import mod_http2-1.15.7-5.module+el8.7.0+18499+2e106f0b.4
This commit is contained in:
parent
0bfa611d9f
commit
5920b7dedd
21
SOURCES/mod_http2-1.15.7-CVE-2023-25690.patch
Normal file
21
SOURCES/mod_http2-1.15.7-CVE-2023-25690.patch
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
diff --git a/mod_http2/mod_proxy_http2.c b/mod_http2/mod_proxy_http2.c
|
||||||
|
index 2208707..844653e 100644
|
||||||
|
--- a/mod_http2/mod_proxy_http2.c
|
||||||
|
+++ b/mod_http2/mod_proxy_http2.c
|
||||||
|
@@ -159,6 +159,16 @@ static int proxy_http2_canon(request_rec *r, char *url)
|
||||||
|
path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
|
||||||
|
enc_path, 0, r->proxyreq);
|
||||||
|
search = r->args;
|
||||||
|
+ if (search && *(ap_scan_vchar_obstext(search))) {
|
||||||
|
+ /*
|
||||||
|
+ * We have a raw control character or a ' ' in r->args.
|
||||||
|
+ * Correct encoding was missed.
|
||||||
|
+ */
|
||||||
|
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
|
||||||
|
+ "To be forwarded query string contains control "
|
||||||
|
+ "characters or spaces");
|
||||||
|
+ return HTTP_FORBIDDEN;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
case PROXYREQ_PROXY:
|
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
Name: mod_http2
|
Name: mod_http2
|
||||||
Version: 1.15.7
|
Version: 1.15.7
|
||||||
Release: 5%{?dist}
|
Release: 5%{?dist}.4
|
||||||
Summary: module implementing HTTP/2 for Apache 2
|
Summary: module implementing HTTP/2 for Apache 2
|
||||||
Group: System Environment/Daemons
|
Group: System Environment/Daemons
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
@ -13,6 +13,8 @@ Patch1: mod_http2-1.15.7-CVE-2020-9490.patch
|
|||||||
Patch2: mod_http2-1.15.7-CVE-2020-11993.patch
|
Patch2: mod_http2-1.15.7-CVE-2020-11993.patch
|
||||||
Patch3: mod_http2-1.15.7-CVE-2021-33193.patch
|
Patch3: mod_http2-1.15.7-CVE-2021-33193.patch
|
||||||
Patch4: mod_http2-1.15.7-CVE-2021-44224.patch
|
Patch4: mod_http2-1.15.7-CVE-2021-44224.patch
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
|
||||||
|
Patch5: mod_http2-1.15.7-CVE-2023-25690.patch
|
||||||
BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
|
BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
|
||||||
Requires: httpd-mmn = %{_httpd_mmn}
|
Requires: httpd-mmn = %{_httpd_mmn}
|
||||||
Conflicts: httpd < 2.4.25-8
|
Conflicts: httpd < 2.4.25-8
|
||||||
@ -28,6 +30,7 @@ top of libnghttp2 for httpd 2.4 servers.
|
|||||||
%patch2 -p1 -b .CVE-2020-11993
|
%patch2 -p1 -b .CVE-2020-11993
|
||||||
%patch3 -p1 -b .CVE-2021-33193
|
%patch3 -p1 -b .CVE-2021-33193
|
||||||
%patch4 -p1 -b .CVE-2021-44224
|
%patch4 -p1 -b .CVE-2021-44224
|
||||||
|
%patch5 -p1 -b .CVE-2023-25690
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%configure
|
%configure
|
||||||
@ -54,6 +57,10 @@ make check
|
|||||||
%{_httpd_moddir}/mod_proxy_http2.so
|
%{_httpd_moddir}/mod_proxy_http2.so
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-5.4
|
||||||
|
- Resolves: #2177747 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
|
||||||
|
with mod_rewrite and mod_proxy
|
||||||
|
|
||||||
* Mon Jan 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-5
|
* Mon Jan 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-5
|
||||||
- Resolves: #2035030 - CVE-2021-44224 httpd:2.4/httpd: possible NULL dereference
|
- Resolves: #2035030 - CVE-2021-44224 httpd:2.4/httpd: possible NULL dereference
|
||||||
or SSRF in forward proxy configurations
|
or SSRF in forward proxy configurations
|
||||||
|
Loading…
Reference in New Issue
Block a user