import CS httpd-2.4.62-13.el9

This commit is contained in:
AlmaLinux RelEng Bot 2026-03-30 10:32:38 -04:00
parent 2d885aa200
commit 6d37be100c
13 changed files with 1049 additions and 8821 deletions

.gitignore vendored

@ -1,2 +1,3 @@
SOURCES/KEYS
SOURCES/apache-poweredby.png
SOURCES/httpd-2.4.62.tar.bz2


@ -1,2 +1,3 @@
b2457e3ce46a7634bf9272a92b4214974b9bc9e0 SOURCES/KEYS
3a7449d6cff00e5ccb3ed8571f34c0528555d38f SOURCES/apache-poweredby.png
c968e2a0e556a8d3b7f6d6fc9732ddc456b5c229 SOURCES/httpd-2.4.62.tar.bz2



@ -0,0 +1,36 @@
From ecc1b8f3817e3dcab9c1f24f905752d3c0a279af Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 1 Dec 2025 12:00:14 +0000
Subject: [PATCH] don't pass args for SSI request
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930161 13f79535-47bb-0310-9956-ffa450edef68
---
modules/generators/mod_cgid.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
index b27dd802d80..94ad7ee8733 100644
--- a/modules/generators/mod_cgid.c
+++ b/modules/generators/mod_cgid.c
@@ -239,7 +239,7 @@ static char **create_argv(apr_pool_t *p, char *path, char *user, char *group,
char *w;
int idx = 0;
- if (!(*args) || ap_strchr_c(args, '=')) {
+ if (!args || !(*args) || ap_strchr_c(args, '=')) {
numwords = 0;
}
else {
@@ -932,7 +932,10 @@ static int cgid_server(void *data)
apr_pool_userdata_set(r, ERRFN_USERDATA_KEY, apr_pool_cleanup_null, ptrans);
}
- argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args);
+ /* Do not pass args in case of SSI requests */
+ argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL,
+ argv0,
+ cgid_req.req_type == SSI_REQ ? NULL : r->args);
/* We want to close sd2 for the new CGI process too.
* If it is left open it'll make ap_pass_brigade() block
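Review bot: The guard added at the top of create_argv, `if (!args || !(*args) || ap_strchr_c(args, '=')) {`, makes a NULL `args` a supported input, but nothing in the hunk records that contract; the one visible caller passing NULL is the SSI branch in cgid_server further down. A short comment on the guard would tell the next reader why a NULL query string is legal here, e.g. `/* args may be NULL: cgid_server passes no query string for SSI requests */`. Both create_argv and cgid_server begin and end outside these hunks, so any other callers of create_argv were not checked against the new NULL case.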


@ -0,0 +1,64 @@
From e4f00c5eb71d8a7aa1f52b5279832986f669d463 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 1 Dec 2025 12:03:12 +0000
Subject: [PATCH] envvars from HTTP headers low precedence
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930163 13f79535-47bb-0310-9956-ffa450edef68
---
server/util_script.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/server/util_script.c b/server/util_script.c
index 72175e75824..6a18aec8c90 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -126,6 +126,8 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t)
}
}
for (i = 0; i < env_arr->nelts; ++i) {
+ int changed = 0;
+
if (!elts[i].key) {
continue;
}
@@ -133,18 +135,36 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t)
whack = env[j];
if (apr_isdigit(*whack)) {
*whack++ = '_';
+ changed = 1;
}
while (*whack != '=') {
#ifdef WIN32
- if (!apr_isalnum(*whack) && *whack != '(' && *whack != ')') {
+ if (!apr_isalnum(*whack) && *whack != '_' && *whack != '(' && *whack != ')') {
#else
- if (!apr_isalnum(*whack)) {
+ if (!apr_isalnum(*whack) && *whack != '_') {
#endif
*whack = '_';
+ changed = 1;
}
++whack;
}
- ++j;
+ if (changed) {
+ *whack = '\0';
+ /*
+ * If after cleaning up the key the key is identical to an existing key
+ * in the table drop this environment variable. This also prevents
+ * to override CGI reserved environment variables with variables whose
+ * names have an invalid character instead of '_', but are otherwise
+ * equal to the names CGI reserved environment variables.
+ */
+ if (!apr_table_get(t, env[j])) {
+ ++j;
+ *whack = '=';
+ }
+ }
+ else {
+ ++j;
+ }
}
env[j] = NULL;
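Review bot: The collision check `if (!apr_table_get(t, env[j]))` compares a sanitized name only against the keys of the original table `t`, not against entries already emitted into `env`, so two distinct keys that both clean up to the same name are both kept and the child receives a duplicate environment name whose winner depends on the child's libc. If that case matters, keep a small table keyed on the cleaned name and skip a second occurrence; otherwise state the limitation next to the check, e.g. `/* Cleaned names are checked against the original table only, not against each other; duplicates among cleaned keys pass through. */`. apr_table_get also matches keys case-insensitively, so a cleaned name is dropped when it differs from an existing key only by case, which is stricter than the comment above it describes. ap_create_environment starts before the first hunk, so where env[j] is populated is not visible here.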


@ -0,0 +1,58 @@
From 9d26b95787b229a3f6195d7beead774d131eeda1 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 1 Dec 2025 12:04:29 +0000
Subject: [PATCH] don't use request notes for suexec
also, stop accepting the obscure "note" option in
RequestHeader, it is only documented/described as being
meant for Header (output filter).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930164 13f79535-47bb-0310-9956-ffa450edef68
---
modules/mappers/mod_userdir.c | 4 ++--
modules/metadata/mod_headers.c | 6 +++++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/mappers/mod_userdir.c b/modules/mappers/mod_userdir.c
index 1ec0e90..0a34fd3 100644
--- a/modules/mappers/mod_userdir.c
+++ b/modules/mappers/mod_userdir.c
@@ -334,7 +334,7 @@ static int translate_userdir(request_rec *r)
r->finfo = statbuf;
/* For use in the get_suexec_identity phase */
- apr_table_setn(r->notes, "mod_userdir_user", user);
+ ap_set_module_config(r->request_config, &userdir_module, (void *)user);
return OK;
}
@@ -348,7 +348,7 @@ static ap_unix_identity_t *get_suexec_id_doer(const request_rec *r)
{
ap_unix_identity_t *ugid = NULL;
#if APR_HAS_USER
- const char *username = apr_table_get(r->notes, "mod_userdir_user");
+ const char *username = (const char*) ap_get_module_config(r->request_config, &userdir_module);
if (username == NULL) {
return NULL;
diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c
index 4838bd6..7fb2e6c 100644
--- a/modules/metadata/mod_headers.c
+++ b/modules/metadata/mod_headers.c
@@ -455,8 +455,12 @@ static APR_INLINE const char *header_inout_cmd(cmd_parms *cmd,
new->action = hdr_edit;
else if (!strcasecmp(action, "edit*"))
new->action = hdr_edit_r;
- else if (!strcasecmp(action, "note"))
- new->action = hdr_note;
+ else if (!strcasecmp(action, "note")) {
+ if (cmd->info == &hdr_in) {
+ return "RequestHeader does not support the 'note' action";
+ }
+ new->action = hdr_note;
+ }
else
return "first argument must be 'add', 'set', 'setifempty', 'append', 'merge', "
"'unset', 'echo', 'note', 'edit', or 'edit*'.";
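Review bot: In the get_suexec_id_doer hunk the cast on `const char *username = (const char*) ap_get_module_config(r->request_config, &userdir_module);` is unnecessary in C, since the `void *` return converts implicitly, and its `char*)` spelling departs from the `char *` style used on the surrounding lines; `const char *username = ap_get_module_config(r->request_config, &userdir_module);` reads cleaner. The matching store `ap_set_module_config(r->request_config, &userdir_module, (void *)user);` presumably relies on `user` being allocated from r->pool, as it already had to be for apr_table_setn; a one-line comment there would make that lifetime assumption explicit. translate_userdir and get_suexec_id_doer both extend outside their hunks.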


@ -0,0 +1,74 @@
From d56df32f2cb71de3762747aec70bef03d79096b6 Mon Sep 17 00:00:00 2001
From: Jean-Frederic Clere <jfclere@gmail.com>
Date: Tue, 5 Mar 2024 10:34:50 +0100
Subject: [PATCH] When the error is broken (like missing error file) make sure
the error displays the right method and the correct Additionally message.
---
modules/http/http_protocol.c | 11 +++++++----
modules/http/http_request.c | 1 +
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
index f1ed1f6cc20..fbec4e61c65 100644
--- a/modules/http/http_protocol.c
+++ b/modules/http/http_protocol.c
@@ -963,6 +963,9 @@ static const char *get_canned_error_string(int status,
{
apr_pool_t *p = r->pool;
const char *error_notes, *h1, *s1;
+ const char *method = r->method;
+ if (r->subprocess_env && apr_table_get(r->subprocess_env, "REQUEST_METHOD"))
+ method = apr_table_get(r->subprocess_env, "REQUEST_METHOD");
switch (status) {
case HTTP_MOVED_PERMANENTLY:
@@ -1007,7 +1010,7 @@ static const char *get_canned_error_string(int status,
case HTTP_METHOD_NOT_ALLOWED:
return(apr_pstrcat(p,
"<p>The requested method ",
- ap_escape_html(r->pool, r->method),
+ ap_escape_html(r->pool, method),
" is not allowed for this URL.</p>\n",
NULL));
case HTTP_NOT_ACCEPTABLE:
@@ -1020,7 +1023,7 @@ static const char *get_canned_error_string(int status,
case HTTP_LENGTH_REQUIRED:
s1 = apr_pstrcat(p,
"<p>A request of the requested method ",
- ap_escape_html(r->pool, r->method),
+ ap_escape_html(r->pool, method),
" requires a valid Content-length.<br />\n",
NULL);
return(add_optional_notes(r, s1, "error-notes", "</p>\n"));
@@ -1030,7 +1033,7 @@ static const char *get_canned_error_string(int status,
case HTTP_NOT_IMPLEMENTED:
s1 = apr_pstrcat(p,
"<p>",
- ap_escape_html(r->pool, r->method),
+ ap_escape_html(r->pool, method),
" not supported for current URL.<br />\n",
NULL);
return(add_optional_notes(r, s1, "error-notes", "</p>\n"));
@@ -1052,7 +1055,7 @@ static const char *get_canned_error_string(int status,
case HTTP_REQUEST_ENTITY_TOO_LARGE:
return(apr_pstrcat(p,
"The requested resource does not allow request data with ",
- ap_escape_html(r->pool, r->method),
+ ap_escape_html(r->pool, method),
" requests, or the amount of data provided in\n"
"the request exceeds the capacity limit.\n",
NULL));
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
index cb7af9cafb1..115f7035cf1 100644
--- a/modules/http/http_request.c
+++ b/modules/http/http_request.c
@@ -127,6 +127,7 @@ static void ap_die_r(int type, request_rec *r, int recursive_error)
*/
update_r_in_filters(r_1st_err->proto_output_filters, r, r_1st_err);
update_r_in_filters(r_1st_err->input_filters, r, r_1st_err);
+ recursive_error = type;
}
custom_response = NULL; /* Do NOT retry the custom thing! */
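Review bot: The new prologue of get_canned_error_string looks up "REQUEST_METHOD" twice, once in the condition and once in the assignment; a single lookup is simpler: `const char *env_method = r->subprocess_env ? apr_table_get(r->subprocess_env, "REQUEST_METHOD") : NULL;` followed by `if (env_method) method = env_method;`. The reason the environment value is preferred over r->method is also left unstated; presumably the canned text can be produced for an internal redirect whose r->method differs from the original request while subprocess_env still carries the original, and that deserves a why-comment on the assignment, marked to be confirmed. The value stays HTML-escaped at every use site, which is the right place for it. In http_request.c the added `recursive_error = type;` sits inside ap_die_r, whose body begins and ends outside the hunk, and has no comment explaining why the first error's type replaces the recursive one.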


@ -0,0 +1,68 @@
diff --git a/modules/proxy/mod_proxy_hcheck.c b/modules/proxy/mod_proxy_hcheck.c
index 70f1de8..70bfa26 100644
--- a/modules/proxy/mod_proxy_hcheck.c
+++ b/modules/proxy/mod_proxy_hcheck.c
@@ -992,12 +992,30 @@ static apr_status_t hc_watchdog_callback(int state, void *data,
sctx_t *ctx = (sctx_t *)data;
server_rec *s = ctx->s;
proxy_server_conf *conf;
+ proxy_worker **workers;
+ proxy_worker *worker;
+ apr_time_t now;
+ int i, n;
+
+ conf = (proxy_server_conf *) ap_get_module_config(s->module_config, &proxy_module);
+ balancer = (proxy_balancer *)conf->balancers->elts;
switch (state) {
case AP_WATCHDOG_STATE_STARTING:
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(03258)
"%s watchdog started.",
HCHECK_WATHCHDOG_NAME);
+ /* set last update time for all workers */
+ now = apr_time_now();
+ for (i = 0; i < conf->balancers->nelts; i++, balancer++) {
+ workers = (proxy_worker **)balancer->workers->elts;
+ for (n = 0; n < balancer->workers->nelts; n++, ++workers) {
+ worker = *workers;
+ if (worker->s->updated == 0) {
+ worker->s->updated = now;
+ }
+ }
+ }
#if HC_USE_THREADS
if (tpsize && hctp == NULL) {
rv = apr_thread_pool_create(&hctp, tpsize,
@@ -1023,21 +1041,13 @@ static apr_status_t hc_watchdog_callback(int state, void *data,
case AP_WATCHDOG_STATE_RUNNING:
/* loop thru all workers */
- if (s) {
- int i;
- conf = (proxy_server_conf *) ap_get_module_config(s->module_config, &proxy_module);
- balancer = (proxy_balancer *)conf->balancers->elts;
- ctx->s = s;
+ {
+ now = apr_time_now();
for (i = 0; i < conf->balancers->nelts; i++, balancer++) {
- int n;
- apr_time_t now;
- proxy_worker **workers;
- proxy_worker *worker;
/* Have any new balancers or workers been added dynamically? */
ap_proxy_sync_balancer(balancer, s, conf);
workers = (proxy_worker **)balancer->workers->elts;
- now = apr_time_now();
- for (n = 0; n < balancer->workers->nelts; n++) {
+ for (n = 0; n < balancer->workers->nelts; n++, workers++) {
worker = *workers;
if (!PROXY_WORKER_IS(worker, PROXY_WORKER_STOPPED) &&
(worker->s->method != NONE) &&
@@ -1077,7 +1087,6 @@ static apr_status_t hc_watchdog_callback(int state, void *data,
hc_check(NULL, baton);
}
}
- workers++;
}
}
}
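Review bot: In the AP_WATCHDOG_STATE_STARTING branch the new loop walks `balancer->workers` directly, whereas the RUNNING branch first calls `ap_proxy_sync_balancer(balancer, s, conf)` to pick up balancers or workers added dynamically; if such workers can already exist when the watchdog starts, their `updated` stamp is not seeded here, which would undercut the purpose of the loop (hedged, since the worker lifecycle is outside this hunk). Either call ap_proxy_sync_balancer before the inner loop as the RUNNING branch does, or record the assumption: `/* Only statically configured workers exist here; dynamically added ones are seen via ap_proxy_sync_balancer() in the RUNNING state. */`. Moving `workers++` into the for header is equivalent only if the old body had no `continue` before it, which the hunk does not show. Unlike the other patches in this commit, this one carries no From/Subject/upstream-revision header, so its origin and the problem it addresses are not recorded anywhere in the file.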


@ -0,0 +1,112 @@
From d56527579e6a56ebfc265f3a059694a58e7e8c71 Mon Sep 17 00:00:00 2001
From: Joe Orton <jorton@apache.org>
Date: Wed, 21 Jan 2026 11:05:12 +0000
Subject: [PATCH] core: Add millisecond support to ErrorLogFormat time
specifiers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
%{m} prints the timestamp in millisecond-resolution.
* include/util_time.h:
Define new AP_CTIME_OPTION_MSEC option for printing time in milliseconds
format.
* server/util_time.c (ap_recent_ctime_ex):
Handle AP_CTIME_OPTION_MSEC to print time in a millisecond format.
* server/log.c (log_ctime):
Recognize the m time option in both fast-path and composite %{...}t formats.
Submitted by: Luboš Uhliarik <luhliari redhat.com>
Github: closes #597
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1931452 13f79535-47bb-0310-9956-ffa450edef68
---
include/util_time.h | 2 ++
server/log.c | 8 +++++++-
server/util_time.c | 17 +++++++++++++++--
5 files changed, 30 insertions(+), 3 deletions(-)
create mode 100644 changes-entries/log-msec.txt
diff --git a/include/util_time.h b/include/util_time.h
index 1ba6353c025..c149e52166a 100644
--- a/include/util_time.h
+++ b/include/util_time.h
@@ -49,6 +49,8 @@ extern "C" {
#define AP_CTIME_OPTION_COMPACT 0x2
/* Add timezone offset from GMT ([+-]hhmm) */
#define AP_CTIME_OPTION_GMTOFF 0x4
+/* Add sub second timestamps with millisecond resolution */
+#define AP_CTIME_OPTION_MSEC 0x8
/**
diff --git a/server/log.c b/server/log.c
index 91dcf2c3eb0..d5236f45f86 100644
--- a/server/log.c
+++ b/server/log.c
@@ -585,9 +585,15 @@ static int log_ctime(const ap_errorlog_info *info, const char *arg,
if (arg[0] == 'u' && !arg[1]) { /* no ErrorLogFormat (fast path) */
option |= AP_CTIME_OPTION_USEC;
}
- else if (!ap_strchr_c(arg, '%')) { /* special "%{cuz}t" formats */
+ else if (arg[0] == 'm' && !arg[1]) { /* no ErrorLogFormat (fast path) - msec */
+ option |= AP_CTIME_OPTION_MSEC;
+ }
+ else if (!ap_strchr_c(arg, '%')) { /* special "%{mcuz}t" formats */
while (*arg) {
switch (*arg++) {
+ case 'm':
+ option |= AP_CTIME_OPTION_MSEC;
+ break;
case 'u':
option |= AP_CTIME_OPTION_USEC;
break;
diff --git a/server/util_time.c b/server/util_time.c
index 8dcf2fb293f..020fced8b10 100644
--- a/server/util_time.c
+++ b/server/util_time.c
@@ -24,6 +24,11 @@
* */
#define AP_CTIME_USEC_LENGTH 7
+/* Number of characters needed to format the millisecond part of a timestamp.
+ * Milliseconds have 3 digits plus one separator character makes 4.
+ * */
+#define AP_CTIME_MSEC_LENGTH 4
+
/* Length of ISO 8601 date/time (including trailing '\0') */
#define AP_CTIME_COMPACT_LEN 20
@@ -184,6 +189,9 @@ AP_DECLARE(apr_status_t) ap_recent_ctime_ex(char *date_str, apr_time_t t,
if (option & AP_CTIME_OPTION_USEC) {
needed += AP_CTIME_USEC_LENGTH;
}
+ else if (option & AP_CTIME_OPTION_MSEC) {
+ needed += AP_CTIME_MSEC_LENGTH;
+ }
if (option & AP_CTIME_OPTION_GMTOFF) {
needed += AP_CTIME_GMTOFF_LEN;
@@ -244,11 +252,16 @@ AP_DECLARE(apr_status_t) ap_recent_ctime_ex(char *date_str, apr_time_t t,
*date_str++ = ':';
*date_str++ = xt.tm_sec / 10 + '0';
*date_str++ = xt.tm_sec % 10 + '0';
- if (option & AP_CTIME_OPTION_USEC) {
+ if (option & (AP_CTIME_OPTION_USEC|AP_CTIME_OPTION_MSEC)) {
int div;
int usec = (int)xt.tm_usec;
*date_str++ = '.';
- for (div=100000; div>0; div=div/10) {
+ div = 100000;
+ if (!(option & AP_CTIME_OPTION_USEC)) {
+ usec = usec / 1000;
+ div = 100;
+ }
+ for (; div>0; div=div/10) {
*date_str++ = usec / div + '0';
usec = usec % div;
}
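Review bot: When both AP_CTIME_OPTION_USEC and AP_CTIME_OPTION_MSEC are set, which the composite `%{...}t` parser in log.c allows, the microsecond form wins in both the length computation (`else if (option & AP_CTIME_OPTION_MSEC)`) and the formatting branch (`if (!(option & AP_CTIME_OPTION_USEC))`), but that precedence is implicit and the two places must stay in step; a comment at the formatting branch would make the coupling explicit, e.g. `/* USEC takes precedence over MSEC; keep in step with the 'needed' computation above. */`. The new AP_CTIME_OPTION_MSEC comment in util_time.h could state the same precedence. The patch's own diffstat says 5 files changed and lists a created `changes-entries/log-msec.txt`, yet only three files appear in the diff, so the shipped patch looks trimmed relative to upstream and the package changelog should say so.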


@ -0,0 +1,554 @@
From f063cc14f9aae9c19de45dfa3c48828a75249e05 Mon Sep 17 00:00:00 2001
From: Joe Orton <jorton@apache.org>
Date: Tue, 11 Nov 2025 10:23:22 +0100
Subject: [PATCH] mod_ssl: Add SSLVHostSNIPolicy directive to set the
compatibility level required for VirtualHost matching.
For "secure" and "authonly" modes, a hash of the policy-relevant vhost
configuration is created and stored in the post_config hooks, reducing
the runtime code complexity (and overhead).
* modules/ssl/ssl_engine_kernel.c (ssl_check_vhost_sni_policy): New
function, replacing ssl_server_compatible et al.
* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLVHostSNIPolicy): New
function.
* modules/ssl/ssl_engine_init.c (md5_strarray_cmp, md5_strarray_hash,
hash_sni_policy_pk, hash_sni_policy_auth, create_sni_policy_hash):
New functions.
(ssl_init_Module): Invoke create_sni_policy_hash to store the hash
for every SSLSrvConfigRec.
* modules/ssl/ssl_private.h (SSLModConfigRec): Add snivh_policy field.
(SSLSrvConfigRec): Add sni_policy_hash field.
PR: 69743
GitHub: closes #561
---
docs/manual/mod/mod_ssl.html.en | 77 ++++++++++++++++++
modules/ssl/mod_ssl.c | 2 +
modules/ssl/ssl_engine_config.c | 41 ++++++++++
modules/ssl/ssl_engine_init.c | 107 +++++++++++++++++++++++++
modules/ssl/ssl_engine_kernel.c | 133 ++++++--------------------------
modules/ssl/ssl_private.h | 17 ++++
6 files changed, 267 insertions(+), 110 deletions(-)
diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en
index 3fc8a48..6a929ea 100644
--- a/docs/manual/mod/mod_ssl.html.en
+++ b/docs/manual/mod/mod_ssl.html.en
@@ -125,6 +125,7 @@ to provide the cryptography engine.</p>
<li><img alt="" src="../images/down.gif" /> <a href="#sslusestapling">SSLUseStapling</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslverifyclient">SSLVerifyClient</a></li>
<li><img alt="" src="../images/down.gif" /> <a href="#sslverifydepth">SSLVerifyDepth</a></li>
+<li><img alt="" src="../images/down.gif" /> <a href="#sslvhostsnipolicy">SSLVHostSNIPolicy</a></li>
</ul>
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&amp;list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_ssl">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&amp;component=mod_ssl">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso">
@@ -2863,6 +2864,82 @@ known to the server (i.e. the CA's certificate is under
<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLVerifyDepth 10</pre>
</div>
+</div>
+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
+<div class="directive-section"><h2><a name="SSLVHostSNIPolicy" id="SSLVHostSNIPolicy">SSLVHostSNIPolicy</a> <a name="sslvhostsnipolicy" id="sslvhostsnipolicy">Directive</a> <a title="Permanent link" href="#sslvhostsnipolicy" class="permalink">&para;</a></h2>
+<table class="directive">
+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Set compatibility policy for SNI client access to virtual hosts.</td></tr>
+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>SSLVHostSNIPolicy strict|secure|authonly|insecure</code></td></tr>
+<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>SSLVHostSNIPolicy secure</code></td></tr>
+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config</td></tr>
+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_ssl</td></tr>
+<tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTP Server 2.4.62 in Red Hat Enterprise Linux 9</td></tr>
+</table><p>This directive sets the policy applied when checking whether the
+<code class="directive"><a href="../mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code>
+identified by the <code>Host</code> request header in an HTTP request
+is compatible with the <code class="directive"><a href="../mod/core.html#virtualhost">&lt;VirtualHost&gt;</a></code> identified from the SNI
+extension sent during the initial TLS connection handshake. If an HTTP
+request is associated with a virtual host which has an incompatible
+SSL/TLS configuration under the policy used, an HTTP error response
+with status code 421 ("Misdirected Request") will be sent.</p>
+
+<p>The policy also applies to TLS connections where an SNI extension
+is not sent during the handshake, implicitly using the default or
+first virtual host definition. If the Host header in an HTTP request
+on such a connection identifies any other non-default virtual host,
+the compatibility policy is tested.</p>
+
+<p>The <code>strict</code> policy blocks all HTTP requests which are
+identified with a different virtual host to that identifed by SNI.
+The <code>insecure</code> policy allows all HTTP requests regardless
+of virtual host identified; such a configuration may be vulnerable to
+<a href="https://httpd.apache.org/security/vulnerabilities_24.html">CVE-2025-23048</a>.
+</p>
+
+<p>The (default) <code>secure</code>, and <code>authonly</code>
+policies compare specific aspects of the SSL configuration for the two
+virtual hosts, which are grouped into two categories:
+
+<ul>
+ <li><strong>server certificate/key, or protocol/cipher
+ restrictions</strong>: directives which determine the server
+ certificate or key (<code class="directive"><a href="#sslcertificatekeyfile">SSLCertificateKeyFile</a></code> etc), cipher or
+ protocol restrictions (<code class="directive"><a href="#sslciphersuite">SSLCipherSuite</a></code> and <code class="directive"><a href="#sslprotocol">SSLProtocol</a></code>)</li>
+
+ <li><strong>client vertification and authentication
+ settings</strong>: directives which affect TLS client certificate
+ verification or authentication, such as <code class="directive"><a href="#sslverifyclient">SSLVerifyClient</a></code>, <code class="directive"><a href="#sslverifymode">SSLVerifyMode</a></code>, <code class="directive"><a href="#sslcacertificatepath">SSLCACertificatePath</a></code>, <code class="directive"><a href="#sslsrpverifierfile">SSLSRPVerifierFile</a></code>; any use of <code class="directive"><a href="#sslopensslconfcmd">SSLOpenSSLConfCmd</a></code></li>
+</ul>
+
+This table illustrates whether an HTTP request will be blocked or
+allowed when the virtual host configurations differ as described,
+under each different policy setting:
+
+<table class="bordered"><tr class="header">
+ <th>Policy mode</th>
+ <th>Any VirtualHost mismatch</th>
+ <th>Server certificate/key, <br />or protocol/cipher restrictions</th>
+ <th>Client verification/<br />authentication settings</th>
+</tr>
+<tr>
+ <td><code>strict</code><td>blocked</td><td>blocked</td><td>blocked</td></td>
+</tr>
+<tr class="odd">
+ <td><code>secure</code><td>allowed</td><td>blocked</td><td>blocked</td></td>
+</tr>
+<tr>
+ <td><code>authonly</code><td>allowed</td><td>blocked</td><td>allowed</td></td>
+</tr>
+<tr class="odd">
+ <td><code>insecure</code><td>allowed</td><td>allowed</td><td>allowed</td></td>
+</tr>
+</table>
+</p>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLVHostSNIPolicy authonly</pre>
+</div>
+
+
</div>
</div>
<div class="bottomlang">
diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
index fb66d18..c0fdafd 100644
--- a/modules/ssl/mod_ssl.c
+++ b/modules/ssl/mod_ssl.c
@@ -80,6 +80,8 @@ static const command_rec ssl_config_cmds[] = {
SSL_CMD_SRV(RandomSeed, TAKE23,
"SSL Pseudo Random Number Generator (PRNG) seeding source "
"('startup|connect builtin|file:/path|exec:/path [bytes]')")
+ SSL_CMD_SRV(VHostSNIPolicy, TAKE1,
+ "SSL VirtualHost SNI compatibility policy setting")
/*
* Per-server context configuration directives
diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
index c5dce7f..f856b18 100644
--- a/modules/ssl/ssl_engine_config.c
+++ b/modules/ssl/ssl_engine_config.c
@@ -82,6 +82,9 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
#ifdef HAVE_FIPS
mc->fips = UNSET;
#endif
+#ifdef HAVE_TLSEXT
+ mc->snivh_policy = MODSSL_SNIVH_SECURE;
+#endif
apr_pool_userdata_set(mc, SSL_MOD_CONFIG_KEY,
apr_pool_cleanup_null,
@@ -1918,6 +1921,44 @@ const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag
#endif
}
+const char *ssl_cmd_SSLVHostSNIPolicy(cmd_parms *cmd, void *dcfg, const char *arg)
+{
+#ifdef HAVE_TLSEXT
+ SSLModConfigRec *mc = myModConfig(cmd->server);
+ const char *err;
+
+ if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) {
+ return err;
+ }
+ if (!mc) {
+ return "SSLVHostSNIPolicy cannot be used inside SSLPolicyDefine";
+ }
+
+ if (strcEQ(arg, "secure")) {
+ mc->snivh_policy = MODSSL_SNIVH_SECURE;
+ }
+ else if (strcEQ(arg, "strict")) {
+ mc->snivh_policy = MODSSL_SNIVH_STRICT;
+ }
+ else if (strcEQ(arg, "insecure")) {
+ mc->snivh_policy = MODSSL_SNIVH_INSECURE;
+ }
+ else if (strcEQ(arg, "authonly")) {
+ mc->snivh_policy = MODSSL_SNIVH_AUTHONLY;
+ }
+ else {
+ return apr_psprintf(cmd->pool, "Invalid SSLVhostSNIPolicy "
+ "argument '%s'", arg);
+ }
+
+ return NULL;
+#else
+ return "SSLVHostSNIPolicy cannot be used, OpenSSL is not built with "
+ "support for TLS extensions and SNI indication. Refer to the "
+ "documentation, and build a compatible version of OpenSSL."
+#endif
+}
+
#ifdef HAVE_OCSP_STAPLING
const char *ssl_cmd_SSLStaplingCache(cmd_parms *cmd,
diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
index 309a7a4..6208564 100644
--- a/modules/ssl/ssl_engine_init.c
+++ b/modules/ssl/ssl_engine_init.c
@@ -30,6 +30,7 @@
#include "mpm_common.h"
#include "mod_md.h"
+#include "util_md5.h"
static apr_status_t ssl_init_ca_cert_path(server_rec *, apr_pool_t *, const char *,
STACK_OF(X509_NAME) *, STACK_OF(X509_INFO) *);
@@ -186,6 +187,110 @@ static void ssl_add_version_components(apr_pool_t *ptemp, apr_pool_t *pconf,
modver, AP_SERVER_BASEVERSION, incver);
}
+#ifdef HAVE_TLSEXT
+/* Helper functions to create the SNI vhost policy hash. The policy
+ * hash captures the configuration elements relevant to the mode
+ * selected at runtime by SSLVHostSNIPolicy. */
+
+#define md5_str_update(ctx_, pfx_, str_) do { apr_md5_update(ctx_, pfx_, strlen(pfx_)); apr_md5_update(ctx_, str_, strlen(str_)); } while (0)
+#define md5_ifstr_update(ctx_, pfx_, str_) do { apr_md5_update(ctx_, pfx_, strlen(pfx_)); if (str_) apr_md5_update(ctx_, str_, strlen(str_)); } while (0)
+#define md5_fmt_update(ctx_, fmt_, i_) do { char s_[128]; apr_snprintf(s_, sizeof s_, fmt_, i_); \
+ apr_md5_update(ctx_, s_, strlen(s_)); } while (0)
+
+static int md5_strarray_cmp(const void *p1, const void *p2)
+{
+ return strcmp(*(char **)p1, *(char **)p2);
+}
+
+/* Hashes an array of strings in sorted order. */
+static void md5_strarray_hash(apr_pool_t *ptemp, apr_md5_ctx_t *hash,
+ const char *pfx, apr_array_header_t *s)
+{
+ char **elts = apr_pmemdup(ptemp, s->elts, s->nelts * sizeof *elts);
+ int i;
+
+ qsort(elts, s->nelts, sizeof(char *), md5_strarray_cmp);
+
+ apr_md5_update(hash, pfx, strlen(pfx));
+ for (i = 0; i < s->nelts; i++) {
+ md5_str_update(hash, "elm:", elts[i]);
+ }
+}
+
+static void hash_sni_policy_pk(apr_pool_t *ptemp, apr_md5_ctx_t *hash, modssl_ctx_t *ctx)
+{
+ md5_fmt_update(hash, "protocol:%d", ctx->protocol);
+
+ md5_ifstr_update(hash, "ciphers:", ctx->auth.cipher_suite);
+ md5_ifstr_update(hash, "tls13_ciphers:", ctx->auth.tls13_ciphers);
+
+ md5_strarray_hash(ptemp, hash, "cert_files:", ctx->pks->cert_files);
+ md5_strarray_hash(ptemp, hash, "key_files:", ctx->pks->key_files);
+}
+
+static void hash_sni_policy_auth(apr_md5_ctx_t *hash, modssl_ctx_t *ctx)
+{
+ modssl_pk_server_t *pks = ctx->pks;
+ modssl_auth_ctx_t *a = &ctx->auth;
+
+ md5_fmt_update(hash, "verify_depth:%d", a->verify_depth);
+ md5_fmt_update(hash, "verify_mode:%d", a->verify_mode);
+
+ md5_ifstr_update(hash, "ca_name_path:", pks->ca_name_path);
+ md5_ifstr_update(hash, "ca_name_file:", pks->ca_name_file);
+ md5_ifstr_update(hash, "ca_cert_path:", a->ca_cert_path);
+ md5_ifstr_update(hash, "ca_cert_file:", a->ca_cert_file);
+ md5_ifstr_update(hash, "crl_path:", ctx->crl_path);
+ md5_ifstr_update(hash, "crl_file:", ctx->crl_file);
+ md5_fmt_update(hash, "crl_check_mask:%d", ctx->crl_check_mask);
+ md5_fmt_update(hash, "ocsp_mask:%d", ctx->ocsp_mask);
+ md5_fmt_update(hash, "ocsp_force_default:%d", ctx->ocsp_force_default);
+ md5_ifstr_update(hash, "ocsp_responder:", ctx->ocsp_responder);
+
+#ifdef HAVE_SRP
+ md5_ifstr_update(hash, "srp_vfile:", ctx->srp_vfile);
+#endif
+
+#ifdef HAVE_SSL_CONF_CMD
+ {
+ apr_array_header_t *parms = ctx->ssl_ctx_param;
+ int n;
+
+ for (n = 0; n < parms->nelts; n++) {
+ ssl_ctx_param_t *p = &APR_ARRAY_IDX(parms, n, ssl_ctx_param_t);
+
+ md5_str_update(hash, "param:", p->name);
+ md5_str_update(hash, "value:", p->value);
+ }
+ }
+#endif
+}
+#endif
+
+static char *create_sni_policy_hash(apr_pool_t *p, apr_pool_t *ptemp,
+ modssl_snivhpolicy_t policy,
+ SSLSrvConfigRec *sc)
+{
+ char *rv = NULL;
+#ifdef HAVE_TLSEXT
+ if (policy != MODSSL_SNIVH_STRICT && policy != MODSSL_SNIVH_INSECURE) {
+ apr_md5_ctx_t hash;
+ unsigned char digest[APR_MD5_DIGESTSIZE];
+
+ /* Create the vhost policy hash for comparison later. */
+ apr_md5_init(&hash);
+ hash_sni_policy_auth(&hash, sc->server);
+ if (policy == MODSSL_SNIVH_SECURE)
+ hash_sni_policy_pk(ptemp, &hash, sc->server);
+ apr_md5_final(digest, &hash);
+
+ rv = apr_palloc(p, 2 * APR_MD5_DIGESTSIZE + 1);
+ ap_bin2hex(digest, APR_MD5_DIGESTSIZE, rv); /* sets final '\0' */
+ }
+#endif
+ return rv;
+}
+
/* _________________________________________________________________
**
** Let other answer special connection attempts.
@@ -439,6 +544,8 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
return rv;
}
}
+
+ sc->sni_policy_hash = create_sni_policy_hash(p, ptemp, mc->snivh_policy, sc);
}
/*
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 33aa1f7..83ae90e 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -101,112 +101,28 @@ static int fill_reneg_buffer(request_rec *r, SSLDirConfigRec *dc)
}
#ifdef HAVE_TLSEXT
-static int ap_array_same_str_set(apr_array_header_t *s1, apr_array_header_t *s2)
+/* Check whether a transition from vhost sc1 to sc2 from SNI to Host:
+ * vhost selection is permitted according to the SSLVHostSNIPolicy
+ * setting. Returns 1 if the policy treats the vhosts as compatible,
+ * else 0. */
+static int ssl_check_vhost_sni_policy(SSLSrvConfigRec *sc1,
+ SSLSrvConfigRec *sc2)
{
- int i;
- const char *c;
-
- if (s1 == s2) {
+ modssl_snivhpolicy_t policy = sc1->mc->snivh_policy;
+
+ /* Policy: insecure => allow everything. */
+ if (policy == MODSSL_SNIVH_INSECURE)
return 1;
- }
- else if (!s1 || !s2 || (s1->nelts != s2->nelts)) {
- return 0;
- }
- for (i = 0; i < s1->nelts; i++) {
- c = APR_ARRAY_IDX(s1, i, const char *);
- if (!c || !ap_array_str_contains(s2, c)) {
- return 0;
- }
- }
- return 1;
-}
+ /* Policy: strict => fail for any vhost transition. */
+ if (policy == MODSSL_SNIVH_STRICT)
+ return sc1 == sc2;
-static int ssl_pk_server_compatible(modssl_pk_server_t *pks1,
- modssl_pk_server_t *pks2)
-{
- if (!pks1 || !pks2) {
- return 0;
- }
- /* both have the same certificates? */
- if ((pks1->ca_name_path != pks2->ca_name_path)
- && (!pks1->ca_name_path || !pks2->ca_name_path
- || strcmp(pks1->ca_name_path, pks2->ca_name_path))) {
- return 0;
- }
- if ((pks1->ca_name_file != pks2->ca_name_file)
- && (!pks1->ca_name_file || !pks2->ca_name_file
- || strcmp(pks1->ca_name_file, pks2->ca_name_file))) {
- return 0;
- }
- if (!ap_array_same_str_set(pks1->cert_files, pks2->cert_files)
- || !ap_array_same_str_set(pks1->key_files, pks2->key_files)) {
- return 0;
- }
- return 1;
-}
+ /* For authonly/secure policy, compare the hash. */
+ AP_DEBUG_ASSERT(sc1->sni_policy_hash);
+ AP_DEBUG_ASSERT(sc2->sni_policy_hash);
-static int ssl_auth_compatible(modssl_auth_ctx_t *a1,
- modssl_auth_ctx_t *a2)
-{
- if (!a1 || !a2) {
- return 0;
- }
- /* both have the same verification */
- if ((a1->verify_depth != a2->verify_depth)
- || (a1->verify_mode != a2->verify_mode)) {
- return 0;
- }
- /* both have the same ca path/file */
- if ((a1->ca_cert_path != a2->ca_cert_path)
- && (!a1->ca_cert_path || !a2->ca_cert_path
- || strcmp(a1->ca_cert_path, a2->ca_cert_path))) {
- return 0;
- }
- if ((a1->ca_cert_file != a2->ca_cert_file)
- && (!a1->ca_cert_file || !a2->ca_cert_file
- || strcmp(a1->ca_cert_file, a2->ca_cert_file))) {
- return 0;
- }
- /* both have the same ca cipher suite string */
- if ((a1->cipher_suite != a2->cipher_suite)
- && (!a1->cipher_suite || !a2->cipher_suite
- || strcmp(a1->cipher_suite, a2->cipher_suite))) {
- return 0;
- }
- /* both have the same ca cipher suite string */
- if ((a1->tls13_ciphers != a2->tls13_ciphers)
- && (!a1->tls13_ciphers || !a2->tls13_ciphers
- || strcmp(a1->tls13_ciphers, a2->tls13_ciphers))) {
- return 0;
- }
- return 1;
-}
-
-static int ssl_ctx_compatible(modssl_ctx_t *ctx1,
- modssl_ctx_t *ctx2)
-{
- if (!ctx1 || !ctx2
- || (ctx1->protocol != ctx2->protocol)
- || !ssl_auth_compatible(&ctx1->auth, &ctx2->auth)
- || !ssl_pk_server_compatible(ctx1->pks, ctx2->pks)) {
- return 0;
- }
- return 1;
-}
-
-static int ssl_server_compatible(server_rec *s1, server_rec *s2)
-{
- SSLSrvConfigRec *sc1 = s1? mySrvConfig(s1) : NULL;
- SSLSrvConfigRec *sc2 = s2? mySrvConfig(s2) : NULL;
-
- /* both use the same TLS protocol? */
- if (!sc1 || !sc2
- || !ssl_ctx_compatible(sc1->server, sc2->server)) {
- return 0;
- }
-
- return 1;
+ return strcmp(sc1->sni_policy_hash, sc2->sni_policy_hash) == 0;
}
#endif
@@ -275,6 +191,8 @@ int ssl_hook_ReadReq(request_rec *r)
server_rec *handshakeserver = sslconn->server;
SSLSrvConfigRec *hssc = mySrvConfig(handshakeserver);
+ AP_DEBUG_ASSERT(hssc);
+
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
/*
* The SNI extension supplied a hostname. So don't accept requests
@@ -315,19 +233,14 @@ int ssl_hook_ReadReq(request_rec *r)
"which is required to access this server.<br />\n");
return HTTP_FORBIDDEN;
}
- if (r->server != handshakeserver
- && !ssl_server_compatible(sslconn->server, r->server)) {
- /*
- * The request does not select the virtual host that was
- * selected for handshaking and its SSL parameters are different
- */
-
+ /* Enforce SSL SNI vhost compatibility policy. */
+ if (!ssl_check_vhost_sni_policy(sc, hssc)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
"Hostname %s %s and hostname %s provided"
- " via HTTP have no compatible SSL setup",
+ " via HTTP have no compatible SSL setup for policy '%s'",
servername ? servername : handshakeserver->server_hostname,
servername ? "provided via SNI" : "(default host as no SNI was provided)",
- r->hostname);
+ r->hostname, MODSSL_SNIVH_NAME(sc->mc->snivh_policy));
return HTTP_MISDIRECTED_REQUEST;
}
}
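Review bot: The condition at `if (!ssl_check_vhost_sni_policy(sc, hssc)) {` no longer fails closed on a missing server config: the removed `ssl_server_compatible` returned 0 for a NULL `sc1`/`sc2`, whereas the new code relies on the `AP_DEBUG_ASSERT(hssc)` added in the previous hunk (`@@ -275,6 +191,8 @@`), which compiles out of release builds. If `mySrvConfig()` can return NULL for a vhost reached here, `if (!hssc || !ssl_check_vhost_sni_policy(sc, hssc)) {` restores the old behaviour at no cost; the `strcmp` on `sni_policy_hash` in the comparison function above has the same debug-only guard and would likewise be safer treating a NULL hash as "not compatible" rather than dereferencing it. Dropping the `r->server != handshakeserver` short-circuit also routes requests for the handshake vhost itself through the policy check, which is fine if the function treats identical configs as compatible but deserves a one-line comment saying so. ssl_hook_ReadReq starts before and continues after this hunk.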
diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
index aaa75aa..cfa847a 100644
--- a/modules/ssl/ssl_private.h
+++ b/modules/ssl/ssl_private.h
@@ -548,6 +548,19 @@ typedef struct {
int nBytes;
} ssl_randseed_t;
+/* SNI vhost compatibility policy. */
+typedef enum {
+ MODSSL_SNIVH_STRICT = 0,
+ MODSSL_SNIVH_SECURE = 1,
+ MODSSL_SNIVH_AUTHONLY = 2,
+ MODSSL_SNIVH_INSECURE = 3
+} modssl_snivhpolicy_t;
+
+/* Maps modssl_snivhpolicy_t back into a config option string. */
+#define MODSSL_SNIVH_NAME(p_) ((p_) == MODSSL_SNIVH_STRICT ? "strict" : \
+ ((p_) == MODSSL_SNIVH_SECURE ? "secure" : \
+ ((p_) == MODSSL_SNIVH_AUTHONLY ? "authonly" : "insecure" )))
+
/**
* Define the structure of an ASN.1 anything
*/
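Review bot: `MODSSL_SNIVH_NAME` evaluates its argument up to three times and maps every value it does not recognise to "insecure", so a corrupted or future enumerator would be reported in the APLOGNO(02032) log line as the least restrictive policy. The only visible caller passes a plain lvalue, so the multiple evaluation is harmless today, but a `static inline` switch with an explicit `default` returning "unknown" is type-checked and keeps the log output honest; the macro can forward to it so the call site in ssl_engine_kernel.c stays unchanged. The enum itself would also benefit from a comment per value, e.g. `/* SSLVHostSNIPolicy values; "secure" is the compiled-in default (see snipolicy.conf in this commit). */` — what exactly each level accepts is not visible in this header and should be spelled out where the hash is computed.
```c
/* Maps modssl_snivhpolicy_t back into a config option string. */
static inline const char *modssl_snivh_name(modssl_snivhpolicy_t p)
{
    switch (p) {
    case MODSSL_SNIVH_STRICT:   return "strict";
    case MODSSL_SNIVH_SECURE:   return "secure";
    case MODSSL_SNIVH_AUTHONLY: return "authonly";
    case MODSSL_SNIVH_INSECURE: return "insecure";
    default:                    return "unknown";
    }
}
#define MODSSL_SNIVH_NAME(p_) modssl_snivh_name(p_)
```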
@@ -681,6 +694,8 @@ typedef struct {
#ifdef HAVE_FIPS
BOOL fips;
#endif
+
+ modssl_snivhpolicy_t snivh_policy;
} SSLModConfigRec;
/** Structure representing configured filenames for certs and keys for
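Review bot: The `snivh_policy` member added to SSLModConfigRec carries no comment, and neither does `sni_policy_hash` in the next hunk (`@@ -835,6 +850,7 @@`, SSLSrvConfigRec), although that string is dereferenced by `strcmp` in ssl_engine_kernel.c with only debug-build asserts guarding it. Suggest `modssl_snivhpolicy_t snivh_policy; /* SSLVHostSNIPolicy; module-wide, so every vhost is checked with the same policy */` and `const char *sni_policy_hash; /* digest of this vhost's TLS settings, compared for the secure/authonly policies; NULL until computed */`. Whether the hash is computed for every vhost on a TLS listener, including ones with SSLEngine off, is not visible here and is exactly what that comment should state.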
@@ -835,6 +850,7 @@ struct SSLSrvConfigRec {
modssl_ctx_t *server;
#ifdef HAVE_TLSEXT
ssl_enabled_t strict_sni_vhost_check;
+ const char *sni_policy_hash;
#endif
#ifndef OPENSSL_NO_COMP
BOOL compression;
@@ -910,6 +926,7 @@ const char *ssl_cmd_SSLRequire(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLUserName(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLRenegBufferSize(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLStrictSNIVHostCheck(cmd_parms *cmd, void *dcfg, int flag);
+const char *ssl_cmd_SSLVHostSNIPolicy(cmd_parms *cmd, void *dcfg, const char *arg);
const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag);
const char *ssl_cmd_SSLProxyEngine(cmd_parms *cmd, void *dcfg, int flag);
--
2.44.0


@ -1,2 +1,9 @@
d /run/httpd 710 root apache
d /run/httpd/htcacheclean 700 apache apache
d /var/log/httpd 700 root root -
d /var/www 755 root root -
d /var/www/html 755 root root -
d /var/www/cgi-bin 755 root root -
d /var/lib/httpd 700 apache apache -
d /var/cache/httpd 700 apache apache -
d /var/cache/httpd/proxy 700 apache apache -

15
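--- a/SOURCES/snipolicy.conf
+++ b/SOURCES/snipolicy.conf
@@ -0,0 +1,15 @@
+#
+# Vendor override: Set the default SNI virtual host policy to "authonly"
+# to preserve compatibility between virtual hosts which differ only in
+# certificate or key configuration. This overrides the hard-coded
+# mod_ssl default mode of "secure".
+#
+# See the directive documentation for more information:
+# https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslvhostsnipolicy
+#
+# NOTE: if this file is removed, it will be restored on upgrades.
+# To disable the override, comment-out the lines below.
+#
+<IfDirective SSLVHostSNIPolicy>
+SSLVHostSNIPolicy authonly
+</IfDirective>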
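Review bot: The header comment explains why the vendor lowers the default to "authonly" but not what the relaxation allows, which is the detail an administrator deciding whether to keep the override needs. Suggest adding, before the `<IfDirective>` block, `# With "authonly" a request may be served by a virtual host whose certificate/key differ from the one used in the TLS handshake; hosts that differ in other TLS settings are still answered with 421.` The exact set of settings compared under each policy is defined by the mod_ssl patch in this commit rather than here, so the wording should be checked against that code before it is committed.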


@ -4,6 +4,7 @@
%define mmn 20120211
%define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
%define vstring %(source /etc/os-release; echo ${NAME})
%define vprefix %(source /etc/os-release; echo ${ID})
%if 0%{?fedora} > 26 || 0%{?rhel} > 7
%global mpm event
%else
@ -13,7 +14,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.62
Release: 7%{?dist}
Release: 13%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -53,6 +54,7 @@ Source32: httpd.service.xml
Source33: htcacheclean.service.xml
Source34: httpd.conf.xml
Source35: 00-brotli.conf
Source36: snipolicy.conf
Source40: htcacheclean.service
Source41: htcacheclean.sysconf
Source42: httpd-init.service
@ -92,6 +94,8 @@ Patch35: httpd-2.4.57-r1912477+.patch
Patch36: httpd-2.4.62-r1926064.patch
# https://issues.redhat.com/browse/RHEL-106043
Patch37: httpd-2.4.62-r1926317.patch
# https://issues.redhat.com/browse/RHEL-129692
Patch38: httpd-2.4.62-r1931452.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
@ -108,6 +112,10 @@ Patch104: httpd-2.4.62-r1921299.patch
Patch105: httpd-2.4.62-r1922080.patch
# https://issues.redhat.com/browse/RHEL-99815
Patch106: httpd-2.4.62-r1926107.patch
# https://issues.redhat.com/browse/RHEL-105446
Patch107: httpd-2.4.62-hcheck-stuck.patch
# https://issues.redhat.com/browse/RHEL-131827
Patch108: httpd-2.4.62-err-page-handling.patch
# Security fixes
#
@ -117,6 +125,16 @@ Patch200: httpd-2.4.62-CVE-2025-23048.patch
Patch201: httpd-2.4.62-CVE-2024-47252.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2374580
Patch202: httpd-2.4.62-CVE-2025-49812.patch
# CVE-2025-23048 follow-up
# https://github.com/apache/httpd/pull/561
# https://bz.apache.org/bugzilla/show_bug.cgi?id=69743
Patch203: httpd-2.4.62-sslvhostsnipolicy.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2419262
Patch204: httpd-2.4.62-CVE-2025-66200.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2419139
Patch205: httpd-2.4.62-CVE-2025-65082.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2419365
Patch206: httpd-2.4.62-CVE-2025-58098.patch
License: ASL 2.0
@ -271,6 +289,7 @@ written in the Lua programming language.
%patch35 -p1 -b .r1912477+
%patch36 -p1 -b .r1926064
%patch37 -p1 -b .r1926317
%patch38 -p1 -b .r1931452
%patch100 -p1 -b .enable-sslv3
%patch101 -p1 -b .full-release
@ -279,10 +298,16 @@ written in the Lua programming language.
%patch104 -p1 -b .r1921299
%patch105 -p1 -b .r1922080
%patch106 -p1 -b .r1926107
%patch107 -p1 -b .hcheck-stuck
%patch108 -p1 -b .err-page-handling
%patch200 -p1 -b .CVE-2025-23048
%patch201 -p1 -b .CVE-2024-47252
%patch202 -p1 -b .CVE-2025-49812
%patch203 -p1 -b .sslvhostsnipolicy
%patch204 -p1 -b .CVE-2025-66200
%patch205 -p1 -b .CVE-2025-65082
%patch206 -p1 -b .CVE-2025-58098
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -331,7 +356,7 @@ xmlto man $RPM_SOURCE_DIR/httpd.service.xml
xmlto man %{SOURCE47}
: Building with MMN %{mmn}, MMN-ISA %{mmnisa}
: Default MPM is %{mpm}, vendor string is '%{vstring}'
: Default MPM is %{mpm}, vendor string is '%{vstring}', prefix is '%{vprefix}'
%build
# forcibly prevent use of bundled apr, apr-util, pcre
@ -436,10 +461,12 @@ mkdir $RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d
install -m 644 -p $RPM_SOURCE_DIR/10-listen443.conf \
$RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d/10-listen443.conf
for f in welcome.conf ssl.conf manual.conf userdir.conf; do
for f in welcome.conf ssl.conf manual.conf userdir.conf snipolicy.conf; do
install -m 644 -p $RPM_SOURCE_DIR/$f \
$RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/$f
done
mv $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/snipolicy.conf \
$RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/%{vprefix}-snipolicy.conf
# Split-out extra config shipped as default in conf.d:
for f in autoindex; do
@ -723,6 +750,7 @@ exit $rv
%config(noreplace) %{_sysconfdir}/httpd/conf.d/*.conf
%exclude %{_sysconfdir}/httpd/conf.d/ssl.conf
%exclude %{_sysconfdir}/httpd/conf.d/*snipolicy.conf
%exclude %{_sysconfdir}/httpd/conf.d/manual.conf
%dir %{_sysconfdir}/httpd/conf.modules.d
@ -808,6 +836,7 @@ exit $rv
%{_libdir}/httpd/modules/mod_ssl.so
%config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/00-ssl.conf
%config(noreplace) %{_sysconfdir}/httpd/conf.d/ssl.conf
%config(noreplace) %{_sysconfdir}/httpd/conf.d/*snipolicy.conf
%attr(0700,apache,root) %dir %{_localstatedir}/cache/httpd/ssl
%{_unitdir}/httpd-init.service
%{_libexecdir}/httpd-ssl-pass-dialog
@ -844,6 +873,33 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Thu Feb 12 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-13
- Resolves: RHEL-129692 - [RFE] Need miliseconds time stamp in ErrorLogFormat
* Thu Jan 08 2026 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-12
- Resolves: RHEL-135064 - httpd: Apache HTTP Server: mod_userdir+suexec bypass
via AllowOverride FileInfo (CVE-2025-66200)
- Resolves: RHEL-135049 - httpd: Apache HTTP Server: CGI environment variable
override (CVE-2025-65082)
- Resolves: RHEL-134481 - httpd: Apache HTTP Server: Server Side Includes adds
query string to #exec cmd=... (CVE-2025-58098)
* Fri Dec 19 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-11
- Resolves: RHEL-131827 - Fix error page messaging when error handling fails
* Thu Nov 06 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-10
- Resolves: RHEL-119000 - mod_ssl: allow more fine grained SSL SNI vhost check
to avoid unnecessary 421 errors after CVE-2025-23048 fix
- mod_ssl: add conf.d/snipolicy.conf to set 'SSLVHostSNIPolicy authonly' default
* Fri Oct 24 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-9
- Resolves: RHEL-105446 - mod_proxy_hcheck may stop healthchecks after a child
process is reclaimed
* Mon Oct 13 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-8
- Resolves: RHEL-114501 Image mode: The dir /var/www is not created when
updating system in image mode
* Sat Aug 16 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-7
- Resolves: RHEL-99815 - stickysession field does not work when specifying
it in the query parameter after upgrade to 9.5