SLFO-pool/apache2
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main apache2 revision addbe510a07221a22827f860a472748a

Browse Source
This commit is contained in:
Adrian Schröter 2024-06-08 17:38:24 +02:00
parent 80a23ce35f
commit e467032439
5 changed files with 331 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
apache2-CVE-2023-38709.patch Normal file
View File

@ -0,0 +1,74 @@
Index: httpd-2.4.58/modules/http/http_filters.c
===================================================================
--- httpd-2.4.58.orig/modules/http/http_filters.c
+++ httpd-2.4.58/modules/http/http_filters.c
@@ -1353,6 +1353,9 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
*/
apr_table_clear(r->headers_out);
apr_table_clear(r->err_headers_out);
+ r->content_type = r->content_encoding = NULL;
+ r->content_languages = NULL;
+ r->clength = r->chunked = 0;
apr_brigade_cleanup(b);
/* Don't recall ap_die() if we come back here (from its own internal
@@ -1369,8 +1372,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
APR_BRIGADE_INSERT_TAIL(b, e);
e = apr_bucket_eos_create(c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(b, e);
- r->content_type = r->content_encoding = NULL;
- r->content_languages = NULL;
ap_set_content_length(r, 0);
recursive_error = 1;
}
@@ -1397,6 +1398,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
if (!apr_is_empty_table(r->err_headers_out)) {
r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
r->headers_out);
+ apr_table_clear(r->err_headers_out);
}
/*
@@ -1416,6 +1418,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
fixup_vary(r);
}
+
+ /*
+ * Control cachability for non-cacheable responses if not already set by
+ * some other part of the server configuration.
+ */
+ if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
+ char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
+ ap_recent_rfc822_date(date, r->request_time);
+ apr_table_addn(r->headers_out, "Expires", date);
+ }
+
/*
* Now remove any ETag response header field if earlier processing
* says so (such as a 'FileETag None' directive).
@@ -1428,6 +1441,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
basic_http_header_check(r, &protocol);
ap_set_keepalive(r);
+ /* 204/304 responses don't have content related headers */
if (AP_STATUS_IS_HEADER_ONLY(r->status)) {
apr_table_unset(r->headers_out, "Transfer-Encoding");
apr_table_unset(r->headers_out, "Content-Length");
@@ -1470,16 +1484,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
apr_table_setn(r->headers_out, "Content-Language", field);
}
- /*
- * Control cachability for non-cacheable responses if not already set by
- * some other part of the server configuration.
- */
- if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
- char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
- ap_recent_rfc822_date(date, r->request_time);
- apr_table_addn(r->headers_out, "Expires", date);
- }
-
/* This is a hack, but I can't find anyway around it. The idea is that
* we don't want to send out 0 Content-Lengths if it is a head request.
* This happens when modules try to outsmart the server, and return

191
apache2-CVE-2024-24795.patch Normal file
View File

@ -0,0 +1,191 @@
Index: httpd-2.4.58/include/util_script.h
===================================================================
--- httpd-2.4.58.orig/include/util_script.h
+++ httpd-2.4.58/include/util_script.h
@@ -225,6 +225,8 @@ AP_DECLARE(int) ap_scan_script_header_er
*/
AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table);
+#define AP_TRUST_CGILIKE_CL_ENVVAR "ap_trust_cgilike_cl"
+
#ifdef __cplusplus
}
#endif
Index: httpd-2.4.58/modules/aaa/mod_authnz_fcgi.c
===================================================================
--- httpd-2.4.58.orig/modules/aaa/mod_authnz_fcgi.c
+++ httpd-2.4.58/modules/aaa/mod_authnz_fcgi.c
@@ -571,6 +571,14 @@ static apr_status_t handle_response(cons
"parsing -> %d/%d",
fn, status, r->status);
+ /* FCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
if (rspbuf) { /* caller wants to see response body,
* if any
*/
Index: httpd-2.4.58/modules/generators/mod_cgi.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_cgi.c
+++ httpd-2.4.58/modules/generators/mod_cgi.c
@@ -935,9 +935,18 @@ static int cgi_handler(request_rec *r)
char sbuf[MAX_STRING_LEN];
int ret;
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX)))
- {
+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
+ APLOG_MODULE_INDEX);
+
+ /* xCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
+ if (ret != OK) {
ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err);
/*
Index: httpd-2.4.58/modules/generators/mod_cgid.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_cgid.c
+++ httpd-2.4.58/modules/generators/mod_cgid.c
@@ -1616,9 +1616,18 @@ static int cgid_handler(request_rec *r)
b = apr_bucket_eos_create(c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, b);
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX)))
- {
+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
+ APLOG_MODULE_INDEX);
+
+ /* xCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
+ if (ret != OK) {
ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL);
/*
Index: httpd-2.4.58/modules/proxy/ajp_header.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/ajp_header.c
+++ httpd-2.4.58/modules/proxy/ajp_header.c
@@ -17,6 +17,8 @@
#include "ajp_header.h"
#include "ajp.h"
+#include "util_script.h"
+
APLOG_USE_MODULE(proxy_ajp);
static const char *response_trans_headers[] = {
@@ -669,6 +671,14 @@ static apr_status_t ajp_unmarshal_respon
}
}
+ /* AJP has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
return APR_SUCCESS;
}
Index: httpd-2.4.58/modules/proxy/mod_proxy_fcgi.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_fcgi.c
+++ httpd-2.4.58/modules/proxy/mod_proxy_fcgi.c
@@ -779,6 +779,15 @@ recv_again:
status = ap_scan_script_header_err_brigade_ex(r, ob,
NULL, APLOG_MODULE_INDEX);
+
+ /* FCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
/* suck in all the rest */
if (status != OK) {
apr_bucket *tmp_b;
Index: httpd-2.4.58/modules/proxy/mod_proxy_scgi.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_scgi.c
+++ httpd-2.4.58/modules/proxy/mod_proxy_scgi.c
@@ -390,6 +390,14 @@ static int pass_response(request_rec *r,
return status;
}
+ /* SCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
conf = ap_get_module_config(r->per_dir_config, &proxy_scgi_module);
if (conf->sendfile && conf->sendfile != scgi_sendfile_off) {
short err = 1;
Index: httpd-2.4.58/modules/proxy/mod_proxy_uwsgi.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_uwsgi.c
+++ httpd-2.4.58/modules/proxy/mod_proxy_uwsgi.c
@@ -404,6 +404,12 @@ static int uwsgi_response(request_rec *r
return HTTP_BAD_GATEWAY;
}
+ /* T-E wins over C-L */
+ if (apr_table_get(r->headers_out, "Transfer-Encoding")) {
+ apr_table_unset(r->headers_out, "Content-Length");
+ backend->close = 1;
+ }
+
if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
ap_set_content_type(r, apr_pstrdup(r->pool, buf));
}
Index: httpd-2.4.58/modules/http/http_filters.c
===================================================================
--- httpd-2.4.58.orig/modules/http/http_filters.c
+++ httpd-2.4.58/modules/http/http_filters.c
@@ -778,6 +778,18 @@ static APR_INLINE int check_headers(requ
struct check_header_ctx ctx;
core_server_config *conf =
ap_get_core_module_config(r->server->module_config);
+ const char *val;
+
+ if ((val = apr_table_get(r->headers_out, "Transfer-Encoding"))) {
+ if (apr_table_get(r->headers_out, "Content-Length")) {
+ apr_table_unset(r->headers_out, "Content-Length");
+ r->connection->keepalive = AP_CONN_CLOSE;
+ }
+ if (!ap_is_chunked(r->pool, val)) {
+ r->connection->keepalive = AP_CONN_CLOSE;
+ return 0;
+ }
+ }
ctx.r = r;
ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE);

