stefan Fritsch Sun, 25 Apr 2010 10:46:09 +0200 + +apache2 (2.2.15-4) unstable; urgency=low + + * Move definition of other_vhosts_access.log to new config file + /etc/apache2/conf.d/other-vhosts-access-log, but disable it + if it has been disabled by the admin. Closes: #576572. LP: #507616 + * Comment out the contents of mods-available/proxy.conf, as it just + is a nuisance for use of apache2 as a reverse proxy, which is much + more common than the use as forward proxy. Extend the comments + in the file. + * Change defaults or add example configs for some modules: + status.conf: + - enable ExtendedStatus by default + - enable ProxyStatus by default + - document SeeRequestTail directive + proxy_ftp.conf: + - set 'ProxyFtpDirCharset UTF-8' by default + ldap.conf: + - enable /ldap-status page, allow it from localhost by default + proxy_balancer.conf: + - add (disabled) example for /balancer-manager page + ssl.conf: + - document SSLStrictSNIVHostCheck directive + * Add symlink from apachectl to apache2ctl to be more compatible with + upstream. Apache httpd 1.3 hasn't been in Debian for some time. + * Simplify logrotate script. Closes: #576105 + * Remove empty directory /usr/lib/debug/usr/sbin in mpm packages. + Closes: #576089 + * Fix apxs2 to work with perl 5.12rc3. Closes: #577239 + * Add source/format file to make lintian happy. 
+ + -- Stefan Fritsch Tue, 20 Apr 2010 23:11:09 +0200 + +apache2 (2.2.15-3) unstable; urgency=low + + * mod_reqtimeout: backport bugfixes from upstream trunk up to r928881, + including a fix for mod_proxy CONNECT requests. + * mod_dav_fs: Use correct permissions when creating new files. LP: #540747 + + -- Stefan Fritsch Mon, 29 Mar 2010 22:16:24 +0200 + +apache2 (2.2.15-2) unstable; urgency=low + + * Make the Files ~ "^\.ht" block in apache2.conf more secure by adding + Satisfy all. Closes: #572075 + * mod_reqtimeout: Various bug fixes, including: + - Don't mess up timeouts of mod_proxy's backend connections. + Closes: #573163 + + -- Stefan Fritsch Wed, 10 Mar 2010 21:06:06 +0100 + +apache2 (2.2.15-1) unstable; urgency=low + + * New upstream version: + - CVE-2010-0408: mod_proxy_ajp: Fixes denial of service vulnerability + - CVE-2009-3555: mod_ssl: Improve the mitigation against SSL/TLS protocol + prefix injection attack. + - CVE-2010-0434: mod_headers: Fix potential information leak with threaded + MPMs. + - mod_reqtimeout: New module limiting the time waiting for receiving + a request from the client. This is a (partial) mitigation against + slowloris-type resource exhaustion attacks. The module is enabled by + default. Closes: #533661 + - mod_ssl: Add SSLInsecureRenegotiation directive to allows insecure + renegotiation with clients which do not yet support the secure + renegotiation protocol. As this requires openssl 0.9.8m, bump + build dependency accordingly. + * Fix bash completion for a2ensite if the site name contains 'conf' or + 'load'. Closes: #572232 + * Do a configcheck in the init script before doing a non-graceful restart. + Closes: #571461 + + -- Stefan Fritsch Sun, 07 Mar 2010 23:22:56 +0100 + +apache2 (2.2.14-7) unstable; urgency=low + + * Fix potential memory leaks related to the usage of apr_brigade_destroy(). + * Add hints about correct mod_dav_fs configuration to README.Debian. 
+ Closes: #257945 + * Fix error in Polish translation of 404 error page. Closes: #570228 + * Document ThreadLimit in apache2.conf's comments. + + -- Stefan Fritsch Sat, 20 Feb 2010 12:38:30 +0100 + +apache2 (2.2.14-6) unstable; urgency=low + + * Use environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR, and + APACHE_LOG_DIR in the default configuration. If you have modified + /etc/apache2/envvars, make sure that these variables are set and exported. + * Add support for multiple apache2 instances to initscript and apache2ctl. + See /usr/share/doc/apache2.2-common/README.multiple-instances for details. + Closes: #353450 + * Set default compiled-in ServerRoot to /etc/apache2 and make paths in + apache2.conf relative to ServerRoot. + * Move ab and logresolve from /usr/sbin to /usr/bin. Closes: #351450, #564061 + * Fix symlinks in apache2-dbg package. Closes: #567076 + * Fix mod_cache CacheIgnoreURLSessionIdentifiers handling. Closes: #556383 + * Add new init script action graceful-stop (LP: #456381) + * Add more languages to mime.conf. To limit this to useful entries, we only + add those for which a translation of the Debian intaller exists. LP: #217964 + * Unset $HOME in /etc/apache2/envvars. + * Change default config of mod_info and mod_status to use IP addresses + instead of hostnames. Otherwise the hostname is sometimes logged even with + 'HostnameLookup Off'. Closes: #568409 + * Add a hook to apache2.2-common's postrm script that may come in handy + when upgrading to 2.4. + * Make bug script also display php extensions. + * Bump Standards-Version (no changes). + * Remove Adam Conrad from Uploaders. Thanks for your work in the past. 
+ + -- Stefan Fritsch Sun, 07 Feb 2010 17:29:45 +0100 + +apache2 (2.2.14-5ubuntu8) lucid; urgency=low + + * debian/patches/210-backport-mod-reqtimeout-ftbfs.dpatch: Add missing mod_reqtime.so + (LP: #562370) + + -- Chuck Short Tue, 13 Apr 2010 15:09:57 -0400 + +apache2 (2.2.14-5ubuntu7) lucid; urgency=low + + * debian/patches/206-fix-potential-memory-leaks.dpatch: Fix potential memory + leaks by making sure to not destroy bucket brigades that have been created + by earlier filters. Backported from 2.2.15. + * debian/patches/206-report-max-client-mpm-worker.dpatch: Don't report server + has reached MaxClients until it has. Backported from 2.2.15 + * debian/config-dir/apache2.conf: Make the Files ~ "^\.ht" block in apache2.conf + more secure by adding Satisfy all. (Debian bug: #572075) + * debian/rules, debian/patches/209-backport-mod-reqtimeout.dpatch, + debian/config2-dir/mods-available/reqtimeout.load, + debian/config2-dir/mods-available/reqtimeout.conf debian/NEWS : Backport the + mod-reqtimeout module from 2.2.15, this will mitigate apache slowloris + bug in apache. Enable it by default. (LP: #392759) + + -- Chuck Short Mon, 05 Apr 2010 09:53:35 -0400 + +apache2 (2.2.14-5ubuntu6) lucid; urgency=low + + * debian/apache2.2-common.apache2.init: Fix thinko. 
(LP: #551681) + + -- Chuck Short Tue, 30 Mar 2010 09:41:11 -0400 + +apache2 (2.2.14-5ubuntu5) lucid; urgency=low + + * Revert 99-fix-mod-dav-permissions.dpatch + + -- Chuck Short Tue, 30 Mar 2010 07:55:46 -0400 + +apache2 (2.2.14-5ubuntu4) lucid; urgency=low + + * debian/patches/99-fix-mod-dav-permissions.dpatch: Fix permisisons when + downloading files from webdav (LP: #540747) + * debian/apache2.2-common.apache2.init: Add graceful restart (LP: #456381) + + -- Chuck Short Mon, 29 Mar 2010 13:37:39 -0400 + +apache2 (2.2.14-5ubuntu3) lucid; urgency=low + + * SECURITY UPDATE: denial of service via crafted request in mod_proxy_ajp + - debian/patches/204_CVE-2010-0408.dpatch: return the right error code + in modules/proxy/mod_proxy_ajp.c. + - CVE-2010-0408 + * SECURITY UPDATE: information disclosure via improper handling of + headers in subrequests + - debian/patches/205_CVE-2010-0434.dpatch: use a copy of r->headers_in + in server/protocol.c. + - CVE-2010-0434 + + -- Marc Deslauriers Wed, 10 Mar 2010 14:48:48 -0500 + +apache2 (2.2.14-5ubuntu2) lucid; urgency=low + + * debian/patches/203_fix-ab-segfault.dpatch: Fix segfaulting ab when using really + wacky options. (LP: #450501) + + -- Chuck Short Mon, 08 Mar 2010 14:53:17 -0500 + +apache2 (2.2.14-5ubuntu1) lucid; urgency=low + + * Merge from debian testing. Remaining changes: LP: #506862 + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + + -- Bhavani Shankar Wed, 13 Jan 2010 14:28:41 +0530 + +apache2 (2.2.14-5) unstable; urgency=low + + * Security: Further mitigation for the TLS renegotation attack + (CVE-2009-3555): Disable keep-alive if parts of the next request have + already been received when doing a renegotiation. This defends against + some request splicing attacks. + * Print a useful error message if 'apache2ctl status' fails. 
Add a comment + to /etc/apache2/envvars on how to change the options for www-browser. + Closes: #561496, #272069 + * Improve function to detect apache2 pid in init-script (closes: #562583). + * Add hint README.Debian on how to pass auth info to CGI scripts. + Closes: #483219 + * Re-introduce objcopy magic to avoid dangling symlinks to the debug info + in the mpm packages. Closes: #563278 + * Make apxs2 use a2enmod and /etc/apache2/mods-available. Closes: #470178, + LP: #500703 + * Point to README.backtrace in apache2-dbg's description. + * Use more debhelper functions to simplify debian/rules. + * Add misc-depends to various packages to make lintian happy. + * Change build-dep from libcap2-dev to libcap-dev because of package rename. + + -- Stefan Fritsch Sat, 02 Jan 2010 22:44:15 +0100 + +apache2 (2.2.14-4ubuntu1) lucid; urgency=low + + * Resynchronzie with Debian, remaining changes are: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles. + - debian/control: Add bzr tag and point it to our tree. + + -- Chuck Short Wed, 23 Dec 2009 14:44:51 -0500 + +apache2 (2.2.14-4) unstable; urgency=low + + * Disable localized error pages again by default because they break + configurations with " SetHandler ...". A workaround is + described in the comments in /etc/apache2/conf.d/localized-error-pages + (closes: #543333). + * mod_rewrite: Fix URLs in redirects with literal IPv6 hosts + (closes: #557015). + * Automatically listen on port 443 if mod_gnutls is loaded (closes: #558234). + * Add man page for split-logfile. + * Link with -lcrypt where necessary to fix a FTBFS with binutils-gold + (closes: #553946). + + -- Stefan Fritsch Sun, 13 Dec 2009 20:05:37 +0100 + +apache2 (2.2.14-3) unstable; urgency=low + + * Backport various mod_dav/mod_dav_fs fixes from upstream trunk svn. This + includes: + - Make PUT replace files atomically (closes: #525137). 
+ - Make MOVE not delete the destination if the source file disappeared in + the meantime (closes: #273476). + NOTE: The format of the DavLockDB has changed. The default DavLockDB will + be deleted on upgrade. Non-default DavLockDBs should be deleted manually. + * Fix output of "/etc/init.d/apache2 status" (closes: #555687). + * Update the comment about SNI in ports.conf (closes: #556932). + * Set redirect-carefully for Konqueror/4. + + -- Stefan Fritsch Sat, 21 Nov 2009 10:20:54 +0100 + +apache2 (2.2.14-2) unstable; urgency=medium + + * Security: + Reject any client-initiated SSL/TLS renegotiations. This is a partial fix + for the TLS renegotiation prefix injection attack (CVE-2009-3555). + Any configuration which requires renegotiation for per-directory/location + access control is still vulnerable. + * Allow RemoveType to override the types from /etc/mime.types. This allows + to use .es and .tr for Spanish and Turkish files in mod_negotiation. + Closes: #496080 + * Fix 'CacheEnable disk http://'. Closes: #442266 + * Fix missing dependency by changing killall to pkill in the init script. + LP: #460692 + * Add X-Interactive header to init script as it may ask for the ssl key + passphrase. Closes: #554824 + * Move httxt2dbm man page into apache2.2-bin, which includes httxt2dbm, too. + * Enable keepalive for MSIE 7 and newer in default-ssl site and README.Debian + + -- Stefan Fritsch Sat, 07 Nov 2009 14:37:37 +0100 + +apache2 (2.2.14-1ubuntu1) lucid; urgency=low + + * Merge from debian testing, remaining changes: + - debian/{control, rules}: Enable PIE hardening. + - debian/{control, rules, pache2.2-common.ufw.profile}: Add ufw profiles. + - debian/conrol: Add bzr tag and point it to our tree. + - Dropped debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: + Already applied upstream. 
+ + -- Chuck Short Fri, 06 Nov 2009 00:29:03 +0000 + +apache2 (2.2.14-1) unstable; urgency=low + + * New upstream version: + - new module mod_proxy_scgi + * Disable hardening option -pie again, as gdb in Debian does not support + it properly and it is broken on mips*. + + -- Stefan Fritsch Tue, 29 Sep 2009 20:55:05 +0200 + +apache2 (2.2.13-2) unstable; urgency=high + + * mod_proxy_ftp security fixes (closes: #545951): + - DoS by malicious ftp server (CVE-2009-3094) + - missing input sanitization: a user could execute arbitrary ftp commands + on the backend ftp server (CVE-2009-3095) + * Add entries to NEWS.Debian and README.Debian about Apache being stricter + about certain misconfigurations involving name based SSL virtual hosts. + Also make Apache print the location of the misconfigured VirtualHost when + it complains about a missing SSLCertificateFile statement. Closes: #541607 + * Add Build-Conflicts: autoconf2.13 (closes: #541536). + * Adjust priority of apache2-mpm-itk to extra. + * Switch apache2.2-common and the four mpm packages from architecture all to + any. This is stupid but makes apache2 binNMUable again (closes: #544509). + * Bump Standards-Version (no changes). + + -- Stefan Fritsch Wed, 16 Sep 2009 20:55:02 +0200 + +apache2 (2.2.13-1) unstable; urgency=low + + * New upstream release: + - Fixes segfault with mod_deflate and mod_php (closes: #542623). + + -- Stefan Fritsch Mon, 31 Aug 2009 20:28:56 +0200 + +apache2 (2.2.12-1ubuntu2) karmic; urgency=low + + * debian/patches/203_fix_legacy_ap_rputs_segfaults.dpatch: + - Fix potential segfaults with the use of the legacy ap_rputs() etc + interfaces, in cases where an output filter fails. This happens + frequently after CVE-2009-1891 got fixed. (LP: #409987) + + -- Marc Deslauriers Mon, 17 Aug 2009 15:38:47 -0400 + +apache2 (2.2.12-1ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control,rules}: enable PIE hardening. 
+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + - Dropped debian/patches/203_fix-ssl-timeftm-ignored.dpatch. + + -- Chuck Short Tue, 04 Aug 2009 20:04:24 +0100 + +apache2 (2.2.12-1) unstable; urgency=low + + * New upstream release: + - Adds support for TLS Server Name Indication (closes: #461917 LP: #184131). + (The Debian default configuration will be changed to use SNI in a later + version.) + - Fixes timefmt config in SSI (closes: #363964). + - mod_ssl: Adds SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN directives + to enable stricter checking of remote server certificates. + * Make mod_deflate not compress the content for HEAD requests. This is a + similar issue as CVE-2009-1891. + * Enable hardening compile options. + * Switch default LogFormat from %b (size of file sent) to %O (bytes actually + sent) (closes: #272476 LP: #255124) + * Add the default LANG=C to /etc/apache2/envvars and document it in + README.Debian (closes: #511878). + * Enable localized error pages by default if the necessary modules are + loaded. Move the config for it from apache2.conf to + /etc/apache2/conf.d/localized-error-pages (closes: #467004). Clarify the + required order of the aliases in the comment (closes: #196795). + * Change default for ServerTokens to 'OS', to not announce the exact module + versions to the world (LP: #205996) + * Make a2ensite and friends ignore the same filenames as apache does for + included config files, even if LANG is not C. + * Merge source packages apache2 and apache2-mpm-itk (current itk version is + 2.2.11-02). This removes the binNMU mess necessary for every apache2 upload + (closes: #500885, #512084). Add Steinar to Uploaders. Remove apache2-src + package, which is no longer necessary. + * Ship our own version of the magic config file (taken from file 4.17-5etch3) + which is still compatible with mod_mime_magic (closes: #483111). 
+ * Add ThreadLimit to the default config and put ThreadsPerChild and + MaxClients into the correct order so that Apache does not complain + (closes: #495656). + Also add a configuration block for the event MPM in apache2.conf. + * Fix HTTP PUT with mod_dav failing to detect an aborted connection + (closes: #451563). + * Change references to httpd.conf in apache2-doc to apache2.conf + (closes: #465393). + * Clarify the recommended permissions for SSL certificates in README.Debian + (closes: #512778). + * Document in README.Debian how to name files in conf.d to avoid conflicts + with packages (closes: #493252) + * Remove 2.0 -> 2.2 upgrade logic from maintainer scripts. + * Remove other_vhosts_access.log on package purge. + + -- Stefan Fritsch Tue, 04 Aug 2009 11:02:34 +0200 + +apache2 (2.2.11-7ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: LP: #398130 + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Bhavani Shankar Sat, 11 Jul 2009 16:34:32 +0530 + +apache2 (2.2.11-7) unstable; urgency=low + + * Security fixes: + - CVE-2009-1890: denial of service in mod_proxy + - CVE-2009-1891: denial of service in mod_deflate (closes: #534712) + * Add symlinks for the debug info to the mpm packages. + * Be slightly more informative in the default index.html without pointing + to Apache or Debian (LP: #89364) + * Remove dependency on net-tools, which is no longer necessary + (closes: #535849) + * Bump Standards-Version (no changes) + + -- Stefan Fritsch Fri, 10 Jul 2009 22:42:57 +0200 + +apache2 (2.2.11-6ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssl-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. 
+ - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Tue, 09 Jun 2009 01:01:23 +0100 + +apache2 (2.2.11-6) unstable; urgency=high + + * CVE-2009-1195: mod_include allowed to bypass IncludesNoExec for Server + Side Includes (closes: #530834). + * Fix postinst scripts (closes: #532278). + + -- Stefan Fritsch Mon, 08 Jun 2009 19:22:58 +0200 + +apache2 (2.2.11-5ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Andrew Mitchell Wed, 03 Jun 2009 14:10:54 +1200 + +apache2 (2.2.11-5) unstable; urgency=low + + * Move all binaries into a new package apache2.2-bin and make + apache2.2-common depend on it. This allows to + - run apache as user process only, e.g. with gnome-user-share. + Closes: #468690 + - run multiple instances of apache with different MPMs. This configuration + is not supported in any way, though. Closes: #517572 + * Switch to debhelper compatibility level 7 and remove some code duplication + in debian/rules. + * Override some Lintian warnings about old autotools helper files and being + not binNMUable (apache2 is not binNMUable anyway, because of the + apache2 <-> apache2-mpm-itk dependency). + + -- Stefan Fritsch Fri, 22 May 2009 19:30:20 +0200 + +apache2 (2.2.11-4) unstable; urgency=low + + [ Stefan Fritsch ] + * Disable TRACE method by default (closes: #492130). + * Compress some more mime types with mod_deflate by default. This may cause + problems with MSIE 6, but that browser should now be considered obsolete. 
+ Closes: #397526, #521209 + * Various backports from upstream svn branches/2.2.x: + - CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous + request which failed to send a request body + - Fix FollowSymlinks / SymlinksIfOwnerMatch ignored with + server-side-includes PR 45959 (closes: #524474) + - Fix mod_rewrite "B" flag breakage PR 45529 (closes: #524268) + - Fix mod_deflate etag handling PR 45023 (LP: #358314) + - Fix mod_ldap segfault if LDAP initialization failed PR 45994 + * Allow apache2-mpm-itk as alternate dependency in apache2 meta package + (closes: #527225). + * Fix some misuse of command substitution in the init script. Thanks to + Jari Aalto for the patch. (Closes: #523398) + * Extend the gnome-vfs DAV workaround to gvfs (closes: #522845). + * Add more info to check_forensic man page (closes: #528424). + * Make "apache2ctl help" point to help on apache2 args (closes: #528425). + * Lintian warnings: + - fix spelling error in apache2-utils description + - tweak debian/copyright to make lintian not complain about pointers to GPL + - bump standards-version (no changes) + + [ Peter Samuelson ] + * Adjust sections to match recent ftpmaster overrides. + + -- Stefan Fritsch Tue, 19 May 2009 22:55:27 +0200 + +apache2 (2.2.11-3ubuntu1) karmic; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + - debian/{control,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Andrew Mitchell Tue, 12 May 2009 16:15:34 +1200 + +apache2 (2.2.11-3) unstable; urgency=low + + * Rebuild against apr-util 1.3, to fix undefined symbol errors in mod_ldap + (see #521899). This also creates the dependencies on the new external + libaprutil1-dbd-* and libaprutil1-ldap packages. 
+ + -- Stefan Fritsch Tue, 31 Mar 2009 21:07:26 +0200 + +apache2 (2.2.11-2ubuntu2) jaunty; urgency=low + + * debian/patches/203_fix-ssi-timeftm-ignored.dpatch: + Fix timefmt is ignored when XBitHack is on. (LP: #258914) + + -- Chuck Short Wed, 01 Apr 2009 11:39:17 -0400 + +apache2 (2.2.11-2ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{contro,rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Sat, 17 Jan 2009 00:02:55 +0000 + +apache2 (2.2.11-2) unstable; urgency=low + + * Report an error instead instead of segfaulting when apr_pollset_create + fails (PR 46467). On Linux kernels since 2.6.27.8, the value in + /proc/sys/fs/epoll/max_user_instances needs to be larger than twice the + value of MaxClients in the Apache configuration. Closes: #511103 + + -- Stefan Fritsch Fri, 16 Jan 2009 19:01:59 +0100 + +apache2 (2.2.11-1ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Mon, 15 Dec 2008 00:06:50 +0000 + +apache2 (2.2.11-1) unstable; urgency=low + + [Thom May] + * New Upstream Version (Closes: #508186, LP: #307397) + - Contains rewritten shmcb code which should fix alignment problems on + alpha (Closes: #419720). + - Notable new features: chroot support, mod_proxy improvements. + + [Ryan Niebur] + * fix segfault in ab when being verbose on ssl sites (Closes: #495982) + * remove trailing slash for DocumentRoot (Closes: #495110) + + -- Stefan Fritsch Sun, 14 Dec 2008 09:34:24 +0100 + +apache2 (2.2.9-11ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: (LP: #303375) + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. 
+ + -- Bhavani Shankar Sat, 29 Nov 2008 14:02:31 +0530 + +apache2 (2.2.9-11) unstable; urgency=low + + * Regression fix from upstream svn for mod_proxy: + Prevent segmentation faults by correctly adjusting the lifetime of the + buckets read from the proxy backend. PR 45792 + * Fix from upstream svn for mpm_worker: + Crosscheck that idle workers are still available before using them and + thus preventing an overflow of the worker queue which causes a SegFault. + PR 45605 + * Add a comment to ports.conf to point to NEWS.Debian.gz in case of + upgrading problems. + + -- Stefan Fritsch Wed, 26 Nov 2008 23:10:22 +0100 + +apache2 (2.2.9-10ubuntu1) jaunty; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control, rules}: enable PIE hardening. + - debian/{control, rules, apache2.2-common.ufw.profile}: add ufw profiles. + + -- Chuck Short Wed, 05 Nov 2008 02:23:18 -0400 + +apache2 (2.2.9-10) unstable; urgency=low + + * Regression fix from upstream svn for mod_proxy_http: + Don't trigger a retry by the client if a failure to read the response line + was the result of a timeout. + + -- Stefan Fritsch Wed, 01 Oct 2008 11:50:18 +0200 + +apache2 (2.2.9-9) unstable; urgency=medium + + * Revert the attempted fix for #496080 because it did not work due to + upstream PR 38330. Instead, document the problem and possible workarounds + in README.Debian. + + -- Stefan Fritsch Fri, 12 Sep 2008 11:39:15 +0200 + +apache2 (2.2.9-8) unstable; urgency=low + + * Fix Spanish language support which was broken by .es being added to + /etc/mime.types for application/ecmascript. (Closes: #496080) + * Correct description of ServerTokens in /etc/apache2/conf.d/security. + (Closes: #497362) + * Clarify how to use apache2ctl to pass arbitrary arguments to + apache2. (LP: #259363) + * Add hints to README.Debian about the messages + "NameVirtualHost *:80 has no VirtualHosts" and + "File does not exist: /htdocs". 
+ + -- Stefan Fritsch Thu, 11 Sep 2008 09:17:33 +0200 + +apache2 (2.2.9-7ubuntu3) intrepid; urgency=low + + * Revert logrotate change since it will break it for everyone. + + -- Chuck Short Fri, 19 Sep 2008 09:32:01 -0400 + +apache2 (2.2.9-7ubuntu2) intrepid; urgency=low + + * debian/logrotate: Restart rather than reload for busy websites. + (LP: #270899) + + -- Chuck Short Thu, 18 Sep 2008 08:42:22 -0400 + +apache2 (2.2.9-7ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/{control,rules}: enable PIE hardening. + - debian/{control,rules,apache2.2-common.ufw.profile}: add ufw profiles. + + -- Kees Cook Thu, 28 Aug 2008 08:10:59 -0700 + +apache2 (2.2.9-7) unstable; urgency=low + + * Fix XSS in mod_proxy_ftp (CVE-2008-2939). + * Fix mod_proxy_http losing the query string with noescape (PR 45247). + * Make the balancer manager work in Opera and MSIE (PR 45578). + * Fix mod_headers "edit" removing multiple headers with the same name (PR + 45333). + * Also describe how to get a backtrace from a running process in + README.backtrace. + + -- Stefan Fritsch Fri, 08 Aug 2008 19:27:40 +0200 + +apache2 (2.2.9-6) unstable; urgency=high + + * Urgency high for RC bug fix. + * Fix SIGBUS on SPARC by preventing gcc from optimizing some memcpy calls + away. (Closes: #485525) + + -- Stefan Fritsch Sun, 20 Jul 2008 10:17:19 +0200 + +apache2 (2.2.9-5) unstable; urgency=medium + + * Urgency medium to get this into testing before the freeze. + * Remove IPv6 patch that was necessary for very old kernels but creates + problems on systems with current kernels and net.ipv6.bindv6only = 1. + Apache will now always create its sockets with IPV6_V6ONLY set to 0. + (Closes: #391280) + + -- Stefan Fritsch Mon, 07 Jul 2008 21:20:48 +0200 + +apache2 (2.2.9-4) unstable; urgency=low + + * Make postinst more quiet. (Closes: #489153) + * Add Turkish language support. (Closes: #489224) + * Remove duplicate comments in sites-available/default-ssl. 
(Closes: #489383) + * Describe in NEWS.Debian how to revert to the old NameVirtualHost config. + (Closes: #489215) + * Redirect apache2 bug reports to apache2.2-common, to get useful dependency + information. + + -- Stefan Fritsch Sun, 06 Jul 2008 10:38:37 +0200 + +apache2 (2.2.9-3ubuntu2) intrepid; urgency=low + + * add ufw integration (see + https://wiki.ubuntu.com/UbuntuFirewall#Integrating%20UFW%20with%20Packages) + (LP: #261198) + - debian/control: suggest ufw for apache2.2-common + - add apache2.2-common.ufw.profile with 3 profiles and install it to + /etc/ufw/applications.d/apache2.2-common + + -- Didier Roche Tue, 26 Aug 2008 19:03:42 +0200 + +apache2 (2.2.9-3ubuntu1) intrepid; urgency=low + + * debian/{control,rules}: enable PIE hardening + + -- Kees Cook Wed, 20 Aug 2008 15:45:00 -0700 + +apache2 (2.2.9-3) unstable; urgency=low + + [ Stefan Fritsch ] + * Move NameVirtualHost directive to ports.conf and switch from "*" to + "*:80". (Closes: #314606, #486286) + * Comment out the CacheEnable line in disk_cache.conf. It would have caused + problems with Etch to Lenny upgrades. + * Change the minimum user id for suexec back to 100, the new value of 1000 + was too disruptive for existing configurations. (Closes: #488821) + * Add a default SSL virtual host. (Closes: #267477) + - Use snakeoil certificate by default (if ssl-cert is installed). + (Closes: #293524, #446765) + - Document this in README.Debian. + (Closes: #293469, #293519, #398520, #395823) + - Add MSIE workarounds. (Closes: #421802) + - Add ssl-cert to Recommends. + * Add a new config file /etc/apache2/conf.d/security with some vaguely + security related diectives. (Closes: #260063) + * Adjust mod_userdir accordingly. Also add "AllowOverride Indexes" for the + home directories. + * Disable SSLv2 by default. It is insecure. Also only enable ciphers with + key lengths of at least 128 bit. 
+ * Make the init script complain about a missing $APACHE_PID_FILE during
+ "start", too, and not only during "stop" or "restart". This makes it more
+ obvious that /etc/apache2/envvars has to be updated. (Closes: #473982)
+ * Add hint about the "..., using 127.0.0.1 for ServerName" warning to
+ README.Debian. (Closes: #457708)
+ * Add hint about the "could not create rewrite_log_lock" error message to
+ README.Debian. (Closes: #450831)
+ * Remove empty dir from apache2-doc to fix Lintian warning.
+ * Always pass -g to gcc instead of relying on dpkg-buildpackage to set
+ CFLAGS. We always want the debug info for the apache2-dbg package.
+
+ [ Ryan Niebur ]
+ * Upgraded to policy 3.8.0
+ - added support for noopt in DEB_BUILD_OPTIONS
+ - added a README.source
+ - added support for parallel in DEB_BUILD_OPTIONS
+ * Dropped XS- from the Vcs fields in control
+
+ -- Stefan Fritsch Wed, 02 Jul 2008 10:15:57 +0200
+
+apache2 (2.2.9-2) unstable; urgency=low
+
+ * Make the init script use normal 'stop' instead of 'graceful-stop' again:
+ With graceful-stop, it can take a long time until all child processes have
+ closed their listening sockets and there is no way for the init script to
+ know when it is save to start apache again. This could make the restart of
+ apache fail. (Closes: #486629, #463338)
+ * Improve package descriptions, thanks to Justin B Rye. (Closes: #486855)
+
+ -- Stefan Fritsch Sat, 21 Jun 2008 12:22:17 +0200
+
+apache2 (2.2.9-1) unstable; urgency=low
+
+ * New upstream release. Notable changes:
+ - mod_proxy_http: Better handling of excessive interim responses from
+ origin server to prevent potential denial of service and high memory
+ usage (CVE-2008-2364).
+ - mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager
+ (CVE-2007-6420).
+ - Worker / Event MPM: Fix race condition in pool recycling that leads to
+ segmentation faults under load. (Closes: #484800)
+ - mod_proxy: Keep connections to the backend persistent in the HTTPS case.
+ - mod_proxy: Support environment variable interpolation in reverse
+ proxying directives.
+ - mod_headers: Add 'merge' option to avoid duplicate values within the
+ same header.
+ - mod_substitute: The default is now flattening the buckets after each
+ substitution. The newly added 'q' flag allows for the quicker, more
+ efficient bucket-splitting.
+ * Shorten the init script's waiting period during 'restart' from 10 to 4
+ seconds. This should still be plenty to allow the apache processes to
+ close their listening sockets. Make the wait even shorter if apache dies
+ faster. (Closes: #479136)
+ * Fix some lintian warnings:
+ - Add some missing patch descriptions.
+ - Point to /usr/share/common-licenses instead of including the license in
+ the copyright file.
+
+ -- Stefan Fritsch Sat, 14 Jun 2008 08:29:41 +0200
+
+apache2 (2.2.8-5) unstable; urgency=low
+
+ * Replace a2{en,dis}{mod,site} by a rewritten version that
+ - supports wildcards (Closes: #373969).
+ - can be influenced with environment variables (Closes: #349716).
+ - checks existing symlinks for correctness (Closes: #409970).
+ - allows to remove dead symlinks (Closes: #480893).
+ * Move suexec suid helper program to a separate package apache2-suexec,
+ which is not installed by default. Provide an alternative version of
+ suexec, which can be customized with a config file. This can be found in
+ the apache2-suexec-custom package. Closes: #312252, #266835
+ * Some more suexec fixes:
+ - Fix race condition when changing directories.
+ - Accept only /var/www/*, and not /var/www*. The same for public_html/*
+ instead of public_html* (CVE-2007-1742).
+ - Raise the minimum userid that suexec may change to from 100 to 1000.
+ * Enable mod_deflate in new installs.
+ * Include config.nice in apache2-src. This hopefully allows apache2-mpm-itk
+ to drop the build-dependency on apache2-prefork-dev.
+ * Mention environment variables in apache2 and apache2ctl man pages and point
+ to README.Debian. (Closes: #475150)
+ * Drop unneeded build-dep on libtool.
+ * Drop obsolete apache2-mpm-perchild package (closes: #477522).
+ * Don't fail in postinst if there is a dangling symlink /var/www/index.html.
+ * Fix typo in bug number in 2.2.8-3 changelog entry.
+ * Use dh_lintian in debian/rules.
+
+ -- Stefan Fritsch Sat, 31 May 2008 17:02:03 +0200
+
+apache2 (2.2.8-4) unstable; urgency=high
+
+ * Urgency high for DoS vulnerability fix.
+ * Fix memory leak in mod_ssl with zlib compression.
+
+ -- Stefan Fritsch Tue, 13 May 2008 22:31:37 +0200
+
+apache2 (2.2.8-3) unstable; urgency=low
+
+ * mod_cache: Handle If-Range correctly if the cached resource was stale
+ (closes: #470652).
+ * mod_autodindex: Use UTF-8 as character set for filenames in the default
+ configuration. Change this in autoindex.conf if you are still using
+ ISO-8859-1.
+ * Introduce APACHE_RUN_DIR and APACHE_LOCK_DIR in apache2ctl. Also, make it
+ use APACHE_RUN_USER instead of APACHE2_RUN_USER, to be consistent with
+ apache2.conf.
+ * Add 'status' function to init script (adapted from patch by Dustin
+ Kirkland).
+ * Don't build the modules three times. We are only shipping one set of them,
+ anyway. (Inspired by the Fedora package.)
+ * Remove Fabio M. Di Nitto from the uploaders field (thanks for your work).
+
+ -- Stefan Fritsch Fri, 14 Mar 2008 10:57:19 +0100
+
+apache2 (2.2.8-2) unstable; urgency=low
+
+ * Provide a fallback access log (other_vhosts_access.log) and a suitable
+ LogFormat (vhost_combined) for VirtualHosts that don't define their own
+ log file. (Closes: #313430)
+ * Fix broken symlink to README.Debian.gz and typos in the file
+ (closes: #461462).
+ * Improve generation of password salts in htpasswd (closes: #469271).
+ * Point VCS tags in debian control to trunk, to make them useful with
+ debcheckout.
+ * Add missing ${APACHE_ARGUMENTS} to *) case in apache2ctl.
+ * In upgrades from etch, replace /etc/apache2/default without asking also in
+ the NO_START=1 case, in order to not break piuparts (closes: #466367).
+ * Print file name where "Useless use of AllowOverride" occured.
+ (Closes: #410334)
+ * Make bugreport script source /etc/apache2/envvars before calling apache2.
+ * Add note about MSIE SSL workaround to README.Debian.
+ * Don't ship empty /var/www/apache2-default in apache2-doc.
+ (Closes: #469145)
+ * mod_autoindex: Use the bomb icon only for the name 'core', not for
+ '*core'. (Closes: #467480)
+ * Include module name in a2enmod error messages (closes: #461341).
+
+ -- Stefan Fritsch Sat, 08 Mar 2008 12:28:14 +0100
+
+apache2 (2.2.8-1) unstable; urgency=low
+
+ * New upstream version:
+ - Fixes cross-site scripting issues in
+ o mod_imagemap (CVE-2007-5000)
+ o mod_status (CVE-2007-6388)
+ o mod_proxy_balancer's balancer manager (CVE-2007-6421)
+ - Fixes a denial of service issue in mod_proxy_balancer's balancer manager
+ (CVE-2007-6422).
+ - Fixes mod_proxy URL encoding in error messages (closes: #337325).
+ - Adds explicit charset to the output of various modules to work around
+ possible cross-site scripting flaws affecting web browsers that do not
+ derive the response character set as required by RFC2616. For
+ mod_proxy_ftp there is now the new ProxyFtpDirCharset directive to
+ specify something else than ISO-8859-1 (CVE-2008-0005).
+ - Adds mod_substitute which performs inline response content pattern
+ matching (including regex) and substitution (like mod_line_edit).
+ - Adds "DefaultType none" option.
+ - Adds new "B" option to RewriteRule to suppress URL unescaping.
+ - Adds an "if" directive for mod_include to test whether an URL is
+ accessible, and if so, conditionally display content.
+ - Adds support for mod_ssl to the event MPM.
+ * Move the configuration of User, Group, and PidFile to
+ /etc/apache2/envvars. This makes it easier to use these settings in
+ scripts. /etc/apache2/envvars can now also be used to influence apache2ctl
+ (inspired by Marc Haber's patch). (Closes: #349709, #460105, #458085)
+ * Make apache2ctl check the configuration syntax before trying to restart
+ apache, to match the behaviour documented in the man page.
+ (Closes: #459236)
+ * Convert docs to be directly viewable with a browser (and not use content
+ negotiation).
+ * Add doc-base entry for the documentation. (closes: #311269)
+ * Don't ship default files in /var/www, but copy a sample file to
+ /var/www/index.html on new installs. Also remove the now unneeded
+ RedirectMatch line from sites-available/default.
+ (Closes: #411774, #458093)
+ * Add some information to README.Debian (Apache wiki, default virtual host)
+ * Build with LDFLAGS=-Wl,--as-needed to drop a lot of unnecessary
+ dependencies, easing library transitions (closes: #458857).
+ * Add icons for OpenDocuments, add sharutils to Build-Depends for uudecode.
+ Patch by Nicolas Valcárcel. (Closes: #436441)
+ * Add reportbug script to list enabled modules.
+ * Fix some lintian warnings:
+ - Pass --no-start to dh_installinit instead of omitting the debhelper token
+ in various maintainer scripts. Also move the update-rc.d call to
+ apache2.2-common.
+ - Add Short-Description to init script.
+ * Remove unused apache2-mpm-prefork.prerm from source package and clean up
+ debian/rules a bit.
+ * Don't ship NEWS.Debian with apache2-utils, as the contents are only
+ relevant for the server.
+
+ -- Stefan Fritsch Thu, 17 Jan 2008 20:27:56 +0100
+
+apache2 (2.2.6-3) unstable; urgency=low
+
+ * Allocate fewer bucket brigades in case of a flush bucket. This might help
+ with the memory leaks reported in #399776 and #421557.
+ * Escape the HTTP method in error messages to avoid potential cross site
+ scripting vulnerabilities (CVE-2007-6203).
+ * Update 053_bad_file_descriptor_PR42829.dpatch to avoid a race condition.
+ * Redirect /doc/apache2-doc/manual/ to /manual/ in the apache2-doc config
+ (Closes: #450867).
+ * Add icons for .ogg and .ogm (Closes: #255443).
+ * Add comment about how to log X-Forwarded-For (Closes: #425008).
+ * Make mod_proxy_balancer not depend on mod_cache.
+ * Add Homepage field to debian/control.
+ * Add/fix some lintian overrides, fix some warnings.
+ * Bump Standards-Version (no changes).
+
+ -- Stefan Fritsch Fri, 07 Dec 2007 22:38:59 +0100
+
+apache2 (2.2.6-2) unstable; urgency=low
+
+ * Avoid calling apr_pollset_poll() and accept_func() when the listening
+ sockets have already been closed on graceful stop or reload. This
+ hopefully fixes processes not being killed (closes: #445263, #447164)
+ and the "Bad file descriptor: apr_socket_accept: (client socket)"
+ error message (closes: #400918, #443310)
+ * Allow logresolve to process long lines (Closes: #331631)
+ * Remove duplicate config examples (Closes: #294662)
+ * Include README.backtrace describing how to create a backtrace
+ * Add CVE reference to 2.2.6-1 changelog entry
+
+ -- Stefan Fritsch Thu, 18 Oct 2007 19:35:40 +0200
+
+apache2 (2.2.6-1) unstable; urgency=low
+
+ * New upstream release
+ - fixes mod_proxy DoS for threaded MPMs (CVE-2007-3847)
+ - fixes spurious warning for valid wildcard certificates (Closes: #414855)
+ - adds warning that htpasswd is not setuid safe (Closes: #356285)
+ - adds Type and Charset options to IndexOptions directive,
+ allowing a workaround for buggy browsers affected by CVE-2007-4465
+ - adds new ProxyPassMatch directive
+ * Add index.htm to the default DirectoryIndex configuration
+ (Closes: #439375)
+ * Use apache2ctl in init script (Closes: #439027)
+ * make init script less noisy (Closes: #438950)
+ * improve NEWS entry (Closes: #440084)
+
+ -- Stefan Fritsch Thu, 06 Sep 2007 23:54:42 +0200
+
+apache2 (2.2.4-3) unstable; urgency=low
+
+ [ Stefan Fritsch ]
+ * enable default site on new installs again (Closes: #436341)
+ * make mod_authn_dbd depend on mod_dbd
+ * make a2dissite return 0 if a site is already disabled (Closes: #435398)
+ * make a2 scripts print errors to stderr (Closes: #435400)
+ * move TypesConfig directive from apache2.conf to mime.conf
+ (Closes: #434248)
+
+ [ Adam Conrad ]
+ * Special case apache2-dbg magic in debian/rules, so we don't do
+ this on Ubuntu, which has an archive of detached debug packages.
+
+ -- Stefan Fritsch Tue, 07 Aug 2007 20:49:28 +0200
+
+apache2 (2.2.4-2) unstable; urgency=low
+
+ * Modularize config: Move module specific configuration from apache2.conf
+ to mods-available/*conf (Closes: #338472)
+ * Remove the NO_START kludge. Now you have to use rc*.d symlinks to disable
+ apache2. (Closes: #408462, #275561)
+ * Create run and lock directores in apache2ctl to make it work on fresh
+ installations before the first call of the init script. Together with
+ the previous item, this closes: #418499
+ * Disable AddDefaultCharset again (Closes: #397886)
+ * Make ports.conf, conf.d/charset, and /etc/default/apache2 conffiles
+ managed by dpkg
+ * Listen on port 443 by default if mod_ssl is loaded (Closes: #404598)
+ * Add logic to start htcacheclean as daemon or cronjob. The configuration
+ is in /etc/default/apache2
+ * Fix security issues:
+ - CVE-2007-3304: prevent parent process to send SIGUSR1 to arbitrary
+ processes
+ - CVE-2006-5752: XSS in mod_status
+ * Add init.d dependency info from insserv overrides to /etc/init.d/apache2
+ * Replace apachectl with apache2ctl in docs (Closes: #164493)
+ * Add usage message to apache2ctl (Closes: #359008)
+ * Make -dev packages priority extra
+ * Add secure example cipher/protocol configuration to ssl.conf
+ * Update watch file (Closes: #433552)
+ * Bump dh_compat to 5
+ * Add new package apache2-dbg with debugging symbols
+ * Fix mod_cache returning 304 instead of 200 on HEAD requests
+
+ -- Stefan Fritsch Tue, 03 Jul 2007 21:23:40 +0200
+
+apache2 (2.2.4-1) unstable; urgency=medium
+
+ [ Stefan Fritsch ]
+ * Urgency medium for security fix
+ * Fix CVE-2007-1863: DoS in mod_cache
+ * New upstream version (Closes: #427050)
+ - Fixes "proxy: error reading status line from remote server"
+ (Closes: #410331)
+ * Fix CVE-2007-1862: mod_mem_cache DoS (introduced in 2.2.4)
+ * Change logrotate script to use reload instead of restart.
+ (Closes: #298689)
+ * chmod o-rx /var/log/apache2 (Closes: #291841)
+ * chmod o-x suexec (Closes: #431048)
+ * Update patch for truncated mod_cgi 500 responses from upstream SVN
+ (Closes: #412580)
+ * Don't use AddDefaultCharset for our docs (Closes: #414429)
+ * fix options syntax in sites-available/default (Closes: #419539)
+ * Move conf.d include to the end of apache2.conf (Closes: #305933)
+ * Remove log, cache, and lock files on purge (Closes: #428887)
+ * Ship /usr/lib/cgi-bin (Closes: #415698)
+ * Add note to README.Debian how to read docs (Closes: #350822)
+ * Document pid file name (Closes: #350286)
+ * Update Standards-Version (no changes needed)
+ * Fix some lintian warnings, add some overrides
+ * Start apache when doing a "restart" even if it was not running
+ (Closes: #384682)
+ * reload config in apache2-doc postinst (Closes: #289289)
+ * don't fail in prerm if apache is not running (Closes: #418536)
+ * Suggest apache2-doc and www-browser (Closes: #399056)
+ * Make init script always display a warning if NO_START=1 since
+ VERBOSE=yes is not the default anymore (Closes: #430116)
+ * Replace apache2(8) man page with a more current version
+ * Add httxt2dbm(8) man page
+ * Show -X option in help message (Closes: #391817)
+ * remove sick-hack-to-update-modules
+ * don't depend on procps on hurd (Closes: #431125)
+
+ [ Peter Samuelson ]
+ * Add shlibs:Depends to apache2.2-common.
+
+ -- Stefan Fritsch Sun, 01 Jul 2007 19:57:51 +0200
+
+apache2 (2.2.3-5) unstable; urgency=low
+
+ [ Tollef Fog Heen ]
+ * Fix up apache2-src so the .tar.gz contains an apache2 top level
+ directory.
+ * Make apache2 MPMs provide and conflict with apache2-mpm so other
+ packages can provide MPMs too.
+ * Get rid of 2.1 references from descriptions. (Closes: #400981)
+
+ [ Thom May ]
+ * Let the init script cope with multiple pid files correctly. Probably we
+ shouldn't be doing this at all, but we might as well do it properly!
+ (Closes: #396162)
+ * Add a sensible autoindex default config
+ * Add patch from upstream to ensure that mod_cgi 500 responses aren't
+ truncated (Closes: #412580)
+ * Use graceful-stop to shutdown apache to ensure we cope nicely with long
+ running or blocked children
+
+ [ Peter Samuelson ]
+ * Ship apache2 manpage in apache2.2-common. (Closes: #391813)
+ * Rearrange init script so that 'force-reload' is the same as 'reload'.
+ (Closes: #401053)
+ * Add Build-Depends: mawk. (Closes: #403682)
+ * Add a needed guard to apache2.conf.
+ (Closes: #407307)
+ * Stop shipping /var/run/apache2/ as it is created at runtime anyway.
+ * Move the /var/lock/apache2 owner fix from the apache2.2-common
+ postinst to the init script, as /var/lock may not persist across
+ reboots. (Closes: #420101)
+
+ [ Stefan Fritsch ]
+ * Add Build-Depends: libssl-dev, zlib1g-dev (Closes: #399043)
+ * Add XS-Vcs-* to debian/control
+ * Improve handling of empty $MODNAME in a2enmod (Closes: #422589)
+ * Treat apache2-mpm-itk as prefork in a2enmod (Closes: #412602)
+ * Re-add README.Debian and describe
+ - the config dir layout (closes: #419552)
+ - which files are ignored by Include
+ - when and how to change "restart" to "reload" in the logrotate script
+ * When purging, remove {mods,sites}-enabled symlinks and the config files
+ created by postinst (Closes: #397789)
+ * Fix suexec to log after a cgi error (Closes: #312385)
+ * Add watch file
+ * Add AddType for .bz2 (Closes: #416322)
+ * Make init script messages conform better to policy (Closes: #390348)
+ and exit with failure if called with unknown parameter (Closes: #412407)
+ * Fix segfault in mod_proxy_ftp when FTP server sends back no spaces
+ (Closes: #413727)
+ * Ship /etc/apache2/conf.d/apache2-doc (Closes: #418464)
+ * Tell the user when selecting cgid instead of cgi (Closes: #428058)
+ * Add a2ensite/a2dissite man pages (Closes: #322385)
+ * Comment out CacheEnable by default, to prevent filling up /var.
+ Document the problem in README.Debian and NEWS.Debian, point to
+ htcacheclean and give a warning when doing a2enmod disk_cache
+ (Closes: #423653).
+ * Add myself to Uploaders.
+
+ -- Stefan Fritsch Sun, 10 Jun 2007 18:54:29 +0200
+
+apache2 (2.2.3-4) unstable; urgency=high
+
+ * High-urgency upload for RC bugfixes.
+ * Ack NMUs - thanks Andi, Steve.
+ * Add myself to Uploaders.
+ * Refactor apache2.2-common.postinst slightly, to account for sarge
+ upgrades (since it's a new package name, rather than an upgrade).
+ (Closes: #396782, #415775)
+ * If mod_proxy was configured in sarge, add proxy_http and
+ disk_cache modules, which used to be included in the mod_proxy config.
+ (Closes: #407171)
+
+ -- Peter Samuelson Tue, 27 Mar 2007 07:06:49 -0500
+
+apache2 (2.2.3-3.3) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * High-urgency upload for RC bugfix.
+ * apache2.2-common should depend on procps, since it will fail to create
+ httpd.conf if it's not installed. Closes: #398535.
+
+ -- Steve Langasek Mon, 5 Feb 2007 01:55:57 -0800
+
+apache2 (2.2.3-3.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * 043_ajp_connection_reuse: Patch from upstream Bugzilla, fixing a critical
+ issue with regard to connection reuse in mod_proxy_ajp.
+ Closes: #396265
+
+ -- Andreas Barth Sat, 9 Dec 2006 21:05:45 +0000
+
+apache2 (2.2.3-3.1) unstable; urgency=low
+
+ * Non-maintainer upload.
+ * Enable authz_user by default, fix silent authentication breakage.
+ Closes: #397310
+ * Add default modules if coming from earlier than this version.
+ Closes: #392349, #392352, #392701, #393913, #396678, #395976
+ * Re-Enable modules cern_meta, dumpio and ext_filter. Closes: #391393
+
+ -- Andreas Barth Fri, 10 Nov 2006 15:44:33 +0100
+
+apache2 (2.2.3-3) unstable; urgency=medium
+
+ [ Peter Samuelson ]
+ * a2dismod: exit 0 if a module exists but is already disabled.
+ * Ship a2enmod.8 and a2dismod.8 again, and expand them a bit.
+ (Closes: #270551)
+
+ [ Tollef Fog Heen ]
+ * Build apache2-src package.
+ * Do not AddDefaultCharset if we are proxying. Closes: #277526
+ * Do not forcefully link against libdb4.3 and other libs.
+ * Enable the same list of modules as we had in 2.0 (by default) and do
+ that for all older versions than 2.2.3-3 to fix upgrade issues people
+ have had. Closes: #392349
+ * Set default IndexWidth to *.
+ * Clean up CPPFLAGS and CFLAGS, including making all of CFLAGS a
+ superset of CPPFLAGS. Also make sure to include -I switches with
+ absolute paths so the apache headers are useful.
+ * Warn when not starting HTTPD due to missing apache binary.
+ Closes: #384128
+ * Provide sample disk and memory cache configurations. Closes: #278564
+ * Provide dir.conf. Closes: #392356
+ * Add alternate dependency from apache to apache2-mpm-event
+ * On reload, make the init script exit 1 with an error message if the
+ configuration is broken. Closes: #316858
+ * Add default deflate.conf compressing text/html, text/plain and
+ text/xml. Closes: #349016
+ * Add { and } around the usage format in the init script to make the
+ init script bash completion happier. Closes: #350606
+
+ [ Adam Conrad ]
+ * Update our php4 and php5 conflicts, to reflect the reality that each
+ were uploaded and built again while apache2.2 was in the new queue.
+ Closes: #392189
+ * Migrate kill symlinks from K91 to K09 (closes: #376503)
+ * Make apache2 depend on the current version of the MPMs, as it used
+ to in the 2.0.x series (and make it binNMU-safe) (closes: #394658)
+ * Make sure that the RedirectMatch in sites-available/default continues
+ to be commented out for Ubuntu, while having it uncommented for Debian.
+
+ [ Thom May ]
+ * Fix permissions on suexec (Closes: #391918)
+ * This is Debian, not Ubuntu (Closes: #393277)
+
+ -- Adam Conrad Sat, 7 Oct 2006 17:57:04 +1000
+
+apache2 (2.2.3-2) unstable; urgency=low
+
+ * Make sure to ship /var/log/apache2 in the apache2.2-common package.
+ Closes: #390786
+ * Install suexec.8 as suexec2.8. Closes: #390774
+ * Make sure that we never ship .svn directories in any binary packages.
+ Closes: #390785
+ * Not only chmod -x /usr/sbin/apache2 in apache2.2-common.preinst, chmod
+ +x it in same's postinst too. Closes: #390794
+ * We now ship htcacheclean in apache2-utils. Closes: #376680
+ * Try to stop old apaches in preinst of the mpms. Closes: #390893
+ * Make apache2-mpm-{worker,prefork} conflict with apache2-mpm-event and
+ apache2-common.
+ * rm -f /var/lib/dpkg/info/apache2-common.postrm. So apache2-common can
+ be purged. Yes, we're on crack. Closes: #390823
+ * Make apache2-utils's Replaces on apache2-common be unversioned.
+ Closes: #391018
+ * Stop shipping cern_meta.load, dumpio.load and ext_filter.load. Thanks
+ to Stephane Chazelas for noticing. Closes: #391393
+
+ -- Tollef Fog Heen Tue, 3 Oct 2006 10:03:48 +0200
+
+apache2 (2.2.3-1) unstable; urgency=low
+
+ * Remove mention of AddDefaultCharset from apache2.conf as this is now
+ in /etc/apache2/conf.d/charset.
+ * Rename apache2-common to apache2.2-common. Conflict and replace old
+ version. This is to force modules to be uninstalled until versions
+ compiled against 2.2 are provided.
+ * Remove Daniel Stone from list of uploaders.
+ * We no longer ship 035_HEAD_Content-Length_Fix_From_CVS. Closes: #298143
+ * Don't start the server on reload. Closes: #316321
+ * Install S91/K09 links, not S91/K91, also only support not starting
+ through defaults file to cover upgrades from old
+ installations. Closes: #359977, #349655
+ * Big cleanup by using dh_install properly rather than loads of hacks in
+ debian/rules.
+ * No longer ship compat symlinks for ab, etc. Those are installed as
+ ab, htpasswd and similar.
+ * Remove apache2-mpm-{event,worker}-{prerm,preinst,postinst} in clean,
+ as those are copies of other files.
+ * Add build-depends for libapr1-dev (>= 1.2.7-6) to make sure we get a
+ version which ships a useful apr-config --apr-libtool.
+ * chmod -x /usr/sbin/apache2 on upgrades from before 2.2 to avoid
+ problems stopping apache due to some dpkg bug.
+ * Add Conflicts for broken modules which didn't depend on
+ apache2-common.
+
+ -- Tollef Fog Heen Thu, 17 Aug 2006 14:02:58 +0200
+
+apache2 (2.2.3-1~exp.r170) experimental; urgency=low
+
+ [ Jeroen van Wolffelaar ]
+ * Staging upload to experimental of subversion revision r170
+
+ [ Thom May, Tollef Fog Heen, Fabio M. Di Nitto and Adam Conrad ]
+ * New Upstream Release. Closes: #344072
+ http://httpd.apache.org/docs/2.2/new_features_2_2.html has a list of
+ new features and changes.
+ - Fixes LFS support. Closes: #341460, #285337, #241223
+ - Fixes off-by-one error in mod_rewrite ldap schema handling
+ (CVE-2006-3747)
+ - Fixes XSS issue in mod_imap/mod_imagemap (CVE-2005-3352).
+ Closes: #343467.
+ - mpm_perchild no longer exists, so closing bugs for perchild.
+ Closes: #236193, #238586
+ - Fixes PHP POST with SSLVerifyClient. Closes: 353443
+ * Build-depend on lsb-release and pick up the branding from there.
+ * Build-depend on apr-util 1.0 which is now in a separate source
+ package.
+ * Mangle the Debian layout to be more FHS compatible
+ * No longer build-conflict with libgdbm-dev
+ * Use external PCRE
+ * Make apache2-utils stop providing apache2-utils. Also make it stop
+ conflicting with itself.
+ * Rename default site from default-site to just default.
+ * Try to migrate modules which used to be built-in:, alias, mime,
+ authz_host, autoindex, dir, env, negotiation, setenvif, status.
+ * Mod imap has been renamed to imagemap, ditto for auth_ldap =>
+ authnz_ldap. Cope with that in postinst.
+ * Stop globbing in apache2.conf.
+ Closes: #337817, #340955, #348189, #379015, #368497
+ * Don't install CHANGES into the apache2 package. It's just a
+ metapackage.
+ * Add rudimentary rdeps handling to a2dismod. Closes: #273929
+ * Stop providing apache-utils.
+ * Cope with /var/run and /var/lock on tmpfs.
+ * Remove all subdirs in srclib as we are using external libraries for
+ those anyway. Also remove test/zb.c. Closes: 340538
+ * Make ssl.conf not block on /dev/random, but rather use /dev/urandom.
+ * Make apache2-common depend on lsb-base, thanks to Gleb Arshinov
+
+ -- Jeroen van Wolffelaar Tue, 15 Aug 2006 16:17:33 +0200
+
+apache2 (2.0.55-4.1) unstable; urgency=high
+
+ * Non-maintainer upload. Urgency set to high due to security fixes.
+ * Added '052_mod_rewrite_CVE-2006-3747' to fix the off-by-one bug in
+ mod_rewrite.
+ [CVE-2006-3747]. (Closes: #380182)
+ * Added '053_restore_prefix_fix' to allow rebuilding from source.
+ (Closes: #374160)
+ * Added '054_apr_sendfile' to allow building for Hurd.
+ (Closes: #349416)
+ * Added '055_expect_CVE-2006-3918' to fix XSS attack in Expect headers.
+ [CVE-2006-3918]. (Closes: #381376)
+ * Added bash-completion script from Guillaume Rousse.
+ (Closes: #299855)
+
+ -- Steve Kemp Sat, 5 Aug 2006 21:35:53 +0000
+
+apache2 (2.2.0-1) UNRELEASED; urgency=low
+
+ * New upstream release.
+
+ -- Fabio M. Di Nitto Thu, 26 Jan 2006 13:46:08 +0100
+
+apache2 (2.0.55-4) unstable; urgency=low
+
+ * Add 050_mod_imap_CVE-2005-3352 to escape untrusted referer headers in
+ mod_imap before outputting HTML to avoid XSS attacks; see CVE-2005-3352
+ * Add 051_mod_ssl_CVE-2005-3357 to avoid a remote denial of service in
+ threaded MPMs when making a non-SSL connection to an SSL-enabled port
+ on a server with a custom 400 error document defined; see CVE-2005-3357
+ * Clean up our use of trailing slashes on directories in debian/rules, so
+ the newer, pickier, obviously very improved coreutils doesn't bite us.
+ * Remove some cruft from apache2-common's postinst, dealing with upgrade
+ scenarios from versions older than those released in Sarge or Warty.
+ * Use "SHELL := sh -e" in debian/rules, so the build will stop on shell
+ errors, instead of blundering on to later make targets (closes: #340761)
+ * Recreate /var/run/apache2 and /var/lock/apache2 in our init script, in
+ case the user has /var/run and /var/lock on tmpfs, which is fasionable.
+ * Make our init script a /bin/bash script instead of a /bin/sh script, so
+ we can abuse it with regex globbing (#348189, #347962, #340955, #342008)
+ * Take patch from Adrian Bridgett to output errors from our config test
+ in the init script, but only do so when we're VERBOSE (closes: #339323)
+ * In the spirit of the LSB, make our init script exit 2 when called with
+ incorrect arguments, and exit 4 when asked for status (closes: #330275)
+ * Fix the default site to not mix configuration syntax (closes: #345922)
+ * Mention apxs2 in the apache2-*-dev long descriptions (closes: #307921)
+
+ -- Adam Conrad Sat, 26 Nov 2005 19:06:32 +1100
+
+apache2 (2.0.55-3) unstable; urgency=low
+
+ * Brown paper bag release: Tidy up CFLAGS and APR configure call to make
+ sure that what we link to agrees with what apu-config tells others to do.
+
+ -- Adam Conrad Mon, 24 Oct 2005 13:02:52 +1000
+
+apache2 (2.0.55-2) unstable; urgency=low
+
+ * Mess with 010_more_fhs_compliancy to nail down the compiled default for
+ cgisock to match with the default shipped in the config file, so people
+ don't get confused if they miss including cgid.conf (closes: #316477)
+ * Make the compiled-in PidFile match the config file for similar reasons.
+ * Add 049_apr_tables_HEAD_cleanup, resolving an issue where merging two
+ tables from different resource pools would leave you with the contents
+ of only one, rather than both. This patch also cleans up some broken
+ pointer arithmetic and type casting along the way (closes: #251800)
+ * Specify the DocumentRoot without a trailing slash (closes: #311317)
+ * Fix the manpage to point at proper locations (closes: #307665, #332619)
+
+ -- Adam Conrad Sun, 23 Oct 2005 13:24:39 +1000
+
+apache2 (2.0.55-1) unstable; urgency=low
+
+ * New upstream bugfix and security release, superseding these patches:
+ - Drop 041_util_ldap_fix.patch, util_ldap seems to be unbroken.
+ - Drop 043_ssl_off_by_one_CAN-2005-1268, fixed upstream.
+ - Drop 044_content_length_CAN-2005-2088, fixed upstream.
+ - Drop 045_byterange_CAN-2005-2728, fixed upstream.
+ - Drop 046_verify_client_CAN-2005-2700, fixed upstream.
+ - Resolves a serious memory leak in the worker MPM; see CVE-2005-2970
+ - Add 048_reverse_proxy_fix, to resolve a regression in 2.0.55 with
+ mod_proxy, mod_ssl and HTTP POST requests (upstream bug #37145)
+ * New release builds cleanly with OpenSSL 0.9.8 (closes: #332791, #333363)
+ * Fix up our built-in version of DBS to use find's -{max,min}depth
+ arguments in a way that doesn't make find whine like a spoiled child.
+ * Merge Ubuntu and Debian packaging, bringing in patch 047 (closes: #327269)
+ - Comment out the / -> /apache2-default/ redirect, as user feedback seems
+ to indicate that it's just too bloody confusing for most people.
+ - New installations (only) now get an AddDefaultCharset UTF-8 directive.
+ * Build-depend on lsb-release, and use it in debian/rules to determine which
+ distribution we're building on, dropping the 007_debian_advertising patch.
+ * Drop debconf dependency entirely; we don't even use it (closes: #331741)
+ * Finally support DEB_BUILD_OPTIONS="noopt debug" properly in debian/rules.
+ * Adjust mime_magic.conf to point at the new FHS location of magic.mime.
+ * Drop the apache2-mpm-threadpool transitional package; Sarge is released.
+ * Try a bit harder to find the *CORRECT* PidFile directive in the init
+ script, instead of the old "rgrep and pray" method (closes: #303076)
+ * Make init script to always use apache2ctl consistently (closes: #316303)
+ * Build (and have -dev packages depend on) libdb4.3 instead of libdb4.2.
+
+ -- Adam Conrad Mon, 17 Oct 2005 13:00:13 +1000
+
+apache2 (2.0.54-5ubuntu2) breezy; urgency=low
+
+ * Add 047_ssl_reneg_with_body, which adds a (bounded) buffer of request
+ body data to provide a limited but safe fix for the mod_ssl renegotiation
+ vs requests-with-bodies bug, as occurs with POST and SVN (Ubuntu #14991)
+
+ -- Adam Conrad Tue, 4 Oct 2005 11:53:01 +1000
+
+apache2 (2.0.54-5ubuntu1) breezy; urgency=low
+
+ * Resynchronise with Debian, bringing in several security patches.
+
+ -- Adam Conrad Mon, 5 Sep 2005 20:40:31 +1000
+
+apache2 (2.0.54-5) stable-security; urgency=high
+
+ * Add 043_ssl_off_by_one_CAN-2005-1268, fixing an off-by-one error in SSL
+ certificate validation; see CAN-2005-1268 (closes: #320048, #320063)
+ * Add 044_content_length_CAN-2005-2088, resolving an issue in mod_proxy
+ where, when a response contains both Transfer-Encoding and Content-Length
+ headers, the connection can be used for HTTP request smuggling and HTTP
+ request spoofing attacks; see CAN-2005-2088 (closes: #316173)
+ * Add 045_byterange_CAN-2005-2728, to resolve a denial of service in apache
+ when large byte ranges are requested; see CAN-2005-2728 (closes: #326435)
+ * Add 046_verify_client_CAN-2005-2700, resolving an issue where the context
+ of the SSLVerifyClient directive is not honoured within a
+ nested in a , and is left unenforced; see CAN-2005-2700
+
+ -- Adam Conrad Fri, 2 Sep 2005 22:26:28 +1000
+
+apache2 (2.0.54-4) unstable; urgency=low
+
+ * Alter 041_util_ldap_fix.patch to revert util_ldap.c to the known
+ good version from 2.0.53 (closes: #308648, and re-fixes #307567)
+
+ -- Adam Conrad Wed, 11 May 2005 20:15:38 -0600
+
+apache2 (2.0.54-3) unstable; urgency=medium
+
+ * Add 042_htdigest_CAN-2005-1344 to fix a buffer overflow in
+ htdigest, which is described in CAN-2005-1344 (closes: #307134)
+ * Add 041_util_ldap_fix.patch from upstream bug #34618 to fix
+ issues with mod_auth_ldap sometimes segfaulting and sometimes
+ locking up and spinning the CPU to oblivion (closes: #307567)
+ * Alter 011_fix_ap-config to make apr-config point us at the system
+ libtool, and make libapr0-dev depend on libtool (closes: #306481)
+ * Alter 008_make_include_safe to prevent apache2 from including dpkg
+ conffile leftovers (.dpkg-old et al) (closes: #304786, #296728)
+
+ -- Adam Conrad Thu, 5 May 2005 03:45:24 -0600
+
+apache2 (2.0.54-2) unstable; urgency=low
+
+ * Set suexec2's ownership properly, so it's actually executable by
+ apache2 with the newly-restrictive permissions (closes: #305242)
+
+ -- Adam Conrad Mon, 18 Apr 2005 22:09:42 -0600
+
+apache2 (2.0.54-1) unstable; urgency=low
+
+ * New upstream bugfix-only release (closes: #305121)
+ * Fix debian/watch file to only look at apache 2.0.x, so we stop being
+ told about the 2.1 beta releases (and I'll notice new 2.0.x releases)
+ * Drop o+rx permissions from suexec2; while it has code in place to
+ make sure the caller is www-data, if that code should be buggy,
+ filesystem permissions will help mitigate fallout (closes: #301045)
+ * Update the 003_build_with_autoconf_2.5 patch to make sure both
+ apr and apr-util have an AC_PREREQ for autoconf 2.50, so we don't get
+ weird autoconf mix-and-match FTBFS issues (closes: #301819)
+
+ -- Adam Conrad Sun, 17 Apr 2005 23:10:18 -0600
+
+apache2 (2.0.53-5ubuntu5) hoary; urgency=low
+
+ * Fix the init script to not exit with an error when asked to
+ stop a daemon that isn't running (Was the root cause of #8374)
+
+ -- Adam Conrad Fri, 1 Apr 2005 16:30:56 +0000
+
+apache2 (2.0.53-5ubuntu4) hoary; urgency=low
+
+ * Make sure package removals don't fail even if the init script
+ doesn't stop apache2 (Ubuntu #8374)
+
+ -- Adam Conrad Fri, 1 Apr 2005 15:07:20 +0000
+
+apache2 (2.0.53-5ubuntu3) hoary; urgency=low
+
+ * Add dependency on lsb-base (>= 1.3-9ubuntu2) to guarantee
+ availability of lsb init functions (Ubuntu #7765)
+
+ -- Adam Conrad Sun, 27 Mar 2005 21:55:41 -0700
+
+apache2 (2.0.53-5ubuntu2) hoary; urgency=low
+
+ * Really remove /etc/apache2/conf.d/charset on purge, rather
+ than just writing about it in the changelog.
+
+ -- Adam Conrad Sun, 27 Mar 2005 08:32:39 -0700
+
+apache2 (2.0.53-5ubuntu1) hoary; urgency=low
+
+ * Resynchronise with Debian, resolving minor conflicts.
+ * Remove /etc/apache2/conf.d/charset on purge.
+
+ -- Adam Conrad Sun, 27 Mar 2005 15:15:44 +0000
+
+apache2 (2.0.53-5) unstable; urgency=high
+
+ * Update 040_link_external_pcre to require autoconf 2.50, so it
+ doesn't fail when autoconf2.13 is installed (closes: #295428)
+ * Further mangle the apache_stop function in the init script so it
+ attempts as hard as possible to make sure apache2 is stopped before
+ it tries to restart. Thanks to Andre Tomt for
+ the bug and patch this fix was based on (closes: #295915, #281557)
+
+ -- Adam Conrad Fri, 25 Feb 2005 00:51:13 -0700
+
+apache2 (2.0.53-4) unstable; urgency=low
+
+ * Add 040_link_external_pcre to allow us to link to an external libpcre
+ rather than statically compiling the bundled version.
+ * Add --with-external-pcre to the configure flags in debian/rules
+ (closes: #294673, #294675, #282606, #294740)
+ * Stop hardcoding the path to netstat in postinst (closes: #294737)
+
+ -- Adam Conrad Mon, 14 Feb 2005 01:45:08 +0000
+
+apache2 (2.0.53-3) unstable; urgency=medium
+
+ * Drop Andres Salomon's PCRE manglig patch in favour of hand-merging
+ Joe Orton's patch against head to completely internalise apache's
+ copy of PCRE, only exposing a wrapper API. (closes: #294395)
+
+ -- Adam Conrad Wed, 9 Feb 2005 11:30:21 -0700
+
+apache2 (2.0.53-2) unstable; urgency=low
+
+ * Make apache2-threaded-dev and apache2-prefork-dev both arch:any
+ as they contain architecture-dependant defines (closes: #294257)
+
+ -- Adam Conrad Wed, 9 Feb 2005 04:20:07 -0700
+
+apache2 (2.0.53-1) unstable; urgency=low
+
+ * New upstream release
+ - Remove 036_HEAD_CAN-2004-0942, integrated upstream
+ - Remove 037_HEAD_CAN-2004-0885, integrated upstream
+ * Drop support for the threadpool MPM, as it's abandoned upstream.
+ - Make apache2-mpm-threadpool an empty package depending on
+ apache2-mpm-worker, and make worker replace the old threadpool
+ * Make SYSCONFDIR configurable at the top of a2{en,dis}{mod,site}
+ * Drop the build-conflict on gawk, and use ac_cv_prog_AWK=mawk
+ instead (closes: #283396)
+ * Make the apache_stop() function stop trying to do the equivalent
+ of "killall apache2", and instead issue a nasty warning if it can't
+ stop apache2 on its own
+ * Make "restart" an alias for "force-reload" in the init script, as
+ apache2ctl restart doesn't match policy's requirements for restart
+ * Swapping between threaded and unthreaded MPMs could leave one with
+ both mod_cgi and mod_cgid enabled. Fixed the postinsts so that
+ no longer happens
+ * Update 021-pcre_mangle_symbols.patch from Andres Salomon, now also
+ mangling typedefs, which should fix PHP (closes: #280823)
+ * Hardcode a dependency on libgcc1 (>= 1:3.3.5) so pthread_cancel
+ will work correctly with partial upgrades (closes: #287033)
+ * When removing ssl_scache, make sure to remove its db transation logs
+ and other garbage as well (closes: #293831)
+ * Remove duplicate /icons/ from the default site (closes: #291856)
+ * Yank 039_fix_forensic_tmpfiles from Ubuntu's apache2 packages
+ * Split out utils into seperate apache2-utils. This will also
+ supercede the apache-utils package (closes: #285219)
+ * Add split-logfile to apache2-utils (closes: #290814)
+ * Make the MPM postinsts scream loudly, but not fail, if you've
+ deleted cgi{,d}.load before swapping MPMs (closes: #283141)
+
+ -- Adam Conrad Mon, 7 Feb 2005 07:54:12 -0700
+
+apache2 (2.0.52-3) unstable; urgency=high
+
+ * Brown paper bag release to fix apache2-common's postinst, by judiciously
+ sprinkling ||true in a couple of needed places (closes: #280527)
+ * While hunting for unclean uses of VAR=`command` in the package, found
+ the cause of the "can't purge with broken config" bugs and fixed that
+ too with yet another ||true (closes: #263511, #273759, #279875)
+
+ -- Adam Conrad Wed, 10 Nov 2004 01:32:16 -0700
+
+apache2 (2.0.52-2) unstable; urgency=high
+
+ * Include two patches, 036_HEAD_CAN-2004-0942 and 037_HEAD_CAN-2004-0885
+ - CAN-2004-0942: Memory leak in header parsing in server/protocol.c
+ - CAN-2004-0885: Incorrect SSLCipherSuite selection in mod_ssl
+ * Fix up our use of netstat in apache2-common's postinst to clean up some
+ unnecessary output to stderr, as well as detect when netstat believes
+ we don't have AF_INET support. This should allow for installation in
+ chroots where the /proc filesystem isn't mounted (closes: #245487)
+ * Add 035_HEAD_Content-Length_Fix_From_CVS, which should solve problems
+ with Content-Length being set incorrectly on proxied HEAD requests,
+ breaking Windows Update from proxied machines (closes: #277787)
+ * Take out the reload/start magic in the postinst, and just call start in
+ all cases, as we stop the daemon in the prerm (closes: #275175, #222786)
+ * Copy config.guess/config.sub/ltmain.sh in from /usr/share/libtool at
+ build time. (closes: #257228, #263101)
+ * Clean up the clean target in debian/rules to remove some duplicate
+ maintainer scripts from the debian/ directory that we don't need to be
+ shipping in the source package.
+ * Move envvars to /etc/apache2/ and add patch 038_no_LD_LIBRARY_PATH to
+ remove the extraneous LD_LIBRARY_PATH from envvars (closes: #276670)
+
+ -- Adam Conrad Sun, 7 Nov 2004 04:09:46 -0700
+
+apache2 (2.0.52-1) unstable; urgency=high
+
+ * New upstream bugfix/security release:
+ - Fixes CAN-2004-0811: Satisfy directive bypass (closes: #273412)
+ * Add '|| true' to a2enmod to stop it from dying when the installed MPM
+ isn't prefork (closes: #273017, #273019, #272865, #273021, #273258)
+ * Touch /var/log/apache2/error.log on new installs to ensure that our log
+ directory isn't removed until the package is purged, so logrotate doesn't
+ complain about its inability to find it (closes: #239571)
+ * Add 032_suexec_is_shared, which makes sure suEXEC is only searched for
+ and enabled when mod_suexec is loaded (closes: #227653)
+ * Use '$APACHE2CTL startssl' consistently in init script to make sure the
+ SSL define doesn't disappear on force-reload (closes: #272531)
+ * Add 033_dbm_read_hash_or_btree to allow apr-util and dbmmanage to open
+ and manipulate DB_BTREE databases, while still defaulting to creating
+ DB_HASH databases as before. This should clear up incompatibilities
+ with other applications (such as PHP) which default to DB_BTREE.
+ * Moved dbmmanage2 to /usr/bin, instead of /usr/sbin, as it's a user tool.
+ * Added 034_ab2_has_openssl, thanks to 2.1-cvs, Fedora, thom, and a bit
+ of munging, to compile a working ab2 with SSL support (closes: #261820)
+
+ -- Adam Conrad Tue, 28 Sep 2004 10:21:20 -0600
+
+apache2 (2.0.51-2) unstable; urgency=high
+
+ * Test for the existence of /usr/sbin/apache2 before we go trying to invoke
+ it to determine what MPM we have installed (closes: #272103, #272207)
+ * Make the default httpd.conf created in apache2-common's postinst contain
+ a fake LoadModule line (commented out), and make apxs2 default to
+ installing modules to /etc/apache2/httpd.conf, so people using apxs2
+ rather than the mods-{enabled,available} directories get the expected
+ behaviour, rather than obscure errors (closes: #167552, #231134)
+ * apxs2 now writes the correct path to modules in httpd.conf, including
+ the mysteriously missing slash (closes: #231450, #167557)
+ * Make apxs2 install modules with mode 644, since 755 makes no sense.
+ * Added a bit of magic to a2{en,dis}site to treat the default site as a
+ special case and add a "000-" priority to the beginning of its symlink.
+ Patches welcome to turn this into something robust, like update-rc.d.
+
+ -- Adam Conrad Sat, 18 Sep 2004 07:12:12 -0600
+
+apache2 (2.0.51-1) unstable; urgency=high
+
+ * New upstream release, including the following security fixes:
+ - CAN-2004-0747: ap_resolve_env buffer overflow
+ - CAN-2004-0786: apr_uri_parse segfault in memcpy
+ - CAN-2004-0809: mod_dav crash/DoS via NULL pointer dereference
+ * Drop the following patches which are now included upstream:
+ - 025_CAN-2004-0748.patch
+ - 026_CAN-2004-0751.patch
+ - 027_autoindex_ignore_bad_files.patch
+ - 028_apr_sticky_bits.patch
+ * Install a properly sanitised config_vars.mk so that apxs2 behaves in
+ a reasonably sane way (closes: #243340, #270768)
+ * Relax www-browser dependency to a Suggests, as the mod_status dump from
+ apache2ctl is a pretty minor (and oft unused) feature (closes: #269309)
+ * init script now allows you to stop (but not start, restart, etc) the web
+ server, even if NO_START is set to 1 (closes: #269398)
+ * Make the apache2 -> apache2-mpm-* dependency tighter, so it does what
+ one expects when installing it (closes: #269580)
+ * Remove the ^/doc/apache2-doc/manual(.*)$ /manual$1 RedirectMatch from
+ the default site which was confusing and useless (closes: #270216)
+ * Add debian/watch file to track upstream versions.
+ * Add some magic to a2enmod to map cgi to cgid if using a threaded MPM.
+ * Add a2ensite and a2dissite which do the same thing as a2{en,dis}mod,
+ but for sites rather than modules (closes: #269251)
+
+ -- Adam Conrad Wed, 15 Sep 2004 00:09:39 -0600
+
+apache2 (2.0.50-12) unstable; urgency=high
+
+ * Build-depend on mawk, and build-conflict with gawk, as we're only
+ guaranteed of having one or the other installed at any given time
+ and GNU awk seems to royally mess up the build with regards to which
+ external symbols get exported by httpd (closes: #268155)
+ * Add myself to the Uploaders field as it seems that, for better or
+ worse, I have become a co-maintainer of apache2.
+ * Drop the :80 from the default site config, so changing ports in
+ ports.conf now Just Works (closes: #253271)
+ * Added 029_docroot_manual.patch, which corrects the links in the start
+ page to point to /manual/ instead of manual/, so the link actually
+ works when apache2-doc is installed (closes: #232954)
+ * Add a postrm to apache2-common, implementing a policy-compliant purge
+ process (closes: #237030, #252254, #197986)
+ * Add a simple RedirectMatch to the "default" site, so that fresh
+ installations see the default start page, rather than a directory
+ listing (closes: #240772, #255974, #264070)
+ * Add 030_www-browser_apachectl.patch, and make apache2-common depend
+ on www-browser, so 'apache2ctl status' works (closes: #266724)
+ * Move apache2's (re)start from the apache2-common postinst to the MPM
+ postinsts, so we're not trying to start the old binary if apache2-common
+ is configured before apache2-mpm-* is unpacked (closes: #268936)
+ * Enable CGI on initial installation, as packages depending on httpd-cgi
+ require it to be running to work (closes: #267547, #263038)
+ * Only enable userdir on upgrades from older versions where it was
+ built-in, or on fresh installs.
+
+ -- Adam Conrad Mon, 30 Aug 2004 17:40:47 -0600
+
+apache2 (2.0.50-11) unstable; urgency=high
+
+ * Add two patches from upstream to address two vulnerabilities in mod_ssl:
+ - CAN-2004-0748 is a potential infinite loop in the SSL input filter
+ which can be triggered by an aborted connection.
+ - CAN-2004-0751 is a potential segfault in the SSL input filter which
+ can be triggered by the response to request which is proxied to a
+ remote SSL server.
+ * Changed the ownership of /var/cache/apache2 to allow mod_proxy to
+ actually cache files (closes: #264622)
+ * Added a patch from upstream to make mod_autoindex skip over files that
+ it can't stat() (closes: #264645)
+ * New installations now get an /etc/default/apache2 file with a moderately
+ informative comment, and the default set sanely (closes: #263515)
+ * Added a patch from upstream to make APR stop creating directories with
+ the sticky bit set (closes: #266198)
+ * Remove the bogus "-e" from the echo that creates httpd.conf, so people
+ installing with ash/dash don't get a broken file (closes: #267693)
+
+ -- Adam Conrad Mon, 23 Aug 2004 19:25:50 -0600
+
+apache2 (2.0.50-10) unstable; urgency=high
+
+ * Roll back the libapr0 ABI changes introduced in 2.0.50-9. We were
+ hopeful that we could hunt down and fix any fallout from this change
+ before release, and we were, apparently, wrong.
+ (closes: #266211, #266145, #266165, #266330, #266230, #266279, #266736)
+
+ -- Adam Conrad Thu, 19 Aug 2004 03:46:11 -0600
+
+apache2 (2.0.50-9) unstable; urgency=medium
+
+ * Enable LFS properly. (Closes: #264645, #244897)
+ - Added 023_largefiles_upstream_fixes which makes the upstream configure
+ script a bit smarter and fixes some misuses of size_t/off_t.
+ - Added 024_largefiles_debian_hacks which adds some hideous hackery to
+ work around a bug in glibc where sendfile64 is used in place of sendfile
+ with no fallback even if the current kernel doesn't support it.
+ - Add note to README.Debian noting that while we can now read, write, and
+ list large files, SERVING large files is kernel-dependant.
+ * Bump libapr0 shlibs to (>= 2.0.50-9), since we're introducing
+ some serious ABI breakage with the above changes.
+ * Fix up the PATH in apache2's init script to list /usr/local, /usr, /
+ in the standard order.
+ * Change misleading return messages for a2{en,dis}mod, to reflect
+ the reality that some modules just won't load/unload properly
+ without a full stop/start server cycle.
+
+ -- Adam Conrad Sun, 15 Aug 2004 07:41:19 -0600
+
+apache2 (2.0.50-8) unstable; urgency=high
+
+ * Ensure we link against the correct version of DB42
+
+ -- Thom May Mon, 9 Aug 2004 14:37:38 +0100
+
+apache2 (2.0.50-7) unstable; urgency=high
+
+ * Fix up linking of apr-util (Closes: #262009)
+
+ -- Thom May Tue, 3 Aug 2004 12:42:53 +0100
+
+apache2 (2.0.50-6) unstable; urgency=high
+
+ * use 'env -i' rather than trying to parse env (Closes: #261558, #258713)
+ * revert to old build process (Closes: #260756, #259693)
+ * Reflect changes in ssl setup - Thanks, Björn Wiberg (Closes: #259414)
+ * Remove userdir config from main config file (Closes: #260058)
+
+ -- Thom May Tue, 27 Jul 2004 10:31:46 +0100
+
+apache2 (2.0.50-5) unstable; urgency=high
+
+ * Add necessary suexec information to central build
+ (Closes: #258453, #258772)
+ * Exclude lines starting with a space from removal from the env
+ (Closes: #258713)
+
+ -- Thom May Mon, 12 Jul 2004 17:30:59 +0100
+
+apache2 (2.0.50-4) unstable; urgency=high
+
+ * Fix dependencies so the MPMs don't conflict with the metapackages *g*
+ Thanks to Adam Conrad for this catch
+
+ -- Thom May Fri, 9 Jul 2004 00:55:19 +0100
+
+apache2 (2.0.50-3) unstable; urgency=high
+
+ * Brown paper bag of epic proportion. Build all mpms with the proper
+ collection of libraries. (Closes: #258217, #258202)
+ * Clean up environment (Closes: #241579)
+ * Clarify prefork description (Closes: #252918)
+ * Make apache2-default/manual DTRT (Closes: #244847)
+ * Note that we don't ship INSTALL or README.platforms (Closes: #232956)
+
+ -- Thom May Thu, 8 Jul 2004 16:04:31 +0100
+
+apache2 (2.0.50-2) unstable; urgency=high
+
+ * Make a2enmod a bit more robust (Closes: #258149, #258145)
+ * Should really be urgency=high to get into testing quick
+
+ -- Thom May Wed, 7 Jul 2004 23:03:36 +0100
+
+apache2 (2.0.50-1) unstable; urgency=medium
+
+ * New upstream release, fixes [CAN-2004-0493] and [CAN-2004-0488]
+ * The "I can't believe you're late to your own raid" release
+ * Check whether verbose is on or off in rcS's config (Closes: #242351)
+ * Add an apache2 metapackage (Closes: #234955)
+ * Specifically disable /~root (Closes: #246139)
+ * Stop the daemon in prerm (Closes: #245488)
+ * Redirect /doc/apache2-doc/manual to /manual so the correct magic happens
+ (Closes: #248038)
+ * Update SSL config to current upstream (Closes: #234591,#231147)
+ * No longer install default cgis - they're already shipped in -doc as
+ examples. (Closes: #231665)
+ * Tighten regex for Include (Closes: #234489)
+ * Remove ext-filter.load since we ship ext_filter.load too (Closes: #249268)
+ * Enable userdir as a shared module (Closes: #251102, #246134)
+ * OSKURO SUCKS (otherwise known as: not a bug) (Closes: #208569)
+ * Create /var/lib/apache2 (Closes: #242169)
+ * Remove 'AddDefaultCharset' line from apache2.conf (Suggestion from Marco
+ D'Itri)
+
+ -- Thom May Tue, 6 Jul 2004 18:45:35 +0100
+
+apache2 (2.0.49-1) unstable; urgency=high
+
+ * New Upstream release. (Closes: #240100)
+ * Add missing $ to init-script (closes: #240301)
+ * Provides: httpd-cgi in reference to #117916
+
+ -- Thom May Sun, 4 Apr 2004 11:32:20 +0100
+
+apache2 (2.0.48-8) unstable; urgency=low
+
+ * Fix typo in debian/rules (closes: #230760)
+ * Added patch 021-pcre_mangle_symbols.patch (closes: #235810)
+ * Fixed typo in the init scripts (closes: #230263)
+ * Changed a bunch of mv's to cp's in rules (closes: #228840)
+ * Change mime_magic to use magic from libmagic1 (closes: #236509)
+ * Disable ssl-cert until it sucks less. related to 230791 (closes: #231726)
+ * update descriptions (closes: #234543, #234538, #234542)
+ * Nuke /etc/vhosts and all associated cruft (closes: #235029)
+
+ -- Thom May Mon, 2 Feb 2004 12:47:10 +0000
+
+apache2 (2.0.48-7) unstable; urgency=low
+
+ * Brown paper bag release. Refix the nonfixed libapr0 which built
+ without linking information.
+
+ -- Tollef Fog Heen Fri, 30 Jan 2004 18:25:12 +0100
+
+apache2 (2.0.48-6) unstable; urgency=low
+
+ * Build-Conflict with gdbm (closes: #230226, #230175, #204672)
+
+ -- Tollef Fog Heen Fri, 30 Jan 2004 12:24:09 +0100
+
+apache2 (2.0.48-5) unstable; urgency=low
+
+ * (Daniel Stone)
+ - Bump Standards-Version to 3.6.1.0.
+ - init-script: Print a small warning when NO_START=1. (closes: #178431)
+ - default site: Enable FollowSymLinks. (closes: #200829)
+ * (Thom May)
+ - Permanently kill the ErrorLog directive from ssl.conf
+ - Call ssl-cert to generate an SSL cert using debconf (closes: #178322)
+ - Allow /usr/share/doc/ to be viewable from localhost (closes: #222551)
+ - Set the default DocumentRoot to be /var/www (closes: #222552)
+ - Change where the init script is installed to (Closes: #223417)
+ - Upgrade to DB4.2
+ * (Tollef Fog Heen)
+ - handle building out of the SVN checkout.
+
+ -- Tollef Fog Heen Wed, 28 Jan 2004 00:13:13 +0100
+
+apache2 (2.0.48-4) unstable; urgency=medium
+
+ * (Daniel Stone)
+ - Change apache2-threaded-dev's Conflicts from apache2-perfork-dev to
+ apache2-prefork-dev. Learn how to type, dude (thanks to Grzegorz
+ Prokopski for spotting this one).
+
+ -- Daniel Stone Mon, 17 Nov 2003 12:00:11 +1100
+
+apache2 (2.0.48-3) unstable; urgency=medium
+
+ * Grmmp. stuffed the upload
+
+ -- Thom May Wed, 12 Nov 2003 18:18:54 +0000
+
+apache2 (2.0.48-2) unstable; urgency=high
+
+ * (Thom May)
+ - Fix locking busted by NPTL (Closes: #220299)
+ - Fix IPv6 weirdness (thanks to Jordi/Fabio) (Closes: #220334)
+
+ -- Thom May Wed, 12 Nov 2003 13:04:04 +0000
+
+apache2 (2.0.48-1) unstable; urgency=low
+
+ * (Thom May)
+ - New Upstream Release (Closes: #202094)
+ - Fix i18n autonegotiation for the manual (Closes: #201648)
+ - Add deb.{gif,png} (Closes: #199454)
+ - Explicitly link against libdl (Closes: #195968)
+ - Add dependency on ssl-cert (Closes: #177837)
+ - Take preventative action against SCTP
+ - Add apache2-prefork-dev to work around PHP.
+ - Shut Oskuro up - startup time changed to 91 (Closes: #208569)
+ - Install README.etc into apache2-common's doc dir
+ (Closes: #208751,#177941)
+ - Auth_LDAP loads mod_ldap as well. (Closes: #217795)
+ - Make sure /var/lock/apache2 has correct ownership (Closes: #206375)
+ - Fix for SSL enabled virtual hosts (Closes: #202925)
+ - Steal new apr_threads.m4 from upstream to deal with -lpthread better
+ (Closes: #197685)
+ * (Fabio M. Di Nitto)
+ - Fixed init script (Closes: #203093)
+
+ -- Thom May Sat, 16 Aug 2003 00:13:20 +0100
+
+apache2 (2.0.47-2) unstable; urgency=low
+
+ * Move dav.conf to dav_fs.conf (Closes: #201530)
+ * Fix the manual, and only ship it once. (Closes: #201648)
+ * Enable SymLinksIfOwnerMatch for cgi-bin (Closes: #200829)
+
+ -- Thom May Wed, 16 Jul 2003 10:24:28 +0100
+
+apache2 (2.0.47-1) unstable; urgency=high
+
+ * New Upstream Release. Bunch of security fixes (Closes: #200593)
+ * Add asis.load, auth_ldap.load, cache.load, dav_fs.load, disk_cache.load,
+ ext_filter.load, file_cache.load, imap.load, ldap.load, mem_cache.load,
+ include.load (Closes: #197152, #198389, #196115)
+ Note that dav_fs was previously loaded by dav.load, and is now broken out
+ into a seperate file.
+ * Patch apxs2 to use datadir rather than prefix for top_builddir.
+ (Closes: #198607)
+ * Kill a couple of pointless conflicts. (Closes: #197242)
+ * Change suexec docroot from /var/www/apache2-default to /var/www
+ (Closes: #198981)
+ * Make sure we use Expat rather than xmltok (Closes: #197020)
+ * Ship find_ap{r,u}.m4 (per Nuutti Kotivuori)
+
+ -- Thom May Fri, 4 Jul 2003 13:40:37 +0100
+
+apache2 (2.0.46-3) unstable; urgency=low
+
+ * Clean up the proxy config although it's not enabled by default.
+ (Closes: #195187)
+ * Remove all traces of gdbm. (Closes: #196231)
+ * Re-enable ldap support (Closes: #190092)
+ * This changelog should be policy compliant. Any whingers can take a long
+ hike off a short pier.
+ * use printf rather than echo to work round weird shells. (Closes: #196230)
+
+ -- Thom May Thu, 5 Jun 2003 19:26:21 +0100
+
+apache2 (2.0.46-2) unstable; urgency=critical
+
+ * Fix config_vars.mk creation and installation (Closes: #195141, #195190)
+
+ -- Thom May Thu, 29 May 2003 11:47:13 +0100
+
+apache2 (2.0.46-1) unstable; urgency=critical
+
+ * The "David Welton is my hero" release
+ * New upstream release, numerous security vulns fixed.
+ * Oh the pain.
+ * Move ScriptSocket to /var/run/apache2 (Closes: #188655)
+ * Restore mod_include (Closes: #188483)
+ * Move the virtual hosts config to the end of the config file
+ (Closes: #188584)
+ * Add Mod-Ext-Filter (Closes: #182770)
+ * Add actions.load (Closes: #178087, #179571, #181527)
+ * Add a dependency on net-tool (Closes: #190663)
+ * Clean up FHS compliancy and fix up a typo in apachectl (Closes: #187723)
+ * Fix for the apxs -q APR_BINDIR doesn't work problem (Closes: #188278)
+ * Special case the install of special.mk (Closes: #179776)
+ * Make apache2-dev and apache-dev not conflict. (This renames apxs back to
+ apxs2)
+ * Add README for /etc/apache2 written by David.
+ * Add auth_digest.load courtesy of Amelia A Lewis
+ (Closes: #194111)
+
+ -- Thom May Wed, 28 May 2003 14:17:21 +0100
+
+apache2 (2.0.45-3) unstable; urgency=critical
+
+ * another "stupid freaking sasl" release. the series is on!
+
+ -- Thom May Tue, 8 Apr 2003 17:13:09 +0100
+
+apache2 (2.0.45-2) unstable; urgency=critical
+
+ * the "stupid freaking sasl" release.
+ * fix override disparities too.
+ * fix dulpicate dependency on libssl0.9.7 (Closes: #179598)
+
+ -- Thom May Tue, 8 Apr 2003 13:34:44 +0100
+
+apache2 (2.0.45-1) unstable; urgency=critical
+
+ * New upstream release (Closes: #187502)
+ * Fix korean language type, thanks to Donggyoo Lee
+ (Closes: #179542)
+ * Add explicit dependency to libsasl-dev (Closes: #179674)
+ * Remove ErrorLog from ssl.conf
+ * forward ported patches courtesy of Roberto Moreda ; big
+ thanks!
+
+ -- Thom May Sat, 5 Apr 2003 14:35:58 +0100
+
+apache2 (2.0.44-6) unstable; urgency=low
+
+ * Make APR's postinst idempotent (Closes: #178105, #178141)
+ * Make Apache2-common's postinst non interactive (Closes: #178551)
+ * People filing bugs after they're fixed should be shot (Closes: #178244)
+ * Build Logio into the core, apparently.
+
+ -- Thom May Mon, 27 Jan 2003 20:47:28 +0000
+
+apache2 (2.0.44-5) unstable; urgency=low
+
+ * The "someone should take my compiler away from me" release
+ * Depend on openssl as well. Grrr. (Closes: #177985)
+ * Clean up the last of the section mismatches
+
+ -- Thom May Thu, 23 Jan 2003 15:04:20 +0000
+
+apache2 (2.0.44-4) unstable; urgency=low
+
+ * The "going for broke" release.
+ * Enable Logio, suggested by Roberto Moreda
+ * Stop force loading of cgi modules. (until we can do it cleanly)
+ (Closes: #177876, #177795)
+ * Restore symlink for libapr.so.0 (Closes: #177792)
+ * Apache2-common must depend on libssl0.9.7 (Closes: #177845)
+ * Rename ssl-certificate so we don't conflict with apache-ssl
+ (Closes: #177881)
+ * Only create the certificate if it's not there already (Duh!)
+
+ -- Thom May Wed, 22 Jan 2003 09:59:11 +0000
+
+apache2 (2.0.44-3) unstable; urgency=low
+
+ * The "This one goes out wearing a brown paper bag" release
+ * Fix apxs to correctly return the header locations (Closes: #177729)
+
+ -- Thom May Tue, 21 Jan 2003 16:35:14 +0000
+
+apache2 (2.0.44-2) unstable; urgency=low
+
+ * The "Ooops, I did it again" release
+ * Fixup of sections and priorities.
+ * Add dependency of libldap2-dev to libapr0-dev
+ * Correct dependencies to be db4.1 not db4.0
+
+ -- Thom May Tue, 21 Jan 2003 13:26:57 +0000
+
+apache2 (2.0.44-1) unstable; urgency=low
+
+ * Conform to 10.4 of policy re init scripts, (Closes: #165693)
+ * Be more selective about filenames when doing Include
+ Patch - 008_make_include_safe (Closes: #161512)
+ * Make HTMLTable validate, and add a note recommending its use.
+ (Patch submitted upstream and will be in 2.0.44)
+ Patch - 010_fix_html_table (Closes: #153593)
+ * Make apr have correct library versioning
+ Patch committed upstream
+ Patch - 011_make_apr_versioned (Closes: #162775)
+ * Placed packaging code under subversion change management
+ http://svn.positive-internet.com/svn/apache2/trunk
+ * Changed some bash scripts to use #!/bin/bash rather than #!/bin/sh
+ (Closes: #168338)
+ * Changed apache2-common to merely suggest apache2-doc (Closes: #167595)
+ * Patch from David Kimdon to clean up debian/scripts/*
+ * Rename apxs2 to apxs; conflict with apache-dev (Closes: #167550)
+ * Upstream fix for AllowOverride documentation (Closes: #169431)
+ * Tighter build dependency on debhelper (Closes: #170803)
+ * Only reload in logrotate if apache2 is actually running (Closes: #171095)
+ * Upstream Fix for AddOutputFilterByType documentation (Closes: #172294)
+ * Add robots.txt to apache2-common (Closes: #172592)
+ * Enable cgi in postinst (Closes: #168709)
+ * Create an SSL Certificate on install (Closes: #168109)
+ * Fix a couple of typos in debian/ssl-certificate, with thanks to Nuutti
+ Kotivuori
+ * Change to restart rather than reload in logrotate, to work round a nasty
+ PHP bug (PHP has bugs? *gasp* I thought it was perfect!) with thanks to
+ Adam Conrad for the suggestion
+ * Clarify what needs to be installed for a working system (Thanks to Sean
+ Abrahams)
+ * Support debug DEB_BUILD_OPTIONS setting, thanks to Karl Hegbloom
+ (Closes: #174221)
+ * Add -pipe to the CFLAGS, thanks to Karl Hegbloom
+ * Force apr-util to build against db4
+ * add OSX finder to the list of things that needs to be redirect-carefully'd
+ * s/enabled/disabled in debian/a2-scripts/a2dismod (Closes: #173956)
+ * enable auth-ldap, auth-anon, auth-dbm, auth-digest, and action as shared
+ modules (Closes: #172044, #174583, #172093)
+ * Upgrade to Berkely DB 4.1
+ * Upgrade to OpenSSL 0.9.7
+ * Add patch to ensure DB4.1 --with-unique-names is picked up. (Committed
+ upstream)
+ * Add local apache2 and apache2ctl manpages, since upstream have removed
+ them.
+
+ -- Thom May Mon, 20 Jan 2003 11:14:43 +0000
+
+apache2 (2.0.43-1) unstable; urgency=medium
+
+ * New Upstream Release; Fixes: CVE: CAN-2002-0840 CERT: VU#240329
+ * Add extra config to unfuck perchild. hopefully.
+ * Rejig Proxy Config some. With thanks to: Emmanuel Chantreau (Closes: #163124)
+ * Fix cgi install. Thanks to: Bastian Kleineidam (Closes: #162791)
+ * Fix postinst to check installation type and behave accordingly (Closes: #162627)
+ * Bring product version into line with RFC2616 (Closes: #151384)
+ * Add allow line for ipv6 localhost (Closes: #163533)
+ * Make more of the modules modular.
+ * Set UseCanonicalName off
+ * Added index.xhtml to DirectoryIndex settings
+ * Enabled MultiViews in the default site, and for the manual (Closes: #160367)
+ * Removed Unnecessary cgi.conf (Closes: #163842)
+
+ -- Thom May Fri, 4 Oct 2002 21:47:18 +0100
+
+apache2 (2.0.42-2) unstable; urgency=low
+
+ * Tighten dependencies yet more
+ * Restart in postinst. don't stop in prerm and start in postinst (Closes: #162344, #162350, #162537)
+ * Fix dh_shlibdeps up
+ * PERCHILD IS NOT WORKING IN THIS RELEASE. DON'T EXPECT IT TO. BUGS ABOUT
+ THIS WILL BE CLOSED WITH EXTREME PREJUDICE.
+
+ -- Thom May Fri, 27 Sep 2002 13:06:59 +0100
+
+apache2 (2.0.42-1) unstable; urgency=low
+
+ * "Pretty. What shall we blow up?"
+ * New Upstream Version (Closes: #160364)
+ * Fix man names and sections (Closes: #157113)
+ * Correct the regex for netstat checking of ports, thanks to Matthew Hambley
+ for this.
+ * Correct dependencies for apache2-common. (Closes: #161793)
+ * Applied patch from Stefan Gybas to fix a2enmod (Closes: #159459)
+ * Added BrowserMatch directives for microsoft's bodgy DAV implementations
+ and also for gnome-vfs (Closes: #155097)
+ * Loosened the config for home directories (Closes: #153599)
+ * Updated to latest standards version
+ * Drop priority to extra to bring it in line with libdb4.0
+ * Added logrotate script - Thanks to Phil Edwards for the basic version, and
+ the apache package that I ripped the rest off from (Closes: #155488)
+ * Tighten up what the Include lines load some. This is related to #161512
+ but doesn't completely close it.
+
+ -- Thom May Sat, 21 Sep 2002 22:14:22 +0100
+
+apache2 (2.0.40-1) unstable; urgency=low
+
+ * New Upstream Version
+ * Correct dependencies. (Closes: #156959)
+ * Code to check for something else listening on 80 (Closes: #156129)
+ * correct permissions on suexec2 man page (Closes: #157005)
+ * Make the start and stop targets use apache2 directly rather than
+ apache2ctl.
+ * Check for the existence of apache2 and exit if it's not there (Closes: #156640)
+ * Nuke ssl_scache on startup (Closes: #157445)
+ * patch apxs to not need an mpm installed. Correct dependencies for -dev.
+ Stop messing around with ap_config_auto.h.
+ This hopefully resolves James Troup's objections to apache2. (Closes: #157895)
+ * Add code to check for a 2.2 based kernel and set up the Scoreboard
+ accordingly. (Closes: #156899)
+ * make sure i only have to update one init.d script, rather than 4.
+ * make apxs return a correctly formatted response on queries.
+ + -- Thom May Wed, 21 Aug 2002 14:21:14 +0100 + +apache2 (2.0.39+cvs.1028741220-2) unstable; urgency=low + + * Rebuild against new libc6. Grr. (Closes: #155865) + * Actually create /etc/apache2/httpd.conf + * Propagate init.d changes through the other MPMs. + + -- Thom May Thu, 8 Aug 2002 09:19:49 +0100 + +apache2 (2.0.39+cvs.1028741220-1) unstable; urgency=low + + * New Upstream Version + * Make a versioned depends on libapr0 (Closes: #154879, #155400) + * Ensure that /etc/init.d/apache2 is registered properly. + * Added a conf.d directory for random conf snippets + * Ensure that the /manual/ alias is setup by the correct package (Closes: #155179) + * Ensure that DAVLockDB is created in the right directory (Closes: #155096) + * Now Building in a pbuilder chroot environment. + * Perchild is now pseudo working (Closes: #154148) + * Cumulatively (note to Lazarus Long: this means all the things in this + changelog added together) (Closes: #155297, #155307, #155317, #155717, #155363, #155719, #155801) + * Note that preceeding changelog entry may not be parseable by strict grammar + checks. Thanks to Jamie Wilkinson for pointing this out. + * Turn MultiViews back on for the default site (Closes: #155450) + checks. Thanks to Jamie Wilkinson for pointing this out. 
+ * Turn MultiViews back on for the default site (Closes: #155450)
+ * Removed all CVS directories (Closes: #155602, #155393, #155402)
+ * SSI has been fixed upstream (Closes: #151744)
+ * Removed SSLLog directives (Closes: #152940)
+ * Put icons in the right place (Closes: #155178)
+ * Fixed build-dep on libgdbmg1-dev (Closes: #155412)
+ * Get correct information into config_vars.mk (Closes: #151712)
+ * Removed 'ServerName localhost' line (Closes: #155359)
+ * Placed apr-util headers in correct package
+ * Ensured that the init.d script restarts apache properly
+
+ -- Thom May Tue, 30 Jul 2002 22:37:52 +0100
+
+apache2 (2.0.39+cvs.1027964860-1) unstable; urgency=low
+
+ * New Upstream Source
+ * Correct Icons path (Closes: #151314)
+ * Add missing dep on mime-support (Closes: #151848, #152220, #152221, #151772)
+ * Fixup suexec2, thanks to Masahito Omote (Closes: #151422)
+ * Mark Brown
+ - Remove spurious claim that apache2 hasn't been uploaded (Closes: #151433)
+ - Bring apache2 in line with policy on /usr/share/doc/ (Closes: #151459)
+ - Make reload behave the same as force-reload (Closes: #151432)
+ * place the manual in the right place, thanks to Md (Closes: #151766)
+ * David Kimdon
+ - add build depends on zlib1g-dev (Closes: #151286)
+
+ -- Thom May Fri, 29 Jul 2002 19:12:56 +0100
+
+apache2 (2.0.39-1) unstable; urgency=low
+
+ * New Upstream Version, fixing a denial of service attack.
+ * Fix installation of icons and manual.
+ * David Kimdon
+ - fix path for envvars in apxs2
+ - use generalized directives in ssl.conf ( SSLLog -> ErrorLog,
+ SSLLogLevel -> LogLevel ), this allows server to load ssl
+ module
+
+ -- Thom May Fri, 14 Jun 2002 17:29:59 -0700
+
+apache2 (2.0.37-2) unstable; urgency=low
+
+ * Updated Copyright file to actually contain a copy of the various licenses.
+ + -- Thom May Fri, 14 Jun 2002 15:41:41 +0100 + +apache2 (2.0.37-1) unstable; urgency=low + + * New upstream version + + -- Thom May Thu, 13 Jun 2002 17:47:12 +0100 + +apache2 (2.0.37+cvs.JCW_PRE2_2037-1) unstable; urgency=low + * New upstream release + -- Thom May Wed, 5 Jun 2002 12:42:34 +0100 + +apache2 (2.0.36-2) unstable; urgency=low + + * debian/control - Correct provides, conflicts and depends, especially for + the mpms. + * build-dep doesn't work with provides, which makes sense. Need to make a + note of this in the policy. + * debian/rules - ensure that the mpm specific header file is installed into + the right place + + -- Thom May Fri, 31 May 2002 14:54:39 +0100 + +apache2 (2.0.36-1) unstable; urgency=low + + * The "The obviously begging in a changelog works" release. + * New Upstream release + * Vpath Builds now work, giving the ability to select which MPM you require + * Changed vhost base to only be a Recommends: as I'm not happy that it's + currently in a properly releasable state. + * New enhost script courtesy of DannyS. + * David Kimdon + - make apxs2 find envvars properly + - use libtool to install apache2 binaries for different mpm's + - fix dependancies for apache2-dev (we can't do a versioned 'Provides' + so we need to list all the packages that provide apache2 along + with their version) + * Implemented a long overdue suggestion to only create ports.conf if it's + not in existance already, rather than to add a command to listen on 80 iff + that didn't exist. The person who suggested it is lost in the mists of my + mailbox. If it was you, please email me! + * debian/vhost-base/add.d/apache2 - apply patch from "Omniflux" + to fix some brainos + + -- Thom May Mon, 6 May 2002 16:39:18 +0100 + +apache2 (2.0.35+cvs.20020420-1) unstable; urgency=low + + * The "finding myself standing on the corner staring into a different world" + release. Will someone please give me a job? + * Resync with upstream CVS. 
lots and lots of bug fixes since the last + release. + * Attempting to build with multiple MPMs, so speedfreaks can have a threaded + MPM. (Available MPMs are: prefork, worker, threadpool, and + leader/follower). + * Now sedding ap{r,u}-config in the install target. + * vpath build evilness suggested by Andrew Suffield and others. I hate them + all. :) + + -- Thom May Sat, 20 Apr 2002 17:04:46 +0100 + +apache2 (2.0.35-2) unstable; urgency=low + + * The "Apache2 isn't released, therefore the Bug Tracking System doesn't + bloody well work" release + * Fixes a bug in add host, due to the change from Port to Listen. + (Reported by numerous people, patch more or less from Esteve Fernandez + . + * Attempt to fix apu-config, suggestion and patch from David Kimdon, if it's + wrong, I broke it. (Changed it to apply pre-build, rather than post build. + Yes, it's the lazy approach. It's also the right one :) ) + * THE BUG TRACKING SYSTEM IS NOT THE RIGHT PLACE TO SEND BUG REPORTS FOR + APACHE2. + * REALLY. + + -- Thom May Sat, 6 Apr 2002 21:04:16 +0100 + +apache2 (2.0.35-1) unstable; urgency=low + + * WOOOOOOOOOOOHOOOOOOOOO! Apache2's first General Availability release! + * Various bug fixes, suggestions and so on. + * Built with db3 for the time being. + + -- Thom May Sat, 6 Apr 2002 03:01:24 +0100 + +apache2 (2.0.34+retag-1) unstable; urgency=low + + * Resync with upstream release. + * Fix packaging-fus (Hi Marcello!) + * Upstream have fixed cgi probs. + + -- Thom May Mon, 1 Apr 2002 14:50:12 +0100 + +apache2 (2.0.34-1) unstable; urgency=low + + * New upstream release + * added mod_deflate as a shared library + * bashed on apache2.conf some. + + -- Thom May Tue, 26 Mar 2002 23:23:09 +0000 + +apache2 (2.0.33-1) unstable; urgency=low + + * New upstream. + * Unfucked all code, include init.d and /etc/vhosts. + * FHS'ified, more or less + * Some debconf, but not much. 
+ * Merged more patches upstream + + -- Thom May Sat, 9 Mar 2002 23:33:09 +0000 + +apache2 (2.0.32+cvs.20020228-1) unstable; urgency=low + + * The "bathwater, no baby" release. + * Submitted patches upstream like crazy. + * Tossed the insanely bogus apachectl patch + * Debconf not included here. Want to get everything else right, and a + release out. + * Boom! + + -- Thom May Thu, 28 Feb 2002 21:07:24 +0000 + +apache2 (2.0.32-1) unstable; urgency=low + + * The "Throwing stuff away like mad and seeing if it still builds" release. + * Ditched apache2-modules* on the principle of least surprise - the deb + layouts now pretty closely follow apache. + * Trying to triage away patches that have been fixed upstream. + * Major attack on debconfiscation starts here -> . + + -- Thom May Tue, 19 Feb 2002 20:37:58 +0000 + +apache2 (2.0.31+cvs.20020217-1) unstable; urgency=low + + * New CVS snapshot from HEAD to benefit Subversion for the impending 0.9 + release. Enjoy! 81 lines in the last couple of days ... :) + * debian/patches/005_more_hardcoded_paths: + - Regenerated diff against newer version of mpm_default.h. + * debian/patches/008_apr-config_sucks + - Regenerated apr-util part of diff against newer version of + apu-config.in. + * debian/apache2.{config,templates,postinst}, + debian/vhost-base/add.d/apache2, + debian/vhost-base/templates.d/apache2{,.in}, debian/rules: + - Debconfage asking which port to run on, and make the vhost-base script + only list the current ports; ports stuff moved to + /etc/apache2/ports.conf - re-enable dh_installdebconf in debian/rules. + - Moved templates.d/apache2 to templates.d/apache2.in so we can do some + nifty inplace regexps. + * debian/apache2.init.d: + - Bail out of the init script if there aren't any sites enabled. + * debian/{rules,control}: + - Get rid of apache2-modules; move its contents to apache2. + * debian/config-mods/cgid.conf: + - Get rid of redundant wrapper around ScriptSock, so it + actually loads. 
Thanks to Pieter "Pitr" Jansen for this one. + + -- Daniel Stone Sun, 17 Feb 2002 01:23:43 +1100 + +apache2 (2.0.31+cvs.20020207-1) unstable; urgency=low + + * The one-big-happy-apache2-bug-squashing-family release. + * Update to latest CVS; hopefully this won't mean that piro deadlocks every + time dpkg goes to read its database. Hopefully this gets rid of the bugs. + Yes, all of them. + * debian/patches/004a_srclib_layout_support: + - Updated a touch to fit in with .32-dev. + * debian/patches/008_stuff_in_sbin_not_bin: + - Removed; obsoleted by upstream discovering sanity. + * debian/patches/008_apr-config_sucks: + - Fix problem whereby @prefix@ would sub to $(prefix), but $(prefix) + wouldn't sub to the prefix, or ${prefix}, thus screwing up the running + of apr-config ... ditto for apu-config (from apr-util). + * debian/patches/009_apxs: + - Reworked to make it actually work, and apply cleanly. + - Fix libtool breakage once again, thanks David Kimdon. + * debian/patches/010_shmget: + - Hack to srclib/apr/apr.h.in to make it prefer shmget over everything + else, to make it 2.2/non-tmpfs safe. (Thanks Ben Collins). + * debian/patches/012_debian_version: + - Minor update (include a space in front of "Debian", change it to + "Debian GNU/Linux" to clarify things, and before the the Hurd [happy + now, you crack junkies?] people complain, it's not released as a Debian + port yet, so feh). + * debian/vhost-base/add.d/apache2: + - Change sites to sites-available, in line with the previous change. + * debian/config/mods-available: + - Move to debian/config-mods to make life easier with the move to + apache2-modules (see below). + * debian/config-mods/auth_dbm.load: + - New file, in line with introducing mod_auth_dbm; thanks again to David + Kimdon. + * debian/a2-scripts/a2{en,dis}mod: + - Rewritten to be much cleaner and cool. (Thanks to Ben Collins for + pointing out that the permissions were screwed). 
+ * debian/apache2.postinst: + - New file, no #DEBHELPER# token so that we don't care if postinst fails; + this way it won't bail if you're already running another web server. + Thanks to David Kimdon for pointing out an error. + * debian/vhost-base/{enable,disable}.d/apache2: + - Fixed! Woot! The code isn't the best you'll see, but now *WORKS*. Whoo! + * debian/control: + - Extend libapr-dev's Depends to include libapr0 (duh). + - Remove apache2-modules-dev as modules are no longer built both shared + and static, IMHO this was quite braindead behavior. Upstream's change, + not mine. + - Remove apache2-support as apxs2 requred apache2 anyway. Chalk one (more) + down for "failed experiments". + - Removed redundant libssl0.9.6 and libxmltok1 build-deps; we already + build-depped on the relevant -dev packages; thanks Ben Collins. + * debian/rules: + - Modules are no longer built statically as well as dynamically (upstream + change), so stop trying to move the files around. + - Sort out the libapr0/libapr-dev mess once and for all; thanks to Matt + Wilcox and Ben Collins for patiently talking me through it. + - Move *contents* of mods-available to apache2-modules, but keep the + directory itself as part of apache2, to keep the addons happy; thanks + David Kimdon. + - s/apache2-support/apache2/, see debian/control entry. + - Remove extraneous LICENSE file from the vhost manual. + - Remove *.exp files, because they're unneeded. + * debian/apache2.docs: + - Remove KEYS from the list of docs because this is crap and no longer + distributed. w00t! + + -- Daniel Stone Thu, 7 Feb 2002 20:39:44 +1100 + +apache2 (2.0.28-3) unstable; urgency=low + + * Enabled mod_auth_dbm for Subversion. (thanks David Kimdon). + + -- Daniel Stone Thu, 29 Nov 2001 23:25:53 +1100 + +apache2 (2.0.28-2) unstable; urgency=low + + * Fixed up a couple of things, + /etc/apache2/modules->/etc/apache2/mods-available, etc. + * Included mod_dav, so Subversion can be built. 
+ * New package: apache2-modules-dev, containing all + /usr/lib/apache2/modules/*a. (Thanks Adam Heath). + * Moved libapr.so.* symlinks to libapr-dev (Thanks again to doogie). + + -- Daniel Stone Sun, 25 Nov 2001 19:00:19 +1100 + +apache2 (2.0.28-1) unstable; urgency=low + + * Updated to 2.0.28, which they actually managed to agree on calling a beta. + * debian/apache2.init.d: + - Stripped of almost all its functionality. Now just touches httpd.conf if + we're starting and it doesn't exist, and then calls apache2ctl with all + our options, whatever they may be - it can error out if it wants. + * Removed patches: + - 010_index.html.it_typo - merged upstream. + * Updated patches: + - 009_apxs: make it actually find libtool. Thanks to David Kimdon. + - 002_apache2ctl: really fix apache2ctl graceful. + + -- Daniel Stone Sun, 18 Nov 2001 15:29:43 +1100 + +apache2 (2.0.26+cvs.20011028-2) unstable; urgency=low + + * Added vhost-base support. + - Removed Debconfage and moved all the templates to + debian/vhost-base/templates.d (/etc/vhosts/templates.d). + Removed apache2.postinst and apache2.config. + - Removed a2{dis,en}host. + * /usr/lib/cgi-bin will now be /cgi-bin, /var/vhosts/hostname/cgi-bin will be + /cgi-local. + + -- Daniel Stone Fri, 9 Nov 2001 21:53:27 +1100 + +apache2 (2.0.26+cvs.20011028-1) unstable; urgency=low + + * Resync with HEAD (another coming to fix segfaults, but no net connectivity + at the moment - 4-11-2001, 2:12pm. Grrr). + * New patches: + - 011_mod_autoindex-symlink: make icons for symlinks to files and dirs + special cases. + + Touches modules/generators/mod_autoindex.c + + Special cases: ^^SYMDIR^^ and ^^SYMLINK^^. + - 012_debian_version: adds "Debian" to the Apache version string. + + Touches include/ap_release.h - this patch has *no* context. Please + don't give it any, I don't want to have to rediff every version. 
+ * debian/config/httpd.conf, debian/config/apache2.conf: + - Move main config file to apache2.conf, made it much more bare-bones. + + User (or package) config should be done in httpd.conf. + * apache2.conf: + - s/Port/Listen/ - booya! Finally they cleaned it up. + - Add (commented-out) icon entries for ^^SYMDIR^^ and ^^SYMLINK^^. + Anyone volunteer to create icons? + * debian/apache2.postinst: + - Minor cleanups. + - And later: Made it just call ap2addhost --default. (and a2enhost). + * debian/config/modules/ssl.conf, debian/config/sites/default-443: + - Put only generic SSL stuff in ssl.conf, split SSL support out into + a new virtual host thingy in accordance with dealing with ports. + * debian/config/sites/default, debian/config/sites/default-443, + debian/patches/004b_debian_layout: + - Add a new alias /cgi-pub/ to /usr/lib/cgi-bin. Packages should put + scripts here. + * debian/control: + - changed the Suggests: on apache2-doc to a Recommends: + + otherwise /manual/ will be a broken alias, as it points to + /usr/share/doc/apache2-doc/manual. + - changed libapr-dev to Architecture: all (from Arch: any) - whoops. + * Added support for multiple ports on the one virtual host. At the moment + it's one gigantic, ugly, kludge. *sigh*. Format: + - /var/vhosts/site.name/htdocs-PORT + - /var/vhosts/site.name/logs/(access|error).log-PORT + - /var/vhosts/site.name/cgi-bin-PORT + * debian/apache2.postinst, debian/config/sites/default, etc: + - s#/var/www#/var/vhosts#; + - s#htdocs#htdocs-$PORT#; + * More Debconfage - it now asks if you want SSL support in the default + virtual host, and which port number you want (default 81 so it sits + side-by-side with apache). + * Major change to postinst, a2addhost, et al: + - It's all now done in Perl, and postinst is no longer a special case. + The standalones call Debconf for what they need to do, calling it as a + standalone. 
This way, postinst just calls a2addhost, etc, and it also + smooths the path for me to do the vhost-base stuff. + * No, this migration path probably won't be smooth (between apache2 + versions). Sorry. + * Last release before I make it vhost-base compliant. + + -- Daniel Stone Sun, 28 Oct 2001 20:33:18 +1100 + +apache2 (2.0.26+cvs.20011023-1) unstable; urgency=low + + * Damnit, resync with HEAD (2_0_26 was unstable). + + -- Daniel Stone Tue, 23 Oct 2001 18:36:42 +1000 + +apache2 (2.0.26-1) unstable; urgency=low + + * Resync with upstream CVS (but only as far as the APACHE_2_0_26 tag). + Essentially, this gives all the coolness of a CVS tree, but all the + stability of a release. I may start tracking HEAD later, we'll just + have to see. + * Changed libapr->libapr0. + * Fixed a couple of typo's in index.html.it (thanks Md, via Joey). + * 22nd October, 7:51pm: Resync again as they added a couple of files + and bumped the tag to fix segfaults. + + -- Daniel Stone Wed, 17 Oct 2001 23:50:39 +1000 + +apache2 (2.0.25+cvs.20011001-1) unstable; urgency=low + + * More CVS resyncing joy. + * Silly stupid evil poo bum hack to apachectl. I don't like this. + Please, help. + * Got rid of a few lintian warnings. + * Install build stuff to /etc/apache2/build, adjust apxs accordingly. + * Agreed on policy with madduck. This is a MAJOR CHANGE, people. + A lot of stuff has changed around, so you'll need to change your + packages. + apache2 now treats everything as a virtual host (even when you only + have one host). This allows us to skirt around FHS and do our own + thing. ("Thpthpthpthpthpthpt, we're using vhosts. FHS doesn't say + anything about that.") + Please see README.Debian for more details. + * More fun with virtual hosts. Migrated their configuration files to + /etc/apache2/virtuals/. This will allow for easy adding and + removal, via the new tools /usr/sbin/ap2(add|del)vh. 
+ apache2's postinst touches /etc/apache2/POSTINST_CONFED, and will refuse + to re-run the postinst config stuff if it's there already. + * Module fun - /usr/sbin/ap2mod(en|dis). Modules put their loading line in + /etc/apache2/modules/foo.load, config in /etc/apache2/modules/foo.conf. + Enabled module stuff gets symlinked into /etc/apache2/mods-enabled. + * Move APR stuff to /usr/lib, not /usr/lib/libapr. Whoops, should've done + this a *long* *time* *ago*. + * More silly APR hacks: Move /usr/include/libapr to /usr/include/apache2, as + silly things like php4 don't get the fact that APR and apache2 can indeed + have different include directories. Grrr. + * Juggled script names - it's now a2(en|dis)(host|mod). + * I don't care, I'm uploading. No, really (closes: #103471). + It's been 93 days since I first did dh_make and ITPed it. :) + + -- Daniel Stone Thu, 4 Oct 2001 20:15:31 +1000 + +apache2 (2.0.25+cvs.20010923-1) unstable; urgency=low + + * Another resync with upstream CVS; most of the changes below were made + between then and now. + * Also added apache2-support - everything from support/*, so php4, et al + don't need to Build-Depend on apache2 itself. + + -- Daniel Stone Sun, 23 Sep 2001 13:21:16 +1000 + +apache2 (2.0.25+cvs.20010908-1) unstable; urgency=low + + * Synched everything with CVS; it works now. + * We now build with ./buildconf due to the above; redo all the patches + against configure.in. I swear this will be the last change, and that I'll + test it. + * Removed php4 and modperl-2.0 from the tree. I should keep the changelogs + internal, as this is now getting not only very silly, but very embarassing. + * I corrected myself in the ITP that it was licensed under the Apache + Software License, not GPLed, but forgot to do that in debian/copyright. + Whoops. Feel free to LART. + * Lintian cleanups: + - Remove extra LICENSE files. + - Stop stuff calling -rpath. + - Change printenv to call /usr/bin/perl, not /usr/local/bin/perl - wtf? 
+ - Move manpages to the right directory. + * Minor merge from Thom courtesy of some stuff being stored on pandora:~thom. + - Use buildprogs.pl to parse stuff like apache2ctl, apxs2, etc. + * Hopefully I'm only one CVS sync away from an upload. + * Moved some stuff over to /usr/sbin, fixed apache2ctl once and for all. + Hopefully. + + -- Daniel Stone Sun, 9 Sep 2001 00:05:03 +1000 + +apache2 (2.0.24-2) unstable; urgency=low + + * The "Farewell Buddha" Release. + * Or, alternatively: The "Darren Milburn is an Idiot for Inciting Crowds" + Release. + * Yes, it's the height of evil, I know: modperl-2.0 goes into the source + tree. (from CVS). + Separate tarballs, thanks to DBS, but still, yeah. + * Ditto php4. + * Still no Thom's laptop; hence no merges, and I'm not going to duplicate + work. + + -- Daniel Stone Sun, 2 Sep 2001 21:50:59 +1000 + +apache2 (2.0.24-1) unstable; urgency=low + + * New upstream version. + * Use prefork, not threaded, MPM. (threaded is currently broken). + * Update example httpd.conf for mod_ssl and have lines for all the modules. + * Build-Depends, all the Build-Depends! + * Update maintainer email address (thanks Joey). + * Turns out using buildconf was what broke modules. I swear I won't do + anything like that again. Promise! (thanks Thom for pointing this out) + * Implied by the above, rediff all patches against configure, not + configure.in. + * Also, don't copy configure.{guess,sub} over anymore, because we don't need + them. + * More Thom merges: + - debian/patches/003_apache2ctl - rewritten apache2ctl to actually work. + * Return of debian/patches/006_dont_install_build_crap. GAH! + + -- Daniel Stone Sat, 18 Aug 2001 17:01:19 +1000 + +apache2 (2.0.23-2) unstable; urgency=low + * SSL finally works, and beat instructions on how to get it going out + of someone on new-httpd. Moved SSL stuff to apache2-modules. + * Disabled TLS, because it's unstable and unnecessary. 
+ * Merge from Thom May's tree: + 005b_debian_layout - The Debian layout for stuff + - Move APR stuff to /usr/lib/libapr and /usr/include/libapr. + - Clean up debian/rules, largely thanks to the two new patches. + * General cleanups, resulting from running lintian: + - Chuck #DEBHELPER# in postinst, which also fixes the /usr/doc + and init.d problems (due to debhelper now doing its postinst + thing). + - Remove LICENSE files from apache2-doc and the default document + root. + - Remove man/ and build/ top-level dirs, install manpages correctly. + - Updated 004_perl_in_usr_bin to include the manual search CGI. + * Remove all evil, ugly, patches to configure in debian/patches/*, instead, + diff against configure.in, because autoconf gets run in the configure + stage every time. + * Copy config.{guess,sub} from /usr/share/misc (provided by autotools-dev) at + runtime, thus eliminating debian/patches/002_config_guess_and_sub. + * Reshuffled patch numbers to cope with the above. + * I give up on this DBM crap. Disable mod_auth_dbm for now. + + -- Daniel Stone Wed, 15 Aug 2001 18:27:23 +1000 + +apache2 (2.0.23-1) unstable; urgency=low + + * New upstream - 2.0.23. + * New patches: + 004_conffile_in_etc_apache2 - Make an ugly init.d hack unnecessary. + 005_perl_in_usr_bin - Make example CGI scripts use /usr/bin/perl. + * Fix mime_magic stuff by copying magic to /etc/apache2. + * Remove debian/patches/003_cgisock_in_var_log_apache2, instead found a new + conffile directive, put this into the default distributed conffile. + + -- Daniel Stone Sun, 12 Aug 2001 18:05:32 +1000 + +apache2 (2.0.22-2) unstable; urgency=low + + * Aargh, I'm an idiot. Fix a bug in mod_cgid.c that had a hardcoded path. + That's now debian/pactches/003*. + + -- Daniel Stone Sat, 11 Aug 2001 08:04:13 +1000 + +apache2 (2.0.22-1) unstable; urgency=low + + * Updated to 2.0.22, started using a form of DBS. + * Merge from Thom May's 2.0.20 tree - new libapr-dev package. 
+ * Backed out the old mod_(tls|ssl) hacks, see if 2.0.23 is any better
+ (apparently it is, thank god).
+
+ -- Daniel Stone Wed, 8 Aug 2001 15:13:09 +1000
+
+apache2 (2.0.20-2) unstable; urgency=low
+
+ * New SSL fixes from new-httpd. Apparently, this (generally) works.
+
+ -- Daniel Stone Fri, 13 Jul 2001 07:57:18 -0500
+
+apache2 (2.0.20-1) unstable; urgency=low
+
+ * New upstream release
+
+ -- Daniel Stone Mon, 9 Jul 2001 18:41:04 +1000
+
+apache2 (2.0.18-1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Daniel Stone Wed, 4 Jul 2001 21:29:29 +1000
+
--- apache2-2.2.16.orig/debian/apache2.2-bin.manpages
+++ apache2-2.2.16/debian/apache2.2-bin.manpages
@@ -0,0 +1 @@
+debian/httxt2dbm.8
--- apache2-2.2.16.orig/debian/NEWS
+++ apache2-2.2.16/debian/NEWS
@@ -0,0 +1,154 @@
+apache2 (2.2.15-4) unstable; urgency=low
+
+ * Note to people using mod_proxy as forward proxy, i.e. with
+ 'ProxyRequests on':
+ This release disables the configuration in mods-available/proxy.conf
+ by default. You should verify that access control for proxy access
+ still works as intended. This is especially important if you have
+ your forward proxy configuration in a different configuration file
+ than proxy.conf.
+
+ -- Stefan Fritsch Mon, 19 Apr 2010 22:36:57 +0200
+
+apache2 (2.2.15-1) unstable; urgency=low
+
+ * This release adds and enables mod_reqtimeout, which limits the time
+ Apache waits for a client to send a complete request. This helps to
+ mitigate against certain denial of service attacks. In case of problems
+ with slow clients, the timeout values can be adjusted in
+ /etc/apache2/mods-available/reqtimeout.conf , or the module can be
+ disabled with "a2dismod reqtimeout".
+
+ -- Stefan Fritsch Sun, 07 Mar 2010 23:09:30 +0100
+
+apache2 (2.2.14-6) unstable; urgency=low
+
+ * Apache now uses the environment variables APACHE_RUN_DIR, APACHE_LOCK_DIR,
+ and APACHE_LOG_DIR in the default configuration. If you have modified
+ /etc/apache2/envvars, make sure that these variables are set and exported.
+ * There is now some support for running multiple instances of Apache on the
+ same machine. See the documentation in /usr/share/doc/apache2.2-common for
+ details.
+
+ -- Stefan Fritsch Sun, 07 Feb 2010 13:56:59 +0100
+
+apache2 (2.2.13-2) unstable; urgency=high
+
+ * The new support for TLS Server Name Indication added in 2.2.12 causes
+ Apache to be stricter about certain misconfigurations involving name
+ based SSL virtual hosts.
This may result in Apache refusing to start
+ with the logged error message:
+
+ Server should be SSL-aware but has no certificate configured
+ [Hint: SSLCertificateFile]
+
+ Up to 2.2.11, Apache accepted configurations where the necessary SSL
+ configuration statements were included in the first (default)
+ block but not in subsequent
+ blocks. Starting with 2.2.12, every VirtualHost block used with SSL must
+ contain the SSLEngine, SSLCertificateFile, and SSLCertificateKeyFile
+ directives (SSLCertificateKeyFile is optional in some cases).
+
+ When you encounter the above problem, the output of the command
+
+ egrep -ir '^[^#]*(sslcertificate|sslengine|virtualhost)' \
+ /etc/apache2/*conf* /etc/apache2/*enabled
+
+ may be useful to determine which VirtualHost sections need to be changed.
+
+ Also, formerly accidentially working constructs like
+
+
+
+ where one virtual host definition is used for both a non-ssl and a ssl
+ virtual host do not work anymore. You can achieve a similar effect with
+
+
+ Include /.../vhost.include
+
+
+ SSLEngine on
+ SSLCertificateFile ...
+ Include /.../vhost.include
+
+
+ -- Stefan Fritsch Wed, 16 Sep 2009 20:14:59 +0200
+
+apache2 (2.2.9-3) unstable; urgency=low
+
+ * The directive "NameVirtualHost *" has been changed to "NameVirtualHost
+ *:80". It has also been moved from sites-available/default to ports.conf.
+ This allows to ship a proper SSL default virtual host config in
+ sites-available/default-ssl, but it means that if you use several name
+ based virtual hosts:
+
+ - you will have to change to in your
+ name based virtual hosts
+
+ - you need to add more NameVirtualHost directives if you use other ports
+ than 80 with name based virtual hosts. You may also have to add these
+ ports to the default virtual host in /etc/apache2/sites-available/default
+ (like this: "").
+
+ If you prefer to revert to the old setup instead (and don't need the
+ default-ssl host), just change "NameVirtualHost *:80" back to
+ "NameVirtualHost *" in ports.conf and "" to
+ "" in sites-available/default.
+
+ * For mod_disk_cache, caching is again disabled in disk_cache.conf by
+ default. It usually makes more sense to enable this on a per-virtual host
+ basis.
+
+ -- Stefan Fritsch Mon, 30 Jun 2008 19:47:52 +0200
+
+apache2 (2.2.8-5) unstable; urgency=low
+
+ * The suexec helper program needed for mod_suexec is now shipped in a
+ separate package, apache2-suexec, which is not installed by default.
+ You need to install this package manually if you are using mod_suexec.
+
+ There is now also the apache2-suexec-custom package, which contains a
+ customizable version of suexec which can be used with different document
+ roots than /var/www.
+
+ -- Stefan Fritsch Sun, 04 May 2008 20:24:00 +0200
+
+apache2 (2.2.8-1) unstable; urgency=low
+
+ * The Apache User and Group and the PidFile path are now configured in
+ /etc/apache2/envvars, to make it easier to use them in scripts
+ (like the init and logrotate scripts, and apache2ctl).
+ If you have changed these settings from their default values, you need to
+ adjust /etc/apache2/envvars.
+ This also means that starting apache2 with "apache2 -k start" is no longer
+ possible, you have to use /etc/init.d/apache2 or apache2ctl.
+
+ -- Stefan Fritsch Tue, 15 Jan 2008 21:41:23 +0100
+
+apache2 (2.2.4-2) unstable; urgency=low
+
+ * This version introduces some changes in the configuration layout and
+ defaults. You will probably have to adjust your configuration accordingly.
+
+ - Module specific configuration has been moved from
+ /etc/apache2/apache2.conf to /etc/apache2/mods-available/*.conf for the
+ following modules:
+ actions alias autoindex
+ info mime negotiation
+ setenvif status
+
+ - AddDefaultCharset is again disabled by default.
See
+ /etc/apache2/conf.d/charset
+
+ - "Listen 443" is automatically enabled in /etc/apache2/ports.conf if
+ mod_ssl is enabled.
+
+ * The NO_START functionality from /etc/default/apache2 has been removed. If
+ you don't want to start apache2 on boot, rename the S*apache2 start
+ symlinks as usual.
+
+ * To ensure that the disk cache does not grow indefinitely, htcacheclean is
+ now started when mod_disk_cache is enabled. The details can be configured
+ in /etc/default/apache2 .
+
+ -- Stefan Fritsch Mon, 09 Jul 2007 21:50:58 +0200
--- apache2-2.2.16.orig/debian/a2dismod.8
+++ apache2-2.2.16/debian/a2dismod.8
@@ -0,0 +1 @@
+.so man8/a2enmod.8
--- apache2-2.2.16.orig/debian/apachectl.8
+++ apache2-2.2.16/debian/apachectl.8
@@ -0,0 +1 @@
+.so man8/apache2ctl.8
--- apache2-2.2.16.orig/debian/control
+++ apache2-2.2.16/debian/control
@@ -0,0 +1,205 @@
+Source: apache2
+Section: httpd
+Priority: optional
+Maintainer: Ubuntu Developers
+XSBC-Original-Maintainer: Debian Apache Maintainers
+Uploaders: Tollef Fog Heen , Thom May , Adam Conrad , Peter Samuelson , Stefan Fritsch , Steinar H. Gunderson
+Build-Depends: debhelper (>= 7.4.3), dpatch, lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev (>= 1.2.7-6), openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev (>= 0.9.8m), sharutils, libcap-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], autoconf, hardening-wrapper
+Build-Conflicts: autoconf2.13
+Standards-Version: 3.9.0
+Vcs-Bzr: http://code.launchpad.net/ubuntu/+source/apache2
+XSBC-Original-Vcs-Browser: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2
+XSBC-Original-Vcs-svn: svn://svn.debian.org/pkg-apache/trunk/apache2
+Homepage: http://httpd.apache.org/
+
+Package: apache2.2-common
+Architecture: any
+Depends: ${misc:Depends}, apache2.2-bin (= ${binary:Version}), apache2-utils, libmagic1, mime-support, lsb-base, procps [!hurd-i386], perl
+Recommends: ssl-cert
+Suggests: www-browser, apache2-doc, apache2-suexec | apache2-suexec-custom, ufw
+Conflicts: apache2-common, apache
+Replaces: apache2-common
+Description: Apache HTTP Server common files
+ The Apache Software Foundation's goal is to build a secure, efficient and
+ extensible HTTP server as standards-compliant open source software. The
+ result has long been the number one web server on the Internet.
+ .
+ This package contains the configuration and support scripts.
+ However, it does *not* include the server itself; for this you need to
+ install one of the apache2-mpm-* packages, such as worker or prefork.
+
+Package: apache2.2-bin
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Conflicts: apache2.2-common (<< 2.2.11-5~)
+Replaces: apache2.2-common (<< 2.2.14-2~)
+Description: Apache HTTP Server common binary files
+ The Apache Software Foundation's goal is to build a secure, efficient and
+ extensible HTTP server as standards-compliant open source software. The
+ result has long been the number one web server on the Internet.
+ .
+ This package contains all binaries but no configuration or support scripts.
+ To get a stand-alone server, you need to install one of the apache2-mpm-*
+ packages, such as worker or prefork. Other packages like gnome-user-share
+ may bring their own Apache configuration, though.
+
+Package: apache2-mpm-worker
+Architecture: any
+Depends: ${misc:Depends}, apache2.2-common (= ${binary:Version}), apache2.2-bin (= ${binary:Version})
+Provides: apache2-mpm, apache2, httpd, httpd-cgi
+Conflicts: apache2-mpm, apache2-common
+Replaces: apache2-mpm-threadpool (<< 2.0.53), apache2-mpm-perchild (<< 2.2.0)
+Description: Apache HTTP Server - high speed threaded model
+ Each Apache Multi-Processing Module provides a different "flavor" of
+ web server binary, compiled with a different processing model.
+ .
+ The worker MPM provides the default threaded implementation. It is
+ recommended especially for high-traffic sites because it is faster
+ and has a smaller memory footprint than the traditional prefork MPM.
+
+Package: apache2-mpm-prefork
+Architecture: any
+Depends: ${misc:Depends}, apache2.2-common (= ${binary:Version}), apache2.2-bin (= ${binary:Version})
+Provides: apache2-mpm, apache2, httpd, httpd-cgi
+Conflicts: apache2-mpm, apache2-common
+Description: Apache HTTP Server - traditional non-threaded model
+ Each Apache Multi-Processing Module provides a different "flavor" of
+ web server binary, compiled with a different processing model.
+ .
+ The prefork MPM provides a non-threaded, pre-forking implementation
+ that handles requests in a manner similar to Apache 1.3. It is not as
+ fast as threaded models, but is considered to be more stable. It is
+ appropriate for sites that need to maintain compatibility with
+ non-thread-safe libraries, and is the best MPM for isolating each
+ request, so that a problem with a single request will not affect any
+ other.
+
+Package: apache2-mpm-event
+Architecture: any
+Depends: ${misc:Depends}, apache2.2-common (= ${binary:Version}), apache2.2-bin (= ${binary:Version})
+Provides: apache2-mpm, apache2, httpd, httpd-cgi
+Conflicts: apache2-mpm, apache2-common
+Description: Apache HTTP Server - event driven model
+ Each Apache Multi-Processing Module provides a different "flavor" of
+ web server binary, compiled with a different processing model.
+ .
+ The event MPM is designed to allow more requests to be served
+ simultaneously by passing off some processing work to supporting
+ threads, freeing up the main threads to work on new requests. It is
+ especially suitable for sites that see extensive KeepAlive traffic.
+ .
+ This MPM is experimental and less tested than the worker and prefork MPMs.
+
+Package: apache2-mpm-itk
+Depends: ${misc:Depends}, apache2.2-common (= ${binary:Version}), apache2.2-bin (= ${binary:Version})
+Provides: apache2-mpm, apache2, httpd, httpd-cgi
+Conflicts: apache2-mpm, apache2-common
+Architecture: any
+Priority: extra
+Description: multiuser MPM for Apache 2.2
+ The ITK Multi-Processing Module (MPM) works in about the same way as the
+ classical "prefork" module (that is, without threads), except that it allows
+ you to constrain each individual vhost to a particular system user. This
+ allows you to run several different web sites on a single server without
+ worrying that they will be able to read each others' files. This is a
+ third-party MPM that is not included in the normal Apache httpd.
+ .
+ Please note that this MPM is somewhat less tested than the MPMs that come with
+ Apache itself.
+
+Package: apache2-utils
+Architecture: any
+Replaces: apache2-common, apache-utils (<< 1.3.33-4)
+Conflicts: apache-common (<< 1.3.28.0.1-1)
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: utility programs for webservers
+ Provides some add-on programs useful for any webserver. These include:
+ - ab (Apache benchmark tool)
+ - logresolve (Resolve IP addresses to hostname in logfiles)
+ - htpasswd (Manipulate basic authentication files)
+ - htdigest (Manipulate digest authentication files)
+ - dbmmanage (Manipulate basic authentication files in DBM format, using perl)
+ - htdbm (Manipulate basic authentication files in DBM format, using APR)
+ - rotatelogs (Periodically stop writing to a logfile and open a new one)
+ - split-logfile (Split a single log including multiple vhosts)
+ - checkgid (Checks whether the caller can setgid to the specified group)
+ - check_forensic (Extract mod_log_forensic output from Apache log files)
+
+Package: apache2-suexec
+Priority: optional
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}, apache2.2-common
+Conflicts: apache2-suexec, apache-common
+Replaces: apache2-suexec
+Description: Standard suexec program for Apache 2 mod_suexec
+ Provides the standard suexec helper program for mod_suexec. This version is
+ compiled with document root /var/www and userdir suffix public_html. If you
+ need different settings, use the package apache2-suexec-custom.
+
+Package: apache2-suexec-custom
+Priority: extra
+Architecture: any
+Depends: ${misc:Depends}, ${shlibs:Depends}, apache2.2-common
+Provides: apache2-suexec
+Conflicts: apache2-suexec, apache-common
+Replaces: apache2-suexec
+Description: Configurable suexec program for Apache 2 mod_suexec
+ Provides a customizable version of the suexec helper program for mod_suexec.
+ This is not the version from upstream, but can be configured with a
+ configuration file.
+ .
+ If you do not need non-standard document root or userdir settings, it is
+ recommended that you use the standard suexec helper program from the
+ apache2-suexec package instead.
+
+Package: apache2
+Architecture: any
+Depends: ${misc:Depends}, apache2-mpm-worker (= ${binary:Version}) | apache2-mpm-prefork (= ${binary:Version}) | apache2-mpm-event (= ${binary:Version}) | apache2-mpm-itk (= ${binary:Version}), apache2.2-common (= ${binary:Version})
+Description: Apache HTTP Server metapackage
+ The Apache Software Foundation's goal is to build a secure, efficient and
+ extensible HTTP server as standards-compliant open source software. The
+ result has long been the number one web server on the Internet.
+ .
+ It features support for HTTPS, virtual hosting, CGI, SSI, IPv6, easy
+ scripting and database integration, request/response filtering, many
+ flexible authentication schemes, and more.
+
+Package: apache2-doc
+Section: doc
+Architecture: all
+Depends: ${misc:Depends}
+Description: Apache HTTP Server documentation
+ This package provides the documentation for Apache 2. For more details
+ see the apache2 package description.
+
+Package: apache2-prefork-dev
+Architecture: any
+Depends: ${misc:Depends}, apache2.2-common (= ${binary:Version}), openssl, libaprutil1-dev
+Conflicts: apache2-threaded-dev
+Priority: extra
+Description: Apache development headers - non-threaded MPM
+ This package provides the development headers and apxs2 binary for
+ apache2-mpm-prefork; see the apache2 package description for more details.
+ .
+ This should only be used when you absolutely *must* support a non-threaded
+ environment (for PHP, for example).
+
+Package: apache2-threaded-dev
+Architecture: any
+Depends: ${misc:Depends}, apache2.2-common (= ${binary:Version}), openssl, libaprutil1-dev
+Conflicts: apache2-prefork-dev
+Provides: apache2-dev
+Priority: extra
+Description: Apache development headers - threaded MPM
+ This package provides the development headers and apxs2 binary for
+ threaded versions of apache2; see the apache2 package description
+ for more details.
+
+Package: apache2-dbg
+Section: debug
+Priority: extra
+Architecture: any
+Depends: ${misc:Depends}, apache2.2-bin (= ${binary:Version})
+Description: Apache debugging symbols
+ This package includes the debugging symbols for Apache 2.
+ See /usr/share/doc/apache2.2-common/README.backtrace for more information.
--- apache2-2.2.16.orig/debian/apache2-dbg.postinst
+++ apache2-2.2.16/debian/apache2-dbg.postinst
@@ -0,0 +1,18 @@
+#!/bin/sh
+set -e
+
+if [ "$1" != "configure" ]; then
+ exit 0
+fi
+
+P=apache2-dbg
+if dpkg --compare-versions "$2" lt 2.2.11-5~ ; then
+ DOCDIR=/usr/share/doc/$P
+ if [ ! -h $DOCDIR -a -d $DOCDIR ] ; then
+ rmdir $DOCDIR 2> /dev/null && ln -s apache2.2-bin $DOCDIR
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
--- apache2-2.2.16.orig/debian/apache2.2-common.postrm
+++ apache2-2.2.16/debian/apache2.2-common.postrm
@@ -0,0 +1,79 @@
+#! /bin/sh
+
+set -e
+
+# Allow apache 2.4 to override what we do.
+if [ -x /etc/apache2/upgrade-to-2.4-in-progress ] ; then
+ set +e
+ /etc/apache2/upgrade-to-2.4-in-progress $0 "$@"
+ ret=$?
+ set -e
+ case $ret in
+ 42)
+ exit 0
+ ;;
+ 43)
+ DONT_PURGE=1
+ ;;
+ 0)
+ : # do nothing
+ ;;
+ *)
+ exit $ret
+ ;;
+ esac
+fi
+
+
+if [ "$1" = purge -a "$DONT_PURGE" != 1 ] ; then
+ rm -f /etc/apache2/httpd.conf \
+ /var/cache/apache2/reload \
+ /var/log/apache2/access.log* \
+ /var/log/apache2/other_vhosts_access.log* \
+ /var/log/apache2/error.log*
+
+ rm -rf /var/cache/apache2/proxy \
+ /var/cache/apache2/mod_disk_cache \
+ /var/run/apache2 \
+ /var/lock/apache2
+
+ for f in /etc/apache2/sites-enabled/* \
+ /etc/apache2/mods-enabled/* ; do
+ [ -L "$f" ] && rm -f "$f"
+ done
+
+ for d in /etc/apache2/sites-enabled/ \
+ /etc/apache2/mods-enabled/ \
+ /etc/apache2/conf.d \
+ /etc/apache2 \
+ /var/log/apache2 \
+ /var/cache/apache2 ; do
+ rmdir $d 2> /dev/null || true
+ done
+
+fi
+
+restore_conffile() {
+ if [ -e $1.dpkg-apache2.2-common.old ] ; then
+ echo Restoring previous version of $1 ...
+ mv $1.dpkg-apache2.2-common.old $1
+ fi
+}
+
+if [ "$1" = abort-upgrade ] ; then
+ restore_conffile /etc/default/apache2
+ restore_conffile /etc/apache2/ports.conf
+ restore_conffile /etc/apache2/conf.d/charset
+fi
+
+if [ "$1" = remove ] ; then
+ MD5SUM="`md5sum /var/www/index.html 2>/dev/null | cut -d ' ' -f 1`"
+ case "$MD5SUM" in
+ 5388f60d7695cb57b87c799ee62d20b2|\
+ 21dde95d9d269cbb2fa6560309dca40c)
+ rm -f /var/www/index.html
+ ;;
+ esac
+fi
+
+#DEBHELPER#
--- apache2-2.2.16.orig/debian/setup-instance
+++ apache2-2.2.16/debian/setup-instance
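Review bot: `DONT_PURGE` is never initialised before the `[ "$1" = purge -a "$DONT_PURGE" != 1 ]` test, so a value of 1 inherited from the calling environment skips the whole purge branch without the upgrade hook having asked for it. Adding `DONT_PURGE=` ahead of the `upgrade-to-2.4-in-progress` check would make exit code 43 the only way to set it. The same test joins two conditions with `-a`, which POSIX marks obsolescent; `[ "$1" = purge ] && [ "$DONT_PURGE" != 1 ]` parses unambiguously. In the hook call `$0`, and in `restore_conffile` `$1`, are expanded unquoted; that is harmless for the fixed paths passed here, but quoting them would match the `"$@"` and `"$f"` already used in this script.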
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -eu
+
+if [ $# != 1 ] ; then
+ echo usage: $0 ''
+ exit 1
+fi
+
+# the SUFFIX must not contain spaces or shell meta characters
+SUFFIX=$1
+
+if [ -e /etc/apache2-$SUFFIX ] ; then
+ echo ERROR: /etc/apache2-$SUFFIX already exists
+ exit 2
+fi
+
+echo Setting up /etc/apache2-$SUFFIX ...
+cp -a /etc/apache2 /etc/apache2-$SUFFIX
+
+echo Setting up /etc/init.d/apache2-$SUFFIX ...
+cp /usr/share/doc/apache2.2-common/examples/secondary-init-script /etc/init.d/apache2-$SUFFIX
+# adjust service name (this prevents us from using a simple symlink)
+perl -p -i -e s,XXX,$SUFFIX, /etc/init.d/apache2-$SUFFIX
+chmod 755 /etc/init.d/apache2-$SUFFIX
+
+echo -n Setting up symlinks:
+for a in a2enmod a2dismod a2ensite a2dissite apache2ctl ; do
+ echo -n " $a-$SUFFIX"
+ ln -s /usr/sbin/$a /usr/local/sbin/$a-$SUFFIX
+done
+echo
+
+echo Setting up /etc/logrotate.d/apache2-$SUFFIX and /var/log/apache2-$SUFFIX ...
+cp -a /etc/logrotate.d/apache2 /etc/logrotate.d/apache2-$SUFFIX
+perl -p -i -e s,apache2,apache2-$SUFFIX,g /etc/logrotate.d/apache2-$SUFFIX
+mkdir /var/log/apache2-$SUFFIX
+chmod 750 /var/log/apache2-$SUFFIX
+chown root:adm /var/log/apache2-$SUFFIX
--- apache2-2.2.16.orig/debian/apache2.2-common.preinst
+++ apache2-2.2.16/debian/apache2.2-common.preinst
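Review bot: The comment `# the SUFFIX must not contain spaces or shell meta characters` states a requirement that the script never checks, while `$SUFFIX` is expanded unquoted into every path and into the Perl expressions `s,XXX,$SUFFIX,` and `s,apache2,apache2-$SUFFIX,g`, where a comma, `$` or `@` in the argument changes what Perl evaluates. The script writes under /etc, /usr/local/sbin and /var/log and runs `chown root:adm`, so it is presumably run as root, and a mistyped argument should be rejected before anything is copied. Right after `SUFFIX=$1` I would add `case "$SUFFIX" in ''|*[!A-Za-z0-9_-]*) echo "ERROR: invalid suffix" ; exit 1 ;; esac` and quote the later expansions (`"/etc/apache2-$SUFFIX"`).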
@@ -0,0 +1,28 @@
+#! /bin/sh -e
+
+mv_conffile() {
+ if [ "`md5sum $1 2>/dev/null | cut -d ' ' -f 1`" = "$2" ] ; then
+ echo Replacing $1 with new version ...
+ mv $1 $1.dpkg-apache2.2-common.old
+ fi
+}
+
+if [ -n "$2" ] && dpkg --compare-versions "$2" lt 2.2.4-2; then
+ mv_conffile /etc/default/apache2 9ac83f9132b78c3aa6dd4d7a583bf476
+ mv_conffile /etc/default/apache2 801eb5156368b54d92ecb578ce710836
+ mv_conffile /etc/apache2/ports.conf d5fcefc335117f400d451de47efeca87
+ mv_conffile /etc/apache2/conf.d/charset 641239a7d2d172856cb1413a47d2e142
+fi
+
+if [ -n "$2" ] && dpkg --compare-versions "$2" lt 2.2.15-4~ ; then
+ # The definition of other_vhosts_access.log has been moved from
+ # apache2.conf to conf.d/other-vhosts-access-log. If the admin has
+ # removed it from apache2.conf, mark it to be disabled in
+ # conf.d/other-vhosts-access-log in the postinst.
+ if ! egrep -q '^ *CustomLog.*other_vhosts_access.log vhost_combined$' /etc/apache2/apache2.conf
+ then
+ touch /etc/apache2/disable-other-vhost-access-log.dpkg-apache2.2-common
+ fi
+fi
+
+#DEBHELPER#
--- apache2-2.2.16.orig/debian/mpms.preinst
+++ apache2-2.2.16/debian/mpms.preinst
@@ -0,0 +1,30 @@
+#!/bin/sh -e
+
+#Debian preinstall handling for apache2
+# Thom May
+
+if [ "$2" ] && dpkg --compare-versions "$2" lt 2.2; then
+ if [ -x "/etc/init.d/apache2" ]; then
+ if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d apache2 stop || true
+ else
+ /etc/init.d/apache2 stop || true
+ fi
+ fi
+ chmod -x /usr/sbin/apache2
+fi
+
+case "$1" in
+ install)
+ rm -f /var/cache/apache2/reload
+ ;;
+ upgrade)
+ if [ -d /var/cache/apache2 ]; then
+ touch /var/cache/apache2/reload
+ fi
+ ;;
+ *)
+ ;;
+esac
+
+#DEBHELPER#
--- apache2-2.2.16.orig/debian/mpms.postinst
+++ apache2-2.2.16/debian/mpms.postinst
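Review bot: In the `lt 2.2.15-4~` branch of apache2.2-common.preinst, `if ! egrep -q ... /etc/apache2/apache2.conf` cannot tell "the admin removed the CustomLog line" from "apache2.conf is missing or unreadable", because egrep exits non-zero in both cases and the `disable-other-vhost-access-log` marker is touched either way. Testing for the file first keeps the marker tied to the case the comment describes: `if [ -f /etc/apache2/apache2.conf ] && ! egrep -q '^ *CustomLog.*other_vhosts_access.log vhost_combined$' /etc/apache2/apache2.conf`. How the postinst consumes the marker is not visible here, so the effect of a spurious marker is inferred. `mv_conffile` also expands `$1` unquoted in `md5sum`, `echo` and `mv`; the paths passed are fixed, so this is a consistency point only.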
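Review bot: In mpms.preinst, `chmod -x /usr/sbin/apache2` runs unguarded under `#!/bin/sh -e`, so if that path is absent or a dangling symlink on an upgrade from a pre-2.2 version, chmod fails and the preinst aborts. The two `stop` calls just above it are deliberately tolerant with `|| true`, which suggests a failure here was not meant to be fatal either. I would guard it, `if [ -e /usr/sbin/apache2 ]; then chmod -x /usr/sbin/apache2; fi`, and add a one-line comment saying why the execute bit is being cleared, since the script gives no reason.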
@@ -0,0 +1,48 @@
+#!/bin/sh
+set -e
+
+if [ "$1" != "configure" ]; then
+ exit 0
+fi
+
+P=apache2-mpm-MPMXXX
+if [ $P = apache2-mpm-prefork ] || [ $P = apache2-mpm-itk ]; then
+ CGI_DIS=cgid
+ CGI_EN=cgi
+else
+ CGI_DIS=cgi
+ CGI_EN=cgid
+fi
+
+#enable cgi/cgid, but only on new installs.
+if [ -z "$2" ]; then
+ a2dismod $CGI_DIS >/dev/null || true
+ a2enmod $CGI_EN >/dev/null || echo "It looks like you've deleted /etc/apache2/mods-available/cgid.load, so mod_cgid cannot be enabled. To fix this, please purge and reinstall apache2.2-common."
+fi
+
+# Migrate our kill symlinks, including ones the user may have done an s/S/K/ to:
+for i in `seq 0 6`; do
+ if [ -L /etc/rc"$i".d/K91apache2 ]; then
+ mv /etc/rc"$i".d/K91apache2 \
+ /etc/rc"$i".d/K09apache2
+ fi
+done
+
+if [ -x "/etc/init.d/apache2" ]; then
+ if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d apache2 start ||true
+ else
+ /etc/init.d/apache2 start ||true
+ fi
+fi
+
+if dpkg --compare-versions "$2" lt 2.2.11-5~ ; then
+ DOCDIR=/usr/share/doc/$P
+ if [ ! -h $DOCDIR -a -d $DOCDIR ] ; then
+ rmdir $DOCDIR 2> /dev/null && ln -s apache2.2-common $DOCDIR
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
--- apache2-2.2.16.orig/debian/convert_docs
+++ apache2-2.2.16/debian/convert_docs
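Review bot: The fallback message after `a2enmod $CGI_EN` always names `cgid.load` and `mod_cgid`, but for the prefork and itk packages `CGI_EN` is `cgi`, so a failure there points the admin at the wrong file and module. Building the message from the variable fixes both cases: `echo "It looks like you've deleted /etc/apache2/mods-available/$CGI_EN.load, so mod_$CGI_EN cannot be enabled. To fix this, please purge and reinstall apache2.2-common."`. The `||` branch fires for any non-zero exit of a2enmod, not only for a missing .load file, so I would also soften "It looks like you've deleted" or let a2enmod's own stderr speak for itself.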
@@ -0,0 +1,96 @@
+#!/usr/bin/perl -w
+
+use strict;
+use File::Path;
+use Fatal qw/mkpath symlink open close/;
+
+scalar @ARGV == 2 or die;
+
+my $SRC=$ARGV[0];
+my $TGT=$ARGV[1];
+
+# list of languages
+my @lang = glob("$SRC/index.html.*") or die;
+map { s{^.*html\.}{} } @lang;
+
+# map "ja.euc-jp" to "ja/", ...
+my %lpath;
+foreach my $l (@lang) {
+ my $t=$l;
+ $t =~ s{\..*$}{};
+ $lpath{$l}="$t/";
+}
+
+
+my @html=`find $SRC -name *.html` or die;
+chomp(@html);
+map { s{^$SRC/}{} } @html;
+
+foreach my $h (@html) {
+ my $dir="";
+ if ($h =~ m{^(.*/)}) {
+ $dir=$1;
+ }
+
+ for my $l (@lang) {
+ my $tdir="$TGT/$lpath{$l}";
+ -d "$tdir$dir" || mkpath("$tdir$dir");
+
+ my $updir=$dir;
+ $updir =~ s{[^/]+}{..}g;
+
+ if ($l eq "en") {
+ conv("$SRC/$h.en", "$tdir$h", $h);
+ }
+ elsif ( -f "$SRC/$h.$l" ) {
+ conv("$SRC/$h.$l", "$tdir$h", $h);
+ }
+ else {
+ symlink("${updir}../en/$h", "$tdir$h");
+ }
+
+ }
+}
+
+open(my $out, ">", "$TGT/index.html");
+print $out '',
+ '',
+ "\n\n";
+foreach my $l (sort values %lpath) {
+ print $out qq{\n};
+}
+print $out '
$l
';
+
+
+### END
+
+
+sub conv {
+ my ($old, $new, $name) = @_;
+
+ open(my $in, "<", $old);
+ local $/;
+ my $file = <$in>;
+ close($in);
+
+ # /mod/ -> /mod/index.html
+ $file =~ s{href="([^:"]*/)"}{href="${1}index.html"}g;
+
+ # style and images now one level up
+ $file =~ s{(src|href)="../(style|images)}{$1="../../$2}g;
+ $file =~ s{(src|href)="./(style|images)}{$1="../$2}g;
+
+ foreach my $l (values %lpath) {
+ # language directories one level up
+ $file =~ s{href="\.\./$l}{href="../../$l}g;
+ $file =~ s{href="\./$l}{href="../$l}g;
+ }
+
+ # Debian tweaks
+ $file =~ s{/usr/local/apache2/conf/httpd[.]conf}{/etc/apache2/apache2.conf}g;
+ $file =~ s{httpd[.]conf}{apache2.conf}g;
+
+ open(my $out, ">", $new);
+ print $out $file;
+ close($out);
+}
--- apache2-2.2.16.orig/debian/mpms.links
+++ apache2-2.2.16/debian/mpms.links
@@ -0,0 +1,2 @@
+usr/lib/apache2/mpm-MPMXXX/apache2 usr/sbin/apache2
+usr/share/bug/apache2.2-common/script usr/share/bug/apache2-mpm-MPMXXX/script
--- apache2-2.2.16.orig/debian/apache2-threaded-dev.dirs
+++ apache2-2.2.16/debian/apache2-threaded-dev.dirs
@@ -0,0 +1,4 @@
+usr/include/apache2
+usr/bin
+usr/share/apache2/build
+usr/share/man/man8
--- apache2-2.2.16.orig/debian/apache2-doc.postinst
+++ apache2-2.2.16/debian/apache2-doc.postinst
@@ -0,0 +1,11 @@
+#!/bin/sh -e
+
+if [ -x "/etc/init.d/apache2" ]; then
+ if [ -x /usr/sbin/invoke-rc.d ]; then
+ invoke-rc.d apache2 reload ||true
+ else
+ /etc/init.d/apache2 reload ||true
+ fi
+fi
+
+#DEBHELPER#
--- apache2-2.2.16.orig/debian/secondary-init-script
+++ apache2-2.2.16/debian/secondary-init-script
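Review bot: In convert_docs the backtick call `find $SRC -name *.html` sends both `$SRC` and the unquoted `*.html` through the shell, so a source path containing spaces or metacharacters is re-parsed, and the pattern is expanded by the shell whenever the current directory holds a matching file, which hands find the wrong `-name` argument. The list form of open avoids the shell: `open(my $find, '-|', 'find', $SRC, '-name', '*.html');` followed by `my @html = <$find>;`. The next line interpolates the same path into a pattern, and `s{^\Q$SRC\E/}{}` would match it literally instead of as a regex. The arguments presumably come from the package build rules, which are not shown here, so this is a robustness point rather than an exposed input. The two `map { s{...}{} }` calls are used only for their side effect and would read more clearly as `s{...}{} for @lang;`.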
@@ -0,0 +1,19 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: apache2-XXX
+# Required-Start: $local_fs $remote_fs $network $syslog
+# Required-Stop: $local_fs $remote_fs $network $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# X-Interactive: true
+# Short-Description: Start/stop apache2 web server (config /etc/apache2-XXX)
+### END INIT INFO
+
+set -e
+
+#
+# this init script can be installed as /etc/init.d/apache2-XXX
+#
+
+# source original init script to keep $0 and other arguments
+. /etc/init.d/apache2
--- apache2-2.2.16.orig/debian/mpms.dirs
+++ apache2-2.2.16/debian/mpms.dirs
@@ -0,0 +1,4 @@
+usr/sbin
+usr/lib/apache2/mpm-MPMXXX
+usr/share/lintian/overrides
+usr/share/bug/apache2-mpm-MPMXXX
--- apache2-2.2.16.orig/debian/README.multiple-instances
+++ apache2-2.2.16/debian/README.multiple-instances
@@ -0,0 +1,99 @@
+Setup
+=====
+
+The scripts apache2ctl, a2enmod, a2ensite, ... and the init script have some
+support for handling multiple instances of apache2 running on the same machine.
+
+The basic idea is to copy /etc/apache2 to /etc/apache2-xxx. An example script
+that demonstrates what else needs to be done can be found in
+/usr/share/doc/apache2.2-common/examples/setup-instance. Use with:
+
+ sh /usr/share/doc/apache2.2-common/examples/setup-instance xxx
+
+Adjust the configuration in /etc/apache2-xxx, especially the listen ports in
+ports.conf and in the virtual host directives in
+/etc/apache2-xxx/sites-enabled/*.
+
+You can then use a2enmod-xxx, /etc/init.d/apache2-xxx, ... as usual, and they
+will affect the new instance of apache2.
+
+To start the new apache2 instance on boot, use
+- if you use dependency based boot sequence (the default):
+ If you don't have ssl keys with passphrases, you may want to set
+ 'X-Interactive: false' in /etc/init.d/apache2-xxx to reduce boot time.
+ Then execute:
+ insserv apache2-xxx
+- otherwise:
+ ln -s ../init.d/apache2-xxx /etc/rc2.d/S80apache2-xxx
+
+To make 'apache2ctl-xxx status' work, you need to set APACHE_STATUSURL in
+/etc/apache2-xxx/envvars.
+
+
+Upgrades
+========
+
+Since onle the configuration files in /etc/apache2 are in the package, the
+configuration of other instances won't change if the default configuration
+changes. Possibly ways to deal with this are:
+
+- Use symlinks to the files in /etc/apache2 where possible instead of copying
+ the files.
+- Don't modify /etc/apache2 at all but use it to track the default
+ configuration. You can then merge the changes into the /etc/apache2-xxx dirs.
+ It may be a good idea to use a version control system for /etc/apache2 to
+ keep track of the changes. See the package etckeeper for keeping the whole
+ /etc dir under version control.
+ An advanced scheme may be for every /etc/apache2* dir to be a separate git
+ repository so that you can easily pull/push changes from one dir to another.
+
+
+Package removal
+===============
+
+The Apache 2 package will only remove the default configuration files and
+directories.
+
+
+Configuration
+=============
+
+The init script will try to read /etc/defaults/apache2-xxx. If that does not
+exist, it will use /etc/defaults/apache2 instead.
+
+The following environment variables can be used to influence the scripts. The
+default apache2 configuration will make use of them, too. Most can be set in
+/etc/apache2-xxx/envvars. Variables set in /etc/apache2-xxx/envvars must be
+exported.
+
+variable default value
+-------- -------------
+APACHE_CONFDIR /etc/apache2 or /etc/apache2-xxx
+APACHE_ENVVARS $APACHE_CONFDIR/envvars
+APACHE_HTTPD /usr/sbin/apache2
+APACHE_ARGUMENTS empty if $APACHE_CONFDIR = /etc/apache2
+ "-d $APACHE_CONFDIR" otherwise
+
+APACHE_RUN_USER www-data
+APACHE_RUN_GROUP www-data
+
+APACHE_PID_FILE /var/run/apache2.pid or /var/run/apachd2-xxx.pid
+APACHE_RUN_DIR /var/run/apache2 or /var/run/apache2-xxx
+APACHE_LOCK_DIR /var/lock/apache2 or /var/lock/apache2-xxx
+APACHE_LOG_DIR /var/log/apache2 or /var/log/apache2-xxx
+
+APACHE_MODS_AVAILABLE $APACHE_CONFDIR/mods-available
+APACHE_MODS_ENABLED $APACHE_CONFDIR/mods-enabled
+APACHE_SITES_AVAILABLE $APACHE_CONFDIR/sites-available
+APACHE_SITES_ENABLED $APACHE_CONFDIR/sites-enabled
+
+APACHE_LYNX www-browser -dump
+APACHE_STATUSURL http://localhost:80/server-status
+
+
+MPMs
+====
+
+You can use different MPMs for different instances by setting APACHE_HTTPD to
+one of /usr/lib/apache2/mpm-*/apache2. Note that some modules like mod_php only
+work with the non-threaded MPMs (prefork, itk).
--- apache2-2.2.16.orig/debian/a2dissite.8
+++ apache2-2.2.16/debian/a2dissite.8
@@ -0,0 +1 @@
+.so man8/a2ensite.8
--- apache2-2.2.16.orig/debian/apache2-suexec.lintian-overrides
+++ apache2-2.2.16/debian/apache2-suexec.lintian-overrides
@@ -0,0 +1,2 @@
+setuid-binary usr/lib/apache2/suexec 4754 root/www-data
+package-relation-with-self replaces: apache2-suexec
--- apache2-2.2.16.orig/debian/apache2ctl.8
+++ apache2-2.2.16/debian/apache2ctl.8
@@ -0,0 +1,182 @@
+.TH apache2ctl 8 "April 2008"
+.\" The Apache Software License, Version 1.1
+.\"
+.\" Copyright (c) 2000-2002 The Apache Software Foundation. All rights
+.\" reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. The end-user documentation included with the redistribution,
+.\" if any, must include the following acknowledgment:
+.\" "This product includes software developed by the
+.\" Apache Software Foundation (http://www.apache.org/)."
+.\" Alternately, this acknowledgment may appear in the software itself,
+.\" if and wherever such third-party acknowledgments normally appear.
+.\"
+.\" 4. The names "Apache" and "Apache Software Foundation" must
+.\" not be used to endorse or promote products derived from this
+.\" software without prior written permission. For written
+.\" permission, please contact apache@apache.org.
+.\"
+.\" 5. Products derived from this software may not be called "Apache",
+.\" nor may "Apache" appear in their name, without prior written
+.\" permission of the Apache Software Foundation.
+.\"
+.\" THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+.\" WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+.\" DISCLAIMED.
IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+.\" OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" This software consists of voluntary contributions made by many
+.\" individuals on behalf of the Apache Software Foundation. For more
+.\" information on the Apache Software Foundation, please see
+.\" .
+.\"
+.SH NAME
+apache2ctl \- Apache HTTP server control interface
+.SH SYNOPSIS
+When acting in SysV init mode, apache2ctl takes simple, one-word commands,
+defined below.
+.PP
+.B apachectl
+.I command
+.PP
+.B apache2ctl
+.I command
+.PP
+When acting in pass-through mode, apache2ctl can take all the arguments available
+for the httpd binary.
+.PP
+.B apachectl
+.RI [ httpd-argument ]
+.PP
+.B apache2ctl
+.RI [ httpd-argument ]
+.PP
+.SH DESCRIPTION
+.B apache2ctl
+is a front end to the Apache HyperText Transfer Protocol (HTTP)
+server. It is designed to help the administrator control the
+functioning of the Apache
+.B apache2
+daemon.
+.PP
+.B NOTE:
+The default Debian configuration requires the environment variables
+.BR APACHE_RUN_USER ,
+.BR APACHE_RUN_GROUP ,
+and
+.B APACHE_PID_FILE
+to be set in
+.BR /etc/apache2/envvars .
+.PP
+The
+.B apache2ctl
+script returns a 0 exit value on success, and >0 if an error
+occurs. For more details, view the comments in the script.
+.PP
+.SH OPTIONS
+The \fIcommand\fP can be any one or more of the following options:
+.TP 14
+.BI start
+Start the Apache daemon. Gives an error if it is already running.
+.TP
+.BI stop
+Stops the Apache daemon.
+.TP
+.BI restart
+Restarts the Apache daemon by sending it a SIGHUP. If the daemon
+is not running, it is started.
+This command automatically checks the configuration files via
+.BI configtest
+before initiating the restart to to catch the most obvious errors.
+However, it is still possible for the daemon to die because of problems
+with the configuration.
+.TP
+.BI fullstatus
+Displays a full status report from
+.B mod_status.
+For this to work, you need to have mod_status enabled on your server
+and a text-based browser such as \fIlynx\fP available on your system. The
+URL used to access the status report can be set by setting the
+.B APACHE_STATUSURL
+variable in
+.BR /etc/apache2/envvars .
+.TP
+.BI status
+Displays a brief status report. Similar to the fullstatus option,
+except that the list of requests currently being served is omitted.
+.TP
+.BI graceful
+Gracefully restarts the Apache daemon by sending it a SIGUSR1. If
+the daemon is not running, it is started. This differs from a
+normal restart in that currently open connections are not aborted.
+A side effect is that old log files will not be closed immediately.
+This means that if used in a log rotation script, a substantial delay may be
+necessary to ensure that the old log files are closed before processing them.
+This command automatically checks the configuration files via apache2ctl
+configtest before initiating the restart to to catch the most obvious errors.
+However, it is still possible for the daemon to die because of problems with
+the configuration.
+.TP
+.BI graceful-stop
+Gracefully stops the Apache httpd daemon.
+This differs from a normal stop in that currently open connections are not
+aborted.
+A side effect is that old log files will not be closed immediately.
+.TP
+.BI configtest
+Run a configuration file syntax test. It parses the configuration
+files and either reports
+.B "Syntax Ok"
+or information about the particular syntax error. This test does not catch
+all errors.
+.TP
+.BI help
+Displays a short help message.
+.TP
+The following option was available in earlier versions but has been removed.
+.TP
+.BI startssl
+To start httpd with SSL support, you should edit your configuration file to
+include the relevant directives and then use the normal apache2ctl start.
+.SH ENVIRONMENT
+The behaviour of
+.B apache2ctl
+can be influenced with these environment variables:
+.BR APACHE_HTTPD ,
+.BR APACHE_LYNX ,
+.BR APACHE_STATUSURL ,
+.BR APACHE_ULIMIT_MAX_FILES ,
+.BR APACHE_RUN_DIR ,
+.BR APACHE_LOCK_DIR ,
+.BR APACHE_RUN_USER ,
+.BR APACHE_ARGUMENTS ,
+.BR APACHE_ENVVARS .
+See the comments in the script for details.
+These variables (except
+.BR APACHE_ENVVARS )
+can be set in
+.BR /etc/apache2/envvars .
+.SH SEE ALSO
+.BR apache2(8) ,
+.BR /usr/share/doc/apache2.2-common/README.Debian.gz
+.
--- apache2-2.2.16.orig/debian/apache2.2-common.install
+++ apache2-2.2.16/debian/apache2.2-common.install
@@ -0,0 +1,7 @@
+usr/share/apache2/icons
+usr/share/apache2/error
+usr/sbin/envvars-std usr/share/apache2/build
+etc/apache2 usr/share/doc/apache2.2-common/examples
+debian/config-dir/* etc/apache2
+debian/a2enmod usr/sbin
+debian/apache2ctl usr/sbin
--- apache2-2.2.16.orig/debian/apache2-suexec.install
+++ apache2-2.2.16/debian/apache2-suexec.install
@@ -0,0 +1,2 @@
+usr/sbin/suexec usr/lib/apache2
+usr/share/man/man8/suexec.8
--- apache2-2.2.16.orig/debian/apache2-doc.doc-base
+++ apache2-2.2.16/debian/apache2-doc.doc-base
@@ -0,0 +1,10 @@
+Document: apache2-manual
+Title: Apache HTTP Server Version 2.2 Documentation
+Abstract: This documentation describes the configuration of the Apache Web
+ server and the included modules.
+Section: web
+
+Format: HTML
+Index: /usr/share/doc/apache2-doc/manual/en/index.html
+Files: /usr/share/doc/apache2-doc/manual/*/*.html
+ /usr/share/doc/apache2-doc/manual/*/*/*.html
--- apache2-2.2.16.orig/debian/apache2.monit
+++ apache2-2.2.16/debian/apache2.monit
@@ -0,0 +1,7 @@
+check process apache2 with pidfile /var/run/apache2.pid
+ group www
+ start program = "/etc/init.d/apache2 start"
+ stop program = "/etc/init.d/apache2 stop"
+ if failed host localhost port 80
+ protocol HTTP request "/" then restart
+ if 5 restarts within 5 cycles then timeout
--- apache2-2.2.16.orig/debian/apache2-utils.install
+++ apache2-2.2.16/debian/apache2-utils.install
@@ -0,0 +1,19 @@
+usr/sbin/ab /usr/bin
+usr/share/man/man1/ab.1
+usr/sbin/checkgid
+usr/sbin/dbmmanage usr/bin/
+usr/share/man/man1/dbmmanage.1
+usr/sbin/htdbm usr/bin/
+usr/share/man/man1/htdbm.1
+usr/sbin/htdigest usr/bin/
+usr/share/man/man1/htdigest.1
+usr/sbin/htpasswd usr/bin/
+usr/share/man/man1/htpasswd.1
+usr/sbin/logresolve /usr/bin
+usr/share/man/man1/logresolve.1
+usr/sbin/rotatelogs
+usr/share/man/man8/rotatelogs.8
+usr/sbin/htcacheclean
+usr/share/man/man8/htcacheclean.8
+support/check_forensic usr/sbin
+debian/build-tree/worker/support/split-logfile usr/sbin
--- apache2-2.2.16.orig/debian/watch
+++ apache2-2.2.16/debian/watch
@@ -0,0 +1,2 @@
+version=3
+http://www.apache.org/dist/httpd/httpd-(2\.2.*)\.tar\.gz
--- apache2-2.2.16.orig/debian/compat
+++ apache2-2.2.16/debian/compat
@@ -0,0 +1 @@
+7
--- apache2-2.2.16.orig/debian/apache2.2-common.apache2.default
+++ apache2-2.2.16/debian/apache2.2-common.apache2.default
@@ -0,0 +1,26 @@
+### htcacheclean settings ###
+
+## run htcacheclean: yes, no, auto
+## auto means run if /etc/apache2/mods-enabled/disk_cache.load exists
+## default: auto
+HTCACHECLEAN_RUN=auto
+
+## run mode: cron, daemon
+## run in daemon mode or as daily cron job
+## default: daemon
+HTCACHECLEAN_MODE=daemon
+
+## cache size
+HTCACHECLEAN_SIZE=300M
+
+## interval: if in daemon mode, clean cache every x minutes
+HTCACHECLEAN_DAEMON_INTERVAL=120
+
+## path to cache
+## must be the same as in CacheRoot directive
+HTCACHECLEAN_PATH=/var/cache/apache2/mod_disk_cache
+
+## additional options:
+## -n : be nice
+## -t : remove empty directories
+HTCACHECLEAN_OPTIONS="-n"
--- apache2-2.2.16.orig/debian/apache2.2-common.bug-control
+++ apache2-2.2.16/debian/apache2.2-common.bug-control
@@ -0,0 +1 @@
+package-status: apache2-mpm-prefork apache2-mpm-worker apache2-mpm-event apache2-mpm-itk
--- apache2-2.2.16.orig/debian/apache2.2-common.links
+++ apache2-2.2.16/debian/apache2.2-common.links
@@ -0,0 +1,4 @@
+usr/sbin/a2enmod usr/sbin/a2dismod
+usr/sbin/a2enmod usr/sbin/a2ensite
+usr/sbin/a2enmod usr/sbin/a2dissite
+usr/sbin/apache2ctl usr/sbin/apachectl
--- apache2-2.2.16.orig/debian/apache2-dbg.dirs
+++ apache2-2.2.16/debian/apache2-dbg.dirs
@@ -0,0 +1,5 @@
+usr/lib/debug/usr/sbin
+usr/lib/debug/usr/lib/apache2/mpm-worker
+usr/lib/debug/usr/lib/apache2/mpm-prefork
+usr/lib/debug/usr/lib/apache2/mpm-event
+usr/lib/debug/usr/lib/apache2/mpm-itk
--- apache2-2.2.16.orig/debian/checkgid.8
+++ apache2-2.2.16/debian/checkgid.8
@@ -0,0 +1,36 @@
+.\" Hey, EMACS: -*- nroff -*-
+.\" First parameter, NAME, should be all caps
+.\" Second parameter, SECTION, should be 1-8, maybe w/ subsection
+.\" other parameters are allowed: see man(7), man(1)
+.TH CHECKGID 8 "November 3rd, 2001"
+.\" Please adjust this date whenever revising the manpage.
+.\"
+.\" Some roff macros, for reference:
+.\" .nh disable hyphenation
+.\" .hy enable hyphenation
+.\" .ad l left justify
+.\" .ad b justify to both left and right margins
+.\" .nf disable filling
+.\" .fi enable filling
+.\" .br insert line break
+.\" .sp insert n+1 empty lines
+.\" for manpage-specific macros, see man(7)
+.SH NAME
+checkgid \- checks the gid
+.SH SYNOPSIS
+.B checkgid group
+.SH DESCRIPTION
+This manual page documents briefly the
+.B checkgid
+command.
+.PP
+.\" TeX users may be more comfortable with the \fB\fP and
+.\" \fI\fP escape sequences to invode bold face and italics,
+.\" respectively.
+\fBcheckgid\fP is a program that checks whether it can setgid to the group
+specified. This is to see if it is a valid group for apache2 to use at runtime.
+If the user (should be run as superuser) is in that group, or can setgid to it,
+it will return 0.
+.SH AUTHOR
+This manual page was written by Daniel Stone for the Debian
+GNU/Linux distribution, as the original did not have a manpage.
--- apache2-2.2.16.orig/debian/logrotate
+++ apache2-2.2.16/debian/logrotate
@@ -0,0 +1,13 @@
+/var/log/apache2/*.log {
+ weekly
+ missingok
+ rotate 52
+ compress
+ delaycompress
+ notifempty
+ create 640 root adm
+ sharedscripts
+ postrotate
+ /etc/init.d/apache2 reload > /dev/null
+ endscript
+}
--- apache2-2.2.16.orig/debian/apache2.bug-control
+++ apache2-2.2.16/debian/apache2.bug-control
@@ -0,0 +1 @@
+Submit-As: apache2.2-common
--- apache2-2.2.16.orig/debian/apache2-doc.conf
+++ apache2-2.2.16/debian/apache2-doc.conf
@@ -0,0 +1,10 @@
+Alias /manual /usr/share/doc/apache2-doc/manual/
+
+
+ Options Indexes FollowSymlinks
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+ AddDefaultCharset off
+
+
--- apache2-2.2.16.orig/debian/source.lintian-overrides
+++ apache2-2.2.16/debian/source.lintian-overrides
@@ -0,0 +1,2 @@
+apache2 source: ancient-autotools-helper-file srclib/apr-util/xml/expat/conftools/config.sub 2002-03-07
+apache2 source: ancient-autotools-helper-file srclib/apr-util/xml/expat/conftools/config.guess 2002-03-20
--- apache2-2.2.16.orig/debian/apache2.postinst
+++ apache2-2.2.16/debian/apache2.postinst
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+if [ "$1" != "configure" ]; then
+ exit 0
+fi
+
+# postinst for apache2, apache2-prefork-dev, apache2-threaded-dev
+
+P=apache2
+if dpkg --compare-versions "$2" lt 2.2.11-5~ ; then
+ DOCDIR=/usr/share/doc/$P
+ if [ ! -h $DOCDIR -a -d $DOCDIR ] ; then
+ rmdir $DOCDIR 2> /dev/null && ln -s apache2.2-common $DOCDIR
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
--- apache2-2.2.16.orig/debian/clean
+++ apache2-2.2.16/debian/clean
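Review bot: In debian/apache2-doc.conf the manual is published to every client through `Allow from all`, and `Options Indexes` additionally enables directory listings under `/manual`. The snippet is presumably installed into the `etc/apache2/conf.d` directory that apache2-doc.dirs creates, in which case installing the documentation package exposes the manual on every virtual host and tells any visitor which server release line is in use. Unless public access is intended, restrict the default to local clients with `Allow from 127.0.0.0/255.0.0.0 ::1/128`, and drop `Indexes` if nothing depends on listings, leaving `Options FollowSymLinks`. The two bare `+` lines around the directives look like `<Directory>` open and close lines lost in this rendering, so the exact scope cannot be confirmed from the hunk.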
@@ -0,0 +1,28 @@
+debian/apache2-mpm-worker.postinst
+debian/apache2-mpm-worker.preinst
+debian/apache2-mpm-worker.prerm
+debian/apache2-mpm-worker.lintian-overrides
+debian/apache2-mpm-worker.dirs
+debian/apache2-mpm-worker.links
+debian/apache2-mpm-event.postinst
+debian/apache2-mpm-event.preinst
+debian/apache2-mpm-event.prerm
+debian/apache2-mpm-event.lintian-overrides
+debian/apache2-mpm-event.dirs
+debian/apache2-mpm-event.links
+debian/apache2-mpm-prefork.postinst
+debian/apache2-mpm-prefork.preinst
+debian/apache2-mpm-prefork.prerm
+debian/apache2-mpm-prefork.lintian-overrides
+debian/apache2-mpm-prefork.dirs
+debian/apache2-mpm-prefork.links
+debian/apache2-mpm-itk.postinst
+debian/apache2-mpm-itk.preinst
+debian/apache2-mpm-itk.prerm
+debian/apache2-mpm-itk.lintian-overrides
+debian/apache2-mpm-itk.dirs
+debian/apache2-mpm-itk.links
+debian/apache2-prefork-dev.postinst
+debian/apache2-threaded-dev.postinst
+debian/tmp-worker
+debian/tmp-prefork
--- apache2-2.2.16.orig/debian/apache2-suexec-custom.dirs
+++ apache2-2.2.16/debian/apache2-suexec-custom.dirs
@@ -0,0 +1,2 @@
+usr/lib/apache2
+etc/apache2/suexec
--- apache2-2.2.16.orig/debian/apache2-doc.install
+++ apache2-2.2.16/debian/apache2-doc.install
@@ -0,0 +1,3 @@
+usr/share/apache2/default-site/htdocs/manual usr/share/doc/apache2-doc
+usr/lib/cgi-bin/printenv usr/share/doc/apache2-doc/cgi-examples
+usr/lib/cgi-bin/test-cgi usr/share/doc/apache2-doc/cgi-examples
--- apache2-2.2.16.orig/debian/mpms.lintian-overrides
+++ apache2-2.2.16/debian/mpms.lintian-overrides
@@ -0,0 +1,2 @@
+binary-without-manpage usr/sbin/apache2
+debug-package-should-be-named-dbg usr/lib/debug/usr/
--- apache2-2.2.16.orig/debian/mpm-itk/CHANGES
+++ apache2-2.2.16/debian/mpm-itk/CHANGES
@@ -0,0 +1,44 @@
+apache2.2-mpm-itk 2.2.11-02, released 2009-04-14:
+
+ * Really fix the waitpid() code; thanks to Dave Cundiff for spotting the typo.
+ * Add CAP_DAC_READ_SEARCH to the list of capabilities, so Apache can read
+ .htaccess files that are not world readable. This should fix some of the
+ "permission denied" problems that cropped up in 2.2.11-01, although you
+ will still see the problem if you use root-squashed NFS.
+
+apache2.2-mpm-itk 2.2.11-01, released 2009-03-21:
+
+ * NOTE: This release contains major new functionality. As with mpm-itk in
+ general, you may want to consider closely whether you actually want to
+ put it in production. Also note that Apache 2.0 is no longer supported.
+ * Updated for Apache 2.2.11 (in particular, prefork had a few minor changes
+ that are now incorporated).
+ * Allow uid/gid and nice value to be set per-directory (actually per-location)
+ in addition to per-vhost. Adapted from patch by Knut Auvor Grythe.
+ * Some minor code cleanups.
+ * If waitpid() is interrupted by a signal (returning EINTR), try again.
+ This fixes a race condition where a graceful restart could fail and hang
+ the child forever. Adapted from patch by Jan Boysen, who also diagnosed and
+ reported the bug.
+ * As a side effect of the per-directory patches doing proper config merging,
+ you can now set default values for all options outside the vhost definitions
+ and have them get properly overridden by settings in more specific scopes.
+ * Fix a small memory leak on reload by using apr_pstrdup() instead of
+ strdup().
+
+apache2.2-mpm-itk 2.2.6-02, released 2008-07-27:
+
+ * Fix a typo in the autoconf snippet that would prevent building with
+ capability dropping support. Note that you'll need to run autoheader before
+ autoconf to get -lcap detected (the Debian/Ubuntu packages was missing
+ this, so others might as well).
+
+apache2.2-mpm-itk 2.2.6-01, released 2008-01-05:
+
+ * Updated 01-copy-prefork.patch to let prefork.c come from Apache 2.2.6
+ instead of 2.2.3. Updated all the patches so they apply cleanly
+ afterwards. In other words, there is no mpm-itk-specific functionality
+ in this release, it's only a maintenance release against the latest
+ Apache.
+ * Removed a few instances of trailing whitespace in the patches.
+ * Added this changelog.
--- apache2-2.2.16.orig/debian/mpm-itk/README
+++ apache2-2.2.16/debian/mpm-itk/README
@@ -0,0 +1,121 @@ +This is a copy of the documentation available at http://mpm-itk.sesse.net/, +dumped with the Lynx web browser and edited briefly. + + The Apache 2 ITK MPM + + apache2-mpm-itk (just mpm-itk for short) is an MPM (Multi-Processing + Module) for the [1]Apache web server. mpm-itk allows you to run each of + your vhost under a separate uid and gid -- in short, the scripts and + configuration files for one vhost no longer have to be readable for all + the other vhosts. + + There are already MPMs available that do this; however, I am not aware + of any besides mpm-itk that are actively developed. (If you only run + CGI scripts, suexec will probably solve most of your problems with any + MPM.) + + mpm-itk is based on the traditional prefork MPM, which means it's + non-threaded; in short, this means you can run non-thread-aware code + (like many [2]PHP extensions) without problems. On the other hand, you + lose out to any performance benefit you'd get with threads, of course; + you'd have to decide for yourself if that's worth it or not. You will + also take an additional performance hit over prefork, since there's an + extra fork per request. + +Installation + + If you can't apply a patch, you probably should not be using this. :-) + However, several distributions now include mpm-itk as a choice + alongside the other MPMs; in alphabetical order: + * [3]Arch Linux + * [4]Debian GNU/Linux + * [5]FreeBSD ports + * [6]Gentoo Linux + * [7]Mandriva + * [8]Ubuntu + + If you know of any I missed, or if you have included mpm-itk in your + favourite distribution, please drop me a note (see below). I'd always + be happy to expand this list :-) + +Configuration + + The new configuration settings compared to the prefork MPM are: + * AssignUserID: Takes two parameters, uid and gid (or really, user + name and group name); specifies what uid and gid the vhost will run + as (after parsing the request etc., of course). 
Note that if you do + not assign a user ID, the default one from Apache will be used. + * MaxClientsVHost: A separate MaxClients for the vhost. This can be + useful if, say, half of your vhosts depend on some NFS server (like + on our setup); if the NFS server goes down, you do not want the + children waiting forever on NFS to take the non-NFS-dependent hosts + down. This can thus act as a safety measure, giving "server too + busy" on the NFS-dependent vhosts while keeping the other ones + happily running. (Of course, you could use it to simply keep one + site from eating way too much resources, but there are probably + better ways of doing that.) + * NiceValue: Lets you nice some requests down, to give them less CPU + time. + + AssignUserID and NiceValue can be set wherever you'd like in the Apache + configuration, except in .htaccess. MaxClientsVHost can only be set + inside a VirtualHost directive. + +Quirks and warnings + + Since mpm-itk has to be able to setuid(), it runs as root (although + restricted with POSIX capabilities where possible) until the request is + parsed and the vhost determined. This means that any security hole + before the request is parsed will be a root security hole. (The most + likely place is probably in mod_ssl.) This is not going to change in + the near future, as the most likely alternative solution (socket + passing and its variants) is very hard to get to work properly in a + number of common use cases, like SSL. + + The lack of socket passing also leads to another minor quirk: if you + connect to httpd, make a request and then make a request on the same + connection that gets handled by a different uid, mpm-itk simply shuts + down the connection. This is perfectly legal according to RFC2616, and + all major clients seem to handle it well; the web server simply + simulates a timeout, and the client just opens a new connection and + retries the request. 
However, there is a small performance hit, and + thus you should avoid including content from multiple uids in the same + page. + + Note that mpm-itk is experimental software; and we've done a fair + amount of stress testing, but it's nowhere as tested as, say, prefork. + That being said, it's being run in production at several sites in the + world, both hobbyist and commercial, some as large as ~10 million hits + a day. + + People have reported issues with mpm-itk and mod_python, mod_ruby and + FastCGI. I believe the mod_python and FastCGI problems have been + largely solved by updates to those packages, but as I use neither, I + can't really guarantee anything. YMMV, test before use. + +Licensing + + mpm-itk is licensed under the Apache License, version 2.0, like the + rest of Apache. + +Contact + + mpm-itk is developed by Steinar H. Gunderson; e-mail address is at my + [9]home page. + + There is a user mailing list at mpm-itk [at] lists.err.no. Visit the + [10]mailing list page to subscribe, or send a blank e-mail to + mpm-itk-subscribe [at] lists.err.no. + +References + + 1. http://www.apache.org/ + 2. http://www.php.net/ + 3. http://www.archlinux.org/ + 4. http://www.debian.org/ + 5. http://www.freebsd.org/ + 6. http://www.gentoo.org/ + 7. http://www.mandriva.com/ + 8. http://www.ubuntu.com/ + 9. http://www.sesse.net/ + 10. http://lists.err.no/mailman/listinfo/mpm-itk --- apache2-2.2.16.orig/debian/mpm-itk/COPYRIGHT +++ apache2-2.2.16/debian/mpm-itk/COPYRIGHT 
@@ -0,0 +1,686 @@ +apache2-mpm-itk is copyright Steinar H. Gunderson +and Knut Auvor Grythe , and is provided under the same license +as the Apache web server. + +Get the latest version at http://mpm-itk.sesse.net/ . + +The entire license text for Apache is: + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). 
+ + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. 
Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative 
Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + + +APACHE HTTP SERVER SUBCOMPONENTS: + +The Apache HTTP Server includes a number of subcomponents with +separate copyright notices and license terms. Your use of the source +code for the these subcomponents is subject to the terms and +conditions of the following licenses. + +For the mod_mime_magic component: + +/* + * mod_mime_magic: MIME type lookup via file magic numbers + * Copyright (c) 1996-1997 Cisco Systems, Inc. + * + * This software was submitted by Cisco Systems to the Apache Group in July + * 1997. Future revisions and derivatives of this source code must + * acknowledge Cisco Systems as the original contributor of this module. + * All other licensing and usage conditions are those of the Apache Group. 
+ * + * Some of this code is derived from the free version of the file command + * originally posted to comp.sources.unix. Copyright info for that program + * is included below as required. + * --------------------------------------------------------------------------- + * - Copyright (c) Ian F. Darwin, 1987. Written by Ian F. Darwin. + * + * This software is not subject to any license of the American Telephone and + * Telegraph Company or of the Regents of the University of California. + * + * Permission is granted to anyone to use this software for any purpose on any + * computer system, and to alter it and redistribute it freely, subject to + * the following restrictions: + * + * 1. The author is not responsible for the consequences of use of this + * software, no matter how awful, even if they arise from flaws in it. + * + * 2. The origin of this software must not be misrepresented, either by + * explicit claim or by omission. Since few users ever read sources, credits + * must appear in the documentation. + * + * 3. Altered versions must be plainly marked as such, and must not be + * misrepresented as being the original software. Since few users ever read + * sources, credits must appear in the documentation. + * + * 4. This notice may not be removed or altered. + * ------------------------------------------------------------------------- + * + */ + + +For the modules\mappers\mod_imap.c component: + + "macmartinized" polygon code copyright 1992 by Eric Haines, erich@eye.com + +For the server\util_md5.c component: + +/************************************************************************ + * NCSA HTTPd Server + * Software Development Group + * National Center for Supercomputing Applications + * University of Illinois at Urbana-Champaign + * 605 E. 
Springfield, Champaign, IL 61820 + * httpd@ncsa.uiuc.edu + * + * Copyright (C) 1995, Board of Trustees of the University of Illinois + * + ************************************************************************ + * + * md5.c: NCSA HTTPd code which uses the md5c.c RSA Code + * + * Original Code Copyright (C) 1994, Jeff Hostetler, Spyglass, Inc. + * Portions of Content-MD5 code Copyright (C) 1993, 1994 by Carnegie Mellon + * University (see Copyright below). + * Portions of Content-MD5 code Copyright (C) 1991 Bell Communications + * Research, Inc. (Bellcore) (see Copyright below). + * Portions extracted from mpack, John G. Myers - jgm+@cmu.edu + * Content-MD5 Code contributed by Martin Hamilton (martin@net.lut.ac.uk) + * + */ + + +/* these portions extracted from mpack, John G. Myers - jgm+@cmu.edu */ +/* (C) Copyright 1993,1994 by Carnegie Mellon University + * All Rights Reserved. + * + * Permission to use, copy, modify, distribute, and sell this software + * and its documentation for any purpose is hereby granted without + * fee, provided that the above copyright notice appear in all copies + * and that both that copyright notice and this permission notice + * appear in supporting documentation, and that the name of Carnegie + * Mellon University not be used in advertising or publicity + * pertaining to distribution of the software without specific, + * written prior permission. Carnegie Mellon University makes no + * representations about the suitability of this software for any + * purpose. It is provided "as is" without express or implied + * warranty. 
+ * + * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO + * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE + * FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN + * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING + * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +/* + * Copyright (c) 1991 Bell Communications Research, Inc. (Bellcore) + * + * Permission to use, copy, modify, and distribute this material + * for any purpose and without fee is hereby granted, provided + * that the above copyright notice and this permission notice + * appear in all copies, and that the name of Bellcore not be + * used in advertising or publicity pertaining to this + * material without the specific, prior written permission + * of an authorized representative of Bellcore. BELLCORE + * MAKES NO REPRESENTATIONS ABOUT THE ACCURACY OR SUITABILITY + * OF THIS MATERIAL FOR ANY PURPOSE. IT IS PROVIDED "AS IS", + * WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. + */ + +For the srclib\apr\include\apr_md5.h component: +/* + * This is work is derived from material Copyright RSA Data Security, Inc. + * + * The RSA copyright statement and Licence for that original material is + * included below. This is followed by the Apache copyright statement and + * licence for the modifications made to that material. + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD5 Message-Digest + Algorithm" in all material mentioning or referencing this software + or this function. 
+ + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD5 Message-Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. + */ + +For the srclib\apr\passwd\apr_md5.c component: + +/* + * This is work is derived from material Copyright RSA Data Security, Inc. + * + * The RSA copyright statement and Licence for that original material is + * included below. This is followed by the Apache copyright statement and + * licence for the modifications made to that material. + */ + +/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm + */ + +/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + rights reserved. + + License to copy and use this software is granted provided that it + is identified as the "RSA Data Security, Inc. MD5 Message-Digest + Algorithm" in all material mentioning or referencing this software + or this function. + + License is also granted to make and use derivative works provided + that such works are identified as "derived from the RSA Data + Security, Inc. MD5 Message-Digest Algorithm" in all material + mentioning or referencing the derived work. + + RSA Data Security, Inc. makes no representations concerning either + the merchantability of this software or the suitability of this + software for any particular purpose. It is provided "as is" + without express or implied warranty of any kind. + + These notices must be retained in any copies of any part of this + documentation and/or software. 
+ */ +/* + * The apr_md5_encode() routine uses much code obtained from the FreeBSD 3.0 + * MD5 crypt() function, which is licenced as follows: + * ---------------------------------------------------------------------------- + * "THE BEER-WARE LICENSE" (Revision 42): + * wrote this file. As long as you retain this notice you + * can do whatever you want with this stuff. If we meet some day, and you think + * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + * ---------------------------------------------------------------------------- + */ + +For the srclib\apr-util\crypto\apr_md4.c component: + + * This is derived from material copyright RSA Data Security, Inc. + * Their notice is reproduced below in its entirety. + * + * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + * rights reserved. + * + * License to copy and use this software is granted provided that it + * is identified as the "RSA Data Security, Inc. MD4 Message-Digest + * Algorithm" in all material mentioning or referencing this software + * or this function. + * + * License is also granted to make and use derivative works provided + * that such works are identified as "derived from the RSA Data + * Security, Inc. MD4 Message-Digest Algorithm" in all material + * mentioning or referencing the derived work. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software for any particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ + +For the srclib\apr-util\include\apr_md4.h component: + + * + * This is derived from material copyright RSA Data Security, Inc. + * Their notice is reproduced below in its entirety. + * + * Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All + * rights reserved. 
+ * + * License to copy and use this software is granted provided that it + * is identified as the "RSA Data Security, Inc. MD4 Message-Digest + * Algorithm" in all material mentioning or referencing this software + * or this function. + * + * License is also granted to make and use derivative works provided + * that such works are identified as "derived from the RSA Data + * Security, Inc. MD4 Message-Digest Algorithm" in all material + * mentioning or referencing the derived work. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software for any particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ + + +For the srclib\apr-util\test\testdbm.c component: + +/* ==================================================================== + * The Apache Software License, Version 1.1 + * + * Copyright (c) 2000-2002 The Apache Software Foundation. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. The end-user documentation included with the redistribution, + * if any, must include the following acknowledgment: + * "This product includes software developed by the + * Apache Software Foundation (http://www.apache.org/)." 
+ * Alternately, this acknowledgment may appear in the software itself, + * if and wherever such third-party acknowledgments normally appear. + * + * 4. The names "Apache" and "Apache Software Foundation" must + * not be used to endorse or promote products derived from this + * software without prior written permission. For written + * permission, please contact apache@apache.org. + * + * 5. Products derived from this software may not be called "Apache", + * nor may "Apache" appear in their name, without prior written + * permission of the Apache Software Foundation. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF + * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, + * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT + * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * ==================================================================== + * + * This software consists of voluntary contributions made by many + * individuals on behalf of the Apache Software Foundation. For more + * information on the Apache Software Foundation, please see + * . + * + * This file came from the SDBM package (written by oz@nexus.yorku.ca). + * That package was under public domain. This file has been ported to + * APR, updated to ANSI C and other, newer idioms, and added to the Apache + * codebase under the above copyright and license. 
+ */ + + +For the srclib\apr-util\test\testmd4.c component: + + * + * This is derived from material copyright RSA Data Security, Inc. + * Their notice is reproduced below in its entirety. + * + * Copyright (C) 1990-2, RSA Data Security, Inc. Created 1990. All + * rights reserved. + * + * RSA Data Security, Inc. makes no representations concerning either + * the merchantability of this software or the suitability of this + * software for any particular purpose. It is provided "as is" + * without express or implied warranty of any kind. + * + * These notices must be retained in any copies of any part of this + * documentation and/or software. + */ + +For the srclib\apr-util\xml\expat\conftools\install-sh component: + +# +# install - install a program, script, or datafile +# This comes from X11R5 (mit/util/scripts/install.sh). +# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. +# + +For the srclib\pcre\install-sh component: + +# +# Copyright 1991 by the Massachusetts Institute of Technology +# +# Permission to use, copy, modify, distribute, and sell this software and its +# documentation for any purpose is hereby granted without fee, provided that +# the above copyright notice appear in all copies and that both that +# copyright notice and this permission notice appear in supporting +# documentation, and that the name of M.I.T. 
not be used in advertising or +# publicity pertaining to distribution of the software without specific, +# written prior permission. M.I.T. makes no representations about the +# suitability of this software for any purpose. It is provided "as is" +# without express or implied warranty. + +For the pcre component: + +PCRE LICENCE +------------ + +PCRE is a library of functions to support regular expressions whose syntax +and semantics are as close as possible to those of the Perl 5 language. + +Written by: Philip Hazel + +University of Cambridge Computing Service, +Cambridge, England. Phone: +44 1223 334714. + +Copyright (c) 1997-2001 University of Cambridge + +Permission is granted to anyone to use this software for any purpose on any +computer system, and to redistribute it freely, subject to the following +restrictions: + +1. This software is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +2. The origin of this software must not be misrepresented, either by + explicit claim or by omission. In practice, this means that if you use + PCRE in software which you distribute to others, commercially or + otherwise, you must put a sentence like this + + Regular expression support is provided by the PCRE library package, + which is open source software, written by Philip Hazel, and copyright + by the University of Cambridge, England. + + somewhere reasonably visible in your documentation and in any relevant + files or online help data or similar. A reference to the ftp site for + the source, that is, to + + ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ + + should also be given in the documentation. + +3. Altered versions must be plainly marked as such, and must not be + misrepresented as being the original software. + +4. 
If PCRE is embedded in any software that is released under the GNU + General Purpose Licence (GPL), or Lesser General Purpose Licence (LGPL), + then the terms of that licence shall supersede any condition above with + which it is incompatible. + +The documentation for PCRE, supplied in the "doc" directory, is distributed +under the same terms as the software itself. + +End PCRE LICENCE + + +For the test\zb.c component: + +/* ZeusBench V1.01 + =============== + +This program is Copyright (C) Zeus Technology Limited 1996. + +This program may be used and copied freely providing this copyright notice +is not removed. + +This software is provided "as is" and any express or implied waranties, +including but not limited to, the implied warranties of merchantability and +fitness for a particular purpose are disclaimed. In no event shall +Zeus Technology Ltd. be liable for any direct, indirect, incidental, special, +exemplary, or consequential damaged (including, but not limited to, +procurement of substitute good or services; loss of use, data, or profits; +or business interruption) however caused and on theory of liability. Whether +in contract, strict liability or tort (including negligence or otherwise) +arising in any way out of the use of this software, even if advised of the +possibility of such damage. + + Written by Adam Twiss (adam@zeus.co.uk). 
March 1996 + +Thanks to the following people for their input: + Mike Belshe (mbelshe@netscape.com) + Michael Campanella (campanella@stevms.enet.dec.com) + +*/ + +For the expat xml parser component: + +Copyright (c) 1998, 1999, 2000 Thai Open Source Software Center Ltd + and Clark Cooper + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be included +in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +==================================================================== --- apache2-2.2.16.orig/debian/mpm-itk/patches/07-base-functionality.patch +++ apache2-2.2.16/debian/mpm-itk/patches/07-base-functionality.patch 
@@ -0,0 +1,218 @@ +Add the base functionality of mpm_itk over prefork; parse the new configuration +options, fork on each new connection, and setuid() as required. + +Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c +=================================================================== +--- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-03-21 23:52:01.000000000 +0100 ++++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-04-14 23:27:51.000000000 +0200 +@@ -26,6 +26,11 @@ + #include "apr_thread_proc.h" + #include "apr_signal.h" + ++# define _DBG(text,par...) \ ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, \ ++ "(itkmpm: pid=%d uid=%d, gid=%d) %s(): " text, \ ++ getpid(), getuid(), getgid(), __FUNCTION__, par) ++ + #define APR_WANT_STDIO + #define APR_WANT_STRFUNC + #include "apr_want.h" +@@ -47,6 +52,7 @@ + #include "http_config.h" + #include "http_core.h" /* for get_remote_host */ + #include "http_connection.h" ++#include "http_request.h" /* for ap_hook_post_perdir_config */ + #include "scoreboard.h" + #include "ap_mpm.h" + #include "unixd.h" +@@ -146,6 +152,15 @@ + + static volatile int die_now = 0; + ++typedef struct ++{ ++ uid_t uid; ++ gid_t gid; ++ char *username; ++} itk_per_dir_conf; ++ ++module AP_MODULE_DECLARE_DATA mpm_itk_module; ++ + #ifdef GPROF + /* + * change directory for gprof to plop the gmon.out file +@@ -512,10 +527,6 @@ + clean_child_exit(APEXIT_CHILDFATAL); + } + +- if (unixd_setup_child()) { +- clean_child_exit(APEXIT_CHILDFATAL); +- } +- + ap_run_child_init(pchild, ap_server_conf); + + ap_create_sb_handle(&sbh, pchild, my_child_num, 0); +@@ -651,10 +662,38 @@ + * socket options, file descriptors, and read/write buffers. 
+ */ + +- current_conn = ap_run_create_connection(ptrans, ap_server_conf, csd, my_child_num, sbh, bucket_alloc); +- if (current_conn) { +- ap_process_connection(current_conn, csd); +- ap_lingering_close(current_conn); ++ { ++ pid_t pid = fork(), child_pid; ++ int status; ++ switch (pid) { ++ case -1: ++ ap_log_error(APLOG_MARK, APLOG_ERR, errno, NULL, "fork: Unable to fork new process"); ++ break; ++ case 0: /* child */ ++ apr_proc_mutex_child_init(&accept_mutex, ap_lock_fname, pchild); ++ current_conn = ap_run_create_connection(ptrans, ap_server_conf, csd, my_child_num, sbh, bucket_alloc); ++ if (current_conn) { ++ ap_process_connection(current_conn, csd); ++ ap_lingering_close(current_conn); ++ } ++ exit(0); ++ default: /* parent; just wait for child to be done */ ++ do { ++ child_pid = waitpid(pid, &status, 0); ++ } while (child_pid == -1 && errno == EINTR); ++ ++ if (child_pid != pid || !WIFEXITED(status)) { ++ if (WIFSIGNALED(status)) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, "child died with signal %u", WTERMSIG(status)); ++ } else if (WEXITSTATUS(status) != 0) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, "child exited with non-zero exit status %u", WEXITSTATUS(status)); ++ } else { ++ ap_log_error(APLOG_MARK, APLOG_ERR, errno, NULL, "waitpid() failed"); ++ } ++ clean_child_exit(1); ++ } ++ break; ++ } + } + + /* Check the pod and the generation number after processing a +@@ -672,6 +711,10 @@ + */ + die_now = 1; + } ++ ++ /* if we have already setuid(), die (we can't be used anyhow) */ ++ if (getuid()) ++ die_now = 1; + } + clean_child_exit(0); + } +@@ -1334,6 +1377,56 @@ + return OK; + } + ++static int itk_post_perdir_config(request_rec *r) ++{ ++ uid_t wanted_uid; ++ gid_t wanted_gid; ++ const char *wanted_username; ++ int err = 0; ++ ++ itk_per_dir_conf *dconf = ++ (itk_per_dir_conf *) ap_get_module_config(r->per_dir_config, &mpm_itk_module); ++ ++ strncpy(ap_scoreboard_image->servers[my_child_num][0].vhost, 
r->server->server_hostname, 31); ++ ap_scoreboard_image->servers[my_child_num][0].vhost[31] = 0; ++ ++ wanted_uid = dconf->uid; ++ wanted_gid = dconf->gid; ++ wanted_username = dconf->username; ++ ++ if (wanted_uid == -1 || wanted_gid == -1) { ++ wanted_uid = unixd_config.user_id; ++ wanted_gid = unixd_config.group_id; ++ wanted_username = unixd_config.user_name; ++ } ++ ++ if (wanted_uid != -1 && wanted_gid != -1 && (getuid() != wanted_uid || getgid() != wanted_gid)) { ++ if (setgid(wanted_gid)) { ++ _DBG("setgid(%d): %s", wanted_gid, strerror(errno)); ++ err = 1; ++ } else if (initgroups(wanted_username, wanted_gid)) { ++ _DBG("initgroups(%s, %d): %s", wanted_username, wanted_gid, strerror(errno)); ++ err = 1; ++ } else if (setuid(wanted_uid)) { ++ _DBG("setuid(%d): %s", wanted_uid, strerror(errno)); ++ err = 1; ++ } ++ } ++ ++ /* ++ * Most likely a case of switching uid/gid within a persistent ++ * connection; the RFCs allow us to just close the connection ++ * at anytime, so we excercise our right. 
:-) ++ */ ++ if (err) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, \ ++ "Couldn't set uid/gid, closing connection."); ++ ap_lingering_close(r->connection); ++ exit(0); ++ } ++ return OK; ++} ++ + static void itk_hooks(apr_pool_t *p) + { + /* The itk open_logs phase must run before the core's, or stderr +@@ -1351,6 +1444,9 @@ + * to retrieve it, so register as REALLY_FIRST + */ + ap_hook_pre_config(itk_pre_config, NULL, NULL, APR_HOOK_REALLY_FIRST); ++ ++ /* set the uid as fast as possible, but not before merging per-dit config */ ++ ap_hook_header_parser(itk_post_perdir_config, NULL, NULL, APR_HOOK_REALLY_FIRST); + } + + static const char *set_daemons_to_start(cmd_parms *cmd, void *dummy, const char *arg) +@@ -1463,6 +1559,15 @@ + return NULL; + } + ++static const char *assign_user_id (cmd_parms *cmd, void *ptr, const char *user_name, const char *group_name) ++{ ++ itk_per_dir_conf *dconf = (itk_per_dir_conf *) ptr; ++ dconf->username = apr_pstrdup(cmd->pool, user_name); ++ dconf->uid = ap_uname2id(user_name); ++ dconf->gid = ap_gname2id(group_name); ++ return NULL; ++} ++ + static const command_rec itk_cmds[] = { + UNIX_DAEMON_COMMANDS, + LISTEN_COMMANDS, +@@ -1476,14 +1581,25 @@ + "Maximum number of children alive at the same time"), + AP_INIT_TAKE1("ServerLimit", set_server_limit, NULL, RSRC_CONF, + "Maximum value of MaxClients for this run of Apache"), ++AP_INIT_TAKE2("AssignUserID", assign_user_id, NULL, RSRC_CONF|ACCESS_CONF, ++ "Tie a virtual host to a specific child process."), + AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND, + { NULL } + }; + ++/* == allocate a private per-dir config structure == */ ++static void *itk_create_dir_config(apr_pool_t *p, char *dummy) ++{ ++ itk_per_dir_conf *c = (itk_per_dir_conf *) ++ apr_pcalloc(p, sizeof(itk_per_dir_conf)); ++ c->uid = c->gid = -1; ++ return c; ++} ++ + module AP_MODULE_DECLARE_DATA mpm_itk_module = { + MPM20_MODULE_STUFF, + ap_mpm_rewrite_args, /* hook to run before apache parses args */ +- NULL, /* create 
per-directory config structure */ ++ itk_create_dir_config, /* create per-directory config structure */ + NULL, /* merge per-directory config structures */ + NULL, /* create per-server config structure */ + NULL, /* merge per-server config structures */ --- apache2-2.2.16.orig/debian/mpm-itk/patches/series +++ apache2-2.2.16/debian/mpm-itk/patches/series @@ -0,0 +1,10 @@ +01-copy-prefork.patch +02-rename-prefork-to-itk.patch +03-add-mpm-to-build-system.patch +04-correct-output-makefile-location.patch +05-add-copyright.patch +06-hook-just-after-merging-perdir-config.patch +07-base-functionality.patch +08-max-clients-per-vhost.patch +09-capabilities.patch +10-nice.patch --- apache2-2.2.16.orig/debian/mpm-itk/patches/02-rename-prefork-to-itk.patch +++ apache2-2.2.16/debian/mpm-itk/patches/02-rename-prefork-to-itk.patch 
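Review bot: itk_post_perdir_config fails open when no usable identity is resolved: if wanted_uid or wanted_gid is still -1 after the fallback to unixd_config, the `wanted_uid != -1 && wanted_gid != -1 && ...` guard skips the setgid/initgroups/setuid chain and the hook returns OK with the process's current credentials. Because this patch also removes the unixd_setup_child() call from child init, those credentials are presumably still root at that point. I would treat that case as an error before the final `if (err)` check, e.g. `if (wanted_uid == (uid_t)-1 || wanted_gid == (gid_t)-1) err = 1;`, so the connection is closed rather than served; whether unixd_config can actually hold -1 is not visible here. Separately, in the parent branch of the fork switch (inside a function whose start and end are outside the nested hunk), `status` is read by WIFSIGNALED/WEXITSTATUS even when waitpid() returned -1 and never wrote it. Declaring it as `int status = 0;` or testing `child_pid == -1` first avoids the indeterminate read.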
@@ -0,0 +1,157 @@ +Rename prefork to itk in the copy that was created in 01-copy-prefork.patch. + +Index: httpd-2.2.11/server/mpm/experimental/itk/Makefile.in +=================================================================== +--- httpd-2.2.11.orig/server/mpm/experimental/itk/Makefile.in 2009-03-17 21:38:54.000000000 +0100 ++++ httpd-2.2.11/server/mpm/experimental/itk/Makefile.in 2009-03-17 21:39:03.000000000 +0100 +@@ -1,5 +1,5 @@ + +-LTLIBRARY_NAME = libprefork.la +-LTLIBRARY_SOURCES = prefork.c ++LTLIBRARY_NAME = libitk.la ++LTLIBRARY_SOURCES = itk.c + + include $(top_srcdir)/build/ltlib.mk +Index: httpd-2.2.11/server/mpm/experimental/itk/config.m4 +=================================================================== +--- httpd-2.2.11.orig/server/mpm/experimental/itk/config.m4 2009-03-17 21:38:53.000000000 +0100 ++++ httpd-2.2.11/server/mpm/experimental/itk/config.m4 2009-03-17 21:39:03.000000000 +0100 +@@ -1,3 +1,3 @@ +-if test "$MPM_NAME" = "prefork" ; then ++if test "$MPM_NAME" = "itk" ; then + APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile) + fi +Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c +=================================================================== +--- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-03-17 21:38:54.000000000 +0100 ++++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-03-17 21:39:03.000000000 +0100 +@@ -1250,7 +1250,7 @@ + /* This really should be a post_config hook, but the error log is already + * redirected by that point, so we need to do this in the open_logs phase. 
+ */ +-static int prefork_open_logs(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) ++static int itk_open_logs(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) + { + apr_status_t rv; + +@@ -1271,7 +1271,7 @@ + return OK; + } + +-static int prefork_pre_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp) ++static int itk_pre_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp) + { + static int restart_num = 0; + int no_detach, debug, foreground; +@@ -1328,9 +1328,9 @@ + return OK; + } + +-static void prefork_hooks(apr_pool_t *p) ++static void itk_hooks(apr_pool_t *p) + { +- /* The prefork open_logs phase must run before the core's, or stderr ++ /* The itk open_logs phase must run before the core's, or stderr + * will be redirected to a file, and the messages won't print to the + * console. + */ +@@ -1340,11 +1340,11 @@ + (void) set42sig(); + #endif + +- ap_hook_open_logs(prefork_open_logs, NULL, aszSucc, APR_HOOK_MIDDLE); ++ ap_hook_open_logs(itk_open_logs, NULL, aszSucc, APR_HOOK_MIDDLE); + /* we need to set the MPM state before other pre-config hooks use MPM query + * to retrieve it, so register as REALLY_FIRST + */ +- ap_hook_pre_config(prefork_pre_config, NULL, NULL, APR_HOOK_REALLY_FIRST); ++ ap_hook_pre_config(itk_pre_config, NULL, NULL, APR_HOOK_REALLY_FIRST); + } + + static const char *set_daemons_to_start(cmd_parms *cmd, void *dummy, const char *arg) +@@ -1457,7 +1457,7 @@ + return NULL; + } + +-static const command_rec prefork_cmds[] = { ++static const command_rec itk_cmds[] = { + UNIX_DAEMON_COMMANDS, + LISTEN_COMMANDS, + AP_INIT_TAKE1("StartServers", set_daemons_to_start, NULL, RSRC_CONF, +@@ -1474,13 +1474,13 @@ + { NULL } + }; + +-module AP_MODULE_DECLARE_DATA mpm_prefork_module = { ++module AP_MODULE_DECLARE_DATA mpm_itk_module = { + MPM20_MODULE_STUFF, + ap_mpm_rewrite_args, /* hook to run before apache parses args */ + NULL, /* create per-directory config structure */ + NULL, /* merge per-directory 
config structures */ + NULL, /* create per-server config structure */ + NULL, /* merge per-server config structures */ +- prefork_cmds, /* command apr_table_t */ +- prefork_hooks, /* register hooks */ ++ itk_cmds, /* command apr_table_t */ ++ itk_hooks, /* register hooks */ + }; +Index: httpd-2.2.11/server/mpm/experimental/itk/mpm.h +=================================================================== +--- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm.h 2009-03-17 21:38:54.000000000 +0100 ++++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h 2009-03-17 21:39:03.000000000 +0100 +@@ -15,10 +15,10 @@ + */ + + /** +- * @file prefork/mpm.h +- * @brief Unix Prefork MPM (default for Uinx systems) ++ * @file itk/mpm.h ++ * @brief ITK MPM (setuid per-vhost, no threads) + * +- * @defgroup APACHE_MPM_PREFORK Unix Prefork ++ * @defgroup APACHE_MPM_ITK Apache ITK + * @ingroup APACHE_MPM APACHE_OS_UNIX + * @{ + */ +@@ -28,12 +28,12 @@ + #include "scoreboard.h" + #include "unixd.h" + +-#ifndef APACHE_MPM_PREFORK_H +-#define APACHE_MPM_PREFORK_H ++#ifndef APACHE_MPM_ITK_H ++#define APACHE_MPM_ITK_H + +-#define PREFORK_MPM ++#define ITK_MPM + +-#define MPM_NAME "Prefork" ++#define MPM_NAME "ITK" + + #define AP_MPM_WANT_RECLAIM_CHILD_PROCESSES + #define AP_MPM_WANT_WAIT_OR_TIMEOUT +@@ -58,5 +58,5 @@ + extern int ap_threads_per_child; + extern int ap_max_daemons_limit; + extern server_rec *ap_server_conf; +-#endif /* APACHE_MPM_PREFORK_H */ ++#endif /* APACHE_MPM_ITK_H */ + /** @} */ +Index: httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h +=================================================================== +--- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm_default.h 2009-03-17 21:38:54.000000000 +0100 ++++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h 2009-03-17 21:39:03.000000000 +0100 +@@ -15,10 +15,10 @@ + */ + + /** +- * @file prefork/mpm_default.h +- * @brief Prefork MPM defaults ++ * @file itk/mpm_default.h ++ * @brief ITK MPM defaults + * +- * @addtogroup 
APACHE_MPM_PREFORK ++ * @addtogroup APACHE_MPM_ITK + * @{ + */ + --- apache2-2.2.16.orig/debian/mpm-itk/patches/08-max-clients-per-vhost.patch +++ apache2-2.2.16/debian/mpm-itk/patches/08-max-clients-per-vhost.patch 
@@ -0,0 +1,94 @@ +Enforce the per-vhost server limit. Note that this is per-vhost, not +per-directory (since it works by reading the scoreboard), so we need to add +per-server configuration data. + +Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c +=================================================================== +--- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-03-21 13:03:45.000000000 +0100 ++++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-03-21 13:03:50.000000000 +0100 +@@ -159,6 +159,11 @@ + char *username; + } itk_per_dir_conf; + ++typedef struct ++{ ++ int max_clients_vhost; ++} itk_server_conf; ++ + module AP_MODULE_DECLARE_DATA mpm_itk_module; + + #ifdef GPROF +@@ -1383,6 +1388,26 @@ + gid_t wanted_gid; + const char *wanted_username; + int err = 0; ++ ++ itk_server_conf *sconf = ++ (itk_server_conf *) ap_get_module_config(r->server->module_config, &mpm_itk_module); ++ ++ /* Enforce MaxClientsVhost. */ ++ if (sconf->max_clients_vhost > 0) { ++ int i, num_other_servers = 0; ++ for (i = 0; i < ap_daemons_limit; ++i) { ++ worker_score *ws = &ap_scoreboard_image->servers[i][0]; ++ if (ws->status >= SERVER_BUSY_READ && strncmp(ws->vhost, r->server->server_hostname, 31) == 0) ++ ++num_other_servers; ++ } ++ ++ if (num_other_servers > sconf->max_clients_vhost) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, \ ++ "MaxClientsVhost reached for %s, refusing client.", ++ r->server->server_hostname); ++ return HTTP_SERVICE_UNAVAILABLE; ++ } ++ } + + itk_per_dir_conf *dconf = + (itk_per_dir_conf *) ap_get_module_config(r->per_dir_config, &mpm_itk_module); +@@ -1568,6 +1593,14 @@ + return NULL; + } + ++static const char *set_max_clients_vhost (cmd_parms *cmd, void *dummy, const char *arg) ++{ ++ itk_server_conf *sconf = ++ (itk_server_conf *) ap_get_module_config(cmd->server->module_config, &mpm_itk_module); ++ sconf->max_clients_vhost = atoi(arg); ++ return NULL; ++} ++ + static const command_rec itk_cmds[] = { + UNIX_DAEMON_COMMANDS, + 
LISTEN_COMMANDS, +@@ -1583,6 +1616,8 @@ + "Maximum value of MaxClients for this run of Apache"), + AP_INIT_TAKE2("AssignUserID", assign_user_id, NULL, RSRC_CONF|ACCESS_CONF, + "Tie a virtual host to a specific child process."), ++AP_INIT_TAKE1("MaxClientsVHost", set_max_clients_vhost, NULL, RSRC_CONF, ++ "Maximum number of children alive at the same time for this virtual host."), + AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND, + { NULL } + }; +@@ -1596,12 +1631,21 @@ + return c; + } + ++/* == allocate a private server config structure == */ ++static void *itk_create_server_config(apr_pool_t *p, server_rec *s) ++{ ++ itk_server_conf *c = (itk_server_conf *) ++ apr_pcalloc(p, sizeof(itk_server_conf)); ++ c->max_clients_vhost = -1; ++ return c; ++} ++ + module AP_MODULE_DECLARE_DATA mpm_itk_module = { + MPM20_MODULE_STUFF, + ap_mpm_rewrite_args, /* hook to run before apache parses args */ + itk_create_dir_config, /* create per-directory config structure */ + NULL, /* merge per-directory config structures */ +- NULL, /* create per-server config structure */ ++ itk_create_server_config, /* create per-server config structure */ + NULL, /* merge per-server config structures */ + itk_cmds, /* command apr_table_t */ + itk_hooks, /* register hooks */ --- apache2-2.2.16.orig/debian/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch +++ apache2-2.2.16/debian/mpm-itk/patches/06-hook-just-after-merging-perdir-config.patch 
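Review bot: The MaxClientsVhost count compares only the first 31 bytes of the hostname (`strncmp(ws->vhost, r->server->server_hostname, 31)`), so virtual hosts whose names share a 31-character prefix are counted against one another's limit, and load on one can produce 503 responses on the other. This follows from the 31-byte scoreboard copy made in itk_post_perdir_config, so it cannot be fixed in the comparison alone; at minimum document it at the loop with `/* ws->vhost is truncated to 31 bytes: vhosts sharing that prefix share this count */`. set_max_clients_vhost also stores `atoi(arg)` unchecked, so a non-numeric value silently becomes 0 and the `> 0` test then disables the limit. Returning an error string for a non-numeric or non-positive argument would make the misconfiguration visible at startup. The body of itk_post_perdir_config continues outside this nested hunk.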
@@ -0,0 +1,60 @@ +Add an extra hook right after merging per-directory configuration. +This makes sure we are able to setuid() as early as possible (that +is, as soon as know what uid/gid to use for this location), so we +won't run all sorts of subrequests and other stuff as root. + +Index: httpd-2.2.11/include/http_request.h +=================================================================== +--- httpd-2.2.11.orig/include/http_request.h 2009-03-21 13:03:31.000000000 +0100 ++++ httpd-2.2.11/include/http_request.h 2009-03-21 13:03:41.000000000 +0100 +@@ -356,6 +356,15 @@ + */ + AP_DECLARE_HOOK(void,insert_filter,(request_rec *r)) + ++/** ++ * This hook allows modules to affect the request immediately after the ++ * per-directory configuration for the request has been generated. This allows ++ * modules to make decisions based upon the current directory configuration ++ * @param r The current request ++ * @return OK or DECLINED ++ */ ++AP_DECLARE_HOOK(int,post_perdir_config,(request_rec *r)) ++ + AP_DECLARE(int) ap_location_walk(request_rec *r); + AP_DECLARE(int) ap_directory_walk(request_rec *r); + AP_DECLARE(int) ap_file_walk(request_rec *r); +Index: httpd-2.2.11/server/request.c +=================================================================== +--- httpd-2.2.11.orig/server/request.c 2009-03-21 13:03:13.000000000 +0100 ++++ httpd-2.2.11/server/request.c 2009-03-21 13:03:41.000000000 +0100 +@@ -67,6 +67,7 @@ + APR_HOOK_LINK(auth_checker) + APR_HOOK_LINK(insert_filter) + APR_HOOK_LINK(create_request) ++ APR_HOOK_LINK(post_perdir_config) + ) + + AP_IMPLEMENT_HOOK_RUN_FIRST(int,translate_name, +@@ -86,6 +87,8 @@ + AP_IMPLEMENT_HOOK_VOID(insert_filter, (request_rec *r), (r)) + AP_IMPLEMENT_HOOK_RUN_ALL(int, create_request, + (request_rec *r), (r), OK, DECLINED) ++AP_IMPLEMENT_HOOK_RUN_ALL(int,post_perdir_config, ++ (request_rec *r), (r), OK, DECLINED) + + + static int decl_die(int status, char *phase, request_rec *r) +@@ -164,6 +167,13 @@ + return access_status; + } 
+ ++ /* First chance to handle the request after per-directory configuration is ++ * generated ++ */ ++ if ((access_status = ap_run_post_perdir_config(r))) { ++ return access_status; ++ } ++ + /* Only on the main request! */ + if (r->main == NULL) { + if ((access_status = ap_run_header_parser(r))) { --- apache2-2.2.16.orig/debian/mpm-itk/patches/09-capabilities.patch +++ apache2-2.2.16/debian/mpm-itk/patches/09-capabilities.patch 
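Review bot: The doc comment for post_perdir_config says `@return OK or DECLINED`, but the call site added in server/request.c returns any non-zero result as access_status, so a hook can end the request with an HTTP status. The comment should say so, e.g. `@return OK or DECLINED to continue, or an HTTP status code to end the request`. It is also worth stating there that the hook runs for subrequests too, since the call sits above the `r->main == NULL` block that restricts header_parser to the main request. As shown on this page, 07-base-functionality.patch registers its handler with ap_hook_header_parser rather than this hook, so no consumer of post_perdir_config is visible here. The enclosing function in request.c starts and ends outside the hunk.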
@@ -0,0 +1,75 @@
+Use Linux' capability system to run as a sort of "lesser root"; we drop nearly
+all root privilegies except the ability to setuid. An attacker capable of injecting
+code will still be able to run as any (normal) user on the system, but at least
+he/she cannot directly load kernel code etc.
+
+Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+===================================================================
+--- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-04-14 23:28:02.000000000 +0200
++++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-04-14 23:29:16.000000000 +0200
+@@ -71,6 +71,10 @@
+ #include /* for bindprocessor() */
+ #endif
+
++#if HAVE_LIBCAP
++#include
++#endif
++
+ #include
+ #include
+
+@@ -501,6 +505,15 @@
+ apr_bucket_alloc_t *bucket_alloc;
+ int last_poll_idx = 0;
+
++#if HAVE_LIBCAP
++ cap_t caps;
++ cap_value_t suidcaps[] = {
++ CAP_SETUID,
++ CAP_SETGID,
++ CAP_DAC_READ_SEARCH,
++ };
++#endif
++
+ mpm_state = AP_MPMQ_STARTING; /* for benefit of any hooks that run as this
+ * child initializes
+ */
+@@ -554,6 +567,22 @@
+ (void) apr_pollset_add(pollset, &pfd);
+ }
+
++#if HAVE_LIBCAP
++ /* Drop as many privileges as we can. We'll still
++ * access files with uid=0, and we can setuid() to anything, but
++ * at least there's tons of other evilness (like loading kernel
++ * modules) we can't do directly. (The setuid() capability will
++ * go away automatically when we setuid() or exec() -- the former
++ * is likely to come first.)
++ */
++ caps = cap_init();
++ cap_clear(caps);
++ cap_set_flag(caps, CAP_PERMITTED, sizeof(suidcaps)/sizeof(cap_value_t), suidcaps, CAP_SET);
++ cap_set_flag(caps, CAP_EFFECTIVE, sizeof(suidcaps)/sizeof(cap_value_t), suidcaps, CAP_SET);
++ cap_set_proc(caps);
++ cap_free(caps);
++#endif
++
+ mpm_state = AP_MPMQ_RUNNING;
+
+ bucket_alloc = apr_bucket_alloc_create(pchild);
+Index: httpd-2.2.11/server/mpm/config.m4
+===================================================================
+--- httpd-2.2.11.orig/server/mpm/config.m4 2009-04-14 23:26:41.000000000 +0200
++++ httpd-2.2.11/server/mpm/config.m4 2009-04-14 23:28:03.000000000 +0200
+@@ -66,6 +66,11 @@
+ else
+ MPM_SUBDIR_NAME=$MPM_NAME
+ fi
++
++if test "$apache_cv_mpm" = "itk" ; then
++ AC_CHECK_LIB(cap, cap_init)
++fi
++
+ MPM_DIR=server/mpm/$MPM_SUBDIR_NAME
+ MPM_LIB=$MPM_DIR/lib${MPM_NAME}.la
+
--- apache2-2.2.16.orig/debian/mpm-itk/patches/05-add-copyright.patch
+++ apache2-2.2.16/debian/mpm-itk/patches/05-add-copyright.patch
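Review bot: None of the libcap calls added to child_main in itk.c has its result checked, so if `cap_init()` or `cap_set_proc()` fails the child carries on with whatever capability set it started with and nothing is logged. Because this block is the only thing limiting the process before the later setuid(), I would fail closed when the drop does not succeed (or at the very least log it), as sketched below. Separately, the retained `CAP_DAC_READ_SEARCH` bypasses read and directory-search permission checks for every file, and the comment should state that explicitly rather than only saying files are accessed with uid=0. child_main starts and ends outside the hunk.

```c
#if HAVE_LIBCAP
    /* … unchanged: comment explaining which privileges are kept … */
    caps = cap_init();
    if (caps == NULL
        || cap_clear(caps)
        || cap_set_flag(caps, CAP_PERMITTED, sizeof(suidcaps)/sizeof(cap_value_t), suidcaps, CAP_SET)
        || cap_set_flag(caps, CAP_EFFECTIVE, sizeof(suidcaps)/sizeof(cap_value_t), suidcaps, CAP_SET)
        || cap_set_proc(caps)) {
        /* Refuse to serve requests with the full capability set. */
        ap_log_error(APLOG_MARK, APLOG_EMERG, errno, ap_server_conf,
                     "mpm-itk: could not drop capabilities, child exiting");
        if (caps != NULL) {
            cap_free(caps);
        }
        clean_child_exit(APEXIT_CHILDFATAL);
    }
    cap_free(caps);
#endif
```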
@@ -0,0 +1,87 @@
+Add copyright notices, as the next patches are going to add code.
+
+Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+===================================================================
+--- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-03-21 13:02:18.000000000 +0100
++++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-03-21 13:02:33.000000000 +0100
+@@ -12,6 +12,12 @@
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
++ *
++ * Portions copyright 2005-2009 Steinar H. Gunderson .
++ * Licensed under the same terms as the rest of Apache.
++ *
++ * Portions copyright 2008 Knut Auvor Grythe .
++ * Licensed under the same terms as the rest of Apache.
+ */
+
+ #include "apr.h"
+Index: httpd-2.2.11/server/mpm/experimental/itk/mpm.h
+===================================================================
+--- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm.h 2009-03-21 13:02:18.000000000 +0100
++++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h 2009-03-21 13:02:33.000000000 +0100
+@@ -12,6 +12,12 @@
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
++ *
++ * Portions copyright 2005-2009 Steinar H. Gunderson .
++ * Licensed under the same terms as the rest of Apache.
++ *
++ * Portions copyright 2008 Knut Auvor Grythe .
++ * Licensed under the same terms as the rest of Apache.
+ */
+
+ /**
+Index: httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h
+===================================================================
+--- httpd-2.2.11.orig/server/mpm/experimental/itk/mpm_default.h 2009-03-21 13:02:18.000000000 +0100
++++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h 2009-03-21 13:02:33.000000000 +0100
+@@ -12,6 +12,12 @@
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
++ *
++ * Portions copyright 2005-2009 Steinar H. Gunderson .
++ * Licensed under the same terms as the rest of Apache.
++ *
++ * Portions copyright 2008 Knut Auvor Grythe .
++ * Licensed under the same terms as the rest of Apache.
+ */
+
+ /**
+Index: httpd-2.2.11/include/http_request.h
+===================================================================
+--- httpd-2.2.11.orig/include/http_request.h 2009-03-21 13:03:19.000000000 +0100
++++ httpd-2.2.11/include/http_request.h 2009-03-21 13:03:31.000000000 +0100
+@@ -12,6 +12,12 @@
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
++ *
++ * Portions copyright 2005-2009 Steinar H. Gunderson .
++ * Licensed under the same terms as the rest of Apache.
++ *
++ * Portions copyright 2008 Knut Auvor Grythe .
++ * Licensed under the same terms as the rest of Apache.
+ */
+
+ /**
+Index: httpd-2.2.11/server/request.c
+===================================================================
+--- httpd-2.2.11.orig/server/request.c 2009-03-21 13:03:04.000000000 +0100
++++ httpd-2.2.11/server/request.c 2009-03-21 13:03:13.000000000 +0100
+@@ -12,6 +12,12 @@
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
++ *
++ * Portions copyright 2005-2009 Steinar H. Gunderson .
++ * Licensed under the same terms as the rest of Apache.
++ *
++ * Portions copyright 2008 Knut Auvor Grythe .
++ * Licensed under the same terms as the rest of Apache.
+ */
+
+ /*
--- apache2-2.2.16.orig/debian/mpm-itk/patches/10-nice.patch
+++ apache2-2.2.16/debian/mpm-itk/patches/10-nice.patch
@@ -0,0 +1,140 @@
+Support a per-location nice value. Note that since we now have two different settings
+in the per-dir configuration, we need to introduce a merge function.
+
+Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c
+===================================================================
+--- httpd-2.2.11.orig/server/mpm/experimental/itk/itk.c 2009-04-14 23:29:16.000000000 +0200
++++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-04-14 23:31:05.000000000 +0200
+@@ -156,11 +156,14 @@
+
+ static volatile int die_now = 0;
+
++#define UNSET_NICE_VALUE 100
++
+ typedef struct
+ {
+ uid_t uid;
+ gid_t gid;
+ char *username;
++ int nice_value;
+ } itk_per_dir_conf;
+
+ typedef struct
+@@ -511,6 +514,7 @@
+ CAP_SETUID,
+ CAP_SETGID,
+ CAP_DAC_READ_SEARCH,
++ CAP_SYS_NICE,
+ };
+ #endif
+
+@@ -1444,6 +1448,12 @@
+ strncpy(ap_scoreboard_image->servers[my_child_num][0].vhost, r->server->server_hostname, 31);
+ ap_scoreboard_image->servers[my_child_num][0].vhost[31] = 0;
+
++ if (dconf->nice_value != UNSET_NICE_VALUE &&
++ setpriority(PRIO_PROCESS, 0, dconf->nice_value)) {
++ _DBG("setpriority(): %s", strerror(errno));
++ err = 1;
++ }
++
+ wanted_uid = dconf->uid;
+ wanted_gid = dconf->gid;
+ wanted_username = dconf->username;
+@@ -1454,7 +1464,7 @@
+ wanted_username = unixd_config.user_name;
+ }
+
+- if (wanted_uid != -1 && wanted_gid != -1 && (getuid() != wanted_uid || getgid() != wanted_gid)) {
++ if (!err && wanted_uid != -1 && wanted_gid != -1 && (getuid() != wanted_uid || getgid() != wanted_gid)) {
+ if (setgid(wanted_gid)) {
+ _DBG("setgid(%d): %s", wanted_gid, strerror(errno));
+ err = 1;
+@@ -1474,7 +1484,7 @@
+ */
+ if (err) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL, \
+- "Couldn't set uid/gid, closing connection.");
++ "Couldn't set uid/gid/priority, closing connection.");
+ ap_lingering_close(r->connection);
+ exit(0);
+ }
+@@ -1630,6 +1640,27 @@
+ return NULL;
+ }
+
++static const char *set_nice_value (cmd_parms *cmd, void *ptr, const char *arg)
++{
++ itk_per_dir_conf *dconf = (itk_per_dir_conf *) ptr;
++ int nice_value = atoi(arg);
++
++ if (nice_value < -20) {
++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
++ "WARNING: NiceValue of %d is below -20, increasing NiceValue to -20.",
++ nice_value);
++ nice_value = -20;
++ }
++ else if (nice_value > 19) {
++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
++ "WARNING: NiceValue of %d is above 19, lowering NiceValue to 19.",
++ nice_value);
++ nice_value = 19;
++ }
++ dconf->nice_value = nice_value;
++ return NULL;
++}
++
+ static const command_rec itk_cmds[] = {
+ UNIX_DAEMON_COMMANDS,
+ LISTEN_COMMANDS,
+@@ -1647,6 +1678,8 @@
+ "Tie a virtual host to a specific child process."),
+ AP_INIT_TAKE1("MaxClientsVHost", set_max_clients_vhost, NULL, RSRC_CONF,
+ "Maximum number of children alive at the same time for this virtual host."),
++AP_INIT_TAKE1("NiceValue", set_nice_value, NULL, RSRC_CONF|ACCESS_CONF,
++ "Set nice value for the given vhost, from -20 (highest priority) to 19 (lowest priority)."),
+ AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND,
+ { NULL }
+ };
+@@ -1657,6 +1690,32 @@
+ itk_per_dir_conf *c = (itk_per_dir_conf *)
+ apr_pcalloc(p, sizeof(itk_per_dir_conf));
+ c->uid = c->gid = -1;
++ c->nice_value = UNSET_NICE_VALUE;
++ return c;
++}
++
++/* == merge the parent per-dir config structure into ours == */
++static void *itk_merge_dir_config(apr_pool_t *p, void *parent_ptr, void *child_ptr)
++{
++ itk_per_dir_conf *c = (itk_per_dir_conf *)
++ apr_pcalloc(p, sizeof(itk_per_dir_conf));
++ itk_per_dir_conf *parent = (itk_per_dir_conf *) parent_ptr;
++ itk_per_dir_conf *child = (itk_per_dir_conf *) child_ptr;
++
++ if (child->username != NULL) {
++ c->username = apr_pstrdup(p, child->username);
++ c->uid = child->uid;
++ c->gid = child->gid;
++ } else if (parent->username != NULL) {
++ c->username = apr_pstrdup(p, parent->username);
++ c->uid = parent->uid;
++ c->gid = parent->gid;
++ }
++ if (child->nice_value != UNSET_NICE_VALUE) {
++ c->nice_value = child->nice_value;
++ } else {
++ c->nice_value = parent->nice_value;
++ }
+ return c;
+ }
+
+@@ -1673,7 +1732,7 @@
+ MPM20_MODULE_STUFF,
+ ap_mpm_rewrite_args, /* hook to run before apache parses args */
+ itk_create_dir_config, /* create per-directory config structure */
+- NULL, /* merge per-directory config structures */
++ itk_merge_dir_config, /* merge per-directory config structures */
+ itk_create_server_config, /* create per-server config structure */
+ NULL, /* merge per-server config structures */
+ itk_cmds, /* command apr_table_t */
--- apache2-2.2.16.orig/debian/mpm-itk/patches/03-add-mpm-to-build-system.patch
+++ apache2-2.2.16/debian/mpm-itk/patches/03-add-mpm-to-build-system.patch
@@ -0,0 +1,25 @@
+Add the new MPM to the build system as an alternative to the other MPMs,
+and mark it as experimental.
+
+Index: apache2.2/server/mpm/config.m4
+===================================================================
+--- apache2.2.orig/server/mpm/config.m4 2007-01-29 21:30:26.000000000 +0100
++++ apache2.2/server/mpm/config.m4 2007-01-29 21:30:35.000000000 +0100
+@@ -1,7 +1,7 @@
+ AC_MSG_CHECKING(which MPM to use)
+ AC_ARG_WITH(mpm,
+ APACHE_HELP_STRING(--with-mpm=MPM,Choose the process model for Apache to use.
+- MPM={beos|event|worker|prefork|mpmt_os2}),[
++ MPM={beos|event|worker|prefork|mpmt_os2|itk}),[
+ APACHE_MPM=$withval
+ ],[
+ if test "x$APACHE_MPM" = "x"; then
+@@ -23,7 +23,7 @@
+
+ ap_mpm_is_experimental ()
+ {
+- if test "$apache_cv_mpm" = "event" ; then
++ if test "$apache_cv_mpm" = "event" -o "$apache_cv_mpm" = "itk" ; then
+ return 0
+ else
+ return 1
--- apache2-2.2.16.orig/debian/mpm-itk/patches/01-copy-prefork.patch
+++ apache2-2.2.16/debian/mpm-itk/patches/01-copy-prefork.patch
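Review bot: In 10-nice.patch, `itk_merge_dir_config` allocates the merged struct with `apr_pcalloc` and assigns `uid`/`gid` only when the child or the parent has a username, so when neither does the merged config carries uid 0 and gid 0 instead of the -1 "unset" value that `itk_create_dir_config` uses. The request-time code in the same patch tests `wanted_uid != -1 && wanted_gid != -1` before calling setgid(), so a merged 0/0 would read as an explicit request for root and, with `getuid() != wanted_uid` false in a root child, the switch away from root would be skipped; the fallback to the default user sits outside the hunk, so this should be confirmed against the full file. I would add `c->uid = c->gid = -1;` directly after the allocation in the merge function. `set_nice_value` also parses its argument with `atoi`, so a non-numeric value silently becomes 0; returning an error string from the handler for unparsable input would be safer.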
@@ -0,0 +1,1662 @@ +Just copies server/mpm/prefork/* to server/mpm/experimental/itk/, with prefork.c +copied to itk.c. Basically the patch equivalent of + + mkdir server/mpm/experimental/itk/ + cp server/mpm/prefork/* server/mpm/experimental/itk/ + mv server/mpm/experimental/itk/prefork.c server/mpm/experimental/itk/itk.c + +Index: httpd-2.2.11/server/mpm/experimental/itk/Makefile.in +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ httpd-2.2.11/server/mpm/experimental/itk/Makefile.in 2009-03-17 21:38:54.000000000 +0100 +@@ -0,0 +1,5 @@ ++ ++LTLIBRARY_NAME = libprefork.la ++LTLIBRARY_SOURCES = prefork.c ++ ++include $(top_srcdir)/build/ltlib.mk +Index: httpd-2.2.11/server/mpm/experimental/itk/config.m4 +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ httpd-2.2.11/server/mpm/experimental/itk/config.m4 2009-03-17 21:38:53.000000000 +0100 +@@ -0,0 +1,3 @@ ++if test "$MPM_NAME" = "prefork" ; then ++ APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile) ++fi +Index: httpd-2.2.11/server/mpm/experimental/itk/itk.c +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ httpd-2.2.11/server/mpm/experimental/itk/itk.c 2009-03-17 21:38:54.000000000 +0100 +@@ -0,0 +1,1486 @@ ++/* Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. 
You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++#include "apr.h" ++#include "apr_portable.h" ++#include "apr_strings.h" ++#include "apr_thread_proc.h" ++#include "apr_signal.h" ++ ++#define APR_WANT_STDIO ++#define APR_WANT_STRFUNC ++#include "apr_want.h" ++ ++#if APR_HAVE_UNISTD_H ++#include ++#endif ++#if APR_HAVE_SYS_TYPES_H ++#include ++#endif ++ ++#define CORE_PRIVATE ++ ++#include "ap_config.h" ++#include "httpd.h" ++#include "mpm_default.h" ++#include "http_main.h" ++#include "http_log.h" ++#include "http_config.h" ++#include "http_core.h" /* for get_remote_host */ ++#include "http_connection.h" ++#include "scoreboard.h" ++#include "ap_mpm.h" ++#include "unixd.h" ++#include "mpm_common.h" ++#include "ap_listen.h" ++#include "ap_mmn.h" ++#include "apr_poll.h" ++ ++#ifdef HAVE_BSTRING_H ++#include /* for IRIX, FD_SET calls bzero() */ ++#endif ++#ifdef HAVE_TIME_H ++#include ++#endif ++#ifdef HAVE_SYS_PROCESSOR_H ++#include /* for bindprocessor() */ ++#endif ++ ++#include ++#include ++ ++/* Limit on the total --- clients will be locked out if more servers than ++ * this are needed. It is intended solely to keep the server from crashing ++ * when things get out of hand. ++ * ++ * We keep a hard maximum number of servers, for two reasons --- first off, ++ * in case something goes seriously wrong, we want to stop the fork bomb ++ * short of actually crashing the machine we're running on by filling some ++ * kernel table. Secondly, it keeps the size of the scoreboard file small ++ * enough that we can read the whole thing without worrying too much about ++ * the overhead. 
++ */ ++#ifndef DEFAULT_SERVER_LIMIT ++#define DEFAULT_SERVER_LIMIT 256 ++#endif ++ ++/* Admin can't tune ServerLimit beyond MAX_SERVER_LIMIT. We want ++ * some sort of compile-time limit to help catch typos. ++ */ ++#ifndef MAX_SERVER_LIMIT ++#define MAX_SERVER_LIMIT 200000 ++#endif ++ ++#ifndef HARD_THREAD_LIMIT ++#define HARD_THREAD_LIMIT 1 ++#endif ++ ++/* config globals */ ++ ++int ap_threads_per_child=0; /* Worker threads per child */ ++static apr_proc_mutex_t *accept_mutex; ++static int ap_daemons_to_start=0; ++static int ap_daemons_min_free=0; ++static int ap_daemons_max_free=0; ++static int ap_daemons_limit=0; /* MaxClients */ ++static int server_limit = DEFAULT_SERVER_LIMIT; ++static int first_server_limit = 0; ++static int changed_limit_at_restart; ++static int mpm_state = AP_MPMQ_STARTING; ++static ap_pod_t *pod; ++ ++/* ++ * The max child slot ever assigned, preserved across restarts. Necessary ++ * to deal with MaxClients changes across AP_SIG_GRACEFUL restarts. We ++ * use this value to optimize routines that have to scan the entire scoreboard. ++ */ ++int ap_max_daemons_limit = -1; ++server_rec *ap_server_conf; ++ ++/* one_process --- debugging mode variable; can be set from the command line ++ * with the -X flag. If set, this gets you the child_main loop running ++ * in the process which originally started up (no detach, no make_child), ++ * which is a pretty nice debugging environment. (You'll get a SIGHUP ++ * early in standalone_main; just continue through. This is the server ++ * trying to kill off any child processes which it might have lying ++ * around --- Apache doesn't keep track of their pids, it just sends ++ * SIGHUP to the process group, ignoring it in the root process. ++ * Continue through and you'll be fine.). 
++ */ ++ ++static int one_process = 0; ++ ++static apr_pool_t *pconf; /* Pool for config stuff */ ++static apr_pool_t *pchild; /* Pool for httpd child stuff */ ++ ++static pid_t ap_my_pid; /* it seems silly to call getpid all the time */ ++static pid_t parent_pid; ++#ifndef MULTITHREAD ++static int my_child_num; ++#endif ++ap_generation_t volatile ap_my_generation=0; ++ ++#ifdef TPF ++int tpf_child = 0; ++char tpf_server_name[INETD_SERVNAME_LENGTH+1]; ++#endif /* TPF */ ++ ++static volatile int die_now = 0; ++ ++#ifdef GPROF ++/* ++ * change directory for gprof to plop the gmon.out file ++ * configure in httpd.conf: ++ * GprofDir $RuntimeDir/ -> $ServerRoot/$RuntimeDir/gmon.out ++ * GprofDir $RuntimeDir/% -> $ServerRoot/$RuntimeDir/gprof.$pid/gmon.out ++ */ ++static void chdir_for_gprof(void) ++{ ++ core_server_config *sconf = ++ ap_get_module_config(ap_server_conf->module_config, &core_module); ++ char *dir = sconf->gprof_dir; ++ const char *use_dir; ++ ++ if(dir) { ++ apr_status_t res; ++ char *buf = NULL ; ++ int len = strlen(sconf->gprof_dir) - 1; ++ if(*(dir + len) == '%') { ++ dir[len] = '\0'; ++ buf = ap_append_pid(pconf, dir, "gprof."); ++ } ++ use_dir = ap_server_root_relative(pconf, buf ? 
buf : dir); ++ res = apr_dir_make(use_dir, ++ APR_UREAD | APR_UWRITE | APR_UEXECUTE | ++ APR_GREAD | APR_GEXECUTE | ++ APR_WREAD | APR_WEXECUTE, pconf); ++ if(res != APR_SUCCESS && !APR_STATUS_IS_EEXIST(res)) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, res, ap_server_conf, ++ "gprof: error creating directory %s", dir); ++ } ++ } ++ else { ++ use_dir = ap_server_root_relative(pconf, DEFAULT_REL_RUNTIMEDIR); ++ } ++ ++ chdir(use_dir); ++} ++#else ++#define chdir_for_gprof() ++#endif ++ ++/* XXX - I don't know if TPF will ever use this module or not, so leave ++ * the ap_check_signals calls in but disable them - manoj */ ++#define ap_check_signals() ++ ++/* a clean exit from a child with proper cleanup */ ++static void clean_child_exit(int code) __attribute__ ((noreturn)); ++static void clean_child_exit(int code) ++{ ++ mpm_state = AP_MPMQ_STOPPING; ++ ++ if (pchild) { ++ apr_pool_destroy(pchild); ++ } ++ ap_mpm_pod_close(pod); ++ chdir_for_gprof(); ++ exit(code); ++} ++ ++static void accept_mutex_on(void) ++{ ++ apr_status_t rv = apr_proc_mutex_lock(accept_mutex); ++ if (rv != APR_SUCCESS) { ++ const char *msg = "couldn't grab the accept mutex"; ++ ++ if (ap_my_generation != ++ ap_scoreboard_image->global->running_generation) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, NULL, "%s", msg); ++ clean_child_exit(0); ++ } ++ else { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, rv, NULL, "%s", msg); ++ exit(APEXIT_CHILDFATAL); ++ } ++ } ++} ++ ++static void accept_mutex_off(void) ++{ ++ apr_status_t rv = apr_proc_mutex_unlock(accept_mutex); ++ if (rv != APR_SUCCESS) { ++ const char *msg = "couldn't release the accept mutex"; ++ ++ if (ap_my_generation != ++ ap_scoreboard_image->global->running_generation) { ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, rv, NULL, "%s", msg); ++ /* don't exit here... 
we have a connection to ++ * process, after which point we'll see that the ++ * generation changed and we'll exit cleanly ++ */ ++ } ++ else { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, rv, NULL, "%s", msg); ++ exit(APEXIT_CHILDFATAL); ++ } ++ } ++} ++ ++/* On some architectures it's safe to do unserialized accept()s in the single ++ * Listen case. But it's never safe to do it in the case where there's ++ * multiple Listen statements. Define SINGLE_LISTEN_UNSERIALIZED_ACCEPT ++ * when it's safe in the single Listen case. ++ */ ++#ifdef SINGLE_LISTEN_UNSERIALIZED_ACCEPT ++#define SAFE_ACCEPT(stmt) do {if (ap_listeners->next) {stmt;}} while(0) ++#else ++#define SAFE_ACCEPT(stmt) do {stmt;} while(0) ++#endif ++ ++AP_DECLARE(apr_status_t) ap_mpm_query(int query_code, int *result) ++{ ++ switch(query_code){ ++ case AP_MPMQ_MAX_DAEMON_USED: ++ *result = ap_daemons_limit; ++ return APR_SUCCESS; ++ case AP_MPMQ_IS_THREADED: ++ *result = AP_MPMQ_NOT_SUPPORTED; ++ return APR_SUCCESS; ++ case AP_MPMQ_IS_FORKED: ++ *result = AP_MPMQ_DYNAMIC; ++ return APR_SUCCESS; ++ case AP_MPMQ_HARD_LIMIT_DAEMONS: ++ *result = server_limit; ++ return APR_SUCCESS; ++ case AP_MPMQ_HARD_LIMIT_THREADS: ++ *result = HARD_THREAD_LIMIT; ++ return APR_SUCCESS; ++ case AP_MPMQ_MAX_THREADS: ++ *result = 0; ++ return APR_SUCCESS; ++ case AP_MPMQ_MIN_SPARE_DAEMONS: ++ *result = ap_daemons_min_free; ++ return APR_SUCCESS; ++ case AP_MPMQ_MIN_SPARE_THREADS: ++ *result = 0; ++ return APR_SUCCESS; ++ case AP_MPMQ_MAX_SPARE_DAEMONS: ++ *result = ap_daemons_max_free; ++ return APR_SUCCESS; ++ case AP_MPMQ_MAX_SPARE_THREADS: ++ *result = 0; ++ return APR_SUCCESS; ++ case AP_MPMQ_MAX_REQUESTS_DAEMON: ++ *result = ap_max_requests_per_child; ++ return APR_SUCCESS; ++ case AP_MPMQ_MAX_DAEMONS: ++ *result = server_limit; ++ return APR_SUCCESS; ++ case AP_MPMQ_MPM_STATE: ++ *result = mpm_state; ++ return APR_SUCCESS; ++ } ++ return APR_ENOTIMPL; ++} ++ ++#if defined(NEED_WAITPID) ++/* ++ Systems without a real waitpid 
sometimes lose a child's exit while waiting ++ for another. Search through the scoreboard for missing children. ++ */ ++int reap_children(int *exitcode, apr_exit_why_e *status) ++{ ++ int n, pid; ++ ++ for (n = 0; n < ap_max_daemons_limit; ++n) { ++ if (ap_scoreboard_image->servers[n][0].status != SERVER_DEAD && ++ kill((pid = ap_scoreboard_image->parent[n].pid), 0) == -1) { ++ ap_update_child_status_from_indexes(n, 0, SERVER_DEAD, NULL); ++ /* just mark it as having a successful exit status */ ++ *status = APR_PROC_EXIT; ++ *exitcode = 0; ++ return(pid); ++ } ++ } ++ return 0; ++} ++#endif ++ ++/***************************************************************** ++ * Connection structures and accounting... ++ */ ++ ++static void just_die(int sig) ++{ ++ clean_child_exit(0); ++} ++ ++static void stop_listening(int sig) ++{ ++ ap_close_listeners(); ++ ++ /* For a graceful stop, we want the child to exit when done */ ++ die_now = 1; ++} ++ ++/* volatile just in case */ ++static int volatile shutdown_pending; ++static int volatile restart_pending; ++static int volatile is_graceful; ++ ++static void sig_term(int sig) ++{ ++ if (shutdown_pending == 1) { ++ /* Um, is this _probably_ not an error, if the user has ++ * tried to do a shutdown twice quickly, so we won't ++ * worry about reporting it. 
++ */ ++ return; ++ } ++ shutdown_pending = 1; ++ is_graceful = (sig == AP_SIG_GRACEFUL_STOP); ++} ++ ++/* restart() is the signal handler for SIGHUP and AP_SIG_GRACEFUL ++ * in the parent process, unless running in ONE_PROCESS mode ++ */ ++static void restart(int sig) ++{ ++ if (restart_pending == 1) { ++ /* Probably not an error - don't bother reporting it */ ++ return; ++ } ++ restart_pending = 1; ++ is_graceful = (sig == AP_SIG_GRACEFUL); ++} ++ ++static void set_signals(void) ++{ ++#ifndef NO_USE_SIGACTION ++ struct sigaction sa; ++#endif ++ ++ if (!one_process) { ++ ap_fatal_signal_setup(ap_server_conf, pconf); ++ } ++ ++#ifndef NO_USE_SIGACTION ++ sigemptyset(&sa.sa_mask); ++ sa.sa_flags = 0; ++ ++ sa.sa_handler = sig_term; ++ if (sigaction(SIGTERM, &sa, NULL) < 0) ++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGTERM)"); ++#ifdef AP_SIG_GRACEFUL_STOP ++ if (sigaction(AP_SIG_GRACEFUL_STOP, &sa, NULL) < 0) ++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, ++ "sigaction(" AP_SIG_GRACEFUL_STOP_STRING ")"); ++#endif ++#ifdef SIGINT ++ if (sigaction(SIGINT, &sa, NULL) < 0) ++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGINT)"); ++#endif ++#ifdef SIGXCPU ++ sa.sa_handler = SIG_DFL; ++ if (sigaction(SIGXCPU, &sa, NULL) < 0) ++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXCPU)"); ++#endif ++#ifdef SIGXFSZ ++ sa.sa_handler = SIG_DFL; ++ if (sigaction(SIGXFSZ, &sa, NULL) < 0) ++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGXFSZ)"); ++#endif ++#ifdef SIGPIPE ++ sa.sa_handler = SIG_IGN; ++ if (sigaction(SIGPIPE, &sa, NULL) < 0) ++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGPIPE)"); ++#endif ++ ++ /* we want to ignore HUPs and AP_SIG_GRACEFUL while we're busy ++ * processing one ++ */ ++ sigaddset(&sa.sa_mask, SIGHUP); ++ sigaddset(&sa.sa_mask, AP_SIG_GRACEFUL); ++ sa.sa_handler = restart; ++ if 
(sigaction(SIGHUP, &sa, NULL) < 0) ++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(SIGHUP)"); ++ if (sigaction(AP_SIG_GRACEFUL, &sa, NULL) < 0) ++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "sigaction(" AP_SIG_GRACEFUL_STRING ")"); ++#else ++ if (!one_process) { ++#ifdef SIGXCPU ++ apr_signal(SIGXCPU, SIG_DFL); ++#endif /* SIGXCPU */ ++#ifdef SIGXFSZ ++ apr_signal(SIGXFSZ, SIG_DFL); ++#endif /* SIGXFSZ */ ++ } ++ ++ apr_signal(SIGTERM, sig_term); ++#ifdef SIGHUP ++ apr_signal(SIGHUP, restart); ++#endif /* SIGHUP */ ++#ifdef AP_SIG_GRACEFUL ++ apr_signal(AP_SIG_GRACEFUL, restart); ++#endif /* AP_SIG_GRACEFUL */ ++#ifdef AP_SIG_GRACEFUL_STOP ++ apr_signal(AP_SIG_GRACEFUL_STOP, sig_term); ++#endif /* AP_SIG_GRACEFUL */ ++#ifdef SIGPIPE ++ apr_signal(SIGPIPE, SIG_IGN); ++#endif /* SIGPIPE */ ++ ++#endif ++} ++ ++/***************************************************************** ++ * Child process main loop. ++ * The following vars are static to avoid getting clobbered by longjmp(); ++ * they are really private to child_main. ++ */ ++ ++static int requests_this_child; ++static int num_listensocks = 0; ++ ++ ++int ap_graceful_stop_signalled(void) ++{ ++ /* not ever called anymore... */ ++ return 0; ++} ++ ++ ++static void child_main(int child_num_arg) ++{ ++ apr_pool_t *ptrans; ++ apr_allocator_t *allocator; ++ apr_status_t status; ++ int i; ++ ap_listen_rec *lr; ++ apr_pollset_t *pollset; ++ ap_sb_handle_t *sbh; ++ apr_bucket_alloc_t *bucket_alloc; ++ int last_poll_idx = 0; ++ ++ mpm_state = AP_MPMQ_STARTING; /* for benefit of any hooks that run as this ++ * child initializes ++ */ ++ ++ my_child_num = child_num_arg; ++ ap_my_pid = getpid(); ++ requests_this_child = 0; ++ ++ ap_fatal_signal_child_setup(ap_server_conf); ++ ++ /* Get a sub context for global allocations in this child, so that ++ * we can have cleanups occur when the child exits. 
++ */ ++ apr_allocator_create(&allocator); ++ apr_allocator_max_free_set(allocator, ap_max_mem_free); ++ apr_pool_create_ex(&pchild, pconf, NULL, allocator); ++ apr_allocator_owner_set(allocator, pchild); ++ ++ apr_pool_create(&ptrans, pchild); ++ apr_pool_tag(ptrans, "transaction"); ++ ++ /* needs to be done before we switch UIDs so we have permissions */ ++ ap_reopen_scoreboard(pchild, NULL, 0); ++ status = apr_proc_mutex_child_init(&accept_mutex, ap_lock_fname, pchild); ++ if (status != APR_SUCCESS) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, status, ap_server_conf, ++ "Couldn't initialize cross-process lock in child " ++ "(%s) (%d)", ap_lock_fname, ap_accept_lock_mech); ++ clean_child_exit(APEXIT_CHILDFATAL); ++ } ++ ++ if (unixd_setup_child()) { ++ clean_child_exit(APEXIT_CHILDFATAL); ++ } ++ ++ ap_run_child_init(pchild, ap_server_conf); ++ ++ ap_create_sb_handle(&sbh, pchild, my_child_num, 0); ++ ++ (void) ap_update_child_status(sbh, SERVER_READY, (request_rec *) NULL); ++ ++ /* Set up the pollfd array */ ++ /* ### check the status */ ++ (void) apr_pollset_create(&pollset, num_listensocks, pchild, 0); ++ ++ for (lr = ap_listeners, i = num_listensocks; i--; lr = lr->next) { ++ apr_pollfd_t pfd = { 0 }; ++ ++ pfd.desc_type = APR_POLL_SOCKET; ++ pfd.desc.s = lr->sd; ++ pfd.reqevents = APR_POLLIN; ++ pfd.client_data = lr; ++ ++ /* ### check the status */ ++ (void) apr_pollset_add(pollset, &pfd); ++ } ++ ++ mpm_state = AP_MPMQ_RUNNING; ++ ++ bucket_alloc = apr_bucket_alloc_create(pchild); ++ ++ /* die_now is set when AP_SIG_GRACEFUL is received in the child; ++ * shutdown_pending is set when SIGTERM is received when running ++ * in single process mode. */ ++ while (!die_now && !shutdown_pending) { ++ conn_rec *current_conn; ++ void *csd; ++ ++ /* ++ * (Re)initialize this child to a pre-connection state. 
++ */ ++ ++ apr_pool_clear(ptrans); ++ ++ if ((ap_max_requests_per_child > 0 ++ && requests_this_child++ >= ap_max_requests_per_child)) { ++ clean_child_exit(0); ++ } ++ ++ (void) ap_update_child_status(sbh, SERVER_READY, (request_rec *) NULL); ++ ++ /* ++ * Wait for an acceptable connection to arrive. ++ */ ++ ++ /* Lock around "accept", if necessary */ ++ SAFE_ACCEPT(accept_mutex_on()); ++ ++ if (num_listensocks == 1) { ++ /* There is only one listener record, so refer to that one. */ ++ lr = ap_listeners; ++ } ++ else { ++ /* multiple listening sockets - need to poll */ ++ for (;;) { ++ apr_int32_t numdesc; ++ const apr_pollfd_t *pdesc; ++ ++ /* timeout == -1 == wait forever */ ++ status = apr_pollset_poll(pollset, -1, &numdesc, &pdesc); ++ if (status != APR_SUCCESS) { ++ if (APR_STATUS_IS_EINTR(status)) { ++ if (one_process && shutdown_pending) { ++ return; ++ } ++ else if (die_now) { ++ /* In graceful stop/restart; drop the mutex ++ * and terminate the child. */ ++ SAFE_ACCEPT(accept_mutex_off()); ++ clean_child_exit(0); ++ } ++ continue; ++ } ++ /* Single Unix documents select as returning errnos ++ * EBADF, EINTR, and EINVAL... and in none of those ++ * cases does it make sense to continue. In fact ++ * on Linux 2.0.x we seem to end up with EFAULT ++ * occasionally, and we'd loop forever due to it. ++ */ ++ ap_log_error(APLOG_MARK, APLOG_ERR, status, ++ ap_server_conf, "apr_pollset_poll: (listen)"); ++ SAFE_ACCEPT(accept_mutex_off()); ++ clean_child_exit(1); ++ } ++ ++ /* We can always use pdesc[0], but sockets at position N ++ * could end up completely starved of attention in a very ++ * busy server. Therefore, we round-robin across the ++ * returned set of descriptors. While it is possible that ++ * the returned set of descriptors might flip around and ++ * continue to starve some sockets, we happen to know the ++ * internal pollset implementation retains ordering ++ * stability of the sockets. 
Thus, the round-robin should ++ * ensure that a socket will eventually be serviced. ++ */ ++ if (last_poll_idx >= numdesc) ++ last_poll_idx = 0; ++ ++ /* Grab a listener record from the client_data of the poll ++ * descriptor, and advance our saved index to round-robin ++ * the next fetch. ++ * ++ * ### hmm... this descriptor might have POLLERR rather ++ * ### than POLLIN ++ */ ++ lr = pdesc[last_poll_idx++].client_data; ++ goto got_fd; ++ } ++ } ++ got_fd: ++ /* if we accept() something we don't want to die, so we have to ++ * defer the exit ++ */ ++ status = lr->accept_func(&csd, lr, ptrans); ++ ++ SAFE_ACCEPT(accept_mutex_off()); /* unlock after "accept" */ ++ ++ if (status == APR_EGENERAL) { ++ /* resource shortage or should-not-occur occured */ ++ clean_child_exit(1); ++ } ++ else if (status != APR_SUCCESS) { ++ continue; ++ } ++ ++ /* ++ * We now have a connection, so set it up with the appropriate ++ * socket options, file descriptors, and read/write buffers. ++ */ ++ ++ current_conn = ap_run_create_connection(ptrans, ap_server_conf, csd, my_child_num, sbh, bucket_alloc); ++ if (current_conn) { ++ ap_process_connection(current_conn, csd); ++ ap_lingering_close(current_conn); ++ } ++ ++ /* Check the pod and the generation number after processing a ++ * connection so that we'll go away if a graceful restart occurred ++ * while we were processing the connection or we are the lucky ++ * idle server process that gets to die. ++ */ ++ if (ap_mpm_pod_check(pod) == APR_SUCCESS) { /* selected as idle? */ ++ die_now = 1; ++ } ++ else if (ap_my_generation != ++ ap_scoreboard_image->global->running_generation) { /* restart? */ ++ /* yeah, this could be non-graceful restart, in which case the ++ * parent will kill us soon enough, but why bother checking? 
++ */
++ die_now = 1;
++ }
++ }
++ clean_child_exit(0);
++}
++
++
++static int make_child(server_rec *s, int slot)
++{
++ int pid;
++
++ if (slot + 1 > ap_max_daemons_limit) {
++ ap_max_daemons_limit = slot + 1;
++ }
++
++ if (one_process) {
++ apr_signal(SIGHUP, sig_term);
++ /* Don't catch AP_SIG_GRACEFUL in ONE_PROCESS mode :) */
++ apr_signal(SIGINT, sig_term);
++#ifdef SIGQUIT
++ apr_signal(SIGQUIT, SIG_DFL);
++#endif
++ apr_signal(SIGTERM, sig_term);
++ child_main(slot);
++ return 0;
++ }
++
++ (void) ap_update_child_status_from_indexes(slot, 0, SERVER_STARTING,
++ (request_rec *) NULL);
++
++
++#ifdef _OSD_POSIX
++ /* BS2000 requires a "special" version of fork() before a setuid() call */
++ if ((pid = os_fork(unixd_config.user_name)) == -1) {
++#elif defined(TPF)
++ if ((pid = os_fork(s, slot)) == -1) {
++#else
++ if ((pid = fork()) == -1) {
++#endif
++ ap_log_error(APLOG_MARK, APLOG_ERR, errno, s, "fork: Unable to fork new process");
++
++ /* fork didn't succeed. Fix the scoreboard or else
++ * it will say SERVER_STARTING forever and ever
++ */
++ (void) ap_update_child_status_from_indexes(slot, 0, SERVER_DEAD,
++ (request_rec *) NULL);
++
++ /* In case system resources are maxxed out, we don't want
++ * Apache running away with the CPU trying to fork over and
++ * over and over again.
++ */
++ sleep(10);
++
++ return -1;
++ }
++
++ if (!pid) {
++#ifdef HAVE_BINDPROCESSOR
++ /* by default AIX binds to a single processor
++ * this bit unbinds children which will then bind to another cpu
++ */
++ int status = bindprocessor(BINDPROCESS, (int)getpid(),
++ PROCESSOR_CLASS_ANY);
++ if (status != OK) {
++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno,
++ ap_server_conf, "processor unbind failed %d", status);
++ }
++#endif
++ RAISE_SIGSTOP(MAKE_CHILD);
++ AP_MONCONTROL(1);
++ /* Disable the parent's signal handlers and set up proper handling in
++ * the child.
++ */ ++ apr_signal(SIGHUP, just_die); ++ apr_signal(SIGTERM, just_die); ++ /* The child process just closes listeners on AP_SIG_GRACEFUL. ++ * The pod is used for signalling the graceful restart. ++ */ ++ apr_signal(AP_SIG_GRACEFUL, stop_listening); ++ child_main(slot); ++ } ++ ++ ap_scoreboard_image->parent[slot].pid = pid; ++ ++ return 0; ++} ++ ++ ++/* start up a bunch of children */ ++static void startup_children(int number_to_start) ++{ ++ int i; ++ ++ for (i = 0; number_to_start && i < ap_daemons_limit; ++i) { ++ if (ap_scoreboard_image->servers[i][0].status != SERVER_DEAD) { ++ continue; ++ } ++ if (make_child(ap_server_conf, i) < 0) { ++ break; ++ } ++ --number_to_start; ++ } ++} ++ ++ ++/* ++ * idle_spawn_rate is the number of children that will be spawned on the ++ * next maintenance cycle if there aren't enough idle servers. It is ++ * doubled up to MAX_SPAWN_RATE, and reset only when a cycle goes by ++ * without the need to spawn. ++ */ ++static int idle_spawn_rate = 1; ++#ifndef MAX_SPAWN_RATE ++#define MAX_SPAWN_RATE (32) ++#endif ++static int hold_off_on_exponential_spawning; ++ ++static void perform_idle_server_maintenance(apr_pool_t *p) ++{ ++ int i; ++ int to_kill; ++ int idle_count; ++ worker_score *ws; ++ int free_length; ++ int free_slots[MAX_SPAWN_RATE]; ++ int last_non_dead; ++ int total_non_dead; ++ ++ /* initialize the free_list */ ++ free_length = 0; ++ ++ to_kill = -1; ++ idle_count = 0; ++ last_non_dead = -1; ++ total_non_dead = 0; ++ ++ for (i = 0; i < ap_daemons_limit; ++i) { ++ int status; ++ ++ if (i >= ap_max_daemons_limit && free_length == idle_spawn_rate) ++ break; ++ ws = &ap_scoreboard_image->servers[i][0]; ++ status = ws->status; ++ if (status == SERVER_DEAD) { ++ /* try to keep children numbers as low as possible */ ++ if (free_length < idle_spawn_rate) { ++ free_slots[free_length] = i; ++ ++free_length; ++ } ++ } ++ else { ++ /* We consider a starting server as idle because we started it ++ * at least a cycle ago, and if it 
still hasn't finished starting ++ * then we're just going to swamp things worse by forking more. ++ * So we hopefully won't need to fork more if we count it. ++ * This depends on the ordering of SERVER_READY and SERVER_STARTING. ++ */ ++ if (status <= SERVER_READY) { ++ ++ idle_count; ++ /* always kill the highest numbered child if we have to... ++ * no really well thought out reason ... other than observing ++ * the server behaviour under linux where lower numbered children ++ * tend to service more hits (and hence are more likely to have ++ * their data in cpu caches). ++ */ ++ to_kill = i; ++ } ++ ++ ++total_non_dead; ++ last_non_dead = i; ++ } ++ } ++ ap_max_daemons_limit = last_non_dead + 1; ++ if (idle_count > ap_daemons_max_free) { ++ /* kill off one child... we use the pod because that'll cause it to ++ * shut down gracefully, in case it happened to pick up a request ++ * while we were counting ++ */ ++ ap_mpm_pod_signal(pod); ++ idle_spawn_rate = 1; ++ } ++ else if (idle_count < ap_daemons_min_free) { ++ /* terminate the free list */ ++ if (free_length == 0) { ++ /* only report this condition once */ ++ static int reported = 0; ++ ++ if (!reported) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, ap_server_conf, ++ "server reached MaxClients setting, consider" ++ " raising the MaxClients setting"); ++ reported = 1; ++ } ++ idle_spawn_rate = 1; ++ } ++ else { ++ if (idle_spawn_rate >= 8) { ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, ap_server_conf, ++ "server seems busy, (you may need " ++ "to increase StartServers, or Min/MaxSpareServers), " ++ "spawning %d children, there are %d idle, and " ++ "%d total children", idle_spawn_rate, ++ idle_count, total_non_dead); ++ } ++ for (i = 0; i < free_length; ++i) { ++#ifdef TPF ++ if (make_child(ap_server_conf, free_slots[i]) == -1) { ++ if(free_length == 1) { ++ shutdown_pending = 1; ++ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, ap_server_conf, ++ "No active child processes: shutting down"); ++ } ++ } ++#else ++ 
make_child(ap_server_conf, free_slots[i]); ++#endif /* TPF */ ++ } ++ /* the next time around we want to spawn twice as many if this ++ * wasn't good enough, but not if we've just done a graceful ++ */ ++ if (hold_off_on_exponential_spawning) { ++ --hold_off_on_exponential_spawning; ++ } ++ else if (idle_spawn_rate < MAX_SPAWN_RATE) { ++ idle_spawn_rate *= 2; ++ } ++ } ++ } ++ else { ++ idle_spawn_rate = 1; ++ } ++} ++ ++/***************************************************************** ++ * Executive routines. ++ */ ++ ++int ap_mpm_run(apr_pool_t *_pconf, apr_pool_t *plog, server_rec *s) ++{ ++ int index; ++ int remaining_children_to_start; ++ apr_status_t rv; ++ ++ ap_log_pid(pconf, ap_pid_fname); ++ ++ first_server_limit = server_limit; ++ if (changed_limit_at_restart) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, ++ "WARNING: Attempt to change ServerLimit " ++ "ignored during restart"); ++ changed_limit_at_restart = 0; ++ } ++ ++ /* Initialize cross-process accept lock */ ++ ap_lock_fname = apr_psprintf(_pconf, "%s.%" APR_PID_T_FMT, ++ ap_server_root_relative(_pconf, ap_lock_fname), ++ ap_my_pid); ++ ++ rv = apr_proc_mutex_create(&accept_mutex, ap_lock_fname, ++ ap_accept_lock_mech, _pconf); ++ if (rv != APR_SUCCESS) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, ++ "Couldn't create accept lock (%s) (%d)", ++ ap_lock_fname, ap_accept_lock_mech); ++ mpm_state = AP_MPMQ_STOPPING; ++ return 1; ++ } ++ ++#if APR_USE_SYSVSEM_SERIALIZE ++ if (ap_accept_lock_mech == APR_LOCK_DEFAULT || ++ ap_accept_lock_mech == APR_LOCK_SYSVSEM) { ++#else ++ if (ap_accept_lock_mech == APR_LOCK_SYSVSEM) { ++#endif ++ rv = unixd_set_proc_mutex_perms(accept_mutex); ++ if (rv != APR_SUCCESS) { ++ ap_log_error(APLOG_MARK, APLOG_EMERG, rv, s, ++ "Couldn't set permissions on cross-process lock; " ++ "check User and Group directives"); ++ mpm_state = AP_MPMQ_STOPPING; ++ return 1; ++ } ++ } ++ ++ if (!is_graceful) { ++ if (ap_run_pre_mpm(s->process->pool, SB_SHARED) != OK) { ++ 
mpm_state = AP_MPMQ_STOPPING; ++ return 1; ++ } ++ /* fix the generation number in the global score; we just got a new, ++ * cleared scoreboard ++ */ ++ ap_scoreboard_image->global->running_generation = ap_my_generation; ++ } ++ ++ set_signals(); ++ ++ if (one_process) { ++ AP_MONCONTROL(1); ++ make_child(ap_server_conf, 0); ++ } ++ else { ++ if (ap_daemons_max_free < ap_daemons_min_free + 1) /* Don't thrash... */ ++ ap_daemons_max_free = ap_daemons_min_free + 1; ++ ++ /* If we're doing a graceful_restart then we're going to see a lot ++ * of children exiting immediately when we get into the main loop ++ * below (because we just sent them AP_SIG_GRACEFUL). This happens pretty ++ * rapidly... and for each one that exits we'll start a new one until ++ * we reach at least daemons_min_free. But we may be permitted to ++ * start more than that, so we'll just keep track of how many we're ++ * supposed to start up without the 1 second penalty between each fork. ++ */ ++ remaining_children_to_start = ap_daemons_to_start; ++ if (remaining_children_to_start > ap_daemons_limit) { ++ remaining_children_to_start = ap_daemons_limit; ++ } ++ if (!is_graceful) { ++ startup_children(remaining_children_to_start); ++ remaining_children_to_start = 0; ++ } ++ else { ++ /* give the system some time to recover before kicking into ++ * exponential mode ++ */ ++ hold_off_on_exponential_spawning = 10; ++ } ++ ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, ++ "%s configured -- resuming normal operations", ++ ap_get_server_description()); ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, ap_server_conf, ++ "Server built: %s", ap_get_server_built()); ++#ifdef AP_MPM_WANT_SET_ACCEPT_LOCK_MECH ++ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, ap_server_conf, ++ "AcceptMutex: %s (default: %s)", ++ apr_proc_mutex_name(accept_mutex), ++ apr_proc_mutex_defname()); ++#endif ++ restart_pending = shutdown_pending = 0; ++ ++ mpm_state = AP_MPMQ_RUNNING; ++ ++ while (!restart_pending && 
!shutdown_pending) { ++ int child_slot; ++ apr_exit_why_e exitwhy; ++ int status, processed_status; ++ /* this is a memory leak, but I'll fix it later. */ ++ apr_proc_t pid; ++ ++ ap_wait_or_timeout(&exitwhy, &status, &pid, pconf); ++ ++ /* XXX: if it takes longer than 1 second for all our children ++ * to start up and get into IDLE state then we may spawn an ++ * extra child ++ */ ++ if (pid.pid != -1) { ++ processed_status = ap_process_child_status(&pid, exitwhy, status); ++ if (processed_status == APEXIT_CHILDFATAL) { ++ mpm_state = AP_MPMQ_STOPPING; ++ return 1; ++ } ++ ++ /* non-fatal death... note that it's gone in the scoreboard. */ ++ child_slot = find_child_by_pid(&pid); ++ if (child_slot >= 0) { ++ (void) ap_update_child_status_from_indexes(child_slot, 0, SERVER_DEAD, ++ (request_rec *) NULL); ++ if (processed_status == APEXIT_CHILDSICK) { ++ /* child detected a resource shortage (E[NM]FILE, ENOBUFS, etc) ++ * cut the fork rate to the minimum ++ */ ++ idle_spawn_rate = 1; ++ } ++ else if (remaining_children_to_start ++ && child_slot < ap_daemons_limit) { ++ /* we're still doing a 1-for-1 replacement of dead ++ * children with new children ++ */ ++ make_child(ap_server_conf, child_slot); ++ --remaining_children_to_start; ++ } ++#if APR_HAS_OTHER_CHILD ++ } ++ else if (apr_proc_other_child_alert(&pid, APR_OC_REASON_DEATH, status) == APR_SUCCESS) { ++ /* handled */ ++#endif ++ } ++ else if (is_graceful) { ++ /* Great, we've probably just lost a slot in the ++ * scoreboard. Somehow we don't know about this ++ * child. ++ */ ++ ap_log_error(APLOG_MARK, APLOG_WARNING, ++ 0, ap_server_conf, ++ "long lost child came home! (pid %ld)", (long)pid.pid); ++ } ++ /* Don't perform idle maintenance when a child dies, ++ * only do it when there's a timeout. Remember only a ++ * finite number of children can die, and it's pretty ++ * pathological for a lot to die suddenly. 
++ */
++ continue;
++ }
++ else if (remaining_children_to_start) {
++ /* we hit a 1 second timeout in which none of the previous
++ * generation of children needed to be reaped... so assume
++ * they're all done, and pick up the slack if any is left.
++ */
++ startup_children(remaining_children_to_start);
++ remaining_children_to_start = 0;
++ /* In any event we really shouldn't do the code below because
++ * few of the servers we just started are in the IDLE state
++ * yet, so we'd mistakenly create an extra server.
++ */
++ continue;
++ }
++
++ perform_idle_server_maintenance(pconf);
++#ifdef TPF
++ shutdown_pending = os_check_server(tpf_server_name);
++ ap_check_signals();
++ sleep(1);
++#endif /*TPF */
++ }
++ } /* one_process */
++
++ mpm_state = AP_MPMQ_STOPPING;
++
++ if (shutdown_pending && !is_graceful) {
++ /* Time to shut down:
++ * Kill child processes, tell them to call child_exit, etc...
++ */
++ if (unixd_killpg(getpgrp(), SIGTERM) < 0) {
++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "killpg SIGTERM");
++ }
++ ap_reclaim_child_processes(1); /* Start with SIGTERM */
++
++ /* cleanup pid file on normal shutdown */
++ {
++ const char *pidfile = NULL;
++ pidfile = ap_server_root_relative (pconf, ap_pid_fname);
++ if ( pidfile != NULL && unlink(pidfile) == 0)
++ ap_log_error(APLOG_MARK, APLOG_INFO,
++ 0, ap_server_conf,
++ "removed PID file %s (pid=%ld)",
++ pidfile, (long)getpid());
++ }
++
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf,
++ "caught SIGTERM, shutting down");
++
++ return 1;
++ } else if (shutdown_pending) {
++ /* Time to perform a graceful shut down:
++ * Reap the inactive children, and ask the active ones
++ * to close their listeners, then wait until they are
++ * all done to exit.
++ */
++ int active_children;
++ apr_time_t cutoff = 0;
++
++ /* Stop listening */
++ ap_close_listeners();
++
++ /* kill off the idle ones */
++ ap_mpm_pod_killpg(pod, ap_max_daemons_limit);
++
++ /* Send SIGUSR1 to the active children */
++ active_children = 0;
++ for (index = 0; index < ap_daemons_limit; ++index) {
++ if (ap_scoreboard_image->servers[index][0].status != SERVER_DEAD) {
++ /* Ask each child to close its listeners. */
++ ap_mpm_safe_kill(MPM_CHILD_PID(index), AP_SIG_GRACEFUL);
++ active_children++;
++ }
++ }
++
++ /* Allow each child which actually finished to exit */
++ ap_relieve_child_processes();
++
++ /* cleanup pid file */
++ {
++ const char *pidfile = NULL;
++ pidfile = ap_server_root_relative (pconf, ap_pid_fname);
++ if ( pidfile != NULL && unlink(pidfile) == 0)
++ ap_log_error(APLOG_MARK, APLOG_INFO,
++ 0, ap_server_conf,
++ "removed PID file %s (pid=%ld)",
++ pidfile, (long)getpid());
++ }
++
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf,
++ "caught " AP_SIG_GRACEFUL_STOP_STRING ", shutting down gracefully");
++
++ if (ap_graceful_shutdown_timeout) {
++ cutoff = apr_time_now() +
++ apr_time_from_sec(ap_graceful_shutdown_timeout);
++ }
++
++ /* Don't really exit until each child has finished */
++ shutdown_pending = 0;
++ do {
++ /* Pause for a second */
++ sleep(1);
++
++ /* Relieve any children which have now exited */
++ ap_relieve_child_processes();
++
++ active_children = 0;
++ for (index = 0; index < ap_daemons_limit; ++index) {
++ if (ap_mpm_safe_kill(MPM_CHILD_PID(index), 0) == APR_SUCCESS) {
++ active_children = 1;
++ /* Having just one child is enough to stay around */
++ break;
++ }
++ }
++ } while (!shutdown_pending && active_children &&
++ (!ap_graceful_shutdown_timeout || apr_time_now() < cutoff));
++
++ /* We might be here because we received SIGTERM, either
++ * way, try and make sure that all of our processes are
++ * really dead.
++ */ ++ unixd_killpg(getpgrp(), SIGTERM); ++ ++ return 1; ++ } ++ ++ /* we've been told to restart */ ++ apr_signal(SIGHUP, SIG_IGN); ++ apr_signal(AP_SIG_GRACEFUL, SIG_IGN); ++ if (one_process) { ++ /* not worth thinking about */ ++ return 1; ++ } ++ ++ /* advance to the next generation */ ++ /* XXX: we really need to make sure this new generation number isn't in ++ * use by any of the children. ++ */ ++ ++ap_my_generation; ++ ap_scoreboard_image->global->running_generation = ap_my_generation; ++ ++ if (is_graceful) { ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, ++ "Graceful restart requested, doing restart"); ++ ++ /* kill off the idle ones */ ++ ap_mpm_pod_killpg(pod, ap_max_daemons_limit); ++ ++ /* This is mostly for debugging... so that we know what is still ++ * gracefully dealing with existing request. This will break ++ * in a very nasty way if we ever have the scoreboard totally ++ * file-based (no shared memory) ++ */ ++ for (index = 0; index < ap_daemons_limit; ++index) { ++ if (ap_scoreboard_image->servers[index][0].status != SERVER_DEAD) { ++ ap_scoreboard_image->servers[index][0].status = SERVER_GRACEFUL; ++ /* Ask each child to close its listeners. ++ * ++ * NOTE: we use the scoreboard, because if we send SIGUSR1 ++ * to every process in the group, this may include CGI's, ++ * piped loggers, etc. They almost certainly won't handle ++ * it gracefully. ++ */ ++ ap_mpm_safe_kill(ap_scoreboard_image->parent[index].pid, AP_SIG_GRACEFUL); ++ } ++ } ++ } ++ else { ++ /* Kill 'em off */ ++ if (unixd_killpg(getpgrp(), SIGHUP) < 0) { ++ ap_log_error(APLOG_MARK, APLOG_WARNING, errno, ap_server_conf, "killpg SIGHUP"); ++ } ++ ap_reclaim_child_processes(0); /* Not when just starting up */ ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, ap_server_conf, ++ "SIGHUP received. 
Attempting to restart"); ++ } ++ ++ return 0; ++} ++ ++/* This really should be a post_config hook, but the error log is already ++ * redirected by that point, so we need to do this in the open_logs phase. ++ */ ++static int prefork_open_logs(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) ++{ ++ apr_status_t rv; ++ ++ pconf = p; ++ ap_server_conf = s; ++ ++ if ((num_listensocks = ap_setup_listeners(ap_server_conf)) < 1) { ++ ap_log_error(APLOG_MARK, APLOG_ALERT|APLOG_STARTUP, 0, ++ NULL, "no listening sockets available, shutting down"); ++ return DONE; ++ } ++ ++ if ((rv = ap_mpm_pod_open(pconf, &pod))) { ++ ap_log_error(APLOG_MARK, APLOG_CRIT|APLOG_STARTUP, rv, NULL, ++ "Could not open pipe-of-death."); ++ return DONE; ++ } ++ return OK; ++} ++ ++static int prefork_pre_config(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp) ++{ ++ static int restart_num = 0; ++ int no_detach, debug, foreground; ++ apr_status_t rv; ++ ++ mpm_state = AP_MPMQ_STARTING; ++ ++ debug = ap_exists_config_define("DEBUG"); ++ ++ if (debug) { ++ foreground = one_process = 1; ++ no_detach = 0; ++ } ++ else ++ { ++ no_detach = ap_exists_config_define("NO_DETACH"); ++ one_process = ap_exists_config_define("ONE_PROCESS"); ++ foreground = ap_exists_config_define("FOREGROUND"); ++ } ++ ++ /* sigh, want this only the second time around */ ++ if (restart_num++ == 1) { ++ is_graceful = 0; ++ ++ if (!one_process && !foreground) { ++ rv = apr_proc_detach(no_detach ? 
APR_PROC_DETACH_FOREGROUND ++ : APR_PROC_DETACH_DAEMONIZE); ++ if (rv != APR_SUCCESS) { ++ ap_log_error(APLOG_MARK, APLOG_CRIT, rv, NULL, ++ "apr_proc_detach failed"); ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } ++ } ++ ++ parent_pid = ap_my_pid = getpid(); ++ } ++ ++ unixd_pre_config(ptemp); ++ ap_listen_pre_config(); ++ ap_daemons_to_start = DEFAULT_START_DAEMON; ++ ap_daemons_min_free = DEFAULT_MIN_FREE_DAEMON; ++ ap_daemons_max_free = DEFAULT_MAX_FREE_DAEMON; ++ ap_daemons_limit = server_limit; ++ ap_pid_fname = DEFAULT_PIDLOG; ++ ap_lock_fname = DEFAULT_LOCKFILE; ++ ap_max_requests_per_child = DEFAULT_MAX_REQUESTS_PER_CHILD; ++ ap_extended_status = 0; ++#ifdef AP_MPM_WANT_SET_MAX_MEM_FREE ++ ap_max_mem_free = APR_ALLOCATOR_MAX_FREE_UNLIMITED; ++#endif ++ ++ apr_cpystrn(ap_coredump_dir, ap_server_root, sizeof(ap_coredump_dir)); ++ ++ return OK; ++} ++ ++static void prefork_hooks(apr_pool_t *p) ++{ ++ /* The prefork open_logs phase must run before the core's, or stderr ++ * will be redirected to a file, and the messages won't print to the ++ * console. 
++ */
++ static const char *const aszSucc[] = {"core.c", NULL};
++
++#ifdef AUX3
++ (void) set42sig();
++#endif
++
++ ap_hook_open_logs(prefork_open_logs, NULL, aszSucc, APR_HOOK_MIDDLE);
++ /* we need to set the MPM state before other pre-config hooks use MPM query
++ * to retrieve it, so register as REALLY_FIRST
++ */
++ ap_hook_pre_config(prefork_pre_config, NULL, NULL, APR_HOOK_REALLY_FIRST);
++}
++
++static const char *set_daemons_to_start(cmd_parms *cmd, void *dummy, const char *arg)
++{
++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++ if (err != NULL) {
++ return err;
++ }
++
++ ap_daemons_to_start = atoi(arg);
++ return NULL;
++}
++
++static const char *set_min_free_servers(cmd_parms *cmd, void *dummy, const char *arg)
++{
++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++ if (err != NULL) {
++ return err;
++ }
++
++ ap_daemons_min_free = atoi(arg);
++ if (ap_daemons_min_free <= 0) {
++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
++ "WARNING: detected MinSpareServers set to non-positive.");
++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
++ "Resetting to 1 to avoid almost certain Apache failure.");
++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
++ "Please read the documentation.");
++ ap_daemons_min_free = 1;
++ }
++
++ return NULL;
++}
++
++static const char *set_max_free_servers(cmd_parms *cmd, void *dummy, const char *arg)
++{
++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++ if (err != NULL) {
++ return err;
++ }
++
++ ap_daemons_max_free = atoi(arg);
++ return NULL;
++}
++
++static const char *set_max_clients (cmd_parms *cmd, void *dummy, const char *arg)
++{
++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++ if (err != NULL) {
++ return err;
++ }
++
++ ap_daemons_limit = atoi(arg);
++ if (ap_daemons_limit > server_limit) {
++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
++ "WARNING: MaxClients of %d exceeds ServerLimit value "
++ "of %d servers,", ap_daemons_limit, server_limit);
++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL, ++ " lowering MaxClients to %d. To increase, please " ++ "see the ServerLimit", server_limit); ++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL, ++ " directive."); ++ ap_daemons_limit = server_limit; ++ } ++ else if (ap_daemons_limit < 1) { ++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL, ++ "WARNING: Require MaxClients > 0, setting to 1"); ++ ap_daemons_limit = 1; ++ } ++ return NULL; ++} ++ ++static const char *set_server_limit (cmd_parms *cmd, void *dummy, const char *arg) ++{ ++ int tmp_server_limit; ++ ++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); ++ if (err != NULL) { ++ return err; ++ } ++ ++ tmp_server_limit = atoi(arg); ++ /* you cannot change ServerLimit across a restart; ignore ++ * any such attempts ++ */ ++ if (first_server_limit && ++ tmp_server_limit != server_limit) { ++ /* how do we log a message? the error log is a bit bucket at this ++ * point; we'll just have to set a flag so that ap_mpm_run() ++ * logs a warning later ++ */ ++ changed_limit_at_restart = 1; ++ return NULL; ++ } ++ server_limit = tmp_server_limit; ++ ++ if (server_limit > MAX_SERVER_LIMIT) { ++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL, ++ "WARNING: ServerLimit of %d exceeds compile time limit " ++ "of %d servers,", server_limit, MAX_SERVER_LIMIT); ++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL, ++ " lowering ServerLimit to %d.", MAX_SERVER_LIMIT); ++ server_limit = MAX_SERVER_LIMIT; ++ } ++ else if (server_limit < 1) { ++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL, ++ "WARNING: Require ServerLimit > 0, setting to 1"); ++ server_limit = 1; ++ } ++ return NULL; ++} ++ ++static const command_rec prefork_cmds[] = { ++UNIX_DAEMON_COMMANDS, ++LISTEN_COMMANDS, ++AP_INIT_TAKE1("StartServers", set_daemons_to_start, NULL, RSRC_CONF, ++ "Number of child processes launched at server startup"), ++AP_INIT_TAKE1("MinSpareServers", set_min_free_servers, NULL, RSRC_CONF, ++ "Minimum number of idle children, to 
handle request spikes"), ++AP_INIT_TAKE1("MaxSpareServers", set_max_free_servers, NULL, RSRC_CONF, ++ "Maximum number of idle children"), ++AP_INIT_TAKE1("MaxClients", set_max_clients, NULL, RSRC_CONF, ++ "Maximum number of children alive at the same time"), ++AP_INIT_TAKE1("ServerLimit", set_server_limit, NULL, RSRC_CONF, ++ "Maximum value of MaxClients for this run of Apache"), ++AP_GRACEFUL_SHUTDOWN_TIMEOUT_COMMAND, ++{ NULL } ++}; ++ ++module AP_MODULE_DECLARE_DATA mpm_prefork_module = { ++ MPM20_MODULE_STUFF, ++ ap_mpm_rewrite_args, /* hook to run before apache parses args */ ++ NULL, /* create per-directory config structure */ ++ NULL, /* merge per-directory config structures */ ++ NULL, /* create per-server config structure */ ++ NULL, /* merge per-server config structures */ ++ prefork_cmds, /* command apr_table_t */ ++ prefork_hooks, /* register hooks */ ++}; +Index: httpd-2.2.11/server/mpm/experimental/itk/mpm.h +=================================================================== +--- /dev/null 1970-01-01 00:00:00.000000000 +0000 ++++ httpd-2.2.11/server/mpm/experimental/itk/mpm.h 2009-03-17 21:38:54.000000000 +0100 +@@ -0,0 +1,62 @@ ++/* Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ */
++
++/**
++ * @file prefork/mpm.h
++ * @brief Unix Prefork MPM (default for Uinx systems)
++ *
++ * @defgroup APACHE_MPM_PREFORK Unix Prefork
++ * @ingroup APACHE_MPM APACHE_OS_UNIX
++ * @{
++ */
++
++#include "httpd.h"
++#include "mpm_default.h"
++#include "scoreboard.h"
++#include "unixd.h"
++
++#ifndef APACHE_MPM_PREFORK_H
++#define APACHE_MPM_PREFORK_H
++
++#define PREFORK_MPM
++
++#define MPM_NAME "Prefork"
++
++#define AP_MPM_WANT_RECLAIM_CHILD_PROCESSES
++#define AP_MPM_WANT_WAIT_OR_TIMEOUT
++#define AP_MPM_WANT_PROCESS_CHILD_STATUS
++#define AP_MPM_WANT_SET_PIDFILE
++#define AP_MPM_WANT_SET_SCOREBOARD
++#define AP_MPM_WANT_SET_LOCKFILE
++#define AP_MPM_WANT_SET_MAX_REQUESTS
++#define AP_MPM_WANT_SET_COREDUMPDIR
++#define AP_MPM_WANT_SET_ACCEPT_LOCK_MECH
++#define AP_MPM_WANT_SIGNAL_SERVER
++#define AP_MPM_WANT_SET_MAX_MEM_FREE
++#define AP_MPM_WANT_FATAL_SIGNAL_HANDLER
++#define AP_MPM_WANT_SET_GRACEFUL_SHUTDOWN
++#define AP_MPM_DISABLE_NAGLE_ACCEPTED_SOCK
++
++#define AP_MPM_USES_POD 1
++#define MPM_CHILD_PID(i) (ap_scoreboard_image->parent[i].pid)
++#define MPM_NOTE_CHILD_KILLED(i) (MPM_CHILD_PID(i) = 0)
++#define MPM_ACCEPT_FUNC unixd_accept
++
++extern int ap_threads_per_child;
++extern int ap_max_daemons_limit;
++extern server_rec *ap_server_conf;
++#endif /* APACHE_MPM_PREFORK_H */
++/** @} */
+Index: httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h
+===================================================================
+--- /dev/null 1970-01-01 00:00:00.000000000 +0000
++++ httpd-2.2.11/server/mpm/experimental/itk/mpm_default.h 2009-03-17 21:38:54.000000000 +0100
+@@ -0,0 +1,74 @@
++/* Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++/**
++ * @file prefork/mpm_default.h
++ * @brief Prefork MPM defaults
++ *
++ * @addtogroup APACHE_MPM_PREFORK
++ * @{
++ */
++
++#ifndef APACHE_MPM_DEFAULT_H
++#define APACHE_MPM_DEFAULT_H
++
++/* Number of servers to spawn off by default --- also, if fewer than
++ * this free when the caretaker checks, it will spawn more.
++ */
++#ifndef DEFAULT_START_DAEMON
++#define DEFAULT_START_DAEMON 5
++#endif
++
++/* Maximum number of *free* server processes --- more than this, and
++ * they will die off.
++ */
++
++#ifndef DEFAULT_MAX_FREE_DAEMON
++#define DEFAULT_MAX_FREE_DAEMON 10
++#endif
++
++/* Minimum --- fewer than this, and more will be created */
++
++#ifndef DEFAULT_MIN_FREE_DAEMON
++#define DEFAULT_MIN_FREE_DAEMON 5
++#endif
++
++/* File used for accept locking, when we use a file */
++#ifndef DEFAULT_LOCKFILE
++#define DEFAULT_LOCKFILE DEFAULT_REL_RUNTIMEDIR "/accept.lock"
++#endif
++
++/* Where the main/parent process's pid is logged */
++#ifndef DEFAULT_PIDLOG
++#define DEFAULT_PIDLOG DEFAULT_REL_RUNTIMEDIR "/httpd.pid"
++#endif
++
++/*
++ * Interval, in microseconds, between scoreboard maintenance.
++ */
++#ifndef SCOREBOARD_MAINTENANCE_INTERVAL
++#define SCOREBOARD_MAINTENANCE_INTERVAL 1000000
++#endif
++
++/* Number of requests to try to handle in a single process. If <= 0,
++ * the children don't die off.
++ */
++#ifndef DEFAULT_MAX_REQUESTS_PER_CHILD
++#define DEFAULT_MAX_REQUESTS_PER_CHILD 10000
++#endif
++
++#endif /* AP_MPM_DEFAULT_H */
++/** @} */
--- apache2-2.2.16.orig/debian/mpm-itk/patches/04-correct-output-makefile-location.patch
+++ apache2-2.2.16/debian/mpm-itk/patches/04-correct-output-makefile-location.patch
@@ -0,0 +1,13 @@
+Fix the build system to use MPM_SUBDIR_NAME (which points to the directory
+with the MPM in) instead of MPM_NAME (which returns the name of the MPM);
+they differ since the MPM is in experimental/.
+
+Index: apache2.2/server/mpm/experimental/itk/config.m4
+===================================================================
+--- apache2.2.orig/server/mpm/experimental/itk/config.m4 2007-01-29 21:03:51.000000000 +0100
++++ apache2.2/server/mpm/experimental/itk/config.m4 2007-01-29 21:03:57.000000000 +0100
+@@ -1,3 +1,3 @@
+ if test "$MPM_NAME" = "itk" ; then
+- APACHE_FAST_OUTPUT(server/mpm/$MPM_NAME/Makefile)
++ APACHE_FAST_OUTPUT(server/mpm/$MPM_SUBDIR_NAME/Makefile)
+ fi
--- apache2-2.2.16.orig/debian/mpm-itk/debian/changelog
+++ apache2-2.2.16/debian/mpm-itk/debian/changelog
@@ -0,0 +1,117 @@ +apache2-mpm-itk has been merged into the apache2 source package. For newer +changes, see the apache2 changelog. + +apache2-mpm-itk (2.2.11-02-1) unstable; urgency=low + + * New upstream release. + + -- Steinar H. Gunderson Tue, 14 Apr 2009 23:47:36 +0200 + +apache2-mpm-itk (2.2.11-01-1) unstable; urgency=low + + * New upstream release. + * Updated debian/copyright file with COPYRIGHT from the tarball. + * Updated apache2-src build-dependency to make sure we build against Apache + 2.2.11. (The patch set itself will work just fine for 2.2.9, although + not without some fuzz.) + * Updated Standards-Version to 3.8.1 (no changes needed). + + -- Steinar H. Gunderson Sun, 22 Mar 2009 15:39:39 +0100 + +apache2-mpm-itk (2.2.6-02-1) unstable; urgency=medium + + * New upstream release. + * Fixes a configure test for libcap. + * Update Debian package to fix fine-grained capability dropping support. + Together with the upstream fixes, this enables capability dropping, + which was previously broken. (Closes: #492614) + * Run autoheader before autoconf, so HAVE_LIBCAP gets into the right .h + file. + * Change build-dependency from libcap-dev to libcap2-dev, as libcap-dev is + deprecated. + + -- Steinar H. Gunderson Sun, 27 Jul 2008 22:18:26 +0200 + +apache2-mpm-itk (2.2.6-01-3.1) unstable; urgency=low + + * Non-maintainer upload. + * Correctly determine the dependency on apache2.2-common. (Closes: #477772) + + -- Stefan Fritsch Wed, 18 Jun 2008 23:09:34 +0200 + +apache2-mpm-itk (2.2.6-01-3) unstable; urgency=low + + * Use config.nice from apache2-src. This allows us to drop the + build-dependency on apache2-prefork-dev. + * Bump versioned build-dependency on apache2-src to 2.2.9. + * Build-depend on libaprutil1-dev, since we no lenger get it in + transitively from apache2-prefork-dev. + + -- Steinar H. 
Gunderson Sun, 15 Jun 2008 10:11:49 -0700 + +apache2-mpm-itk (2.2.6-01-2) unstable; urgency=low + + * Update the long description to better reflect the status of the package + (it can hardly be called “highly experimental†anymore). + * Lintian fixes: + * Build-depend on apache2-src (>= 2.2.6) instead of apache2-src + (>= 2.2.6-1). + * Update to Standards-Version 3.7.3 (no changes needed). + + -- Steinar H. Gunderson Tue, 29 Apr 2008 00:55:41 +0200 + +apache2-mpm-itk (2.2.6-01-1) unstable; urgency=high + + * New upstream release, with patches updated for Apache 2.2.6. Should fix + FTBFS (but that FTBFS was silently ignored, see next item). + * Update the apache2-src build dependency to at least 2.2.6-1, as I'm + unsure of the effects of building with this patch set against older + versions. + * Use "set -e" in the patch target so failing hunks are not ignored during + building. + * Updated the homepage URL in debian/copyright, and added + licensing/copyright/tarball information. + + -- Steinar H. Gunderson Sat, 05 Jan 2008 12:27:08 +0100 + +apache2-mpm-itk (2.2.3-04-3) unstable; urgency=medium + + * Provide and conflict with apache2-mpm, in line with new practice from + the main Apache package. This replaces the old conflict lines, as well as + the Provides: apache2-modules. + * apache2-src now contains a top-level directory; adjust debian/rules + accordingly so we just unpack the tarball instead of making an apache2.2 + directory and untarring within that. Fixes FTBFS with newer apache2-src. + (Closes: #428919) + * Build-depend on apache2-src (>= 2.2.3-5), as this will now FTBFS with + older apache2-src versions. + * Remove an obsolete comment from the debian/rules source target. + + -- Steinar H. Gunderson Fri, 15 Jun 2007 13:19:51 +0200 + +apache2-mpm-itk (2.2.3-04-2) unstable; urgency=low + + * Don't build-depend on libcap-dev for non-Linux architectures, which + prevents building on those; patch from Cyril Brulebois. + (Closes: #416460) + + -- Steinar H. 
Gunderson Sat, 19 May 2007 01:48:11 +0200 + +apache2-mpm-itk (2.2.3-04-1) unstable; urgency=low + + * New upstream release; now with split patches in a tarball (with license + and all) instead of one monolithic patch. + * Adjust debian/rules accordingly. + * Make a "source" target that uses quilt instead of manual patching. + * Remove workaround for old apache2-src. + * Drop dh_testroot from the clean target, as we do not really need root for + it, and it's convenient to be able to just do "debian/rules source" without + using fakeroot. + + -- Steinar H. Gunderson Wed, 25 Apr 2007 14:13:33 +0200 + +apache2-mpm-itk (2.2.3-01-1) unstable; urgency=low + + * Initial port to Apache 2.2, and upload to Debian. + + -- Steinar H. Gunderson Sun, 29 Oct 2006 23:05:36 +0100 --- apache2-2.2.16.orig/debian/config-dir/ports.conf +++ apache2-2.2.16/debian/config-dir/ports.conf @@ -0,0 +1,23 @@ +# If you just change the port or add more ports here, you will likely also +# have to change the VirtualHost statement in +# /etc/apache2/sites-enabled/000-default +# This is also true if you have upgraded from before 2.2.9-3 (i.e. from +# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and +# README.Debian.gz + +NameVirtualHost *:80 +Listen 80 + + + # If you add NameVirtualHost *:443 here, you will also have to change + # the VirtualHost statement in /etc/apache2/sites-available/default-ssl + # to + # Server Name Indication for SSL named virtual hosts is currently not + # supported by MSIE on Windows XP. + Listen 443 + + + + Listen 443 + + --- apache2-2.2.16.orig/debian/config-dir/envvars +++ apache2-2.2.16/debian/config-dir/envvars 
@@ -0,0 +1,33 @@
+# envvars - default environment variables for apache2ctl
+
+# this won't be correct after changing uid
+unset HOME
+
+# for supporting multiple apache2 instances
+if [ "${APACHE_CONFDIR##/etc/apache2-}" != "${APACHE_CONFDIR}" ] ; then
+ SUFFIX="-${APACHE_CONFDIR##/etc/apache2-}"
+else
+ SUFFIX=
+fi
+
+# Since there is no sane way to get the parsed apache2 config in scripts, some
+# settings are defined via environment variables and then used in apache2ctl,
+# /etc/init.d/apache2, /etc/logrotate.d/apache2, etc.
+export APACHE_RUN_USER=www-data
+export APACHE_RUN_GROUP=www-data
+export APACHE_PID_FILE=/var/run/apache2$SUFFIX.pid
+export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
+export APACHE_LOCK_DIR=/var/lock/apache2$SUFFIX
+# Only /var/log/apache2 is handled by /etc/logrotate.d/apache2.
+export APACHE_LOG_DIR=/var/log/apache2$SUFFIX
+
+## The locale used by some modules like mod_dav
+export LANG=C
+## Uncomment the following line to use the system default locale instead:
+#. /etc/default/locale
+
+export LANG
+
+## The command to get the status for 'apache2ctl status'.
+## Some packages providing 'www-browser' need '--dump' instead of '-dump'.
+#export APACHE_LYNX='www-browser -dump'
--- apache2-2.2.16.orig/debian/config-dir/magic
+++ apache2-2.2.16/debian/config-dir/magic
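Review bot: The `export` lines for APACHE_PID_FILE, APACHE_RUN_DIR, APACHE_LOCK_DIR and APACHE_LOG_DIR in the envvars hunk expand `$SUFFIX` unquoted, and SUFFIX is whatever follows `/etc/apache2-` in APACHE_CONFDIR. A /bin/sh that treats `export` as an ordinary builtin field-splits the operand, so a suffix containing whitespace or glob characters would produce a different path than intended. The file's own comment says these values are consumed by apache2ctl, /etc/init.d/apache2 and the logrotate script. Quoting each assignment, e.g. `export APACHE_RUN_DIR="/var/run/apache2$SUFFIX"`, removes the dependence on shell behaviour. A one-line comment stating which characters an instance suffix may contain would document the assumption.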
@@ -0,0 +1,935 @@ +# Magic data for mod_mime_magic (originally for file(1) command) +# +# The format is 4-5 columns: +# Column #1: byte number to begin checking from, ">" indicates continuation +# Column #2: type of data to match +# Column #3: contents of data to match +# Column #4: MIME type of result +# Column #5: MIME encoding of result (optional) + +#------------------------------------------------------------------------------ +# Localstuff: file(1) magic for locally observed files +# Add any locally observed files here. + +# Real Audio (Magic .ra\0375) +0 belong 0x2e7261fd audio/x-pn-realaudio +0 string .RMF application/vnd.rn-realmedia + +#video/x-pn-realvideo +#video/vnd.rn-realvideo +#application/vnd.rn-realmedia +# sigh, there are many mimes for that but the above are the most common. + +# Taken from magic, converted to magic.mime +# mime types according to http://www.geocities.com/nevilo/mod.htm: +# audio/it .it +# audio/x-zipped-it .itz +# audio/xm fasttracker modules +# audio/x-s3m screamtracker modules +# audio/s3m screamtracker modules +# audio/x-zipped-mod mdz +# audio/mod mod +# audio/x-mod All modules (mod, s3m, 669, mtm, med, xm, it, mdz, stm, itz, xmz, s3z) + +# Taken from loader code from mikmod version 2.14 +# by Steve McIntyre (stevem@chiark.greenend.org.uk) +# added title printing on 2003-06-24 +0 string MAS_UTrack_V00 +>14 string >/0 audio/x-mod +#audio/x-tracker-module + +#0 string UN05 MikMod UNI format module sound data + +0 string Extended\ Module: audio/x-mod +#audio/x-tracker-module +##>17 string >\0 Title: "%s" + +21 string/c \!SCREAM! audio/x-mod +#audio/x-screamtracker-module +21 string BMOD2STM audio/x-mod +#audio/x-screamtracker-module +1080 string M.K. audio/x-mod +#audio/x-protracker-module +#>0 string >\0 Title: "%s" +1080 string M!K! 
audio/x-mod +#audio/x-protracker-module +#>0 string >\0 Title: "%s" +1080 string FLT4 audio/x-mod +#audio/x-startracker-module +#>0 string >\0 Title: "%s" +1080 string FLT8 audio/x-mod +#audio/x-startracker-module +#>0 string >\0 Title: "%s" +1080 string 4CHN audio/x-mod +#audio/x-fasttracker-module +#>0 string >\0 Title: "%s" +1080 string 6CHN audio/x-mod +#audio/x-fasttracker-module +#>0 string >\0 Title: "%s" +1080 string 8CHN audio/x-mod +#audio/x-fasttracker-module +#>0 string >\0 Title: "%s" +1080 string CD81 audio/x-mod +#audio/x-oktalyzer-tracker-module +#>0 string >\0 Title: "%s" +1080 string OKTA audio/x-mod +#audio/x-oktalyzer-tracker-module +#>0 string >\0 Title: "%s" +# Not good enough. +#1082 string CH +#>1080 string >/0 %.2s-channel Fasttracker "oktalyzer" module sound data +1080 string 16CN audio/x-mod +#audio/x-taketracker-module +#>0 string >\0 Title: "%s" +1080 string 32CN audio/x-mod +#audio/x-taketracker-module +#>0 string >\0 Title: "%s" + +# Impuse tracker module (it) +0 string IMPM audio/x-mod +#>4 string >\0 "%s" +#>40 leshort !0 compatible w/ITv%x +#>42 leshort !0 created w/ITv%x + +#------------------------------------------------------------------------------ +# end local stuff +#------------------------------------------------------------------------------ + +# xml based formats! + +# svg + +0 string \38 string \<\!DOCTYPE\040svg image/svg+xml + + +# xml +0 string \2 short 0xbabe application/java + +#------------------------------------------------------------------------------ +# audio: file(1) magic for sound formats +# +# from Jan Nicolai Langfeldt , +# + +# Sun/NeXT audio data +0 string .snd +>12 belong 1 audio/basic +>12 belong 2 audio/basic +>12 belong 3 audio/basic +>12 belong 4 audio/basic +>12 belong 5 audio/basic +>12 belong 6 audio/basic +>12 belong 7 audio/basic + +>12 belong 23 audio/x-adpcm + +# DEC systems (e.g. 
DECstation 5000) use a variant of the Sun/NeXT format +# that uses little-endian encoding and has a different magic number +# (0x0064732E in little-endian encoding). +0 lelong 0x0064732E +>12 lelong 1 audio/x-dec-basic +>12 lelong 2 audio/x-dec-basic +>12 lelong 3 audio/x-dec-basic +>12 lelong 4 audio/x-dec-basic +>12 lelong 5 audio/x-dec-basic +>12 lelong 6 audio/x-dec-basic +>12 lelong 7 audio/x-dec-basic +# compressed (G.721 ADPCM) +>12 lelong 23 audio/x-dec-adpcm + +# Bytes 0-3 of AIFF, AIFF-C, & 8SVX audio files are "FORM" +# AIFF audio data +8 string AIFF audio/x-aiff +# AIFF-C audio data +8 string AIFC audio/x-aiff +# IFF/8SVX audio data +8 string 8SVX audio/x-aiff + + + +# Creative Labs AUDIO stuff +# Standard MIDI data +0 string MThd audio/unknown +#>9 byte >0 (format %d) +#>11 byte >1 using %d channels +# Creative Music (CMF) data +0 string CTMF audio/unknown +# SoundBlaster instrument data +0 string SBI audio/unknown +# Creative Labs voice data +0 string Creative\ Voice\ File audio/unknown +## is this next line right? it came this way... +#>19 byte 0x1A +#>23 byte >0 - version %d +#>22 byte >0 \b.%d + +# [GRR 950115: is this also Creative Labs? Guessing that first line +# should be string instead of unknown-endian long...] 
+#0 long 0x4e54524b MultiTrack sound data +#0 string NTRK MultiTrack sound data +#>4 long x - version %ld + +# Microsoft WAVE format (*.wav) +# [GRR 950115: probably all of the shorts and longs should be leshort/lelong] +# Microsoft RIFF +0 string RIFF +# - WAVE format +>8 string WAVE audio/x-wav +>8 string/B AVI video/x-msvideo +# +>8 string CDRA image/x-coreldraw + +# AAC (aka MPEG-2 NBC) +0 beshort&0xfff6 0xfff0 audio/X-HX-AAC-ADTS +0 string ADIF audio/X-HX-AAC-ADIF +0 beshort&0xffe0 0x56e0 audio/MP4A-LATM +0 beshort 0x4De1 audio/MP4A-LATM + +# MPEG Layer 3 sound files +0 beshort&0xfffe =0xfffa audio/mpeg +#MP3 with ID3 tag +0 string ID3 audio/mpeg +# Ogg/Vorbis +0 string OggS application/ogg + +#------------------------------------------------------------------------------ +# c-lang: file(1) magic for C programs or various scripts +# + +# XPM icons (Greg Roelofs, newt@uchicago.edu) +# ideally should go into "images", but entries below would tag XPM as C source +0 string /*\ XPM image/x-xpmi 7bit + +# 3DS (3d Studio files) +#16 beshort 0x3d3d image/x-3ds + +# this first will upset you if you're a PL/1 shop... (are there any left?) 
+# in which case rm it; ascmagic will catch real C programs +# C or REXX program text +#0 string /* text/x-c +# C++ program text +#0 string // text/x-c++ + +#------------------------------------------------------------------------------ +# commands: file(1) magic for various shells and interpreters +# +#0 string :\ shell archive or commands for antique kernel text +0 string #!/bin/sh application/x-shellscript +0 string #!\ /bin/sh application/x-shellscript +0 string #!/bin/csh application/x-shellscript +0 string #!\ /bin/csh application/x-shellscript +# korn shell magic, sent by George Wu, gwu@clyde.att.com +0 string #!/bin/ksh application/x-shellscript +0 string #!\ /bin/ksh application/x-shellscript +0 string #!/bin/tcsh application/x-shellscript +0 string #!\ /bin/tcsh application/x-shellscript +0 string #!/usr/local/tcsh application/x-shellscript +0 string #!\ /usr/local/tcsh application/x-shellscript +0 string #!/usr/local/bin/tcsh application/x-shellscript +0 string #!\ /usr/local/bin/tcsh application/x-shellscript +# bash shell magic, from Peter Tobias (tobias@server.et-inf.fho-emden.de) +0 string #!/bin/bash application/x-shellscript +0 string #!\ /bin/bash application/x-shellscript +0 string #!/usr/local/bin/bash application/x-shellscript +0 string #!\ /usr/local/bin/bash application/x-shellscript + +# +# zsh/ash/ae/nawk/gawk magic from cameron@cs.unsw.oz.au (Cameron Simpson) +0 string #!/bin/zsh application/x-shellscript +0 string #!/usr/bin/zsh application/x-shellscript +0 string #!/usr/local/bin/zsh application/x-shellscript +0 string #!\ /usr/local/bin/zsh application/x-shellscript +0 string #!/usr/local/bin/ash application/x-shellscript +0 string #!\ /usr/local/bin/ash application/x-shellscript +#0 string #!/usr/local/bin/ae Neil Brown's ae +#0 string #!\ /usr/local/bin/ae Neil Brown's ae +0 string #!/bin/nawk application/x-nawk +0 string #!\ /bin/nawk application/x-nawk +0 string #!/usr/bin/nawk application/x-nawk +0 string #!\ /usr/bin/nawk 
application/x-nawk +0 string #!/usr/local/bin/nawk application/x-nawk +0 string #!\ /usr/local/bin/nawk application/x-nawk +0 string #!/bin/gawk application/x-gawk +0 string #!\ /bin/gawk application/x-gawk +0 string #!/usr/bin/gawk application/x-gawk +0 string #!\ /usr/bin/gawk application/x-gawk +0 string #!/usr/local/bin/gawk application/x-gawk +0 string #!\ /usr/local/bin/gawk application/x-gawk +# +0 string #!/bin/awk application/x-awk +0 string #!\ /bin/awk application/x-awk +0 string #!/usr/bin/awk application/x-awk +0 string #!\ /usr/bin/awk application/x-awk +# update to distinguish from *.vcf files by Joerg Jenderek: joerg dot jenderek at web dot de +#0 regex BEGIN[[:space:]]*[{] application/x-awk + +# For Larry Wall's perl language. The ``eval'' line recognizes an +# outrageously clever hack for USG systems. +# Keith Waclena +0 string #!/bin/perl application/x-perl +0 string #!\ /bin/perl application/x-perl +0 string eval\ "exec\ /bin/perl application/x-perl +0 string #!/usr/bin/perl application/x-perl +0 string #!\ /usr/bin/perl application/x-perl +0 string eval\ "exec\ /usr/bin/perl application/x-perl +0 string #!/usr/local/bin/perl application/x-perl +0 string #!\ /usr/local/bin/perl application/x-perl +0 string eval\ "exec\ /usr/local/bin/perl application/x-perl + +#------------------------------------------------------------------------------ +# compress: file(1) magic for pure-compression formats (no archives) +# +# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, whap, etc. +# +# Formats for various forms of compressed data +# Formats for "compress" proper have been moved into "compress.c", +# because it tries to uncompress it to figure out what's inside. 
+ +# standard unix compress +#0 string \037\235 application/x-compress + +# gzip (GNU zip, not to be confused with [Info-ZIP/PKWARE] zip archiver) +#0 string \037\213 application/x-gzip + +0 string PK\003\004 application/x-zip + +# RAR archiver (Greg Roelofs, newt@uchicago.edu) +0 string Rar! application/x-rar + +# According to gzip.h, this is the correct byte order for packed data. +0 string \037\036 application/octet-stream +# +# This magic number is byte-order-independent. +# +0 short 017437 application/octet-stream + +# XXX - why *two* entries for "compacted data", one of which is +# byte-order independent, and one of which is byte-order dependent? +# +# compacted data +0 short 0x1fff application/octet-stream +0 string \377\037 application/octet-stream +# huf output +0 short 0145405 application/octet-stream + +# Squeeze and Crunch... +# These numbers were gleaned from the Unix versions of the programs to +# handle these formats. Note that I can only uncrunch, not crunch, and +# I didn't have a crunched file handy, so the crunch number is untested. +# Keith Waclena +#0 leshort 0x76FF squeezed data (CP/M, DOS) +#0 leshort 0x76FE crunched data (CP/M, DOS) + +# Freeze +#0 string \037\237 Frozen file 2.1 +#0 string \037\236 Frozen file 1.0 (or gzip 0.5) + +# lzh? +#0 string \037\240 LZH compressed data + +257 string ustar\0 application/x-tar posix +257 string ustar\040\040\0 application/x-tar gnu + +0 short 070707 application/x-cpio +0 short 0143561 application/x-cpio swapped + +0 string = application/x-archive +0 string \! 
application/x-archive +>8 string debian application/x-debian-package + +#------------------------------------------------------------------------------ +# +# RPM: file(1) magic for Red Hat Packages Erik Troan (ewt@redhat.com) +# +0 beshort 0xedab +>2 beshort 0xeedb application/x-rpm + +0 lelong&0x8080ffff 0x0000081a application/x-arc lzw +0 lelong&0x8080ffff 0x0000091a application/x-arc squashed +0 lelong&0x8080ffff 0x0000021a application/x-arc uncompressed +0 lelong&0x8080ffff 0x0000031a application/x-arc packed +0 lelong&0x8080ffff 0x0000041a application/x-arc squeezed +0 lelong&0x8080ffff 0x0000061a application/x-arc crunched + +0 leshort 0xea60 application/x-arj + +# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu) +2 string -lh0- application/x-lharc lh0 +2 string -lh1- application/x-lharc lh1 +2 string -lz4- application/x-lharc lz4 +2 string -lz5- application/x-lharc lz5 +# [never seen any but the last; -lh4- reported in comp.compression:] +2 string -lzs- application/x-lha lzs +2 string -lh\ - application/x-lha lh +2 string -lhd- application/x-lha lhd +2 string -lh2- application/x-lha lh2 +2 string -lh3- application/x-lha lh3 +2 string -lh4- application/x-lha lh4 +2 string -lh5- application/x-lha lh5 +2 string -lh6- application/x-lha lh6 +2 string -lh7- application/x-lha lh7 +# Shell archives +10 string #\ This\ is\ a\ shell\ archive application/octet-stream x-shell + +#------------------------------------------------------------------------------ +# frame: file(1) magic for FrameMaker files +# +# This stuff came on a FrameMaker demo tape, most of which is +# copyright, but this file is "published" as witness the following: +# +0 string \ +# +0 string/cB \14 byte 12 (OS/2 1.x format) +#>14 byte 64 (OS/2 2.x format) +#>14 byte 40 (Windows 3.x format) +#0 string IC icon +#0 string PI pointer +#0 string CI color icon +#0 string CP color pointer +#0 string BA bitmap array + +# CDROM Filesystems +32769 string CD001 application/x-iso9660 + +# Newer StuffIt 
archives (grant@netbsd.org) +0 string StuffIt application/x-stuffit +#>162 string >0 : %s + +# BinHex is the Macintosh ASCII-encoded file format (see also "apple") +# Daniel Quinlan, quinlan@yggdrasil.com +11 string must\ be\ converted\ with\ BinHex\ 4 application/mac-binhex40 +##>41 string x \b, version %.3s + + +#------------------------------------------------------------------------------ +# lisp: file(1) magic for lisp programs +# +# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com) +0 string ;; text/plain 8bit +# Emacs 18 - this is always correct, but not very magical. +0 string \012( application/x-elc +# Emacs 19 +0 string ;ELC\023\000\000\000 application/x-elc + +#------------------------------------------------------------------------------ +# mail.news: file(1) magic for mail and news +# +# There are tests to ascmagic.c to cope with mail and news. +0 string Relay-Version: message/rfc822 7bit +0 string #!\ rnews message/rfc822 7bit +0 string N#!\ rnews message/rfc822 7bit +0 string Forward\ to message/rfc822 7bit +0 string Pipe\ to message/rfc822 7bit +0 string Return-Path: message/rfc822 7bit +0 string Received: message/rfc822 +0 string Path: message/news 8bit +0 string Xref: message/news 8bit +0 string 
From: message/rfc822 7bit +0 string Article message/news 8bit +#------------------------------------------------------------------------------ +# msword: file(1) magic for MS Word files +# +# Contributor claims: +# Reversed-engineered MS Word magic numbers +# + +0 string \376\067\0\043 application/msword +0 string \320\317\021\340\241\261 application/msword +0 string \333\245-\0\0\0 application/msword + + + +#------------------------------------------------------------------------------ +# printer: file(1) magic for printer-formatted files +# + +# PostScript +0 string %! application/postscript +0 string \004%! application/postscript + +# Acrobat +# (due to clamen@cs.cmu.edu) +0 string %PDF- application/pdf + +#------------------------------------------------------------------------------ +# sc: file(1) magic for "sc" spreadsheet +# +38 string Spreadsheet application/x-sc + +#------------------------------------------------------------------------------ +# tex: file(1) magic for TeX files +# +# XXX - needs byte-endian stuff (big-endian and little-endian DVI?) +# +# From + +# Although we may know the offset of certain text fields in TeX DVI +# and font files, we can't use them reliably because they are not +# zero terminated. [but we do anyway, christos] +0 string \367\002 application/x-dvi +#0 string \367\203 TeX generic font data +#0 string \367\131 TeX packed font data +#0 string \367\312 TeX virtual font data +#0 string This\ is\ TeX, TeX transcript text +#0 string This\ is\ METAFONT, METAFONT transcript text + +# There is no way to detect TeX Font Metric (*.tfm) files without +# breaking them apart and reading the data. The following patterns +# match most *.tfm files generated by METAFONT or afm2tfm. 
+2 string \000\021 application/x-tex-tfm +2 string \000\022 application/x-tex-tfm +#>34 string >\0 (%s) + +# Texinfo and GNU Info, from Daniel Quinlan (quinlan@yggdrasil.com) +0 string \\input\ texinfo text/x-texinfo +0 string This\ is\ Info\ file text/x-info + +# correct TeX magic for Linux (and maybe more) +# from Peter Tobias (tobias@server.et-inf.fho-emden.de) +# +0 leshort 0x02f7 application/x-dvi + +# RTF - Rich Text Format +0 string {\\rtf text/rtf + +#------------------------------------------------------------------------------ +# animation: file(1) magic for animation/movie formats +# +# animation formats, originally from vax@ccwf.cc.utexas.edu (VaX#n8) +# MPEG file +# MPEG sequences +0 belong 0x000001BA +>4 byte &0x40 video/mp2p +>4 byte ^0x40 video/mpeg +0 belong 0x000001BB video/mpeg +0 belong 0x000001B0 video/mp4v-es +0 belong 0x000001B5 video/mp4v-es +0 belong 0x000001B3 video/mpv +0 belong&0xFF5FFF1F 0x47400010 video/mp2t +0 belong 0x00000001 +>4 byte&0x1F 0x07 video/h264 + +# FLI animation format +0 leshort 0xAF11 video/fli +# FLC animation format +0 leshort 0xAF12 video/flc +# +# SGI and Apple formats +# Added ISO mimes +0 string MOVI video/sgi +4 string moov video/quicktime +4 string mdat video/quicktime +4 string wide video/quicktime +4 string skip video/quicktime +4 string free video/quicktime +4 string idsc image/x-quicktime +4 string idat image/x-quicktime +4 string pckg application/x-quicktime +4 string/B jP image/jp2 +4 string ftyp +>8 string isom video/mp4 +>8 string mp41 video/mp4 +>8 string mp42 video/mp4 +>8 string/B jp2 image/jp2 +>8 string 3gp video/3gpp +>8 string avc1 video/3gpp +>8 string mmp4 video/mp4 +>8 string/B M4A audio/mp4 +>8 string/B qt video/quicktime +# The contributor claims: +# I couldn't find a real magic number for these, however, this +# -appears- to work. Note that it might catch other files, too, +# so BE CAREFUL! 
+# +# Note that title and author appear in the two 20-byte chunks +# at decimal offsets 2 and 22, respectively, but they are XOR'ed with +# 255 (hex FF)! DL format SUCKS BIG ROCKS. +# +# DL file version 1 , medium format (160x100, 4 images/screen) +0 byte 1 video/unknown +0 byte 2 video/unknown +# +# Databases +# +# GDBM magic numbers +# Will be maintained as part of the GDBM distribution in the future. +# +0 belong 0x13579ace application/x-gdbm +0 lelong 0x13579ace application/x-gdbm +0 string GDBM application/x-gdbm +# +0 belong 0x061561 application/x-dbm +# +# Executables +# +0 string \177ELF +>16 leshort 0 application/octet-stream +>16 leshort 1 application/x-object +>16 leshort 2 application/x-executable +>16 leshort 3 application/x-sharedlib +>16 leshort 4 application/x-coredump +>16 beshort 0 application/octet-stream +>16 beshort 1 application/x-object +>16 beshort 2 application/x-executable +>16 beshort 3 application/x-sharedlib +>16 beshort 4 application/x-coredump +# +# DOS +0 string MZ application/x-dosexec +# +# KDE +0 string [KDE\ Desktop\ Entry] application/x-kdelnk +0 string \#\ KDE\ Config\ File application/x-kdelnk +# xmcd database file for kscd +0 string \#\ xmcd text/xmcd + +#------------------------------------------------------------------------------ +# pkgadd: file(1) magic for SysV R4 PKG Datastreams +# +0 string #\ PaCkAgE\ DaTaStReAm application/x-svr4-package + +#PNG Image Format +0 string \x89PNG image/png + +# MNG Video Format, +0 string \x8aMNG video/x-mng +0 string \x8aJNG video/x-jng + +#------------------------------------------------------------------------------ +# Hierarchical Data Format, used to facilitate scientific data exchange +# specifications at http://hdf.ncsa.uiuc.edu/ +#Hierarchical Data Format (version 4) data +0 belong 0x0e031301 application/x-hdf +#Hierarchical Data Format (version 5) data +0 string \211HDF\r\n\032 application/x-hdf + +# Adobe Photoshop +0 string 8BPS image/x-photoshop + +# Felix von Leitner +0 
string d8:announce application/x-bittorrent + + +# lotus 1-2-3 document +0 belong 0x00001a00 application/x-123 +0 belong 0x00000200 application/x-123 + +# MS Access database +4 string Standard\ Jet\ DB application/msaccess + +## magic for XBase files +#0 byte 0x02 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x03 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x04 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x05 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x30 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x43 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x7b +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x83 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x8b +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0x8e +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0xb3 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 byte 0xf5 +#>8 leshort >0 +#>>12 leshort 0 application/x-dbf +# +#0 leshort 0x0006 application/x-dbt + +# Debian has entries for the old PGP formats: +# pgp: file(1) magic for Pretty Good Privacy +# see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html +#text/PGP key public ring +0 beshort 0x9900 application/pgp +#text/PGP key security ring +0 beshort 0x9501 application/pgp +#text/PGP key security ring +0 beshort 0x9500 application/pgp +#text/PGP encrypted data +0 beshort 0xa600 application/pgp-encrypted +#text/PGP armored data +##public key block +2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- application/pgp-keys +0 string -----BEGIN\040PGP\40MESSAGE- application/pgp +0 string -----BEGIN\040PGP\40SIGNATURE- application/pgp-signature +# +# GnuPG Magic: +# +# +#text/GnuPG key public ring +0 beshort 0x9901 application/pgp +#text/OpenPGP data +0 beshort 0x8501 application/pgp-encrypted + +# flash: file(1) magic for Macromedia Flash file format +# +# See +# +# 
http://www.macromedia.com/software/flash/open/ +# +0 string FWS +>3 byte x application/x-shockwave-flash + +# The following paramaters are created for Namazu. +# +# +# 1999/08/13 +#0 string \ +- Je¶li wpisa³e¶ URLa rêcznie, sprawd¼, czy nie siê nie pomyli³e¶. ++ Je¶li wpisa³e¶ URLa rêcznie, sprawd¼, czy siê nie pomyli³e¶. + + + --- apache2-2.2.16.orig/debian/patches/042_htdigest_CAN-2005-1344 +++ apache2-2.2.16/debian/patches/042_htdigest_CAN-2005-1344 @@ -0,0 +1,23 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 042_htdigest_CAN-2005-1344 by Adam Conrad +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix buffer overflow in htdigest. + +@DPATCH@ +--- apache2/support/htdigest.c.orig 2005-05-05 02:54:31.000000000 -0600 ++++ apache2/support/htdigest.c 2005-05-05 02:59:05.000000000 -0600 +@@ -222,9 +222,11 @@ + apr_strerror(rv, errmsg, sizeof errmsg)); + exit(1); + } ++ apr_cpystrn(user, argv[4], sizeof(user)); ++ apr_cpystrn(realm, argv[3], sizeof(realm)); + apr_file_printf(errfile, "Adding password for %s in realm %s.\n", +- argv[4], argv[3]); +- add_password(argv[4], argv[3], f); ++ user, realm); ++ add_password(user, realm, f); + apr_file_close(f); + exit(0); + } --- apache2-2.2.16.orig/debian/patches/080_mod_reqtimeout_fixes.dpatch +++ apache2-2.2.16/debian/patches/080_mod_reqtimeout_fixes.dpatch 
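Review bot: The two added `apr_cpystrn` calls in the htdigest patch bound the copy but silently truncate an over-long user or realm argument, so the tool would report and store an entry under a name other than the one requested. For a credentials file it is safer to reject the input before copying, e.g. `if (strlen(argv[4]) >= sizeof(user) || strlen(argv[3]) >= sizeof(realm)) { apr_file_printf(errfile, "user or realm too long\n"); exit(1); }`. The fix also relies on `user` and `realm` being fixed-size arrays, so that `sizeof` yields the buffer length. Their declarations are outside the hunk and should be confirmed. The enclosing function starts and ends outside the hunk.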
@@ -0,0 +1,370 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## +## DP: r921378, r921526, r922407, r923418, r923429, r925986, r928881 from upstream trunk: +## DP: - Move initialization to process_connection hook, right before +## DP: ap_process_http_request. This ensures that we are not inserted for other +## DP: protocol handlers (like mod_ftp) and mod_proxy's backend connections. +## DP: - Enforce request timeout even for AP_MODE_GETLINE. +## DP: - Shorten lingering close wait time to 2s if timeout occurs. +## DP: - Disable body timeout for CONNECT requests. +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/modules/filters/mod_reqtimeout.c trunk/modules/filters/mod_reqtimeout.c +--- trunk~/modules/filters/mod_reqtimeout.c 2010-03-29 21:51:42.000000000 +0200 ++++ trunk/modules/filters/mod_reqtimeout.c 2010-03-29 22:22:21.652500789 +0200 +@@ -20,9 +20,12 @@ + #include "http_connection.h" + #include "http_protocol.h" + #include "http_log.h" ++#define CORE_PRIVATE ++#include "http_core.h" + #include "util_filter.h" + #define APR_WANT_STRFUNC + #include "apr_strings.h" ++#include "apr_support.h" + + module AP_MODULE_DECLARE_DATA reqtimeout_module; + +@@ -38,6 +41,7 @@ + apr_time_t body_rate_factor; + } reqtimeout_srv_cfg; + ++/* this struct is used both as conn_config and as filter context */ + typedef struct + { + apr_time_t timeout_at; +@@ -47,14 +51,11 @@ + int new_max_timeout; + int in_keep_alive; + char *type; ++ apr_socket_t *socket; + apr_time_t rate_factor; ++ apr_bucket_brigade *tmpbb; + } reqtimeout_con_cfg; + +-typedef struct +-{ +- apr_socket_t *socket; +-} reqtimeout_ctx; +- + static const char *const reqtimeout_filter_name = "reqtimeout"; + + static void extend_timeout(reqtimeout_con_cfg *ccfg, apr_bucket_brigade *bb) +@@ -74,24 +75,60 @@ + } + } + ++static apr_status_t check_time_left(reqtimeout_con_cfg *ccfg, ++ apr_time_t *time_left_p) ++{ ++ 
*time_left_p = ccfg->timeout_at - apr_time_now(); ++ if (*time_left_p <= 0) ++ return APR_TIMEUP; ++ ++ if (*time_left_p < apr_time_from_sec(1)) { ++ *time_left_p = apr_time_from_sec(1); ++ } ++ return APR_SUCCESS; ++} ++ ++static apr_status_t have_lf_or_eos(apr_bucket_brigade *bb) ++{ ++ apr_bucket *b = APR_BRIGADE_LAST(bb); ++ ++ for ( ; b != APR_BRIGADE_SENTINEL(bb) ; b = APR_BUCKET_PREV(b) ) { ++ const char *str; ++ apr_size_t len; ++ apr_status_t rv; ++ ++ if (APR_BUCKET_IS_EOS(b)) ++ return APR_SUCCESS; ++ ++ if (APR_BUCKET_IS_METADATA(b)) ++ continue; ++ ++ rv = apr_bucket_read(b, &str, &len, APR_BLOCK_READ); ++ if (rv != APR_SUCCESS) ++ return rv; ++ ++ if (len == 0) ++ continue; ++ ++ if (str[len-1] == APR_ASCII_LF) ++ return APR_SUCCESS; ++ } ++ return APR_INCOMPLETE; ++} ++ ++ ++#define MIN(x,y) ((x) < (y) ? (x) : (y)) + static apr_status_t reqtimeout_filter(ap_filter_t *f, + apr_bucket_brigade *bb, + ap_input_mode_t mode, + apr_read_type_e block, + apr_off_t readbytes) + { +- reqtimeout_ctx *ctx; + apr_time_t time_left; + apr_time_t now; + apr_status_t rv; + apr_interval_time_t saved_sock_timeout = -1; +- reqtimeout_con_cfg *ccfg; +- +- ctx = f->ctx; +- AP_DEBUG_ASSERT(ctx != NULL); +- +- ccfg = ap_get_module_config(f->c->conn_config, &reqtimeout_module); +- AP_DEBUG_ASSERT(ccfg != NULL); ++ reqtimeout_con_cfg *ccfg = f->ctx; + + if (ccfg->in_keep_alive) { + /* For this read, the normal keep-alive timeout must be used */ +@@ -114,13 +151,14 @@ + return ap_get_brigade(f->next, bb, mode, block, readbytes); + } + +- time_left = ccfg->timeout_at - now; +- if (time_left <= 0) { +- ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c, +- "Request %s read timeout", ccfg->type); +- return APR_TIMEUP; ++ if (!ccfg->socket) { ++ ccfg->socket = ap_get_module_config(f->c->conn_config, &core_module); + } + ++ rv = check_time_left(ccfg, &time_left); ++ if (rv != APR_SUCCESS) ++ goto out; ++ + if (block == APR_NONBLOCK_READ || mode == AP_MODE_INIT + || mode == 
AP_MODE_EATCRLF) { + rv = ap_get_brigade(f->next, bb, mode, block, readbytes); +@@ -130,41 +168,103 @@ + return rv; + } + +- if (time_left < apr_time_from_sec(1)) { +- time_left = apr_time_from_sec(1); +- } ++ rv = apr_socket_timeout_get(ccfg->socket, &saved_sock_timeout); ++ AP_DEBUG_ASSERT(rv == APR_SUCCESS); + +- rv = apr_socket_timeout_get(ctx->socket, &saved_sock_timeout); ++ rv = apr_socket_timeout_set(ccfg->socket, MIN(time_left, saved_sock_timeout)); + AP_DEBUG_ASSERT(rv == APR_SUCCESS); + +- if (saved_sock_timeout >= time_left) { +- rv = apr_socket_timeout_set(ctx->socket, time_left); +- AP_DEBUG_ASSERT(rv == APR_SUCCESS); +- } +- else { +- saved_sock_timeout = -1; +- } ++ if (mode == AP_MODE_GETLINE) { ++ /* ++ * For a blocking AP_MODE_GETLINE read, apr_brigade_split_line() ++ * would loop until a whole line has been read. As this would make it ++ * impossible to enforce a total timeout, we only do non-blocking ++ * reads. ++ */ ++ apr_off_t remaining = HUGE_STRING_LEN; ++ do { ++ apr_off_t bblen; + +- rv = ap_get_brigade(f->next, bb, mode, block, readbytes); ++ rv = ap_get_brigade(f->next, bb, AP_MODE_GETLINE, APR_NONBLOCK_READ, remaining); ++ if (APR_STATUS_IS_EAGAIN(rv)) { ++ rv = APR_SUCCESS; ++ } ++ else if (rv != APR_SUCCESS) { ++ break; ++ } + +- if (saved_sock_timeout != -1) { +- apr_socket_timeout_set(ctx->socket, saved_sock_timeout); +- } ++ if (!APR_BRIGADE_EMPTY(bb)) { ++ if (ccfg->min_rate > 0) { ++ extend_timeout(ccfg, bb); ++ } ++ ++ rv = have_lf_or_eos(bb); ++ if (rv != APR_INCOMPLETE) { ++ break; ++ } ++ ++ rv = apr_brigade_length(bb, 1, &bblen); ++ if (rv != APR_SUCCESS) { ++ break; ++ } ++ remaining -= bblen; ++ if (remaining <= 0) { ++ break; ++ } ++ ++ /* Haven't got a whole line yet, save what we have ... */ ++ if (!ccfg->tmpbb) { ++ ccfg->tmpbb = apr_brigade_create(f->c->pool, f->c->bucket_alloc); ++ } ++ APR_BRIGADE_CONCAT(ccfg->tmpbb, bb); ++ } ++ ++ /* ... 
and wait for more */ ++ rv = apr_wait_for_io_or_timeout(NULL, ccfg->socket, 1); ++ if (rv != APR_SUCCESS) ++ break; ++ ++ rv = check_time_left(ccfg, &time_left); ++ if (rv != APR_SUCCESS) ++ break; ++ ++ rv = apr_socket_timeout_set(ccfg->socket, ++ MIN(time_left, saved_sock_timeout)); ++ AP_DEBUG_ASSERT(rv == APR_SUCCESS); ++ ++ } while (1); ++ ++ if (ccfg->tmpbb) ++ APR_BRIGADE_PREPEND(bb, ccfg->tmpbb); + +- if (ccfg->min_rate > 0 && rv == APR_SUCCESS) { +- extend_timeout(ccfg, bb); + } ++ else { ++ /* mode != AP_MODE_GETLINE */ ++ rv = ap_get_brigade(f->next, bb, mode, block, readbytes); ++ if (ccfg->min_rate > 0 && rv == APR_SUCCESS) { ++ extend_timeout(ccfg, bb); ++ } ++ } ++ ++ apr_socket_timeout_set(ccfg->socket, saved_sock_timeout); + ++out: + if (APR_STATUS_IS_TIMEUP(rv)) { + ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, f->c, + "Request %s read timeout", ccfg->type); ++ /* ++ * If we allow a normal lingering close, the client may keep this ++ * process/thread busy for another 30s (MAX_SECS_TO_LINGER). ++ * Therefore we tell ap_lingering_close() to shorten this period to ++ * 2s (SECONDS_TO_LINGER). 
++ */ ++ apr_table_setn(f->c->notes, "short-lingering-close", "1"); + } + return rv; + } + +-static int reqtimeout_pre_conn(conn_rec *c, void *csd) ++static int reqtimeout_init(conn_rec *c) + { +- reqtimeout_ctx *ctx; + reqtimeout_con_cfg *ccfg; + reqtimeout_srv_cfg *cfg; + +@@ -173,12 +273,9 @@ + AP_DEBUG_ASSERT(cfg != NULL); + if (cfg->header_timeout <= 0 && cfg->body_timeout <= 0) { + /* not configured for this vhost */ +- return OK; ++ return DECLINED; + } + +- ctx = apr_pcalloc(c->pool, sizeof(reqtimeout_ctx)); +- ctx->socket = csd; +- + ccfg = apr_pcalloc(c->pool, sizeof(reqtimeout_con_cfg)); + ccfg->new_timeout = cfg->header_timeout; + ccfg->new_max_timeout = cfg->header_max_timeout; +@@ -187,8 +284,9 @@ + ccfg->rate_factor = cfg->header_rate_factor; + ap_set_module_config(c->conn_config, &reqtimeout_module, ccfg); + +- ap_add_input_filter("reqtimeout", ctx, NULL, c); +- return OK; ++ ap_add_input_filter("reqtimeout", ccfg, NULL, c); ++ /* we are not handling the connection, we just do initialization */ ++ return DECLINED; + } + + static int reqtimeout_after_headers(request_rec *r) +@@ -198,7 +296,7 @@ + ap_get_module_config(r->connection->conn_config, &reqtimeout_module); + + if (ccfg == NULL) { +- /* not configured for this vhost */ ++ /* not configured for this connection */ + return OK; + } + +@@ -208,11 +306,13 @@ + + ccfg->timeout_at = 0; + ccfg->max_timeout_at = 0; +- ccfg->new_timeout = cfg->body_timeout; +- ccfg->new_max_timeout = cfg->body_max_timeout; +- ccfg->min_rate = cfg->body_min_rate; +- ccfg->rate_factor = cfg->body_rate_factor; +- ccfg->type = "body"; ++ if (r->method_number != M_CONNECT) { ++ ccfg->new_timeout = cfg->body_timeout; ++ ccfg->new_max_timeout = cfg->body_max_timeout; ++ ccfg->min_rate = cfg->body_min_rate; ++ ccfg->rate_factor = cfg->body_rate_factor; ++ ccfg->type = "body"; ++ } + + return OK; + } +@@ -224,7 +324,7 @@ + ap_get_module_config(r->connection->conn_config, &reqtimeout_module); + + if (ccfg == NULL) { +- /* not 
configured for this vhost */ ++ /* not configured for this connection */ + return OK; + } + +@@ -406,7 +506,16 @@ + */ + ap_register_input_filter(reqtimeout_filter_name, reqtimeout_filter, NULL, + AP_FTYPE_CONNECTION + 8); +- ap_hook_pre_connection(reqtimeout_pre_conn, NULL, NULL, APR_HOOK_MIDDLE); ++ ++ /* ++ * mod_reqtimeout needs to be called before ap_process_http_request (which ++ * is run at APR_HOOK_REALLY_LAST) but after all other protocol modules. ++ * This ensures that it only influences normal http connections and not ++ * e.g. mod_ftp. Also, if mod_reqtimeout used the pre_connection hook, it ++ * would be inserted on mod_proxy's backend connections. ++ */ ++ ap_hook_process_connection(reqtimeout_init, NULL, NULL, APR_HOOK_LAST); ++ + ap_hook_post_read_request(reqtimeout_after_headers, NULL, NULL, + APR_HOOK_MIDDLE); + ap_hook_log_transaction(reqtimeout_after_body, NULL, NULL, +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/server/connection.c trunk/server/connection.c +--- trunk~/server/connection.c 2010-03-29 21:51:42.000000000 +0200 ++++ trunk/server/connection.c 2010-03-29 22:22:07.100030216 +0200 +@@ -154,8 +154,20 @@ + break; + + if (timeup == 0) { +- /* First time through; calculate now + 30 seconds. */ +- timeup = apr_time_now() + apr_time_from_sec(MAX_SECS_TO_LINGER); ++ /* ++ * First time through; ++ * calculate now + 30 seconds (MAX_SECS_TO_LINGER). ++ * ++ * If some module requested a shortened waiting period, only wait for ++ * 2s (SECONDS_TO_LINGER). This is useful for mitigating certain ++ * DoS attacks. 
++ */ ++ if (apr_table_get(c->notes, "short-lingering-close")) { ++ timeup = apr_time_now() + apr_time_from_sec(SECONDS_TO_LINGER); ++ } ++ else { ++ timeup = apr_time_now() + apr_time_from_sec(MAX_SECS_TO_LINGER); ++ } + continue; + } + } while (apr_time_now() < timeup); --- apache2-2.2.16.orig/debian/patches/071_fix_cacheenable.dpatch +++ apache2-2.2.16/debian/patches/071_fix_cacheenable.dpatch 
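Review bot: In reqtimeout_filter the result of `apr_socket_timeout_get()` is only checked with `AP_DEBUG_ASSERT`, which is normally compiled out of non-debug builds, while `saved_sock_timeout` starts at -1. If the get ever fails, `MIN(time_left, saved_sock_timeout)` selects -1, and a negative APR socket timeout means blocking without a limit, which is the opposite of what this module is for. I would replace the assert after the get with `if (rv != APR_SUCCESS) goto out;` and check the two `apr_socket_timeout_set()` results as well. The unguarded `#define MIN(x,y)` could also be wrapped in `#ifndef MIN` in case a system header already defines it. The function is only partly visible across the inner hunks.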
@@ -0,0 +1,118 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Bug #442266 +## DP: r821333,r821538,r821539 from upstream svn + +@DPATCH@ +diff --git a/modules/cache/cache_util.c b/modules/cache/cache_util.c +index ec2d749..aec7b09 100644 +--- a/modules/cache/cache_util.c ++++ b/modules/cache/cache_util.c +@@ -27,41 +27,78 @@ extern module AP_MODULE_DECLARE_DATA cache_module; + /* Determine if "url" matches the hostname, scheme and port and path + * in "filter". All but the path comparisons are case-insensitive. + */ +-static int uri_meets_conditions(apr_uri_t filter, int pathlen, apr_uri_t url) +-{ +- /* Compare the hostnames */ +- if(filter.hostname) { +- if (!url.hostname) { +- return 0; +- } +- else if (strcasecmp(filter.hostname, url.hostname)) { +- return 0; +- } +- } ++static int uri_meets_conditions(const apr_uri_t filter, const int pathlen, ++ const apr_uri_t url) { ++ ++ /* Scheme, hostname port and local part. The filter URI and the ++ * URI we test may have the following shapes: ++ * / ++ * [:://[:][/]] ++ * That is, if there is no scheme then there must be only the path, ++ * and we check only the path; if there is a scheme, we check the ++ * scheme for equality, and then if present we match the hostname, ++ * and then if present match the port, and finally the path if any. ++ * ++ * Note that this means that "/" only matches local paths, ++ * and to match proxied paths one *must* specify the scheme. ++ */ + +- /* Compare the schemes */ +- if(filter.scheme) { +- if (!url.scheme) { +- return 0; +- } +- else if (strcasecmp(filter.scheme, url.scheme)) { ++ /* Is the filter is just for a local path or a proxy URI? */ ++ if (!filter.scheme) { ++ if (url.scheme || url.hostname) { + return 0; + } + } +- +- /* Compare the ports */ +- if(filter.port_str) { +- if (url.port_str && filter.port != url.port) { ++ else { ++ /* The URI scheme must be present and identical except for case. 
*/ ++ if (!url.scheme || strcasecmp(filter.scheme, url.scheme)) { + return 0; + } +- /* NOTE: ap_port_of_scheme will return 0 if given NULL input */ +- else if (filter.port != apr_uri_port_of_scheme(url.scheme)) { +- return 0; ++ ++ /* If the filter hostname is null or empty it matches any hostname, ++ * if it begins with a "*" it matches the _end_ of the URI hostname ++ * excluding the "*", if it begins with a "." it matches the _end_ ++ * of the URI * hostname including the ".", otherwise it must match ++ * the URI hostname exactly. */ ++ ++ if (filter.hostname && filter.hostname[0]) { ++ if (filter.hostname[0] == '.') { ++ const size_t fhostlen = strlen(filter.hostname); ++ const size_t uhostlen = url.hostname ? strlen(url.hostname) : 0; ++ ++ if (fhostlen > uhostlen || strcasecmp(filter.hostname, ++ url.hostname + uhostlen - fhostlen)) { ++ return 0; ++ } ++ } ++ else if (filter.hostname[0] == '*') { ++ const size_t fhostlen = strlen(filter.hostname + 1); ++ const size_t uhostlen = url.hostname ? strlen(url.hostname) : 0; ++ ++ if (fhostlen > uhostlen || strcasecmp(filter.hostname + 1, ++ url.hostname + uhostlen - fhostlen)) { ++ return 0; ++ } ++ } ++ else if (!url.hostname || strcasecmp(filter.hostname, url.hostname)) { ++ return 0; ++ } + } +- } +- else if(url.port_str && filter.scheme) { +- if (apr_uri_port_of_scheme(filter.scheme) == url.port) { +- return 0; ++ ++ /* If the filter port is empty it matches any URL port. ++ * If the filter or URL port are missing, or the URL port is ++ * empty, they default to the port for their scheme. */ ++ ++ if (!(filter.port_str && !filter.port_str[0])) { ++ /* NOTE: ap_port_of_scheme will return 0 if given NULL input */ ++ const unsigned fport = filter.port_str ? filter.port ++ : apr_uri_port_of_scheme(filter.scheme); ++ const unsigned uport = (url.port_str && url.port_str[0]) ++ ? 
url.port : apr_uri_port_of_scheme(url.scheme); ++ ++ if (fport != uport) { ++ return 0; ++ } + } + } + --- apache2-2.2.16.orig/debian/patches/057_disablemods.dpatch +++ apache2-2.2.16/debian/patches/057_disablemods.dpatch 
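Review bot: The `'*'` hostname branch of uri_meets_conditions can hand a NULL pointer to `strcasecmp`. When the filter hostname is exactly `*`, `fhostlen` is 0, so `fhostlen > uhostlen` is false even when `url.hostname` is NULL and `uhostlen` is 0, and `url.hostname + uhostlen - fhostlen` is then evaluated on NULL. The `'.'` branch avoids this only because its `fhostlen` is always at least 1. Comparing against a non-NULL string in both branches fixes it without changing what matches: `const char *uhost = url.hostname ? url.hostname : "";` and then `strcasecmp(filter.hostname + 1, uhost + uhostlen - fhostlen)`. Whether a URL with a scheme but no hostname can reach this function depends on callers outside the hunk, and the path comparison that ends the function is not shown.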
@@ -0,0 +1,62 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## Stolen from the fedora package +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Support "--enable-modules=none" to build an httpd binary with +## DP: no optional modules enabled. + +@DPATCH@ +diff -urNad trunk~/acinclude.m4 trunk/acinclude.m4 +--- trunk~/acinclude.m4 2005-11-13 07:33:15.000000000 +0100 ++++ trunk/acinclude.m4 2008-03-14 01:28:42.379287995 +0100 +@@ -289,14 +289,19 @@ + + AC_ARG_ENABLE(modules, + APACHE_HELP_STRING(--enable-modules=MODULE-LIST,Space-separated list of modules to enable | "all" | "most"),[ +- for i in $enableval; do +- if test "$i" = "all" -o "$i" = "most"; then +- module_selection=$i +- else +- i=`echo $i | sed 's/-/_/g'` +- eval "enable_$i=yes" +- fi +- done ++ if test "$enableval" = "none"; then ++ module_default=no ++ module_selection=none ++ else ++ for i in $enableval; do ++ if test "$i" = "all" -o "$i" = "most"; then ++ module_selection=$i ++ else ++ i=`echo $i | sed 's/-/_/g'` ++ eval "enable_$i=yes" ++ fi ++ done ++ fi + ]) + + AC_ARG_ENABLE(mods-shared, +diff -urNad trunk~/configure trunk/configure +--- trunk~/configure 2008-01-10 17:54:40.000000000 +0100 ++++ trunk/configure 2008-03-14 01:31:55.675287371 +0100 +@@ -8106,6 +8106,10 @@ + # Check whether --enable-modules was given. + if test "${enable_modules+set}" = set; then + enableval=$enable_modules; ++ if test "$enableval" = "none"; then ++ module_default=no ++ module_selection=none ++ else + for i in $enableval; do + if test "$i" = "all" -o "$i" = "most"; then + module_selection=$i +@@ -8114,7 +8118,7 @@ + eval "enable_$i=yes" + fi + done +- ++ fi + fi + + --- apache2-2.2.16.orig/debian/patches/038_no_LD_LIBRARY_PATH +++ apache2-2.2.16/debian/patches/038_no_LD_LIBRARY_PATH 
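Review bot: The help text passed to `APACHE_HELP_STRING` in the acinclude.m4 hunk still lists only `"all" | "most"`, so the new `none` value is undocumented in `./configure --help`. I would extend it to `Space-separated list of modules to enable | "all" | "most" | "none"`. The second inner diff edits the generated `configure` by hand, so it has to be kept in step with acinclude.m4 if configure is ever regenerated.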
@@ -0,0 +1,17 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 038_no_LD_LIBRARY_PATH by Adam Conrad
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Remove LD_LIBRARY_PATH from envvars-std
+
+@DPATCH@
+--- apache2/support/envvars-std.in 2004-11-07 04:07:56.000000000 -0700
++++ apache2/support/envvars-std.in 2004-11-07 04:08:08.000000000 -0700
+@@ -17,7 +17,4 @@
+ #
+ # This file is generated from envvars-std.in
+ #
+-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+-export @SHLIBPATH_VAR@
+-#
+ @OS_SPECIFIC_VARS@
--- apache2-2.2.16.orig/debian/patches/075_mod_rewrite_literal_ipv6_redirect.dpatch
+++ apache2-2.2.16/debian/patches/075_mod_rewrite_literal_ipv6_redirect.dpatch
@@ -0,0 +1,52 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 075_mod_rewrite_literal_ipv6_redirect.dpatch by Stefan Fritsch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add [] to literal ipv6 hosts in URLs (bug #557015)
+
+@DPATCH@
+diff -urNad trunk~/modules/mappers/mod_rewrite.c trunk/modules/mappers/mod_rewrite.c
+--- trunk~/modules/mappers/mod_rewrite.c 2009-07-10 14:20:45.000000000 +0200
++++ trunk/modules/mappers/mod_rewrite.c 2009-12-06 00:10:57.468047872 +0100
+@@ -833,6 +833,23 @@
+ }
+
+ /*
++ * Get the current server name from the request for the purposes
++ * of using in a URL. If the server name is an IPv6 literal
++ * address, it will be returned in URL format (e.g., "[fe80::1]").
++ */
++static const char *get_server_name_for_url(request_rec *r)
++{
++ const char *plain_server_name = ap_get_server_name(r);
++
++#if APR_HAVE_IPV6
++ if (ap_strchr_c(plain_server_name, ':')) { /* IPv6 literal? */
++ return apr_psprintf(r->pool, "[%s]", plain_server_name);
++ }
++#endif
++ return plain_server_name;
++}
++
++/*
+ * add 'http[s]://ourhost[:ourport]/' to URI
+ * if URI is still not fully qualified
+ */
+@@ -843,7 +860,7 @@
+ char *thisport;
+ int port;
+
+- thisserver = ap_get_server_name(r);
++ thisserver = get_server_name_for_url(r);
+ port = ap_get_server_port(r);
+ thisport = ap_is_default_port(port, r)
+ ? ""
+@@ -4271,7 +4288,7 @@
+ */
+
+ /* add the canonical URI of this URL */
+- thisserver = ap_get_server_name(r);
++ thisserver = get_server_name_for_url(r);
+ port = ap_get_server_port(r);
+ if (ap_is_default_port(port, r)) {
+ thisport = "";
--- apache2-2.2.16.orig/debian/patches/034_apxs2_libtool_fixtastic
+++ apache2-2.2.16/debian/patches/034_apxs2_libtool_fixtastic
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 034_apxs2_libtool_fixtastic by Peter Samuelson
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Make libtool happier
+
+--- support/apxs.in
++++ apache2/support/apxs.in
+@@ -409,7 +409,7 @@
+ $la =~ s|\.c$|.la|;
+ my $o = $s;
+ $o =~ s|\.c$|.o|;
+- push(@cmds, "$libtool $ltflags --mode=compile $CFG_CC $cflags -I$CFG_INCLUDEDIR $apr_includedir $apu_includedir $opt -c -o $lo $s && touch $slo");
++ push(@cmds, "$libtool $ltflags --mode=compile --tag=disable-static $CFG_CC $cflags -I$CFG_INCLUDEDIR $apr_includedir $apu_includedir $opt -c -o $lo $s && touch $slo");
+ unshift(@objs, $lo);
+ }
+
+@@ -446,7 +446,7 @@
+ $opt .= " -rpath $CFG_LIBEXECDIR -module -avoid-version $apr_ldflags";
+ }
+
+- push(@cmds, "$libtool $ltflags --mode=link $CFG_CC -o $dso_file $opt $lo");
++ push(@cmds, "$libtool $ltflags --mode=link --tag=disable-static $CFG_CC -o $dso_file $opt $lo");
+
+ # execute the commands
+ &execute_cmds(@cmds);
--- apache2-2.2.16.orig/debian/patches/077_CacheIgnoreURLSessionIdentifiers.dpatch
+++ apache2-2.2.16/debian/patches/077_CacheIgnoreURLSessionIdentifiers.dpatch
@@ -0,0 +1,86 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix CacheIgnoreURLSessionIdentifiers +## DP: r892289, r897705 from upstream svn. Debian bug #556383 + +@DPATCH@ +diff --git a/modules/cache/cache_storage.c b/modules/cache/cache_storage.c +index c122bdd..a44b9e4 100644 +--- a/modules/cache/cache_storage.c ++++ b/modules/cache/cache_storage.c +@@ -498,28 +498,60 @@ apr_status_t cache_generate_key_default(request_rec *r, apr_pool_t* p, + && (*(param + len + 1) == '=') + && !strchr(param + len + 2, '/')) { + path = apr_pstrndup(p, path, param - path); +- break; ++ continue; + } + /* + * Check if the identifier is in the querystring and cut it out. + */ +- if (querystring +- && (param = strstr(querystring, *identifier)) +- && (*(param + len) == '=') +- ) { +- char *amp; +- +- if (querystring != param) { +- querystring = apr_pstrndup(p, querystring, +- param - querystring); ++ if (querystring) { ++ /* ++ * First check if the identifier is at the beginning of the ++ * querystring and followed by a '=' ++ */ ++ if (!strncmp(querystring, *identifier, len) ++ && (*(querystring + len) == '=')) { ++ param = querystring; + } + else { +- querystring = ""; ++ char *complete; ++ ++ /* ++ * In order to avoid subkey matching (PR 48401) prepend ++ * identifier with a '&' and append a '=' ++ */ ++ complete = apr_pstrcat(p, "&", *identifier, "=", NULL); ++ param = strstr(querystring, complete); ++ /* If we found something we are sitting on the '&' */ ++ if (param) { ++ param++; ++ } + } +- if ((amp = strchr(param + len + 1, '&'))) { +- querystring = apr_pstrcat(p, querystring, amp + 1, NULL); ++ if (param) { ++ char *amp; ++ ++ if (querystring != param) { ++ querystring = apr_pstrndup(p, querystring, ++ param - querystring); ++ } ++ else { ++ querystring = ""; ++ } ++ ++ if ((amp = strchr(param + len + 1, '&'))) { ++ querystring = apr_pstrcat(p, querystring, amp + 1, NULL); ++ } ++ else { ++ /* ++ 
* If querystring is not "", then we have the case ++ * that the identifier parameter we removed was the ++ * last one in the original querystring. Hence we have ++ * a trailing '&' which needs to be removed. ++ */ ++ if (*querystring) { ++ querystring[strlen(querystring) - 1] = '\0'; ++ } ++ } + } +- break; + } + } + } --- apache2-2.2.16.orig/debian/patches/052_logresolve_linelength.dpatch +++ apache2-2.2.16/debian/patches/052_logresolve_linelength.dpatch 
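Review bot: The query-string branch in cache_generate_key_default removes only the first occurrence of each identifier, because both the leading `strncmp` test and the `strstr` on the `&identifier=` string run once per identifier. A request that repeats the parameter, for example `sid=a&sid=b` (constructed example), would keep the second copy in the cache key, so the same resource can still be stored under many keys. If that is accepted behaviour, say so above the block with `/* Only the first occurrence of each identifier is removed; repeated parameters stay in the key. */`; removing every occurrence would need the lookup wrapped in a loop. The function begins and ends outside the hunk.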
@@ -0,0 +1,78 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 052_logresolve_linelength.dpatch by Stefan Fritsch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: remove limit of 1024 bytes per line #331631 + +@DPATCH@ +diff -urNad trunk~/support/logresolve.c trunk/support/logresolve.c +--- trunk~/support/logresolve.c 2006-07-12 05:38:44.000000000 +0200 ++++ trunk/support/logresolve.c 2007-09-27 20:12:47.093217594 +0200 +@@ -82,7 +82,7 @@ + #endif + + static void cgethost(struct in_addr ipnum, char *string, int check); +-static int get_line(char *s, int n); ++static int get_line(); + static void stats(FILE *output); + + #ifdef BEOS +@@ -90,11 +90,6 @@ + #endif + + +-/* maximum line length */ +-#ifndef MAXLINE +-#define MAXLINE 1024 +-#endif +- + /* maximum length of a domain name */ + #ifndef MAXDNAME + #define MAXDNAME 256 +@@ -141,6 +136,8 @@ + static int resolves = 0; + static int withname = 0; + static int errors[MAX_ERR + 3]; ++static size_t maxline=0; ++static char *line = NULL; + + /* + * cgethost - gets hostname by IP address, caching, and adding unresolvable +@@ -287,14 +284,15 @@ + * gets a line from stdin + */ + +-static int get_line (char *s, int n) ++static int get_line () + { ++ ssize_t len; + char *cp; + +- if (!fgets(s, n, stdin)) ++ if ( (len = getline(&line, &maxline, stdin)) == -1 ) + return (0); +- cp = strchr(s, '\n'); +- if (cp) ++ cp = line + len -1; ++ if (*cp == '\n') + *cp = '\0'; + return (1); + } +@@ -302,7 +300,7 @@ + int main (int argc, char *argv[]) + { + struct in_addr ipnum; +- char *bar, hoststring[MAXDNAME + 1], line[MAXLINE], *statfile; ++ char *bar, hoststring[MAXDNAME + 1], *statfile; + int i, check; + + #if defined(WIN32) || (defined(NETWARE) && defined(USE_WINSOCK)) +@@ -337,7 +335,7 @@ + for (i = 0; i < MAX_ERR + 2; i++) + errors[i] = 0; + +- while (get_line(line, MAXLINE)) { ++ while (get_line()) { + if (line[0] == '\0') + continue; + entries++; --- apache2-2.2.16.orig/debian/patches/00list 
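Review bot: get_line() now returns 0 for every `-1` from `getline()`, so a read or allocation failure is indistinguishable from end of input and logresolve would stop quietly with truncated output. With the 1024-byte cap gone, a single very long line makes that failure more likely, so I would report it: `if (len == -1) { if (!feof(stdin)) perror("getline"); return (0); }`. The empty parameter list in `static int get_line()` should also be `(void)` in both the prototype and the definition. `getline` and `ssize_t` are not available on every platform this file has `#ifdef` branches for (WIN32, NETWARE and BEOS appear in the context lines), which is acceptable for a Debian-only patch but deserves a comment.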
+++ apache2-2.2.16/debian/patches/00list
@@ -0,0 +1,35 @@
+001_branding
+004_usr_bin_perl_0wnz_j00
+008_make_include_safe
+009_apache2_has_dso
+010_fhs_compliance
+031_apxs2_sucks_more
+032_suexec_is_shared
+033_dbm_read_hash_or_btree
+034_apxs2_libtool_fixtastic
+038_no_LD_LIBRARY_PATH
+042_htdigest_CAN-2005-1344
+045_suexec_log_cloexec.dpatch
+047_fix_usage_message.dpatch
+052_logresolve_linelength.dpatch
+057_disablemods.dpatch
+058_suexec-CVE-2007-1742.dpatch
+067_fix_segfault_in_ab.dpatch
+069_no_deflate_for_HEAD.dpatch
+071_fix_cacheenable.dpatch
+073_mod_dav_trunk_fixes.dpatch
+074_link_support_progs_with_lcrypt.dpatch
+075_mod_rewrite_literal_ipv6_redirect.dpatch
+076_apxs2_a2enmod.dpatch
+077_CacheIgnoreURLSessionIdentifiers.dpatch
+079_polish_translation.dpatch
+080_mod_reqtimeout_fixes.dpatch
+082_ab_num_requests
+083_mod_ssl_memcpy.dpatch
+084_CVE-2011-3192.dpatch
+085_CVE-2011-3192_regression.dpatch
+099_config_guess_sub_update
+200_cp_suexec.dpatch
+201_build_suexec-custom.dpatch
+202_suexec-custom.dpatch
+204_CVE-2010-1623
--- apache2-2.2.16.orig/debian/patches/004_usr_bin_perl_0wnz_j00
+++ apache2-2.2.16/debian/patches/004_usr_bin_perl_0wnz_j00
@@ -0,0 +1,15 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 004_usr_bin_perl_0wnz_j00 by Adam Conrad
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Call /usr/bin/perl in printenv, not /usr/local/bin/perl
+
+@DPATCH@
+--- apache2/docs/cgi-examples/printenv.orig Fri Sep 21 17:31:24 2001
++++ apache2/docs/cgi-examples/printenv Fri Sep 21 17:31:29 2001
+@@ -1,4 +1,4 @@
+-#!/usr/local/bin/perl
++#!/usr/bin/perl
+ ##
+ ## printenv -- demo CGI program which just prints its environment
+ ##
--- apache2-2.2.16.orig/debian/patches/085_CVE-2011-3192_regression.dpatch
+++ apache2-2.2.16/debian/patches/085_CVE-2011-3192_regression.dpatch
@@ -0,0 +1,177 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 084_CVE-2011-3192_regression.dpatch by Steve Beattie +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: backport of fixes for debian bug 639825 +# +# Subject: fix regressions introduced by CVE-2011-3192 fixes +# Origin: upstream +# Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639825 +# +# When asked for byte range 0-, should return 206 not 200. +# When asked for byte range entirely outside of the file should return +# 416 not 200. +# +# Contains backported upstream commits +# http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1163851 +# and +# http://svn.apache.org/viewvc?view=revision&sortby=date&revision=1163833 +# +# See also http://marc.info/?l=apache-httpd-dev&m=131482445624089&w=2 +# and http://marc.info/?l=apache-httpd-dev&m=131482610125970&w=2 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apache2-2.2.17~/modules/http/byterange_filter.c apache2-2.2.17/modules/http/byterange_filter.c +--- apache2-2.2.17~/modules/http/byterange_filter.c 2011-08-31 23:09:33.000000000 -0700 ++++ apache2-2.2.17/modules/http/byterange_filter.c 2011-08-31 23:41:36.000000000 -0700 +@@ -248,6 +248,20 @@ + apr_off_t end; + } indexes_t; + ++static apr_status_t send_416(ap_filter_t *f, apr_bucket_brigade *tmpbb) ++{ ++ apr_bucket *e; ++ conn_rec *c = f->r->connection; ++ ap_remove_output_filter(f); ++ f->r->status = HTTP_OK; ++ e = ap_bucket_error_create(HTTP_RANGE_NOT_SATISFIABLE, NULL, ++ f->r->pool, c->bucket_alloc); ++ APR_BRIGADE_INSERT_TAIL(tmpbb, e); ++ e = apr_bucket_eos_create(c->bucket_alloc); ++ APR_BRIGADE_INSERT_TAIL(tmpbb, e); ++ return ap_pass_brigade(f->next, tmpbb); ++} ++ + AP_CORE_DECLARE_NONSTD(apr_status_t) ap_byterange_filter(ap_filter_t *f, + apr_bucket_brigade *bb) + { +@@ -301,6 +315,12 @@ + return ap_pass_brigade(f->next, bb); + } + ++ /* this 
brigade holds what we will be sending */ ++ bsend = apr_brigade_create(r->pool, c->bucket_alloc); ++ ++ if (num_ranges < 0) ++ return send_416(f, bsend); ++ + if (num_ranges > 1) { + /* Is ap_make_content_type required here? */ + const char *orig_ct = ap_make_content_type(r, r->content_type); +@@ -330,8 +350,6 @@ + ap_xlate_proto_to_ascii(bound_head, strlen(bound_head)); + } + +- /* this brigade holds what we will be sending */ +- bsend = apr_brigade_create(r->pool, c->bucket_alloc); + tmpbb = apr_brigade_create(r->pool, c->bucket_alloc); + + idx = (indexes_t *)indexes->elts; +@@ -389,15 +407,8 @@ + } + + if (found == 0) { +- ap_remove_output_filter(f); +- r->status = HTTP_OK; + /* bsend is assumed to be empty if we get here. */ +- e = ap_bucket_error_create(HTTP_RANGE_NOT_SATISFIABLE, NULL, +- r->pool, c->bucket_alloc); +- APR_BRIGADE_INSERT_TAIL(bsend, e); +- e = apr_bucket_eos_create(c->bucket_alloc); +- APR_BRIGADE_INSERT_TAIL(bsend, e); +- return ap_pass_brigade(f->next, bsend); ++ return send_416(f, bsend); + } + + if (num_ranges > 1) { +@@ -429,7 +440,7 @@ + const char *match; + const char *ct; + char *cur; +- int num_ranges = 0; ++ int num_ranges = 0, unsatisfiable = 0; + apr_off_t sum_lengths = 0; + indexes_t *idx; + int ranges = 1; +@@ -502,14 +513,22 @@ + char *errp; + apr_off_t number, start, end; + ++ if (!*cur) ++ break; ++ ++ /* ++ * Per RFC 2616 14.35.1: If there is at least one syntactically invalid ++ * byte-range-spec, we must ignore the whole header. 
++ */ ++ + if (!(dash = strchr(cur, '-'))) { +- break; ++ return 0; + } + + if (dash == range) { + /* In the form "-5" */ + if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) { +- break; ++ return 0; + } + start = clength - number; + end = clength - 1; +@@ -517,14 +536,17 @@ + else { + *dash++ = '\0'; + if (apr_strtoff(&number, cur, &errp, 10) || *errp) { +- break; ++ return 0; + } + start = number; + if (*dash) { + if (apr_strtoff(&number, dash, &errp, 10) || *errp) { +- break; ++ return 0; + } + end = number; ++ if (start > end) { ++ return 0; ++ } + } + else { /* "5-" */ + end = clength - 1; +@@ -534,15 +556,14 @@ + if (start < 0) { + start = 0; + } ++ if (start >= clength) { ++ unsatisfiable = 1; ++ continue; ++ } + if (end >= clength) { + end = clength - 1; + } + +- if (start > end) { +- /* ignore? count? */ +- break; +- } +- + idx = (indexes_t *)apr_array_push(*indexes); + idx->start = start; + idx->end = end; +@@ -551,9 +572,14 @@ + num_ranges++; + } + +- if (sum_lengths >= clength) { ++ if (num_ranges == 0 && unsatisfiable) { ++ /* If all ranges are unsatisfiable, we should return 416 */ ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "0U"); ++ return -1; ++ } ++ if (sum_lengths > clength) { + ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, +- "Sum of ranges not smaller than file, ignoring."); ++ "Sum of ranges larger than file, ignoring."); + return 0; + } + --- apache2-2.2.16.orig/debian/patches/047_fix_usage_message.dpatch +++ apache2-2.2.16/debian/patches/047_fix_usage_message.dpatch 
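Review bot: The new all-ranges-unsatisfiable path logs `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "0U");`, which looks like leftover debugging output. The message means nothing to an operator, and because it is emitted at error level for a condition any client can trigger through its Range header, it can be used to fill the error log. I would lower the level and make the text readable, e.g. `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "All ranges unsatisfiable, returning 416");`, matching the APLOG_DEBUG used for the sum-of-ranges message a few lines below. The range-parsing function is only partly visible in these hunks.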
@@ -0,0 +1,28 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 047_fix_usage_message.dpatch by Stefan Fritsch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add -X to the help message
+
+@DPATCH@
+diff -urNad apache2-2.2.4~/server/main.c apache2-2.2.4/server/main.c
+--- apache2-2.2.4~/server/main.c 2006-09-15 15:19:25.000000000 +0200
++++ apache2-2.2.4/server/main.c 2007-06-25 23:19:58.000000000 +0200
+@@ -336,7 +336,7 @@
+ #endif /* AP_MPM_WANT_SET_GRACEFUL_SHUTDOWN */
+ #endif
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
+- " %s [-v] [-V] [-h] [-l] [-L] [-t] [-S]", pad);
++ " %s [-v] [-V] [-h] [-l] [-L] [-t] [-S] [-X]", pad);
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
+ "Options:");
+
+@@ -415,6 +415,8 @@
+ " -M : a synonym for -t -D DUMP_MODULES");
+ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
+ " -t : run syntax check for config files");
++ ap_log_error(APLOG_MARK, APLOG_STARTUP, 0, NULL,
++ " -X : debug mode (only one worker, do not detach)");
+
+ destroy_and_exit_process(process, 1);
+ }
--- apache2-2.2.16.orig/debian/patches/076_apxs2_a2enmod.dpatch
+++ apache2-2.2.16/debian/patches/076_apxs2_a2enmod.dpatch
@@ -0,0 +1,151 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 076_apxs2_a2enmo.dpatch by Stefan Fritsch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Make apxs2 use a2enmod and /etc/apache2/mods-available + +@DPATCH@ +diff -urNad trunk~/support/apxs.in trunk/support/apxs.in +--- trunk~/support/apxs.in 2010-01-02 21:52:57.828866228 +0100 ++++ trunk/support/apxs.in 2010-01-02 21:55:48.375597120 +0100 +@@ -521,7 +521,7 @@ + # $dir =~ s|^$CFG_PREFIX/?||; + $dir =~ s|(.)$|$1/|; + $t =~ s|\.la$|.so|; +- push(@lmd, sprintf("LoadModule %-18s %s", "${name}_module", "$dir$t")); ++ push(@lmd, [ $name, sprintf("LoadModule %-18s %s", "${name}_module", "$dir$t") ] ); + } + + # execute the commands +@@ -529,108 +529,35 @@ + + # activate module via LoadModule/AddModule directive + if ($opt_a or $opt_A) { +- if (not -f "$CFG_SYSCONFDIR/httpd.conf") { +- error("Config file $CFG_SYSCONFDIR/httpd.conf not found"); ++ if (not -d "$CFG_SYSCONFDIR/mods-available") { ++ error("Config file $CFG_SYSCONFDIR/mods-available not found"); + exit(1); + } + +- open(FP, "<$CFG_SYSCONFDIR/httpd.conf") || die; +- my $content = join('', ); +- close(FP); +- +- if ($content !~ m|\n#?\s*LoadModule\s+|) { +- error("Activation failed for custom $CFG_SYSCONFDIR/httpd.conf file."); +- error("At least one `LoadModule' directive already has to exist."); +- exit(1); +- } +- +- my $lmd; +- my $c = ''; +- $c = '#' if ($opt_A); +- foreach $lmd (@lmd) { +- my $what = $opt_A ? "preparing" : "activating"; +- my $lmd_re = $lmd; +- $lmd_re =~ s/\s+/\\s+/g; +- +- if ($content !~ m|\n#?\s*$lmd_re|) { +- # check for open , so that the new LoadModule +- # directive always appears *outside* of an . 
+- +- my $before = ($content =~ m|^(.*\n)#?\s*LoadModule\s+[^\n]+\n|s)[0]; +- +- # the '()=' trick forces list context and the scalar +- # assignment counts the number of list members (aka number +- # of matches) then +- my $cntopen = () = ($before =~ m|^\s*<[^/].*$|mg); +- my $cntclose = () = ($before =~ m|^\s*$filename") || die; ++ print FP "$lmd\n"; ++ close(FP); ++ ++ if ($opt_a) { ++ my $cmd = "a2enmod $name"; ++ if (system($cmd) != 0) { ++ die "'$cmd' failed\n"; ++ } ++ } ++ + } +- if (@lmd) { +- if (open(FP, ">$CFG_SYSCONFDIR/httpd.conf.new")) { +- print FP $content; +- close(FP); +- system("cp $CFG_SYSCONFDIR/httpd.conf $CFG_SYSCONFDIR/httpd.conf.bak && " . +- "cp $CFG_SYSCONFDIR/httpd.conf.new $CFG_SYSCONFDIR/httpd.conf && " . +- "rm $CFG_SYSCONFDIR/httpd.conf.new"); +- } else { +- notice("unable to open configuration file"); +- } +- } + } + } + --- apache2-2.2.16.orig/debian/patches/204_CVE-2010-1623.dpatch +++ apache2-2.2.16/debian/patches/204_CVE-2010-1623.dpatch 
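Review bot: The activation step builds `my $cmd = "a2enmod $name";` and runs `system($cmd)` with a single interpolated string, so if the module name contains shell metacharacters Perl hands the whole string to the shell instead of passing the name through as one argument. `$name` appears to be derived from the module file given on the apxs command line (that code is above this hunk), so the list form is the safer spelling: `system('a2enmod', $name) == 0 or die "a2enmod $name failed\n";`. The same block writes the load file with a two-argument, bareword-handle `open(FP, ">$filename") || die;`; a three-argument open on a lexical handle with `$!` in the message would make a failure there diagnosable. Part of this hunk is garbled on the page, so how `$filename` is built cannot be checked here.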
@@ -0,0 +1,61 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +# Description: fix denial of service via memory leak in mod_reqtimeout. +# Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1003626 + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apache2-2.2.16~/modules/filters/mod_reqtimeout.c apache2-2.2.16/modules/filters/mod_reqtimeout.c +--- apache2-2.2.16~/modules/filters/mod_reqtimeout.c 2010-11-18 12:59:09.000000000 -0500 ++++ apache2-2.2.16/modules/filters/mod_reqtimeout.c 2010-11-18 12:59:33.000000000 -0500 +@@ -116,6 +116,41 @@ + return APR_INCOMPLETE; + } + ++/* ++ * Append bbIn to bbOut and merge small buckets, to avoid DoS by high memory ++ * usage ++ */ ++static apr_status_t brigade_append(apr_bucket_brigade *bbOut, apr_bucket_brigade *bbIn) ++{ ++ while (!APR_BRIGADE_EMPTY(bbIn)) { ++ apr_bucket *e = APR_BRIGADE_FIRST(bbIn); ++ const char *str; ++ apr_size_t len; ++ apr_status_t rv; ++ ++ rv = apr_bucket_read(e, &str, &len, APR_BLOCK_READ); ++ if (rv != APR_SUCCESS) { ++ return rv; ++ } ++ ++ APR_BUCKET_REMOVE(e); ++ if (APR_BUCKET_IS_METADATA(e) || len > APR_BUCKET_BUFF_SIZE/4) { ++ APR_BRIGADE_INSERT_TAIL(bbOut, e); ++ } ++ else { ++ if (len > 0) { ++ rv = apr_brigade_write(bbOut, NULL, NULL, str, len); ++ if (rv != APR_SUCCESS) { ++ apr_bucket_destroy(e); ++ return rv; ++ } ++ } ++ apr_bucket_destroy(e); ++ } ++ } ++ return APR_SUCCESS; ++} ++ + + #define MIN(x,y) ((x) < (y) ? (x) : (y)) + static apr_status_t reqtimeout_filter(ap_filter_t *f, +@@ -216,7 +251,9 @@ + if (!ccfg->tmpbb) { + ccfg->tmpbb = apr_brigade_create(f->c->pool, f->c->bucket_alloc); + } +- APR_BRIGADE_CONCAT(ccfg->tmpbb, bb); ++ rv = brigade_append(ccfg->tmpbb, bb); ++ if (rv != APR_SUCCESS) ++ break; + } + + /* ... and wait for more */ --- apache2-2.2.16.orig/debian/patches/200_cp_suexec.dpatch +++ apache2-2.2.16/debian/patches/200_cp_suexec.dpatch 
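Review bot: The header comment on `brigade_append()` does not state what the function leaves behind when it fails, and the added call site depends on that. On a failed `apr_bucket_read()` the current bucket and everything after it stay in `bbIn`, while the buckets already handled have been moved or copied to `bbOut`; on a failed `apr_brigade_write()` the current bucket is destroyed as well. I would extend the comment with something like `/* On error bbIn may be partially consumed; buckets already appended remain in bbOut. */` and add a short why-comment on the `APR_BUCKET_BUFF_SIZE/4` threshold, which decides whether a bucket is moved as-is or copied into a shared buffer. `reqtimeout_filter` continues outside the hunk, so what happens to `rv` after the new `break` cannot be confirmed from here.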
@@ -0,0 +1,11 @@ +#!/bin/sh -e + +## DP: copy suexec to suexec-custom + +WORKDIR=${2:-.} + +if [ "$1" = -patch ]; then + cp $WORKDIR/support/suexec.c $WORKDIR/support/suexec-custom.c +elif [ "$1" = -unpatch ]; then + rm $WORKDIR/support/suexec-custom.c +fi --- apache2-2.2.16.orig/debian/patches/073_mod_dav_trunk_fixes.dpatch +++ apache2-2.2.16/debian/patches/073_mod_dav_trunk_fixes.dpatch 
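Review bot: `$WORKDIR` is expanded unquoted in both the `cp` and the `rm` command, so a work directory containing whitespace or glob characters is word-split before the command sees it. Quoting fixes that: `cp "$WORKDIR/support/suexec.c" "$WORKDIR/support/suexec-custom.c"` and `rm -f "$WORKDIR/support/suexec-custom.c"`; the `-f` also keeps a repeated `-unpatch` from aborting under `sh -e`. An unrecognised first argument currently falls through and exits 0 without doing anything; an `else` branch that prints a usage line and exits non-zero would surface a mis-invocation.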
@@ -0,0 +1,520 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Various bug fixes for mod_dav/mod_dav_fs +## DP: upstream svn revs 834018:835092 and 928403 in modules/dav +## DP: +## DP: *) mod_dav: Include uri when logging a PUT error due to connection abort. +## DP: PR 38149. [Stefan Fritsch] +## DP: +## DP: *) mod_dav: Return 409 instead of 500 for a LOCK request if the parent +## DP: resource does not exist or is not a collection. PR 43465. [Stefan Fritsch] +## DP: +## DP: *) mod_dav_fs: Return 409 instead of 500 for Litmus test case copy_nodestcoll +## DP: (a COPY request where the parent of the destination resource does not +## DP: exist). PR 39299. [Stefan Fritsch] +## DP: +## DP: *) mod_dav_fs: Don't delete the whole file if a PUT with content-range failed. +## DP: PR 42896. [Stefan Fritsch] +## DP: +## DP: *) mod_dav_fs: Make PUT create files atomically and no longer destroy the +## DP: old file if the transfer aborted. PR 39815. [Paul Querna, Stefan Fritsch] +## DP: +## DP: *) mod_dav_fs: Remove inode keyed locking as this conflicts with atomically +## DP: creating files. On systems with inode numbers, this is a format change of +## DP: the DavLockDB. The old DavLockDB must be deleted on upgrade. +## DP: [Stefan Fritsch] +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/modules/dav/fs/lock.c trunk/modules/dav/fs/lock.c +--- trunk~/modules/dav/fs/lock.c 2010-03-29 21:46:51.000000000 +0200 ++++ trunk/modules/dav/fs/lock.c 2010-03-29 21:49:00.970983302 +0200 +@@ -48,9 +48,8 @@ + ** + ** KEY + ** +-** The database is keyed by a key_type unsigned char (DAV_TYPE_INODE or +-** DAV_TYPE_FNAME) followed by inode and device number if possible, +-** otherwise full path (in the case of Win32 or lock-null resources). 
++** The database is keyed by a key_type unsigned char (DAV_TYPE_FNAME) ++** followed by the full path. The key_type DAV_TYPE_INODE is not used anymore. + ** + ** VALUE + ** +@@ -82,7 +81,10 @@ + #define DAV_LOCK_DIRECT 1 + #define DAV_LOCK_INDIRECT 2 + +-#define DAV_TYPE_INODE 10 ++/* ++ * not used anymore ++ * #define DAV_TYPE_INODE 10 ++ */ + #define DAV_TYPE_FNAME 11 + + +@@ -372,12 +374,13 @@ + } + + /* +-** dav_fs_build_fname_key +-** +-** Given a pathname, build a DAV_TYPE_FNAME lock database key. ++** dav_fs_build_key: Given a resource, return a apr_datum_t key ++** to look up lock information for this file. + */ +-static apr_datum_t dav_fs_build_fname_key(apr_pool_t *p, const char *pathname) ++static apr_datum_t dav_fs_build_key(apr_pool_t *p, ++ const dav_resource *resource) + { ++ const char *pathname = dav_fs_pathname(resource); + apr_datum_t key; + + /* ### does this allocation have a proper lifetime? need to check */ +@@ -394,46 +397,6 @@ + } + + /* +-** dav_fs_build_key: Given a resource, return a apr_datum_t key +-** to look up lock information for this file. +-** +-** (inode/dev not supported or file is lock-null): +-** apr_datum_t->dvalue = full path +-** +-** (inode/dev supported and file exists ): +-** apr_datum_t->dvalue = inode, dev +-*/ +-static apr_datum_t dav_fs_build_key(apr_pool_t *p, +- const dav_resource *resource) +-{ +- const char *file = dav_fs_pathname(resource); +- apr_datum_t key; +- apr_finfo_t finfo; +- apr_status_t rv; +- +- /* ### use lstat() ?? */ +- /* +- * XXX: What for platforms with no IDENT (dev/inode)? +- */ +- rv = apr_stat(&finfo, file, APR_FINFO_IDENT, p); +- if ((rv == APR_SUCCESS || rv == APR_INCOMPLETE) +- && ((finfo.valid & APR_FINFO_IDENT) == APR_FINFO_IDENT)) +- { +- /* ### can we use a buffer for this? 
*/ +- key.dsize = 1 + sizeof(finfo.inode) + sizeof(finfo.device); +- key.dptr = apr_palloc(p, key.dsize); +- *key.dptr = DAV_TYPE_INODE; +- memcpy(key.dptr + 1, &finfo.inode, sizeof(finfo.inode)); +- memcpy(key.dptr + 1 + sizeof(finfo.inode), &finfo.device, +- sizeof(finfo.device)); +- +- return key; +- } +- +- return dav_fs_build_fname_key(p, file); +-} +- +-/* + ** dav_fs_lock_expired: return 1 (true) if the given timeout is in the past + ** or present (the lock has expired), or 0 (false) if in the future + ** (the lock has not yet expired). +@@ -989,13 +952,8 @@ + + /* + ** dav_fs_remove_locknull_state: Given a request, check to see if r->filename +-** is/was a lock-null resource. If so, return it to an existant state. +-** +-** ### this function is broken... it doesn't check! +-** +-** In this implementation, this involves two things: +-** (a) remove it from the list in the appropriate .DAV/locknull file +-** (b) on *nix, convert the key from a filename to an inode. ++** is/was a lock-null resource. If so, return it to an existant state, i.e. ++** remove it from the list in the appropriate .DAV/locknull file. + */ + static dav_error * dav_fs_remove_locknull_state( + dav_lockdb *lockdb, +@@ -1011,35 +969,6 @@ + return err; + } + +- { +- dav_lock_discovery *ld; +- dav_lock_indirect *id; +- apr_datum_t key; +- +- /* +- ** Fetch the lock(s) that made the resource lock-null. Remove +- ** them under the filename key. Obtain the new inode key, and +- ** save the same lock information under it. 
+- */ +- key = dav_fs_build_fname_key(p, pathname); +- if ((err = dav_fs_load_lock_record(lockdb, key, DAV_CREATE_LIST, +- &ld, &id)) != NULL) { +- /* ### insert a higher-level error description */ +- return err; +- } +- +- if ((err = dav_fs_save_lock_record(lockdb, key, NULL, NULL)) != NULL) { +- /* ### insert a higher-level error description */ +- return err; +- } +- +- key = dav_fs_build_key(p, resource); +- if ((err = dav_fs_save_lock_record(lockdb, key, ld, id)) != NULL) { +- /* ### insert a higher-level error description */ +- return err; +- } +- } +- + return NULL; + } + +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/modules/dav/fs/repos.c trunk/modules/dav/fs/repos.c +--- trunk~/modules/dav/fs/repos.c 2010-03-29 21:46:51.000000000 +0200 ++++ trunk/modules/dav/fs/repos.c 2010-03-29 21:49:08.031078314 +0200 +@@ -27,6 +27,10 @@ + #include /* for sprintf() */ + #endif + ++#if APR_HAVE_UNISTD_H ++#include /* for getpid() */ ++#endif ++ + #include "httpd.h" + #include "http_log.h" + #include "http_protocol.h" /* for ap_set_* (in dav_fs_set_headers) */ +@@ -139,6 +143,11 @@ + */ + #define DAV_PROPID_FS_executable 1 + ++/* ++ * prefix for temporary files ++ */ ++#define DAV_FS_TMP_PREFIX ".davfs.tmp" ++ + static const dav_liveprop_spec dav_fs_props[] = + { + /* standard DAV properties */ +@@ -191,11 +200,14 @@ + apr_pool_t *p; + apr_file_t *f; + const char *pathname; /* we may need to remove it at close time */ ++ char *temppath; ++ int unlink_on_error; + }; + + /* returns an appropriate HTTP status code given an APR status code for a + * failed I/O operation. ### use something besides 500? */ + #define MAP_IO2HTTP(e) (APR_STATUS_IS_ENOSPC(e) ? HTTP_INSUFFICIENT_STORAGE : \ ++ APR_STATUS_IS_ENOENT(e) ? 
HTTP_CONFLICT : \ + HTTP_INTERNAL_SERVER_ERROR) + + /* forward declaration for internal treewalkers */ +@@ -414,11 +426,24 @@ + apr_file_close(inf); + apr_file_close(outf); + +- if (is_move && apr_file_remove(src, p) != APR_SUCCESS) { ++ if (is_move && (status = apr_file_remove(src, p)) != APR_SUCCESS) { + dav_error *err; + int save_errno = errno; /* save the errno that got us here */ + +- if (apr_file_remove(dst, p) != APR_SUCCESS) { ++ if (APR_STATUS_IS_ENOENT(status)) { ++ /* ++ * Something is wrong here but the result is what we wanted. ++ * We definitely should not remove the destination file. ++ */ ++ err = dav_new_error(p, HTTP_INTERNAL_SERVER_ERROR, 0, ++ apr_psprintf(p, "Could not remove source " ++ "file %s after move to %s. The " ++ "server may be in an " ++ "inconsistent state.", src, dst)); ++ err->save_errno = save_errno; ++ return err; ++ } ++ else if (apr_file_remove(dst, p) != APR_SUCCESS) { + /* ### ACK. this creates an inconsistency. do more!? */ + + /* ### use something besides 500? */ +@@ -500,9 +525,13 @@ + dst = apr_pstrcat(p, dst, "/", dst_file, NULL); + + /* copy/move the file now */ +- if (is_move && src_finfo.device == dst_state_finfo.device) { +- /* simple rename is possible since it is on the same device */ +- if (apr_file_rename(src, dst, p) != APR_SUCCESS) { ++ if (is_move) { ++ /* try simple rename first */ ++ rv = apr_file_rename(src, dst, p); ++ if (APR_STATUS_IS_EXDEV(rv)) { ++ return dav_fs_copymove_file(is_move, p, src, dst, NULL, NULL, pbuf); ++ } ++ if (rv != APR_SUCCESS) { + /* ### use something besides 500? 
*/ + return dav_new_error(p, HTTP_INTERNAL_SERVER_ERROR, 0, + "Could not move state file."); +@@ -841,6 +870,34 @@ + && ctx2->pathname[len1] == '/'); + } + ++static apr_status_t tmpfile_cleanup(void *data) { ++ dav_stream *ds = data; ++ if (ds->temppath) { ++ apr_file_remove(ds->temppath, ds->p); ++ } ++ return APR_SUCCESS; ++} ++ ++/* custom mktemp that creates the file with APR_OS_DEFAULT permissions */ ++static apr_status_t dav_fs_mktemp(apr_file_t **fp, char *templ, apr_pool_t *p) ++{ ++ apr_status_t rv; ++ int num = ((getpid() << 7) + (int)templ % (1 << 16) ) % ( 1 << 23 ) ; ++ char *numstr = templ + strlen(templ) - 6; ++ ++ ap_assert(numstr >= templ); ++ ++ do { ++ num = (num + 1) % ( 1 << 23 ); ++ snprintf(numstr, 7, "%06x", num); ++ rv = apr_file_open(fp, templ, ++ APR_WRITE | APR_CREATE | APR_BINARY | APR_EXCL, ++ APR_OS_DEFAULT, p); ++ } while (APR_STATUS_IS_EEXIST(rv)); ++ ++ return rv; ++} ++ + static dav_error * dav_fs_open_stream(const dav_resource *resource, + dav_stream_mode mode, + dav_stream **stream) +@@ -865,7 +922,32 @@ + + ds->p = p; + ds->pathname = resource->info->pathname; +- rv = apr_file_open(&ds->f, ds->pathname, flags, APR_OS_DEFAULT, ds->p); ++ ds->temppath = NULL; ++ ds->unlink_on_error = 0; ++ ++ if (mode == DAV_MODE_WRITE_TRUNC) { ++ ds->temppath = apr_pstrcat(p, ap_make_dirstr_parent(p, ds->pathname), ++ DAV_FS_TMP_PREFIX "XXXXXX", NULL); ++ rv = dav_fs_mktemp(&ds->f, ds->temppath, ds->p); ++ apr_pool_cleanup_register(p, ds, tmpfile_cleanup, ++ apr_pool_cleanup_null); ++ } ++ else if (mode == DAV_MODE_WRITE_SEEKABLE) { ++ rv = apr_file_open(&ds->f, ds->pathname, flags | APR_FOPEN_EXCL, ++ APR_OS_DEFAULT, ds->p); ++ if (rv == APR_SUCCESS) { ++ /* we have created a new file */ ++ ds->unlink_on_error = 1; ++ } ++ else if (APR_STATUS_IS_EEXIST(rv)) { ++ rv = apr_file_open(&ds->f, ds->pathname, flags, APR_OS_DEFAULT, ++ ds->p); ++ } ++ } ++ else { ++ rv = apr_file_open(&ds->f, ds->pathname, flags, APR_OS_DEFAULT, ds->p); ++ } ++ + if 
(rv != APR_SUCCESS) { + return dav_new_error(p, MAP_IO2HTTP(rv), 0, + "An error occurred while opening a resource."); +@@ -879,17 +961,33 @@ + + static dav_error * dav_fs_close_stream(dav_stream *stream, int commit) + { ++ apr_status_t rv; ++ + apr_file_close(stream->f); + + if (!commit) { +- if (apr_file_remove(stream->pathname, stream->p) != APR_SUCCESS) { +- /* ### use a better description? */ +- return dav_new_error(stream->p, HTTP_INTERNAL_SERVER_ERROR, 0, +- "There was a problem removing (rolling " +- "back) the resource " +- "when it was being closed."); ++ if (stream->temppath) { ++ apr_pool_cleanup_run(stream->p, stream, tmpfile_cleanup); ++ } ++ else if (stream->unlink_on_error) { ++ if (apr_file_remove(stream->pathname, stream->p) != APR_SUCCESS) { ++ /* ### use a better description? */ ++ return dav_new_error(stream->p, HTTP_INTERNAL_SERVER_ERROR, 0, ++ "There was a problem removing (rolling " ++ "back) the resource " ++ "when it was being closed."); ++ } + } + } ++ else if (stream->temppath) { ++ rv = apr_file_rename(stream->temppath, stream->pathname, stream->p); ++ if (rv) { ++ return dav_new_error(stream->p, HTTP_INTERNAL_SERVER_ERROR, rv, ++ "There was a problem writing the file " ++ "atomically after writes."); ++ } ++ apr_pool_cleanup_kill(stream->p, stream, tmpfile_cleanup); ++ } + + return NULL; + } +@@ -1201,7 +1299,7 @@ + dav_resource_private *srcinfo = src->info; + dav_resource_private *dstinfo = dst->info; + dav_error *err; +- int can_rename = 0; ++ apr_status_t rv; + + #if DAV_DEBUG + if (src->hooks != dst->hooks) { +@@ -1215,39 +1313,12 @@ + } + #endif + +- /* determine whether a simple rename will work. +- * Assume source exists, else we wouldn't get called. +- */ +- if (dstinfo->finfo.filetype != 0) { +- if (dstinfo->finfo.device == srcinfo->finfo.device) { +- /* target exists and is on the same device. 
*/ +- can_rename = 1; +- } +- } +- else { +- const char *dirpath; +- apr_finfo_t finfo; +- apr_status_t rv; + +- /* destination does not exist, but the parent directory should, +- * so try it +- */ +- dirpath = ap_make_dirstr_parent(dstinfo->pool, dstinfo->pathname); +- /* +- * XXX: If missing dev ... then what test? +- * Really need a try and failover for those platforms. +- * +- */ +- rv = apr_stat(&finfo, dirpath, APR_FINFO_DEV, dstinfo->pool); +- if ((rv == APR_SUCCESS || rv == APR_INCOMPLETE) +- && (finfo.valid & srcinfo->finfo.valid & APR_FINFO_DEV) +- && (finfo.device == srcinfo->finfo.device)) { +- can_rename = 1; +- } +- } ++ /* try rename first */ ++ rv = apr_file_rename(srcinfo->pathname, dstinfo->pathname, srcinfo->pool); + + /* if we can't simply rename, then do it the hard way... */ +- if (!can_rename) { ++ if (APR_STATUS_IS_EXDEV(rv)) { + if ((err = dav_fs_copymove_resource(1, src, dst, DAV_INFINITY, + response)) == NULL) { + /* update resource states */ +@@ -1260,20 +1331,16 @@ + return err; + } + +- /* a rename should work. do it, and move properties as well */ +- + /* no multistatus response */ + *response = NULL; + +- /* ### APR has no rename? */ +- if (apr_file_rename(srcinfo->pathname, dstinfo->pathname, +- srcinfo->pool) != APR_SUCCESS) { ++ if (rv != APR_SUCCESS) { + /* ### should have a better error than this. */ + return dav_new_error(srcinfo->pool, HTTP_INTERNAL_SERVER_ERROR, 0, + "Could not rename resource."); + } + +- /* update resource states */ ++ /* Rename did work. Update resource states and move properties as well */ + dst->exists = 1; + dst->collection = src->collection; + src->exists = 0; +@@ -1475,14 +1542,18 @@ + /* ### need to authorize each file */ + /* ### example: .htaccess is normally configured to fail auth */ + +- /* stuff in the state directory is never authorized! */ +- if (!strcmp(dirent.name, DAV_FS_STATE_DIR)) { ++ /* stuff in the state directory and temp files are never authorized! 
*/ ++ if (!strcmp(dirent.name, DAV_FS_STATE_DIR) || ++ !strncmp(dirent.name, DAV_FS_TMP_PREFIX, ++ strlen(DAV_FS_TMP_PREFIX))) { + continue; + } + } +- /* skip the state dir unless a HIDDEN is performed */ ++ /* skip the state dir and temp files unless a HIDDEN is performed */ + if (!(params->walk_type & DAV_WALKTYPE_HIDDEN) +- && !strcmp(dirent.name, DAV_FS_STATE_DIR)) { ++ && (!strcmp(dirent.name, DAV_FS_STATE_DIR) || ++ !strncmp(dirent.name, DAV_FS_TMP_PREFIX, ++ strlen(DAV_FS_TMP_PREFIX)))) { + continue; + } + +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/modules/dav/main/mod_dav.c trunk/modules/dav/main/mod_dav.c +--- trunk~/modules/dav/main/mod_dav.c 2010-03-29 21:46:51.000000000 +0200 ++++ trunk/modules/dav/main/mod_dav.c 2010-03-29 21:49:00.966964568 +0200 +@@ -986,7 +986,10 @@ + + if (rc != APR_SUCCESS) { + err = dav_new_error(r->pool, HTTP_INTERNAL_SERVER_ERROR, 0, +- "Could not get next bucket brigade"); ++ apr_psprintf(r->pool, ++ "Could not get next bucket " ++ "brigade (URI: %s)", ++ ap_escape_html(r->pool, r->uri))); + break; + } + +@@ -1009,8 +1012,10 @@ + rc = apr_bucket_read(b, &data, &len, APR_BLOCK_READ); + if (rc != APR_SUCCESS) { + err = dav_new_error(r->pool, HTTP_BAD_REQUEST, 0, +- "An error occurred while reading " +- "the request body."); ++ apr_psprintf(r->pool, ++ "An error occurred while reading" ++ " the request body (URI: %s)", ++ ap_escape_html(r->pool, r->uri))); + break; + } + +@@ -2966,6 +2971,7 @@ + { + dav_error *err; + dav_resource *resource; ++ dav_resource *parent; + const dav_hooks_locks *locks_hooks; + int result; + int depth; +@@ -2997,6 +3003,20 @@ + if (err != NULL) + return dav_handle_err(r, err, NULL); + ++ /* Check if parent collection exists */ ++ if ((err = resource->hooks->get_parent_resource(resource, &parent)) != NULL) { ++ /* ### add a higher-level description? 
*/ ++ return dav_handle_err(r, err, NULL); ++ } ++ if (parent && (!parent->exists || parent->collection != 1)) { ++ err = dav_new_error(r->pool, HTTP_CONFLICT, 0, ++ apr_psprintf(r->pool, ++ "The parent resource of %s does not " ++ "exist or is not a collection.", ++ ap_escape_html(r->pool, r->uri))); ++ return dav_handle_err(r, err, NULL); ++ } ++ + /* + * Open writable. Unless an error occurs, we'll be + * writing into the database. --- apache2-2.2.16.orig/debian/patches/201_build_suexec-custom.dpatch +++ apache2-2.2.16/debian/patches/201_build_suexec-custom.dpatch 
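Review bot: In `dav_fs_close_stream` the result of `apr_file_close(stream->f)` is still discarded, and with this change the commit path then renames `stream->temppath` over `stream->pathname`. If the close reports an error (whether it can do so depends on the platform and filesystem), an incomplete temporary file would atomically replace the previous resource, which is the outcome this patch is meant to prevent. I would capture the status and, when a temp file is in use, remove it and return an error instead of renaming, as sketched below. The sketch reuses `tmpfile_cleanup` and `MAP_IO2HTTP`, both of which this patch defines or extends earlier in repos.c.

```c
static dav_error * dav_fs_close_stream(dav_stream *stream, int commit)
{
    apr_status_t rv;

    rv = apr_file_close(stream->f);
    if (rv != APR_SUCCESS && commit && stream->temppath) {
        /* never rename a temp file whose close failed over the old resource */
        apr_pool_cleanup_run(stream->p, stream, tmpfile_cleanup);
        return dav_new_error(stream->p, MAP_IO2HTTP(rv), rv,
                             "There was a problem closing the temporary "
                             "file; the resource was left unchanged.");
    }

    /* … unchanged: rollback branch for !commit and rename branch for commit … */
```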
@@ -0,0 +1,42 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 201_make_suexec-custom.dpatch by Stefan Fritsch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: add suexec-custom to the build system + +@DPATCH@ +diff -urNad trunk~/Makefile.in trunk/Makefile.in +--- trunk~/Makefile.in 2007-04-24 13:08:01.000000000 +0200 ++++ trunk/Makefile.in 2008-04-02 23:03:53.928260185 +0200 +@@ -221,7 +221,7 @@ + fi + + suexec: +- cd support && $(MAKE) suexec ++ cd support && $(MAKE) suexec suexec-custom + + x-local-distclean: + @rm -rf autom4te.cache +diff -urNad trunk~/support/Makefile.in trunk/support/Makefile.in +--- trunk~/support/Makefile.in 2008-04-02 23:03:30.000000000 +0200 ++++ trunk/support/Makefile.in 2008-04-02 23:03:39.188260967 +0200 +@@ -1,7 +1,7 @@ + DISTCLEAN_TARGETS = apxs apachectl dbmmanage log_server_status \ + logresolve.pl phf_abuse_log.cgi split-logfile envvars-std + +-CLEAN_TARGETS = suexec ++CLEAN_TARGETS = suexec suexec-custom + + PROGRAMS = htpasswd htdigest rotatelogs logresolve ab checkgid htdbm htcacheclean httxt2dbm + TARGETS = $(PROGRAMS) +@@ -62,6 +62,10 @@ + suexec: $(suexec_OBJECTS) + $(LINK) $(suexec_OBJECTS) + ++suexec-custom_OBJECTS = suexec-custom.lo ++suexec-custom: $(suexec-custom_OBJECTS) ++ $(LINK) $(suexec-custom_OBJECTS) ++ + htcacheclean_OBJECTS = htcacheclean.lo + htcacheclean: $(htcacheclean_OBJECTS) + $(LINK) $(htcacheclean_LTFLAGS) $(htcacheclean_OBJECTS) $(PROGRAM_LDADD) --- apache2-2.2.16.orig/debian/patches/033_dbm_read_hash_or_btree +++ apache2-2.2.16/debian/patches/033_dbm_read_hash_or_btree 
@@ -0,0 +1,38 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 033_dbm_read_hash_or_btree by Adam Conrad +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Be more liberal in the sorts of DBM files we accept. + +@DPATCH@ +--- apache2/support/dbmmanage.in 2004-09-28 00:28:58.000000000 -0600 ++++ apache2/support/dbmmanage.in 2004-09-28 00:29:33.000000000 -0600 +@@ -24,7 +24,7 @@ + BEGIN { @AnyDBM_File::ISA = qw(DB_File NDBM_File GDBM_File SDBM_File) } + use strict; + use Fcntl; +-use AnyDBM_File (); ++use DB_File (); + + sub usage { + my $cmds = join "|", sort keys %dbmc::; +@@ -154,7 +154,9 @@ + my($mode, $flags) = $command =~ + /^(?:view|check)$/ ? (0644, O_RDONLY) : (0644, O_RDWR|O_CREAT); + +-tie (%DB, "AnyDBM_File", $file, $flags, $mode) || die "Can't tie $file: $!"; ++tie (%DB, "DB_File", $file, $flags, $mode, $DB_File::DB_HASH) || ++ tie (%DB, "DB_File", $file, $flags, $mode, $DB_File::DB_BTREE) || ++ die "Can't tie $file: $!"; + dbmc->$command(); + untie %DB; + +@@ -168,7 +168,7 @@ + srand (time ^ $$ or time ^ ($$ + ($$ << 15))); + } + else { +- for (qw(-xlwwa -le)) { ++ for (qw(xlwwa -le)) { + `ps $_ 2>/dev/null`; + $psf = $_, last unless $?; + } --- apache2-2.2.16.orig/debian/patches/008_make_include_safe +++ apache2-2.2.16/debian/patches/008_make_include_safe 
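Review bot: Hard-wiring both `tie` calls to `DB_File` means dbmmanage can no longer open NDBM, GDBM or SDBM files, so the change is narrower than the "more liberal" wording in the description suggests. The unchanged `BEGIN { @AnyDBM_File::ISA = ... }` line also appears to lose its purpose once `use AnyDBM_File ()` is replaced, unless code outside the hunk still reads it. When both ties fail, `$!` in the `die` message reflects only the second (`DB_BTREE`) attempt, which can hide the real cause, such as a permission error on the first. I would add a comment above the tie, e.g. `# Berkeley DB only: try hash format first, then btree`, and either drop the stale BEGIN line or note why it is kept.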
@@ -0,0 +1,68 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 008_make_include_safe by Adam Conrad +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Avoid including dpkg droppings in globbed includes. + +@DPATCH@ +--- apache2-2.2.0/server/config.c 2005-11-17 13:39:15.000000000 +0000 ++++ apache2-2.2.0/server/config.c 2006-01-27 17:06:19.000000000 +0000 +@@ -34,6 +34,7 @@ + #include "apr_portable.h" + #include "apr_file_io.h" + #include "apr_fnmatch.h" ++#include "apr_lib.h" + + #define APR_WANT_STDIO + #define APR_WANT_STRFUNC +@@ -1521,6 +1522,30 @@ + return strcmp(f1->fname,f2->fname); + } + ++static int fname_valid(const char *fname) { ++ const unsigned char *c = fname; ++ unsigned char bad_dpkg[] = "*.dpkg*"; ++ ++ if (!apr_isalnum(*c)) { ++ return 0; ++ } ++ ++c; ++ ++ ++ while (*c) { ++ if (!apr_isalnum(*c) && *c!='_' && *c!='-' && *c!='.') { ++ return 0; ++ } ++ ++c; ++ } ++ ++ if (!apr_fnmatch(bad_dpkg, fname, 0)) { ++ return 0; ++ } ++ ++ return 1; ++} ++ + static const char *process_resource_config_nofnmatch(server_rec *s, + const char *fname, + ap_directive_t **conftree, +@@ -1564,7 +1589,8 @@ + while (apr_dir_read(&dirent, APR_FINFO_DIRENT, dirp) == APR_SUCCESS) { + /* strip out '.' and '..' */ + if (strcmp(dirent.name, ".") +- && strcmp(dirent.name, "..")) { ++ && strcmp(dirent.name, "..") ++ && fname_valid(dirent.name)) { + fnew = (fnames *) apr_array_push(candidates); + fnew->fname = ap_make_full_path(p, path, dirent.name); + } +@@ -1692,7 +1718,8 @@ + if (strcmp(dirent.name, ".") + && strcmp(dirent.name, "..") + && (apr_fnmatch(pattern, dirent.name, +- APR_FNM_PERIOD) == APR_SUCCESS)) { ++ APR_FNM_PERIOD) == APR_SUCCESS) ++ && fname_valid(dirent.name)) { + fnew = (fnames *) apr_array_push(candidates); + fnew->fname = ap_make_full_path(p, path, dirent.name); + } --- apache2-2.2.16.orig/debian/patches/084_CVE-2011-3192.dpatch +++ apache2-2.2.16/debian/patches/084_CVE-2011-3192.dpatch 
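Review bot: Directory entries rejected by `fname_valid()` are dropped without any log message at both call sites, so a configuration file whose name starts with a non-alphanumeric character, or contains anything other than letters, digits, `_`, `-` and `.`, silently stops being included. For a file that carries access restrictions that is a quiet loss of policy; a warning naming the skipped entry would make it visible, e.g. `ap_log_error(APLOG_MARK, APLOG_WARNING, 0, s, "Ignoring include %s: file name not allowed", dirent.name);`. `s` is a parameter of `process_resource_config_nofnmatch`, which presumably encloses the first loop; the function around the second call site starts outside the hunk. A short comment above `fname_valid()` listing the accepted characters and the reason for the `*.dpkg*` exclusion would also help the next reader.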
@@ -0,0 +1,610 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 083_CVE-2011-3192.dpatch by Stefan Fritsch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: Fix CVE-2011-3192 (memory usage with overlapping ranges): +## DP: Backport related changes from upstream trunk up to r1162581, +## DP: except for merging of ranges. + +@DPATCH@ +diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' trunk~/modules/http/byterange_filter.c trunk/modules/http/byterange_filter.c +--- trunk~/modules/http/byterange_filter.c 2010-02-26 10:32:15.000000000 +0100 ++++ trunk/modules/http/byterange_filter.c 2011-08-29 17:06:23.756431405 +0200 +@@ -55,65 +55,8 @@ + #include + #endif + +-static int parse_byterange(char *range, apr_off_t clength, +- apr_off_t *start, apr_off_t *end) +-{ +- char *dash = strchr(range, '-'); +- char *errp; +- apr_off_t number; +- +- if (!dash) { +- return 0; +- } +- +- if ((dash == range)) { +- /* In the form "-5" */ +- if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) { +- return 0; +- } +- *start = clength - number; +- *end = clength - 1; +- } +- else { +- *dash++ = '\0'; +- if (apr_strtoff(&number, range, &errp, 10) || *errp) { +- return 0; +- } +- *start = number; +- if (*dash) { +- if (apr_strtoff(&number, dash, &errp, 10) || *errp) { +- return 0; +- } +- *end = number; +- } +- else { /* "5-" */ +- *end = clength - 1; +- } +- } +- +- if (*start < 0) { +- *start = 0; +- } +- +- if (*end >= clength) { +- *end = clength - 1; +- } +- +- if (*start > *end) { +- return -1; +- } +- +- return (*start > 0 || *end < clength); +-} +- +-static int ap_set_byterange(request_rec *r); +- +-typedef struct byterange_ctx { +- apr_bucket_brigade *bb; +- int num_ranges; +- char *boundary; +- char *bound_head; +-} byterange_ctx; ++static int ap_set_byterange(request_rec *r, apr_off_t clength, ++ apr_array_header_t **indexes); + + /* + * Here we try to be compatible 
with clients that want multipart/x-byteranges +@@ -131,28 +74,205 @@ + } + + #define BYTERANGE_FMT "%" APR_OFF_T_FMT "-%" APR_OFF_T_FMT "/%" APR_OFF_T_FMT +-#define PARTITION_ERR_FMT "apr_brigade_partition() failed " \ +- "[%" APR_OFF_T_FMT ",%" APR_OFF_T_FMT "]" ++ ++static apr_status_t copy_brigade_range(apr_bucket_brigade *bb, ++ apr_bucket_brigade *bbout, ++ apr_off_t start, ++ apr_off_t end) ++{ ++ apr_bucket *first = NULL, *last = NULL, *out_first = NULL, *e; ++ apr_uint64_t pos = 0, off_first = 0, off_last = 0; ++ apr_status_t rv; ++ const char *s; ++ apr_size_t len; ++ apr_uint64_t start64, end64; ++ apr_off_t pofft = 0; ++ ++ /* ++ * Once we know that start and end are >= 0 convert everything to apr_uint64_t. ++ * See the comments in apr_brigade_partition why. ++ * In short apr_off_t (for values >= 0)and apr_size_t fit into apr_uint64_t. ++ */ ++ start64 = (apr_uint64_t)start; ++ end64 = (apr_uint64_t)end; ++ ++ if (start < 0 || end < 0 || start64 > end64) ++ return APR_EINVAL; ++ ++ for (e = APR_BRIGADE_FIRST(bb); ++ e != APR_BRIGADE_SENTINEL(bb); ++ e = APR_BUCKET_NEXT(e)) ++ { ++ apr_uint64_t elen64; ++ /* we know that no bucket has undefined length (-1) */ ++ AP_DEBUG_ASSERT(e->length != (apr_size_t)(-1)); ++ elen64 = (apr_uint64_t)e->length; ++ if (!first && (elen64 + pos > start64)) { ++ first = e; ++ off_first = pos; ++ } ++ if (elen64 + pos > end64) { ++ last = e; ++ off_last = pos; ++ break; ++ } ++ pos += elen64; ++ } ++ if (!first || !last) ++ return APR_EINVAL; ++ ++ e = first; ++ while (1) ++ { ++ apr_bucket *copy; ++ AP_DEBUG_ASSERT(e != APR_BRIGADE_SENTINEL(bb)); ++ rv = apr_bucket_copy(e, ©); ++ if (rv != APR_SUCCESS) { ++ apr_brigade_cleanup(bbout); ++ return rv; ++ } ++ ++ APR_BRIGADE_INSERT_TAIL(bbout, copy); ++ if (e == first) { ++ if (off_first != start64) { ++ rv = apr_bucket_split(copy, (apr_size_t)(start64 - off_first)); ++ if (rv == APR_ENOTIMPL) { ++ rv = apr_bucket_read(copy, &s, &len, APR_BLOCK_READ); ++ if (rv != APR_SUCCESS) { 
++ apr_brigade_cleanup(bbout); ++ return rv; ++ } ++ /* ++ * The read above might have morphed copy in a bucket ++ * of shorter length. So read and delete until we reached ++ * the correct bucket for splitting. ++ */ ++ while (start64 - off_first > (apr_uint64_t)copy->length) { ++ apr_bucket *tmp; ++ int i = 0; ++ if (i++ >= 99999) ++ return APR_EINVAL; ++ ++ tmp = APR_BUCKET_NEXT(copy); ++ off_first += (apr_uint64_t)copy->length; ++ APR_BUCKET_REMOVE(copy); ++ apr_bucket_destroy(copy); ++ copy = tmp; ++ rv = apr_bucket_read(copy, &s, &len, APR_BLOCK_READ); ++ if (rv != APR_SUCCESS) { ++ apr_brigade_cleanup(bbout); ++ return rv; ++ } ++ } ++ if (start64 > off_first) { ++ rv = apr_bucket_split(copy, (apr_size_t)(start64 - off_first)); ++ if (rv != APR_SUCCESS) { ++ apr_brigade_cleanup(bbout); ++ return rv; ++ } ++ } ++ else { ++ copy = APR_BUCKET_PREV(copy); ++ } ++ } ++ else if (rv != APR_SUCCESS) { ++ apr_brigade_cleanup(bbout); ++ return rv; ++ } ++ out_first = APR_BUCKET_NEXT(copy); ++ APR_BUCKET_REMOVE(copy); ++ apr_bucket_destroy(copy); ++ } ++ else { ++ out_first = copy; ++ } ++ } ++ if (e == last) { ++ if (e == first) { ++ off_last += start64 - off_first; ++ copy = out_first; ++ } ++ if (end64 - off_last != (apr_uint64_t)e->length) { ++ rv = apr_bucket_split(copy, (apr_size_t)(end64 + 1 - off_last)); ++ if (rv == APR_ENOTIMPL) { ++ rv = apr_bucket_read(copy, &s, &len, APR_BLOCK_READ); ++ if (rv != APR_SUCCESS) { ++ apr_brigade_cleanup(bbout); ++ return rv; ++ } ++ /* ++ * The read above might have morphed copy in a bucket ++ * of shorter length. So read until we reached ++ * the correct bucket for splitting. 
++ */ ++ while (end64 + 1 - off_last > (apr_uint64_t)copy->length) { ++ off_last += (apr_uint64_t)copy->length; ++ copy = APR_BUCKET_NEXT(copy); ++ rv = apr_bucket_read(copy, &s, &len, APR_BLOCK_READ); ++ if (rv != APR_SUCCESS) { ++ apr_brigade_cleanup(bbout); ++ return rv; ++ } ++ } ++ if (end64 < off_last + (apr_uint64_t)copy->length - 1) { ++ rv = apr_bucket_split(copy, end64 + 1 - off_last); ++ if (rv != APR_SUCCESS) { ++ apr_brigade_cleanup(bbout); ++ return rv; ++ } ++ } ++ } ++ else if (rv != APR_SUCCESS) { ++ apr_brigade_cleanup(bbout); ++ return rv; ++ } ++ copy = APR_BUCKET_NEXT(copy); ++ if (copy != APR_BRIGADE_SENTINEL(bbout)) { ++ APR_BUCKET_REMOVE(copy); ++ apr_bucket_destroy(copy); ++ } ++ } ++ break; ++ } ++ e = APR_BUCKET_NEXT(e); ++ } ++ ++ AP_DEBUG_ASSERT(APR_SUCCESS == apr_brigade_length(bbout, 1, &pofft)); ++ pos = (apr_uint64_t)pofft; ++ AP_DEBUG_ASSERT(pos == end64 - start64 + 1); ++ return APR_SUCCESS; ++} ++ ++typedef struct indexes_t { ++ apr_off_t start; ++ apr_off_t end; ++} indexes_t; + + AP_CORE_DECLARE_NONSTD(apr_status_t) ap_byterange_filter(ap_filter_t *f, + apr_bucket_brigade *bb) + { +-#define MIN_LENGTH(len1, len2) ((len1 > len2) ? len2 : len1) + request_rec *r = f->r; + conn_rec *c = r->connection; +- byterange_ctx *ctx; + apr_bucket *e; + apr_bucket_brigade *bsend; ++ apr_bucket_brigade *tmpbb; + apr_off_t range_start; + apr_off_t range_end; +- char *current; + apr_off_t clength = 0; + apr_status_t rv; + int found = 0; + int num_ranges; ++ char *boundary = NULL; ++ char *bound_head = NULL; ++ apr_array_header_t *indexes; ++ indexes_t *idx; ++ int original_status; ++ int i; + +- /* Iterate through the brigade until reaching EOS or a bucket with +- * unknown length. */ ++ /* ++ * Iterate through the brigade until reaching EOS or a bucket with ++ * unknown length. 
++ */ + for (e = APR_BRIGADE_FIRST(bb); + (e != APR_BRIGADE_SENTINEL(bb) && !APR_BUCKET_IS_EOS(e) + && e->length != (apr_size_t)-1); +@@ -160,90 +280,80 @@ + clength += e->length; + } + +- /* Don't attempt to do byte range work if this brigade doesn't ++ /* ++ * Don't attempt to do byte range work if this brigade doesn't + * contain an EOS, or if any of the buckets has an unknown length; + * this avoids the cases where it is expensive to perform +- * byteranging (i.e. may require arbitrary amounts of memory). */ ++ * byteranging (i.e. may require arbitrary amounts of memory). ++ */ + if (!APR_BUCKET_IS_EOS(e) || clength <= 0) { + ap_remove_output_filter(f); + return ap_pass_brigade(f->next, bb); + } + +- num_ranges = ap_set_byterange(r); ++ original_status = r->status; ++ num_ranges = ap_set_byterange(r, clength, &indexes); + + /* We have nothing to do, get out of the way. */ + if (num_ranges == 0) { ++ r->status = original_status; + ap_remove_output_filter(f); + return ap_pass_brigade(f->next, bb); + } + +- ctx = apr_pcalloc(r->pool, sizeof(*ctx)); +- ctx->num_ranges = num_ranges; +- /* create a brigade in case we never call ap_save_brigade() */ +- ctx->bb = apr_brigade_create(r->pool, c->bucket_alloc); +- +- if (ctx->num_ranges > 1) { ++ if (num_ranges > 1) { + /* Is ap_make_content_type required here? */ + const char *orig_ct = ap_make_content_type(r, r->content_type); +- ctx->boundary = apr_psprintf(r->pool, "%" APR_UINT64_T_HEX_FMT "%lx", +- (apr_uint64_t)r->request_time, (long) getpid()); ++ boundary = apr_psprintf(r->pool, "%" APR_UINT64_T_HEX_FMT "%lx", ++ (apr_uint64_t)r->request_time, (long) getpid()); + + ap_set_content_type(r, apr_pstrcat(r->pool, "multipart", + use_range_x(r) ? 
"/x-" : "/", + "byteranges; boundary=", +- ctx->boundary, NULL)); ++ boundary, NULL)); + + if (strcasecmp(orig_ct, NO_CONTENT_TYPE)) { +- ctx->bound_head = apr_pstrcat(r->pool, +- CRLF "--", ctx->boundary, +- CRLF "Content-type: ", +- orig_ct, +- CRLF "Content-range: bytes ", +- NULL); ++ bound_head = apr_pstrcat(r->pool, ++ CRLF "--", boundary, ++ CRLF "Content-type: ", ++ orig_ct, ++ CRLF "Content-range: bytes ", ++ NULL); + } + else { + /* if we have no type for the content, do our best */ +- ctx->bound_head = apr_pstrcat(r->pool, +- CRLF "--", ctx->boundary, +- CRLF "Content-range: bytes ", +- NULL); ++ bound_head = apr_pstrcat(r->pool, ++ CRLF "--", boundary, ++ CRLF "Content-range: bytes ", ++ NULL); + } +- ap_xlate_proto_to_ascii(ctx->bound_head, strlen(ctx->bound_head)); ++ ap_xlate_proto_to_ascii(bound_head, strlen(bound_head)); + } + + /* this brigade holds what we will be sending */ + bsend = apr_brigade_create(r->pool, c->bucket_alloc); ++ tmpbb = apr_brigade_create(r->pool, c->bucket_alloc); + +- while ((current = ap_getword(r->pool, &r->range, ',')) +- && (rv = parse_byterange(current, clength, &range_start, +- &range_end))) { +- apr_bucket *e2; +- apr_bucket *ec; +- +- if (rv == -1) { +- continue; +- } ++ idx = (indexes_t *)indexes->elts; ++ for (i = 0; i < indexes->nelts; i++, idx++) { ++ range_start = idx->start; ++ range_end = idx->end; + +- /* These calls to apr_brigage_partition should only fail in +- * pathological cases, e.g. a file being truncated whilst +- * being served. 
*/ +- if ((rv = apr_brigade_partition(bb, range_start, &ec)) != APR_SUCCESS) { +- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, +- PARTITION_ERR_FMT, range_start, clength); +- continue; +- } +- if ((rv = apr_brigade_partition(bb, range_end+1, &e2)) != APR_SUCCESS) { ++ rv = copy_brigade_range(bb, tmpbb, range_start, range_end); ++ if (rv != APR_SUCCESS ) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, +- PARTITION_ERR_FMT, range_end+1, clength); ++ "copy_brigade_range() failed [%" APR_OFF_T_FMT ++ "-%" APR_OFF_T_FMT ",%" APR_OFF_T_FMT "]", ++ range_start, range_end, clength); + continue; + } +- + found = 1; + +- /* For single range requests, we must produce Content-Range header. ++ /* ++ * For single range requests, we must produce Content-Range header. + * Otherwise, we need to produce the multipart boundaries. + */ +- if (ctx->num_ranges == 1) { ++ if (num_ranges == 1) { + apr_table_setn(r->headers_out, "Content-Range", + apr_psprintf(r->pool, "bytes " BYTERANGE_FMT, + range_start, range_end, clength)); +@@ -251,7 +361,7 @@ + else { + char *ts; + +- e = apr_bucket_pool_create(ctx->bound_head, strlen(ctx->bound_head), ++ e = apr_bucket_pool_create(bound_head, strlen(bound_head), + r->pool, c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bsend, e); + +@@ -263,23 +373,19 @@ + APR_BRIGADE_INSERT_TAIL(bsend, e); + } + +- do { +- apr_bucket *foo; +- const char *str; +- apr_size_t len; +- +- if (apr_bucket_copy(ec, &foo) != APR_SUCCESS) { +- /* As above; this should not fail since the bucket has +- * a known length, but just to be sure, this takes +- * care of uncopyable buckets that do somehow manage +- * to slip through. */ +- /* XXX: check for failure? */ +- apr_bucket_read(ec, &str, &len, APR_BLOCK_READ); +- apr_bucket_copy(ec, &foo); +- } +- APR_BRIGADE_INSERT_TAIL(bsend, foo); +- ec = APR_BUCKET_NEXT(ec); +- } while (ec != e2); ++ APR_BRIGADE_CONCAT(bsend, tmpbb); ++ if (i && i % 32 == 0) { ++ /* ++ * Every now and then, pass what we have down the filter chain. 
++ * In this case, the content-length filter cannot calculate and ++ * set the content length and we must remove any Content-Length ++ * header already present. ++ */ ++ apr_table_unset(r->headers_out, "Content-Length"); ++ if ((rv = ap_pass_brigade(f->next, bsend)) != APR_SUCCESS) ++ return rv; ++ apr_brigade_cleanup(bsend); ++ } + } + + if (found == 0) { +@@ -294,11 +400,11 @@ + return ap_pass_brigade(f->next, bsend); + } + +- if (ctx->num_ranges > 1) { ++ if (num_ranges > 1) { + char *end; + + /* add the final boundary */ +- end = apr_pstrcat(r->pool, CRLF "--", ctx->boundary, "--" CRLF, NULL); ++ end = apr_pstrcat(r->pool, CRLF "--", boundary, "--" CRLF, NULL); + ap_xlate_proto_to_ascii(end, strlen(end)); + e = apr_bucket_pool_create(end, strlen(end), r->pool, c->bucket_alloc); + APR_BRIGADE_INSERT_TAIL(bsend, e); +@@ -309,24 +415,32 @@ + + /* we're done with the original content - all of our data is in bsend. */ + apr_brigade_cleanup(bb); ++ apr_brigade_destroy(tmpbb); + + /* send our multipart output */ + return ap_pass_brigade(f->next, bsend); + } + +-static int ap_set_byterange(request_rec *r) ++static int ap_set_byterange(request_rec *r, apr_off_t clength, ++ apr_array_header_t **indexes) + { + const char *range; + const char *if_range; + const char *match; + const char *ct; +- int num_ranges; ++ char *cur; ++ int num_ranges = 0; ++ apr_off_t sum_lengths = 0; ++ indexes_t *idx; ++ int ranges = 1; ++ const char *it; + + if (r->assbackwards) { + return 0; + } + +- /* Check for Range request-header (HTTP/1.1) or Request-Range for ++ /* ++ * Check for Range request-header (HTTP/1.1) or Request-Range for + * backwards-compatibility with second-draft Luotonen/Franks + * byte-ranges (e.g. Netscape Navigator 2-3). + * +@@ -356,7 +470,8 @@ + return 0; + } + +- /* Check the If-Range header for Etag or Date. ++ /* ++ * Check the If-Range header for Etag or Date. + * Note that this check will return false (as required) if either + * of the two etags are weak. 
+ */ +@@ -373,17 +488,77 @@ + } + } + +- if (!ap_strchr_c(range, ',')) { +- /* a single range */ +- num_ranges = 1; ++ range += 6; ++ it = range; ++ while (*it) { ++ if (*it++ == ',') { ++ ranges++; ++ } + } +- else { +- /* a multiple range */ +- num_ranges = 2; ++ it = range; ++ *indexes = apr_array_make(r->pool, ranges, sizeof(indexes_t)); ++ while ((cur = ap_getword(r->pool, &range, ','))) { ++ char *dash; ++ char *errp; ++ apr_off_t number, start, end; ++ ++ if (!(dash = strchr(cur, '-'))) { ++ break; ++ } ++ ++ if (dash == range) { ++ /* In the form "-5" */ ++ if (apr_strtoff(&number, dash+1, &errp, 10) || *errp) { ++ break; ++ } ++ start = clength - number; ++ end = clength - 1; ++ } ++ else { ++ *dash++ = '\0'; ++ if (apr_strtoff(&number, cur, &errp, 10) || *errp) { ++ break; ++ } ++ start = number; ++ if (*dash) { ++ if (apr_strtoff(&number, dash, &errp, 10) || *errp) { ++ break; ++ } ++ end = number; ++ } ++ else { /* "5-" */ ++ end = clength - 1; ++ } ++ } ++ ++ if (start < 0) { ++ start = 0; ++ } ++ if (end >= clength) { ++ end = clength - 1; ++ } ++ ++ if (start > end) { ++ /* ignore? count? */ ++ break; ++ } ++ ++ idx = (indexes_t *)apr_array_push(*indexes); ++ idx->start = start; ++ idx->end = end; ++ sum_lengths += end - start + 1; ++ /* new set again */ ++ num_ranges++; ++ } ++ ++ if (sum_lengths >= clength) { ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, ++ "Sum of ranges not smaller than file, ignoring."); ++ return 0; + } + + r->status = HTTP_PARTIAL_CONTENT; +- r->range = range + 6; ++ r->range = it; + + return num_ranges; + } --- apache2-2.2.16.orig/debian/patches/074_link_support_progs_with_lcrypt.dpatch +++ apache2-2.2.16/debian/patches/074_link_support_progs_with_lcrypt.dpatch 
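Review bot: In the rewritten `ap_set_byterange`, the suffix-range test `if (dash == range)` compares `dash`, which points into the copy returned by `ap_getword`, with `range`, which `ap_getword` has already advanced, so the "-5" branch looks unreachable; a suffix range then falls into the `else` branch with an empty start string and, if `apr_strtoff` accepts the empty string as 0, is served as `0-5` instead of the last five bytes. The comparison should read `if (dash == cur) {`. In `copy_brigade_range`, `int i = 0;` is declared inside the `while` body, so `if (i++ >= 99999)` always tests a fresh zero and the loop bound never fires; declare `i` before the loop and call `apr_brigade_cleanup(bbout);` before that `return APR_EINVAL;`, as the other error paths do. The header says merging of ranges is not backported and the only aggregate check visible is `sum_lengths >= clength`, so the number of ranges accepted per request is not capped by this patch.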
@@ -0,0 +1,39 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 074_support_link_lcrypt.dpatch by Stefan Fritsch
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Link support programs with -lcrypt where necessary. Required by
+## DP: binutils-gold (bug #553946)
+
+@DPATCH@
+diff -urNad trunk~/configure trunk/configure
+--- trunk~/configure 2009-12-05 23:44:43.501042252 +0100
++++ trunk/configure 2009-12-05 23:47:07.640043829 +0100
+@@ -14628,11 +14628,11 @@
+
+ fi
+
+-htpasswd_LTFLAGS=""
++htpasswd_LTFLAGS="-lcrypt"
+ htdigest_LTFLAGS=""
+ rotatelogs_LTFLAGS=""
+ logresolve_LTFLAGS=""
+-htdbm_LTFLAGS=""
++htdbm_LTFLAGS="-lcrypt"
+ ab_LTFLAGS=""
+ checkgid_LTFLAGS=""
+ htcacheclean_LTFLAGS=""
+diff -urNad trunk~/support/config.m4 trunk/support/config.m4
+--- trunk~/support/config.m4 2006-12-24 15:40:19.000000000 +0100
++++ trunk/support/config.m4 2009-12-05 23:47:29.388150162 +0100
+@@ -1,8 +1,8 @@
+-htpasswd_LTFLAGS=""
++htpasswd_LTFLAGS="-lcrypt"
+ htdigest_LTFLAGS=""
+ rotatelogs_LTFLAGS=""
+ logresolve_LTFLAGS=""
+-htdbm_LTFLAGS=""
++htdbm_LTFLAGS="-lcrypt"
+ ab_LTFLAGS=""
+ checkgid_LTFLAGS=""
+ htcacheclean_LTFLAGS=""
--- apache2-2.2.16.orig/debian/patches/058_suexec-CVE-2007-1742.dpatch
+++ apache2-2.2.16/debian/patches/058_suexec-CVE-2007-1742.dpatch
@@ -0,0 +1,64 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix race condition with chdir
+## DP: Fix /var/www* being accepted as docroot instead of /var/www/*
+## DP: (the same for public_html* instead of public_html/* )
+
+@DPATCH@
+--- a/support/suexec.c (revision 644465)
++++ b/support/suexec.c (working copy)
+@@ -42,6 +42,7 @@
+ #if APR_HAVE_UNISTD_H
+ #include
+ #endif
++#include
+
+ #include
+ #include
+@@ -263,6 +264,7 @@
+ struct group *gr; /* group entry holder */
+ struct stat dir_info; /* directory info holder */
+ struct stat prg_info; /* program info holder */
++ int cwdh; /* handle to cwd */
+
+ /*
+ * Start with a "clean" environment
+@@ -496,11 +498,16 @@
+ exit(111);
+ }
+
++ if ( (cwdh = open(".", O_RDONLY)) == -1 ) {
++ log_err("cannot open current working directory\n");
++ exit(111);
++ }
++
+ if (userdir) {
+ if (((chdir(target_homedir)) != 0) ||
+ ((chdir(AP_USERDIR_SUFFIX)) != 0) ||
+ ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
+- ((chdir(cwd)) != 0)) {
++ ((fchdir(cwdh)) != 0)) {
+ log_err("cannot get docroot information (%s)\n", target_homedir);
+ exit(112);
+ }
+@@ -508,12 +515,18 @@
+ else {
+ if (((chdir(AP_DOC_ROOT)) != 0) ||
+ ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
+- ((chdir(cwd)) != 0)) {
++ ((fchdir(cwdh)) != 0)) {
+ log_err("cannot get docroot information (%s)\n", AP_DOC_ROOT);
+ exit(113);
+ }
+ }
+
++ close(cwdh);
++
++ if (strlen(cwd) > strlen(dwd)) {
++ strncat(dwd, "/", AP_MAXPATH);
++ dwd[AP_MAXPATH-1] = '\0';
++ }
+ if ((strncmp(cwd, dwd, strlen(dwd))) != 0) {
+ log_err("command not in docroot (%s/%s)\n", cwd, cmd);
+ exit(114);
--- apache2-2.2.16.orig/debian/patches/032_suexec_is_shared
+++ apache2-2.2.16/debian/patches/032_suexec_is_shared
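Review bot: `strncat(dwd, "/", AP_MAXPATH)` in the last inner hunk passes the buffer size where strncat expects the maximum number of bytes to append, so it puts no bound on the write, and the `dwd[AP_MAXPATH-1] = '\0'` that follows cannot undo a terminator written past the end. The `strlen(cwd) > strlen(dwd)` test probably keeps the append in bounds as long as `cwd` is itself limited to AP_MAXPATH, but the declarations of both buffers and the call that fills `cwd` are outside the hunk, and in a privileged helper like suexec the bound should be explicit: `strncat(dwd, "/", AP_MAXPATH - strlen(dwd) - 1);`. A short comment above the block, such as `/* append '/' so that /var/www does not also match /var/www-other */`, would record why the separator is added before the prefix comparison.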
@@ -0,0 +1,20 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 032_suexec_is_shared by Adam Conrad
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Patch to allow suEXEC as shared.
+
+@DPATCH@
+--- apache2/os/unix/unixd.c 2004-09-27 19:53:29.000000000 -0600
++++ apache2/os/unix/unixd.c 2004-09-27 19:56:57.000000000 -0600
+@@ -209,6 +209,10 @@
+
+ /* Check for suexec */
+ unixd_config.suexec_enabled = 0;
++ /* If mod_suexec isn't linked in, we shouldn't test for the binary */
++ if (ap_find_linked_module("mod_suexec.c") == NULL) {
++ return;
++ }
+ if ((apr_stat(&wrapper, SUEXEC_BIN,
+ APR_FINFO_NORM, ptemp)) != APR_SUCCESS) {
+ return;
--- apache2-2.2.16.orig/debian/patches/001_branding
+++ apache2-2.2.16/debian/patches/001_branding
@@ -0,0 +1,36 @@
+#!/bin/sh -e
+## 02_branding.dpatch by Adam Conrad
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Changes apache's PLATFORM based on lsb_release output
+
+BUILD_DIST="($(lsb_release -i -s))"
+
+if [ $# -ne 1 ]; then
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1
+fi
+
+case "$1" in
+ -patch)
+ if grep -q "${BUILD_DIST}" server/core.c 2>/dev/null; then
+ echo >&2 "`basename $0`: patch already applied"
+ exit 1
+ else
+ # This is where we get our distribution-specific server signature from:
+ sed -i -e "s/(\" PLATFORM \")/${BUILD_DIST}/" server/core.c
+ fi
+ ;;
+ -unpatch)
+ if grep -q "${BUILD_DIST}" server/core.c 2>/dev/null; then
+ sed -i -e "s/${BUILD_DIST}/(\" PLATFORM \")/" server/core.c
+ else
+ echo >&2 "`basename $0`: patch not yet applied, cannot unpatch"
+ exit 1
+ fi
+ ;;
+ *)
+ echo >&2 "`basename $0`: script expects -patch|-unpatch as argument"
+ exit 1
+ ;;
+esac
--- apache2-2.2.16.orig/debian/patches/009_apache2_has_dso
+++ apache2-2.2.16/debian/patches/009_apache2_has_dso
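Review bot: In 001_branding, `BUILD_DIST` comes straight from `lsb_release -i -s` and is pasted unescaped into `grep -q "${BUILD_DIST}"` and into both `sed` expressions, so a distributor ID containing `/`, `&`, `.` or `*` either breaks the substitution or matches the wrong text, and whatever the build environment reports ends up compiled into the server signature. The script should reject the ID unless it consists only of letters, digits, `_` and `-` before building `BUILD_DIST`, and use a fixed-string test for the state check: `grep -qF -- "${BUILD_DIST}" server/core.c`. The "already applied" test also fires on any other occurrence of the string in server/core.c, which deserves a comment next to the `grep`. The header names the script `02_branding.dpatch` while the file is `001_branding`; aligning the two avoids confusion when tracing the patch series.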
@@ -0,0 +1,41 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 009_apache2_has_dso by Adam Conrad
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Make apxs usable without having apache2 installed.
+
+@DPATCH@
+--- apache2/support/apxs.in 2003-04-05 11:07:55.000000000 +0200
++++ apache2/support/apxs.in 2003-04-05 11:25:19.000000000 +0200
+@@ -237,18 +237,19 @@
+ ($httpd = $0) =~ s:support/apxs$::;
+ }
+
+-unless (-x "$httpd") {
+- error("$httpd not found or not executable");
+- exit 1;
+-}
+-
+-unless (grep /mod_so/, `. $envvars && $httpd -l`) {
+- error("Sorry, no shared object support for Apache");
+- error("available under your platform. Make sure");
+- error("the Apache module mod_so is compiled into");
+- error("your server binary `$httpd'.");
+- exit 1;
+-}
++#commented out for Debian GNU/Linux. We know that apache2 has dso support
++#unless (-x "$httpd") {
++# error("$httpd not found or not executable");
++# exit 1;
++#}
++
++#unless (grep /mod_so/, `. $envvars && $httpd -l`) {
++# error("Sorry, no shared object support for Apache");
++# error("available under your platform. Make sure");
++# error("the Apache module mod_so is compiled into");
++# error("your server binary `$httpd'.");
++# exit 1;
++#}
+
+ sub get_config_vars{
+ my ($file, $rh_config) = @_;
--- apache2-2.2.16.orig/debian/source/format
+++ apache2-2.2.16/debian/source/format
@@ -0,0 +1 @@
+1.0
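Review bot: The two removed checks in 009_apache2_has_dso are left behind as commented-out code under a comment that explains only the mod_so test; deleting the lines keeps apxs.in readable and the diff against upstream smaller. The `-x "$httpd"` test goes away with them, so any later use of `$httpd` (none is visible in this hunk) would fail without the clear "not found or not executable" message; if such uses exist, the test belongs at the point where `$httpd` is first executed. A single replacement comment such as `# Debian: apache2 always has DSO support; apxs must work without apache2 installed.` records both reasons.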