Merge branch 'c8-stream-2.4' into a8-stream-2.4
This commit is contained in:
commit
0afc2f5f9f
|
@ -0,0 +1,13 @@
|
||||||
|
diff --git a/server/scoreboard.c b/server/scoreboard.c
|
||||||
|
index 23e3d70..7b01bdf 100644
|
||||||
|
--- a/server/scoreboard.c
|
||||||
|
+++ b/server/scoreboard.c
|
||||||
|
@@ -376,7 +376,7 @@ AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r)
|
||||||
|
if (pfn_ap_logio_get_last_bytes != NULL) {
|
||||||
|
bytes = pfn_ap_logio_get_last_bytes(r->connection);
|
||||||
|
}
|
||||||
|
- else if (r->method_number == M_GET && r->method[0] == 'H') {
|
||||||
|
+ else if (r->method_number == M_GET && r->method && r->method[0] == 'H') {
|
||||||
|
bytes = 0;
|
||||||
|
}
|
||||||
|
else {
|
|
@ -0,0 +1,21 @@
|
||||||
|
diff --git a/server/util.c b/server/util.c
|
||||||
|
index e0c558c..2a5dd04 100644
|
||||||
|
--- a/server/util.c
|
||||||
|
+++ b/server/util.c
|
||||||
|
@@ -2460,13 +2460,12 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
|
||||||
|
* in front of every " that doesn't already have one.
|
||||||
|
*/
|
||||||
|
while (*inchr != '\0') {
|
||||||
|
- if ((*inchr == '\\') && (inchr[1] != '\0')) {
|
||||||
|
- *outchr++ = *inchr++;
|
||||||
|
- *outchr++ = *inchr++;
|
||||||
|
- }
|
||||||
|
if (*inchr == '"') {
|
||||||
|
*outchr++ = '\\';
|
||||||
|
}
|
||||||
|
+ if ((*inchr == '\\') && (inchr[1] != '\0')) {
|
||||||
|
+ *outchr++ = *inchr++;
|
||||||
|
+ }
|
||||||
|
if (*inchr != '\0') {
|
||||||
|
*outchr++ = *inchr++;
|
||||||
|
}
|
|
@ -0,0 +1,154 @@
|
||||||
|
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
|
||||||
|
index 9828cdf..6bedcac 100644
|
||||||
|
--- a/modules/http/http_filters.c
|
||||||
|
+++ b/modules/http/http_filters.c
|
||||||
|
@@ -1605,9 +1605,9 @@ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status)
|
||||||
|
*/
|
||||||
|
AP_DECLARE(int) ap_discard_request_body(request_rec *r)
|
||||||
|
{
|
||||||
|
+ int rc = OK;
|
||||||
|
+ conn_rec *c = r->connection;
|
||||||
|
apr_bucket_brigade *bb;
|
||||||
|
- int seen_eos;
|
||||||
|
- apr_status_t rv;
|
||||||
|
|
||||||
|
/* Sometimes we'll get in a state where the input handling has
|
||||||
|
* detected an error where we want to drop the connection, so if
|
||||||
|
@@ -1616,54 +1616,57 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r)
|
||||||
|
*
|
||||||
|
* This function is also a no-op on a subrequest.
