From 5d88b9e3f25b8728aa61996b6c694699b7afa13a Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 10:42:41 +0000 Subject: [PATCH] import httpd-2.4.37-56.module+el8.8.0+18016+180fdfbc --- SOURCES/httpd-2.4.37-CVE-2006-20001.patch | 20 ++++ SOURCES/httpd-2.4.37-CVE-2022-36760.patch | 23 ++++ SOURCES/httpd-2.4.37-CVE-2022-37436.patch | 129 +++++++++++++++++++++ SOURCES/httpd-2.4.37-add-SNI-support.patch | 92 +++++++++++++++ SOURCES/httpd-init.service | 1 + SOURCES/httpd-ssl-gencerts | 1 + SPECS/httpd.spec | 40 ++++++- 7 files changed, 302 insertions(+), 4 deletions(-) create mode 100644 SOURCES/httpd-2.4.37-CVE-2006-20001.patch create mode 100644 SOURCES/httpd-2.4.37-CVE-2022-36760.patch create mode 100644 SOURCES/httpd-2.4.37-CVE-2022-37436.patch create mode 100644 SOURCES/httpd-2.4.37-add-SNI-support.patch diff --git a/SOURCES/httpd-2.4.37-CVE-2006-20001.patch b/SOURCES/httpd-2.4.37-CVE-2006-20001.patch new file mode 100644 index 0000000..26c9363 --- /dev/null +++ b/SOURCES/httpd-2.4.37-CVE-2006-20001.patch @@ -0,0 +1,20 @@ +diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c +index 1ae5914027c..3f7822fc931 100644 +--- a/modules/dav/main/util.c ++++ b/modules/dav/main/util.c +@@ -801,8 +801,14 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih) + "for the same state."); + } + condition = DAV_IF_COND_NOT; ++ list += 2; ++ } ++ else { ++ return dav_new_error(r->pool, HTTP_BAD_REQUEST, ++ DAV_ERR_IF_UNK_CHAR, 0, ++ "Invalid \"If:\" header: " ++ "Unexpected character in List"); + } +- list += 2; + break; + + case ' ': diff --git a/SOURCES/httpd-2.4.37-CVE-2022-36760.patch b/SOURCES/httpd-2.4.37-CVE-2022-36760.patch new file mode 100644 index 0000000..5a34c30 --- /dev/null +++ b/SOURCES/httpd-2.4.37-CVE-2022-36760.patch @@ -0,0 +1,23 @@ +From 5efc9507c487c37dfe2a279a4a0335cad701cd5f Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Tue, 10 Jan 2023 13:19:07 +0000 +Subject: [PATCH] cleanup on error + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1906540 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/proxy/mod_proxy_ajp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c +index 9cd7adbcbbf..07f37392d88 100644 +--- a/modules/proxy/mod_proxy_ajp.c ++++ b/modules/proxy/mod_proxy_ajp.c +@@ -255,6 +255,8 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r, + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396) + "%s Transfer-Encoding is not supported", + tenc); ++ /* We had a failure: Close connection to backend */ ++ conn->close = 1; + return HTTP_INTERNAL_SERVER_ERROR; + } + } else { diff --git a/SOURCES/httpd-2.4.37-CVE-2022-37436.patch b/SOURCES/httpd-2.4.37-CVE-2022-37436.patch new file mode 100644 index 0000000..26311e8 --- /dev/null +++ b/SOURCES/httpd-2.4.37-CVE-2022-37436.patch @@ -0,0 +1,129 @@ +From 8b6d55f6a047acf62675e32606b037f5eea8ccc7 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Tue, 10 Jan 2023 13:20:09 +0000 +Subject: [PATCH] Merge r1906539 from trunk: + +fail on bad header + +Submitted By: covener +Reviewed By: covener, rpluem, gbechis + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1906541 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/proxy/mod_proxy_http.c | 46 ++++++++++++++++++++-------------- + server/protocol.c | 2 ++ + 2 files changed, 29 insertions(+), 19 deletions(-) + +diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c +index d74ae054ac9..ec4e7fb06b5 100644 +--- a/modules/proxy/mod_proxy_http.c ++++ b/modules/proxy/mod_proxy_http.c +@@ -788,7 +788,7 @@ static void process_proxy_header(request_rec *r, proxy_dir_conf *c, + * any sense at all, since we depend on buffer still containing + * what was read by ap_getline() upon return. + */ +-static void