rpms/httpd
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass

Browse Source 
via AllowOverride FileInfo (CVE-2025-66200)
Resolves: RHEL-135039 - httpd: Apache HTTP Server: CGI environment variable
  override (CVE-2025-65082)
Resolves: RHEL-134471 - httpd: Apache HTTP Server: Server Side Includes adds
  query string to #exec cmd=... (CVE-2025-58098)
This commit is contained in:
Luboš Uhliarik 2025-12-12 18:13:50 +01:00
parent 2e8fbb8d23
commit e191e5355e
4 changed files with 176 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
httpd-2.4.37-CVE-2025-58098.patch Normal file
View File

@ -0,0 +1,36 @@
From ecc1b8f3817e3dcab9c1f24f905752d3c0a279af Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 1 Dec 2025 12:00:14 +0000
Subject: [PATCH] don't pass args for SSI request
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930161 13f79535-47bb-0310-9956-ffa450edef68
---
modules/generators/mod_cgid.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c
index b27dd802d80..94ad7ee8733 100644
--- a/modules/generators/mod_cgid.c
+++ b/modules/generators/mod_cgid.c
@@ -239,7 +239,7 @@ static char **create_argv(apr_pool_t *p, char *path, char *user, char *group,
char *w;
int idx = 0;
- if (!(*args) || ap_strchr_c(args, '=')) {
+ if (!args || !(*args) || ap_strchr_c(args, '=')) {
numwords = 0;
}
else {
@@ -932,7 +932,10 @@ static int cgid_server(void *data)
apr_pool_userdata_set(r, ERRFN_USERDATA_KEY, apr_pool_cleanup_null, ptrans);
}
- argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args);
+ /* Do not pass args in case of SSI requests */
+ argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL,
+ argv0,
+ cgid_req.req_type == SSI_REQ ? NULL : r->args);
/* We want to close sd2 for the new CGI process too.
* If it is left open it'll make ap_pass_brigade() block

64
httpd-2.4.37-CVE-2025-65082.patch Normal file
View File

@ -0,0 +1,64 @@
From e4f00c5eb71d8a7aa1f52b5279832986f669d463 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 1 Dec 2025 12:03:12 +0000
Subject: [PATCH] envvars from HTTP headers low precedence
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930163 13f79535-47bb-0310-9956-ffa450edef68
---
server/util_script.c | 26 +++++++++++++++++++++++---
1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/server/util_script.c b/server/util_script.c
index 72175e75824..6a18aec8c90 100644
--- a/server/util_script.c
+++ b/server/util_script.c
@@ -126,6 +126,8 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t)
}
}
for (i = 0; i < env_arr->nelts; ++i) {
+ int changed = 0;
+
if (!elts[i].key) {
continue;
}
@@ -133,18 +135,36 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t)
whack = env[j];
if (apr_isdigit(*whack)) {
*whack++ = '_';
+ changed = 1;
}
while (*whack != '=') {
#ifdef WIN32
- if (!apr_isalnum(*whack) && *whack != '(' && *whack != ')') {
+ if (!apr_isalnum(*whack) && *whack != '_' && *whack != '(' && *whack != ')') {
#else
- if (!apr_isalnum(*whack)) {
+ if (!apr_isalnum(*whack) && *whack != '_') {
#endif
*whack = '_';
+ changed = 1;
}
++whack;
}
- ++j;
+ if (changed) {
+ *whack = '\0';
+ /*
+ * If after cleaning up the key the key is identical to an existing key
+ * in the table drop this environment variable. This also prevents
+ * to override CGI reserved environment variables with variables whose
+ * names have an invalid character instead of '_', but are otherwise
+ * equal to the names CGI reserved environment variables.
+ */
+ if (!apr_table_get(t, env[j])) {
+ ++j;
+ *whack = '=';
+ }
+ }
+ else {
+ ++j;
+ }
}
env[j] = NULL;

