Compare commits
2 Commits
ff4c2c66c0
...
eea0259d74
Author | SHA1 | Date |
---|---|---|
Joe Orton | eea0259d74 | |
Joe Orton | 926baa67c3 |
|
@ -0,0 +1,3 @@
|
|||
01044512374941fad939ec4b1537428cc7edc769 httpd-2.4.57.tar.bz2
|
||||
5cac6152cf2f175cc35ca0cf9d00b797c949b273 httpd-2.4.57.tar.bz2.asc
|
||||
b2457e3ce46a7634bf9272a92b4214974b9bc9e0 KEYS
|
|
@ -0,0 +1,39 @@
|
|||
# ./pullrev.sh 1884505 1915625
|
||||
http://svn.apache.org/viewvc?view=revision&revision=1884505
|
||||
http://svn.apache.org/viewvc?view=revision&revision=1915625
|
||||
|
||||
--- httpd-2.4.57/modules/filters/mod_xml2enc.c
|
||||
+++ httpd-2.4.57/modules/filters/mod_xml2enc.c
|
||||
@@ -329,7 +329,7 @@
|
||||
apr_bucket* bstart;
|
||||
apr_size_t insz = 0;
|
||||
int pending_meta = 0;
|
||||
- char *ctype;
|
||||
+ char *mtype;
|
||||
char *p;
|
||||
|
||||
if (!ctx || !f->r->content_type) {
|
||||
@@ -338,13 +338,17 @@
|
||||
return ap_pass_brigade(f->next, bb) ;
|
||||
}
|
||||
|
||||
- ctype = apr_pstrdup(f->r->pool, f->r->content_type);
|
||||
- for (p = ctype; *p; ++p)
|
||||
- if (isupper(*p))
|
||||
- *p = tolower(*p);
|
||||
+ /* Extract the media type, ignoring parameters in content-type. */
|
||||
+ mtype = apr_pstrdup(f->r->pool, f->r->content_type);
|
||||
+ if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0';
|
||||
+ ap_str_tolower(mtype);
|
||||
|
||||
- /* only act if starts-with "text/" or contains "xml" */
|
||||
- if (strncmp(ctype, "text/", 5) && !strstr(ctype, "xml")) {
|
||||
+ /* Accept text/ types, plus any XML media type per RFC 7303. */
|
||||
+ if (!(strncmp(mtype, "text/", 5) == 0
|
||||
+ || strcmp(mtype, "application/xml") == 0
|
||||
+ || (strlen(mtype) > 7 /* minimum 'a/b+xml' length */
|
||||
+ && (p = strstr(mtype, "+xml")) != NULL
|
||||
+ && strlen(p) == 4 /* ensures +xml is a suffix */))) {
|
||||
ap_remove_output_filter(f);
|
||||
return ap_pass_brigade(f->next, bb) ;
|
||||
}
|
|
@ -0,0 +1,91 @@
|
|||
# ./pullrev.sh 1912081
|
||||
http://svn.apache.org/viewvc?view=revision&revision=1912081
|
||||
|
||||
Upstream-Status: merged in 2.4.58
|
||||
|
||||
--- httpd-2.4.57/modules/dav/main/mod_dav.c
|
||||
+++ httpd-2.4.57/modules/dav/main/mod_dav.c
|
||||
@@ -81,6 +81,7 @@
|
||||
const char *provider_name;
|
||||
const dav_provider *provider;
|
||||
const char *dir;
|
||||
+ const char *base;
|
||||
int locktimeout;
|
||||
int allow_depthinfinity;
|
||||
int allow_lockdiscovery;
|
||||
@@ -196,6 +197,7 @@
|
||||
|
||||
newconf->locktimeout = DAV_INHERIT_VALUE(parent, child, locktimeout);
|
||||
newconf->dir = DAV_INHERIT_VALUE(parent, child, dir);
|
||||
+ newconf->base = DAV_INHERIT_VALUE(parent, child, base);
|
||||
newconf->allow_depthinfinity = DAV_INHERIT_VALUE(parent, child,
|
||||
allow_depthinfinity);
|
||||
newconf->allow_lockdiscovery = DAV_INHERIT_VALUE(parent, child,
|
||||
@@ -283,6 +285,18 @@
|
||||
}
|
||||
|
||||
/*
|
||||
+ * Command handler for the DAVBasePath directive, which is TAKE1
|
||||
+ */
|
||||
+static const char *dav_cmd_davbasepath(cmd_parms *cmd, void *config, const char *arg1)
|
||||
+{
|
||||
+ dav_dir_conf *conf = config;
|
||||
+
|
||||
+ conf->base = arg1;
|
||||
+
|
||||
+ return NULL;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
* Command handler for the DAVDepthInfinity directive, which is FLAG.
