diff --git a/httpd-2.4.37-CVE-2025-58098.patch b/httpd-2.4.37-CVE-2025-58098.patch new file mode 100644 index 0000000..56eb1b1 --- /dev/null +++ b/httpd-2.4.37-CVE-2025-58098.patch @@ -0,0 +1,36 @@ +From ecc1b8f3817e3dcab9c1f24f905752d3c0a279af Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 1 Dec 2025 12:00:14 +0000 +Subject: [PATCH] don't pass args for SSI request + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930161 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/generators/mod_cgid.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c +index b27dd802d80..94ad7ee8733 100644 +--- a/modules/generators/mod_cgid.c ++++ b/modules/generators/mod_cgid.c +@@ -239,7 +239,7 @@ static char **create_argv(apr_pool_t *p, char *path, char *user, char *group, + char *w; + int idx = 0; + +- if (!(*args) || ap_strchr_c(args, '=')) { ++ if (!args || !(*args) || ap_strchr_c(args, '=')) { + numwords = 0; + } + else { +@@ -932,7 +932,10 @@ static int cgid_server(void *data) + apr_pool_userdata_set(r, ERRFN_USERDATA_KEY, apr_pool_cleanup_null, ptrans); + } + +- argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args); ++ /* Do not pass args in case of SSI requests */ ++ argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, ++ argv0, ++ cgid_req.req_type == SSI_REQ ? NULL : r->args); + + /* We want to close sd2 for the new CGI process too. + * If it is left open it'll make ap_pass_brigade() block + diff --git a/httpd-2.4.37-CVE-2025-65082.patch b/httpd-2.4.37-CVE-2025-65082.patch new file mode 100644 index 0000000..20d2afa --- /dev/null +++ b/httpd-2.4.37-CVE-2025-65082.patch @@ -0,0 +1,64 @@ +From e4f00c5eb71d8a7aa1f52b5279832986f669d463 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 1 Dec 2025 12:03:12 +0000 +Subject: [PATCH] envvars from HTTP headers low precedence + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930163 13f79535-47bb-0310-9956-ffa450edef68 +--- + server/util_script.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/server/util_script.c b/server/util_script.c +index 72175e75824..6a18aec8c90 100644 +--- a/server/util_script.c ++++ b/server/util_script.c +@@ -126,6 +126,8 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t) + } + } + for (i = 0; i < env_arr->nelts; ++i) { ++ int changed = 0; ++ + if (!elts[i].key) { + continue; + } +@@ -133,18 +135,36 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t) + whack = env[j]; + if (apr_isdigit(*whack)) { + *whack++ = '_'; ++ changed = 1; + } + while (*whack != '=') { + #ifdef WIN32 +- if (!apr_isalnum(*whack) && *whack != '(' && *whack != ')') { ++ if (!apr_isalnum(*whack) && *whack != '_' && *whack != '(' && *whack != ')') { + #else +- if (!apr_isalnum(*whack)) { ++ if (!apr_isalnum(*whack) && *whack != '_') { + #endif + *whack = '_'; ++ changed = 1; + } + ++whack; + } +- ++j; ++ if (changed) { ++ *whack = '\0'; ++ /* ++ * If after cleaning up the key the key is identical to an existing key ++ * in the table drop this environment variable. This also prevents ++ * to override CGI reserved environment variables with variables whose ++ * names have an invalid character instead of '_', but are otherwise ++ * equal to the names CGI reserved environment variables. ++ */ ++ if (!apr_table_get(t, env[j])) { ++ ++j; ++ *whack = '='; ++ } ++ } ++ else { ++ ++j; ++ } + } + + env[j] = NULL; + diff --git a/httpd-2.4.37-CVE-2025-66200.patch b/httpd-2.4.37-CVE-2025-66200.patch new file mode 100644 index 0000000..64616d8 --- /dev/null +++ b/httpd-2.4.37-CVE-2025-66200.patch @@ -0,0 +1,58 @@ +From 9d26b95787b229a3f6195d7beead774d131eeda1 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 1 Dec 2025 12:04:29 +0000 +Subject: [PATCH] don't use request notes for suexec + +also, stop accepting