diff --git a/apache2-CVE-2024-36387.patch b/apache2-CVE-2024-36387.patch
deleted file mode 100644
index 3f5b019..0000000
--- a/apache2-CVE-2024-36387.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-commit 62aa64e5aea21dd969db97aded4443c98c0735ac
-Author: Eric Covener
-Date: Mon Jun 24 17:51:42 2024 +0000
-
- Merge r1918548 from trunk:
-
- mod_http2: early exit if bb is null
-
-
-
- git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918557 13f79535-47bb-0310-9956-ffa450edef68
-
-diff --git a/modules/http2/h2_c2.c b/modules/http2/h2_c2.c
-index a955200944..c65a521ab8 100644
---- a/modules/http2/h2_c2.c
-+++ b/modules/http2/h2_c2.c
-@@ -370,6 +370,13 @@ static apr_status_t h2_c2_filter_out(ap_filter_t* f, apr_bucket_brigade* bb)
- h2_conn_ctx_t *conn_ctx = h2_conn_ctx_get(f->c);
- apr_status_t rv;
-
-+ if (bb == NULL) {
-+#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1)
-+ f->c->data_in_output_filters = 0;
-+#endif
-+ return APR_SUCCESS;
-+ }
-+
- ap_assert(conn_ctx);
- #if AP_HAS_RESPONSE_BUCKETS
- if (!conn_ctx->has_final_response) {
diff --git a/apache2.changes b/apache2.changes
index 80fc185..1a5f224 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -5,13 +5,6 @@ Thu Oct 3 02:39:41 UTC 2024 - Martin Schreiner
 Patch file added:
 * apache2-CVE-2024-40725.patch
--------------------------------------------------------------------
-Wed Oct 2 18:22:25 UTC 2024 - Martin Schreiner
-
-- Security fix:
- - CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2
- * Added apache2-CVE-2024-36387.patch
-
 -------------------------------------------------------------------
 Thu Aug 22 18:37:23 UTC 2024 - Martin Schreiner
diff --git a/apache2.spec b/apache2.spec
index 5641349..6cc1006 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -237,8 +237,6 @@ Patch100: apache-test-application-xml-type.patch
 # even if in live system I do not experience this inconsistency, let's turn off
 # these variables from the test
 Patch101: apache-test-turn-off-variables-in-ssl-var-lookup.patch
-# FIX-UPSTREAM: CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2
-Patch102: apache2-CVE-2024-36387.patch
 BuildRequires: apache-rpm-macros-control
 #Since 2.4.7 the event MPM requires apr 1.5.0 or later.