import UBI httpd-2.4.37-65.module+el8.10.0+23369+11a81384.5

SOURCES/httpd-2.4.37-CVE-2024-47252.patch

@@ -0,0 +1,44 @@
+From c01e60707048be14a510f0a92128a5227923215c Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 7 Jul 2025 12:03:42 +0000
+Subject: [PATCH] backport 1927034 from trunk
+
+  escape ssl vars
+
+Reviewed By: rpluem, jorton, covener, ylavic
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927042 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_vars.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
+index 5724f18..0ddf9f7 100644
+--- a/modules/ssl/ssl_engine_vars.c
++++ b/modules/ssl/ssl_engine_vars.c
+@@ -1230,8 +1230,9 @@ static const char *ssl_var_log_handler_c(request_rec *r, char *a)
+         result = "-";
+     else if (strEQ(a, "errstr"))
+         result = (char *)sslconn->verify_error;
+-    if (result != NULL && result[0] == NUL)
+-        result = NULL;
++    if (result) {
++        result = *result ? ap_escape_logitem(r->pool, result) : NULL;
++    }
+     return result;
+ }
+ 
+@@ -1244,8 +1245,9 @@ static const char *ssl_var_log_handler_x(request_rec *r, char *a)
+     char *result;
+ 
+     result = ssl_var_lookup(r->pool, r->server, r->connection, r, a);
+-    if (result != NULL && result[0] == NUL)
+-        result = NULL;
++    if (result) {
++        result = *result ? ap_escape_logitem(r->pool, result) : NULL;
++    }
+     return result;
+ }
+ 

SOURCES/httpd-2.4.37-CVE-2025-23048.patch

@@ -0,0 +1,56 @@
+From d76573e7608cbdeab6c6a658c427d900917bf955 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 7 Jul 2025 11:51:57 +0000
+Subject: [PATCH] update SNI validation
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927035 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_kernel.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 9c51021..d912a87 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -371,19 +371,6 @@ int ssl_hook_ReadReq(request_rec *r)
+                             " provided in HTTP request", servername);
+                 return HTTP_BAD_REQUEST;
+             }
+-            if (r->server != handshakeserver 
+-                && !ssl_server_compatible(sslconn->server, r->server)) {
+-                /* 
+-                 * The request does not select the virtual host that was
+-                 * selected by the SNI and its SSL parameters are different
+-                 */
+-                
+-                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
+-                             "Hostname %s provided via SNI and hostname %s provided"
+-                             " via HTTP have no compatible SSL setup",
+-                             servername, r->hostname);
+-                return HTTP_MISDIRECTED_REQUEST;
+-            }
+         }
+         else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
+                   || hssc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
+@@ -404,6 +391,21 @@ int ssl_hook_ReadReq(request_rec *r)
+                            "which is required to access this server.<br />\n");
+             return HTTP_FORBIDDEN;
+         }
++        if (r->server != handshakeserver
++            && !ssl_server_compatible(sslconn->server, r->server)) {
++            /*
++             * The request does not select the virtual host that was
++             * selected for handshaking and its SSL parameters are different
++             */
++
++            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
++                         "Hostname %s %s and hostname %s provided"
++                         " via HTTP have no compatible SSL setup",
++                         servername ? servername : handshakeserver->server_hostname,
++                         servername ? "provided via SNI" : "(default host as no SNI was provided)",
++                         r->hostname);
++            return HTTP_MISDIRECTED_REQUEST;
++        }
+     }
+ #endif
+     modssl_set_app_data2(ssl, r);