45
apache2-CVE-2024-27316.patch Normal file
View File

@ -0,0 +1,45 @@
Index: modules/http2/h2_session.c
===================================================================
--- a/modules/http2/h2_session.c (revision 1916778)
+++ b/modules/http2/h2_session.c (revision 1916779)
@@ -319,9 +319,13 @@
status = h2_stream_add_header(stream, (const char *)name, namelen,
(const char *)value, valuelen);
- if (status != APR_SUCCESS
- && (!stream->rtmp
- || stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) {
+ if (status != APR_SUCCESS &&
+ (!stream->rtmp ||
+ stream->rtmp->http_status == H2_HTTP_STATUS_UNSET ||
+ /* We accept a certain amount of failures in order to reply
+ * with an informative HTTP error response like 413. But if the
+ * client is too wrong, we fail the request a RESET of the stream */
+ stream->request_headers_failed > 100)) {
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
return 0;
Index: modules/http2/h2_stream.c
===================================================================
--- a/modules/http2/h2_stream.c (revision 1916778)
+++ b/modules/http2/h2_stream.c (revision 1916779)
@@ -813,6 +813,7 @@
cleanup:
if (error) {
+ ++stream->request_headers_failed;
set_error_response(stream, error);
return APR_EINVAL;
}
Index: modules/http2/h2_stream.h
===================================================================
--- a/modules/http2/h2_stream.h (revision 1916778)
+++ b/modules/http2/h2_stream.h (revision 1916779)
@@ -91,6 +91,7 @@
struct h2_request *rtmp; /* request being assembled */
apr_table_t *trailers_in; /* optional, incoming trailers */
int request_headers_added; /* number of request headers added */
+ int request_headers_failed; /* number of request headers failed to add */
#if AP_HAS_RESPONSE_BUCKETS
ap_bucket_response *response; /* the final, non-interim response or NULL */

12
apache2.changes
View File

@ -1,3 +1,15 @@
-------------------------------------------------------------------
Tue Apr 30 13:44:03 UTC 2024 - pgajdos@suse.com
- security update
- added patches
fix CVE-2023-38709 [bsc#1222330], HTTP response splitting
+ apache2-CVE-2023-38709.patch
fix CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
+ apache2-CVE-2024-24795.patch
fix CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
+ apache2-CVE-2024-27316.patch
-------------------------------------------------------------------
Thu Oct 19 14:23:08 UTC 2023 - David Anes <david.anes@suse.com>

9
apache2.spec
View File

@ -190,6 +190,12 @@ Patch100: apache-test-application-xml-type.patch
# even if in live system I do not experience this inconsistency, let's turn off
# these variables from the test
Patch101: apache-test-turn-off-variables-in-ssl-var-lookup.patch
# CVE-2023-38709 [bsc#1222330], HTTP response splitting
Patch102: apache2-CVE-2023-38709.patch
# CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Patch103: apache2-CVE-2024-27316.patch
# CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
Patch104: apache2-CVE-2024-24795.patch
BuildRequires: apache-rpm-macros-control
#Since 2.4.7 the event MPM requires apr 1.5.0 or later.
BuildRequires: apr-devel >= 1.5.0
@ -320,6 +326,9 @@ provides HTTP services in sync with the current HTTP standards.
%patch4 -p1
%patch100 -p1
%patch101 -p1
%patch102 -p1
%patch103 -p1
%patch104 -p1
#
# BUILD