Sync from SUSE:SLFO:Main apache2 revision 82cb424ed6b0e811111746feed1311da

Adrian Schröter 2024-08-07 22:02:25 +02:00
parent f2969034e9
commit 81edd98cc2
14 changed files with 302 additions and 55 deletions


@ -1,30 +0,0 @@
commit 62aa64e5aea21dd969db97aded4443c98c0735ac
Author: Eric Covener <covener@apache.org>
Date: Mon Jun 24 17:51:42 2024 +0000
Merge r1918548 from trunk:
mod_http2: early exit if bb is null
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918557 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/modules/http2/h2_c2.c b/modules/http2/h2_c2.c
index a955200944..c65a521ab8 100644
--- a/modules/http2/h2_c2.c
+++ b/modules/http2/h2_c2.c
@@ -370,6 +370,13 @@ static apr_status_t h2_c2_filter_out(ap_filter_t* f, apr_bucket_brigade* bb)
h2_conn_ctx_t *conn_ctx = h2_conn_ctx_get(f->c);
apr_status_t rv;
+ if (bb == NULL) {
+#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1)
+ f->c->data_in_output_filters = 0;
+#endif
+ return APR_SUCCESS;
+ }
+
ap_assert(conn_ctx);
#if AP_HAS_RESPONSE_BUCKETS
if (!conn_ctx->has_final_response) {


@ -0,0 +1,20 @@
--- a/include/http_protocol.h 2024/06/24 17:52:31 1918559
+++ b/include/http_protocol.h 2024/06/24 17:54:34 1918560
@@ -439,6 +439,17 @@
AP_DECLARE(void) ap_set_content_type(request_rec *r, const char *ct);
/**
+ * Set the content type for this request (r->content_type).
+ * @param r The current request
+ * @param ct The new content type
+ * @param trusted If non-zero, The content-type should come from a
+ * trusted source such as server configuration rather
+ * than application output.
+ * for the AddOutputFilterByType directive to work correctly.
+ */
+AP_DECLARE(void) ap_set_content_type_ex(request_rec *r, const char *ct, int trusted);
+
+/**
* Set the Accept-Ranges header for this response
* @param r The current request
*/
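Review bot: The doc comment added for `ap_set_content_type_ex` ends with a dangling fragment, `for the AddOutputFilterByType directive to work correctly.`, that belongs to no sentence, and the `trusted` line has a stray capital in `If non-zero, The content-type`. It also never says what the flag is used for; judging by the other files in this commit, only a trusted type is allowed to select a handler in `server/config.c` and `mod_actions.c`. I would reword the parameter as `@param trusted If non-zero, ct comes from a trusted source such as server configuration rather than application output; only a trusted type may be used to select a handler.` and either drop the fragment or turn it into a complete `@note`.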


@ -0,0 +1,11 @@
--- a/server/config.c 2024/06/24 17:52:31 1918559
+++ b/server/config.c 2024/06/24 17:54:34 1918560
@@ -418,7 +418,7 @@
}
if (!r->handler) {
- if (r->content_type) {
+ if (r->content_type && AP_REQUEST_IS_TRUSTED_CT(r)) {
handler = r->content_type;
if ((p=ap_strchr_c(handler, ';')) != NULL) {
char *new_handler = (char *)apr_pmemdup(r->pool, handler,
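Review bot: The new `AP_REQUEST_IS_TRUSTED_CT(r)` test inside the `if (!r->handler)` branch carries no comment, so a reader cannot tell why a non-NULL `r->content_type` is sometimes ignored as a handler name. I would add above it `/* Only a content type set with ap_set_content_type_ex(..., 1), i.e. from configuration, may pick the handler; application or backend output must not. */`. The same guard is added without explanation in the `mod_actions.c` file of this commit. The enclosing function starts and ends outside the hunk, so what happens to a request whose type is skipped here cannot be checked from this page.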


@ -0,0 +1,11 @@
--- a/server/core.c 2024/06/24 17:52:31 1918559
+++ b/server/core.c 2024/06/24 17:54:34 1918560
@@ -4835,7 +4835,7 @@
/* Check for overrides with ForceType / SetHandler
*/
if (conf->mime_type && strcmp(conf->mime_type, "none"))
- ap_set_content_type(r, (char*) conf->mime_type);
+ ap_set_content_type_ex(r, (char*) conf->mime_type, 1);
if (conf->expr_handler) {
const char *err;
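Review bot: The `(char*)` cast in `ap_set_content_type_ex(r, (char*) conf->mime_type, 1);` looks unnecessary, because the prototype added in `include/http_protocol.h` takes `const char *ct`; a cast here can only hide a qualifier or type mismatch if the field ever changes. `ap_set_content_type_ex(r, conf->mime_type, 1);` says the same thing, and the `(char*) type` call in the `mod_mime.c` file has the same cast. Since this statement now decides a security-relevant flag, I would also put braces around the `if` body.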


@ -0,0 +1,23 @@
--- a/include/httpd.h 2024/06/24 17:52:31 1918559
+++ b/include/httpd.h 2024/06/24 17:54:34 1918560
@@ -667,6 +667,7 @@
*
*/
#define AP_REQUEST_STRONG_ETAG 1 >> 0
+#define AP_REQUEST_TRUSTED_CT 1 << 1
/**
* This is a convenience macro to ease with getting specific request
@@ -689,6 +690,12 @@
AP_REQUEST_GET_BNOTE((r), AP_REQUEST_STRONG_ETAG)
/** @} */
+/**
+ * Returns true if the content-type field is from a trusted source
+ */
+#define AP_REQUEST_IS_TRUSTED_CT(r) \
+ (!!AP_REQUEST_GET_BNOTE((r), AP_REQUEST_TRUSTED_CT))
+/** @} */
/**
* @defgroup module_magic Module Magic mime types
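Review bot: `#define AP_REQUEST_TRUSTED_CT 1 << 1` expands to an unparenthesized expression, so its value depends on the operators around each use; `~AP_REQUEST_TRUSTED_CT`, for example, would parse as `(~1) << 1`. The uses visible in this commit (as a macro argument and in `trusted ? AP_REQUEST_TRUSTED_CT : 0`) happen to parse as intended, but a flag that gates handler selection should not rely on that: `#define AP_REQUEST_TRUSTED_CT (1 << 1)`. The second hunk also adds another `/** @} */` after the new macro although the line just above it already closes a group, which looks like one group-close too many for Doxygen; the group opener is outside the hunk, so this should be confirmed against the full header.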


@ -0,0 +1,17 @@
--- a/modules/http/http_protocol.c 2024/06/24 17:52:31 1918559
+++ b/modules/http/http_protocol.c 2024/06/24 17:54:34 1918560
@@ -1097,8 +1097,14 @@
}
else if (!r->content_type || strcmp(r->content_type, ct)) {
r->content_type = ct;
+ AP_REQUEST_SET_BNOTE(r, AP_REQUEST_TRUSTED_CT, 0);
}
}
+AP_DECLARE(void) ap_set_content_type_ex(request_rec *r, const char *ct, int trusted)
+{
+ ap_set_content_type(r, ct);
+ AP_REQUEST_SET_BNOTE(r, AP_REQUEST_TRUSTED_CT, trusted ? AP_REQUEST_TRUSTED_CT : 0);
+}
AP_DECLARE(void) ap_set_accept_ranges(request_rec *r)
{
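Review bot: `ap_set_content_type_ex` has no comment, and its correctness depends on statement order: `ap_set_content_type` now clears `AP_REQUEST_TRUSTED_CT` when the value changes, so the flag has to be written after that call. I would add `/* ap_set_content_type() resets the trusted flag on change, so set it afterwards. */` above the second statement. The reset sits only in the `else if` branch for a changed value, and the start of `ap_set_content_type` is outside this hunk; whether its other branch, or code that assigns `r->content_type` directly, can leave a stale trusted flag cannot be confirmed from here and is worth checking.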


@ -0,0 +1,70 @@
--- a/modules/http/mod_mime.c 2024/06/24 17:52:31 1918559
+++ b/modules/http/mod_mime.c 2024/06/24 17:54:34 1918560
@@ -759,7 +759,7 @@
int found_metadata = 0;
if (r->finfo.filetype == APR_DIR) {
- ap_set_content_type(r, DIR_MAGIC_TYPE);
+ ap_set_content_type_ex(r, DIR_MAGIC_TYPE, 1);
return OK;
}
@@ -850,7 +850,7 @@
if (exinfo == NULL || !exinfo->forced_type) {
if ((type = apr_hash_get(mime_type_extensions, ext,
APR_HASH_KEY_STRING)) != NULL) {
- ap_set_content_type(r, (char*) type);
+ ap_set_content_type_ex(r, (char*) type, 1);
found = 1;
}
}
@@ -859,7 +859,7 @@
/* empty string is treated as special case for RemoveType */
if (exinfo->forced_type && *exinfo->forced_type) {
- ap_set_content_type(r, exinfo->forced_type);
+ ap_set_content_type_ex(r, exinfo->forced_type, 1);
found = 1;
}
@@ -964,33 +964,33 @@
memcpy(tmp, ctp->subtype, ctp->subtype_len);
tmp += ctp->subtype_len;
*tmp = 0;
- ap_set_content_type(r, base_content_type);
+ ap_set_content_type_ex(r, base_content_type, AP_REQUEST_IS_TRUSTED_CT(r));
while (pp != NULL) {
if (charset && !strcmp(pp->attr, "charset")) {
if (!override) {
- ap_set_content_type(r,
+ ap_set_content_type_ex(r,
apr_pstrcat(r->pool,
r->content_type,
"; charset=",
charset,
- NULL));
+ NULL), AP_REQUEST_IS_TRUSTED_CT(r));
override = 1;
}
}
else {
- ap_set_content_type(r,
+ ap_set_content_type_ex(r,
apr_pstrcat(r->pool,
r->content_type,
"; ", pp->attr,
"=", pp->val,
- NULL));
+ NULL), AP_REQUEST_IS_TRUSTED_CT(r));
}
pp = pp->next;
}
if (charset && !override) {
- ap_set_content_type(r, apr_pstrcat(r->pool, r->content_type,
+ ap_set_content_type_ex(r, apr_pstrcat(r->pool, r->content_type,
"; charset=", charset,
- NULL));
+ NULL), AP_REQUEST_IS_TRUSTED_CT(r));
}
}
}
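Review bot: In the last hunk each of the four rebuilt content types is passed `AP_REQUEST_IS_TRUSTED_CT(r)` re-read from `r` at the call, which is correct only because the argument is evaluated before `ap_set_content_type` resets the flag inside the callee. Reading it once before the first call, `int trusted_ct = AP_REQUEST_IS_TRUSTED_CT(r);`, and passing `trusted_ct` to all four calls makes the intent (keep the trust level of the type being normalised) explicit and independent of that ordering. The enclosing function begins and ends outside the hunk.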


@ -0,0 +1,15 @@
--- a/modules/mappers/mod_actions.c 2024/06/24 17:52:31 1918559
+++ b/modules/mappers/mod_actions.c 2024/06/24 17:54:34 1918560
@@ -182,8 +182,10 @@
return DECLINED;
/* Second, check for actions (which override the method scripts) */
- action = r->handler ? r->handler :
- ap_field_noparam(r->pool, r->content_type);
+ action = r->handler;
+ if (!action && AP_REQUEST_IS_TRUSTED_CT(r)) {
+ action = ap_field_noparam(r->pool, r->content_type);
+ }
if (action && (t = apr_table_get(conf->action_types, action))) {
int virtual = (*t++ == '0' ? 0 : 1);


@ -0,0 +1,29 @@
--- a/modules/mappers/mod_negotiation.c 2024/06/24 17:52:31 1918559
+++ b/modules/mappers/mod_negotiation.c 2024/06/24 17:54:34 1918560
@@ -1167,7 +1167,7 @@
* might be doing.
*/
if (sub_req->handler && !sub_req->content_type) {
- ap_set_content_type(sub_req, CGI_MAGIC_TYPE);
+ ap_set_content_type_ex(sub_req, CGI_MAGIC_TYPE, 1);
}
/*
@@ -3003,14 +3003,14 @@
/* set MIME type and charset as negotiated */
if (best->mime_type && *best->mime_type) {
if (best->content_charset && *best->content_charset) {
- ap_set_content_type(r, apr_pstrcat(r->pool,
+ ap_set_content_type_ex(r, apr_pstrcat(r->pool,
best->mime_type,
"; charset=",
best->content_charset,
- NULL));
+ NULL), 1);
}
else {
- ap_set_content_type(r, apr_pstrdup(r->pool, best->mime_type));
+ ap_set_content_type_ex(r, apr_pstrdup(r->pool, best->mime_type), 1);
}
}


@ -0,0 +1,11 @@
--- a/modules/mappers/mod_rewrite.c 2024/06/24 17:52:31 1918559
+++ b/modules/mappers/mod_rewrite.c 2024/06/24 17:54:34 1918560
@@ -5333,7 +5333,7 @@
rewritelog((r, 1, NULL, "force filename %s to have MIME-type '%s'",
r->filename, t));
- ap_set_content_type(r, t);
+ ap_set_content_type_ex(r, t, 1);
}
/* handler */


@ -0,0 +1,28 @@
--- a/modules/metadata/mod_headers.c 2024/06/24 17:52:31 1918559
+++ b/modules/metadata/mod_headers.c 2024/06/24 17:54:34 1918560
@@ -783,14 +783,14 @@
break;
case hdr_set:
if (!ap_cstr_casecmp(hdr->header, "Content-Type")) {
- ap_set_content_type(r, process_tags(hdr, r));
+ ap_set_content_type_ex(r, process_tags(hdr, r), 1);
}
apr_table_setn(headers, hdr->header, process_tags(hdr, r));
break;
case hdr_setifempty:
if (NULL == apr_table_get(headers, hdr->header)) {
if (!ap_cstr_casecmp(hdr->header, "Content-Type")) {
- ap_set_content_type(r, process_tags(hdr, r));
+ ap_set_content_type_ex(r, process_tags(hdr, r), 1);
}
apr_table_setn(headers, hdr->header, process_tags(hdr, r));
}
@@ -809,7 +809,7 @@
const char *repl = process_regexp(hdr, r->content_type, r);
if (repl == NULL)
return 0;
- ap_set_content_type(r, repl);
+ ap_set_content_type_ex(r, repl, 1);
}
if (apr_table_get(headers, hdr->header)) {
edit_do ed;
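Review bot: In the third hunk `repl` is derived from the current `r->content_type` by `process_regexp`, yet it is stored with `trusted` hard-coded to 1, so a type that was untrusted before the edit is marked trusted afterwards. Unless that upgrade is intended, carry the existing flag over the way the `mod_mime.c` file does: `ap_set_content_type_ex(r, repl, AP_REQUEST_IS_TRUSTED_CT(r));`. In the `hdr_set` and `hdr_setifempty` cases `process_tags(hdr, r)` is also evaluated twice for the same header; storing the result in a local guarantees the value marked trusted is the one placed in the table. The enclosing function is outside the hunks.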


@ -0,0 +1,20 @@
--- a/modules/metadata/mod_mime_magic.c 2024/06/24 17:52:31 1918559
+++ b/modules/metadata/mod_mime_magic.c 2024/06/24 17:54:34 1918560
@@ -788,7 +788,7 @@
/* XXX: this could be done at config time I'm sure... but I'm
* confused by all this magic_rsl stuff. -djg */
ap_content_type_tolower(tmp);
- ap_set_content_type(r, tmp);
+ ap_set_content_type_ex(r, tmp, 1);
if (state == rsl_encoding) {
tmp = rsl_strdup(r, encoding_frag,
@@ -2326,7 +2326,7 @@
/* extract content type/encoding/language from sub-request */
if (sub->content_type) {
- ap_set_content_type(r, apr_pstrdup(r->pool, sub->content_type));
+ ap_set_content_type_ex(r, apr_pstrdup(r->pool, sub->content_type), 1);
#if MIME_MAGIC_DEBUG
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01557)
MODNAME ": subrequest %s got %s",
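Review bot: The second hunk copies `sub->content_type` from a sub-request and marks it trusted unconditionally; the sub-request's own flag is never consulted. If `sub` can carry a type that was set untrusted, passing its flag instead of `1` would preserve that: `ap_set_content_type_ex(r, apr_pstrdup(r->pool, sub->content_type), AP_REQUEST_IS_TRUSTED_CT(sub));`. How `sub` is created is outside the hunk, so trust may already be guaranteed there; if so, a one-line comment saying that would settle the question for the next reader.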


@ -1,10 +1,3 @@
-------------------------------------------------------------------
Wed Jul 17 04:59:12 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Security fix:
- CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2
* Added apache2-CVE-2024-36387.patch
-------------------------------------------------------------------
Mon Jul 8 10:53:20 UTC 2024 - David Anes <david.anes@suse.com>
@ -17,6 +10,20 @@ Mon Jul 8 10:53:20 UTC 2024 - David Anes <david.anes@suse.com>
* Added apache2-CVE-2024-38475-1.patch
* Added apache2-CVE-2024-38475-2.patch
* Added apache2-CVE-2024-38475-3.patch
- CVE-2024-38476, bsc#1227269: Server may use exploitable/malicious
backend application output to run local handlers via internal
redirect
* Added apache2-CVE-2024-38476-1.patch
* Added apache2-CVE-2024-38476-2.patch
* Added apache2-CVE-2024-38476-3.patch
* Added apache2-CVE-2024-38476-4.patch
* Added apache2-CVE-2024-38476-5.patch
* Added apache2-CVE-2024-38476-6.patch
* Added apache2-CVE-2024-38476-7.patch
* Added apache2-CVE-2024-38476-8.patch
* Added apache2-CVE-2024-38476-9.patch
* Added apache2-CVE-2024-38476-10.patch
* Added apache2-CVE-2024-38476-11.patch
-------------------------------------------------------------------
Thu Jun 13 16:50:39 UTC 2024 - pgajdos@suse.com


@ -181,9 +181,42 @@ Patch2: apache2-logresolve-tmp-security.patch
Patch3: apache2-LimitRequestFieldSize-limits-headers.patch
# [fate317766] backport of an upstream commit
Patch4: apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch
# FIX-UPSTREAM: CVE-2024-39573, bsc#1227271: potential SSRF in mod_rewrite
# - https://svn.apache.org/viewvc?view=revision&revision=1918600
Patch5: apache2-CVE-2024-39573.patch
# CVE-2023-38709 [bsc#1222330], HTTP response splitting
Patch6: apache2-CVE-2023-38709.patch
# CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Patch7: apache2-CVE-2024-27316.patch
# CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
Patch8: apache2-CVE-2024-24795.patch
# https://github.com/apache/httpd/pull/444/commits/c2fffd29b0f58bdc9caaaff4fec68e17a676f182
Patch9: apache2-issue-444.patch
# FIX-UPSTREAM: CVE-2024-38477, bsc#1227270: null pointer dereference in mod_proxy
# - https://svn.apache.org/viewvc?view=revision&revision=1918607
Patch10: apache2-CVE-2024-38477.patch
# FIX-UPSTREAM: CVE-2024-38475, bsc#1227268: Improper escaping of output in mod_rewrite
# - https://svn.apache.org/viewvc?view=revision&revision=1918561
Patch11: apache2-CVE-2024-38475-1.patch
Patch12: apache2-CVE-2024-38475-2.patch
Patch13: apache2-CVE-2024-38475-3.patch
# FIX-UPSTREAM: CVE-2024-38476, bsc#1227269: Server may use exploitable/malicious
# backend application output to run local handlers via internal
# redirect
# - https://svn.apache.org/viewvc?view=revision&revision=1918560
Patch14: apache2-CVE-2024-38476-1.patch
Patch15: apache2-CVE-2024-38476-2.patch
Patch16: apache2-CVE-2024-38476-3.patch
Patch17: apache2-CVE-2024-38476-4.patch
Patch18: apache2-CVE-2024-38476-5.patch
Patch19: apache2-CVE-2024-38476-6.patch
Patch20: apache2-CVE-2024-38476-7.patch
Patch21: apache2-CVE-2024-38476-8.patch
Patch22: apache2-CVE-2024-38476-9.patch
Patch23: apache2-CVE-2024-38476-10.patch
Patch24: apache2-CVE-2024-38476-11.patch
# PATCH: https://marc.info/?l=apache-httpd-users&m=147448312531134&w=2
Patch100: apache-test-application-xml-type.patch
# PATCH: /test_ssl_var_lookup?SSL_SERVER_SAN_DNS_0 returns <build-host-name>
@ -193,24 +226,6 @@ Patch100: apache-test-application-xml-type.patch
# even if in live system I do not experience this inconsistency, let's turn off
# these variables from the test
Patch101: apache-test-turn-off-variables-in-ssl-var-lookup.patch
# CVE-2023-38709 [bsc#1222330], HTTP response splitting
Patch102: apache2-CVE-2023-38709.patch
# CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Patch103: apache2-CVE-2024-27316.patch
# CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
Patch104: apache2-CVE-2024-24795.patch
# https://github.com/apache/httpd/pull/444/commits/c2fffd29b0f58bdc9caaaff4fec68e17a676f182
Patch105: apache2-issue-444.patch
# FIX-UPSTREAM: CVE-2024-38477, bsc#1227270: null pointer dereference in mod_proxy
# - https://svn.apache.org/viewvc?view=revision&revision=1918607
Patch106: apache2-CVE-2024-38477.patch
# FIX-UPSTREAM: CVE-2024-38475, bsc#1227268: Improper escaping of output in mod_rewrite
# - https://svn.apache.org/viewvc?view=revision&revision=1918561
Patch107: apache2-CVE-2024-38475-1.patch
Patch108: apache2-CVE-2024-38475-2.patch
Patch109: apache2-CVE-2024-38475-3.patch
# FIX-UPSTREAM: CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2
Patch110: apache2-CVE-2024-36387.patch
BuildRequires: apache-rpm-macros-control
#Since 2.4.7 the event MPM requires apr 1.5.0 or later.
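Review bot: The `Patch110: apache2-CVE-2024-36387.patch` entry removed in the second hunk does not reappear in the renumbered `Patch5` to `Patch24` list, and the same commit deletes that patch file and its changelog entry, so the fix for CVE-2024-36387 (bsc#1227272) appears to be dropped from the package. If the fix now reaches the build some other way, the changelog should say so rather than lose the entry; otherwise the patch and its `Patch` line should stay. The part of the spec that applies patches is not in this diff, so it is also worth confirming that the patches moved from 102-109 to 5-13 are still applied under their new numbers.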