DeveloperSide.NET Forums
Author Topic: Patches for Apache 2.0.54, zlib 1.2.3, openssl 0.9.8...  (Read 15786 times)
admin
« on: July 10, 2005, 11:46:58 PM »

ASF Bugzilla Bug 33610
http://issues.apache.org/bugzilla/show_bug.cgi?id=33610
This provided a patch to build mod_deflate, under Apache 2.0.x, with zlib version 1.2.1+
Currently, Apache 2.0.54 will only compile with zlib 1.1.4
Patch URL...
http://issues.apache.org/bugzilla/attachment.cgi?id=14304
Also from...
http://smithii.com/files/httpd-2.0.54_zlib-1.2.2.patch

No telling when this will be fixed under the official releases, as this has been a problem for a year or more.  If I am correct, this has been addressed under the 2.1 branch.


Security patch for zlib 1.2.2
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2096
http://linuce.free.fr/zlib-1.2.2-inftrees.c.diff
Code:

--- zlib-1.2.2.orig/inftrees.c 2004-09-15 15:30:06.000000000 +0100
+++ zlib-1.2.2/inftrees.c 2005-07-02 14:42:24.270321629 +0100
@@ -134,7 +134,7 @@
         left -= count[len];
         if (left < 0) return -1;        /* over-subscribed */
     }
-    if (left > 0 && (type == CODES || (codes - count[0] != 1)))
+    if (left > 0 && (type == CODES || max != 1))
         return -1;                      /* incomplete set */
 
     /* generate offsets into symbol table for each length for sorting */
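
Review bot: the rewritten incomplete-set test on the `+` line now depends on `max`, which is neither declared nor assigned anywhere in the visible context, so this hunk alone does not show that it holds the value the new condition assumes at this point. Confirm that `max` is computed before this check, and extend the `/* incomplete set */` comment to name the one case still let through (a non-CODES table with `max` equal to 1), since the old `codes - count[0] != 1` form only counted how many codes were in use and said nothing about their length.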


Seems like this will be addressed very soon as v1.2.2-r1 or 1.2.3. It's a one-line change!


Patch for 2.0.54 + OpenSSL 0.9.8
http://www.mail-archive.com/dev@httpd.apache.org/msg26348.html
(corrected in a later post at the above URL)
Relevant part...
Code:

httpd-2.0.54/modules/ssl/ssl_toolkit_compat.h
*** httpd-2.0.54.orig/modules/ssl/ssl_toolkit_compat.h  Fri Feb  4 21:21:18 2005
--- httpd-2.0.54/modules/ssl/ssl_toolkit_compat.h       Tue Jul  5 11:33:33 2005
***************
*** 99,104 ****
--- 99,111 ----
  #define HAVE_SSL_X509V3_EXT_d2i
  #endif
 
+ #ifndef PEM_F_DEF_CALLBACK
+ #ifdef PEM_F_PEM_DEF_CALLBACK
+ /* In OpenSSL 0.9.8 PEM_F_DEF_CALLBACK was renamed */
+ #define PEM_F_DEF_CALLBACK PEM_F_PEM_DEF_CALLBACK
+ #endif
+ #endif
+
  #elif defined (SSLC_VERSION_NUMBER) /* RSA */
 
  /* sslc does not support this function, OpenSSL has since 9.5.1 */
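
Review bot: in the added block, when neither `PEM_F_DEF_CALLBACK` nor `PEM_F_PEM_DEF_CALLBACK` is defined, the nested guards fall through silently and `PEM_F_DEF_CALLBACK` stays undefined, so the build would break later at whatever code uses it rather than here. Consider an `#else` with `#error` on the inner `#ifdef`, and have the comment name both the old and the new macro so the direction of the mapping is clear to whoever next touches this header.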

A different version of this patch (?) ...
http://smithii.com/files/httpd-2.0.54_openssl-0.9.8.patch


Also check http://smithii.com/, which is where two of the patches pointed to above are from.

DeveloperSide.NET
Advanced PHP and MySQL Solutions for your Web Design and Development needs with Web.Developer Server Suite.
admin
« Reply #1 on: July 11, 2005, 02:22:10 AM »

Another problem...
http://www.securityfocus.com/bid/14106
And it looks like the unreleased Apache 2.0.55 is also affected (fixed in 2.1.6)...
http://www.apache.org/dist/httpd/CHANGES_2.1
Quote

Changes with Apache 2.0.55

  *) SECURITY: CAN-2005-1268 (cve.mitre.org)
     mod_ssl: Fix off-by-one overflow whilst printing CRL information
     at "LogLevel debug" which could be triggered if configured
     to use a "malicious" CRL.  PR 35081.  [Marc Stern <mstern csc.com>]

  *) mod_userdir: Fix possible memory corruption issue.  PR 34588.
     [David Leonard <dleonard vintela.com>]

  *) worker MPM: don't take down the whole server for a transient
     thread creation failure.  PR 34514.  [Greg Ames]
 
  *) mod_rewrite: use buffered I/O to improve performance with large
     RewriteMap txt: files.  [Greg Ames]

  *) proxy HTTP: Rework the handling of request bodies to handle
     chunked input and input filters which modify content length, and
     avoid spooling arbitrary-sized request bodies in memory.
     PR 15859.  [Jeff Trawick]
Jorge
« Reply #2 on: July 11, 2005, 07:18:53 AM »

If I'm not mistaken, the openssl 0.9.8 will be fixed in the next release of 2.0,
but there are some problems with that.

admin
« Reply #3 on: July 13, 2005, 02:54:53 AM »

Manual pages for diff and patch...
http://www.rt.com/man/diff.1.html
http://www.rt.com/man/patch.1.html

Code:

C:\build\httpd-2.0.54> patch -p1 < patch-file-name
admin
« Reply #4 on: October 05, 2005, 07:50:00 PM »

zlib 1.2.3+ will not be fixed until httpd-2.1/2.2 (we will have to patch mod_deflate code)
http://issues.apache.org/bugzilla/show_bug.cgi?id=25578

openssl 0.9.8 problem will be fixed under httpd-2.0.55
http://www.apache.org/dist/httpd/CHANGES_2.1
Quote

*) mod_ssl: Fix build with OpenSSL 0.9.8.  PR 35757.  [William Rowe]
Jorge
« Reply #5 on: October 06, 2005, 02:50:54 PM »

zlib and openssl are already fixed in httpd-2.1/2.2

mattd
« Reply #6 on: October 13, 2005, 09:19:42 AM »

All good

Regards,
Matt
admin
« Reply #7 on: October 14, 2005, 02:47:31 PM »

http://forums.devside.net/viewtopic.php?t=815
admin
« Reply #8 on: October 14, 2005, 03:12:09 PM »

You can skip the openssl 0.9.8 mod_ssl patch (I think).
httpd-2.0.55 released.
admin
« Reply #9 on: October 14, 2005, 04:10:23 PM »

http://svn.apache.org/viewcvs.cgi/httpd/httpd/branches/2.0.x/modules/ssl/ssl_toolkit_compat.h?rev=209825&view=log

http://svn.apache.org/viewcvs.cgi?rev=209468&view=rev

openssl v0.9.8 mod_ssl build patched.