From 7df9fedc9b1ca2d6253fbc171712e736423ef986 Mon Sep 17 00:00:00 2001 From: Pavel Lisý Date: Apr 15 2015 08:59:28 +0000 Subject: Resolves bz 1114461 - CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds - Resolves bz 1094901 - cherokee: script and/or trigger should not directly enable systemd units - Resolves bz 959170 - cherokee-worker and cherokee-admin want to use execstack (EL5) --- diff --git a/cherokee.spec b/cherokee.spec index 807ce8d..38ea10d 100644 --- a/cherokee.spec +++ b/cherokee.spec @@ -1,20 +1,18 @@ %define home %{_var}/lib/%{name} %define shortversion %(echo %{version} | sed -e 's/^\([0-9]+\.[0-9]+\)\.[0-9]+/\1/g') %define opensslversion 1.0.0d -#%define pkgname webserver %define pkgname cherokee %{!?_unitdir:%define _unitdir /lib/systemd/system} Name: cherokee Version: 1.2.103 -Release: 3%{?dist} +Release: 6%{?dist} Summary: Flexible and Fast Webserver Group: Applications/Internet License: GPLv2 URL: http://www.cherokee-project.com/ Source0: http://www.cherokee-project.com/download/%{shortversion}/%{version}/%{name}-%{version}.tar.gz -# Source0: http://github.com/%{name}/%{pkgname}/archive/%{name}-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Source1: %{name}.init Source2: %{name}.logrotate @@ -63,7 +61,8 @@ Source116: screencast.png # Drop privileges to cherokee:cherokee after startup Patch0: 01-drop-privileges.patch -#Patch1: http://ausil.fedorapeople.org/aarch64/cherokee/cherokee-aarch64.patch +# Patch1: http://ausil.fedorapeople.org/aarch64/cherokee/cherokee-aarch64.patch +Patch2: cherokee-1.2.103_CVE-2014-4668.patch BuildRequires: pam-devel mysql-devel pcre-devel GeoIP-devel openldap-devel %if "%{rhel}" == "4" 
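Review bot: `Patch2: cherokee-1.2.103_CVE-2014-4668.patch` is added without the one-line comment that `Patch0` carries, and the patch file itself is not in the visible part of this diff, so a reader of the spec cannot tell what the security fix changes or where it came from. I would add above it `# CVE-2014-4668 (rhbz#1114461): LDAP validator auth bypass with unauthenticated binds; origin: <upstream commit or bug URL>`. Because the CVE concerns LDAP servers that accept unauthenticated binds, it is worth confirming in the patch itself that an empty password is rejected before any bind is attempted.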
@@ -77,9 +76,10 @@ BuildRequires: gettext Requires: spawn-fcgi %if ( 0%{?fedora} ) -Requires(post): systemd-units -Requires(preun): systemd-units -Requires(postun): systemd-units +Requires(post): systemd systemd-units +Requires(preun): systemd systemd-units +Requires(postun): systemd systemd-units +BuildRequires: systemd %else Requires(post): chkconfig Requires(preun): chkconfig @@ -114,7 +114,8 @@ This package holds the development files for cherokee. %setup -n %{pkgname}-%{version} -q %endif %patch0 -p1 -b .privs -#%patch1 -p1 -b .aarch64 +# %patch1 -p1 -b .aarch64 +%patch2 -p1 -b .cve-2014-4668 # Replace upstream logos: https://fedorahosted.org/fesco/ticket/1230 for i in admin/icons/cherokee-admin-launcher-* \ @@ -226,38 +227,30 @@ exit 0 %post %if ( 0%{?fedora} ) -if [ $1 -eq 1 ] ; then - # Initial installation: enabled by default - /bin/systemctl enable cherokee.service >/dev/null 2>&1 || : -fi + %systemd_post cherokee.service %else -/sbin/ldconfig -/sbin/chkconfig --add %{name} + /sbin/ldconfig + /sbin/chkconfig --add %{name} +%endif +%if "%{rhel}" == "5" + /usr/bin/execstack --clear-execstack %{_libdir}/lib%{name}-server.so.* %endif %preun %if ( 0%{?fedora} ) -if [ $1 -eq 0 ] ; then - # Package removal, not upgrade - /bin/systemctl --no-reload disable cherokee.service > /dev/null 2>&1 || : - /bin/systemctl stop cherokee.service > /dev/null 2>&1 || : -fi + %systemd_preun cherokee.service %else -if [ $1 = 0 ] ; then - /sbin/service %{name} stop >/dev/null 2>&1 - /sbin/chkconfig --del %{name} -fi + if [ $1 = 0 ] ; then + /sbin/service %{name} stop >/dev/null 2>&1 + /sbin/chkconfig --del %{name} + fi %endif %postun %if ( 0%{?fedora} ) -/bin/systemctl daemon-reload >/dev/null 2>&1 || : -if [ $1 -ge 1 ] ; then - # Package upgrade, not uninstall - /bin/systemctl try-restart cherokee.service >/dev/null 2>&1 || : -fi + %systemd_postun_with_restart cherokee.service %else -/sbin/ldconfig + /sbin/ldconfig %endif %files 
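Review bot: The commented-out line `# %patch1 -p1 -b .aarch64` in the `%prep` hunk still contains an unescaped macro, and adding a space after `#` does not change how rpm treats it. Depending on the rpm version, macros inside comments can still be expanded, and rpmlint reports this as macro-in-comment. Write it as `# %%patch1 -p1 -b .aarch64`, or drop the line together with the commented `Patch1:` tag if the aarch64 patch is no longer needed.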
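Review bot: The new EL5 branch of `%post` runs `/usr/bin/execstack --clear-execstack %{_libdir}/lib%{name}-server.so.*` on the installed library, which rewrites a packaged file after installation. `rpm -V` will then report the library as modified, and the payload in the RPM still carries the executable-stack flag. Nothing visible in this diff adds a `Requires(post)` on the package that ships execstack (prelink on EL5), and the line has no `|| :`, so a missing tool would make the scriptlet exit non-zero. Clearing the flag at build time avoids both problems: add `BuildRequires: prelink` under the same `%if "%{rhel}" == "5"` and run `execstack --clear-execstack %{buildroot}%{_libdir}/lib%{name}-server.so.*` at the end of `%install`. The `%install` section lies outside this hunk.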
@@ -321,7 +314,19 @@ fi %{_datadir}/aclocal/%{name}.m4 %{_libdir}/lib%{name}-*.so + %changelog +* Wed Apr 15 2015 Pavel Lisý - 1.2.103-6 +- Resolves bz 1114461 - CVE-2014-4668 cherokee: authentication bypass when LDAP server allows unauthenticated binds +- Resolves bz 1094901 - cherokee: script and/or trigger should not directly enable systemd units +- Resolves bz 959170 - cherokee-worker and cherokee-admin want to use execstack (EL5) + +* Sat Aug 16 2014 Fedora Release Engineering - 1.2.103-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 07 2014 Fedora Release Engineering - 1.2.103-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + * Wed Mar 5 2014 Toshio Kuratomi - 1.2.103-3 - Remove the upstream cherokee logo due to: https://fedorahosted.org/fesco/ticket/1230