new version 2.4.61
							parent
							
								
									14ca0d5a20
								
							
						
					
					
						commit
						6ad1ffded3
					
				
							
								
								
									
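--- a/.gitignore
+++ b/.gitignore
@@ -50,3 +50,4 @@ x86_64
 /httpd-2.4.57.tar.bz2.asc
 /httpd-2.4.58.tar.bz2.asc
 /httpd-2.4.59.tar.bz2.asc
+/httpd-2.4.61.tar.bz2.asc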
| @ -1,8 +1,8 @@ | |||||||
| diff --git a/server/listen.c b/server/listen.c
 | diff --git a/server/listen.c b/server/listen.c
 | ||||||
| index 5242c2a..e2e028a 100644
 | index 9577d60..d718db1 100644
 | ||||||
| --- a/server/listen.c
 | --- a/server/listen.c
 | ||||||
| +++ b/server/listen.c
 | +++ b/server/listen.c
 | ||||||
| @@ -34,6 +34,10 @@
 | @@ -35,6 +35,10 @@
 | ||||||
|  #include <unistd.h> |  #include <unistd.h> | ||||||
|  #endif |  #endif | ||||||
|   |   | ||||||
| @ -13,7 +13,7 @@ index 5242c2a..e2e028a 100644 | |||||||
|  /* we know core's module_index is 0 */ |  /* we know core's module_index is 0 */ | ||||||
|  #undef APLOG_MODULE_INDEX |  #undef APLOG_MODULE_INDEX | ||||||
|  #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX |  #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX | ||||||
| @@ -59,9 +63,12 @@ static int ap_listenbacklog;
 | @@ -60,9 +64,12 @@ static int ap_listenbacklog;
 | ||||||
|  static int ap_listencbratio; |  static int ap_listencbratio; | ||||||
|  static int send_buffer_size; |  static int send_buffer_size; | ||||||
|  static int receive_buffer_size; |  static int receive_buffer_size; | ||||||
| @ -27,7 +27,7 @@ index 5242c2a..e2e028a 100644 | |||||||
|  { |  { | ||||||
|      apr_socket_t *s = server->sd; |      apr_socket_t *s = server->sd; | ||||||
|      int one = 1; |      int one = 1; | ||||||
| @@ -94,20 +101,6 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
 | @@ -95,20 +102,6 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
 | ||||||
|          return stat; |          return stat; | ||||||
|      } |      } | ||||||
|   |   | ||||||
| @ -48,7 +48,7 @@ index 5242c2a..e2e028a 100644 | |||||||
|      /* |      /* | ||||||
|       * To send data over high bandwidth-delay connections at full |       * To send data over high bandwidth-delay connections at full | ||||||
|       * speed we must force the TCP window to open wide enough to keep the |       * speed we must force the TCP window to open wide enough to keep the | ||||||
| @@ -169,21 +162,37 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
 | @@ -170,21 +163,37 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
 | ||||||
|      } |      } | ||||||
|  #endif |  #endif | ||||||
|   |   | ||||||
| @ -100,7 +100,7 @@ index 5242c2a..e2e028a 100644 | |||||||
|      } |      } | ||||||
|   |   | ||||||
|  #ifdef WIN32 |  #ifdef WIN32 | ||||||
| @@ -315,6 +324,123 @@ static int find_listeners(ap_listen_rec **from, ap_listen_rec **to,
 | @@ -335,6 +344,123 @@ static int find_listeners(ap_listen_rec **from, ap_listen_rec **to,
 | ||||||
|      return found; |      return found; | ||||||
|  } |  } | ||||||
|   |   | ||||||
| @ -223,8 +223,8 @@ index 5242c2a..e2e028a 100644 | |||||||
| +
 | +
 | ||||||
|  static const char *alloc_listener(process_rec *process, const char *addr, |  static const char *alloc_listener(process_rec *process, const char *addr, | ||||||
|                                    apr_port_t port, const char* proto, |                                    apr_port_t port, const char* proto, | ||||||
|                                    void *slave) |                                    const char *scope_id, void *slave, | ||||||
| @@ -495,7 +621,7 @@ static int open_listeners(apr_pool_t *pool)
 | @@ -529,7 +655,7 @@ static int open_listeners(apr_pool_t *pool)
 | ||||||
|                  } |                  } | ||||||
|              } |              } | ||||||
|  #endif |  #endif | ||||||
| @ -233,7 +233,7 @@ index 5242c2a..e2e028a 100644 | |||||||
|                  ++num_open; |                  ++num_open; | ||||||
|              } |              } | ||||||
|              else { |              else { | ||||||
| @@ -607,8 +733,28 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s)
 | @@ -641,8 +767,28 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s)
 | ||||||
|          } |          } | ||||||
|      } |      } | ||||||
|   |   | ||||||
| @ -264,7 +264,7 @@ index 5242c2a..e2e028a 100644 | |||||||
|      } |      } | ||||||
|   |   | ||||||
|      for (lr = ap_listeners; lr; lr = lr->next) { |      for (lr = ap_listeners; lr; lr = lr->next) { | ||||||
| @@ -698,7 +844,7 @@ AP_DECLARE(apr_status_t) ap_duplicate_listeners(apr_pool_t *p, server_rec *s,
 | @@ -732,7 +878,7 @@ AP_DECLARE(apr_status_t) ap_duplicate_listeners(apr_pool_t *p, server_rec *s,
 | ||||||
|                              duplr->bind_addr); |                              duplr->bind_addr); | ||||||
|                  return stat; |                  return stat; | ||||||
|              } |              } | ||||||
| @ -273,7 +273,7 @@ index 5242c2a..e2e028a 100644 | |||||||
|  #if AP_NONBLOCK_WHEN_MULTI_LISTEN |  #if AP_NONBLOCK_WHEN_MULTI_LISTEN | ||||||
|              use_nonblock = (ap_listeners && ap_listeners->next); |              use_nonblock = (ap_listeners && ap_listeners->next); | ||||||
|              stat = apr_socket_opt_set(duplr->sd, APR_SO_NONBLOCK, use_nonblock); |              stat = apr_socket_opt_set(duplr->sd, APR_SO_NONBLOCK, use_nonblock); | ||||||
| @@ -825,6 +971,11 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
 | @@ -859,6 +1005,11 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
 | ||||||
|      if (argc < 1 || argc > 2) { |      if (argc < 1 || argc > 2) { | ||||||
|          return "Listen requires 1 or 2 arguments."; |          return "Listen requires 1 or 2 arguments."; | ||||||
|      } |      } | ||||||
| @ -285,7 +285,7 @@ index 5242c2a..e2e028a 100644 | |||||||
|   |   | ||||||
|      rv = apr_parse_addr_port(&host, &scope_id, &port, argv[0], cmd->pool); |      rv = apr_parse_addr_port(&host, &scope_id, &port, argv[0], cmd->pool); | ||||||
|      if (rv != APR_SUCCESS) { |      if (rv != APR_SUCCESS) { | ||||||
| @@ -856,6 +1007,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
 | @@ -894,6 +1045,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
 | ||||||
|          ap_str_tolower(proto); |          ap_str_tolower(proto); | ||||||
|      } |      } | ||||||
|   |   | ||||||
| @ -295,6 +295,6 @@ index 5242c2a..e2e028a 100644 | |||||||
| +    }
 | +    }
 | ||||||
| +#endif
 | +#endif
 | ||||||
| +
 | +
 | ||||||
|      return alloc_listener(cmd->server->process, host, port, proto, NULL); |      return alloc_listener(cmd->server->process, host, port, proto, | ||||||
|  |                            scope_id, NULL, cmd->temp_pool); | ||||||
|  } |  } | ||||||
|   |  | ||||||
|  | |||||||
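Review bot: Only the hunk offsets and context lines of the nested server/listen.c patch appear to change here, while the updated context at the end of the last hunk shows that alloc_listener in 2.4.61 takes additional arguments (`const char *scope_id` in the signature and `scope_id, NULL, cmd->temp_pool` at the call site); the patch's own 117-line addition to listen.c (the `@@ -335,6 +344,123 @@` hunk) is collapsed in this view, so I cannot confirm it was adapted to that signature. If the added code creates listeners through alloc_listener it needs the new arguments too, otherwise the rebased patch no longer compiles; what scope_id should be for listeners the patch creates is for the author to confirm. It would also help to add a one-line note at the top of the patch file recording that it was rebased for the alloc_listener signature change in 2.4.61. The patch file's own header is not part of this view.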
| @ -1,14 +0,0 @@ | |||||||
| 
 |  | ||||||
| Upstream-Status: not pushed upstream |  | ||||||
| 
 |  | ||||||
| --- httpd-2.4.54/server/log.c.gettid
 |  | ||||||
| +++ httpd-2.4.54/server/log.c
 |  | ||||||
| @@ -968,7 +972,7 @@
 |  | ||||||
|  #if APR_HAS_THREADS |  | ||||||
|          field_start = len; |  | ||||||
|          len += cpystrn(buf + len, ":tid ", buflen - len); |  | ||||||
| -        item_len = log_tid(info, NULL, buf + len, buflen - len);
 |  | ||||||
| +        item_len = log_tid(info, "g", buf + len, buflen - len);
 |  | ||||||
|          if (!item_len) |  | ||||||
|              len = field_start; |  | ||||||
|          else |  | ||||||
| @ -1,244 +0,0 @@ | |||||||
| 
 |  | ||||||
| https://github.com/apache/httpd/pull/426.patch |  | ||||||
| 
 |  | ||||||
| Upstream-Status: in trunk, proposed for 2.4.60 |  | ||||||
| 
 |  | ||||||
| --- httpd-2.4.59/modules/ssl/ssl_engine_init.c.mr426
 |  | ||||||
| +++ httpd-2.4.59/modules/ssl/ssl_engine_init.c
 |  | ||||||
| @@ -880,6 +880,13 @@
 |  | ||||||
|      } |  | ||||||
|  #endif |  | ||||||
|   |  | ||||||
| +#ifdef SSL_OP_NO_RENEGOTIATION
 |  | ||||||
| +    /* For server-side SSL_CTX, disable renegotiation by default.. */
 |  | ||||||
| +    if (!mctx->pkp) {
 |  | ||||||
| +        SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
 |  | ||||||
| +    }
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|  #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF |  | ||||||
|      /* For server-side SSL_CTX, enable ignoring unexpected EOF */ |  | ||||||
|      /* (OpenSSL 1.1.1 behavioural compatibility).. */ |  | ||||||
| @@ -908,6 +915,14 @@
 |  | ||||||
|      } |  | ||||||
|  } |  | ||||||
|   |  | ||||||
| +#ifdef SSL_OP_NO_RENEGOTIATION
 |  | ||||||
| +/* OpenSSL-level renegotiation protection. */
 |  | ||||||
| +#define MODSSL_BLOCKS_RENEG (0)
 |  | ||||||
| +#else
 |  | ||||||
| +/* mod_ssl-level renegotiation protection. */
 |  | ||||||
| +#define MODSSL_BLOCKS_RENEG (1)
 |  | ||||||
| +#endif
 |  | ||||||
| +
 |  | ||||||
|  static void ssl_init_ctx_callbacks(server_rec *s, |  | ||||||
|                                     apr_pool_t *p, |  | ||||||
|                                     apr_pool_t *ptemp, |  | ||||||
| @@ -921,7 +936,13 @@
 |  | ||||||
|      SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH); |  | ||||||
|  #endif |  | ||||||
|   |  | ||||||
| -    SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
 |  | ||||||
| +    /* The info callback is used for debug-level tracing.  For OpenSSL
 |  | ||||||
| +     * versions where SSL_OP_NO_RENEGOTIATION is not available, the
 |  | ||||||
| +     * callback is also used to prevent use of client-initiated
 |  | ||||||
| +     * renegotiation.  Enable it in either case. */
 |  | ||||||
| +    if (APLOGdebug(s) || MODSSL_BLOCKS_RENEG) {
 |  | ||||||
| +        SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
 |  | ||||||
| +    }
 |  | ||||||
|   |  | ||||||
|  #ifdef HAVE_TLS_ALPN |  | ||||||
|      SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL); |  | ||||||
| --- httpd-2.4.59/modules/ssl/ssl_engine_io.c.mr426
 |  | ||||||
| +++ httpd-2.4.59/modules/ssl/ssl_engine_io.c
 |  | ||||||
| @@ -208,11 +208,13 @@
 |  | ||||||
|   |  | ||||||
|      BIO_clear_retry_flags(bio); |  | ||||||
|   |  | ||||||
| +#ifndef SSL_OP_NO_RENEGOTIATION
 |  | ||||||
|      /* Abort early if the client has initiated a renegotiation. */ |  | ||||||
|      if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) { |  | ||||||
|          outctx->rc = APR_ECONNABORTED; |  | ||||||
|          return -1; |  | ||||||
|      } |  | ||||||
| +#endif
 |  | ||||||
|   |  | ||||||
|      ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c, |  | ||||||
|                    "bio_filter_out_write: %i bytes", inl); |  | ||||||
| @@ -473,11 +475,13 @@
 |  | ||||||
|   |  | ||||||
|      BIO_clear_retry_flags(bio); |  | ||||||
|   |  | ||||||
| +#ifndef SSL_OP_NO_RENEGOTIATION
 |  | ||||||
|      /* Abort early if the client has initiated a renegotiation. */ |  | ||||||
|      if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) { |  | ||||||
|          inctx->rc = APR_ECONNABORTED; |  | ||||||
|          return -1; |  | ||||||
|      } |  | ||||||
| +#endif
 |  | ||||||
|   |  | ||||||
|      if (!inctx->bb) { |  | ||||||
|          inctx->rc = APR_EOF; |  | ||||||
| --- httpd-2.4.59/modules/ssl/ssl_engine_kernel.c.mr426
 |  | ||||||
| +++ httpd-2.4.59/modules/ssl/ssl_engine_kernel.c
 |  | ||||||
| @@ -992,7 +992,7 @@
 |  | ||||||
|   |  | ||||||
|              /* Toggle the renegotiation state to allow the new |  | ||||||
|               * handshake to proceed. */ |  | ||||||
| -            sslconn->reneg_state = RENEG_ALLOW;
 |  | ||||||
| +            modssl_set_reneg_state(sslconn, RENEG_ALLOW);
 |  | ||||||
|   |  | ||||||
|              SSL_renegotiate(ssl); |  | ||||||
|              SSL_do_handshake(ssl); |  | ||||||
| @@ -1019,7 +1019,7 @@
 |  | ||||||
|               */ |  | ||||||
|              SSL_peek(ssl, peekbuf, 0); |  | ||||||
|   |  | ||||||
| -            sslconn->reneg_state = RENEG_REJECT;
 |  | ||||||
| +            modssl_set_reneg_state(sslconn, RENEG_REJECT);
 |  | ||||||
|   |  | ||||||
|              if (!SSL_is_init_finished(ssl)) { |  | ||||||
|                  ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261) |  | ||||||
| @@ -1078,7 +1078,7 @@
 |  | ||||||
|          (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) { |  | ||||||
|          int vmode_inplace, vmode_needed; |  | ||||||
|          int change_vmode = FALSE; |  | ||||||
| -        int old_state, n, rc;
 |  | ||||||
| +        int n, rc;
 |  | ||||||
|   |  | ||||||
|          vmode_inplace = SSL_get_verify_mode(ssl); |  | ||||||
|          vmode_needed = SSL_VERIFY_NONE; |  | ||||||
| @@ -1180,8 +1180,6 @@
 |  | ||||||
|                  return HTTP_FORBIDDEN; |  | ||||||
|              } |  | ||||||
|               |  | ||||||
| -            old_state = sslconn->reneg_state;
 |  | ||||||
| -            sslconn->reneg_state = RENEG_ALLOW;
 |  | ||||||
|              modssl_set_app_data2(ssl, r); |  | ||||||
|   |  | ||||||
|              SSL_do_handshake(ssl); |  | ||||||
| @@ -1191,7 +1189,6 @@
 |  | ||||||
|               */ |  | ||||||
|              SSL_peek(ssl, peekbuf, 0); |  | ||||||
|   |  | ||||||
| -            sslconn->reneg_state = old_state;
 |  | ||||||
|              modssl_set_app_data2(ssl, NULL); |  | ||||||
|   |  | ||||||
|              /* |  | ||||||
| @@ -2263,8 +2260,8 @@
 |  | ||||||
|  /* |  | ||||||
|   * This callback function is executed while OpenSSL processes the SSL |  | ||||||
|   * handshake and does SSL record layer stuff.  It's used to trap |  | ||||||
| - * client-initiated renegotiations, and for dumping everything to the
 |  | ||||||
| - * log.
 |  | ||||||
| + * client-initiated renegotiations (where SSL_OP_NO_RENEGOTIATION is
 |  | ||||||
| + * not available), and for dumping everything to the log.
 |  | ||||||
|   */ |  | ||||||
|  void ssl_callback_Info(const SSL *ssl, int where, int rc) |  | ||||||
|  { |  | ||||||
| @@ -2276,14 +2273,12 @@
 |  | ||||||
|          return; |  | ||||||
|      } |  | ||||||
|   |  | ||||||
| -    /* With TLS 1.3 this callback may be called multiple times on the first
 |  | ||||||
| -     * negotiation, so the below logic to detect renegotiations can't work.
 |  | ||||||
| -     * Fortunately renegotiations are forbidden starting with TLS 1.3, and
 |  | ||||||
| -     * this is enforced by OpenSSL so there's nothing to be done here.
 |  | ||||||
| -     */
 |  | ||||||
| -#if SSL_HAVE_PROTOCOL_TLSV1_3
 |  | ||||||
| -    if (SSL_version(ssl) < TLS1_3_VERSION)
 |  | ||||||
| -#endif
 |  | ||||||
| +#ifndef SSL_OP_NO_RENEGOTIATION
 |  | ||||||
| +    /* With OpenSSL < 1.1.1 (implying TLS v1.2 or earlier), this
 |  | ||||||
| +     * callback is used to block client-initiated renegotiation.  With
 |  | ||||||
| +     * TLSv1.3 it is unnecessary since renegotiation is forbidden at
 |  | ||||||
| +     * protocol level.  Otherwise (TLSv1.2 with OpenSSL >=1.1.1),
 |  | ||||||
| +     * SSL_OP_NO_RENEGOTIATION is used to block renegotiation. */
 |  | ||||||
|      { |  | ||||||
|          SSLConnRec *sslconn; |  | ||||||
|   |  | ||||||
| @@ -2308,6 +2303,7 @@
 |  | ||||||
|              sslconn->reneg_state = RENEG_REJECT; |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
| +#endif
 |  | ||||||
|   |  | ||||||
|      s = mySrvFromConn(c); |  | ||||||
|      if (s && APLOGdebug(s)) { |  | ||||||
| --- httpd-2.4.59/modules/ssl/ssl_private.h.mr426
 |  | ||||||
| +++ httpd-2.4.59/modules/ssl/ssl_private.h
 |  | ||||||
| @@ -558,6 +558,16 @@
 |  | ||||||
|      apr_time_t     source_mtime; |  | ||||||
|  } ssl_asn1_t; |  | ||||||
|   |  | ||||||
| +typedef enum {
 |  | ||||||
| +    RENEG_INIT = 0, /* Before initial handshake */
 |  | ||||||
| +    RENEG_REJECT,   /* After initial handshake; any client-initiated
 |  | ||||||
| +                     * renegotiation should be rejected */
 |  | ||||||
| +    RENEG_ALLOW,    /* A server-initiated renegotiation is taking
 |  | ||||||
| +                     * place (as dictated by configuration) */
 |  | ||||||
| +    RENEG_ABORT     /* Renegotiation initiated by client, abort the
 |  | ||||||
| +                     * connection */
 |  | ||||||
| +} modssl_reneg_state;
 |  | ||||||
| +
 |  | ||||||
|  /** |  | ||||||
|   * Define the mod_ssl per-module configuration structure |  | ||||||
|   * (i.e. the global configuration for each httpd process) |  | ||||||
| @@ -589,18 +599,13 @@
 |  | ||||||
|          NON_SSL_SET_ERROR_MSG  /* Need to set the error message */ |  | ||||||
|      } non_ssl_request; |  | ||||||
|   |  | ||||||
| -    /* Track the handshake/renegotiation state for the connection so
 |  | ||||||
| -     * that all client-initiated renegotiations can be rejected, as a
 |  | ||||||
| -     * partial fix for CVE-2009-3555. */
 |  | ||||||
| -    enum {
 |  | ||||||
| -        RENEG_INIT = 0, /* Before initial handshake */
 |  | ||||||
| -        RENEG_REJECT,   /* After initial handshake; any client-initiated
 |  | ||||||
| -                         * renegotiation should be rejected */
 |  | ||||||
| -        RENEG_ALLOW,    /* A server-initiated renegotiation is taking
 |  | ||||||
| -                         * place (as dictated by configuration) */
 |  | ||||||
| -        RENEG_ABORT     /* Renegotiation initiated by client, abort the
 |  | ||||||
| -                         * connection */
 |  | ||||||
| -    } reneg_state;
 |  | ||||||
| +#ifndef SSL_OP_NO_RENEGOTIATION
 |  | ||||||
| +    /* For OpenSSL < 1.1.1, track the handshake/renegotiation state
 |  | ||||||
| +     * for the connection to block client-initiated renegotiations.
 |  | ||||||
| +     * For OpenSSL >=1.1.1, the SSL_OP_NO_RENEGOTIATION flag is used in
 |  | ||||||
| +     * the SSL * options state with equivalent effect. */
 |  | ||||||
| +    modssl_reneg_state reneg_state;
 |  | ||||||
| +#endif
 |  | ||||||
|   |  | ||||||
|      server_rec *server; |  | ||||||
|      SSLDirConfigRec *dc; |  | ||||||
| @@ -1207,6 +1212,9 @@
 |  | ||||||
|   * the configured ENGINE. */ |  | ||||||
|  int modssl_is_engine_id(const char *name); |  | ||||||
|   |  | ||||||
| +/* Set the renegotation state for connection. */
 |  | ||||||
| +void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state);
 |  | ||||||
| +
 |  | ||||||
|  #endif /* SSL_PRIVATE_H */ |  | ||||||
|  /** @} */ |  | ||||||
|   |  | ||||||
| --- httpd-2.4.59/modules/ssl/ssl_util_ssl.c.mr426
 |  | ||||||
| +++ httpd-2.4.59/modules/ssl/ssl_util_ssl.c
 |  | ||||||
| @@ -612,3 +612,19 @@
 |  | ||||||
|      } |  | ||||||
|      return rv; |  | ||||||
|  } |  | ||||||
| +
 |  | ||||||
| +void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state)
 |  | ||||||
| +{
 |  | ||||||
| +#ifdef SSL_OP_NO_RENEGOTIATION
 |  | ||||||
| +    switch (state) {
 |  | ||||||
| +    case RENEG_ALLOW:
 |  | ||||||
| +        SSL_clear_options(sslconn->ssl, SSL_OP_NO_RENEGOTIATION);
 |  | ||||||
| +        break;
 |  | ||||||
| +    default:
 |  | ||||||
| +        SSL_set_options(sslconn->ssl, SSL_OP_NO_RENEGOTIATION);
 |  | ||||||
| +        break;
 |  | ||||||
| +    }
 |  | ||||||
| +#else
 |  | ||||||
| +    sslconn->reneg_state = state;
 |  | ||||||
| +#endif
 |  | ||||||
| +}
 |  | ||||||
| @ -1,54 +0,0 @@ | |||||||
| # ./pullrev.sh 1916863 |  | ||||||
| http://svn.apache.org/viewvc?view=revision&revision=1916863 |  | ||||||
| 
 |  | ||||||
| Upstream-Status: in trunk, not proposed for 2.4.x |  | ||||||
| 
 |  | ||||||
| --- httpd-2.4.59/modules/ssl/ssl_engine_init.c
 |  | ||||||
| +++ httpd-2.4.59/modules/ssl/ssl_engine_init.c
 |  | ||||||
| @@ -1416,6 +1416,7 @@
 |  | ||||||
|      const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; |  | ||||||
|      int i; |  | ||||||
|      EVP_PKEY *pkey; |  | ||||||
| +    int custom_dh_done = 0;
 |  | ||||||
|  #ifdef HAVE_ECC |  | ||||||
|      EC_GROUP *ecgroup = NULL; |  | ||||||
|      int curve_nid = 0; |  | ||||||
| @@ -1591,14 +1592,14 @@
 |  | ||||||
|       */ |  | ||||||
|      certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); |  | ||||||
|      if (certfile && !modssl_is_engine_id(certfile)) { |  | ||||||
| -        int done = 0, num_bits = 0;
 |  | ||||||
| +        int num_bits = 0;
 |  | ||||||
|  #if OPENSSL_VERSION_NUMBER < 0x30000000L |  | ||||||
|          DH *dh = modssl_dh_from_file(certfile); |  | ||||||
|          if (dh) { |  | ||||||
|              num_bits = DH_bits(dh); |  | ||||||
|              SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); |  | ||||||
|              DH_free(dh); |  | ||||||
| -            done = 1;
 |  | ||||||
| +            custom_dh_done = 1;
 |  | ||||||
|          } |  | ||||||
|  #else |  | ||||||
|          pkey = modssl_dh_pkey_from_file(certfile); |  | ||||||
| @@ -1608,18 +1609,18 @@
 |  | ||||||
|                  EVP_PKEY_free(pkey); |  | ||||||
|              } |  | ||||||
|              else { |  | ||||||
| -                done = 1;
 |  | ||||||
| +                custom_dh_done = 1;
 |  | ||||||
|              } |  | ||||||
|          } |  | ||||||
|  #endif |  | ||||||
| -        if (done) {
 |  | ||||||
| +        if (custom_dh_done) {
 |  | ||||||
|              ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) |  | ||||||
|                           "Custom DH parameters (%d bits) for %s loaded from %s", |  | ||||||
|                           num_bits, vhost_id, certfile); |  | ||||||
|          } |  | ||||||
|      } |  | ||||||
|  #if !MODSSL_USE_OPENSSL_PRE_1_1_API |  | ||||||
| -    else {
 |  | ||||||
| +    if (!custom_dh_done) {
 |  | ||||||
|          /* If no parameter is manually configured, enable auto |  | ||||||
|           * selection. */ |  | ||||||
|          SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1); |  | ||||||
										
											
												File diff suppressed because it is too large
												Load Diff
											
										
									
								
							
							
								
								
									
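--- a/httpd.spec
+++ b/httpd.spec
@@ -24,8 +24,8 @@
 
 Summary: Apache HTTP Server
 Name: httpd
-Version: 2.4.59
-Release: 4.4%{?dist}
+Version: 2.4.61
+Release: 1%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -87,25 +87,21 @@ Patch20: httpd-2.4.48-r1842929+.patch
 Patch21: httpd-2.4.43-mod_systemd.patch
 Patch22: httpd-2.4.53-export.patch
 Patch23: httpd-2.4.43-corelimit.patch
-Patch24: httpd-2.4.59-gettid.patch
-Patch25: httpd-2.4.54-icons.patch
-Patch26: httpd-2.4.43-cachehardmax.patch
-Patch27: httpd-2.4.43-socket-activation.patch
-Patch28: httpd-2.4.43-sslciphdefault.patch
+Patch24: httpd-2.4.54-icons.patch
+Patch25: httpd-2.4.43-cachehardmax.patch
+Patch26: httpd-2.4.43-socket-activation.patch
+Patch27: httpd-2.4.43-sslciphdefault.patch
 Patch29: httpd-2.4.43-sslprotdefault.patch
-Patch31: httpd-2.4.59-unifycgid.patch
-Patch32: httpd-2.4.43-logjournal.patch
-Patch33: httpd-2.4.53-separate-systemd-fns.patch
-Patch34: httpd-2.4.58-r1912477+.patch
-Patch36: httpd-2.4.58-r1914365.patch
-Patch37: httpd-2.4.54-selinux.patch
+Patch30: httpd-2.4.43-logjournal.patch
+Patch31: httpd-2.4.53-separate-systemd-fns.patch
+Patch32: httpd-2.4.58-r1912477+.patch
+Patch33: httpd-2.4.58-r1914365.patch
+Patch34: httpd-2.4.54-selinux.patch
 
 # Bug fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch60: httpd-2.4.43-enable-sslv3.patch
-Patch61: httpd-2.4.59-r1916863.patch
-Patch62: httpd-2.4.59-pr426.patch
-Patch63: httpd-2.4.59-no-engine.patch
+Patch61: httpd-2.4.59-no-engine.patch
 
 # Security fixes
 # Patch200: ...
@@ -829,6 +825,19 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Wed Jul 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.61-1
+- new version 2.4.61
+- Resolves: RHEL-45753 - httpd: Potential SSRF in 
+  mod_rewrite (CVE-2024-39573)
+- Resolves: RHEL-45757 - httpd: null pointer dereference in
+  mod_proxy (CVE-2024-38477)
+- Resolves: RHEL-45776 - httpd: Improper escaping of output in
+  mod_rewrite (CVE-2024-38475)
+- Resolves: RHEL-45791 - httpd: Encoding problem in 
+  mod_proxy (CVE-2024-38473)
+- Resolves: RHEL-45811 - httpd: Substitution encoding issue in 
+  mod_rewrite (CVE-2024-38474)
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.59-4.4
 - Bump release for June 2024 mass rebuild
 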
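Review bot: The new changelog entry records only the CVE bugs and says nothing about the four downstream patches the Patch-list hunk drops (httpd-2.4.59-gettid, -unifycgid, -pr426 and -r1916863), so a reader cannot tell whether they were upstreamed in 2.4.60/2.4.61 or silently lost. The pr426 patch's own header says "in trunk, proposed for 2.4.60", but the r1916863 patch's header says "in trunk, not proposed for 2.4.x", so removing it (the custom_dh_done / SSL_CTX_set_dh_auto fix in ssl_engine_init.c) needs an explicit justification or a check against the 2.4.61 CHANGES file. Once confirmed, I would add a changelog line such as `- drop gettid, unifycgid, pr426 and r1916863 patches (merged upstream)`. Note also that the renumbering leaves Patch28 unused and touches nothing in %prep (the three hunks shown account for all 41 changed lines), which is only correct if the spec applies patches with %autopatch rather than explicit per-number %patch lines.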
							
								
								
									
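--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
+SHA512 (httpd-2.4.61.tar.bz2) = 00656220ecc2b80788f539536553f0a3a57602fb981be22e63af87d0f98ffe5da3056e722ce52ae8cf9c2111ad1922b3aaea1fd7d69d0ed76795199203d593ff
+SHA512 (httpd-2.4.61.tar.bz2.asc) = fed6eb8ed866eba25c64bf89e959bca3dcc548134340c1c8cedbd78b93223dfd641fb2e6ab0d82f129504f7caf6f579b6f40ad03267fc9018efb0779ffcb2f64
 SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192
-SHA512 (httpd-2.4.59.tar.bz2) = 209da0bbac5e2564d4590302515b35495be6402273ff4024aa93e85e44554c95e053201d606383936425a41e1b5b97e6b40055dcbb385eb691a5029a6f3158c2
-SHA512 (httpd-2.4.59.tar.bz2.asc) = 85237e204e57d930e2b7a85a21f8d593e81895f96350c3a345978538a536f3c0614ba89256905c0aa558880fc6fb10608b8dd7cbd026af326b1d83601c267f2d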