diff --git a/apache2-CVE-2023-38709.patch b/apache2-CVE-2023-38709.patch deleted file mode 100644 index f2d10e9..0000000 --- a/apache2-CVE-2023-38709.patch +++ /dev/null @@ -1,74 +0,0 @@ -Index: httpd-2.4.58/modules/http/http_filters.c -=================================================================== ---- httpd-2.4.58.orig/modules/http/http_filters.c -+++ httpd-2.4.58/modules/http/http_filters.c -@@ -1353,6 +1353,9 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ - */ - apr_table_clear(r->headers_out); - apr_table_clear(r->err_headers_out); -+ r->content_type = r->content_encoding = NULL; -+ r->content_languages = NULL; -+ r->clength = r->chunked = 0; - apr_brigade_cleanup(b); - - /* Don't recall ap_die() if we come back here (from its own internal -@@ -1369,8 +1372,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ - APR_BRIGADE_INSERT_TAIL(b, e); - e = apr_bucket_eos_create(c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(b, e); -- r->content_type = r->content_encoding = NULL; -- r->content_languages = NULL; - ap_set_content_length(r, 0); - recursive_error = 1; - } -@@ -1397,6 +1398,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ - if (!apr_is_empty_table(r->err_headers_out)) { - r->headers_out = apr_table_overlay(r->pool, r->err_headers_out, - r->headers_out); -+ apr_table_clear(r->err_headers_out); - } - - /* -@@ -1416,6 +1418,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ - fixup_vary(r); - } - -+ -+ /* -+ * Control cachability for non-cacheable responses if not already set by -+ * some other part of the server configuration. -+ */ -+ if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) { -+ char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN); -+ ap_recent_rfc822_date(date, r->request_time); -+ apr_table_addn(r->headers_out, "Expires", date); -+ } -+ - /* - * Now remove any ETag response header field if earlier processing - * says so (such as a 'FileETag None' directive). -@@ -1428,6 +1441,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ - basic_http_header_check(r, &protocol); - ap_set_keepalive(r); - -+ /* 204/304 responses don't have content related headers */ - if (AP_STATUS_IS_HEADER_ONLY(r->status)) { - apr_table_unset(r->headers_out, "Transfer-Encoding"); - apr_table_unset(r->headers_out, "Content-Length"); -@@ -1470,16 +1484,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_ - apr_table_setn(r->headers_out, "Content-Language", field); - } - -- /* -- * Control cachability for non-cacheable responses if not already set by -- * some other part of the server configuration. -- */ -- if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) { -- char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN); -- ap_recent_rfc822_date(date, r->request_time); -- apr_table_addn(r->headers_out, "Expires", date); -- } -- - /* This is a hack, but I can't find anyway around it. The idea is that - * we don't want to send out 0 Content-Lengths if it is a head request. - * This happens when modules try to outsmart the server, and return diff --git a/apache2-CVE-2024-24795.patch b/apache2-CVE-2024-24795.patch deleted file mode 100644 index 58e3a46..0000000 --- a/apache2-CVE-2024-24795.patch +++ /dev/null @@ -1,191 +0,0 @@ -Index: httpd-2.4.58/include/util_script.h -=================================================================== ---- httpd-2.4.58.orig/include/util_script.h -+++ httpd-2.4.58/include/util_script.h -@@ -225,6 +225,8 @@ AP_DECLARE(int) ap_scan_script_header_er - */ - AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table); - -+#define AP_TRUST_CGILIKE_CL_ENVVAR "ap_trust_cgilike_cl" -+ - #ifdef __cplusplus - } - #endif -Index: httpd-2.4.58/modules/aaa/mod_authnz_fcgi.c -=================================================================== ---- httpd-2.4.58.orig/modules/aaa/mod_authnz_fcgi.c -+++ httpd-2.4.58/modules/aaa/mod_authnz_fcgi.c -@@ -571,6 +571,14 @@ static apr_status_t handle_response(cons - "parsing -> %d/%d", - fn, status, r->status); - -+ /* FCGI has its own body framing mechanism which we don't -+ * match against any provided Content-Length, so let the -+ * core determine C-L vs T-E based on what's