58
httpd-2.4.37-CVE-2025-66200.patch Normal file
View File

@ -0,0 +1,58 @@
From 9d26b95787b229a3f6195d7beead774d131eeda1 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 1 Dec 2025 12:04:29 +0000
Subject: [PATCH] don't use request notes for suexec
also, stop accepting the obscure "note" option in
RequestHeader, it is only documented/described as being
meant for Header (output filter).
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930164 13f79535-47bb-0310-9956-ffa450edef68
---
modules/mappers/mod_userdir.c | 4 ++--
modules/metadata/mod_headers.c | 6 +++++-
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/modules/mappers/mod_userdir.c b/modules/mappers/mod_userdir.c
index 1ec0e90..0a34fd3 100644
--- a/modules/mappers/mod_userdir.c
+++ b/modules/mappers/mod_userdir.c
@@ -334,7 +334,7 @@ static int translate_userdir(request_rec *r)
r->finfo = statbuf;
/* For use in the get_suexec_identity phase */
- apr_table_setn(r->notes, "mod_userdir_user", user);
+ ap_set_module_config(r->request_config, &userdir_module, (void *)user);
return OK;
}
@@ -348,7 +348,7 @@ static ap_unix_identity_t *get_suexec_id_doer(const request_rec *r)
{
ap_unix_identity_t *ugid = NULL;
#if APR_HAS_USER
- const char *username = apr_table_get(r->notes, "mod_userdir_user");
+ const char *username = (const char*) ap_get_module_config(r->request_config, &userdir_module);
if (username == NULL) {
return NULL;
diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c
index 4838bd6..7fb2e6c 100644
--- a/modules/metadata/mod_headers.c
+++ b/modules/metadata/mod_headers.c
@@ -455,8 +455,12 @@ static APR_INLINE const char *header_inout_cmd(cmd_parms *cmd,
new->action = hdr_edit;
else if (!strcasecmp(action, "edit*"))
new->action = hdr_edit_r;
- else if (!strcasecmp(action, "note"))
- new->action = hdr_note;
+ else if (!strcasecmp(action, "note")) {
+ if (cmd->info == &hdr_in) {
+ return "RequestHeader does not support the 'note' action";
+ }
+ new->action = hdr_note;
+ }
else
return "first argument must be 'add', 'set', 'setifempty', 'append', 'merge', "
"'unset', 'echo', 'note', 'edit', or 'edit*'.";

19
httpd.spec
View File

@ -14,7 +14,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.37
Release: 65%{?dist}.6
Release: 65%{?dist}.7
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source2: httpd.logrotate
@ -293,6 +293,12 @@ Patch250: httpd-2.4.37-CVE-2025-49812.patch
# https://github.com/apache/httpd/pull/561
# https://bz.apache.org/bugzilla/show_bug.cgi?id=69743
Patch251: httpd-2.4.37-sslvhostsnipolicy.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2419262
Patch252: httpd-2.4.37-CVE-2025-66200.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2419139
Patch253: httpd-2.4.37-CVE-2025-65082.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2419365
Patch254: httpd-2.4.37-CVE-2025-58098.patch
License: ASL 2.0
Group: System Environment/Daemons
@ -534,6 +540,9 @@ interface for storing and accessing per-user session data.
%patch249 -p1 -b .CVE-2024-47252
%patch250 -p1 -b .CVE-2025-49812
%patch251 -p1 -b .sslvhostsnipolicy
%patch252 -p1 -b .CVE-2025-66200
%patch253 -p1 -b .CVE-2025-65082
%patch254 -p1 -b .CVE-2025-58098
%patch96 -p1 -b .r1922080
@ -1045,6 +1054,14 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Fri Dec 12 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.7
- Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass
via AllowOverride FileInfo (CVE-2025-66200)
- Resolves: RHEL-135039 - httpd: Apache HTTP Server: CGI environment variable
override (CVE-2025-65082)
- Resolves: RHEL-134471 - httpd: Apache HTTP Server: Server Side Includes adds
query string to #exec cmd=... (CVE-2025-58098)
* Fri Nov 07 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.6
- Resolves: RHEL-127073 - mod_ssl: allow more fine grained SSL SNI vhost check
to avoid unnecessary 421 errors after CVE-2025-23048 fix