From 196c8aa588a765e8787f963362b68728a5714cc8b69d1a352236359eae37f392 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?= Date: Fri, 18 Oct 2024 15:37:00 +0200 Subject: [PATCH] Sync from SUSE:SLFO:Main apache2 revision 8c49b3d9c05f28876dd3503c4f797d74 --- apache2-CVE-2024-40725.patch | 29 +++++++++++++++++++++++++++++ apache2.changes | 7 +++++++ apache2.spec | 2 ++ 3 files changed, 38 insertions(+) create mode 100644 apache2-CVE-2024-40725.patch diff --git a/apache2-CVE-2024-40725.patch b/apache2-CVE-2024-40725.patch new file mode 100644 index 0000000..e10e658 --- /dev/null +++ b/apache2-CVE-2024-40725.patch @@ -0,0 +1,29 @@ +From a7d24b4ea9a6ea35878fd33075365328caafcf91 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 15 Jul 2024 12:08:30 +0000 +Subject: [PATCH] Merge r1919247 from trunk: + +copy the trusted flag from the subrequest + +Submitted By: covener +Reviewed By: covener, ylavic, gbechis + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1919249 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/http/http_request.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/http/http_request.c b/modules/http/http_request.c +index 71ecc2bbab1..7e9477be1f1 100644 +--- a/modules/http/http_request.c ++++ b/modules/http/http_request.c +@@ -708,7 +708,7 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r) + r->args = rr->args; + r->finfo = rr->finfo; + r->handler = rr->handler; +- ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r)); ++ ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(rr)); + r->content_encoding = rr->content_encoding; + r->content_languages = rr->content_languages; + r->per_dir_config = rr->per_dir_config; diff --git a/apache2.changes b/apache2.changes index ebc16c3..80fc185 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Oct 3 02:39:41 UTC 2024 - Martin Schreiner + +- Apply fix for CVE-2024-40725, bsc#1228097. + Patch file added: + * apache2-CVE-2024-40725.patch + ------------------------------------------------------------------- Wed Oct 2 18:22:25 UTC 2024 - Martin Schreiner diff --git a/apache2.spec b/apache2.spec index 096f5bb..5641349 100644 --- a/apache2.spec +++ b/apache2.spec @@ -225,6 +225,8 @@ Patch28: apache2-CVE-2024-38473-3.patch Patch29: apache2-CVE-2024-38473-4.patch # FIX-UPSTREAM: CVE-2024-39884, bsc#1227353: source code disclosure with handlers configured via AddType Patch30: apache2-CVE-2024-39884.patch +# FIX-UPSTREAM: CVE-2024-40725, bsc#1229087: source code disclosure of local content +Patch31: apache2-CVE-2024-40725.patch # PATCH: https://marc.info/?l=apache-httpd-users&m=147448312531134&w=2 Patch100: apache-test-application-xml-type.patch