diff --git a/apache2-CVE-2024-38473-1.patch b/apache2-CVE-2024-38473-1.patch
new file mode 100644
index 0000000..89b2128
--- /dev/null
+++ b/apache2-CVE-2024-38473-1.patch
@@ -0,0 +1,39 @@
+From b10cb2d69184843832d501a615abe3e8e5e256dc Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 24 Jun 2024 17:52:31 +0000
+Subject: [PATCH] Merge r1918550 from trunk:
+
+mod_proxy: escape for non-proxypass configuration
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918559 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/mod_proxy.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index c9cef7c44f5..17e39c95b8f 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -1314,15 +1314,18 @@ static int proxy_handler(request_rec *r)
+ }
+
+ if (!r->proxyreq) {
++ rc = DECLINED;
+ /* We may have forced the proxy handler via config or .htaccess */
+ if (r->handler &&
+ strncmp(r->handler, "proxy:", 6) == 0 &&
+ strncmp(r->filename, "proxy:", 6) != 0) {
+ r->proxyreq = PROXYREQ_REVERSE;
+ r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
++ /* Still need to fixup/canonicalize r->filename */
++ rc = proxy_fixup(r);
+ }
+- else {
+- return DECLINED;
++ if (rc != OK) {
++ return rc;
+ }
+ } else if (strncmp(r->filename, "proxy:", 6) != 0) {
+ return DECLINED;
diff --git a/apache2-CVE-2024-38473-2.patch b/apache2-CVE-2024-38473-2.patch
new file mode 100644
index 0000000..9301c70
--- /dev/null
+++ b/apache2-CVE-2024-38473-2.patch
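Review bot: In apache2-CVE-2024-38473-1.patch the forced-handler branch of `proxy_handler` sets `r->proxyreq = PROXYREQ_REVERSE` and rewrites `r->filename` before `rc = proxy_fixup(r);`, and the `if (rc != OK)` path returns with both still changed, so a declined request is handed on in its rewritten form. apache2-CVE-2024-38473-2.patch replaces this block and restores both fields on failure, so this file is only safe as part of the full series. A comment above Patch26 in the spec, for example `# CVE-2024-38473 patches 1-4 depend on each other and must be applied together, in order`, would keep someone from carrying this patch alone. The body of proxy_handler continues outside the hunk.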
@@ -0,0 +1,208 @@
+From 6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Wed, 26 Jun 2024 14:51:32 +0000
+Subject: [PATCH] mod_proxy: Fixup UDS filename for mod_proxy called through
+ r->handler.
+
+* modules/proxy/proxy_util.c:
+ Export ap_proxy_fixup_uds_filename() from fix_uds_filename.
+ Call it from ap_proxy_pre_request() even for rewritten balancer workers.
+
+* modules/proxy/mod_proxy.h:
+ Declare ap_proxy_fixup_uds_filename()
+
+* modules/proxy/mod_proxy.c:
+ Fixup UDS filename from r->handler in proxy_handler().
+
+* include/ap_mmn.h:
+ Bump MMN minor for ap_proxy_fixup_uds_filename()
+
+
+mod_proxy: follow up to r1918626: Simplify ap_proxy_fixup_uds_filename() and callers.
+
+
+Merges r1918626, r1918647 from trunk
+GH: closes #457
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918666 13f79535-47bb-0310-9956-ffa450edef68
+---
+ include/ap_mmn.h | 3 ++-
+ modules/proxy/mod_proxy.c | 33 ++++++++++++++++++------------
+ modules/proxy/mod_proxy.h | 8 ++++++++
+ modules/proxy/proxy_util.c | 41 ++++++++++++++++++++++----------------
+ 4 files changed, 54 insertions(+), 31 deletions(-)
+
+Index: httpd-2.4.58/modules/proxy/mod_proxy.c
+===================================================================
+--- httpd-2.4.58.orig/modules/proxy/mod_proxy.c
++++ httpd-2.4.58/modules/proxy/mod_proxy.c
+@@ -1227,6 +1227,7 @@ static int proxy_fixup(request_rec *r)
+
+ return OK; /* otherwise; we've done the best we can */
+ }
++
+ /* Send a redirection if the request contains a hostname which is not */
+ /* fully qualified, i.e. doesn't have a domain name appended. Some proxy */
+ /* servers like Netscape's allow this and access hosts from the local */
+@@ -1280,7 +1281,7 @@ static int proxy_handler(request_rec *r)
+ ap_get_module_config(sconf, &proxy_module);
+ apr_array_header_t *proxies = conf->proxies;
+ struct proxy_remote *ents = (struct proxy_remote *) proxies->elts;
+- int i, rc, access_status;
++ int rc = DECLINED, access_status, i;
+ int direct_connect = 0;
+ const char *str;
+ apr_int64_t maxfwd;
+@@ -1295,22 +1296,28 @@ static int proxy_handler(request_rec *r)
+ return DECLINED;
+ }
+
+- if (!r->proxyreq) {
+- rc = DECLINED;
+- /* We may have forced the proxy handler via config or .htaccess */
+- if (r->handler &&
+- strncmp(r->handler, "proxy:", 6) == 0 &&
+- strncmp(r->filename, "proxy:", 6) != 0) {
+- r->proxyreq = PROXYREQ_REVERSE;
+- r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
+- /* Still need to fixup/canonicalize r->filename */
++ /* We may have forced the proxy handler via config or .htaccess */
++ if (!r->proxyreq && r->handler && strncmp(r->handler, "proxy:", 6) == 0) {
++ char *old_filename = r->filename;
++
++ r->proxyreq = PROXYREQ_REVERSE;
++ r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
++
++ /* Still need to fixup/canonicalize r->filename */
++ rc = ap_proxy_fixup_uds_filename(r);
++ if (rc <= OK) {
+ rc = proxy_fixup(r);
+ }
+ if (rc != OK) {
+- return rc;
++ r->filename = old_filename;
++ r->proxyreq = 0;
+ }
+- } else if (strncmp(r->filename, "proxy:", 6) != 0) {
+- return DECLINED;
++ }
++ else if (r->proxyreq && strncmp(r->filename, "proxy:", 6) == 0) {
++ rc = OK;
++ }
++ if (rc != OK) {
++ return rc;
+ }
+
+ /* handle max-forwards / OPTIONS / TRACE */
+Index: httpd-2.4.58/modules/proxy/mod_proxy.h
+===================================================================
+--- httpd-2.4.58.orig/modules/proxy/mod_proxy.h
++++ httpd-2.4.58/modules/proxy/mod_proxy.h
+@@ -993,6 +993,14 @@ PROXY_DECLARE(proxy_balancer_shared *) a
+ proxy_balancer *balancer,
+ unsigned int *index);
+
++/*
++ * Strip the UDS part of r->filename if any, and put the UDS path in
++ * r->notes ("uds_path")
++ * @param r current request
++ * @return OK if fixed up, DECLINED if not UDS, or an HTTP_XXX error
++ */
++PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r);
++
+ /**
+ * Get the most suitable worker and/or balancer for the request
+ * @param worker worker used for processing request
+Index: httpd-2.4.58/modules/proxy/proxy_util.c
+===================================================================
+--- httpd-2.4.58.orig/modules/proxy/proxy_util.c
++++ httpd-2.4.58/modules/proxy/proxy_util.c
+@@ -2316,7 +2316,7 @@ static int ap_proxy_retry_worker(const c
+ * were passed a UDS url (eg: from mod_proxy) and adjust uds_path
+ * as required.
+ */
+-static int fix_uds_filename(request_rec *r, char **url)
++PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r)
+ {
+ char *uds_url = r->filename + 6, *origin_url;
+
+@@ -2324,7 +2324,6 @@ static int fix_uds_filename(request_rec
+ !ap_cstr_casecmpn(uds_url, "unix:", 5) &&
+ (origin_url = ap_strchr(uds_url + 5, '|'))) {
+ char *uds_path = NULL;
+- apr_size_t url_len;
+ apr_uri_t urisock;
+ apr_status_t rv;
+
+@@ -2339,20 +2338,20 @@ static int fix_uds_filename(request_rec
+ if (!uds_path) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
+ "Invalid proxy UDS filename (%s)", r->filename);
+- return 0;
++ return HTTP_BAD_REQUEST;
+ }
+ apr_table_setn(r->notes, "uds_path", uds_path);
+
+- /* Remove the UDS path from *url and r->filename */
+- url_len = strlen(origin_url);
+- *url = apr_pstrmemdup(r->pool, origin_url, url_len);
+- memcpy(uds_url, *url, url_len + 1);
+-
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+- "*: rewrite of url due to UDS(%s): %s (%s)",
+- uds_path, *url, r->filename);
++ "*: fixup UDS from %s: %s (%s)",
++ r->filename, origin_url, uds_path);
++
++ /* Overwrite the UDS part in place */
++ memmove(uds_url, origin_url, strlen(origin_url) + 1);
++ return OK;
+ }
+- return 1;
++
++ return DECLINED;
+ }
+
+ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
+@@ -2371,9 +2370,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
+ "%s: found worker %s for %s",
+ (*worker)->s->scheme, (*worker)->s->name_ex, *url);
+- if (!forward && !fix_uds_filename(r, url)) {
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+ access_status = OK;
+ }
+ else if (forward) {
+@@ -2403,9 +2399,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
+ * regarding the Connection header in the request.
+ */
+ apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
+- if (!fix_uds_filename(r, url)) {
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+ }
+ }
+ }
+@@ -2415,6 +2408,20 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
+ "all workers are busy. Unable to serve %s", *url);
+ access_status = HTTP_SERVICE_UNAVAILABLE;
+ }
++
++ if (access_status == OK && r->proxyreq == PROXYREQ_REVERSE) {
++ int rc = ap_proxy_fixup_uds_filename(r);
++ if (ap_is_HTTP_ERROR(rc)) {
++ return rc;
++ }
++ /* If the URL has changed in r->filename, take everything after
++ * the "proxy:" prefix.
++ */
++ if (rc == OK) {
++ *url = apr_pstrdup(r->pool, r->filename + 6);
++ }
++ }
++
+ return access_status;
+ }
+
diff --git a/apache2-CVE-2024-38473-3.patch b/apache2-CVE-2024-38473-3.patch
new file mode 100644
index 0000000..f24bb61
--- /dev/null
+++ b/apache2-CVE-2024-38473-3.patch
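Review bot: The comment added above `ap_proxy_fixup_uds_filename()` in the mod_proxy.h hunk opens with `/*` while the neighbouring declaration uses `/**`, and it omits what a caller of the now-exported function needs to know. In proxy_util.c the function computes `r->filename + 6` before any prefix check visible here (the first line of the `if` lies between the hunks) and then overwrites the string with `memmove`, so it presumably requires a non-NULL, writable `r->filename`. I would make it a `/**` block and add `@note r->filename must be non-NULL and is modified in place`. Separately, the patch message and diffstat list `include/ap_mmn.h`, but this file contains no ap_mmn.h section, and the same holds for apache2-CVE-2024-38473-4.patch; if the bump was dropped on purpose, a line in the patch header saying so would keep the backport auditable against upstream.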
@@ -0,0 +1,51 @@
+From cc00cf6b4e37370897daddc307bf1deecf8fedfa Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Tue, 25 Jun 2024 20:20:05 +0000
+Subject: [PATCH] Merge r1918623 from trunk:
+
+fix comparison of local path on Windows
+
+Submitted By: Yann Ylavic
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918625 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/mappers/mod_rewrite.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 46ea16c8c64..e0390768267 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -653,6 +653,19 @@ static unsigned is_absolute_uri(char *uri, int *supportsqs)
+ return 0;
+ }
+
++static int is_absolute_path(const char *path)
++{
++#ifndef WIN32
++ return (path[0] == '/');
++#else
++#define IS_SLASH(c) ((c) == '/' || (c) == '\\')
++ /* "//", "\\", "x:/" and "x:\" are absolute paths on Windows */
++ return ((IS_SLASH(path[0]) && path[1] == path[0])
++ || (apr_isalpha(path[0]) && path[1] == ':' && IS_SLASH(path[2])));
++#undef IS_SLASH
++#endif
++}
++
+ static const char c2x_table[] = "0123456789abcdef";
+
+ static APR_INLINE unsigned char *c2x(unsigned what, unsigned char prefix,
+@@ -4351,7 +4364,9 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
+ * (1) it's an absolute URL path and
+ * (2) it's a full qualified URL
+ */
+- if (!is_proxyreq && *newuri != '/' && !is_absolute_uri(newuri, NULL)) {
++ if (!is_proxyreq
++ && !is_absolute_path(newuri)
++ && !is_absolute_uri(newuri, NULL)) {
+ if (ctx->perdir) {
+ rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
+ newuri, ctx->perdir, newuri));
diff --git a/apache2-CVE-2024-38473-4.patch b/apache2-CVE-2024-38473-4.patch
new file mode 100644
index 0000000..cfa0b06
--- /dev/null
+++ b/apache2-CVE-2024-38473-4.patch
@@ -0,0 +1,187 @@
+From 4326d6b9041a3bcb9b529f9163d0761c2d760700 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Wed, 26 Jun 2024 14:56:47 +0000
+Subject: [PATCH] factor out IS_SLASH, perdir fix
+
+in per-dir, the filename will be internally redirected, so / is OK too.
+
+
+don't add / to / in the non-perdir
+
+
+match AP_IS_SLASH macro
+
+followup to 1918651
+
+
+Merges r1918651, r1918652, r1918663 from trunk
+Reviewed by: covener, ylavic, rpluem
+GH: close #458
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918668 13f79535-47bb-0310-9956-ffa450edef68
+---
+ include/ap_mmn.h | 3 ++-
+ include/httpd.h | 11 +++++++++++
+ modules/mappers/mod_rewrite.c | 11 ++++-------
+ server/util.c | 31 ++++++++++---------------------
+ 4 files changed, 27 insertions(+), 29 deletions(-)
+
+Index: httpd-2.4.58/include/httpd.h
+===================================================================
+--- httpd-2.4.58.orig/include/httpd.h
++++ httpd-2.4.58/include/httpd.h
+@@ -2663,6 +2663,17 @@ AP_DECLARE(const char *)ap_dir_fnmatch(a
+ */
+ AP_DECLARE(int) ap_is_chunked(apr_pool_t *p, const char *line);
+
++/* Win32/NetWare/OS2 need to check for both forward and back slashes
++ * in ap_normalize_path() and ap_escape_url().
++ */
++#ifdef CASE_BLIND_FILESYSTEM
++#define AP_IS_SLASH(s) ((s == '/') || (s == '\\'))
++#define AP_SLASHES "/\\"
++#else
++#define AP_IS_SLASH(s) (s == '/')
++#define AP_SLASHES "/"
++#endif
++
+ #ifdef __cplusplus
+ }
+ #endif
+Index: httpd-2.4.58/modules/mappers/mod_rewrite.c
+===================================================================
+--- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c
++++ httpd-2.4.58/modules/mappers/mod_rewrite.c
+@@ -655,14 +655,11 @@ static unsigned is_absolute_uri(char *ur
+
+ static int is_absolute_path(const char *path)
+ {
+-#ifndef WIN32
++#ifndef CASE_BLIND_FILESYSTEM
+ return (path[0] == '/');
+ #else
+-#define IS_SLASH(c) ((c) == '/' || (c) == '\\')
+- /* "//", "\\", "x:/" and "x:\" are absolute paths on Windows */
+- return ((IS_SLASH(path[0]) && path[1] == path[0])
+- || (apr_isalpha(path[0]) && path[1] == ':' && IS_SLASH(path[2])));
+-#undef IS_SLASH
++ return ((AP_IS_SLASH(path[0]) && path[1] == path[0])
++ || (apr_isalpha(path[0]) && path[1] == ':' && AP_IS_SLASH(path[2])));
+ #endif
+ }
+
+@@ -4366,11 +4363,11 @@ static rule_return_type apply_rewrite_ru
+ */
+ if (!is_proxyreq
+ && !is_absolute_path(newuri)
++ && !AP_IS_SLASH(*newuri)
+ && !is_absolute_uri(newuri, NULL)) {
+ if (ctx->perdir) {
+ rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
+ newuri, ctx->perdir, newuri));
+-
+ newuri = apr_pstrcat(r->pool, ctx->perdir, newuri, NULL);
+ }
+ else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) {
+Index: httpd-2.4.58/server/util.c
+===================================================================
+--- httpd-2.4.58.orig/server/util.c
++++ httpd-2.4.58/server/util.c
+@@ -75,17 +75,6 @@
+ */
+ #include "test_char.h"
+
+-/* Win32/NetWare/OS2 need to check for both forward and back slashes
+- * in ap_normalize_path() and ap_escape_url().
+- */
+-#ifdef CASE_BLIND_FILESYSTEM
+-#define IS_SLASH(s) ((s == '/') || (s == '\\'))
+-#define SLASHES "/\\"
+-#else
+-#define IS_SLASH(s) (s == '/')
+-#define SLASHES "/"
+-#endif
+-
+ /* we know core's module_index is 0 */
+ #undef APLOG_MODULE_INDEX
+ #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
+@@ -492,7 +481,7 @@ AP_DECLARE(apr_status_t) ap_pregsub_ex(a
+ /* Forward declare */
+ static char x2c(const char *what);
+
+-#define IS_SLASH_OR_NUL(s) (s == '\0' || IS_SLASH(s))
++#define IS_SLASH_OR_NUL(s) (s == '\0' || AP_IS_SLASH(s))
+
+ /*
+ * Inspired by mod_jk's jk_servlet_normalize().
+@@ -504,7 +493,7 @@ AP_DECLARE(int) ap_normalize_path(char *
+ int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;
+ int merge_slashes = (flags & AP_NORMALIZE_MERGE_SLASHES) != 0;
+
+- if (!IS_SLASH(path[0])) {
++ if (!AP_IS_SLASH(path[0])) {
+ /* Besides "OPTIONS *", a request-target should start with '/'
+ * per RFC 7230 section 5.3, so anything else is invalid.
+ */
+@@ -545,12 +534,12 @@ AP_DECLARE(int) ap_normalize_path(char *
+ }
+ }
+
+- if (w == 0 || IS_SLASH(path[w - 1])) {
++ if (w == 0 || AP_IS_SLASH(path[w - 1])) {
+ /* Collapse ///// sequences to / */
+- if (merge_slashes && IS_SLASH(path[l])) {
++ if (merge_slashes && AP_IS_SLASH(path[l])) {
+ do {
+ l++;
+- } while (IS_SLASH(path[l]));
++ } while (AP_IS_SLASH(path[l]));
+ continue;
+ }
+
+@@ -579,7 +568,7 @@ AP_DECLARE(int) ap_normalize_path(char *
+ if (w > 1) {
+ do {
+ w--;
+- } while (w && !IS_SLASH(path[w - 1]));
++ } while (w && !AP_IS_SLASH(path[w - 1]));
+ }
+ else {
+ /* Already at root, ignore and return a failure
+@@ -1915,7 +1904,7 @@ static int unescape_url(char *url, const
+ char decoded;
+ decoded = x2c(y + 1);
+ if ((decoded == '\0')
+- || (forbid_slashes && IS_SLASH(decoded))
++ || (forbid_slashes && AP_IS_SLASH(decoded))
+ || (forbid && ap_strchr_c(forbid, decoded))) {
+ badpath = 1;
+ *x = decoded;
+@@ -1923,7 +1912,7 @@ static int unescape_url(char *url, const
+ }
+ else if ((keep_unreserved && TEST_CHAR(decoded,
+ T_URI_UNRESERVED))
+- || (keep_slashes && IS_SLASH(decoded))
++ || (keep_slashes && AP_IS_SLASH(decoded))
+ || (reserved && ap_strchr_c(reserved, decoded))) {
+ *x++ = *y++;
+ *x++ = *y++;
+@@ -1950,7 +1939,7 @@ static int unescape_url(char *url, const
+ AP_DECLARE(int) ap_unescape_url(char *url)
+ {
+ /* Traditional */
+- return unescape_url(url, SLASHES, NULL, 0);
++ return unescape_url(url, AP_SLASHES, NULL, 0);
+ }
+ AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes)
+ {
+@@ -1960,7 +1949,7 @@ AP_DECLARE(int) ap_unescape_url_keep2f(c
+ return unescape_url(url, NULL, NULL, 0);
+ } else {
+ /* reserve (do not decode) encoded slashes */
+- return unescape_url(url, NULL, SLASHES, 0);
++ return unescape_url(url, NULL, AP_SLASHES, 0);
+ }
+ }
+ AP_DECLARE(int) ap_unescape_url_ex(char *url, unsigned int flags)
diff --git a/apache2-CVE-2024-38474.patch b/apache2-CVE-2024-38474.patch
new file mode 100644
index 0000000..f582438
--- /dev/null
+++ b/apache2-CVE-2024-38474.patch
@@ -0,0 +1,17 @@
+Index: httpd-2.4.58/modules/mappers/mod_rewrite.c
+===================================================================
+--- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c
++++ httpd-2.4.58/modules/mappers/mod_rewrite.c
+@@ -4537,6 +4560,12 @@ static int apply_rewrite_list(request_re
+ return ACTION_STATUS_SET;
+ }
+
++
++ /* Error while evaluating rule, r->status set */
++ if (RULE_RC_STATUS_SET == rc) {
++ return ACTION_STATUS_SET;
++ }
++
+ /*
+ * The rule sets the response code (implies match-only)
+ */
diff --git a/apache2-CVE-2024-39884.patch b/apache2-CVE-2024-39884.patch
new file mode 100644
index 0000000..cc19ea9
--- /dev/null
+++ b/apache2-CVE-2024-39884.patch
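Review bot: `AP_IS_SLASH(s)` in the httpd.h hunk of apache2-CVE-2024-38473-4.patch uses its argument unparenthesized and, under `CASE_BLIND_FILESYSTEM`, evaluates it twice; that was tolerable for a macro private to server/util.c but it now sits in a public header. The local `IS_SLASH(c)` that this patch removes from mod_rewrite.c did parenthesize its argument, and I would carry that over: `#define AP_IS_SLASH(s) (((s) == '/') || ((s) == '\\'))` and `#define AP_IS_SLASH(s) ((s) == '/')`, with a comment that the argument must have no side effects. The call sites visible in this patch all pass side-effect-free expressions, so nothing here is affected today.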
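Review bot: `RULE_RC_STATUS_SET` is tested in the `apply_rewrite_list` hunk of apache2-CVE-2024-38474.patch, but this file neither defines it nor contains the code that would return it, and the hunk offsets (-4537 / +4560) indicate that other changes to mod_rewrite.c are expected to be in place first. If the enum value and its producer in `apply_rewrite_rule` come from an earlier patch in the spec, a short header on this file should say which one, since unlike the CVE-2024-38473 patches it carries no From/Subject/upstream revision. If they do not, the added branch either cannot be reached or does not compile. The enclosing function continues outside the hunk.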
@@ -0,0 +1,266 @@ +Index: httpd-2.4.58/modules/cluster/mod_heartmonitor.c +=================================================================== +--- httpd-2.4.58.orig/modules/cluster/mod_heartmonitor.c ++++ httpd-2.4.58/modules/cluster/mod_heartmonitor.c +@@ -782,7 +782,7 @@ static int hm_handler(request_rec *r) + hmserver.seen = apr_time_now(); + hm_update_stat(ctx, &hmserver, r->pool); + +- ap_set_content_type(r, "text/plain"); ++ ap_set_content_type_ex(r, "text/plain", 1); + ap_set_content_length(r, 2); + ap_rputs("OK", r); + ap_rflush(r); +Index: httpd-2.4.58/modules/dav/main/mod_dav.c +=================================================================== +--- httpd-2.4.58.orig/modules/dav/main/mod_dav.c ++++ httpd-2.4.58/modules/dav/main/mod_dav.c +@@ -355,7 +355,7 @@ static int dav_error_response(request_re + r->status = status; + r->status_line = ap_get_status_line(status); + +- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); ++ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); + + /* begin the response now... */ + ap_rvputs(r, +@@ -386,7 +386,7 @@ static int dav_error_response_tag(reques + { + r->status = err->status; + +- ap_set_content_type(r, DAV_XML_CONTENT_TYPE); ++ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); + + ap_rputs(DAV_XML_HEADER DEBUG_CR + "status = status; +- ap_set_content_type(r, DAV_XML_CONTENT_TYPE); ++ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); + + /* Send the headers and actual multistatus response now... 
*/ + ap_fputs(r->output_filters, bb, DAV_XML_HEADER DEBUG_CR +@@ -2016,7 +2016,7 @@ static int dav_method_options(request_re + + /* send the options response */ + r->status = HTTP_OK; +- ap_set_content_type(r, DAV_XML_CONTENT_TYPE); ++ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); + + /* send the headers and response body */ + ap_rputs(DAV_XML_HEADER DEBUG_CR +@@ -3328,7 +3328,7 @@ static int dav_method_lock(request_rec * + (*locks_hooks->close_lockdb)(lockdb); + + r->status = HTTP_OK; +- ap_set_content_type(r, DAV_XML_CONTENT_TYPE); ++ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); + + ap_rputs(DAV_XML_HEADER DEBUG_CR "" DEBUG_CR, r); + if (lock == NULL) +Index: httpd-2.4.58/modules/examples/mod_example_hooks.c +=================================================================== +--- httpd-2.4.58.orig/modules/examples/mod_example_hooks.c ++++ httpd-2.4.58/modules/examples/mod_example_hooks.c +@@ -993,7 +993,7 @@ static int x_handler(request_rec *r) + * Set the Content-type header. Note that we do not actually have to send + * the headers: this is done by the http core. + */ +- ap_set_content_type(r, "text/html"); ++ ap_set_content_type_ex(r, "text/html", 1); + /* + * If we're only supposed to send header information (HEAD request), we're + * already there. 
+Index: httpd-2.4.58/modules/filters/mod_data.c +=================================================================== +--- httpd-2.4.58.orig/modules/filters/mod_data.c ++++ httpd-2.4.58/modules/filters/mod_data.c +@@ -117,7 +117,7 @@ static apr_status_t data_out_filter(ap_f + } + } + +- ap_set_content_type(r, "text/plain"); ++ ap_set_content_type_ex(r, "text/plain", 1); + + } + +Index: httpd-2.4.58/modules/filters/mod_include.c +=================================================================== +--- httpd-2.4.58.orig/modules/filters/mod_include.c ++++ httpd-2.4.58/modules/filters/mod_include.c +@@ -3972,7 +3972,7 @@ static int include_fixup(request_rec *r) + if (r->handler && (strcmp(r->handler, "server-parsed") == 0)) + { + if (!r->content_type || !*r->content_type) { +- ap_set_content_type(r, "text/html"); ++ ap_set_content_type_ex(r, "text/html", 1); + } + r->handler = "default-handler"; + } +Index: httpd-2.4.58/modules/filters/mod_proxy_html.c +=================================================================== +--- httpd-2.4.58.orig/modules/filters/mod_proxy_html.c ++++ httpd-2.4.58/modules/filters/mod_proxy_html.c +@@ -952,7 +952,7 @@ static apr_status_t proxy_html_filter(ap + ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, f->r, APLOGNO(01422) + "No i18n support found. 
Install mod_xml2enc if required"); + enc = XML_CHAR_ENCODING_NONE; +- ap_set_content_type(f->r, "text/html;charset=utf-8"); ++ ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1); + } + else { + /* if we wanted a non-default charset_out, insert the +@@ -968,7 +968,7 @@ static apr_status_t proxy_html_filter(ap + cenc, NULL)); + } + else /* Normal case, everything worked, utf-8 output */ +- ap_set_content_type(f->r, "text/html;charset=utf-8"); ++ ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1); + } + + ap_fputs(f->next, ctxt->bb, ctxt->cfg->doctype); +Index: httpd-2.4.58/modules/generators/mod_cgi.c +=================================================================== +--- httpd-2.4.58.orig/modules/generators/mod_cgi.c ++++ httpd-2.4.58/modules/generators/mod_cgi.c +@@ -1085,7 +1085,7 @@ static apr_status_t include_cgi(include_ + /* Force sub_req to be treated as a CGI request, even if ordinary + * typing rules would have called it something else. + */ +- ap_set_content_type(rr, CGI_MAGIC_TYPE); ++ ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1); + + /* Run it. */ + rr_status = ap_run_sub_req(rr); +Index: httpd-2.4.58/modules/generators/mod_cgid.c +=================================================================== +--- httpd-2.4.58.orig/modules/generators/mod_cgid.c ++++ httpd-2.4.58/modules/generators/mod_cgid.c +@@ -1765,7 +1765,7 @@ static apr_status_t include_cgi(include_ + /* Force sub_req to be treated as a CGI request, even if ordinary + * typing rules would have called it something else. + */ +- ap_set_content_type(rr, CGI_MAGIC_TYPE); ++ ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1); + + /* Run it. 
*/ + rr_status = ap_run_sub_req(rr); +Index: httpd-2.4.58/modules/generators/mod_info.c +=================================================================== +--- httpd-2.4.58.orig/modules/generators/mod_info.c ++++ httpd-2.4.58/modules/generators/mod_info.c +@@ -784,7 +784,7 @@ static int display_info(request_rec * r) + return DECLINED; + } + +- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); ++ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); + + ap_rputs(DOCTYPE_XHTML_1_0T + "\n" +Index: httpd-2.4.58/modules/generators/mod_status.c +=================================================================== +--- httpd-2.4.58.orig/modules/generators/mod_status.c ++++ httpd-2.4.58/modules/generators/mod_status.c +@@ -273,7 +273,7 @@ static int status_handler(request_rec *r + if (r->method_number != M_GET) + return DECLINED; + +- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); ++ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); + + /* + * Simple table-driven form data set parser that lets you alter the header +@@ -301,7 +301,7 @@ static int status_handler(request_rec *r + no_table_report = 1; + break; + case STAT_OPT_AUTO: +- ap_set_content_type(r, "text/plain; charset=ISO-8859-1"); ++ ap_set_content_type_ex(r, "text/plain; charset=ISO-8859-1", 1); + short_report = 1; + break; + } +Index: httpd-2.4.58/modules/http/http_filters.c +=================================================================== +--- httpd-2.4.58.orig/modules/http/http_filters.c ++++ httpd-2.4.58/modules/http/http_filters.c +@@ -1261,7 +1261,7 @@ AP_DECLARE_NONSTD(int) ap_send_http_trac + } + } + +- ap_set_content_type(r, "message/http"); ++ ap_set_content_type_ex(r, "message/http", 1); + + /* Now we recreate the request, and echo it back */ + +Index: httpd-2.4.58/modules/http/http_protocol.c +=================================================================== +--- httpd-2.4.58.orig/modules/http/http_protocol.c ++++ httpd-2.4.58/modules/http/http_protocol.c +@@ 
-1443,10 +1443,10 @@ AP_DECLARE(void) ap_send_error_response( + request_conf->suppress_charset = 1; /* avoid adding default + * charset later + */ +- ap_set_content_type(r, "text/html"); ++ ap_set_content_type_ex(r, "text/html", 1); + } + else { +- ap_set_content_type(r, "text/html; charset=iso-8859-1"); ++ ap_set_content_type_ex(r, "text/html; charset=iso-8859-1", 1); + } + + if ((status == HTTP_METHOD_NOT_ALLOWED) +Index: httpd-2.4.58/modules/ldap/util_ldap.c +=================================================================== +--- httpd-2.4.58.orig/modules/ldap/util_ldap.c ++++ httpd-2.4.58/modules/ldap/util_ldap.c +@@ -171,7 +171,7 @@ static int util_ldap_handler(request_rec + st = (util_ldap_state_t *) ap_get_module_config(r->server->module_config, + &ldap_module); + +- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); ++ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); + + if (r->header_only) + return OK; +Index: httpd-2.4.58/modules/mappers/mod_imagemap.c +=================================================================== +--- httpd-2.4.58.orig/modules/mappers/mod_imagemap.c ++++ httpd-2.4.58/modules/mappers/mod_imagemap.c +@@ -475,7 +475,7 @@ static int imap_reply(request_rec *r, co + + static void menu_header(request_rec *r, char *menu) + { +- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); ++ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); + + ap_rvputs(r, DOCTYPE_HTML_3_2, "\nMenu for ", + ap_escape_html(r->pool, r->uri), +Index: httpd-2.4.58/modules/http/http_request.c +=================================================================== +--- httpd-2.4.58.orig/modules/http/http_request.c ++++ httpd-2.4.58/modules/http/http_request.c +@@ -708,7 +708,7 @@ AP_DECLARE(void) ap_internal_fast_redire + r->args = rr->args; + r->finfo = rr->finfo; + r->handler = rr->handler; +- ap_set_content_type(r, rr->content_type); ++ ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r)); + r->content_encoding = 
rr->content_encoding; + r->content_languages = rr->content_languages; + r->per_dir_config = rr->per_dir_config; +Index: httpd-2.4.58/modules/proxy/mod_proxy_balancer.c +=================================================================== +--- httpd-2.4.58.orig/modules/proxy/mod_proxy_balancer.c ++++ httpd-2.4.58/modules/proxy/mod_proxy_balancer.c +@@ -1471,7 +1471,7 @@ static void balancer_display_page(reques + + if (usexml) { + char date[APR_RFC822_DATE_LEN]; +- ap_set_content_type(r, "text/xml"); ++ ap_set_content_type_ex(r, "text/xml", 1); + ap_rputs("<?xml version='1.0' encoding='UTF-8' ?>\n", r); + ap_rputs("<httpd:manager xmlns:httpd='http://httpd.apache.org'>\n", r); + ap_rputs(" <httpd:balancers>\n", r); diff --git a/apache2.changes b/apache2.changes index 1f32ecb..bd7bbc6 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,23 @@ +------------------------------------------------------------------- +Thu Aug 22 18:37:23 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com> + +- Apply fix for CVE-2024-39884, bsc#1227353. + Patch file added: + * apache2-CVE-2024-39884.patch + +------------------------------------------------------------------- +Wed Aug 14 14:56:03 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com> + +- Apply fix for CVE-2024-38474, bsc#1227278. + Patch file added: + * apache2-CVE-2024-38474.patch +- Apply fix for CVE-2024-38473, bsc#1227276. + Patch files added: + * apache2-CVE-2024-38473-1.patch + * apache2-CVE-2024-38473-2.patch + * apache2-CVE-2024-38473-3.patch + * apache2-CVE-2024-38473-4.patch + ------------------------------------------------------------------- Mon Jul 8 10:53:20 UTC 2024 - David Anes <david.anes@suse.com> diff --git a/apache2.spec b/apache2.spec index 9147883..ea8f77d 100644 --- a/apache2.spec +++ b/apache2.spec 
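Review bot: In the http_request.c hunk of apache2-CVE-2024-39884.patch (`ap_internal_fast_redirect`), the content type is copied from the subrequest but its trust flag is read from the outer request: `ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r));`. Every other call site in this patch passes a literal `1` for a type chosen by server code; here the value comes from `rr`, so its trust state presumably should too, i.e. `ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(rr));`. As written, whether the inherited type counts as trusted depends on what `r` held before the redirect rather than on how `rr` obtained it. Given the issue named in the spec comment (handlers configured via AddType), this line is worth comparing with the current upstream version of the function before shipping; the function body starts and ends outside the hunk.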
@@ -216,6 +216,15 @@ Patch21: apache2-CVE-2024-38476-8.patch
 Patch22: apache2-CVE-2024-38476-9.patch
 Patch23: apache2-CVE-2024-38476-10.patch
 Patch24: apache2-CVE-2024-38476-11.patch
+# FIX-UPSTREAM: CVE-2024-38474, bsc#1227278: Substitution encoding issue in mod_rewrite
+Patch25: apache2-CVE-2024-38474.patch
+# FIX-UPSTREAM: CVE-2024-38473, bsc#1227276: Encoding problem in mod_proxy
+Patch26: apache2-CVE-2024-38473-1.patch
+Patch27: apache2-CVE-2024-38473-2.patch
+Patch28: apache2-CVE-2024-38473-3.patch
+Patch29: apache2-CVE-2024-38473-4.patch
+# FIX-UPSTREAM: CVE-2024-39884, bsc#1227353: source code disclosure with handlers configured via AddType
+Patch30: apache2-CVE-2024-39884.patch
 # PATCH: https://marc.info/?l=apache-httpd-users&m=147448312531134&w=2
 Patch100: apache-test-application-xml-type.patch