diff --git a/.gitignore b/.gitignore
index bcfa24c..b636c17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,4 @@ x86_64
 /httpd-2.4.48.tar.bz2.asc
 /httpd-2.4.49.tar.bz2.asc
 /httpd-2.4.51.tar.bz2.asc
+/httpd-2.4.53.tar.bz2.asc
diff --git a/httpd-2.4.51-CVE-2021-44224.patch b/httpd-2.4.51-CVE-2021-44224.patch
deleted file mode 100644
index e4d8b03..0000000
--- a/httpd-2.4.51-CVE-2021-44224.patch
+++ /dev/null
@@ -1,252 +0,0 @@ -diff --git a/include/http_protocol.h b/include/http_protocol.h -index 9ccac89..20bd202 100644 ---- a/include/http_protocol.h -+++ b/include/http_protocol.h -@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(request_rec *r); - AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, - apr_bucket_brigade *bb); - -+/** -+ * Run post_read_request hook and validate. -+ * @param r The current request -+ * @return OK or HTTP_... -+ */ -+AP_DECLARE(int) ap_post_read_request(request_rec *r); -+ - /* Finish up stuff after a request */ - - /** -diff --git a/modules/http/http_request.c b/modules/http/http_request.c -index c9ae5af..d59cfe2 100644 ---- a/modules/http/http_request.c -+++ b/modules/http/http_request.c -@@ -680,7 +680,7 @@ static request_rec *internal_internal_redirect(const char *new_uri, - * to do their thing on internal redirects as well. Perhaps this is a - * misnamed function. - */ -- if ((access_status = ap_run_post_read_request(new))) { -+ if ((access_status = ap_post_read_request(new))) { - ap_die(access_status, new); - return NULL; - } -diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c -index ee4f1fb..ff9f81d 100644 ---- a/modules/proxy/mod_proxy.c -+++ b/modules/proxy/mod_proxy.c -@@ -777,11 +777,12 @@ static int proxy_detect(request_rec *r) - - if (conf->req && r->parsed_uri.scheme) { - /* but it might be something vhosted */ -- if (!(r->parsed_uri.hostname -- && !ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) -- && ap_matches_request_vhost(r, r->parsed_uri.hostname, -- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port -- : ap_default_port(r))))) { -+ if (!r->parsed_uri.hostname -+ || ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0 -+ || !ap_matches_request_vhost(r, r->parsed_uri.hostname, -+ (apr_port_t)(r->parsed_uri.port_str -+ ? 
r->parsed_uri.port -+ : ap_default_port(r)))) { - r->proxyreq = PROXYREQ_PROXY; - r->uri = r->unparsed_uri; - r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL); -@@ -2021,6 +2022,7 @@ static const char * - struct proxy_alias *new; - char *f = cmd->path; - char *r = NULL; -+ const char *real; - char *word; - apr_table_t *params = apr_table_make(cmd->pool, 5); - const apr_array_header_t *arr; -@@ -2107,6 +2109,10 @@ static const char * - if (r == NULL) { - return "ProxyPass|ProxyPassMatch needs a path when not defined in a location"; - } -+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) { -+ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL"; -+ } -+ - - /* if per directory, save away the single alias */ - if (cmd->path) { -@@ -2123,7 +2129,7 @@ static const char * - } - - new->fake = apr_pstrdup(cmd->pool, f); -- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r)); -+ new->real = apr_pstrdup(cmd->pool, real); - new->flags = flags; - if (worker_type & AP_PROXY_WORKER_IS_MATCH) { - new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED); -@@ -2649,6 +2655,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg) - proxy_worker *worker; - char *path = cmd->path; - char *name = NULL; -+ const char *real; - char *word; - apr_table_t *params = apr_table_make(cmd->pool, 5); - const apr_array_header_t *arr; -@@ -2689,6 +2696,9 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg) - return "BalancerMember must define balancer name when outside section"; - if (!name) - return "BalancerMember must define remote proxy server"; -+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) { -+ return "BalancerMember uses an invalid \"unix:\" URL"; -+ } - - ap_str_tolower(path); /* lowercase scheme://hostname */ - -@@ -2701,8 +2711,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg) - } - - /* Try to find existing worker */ -- worker = 
ap_proxy_get_worker(cmd->temp_pool, balancer, conf, -- ap_proxy_de_socketfy(cmd->temp_pool, name)); -+ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real); - if (!worker) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147) - "Defining worker '%s' for balancer '%s'", -@@ -2799,9 +2808,14 @@ static const char * - } - } - else { -+ const char *real; -+ -+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) { -+ return "ProxySet uses an invalid \"unix:\" URL"; -+ } -+ - worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, conf, -- ap_proxy_de_socketfy(cmd->temp_pool, name), -- worker_type); -+ real, worker_type); - if (!worker) { - if (in_proxy_section) { - err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, -@@ -2944,9 +2958,14 @@ static const char *proxysection(cmd_parms *cmd, void *mconfig, const char *arg) - } - } - else { -+ const char *real; -+ -+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) { -+ return " uses an invalid \"unix:\" URL"; -+ } -+ - worker = ap_proxy_get_worker_ex(cmd->temp_pool, NULL, sconf, -- ap_proxy_de_socketfy(cmd->temp_pool, conf->p), -- worker_type); -+ real, worker_type); - if (!worker) { - err = ap_proxy_define_worker_ex(cmd->pool, &worker, NULL, sconf, - conf->p, worker_type); -diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h -index 044a6c4..c21c4d8 100644 ---- a/modules/proxy/mod_proxy.h -+++ b/modules/proxy/mod_proxy.h -@@ -751,6 +751,7 @@ PROXY_DECLARE(int) ap_proxy_worker_can_upgrade(apr_pool_t *p, - #define AP_PROXY_WORKER_IS_PREFIX (1u << 0) - #define AP_PROXY_WORKER_IS_MATCH (1u << 1) - #define AP_PROXY_WORKER_IS_MALLOCED (1u << 2) -+#define AP_PROXY_WORKER_NO_UDS (1u << 3) - - /** - * Get the worker from proxy configuration, looking for either PREFIXED or -diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c -index 8225045..cbe300f 100644 ---- a/modules/proxy/proxy_util.c -+++ b/modules/proxy/proxy_util.c -@@ -1741,7 +1741,12 @@ 
PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p, - return NULL; - } - -+ if (!(mask & AP_PROXY_WORKER_NO_UDS)) { - url = ap_proxy_de_socketfy(p, url); -+ if (!url) { -+ return NULL; -+ } -+ } - - c = ap_strchr_c(url, ':'); - if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') { -@@ -2323,22 +2328,22 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker, - - access_status = proxy_run_pre_request(worker, balancer, r, conf, url); - if (access_status == DECLINED && *balancer == NULL) { -- *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url); -+ const int forward = (r->proxyreq == PROXYREQ_PROXY); -+ *worker = ap_proxy_get_worker_ex(r->pool, NULL, conf, *url, -+ forward ? AP_PROXY_WORKER_NO_UDS : 0); - if (*worker) { - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, - "%s: found worker %s for %s", - (*worker)->s->scheme, (*worker)->s->name, *url); -- *balancer = NULL; -- if (!fix_uds_filename(r, url)) { -+ if (!forward && !fix_uds_filename(r, url)) { - return HTTP_INTERNAL_SERVER_ERROR; - } - access_status = OK; - } -- else if (r->proxyreq == PROXYREQ_PROXY) { -+ else if (forward) { - if (conf->forward) { - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, - "*: found forward proxy worker for %s", *url); -- *balancer = NULL; - *worker = conf->forward; - access_status = OK; - /* -@@ -2352,8 +2357,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker, - else if (r->proxyreq == PROXYREQ_REVERSE) { - if (conf->reverse) { - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, -- "*: using default reverse proxy worker for %s (no keepalive)", *url); -- *balancer = NULL; -+ "*: using default reverse proxy worker for %s " -+ "(no keepalive)", *url); - *worker = conf->reverse; - access_status = OK; - /* -diff --git a/server/protocol.c b/server/protocol.c -index 3d74c5b..2214f72 100644 ---- a/server/protocol.c -+++ b/server/protocol.c -@@ -1548,7 +1548,7 @@ request_rec *ap_read_request(conn_rec *conn) - /* we may have switched to another 
server */ - apply_server_config(r); - -- if ((access_status = ap_run_post_read_request(r))) { -+ if ((access_status = ap_post_read_request(r))) { - goto die; - } - -@@ -1603,6 +1603,27 @@ ignore: - return NULL; - } - -+AP_DECLARE(int) ap_post_read_request(request_rec *r) -+{ -+ int status; -+ -+ if ((status = ap_run_post_read_request(r))) { -+ return status; -+ } -+ -+ /* Enforce http(s) only scheme for non-forward-proxy requests */ -+ if (!r->proxyreq -+ && r->parsed_uri.scheme -+ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0 -+ || (r->parsed_uri.scheme[4] != '\0' -+ && (apr_tolower(r->parsed_uri.scheme[4]) != 's' -+ || r->parsed_uri.scheme[5] != '\0')))) { -+ return HTTP_BAD_REQUEST; -+ } -+ -+ return OK; -+} -+ - /* if a request with a body creates a subrequest, remove original request's - * input headers which pertain to the body which has already been read. - * out-of-line helper function for ap_set_sub_req_protocol. diff --git a/httpd-2.4.51-CVE-2021-44790.patch b/httpd-2.4.51-CVE-2021-44790.patch deleted file mode 100644 index ddf4738..0000000 --- a/httpd-2.4.51-CVE-2021-44790.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- a/modules/lua/lua_request.c 2021/12/16 11:09:40 1896038 -+++ b/modules/lua/lua_request.c 2021/12/16 11:15:47 1896039 -@@ -410,6 +410,7 @@ - if (end == NULL) break; - key = (char *) apr_pcalloc(r->pool, 256); - filename = (char *) apr_pcalloc(r->pool, 256); -+ if (end - crlf <= 8) break; - vlen = end - crlf - 8; - buffer = (char *) apr_pcalloc(r->pool, vlen+1); - memcpy(buffer, crlf + 4, vlen); diff --git a/httpd-2.4.51-CVE-2022-22720.patch b/httpd-2.4.51-CVE-2022-22720.patch deleted file mode 100644 index a91923c..0000000 --- a/httpd-2.4.51-CVE-2022-22720.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c -index b10d2b7..5659c4b 100644 ---- a/modules/http/http_filters.c -+++ b/modules/http/http_filters.c -@@ -1595,9 +1595,9 @@ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status) - */ - AP_DECLARE(int) ap_discard_request_body(request_rec *r) - { -+ int rc = OK; -+ conn_rec *c = r->connection; - apr_bucket_brigade *bb; -- int seen_eos; -- apr_status_t rv; - - /* Sometimes we'll get in a state where the input handling has - * detected an error where we want to drop the connection, so if -@@ -1606,54 +1606,57 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r) - * - * This function is also a no-op on a subrequest. - */ -- if (r->main || r->connection->keepalive == AP_CONN_CLOSE || -- ap_status_drops_connection(r->status)) { -+ if (r->main || c->keepalive == AP_CONN_CLOSE) { -+ return OK; -+ } -+ if (ap_status_drops_connection(r->status)) { -+ c->keepalive = AP_CONN_CLOSE; - return OK; - } - - bb = apr_brigade_create(r->pool, r->connection->bucket_alloc); -- seen_eos = 0; -- do { -- apr_bucket *bucket; -+ for (;;) { -+ apr_status_t rv; - - rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES, - APR_BLOCK_READ, HUGE_STRING_LEN); -- - if (rv != APR_SUCCESS) { -- apr_brigade_destroy(bb); -- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST); -+ rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST); -+ goto cleanup; - } - -- for (bucket = APR_BRIGADE_FIRST(bb); -- bucket != APR_BRIGADE_SENTINEL(bb); -- bucket = APR_BUCKET_NEXT(bucket)) -- { -- const char *data; -- apr_size_t len; -+ while (!APR_BRIGADE_EMPTY(bb)) { -+ apr_bucket *b = APR_BRIGADE_FIRST(bb); - -- if (APR_BUCKET_IS_EOS(bucket)) { -- seen_eos = 1; -- break; -+ if (APR_BUCKET_IS_EOS(b)) { -+ goto cleanup; - } - -- /* These are metadata buckets. 
*/ -- if (bucket->length == 0) { -- continue; -- } -- -- /* We MUST read because in case we have an unknown-length -- * bucket or one that morphs, we want to exhaust it. -+ /* There is no need to read empty or metadata buckets or -+ * buckets of known length, but we MUST read buckets of -+ * unknown length in order to exhaust them. - */ -- rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ); -+ if (b->length == (apr_size_t)-1) { -+ apr_size_t len; -+ const char *data; -+ -+ rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ); - if (rv != APR_SUCCESS) { -- apr_brigade_destroy(bb); -- return HTTP_BAD_REQUEST; -+ rc = HTTP_BAD_REQUEST; -+ goto cleanup; - } - } -- apr_brigade_cleanup(bb); -- } while (!seen_eos); - -- return OK; -+ apr_bucket_delete(b); -+ } -+ } -+ -+cleanup: -+ apr_brigade_cleanup(bb); -+ if (rc != OK) { -+ c->keepalive = AP_CONN_CLOSE; -+ } -+ return rc; - } - - /* Here we deal with getting the request message body from the client. -diff --git a/server/protocol.c b/server/protocol.c -index 3d74c5b..03b5419 100644 ---- a/server/protocol.c -+++ b/server/protocol.c -@@ -1666,23 +1666,29 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew, - rnew->main = (request_rec *) r; - } - --static void end_output_stream(request_rec *r) -+static void end_output_stream(request_rec *r, int status) - { - conn_rec *c = r->connection; - apr_bucket_brigade *bb; - apr_bucket *b; - - bb = apr_brigade_create(r->pool, c->bucket_alloc); -+ if (status != OK) { -+ b = ap_bucket_error_create(status, NULL, r->pool, c->bucket_alloc); -+ APR_BRIGADE_INSERT_TAIL(bb, b); -+ } - b = apr_bucket_eos_create(c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, b); -+ - ap_pass_brigade(r->output_filters, bb); -+ apr_brigade_cleanup(bb); - } - - AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub) - { - /* tell the filter chain there is no more content coming */ - if (!sub->eos_sent) { -- end_output_stream(sub); -+ end_output_stream(sub, OK); - } - } - -@@ -1693,11 
+1699,11 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub) - */ - AP_DECLARE(void) ap_finalize_request_protocol(request_rec *r) - { -- (void) ap_discard_request_body(r); -+ int status = ap_discard_request_body(r); - - /* tell the filter chain there is no more content coming */ - if (!r->eos_sent) { -- end_output_stream(r); -+ end_output_stream(r, status); - } - } - diff --git a/httpd-2.4.51-openssl3.patch b/httpd-2.4.51-openssl3.patch deleted file mode 100644 index a4423c7..0000000 --- a/httpd-2.4.51-openssl3.patch +++ /dev/null 
@@ -1,505 +0,0 @@ - -https://github.com/apache/httpd/pull/258 - ---- httpd-2.4.51/modules/ssl/ssl_engine_init.c.openssl3 -+++ httpd-2.4.51/modules/ssl/ssl_engine_init.c -@@ -91,7 +91,6 @@ - - return 1; - } --#endif - - /* - * Grab well-defined DH parameters from OpenSSL, see the BN_get_rfc* -@@ -171,6 +170,7 @@ - - return NULL; /* impossible to reach. */ - } -+#endif - - static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf, - server_rec *s) -@@ -440,8 +440,9 @@ - - modssl_init_app_data2_idx(); /* for modssl_get_app_data2() at request time */ - -+#if MODSSL_USE_OPENSSL_PRE_1_1_API - init_dh_params(); --#if !MODSSL_USE_OPENSSL_PRE_1_1_API -+#else - init_bio_methods(); - #endif - -@@ -862,7 +863,11 @@ - { - SSL_CTX *ctx = mctx->ssl_ctx; - -+#if MODSSL_USE_OPENSSL_PRE_1_1_API -+ /* Note that for OpenSSL>=1.1, auto selection is enabled via -+ * SSL_CTX_set_dh_auto(,1) if no parameter is configured. */ - SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); -+#endif - - SSL_CTX_set_info_callback(ctx, ssl_callback_Info); - -@@ -871,6 +876,23 @@ - #endif - } - -+static APR_INLINE -+int modssl_CTX_load_verify_locations(SSL_CTX *ctx, -+ const char *file, -+ const char *path) -+{ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ if (!SSL_CTX_load_verify_locations(ctx, file, path)) -+ return 0; -+#else -+ if (file && !SSL_CTX_load_verify_file(ctx, file)) -+ return 0; -+ if (path && !SSL_CTX_load_verify_dir(ctx, path)) -+ return 0; -+#endif -+ return 1; -+} -+ - static apr_status_t ssl_init_ctx_verify(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -@@ -911,10 +933,8 @@ - ap_log_error(APLOG_MARK, APLOG_TRACE1, 0, s, - "Configuring client authentication"); - -- if (!SSL_CTX_load_verify_locations(ctx, -- mctx->auth.ca_cert_file, -- mctx->auth.ca_cert_path)) -- { -+ if (!modssl_CTX_load_verify_locations(ctx, mctx->auth.ca_cert_file, -+ mctx->auth.ca_cert_path)) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01895) - "Unable to configure verify 
locations " - "for client authentication"); -@@ -999,6 +1019,23 @@ - return APR_SUCCESS; - } - -+static APR_INLINE -+int modssl_X509_STORE_load_locations(X509_STORE *store, -+ const char *file, -+ const char *path) -+{ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ if (!X509_STORE_load_locations(store, file, path)) -+ return 0; -+#else -+ if (file && !X509_STORE_load_file(store, file)) -+ return 0; -+ if (path && !X509_STORE_load_path(store, path)) -+ return 0; -+#endif -+ return 1; -+} -+ - static apr_status_t ssl_init_ctx_crl(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -@@ -1037,8 +1074,8 @@ - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01900) - "Configuring certificate revocation facility"); - -- if (!store || !X509_STORE_load_locations(store, mctx->crl_file, -- mctx->crl_path)) { -+ if (!store || !modssl_X509_STORE_load_locations(store, mctx->crl_file, -+ mctx->crl_path)) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01901) - "Host %s: unable to configure X.509 CRL storage " - "for certificate revocation", mctx->sc->vhost_id); -@@ -1267,6 +1304,31 @@ - return 0; - } - -+static APR_INLINE int modssl_DH_bits(DH *dh) -+{ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ return DH_bits(dh); -+#else -+ return BN_num_bits(DH_get0_p(dh)); -+#endif -+} -+ -+/* SSL_CTX_use_PrivateKey_file() can fail either because the private -+ * key was encrypted, or due to a mismatch between an already-loaded -+ * cert and the key - a common misconfiguration - from calling -+ * X509_check_private_key(). This macro is passed the last error code -+ * off the OpenSSL stack and evaluates to true only for the first -+ * case. With OpenSSL < 3 the second case is identifiable by the -+ * function code, but function codes are not used from 3.0. 
*/ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_FUNC(ec) != X509_F_X509_CHECK_PRIVATE_KEY) -+#else -+#define CHECK_PRIVKEY_ERROR(ec) (ERR_GET_LIB != ERR_LIB_X509 \ -+ || (ERR_GET_REASON(ec) != X509_R_KEY_TYPE_MISMATCH \ -+ && ERR_GET_REASON(ec) != X509_R_KEY_VALUES_MISMATCH \ -+ && ERR_GET_REASON(ec) != X509_R_UNKNOWN_KEY_TYPE)) -+#endif -+ - static apr_status_t ssl_init_server_certs(server_rec *s, - apr_pool_t *p, - apr_pool_t *ptemp, -@@ -1277,7 +1339,7 @@ - const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; - int i; - X509 *cert; -- DH *dhparams; -+ DH *dh; - #ifdef HAVE_ECC - EC_GROUP *ecparams = NULL; - int nid; -@@ -1372,8 +1434,7 @@ - } - else if ((SSL_CTX_use_PrivateKey_file(mctx->ssl_ctx, keyfile, - SSL_FILETYPE_PEM) < 1) -- && (ERR_GET_FUNC(ERR_peek_last_error()) -- != X509_F_X509_CHECK_PRIVATE_KEY)) { -+ && CHECK_PRIVKEY_ERROR(ERR_peek_last_error())) { - ssl_asn1_t *asn1; - const unsigned char *ptr; - -@@ -1462,13 +1523,22 @@ - */ - certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); - if (certfile && !modssl_is_engine_id(certfile) -- && (dhparams = ssl_dh_GetParamFromFile(certfile))) { -- SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dhparams); -+ && (dh = ssl_dh_GetParamFromFile(certfile))) { -+ /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey() -+ * for OpenSSL 3.0+. */ -+ SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) - "Custom DH parameters (%d bits) for %s loaded from %s", -- DH_bits(dhparams), vhost_id, certfile); -- DH_free(dhparams); -+ modssl_DH_bits(dh), vhost_id, certfile); -+ DH_free(dh); - } -+#if !MODSSL_USE_OPENSSL_PRE_1_1_API -+ else { -+ /* If no parameter is manually configured, enable auto -+ * selection. 
*/ -+ SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1); -+ } -+#endif - - #ifdef HAVE_ECC - /* -@@ -1518,6 +1588,7 @@ - char buf[TLSEXT_TICKET_KEY_LEN]; - char *path; - modssl_ticket_key_t *ticket_key = mctx->ticket_key; -+ int res; - - if (!ticket_key->file_path) { - return APR_SUCCESS; -@@ -1545,11 +1616,22 @@ - } - - memcpy(ticket_key->key_name, buf, 16); -- memcpy(ticket_key->hmac_secret, buf + 16, 16); - memcpy(ticket_key->aes_key, buf + 32, 16); -- -- if (!SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, -- ssl_callback_SessionTicket)) { -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ memcpy(ticket_key->hmac_secret, buf + 16, 16); -+ res = SSL_CTX_set_tlsext_ticket_key_cb(mctx->ssl_ctx, -+ ssl_callback_SessionTicket); -+#else -+ ticket_key->mac_params[0] = -+ OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, buf + 16, 16); -+ ticket_key->mac_params[1] = -+ OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "sha256", 0); -+ ticket_key->mac_params[2] = -+ OSSL_PARAM_construct_end(); -+ res = SSL_CTX_set_tlsext_ticket_key_evp_cb(mctx->ssl_ctx, -+ ssl_callback_SessionTicket); -+#endif -+ if (!res) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01913) - "Unable to initialize TLS session ticket key callback " - "(incompatible OpenSSL version?)"); -@@ -1680,7 +1762,7 @@ - return ssl_die(s); - } - -- X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); -+ modssl_X509_STORE_load_locations(store, pkp->ca_cert_file, NULL); - - for (n = 0; n < ncerts; n++) { - int i; -@@ -2277,10 +2359,11 @@ - - } - --#if !MODSSL_USE_OPENSSL_PRE_1_1_API -+#if MODSSL_USE_OPENSSL_PRE_1_1_API -+ free_dh_params(); -+#else - free_bio_methods(); - #endif -- free_dh_params(); - - return APR_SUCCESS; - } ---- httpd-2.4.51/modules/ssl/ssl_engine_io.c.openssl3 -+++ httpd-2.4.51/modules/ssl/ssl_engine_io.c -@@ -194,6 +194,10 @@ - static int bio_filter_out_read(BIO *bio, char *out, int outl) - { - /* this is never called */ -+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t 
*)BIO_get_data(bio); -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c, -+ "BUG: %s() should not be called", "bio_filter_out_read"); -+ AP_DEBUG_ASSERT(0); - return -1; - } - -@@ -293,12 +297,20 @@ - static int bio_filter_out_gets(BIO *bio, char *buf, int size) - { - /* this is never called */ -+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c, -+ "BUG: %s() should not be called", "bio_filter_out_gets"); -+ AP_DEBUG_ASSERT(0); - return -1; - } - - static int bio_filter_out_puts(BIO *bio, const char *str) - { - /* this is never called */ -+ bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)BIO_get_data(bio); -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, outctx->c, -+ "BUG: %s() should not be called", "bio_filter_out_puts"); -+ AP_DEBUG_ASSERT(0); - return -1; - } - -@@ -533,22 +545,47 @@ - - static int bio_filter_in_write(BIO *bio, const char *in, int inl) - { -+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, -+ "BUG: %s() should not be called", "bio_filter_in_write"); -+ AP_DEBUG_ASSERT(0); - return -1; - } - - static int bio_filter_in_puts(BIO *bio, const char *str) - { -+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, -+ "BUG: %s() should not be called", "bio_filter_in_puts"); -+ AP_DEBUG_ASSERT(0); - return -1; - } - - static int bio_filter_in_gets(BIO *bio, char *buf, int size) - { -+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, -+ "BUG: %s() should not be called", "bio_filter_in_gets"); -+ AP_DEBUG_ASSERT(0); - return -1; - } - - static long bio_filter_in_ctrl(BIO *bio, int cmd, long num, void *ptr) - { -- return -1; -+ bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)BIO_get_data(bio); -+ switch (cmd) { -+#ifdef 
BIO_CTRL_EOF -+ case BIO_CTRL_EOF: -+ return inctx->rc == APR_EOF; -+#endif -+ default: -+ break; -+ } -+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, inctx->f->c, -+ "BUG: bio_filter_in_ctrl() should not be called with cmd=%i", -+ cmd); -+ AP_DEBUG_ASSERT(0); -+ return 0; - } - - #if MODSSL_USE_OPENSSL_PRE_1_1_API -@@ -573,7 +610,7 @@ - bio_filter_in_read, - bio_filter_in_puts, /* puts is never called */ - bio_filter_in_gets, /* gets is never called */ -- bio_filter_in_ctrl, /* ctrl is never called */ -+ bio_filter_in_ctrl, /* ctrl is called for EOF check */ - bio_filter_create, - bio_filter_destroy, - NULL ---- httpd-2.4.51/modules/ssl/ssl_engine_kernel.c.openssl3 -+++ httpd-2.4.51/modules/ssl/ssl_engine_kernel.c -@@ -1685,6 +1685,7 @@ - ** _________________________________________________________________ - */ - -+#if MODSSL_USE_OPENSSL_PRE_1_1_API - /* - * Hand out standard DH parameters, based on the authentication strength - */ -@@ -1730,6 +1731,7 @@ - - return modssl_get_dh_params(keylen); - } -+#endif - - /* - * This OpenSSL callback function is called when OpenSSL -@@ -2614,7 +2616,11 @@ - unsigned char *keyname, - unsigned char *iv, - EVP_CIPHER_CTX *cipher_ctx, -- HMAC_CTX *hctx, -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ HMAC_CTX *hmac_ctx, -+#else -+ EVP_MAC_CTX *mac_ctx, -+#endif - int mode) - { - conn_rec *c = (conn_rec *)SSL_get_app_data(ssl); -@@ -2640,7 +2646,13 @@ - } - EVP_EncryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, - ticket_key->aes_key, iv); -- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); -+ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, -+ tlsext_tick_md(), NULL); -+#else -+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); -+#endif - - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02289) - "TLS session ticket key for %s successfully set, " -@@ -2661,7 +2673,13 @@ - - EVP_DecryptInit_ex(cipher_ctx, EVP_aes_128_cbc(), NULL, - 
ticket_key->aes_key, iv); -- HMAC_Init_ex(hctx, ticket_key->hmac_secret, 16, tlsext_tick_md(), NULL); -+ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ HMAC_Init_ex(hmac_ctx, ticket_key->hmac_secret, 16, -+ tlsext_tick_md(), NULL); -+#else -+ EVP_MAC_CTX_set_params(mac_ctx, ticket_key->mac_params); -+#endif - - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(02290) - "TLS session ticket key for %s successfully set, " ---- httpd-2.4.51/modules/ssl/ssl_engine_log.c.openssl3 -+++ httpd-2.4.51/modules/ssl/ssl_engine_log.c -@@ -78,6 +78,16 @@ - return APR_EGENERAL; - } - -+static APR_INLINE -+unsigned long modssl_ERR_peek_error_data(const char **data, int *flags) -+{ -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ return ERR_peek_error_line_data(NULL, NULL, data, flags); -+#else -+ return ERR_peek_error_data(data, flags); -+#endif -+} -+ - /* - * Prints the SSL library error information. - */ -@@ -87,7 +97,7 @@ - const char *data; - int flags; - -- while ((e = ERR_peek_error_line_data(NULL, NULL, &data, &flags))) { -+ while ((e = modssl_ERR_peek_error_data(&data, &flags))) { - const char *annotation; - char err[256]; - ---- httpd-2.4.51/modules/ssl/ssl_private.h.openssl3 -+++ httpd-2.4.51/modules/ssl/ssl_private.h -@@ -89,6 +89,9 @@ - /* must be defined before including ssl.h */ - #define OPENSSL_NO_SSL_INTERN - #endif -+#if OPENSSL_VERSION_NUMBER >= 0x30000000 -+#include -+#endif - #include - #include - #include -@@ -134,13 +137,12 @@ - SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, version, NULL) - #define SSL_CTX_set_max_proto_version(ctx, version) \ - SSL_CTX_ctrl(ctx, SSL_CTRL_SET_MAX_PROTO_VERSION, version, NULL) --#elif LIBRESSL_VERSION_NUMBER < 0x2070000f -+#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ - /* LibreSSL before 2.7 declares OPENSSL_VERSION_NUMBER == 2.0 but does not - * include most changes from OpenSSL >= 1.1 (new functions, macros, - * deprecations, ...), so we have to work around this... 
- */ --#define MODSSL_USE_OPENSSL_PRE_1_1_API (1) --#endif /* LIBRESSL_VERSION_NUMBER < 0x2060000f */ -+#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f) - #else /* defined(LIBRESSL_VERSION_NUMBER) */ - #define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) - #endif -@@ -681,7 +683,11 @@ - typedef struct { - const char *file_path; - unsigned char key_name[16]; -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - unsigned char hmac_secret[16]; -+#else -+ OSSL_PARAM mac_params[3]; -+#endif - unsigned char aes_key[16]; - } modssl_ticket_key_t; - #endif -@@ -945,8 +951,16 @@ - int ssl_callback_ClientHello(SSL *, int *, void *); - #endif - #ifdef HAVE_TLS_SESSION_TICKETS --int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, -- EVP_CIPHER_CTX *, HMAC_CTX *, int); -+int ssl_callback_SessionTicket(SSL *ssl, -+ unsigned char *keyname, -+ unsigned char *iv, -+ EVP_CIPHER_CTX *cipher_ctx, -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ HMAC_CTX *hmac_ctx, -+#else -+ EVP_MAC_CTX *mac_ctx, -+#endif -+ int mode); - #endif - - #ifdef HAVE_TLS_ALPN -@@ -1124,10 +1138,12 @@ - - #endif - -+#if MODSSL_USE_OPENSSL_PRE_1_1_API - /* Retrieve DH parameters for given key length. Return value should - * be treated as unmutable, since it is stored in process-global - * memory. */ - DH *modssl_get_dh_params(unsigned keylen); -+#endif - - /* Returns non-zero if the request was made over SSL/TLS. If sslconn - * is non-NULL and the request is using SSL/TLS, sets *sslconn to the diff --git a/httpd-2.4.43-detect-systemd.patch b/httpd-2.4.53-detect-systemd.patch similarity index 76% rename from httpd-2.4.43-detect-systemd.patch rename to httpd-2.4.53-detect-systemd.patch index 540687f..d501b06 100644 --- a/httpd-2.4.43-detect-systemd.patch +++ b/httpd-2.4.53-detect-systemd.patch @@ -1,5 +1,5 @@ diff --git a/Makefile.in b/Makefile.in -index 0b088ac..9eeb5c7 100644 +index a2e9c82..bd8045c 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -4,7 +4,7 @@ CLEAN_SUBDIRS = test
@@ -12,10 +12,10 @@ index 0b088ac..9eeb5c7 100644
 PROGRAM_DEPENDENCIES = \
 server/libmain.la \
 diff --git a/acinclude.m4 b/acinclude.m4
-index 2a7e5d1..eb28321 100644
+index 97484c9..05abe18 100644
 --- a/acinclude.m4
 +++ b/acinclude.m4
-@@ -624,6 +624,7 @@ case $host in
+@@ -631,6 +631,7 @@ case $host in
 if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
 AC_MSG_WARN([Your system does not support systemd.])
 else
@@ -24,18 +24,18 @@ index 2a7e5d1..eb28321 100644
 fi
 fi
 diff --git a/configure.in b/configure.in
-index 3618a5a..74a782b 100644
+index cf437fe..521fc45 100644
 --- a/configure.in
 +++ b/configure.in
-@@ -234,6 +234,7 @@ if test "$PCRE_CONFIG" != "false"; then
+@@ -239,6 +239,7 @@ if test "x$PCRE_CONFIG" != "x"; then
 AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
 APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
- APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
+ APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs8 2>/dev/null || $PCRE_CONFIG --libs`])
+ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
 else
- AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
+ AC_MSG_ERROR([pcre(2)-config for libpcre not found. PCRE is required and available from http://pcre.org/])
 fi
-@@ -710,6 +711,7 @@ APACHE_SUBST(OS_DIR)
+@@ -734,6 +735,7 @@ APACHE_SUBST(OS_DIR)
 APACHE_SUBST(BUILTIN_LIBS)
 APACHE_SUBST(SHLIBPATH_VAR)
 APACHE_SUBST(OS_SPECIFIC_VARS)
diff --git a/httpd.spec b/httpd.spec
index 0e5dcc3..38a0c72 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -12,8 +12,8 @@ Summary: Apache HTTP Server
 Name: httpd
-Version: 2.4.51
-Release: 8%{?dist}
+Version: 2.4.53
+Release: 1%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -66,7 +66,7 @@ Source48: apache-poweredby.png
 Patch2: httpd-2.4.43-apxs.patch
 Patch3: httpd-2.4.43-deplibs.patch
 # Needed for socket activation and mod_systemd patch
-Patch19: httpd-2.4.43-detect-systemd.patch
+Patch19: httpd-2.4.53-detect-systemd.patch
 # Features/functional changes
 Patch21: httpd-2.4.48-r1842929+.patch
 Patch22: httpd-2.4.43-mod_systemd.patch
@@ -98,9 +98,6 @@ Patch50: httpd-2.4.48-r1825120.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch60: httpd-2.4.43-enable-sslv3.patch
 Patch61: httpd-2.4.46-htcacheclean-dont-break.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1986822
-# https://bugzilla.redhat.com/show_bug.cgi?id=1976080
-Patch62: httpd-2.4.51-openssl3.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1932442
 Patch64: httpd-2.4.48-full-release.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1950011
@@ -111,12 +108,7 @@ Patch66: httpd-2.4.51-r1892413+.patch
 Patch67: httpd-2.4.51-r1811831.patch
 # Security fixes
-# https://bugzilla.redhat.com/show_bug.cgi?id=2034674
-Patch200: httpd-2.4.51-CVE-2021-44790.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2064321
-Patch201: httpd-2.4.51-CVE-2022-22720.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2034672
-Patch202: httpd-2.4.51-CVE-2021-44224.patch
+#Patch200: patchname
 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@@ -267,16 +259,11 @@ written in the Lua programming language.
 %patch60 -p1 -b .enable-sslv3
 %patch61 -p1 -b .htcacheclean-dont-break
-%patch62 -p1 -b .r1876934
 %patch64 -p1 -b .full-release
 %patch65 -p1 -b .r1877397
 %patch66 -p1 -b .r1892413+
 %patch67 -p1 -b .r1811831
-%patch200 -p1 -b .CVE-2021-44790
-%patch201 -p1 -b .CVE-2022-22720
-%patch202 -p1 -b .CVE-2021-44224
-
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
 sed -i 's/@RELEASE@/%{release}/' server/core.c
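Review bot: The `# Security fixes` hunk drops Patch200–Patch202 (CVE-2021-44790, CVE-2022-22720, CVE-2021-44224) and the preceding hunk drops Patch62 (httpd-2.4.51-openssl3.patch) without recording why, and the `%changelog` entry in the last spec hunk says only `new version 2.4.53`. Presumably the backports are removed because upstream 2.4.53 already carries them, but nothing in the spec or the package changelog lets a reader or a downstream security tracker confirm that the three CVEs are still covered by this build. Suggest replacing the `#Patch200: patchname` placeholder with a comment stating what was absorbed and where, e.g. `# CVE-2021-44224, CVE-2021-44790, CVE-2022-22720: fixed upstream, patches dropped with the 2.4.53 rebase`, and adding a changelog bullet such as `- drop CVE-2021-44224/CVE-2021-44790/CVE-2022-22720 and openssl3 backports, now upstream`. The same applies to the removed `%patch62`/`%patch200`–`%patch202` lines in the `%prep` hunk, which is where the next maintainer will look for the reason.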
@@ -822,6 +809,10 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Tue May 31 2022 Luboš Uhliarik - 2.4.53-1
+- new version 2.4.53
+- Resolves: #2079939 - httpd rebase to 2.4.53
+
 * Mon Apr 11 2022 Luboš Uhliarik - 2.4.51-8
 - Resolves: #2073459 - Cannot override LD_LIBARY_PATH in Apache HTTPD using SetEnv or PassEnv
diff --git a/sources b/sources
index edbf616..36266ed 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-SHA512 (httpd-2.4.51.tar.bz2) = 9fb07c4b176f5c0485a143e2b1bb1085345ca9120b959974f68c37a8911a57894d2cb488b1b42fdf3102860b99e890204f5e9fa7ae3828b481119c563812cc66
-SHA512 (httpd-2.4.51.tar.bz2.asc) = c63f2b08eb0b7e688c4a89b4be1d968c9e4a3f09714ffc4fb9b2210b6694b8c90f4067aec63601ec41987507bba8dfcef15f54b8c0707cc49414c9c76dd5d8ce
+SHA512 (httpd-2.4.53.tar.bz2) = 07ef59594251a30a864cc9cc9a58ab788c2d006cef85b728f29533243927c63cb063e0867f2a306f37324c3adb9cf7dcb2402f3516b05c2c6f32469d475dd756
+SHA512 (httpd-2.4.53.tar.bz2.asc) = 553df571cf8edda9146c2aaadce7e5a204f9aa8bd05b165dd81e2339db830c06bdb2b546321d3ab1dcc3133a7d37bbbeb31944b725d8a5fc6b6dc389a5c25686
 SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192