|
||||||
|
*/
|
||||||
|
- if (r->main || r->connection->keepalive == AP_CONN_CLOSE ||
|
||||||
|
- ap_status_drops_connection(r->status)) {
|
||||||
|
+ if (r->main || c->keepalive == AP_CONN_CLOSE) {
|
||||||
|
+ return OK;
|
||||||
|
+ }
|
||||||
|
+ if (ap_status_drops_connection(r->status)) {
|
||||||
|
+ c->keepalive = AP_CONN_CLOSE;
|
||||||
|
return OK;
|
||||||
|
}
|
||||||
|
|
||||||
|
bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
|
||||||
|
- seen_eos = 0;
|
||||||
|
- do {
|
||||||
|
- apr_bucket *bucket;
|
||||||
|
+ for (;;) {
|
||||||
|
+ apr_status_t rv;
|
||||||
|
|
||||||
|
rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
|
||||||
|
APR_BLOCK_READ, HUGE_STRING_LEN);
|
||||||
|
-
|
||||||
|
if (rv != APR_SUCCESS) {
|
||||||
|
- apr_brigade_destroy(bb);
|
||||||
|
- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
|
||||||
|
+ rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
- for (bucket = APR_BRIGADE_FIRST(bb);
|
||||||
|
- bucket != APR_BRIGADE_SENTINEL(bb);
|
||||||
|
- bucket = APR_BUCKET_NEXT(bucket))
|
||||||
|
- {
|
||||||
|
- const char *data;
|
||||||
|
- apr_size_t len;
|
||||||
|
+ while (!APR_BRIGADE_EMPTY(bb)) {
|
||||||
|
+ apr_bucket *b = APR_BRIGADE_FIRST(bb);
|
||||||
|
|
||||||
|
- if (APR_BUCKET_IS_EOS(bucket)) {
|
||||||
|
- seen_eos = 1;
|
||||||
|
- break;
|
||||||
|
+ if (APR_BUCKET_IS_EOS(b)) {
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
- /* These are metadata buckets. */
|
||||||
|
- if (bucket->length == 0) {
|
||||||
|
- continue;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- /* We MUST read because in case we have an unknown-length
|
||||||
|
- * bucket or one that morphs, we want to exhaust it.
|
||||||
|
+ /* There is no need to read empty or metadata buckets or
|
||||||
|
+ * buckets of known length, but we MUST read buckets of
|
||||||
|
+ * unknown length in order to exhaust them.
|
||||||
|
*/
|
||||||
|
- rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
|
||||||
|
+ if (b->length == (apr_size_t)-1) {
|
||||||
|
+ apr_size_t len;
|
||||||
|
+ const char *data;
|
||||||
|
+
|
||||||
|
+ rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ);
|
||||||
|
if (rv != APR_SUCCESS) {
|
||||||
|
- apr_brigade_destroy(bb);
|
||||||
|
- return HTTP_BAD_REQUEST;
|
||||||
|
+ rc = HTTP_BAD_REQUEST;
|
||||||
|
+ goto cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
- apr_brigade_cleanup(bb);
|
||||||
|
- } while (!seen_eos);
|
||||||
|
|
||||||
|
- return OK;
|
||||||
|
+ apr_bucket_delete(b);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+cleanup:
|
||||||
|
+ apr_brigade_cleanup(bb);
|
||||||
|
+ if (rc != OK) {
|
||||||
|
+ c->keepalive = AP_CONN_CLOSE;
|
||||||
|
+ }
|
||||||
|
+ return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Here we deal with getting the request message body from the client.
|
||||||
|
diff --git a/server/protocol.c b/server/protocol.c
|
||||||
|
index a2aa081..a554970 100644
|
||||||
|
--- a/server/protocol.c
|
||||||
|
+++ b/server/protocol.c
|
||||||
|
@@ -1666,23 +1666,29 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,
|
||||||
|
rnew->main = (request_rec *) r;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static void end_output_stream(request_rec *r)
|
||||||
|
+static void end_output_stream(request_rec *r, int status)
|
||||||
|
{
|
||||||
|
conn_rec *c = r->connection;
|
||||||
|
apr_bucket_brigade *bb;
|
||||||
|
apr_bucket *b;
|
||||||
|
|
||||||
|
bb = apr_brigade_create(r->pool, c->bucket_alloc);
|
||||||
|
+ if (status != OK) {
|
||||||
|
+ b = ap_bucket_error_create(status, NULL, r->pool, c->bucket_alloc);
|
||||||
|
+ APR_BRIGADE_INSERT_TAIL(bb, b);
|
||||||
|
+ }
|
||||||
|
b = apr_bucket_eos_create(c->bucket_alloc);
|
||||||
|
APR_BRIGADE_INSERT_TAIL(bb, b);
|
||||||
|
+
|
||||||
|
ap_pass_brigade(r->output_filters, bb);
|
||||||
|
+ apr_brigade_cleanup(bb);
|
||||||
|
}
|
||||||
|
|
||||||
|
AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
