public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] gentoo-x86 commit in net-nds/389-admin/files/1.1.14_backports: 0001-ssl-segfault-fix.patch 0000-selinux-crash-fix.patch
@ 2011-01-11 22:30 Fabio Erculiani (lxnay)
From: Fabio Erculiani (lxnay) @ 2011-01-11 22:30 UTC
  To: gentoo-commits

lxnay       11/01/11 22:30:14

  Added:                0001-ssl-segfault-fix.patch
                        0000-selinux-crash-fix.patch
  Log:
  version bump
  
  (Portage version: 2.1.9.28/cvs/Linux x86_64)

Revision  Changes    Path
1.1                  net-nds/389-admin/files/1.1.14_backports/0001-ssl-segfault-fix.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-admin/files/1.1.14_backports/0001-ssl-segfault-fix.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-admin/files/1.1.14_backports/0001-ssl-segfault-fix.patch?rev=1.1&content-type=text/plain

Index: 0001-ssl-segfault-fix.patch
===================================================================
From f08ab2ae5a9ce1ed7d5187f5e93a7e7854faacf3 Mon Sep 17 00:00:00 2001
From: Rich Megginson <rmeggins@redhat.com>
Date: Wed, 5 Jan 2011 15:47:28 -0700
Subject: [PATCH] Bug 664671 - Admin server segfault when full SSL access (http+ldap+console) required

https://bugzilla.redhat.com/show_bug.cgi?id=664671
Resolves: bug 664671
Bug Description: Admin server segfault when full SSL access (http+ldap+console) required
Reviewed by: ???
Branch: master
Fix Description: Do not call NSS_Shutdown in mod_admserv.  It should always
be called in mod_nss, after mod_admserv_unload is called.  The only thing
we need to do in mod_admserv_unload() is to clear the session cache to
release any resources acquired by mod_admserv.  mod_nss unload will take
care of the rest.
Platforms tested: RHEL5 i386
Flag Day: no
Doc impact: no
---
 mod_admserv/mod_admserv.c |   27 +++++++++++----------------
 1 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/mod_admserv/mod_admserv.c b/mod_admserv/mod_admserv.c
index ec7397c..6f96669 100644
--- a/mod_admserv/mod_admserv.c
+++ b/mod_admserv/mod_admserv.c
@@ -2223,28 +2223,23 @@ host_ip_init(apr_pool_t *p, apr_pool_t *plog,
  * NSS caches SSL client session information - this cache must be cleared, otherwise
  * NSS_Shutdown will give an error.  mod_nss also does this (along with the NSS_Shutdown)
  * It is ok to call SSL_ClearSessionCache multiple times.
+ * The actual NSS_Shutdown is done in mod_nss.  Note that we cannot call NSS_Shutdown
+ * here - if NSS_Shutdown fails because mod_nss still has server caches referenced,
+ * NSS will be left in a bad state - it won't really be shutdown because of the outstanding
+ * references, but NSS_IsInitialized will return false, and NSS_Initialize will fail.
+ * So we must be careful here to just release any references we have.
+ * The assumption here is that mod_nss is loaded before mod_admserv (which will usually
+ * happen since it is listed first in the httpd.conf) - but note that module unload
+ * happens in _reverse_ order - so mod_admserv_unload will be called _before_ the
+ * mod_nss unload function.  If this ever changes, we will need to figure out some other
+ * way to ensure that NSS_Shutdown is only ever called once, and only after all caches
+ * and other resources have been released.
  */
 static
 apr_status_t mod_admserv_unload(void *data)
 {
     if (NSS_IsInitialized()) {
-        SECStatus status;
         SSL_ClearSessionCache();
-        status = NSS_Shutdown();
-        if (status != SECSuccess) {
-            PRErrorCode prerr = PR_GetError();
-            if (prerr == SEC_ERROR_NOT_INITIALIZED) {
-                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
-                             "Unable to shutdown NSS - not initialized");
-            } else if (prerr == SEC_ERROR_BUSY) {
-                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
-                             "Unable to shutdown NSS - still busy - assume mod_nss is holding references - continuing");
-            } else {
-                ap_log_error(APLOG_MARK, APLOG_WARNING, 0, NULL,
-                             "Unable to shutdown NSS - [%d:%s]",
-                             prerr, SSL_Strerror(prerr));
-            }
-        }
     }
     return OK;
 }
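Review bot: the comment added above mod_admserv_unload() makes the fix depend on mod_nss being loaded before mod_admserv, so that the reverse-order unload leaves NSS_Shutdown to mod_nss, but the function neither checks nor logs anything about that assumption, and with the three ap_log_error branches removed the unload path is now silent. A single debug-level ap_log_error after SSL_ClearSessionCache() stating that NSS_Shutdown is left to mod_nss would keep a changed module order diagnosable from the error log. The ordering requirement is also only recorded in this source comment; it should be stated next to the module load lines in httpd.conf, which the comment names as the place the order is set. Separately, the commit message still carries "Reviewed by: ???", which should be filled in.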
-- 
1.5.5.6




1.1                  net-nds/389-admin/files/1.1.14_backports/0000-selinux-crash-fix.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-admin/files/1.1.14_backports/0000-selinux-crash-fix.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-nds/389-admin/files/1.1.14_backports/0000-selinux-crash-fix.patch?rev=1.1&content-type=text/plain

Index: 0000-selinux-crash-fix.patch
===================================================================
From 6d86721d58f9dd150c970f61911c8a8bc2c8c050 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@redhat.com>
Date: Tue, 4 Jan 2011 15:03:29 -0800
Subject: [PATCH] Bug 638511 - dirsrv-admin crashes at startup with SELinux enabled

On RHEL5, starting the dirsrv-admin service with SELinux enabled
will cause httpd child processes to repeatedly crash.  The context
used by the dirsrv-admin start scripts needs some additional
process capabilities to fix this problem.
---
 selinux/dirsrv-admin.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/selinux/dirsrv-admin.te b/selinux/dirsrv-admin.te
index 51c2dc6..4c842d9 100644
--- a/selinux/dirsrv-admin.te
+++ b/selinux/dirsrv-admin.te
@@ -78,7 +78,7 @@ ifdef(`targeted_policy',`
 
 # Needed for stop and restart scripts
 dirsrv_read_var_run(dirsrvadmin_t)
-allow dirsrvadmin_t httpd_t:process signal;
+allow dirsrvadmin_t httpd_t:process { signal siginh rlimitinh noatsecure };
 allow dirsrvadmin_t httpd_var_run_t:file read_file_perms;
 
 ########################################
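Review bot: the widened rule on the changed line grants siginh, rlimitinh and noatsecure in one set with no note on which denial each one answers, and the comment above it still reads "Needed for stop and restart scripts" although the commit message describes a crash at startup. noatsecure is the one to justify explicitly: it turns off secure-mode environment cleansing on the transition from dirsrvadmin_t to httpd_t, so the caller's environment (LD_* variables included) reaches the httpd process unfiltered. Suggest keeping "allow dirsrvadmin_t httpd_t:process signal;" under the existing comment, putting the three new permissions on their own rule with a comment tying them to the start script, and confirming from the AVC denials that noatsecure is required for the fix and is not there only to quiet the log.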
-- 
1.5.5.6








* [gentoo-commits] gentoo-x86 commit in net-nds/389-admin/files/1.1.14_backports: 0001-ssl-segfault-fix.patch 0000-selinux-crash-fix.patch
@ 2011-06-14 19:14 Fabio Erculiani (lxnay)
From: Fabio Erculiani (lxnay) @ 2011-06-14 19:14 UTC
  To: gentoo-commits

lxnay       11/06/14 19:14:10

  Removed:              0001-ssl-segfault-fix.patch
                        0000-selinux-crash-fix.patch
  Log:
  version bump, fixes Gentoo bug #371633, drop older releases
  
  (Portage version: 2.2.0_alpha30/cvs/Linux x86_64)


