Compare commits
2 Commits
ff4c2c66c0
...
eea0259d74
Author | SHA1 | Date |
---|---|---|
Joe Orton | eea0259d74 | |
Joe Orton | 926baa67c3 |
|
@ -0,0 +1,3 @@
|
||||||
|
01044512374941fad939ec4b1537428cc7edc769 httpd-2.4.57.tar.bz2
|
||||||
|
5cac6152cf2f175cc35ca0cf9d00b797c949b273 httpd-2.4.57.tar.bz2.asc
|
||||||
|
b2457e3ce46a7634bf9272a92b4214974b9bc9e0 KEYS
|
|
@ -0,0 +1,39 @@
|
||||||
|
# ./pullrev.sh 1884505 1915625
|
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1884505
|
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1915625
|
||||||
|
|
||||||
|
--- httpd-2.4.57/modules/filters/mod_xml2enc.c
|
||||||
|
+++ httpd-2.4.57/modules/filters/mod_xml2enc.c
|
||||||
|
@@ -329,7 +329,7 @@
|
||||||
|
apr_bucket* bstart;
|
||||||
|
apr_size_t insz = 0;
|
||||||
|
int pending_meta = 0;
|
||||||
|
- char *ctype;
|
||||||
|
+ char *mtype;
|
||||||
|
char *p;
|
||||||
|
|
||||||
|
if (!ctx || !f->r->content_type) {
|
||||||
|
@@ -338,13 +338,17 @@
|
||||||
|
return ap_pass_brigade(f->next, bb) ;
|
||||||
|
}
|
||||||
|
|
||||||
|
- ctype = apr_pstrdup(f->r->pool, f->r->content_type);
|
||||||
|
- for (p = ctype; *p; ++p)
|
||||||
|
- if (isupper(*p))
|
||||||
|
- *p = tolower(*p);
|
||||||
|
+ /* Extract the media type, ignoring parameters in content-type. */
|
||||||
|
+ mtype = apr_pstrdup(f->r->pool, f->r->content_type);
|
||||||
|
+ if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0';
|
||||||
|
+ ap_str_tolower(mtype);
|
||||||
|
|
||||||
|
- /* only act if starts-with "text/" or contains "xml" */
|
||||||
|
- if (strncmp(ctype, "text/", 5) && !strstr(ctype, "xml")) {
|
||||||
|
+ /* Accept text/ types, plus any XML media type per RFC 7303. */
|
||||||
|
+ if (!(strncmp(mtype, "text/", 5) == 0
|
||||||
|
+ || strcmp(mtype, "application/xml") == 0
|
||||||
|
+ || (strlen(mtype) > 7 /* minimum 'a/b+xml' length */
|
||||||
|
+ && (p = strstr(mtype, "+xml")) != NULL
|
||||||
|
+ && strlen(p) == 4 /* ensures +xml is a suffix */))) {
|
||||||
|
ap_remove_output_filter(f);
|
||||||
|
return ap_pass_brigade(f->next, bb) ;
|
||||||
|
}
|
|
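Review bot: The `+xml` suffix test in the new condition looks only at the first occurrence of "+xml" (`strstr`) and requires `strlen(mtype) > 7`, although the inline comment gives 7 as the minimum length. As a result `a/b+xml` itself, and a constructed type such as `x/y+xml+xml`, are rejected even though both end in `+xml`. Comparing the tail directly is exact and shorter: `|| (strlen(mtype) >= 7 && strcmp(mtype + strlen(mtype) - 4, "+xml") == 0)`. Separately, cutting at `;` keeps any whitespace that preceded it, so a value like `application/xml ; charset=utf-8` fails the `strcmp` and the filter is removed; trimming trailing blanks after the cut would cover that case. The enclosing filter function starts and ends outside the hunks shown.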
@ -0,0 +1,91 @@
|
||||||
|
# ./pullrev.sh 1912081
|
||||||
|
http://svn.apache.org/viewvc?view=revision&revision=1912081
|
||||||
|
|
||||||
|
Upstream-Status: merged in 2.4.58
|
||||||
|
|
||||||
|
--- httpd-2.4.57/modules/dav/main/mod_dav.c
|
||||||
|
+++ httpd-2.4.57/modules/dav/main/mod_dav.c
|
||||||
|
@@ -81,6 +81,7 @@
|
||||||
|
const char *provider_name;
|
||||||
|
const dav_provider *provider;
|
||||||
|
const char *dir;
|
||||||
|
+ const char *base;
|
||||||
|
int locktimeout;
|
||||||
|
int allow_depthinfinity;
|
||||||
|
int allow_lockdiscovery;
|
||||||
|
@@ -196,6 +197,7 @@
|
||||||
|
|
||||||
|
newconf->locktimeout = DAV_INHERIT_VALUE(parent, child, locktimeout);
|
||||||
|
newconf->dir = DAV_INHERIT_VALUE(parent, child, dir);
|
||||||
|
+ newconf->base = DAV_INHERIT_VALUE(parent, child, base);
|
||||||
|
newconf->allow_depthinfinity = DAV_INHERIT_VALUE(parent, child,
|
||||||
|
allow_depthinfinity);
|
||||||
|
newconf->allow_lockdiscovery = DAV_INHERIT_VALUE(parent, child,
|
||||||
|
@@ -283,6 +285,18 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
+ * Command handler for the DAVBasePath directive, which is TAKE1
|
||||||
|
+ */
|
||||||
|
+static const char *dav_cmd_davbasepath(cmd_parms *cmd, void *config, const char *arg1)
|
||||||
|
+{
|
||||||
|
+ dav_dir_conf *conf = config;
|
||||||
|
+
|
||||||
|
+ conf->base = arg1;
|
||||||
|
+
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
* Command handler for the DAVDepthInfinity directive, which is FLAG.
|
||||||
|
*/
|
||||||
|
static const char *dav_cmd_davdepthinfinity(cmd_parms *cmd, void *config,
|
||||||
|
@@ -748,7 +762,7 @@
|
||||||
|
int use_checked_in, dav_resource **res_p)
|
||||||
|
{
|
||||||
|
dav_dir_conf *conf;
|
||||||
|
- const char *label = NULL;
|
||||||
|
+ const char *label = NULL, *base;
|
||||||
|
dav_error *err;
|
||||||
|
|
||||||
|
/* if the request target can be overridden, get any target selector */
|
||||||
|
@@ -765,11 +779,27 @@
|
||||||
|
ap_escape_html(r->pool, r->uri)));
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Take the repos root from DAVBasePath if configured, else the
|
||||||
|
+ * path of the enclosing section. */
|
||||||
|
+ base = conf->base ? conf->base : conf->dir;
|
||||||
|
+
|
||||||
|
/* resolve the resource */
|
||||||
|
- err = (*conf->provider->repos->get_resource)(r, conf->dir,
|
||||||
|
+ err = (*conf->provider->repos->get_resource)(r, base,
|
||||||
|
label, use_checked_in,
|
||||||
|
res_p);
|
||||||
|
if (err != NULL) {
|
||||||
|
+ /* In the error path, give a hint that DavBasePath needs to be
|
||||||
|
+ * used if the location was configured via a regex match. */
|
||||||
|
+ if (!conf->base) {
|
||||||
|
+ core_dir_config *cdc = ap_get_core_module_config(r->per_dir_config);
|
||||||
|
+
|
||||||
|
+ if (cdc->r) {
|
||||||
|
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(10484)
|
||||||
|
+ "failed to find repository for location configured "
|
||||||
|
+ "via regex match - missing DAVBasePath?");
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
err = dav_push_error(r->pool, err->status, 0,
|
||||||
|
"Could not fetch resource information.", err);
|
||||||
|
return err;
|
||||||
|
@@ -5164,6 +5194,10 @@
|
||||||
|
AP_INIT_TAKE1("DAV", dav_cmd_dav, NULL, ACCESS_CONF,
|
||||||
|
"specify the DAV provider for a directory or location"),
|
||||||
|
|
||||||
|
+ /* per directory/location */
|
||||||
|
+ AP_INIT_TAKE1("DAVBasePath", dav_cmd_davbasepath, NULL, ACCESS_CONF,
|
||||||
|
+ "specify the DAV repository base URL"),
|
||||||
|
+
|
||||||
|
/* per directory/location, or per server */
|
||||||
|
AP_INIT_TAKE1("DAVMinTimeout", dav_cmd_davmintimeout, NULL,
|
||||||
|
ACCESS_CONF|RSRC_CONF,
|
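Review bot: The new hint in the error path is logged with `ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, ...)`, so the line carries no server or request context even though `r` is in scope. `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10484) ...)` would tie the message to the virtual host and the client request that triggered it, which is what an operator needs when tracing a misconfigured regex location. `dav_cmd_davbasepath` also stores `arg1` unchecked. If the providers expect the base to be an absolute URL-path prefix of the request URI (not visible here), rejecting a value that does not start with `/` at configuration time would surface the mistake earlier than a failed lookup on every request. The function containing the `get_resource` call begins and ends outside the hunks shown.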
15
httpd.spec
15
httpd.spec
|
@ -13,7 +13,7 @@
|
||||||
Summary: Apache HTTP Server
|
Summary: Apache HTTP Server
|
||||||
Name: httpd
|
Name: httpd
|
||||||
Version: 2.4.57
|
Version: 2.4.57
|
||||||
Release: 7%{?dist}
|
Release: 8%{?dist}
|
||||||
URL: https://httpd.apache.org/
|
URL: https://httpd.apache.org/
|
||||||
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
|
||||||
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
|
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
|
||||||
|
@ -96,6 +96,8 @@ Patch50: httpd-2.4.57-r1825120.patch
|
||||||
Patch52: httpd-2.4.53-separate-systemd-fns.patch
|
Patch52: httpd-2.4.53-separate-systemd-fns.patch
|
||||||
# https://issues.redhat.com/browse/RHEL-5071
|
# https://issues.redhat.com/browse/RHEL-5071
|
||||||
Patch53: httpd-2.4.57-r1912477+.patch
|
Patch53: httpd-2.4.57-r1912477+.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-6600
|
||||||
|
Patch54: httpd-2.4.57-r1912081.patch
|
||||||
|
|
||||||
|
|
||||||
# Bug fixes
|
# Bug fixes
|
||||||
|
@ -118,7 +120,8 @@ Patch69: httpd-2.4.57-covscan.patch
|
||||||
Patch70: httpd-2.4.57-mod_status-duplicate-key.patch
|
Patch70: httpd-2.4.57-mod_status-duplicate-key.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2217726
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2217726
|
||||||
Patch71: httpd-2.4.57-davenoent.patch
|
Patch71: httpd-2.4.57-davenoent.patch
|
||||||
|
# https://issues.redhat.com/browse/RHEL-17686
|
||||||
|
Patch72: httpd-2.4.57-r1884505+.patch
|
||||||
|
|
||||||
# Security fixes
|
# Security fixes
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=...
|
# https://bugzilla.redhat.com/show_bug.cgi?id=...
|
||||||
|
@ -284,6 +287,7 @@ written in the Lua programming language.
|
||||||
%patch50 -p1 -b .r1825120
|
%patch50 -p1 -b .r1825120
|
||||||
%patch52 -p1 -b .separatesystemd
|
%patch52 -p1 -b .separatesystemd
|
||||||
%patch53 -p1 -b .r1912477+
|
%patch53 -p1 -b .r1912477+
|
||||||
|
%patch54 -p1 -b .r1912081
|
||||||
|
|
||||||
%patch60 -p1 -b .enable-sslv3
|
%patch60 -p1 -b .enable-sslv3
|
||||||
%patch61 -p1 -b .htcacheclean-dont-break
|
%patch61 -p1 -b .htcacheclean-dont-break
|
||||||
|
@ -295,6 +299,7 @@ written in the Lua programming language.
|
||||||
%patch69 -p1 -b .covstan
|
%patch69 -p1 -b .covstan
|
||||||
%patch70 -p1 -b .duplicate-key
|
%patch70 -p1 -b .duplicate-key
|
||||||
%patch71 -p1 -b .davenoent
|
%patch71 -p1 -b .davenoent
|
||||||
|
%patch72 -p1 -b .r1884505+
|
||||||
|
|
||||||
%patch200 -p1 -b .CVE-2023-31122
|
%patch200 -p1 -b .CVE-2023-31122
|
||||||
|
|
||||||
|
@ -857,6 +862,12 @@ exit $rv
|
||||||
%{_rpmconfigdir}/macros.d/macros.httpd
|
%{_rpmconfigdir}/macros.d/macros.httpd
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Feb 7 2024 Joe Orton <jorton@redhat.com> - 2.4.57-8
|
||||||
|
- mod_xml2enc: fix media type handling
|
||||||
|
Resolves: RHEL-17686
|
||||||
|
- mod_dav: add DavBasePath
|
||||||
|
Resolves: RHEL-6600
|
||||||
|
|
||||||
* Mon Feb 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-7
|
* Mon Feb 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-7
|
||||||
- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
|
- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
|
||||||
vulnerability (CVE-2023-31122)
|
vulnerability (CVE-2023-31122)
|
||||||
|
|