Fix for CVE-2024-27316
parent
f716275667
commit
02c9d0f5d9
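--- a/SOURCES/mod_http2-1.15.7-CVE-2024-27316.patch
+++ b/SOURCES/mod_http2-1.15.7-CVE-2024-27316.patch
@@ -0,0 +1,55 @@
+From 134e28ae5abc997fe064995627b3ebe247a5d5d8 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <stefan@eissing.org>
+Date: Fri, 23 Feb 2024 15:13:56 +0100
+Subject: [PATCH] RESET stream after 100 failed incoming headers
+
+---
+mod_http2/h2_session.c | 10 +++++++---
+mod_http2/h2_stream.c | 1 +
+mod_http2/h2_stream.h | 1 +
+3 files changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c
+index a5cc306..4b38518 100644
+--- a/mod_http2/h2_session.c
++++ b/mod_http2/h2_session.c
+@@ -311,7 +311,12 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
+
+status = h2_stream_add_header(stream, (const char *)name, namelen,
+(const char *)value, valuelen);
+- if (status != APR_SUCCESS && !h2_stream_is_ready(stream)) {
++ if (status != APR_SUCCESS
++ && (!h2_stream_is_ready(stream) ||
++ /* We accept a certain amount of failures in order to reply
++ * with an informative HTTP error response like 413. But of the
++ * client is too wrong, we fail the request an RESET the stream */
++ stream->request_headers_failed > 100)) {
+return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
+}
+return 0;
+diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c
+index 6136baa..d3c4d99 100644
+--- a/mod_http2/h2_stream.c
++++ b/mod_http2/h2_stream.c
+@@ -733,6 +733,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
+}
+
+if (error) {
++ ++stream->request_headers_failed;
+set_error_response(stream, error);
+return APR_EINVAL;
+}
+diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h
+index 79cb39d..4ddf1a2 100644
+--- a/mod_http2/h2_stream.h
++++ b/mod_http2/h2_stream.h
+@@ -75,7 +75,8 @@ struct h2_stream {
+struct h2_request *rtmp; /* request being assembled */
+apr_table_t *trailers; /* optional incoming trailers */
+int request_headers_added; /* number of request headers added */
+-
++ int request_headers_failed; /* number of request headers failed to add */
++
+struct h2_bucket_beam *input;
+apr_bucket_brigade *in_buffer;
+int in_window_size;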
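Review bot: The reset threshold in on_header_cb is the bare literal in `stream->request_headers_failed > 100`, with nothing stating that the limit is per stream or why 100 was chosen; a named constant next to the field in h2_stream.h (for example `#define H2_MAX_FAILED_REQ_HEADERS 100`, name proposed here) with a one-line comment would make the bound auditable. The counter is only bumped on the `if (error)` path of h2_stream_add_header, whose body starts and ends outside the hunk, so it is worth confirming in this 1.15.7 backport that no other non-success return from that function can be repeated without counting toward the reset. The patch also adds `request_headers_failed` without showing an initialisation, so it presumably relies on the stream structure being zero-allocated at creation; that should be checked against the 1.15.7 sources. The new comment has two typos and would read better as `But if the client is too wrong, we fail the request and RESET the stream`.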
|
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
Name: mod_http2
|
Name: mod_http2
|
||||||
Version: 1.15.7
|
Version: 1.15.7
|
||||||
Release: 8%{?dist}.3
|
Release: 8%{?dist}.5.alma.1
|
||||||
Summary: module implementing HTTP/2 for Apache 2
|
Summary: module implementing HTTP/2 for Apache 2
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
@ -16,6 +16,9 @@ Patch4: mod_http2-1.15.7-CVE-2021-44224.patch
|
|||||||
Patch5: mod_http2-1.15.7-SNI.patch
|
Patch5: mod_http2-1.15.7-SNI.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
|
||||||
Patch6: mod_http2-1.15.7-CVE-2023-25690.patch
|
Patch6: mod_http2-1.15.7-CVE-2023-25690.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2268277
|
||||||
|
Patch7: mod_http2-1.15.7-CVE-2024-27316.patch
|
||||||
|
|
||||||
|
|
||||||
BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
|
BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
|
||||||
Requires: httpd-mmn = %{_httpd_mmn}
|
Requires: httpd-mmn = %{_httpd_mmn}
|
||||||
@ -33,6 +36,7 @@ top of libnghttp2 for httpd 2.4 servers.
|
|||||||
%patch4 -p1 -b .CVE-2021-44224
|
%patch4 -p1 -b .CVE-2021-44224
|
||||||
%patch5 -p1 -b .SNI
|
%patch5 -p1 -b .SNI
|
||||||
%patch6 -p1 -b .CVE-2023-25690
|
%patch6 -p1 -b .CVE-2023-25690
|
||||||
|
%patch7 -p1 -b .CVE-2024-27316
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure
|
%configure
|
||||||
@ -59,6 +63,10 @@ make check
|
|||||||
%{_httpd_moddir}/mod_proxy_http2.so
|
%{_httpd_moddir}/mod_proxy_http2.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Apr 12 2024 Andrew Lukoshko <alukoshko@almalinux.org> - 1.15.7-8.5.alma.1
|
||||||
|
- Resolves: RHEL-29817 - httpd:2.4/mod_http2: httpd: CONTINUATION frames
|
||||||
|
DoS (CVE-2024-27316)
|
||||||
|
|
||||||
* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-8.3
|
* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-8.3
|
||||||
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
|
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
|
||||||
with mod_rewrite and mod_proxy
|
with mod_rewrite and mod_proxy
|
||||||
|