SLFO-pool/apache2
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main apache2 revision a18c5bf5161e885c834e2d4c1ed9298e

Browse Source
This commit is contained in:
Adrian Schröter 2024-10-11 09:58:46 +02:00
parent 311d1fd033
commit ea25eba96a
3 changed files with 39 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
apache2-CVE-2024-36387.patch Normal file
View File

@ -0,0 +1,30 @@
commit 62aa64e5aea21dd969db97aded4443c98c0735ac
Author: Eric Covener <covener@apache.org>
Date: Mon Jun 24 17:51:42 2024 +0000
Merge r1918548 from trunk:
mod_http2: early exit if bb is null
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918557 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/modules/http2/h2_c2.c b/modules/http2/h2_c2.c
index a955200944..c65a521ab8 100644
--- a/modules/http2/h2_c2.c
+++ b/modules/http2/h2_c2.c
@@ -370,6 +370,13 @@ static apr_status_t h2_c2_filter_out(ap_filter_t* f, apr_bucket_brigade* bb)
h2_conn_ctx_t *conn_ctx = h2_conn_ctx_get(f->c);
apr_status_t rv;
+ if (bb == NULL) {
+#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1)
+ f->c->data_in_output_filters = 0;
+#endif
+ return APR_SUCCESS;
+ }
+
ap_assert(conn_ctx);
#if AP_HAS_RESPONSE_BUCKETS
if (!conn_ctx->has_final_response) {

7
apache2.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Wed Oct 2 18:22:25 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Security fix:
- CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2
* Added apache2-CVE-2024-36387.patch
-------------------------------------------------------------------
Thu Aug 22 18:37:23 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>

2
apache2.spec
View File

@ -235,6 +235,8 @@ Patch100: apache-test-application-xml-type.patch
# even if in live system I do not experience this inconsistency, let's turn off
# these variables from the test
Patch101: apache-test-turn-off-variables-in-ssl-var-lookup.patch
# FIX-UPSTREAM: CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2
Patch102: apache2-CVE-2024-36387.patch
BuildRequires: apache-rpm-macros-control
#Since 2.4.7 the event MPM requires apr 1.5.0 or later.