actually sent. -+ */ -+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) -+ apr_table_unset(r->headers_out, "Content-Length"); -+ apr_table_unset(r->headers_out, "Transfer-Encoding"); -+ - if (rspbuf) { /* caller wants to see response body, - * if any - */ -Index: httpd-2.4.58/modules/generators/mod_cgi.c -=================================================================== ---- httpd-2.4.58.orig/modules/generators/mod_cgi.c -+++ httpd-2.4.58/modules/generators/mod_cgi.c -@@ -935,9 +935,18 @@ static int cgi_handler(request_rec *r) - char sbuf[MAX_STRING_LEN]; - int ret; - -- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -- APLOG_MODULE_INDEX))) -- { -+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -+ APLOG_MODULE_INDEX); -+ -+ /* xCGI has its own body framing mechanism which we don't -+ * match against any provided Content-Length, so let the -+ * core determine C-L vs T-E based on what's actually sent. -+ */ -+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) -+ apr_table_unset(r->headers_out, "Content-Length"); -+ apr_table_unset(r->headers_out, "Transfer-Encoding"); -+ -+ if (ret != OK) { - ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err); - - /* -Index: httpd-2.4.58/modules/generators/mod_cgid.c -=================================================================== ---- httpd-2.4.58.orig/modules/generators/mod_cgid.c -+++ httpd-2.4.58/modules/generators/mod_cgid.c -@@ -1616,9 +1616,18 @@ static int cgid_handler(request_rec *r) - b = apr_bucket_eos_create(c->bucket_alloc); - APR_BRIGADE_INSERT_TAIL(bb, b); - -- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -- APLOG_MODULE_INDEX))) -- { -+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf, -+ APLOG_MODULE_INDEX); -+ -+ /* xCGI has its own body framing mechanism which we don't -+ * match against any provided Content-Length, so let the -+ * core determine C-L vs T-E based on what's actually sent. -+ */ -+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) -+ apr_table_unset(r->headers_out, "Content-Length"); -+ apr_table_unset(r->headers_out, "Transfer-Encoding"); -+ -+ if (ret != OK) { - ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL); - - /* -Index: httpd-2.4.58/modules/proxy/ajp_header.c -=================================================================== ---- httpd-2.4.58.orig/modules/proxy/ajp_header.c -+++ httpd-2.4.58/modules/proxy/ajp_header.c -@@ -17,6 +17,8 @@ - #include "ajp_header.h" - #include "ajp.h" - -+#include "util_script.h" -+ - APLOG_USE_MODULE(proxy_ajp); - - static const char *response_trans_headers[] = { -@@ -669,6 +671,14 @@ static apr_status_t ajp_unmarshal_respon - } - } - -+ /* AJP has its own body framing mechanism which we don't -+ * match against any provided Content-Length, so let the -+ * core determine C-L vs T-E based on what's actually sent. -+ */ -+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) -+ apr_table_unset(r->headers_out, "Content-Length"); -+ apr_table_unset(r->headers_out, "Transfer-Encoding"); -+ - return APR_SUCCESS; - } - -Index: httpd-2.4.58/modules/proxy/mod_proxy_fcgi.c -=================================================================== ---- httpd-2.4.58.orig/modules/proxy/mod_proxy_fcgi.c -+++ httpd-2.4.58/modules/proxy/mod_proxy_fcgi.c -@@ -779,6 +779,15 @@ recv_again: - - status = ap_scan_script_header_err_brigade_ex(r, ob, - NULL, APLOG_MODULE_INDEX); -+ -+ /* FCGI has its own body framing mechanism which we don't -+ * match against any provided Content-Length, so let the -+ * core determine C-L vs T-E based on what's actually sent. -+ */ -+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) -+ apr_table_unset(r->headers_out, "Content-Length"); -+ apr_table_unset(r->headers_out, "Transfer-Encoding"); -+ - /* suck in all the rest */ - if (status != OK) { - apr_bucket *tmp_b; -Index: httpd-2.4.58/modules/proxy/mod_proxy_scgi.c -=================================================================== ---- httpd-2.4.58.orig/modules/proxy/mod_proxy_scgi.c -+++ httpd-2.4.58/modules/proxy/mod_proxy_scgi.c -@@ -390,6 +390,14 @@ static int pass_response(request_rec *r, - return status; - } - -+ /* SCGI has its own