diff --git a/SOURCES/httpd-2.4.62-CVE-2024-47252.patch b/SOURCES/httpd-2.4.62-CVE-2024-47252.patch
new file mode 100644
index 0000000..df0063a
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2024-47252.patch
@@ -0,0 +1,45 @@
+From c01e60707048be14a510f0a92128a5227923215c Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 7 Jul 2025 12:03:42 +0000
+Subject: [PATCH] backport 1927034 from trunk
+
+ escape ssl vars
+
+Reviewed By: rpluem, jorton, covener, ylavic
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927042 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_vars.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
+index 418d849e00e..4060c0f6a63 100644
+--- a/modules/ssl/ssl_engine_vars.c
++++ b/modules/ssl/ssl_engine_vars.c
+@@ -1208,8 +1208,9 @@ static const char *ssl_var_log_handler_c(request_rec *r, char *a)
+ result = "-";
+ else if (strEQ(a, "errstr"))
+ result = (char *)sslconn->verify_error;
+- if (result != NULL && result[0] == NUL)
+- result = NULL;
++ if (result) {
++ result = *result ? ap_escape_logitem(r->pool, result) : NULL;
++ }
+ return result;
+ }
+
+@@ -1222,8 +1223,9 @@ static const char *ssl_var_log_handler_x(request_rec *r, char *a)
+ char *result;
+
+ result = ssl_var_lookup(r->pool, r->server, r->connection, r, a);
+- if (result != NULL && result[0] == NUL)
+- result = NULL;
++ if (result) {
++ result = *result ? ap_escape_logitem(r->pool, result) : NULL;
++ }
+ return result;
+ }
+
+
diff --git a/SOURCES/httpd-2.4.62-CVE-2025-23048.patch b/SOURCES/httpd-2.4.62-CVE-2025-23048.patch
new file mode 100644
index 0000000..d868acb
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2025-23048.patch
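Review bot: Both hunks in ssl_engine_vars.c add the same three-line escape-or-NULL idiom to ssl_var_log_handler_c and ssl_var_log_handler_x, so the escaping policy now lives in two places that have to be kept in sync. A small file-scope helper would keep a single definition, e.g. `static const char *escape_log_value(request_rec *r, const char *v) { return (v && *v) ? ap_escape_logitem(r->pool, v) : NULL; }`, called as `result = escape_log_value(r, result);` in both handlers. A one-line comment at the call site is also worth adding, e.g. `/* Escape here, at the log-format boundary: the value (verify_error, or whatever ssl_var_lookup returned) previously reached the logger unmodified. */`, since the removed lines show the string was passed through as-is. Both enclosing functions start outside their hunks.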
@@ -0,0 +1,56 @@
+From d76573e7608cbdeab6c6a658c427d900917bf955 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 7 Jul 2025 11:51:57 +0000
+Subject: [PATCH] update SNI validation
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927035 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_kernel.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 9c51021..d912a87 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -371,19 +371,6 @@ int ssl_hook_ReadReq(request_rec *r)
+ " provided in HTTP request", servername);
+ return HTTP_BAD_REQUEST;
+ }
+- if (r->server != handshakeserver
+- && !ssl_server_compatible(sslconn->server, r->server)) {
+- /*
+- * The request does not select the virtual host that was
+- * selected by the SNI and its SSL parameters are different
+- */
+-
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
+- "Hostname %s provided via SNI and hostname %s provided"
+- " via HTTP have no compatible SSL setup",
+- servername, r->hostname);
+- return HTTP_MISDIRECTED_REQUEST;
+- }
+ }
+ else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
+ || hssc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
+@@ -404,6 +391,21 @@ int ssl_hook_ReadReq(request_rec *r)
+ "which is required to access this server.
\n");
+ return HTTP_FORBIDDEN;
+ }
++ if (r->server != handshakeserver
++ && !ssl_server_compatible(sslconn->server, r->server)) {
++ /*
++ * The request does not select the virtual host that was
++ * selected for handshaking and its SSL parameters are different
++ */
++
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
++ "Hostname %s %s and hostname %s provided"
++ " via HTTP have no compatible SSL setup",
++ servername ? servername : handshakeserver->server_hostname,
++ servername ? "provided via SNI" : "(default host as no SNI was provided)",
++ r->hostname);
++ return HTTP_MISDIRECTED_REQUEST;
++ }
+ }
+ #endif
+ modssl_set_app_data2(ssl, r);
diff --git a/SOURCES/httpd-2.4.62-CVE-2025-49812.patch b/SOURCES/httpd-2.4.62-CVE-2025-49812.patch
new file mode 100644
index 0000000..3b55e65
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2025-49812.patch
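Review bot: The relocated compatibility check now runs on the no-SNI path as well as the SNI path (the removed copy sat inside the `servername` block, the new one sits after the if/else-if chain and handles `servername == NULL` in the log call), but its block comment still reads as if only the handshake-selected vhost mattered. I would extend it, e.g. `/* Applies whether or not SNI was sent: without SNI the handshake used the default host, and the Host header may have selected a vhost with different SSL parameters. */`. Note that in strict-SNI mode the preceding `return HTTP_FORBIDDEN;` is reached first, so the no-SNI branch of this check only matters when strict checking is off. `handshakeserver`, `sslconn` and `servername` are assigned outside the hunk, and ssl_hook_ReadReq starts and ends outside it.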
@@ -0,0 +1,198 @@
+From 87a7351c755c9ef8ab386e3090e44838c2a06d48 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 7 Jul 2025 12:09:30 +0000
+Subject: [PATCH] backport 1927037 from trunk
+
+ remove antiquated 'SSLEngine optional' TLS upgrade
+
+Reviewed By: rpluem, jorton, covener
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927045 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_config.c | 6 ++-
+ modules/ssl/ssl_engine_init.c | 6 +--
+ modules/ssl/ssl_engine_kernel.c | 86 ---------------------------------
+ modules/ssl/ssl_private.h | 1 -
+ 4 files changed, 7 insertions(+), 92 deletions(-)
+
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 25f50a2..c5dce7f 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -742,11 +742,13 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
+ return NULL;
+ }
+ else if (!strcasecmp(arg, "Optional")) {
+- sc->enabled = SSL_ENABLED_OPTIONAL;
++ sc->enabled = SSL_ENABLED_FALSE;
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server, APLOGNO(10510)
++ "'SSLEngine optional' is no longer supported");
+ return NULL;
+ }
+
+- return "Argument must be On, Off, or Optional";
++ return "Argument must be On or Off";
+ }
+
+ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index ebb11e9..309a7a4 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -427,7 +427,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ &ssl_module);
+
+ sc = mySrvConfig(s);
+- if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) {
++ if (sc->enabled == SSL_ENABLED_TRUE) {
+ if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) {
+ return rv;
+ }
+@@ -2152,9 +2152,9 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
 &ssl_module);
+ apr_status_t rv;
+
+- /* Initialize the server if SSL is enabled or optional.
++ /* Initialize the server if SSL is enabled.
+ */
+- if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) {
++ if (sc->enabled == SSL_ENABLED_TRUE) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914)
+ "Configuring server %s for SSL protocol", sc->vhost_id);
+ if ((rv = ssl_init_server_ctx(s, p, ptemp, sc, pphrases))
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index d912a87..33aa1f7 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -38,59 +38,6 @@ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
+ #endif
+
+-#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
+-#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
+-#define CONNECTION_HEADER "Connection: Upgrade"
+-
+-/* Perform an upgrade-to-TLS for the given request, per RFC 2817. */
+-static apr_status_t upgrade_connection(request_rec *r)
+-{
+- struct conn_rec *conn = r->connection;
+- apr_bucket_brigade *bb;
+- SSLConnRec *sslconn;
+- apr_status_t rv;
+- SSL *ssl;
+-
+- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02028)
+- "upgrading connection to TLS");
+-
+- bb = apr_brigade_create(r->pool, conn->bucket_alloc);
+-
+- rv = ap_fputs(conn->output_filters, bb, SWITCH_STATUS_LINE CRLF
+- UPGRADE_HEADER CRLF CONNECTION_HEADER CRLF CRLF);
+- if (rv == APR_SUCCESS) {
+- APR_BRIGADE_INSERT_TAIL(bb,
+- apr_bucket_flush_create(conn->bucket_alloc));
+- rv = ap_pass_brigade(conn->output_filters, bb);
+- }
+-
+- if (rv) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02029)
+- "failed to send 101 interim response for connection "
+- "upgrade");
+- return rv;
+- }
+-
+- ssl_init_ssl_connection(conn, r);
+-
+- sslconn = myConnConfig(conn);
+- ssl = sslconn->ssl;
+-
+- /* Perform initial SSL handshake.
*/
+- SSL_set_accept_state(ssl);
+- SSL_do_handshake(ssl);
+-
+- if (!SSL_is_init_finished(ssl)) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
+- "TLS upgrade handshake failed");
+- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+-
+- return APR_ECONNABORTED;
+- }
+-
+- return APR_SUCCESS;
+-}
+-
+ /* Perform a speculative (and non-blocking) read from the connection
+ * filters for the given request, to determine whether there is any
+ * pending data to read. Return non-zero if there is, else zero. */
+@@ -270,40 +217,17 @@ int ssl_hook_ReadReq(request_rec *r)
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
+ SSLConnRec *sslconn;
+- const char *upgrade;
+ #ifdef HAVE_TLSEXT
+ const char *servername;
+ #endif
+ SSL *ssl;
+
+- /* Perform TLS upgrade here if "SSLEngine optional" is configured,
+- * SSL is not already set up for this connection, and the client
+- * has sent a suitable Upgrade header. */
+- if (sc->enabled == SSL_ENABLED_OPTIONAL && !myConnConfig(r->connection)
+- && (upgrade = apr_table_get(r->headers_in, "Upgrade")) != NULL
+- && ap_find_token(r->pool, upgrade, "TLS/1.0")) {
+- if (upgrade_connection(r)) {
+- return AP_FILTER_ERROR;
+- }
+- }
+-
+ /* If we are on a slave connection, we do not expect to have an SSLConnRec,
+ * but our master connection might. */
+ sslconn = myConnConfig(r->connection);
+ if (!(sslconn && sslconn->ssl) && r->connection->master) {
+ sslconn = myConnConfig(r->connection->master);
+ }
+-
+- /* If "SSLEngine optional" is configured, this is not an SSL
+- * connection, and this isn't a subrequest, send an Upgrade
+- * response header. Note this must happen before map_to_storage
+- * and OPTIONS * request processing is completed.
+- */
+- if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl)
+- && !r->main) {
+- apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
+- apr_table_mergen(r->headers_out, "Connection", "upgrade");
+- }
+
+ if (!sslconn) {
+ return DECLINED;
+@@ -1238,16 +1162,6 @@ int ssl_hook_Access(request_rec *r)
+ * Support for SSLRequireSSL directive
+ */
+ if (dc->bSSLRequired && !ssl) {
+- if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !r->connection->master) {
+- /* This vhost was configured for optional SSL, just tell the
+- * client that we need to upgrade.
+- */
+- apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
+- apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
+-
+- return HTTP_UPGRADE_REQUIRED;
+- }
+-
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
+ "access to %s failed, reason: %s",
+ r->filename, "SSL connection required");
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index c517a7b..aaa75aa 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -518,7 +518,6 @@ typedef enum {
+ SSL_ENABLED_UNSET = UNSET,
+ SSL_ENABLED_FALSE = 0,
+ SSL_ENABLED_TRUE = 1,
+- SSL_ENABLED_OPTIONAL = 3
+ } ssl_enabled_t;
+
+ /**
diff --git a/SOURCES/httpd-2.4.62-r1926107.patch b/SOURCES/httpd-2.4.62-r1926107.patch
new file mode 100644
index 0000000..e4a7629
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-r1926107.patch
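Review bot: In ssl_cmd_SSLEngine the `Optional` argument is still accepted, now mapped to `SSL_ENABLED_FALSE` with only an APLOG_NOTICE, while the usage string returned two lines later says `Argument must be On or Off`; nothing in the hunk records that the value is kept as a deprecated alias. I would add `/* Deprecated alias for "Off": the RFC 2817 TLS-upgrade path it used to select has been removed. */` above the assignment, and would consider APLOG_WARNING, because the behavioural change is silent for the admin: a vhost combining `SSLEngine optional` with `SSLRequireSSL` now takes the plain "SSL connection required" failure path in ssl_hook_Access (the `HTTP_UPGRADE_REQUIRED` branch is removed in the -1238 hunk) instead of upgrading. The enclosing ssl_cmd_SSLEngine starts outside the hunk.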
@@ -0,0 +1,34 @@
+# ./pullrev.sh 1926107
+http://svn.apache.org/viewvc?view=revision&revision=1926107
+
+diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
+index 140366e6d52..daec21ad6c3 100644
+--- a/modules/proxy/mod_proxy_balancer.c
++++ b/modules/proxy/mod_proxy_balancer.c
+@@ -276,11 +276,23 @@ static proxy_worker *find_session_route(proxy_balancer *balancer,
+ char **url)
+ {
+ proxy_worker *worker = NULL;
++ char *url_with_qs;
+
+ if (!*balancer->s->sticky)
+ return NULL;
++ /*
++ * The route might be contained in the query string and *url is not
++ * supposed to contain the query string. Hence add it temporarily if
++ * present.
++ */
++ if (r->args) {
++ url_with_qs = apr_pstrcat(r->pool, *url, "?", r->args, NULL);
++ }
++ else {
++ url_with_qs = *url;
++ }
+ /* Try to find the sticky route inside url */
+- *route = get_path_param(r->pool, *url, balancer->s->sticky_path, balancer->s->scolonsep);
++ *route = get_path_param(r->pool, url_with_qs, balancer->s->sticky_path, balancer->s->scolonsep);
+ if (*route) {
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01159)
+ "Found value %s for stickysession %s",
+
+
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 8495da6..a20569f 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.62
-Release: 4%{?dist}
+Release: 4%{?dist}.4
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
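Review bot: The new comment in find_session_route says the query string is added "temporarily", but nothing is undone afterwards: `url_with_qs` is a separate pool string built with `apr_pstrcat`, and `*url` itself is never written anywhere in the hunk, so the wording suggests a restore step that does not exist. A more accurate comment would be `/* *url is not supposed to carry the query string, so search a copy with r->args appended; *url itself is left untouched. */`. The function's parameter list (including `r`) and the rest of its body, which may read `*url` again later, are outside the hunk.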
@@ -102,13 +102,17 @@
 Patch103: httpd-2.4.62-engine-fallback.patch
 Patch104: httpd-2.4.62-r1921299.patch
 # https://issues.redhat.com/browse/RHEL-66488
 Patch105: httpd-2.4.62-r1922080.patch
+# https://issues.redhat.com/browse/RHEL-99815
+Patch106: httpd-2.4.62-r1926107.patch
 # Security fixes
-# https://bugzilla.redhat.com/show_bug.cgi?id=...
 #
-# https://bugzilla.redhat.com/show_bug.cgi?id=
-# Patch200: httpd-2.4.X-CVE-XXXX-YYYYY.patch
-

+# https://bugzilla.redhat.com/show_bug.cgi?id=2374576
+Patch200: httpd-2.4.62-CVE-2025-23048.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2374571
+Patch201: httpd-2.4.62-CVE-2024-47252.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2374580
+Patch202: httpd-2.4.62-CVE-2025-49812.patch
 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@@ -267,6 +271,11 @@ written in the Lua programming language.
 %patch103 -p0 -b .engine-fallback
 %patch104 -p1 -b .r1921299
 %patch105 -p1 -b .r1922080
+%patch106 -p1 -b .r1926107
+
+%patch200 -p1 -b .CVE-2025-23048
+%patch201 -p1 -b .CVE-2024-47252
+%patch202 -p1 -b .CVE-2025-49812

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -828,6 +837,17 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Tue Jul 15 2025 Luboš Uhliarik - 2.4.62-4.4
+- Resolves: RHEL-99949 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
+
+* Mon Jul 14 2025 Luboš Uhliarik - 2.4.62-4.1
+- Resolves: RHEL-99972 - CVE-2024-47252 httpd: insufficient escaping of
+ user-supplied data in mod_ssl
+- Resolves: RHEL-99963 - CVE-2025-23048 httpd: access control bypass by trusted
+ clients is possible using TLS 1.3 session resumption
+- Resolves: RHEL-102079 - stickysession field does not work when specifying it
+ in the query parameter after upgrade to 9.5
+
 * Wed Jan 29 2025 Luboš Uhliarik - 2.4.62-4
 - Resolves: RHEL-66488 - Apache HTTPD no longer parse PHP files with unicode characters in the name