SOURCES/httpd-2.4.37-CVE-2025-49812.patch

@@ -0,0 +1,238 @@
+From 87a7351c755c9ef8ab386e3090e44838c2a06d48 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Mon, 7 Jul 2025 12:09:30 +0000
+Subject: [PATCH] backport 1927037 from trunk
+
+  remove antiquated 'SSLEngine optional' TLS upgrade
+
+Reviewed By: rpluem, jorton, covener
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927045 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_config.c |  6 ++-
+ modules/ssl/ssl_engine_init.c   |  6 +--
+ modules/ssl/ssl_engine_kernel.c | 86 ---------------------------------
+ modules/ssl/ssl_private.h       |  1 -
+ 4 files changed, 7 insertions(+), 92 deletions(-)
+
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index b50c259..b5f8bdf 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -617,7 +617,7 @@ static const char *ssl_hook_http_scheme(const request_rec *r)
+ {
+     SSLSrvConfigRec *sc = mySrvConfig(r->server);
+ 
+-    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
++    if (sc->enabled == SSL_ENABLED_FALSE) {
+         return NULL;
+     }
+ 
+@@ -628,7 +628,7 @@ static apr_port_t ssl_hook_default_port(const request_rec *r)
+ {
+     SSLSrvConfigRec *sc = mySrvConfig(r->server);
+ 
+-    if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
++    if (sc->enabled == SSL_ENABLED_FALSE) {
+         return 0;
+     }
+ 
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index ca5f702..7b3e212 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -739,11 +739,13 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
+         return NULL;
+     }
+     else if (!strcasecmp(arg, "Optional")) {
+-        sc->enabled = SSL_ENABLED_OPTIONAL;
++        sc->enabled = SSL_ENABLED_FALSE;
++        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server, APLOGNO(10510)
++                     "'SSLEngine optional' is no longer supported");
+         return NULL;
+     }
+ 
+-    return "Argument must be On, Off, or Optional";
++    return "Argument must be On or Off";
+ }
+ 
+ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index e4f5fc8..ce8cb3a 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -410,7 +410,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+                                                     &ssl_module);
+ 
+         sc = mySrvConfig(s);
+-        if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) {
++        if (sc->enabled == SSL_ENABLED_TRUE) {
+             if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) {
+                 return rv;
+             }
+@@ -2016,9 +2016,9 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
+                                                 &ssl_module);
+     apr_status_t rv;
+ 
+-    /* Initialize the server if SSL is enabled or optional.
++    /* Initialize the server if SSL is enabled.
+      */
+-    if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) {
++    if (sc->enabled == SSL_ENABLED_TRUE) {
+         ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914)
+                      "Configuring server %s for SSL protocol", sc->vhost_id);
+         if ((rv = ssl_init_server_ctx(s, p, ptemp, sc, pphrases))
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 40acb04..c13e86c 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -38,59 +38,6 @@ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
+ #endif
+ 
+-#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
+-#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
+-#define CONNECTION_HEADER "Connection: Upgrade"
+-
+-/* Perform an upgrade-to-TLS for the given request, per RFC 2817. */
+-static apr_status_t upgrade_connection(request_rec *r)
+-{
+-    struct conn_rec *conn = r->connection;
+-    apr_bucket_brigade *bb;
+-    SSLConnRec *sslconn;
+-    apr_status_t rv;
+-    SSL *ssl;
+-
+-    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02028)
+-                  "upgrading connection to TLS");
+-
+-    bb = apr_brigade_create(r->pool, conn->bucket_alloc);
+-
+-    rv = ap_fputs(conn->output_filters, bb, SWITCH_STATUS_LINE CRLF
+-                  UPGRADE_HEADER CRLF CONNECTION_HEADER CRLF CRLF);
+-    if (rv == APR_SUCCESS) {
+-        APR_BRIGADE_INSERT_TAIL(bb,
+-                                apr_bucket_flush_create(conn->bucket_alloc));
+-        rv = ap_pass_brigade(conn->output_filters, bb);
+-    }
+-