body framing mechanism which we don't -+ * match against any provided Content-Length, so let the -+ * core determine C-L vs T-E based on what's actually sent. -+ */ -+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) -+ apr_table_unset(r->headers_out, "Content-Length"); -+ apr_table_unset(r->headers_out, "Transfer-Encoding"); -+ - conf = ap_get_module_config(r->per_dir_config, &proxy_scgi_module); - if (conf->sendfile && conf->sendfile != scgi_sendfile_off) { - short err = 1; -Index: httpd-2.4.58/modules/proxy/mod_proxy_uwsgi.c -=================================================================== ---- httpd-2.4.58.orig/modules/proxy/mod_proxy_uwsgi.c -+++ httpd-2.4.58/modules/proxy/mod_proxy_uwsgi.c -@@ -404,6 +404,12 @@ static int uwsgi_response(request_rec *r - return HTTP_BAD_GATEWAY; - } - -+ /* T-E wins over C-L */ -+ if (apr_table_get(r->headers_out, "Transfer-Encoding")) { -+ apr_table_unset(r->headers_out, "Content-Length"); -+ backend->close = 1; -+ } -+ - if ((buf = apr_table_get(r->headers_out, "Content-Type"))) { - ap_set_content_type(r, apr_pstrdup(r->pool, buf)); - } -Index: httpd-2.4.58/modules/http/http_filters.c -=================================================================== ---- httpd-2.4.58.orig/modules/http/http_filters.c -+++ httpd-2.4.58/modules/http/http_filters.c -@@ -778,6 +778,18 @@ static APR_INLINE int check_headers(requ - struct check_header_ctx ctx; - core_server_config *conf = - ap_get_core_module_config(r->server->module_config); -+ const char *val; -+ -+ if ((val = apr_table_get(r->headers_out, "Transfer-Encoding"))) { -+ if (apr_table_get(r->headers_out, "Content-Length")) { -+ apr_table_unset(r->headers_out, "Content-Length"); -+ r->connection->keepalive = AP_CONN_CLOSE; -+ } -+ if (!ap_is_chunked(r->pool, val)) { -+ r->connection->keepalive = AP_CONN_CLOSE; -+ return 0; -+ } -+ } - - ctx.r = r; - ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE); diff --git a/apache2-CVE-2024-27316.patch b/apache2-CVE-2024-27316.patch deleted file mode 100644 index 10e01cc..0000000 --- a/apache2-CVE-2024-27316.patch +++ /dev/null @@ -1,45 +0,0 @@ -Index: modules/http2/h2_session.c -=================================================================== ---- a/modules/http2/h2_session.c (revision 1916778) -+++ b/modules/http2/h2_session.c (revision 1916779) -@@ -319,9 +319,13 @@ - - status = h2_stream_add_header(stream, (const char *)name, namelen, - (const char *)value, valuelen); -- if (status != APR_SUCCESS -- && (!stream->rtmp -- || stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) { -+ if (status != APR_SUCCESS && -+ (!stream->rtmp || -+ stream->rtmp->http_status == H2_HTTP_STATUS_UNSET || -+ /* We accept a certain amount of failures in order to reply -+ * with an informative HTTP error response like 413. But if the -+ * client is too wrong, we fail the request a RESET of the stream */ -+ stream->request_headers_failed > 100)) { - return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; - } - return 0; -Index: modules/http2/h2_stream.c -=================================================================== ---- a/modules/http2/h2_stream.c (revision 1916778) -+++ b/modules/http2/h2_stream.c (revision 1916779) -@@ -813,6 +813,7 @@ - - cleanup: - if (error) { -+ ++stream->request_headers_failed; - set_error_response(stream, error); - return APR_EINVAL; - } -Index: modules/http2/h2_stream.h -=================================================================== ---- a/modules/http2/h2_stream.h (revision 1916778) -+++ b/modules/http2/h2_stream.h (revision 1916779) -@@ -91,6 +91,7 @@ - struct h2_request *rtmp; /* request being assembled */ - apr_table_t *trailers_in; /* optional, incoming trailers */ - int request_headers_added; /* number of request headers added */ -+ int request_headers_failed; /* number of request headers failed to add */ - - #if AP_HAS_RESPONSE_BUCKETS - ap_bucket_response *response; /* the final, non-interim response or NULL */ diff --git a/apache2-CVE-2024-36387.patch b/apache2-CVE-2024-36387.patch deleted file mode 100644 index 3f5b019..0000000 --- a/apache2-CVE-2024-36387.patch +++ /dev/null @@ -1,30 +0,0 @@ -commit 