ap_proxy_read_headers(request_rec *r, request_rec *rr, ++static apr_status_t ap_proxy_read_headers(request_rec *r, request_rec *rr, + char *buffer, int size, + conn_rec *c, int *pread_len) + { +@@ -820,19 +820,26 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr, + rc = ap_proxygetline(tmp_bb, buffer, size, rr, + AP_GETLINE_FOLD | AP_GETLINE_NOSPC_EOL, &len); + +- if (len <= 0) +- break; + +- if (APR_STATUS_IS_ENOSPC(rc)) { +- /* The header could not fit in the provided buffer, warn. +- * XXX: falls through with the truncated header, 5xx instead? +- */ +- int trunc = (len > 128 ? 128 : len) / 2; +- ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124) +- "header size is over the limit allowed by " +- "ResponseFieldSize (%d bytes). " +- "Bad response header: '%.*s[...]%s'", +- size, trunc, buffer, buffer + len - trunc); ++ if (rc != APR_SUCCESS) { ++ if (APR_STATUS_IS_ENOSPC(rc)) { ++ int trunc = (len > 128 ? 128 : len) / 2; ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124) ++ "header size is over the limit allowed by " ++ "ResponseFieldSize (%d bytes). " ++ "Bad response header: '%.*s[...]%s'", ++ size, trunc, buffer, buffer + len - trunc); ++ } ++ else { ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10404) ++ "Error reading headers from backend"); ++ } ++ r->headers_out = NULL; ++ return rc; ++ } ++ ++ if (len <= 0) { ++ break; + } + else { + ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r, "%s", buffer); +@@ -855,7 +862,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr, + if (psc->badopt == bad_error) { + /* Nope, it wasn't even an extra HTTP header. Give up. */ + r->headers_out = NULL; +- return; ++ return APR_EINVAL; + } + else if (psc->badopt == bad_body) { + /* if we've already started loading headers_out, then +@@ -869,13 +876,13 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr, + "in headers returned by %s (%s)", + r->uri, r->method); + *pread_len = len; +- return; ++ return APR_SUCCESS; + } + else { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01099) + "No HTTP headers returned by %s (%s)", + r->uri, r->method); +- return; ++ return APR_SUCCESS; + } + } + } +@@ -905,6 +912,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr, + process_proxy_header(r, dconf, buffer, value); + saw_headers = 1; + } ++ return APR_SUCCESS; + } + + +@@ -1218,10 +1226,10 @@ int ap_proxy_http_process_response(proxy_http_req_t *req) + "Set-Cookie", NULL); + + /* shove the headers direct into r->headers_out */ +- ap_proxy_read_headers(r, backend->r, buffer, response_field_size, +- origin, &pread_len); ++ rc = ap_proxy_read_headers(r, backend->r, buffer, response_field_size, ++ origin, &pread_len); + +- if (r->headers_out == NULL) { ++ if (rc != APR_SUCCESS || r->headers_out == NULL) { + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01106) + "bad HTTP/%d.%d header returned by %s (%s)", + major, minor, r->uri, r->method); +diff --git a/server/protocol.c b/server/protocol.c +index 7adc7f75c10..6f9540ad1de 100644 +--- a/server/protocol.c ++++ b/server/protocol.c +@@ -508,6 +508,8 @@ AP_DECLARE(apr_status_t) ap_rgetline_core(char **s, apr_size_t n, + /* PR#43039: We shouldn't accept NULL bytes within the line */ + bytes_handled = strlen(*s); + if (bytes_handled < *read) { ++ ap_log_data(APLOG_MARK, APLOG_DEBUG, ap_server_conf, ++ "NULL bytes in header", *s, *read, 0); + *read = bytes_handled; + if (rv == APR_SUCCESS) { + rv = APR_EINVAL; diff --git a/SOURCES/httpd-2.4.37-add-SNI-support.patch b/SOURCES/httpd-2.4.37-add-SNI-support.patch new file mode 100644 index 0000000..8b8d9ad --- /dev/null +++ b/SOURCES/httpd-2.4.37-add-SNI-support.patch @@ -0,0 +1,92 @@ +commit 4c0e27d7bfbf46f14dfbd5d888e56c64ad8c8de5 +Author: Tomas