new version 2.4.61

2024-07-03 21:31:08 +02:00 · 2024-07-03 21:31:08 +02:00 · 6ad1ffded3
commit 6ad1ffded3
parent 14ca0d5a20
8 changed files with 42 additions and 2713 deletions
--- a/.gitignore
+++ b/.gitignore
@ -50,3 +50,4 @@ x86_64
 /httpd-2.4.57.tar.bz2.asc
 /httpd-2.4.58.tar.bz2.asc
 /httpd-2.4.59.tar.bz2.asc
 /httpd-2.4.61.tar.bz2.asc
--- a/httpd-2.4.43-socket-activation.patch
+++ b/httpd-2.4.43-socket-activation.patch
@ -1,8 +1,8 @@
 diff --git a/server/listen.c b/server/listen.c
-index 5242c2a..e2e028a 100644
+index 9577d60..d718db1 100644
 --- a/server/listen.c
 +++ b/server/listen.c
-@@ -34,6 +34,10 @@
+@@ -35,6 +35,10 @@
 #include <unistd.h>
 #endif
@ -13,7 +13,7 @@ index 5242c2a..e2e028a 100644
 /* we know core's module_index is 0 */
 #undef APLOG_MODULE_INDEX
 #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
-@@ -59,9 +63,12 @@ static int ap_listenbacklog;
+@@ -60,9 +64,12 @@ static int ap_listenbacklog;
 static int ap_listencbratio;
 static int send_buffer_size;
 static int receive_buffer_size;
@ -27,7 +27,7 @@ index 5242c2a..e2e028a 100644
 {
     apr_socket_t *s = server->sd;
     int one = 1;
-@@ -94,20 +101,6 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
+@@ -95,20 +102,6 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
         return stat;
     }
@ -48,7 +48,7 @@ index 5242c2a..e2e028a 100644
     /*
      * To send data over high bandwidth-delay connections at full
      * speed we must force the TCP window to open wide enough to keep the
-@@ -169,21 +162,37 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
+@@ -170,21 +163,37 @@ static apr_status_t make_sock(apr_pool_t *p, ap_listen_rec *server)
     }
 #endif
@ -100,7 +100,7 @@ index 5242c2a..e2e028a 100644
     }
 #ifdef WIN32
-@@ -315,6 +324,123 @@ static int find_listeners(ap_listen_rec **from, ap_listen_rec **to,
+@@ -335,6 +344,123 @@ static int find_listeners(ap_listen_rec **from, ap_listen_rec **to,
     return found;
 }
@ -223,8 +223,8 @@ index 5242c2a..e2e028a 100644
 +
 static const char *alloc_listener(process_rec *process, const char *addr,
                                   apr_port_t port, const char* proto,
-                                   void *slave)
+                                   const char *scope_id, void *slave,
-@@ -495,7 +621,7 @@ static int open_listeners(apr_pool_t *pool)
+@@ -529,7 +655,7 @@ static int open_listeners(apr_pool_t *pool)
                 }
             }
 #endif
@ -233,7 +233,7 @@ index 5242c2a..e2e028a 100644
                 ++num_open;
             }
             else {
-@@ -607,8 +733,28 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s)
+@@ -641,8 +767,28 @@ AP_DECLARE(int) ap_setup_listeners(server_rec *s)
         }
     }
@ -264,7 +264,7 @@ index 5242c2a..e2e028a 100644
     }
     for (lr = ap_listeners; lr; lr = lr->next) {
-@@ -698,7 +844,7 @@ AP_DECLARE(apr_status_t) ap_duplicate_listeners(apr_pool_t *p, server_rec *s,
+@@ -732,7 +878,7 @@ AP_DECLARE(apr_status_t) ap_duplicate_listeners(apr_pool_t *p, server_rec *s,
                             duplr->bind_addr);
                 return stat;
             }
@ -273,7 +273,7 @@ index 5242c2a..e2e028a 100644
 #if AP_NONBLOCK_WHEN_MULTI_LISTEN
             use_nonblock = (ap_listeners && ap_listeners->next);
             stat = apr_socket_opt_set(duplr->sd, APR_SO_NONBLOCK, use_nonblock);
-@@ -825,6 +971,11 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
+@@ -859,6 +1005,11 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
     if (argc < 1 || argc > 2) {
         return "Listen requires 1 or 2 arguments.";
     }
@ -285,7 +285,7 @@ index 5242c2a..e2e028a 100644
     rv = apr_parse_addr_port(&host, &scope_id, &port, argv[0], cmd->pool);
     if (rv != APR_SUCCESS) {
-@@ -856,6 +1007,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
+@@ -894,6 +1045,12 @@ AP_DECLARE_NONSTD(const char *) ap_set_listener(cmd_parms *cmd, void *dummy,
         ap_str_tolower(proto);
     }
@ -295,6 +295,6 @@ index 5242c2a..e2e028a 100644
