import httpd-2.4.37-56.module+el8.8.0+18556+a66138c1.4

2023-05-16 06:05:42 +00:00 · 2023-05-16 06:05:42 +00:00 · 0a9df3405e
commit 0a9df3405e
parent 203fa9fde1
2 changed files with 118 additions and 10 deletions
--- a/SOURCES/httpd-2.4.37-add-SNI-support.patch
+++ b/SOURCES/httpd-2.4.37-add-SNI-support.patch
@ -0,0 +1,92 @@
+commit 4c0e27d7bfbf46f14dfbd5d888e56c64ad8c8de5
+Author: Tomas Korbar <tkorbar@redhat.com>
+Date:   Mon Sep 19 13:22:27 2022 +0200
+
+    Backport refactor of SNI support to httpd-2.4.37
+
+diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
+index a7e0dcd..31ccd32 100644
+--- a/modules/http2/mod_proxy_http2.c
+++ b/modules/http2/mod_proxy_http2.c
+@@ -591,16 +591,6 @@ run_connect:
+         }
+         
+         if (!ctx->p_conn->data) {
+-            /* New conection: set a note on the connection what CN is
+-             * requested and what protocol we want */
+-            if (ctx->p_conn->ssl_hostname) {
+-                ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner, 
+-                              "set SNI to %s for (%s)", 
+-                              ctx->p_conn->ssl_hostname, 
+-                              ctx->p_conn->hostname);
+-                apr_table_setn(ctx->p_conn->connection->notes,
+-                               "proxy-request-hostname", ctx->p_conn->ssl_hostname);
+-            }
+             if (ctx->is_ssl) {
+                 apr_table_setn(ctx->p_conn->connection->notes,
+                                "proxy-request-alpn-protos", "h2");
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index 1b7bb81..c1c591a 100644
+--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
+@@ -2111,19 +2111,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
+             req->origin->keepalive = AP_CONN_CLOSE;
+         }
+ 
+-        /*
+-         * On SSL connections set a note on the connection what CN is
+-         * requested, such that mod_ssl can check if it is requested to do
+-         * so.
+-         *
+-         * https://github.com/apache/httpd/commit/7d272e2628b4ae05f68cdc74b070707250896a34
+-         */
+-        if (backend->ssl_hostname) {
+-            apr_table_setn(backend->connection->notes,
+-                           "proxy-request-hostname",
+-                           backend->ssl_hostname);
+-        }
+-
+         /* Step Four: Send the Request
+          * On the off-chance that we forced a 100-Continue as a
+          * kinda HTTP ping test, allow for retries
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index ec9a414..805820d 100644
+--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
+@@ -3261,6 +3261,16 @@ static int proxy_connection_create(const char *proxy_function,
+                          backend_addr, conn->hostname);
+             return HTTP_INTERNAL_SERVER_ERROR;
+         }
+        if (conn->ssl_hostname) {
+            /* Set a note on the connection about what CN is requested,
+             * such that mod_ssl can check if it is requested to do so.
+             */
+            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection, 
+                          "%s: set SNI to %s for (%s)", proxy_function,
+                          conn->ssl_hostname, conn->hostname);
+            apr_table_setn(conn->connection->notes, "proxy-request-hostname",
+                           conn->ssl_hostname);
+        }
+     }
+     else {
+         /* TODO: See if this will break FTP */
+diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
+index 4e3875a..9b4280c 100644
+--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
+@@ -1273,7 +1273,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
+             ((dc->proxy->ssl_check_peer_cn != FALSE) ||
+              (dc->proxy->ssl_check_peer_name == TRUE)) &&
+             hostname_note) {
+-            apr_table_unset(c->notes, "proxy-request-hostname");
+             if (!cert
+                 || modssl_X509_match_name(c->pool, cert, hostname_note,
+                                           TRUE, server) == FALSE) {
+@@ -1290,7 +1289,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
+ 
+             hostname = ssl_var_lookup(NULL, server, c, NULL,
+                                       "SSL_CLIENT_S_DN_CN");
+-            apr_table_unset(c->notes, "proxy-request-hostname");
+ 
+             /* Do string match or simplest wildcard match if that
+              * fails. */
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 51%{?dist}.5
+Release: 56%{?dist}.4
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@ -163,6 +163,8 @@ Patch88: httpd-2.4.37-r1845768+.patch
 Patch89: httpd-2.4.37-r1862410.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1984828
 Patch90: httpd-2.4.37-hcheck-mem-issues.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2017543
+Patch91: httpd-2.4.37-add-SNI-support.patch

 # Security fixes
 Patch200: httpd-2.4.37-r1851471.patch
@ -263,7 +265,7 @@ Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
 Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}
 Requires: httpd-tools = %{version}-%{release}
 Requires: httpd-filesystem = %{version}-%{release}
-Requires: mod_http2
+Requires: mod_http2 >= 1.15.7-5
 Requires(pre): httpd-filesystem
 Requires(preun): systemd-units
 Requires(postun): systemd-units
@ -327,7 +329,7 @@ Epoch: 1
 BuildRequires: openssl-devel
 Requires(pre): httpd-filesystem
 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
-Requires: sscg >= 2.2.0
+Requires: sscg >= 3.0.0-7, /usr/bin/hostname
 Obsoletes: stronghold-mod_ssl
 # Require an OpenSSL which supports PROFILE=SYSTEM
 Conflicts: openssl-libs < 1:1.0.1h-4
@ -426,6 +428,7 @@ interface for storing and accessing per-user session data.
 %patch88 -p1 -b .r1845768+
 %patch89 -p1 -b .r1862410
 %patch90 -p1 -b .hcheck-mem-issues
+%patch91 -p1 -b .SNI

 %patch200 -p1 -b .r1851471
 %patch201 -p1 -b .CVE-2019-0211
@ -971,18 +974,31 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
-* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-51.5
- Resolves: #2177747 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
+* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56.4
+- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
  with mod_rewrite and mod_proxy

-* Tue Jan 31 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-51.1
- Resolves: #2165967 - prevent sscg creating /dhparams.pem
- Resolves: #2165976 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write
+* Tue Jan 31 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56
+- Resolves: #2162499 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write
  of zero byte
- Resolves: #2165977 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting
- Resolves: #2165978 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request
+- Resolves: #2162485 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting
+- Resolves: #2162509 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request
  smuggling

+* Thu Jan 26 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-55
+- Resolves: #2155961 - prevent sscg creating /dhparams.pem
+
+* Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-54
+- Resolves: #2095650 - Dependency from mod_http2 on httpd broken
+
+* Wed Nov 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-53
+- Resolves: #2050888 - httpd with SSL fails to start unless hostname command
+  was installed
+
+* Mon Sep 19 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.37-52
+- Add the SNI support in mod_proxy_wstunnel module for Apache httpd
+- Resolves: rhbz#2017543
+
 * Mon Jul 25 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-51
 - Resolves: #2097015 - CVE-2022-28614 httpd:2.4/httpd: out-of-bounds read via
  ap_rwrite()