Korbar +Date: Mon Sep 19 13:22:27 2022 +0200 + + Backport refactor of SNI support to httpd-2.4.37 + +diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c +index a7e0dcd..31ccd32 100644 +--- a/modules/http2/mod_proxy_http2.c ++++ b/modules/http2/mod_proxy_http2.c +@@ -591,16 +591,6 @@ run_connect: + } + + if (!ctx->p_conn->data) { +- /* New conection: set a note on the connection what CN is +- * requested and what protocol we want */ +- if (ctx->p_conn->ssl_hostname) { +- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner, +- "set SNI to %s for (%s)", +- ctx->p_conn->ssl_hostname, +- ctx->p_conn->hostname); +- apr_table_setn(ctx->p_conn->connection->notes, +- "proxy-request-hostname", ctx->p_conn->ssl_hostname); +- } + if (ctx->is_ssl) { + apr_table_setn(ctx->p_conn->connection->notes, + "proxy-request-alpn-protos", "h2"); +diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c +index 1b7bb81..c1c591a 100644 +--- a/modules/proxy/mod_proxy_http.c ++++ b/modules/proxy/mod_proxy_http.c +@@ -2111,19 +2111,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker, + req->origin->keepalive = AP_CONN_CLOSE; + } + +- /* +- * On SSL connections set a note on the connection what CN is +- * requested, such that mod_ssl can check if it is requested to do +- * so. +- * +- * https://github.com/apache/httpd/commit/7d272e2628b4ae05f68cdc74b070707250896a34 +- */ +- if (backend->ssl_hostname) { +- apr_table_setn(backend->connection->notes, +- "proxy-request-hostname", +- backend->ssl_hostname); +- } +- + /* Step Four: Send the Request + * On the off-chance that we forced a 100-Continue as a + * kinda HTTP ping test, allow for retries +diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c +index ec9a414..805820d 100644 +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -3261,6 +3261,16 @@ static int proxy_connection_create(const char *proxy_function, + backend_addr, conn->hostname); + return HTTP_INTERNAL_SERVER_ERROR; + } ++ if (conn->ssl_hostname) { ++ /* Set a note on the connection about what CN is requested, ++ * such that mod_ssl can check if it is requested to do so. ++ */ ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection, ++ "%s: set SNI to %s for (%s)", proxy_function, ++ conn->ssl_hostname, conn->hostname); ++ apr_table_setn(conn->connection->notes, "proxy-request-hostname", ++ conn->ssl_hostname); ++ } + } + else { + /* TODO: See if this will break FTP */ +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c +index 4e3875a..9b4280c 100644 +--- a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -1273,7 +1273,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) + ((dc->proxy->ssl_check_peer_cn != FALSE) || + (dc->proxy->ssl_check_peer_name == TRUE)) && + hostname_note) { +- apr_table_unset(c->notes, "proxy-request-hostname"); + if (!cert + || modssl_X509_match_name(c->pool, cert, hostname_note, + TRUE, server) == FALSE) { +@@ -1290,7 +1289,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) + + hostname = ssl_var_lookup(NULL, server, c, NULL, + "SSL_CLIENT_S_DN_CN"); +- apr_table_unset(c->notes, "proxy-request-hostname"); + + /* Do string match or simplest wildcard match if that + * fails. */ diff --git a/SOURCES/httpd-init.service b/SOURCES/httpd-init.service index 3074778..704c314 100644 --- a/SOURCES/httpd-init.service +++ b/SOURCES/httpd-init.service @@ -8,5 +8,6 @@ ConditionPathExists=|!