import UBI mod_http2-2.0.26-2.el9_4
This commit is contained in:
parent
07619d83d8
commit
76352c0488
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/mod_http2-1.15.19.tar.gz
|
||||
SOURCES/mod_http2-2.0.26.tar.gz
|
||||
|
@ -1 +1 @@
|
||||
90be4a24989a8e0041d9cc20f7db34a453e4fa9f SOURCES/mod_http2-1.15.19.tar.gz
|
||||
cbfe42690c6a382da29ab728b1aa757af552acbc SOURCES/mod_http2-2.0.26.tar.gz
|
||||
|
@ -1,14 +0,0 @@
|
||||
diff -uap mod_http2-1.14.0/mod_http2/h2_from_h1.c.buildfix mod_http2-1.14.0/mod_http2/h2_from_h1.c
|
||||
--- mod_http2-1.14.0/mod_http2/h2_from_h1.c.buildfix 2019-02-12 13:30:56.000000000 +0000
|
||||
+++ mod_http2-1.14.0/mod_http2/h2_from_h1.c 2019-03-14 10:35:46.365678537 +0000
|
||||
@@ -35,6 +35,10 @@
|
||||
#include "h2_task.h"
|
||||
#include "h2_util.h"
|
||||
|
||||
+#ifndef AP_STATUS_IS_HEADER_ONLY
|
||||
+#define AP_STATUS_IS_HEADER_ONLY(x) ((x) == HTTP_NO_CONTENT || \
|
||||
+ (x) == HTTP_NOT_MODIFIED)
|
||||
+#endif
|
||||
|
||||
/* This routine is called by apr_table_do and merges all instances of
|
||||
* the passed field values into a single array that will be further
|
@ -1,65 +0,0 @@
|
||||
commit 124c2ca0886b05d0871ee09466de555d757b72fc
|
||||
Author: Joe Orton <jorton@redhat.com>
|
||||
Date: Fri May 7 10:58:18 2021 +0100
|
||||
|
||||
Switch to using OpenSSL EVP_* API to avoid deprecation warnings
|
||||
with OpenSSL 3.0.
|
||||
|
||||
diff --git a/mod_http2/h2_push.c b/mod_http2/h2_push.c
|
||||
index 8ae0b49..0a90a5d 100644
|
||||
--- a/mod_http2/h2_push.c
|
||||
+++ b/mod_http2/h2_push.c
|
||||
@@ -23,7 +23,7 @@
|
||||
#include <apr_time.h>
|
||||
|
||||
#ifdef H2_OPENSSL
|
||||
-#include <openssl/sha.h>
|
||||
+#include <openssl/evp.h>
|
||||
#endif
|
||||
|
||||
#include <httpd.h>
|
||||
@@ -472,27 +472,32 @@ typedef struct h2_push_diary_entry {
|
||||
|
||||
|
||||
#ifdef H2_OPENSSL
|
||||
-static void sha256_update(SHA256_CTX *ctx, const char *s)
|
||||
+static void sha256_update(EVP_MD_CTX *ctx, const char *s)
|
||||
{
|
||||
- SHA256_Update(ctx, s, strlen(s));
|
||||
+ EVP_DigestUpdate(ctx, s, strlen(s));
|
||||
}
|
||||
|
||||
static void calc_sha256_hash(h2_push_diary *diary, apr_uint64_t *phash, h2_push *push)
|
||||
{
|
||||
- SHA256_CTX sha256;
|
||||
+ EVP_MD_CTX *md;
|
||||
apr_uint64_t val;
|
||||
- unsigned char hash[SHA256_DIGEST_LENGTH];
|
||||
+ unsigned char hash[EVP_MAX_MD_SIZE];
|
||||
+ unsigned len;
