import UBI httpd-2.4.37-65.module+el8.10.0+21982+14717793

2024-07-01 13:02:36 +00:00 · 2024-07-01 13:02:36 +00:00 · c90dc6a0af
parent 414eaf2ac7
commit c90dc6a0af
2 changed files with 82 additions and 1 deletions
--- a/SOURCES/httpd-2.4.37-CVE-2023-38709.patch
+++ b/SOURCES/httpd-2.4.37-CVE-2023-38709.patch
@ -0,0 +1,74 @@
+diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
+index 393343a..16cb23c 100644
+--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
+@@ -1348,6 +1348,9 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+          */
+         apr_table_clear(r->headers_out);
+         apr_table_clear(r->err_headers_out);
+        r->content_type = r->content_encoding = NULL;
+        r->content_languages = NULL;
+        r->clength = r->chunked = 0;
+         apr_brigade_cleanup(b);
+ 
+         /* Don't recall ap_die() if we come back here (from its own internal
+@@ -1364,8 +1367,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+         APR_BRIGADE_INSERT_TAIL(b, e);
+         e = apr_bucket_eos_create(c->bucket_alloc);
+         APR_BRIGADE_INSERT_TAIL(b, e);
+-        r->content_type = r->content_encoding = NULL;
+-        r->content_languages = NULL;
+         ap_set_content_length(r, 0);
+         recursive_error = 1;
+     }
+@@ -1392,6 +1393,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+     if (!apr_is_empty_table(r->err_headers_out)) {
+         r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
+                                            r->headers_out);
+        apr_table_clear(r->err_headers_out);
+     }
+ 
+     /*
+@@ -1411,6 +1413,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+         fixup_vary(r);
+     }
+ 
+
+    /*
+     * Control cachability for non-cacheable responses if not already set by
+     * some other part of the server configuration.
+     */
+    if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
+        char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
+        ap_recent_rfc822_date(date, r->request_time);
+        apr_table_addn(r->headers_out, "Expires", date);
+    }
+
+     /*
+      * Now remove any ETag response header field if earlier processing
+      * says so (such as a 'FileETag None' directive).
+@@ -1423,6 +1436,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+     basic_http_header_check(r, &protocol);
+     ap_set_keepalive(r);
+ 
+    /* 204/304 responses don't have content related headers */
+     if (AP_STATUS_IS_HEADER_ONLY(r->status)) {
+         apr_table_unset(r->headers_out, "Transfer-Encoding");
+         apr_table_unset(r->headers_out, "Content-Length");
+@@ -1465,16 +1479,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+         apr_table_setn(r->headers_out, "Content-Language", field);
+     }
+ 
+-    /*
+-     * Control cachability for non-cacheable responses if not already set by
+-     * some other part of the server configuration.
+-     */
+-    if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
+-        char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
+-        ap_recent_rfc822_date(date, r->request_time);
+-        apr_table_addn(r->headers_out, "Expires", date);
+-    }
+-
+     /* This is a hack, but I can't find anyway around it.  The idea is that
+      * we don't want to send out 0 Content-Lengths if it is a head request.
+      * This happens when modules try to outsmart the server, and return
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 64%{?dist}
+Release: 65%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@ -258,6 +258,8 @@ Patch238: httpd-2.4.37-CVE-2023-25690.patch
 Patch239: httpd-2.4.37-CVE-2023-27522.patch
 # https://issues.redhat.com/browse/RHEL-14448
 Patch240: httpd-2.4.37-CVE-2023-31122.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2273491
+Patch241: httpd-2.4.37-CVE-2023-38709.patch

 License: ASL 2.0
 Group: System Environment/Daemons
@ -484,6 +486,7 @@ interface for storing and accessing per-user session data.
 %patch238 -p1 -b .CVE-2023-25690
 %patch239 -p1 -b .CVE-2023-27522
 %patch240 -p1 -b .CVE-2023-31122
+%patch241 -p1 -b .CVE-2023-38709

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -989,6 +992,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Wed Jun 12 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65
+- Resolves: RHEL-31857 - httpd:2.4/httpd: HTTP response
+  splitting (CVE-2023-38709)
+
 * Fri Feb 16 2024 Joe Orton <jorton@redhat.com> - 2.4.37-64
 - Resolves: RHEL-14448 - httpd: mod_macro: out-of-bounds read
  vulnerability (CVE-2023-31122)