|
||||||
|
{
|
||||||
|
/* tell the filter chain there is no more content coming */
|
||||||
|
if (!sub->eos_sent) {
|
||||||
|
- end_output_stream(sub);
|
||||||
|
+ end_output_stream(sub, OK);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1693,11 +1699,11 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
|
||||||
|
*/
|
||||||
|
AP_DECLARE(void) ap_finalize_request_protocol(request_rec *r)
|
||||||
|
{
|
||||||
|
- (void) ap_discard_request_body(r);
|
||||||
|
+ int status = ap_discard_request_body(r);
|
||||||
|
|
||||||
|
/* tell the filter chain there is no more content coming */
|
||||||
|
if (!r->eos_sent) {
|
||||||
|
- end_output_stream(r);
|
||||||
|
+ end_output_stream(r, status);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
|
@ -14,7 +14,7 @@
|
||||||
Summary: Apache HTTP Server
|
Summary: Apache HTTP Server
|
||||||
Name: httpd
|
Name: httpd
|
||||||
Version: 2.4.37
|
Version: 2.4.37
|
||||||
Release: 43%{?dist}.1
|
Release: 43%{?dist}.3
|
||||||
URL: https://httpd.apache.org/
|
URL: https://httpd.apache.org/
|
||||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||||
Source2: httpd.logrotate
|
Source2: httpd.logrotate
|
||||||
|
@ -199,6 +199,12 @@ Patch214: httpd-2.4.37-CVE-2021-40438.patch
|
||||||
Patch215: httpd-2.4.37-CVE-2021-26691.patch
|
Patch215: httpd-2.4.37-CVE-2021-26691.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2034674
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2034674
|
||||||
Patch216: httpd-2.4.37-CVE-2021-44790.patch
|
Patch216: httpd-2.4.37-CVE-2021-44790.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2005128
|
||||||
|
Patch217: httpd-2.4.37-CVE-2021-34798.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2005119
|
||||||
|
Patch218: httpd-2.4.37-CVE-2021-39275.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2064321#
|
||||||
|
Patch219: httpd-2.4.37-CVE-2022-22720.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
|
@ -395,6 +401,9 @@ interface for storing and accessing per-user session data.
|
||||||
%patch214 -p1 -b .CVE-2021-40438
|
%patch214 -p1 -b .CVE-2021-40438
|
||||||
%patch215 -p1 -b .CVE-2021-26691
|
%patch215 -p1 -b .CVE-2021-26691
|
||||||
%patch216 -p1 -b .CVE-2021-44790
|
%patch216 -p1 -b .CVE-2021-44790
|
||||||
|
%patch217 -p1 -b .CVE-2021-34798
|
||||||
|
%patch218 -p1 -b .CVE-2021-39275
|
||||||
|
%patch219 -p1 -b .CVE-2022-22720
|
||||||
|
|
||||||
# Patch in the vendor string
|
# Patch in the vendor string
|
||||||
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
||||||
|
@ -900,9 +909,19 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_rpmconfigdir}/macros.d/macros.httpd
|
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Jan 25 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 2.4.37-43.1.alma
|
* Thu Mar 24 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 2.4.37-43.3.alma
|
||||||
- include AlmaLinux in version string
|
- include AlmaLinux in version string
|
||||||
|
|
||||||
|
* Mon Mar 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.3
|
||||||
|
- Resolves: #2065247 - CVE-2022-22720 httpd:2.4/httpd: HTTP request smuggling
|
||||||
|
vulnerability in Apache HTTP Server 2.4.52 and earlier
|
||||||
|
|
||||||
|
* Fri Feb 25 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.2
|
||||||
|
- Resolves: #2059256 - CVE-2021-34798 httpd:2.4/httpd: NULL pointer dereference
|
||||||
|
via malformed requests
|
||||||
|
- Resolves: #2059257 - CVE-2021-39275 httpd:2.4/httpd: out-of-bounds write in
|
||||||
|
ap_escape_quotes() via malicious input
|
||||||
|
|
||||||
* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.1
|
* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43.1
|
||||||
- Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer
|
- Resolves: #2035062 - CVE-2021-44790 httpd:2.4/httpd: mod_lua: possible buffer
|
||||||
overflow when parsing multipart content
|
overflow when parsing multipart content
|
||||||
|
|
Loading…
Reference in New Issue