 +    }
 +#endif
 +
-     return alloc_listener(cmd->server->process, host, port, proto, NULL);
+     return alloc_listener(cmd->server->process, host, port, proto,
                           scope_id, NULL, cmd->temp_pool);
 }
--- a/httpd-2.4.59-gettid.patch
+++ b/httpd-2.4.59-gettid.patch
@ -1,14 +0,0 @@
 Upstream-Status: not pushed upstream
 --- httpd-2.4.54/server/log.c.gettid
 +++ httpd-2.4.54/server/log.c
@@ -968,7 +972,7 @@
 #if APR_HAS_THREADS
         field_start = len;
         len += cpystrn(buf + len, ":tid ", buflen - len);
 -        item_len = log_tid(info, NULL, buf + len, buflen - len);
 +        item_len = log_tid(info, "g", buf + len, buflen - len);
         if (!item_len)
             len = field_start;
         else
--- a/httpd-2.4.59-pr426.patch
+++ b/httpd-2.4.59-pr426.patch
@ -1,244 +0,0 @@
 https://github.com/apache/httpd/pull/426.patch
 Upstream-Status: in trunk, proposed for 2.4.60
 --- httpd-2.4.59/modules/ssl/ssl_engine_init.c.mr426
 +++ httpd-2.4.59/modules/ssl/ssl_engine_init.c
@@ -880,6 +880,13 @@
     }
 #endif
 +#ifdef SSL_OP_NO_RENEGOTIATION
 +    /* For server-side SSL_CTX, disable renegotiation by default.. */
 +    if (!mctx->pkp) {
 +        SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION);
 +    }
 +#endif
 +
 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
     /* For server-side SSL_CTX, enable ignoring unexpected EOF */
     /* (OpenSSL 1.1.1 behavioural compatibility).. */
@@ -908,6 +915,14 @@
     }
 }
 +#ifdef SSL_OP_NO_RENEGOTIATION
 +/* OpenSSL-level renegotiation protection. */
 +#define MODSSL_BLOCKS_RENEG (0)
 +#else
 +/* mod_ssl-level renegotiation protection. */
 +#define MODSSL_BLOCKS_RENEG (1)
 +#endif
 +
 static void ssl_init_ctx_callbacks(server_rec *s,
                                    apr_pool_t *p,
                                    apr_pool_t *ptemp,
@@ -921,7 +936,13 @@
     SSL_CTX_set_tmp_dh_callback(ctx,  ssl_callback_TmpDH);
 #endif
 -    SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
 +    /* The info callback is used for debug-level tracing.  For OpenSSL
 +     * versions where SSL_OP_NO_RENEGOTIATION is not available, the
 +     * callback is also used to prevent use of client-initiated
 +     * renegotiation.  Enable it in either case. */
 +    if (APLOGdebug(s) || MODSSL_BLOCKS_RENEG) {
 +        SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
 +    }
 #ifdef HAVE_TLS_ALPN
     SSL_CTX_set_alpn_select_cb(ctx, ssl_callback_alpn_select, NULL);
 --- httpd-2.4.59/modules/ssl/ssl_engine_io.c.mr426
 +++ httpd-2.4.59/modules/ssl/ssl_engine_io.c
@@ -208,11 +208,13 @@
     BIO_clear_retry_flags(bio);
 +#ifndef SSL_OP_NO_RENEGOTIATION
     /* Abort early if the client has initiated a renegotiation. */
     if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
         outctx->rc = APR_ECONNABORTED;
         return -1;
     }
 +#endif
     ap_log_cerror(APLOG_MARK, APLOG_TRACE6, 0, outctx->c,
                   "bio_filter_out_write: %i bytes", inl);
@@ -473,11 +475,13 @@
     BIO_clear_retry_flags(bio);
 +#ifndef SSL_OP_NO_RENEGOTIATION
     /* Abort early if the client has initiated a renegotiation. */
     if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
         inctx->rc = APR_ECONNABORTED;
         return -1;
     }
 +#endif
     if (!inctx->bb) {
         inctx->rc = APR_EOF;
 --- httpd-2.4.59/modules/ssl/ssl_engine_kernel.c.mr426
 +++ httpd-2.4.59/modules/ssl/ssl_engine_kernel.c
@@ -992,7 +992,7 @@
             /* Toggle the renegotiation state to allow the new
              * handshake to proceed. */
 -            sslconn->reneg_state = RENEG_ALLOW;
 +            modssl_set_reneg_state(sslconn, RENEG_ALLOW);
             SSL_renegotiate(ssl);
             SSL_do_handshake(ssl);
@@ -1019,7 +1019,7 @@
              */
             SSL_peek(ssl, peekbuf, 0);
 -            sslconn->reneg_state = RENEG_REJECT;
 +            modssl_set_reneg_state(sslconn, RENEG_REJECT);
