From: Graham Leggett Date: Sat, 18 Nov 2023 11:20:14 +0000 (+0000) Subject: Backport to v2.4: X-Git-Tag: 2.4.59-rc1-candidate~151 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=80560d29c8bc6dac44c8a7f7767e54e0ec52c5e6;p=thirdparty%2Fapache%2Fhttpd.git Backport to v2.4: *) mod_ssl: release memory to the OS when needed Trunk version of patch: https://svn.apache.org/r1898410 https://svn.apache.org/r1898366 svn merge -c 1898366 ^/httpd/httpd/trunk . svn merge -c 1898410 ^/httpd/httpd/trunk . +1: gbechis, ylavic, jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1913909 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 80b75cdc2b8..0623f110319 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.59 + *) mod_ssl: release memory to the OS when needed. [Giovanni Bechis] + *) mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when some dollar substitution (backreference) happens in the hostname or port part of the URL. [Yann Ylavic] diff --git a/STATUS b/STATUS index 4d012c1b70c..ca3ed677553 100644 --- a/STATUS +++ b/STATUS @@ -153,13 +153,6 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] - *) mod_ssl: release memory to the OS when needed - Trunk version of patch: - https://svn.apache.org/r1898410 - https://svn.apache.org/r1898366 - svn merge -c 1898366 ^/httpd/httpd/trunk . - svn merge -c 1898410 ^/httpd/httpd/trunk . - +1: gbechis, ylavic, jorton PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c index e5d8f68a596..dc51a680f07 100644 --- a/modules/ssl/ssl_engine_init.c +++ b/modules/ssl/ssl_engine_init.c @@ -1765,6 +1765,7 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(02208) "SSL proxy client cert initialization failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); + sk_X509_INFO_free(sk); return ssl_die(s); } @@ -1774,7 +1775,11 @@ static apr_status_t ssl_init_proxy_certs(server_rec *s, int i; X509_INFO *inf = sk_X509_INFO_value(pkp->certs, n); - X509_STORE_CTX_init(sctx, store, inf->x509, NULL); + if (!X509_STORE_CTX_init(sctx, store, inf->x509, NULL)) { + sk_X509_INFO_free(sk); + X509_STORE_CTX_free(sctx); + return ssl_die(s); + } /* Attempt to verify the client cert */ if (X509_verify_cert(sctx) != 1) { diff --git a/modules/ssl/ssl_util_ocsp.c b/modules/ssl/ssl_util_ocsp.c index b9c8a0b850e..a202a72ee10 100644 --- a/modules/ssl/ssl_util_ocsp.c +++ b/modules/ssl/ssl_util_ocsp.c @@ -370,8 +370,11 @@ static STACK_OF(X509) *modssl_read_ocsp_certificates(const char *file) while ((x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL)) != NULL) { if (!other_certs) { other_certs = sk_X509_new_null(); - if (!other_certs) + if (!other_certs) { + X509_free(x509); + BIO_free(bio); return NULL; + } } if (!sk_X509_push(other_certs, x509)) { diff --git a/modules/ssl/ssl_util_stapling.c b/modules/ssl/ssl_util_stapling.c index c9d1d8e13d8..a2ed99b5270 100644 --- a/modules/ssl/ssl_util_stapling.c +++ b/modules/ssl/ssl_util_stapling.c @@ -117,8 +117,10 @@ static X509 *stapling_get_issuer(modssl_ctx_t *mctx, X509 *x) } inctx = X509_STORE_CTX_new(); - if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) + if (!X509_STORE_CTX_init(inctx, st, NULL, NULL)) { + X509_STORE_CTX_free(inctx); return 0; + } if (X509_STORE_CTX_get1_issuer(&issuer, inctx, x) <= 0) issuer = NULL; X509_STORE_CTX_cleanup(inctx);