Resolves: RHEL-31857 - httpd:2.4/httpd: HTTP response
splitting (CVE-2023-38709)
This commit is contained in:
parent
4d9b575bdc
commit
00795d8d53
74
httpd-2.4.37-CVE-2023-38709.patch
Normal file
74
httpd-2.4.37-CVE-2023-38709.patch
Normal file
@ -0,0 +1,74 @@
|
||||
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
|
||||
index 393343a..16cb23c 100644
|
||||
--- a/modules/http/http_filters.c
|
||||
+++ b/modules/http/http_filters.c
|
||||
@@ -1348,6 +1348,9 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
|
||||
*/
|
||||
apr_table_clear(r->headers_out);
|
||||
apr_table_clear(r->err_headers_out);
|
||||
+ r->content_type = r->content_encoding = NULL;
|
||||
+ r->content_languages = NULL;
|
||||
+ r->clength = r->chunked = 0;
|
||||
apr_brigade_cleanup(b);
|
||||
|
||||
/* Don't recall ap_die() if we come back here (from its own internal
|
||||
@@ -1364,8 +1367,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
|
||||
APR_BRIGADE_INSERT_TAIL(b, e);
|
||||
e = apr_bucket_eos_create(c->bucket_alloc);
|
||||
APR_BRIGADE_INSERT_TAIL(b, e);
|
||||
- r->content_type = r->content_encoding = NULL;
|
||||
- r->content_languages = NULL;
|
||||
ap_set_content_length(r, 0);
|
||||
recursive_error = 1;
|
||||
}
|
||||
@@ -1392,6 +1393,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
|
||||
if (!apr_is_empty_table(r->err_headers_out)) {
|
||||
r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
|
||||
r->headers_out);
|
||||
+ apr_table_clear(r->err_headers_out);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1411,6 +1413,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
|
||||
fixup_vary(r);
|
||||
}
|
||||
|
||||
+
|
||||
+ /*
|
||||
+ * Control cachability for non-cacheable responses if not already set by
|
||||
+ * some other part of the server configuration.
|
||||
+ */
|
||||
+ if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
|
||||
+ char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
|
||||
+ ap_recent_rfc822_date(date, r->request_time);
|
||||
+ apr_table_addn(r->headers_out, "Expires", date);
|
||||
+ }
|
||||
+
|
||||
/*
|
||||
* Now remove any ETag response header field if earlier processing
|
||||
* says so (such as a 'FileETag None' directive).
|
||||
@@ -1423,6 +1436,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
|
||||
basic_http_header_check(r, &protocol);
|
||||
ap_set_keepalive(r);
|
||||
|
||||
+ /* 204/304 responses don't have content related headers */
|
||||
if (AP_STATUS_IS_HEADER_ONLY(r->status)) {
|
||||
apr_table_unset(r->headers_out, "Transfer-Encoding");
|
||||
apr_table_unset(r->headers_out, "Content-Length");
|
||||
@@ -1465,16 +1479,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
|
||||
apr_table_setn(r->headers_out, "Content-Language", field);
|
||||
}
|
||||
|
||||
- /*
|
||||
- * Control cachability for non-cacheable responses if not already set by
|
||||
- * some other part of the server configuration.
|
||||
- */
|
||||
- if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
|
||||
- char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
|
||||
- ap_recent_rfc822_date(date, r->request_time);
|
||||
- apr_table_addn(r->headers_out, "Expires", date);
|
||||
- }
|
||||
-
|
||||
/* This is a hack, but I can't find anyway around it. The idea is that
|
||||
* we don't want to send out 0 Content-Lengths if it is a head request.
|
||||
* This happens when modules try to outsmart the server, and return
|
@ -13,7 +13,7 @@
|
||||
Summary: Apache HTTP Server
|
||||
Name: httpd
|
||||
Version: 2.4.37
|
||||
Release: 64%{?dist}
|
||||
Release: 65%{?dist}
|
||||
URL: https://httpd.apache.org/
|
||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||
Source2: httpd.logrotate
|
||||
@ -258,6 +258,8 @@ Patch238: httpd-2.4.37-CVE-2023-25690.patch
|
||||
Patch239: httpd-2.4.37-CVE-2023-27522.patch
|
||||
# https://issues.redhat.com/browse/RHEL-14448
|
||||
Patch240: httpd-2.4.37-CVE-2023-31122.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2273491
|
||||
Patch241: httpd-2.4.37-CVE-2023-38709.patch
|
||||
|
||||
License: ASL 2.0
|
||||
Group: System Environment/Daemons
|
||||
@ -484,6 +486,7 @@ interface for storing and accessing per-user session data.
|
||||
%patch238 -p1 -b .CVE-2023-25690
|
||||
%patch239 -p1 -b .CVE-2023-27522
|
||||
%patch240 -p1 -b .CVE-2023-31122
|
||||
%patch241 -p1 -b .CVE-2023-38709
|
||||
|
||||
# Patch in the vendor string
|
||||
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
||||
@ -989,6 +992,10 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||
|
||||
%changelog
|
||||
* Wed Jun 12 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65
|
||||
- Resolves: RHEL-31857 - httpd:2.4/httpd: HTTP response
|
||||
splitting (CVE-2023-38709)
|
||||
|
||||
* Fri Feb 16 2024 Joe Orton <jorton@redhat.com> - 2.4.37-64
|
||||
- Resolves: RHEL-14448 - httpd: mod_macro: out-of-bounds read
|
||||
vulnerability (CVE-2023-31122)
|
||||
|
Loading…
Reference in New Issue
Block a user