|
||||
int i;
|
||||
-
|
||||
- SHA256_Init(&sha256);
|
||||
- sha256_update(&sha256, push->req->scheme);
|
||||
- sha256_update(&sha256, "://");
|
||||
- sha256_update(&sha256, push->req->authority);
|
||||
- sha256_update(&sha256, push->req->path);
|
||||
- SHA256_Final(hash, &sha256);
|
||||
+
|
||||
+ md = EVP_MD_CTX_create();
|
||||
+ ap_assert(md != NULL);
|
||||
+
|
||||
+ i = EVP_DigestInit_ex(md, EVP_sha256(), NULL);
|
||||
+ ap_assert(i == 1);
|
||||
+ sha256_update(md, push->req->scheme);
|
||||
+ sha256_update(md, "://");
|
||||
+ sha256_update(md, push->req->authority);
|
||||
+ sha256_update(md, push->req->path);
|
||||
+ EVP_DigestFinal(md, hash, &len);
|
||||
|
||||
val = 0;
|
||||
- for (i = 0; i != sizeof(val); ++i)
|
||||
+ for (i = 0; i != len; ++i)
|
||||
val = val * 256 + hash[i];
|
||||
*phash = val >> (64 - diary->mask_bits);
|
||||
}
|
@ -1,13 +0,0 @@
|
||||
diff --git a/mod_http2/h2_request.c b/mod_http2/h2_request.c
|
||||
index 45df9b1..70241d4 100644
|
||||
--- a/mod_http2/h2_request.c
|
||||
+++ b/mod_http2/h2_request.c
|
||||
@@ -371,7 +371,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
|
||||
ap_add_input_filter_handle(ap_http_input_filter_handle,
|
||||
NULL, r, r->connection);
|
||||
|
||||
- if ((access_status = ap_run_post_read_request(r))) {
|
||||
+ if ((access_status = ap_post_read_request(r))) {
|
||||
/* Request check post hooks failed. An example of this would be a
|
||||
* request for a vhost where h2 is disabled --> 421.
|
||||
*/
|
@ -1,30 +0,0 @@
|
||||
diff --git a/mod_http2/mod_proxy_http2.c b/mod_http2/mod_proxy_http2.c
|
||||
index 893aa8f..d52d5d9 100644
|
||||
--- a/mod_http2/mod_proxy_http2.c
|
||||
+++ b/mod_http2/mod_proxy_http2.c
|
||||
@@ -154,11 +154,25 @@ static int proxy_http2_canon(request_rec *r, char *url)
|
||||
if (apr_table_get(r->notes, "proxy-nocanon")) {
|
||||
path = url; /* this is the raw path */
|
||||
}
|
||||
+ else if (apr_table_get(r->notes, "proxy-noencode")) {
|
||||
+ path = url; /* this is the encoded path already */
|
||||
+ search = r->args;
|
||||
+ }
|
||||
else {
|
||||
path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
|
||||
enc_path, 0, r->proxyreq);
|
||||
search = r->args;
|
||||
}
|
||||
+ if (search && *ap_scan_vchar_obstext(search)) {
|
||||
+ /*
|
||||
+ * We have a raw control character or a ' ' in r->args.
|
||||
+ * Correct encoding was missed.
|
||||
+ */
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
|
||||
+ "To be forwarded query string contains control "
|
||||
+ "characters or spaces");
|
||||
+ return HTTP_FORBIDDEN;
|
||||
+ }
|
||||
break;
|
||||
case PROXYREQ_PROXY:
|
||||
path = url;
|
@ -10,10 +10,10 @@ Subject: [PATCH] RESET stream after 100 failed incoming headers
|
||||
3 files changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c
|
||||
index 1915855..d9c077a 100644
|
||||
index 1e560e47..6d379cc5 100644
|
||||
--- a/mod_http2/h2_session.c
|
||||
+++ b/mod_http2/h2_session.c
|
||||
@@ -311,9 +311,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
|
||||
@@ -319,9 +319,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame,
|
||||
|
||||
status = h2_stream_add_header(stream, (const char *)name, namelen,
|
||||
(const char *)value, valuelen);
|
||||
@ -31,10 +31,10 @@ index 1915855..d9c077a 100644
|
||||
}
|
||||
return 0;
|
||||
diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c
|
||||
index 4fec537..2b2caaf 100644
|
||||
index f6c92024..ee87555f 100644
|
||||
--- a/mod_http2/h2_stream.c
|
||||
+++ b/mod_http2/h2_stream.c
|
||||
@@ -764,6 +764,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
|
||||
@@ -813,6 +813,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream,
|
||||
|
||||
cleanup:
|
||||
if (error) {
|
||||
@ -43,14 +43,15 @@ index 4fec537..2b2caaf 100644
|
||||
return APR_EINVAL;
|
||||
}
|
||||
diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h
|
||||
index 08f7888..baf8b50 100644
|
||||
index d68d4260..405978a4 100644
|
||||
--- a/mod_http2/h2_stream.h
|
||||
+++ b/mod_http2/h2_stream.h
|
||||
@@ -75,6 +75,7 @@ struct h2_stream {
|
||||
@@ -91,6 +91,7 @@ struct h2_stream {
|
||||
struct h2_request *rtmp; /* request being assembled */
|
||||
apr_table_t *trailers; /* optional incoming trailers */
|
||||
apr_table_t *trailers_in; /* optional, incoming trailers */
|
||||
int request_headers_added; /* number of request headers added */
|
||||
+ int request_headers_failed; /* number of request headers failed to add */
|
||||
|
||||
struct h2_bucket_beam *input;
|
||||
apr_bucket_brigade *in_buffer;
|
||||
|
||||
#if AP_HAS_RESPONSE_BUCKETS
|
||||
ap_bucket_response *response; /* the final, non-interim response or NULL */
|
||||
|
@ -2,22 +2,18 @@
|
||||
%{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)}
|
||||
|
||||
Name: mod_http2
|
||||
Version: 1.15.19
|
||||
Release: 5%{?dist}.1
|
||||
Version: 2.0.26
|
||||
Release: 2%{?dist}
|
||||
Summary: module implementing HTTP/2 for Apache 2
|
||||
License: ASL 2.0
|
||||
URL: https://icing.github.io/mod_h2/
|
||||
Source0: https://github.com/icing/mod_h2/releases/download/v%{version}/mod_http2-%{version}.tar.gz
|
||||
Patch1: mod_http2-1.14.1-buildfix.patch
|
||||
Patch2: mod_http2-1.15.14-openssl30.patch
|
||||
# Patch1: ...
|
||||
|
||||
# Security patches:
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2034672
|
||||
Patch100: mod_http2-1.15.19-CVE-2021-44224.patch
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
|
||||
Patch101: mod_http2-1.15.19-CVE-2023-25690.patch
|
||||
#
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2268277
|
||||
Patch102: mod_http2-1.15.19-CVE-2024-27316.patch
|
||||
Patch100: mod_http2-2.0.26-CVE-2024-27316.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc
|
||||
@ -32,13 +28,7 @@ The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on
|
||||
top of libnghttp2 for httpd 2.4 servers.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
%patch1 -p1 -b .buildfix
|
||||
%patch2 -p1 -b .openssl30
|
||||
|
||||
%patch100 -p1 -b .CVE-2021-44224
|
||||
%patch101 -p1 -b .CVE-2023-25690
|
||||
%patch102 -p1 -b .CVE-2024-27316
|
||||
%autosetup -p1
|
||||
|
||||
%build
|
||||
autoreconf -i
|
||||
@ -63,10 +53,13 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{
|
||||
%{_httpd_moddir}/mod_proxy_http2.so
|
||||
|
||||
%changelog
|
||||
* Fri Apr 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 1.15.19-5.1
|
||||
- Resolves: RHEL-29826 - mod_http2: httpd: CONTINUATION frames
|
||||
* Fri Apr 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-2
|
||||
- Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames
|
||||
DoS (CVE-2024-27316)
|
||||
|
||||
* Thu Jan 18 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.0.26-1
|
||||
- Resolves: RHEL-14691 - mod_http2 rebase to 2.0.26
|
||||
|
||||
* Wed Aug 16 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.19-5
|
||||
- Resolves: #2177753 - CVE-2023-25690 httpd: HTTP request splitting with
|
||||
mod_rewrite and mod_proxy
|
||||
|
Loading…
Reference in New Issue
Block a user