From d2c986969d44b1e186ca04f004d1d80a0f4117a2 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Mon, 22 Dec 2025 21:29:08 +0000
Subject: [PATCH] import UBI httpd-2.4.62-7.el9_7.3
---
SOURCES/httpd-2.4.62-CVE-2025-58098.patch | 36 +++++++++++++
SOURCES/httpd-2.4.62-CVE-2025-65082.patch | 64 +++++++++++++++++++++++
SOURCES/httpd-2.4.62-CVE-2025-66200.patch | 58 ++++++++++++++++++++
SPECS/httpd.spec | 19 ++++++-
4 files changed, 176 insertions(+), 1 deletion(-)
create mode 100644 SOURCES/httpd-2.4.62-CVE-2025-58098.patch
create mode 100644 SOURCES/httpd-2.4.62-CVE-2025-65082.patch
create mode 100644 SOURCES/httpd-2.4.62-CVE-2025-66200.patch
diff --git a/SOURCES/httpd-2.4.62-CVE-2025-58098.patch b/SOURCES/httpd-2.4.62-CVE-2025-58098.patch
new file mode 100644
index 0000000..56eb1b1
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2025-58098.patch
@@ -0,0 +1,36 @@
+From ecc1b8f3817e3dcab9c1f24f905752d3c0a279af Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 1 Dec 2025 12:00:14 +0000
+Subject: [PATCH] don't pass args for SSI request
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930161 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/generators/mod_cgid.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
+index b27dd802d80..94ad7ee8733 100644
+--- a/modules/generators/mod_cgid.c
++++ b/modules/generators/mod_cgid.c
+@@ -239,7 +239,7 @@ static char **create_argv(apr_pool_t *p, char *path, char *user, char *group,
+ char *w;
+ int idx = 0;
+
+- if (!(*args) || ap_strchr_c(args, '=')) {
++ if (!args || !(*args) || ap_strchr_c(args, '=')) {
+ numwords = 0;
+ }
+ else {
+@@ -932,7 +932,10 @@ static int cgid_server(void *data)
+ apr_pool_userdata_set(r, ERRFN_USERDATA_KEY, apr_pool_cleanup_null, ptrans);
+ }
+
+- argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args);
++ /* Do not pass args in case of SSI requests */
++ argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL,
++ argv0,
++ cgid_req.req_type == SSI_REQ ? NULL : r->args);
+
+ /* We want to close sd2 for the new CGI process too.
+ * If it is left open it'll make ap_pass_brigade() block
+
diff --git a/SOURCES/httpd-2.4.62-CVE-2025-65082.patch b/SOURCES/httpd-2.4.62-CVE-2025-65082.patch
new file mode 100644
index 0000000..20d2afa
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-CVE-2025-65082.patch
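Review bot: The new comment in cgid_server, `/* Do not pass args in case of SSI requests */`, restates the ternary without saying why, which makes the SSI_REQ special case easy to undo in a later refactor. Going by the spec changelog entry for CVE-2025-58098, the reason is that the query string must not be added to an `#exec cmd=` command line, so I would spell that out: `/* SSI_REQ: never let the client's query string (r->args) become extra argv words for the exec'd command (CVE-2025-58098). */`. The `!args ||` guard added to create_argv is what makes passing NULL safe, and that dependency deserves a word in create_argv's header comment as well. Both functions start and end outside the hunks shown, so any other callers of create_argv that rely on the old behaviour are not visible here.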
@@ -0,0 +1,64 @@
+From e4f00c5eb71d8a7aa1f52b5279832986f669d463 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 1 Dec 2025 12:03:12 +0000
+Subject: [PATCH] envvars from HTTP headers low precedence
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930163 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/util_script.c | 26 +++++++++++++++++++++++---
+ 1 file changed, 23 insertions(+), 3 deletions(-)
+
+diff --git a/server/util_script.c b/server/util_script.c
+index 72175e75824..6a18aec8c90 100644
+--- a/server/util_script.c
++++ b/server/util_script.c
+@@ -126,6 +126,8 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t)
+ }
+ }
+ for (i = 0; i < env_arr->nelts; ++i) {
++ int changed = 0;
++
+ if (!elts[i].key) {
+ continue;
+ }
+@@ -133,18 +135,36 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t)
+ whack = env[j];
+ if (apr_isdigit(*whack)) {
+ *whack++ = '_';
++ changed = 1;
+ }
+ while (*whack != '=') {
+ #ifdef WIN32
+- if (!apr_isalnum(*whack) && *whack != '(' && *whack != ')') {
++ if (!apr_isalnum(*whack) && *whack != '_' && *whack != '(' && *whack != ')') {
+ #else
+- if (!apr_isalnum(*whack)) {
++ if (!apr_isalnum(*whack) && *whack != '_') {
+ #endif
+ *whack = '_';
++ changed = 1;
+ }
+ ++whack;
+ }
+- ++j;
++ if (changed) {
++ *whack = '\0';
++ /*
++ * If after cleaning up the key the key is identical to an existing key
++ * in the table drop this environment variable. This also prevents
++ * to override CGI reserved environment variables with variables whose
++ * names have an invalid character instead of '_', but are otherwise
++ * equal to the names CGI reserved environment variables.
++ */
++ if (!apr_table_get(t, env[j])) {
++ ++j;
++ *whack = '=';
++ }
++ }
++ else {
++ ++j;
++ }
+ }
+
+ env[j] = NULL;
+
diff --git a/SOURCES/httpd-2.4.62-CVE-2025-66200.patch b/SOURCES/httpd-2.4.62-CVE-2025-66200.patch
new file mode 100644
index 0000000..64616d8
--- /dev/null
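Review bot: The collision check in the new `if (changed)` branch looks the rewritten name up in the source table only (`apr_table_get(t, env[j])`), so two entries that both need rewriting and collapse to the same name are both still emitted when that name is not itself a key in `t`. Which of the duplicates a CGI program then sees depends on how it reads its environment, so either compare against the entries already stored in `env[0..j-1]` as well, or state in the block comment that only collisions with keys present in `t` are dropped. The comment would also read better as `This also prevents overriding CGI reserved environment variables ...` and `equal to the names of CGI reserved environment variables`. ap_create_environment starts and ends outside the hunk, so how `env[j]` is filled before this loop body is not visible here.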
+++ b/SOURCES/httpd-2.4.62-CVE-2025-66200.patch 
@@ -0,0 +1,58 @@
+From 9d26b95787b229a3f6195d7beead774d131eeda1 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 1 Dec 2025 12:04:29 +0000
+Subject: [PATCH] don't use request notes for suexec
+
+also, stop accepting the obscure "note" option in
+RequestHeader, it is only documented/described as being
+meant for Header (output filter).
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930164 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/mappers/mod_userdir.c | 4 ++--
+ modules/metadata/mod_headers.c | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/modules/mappers/mod_userdir.c b/modules/mappers/mod_userdir.c
+index 1ec0e90..0a34fd3 100644
+--- a/modules/mappers/mod_userdir.c
++++ b/modules/mappers/mod_userdir.c
+@@ -334,7 +334,7 @@ static int translate_userdir(request_rec *r)
+ r->finfo = statbuf;
+
+ /* For use in the get_suexec_identity phase */
+- apr_table_setn(r->notes, "mod_userdir_user", user);
++ ap_set_module_config(r->request_config, &userdir_module, (void *)user);
+
+ return OK;
+ }
+@@ -348,7 +348,7 @@ static ap_unix_identity_t *get_suexec_id_doer(const request_rec *r)
+ {
+ ap_unix_identity_t *ugid = NULL;
+ #if APR_HAS_USER
+- const char *username = apr_table_get(r->notes, "mod_userdir_user");
++ const char *username = (const char*) ap_get_module_config(r->request_config, &userdir_module);
+
+ if (username == NULL) {
+ return NULL;
+diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c
+index 4838bd6..7fb2e6c 100644
+--- a/modules/metadata/mod_headers.c
++++ b/modules/metadata/mod_headers.c
+@@ -455,8 +455,12 @@ static APR_INLINE const char *header_inout_cmd(cmd_parms *cmd,
+ new->action = hdr_edit;
+ else if (!strcasecmp(action, "edit*"))
+ new->action = hdr_edit_r;
+- else if (!strcasecmp(action, "note"))
+- new->action = hdr_note;
++ else if (!strcasecmp(action, "note")) {
++ if (cmd->info == &hdr_in) {
++ return "RequestHeader does not support the 'note' action";
++ } ++ new->action = hdr_note; ++ } + else + return "first argument must be 'add', 'set', 'setifempty', 'append', 'merge', " + "'unset', 'echo', 'note', 'edit', or 'edit*'."; diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index 8e7ca87..e53d26b 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -14,7 +14,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.62 -Release: 7%{?dist}.2 +Release: 7%{?dist}.3 URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc @@ -125,6 +125,12 @@ Patch202: httpd-2.4.62-CVE-2025-49812.patch # https://github.com/apache/httpd/pull/561 # https://bz.apache.org/bugzilla/show_bug.cgi?id=69743 Patch203: httpd-2.4.62-sslvhostsnipolicy.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2419262 +Patch204: httpd-2.4.62-CVE-2025-66200.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2419139 +Patch205: httpd-2.4.62-CVE-2025-65082.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2419365 +Patch206: httpd-2.4.62-CVE-2025-58098.patch License: ASL 2.0 @@ -293,6 +299,9 @@ written in the Lua programming language. %patch201 -p1 -b .CVE-2024-47252 %patch202 -p1 -b .CVE-2025-49812 %patch203 -p1 -b .sslvhostsnipolicy +%patch204 -p1 -b .CVE-2025-66200 +%patch205 -p1 -b .CVE-2025-65082 +%patch206 -p1 -b .CVE-2025-58098 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h 
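Review bot: The line in translate_userdir that replaces the `mod_userdir_user` note keeps the old comment (`/* For use in the get_suexec_identity phase */`) and does not record why the value moved, although that is the whole security property: by the commit message, request notes could be set through the `note` action of RequestHeader, and this value selects the suexec identity. I would extend the comment to something like `/* Kept in request_config rather than r->notes: notes can be set from configuration, and this value picks the suexec user (CVE-2025-66200). */`. Since request_config presumably belongs to a single request_rec, it is worth confirming that get_suexec_id_doer is never reached on a request for which translate_userdir did not run (sub-requests, internal redirects), where the old note may have been inherited. Separately, in header_inout_cmd `RequestHeader ... note` now returns a configuration error, so existing configurations that use it will presumably fail to load after the update, which deserves a line in the spec changelog. All three functions extend beyond the hunks shown.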
@@ -858,6 +867,14 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Fri Dec 12 2025 Luboš Uhliarik - 2.4.62-7.3 +- Resolves: RHEL-135063 - httpd: Apache HTTP Server: mod_userdir+suexec bypass + via AllowOverride FileInfo (CVE-2025-66200) +- Resolves: RHEL-135048 - httpd: Apache HTTP Server: CGI environment variable + override (CVE-2025-65082) +- Resolves: RHEL-134480 - httpd: Apache HTTP Server: Server Side Includes adds + query string to #exec cmd=... (CVE-2025-58098) + * Wed Nov 12 2025 Luboš Uhliarik - 2.4.62-7.2 - Resolves: RHEL-123850 - mod_proxy_hcheck may stop healthchecks after a child process is reclaimed