import httpd-2.4.37-56.module+el8.8.0+18016+180fdfbc
parent
a38412b5b5
commit
5d88b9e3f2
|
@ -0,0 +1,20 @@
|
|||
diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
|
||||
index 1ae5914027c..3f7822fc931 100644
|
||||
--- a/modules/dav/main/util.c
|
||||
+++ b/modules/dav/main/util.c
|
||||
@@ -801,8 +801,14 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
|
||||
"for the same state.");
|
||||
}
|
||||
condition = DAV_IF_COND_NOT;
|
||||
+ list += 2;
|
||||
+ }
|
||||
+ else {
|
||||
+ return dav_new_error(r->pool, HTTP_BAD_REQUEST,
|
||||
+ DAV_ERR_IF_UNK_CHAR, 0,
|
||||
+ "Invalid \"If:\" header: "
|
||||
+ "Unexpected character in List");
|
||||
}
|
||||
- list += 2;
|
||||
break;
|
||||
|
||||
case ' ':
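Review bot: The moved `list += 2;` is the whole fix, but nothing in the code says why it must now stay inside the matched branch, so a later cleanup could hoist it back out and silently reintroduce the out-of-bounds access the changelog describes for CVE-2006-20001. I'd pin the intent with a one-line comment above it, e.g. `/* Advance only past the characters the enclosing if just matched: advancing on a mismatch can step over the terminating NUL (CVE-2006-20001). */`. The new `else` reuses DAV_ERR_IF_UNK_CHAR and the same `"Invalid \"If:\" header: "` prefix as the neighbouring errors, which keeps the error surface consistent. The enclosing `case` and dav_process_if_header both begin and end outside the hunk, so I can't confirm from here that the other `case` branches advance `list` only after a successful match; worth a quick look.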
|
|
@ -0,0 +1,23 @@
|
|||
From 5efc9507c487c37dfe2a279a4a0335cad701cd5f Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Tue, 10 Jan 2023 13:19:07 +0000
|
||||
Subject: [PATCH] cleanup on error
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1906540 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/proxy/mod_proxy_ajp.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
|
||||
index 9cd7adbcbbf..07f37392d88 100644
|
||||
--- a/modules/proxy/mod_proxy_ajp.c
|
||||
+++ b/modules/proxy/mod_proxy_ajp.c
|
||||
@@ -255,6 +255,8 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
|
||||
"%s Transfer-Encoding is not supported",
|
||||
tenc);
|
||||
+ /* We had a failure: Close connection to backend */
|
||||
+ conn->close = 1;
|
||||
return HTTP_INTERNAL_SERVER_ERROR;
|
||||
}
|
||||
} else {
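Review bot: The added comment on `conn->close = 1;` says what happens but not why, which is exactly what a reader needs when deciding whether other early returns in ap_proxy_ajp_request deserve the same treatment. I'd expand it to carry the rationale the changelog gives for this patch, e.g. `/* Unsupported Transfer-Encoding: the backend connection must not be reused for another request (CVE-2022-36760, request smuggling) */`. ap_proxy_ajp_request begins and continues outside the hunk, so I can't see whether the remaining error paths leave the connection reusable; that is worth confirming rather than assuming.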
|
|
@ -0,0 +1,129 @@
|
|||
From 8b6d55f6a047acf62675e32606b037f5eea8ccc7 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Tue, 10 Jan 2023 13:20:09 +0000
|
||||
Subject: [PATCH] Merge r1906539 from trunk:
|
||||
|
||||
fail on bad header
|
||||
|
||||
Submitted By: covener
|
||||
Reviewed By: covener, rpluem, gbechis
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1906541 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/proxy/mod_proxy_http.c | 46 ++++++++++++++++++++--------------
|
||||
server/protocol.c | 2 ++
|
||||
2 files changed, 29 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
|
||||
index d74ae054ac9..ec4e7fb06b5 100644
|
||||
--- a/modules/proxy/mod_proxy_http.c
|
||||
+++ b/modules/proxy/mod_proxy_http.c
|
||||
@@ -788,7 +788,7 @@ static void process_proxy_header(request_rec *r, proxy_dir_conf *c,
|
||||
* any sense at all, since we depend on buffer still containing
|
||||
* what was read by ap_getline() upon return.
|
||||
*/
|
||||
-static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
|
||||
+static apr_status_t ap_proxy_read_headers(request_rec *r, request_rec *rr,
|
||||
char *buffer, int size,
|
||||
conn_rec *c, int *pread_len)
|
||||
{
|
||||
@@ -820,19 +820,26 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
|
||||
rc = ap_proxygetline(tmp_bb, buffer, size, rr,
|
||||
AP_GETLINE_FOLD | AP_GETLINE_NOSPC_EOL, &len);
|
||||
|
||||
- if (len <= 0)
|
||||
- break;
|
||||
|
||||
- if (APR_STATUS_IS_ENOSPC(rc)) {
|
||||
- /* The header could not fit in the provided buffer, warn.
|
||||
- * XXX: falls through with the truncated header, 5xx instead?
|
||||
- */
|
||||
- int trunc = (len > 128 ? 128 : len) / 2;
|
||||
- ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)
|
||||
- "header size is over the limit allowed by "
|
||||
- "ResponseFieldSize (%d bytes). "
|
||||
- "Bad response header: '%.*s[...]%s'",
|
||||
- size, trunc, buffer, buffer + len - trunc);
|
||||
+ if (rc != APR_SUCCESS) {
|
||||
+ if (APR_STATUS_IS_ENOSPC(rc)) {
|
||||
+ int trunc = (len > 128 ? 128 : len) / 2;
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)
|
||||
+ "header size is over the limit allowed by "
|
||||
+ "ResponseFieldSize (%d bytes). "
|
||||
+ "Bad response header: '%.*s[...]%s'",
|
||||
+ size, trunc, buffer, buffer + len - trunc);
|
||||
+ }
|
||||
+ else {
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10404)
|
||||
+ "Error reading headers from backend");
|
||||
+ }
|
||||
+ r->headers_out = NULL;
|
||||
+ return rc;
|
||||
+ }
|
||||
+
|
||||
+ if (len <= 0) {
|
||||
+ break;
|
||||
}
|
||||
else {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r, "%s", buffer);
|
||||
@@ -855,7 +862,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
|
||||
if (psc->badopt == bad_error) {
|
||||
/* Nope, it wasn't even an extra HTTP header. Give up. */
|
||||
r->headers_out = NULL;
|
||||
- return;
|
||||
+ return APR_EINVAL;
|
||||
}
|
||||
else if (psc->badopt == bad_body) {
|
||||
/* if we've already started loading headers_out, then
|
||||
@@ -869,13 +876,13 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
|
||||
"in headers returned by %s (%s)",
|
||||
r->uri, r->method);
|
||||
*pread_len = len;
|
||||
- return;
|
||||
+ return APR_SUCCESS;
|
||||
}
|
||||
else {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01099)
|
||||
"No HTTP headers returned by %s (%s)",
|
||||
r->uri, r->method);
|
||||
- return;
|
||||
+ return APR_SUCCESS;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -905,6 +912,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
|
||||
process_proxy_header(r, dconf, buffer, value);
|
||||
saw_headers = 1;
|
||||
}
|
||||
+ return APR_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
@@ -1218,10 +1226,10 @@ int ap_proxy_http_process_response(proxy_http_req_t *req)
|
||||
"Set-Cookie", NULL);
|
||||
|
||||
/* shove the headers direct into r->headers_out */
|
||||
- ap_proxy_read_headers(r, backend->r, buffer, response_field_size,
|
||||
- origin, &pread_len);
|
||||
+ rc = ap_proxy_read_headers(r, backend->r, buffer, response_field_size,
|
||||
+ origin, &pread_len);
|
||||
|
||||
- if (r->headers_out == NULL) {
|
||||
+ if (rc != APR_SUCCESS || r->headers_out == NULL) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01106)
|
||||
"bad HTTP/%d.%d header returned by %s (%s)",
|
||||
major, minor, r->uri, r->method);
|
||||
diff --git a/server/protocol.c b/server/protocol.c
|
||||
index 7adc7f75c10..6f9540ad1de 100644
|
||||
--- a/server/protocol.c
|
||||
+++ b/server/protocol.c
|
||||
@@ -508,6 +508,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n,
|
||||
/* PR#43039: We shouldn't accept NULL bytes within the line */
|
||||
bytes_handled = strlen(*s);
|
||||
if (bytes_handled < *read) {
|
||||
+ ap_log_data(APLOG_MARK, APLOG_DEBUG, ap_server_conf,
|
||||
+ "NULL bytes in header", *s, *read, 0);
|
||||
*read = bytes_handled;
|
||||
if (rv == APR_SUCCESS) {
|
||||
rv = APR_EINVAL;
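Review bot: In the `@@ -820,19 +820,26 @@` hunk the ENOSPC logging now runs before the `len <= 0` guard, whereas the removed code only reached it with a positive `len`; the `%.*s` arguments `trunc, buffer, buffer + len - trunc` are harmless for `len == 0` (trunc becomes 0) but would point before `buffer` for a negative `len`, so either confirm ap_proxygetline can never report ENOSPC with a negative length or tighten the test to `if (APR_STATUS_IS_ENOSPC(rc) && len > 0)`. The generic branch passes `rc` to ap_log_rerror so the APR error text reaches the log, and the caller in `@@ -1218,10 +1226,10 @@` folds any non-success into the existing APLOGNO(01106) "bad HTTP header" warning, so a plain backend read error and a malformed header become indistinguishable at the caller; a short comment at `if (rc != APR_SUCCESS || r->headers_out == NULL)` noting that both cases are deliberately treated as a bad gateway would help triage. The rest of ap_proxy_read_headers and ap_proxy_http_process_response lies outside the hunks. The server/protocol.c hunk dumps the rejected line with ap_log_data at APLOG_DEBUG, which is appropriate for diagnosing the NUL-byte rejection without adding noise at default log levels.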
|
|
@ -0,0 +1,92 @@
|
|||
commit 4c0e27d7bfbf46f14dfbd5d888e56c64ad8c8de5
|
||||
Author: Tomas Korbar <tkorbar@redhat.com>
|
||||
Date: Mon Sep 19 13:22:27 2022 +0200
|
||||
|
||||
Backport refactor of SNI support to httpd-2.4.37
|
||||
|
||||
diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
|
||||
index a7e0dcd..31ccd32 100644
|
||||
--- a/modules/http2/mod_proxy_http2.c
|
||||
+++ b/modules/http2/mod_proxy_http2.c
|
||||
@@ -591,16 +591,6 @@ run_connect:
|
||||
}
|
||||
|
||||
if (!ctx->p_conn->data) {
|
||||
- /* New conection: set a note on the connection what CN is
|
||||
- * requested and what protocol we want */
|
||||
- if (ctx->p_conn->ssl_hostname) {
|
||||
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner,
|
||||
- "set SNI to %s for (%s)",
|
||||
- ctx->p_conn->ssl_hostname,
|
||||
- ctx->p_conn->hostname);
|
||||
- apr_table_setn(ctx->p_conn->connection->notes,
|
||||
- "proxy-request-hostname", ctx->p_conn->ssl_hostname);
|
||||
- }
|
||||
if (ctx->is_ssl) {
|
||||
apr_table_setn(ctx->p_conn->connection->notes,
|
||||
"proxy-request-alpn-protos", "h2");
|
||||
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
|
||||
index 1b7bb81..c1c591a 100644
|
||||
--- a/modules/proxy/mod_proxy_http.c
|
||||
+++ b/modules/proxy/mod_proxy_http.c
|
||||
@@ -2111,19 +2111,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
|
||||
req->origin->keepalive = AP_CONN_CLOSE;
|
||||
}
|
||||
|
||||
- /*
|
||||
- * On SSL connections set a note on the connection what CN is
|
||||
- * requested, such that mod_ssl can check if it is requested to do
|
||||
- * so.
|
||||
- *
|
||||
- * https://github.com/apache/httpd/commit/7d272e2628b4ae05f68cdc74b070707250896a34
|
||||
- */
|
||||
- if (backend->ssl_hostname) {
|
||||
- apr_table_setn(backend->connection->notes,
|
||||
- "proxy-request-hostname",
|
||||
- backend->ssl_hostname);
|
||||
- }
|
||||
-
|
||||
/* Step Four: Send the Request
|
||||
* On the off-chance that we forced a 100-Continue as a
|
||||
* kinda HTTP ping test, allow for retries
|
||||
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
|
||||
index ec9a414..805820d 100644
|
||||
--- a/modules/proxy/proxy_util.c
|
||||
+++ b/modules/proxy/proxy_util.c
|
||||
@@ -3261,6 +3261,16 @@ static int proxy_connection_create(const char *proxy_function,
|
||||
backend_addr, conn->hostname);
|
||||
return HTTP_INTERNAL_SERVER_ERROR;
|
||||
}
|
||||
+ if (conn->ssl_hostname) {
|
||||
+ /* Set a note on the connection about what CN is requested,
|
||||
+ * such that mod_ssl can check if it is requested to do so.
|
||||
+ */
|
||||
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection,
|
||||
+ "%s: set SNI to %s for (%s)", proxy_function,
|
||||
+ conn->ssl_hostname, conn->hostname);
|
||||
+ apr_table_setn(conn->connection->notes, "proxy-request-hostname",
|
||||
+ conn->ssl_hostname);
|
||||
+ }
|
||||
}
|
||||
else {
|
||||
/* TODO: See if this will break FTP */
|
||||
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
|
||||
index 4e3875a..9b4280c 100644
|
||||
--- a/modules/ssl/ssl_engine_io.c
|
||||
+++ b/modules/ssl/ssl_engine_io.c
|
||||
@@ -1273,7 +1273,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
|
||||
((dc->proxy->ssl_check_peer_cn != FALSE) ||
|
||||
(dc->proxy->ssl_check_peer_name == TRUE)) &&
|
||||
hostname_note) {
|
||||
- apr_table_unset(c->notes, "proxy-request-hostname");
|
||||
if (!cert
|
||||
|| modssl_X509_match_name(c->pool, cert, hostname_note,
|
||||
TRUE, server) == FALSE) {
|
||||
@@ -1290,7 +1289,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
|
||||
|
||||
hostname = ssl_var_lookup(NULL, server, c, NULL,
|
||||
"SSL_CLIENT_S_DN_CN");
|
||||
- apr_table_unset(c->notes, "proxy-request-hostname");
|
||||
|
||||
/* Do string match or simplest wildcard match if that
|
||||
* fails. */
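Review bot: The `proxy-request-hostname` note is now set once in proxy_connection_create and the two `apr_table_unset` calls in ssl_io_filter_handshake are removed, so the note lives for the whole pooled backend connection rather than for one request; presumably that is intended so a re-handshake on a reused connection still sees the hostname, but it also means the peer-name check uses the name recorded at connection creation. Please confirm, outside these hunks, that a pooled connection is closed and recreated whenever `conn->ssl_hostname` changes for a worker, otherwise mod_ssl could validate the peer certificate against a stale name. The removed mod_proxy_http.c block carried the only explanation of the note's purpose, so the new block in proxy_util.c should state the contract, e.g. `/* Lives for the life of the backend connection; mod_ssl's peer-name check reads it from c->notes on handshake */`. Minor inconsistency: the new ap_log_cerror passes status `0` where the removed mod_proxy_http2 version passed `status`; harmless at TRACE1, but worth a glance.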
|
|
@ -8,5 +8,6 @@ ConditionPathExists=|!/etc/pki/tls/private/localhost.key
|
|||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=no
|
||||
PrivateTmp=true
|
||||
|
||||
ExecStart=/usr/libexec/httpd-ssl-gencerts
|
||||
|
|
|
@ -33,6 +33,7 @@ sscg -q \
|
|||
--cert-file /etc/pki/tls/certs/localhost.crt \
|
||||
--cert-key-file /etc/pki/tls/private/localhost.key \
|
||||
--ca-file /etc/pki/tls/certs/localhost.crt \
|
||||
--dhparams-file /tmp/dhparams.pem \
|
||||
--lifetime 365 \
|
||||
--hostname $FQDN \
|
||||
--email root@$FQDN
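Review bot: The new `--dhparams-file /tmp/dhparams.pem` writes to a fixed, predictable name in the shared /tmp; the `PrivateTmp=true` added to the unit in the preceding section covers the systemd-run case, but the script itself is still exposed if run by hand as root, where a pre-existing file or symlink at that path could be followed or clobbered. A per-run temporary file removes the dependence on the unit setting: `DHPARAMS=$(mktemp)`, `trap 'rm -f "$DHPARAMS"' EXIT`, and `--dhparams-file "$DHPARAMS" \` in the sscg invocation. That also satisfies the stated goal of keeping sscg from writing /dhparams.pem (rhbz #2155961 in the changelog) and cleans up after itself.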
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
Summary: Apache HTTP Server
|
||||
Name: httpd
|
||||
Version: 2.4.37
|
||||
Release: 51%{?dist}
|
||||
Release: 56%{?dist}
|
||||
URL: https://httpd.apache.org/
|
||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||
Source2: httpd.logrotate
|
||||
|
@ -163,6 +163,8 @@ Patch88: httpd-2.4.37-r1845768+.patch
|
|||
Patch89: httpd-2.4.37-r1862410.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1984828
|
||||
Patch90: httpd-2.4.37-hcheck-mem-issues.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2017543
|
||||
Patch91: httpd-2.4.37-add-SNI-support.patch
|
||||
|
||||
# Security fixes
|
||||
Patch200: httpd-2.4.37-r1851471.patch
|
||||
|
@ -238,7 +240,12 @@ Patch232: httpd-2.4.37-CVE-2022-31813.patch
|
|||
Patch233: httpd-2.4.37-CVE-2022-29404.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2094997
|
||||
Patch234: httpd-2.4.37-CVE-2022-26377.patch
|
||||
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2161773
|
||||
Patch235: httpd-2.4.37-CVE-2022-37436.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2161774
|
||||
Patch236: httpd-2.4.37-CVE-2006-20001.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2161777
|
||||
Patch237: httpd-2.4.37-CVE-2022-36760.patch
|
||||
|
||||
License: ASL 2.0
|
||||
Group: System Environment/Daemons
|
||||
|
@ -256,7 +263,7 @@ Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
|
|||
Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}
|
||||
Requires: httpd-tools = %{version}-%{release}
|
||||
Requires: httpd-filesystem = %{version}-%{release}
|
||||
Requires: mod_http2
|
||||
Requires: mod_http2 >= 1.15.7-5
|
||||
Requires(pre): httpd-filesystem
|
||||
Requires(preun): systemd-units
|
||||
Requires(postun): systemd-units
|
||||
|
@ -320,7 +327,7 @@ Epoch: 1
|
|||
BuildRequires: openssl-devel
|
||||
Requires(pre): httpd-filesystem
|
||||
Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
|
||||
Requires: sscg >= 2.2.0
|
||||
Requires: sscg >= 3.0.0-7, /usr/bin/hostname
|
||||
Obsoletes: stronghold-mod_ssl
|
||||
# Require an OpenSSL which supports PROFILE=SYSTEM
|
||||
Conflicts: openssl-libs < 1:1.0.1h-4
|
||||
|
@ -419,6 +426,7 @@ interface for storing and accessing per-user session data.
|
|||
%patch88 -p1 -b .r1845768+
|
||||
%patch89 -p1 -b .r1862410
|
||||
%patch90 -p1 -b .hcheck-mem-issues
|
||||
%patch91 -p1 -b .SNI
|
||||
|
||||
%patch200 -p1 -b .r1851471
|
||||
%patch201 -p1 -b .CVE-2019-0211
|
||||
|
@ -455,6 +463,9 @@ interface for storing and accessing per-user session data.
|
|||
%patch232 -p1 -b .CVE-2022-31813
|
||||
%patch233 -p1 -b .CVE-2022-29404
|
||||
%patch234 -p1 -b .CVE-2022-26377
|
||||
%patch235 -p1 -b .CVE-2022-37436
|
||||
%patch236 -p1 -b .CVE-2006-20001
|
||||
%patch237 -p1 -b .CVE-2022-36760
|
||||
|
||||
# Patch in the vendor string
|
||||
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
||||
|
@ -960,6 +971,27 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||
|
||||
%changelog
|
||||
* Tue Jan 31 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56
|
||||
- Resolves: #2162499 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write
|
||||
of zero byte
|
||||
- Resolves: #2162485 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting
|
||||
- Resolves: #2162509 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request
|
||||
smuggling
|
||||
|
||||
* Thu Jan 26 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-55
|
||||
- Resolves: #2155961 - prevent sscg creating /dhparams.pem
|
||||
|
||||
* Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-54
|
||||
- Resolves: #2095650 - Dependency from mod_http2 on httpd broken
|
||||
|
||||
* Wed Nov 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-53
|
||||
- Resolves: #2050888 - httpd with SSL fails to start unless hostname command
|
||||
was installed
|
||||
|
||||
* Mon Sep 19 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.37-52
|
||||
- Add the SNI support in mod_proxy_wstunnel module for Apache httpd
|
||||
- Resolves: rhbz#2017543
|
||||
|
||||
* Mon Jul 25 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-51
|
||||
- Resolves: #2097015 - CVE-2022-28614 httpd:2.4/httpd: out-of-bounds read via
|
||||
ap_rwrite()
|
||||
|
|