             if (!SSL_is_init_finished(ssl)) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02261)
@@ -1078,7 +1078,7 @@
         (sc->server->auth.verify_mode != SSL_CVERIFY_UNSET)) {
         int vmode_inplace, vmode_needed;
         int change_vmode = FALSE;
 -        int old_state, n, rc;
 +        int n, rc;
         vmode_inplace = SSL_get_verify_mode(ssl);
         vmode_needed = SSL_VERIFY_NONE;
@@ -1180,8 +1180,6 @@
                 return HTTP_FORBIDDEN;
             }
 -            old_state = sslconn->reneg_state;
 -            sslconn->reneg_state = RENEG_ALLOW;
             modssl_set_app_data2(ssl, r);
             SSL_do_handshake(ssl);
@@ -1191,7 +1189,6 @@
              */
             SSL_peek(ssl, peekbuf, 0);
 -            sslconn->reneg_state = old_state;
             modssl_set_app_data2(ssl, NULL);
             /*
@@ -2263,8 +2260,8 @@
 /*
  * This callback function is executed while OpenSSL processes the SSL
  * handshake and does SSL record layer stuff.  It's used to trap
 - * client-initiated renegotiations, and for dumping everything to the
 - * log.
 + * client-initiated renegotiations (where SSL_OP_NO_RENEGOTIATION is
 + * not available), and for dumping everything to the log.
  */
 void ssl_callback_Info(const SSL *ssl, int where, int rc)
 {
@@ -2276,14 +2273,12 @@
         return;
     }
 -    /* With TLS 1.3 this callback may be called multiple times on the first
 -     * negotiation, so the below logic to detect renegotiations can't work.
 -     * Fortunately renegotiations are forbidden starting with TLS 1.3, and
 -     * this is enforced by OpenSSL so there's nothing to be done here.
 -     */
 -#if SSL_HAVE_PROTOCOL_TLSV1_3
 -    if (SSL_version(ssl) < TLS1_3_VERSION)
 -#endif
 +#ifndef SSL_OP_NO_RENEGOTIATION
 +    /* With OpenSSL < 1.1.1 (implying TLS v1.2 or earlier), this
 +     * callback is used to block client-initiated renegotiation.  With
 +     * TLSv1.3 it is unnecessary since renegotiation is forbidden at
 +     * protocol level.  Otherwise (TLSv1.2 with OpenSSL >=1.1.1),
 +     * SSL_OP_NO_RENEGOTIATION is used to block renegotiation. */
     {
         SSLConnRec *sslconn;
@@ -2308,6 +2303,7 @@
             sslconn->reneg_state = RENEG_REJECT;
         }
     }
 +#endif
     s = mySrvFromConn(c);
     if (s && APLOGdebug(s)) {
 --- httpd-2.4.59/modules/ssl/ssl_private.h.mr426
 +++ httpd-2.4.59/modules/ssl/ssl_private.h
@@ -558,6 +558,16 @@
     apr_time_t     source_mtime;
 } ssl_asn1_t;
 +typedef enum {
 +    RENEG_INIT = 0, /* Before initial handshake */
 +    RENEG_REJECT,   /* After initial handshake; any client-initiated
 +                     * renegotiation should be rejected */
 +    RENEG_ALLOW,    /* A server-initiated renegotiation is taking
 +                     * place (as dictated by configuration) */
 +    RENEG_ABORT     /* Renegotiation initiated by client, abort the
 +                     * connection */
 +} modssl_reneg_state;
 +
 /**
  * Define the mod_ssl per-module configuration structure
  * (i.e. the global configuration for each httpd process)
@@ -589,18 +599,13 @@
         NON_SSL_SET_ERROR_MSG  /* Need to set the error message */
     } non_ssl_request;
 -    /* Track the handshake/renegotiation state for the connection so
 -     * that all client-initiated renegotiations can be rejected, as a
 -     * partial fix for CVE-2009-3555. */
 -    enum {
 -        RENEG_INIT = 0, /* Before initial handshake */
 -        RENEG_REJECT,   /* After initial handshake; any client-initiated
 -                         * renegotiation should be rejected */
 -        RENEG_ALLOW,    /* A server-initiated renegotiation is taking
 -                         * place (as dictated by configuration) */
 -        RENEG_ABORT     /* Renegotiation initiated by client, abort the
 -                         * connection */
 -    } reneg_state;
 +#ifndef SSL_OP_NO_RENEGOTIATION
 +    /* For OpenSSL < 1.1.1, track the handshake/renegotiation state
 +     * for the connection to block client-initiated renegotiations.