|
||||
*/
|
||||
static const char *dav_cmd_davdepthinfinity(cmd_parms *cmd, void *config,
|
||||
@@ -748,7 +762,7 @@
|
||||
int use_checked_in, dav_resource **res_p)
|
||||
{
|
||||
dav_dir_conf *conf;
|
||||
- const char *label = NULL;
|
||||
+ const char *label = NULL, *base;
|
||||
dav_error *err;
|
||||
|
||||
/* if the request target can be overridden, get any target selector */
|
||||
@@ -765,11 +779,27 @@
|
||||
ap_escape_html(r->pool, r->uri)));
|
||||
}
|
||||
|
||||
+ /* Take the repos root from DAVBasePath if configured, else the
|
||||
+ * path of the enclosing section. */
|
||||
+ base = conf->base ? conf->base : conf->dir;
|
||||
+
|
||||
/* resolve the resource */
|
||||
- err = (*conf->provider->repos->get_resource)(r, conf->dir,
|
||||
+ err = (*conf->provider->repos->get_resource)(r, base,
|
||||
label, use_checked_in,
|
||||
res_p);
|
||||
if (err != NULL) {
|
||||
+ /* In the error path, give a hint that DavBasePath needs to be
|
||||
+ * used if the location was configured via a regex match. */
|
||||
+ if (!conf->base) {
|
||||
+ core_dir_config *cdc = ap_get_core_module_config(r->per_dir_config);
|
||||
+
|
||||
+ if (cdc->r) {
|
||||
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(10484)
|
||||
+ "failed to find repository for location configured "
|
||||
+ "via regex match - missing DAVBasePath?");
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
err = dav_push_error(r->pool, err->status, 0,
|
||||
"Could not fetch resource information.", err);
|
||||
return err;
|
||||
@@ -5164,6 +5194,10 @@
|
||||
AP_INIT_TAKE1("DAV", dav_cmd_dav, NULL, ACCESS_CONF,
|
||||
"specify the DAV provider for a directory or location"),
|
||||
|
||||
+ /* per directory/location */
|
||||
+ AP_INIT_TAKE1("DAVBasePath", dav_cmd_davbasepath, NULL, ACCESS_CONF,
|
||||
+ "specify the DAV repository base URL"),
|
||||
+
|
||||
/* per directory/location, or per server */
|
||||
AP_INIT_TAKE1("DAVMinTimeout", dav_cmd_davmintimeout, NULL,
|
||||
ACCESS_CONF|RSRC_CONF,
|
15
httpd.spec
15
httpd.spec
|
@ -13,7 +13,7 @@
|
|||
Summary: Apache HTTP Server
|
||||
Name: httpd
|
||||
Version: 2.4.57
|
||||
Release: 7%{?dist}
|
||||
Release: 8%{?dist}
|
||||
URL: https://httpd.apache.org/
|
||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
|
||||
|
@ -96,6 +96,8 @@ Patch50: httpd-2.4.57-r1825120.patch
|
|||
Patch52: httpd-2.4.53-separate-systemd-fns.patch
|
||||
# https://issues.redhat.com/browse/RHEL-5071
|
||||
Patch53: httpd-2.4.57-r1912477+.patch
|
||||
# https://issues.redhat.com/browse/RHEL-6600
|
||||
Patch54: httpd-2.4.57-r1912081.patch
|
||||
|
||||
|
||||
# Bug fixes
|
||||
|
@ -118,7 +120,8 @@ Patch69: httpd-2.4.57-covscan.patch
|
|||
Patch70: httpd-2.4.57-mod_status-duplicate-key.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2217726
|
||||
Patch71: httpd-2.4.57-davenoent.patch
|
||||
|
||||
# https://issues.redhat.com/browse/RHEL-17686
|
||||
Patch72: httpd-2.4.57-r1884505+.patch
|
||||
|
||||
# Security fixes
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=...
|
||||
|
@ -284,6 +287,7 @@ written in the Lua programming language.
|
|||
%patch50 -p1 -b .r1825120
|
||||
%patch52 -p1 -b .separatesystemd
|
||||
%patch53 -p1 -b .r1912477+
|
||||
%patch54 -p1 -b .r1912081
|
||||
|
||||
%patch60 -p1 -b .enable-sslv3
|
||||
%patch61 -p1 -b .htcacheclean-dont-break
|
||||
|
@ -295,6 +299,7 @@ written in the Lua programming language.
|
|||
%patch69 -p1 -b .covstan
|
||||
%patch70 -p1 -b .duplicate-key
|
||||
%patch71 -p1 -b .davenoent
|
||||
%patch72 -p1 -b .r1884505+
|
||||
|
||||
%patch200 -p1 -b .CVE-2023-31122
|
||||
|
||||
|
@ -857,6 +862,12 @@ exit $rv
|
|||
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||
|
||||
%changelog
|
||||
* Wed Feb 7 2024 Joe Orton <jorton@redhat.com> - 2.4.57-8
|
||||
- mod_xml2enc: fix media type handling
|
||||
Resolves: RHEL-17686
|
||||
- mod_dav: add DavBasePath
|
||||
Resolves: RHEL-6600
|
||||
|
||||
* Mon Feb 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-7
|
||||
- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
|
||||
vulnerability (CVE-2023-31122)
|
||||
|
|
Loading…
Reference in New Issue