diff --git a/.gitignore b/.gitignore index e95623d..3ff9b43 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/mod_http2-1.15.19.tar.gz +SOURCES/mod_http2-2.0.26.tar.gz diff --git a/.mod_http2.metadata b/.mod_http2.metadata index 6e7a106..7da7b2f 100644 --- a/.mod_http2.metadata +++ b/.mod_http2.metadata @@ -1 +1 @@ -90be4a24989a8e0041d9cc20f7db34a453e4fa9f SOURCES/mod_http2-1.15.19.tar.gz +cbfe42690c6a382da29ab728b1aa757af552acbc SOURCES/mod_http2-2.0.26.tar.gz diff --git a/SOURCES/mod_http2-1.14.1-buildfix.patch b/SOURCES/mod_http2-1.14.1-buildfix.patch deleted file mode 100644 index 25ff1fa..0000000 --- a/SOURCES/mod_http2-1.14.1-buildfix.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff -uap mod_http2-1.14.0/mod_http2/h2_from_h1.c.buildfix mod_http2-1.14.0/mod_http2/h2_from_h1.c ---- mod_http2-1.14.0/mod_http2/h2_from_h1.c.buildfix 2019-02-12 13:30:56.000000000 +0000 -+++ mod_http2-1.14.0/mod_http2/h2_from_h1.c 2019-03-14 10:35:46.365678537 +0000 -@@ -35,6 +35,10 @@ - #include "h2_task.h" - #include "h2_util.h" - -+#ifndef AP_STATUS_IS_HEADER_ONLY -+#define AP_STATUS_IS_HEADER_ONLY(x) ((x) == HTTP_NO_CONTENT || \ -+ (x) == HTTP_NOT_MODIFIED) -+#endif - - /* This routine is called by apr_table_do and merges all instances of - * the passed field values into a single array that will be further diff --git a/SOURCES/mod_http2-1.15.14-openssl30.patch b/SOURCES/mod_http2-1.15.14-openssl30.patch deleted file mode 100644 index 69a28f4..0000000 --- a/SOURCES/mod_http2-1.15.14-openssl30.patch +++ /dev/null @@ -1,65 +0,0 @@ -commit 124c2ca0886b05d0871ee09466de555d757b72fc -Author: Joe Orton -Date: Fri May 7 10:58:18 2021 +0100 - - Switch to using OpenSSL EVP_* API to avoid deprecation warnings - with OpenSSL 3.0. - -diff --git a/mod_http2/h2_push.c b/mod_http2/h2_push.c -index 8ae0b49..0a90a5d 100644 ---- a/mod_http2/h2_push.c -+++ b/mod_http2/h2_push.c -@@ -23,7 +23,7 @@ - #include - - #ifdef H2_OPENSSL --#include -+#include - #endif - - #include -@@ -472,27 +472,32 @@ typedef struct h2_push_diary_entry { - - - #ifdef H2_OPENSSL --static void sha256_update(SHA256_CTX *ctx, const char *s) -+static void sha256_update(EVP_MD_CTX *ctx, const char *s) - { -- SHA256_Update(ctx, s, strlen(s)); -+ EVP_DigestUpdate(ctx, s, strlen(s)); - } - - static void calc_sha256_hash(h2_push_diary *diary, apr_uint64_t *phash, h2_push *push) - { -- SHA256_CTX sha256; -+ EVP_MD_CTX *md; - apr_uint64_t val; -- unsigned char hash[SHA256_DIGEST_LENGTH]; -+ unsigned char hash[EVP_MAX_MD_SIZE]; -+ unsigned len; - int i; -- -- SHA256_Init(&sha256); -- sha256_update(&sha256, push->req->scheme); -- sha256_update(&sha256, "://"); -- sha256_update(&sha256, push->req->authority); -- sha256_update(&sha256, push->req->path); -- SHA256_Final(hash, &sha256); -+ -+ md = EVP_MD_CTX_create(); -+ ap_assert(md != NULL); -+ -+ i = EVP_DigestInit_ex(md, EVP_sha256(), NULL); -+ ap_assert(i == 1); -+ sha256_update(md, push->req->scheme); -+ sha256_update(md, "://"); -+ sha256_update(md, push->req->authority); -+ sha256_update(md, push->req->path); -+ EVP_DigestFinal(md, hash, &len); - - val = 0; -- for (i = 0; i != sizeof(val); ++i) -+ for (i = 0; i != len; ++i) - val = val * 256 + hash[i]; - *phash = val >> (64 - diary->mask_bits); - } diff --git a/SOURCES/mod_http2-1.15.19-CVE-2021-44224.patch b/SOURCES/mod_http2-1.15.19-CVE-2021-44224.patch deleted file mode 100644 index 11252ec..0000000 --- a/SOURCES/mod_http2-1.15.19-CVE-2021-44224.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/mod_http2/h2_request.c b/mod_http2/h2_request.c -index 45df9b1..70241d4 100644 ---- a/mod_http2/h2_request.c -+++ b/mod_http2/h2_request.c -@@ -371,7 +371,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c) - ap_add_input_filter_handle(ap_http_input_filter_handle, - NULL, r, r->connection); - -- if ((access_status = ap_run_post_read_request(r))) { -+ if ((access_status = ap_post_read_request(r))) { - /* Request check post hooks failed. An example of this would be a - * request for a vhost where h2 is disabled --> 421. - */ diff --git a/SOURCES/mod_http2-1.15.19-CVE-2023-25690.patch b/SOURCES/mod_http2-1.15.19-CVE-2023-25690.patch deleted file mode 100644 index 824e81d..0000000 --- a/SOURCES/mod_http2-1.15.19-CVE-2023-25690.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff --git a/mod_http2/mod_proxy_http2.c b/mod_http2/mod_proxy_http2.c -index 893aa8f..d52d5d9 100644 ---- a/mod_http2/mod_proxy_http2.c -+++ b/mod_http2/mod_proxy_http2.c -@@ -154,11 +154,25 @@ static int proxy_http2_canon(request_rec *r, char *url) - if (apr_table_get(r->notes, "proxy-nocanon")) { - path = url; /* this is the raw path */ - } -+ else if (apr_table_get(r->notes, "proxy-noencode")) { -+ path = url; /* this is the encoded path already */ -+ search = r->args; -+ } - else { - path = ap_proxy_canonenc(r->pool, url, (int)strlen(url), - enc_path, 0, r->proxyreq); - search = r->args; - } -+ if (search && *ap_scan_vchar_obstext(search)) { -+ /* -+ * We have a raw control character or a ' ' in r->args. -+ * Correct encoding was missed. -+ */ -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412) -+ "To be forwarded query string contains control " -+ "characters or spaces"); -+ return HTTP_FORBIDDEN; -+ } - break; - case PROXYREQ_PROXY: - path = url; diff --git a/SOURCES/mod_http2-1.15.19-CVE-2024-27316.patch b/SOURCES/mod_http2-2.0.26-CVE-2024-27316.patch similarity index 80% rename from SOURCES/mod_http2-1.15.19-CVE-2024-27316.patch rename to SOURCES/mod_http2-2.0.26-CVE-2024-27316.patch index cdecf1e..ac52022 100644 --- a/SOURCES/mod_http2-1.15.19-CVE-2024-27316.patch +++ b/SOURCES/mod_http2-2.0.26-CVE-2024-27316.patch @@ -10,10 +10,10 @@ Subject: [PATCH] RESET stream after 100 failed incoming headers 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/mod_http2/h2_session.c b/mod_http2/h2_session.c -index 1915855..d9c077a 100644 +index 1e560e47..6d379cc5 100644 --- a/mod_http2/h2_session.c +++ b/mod_http2/h2_session.c -@@ -311,9 +311,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame, +@@ -319,9 +319,13 @@ static int on_header_cb(nghttp2_session *ngh2, const nghttp2_frame *frame, status = h2_stream_add_header(stream, (const char *)name, namelen, (const char *)value, valuelen); @@ -31,10 +31,10 @@ index 1915855..d9c077a 100644 } return 0; diff --git a/mod_http2/h2_stream.c b/mod_http2/h2_stream.c -index 4fec537..2b2caaf 100644 +index f6c92024..ee87555f 100644 --- a/mod_http2/h2_stream.c +++ b/mod_http2/h2_stream.c -@@ -764,6 +764,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream, +@@ -813,6 +813,7 @@ apr_status_t h2_stream_add_header(h2_stream *stream, cleanup: if (error) { @@ -43,14 +43,15 @@ index 4fec537..2b2caaf 100644 return APR_EINVAL; } diff --git a/mod_http2/h2_stream.h b/mod_http2/h2_stream.h -index 08f7888..baf8b50 100644 +index d68d4260..405978a4 100644 --- a/mod_http2/h2_stream.h +++ b/mod_http2/h2_stream.h -@@ -75,6 +75,7 @@ struct h2_stream { +@@ -91,6 +91,7 @@ struct h2_stream { struct h2_request *rtmp; /* request being assembled */ - apr_table_t *trailers; /* optional incoming trailers */ + apr_table_t *trailers_in; /* optional, incoming trailers */ int request_headers_added; /* number of request headers added */ + int request_headers_failed; /* number of request headers failed to add */ - - struct h2_bucket_beam *input; - apr_bucket_brigade *in_buffer; + + #if AP_HAS_RESPONSE_BUCKETS + ap_bucket_response *response; /* the final, non-interim response or NULL */ + diff --git a/SPECS/mod_http2.spec b/SPECS/mod_http2.spec index f21d9da..113fbc6 100644 --- a/SPECS/mod_http2.spec +++ b/SPECS/mod_http2.spec @@ -2,22 +2,18 @@ %{!?_httpd_mmn: %global _httpd_mmn %(cat %{_includedir}/httpd/.mmn 2>/dev/null || echo 0-0)} Name: mod_http2 -Version: 1.15.19 -Release: 5%{?dist}.1 +Version: 2.0.26 +Release: 2%{?dist} Summary: module implementing HTTP/2 for Apache 2 License: ASL 2.0 URL: https://icing.github.io/mod_h2/ Source0: https://github.com/icing/mod_h2/releases/download/v%{version}/mod_http2-%{version}.tar.gz -Patch1: mod_http2-1.14.1-buildfix.patch -Patch2: mod_http2-1.15.14-openssl30.patch +# Patch1: ... # Security patches: -# https://bugzilla.redhat.com/show_bug.cgi?id=2034672 -Patch100: mod_http2-1.15.19-CVE-2021-44224.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2176209 -Patch101: mod_http2-1.15.19-CVE-2023-25690.patch +# # https://bugzilla.redhat.com/show_bug.cgi?id=2268277 -Patch102: mod_http2-1.15.19-CVE-2024-27316.patch +Patch100: mod_http2-2.0.26-CVE-2024-27316.patch BuildRequires: make BuildRequires: gcc @@ -32,13 +28,7 @@ The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on top of libnghttp2 for httpd 2.4 servers. %prep -%setup -q -%patch1 -p1 -b .buildfix -%patch2 -p1 -b .openssl30 - -%patch100 -p1 -b .CVE-2021-44224 -%patch101 -p1 -b .CVE-2023-25690 -%patch102 -p1 -b .CVE-2024-27316 +%autosetup -p1 %build autoreconf -i @@ -63,10 +53,13 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{ %{_httpd_moddir}/mod_proxy_http2.so %changelog -* Fri Apr 05 2024 Luboš Uhliarik - 1.15.19-5.1 -- Resolves: RHEL-29826 - mod_http2: httpd: CONTINUATION frames +* Fri Apr 05 2024 Luboš Uhliarik - 2.0.26-2 +- Resolves: RHEL-31855 - mod_http2: httpd: CONTINUATION frames DoS (CVE-2024-27316) +* Thu Jan 18 2024 Luboš Uhliarik - 2.0.26-1 +- Resolves: RHEL-14691 - mod_http2 rebase to 2.0.26 + * Wed Aug 16 2023 Luboš Uhliarik - 1.15.19-5 - Resolves: #2177753 - CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy