rpms/httpd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Address CVE-2017-9798 by applying upstream patch

Browse Source 
Reference RHBZ #1490344
This commit is contained in:
Jeroen van Meeuwen (Ergo Project) 2017-09-21 19:28:15 +02:00
parent 6a77761740
commit 10a87792e5
2 changed files with 23 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
httpd-2.4.27-CVE-2017-9798.patch Normal file
View File

@ -0,0 +1,15 @@
--- httpd/httpd/branches/2.4.x/server/core.c 2017/08/16 16:50:29 1805223
+++ httpd/httpd/branches/2.4.x/server/core.c 2017/09/08 13:13:11 1807754
@@ -2266,6 +2266,12 @@
/* method has not been registered yet, but resource restriction
* is always checked before method handling, so register it.
*/
+ if (cmd->pool == cmd->temp_pool) {
+ /* In .htaccess, we can't globally register new methods. */
+ return apr_psprintf(cmd->pool, "Could not register method '%s' "
+ "for %s from .htaccess configuration",
+ method, cmd->cmd->name);
+ }
methnum = ap_method_register(cmd->pool,
apr_pstrdup(cmd->pool, method));
}

11
httpd.spec
View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server Summary: Apache HTTP Server
Name: httpd Name: httpd
Version: 2.4.27 Version: 2.4.27
Release: 9%{?dist} Release: 10%{?dist}
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html Source1: index.html
@ -74,7 +74,8 @@ Patch56: httpd-2.4.4-mod_unique_id.patch
Patch57: httpd-2.4.10-sigint.patch Patch57: httpd-2.4.10-sigint.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch58: httpd-2.4.25-r1738878.patch Patch58: httpd-2.4.25-r1738878.patch
Patch59: httpd-2.4.27-r1808230.patch Patch59: httpd-2.4.27-CVE-2017-9798.patch
Patch60: httpd-2.4.27-r1808230.patch
# Security fixes # Security fixes
License: ASL 2.0 License: ASL 2.0
@ -222,7 +223,8 @@ interface for storing and accessing per-user session data.
%patch56 -p1 -b .uniqueid %patch56 -p1 -b .uniqueid
%patch57 -p1 -b .sigint %patch57 -p1 -b .sigint
%patch58 -p1 -b .r1738878 %patch58 -p1 -b .r1738878
%patch59 -p1 -b .r1808230 %patch59 -p4 -b .cve-2017-9798
%patch60 -p1 -b .r1808230
# Patch in the vendor string # Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -687,6 +689,9 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Thu Sep 21 2017 Jeroen van Meeuwen <kanarip@fedoraproject.org> - 2.4.27-10
- Address CVE-2017-9798 by applying patch from upstream (#1490344)
* Thu Sep 21 2017 Joe Orton <jorton@redhat.com> - 2.4.27-9 * Thu Sep 21 2017 Joe Orton <jorton@redhat.com> - 2.4.27-9
- use sscg defaults; append CA cert to generated cert - use sscg defaults; append CA cert to generated cert
- document httpd-init.service in httpd-init.service(8) - document httpd-init.service in httpd-init.service(8)