the obscure "note" option in +RequestHeader, it is only documented/described as being +meant for Header (output filter). + + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930164 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/mappers/mod_userdir.c | 4 ++-- + modules/metadata/mod_headers.c | 6 +++++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/modules/mappers/mod_userdir.c b/modules/mappers/mod_userdir.c +index 1ec0e90..0a34fd3 100644 +--- a/modules/mappers/mod_userdir.c ++++ b/modules/mappers/mod_userdir.c +@@ -334,7 +334,7 @@ static int translate_userdir(request_rec *r) + r->finfo = statbuf; + + /* For use in the get_suexec_identity phase */ +- apr_table_setn(r->notes, "mod_userdir_user", user); ++ ap_set_module_config(r->request_config, &userdir_module, (void *)user); + + return OK; + } +@@ -348,7 +348,7 @@ static ap_unix_identity_t *get_suexec_id_doer(const request_rec *r) + { + ap_unix_identity_t *ugid = NULL; + #if APR_HAS_USER +- const char *username = apr_table_get(r->notes, "mod_userdir_user"); ++ const char *username = (const char*) ap_get_module_config(r->request_config, &userdir_module); + + if (username == NULL) { + return NULL; +diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c +index 4838bd6..7fb2e6c 100644 +--- a/modules/metadata/mod_headers.c ++++ b/modules/metadata/mod_headers.c +@@ -455,8 +455,12 @@ static APR_INLINE const char *header_inout_cmd(cmd_parms *cmd, + new->action = hdr_edit; + else if (!strcasecmp(action, "edit*")) + new->action = hdr_edit_r; +- else if (!strcasecmp(action, "note")) +- new->action = hdr_note; ++ else if (!strcasecmp(action, "note")) { ++ if (cmd->info == &hdr_in) { ++ return "RequestHeader does not support the 'note' action"; ++ } ++ new->action = hdr_note; ++ } + else + return "first argument must be 'add', 'set', 'setifempty', 'append', 'merge', " + "'unset', 'echo', 'note', 'edit', or 'edit*'."; diff --git a/httpd.spec b/httpd.spec index 1c57135..c709360 100644 --- a/httpd.spec +++ b/httpd.spec @@ -14,7 +14,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.37 -Release: 65%{?dist}.6 +Release: 65%{?dist}.7 URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source2: httpd.logrotate @@ -293,6 +293,12 @@ Patch250: httpd-2.4.37-CVE-2025-49812.patch # https://github.com/apache/httpd/pull/561 # https://bz.apache.org/bugzilla/show_bug.cgi?id=69743 Patch251: httpd-2.4.37-sslvhostsnipolicy.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2419262 +Patch252: httpd-2.4.37-CVE-2025-66200.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2419139 +Patch253: httpd-2.4.37-CVE-2025-65082.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2419365 +Patch254: httpd-2.4.37-CVE-2025-58098.patch License: ASL 2.0 Group: System Environment/Daemons @@ -534,6 +540,9 @@ interface for storing and accessing per-user session data. %patch249 -p1 -b .CVE-2024-47252 %patch250 -p1 -b .CVE-2025-49812 %patch251 -p1 -b .sslvhostsnipolicy +%patch252 -p1 -b .CVE-2025-66200 +%patch253 -p1 -b .CVE-2025-65082 +%patch254 -p1 -b .CVE-2025-58098 %patch96 -p1 -b .r1922080 @@ -1045,6 +1054,14 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Fri Dec 12 2025 Luboš Uhliarik - 2.4.37-65.7 +- Resolves: RHEL-135054 - httpd: Apache HTTP Server: mod_userdir+suexec bypass + via AllowOverride FileInfo (CVE-2025-66200) +- Resolves: RHEL-135039 - httpd: Apache HTTP Server: CGI environment variable + override (CVE-2025-65082) +- Resolves: RHEL-134471 - httpd: Apache HTTP Server: Server Side Includes adds + query string to #exec cmd=... (CVE-2025-58098) + * Fri Nov 07 2025 Luboš Uhliarik - 2.4.37-65.6 - Resolves: RHEL-127073 - mod_ssl: allow more fine grained SSL SNI vhost check to avoid unnecessary 421 errors after CVE-2025-23048 fix