DeveloperSide.NET Forums

DeveloperSide.NET => Web.Developer Server Suite Community Edition,
Public Support Forum => Topic started by: admin on July 10, 2005, 11:46:58 PM



Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: admin on July 10, 2005, 11:46:58 PM
ASF Bugzilla Bug 33610
http://issues.apache.org/bugzilla/show_bug.cgi?id=33610
This provided a patch to build mod_deflate, under Apache 2.0.x, with zlib version 1.2.1+
Currently, Apache 2.0.54 will only compile with zlib 1.1.4
Patch URL...
http://issues.apache.org/bugzilla/attachment.cgi?id=14304
Also from...
http://smithii.com/files/httpd-2.0.54_zlib-1.2.2.patch

No telling when this will be fixed under the official releases, as this has been a problem for a year or more. If I am correct, this has been addressed under the 2.1 branch.


Security patch for zlib 1.2.2
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
http://linuce.free.fr/zlib-1.2.2-inftrees.c.diff
Code:

--- zlib-1.2.2.orig/inftrees.c 2004-09-15 15:30:06.000000000 +0100
+++ zlib-1.2.2/inftrees.c 2005-07-02 14:42:24.270321629 +0100
@@ -134,7 +134,7 @@
         left -= count[len];
         if (left < 0) return -1;        /* over-subscribed */
     }
-    if (left > 0 && (type == CODES || (codes - count[0] != 1)))
+    if (left > 0 && (type == CODES || max != 1))
         return -1;                      /* incomplete set */
 
     /* generate offsets into symbol table for each length for sorting */
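
Review bot: the new test `max != 1` on the `left > 0` line depends on `max`, which is set outside the lines shown, while the trailing comment `/* incomplete set */` is unchanged and does not say which incomplete set is still accepted. Suggest extending that comment to spell out the one tolerated case (`type` is not `CODES` and `max == 1`) and confirming that `max` already has its final value at this point, since the expression being replaced, `codes - count[0] != 1`, was built from different variables.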


Seems like this will be addressed very soon as v1.2.2-r1 or 1.2.3. It's a one-line change!


Patch for 2.0.54 + OpenSSL 0.9.8
http://www.mail-archive.com/dev@httpd.apache.org/msg26348.html
(corrected in a later post at the above URL)
Relevant part...
Code:

httpd-2.0.54/modules/ssl/ssl_toolkit_compat.h
*** httpd-2.0.54.orig/modules/ssl/ssl_toolkit_compat.h  Fri Feb  4 21:21:18 2005
--- httpd-2.0.54/modules/ssl/ssl_toolkit_compat.h       Tue Jul  5 11:33:33 2005
***************
*** 99,104 ****
--- 99,111 ----
  #define HAVE_SSL_X509V3_EXT_d2i
  #endif
 
+ #ifndef PEM_F_DEF_CALLBACK
+ #ifdef PEM_F_PEM_DEF_CALLBACK
+ /* In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
+ #define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
+ #endif
+ #endif
+
  #elif defined (SSLC_VERSION_NUMBER) /* RSA */
 
  /* sslc does not support this function, OpenSSL has since 9.5.1 */
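
Review bot: in the added `#ifndef PEM_F_DEF_CALLBACK` block, the case where neither `PEM_F_DEF_CALLBACK` nor `PEM_F_PEM_DEF_CALLBACK` is defined falls through silently, so the failure would only show up later wherever the macro is used. Consider an `#else` branch with an `#error` on the inner `#ifdef PEM_F_PEM_DEF_CALLBACK`, and have the comment name the new identifier instead of only saying that `PEM_F_DEF_CALLBACK` was renamed.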

A different version of this patch (?) ...
http://smithii.com/files/httpd-2.0.54_openssl-0.9.8.patch


Also check http://smithii.com/, which is where two of the patches pointed to above are from.


Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: admin on July 11, 2005, 02:22:10 AM
Another problem...
http://www.securityfocus.com/bid/14106
And it looks like the unreleased Apache 2.0.55 is also affected (fixed in 2.1.6)...
http://www.apache.org/dist/httpd/CHANGES_2.1
Quote

Changes with Apache 2.0.55

  *) SECURITY: CAN-2005-1268 (cve.mitre.org)
     mod_ssl: Fix off-by-one overflow whilst printing CRL information
     at "LogLevel debug" which could be triggered if configured
     to use a "malicious" CRL.  PR 35081.  [Marc Stern <mstern csc.com>]

  *) mod_userdir: Fix possible memory corruption issue.  PR 34588.
     [David Leonard <dleonard vintela.com>]

  *) worker MPM: don't take down the whole server for a transient
     thread creation failure.  PR 34514.  [Greg Ames]
 
  *) mod_rewrite: use buffered I/O to improve performance with large
     RewriteMap txt: files.  [Greg Ames]

  *) proxy HTTP: Rework the handling of request bodies to handle
     chunked input and input filters which modify content length, and
     avoid spooling arbitrary-sized request bodies in memory.
     PR 15859.  [Jeff Trawick]


Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: Jorge on July 11, 2005, 07:18:53 AM
If I'm not mistaken, the openssl 0.9.8 will be fixed in the next release of 2.0,
but there are some problems with that.


Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: admin on July 13, 2005, 02:54:53 AM
Manual pages for diff and patch...
http://www.rt.com/man/diff.1.html
http://www.rt.com/man/patch.1.html

Code:

C:\build\httpd-2.0.54> patch -p1 < patch-file-name
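
A pre-build check for the two source changes quoted earlier in this thread, as an added example that is not part of the original posts: it reports whether `inftrees.c` and `ssl_toolkit_compat.h` already contain the patched lines. The function names and the file paths passed in are assumptions; the matched strings are copied from the hunks above.

```shell
#!/bin/sh
# Added example, not from the thread. The matched strings are copied from the
# two hunks quoted above; the file paths passed in are the caller's assumption.

# inftrees_status FILE: is the zlib inftrees.c one-line change present?
inftrees_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -qF 'codes - count[0] != 1' "$1"; then
        echo unpatched          # pre-patch condition still in the file
    elif grep -qF '(type == CODES || max != 1)' "$1"; then
        echo patched            # condition from the '+' line of the diff
    else
        echo unknown            # neither form of the condition was found
    fi
}

# compat_status FILE: does ssl_toolkit_compat.h carry the rename alias?
compat_status() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -qF '#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK' "$1"; then
        echo present
    else
        echo absent
    fi
}

# Constructed one-line sample files (not real source trees), so this runs offline.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '    if (left > 0 && (type == CODES || (codes - count[0] != 1)))' > "$d/old.c"
    printf '%s\n' '    if (left > 0 && (type == CODES || max != 1))' > "$d/new.c"
    printf '%s\n' '#define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK' > "$d/compat.h"
    echo "old.c:    $(inftrees_status "$d/old.c")"
    echo "new.c:    $(inftrees_status "$d/new.c")"
    echo "compat.h: $(compat_status "$d/compat.h")"
    rm -rf "$d"
}

# With two arguments, check real files; with none, run the constructed demo.
if [ $# -eq 2 ]; then
    echo "inftrees.c: $(inftrees_status "$1")"
    echo "ssl_toolkit_compat.h: $(compat_status "$2")"
else
    demo
fi
```

An `absent` result for the header only means this particular alias line is missing; a later httpd release may address the rename differently.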


Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: admin on October 05, 2005, 07:50:00 PM
zlib 1.2.3+ will not be fixed until httpd-2.1/2.2 (we will have to patch mod_deflate code)
http://issues.apache.org/bugzilla/show_bug.cgi?id=25578

openssl 0.9.8 problem will be fixed under httpd-2.0.55
http://www.apache.org/dist/httpd/CHANGES_2.1
Quote

*) mod_ssl: Fix build with OpenSSL 0.9.8.  PR 35757.  [William Rowe]


Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: Jorge on October 06, 2005, 02:50:54 PM
zlib and openssl are already fixed in httpd-2.1/2.2


Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: mattd on October 13, 2005, 09:19:42 AM
All good

Regards,
Matt


Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: admin on October 14, 2005, 02:47:31 PM
http://forums.devside.net/viewtopic.php?t=815


Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: admin on October 14, 2005, 03:12:09 PM
You can skip the openssl 0.9.8 mod_ssl patch (I think).
httpd-2.0.55 released.


Title: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...
Post by: admin on October 14, 2005, 04:10:23 PM
http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/modules/ssl/ssl_toolkit_compat.h?rev=209825&view=log

http://svn.apache.org/viewcvs.cgi?rev=209468&view=rev

openssl v0.9.8 mod_ssl build patched.