* [gentoo-commits] gentoo-x86 commit in net-nds/389-admin/files/1.1.14_backports: 0001-ssl-segfault-fix.patch 0000-selinux-crash-fix.patch
@ 2011-01-11 22:30 Fabio Erculiani (lxnay)
0 siblings, 0 replies; 2+ messages in thread
From: Fabio Erculiani (lxnay) @ 2011-01-11 22:30 UTC (permalink / raw
To: gentoo-commits
lxnay 11/01/11 22:30:14
Added: 0001-ssl-segfault-fix.patch
0000-selinux-crash-fix.patch
Log:
version bump
(Portage version: 2.1.9.28/cvs/Linux x86_64)
Revision Changes Path
1.1 net-nds/389-admin/files/1.1.14_backports/0001-ssl-segfault-fix.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-admin/files/1.1.14_backports/0001-ssl-segfault-fix.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-admin/files/1.1.14_backports/0001-ssl-segfault-fix.patch?rev=1.1&content-type=text/plain
Index: 0001-ssl-segfault-fix.patch
===================================================================
From f08ab2ae5a9ce1ed7d5187f5e93a7e7854faacf3 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Wed, 5 Jan 2011 15:47:28 -0700
Subject: [PATCH] Bug 664671 - Admin server segfault when full SSL access (http+ldap+console) required
https://bugzilla.redhat.com/show_bug.cgi?id=664671
Resolves: bug 664671
Bug Description: Admin server segfault when full SSL access (http+ldap+console) required
Reviewed by: ???
Branch: master
Fix Description: Do not call NSS_Shutdown in mod_admserv. It should always
be called in mod_nss, after mod_admserv_unload is called. The only thing
we need to do in mod_admserv_unload() is to clear the session cache to
release any resources acquired by mod_admserv. mod_nss unload will take
care of the rest.
Platforms tested: RHEL5 i386
Flag Day: no
Doc impact: no
---
mod_admserv/mod_admserv.c | 27 +++++++++++----------------
1 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/mod_admserv/mod_admserv.c b/mod_admserv/mod_admserv.c
index ec7397c..6f96669 100644
--- a/mod_admserv/mod_admserv.c
+++ b/mod_admserv/mod_admserv.c
@@ -2223,28 +2223,23 @@ host_ip_init(apr_pool_t *p, apr_pool_t *plog,
* NSS caches SSL client session information - this cache must be cleared, otherwise
* NSS_Shutdown will give an error. mod_nss also does this (along with the NSS_Shutdown)
* It is ok to call SSL_ClearSessionCache multiple times.
+ * The actual NSS_Shutdown is done in mod_nss. Note that we cannot call NSS_Shutdown
+ * here - if NSS_Shutdown fails because mod_nss still has server caches referenced,
+ * NSS will be left in a bad state - it won't really be shutdown because of the outstanding
+ * references, but NSS_IsInitialized will return false, and NSS_Initialize will fail.
+ * So we must be careful here to just release any references we have.
+ * The assumption here is that mod_nss is loaded before mod_admserv (which will usually
+ * happen since it is listed first in the httpd.conf) - but note that module unload
+ * happens in _reverse_ order - so mod_admserv_unload will be called _before_ the
+ * mod_nss unload function. If this ever changes, we will need to figure out some other
+ * way to ensure that NSS_Shutdown is only ever called once, and only after all caches
+ * and other resources have been released.
*/
static
apr_status_t mod_admserv_unload(void *data)
{
if (NSS_IsInitialized()) {
- SECStatus status;
SSL_ClearSessionCache();
- status = NSS_Shutdown();
- if (status != SECSuccess) {
- PRErrorCode prerr = PR_GetError();
- if (prerr == SEC_ERROR_NOT_INITIALIZED) {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
- "Unable to shutdown NSS - not initialized");
- } else if (prerr == SEC_ERROR_BUSY) {
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
- "Unable to shutdown NSS - still busy - assume mod_nss is holding references - continuing");
- } else {
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
- "Unable to shutdown NSS - [%d:%s]",
- prerr, SSL_Strerror(prerr));
- }
- }
}
return OK;
}
--
1.5.5.6
1.1 net-nds/389-admin/files/1.1.14_backports/0000-selinux-crash-fix.patch
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-admin/files/1.1.14_backports/0000-selinux-crash-fix.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-admin/files/1.1.14_backports/0000-selinux-crash-fix.patch?rev=1.1&content-type=text/plain
Index: 0000-selinux-crash-fix.patch
===================================================================
From 6d86721d58f9dd150c970f61911c8a8bc2c8c050 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@redhat.com>
Date: Tue, 4 Jan 2011 15:03:29 -0800
Subject: [PATCH] Bug 638511 - dirsrv-admin crashes at startup with SELinux enabled
On RHEL5, starting the dirsrv-admin service with SELinux enabled
will cause httpd child processes to repeatedly crash. The context
used by the dirsrv-admin start scripts needs some additional
process capabilities to fix this problem.
---
selinux/dirsrv-admin.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/selinux/dirsrv-admin.te b/selinux/dirsrv-admin.te
index 51c2dc6..4c842d9 100644
--- a/selinux/dirsrv-admin.te
+++ b/selinux/dirsrv-admin.te
@@ -78,7 +78,7 @@ ifdef(`targeted_policy',`
# Needed for stop and restart scripts
dirsrv_read_var_run(dirsrvadmin_t)
-allow dirsrvadmin_t httpd_t:process signal;
+allow dirsrvadmin_t httpd_t:process { signal siginh rlimitinh noatsecure };
allow dirsrvadmin_t httpd_var_run_t:file read_file_perms;
########################################
--
1.5.5.6
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [gentoo-commits] gentoo-x86 commit in net-nds/389-admin/files/1.1.14_backports: 0001-ssl-segfault-fix.patch 0000-selinux-crash-fix.patch
@ 2011-06-14 19:14 Fabio Erculiani (lxnay)
0 siblings, 0 replies; 2+ messages in thread
From: Fabio Erculiani (lxnay) @ 2011-06-14 19:14 UTC (permalink / raw
To: gentoo-commits
lxnay 11/06/14 19:14:10
Removed: 0001-ssl-segfault-fix.patch
0000-selinux-crash-fix.patch
Log:
version bump, fixes Gentoo bug #371633, drop older releases
(Portage version: 2.2.0_alpha30/cvs/Linux x86_64)
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2011-06-14 19:14 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-01-11 22:30 [gentoo-commits] gentoo-x86 commit in net-nds/389-admin/files/1.1.14_backports: 0001-ssl-segfault-fix.patch 0000-selinux-crash-fix.patch Fabio Erculiani (lxnay)
-- strict thread matches above, loose matches on Subject: below --
2011-06-14 19:14 Fabio Erculiani (lxnay)
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox