Address CVE-2017-9798 by applying upstream patch

Reference RHBZ #1490344
This commit is contained in:
Jeroen van Meeuwen (Ergo Project) 2017-09-21 19:28:15 +02:00
parent b022e3b523
commit fd03d5ee37
2 changed files with 23 additions and 3 deletions

View File

@ -0,0 +1,15 @@
--- httpd/httpd/branches/2.4.x/server/core.c 2017/08/16 16:50:29 1805223
+++ httpd/httpd/branches/2.4.x/server/core.c 2017/09/08 13:13:11 1807754
@@ -2266,6 +2266,12 @@
/* method has not been registered yet, but resource restriction
* is always checked before method handling, so register it.
*/
+ if (cmd->pool == cmd->temp_pool) {
+ /* In .htaccess, we can't globally register new methods. */
+ return apr_psprintf(cmd->pool, "Could not register method '%s' "
+ "for %s from .htaccess configuration",
+ method, cmd->cmd->name);
+ }
methnum = ap_method_register(cmd->pool,
apr_pstrdup(cmd->pool, method));
}

View File

@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.27
Release: 7%{?dist}
Release: 8%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: index.html
@ -72,7 +72,8 @@ Patch56: httpd-2.4.4-mod_unique_id.patch
Patch57: httpd-2.4.10-sigint.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch58: httpd-2.4.25-r1738878.patch
Patch59: httpd-2.4.27-r1808230.patch
Patch59: httpd-2.4.27-CVE-2017-9798.patch
Patch60: httpd-2.4.27-r1808230.patch
# Security fixes
License: ASL 2.0
@ -219,7 +220,8 @@ interface for storing and accessing per-user session data.
%patch56 -p1 -b .uniqueid
%patch57 -p1 -b .sigint
%patch58 -p1 -b .r1738878
%patch59 -p1 -b .r1808230
%patch59 -p4 -b .cve-2017-9798
%patch60 -p1 -b .r1808230
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -705,6 +707,9 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Thu Sep 21 2017 Jeroen van Meeuwen <kanarip@fedoraproject.org> - 2.4.27-8
- Address CVE-2017-9798 by applying patch from upstream (#1490344)
* Wed Sep 13 2017 Joe Orton <jorton@redhat.com> - 2.4.27-7
- add new content-length filter (upstream PR 61222)