diff --git a/httpd-2.4.53-CVE-2022-28615.patch b/httpd-2.4.53-CVE-2022-28615.patch
new file mode 100644
index 0000000..75a3d0f
--- /dev/null
+++ b/httpd-2.4.53-CVE-2022-28615.patch
@@ -0,0 +1,22 @@
+diff --git a/server/util.c b/server/util.c
+index 604be1a..6808164 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -185,7 +185,7 @@ AP_DECLARE(char *) ap_ht_time(apr_pool_t *p, apr_time_t t, const char *fmt,
+ */
+ AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected)
+ {
+- int x, y;
++ apr_size_t x, y;
+
+ for (x = 0, y = 0; expected[y]; ++y, ++x) {
+ if (expected[y] == '*') {
+@@ -209,7 +209,7 @@ AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected)
+
+ AP_DECLARE(int) ap_strcasecmp_match(const char *str, const char *expected)
+ {
+- int x, y;
++ apr_size_t x, y;
+
+ for (x = 0, y = 0; expected[y]; ++y, ++x) {
+ if (!str[x] && expected[y] != '*')
diff --git a/httpd.spec b/httpd.spec
index 080ee35..c937067 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -118,6 +118,8 @@ Patch68: httpd-2.4.53-r1878890.patch
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=2094997
 Patch200: httpd-2.4.53-CVE-2022-26377.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2095006
+Patch201: httpd-2.4.53-CVE-2022-28615.patch
 
 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@@ -285,7 +287,8 @@ written in the Lua programming language.
 %patch67 -p1 -b .r1811831
 %patch68 -p1 -b .r1878890
-##patch200 -p1 -b .CVE-2022-26377
+%patch200 -p1 -b .CVE-2022-26377
+%patch201 -p1 -b .CVE-2022-28615
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -848,6 +851,8 @@ exit $rv
 * Wed Jul 20 2022 Luboš Uhliarik - 2.4.53-7
 - Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling
+- Resolves: #2097032 - CVE-2022-28615 httpd: out-of-bounds read in
+  ap_strcmp_match()
 
 * Mon Jun 27 2022 Luboš Uhliarik - 2.4.53-6
 - Related: #2065677 - httpd minimisation for ubi-micro
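Review bot: The new patch file carries no provenance header, so a later rebase cannot tell which upstream httpd revision the two `int x, y;` → `apr_size_t x, y;` changes in `ap_strcmp_match()` and `ap_strcasecmp_match()` were taken from; the sibling patches are named by revision (`httpd-2.4.53-r1878890.patch`), so add a leading comment block to the patch such as `CVE-2022-28615: backport of upstream <UPSTREAM_REVISION_PLACEHOLDER>; widens the string indices so the loop can no longer overflow a signed int`. The widening itself is the whole fix: with `int`, an index that passes INT_MAX is signed overflow and a subsequent negative index reads before the buffer, which is the out-of-bounds read the changelog names; with `apr_size_t` the indices stay non-negative and the loop is bounded only by the NUL terminators of `str` and `expected`. Both function bodies continue past the hunk, so any remaining signed comparison on `x`/`y` there (which would now be always-false) should be checked when applying the patch.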
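Review bot: The Bugzilla id in the new `Patch201` comment (`# https://bugzilla.redhat.com/show_bug.cgi?id=2095006`) does not match the one in the changelog entry added at the `@@ -848,6 +851,8 @@` hunk (`- Resolves: #2097032 - CVE-2022-28615 ...`). This may be intentional if one is the tracking bug and the other the errata clone, but the existing `Patch200` pair uses the same id (`2094997`) in both places, so confirm which id is correct and make the two agree, e.g. `# https://bugzilla.redhat.com/show_bug.cgi?id=2097032`.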
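Review bot: Turning `##patch200 -p1 -b .CVE-2022-26377` into `%patch200 -p1 -b .CVE-2022-26377` means the CVE-2022-26377 fix was declared but never applied in the previous spec, even though the existing `2.4.53-7` changelog entry already claims to resolve it; if `2.4.53-7` was built from that spec, the shipped build did not contain the fix. In that case bump `Release` and add a new changelog entry for both CVEs rather than amending the `2.4.53-7` entry as the `@@ -848,6 +851,8 @@` hunk does; the `Release` tag is outside the hunks shown, so whether it was bumped cannot be confirmed here.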