diff --git a/SOURCES/httpd-2.4.53-proxy-util-loglevel.patch b/SOURCES/httpd-2.4.53-proxy-util-loglevel.patch
new file mode 100644
index 0000000..34523b8
--- /dev/null
+++ b/SOURCES/httpd-2.4.53-proxy-util-loglevel.patch
@@ -0,0 +1,14 @@
+diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
+index e488aa6..8267f1b 100644
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -3121,7 +3121,7 @@ PROXY_DECLARE(apr_status_t) ap_proxy_check_connection(const char *scheme,
+ "%s: backend socket is disconnected.", scheme);
+ }
+ else {
+- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, server, APLOGNO(03408)
++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, server, APLOGNO(03408)
+ "%s: reusable backend connection is not empty: "
+ "forcibly closed", scheme);
+ }
+
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 59938c7..309d516 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.53
-Release: 7%{?dist}.5
+Release: 11%{?dist}.4
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -114,6 +114,8 @@ Patch66: httpd-2.4.51-r1892413+.patch Patch67: httpd-2.4.51-r1811831.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2098056 Patch68: httpd-2.4.53-r1878890.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2151313 +Patch69: httpd-2.4.53-proxy-util-loglevel.patch # Security fixes # https://bugzilla.redhat.com/show_bug.cgi?id=2094997
@@ -168,7 +170,7 @@ Requires: httpd-filesystem = %{version}-%{release} Requires(pre): httpd-filesystem Conflicts: apr < 1.5.0-1 Conflicts: httpd < 2.4.53-3 -Conflicts: mod_http2 < 1.15.19-3%{?dist}.4 +Conflicts: mod_http2 < 1.15.19-4%{?dist}.3 Obsoletes: mod_proxy_uwsgi < 2.0.17.1-2 %description core
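Review bot: Lowering AH03408 from `APLOG_WARNING` to `APLOG_INFO` in `ap_proxy_check_connection` means the "reusable backend connection is not empty: forcibly closed" message is no longer written at httpd's default `LogLevel warn`. Unread bytes left on a reused backend connection can be a server-side sign of a proxy/backend response desync, which may be relevant to the mod_proxy splitting issues listed in this same changelog, so the message has some detection value. The new patch file carries no rationale beyond the Bugzilla link in the spec. I would add a short header comment to `httpd-2.4.53-proxy-util-loglevel.patch` stating why the level was lowered and that deployments wanting the message back can set `LogLevel proxy:info`. Alerting keyed on AH03408 at warn level will need the same adjustment; the enclosing function starts and ends outside the inner hunk.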
@@ -221,7 +223,7 @@ Epoch: 1 BuildRequires: openssl-devel Requires(pre): httpd-filesystem Requires: httpd-core = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} -Requires: sscg >= 2.2.0, /usr/bin/hostname +Requires: sscg >= 3.0.0-7, /usr/bin/hostname # Require an OpenSSL which supports PROFILE=SYSTEM Conflicts: openssl-libs < 1:1.0.1h-4
@@ -305,6 +307,7 @@ written in the Lua programming language. %patch66 -p1 -b .r1892413+ %patch67 -p1 -b .r1811831 %patch68 -p1 -b .r1878890 +%patch69 -p1 -b .proxyutil-loglevel %patch200 -p1 -b .CVE-2022-26377 %patch201 -p1 -b .CVE-2022-28615
@@ -876,18 +879,26 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog -* Thu Mar 16 2023 Luboš Uhliarik - 2.4.53-7.5 -- Resolves: #2177751 - CVE-2023-25690 httpd: HTTP request splitting with - mod_rewrite and mod_proxy +* Sat Mar 18 2023 Luboš Uhliarik - 2.4.53-11.4 +- Resolves: #2177752 - CVE-2023-25690 httpd: HTTP request splitting with + mod_rewrite and mod_proxy -* Tue Jan 31 2023 Luboš Uhliarik - 2.4.53-7.1 -- Resolves: #2165975 - prevent sscg creating /dhparams.pem -- Resolves: #2165970 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write +* Mon Jan 30 2023 Luboš Uhliarik - 2.4.53-11 +- Resolves: #2162500 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write of zero byte -- Resolves: #2165973 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting -- Resolves: #2165974 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request +- Resolves: #2162486 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting +- Resolves: #2162510 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request smuggling +* Tue Jan 24 2023 Luboš Uhliarik - 2.4.53-10 +- Resolves: #2160667 - prevent sscg creating /dhparams.pem + +* Thu Dec 08 2022 Luboš Uhliarik - 2.4.53-9 +- Resolves: #2143176 - Dependency from mod_http2 on httpd broken + +* Tue Dec 06 2022 Luboš Uhliarik - 2.4.53-8 +- Resolves: #2151313 - reduce AH03408 log level from WARNING to INFO + * Wed Jul 20 2022 Luboš Uhliarik - 2.4.53-7 - Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling