rpms/mod_http2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

resync

Browse Source 
Signed-off-by: Brian Stinson <bstinson@redhat.com>
This commit is contained in:
Brian Stinson 2023-04-27 18:19:09 -05:00
parent 51231bf4d0
commit d982638749
7 changed files with 32 additions and 108 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -1,2 +1 @@
SOURCES/mod_http2-1.15.7.tar.gz
/mod_http2-1.15.7.tar.gz
/mod_http2-1.*.tar.gz

10
gating.yaml
View File

@ -1,10 +0,0 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier2.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier3.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.acceptance-tier.functional}

14
mod_http2-1.14.1-buildfix.patch
View File

@ -1,14 +0,0 @@
diff -uap mod_http2-1.14.0/mod_http2/h2_from_h1.c.buildfix mod_http2-1.14.0/mod_http2/h2_from_h1.c
--- mod_http2-1.14.0/mod_http2/h2_from_h1.c.buildfix 2019-02-12 13:30:56.000000000 +0000
+++ mod_http2-1.14.0/mod_http2/h2_from_h1.c 2019-03-14 10:35:46.365678537 +0000
@@ -35,6 +35,10 @@
#include "h2_task.h"
#include "h2_util.h"
+#ifndef AP_STATUS_IS_HEADER_ONLY
+#define AP_STATUS_IS_HEADER_ONLY(x) ((x) == HTTP_NO_CONTENT || \
+ (x) == HTTP_NOT_MODIFIED)
+#endif
/* This routine is called by apr_table_do and merges all instances of
* the passed field values into a single array that will be further

65
mod_http2-1.15.14-openssl30.patch
View File

@ -1,65 +0,0 @@
commit 124c2ca0886b05d0871ee09466de555d757b72fc
Author: Joe Orton <jorton@redhat.com>
Date: Fri May 7 10:58:18 2021 +0100
Switch to using OpenSSL EVP_* API to avoid deprecation warnings
with OpenSSL 3.0.
diff --git a/mod_http2/h2_push.c b/mod_http2/h2_push.c
index 8ae0b49..0a90a5d 100644
--- a/mod_http2/h2_push.c
+++ b/mod_http2/h2_push.c
@@ -23,7 +23,7 @@
#include <apr_time.h>
#ifdef H2_OPENSSL
-#include <openssl/sha.h>
+#include <openssl/evp.h>
#endif
#include <httpd.h>
@@ -472,27 +472,32 @@ typedef struct h2_push_diary_entry {
#ifdef H2_OPENSSL
-static void sha256_update(SHA256_CTX *ctx, const char *s)
+static void sha256_update(EVP_MD_CTX *ctx, const char *s)
{
- SHA256_Update(ctx, s, strlen(s));
+ EVP_DigestUpdate(ctx, s, strlen(s));
}
static void calc_sha256_hash(h2_push_diary *diary, apr_uint64_t *phash, h2_push *push)
{
- SHA256_CTX sha256;
+ EVP_MD_CTX *md;
apr_uint64_t val;
- unsigned char hash[SHA256_DIGEST_LENGTH];
+ unsigned char hash[EVP_MAX_MD_SIZE];
+ unsigned len;
int i;
-
- SHA256_Init(&sha256);
- sha256_update(&sha256, push->req->scheme);
- sha256_update(&sha256, "://");
- sha256_update(&sha256, push->req->authority);
- sha256_update(&sha256, push->req->path);
- SHA256_Final(hash, &sha256);
+
+ md = EVP_MD_CTX_create();
+ ap_assert(md != NULL);
+
+ i = EVP_DigestInit_ex(md, EVP_sha256(), NULL);
+ ap_assert(i == 1);
+ sha256_update(md, push->req->scheme);
+ sha256_update(md, "://");
+ sha256_update(md, push->req->authority);
+ sha256_update(md, push->req->path);
+ EVP_DigestFinal(md, hash, &len);
val = 0;
- for (i = 0; i != sizeof(val); ++i)
+ for (i = 0; i != len; ++i)
val = val * 256 + hash[i];
*phash = val >> (64 - diary->mask_bits);
}

13
mod_http2-1.15.19-CVE-2021-44224.patch
View File

@ -1,13 +0,0 @@
diff --git a/mod_http2/h2_request.c b/mod_http2/h2_request.c
index 45df9b1..70241d4 100644
--- a/mod_http2/h2_request.c
+++ b/mod_http2/h2_request.c
@@ -371,7 +371,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
ap_add_input_filter_handle(ap_http_input_filter_handle,
NULL, r, r->connection);
- if ((access_status = ap_run_post_read_request(r))) {
+ if ((access_status = ap_post_read_request(r))) {
/* Request check post hooks failed. An example of this would be a
* request for a vhost where h2 is disabled --> 421.
*/

21
mod_http2-1.15.7-CVE-2023-25690.patch Normal file
View File

@ -0,0 +1,21 @@
diff --git a/mod_http2/mod_proxy_http2.c b/mod_http2/mod_proxy_http2.c
index 2208707..844653e 100644
--- a/mod_http2/mod_proxy_http2.c
+++ b/mod_http2/mod_proxy_http2.c
@@ -159,6 +159,16 @@ static int proxy_http2_canon(request_rec *r, char *url)
path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
enc_path, 0, r->proxyreq);
search = r->args;
+ if (search && *(ap_scan_vchar_obstext(search))) {
+ /*
+ * We have a raw control character or a ' ' in r->args.
+ * Correct encoding was missed.
+ */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412)
+ "To be forwarded query string contains control "
+ "characters or spaces");
+ return HTTP_FORBIDDEN;
+ }
}
break;
case PROXYREQ_PROXY:

14
mod_http2.spec
View File

@ -3,7 +3,7 @@
Name: mod_http2
Version: 1.15.7
Release: 7%{?dist}
Release: 8%{?dist}.3
Summary: module implementing HTTP/2 for Apache 2
Group: System Environment/Daemons
License: ASL 2.0
@ -14,11 +14,12 @@ Patch2: mod_http2-1.15.7-CVE-2020-11993.patch
Patch3: mod_http2-1.15.7-CVE-2021-33193.patch
Patch4: mod_http2-1.15.7-CVE-2021-44224.patch
Patch5: mod_http2-1.15.7-SNI.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
Patch6: mod_http2-1.15.7-CVE-2023-25690.patch
BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2
Requires: httpd-mmn = %{_httpd_mmn}
Requires: httpd >= 2.4.37-47
Conflicts: httpd < 2.4.25-8
Conflicts: httpd < 2.4.37-55
%description
The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on
@ -31,6 +32,7 @@ top of libnghttp2 for httpd 2.4 servers.
%patch3 -p1 -b .CVE-2021-33193
%patch4 -p1 -b .CVE-2021-44224
%patch5 -p1 -b .SNI
%patch6 -p1 -b .CVE-2023-25690
%build
%configure
@ -57,6 +59,10 @@ make check
%{_httpd_moddir}/mod_proxy_http2.so
%changelog
* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-8.3
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
with mod_rewrite and mod_proxy
* Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 1.15.7-7
- Resolves: #2095650 - Dependency from mod_http2 on httpd broken