 +     * For OpenSSL >=1.1.1, the SSL_OP_NO_RENEGOTIATION flag is used in
 +     * the SSL * options state with equivalent effect. */
 +    modssl_reneg_state reneg_state;
 +#endif
     server_rec *server;
     SSLDirConfigRec *dc;
@@ -1207,6 +1212,9 @@
  * the configured ENGINE. */
 int modssl_is_engine_id(const char *name);
 +/* Set the renegotation state for connection. */
 +void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state);
 +
 #endif /* SSL_PRIVATE_H */
 /** @} */
 --- httpd-2.4.59/modules/ssl/ssl_util_ssl.c.mr426
 +++ httpd-2.4.59/modules/ssl/ssl_util_ssl.c
@@ -612,3 +612,19 @@
     }
     return rv;
 }
 +
 +void modssl_set_reneg_state(SSLConnRec *sslconn, modssl_reneg_state state)
 +{
 +#ifdef SSL_OP_NO_RENEGOTIATION
 +    switch (state) {
 +    case RENEG_ALLOW:
 +        SSL_clear_options(sslconn->ssl, SSL_OP_NO_RENEGOTIATION);
 +        break;
 +    default:
 +        SSL_set_options(sslconn->ssl, SSL_OP_NO_RENEGOTIATION);
 +        break;
 +    }
 +#else
 +    sslconn->reneg_state = state;
 +#endif
 +}
--- a/httpd-2.4.59-r1916863.patch
+++ b/httpd-2.4.59-r1916863.patch
@ -1,54 +0,0 @@
 # ./pullrev.sh 1916863
 http://svn.apache.org/viewvc?view=revision&revision=1916863
 Upstream-Status: in trunk, not proposed for 2.4.x
 --- httpd-2.4.59/modules/ssl/ssl_engine_init.c
 +++ httpd-2.4.59/modules/ssl/ssl_engine_init.c
@@ -1416,6 +1416,7 @@
     const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile;
     int i;
     EVP_PKEY *pkey;
 +    int custom_dh_done = 0;
 #ifdef HAVE_ECC
     EC_GROUP *ecgroup = NULL;
     int curve_nid = 0;
@@ -1591,14 +1592,14 @@
      */
     certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *);
     if (certfile && !modssl_is_engine_id(certfile)) {
 -        int done = 0, num_bits = 0;
 +        int num_bits = 0;
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
         DH *dh = modssl_dh_from_file(certfile);
         if (dh) {
             num_bits = DH_bits(dh);
             SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh);
             DH_free(dh);
 -            done = 1;
 +            custom_dh_done = 1;
         }
 #else
         pkey = modssl_dh_pkey_from_file(certfile);
@@ -1608,18 +1609,18 @@
                 EVP_PKEY_free(pkey);
             }
             else {
 -                done = 1;
 +                custom_dh_done = 1;
             }
         }
 #endif
 -        if (done) {
 +        if (custom_dh_done) {
             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540)
                          "Custom DH parameters (%d bits) for %s loaded from %s",
                          num_bits, vhost_id, certfile);
         }
     }
 #if !MODSSL_USE_OPENSSL_PRE_1_1_API
 -    else {
 +    if (!custom_dh_done) {
         /* If no parameter is manually configured, enable auto
          * selection. */
         SSL_CTX_set_dh_auto(mctx->ssl_ctx, 1);
--- a/httpd-2.4.59-unifycgid.patch
+++ b/httpd-2.4.59-unifycgid.patch
--- a/httpd.spec
+++ b/httpd.spec
@ -24,8 +24,8 @@
 Summary: Apache HTTP Server
 Name: httpd
-Version: 2.4.59
+Version: 2.4.61
-Release: 4.4%{?dist}
+Release: 1%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -87,25 +87,21 @@ Patch20: httpd-2.4.48-r1842929+.patch
 Patch21: httpd-2.4.43-mod_systemd.patch
 Patch22: httpd-2.4.53-export.patch
 Patch23: httpd-2.4.43-corelimit.patch
-Patch24: httpd-2.4.59-gettid.patch
+Patch24: httpd-2.4.54-icons.patch
-Patch25: httpd-2.4.54-icons.patch
+Patch25: httpd-2.4.43-cachehardmax.patch
-Patch26: httpd-2.4.43-cachehardmax.patch
+Patch26: httpd-2.4.43-socket-activation.patch
-Patch27: httpd-2.4.43-socket-activation.patch
+Patch27: httpd-2.4.43-sslciphdefault.patch
 Patch28: httpd-2.4.43-sslciphdefault.patch
 Patch29: httpd-2.4.43-sslprotdefault.patch
-Patch31: httpd-2.4.59-unifycgid.patch
+Patch30: httpd-2.4.43-logjournal.patch
-Patch32: httpd-2.4.43-logjournal.patch
+Patch31: httpd-2.4.53-separate-systemd-fns.patch
-Patch33: httpd-2.4.53-separate-systemd-fns.patch
+Patch32: httpd-2.4.58-r1912477+.patch
-Patch34: httpd-2.4.58-r1912477+.patch
+Patch33: httpd-2.4.58-r1914365.patch
-Patch36: httpd-2.4.58-r1914365.patch
+Patch34: httpd-2.4.54-selinux.patch
 Patch37: httpd-2.4.54-selinux.patch
 # Bug fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=1397243
 Patch60: httpd-2.4.43-enable-sslv3.patch
-Patch61: httpd-2.4.59-r1916863.patch
+Patch61: httpd-2.4.59-no-engine.patch
 Patch62: httpd-2.4.59-pr426.patch
 Patch63: httpd-2.4.59-no-engine.patch
 # Security fixes
 # Patch200: ...
@ -829,6 +825,19 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
 * Wed Jul 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.61-1
 - new version 2.4.61
 - Resolves: RHEL-45753 - httpd: Potential SSRF in 
  mod_rewrite (CVE-2024-39573)
 - Resolves: RHEL-45757 - httpd: null pointer dereference in
  mod_proxy (CVE-2024-38477)
 - Resolves: RHEL-45776 - httpd: Improper escaping of output in
  mod_rewrite (CVE-2024-38475)
 - Resolves: RHEL-45791 - httpd: Encoding problem in 
  mod_proxy (CVE-2024-38473)
 - Resolves: RHEL-45811 - httpd: Substitution encoding issue in 
  mod_rewrite (CVE-2024-38474)
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.59-4.4
 - Bump release for June 2024 mass rebuild
--- a/4
+++ b/4
@ -1,3 +1,3 @@
 SHA512 (httpd-2.4.61.tar.bz2) = 00656220ecc2b80788f539536553f0a3a57602fb981be22e63af87d0f98ffe5da3056e722ce52ae8cf9c2111ad1922b3aaea1fd7d69d0ed76795199203d593ff
 SHA512 (httpd-2.4.61.tar.bz2.asc) = fed6eb8ed866eba25c64bf89e959bca3dcc548134340c1c8cedbd78b93223dfd641fb2e6ab0d82f129504f7caf6f579b6f40ad03267fc9018efb0779ffcb2f64
 SHA512 (KEYS) = 88c848b7ab9e4915d6625dcad3e8328673b0448f2ce76f2c44eecc612cf6afbce3287a4ee7219a44c6fcc61d5ecb2a1a8545456a4a16b90400263d7249cbf192
 SHA512 (httpd-2.4.59.tar.bz2) = 209da0bbac5e2564d4590302515b35495be6402273ff4024aa93e85e44554c95e053201d606383936425a41e1b5b97e6b40055dcbb385eb691a5029a6f3158c2
 SHA512 (httpd-2.4.59.tar.bz2.asc) = 85237e204e57d930e2b7a85a21f8d593e81895f96350c3a345978538a536f3c0614ba89256905c0aa558880fc6fb10608b8dd7cbd026af326b1d83601c267f2d