+-    if (rv) {
+-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02029)
+-                      "failed to send 101 interim response for connection "
+-                      "upgrade");
+-        return rv;
+-    }
+-
+-    ssl_init_ssl_connection(conn, r);
+-
+-    sslconn = myConnConfig(conn);
+-    ssl = sslconn->ssl;
+-
+-    /* Perform initial SSL handshake. */
+-    SSL_set_accept_state(ssl);
+-    SSL_do_handshake(ssl);
+-
+-    if (!SSL_is_init_finished(ssl)) {
+-        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
+-                      "TLS upgrade handshake failed");
+-        ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+-
+-        return APR_ECONNABORTED;
+-    }
+-
+-    return APR_SUCCESS;
+-}
+-
+ /* Perform a speculative (and non-blocking) read from the connection
+  * filters for the given request, to determine whether there is any
+  * pending data to read.  Return non-zero if there is, else zero. */
+@@ -270,40 +217,17 @@ int ssl_hook_ReadReq(request_rec *r)
+ {
+     SSLSrvConfigRec *sc = mySrvConfig(r->server);
+     SSLConnRec *sslconn;
+-    const char *upgrade;
+ #ifdef HAVE_TLSEXT
+     const char *servername;
+ #endif
+     SSL *ssl;
+ 
+-    /* Perform TLS upgrade here if "SSLEngine optional" is configured,
+-     * SSL is not already set up for this connection, and the client
+-     * has sent a suitable Upgrade header. */
+-    if (sc->enabled == SSL_ENABLED_OPTIONAL && !myConnConfig(r->connection)
+-        && (upgrade = apr_table_get(r->headers_in, "Upgrade")) != NULL
+-        && ap_find_token(r->pool, upgrade, "TLS/1.0")) {
+-        if (upgrade_connection(r)) {
+-            return AP_FILTER_ERROR;
+-        }
+-    }
+-
+     /* If we are on a slave connection, we do not expect to have an SSLConnRec,
+      * but our master connection might. */
+     sslconn = myConnConfig(r->connection);
+     if (!(sslconn && sslconn->ssl) && r->connection->master) {
+         sslconn = myConnConfig(r->connection->master);
+     }
+-    
+-    /* If "SSLEngine optional" is configured, this is not an SSL
+-     * connection, and this isn't a subrequest, send an Upgrade
+-     * response header.  Note this must happen before map_to_storage
+-     * and OPTIONS * request processing is completed.
+-     */
+-    if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl)
+-        && !r->main) {
+-        apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
+-        apr_table_mergen(r->headers_out, "Connection", "upgrade");
+-    }
+ 
+     if (!sslconn) {
+         return DECLINED;
+@@ -1239,16 +1163,6 @@ int ssl_hook_Access(request_rec *r)
+      * Support for SSLRequireSSL directive
+      */
+     if (dc->bSSLRequired && !ssl) {
+-        if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !r->connection->master) {
+-            /* This vhost was configured for optional SSL, just tell the
+-             * client that we need to upgrade.
+-             */
+-            apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
+-            apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
+-
+-            return HTTP_UPGRADE_REQUIRED;
+-        }
+-
+         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
+                       "access to %s failed, reason: %s",
+                       r->filename, "SSL connection required");
+@@ -1421,7 +1335,7 @@ int ssl_hook_UserCheck(request_rec *r)
+      * - ssl not enabled
+      * - client did not present a certificate
+      */
+-    if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL)
++    if (!((sc->enabled == SSL_ENABLED_TRUE)
+           && sslconn && sslconn->ssl && sslconn->client_cert) ||
+         !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user)
+     {
+@@ -1543,7 +1457,7 @@ int ssl_hook_Fixup(request_rec *r)
+     /*
+      * Check to see if SSL is on
+      */
+-    if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) {
++    if (!((sc->enabled == SSL_ENABLED_TRUE) && sslconn && (ssl = sslconn->ssl))) {
+         return DECLINED;
+     }
+ 
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index f8a1db7..2f8d4d3 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -468,7 +468,6 @@ typedef enum {
+     SSL_ENABLED_UNSET    = UNSET,
+     SSL_ENABLED_FALSE    = 0,
+     SSL_ENABLED_TRUE     = 1,
+-    SSL_ENABLED_OPTIONAL = 3
+ } ssl_enabled_t;
+ 
+ /**

