AlmaLinux changes
commit
eddf0294a3
13
SOURCES/httpd-2.4.37-CVE-2021-26691.patch
Normal file
13
SOURCES/httpd-2.4.37-CVE-2021-26691.patch
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
|
||||||
|
index 049255d..af70f6b 100644
|
||||||
|
--- a/modules/session/mod_session.c
|
||||||
|
+++ b/modules/session/mod_session.c
|
||||||
|
@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
|
||||||
|
static int identity_count(void *v, const char *key, const char *val)
|
||||||
|
{
|
||||||
|
int *count = v;
|
||||||
|
- *count += strlen(key) * 3 + strlen(val) * 3 + 1;
|
||||||
|
+ *count += strlen(key) * 3 + strlen(val) * 3 + 2;
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
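Review bot: The constant in `*count += strlen(key) * 3 + strlen(val) * 3 + 2;` is unexplained, and the changelog on this page describes the bug being fixed as a heap overflow in mod_session, so an undersized estimate here is exactly what the patch guards against. The reasoning should sit next to the line, for example `/* worst case: every byte triples when escaped, plus two separator bytes per pair */`. Confirm that wording against the encoder that consumes the count, which is outside the hunk; the meaning of the factor 3 and the two extra bytes is inferred here, not shown. Separately, the sum is `size_t` arithmetic accumulated into an `int` through `int *count = v;`, so it is worth checking where the caller bounds the total session size before this value is used as an allocation length.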
126
SOURCES/httpd-2.4.37-CVE-2021-40438.patch
Normal file
126
SOURCES/httpd-2.4.37-CVE-2021-40438.patch
Normal file
@ -0,0 +1,126 @@
|
|||||||
|
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
|
||||||
|
index fb897a9..38dbb24 100644
|
||||||
|
--- a/modules/mappers/mod_rewrite.c
|
||||||
|
+++ b/modules/mappers/mod_rewrite.c
|
||||||
|
@@ -619,6 +619,13 @@ static unsigned is_absolute_uri(char *uri, int *supportsqs)
|
||||||
|
return 6;
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
+
|
||||||
|
+ case 'u':
|
||||||
|
+ case 'U':
|
||||||
|
+ if (!ap_cstr_casecmpn(uri, "nix:", 4)) { /* unix: */
|
||||||
|
+ *sqs = 1;
|
||||||
|
+ return (uri[4] == '/' && uri[5] == '/') ? 7 : 5;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
|
||||||
|
index f383996..6a9ef55 100644
|
||||||
|
--- a/modules/proxy/mod_proxy.c
|
||||||
|
+++ b/modules/proxy/mod_proxy.c
|
||||||
|
@@ -1717,7 +1717,8 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url)
|
||||||
|
* the UDS path... ignore it
|
||||||
|
*/
|
||||||
|
if (!strncasecmp(url, "unix:", 5) &&
|
||||||
|
- ((ptr = ap_strchr_c(url, '|')) != NULL)) {
|
||||||
|
+ ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) {
|
||||||
|
+
|
||||||
|
/* move past the 'unix:...|' UDS path info */
|
||||||
|
const char *ret, *c;
|
||||||
|
|
||||||
|
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
|
||||||
|
index 7714b6c..3dd570c 100644
|
||||||
|
--- a/modules/proxy/proxy_util.c
|
||||||
|
+++ b/modules/proxy/proxy_util.c
|
||||||
|
@@ -2084,33 +2084,45 @@ static int ap_proxy_retry_worker(const char *proxy_function, proxy_worker *worke
|
||||||
|
* were passed a UDS url (eg: from mod_proxy) and adjust uds_path
|
||||||
|
* as required.
|
||||||
|
*/
|
||||||
|
-static void fix_uds_filename(request_rec *r, char **url)
|
||||||
|
+static int fix_uds_filename(request_rec *r, char **url)
|
||||||
|
{
|
||||||
|
- char *ptr, *ptr2;
|
||||||
|
- if (!r || !r->filename) return;
|
||||||
|
+ char *uds_url = r->filename + 6, *origin_url;
|
||||||
|
|
||||||
|
if (!strncmp(r->filename, "proxy:", 6) &&
|
||||||
|
- (ptr2 = ap_strcasestr(r->filename, "unix:")) &&
|
||||||
|
- (ptr = ap_strchr(ptr2, '|'))) {
|
||||||
|
+ !ap_cstr_casecmpn(uds_url, "unix:", 5) &&
|
||||||
|
+ (origin_url = ap_strchr(uds_url + 5, '|'))) {
|
||||||
|
+ char *uds_path = NULL;
|
||||||
|
+ apr_size_t url_len;
|
||||||
|
apr_uri_t urisock;
|
||||||
|
apr_status_t rv;
|
||||||
|
- *ptr = '\0';
|
||||||
|
- rv = apr_uri_parse(r->pool, ptr2, &urisock);
|
||||||
|
- if (rv == APR_SUCCESS) {
|
||||||
|
- char *rurl = ptr+1;
|
||||||
|
- char *sockpath = ap_runtime_dir_relative(r->pool, urisock.path);
|
||||||
|
- apr_table_setn(r->notes, "uds_path", sockpath);
|
||||||
|
- *url = apr_pstrdup(r->pool, rurl); /* so we get the scheme for the uds */
|
||||||
|
- /* r->filename starts w/ "proxy:", so add after that */
|
||||||
|
- memmove(r->filename+6, rurl, strlen(rurl)+1);
|
||||||
|
- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
||||||
|
- "*: rewrite of url due to UDS(%s): %s (%s)",
|
||||||
|
- sockpath, *url, r->filename);
|
||||||
|
- }
|
||||||
|
- else {
|
||||||
|
- *ptr = '|';
|
||||||
|
- }
|
||||||
|
- }
|
||||||
|
+
|
||||||
|
+ *origin_url = '\0';
|
||||||
|
+ rv = apr_uri_parse(r->pool, uds_url, &urisock);
|
||||||
|
+ *origin_url++ = '|';
|
||||||
|
+
|
||||||
|
+ if (rv == APR_SUCCESS && urisock.path && (!urisock.hostname
|
||||||
|
+ || !urisock.hostname[0])) {
|
||||||
|
+ uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!uds_path) {
|
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
|
||||||
|
+ "Invalid proxy UDS filename (%s)", r->filename);
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
+ apr_table_setn(r->notes, "uds_path", uds_path);
|
||||||
|
+
|
||||||
|
+ /* Remove the UDS path from *url and r->filename */
|
||||||
|
+ url_len = strlen(origin_url);
|
||||||
|
+ *url = apr_pstrmemdup(r->pool, origin_url, url_len);
|
||||||
|
+ memcpy(uds_url, *url, url_len + 1);
|
||||||
|
+
|
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
||||||
|
+ "*: rewrite of url due to UDS(%s): %s (%s)",
|
||||||
|
+ uds_path, *url, r->filename);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
|
||||||
|
@@ -2128,7 +2140,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
|
||||||
|
"%s: found worker %s for %s",
|
||||||
|
(*worker)->s->scheme, (*worker)->s->name, *url);
|
||||||
|
*balancer = NULL;
|
||||||
|
- fix_uds_filename(r, url);
|
||||||
|
+ if (!fix_uds_filename(r, url)) {
|
||||||
|
+ return HTTP_INTERNAL_SERVER_ERROR;
|
||||||
|
+ }
|
||||||
|
access_status = OK;
|
||||||
|
}
|
||||||
|
else if (r->proxyreq == PROXYREQ_PROXY) {
|
||||||
|
@@ -2159,7 +2173,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
|
||||||
|
* regarding the Connection header in the request.
|
||||||
|
*/
|
||||||
|
apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
|
||||||
|
- fix_uds_filename(r, url);
|
||||||
|
+ if (!fix_uds_filename(r, url)) {
|
||||||
|
+ return HTTP_INTERNAL_SERVER_ERROR;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
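Review bot: The rewritten `fix_uds_filename` drops the old `if (!r || !r->filename) return;` guard and evaluates `r->filename + 6` in the declaration, before the `strncmp(r->filename, "proxy:", 6)` test. A NULL `r->filename` would now reach `strncmp`, and for a filename shorter than six bytes the pointer arithmetic is already out of bounds even though the short-circuit prevents a read. The callers in `ap_proxy_pre_request` are only partly visible in these hunks, so if they guarantee a "proxy:"-prefixed filename, state that precondition in the function comment. Otherwise start the body with `if (!r->filename || strncmp(r->filename, "proxy:", 6)) return 1;` and assign `uds_url = r->filename + 6;` only after it.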
@ -14,7 +14,7 @@
|
|||||||
Summary: Apache HTTP Server
|
Summary: Apache HTTP Server
|
||||||
Name: httpd
|
Name: httpd
|
||||||
Version: 2.4.37
|
Version: 2.4.37
|
||||||
Release: 41%{?dist}
|
Release: 43%{?dist}
|
||||||
URL: https://httpd.apache.org/
|
URL: https://httpd.apache.org/
|
||||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||||
Source2: httpd.logrotate
|
Source2: httpd.logrotate
|
||||||
@ -193,6 +193,10 @@ Patch211: httpd-2.4.37-CVE-2020-11984.patch
|
|||||||
Patch212: httpd-2.4.37-CVE-2021-30641.patch
|
Patch212: httpd-2.4.37-CVE-2021-30641.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1968307
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1968307
|
||||||
Patch213: httpd-2.4.37-CVE-2021-26690.patch
|
Patch213: httpd-2.4.37-CVE-2021-26690.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2005117
|
||||||
|
Patch214: httpd-2.4.37-CVE-2021-40438.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1966732
|
||||||
|
Patch215: httpd-2.4.37-CVE-2021-26691.patch
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
@ -386,6 +390,8 @@ interface for storing and accessing per-user session data.
|
|||||||
%patch211 -p1 -b .CVE-2020-11984
|
%patch211 -p1 -b .CVE-2020-11984
|
||||||
%patch212 -p1 -b .CVE-2021-30641
|
%patch212 -p1 -b .CVE-2021-30641
|
||||||
%patch213 -p1 -b .CVE-2021-26690
|
%patch213 -p1 -b .CVE-2021-26690
|
||||||
|
%patch214 -p1 -b .CVE-2021-40438
|
||||||
|
%patch215 -p1 -b .CVE-2021-26691
|
||||||
|
|
||||||
# Patch in the vendor string
|
# Patch in the vendor string
|
||||||
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
|
||||||
@ -891,9 +897,19 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_rpmconfigdir}/macros.d/macros.httpd
|
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Sun Oct 10 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 2.4.37-41.alma
|
* Wed Oct 27 2021 Andrew Lukoshko <alukoshko@almalinux.org> - 2.4.37-43.alma
|
||||||
- include AlmaLinux in version string
|
- include AlmaLinux in version string
|
||||||
|
|
||||||
|
* Tue Oct 26 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-43
|
||||||
|
- Related: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
|
||||||
|
a crafted request uri-path
|
||||||
|
|
||||||
|
* Thu Sep 30 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-42
|
||||||
|
- Resolves: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via
|
||||||
|
a crafted request uri-path
|
||||||
|
- Resolves: #2014063 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in
|
||||||
|
mod_session
|
||||||
|
|
||||||
* Fri Jul 09 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-41
|
* Fri Jul 09 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-41
|
||||||
- Resolves: #1680111 - httpd sends reply to HTTPS GET using two TLS records
|
- Resolves: #1680111 - httpd sends reply to HTTPS GET using two TLS records
|
||||||
- Resolves: #1905613 - mod_ssl does not like valid certificate chain
|
- Resolves: #1905613 - mod_ssl does not like valid certificate chain
|
||||||
|