Resolves: #2097032 - CVE-2022-28615 httpd: out-of-bounds read in

ap_strcmp_match()

- uncomment previous security patch200 - it was commented out by mistake

httpd-2.4.53-CVE-2022-28615.patch

@@ -0,0 +1,22 @@
+diff --git a/server/util.c b/server/util.c
+index 604be1a..6808164 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -185,7 +185,7 @@ AP_DECLARE(char *) ap_ht_time(apr_pool_t *p, apr_time_t t, const char *fmt,
+  */
+ AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected)
+ {
+-    int x, y;
++    apr_size_t x, y;
+ 
+     for (x = 0, y = 0; expected[y]; ++y, ++x) {
+         if (expected[y] == '*') {
+@@ -209,7 +209,7 @@ AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected)
+ 
+ AP_DECLARE(int) ap_strcasecmp_match(const char *str, const char *expected)
+ {
+-    int x, y;
++    apr_size_t x, y;
+ 
+     for (x = 0, y = 0; expected[y]; ++y, ++x) {
+         if (!str[x] && expected[y] != '*')

httpd.spec

@@ -118,6 +118,8 @@ Patch68: httpd-2.4.53-r1878890.patch
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=2094997
 Patch200: httpd-2.4.53-CVE-2022-26377.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2095006
+Patch201: httpd-2.4.53-CVE-2022-28615.patch
 
 License: ASL 2.0
 BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@@ -285,7 +287,8 @@ written in the Lua programming language.
 %patch67 -p1 -b .r1811831
 %patch68 -p1 -b .r1878890
 
-##patch200 -p1 -b .CVE-2022-26377
+%patch200 -p1 -b .CVE-2022-26377
+%patch201 -p1 -b .CVE-2022-28615
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -848,6 +851,8 @@ exit $rv
 * Wed Jul 20 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-7
 - Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request
   smuggling
+- Resolves: #2097032 - CVE-2022-28615 httpd: out-of-bounds read in 
+  ap_strcmp_match()
 
 * Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
 - Related: #2065677 - httpd minimisation for ubi-micro