SOURCES/httpd-2.4.37-r1855391.patch

@@ -0,0 +1,48 @@
+diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
+index 27c44b2..bfa8952 100644
+--- a/modules/http/http_filters.c
++++ b/modules/http/http_filters.c
+@@ -1290,6 +1290,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+     request_rec *r = f->r;
+     conn_rec *c = r->connection;
+     const char *clheader;
++    int header_only = (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status));
+     const char *protocol = NULL;
+     apr_bucket *e;
+     apr_bucket_brigade *b2;
+@@ -1307,7 +1308,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+     }
+     else if (ctx->headers_sent) {
+         /* Eat body if response must not have one. */
+-        if (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status)) {
++        if (header_only) {
+             /* Still next filters may be waiting for EOS, so pass it (alone)
+              * when encountered and be done with this filter.
+              */
+@@ -1526,14 +1527,21 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+ 
+     terminate_header(b2);
+ 
+-    rv = ap_pass_brigade(f->next, b2);
+-    if (rv != APR_SUCCESS) {
+-        goto out;
++    if (header_only) {
++        e = APR_BRIGADE_LAST(b);
++        if (e != APR_BRIGADE_SENTINEL(b) && APR_BUCKET_IS_EOS(e)) {
++            APR_BUCKET_REMOVE(e);
++            APR_BRIGADE_INSERT_TAIL(b2, e);
++            ap_remove_output_filter(f);
++        }
++        apr_brigade_cleanup(b);
+     }
++
++    rv = ap_pass_brigade(f->next, b2);
++    apr_brigade_cleanup(b2);
+     ctx->headers_sent = 1;
+ 
+-    if (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status)) {
+-        apr_brigade_cleanup(b);
++    if (rv != APR_SUCCESS || header_only) {
+         goto out;
+     }
+ 

SPECS/httpd.spec

@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 65%{?dist}.3
+Release: 65%{?dist}.5
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@@ -175,6 +175,8 @@ Patch94: httpd-2.4.57-r1884505+.patch
 Patch95: httpd-2.4.37-r1919325.patch
 # https://issues.redhat.com/browse/RHEL-56068
 Patch96: httpd-2.4.37-r1922080.patch
+# https://issues.redhat.com/browse/RHEL-87641
+Patch97: httpd-2.4.37-r1855391.patch
 
 # Security fixes
 Patch200: httpd-2.4.37-r1851471.patch
@@ -279,6 +281,12 @@ Patch246: httpd-2.4.37-CVE-2024-38476.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2297362
 # https://bugzilla.redhat.com/show_bug.cgi?id=2295761
 Patch247: httpd-2.4.37-CVE-2024-39884+.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2374576
+Patch248: httpd-2.4.37-CVE-2025-23048.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2374571
+Patch249: httpd-2.4.37-CVE-2024-47252.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2374580
+Patch250: httpd-2.4.37-CVE-2025-49812.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -463,6 +471,7 @@ interface for storing and accessing per-user session data.
 %patch92 -p1 -b .mod_status-dupl
 %patch93 -p1 -b .r1885607
 %patch94 -p1 -b .r1884505+
+%patch97 -p1 -b .r1855391
 
 %patch200 -p1 -b .r1851471
 %patch201 -p1 -b .CVE-2019-0211
@@ -515,6 +524,9 @@ interface for storing and accessing per-user session data.
 %patch95 -p1 -b .r1919325
 %patch246 -p1 -b .CVE-2024-38476
 %patch247 -p1 -b .CVE-2024-39884+
+%patch248 -p1 -b .CVE-2025-23048
+%patch249 -p1 -b .CVE-2024-47252
+%patch250 -p1 -b .CVE-2025-49812
 
 %patch96 -p1 -b .r1922080
 
@@ -1022,6 +1034,16 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Mon Jul 28 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.5
+- Resolves: RHEL-99944 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade
+- Resolves: RHEL-99969 - CVE-2024-47252 httpd: insufficient escaping of
+  user-supplied data in mod_ssl
+- Resolves: RHEL-99961 - CVE-2025-23048 httpd: access control bypass by trusted
+  clients is possible using TLS 1.3 session resumption
+
+* Tue Apr 22 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.4
+- Resolves: RHEL-87641 - apache Bug 63192 - mod_ratelimit breaks HEAD requests
+
 * Wed Jan 29 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-65.3
 - Resolves: RHEL-56068 - Apache HTTPD no longer parse PHP files with
   unicode characters in the name