/etc/pki/tls/private/localhost.key [Service] Type=oneshot RemainAfterExit=no +PrivateTmp=true ExecStart=/usr/libexec/httpd-ssl-gencerts diff --git a/SOURCES/httpd-ssl-gencerts b/SOURCES/httpd-ssl-gencerts index 350f5b5..5c271f7 100755 --- a/SOURCES/httpd-ssl-gencerts +++ b/SOURCES/httpd-ssl-gencerts @@ -33,6 +33,7 @@ sscg -q \ --cert-file /etc/pki/tls/certs/localhost.crt \ --cert-key-file /etc/pki/tls/private/localhost.key \ --ca-file /etc/pki/tls/certs/localhost.crt \ + --dhparams-file /tmp/dhparams.pem \ --lifetime 365 \ --hostname $FQDN \ --email root@$FQDN diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index c97fc9a..8e5a5d6 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.37 -Release: 51%{?dist} +Release: 56%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source2: httpd.logrotate @@ -163,6 +163,8 @@ Patch88: httpd-2.4.37-r1845768+.patch Patch89: httpd-2.4.37-r1862410.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1984828 Patch90: httpd-2.4.37-hcheck-mem-issues.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2017543 +Patch91: httpd-2.4.37-add-SNI-support.patch # Security fixes Patch200: httpd-2.4.37-r1851471.patch @@ -238,7 +240,12 @@ Patch232: httpd-2.4.37-CVE-2022-31813.patch Patch233: httpd-2.4.37-CVE-2022-29404.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2094997 Patch234: httpd-2.4.37-CVE-2022-26377.patch - +# https://bugzilla.redhat.com/show_bug.cgi?id=2161773 +Patch235: httpd-2.4.37-CVE-2022-37436.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2161774 +Patch236: httpd-2.4.37-CVE-2006-20001.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2161777 +Patch237: httpd-2.4.37-CVE-2022-36760.patch License: ASL 2.0 Group: System Environment/Daemons @@ -256,7 +263,7 @@ Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release} Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa} Requires: httpd-tools = %{version}-%{release} Requires: httpd-filesystem = %{version}-%{release} -Requires: mod_http2 +Requires: mod_http2 >= 1.15.7-5 Requires(pre): httpd-filesystem Requires(preun): systemd-units Requires(postun): systemd-units @@ -320,7 +327,7 @@ Epoch: 1 BuildRequires: openssl-devel Requires(pre): httpd-filesystem Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} -Requires: sscg >= 2.2.0 +Requires: sscg >= 3.0.0-7, /usr/bin/hostname Obsoletes: stronghold-mod_ssl # Require an OpenSSL which supports PROFILE=SYSTEM Conflicts: openssl-libs < 1:1.0.1h-4 @@ -419,6 +426,7 @@ interface for storing and accessing per-user session data. %patch88 -p1 -b .r1845768+ %patch89 -p1 -b .r1862410 %patch90 -p1 -b .hcheck-mem-issues +%patch91 -p1 -b .SNI %patch200 -p1 -b .r1851471 %patch201 -p1 -b .CVE-2019-0211 @@ -455,6 +463,9 @@ interface for storing and accessing per-user session data. %patch232 -p1 -b .CVE-2022-31813 %patch233 -p1 -b .CVE-2022-29404 %patch234 -p1 -b .CVE-2022-26377 +%patch235 -p1 -b .CVE-2022-37436 +%patch236 -p1 -b .CVE-2006-20001 +%patch237 -p1 -b .CVE-2022-36760 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -960,6 +971,27 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Tue Jan 31 2023 Luboš Uhliarik - 2.4.37-56 +- Resolves: #2162499 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write + of zero byte +- Resolves: #2162485 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting +- Resolves: #2162509 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request + smuggling + +* Thu Jan 26 2023 Luboš Uhliarik - 2.4.37-55 +- Resolves: #2155961 - prevent sscg creating /dhparams.pem + +* Thu Dec 08 2022 Luboš Uhliarik - 2.4.37-54 +- Resolves: #2095650 - Dependency from mod_http2 on httpd broken + +* Wed Nov 09 2022 Luboš Uhliarik - 2.4.37-53 +- Resolves: #2050888 - httpd with SSL fails to start unless hostname command + was installed + +* Mon Sep 19 2022 Tomas Korbar - 2.4.37-52 +- Add the SNI support in mod_proxy_wstunnel module for Apache httpd +- Resolves: rhbz#2017543 + * Mon Jul 25 2022 Luboš Uhliarik - 2.4.37-51 - Resolves: #2097015 - CVE-2022-28614 httpd:2.4/httpd: out-of-bounds read via ap_rwrite()