62aa64e5aea21dd969db97aded4443c98c0735ac -Author: Eric Covener -Date: Mon Jun 24 17:51:42 2024 +0000 - - Merge r1918548 from trunk: - - mod_http2: early exit if bb is null - - - - git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918557 13f79535-47bb-0310-9956-ffa450edef68 - -diff --git a/modules/http2/h2_c2.c b/modules/http2/h2_c2.c -index a955200944..c65a521ab8 100644 ---- a/modules/http2/h2_c2.c -+++ b/modules/http2/h2_c2.c -@@ -370,6 +370,13 @@ static apr_status_t h2_c2_filter_out(ap_filter_t* f, apr_bucket_brigade* bb) - h2_conn_ctx_t *conn_ctx = h2_conn_ctx_get(f->c); - apr_status_t rv; - -+ if (bb == NULL) { -+#if !AP_MODULE_MAGIC_AT_LEAST(20180720, 1) -+ f->c->data_in_output_filters = 0; -+#endif -+ return APR_SUCCESS; -+ } -+ - ap_assert(conn_ctx); - #if AP_HAS_RESPONSE_BUCKETS - if (!conn_ctx->has_final_response) { diff --git a/apache2-CVE-2024-38473-1.patch b/apache2-CVE-2024-38473-1.patch deleted file mode 100644 index 89b2128..0000000 --- a/apache2-CVE-2024-38473-1.patch +++ /dev/null @@ -1,39 +0,0 @@ -From b10cb2d69184843832d501a615abe3e8e5e256dc Mon Sep 17 00:00:00 2001 -From: Eric Covener -Date: Mon, 24 Jun 2024 17:52:31 +0000 -Subject: [PATCH] Merge r1918550 from trunk: - -mod_proxy: escape for non-proxypass configuration - - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918559 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/proxy/mod_proxy.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c -index c9cef7c44f5..17e39c95b8f 100644 ---- a/modules/proxy/mod_proxy.c -+++ b/modules/proxy/mod_proxy.c -@@ -1314,15 +1314,18 @@ static int proxy_handler(request_rec *r) - } - - if (!r->proxyreq) { -+ rc = DECLINED; - /* We may have forced the proxy handler via config or .htaccess */ - if (r->handler && - strncmp(r->handler, "proxy:", 6) == 0 && - strncmp(r->filename, "proxy:", 6) != 0) { - r->proxyreq = PROXYREQ_REVERSE; - r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL); -+ /* Still need to fixup/canonicalize r->filename */ -+ rc = proxy_fixup(r); - } -- else { -- return DECLINED; -+ if (rc != OK) { -+ return rc; - } - } else if (strncmp(r->filename, "proxy:", 6) != 0) { - return DECLINED; diff --git a/apache2-CVE-2024-38473-2.patch b/apache2-CVE-2024-38473-2.patch deleted file mode 100644 index 9301c70..0000000 --- a/apache2-CVE-2024-38473-2.patch +++ /dev/null @@ -1,208 +0,0 @@ -From 6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Wed, 26 Jun 2024 14:51:32 +0000 -Subject: [PATCH] mod_proxy: Fixup UDS filename for mod_proxy called through - r->handler. - -* modules/proxy/proxy_util.c: - Export ap_proxy_fixup_uds_filename() from fix_uds_filename. - Call it from ap_proxy_pre_request() even for rewritten balancer workers. - -* modules/proxy/mod_proxy.h: - Declare ap_proxy_fixup_uds_filename() - -* modules/proxy/mod_proxy.c: - Fixup UDS filename from r->handler in proxy_handler(). - -* include/ap_mmn.h: - Bump MMN minor for ap_proxy_fixup_uds_filename() - - -mod_proxy: follow up to r1918626: Simplify ap_proxy_fixup_uds_filename() and callers. - - -Merges r1918626, r1918647 from trunk -GH: closes #457 - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918666 13f79535-47bb-0310-9956-ffa450edef68 ---- - include/ap_mmn.h | 3 ++- - modules/proxy/mod_proxy.c | 33 ++++++++++++++++++------------ - modules/proxy/mod_proxy.h | 8 ++++++++ - modules/proxy/proxy_util.c | 41 ++++++++++++++++++++++---------------- - 4 files changed, 54 insertions(+), 31 deletions(-) - -Index: httpd-2.4.58/modules/proxy/mod_proxy.c -=================================================================== ---- httpd-2.4.58.orig/modules/proxy/mod_proxy.c -+++ httpd-2.4.58/modules/proxy/mod_proxy.c -@@ -1227,6 +1227,7 @@ static int proxy_fixup(request_rec *r) - - return OK; /* otherwise; we've done the best we can */ - } -+ - /* Send a redirection if the request contains a hostname which is not */ - /* fully qualified, i.e. doesn't have a domain name appended. Some proxy */ - /* servers like Netscape's allow this and access hosts from the local */ -@@ -1280,7 +1281,7 @@ static int proxy_handler(request_rec *r) - ap_get_module_config(sconf, &proxy_module); - apr_array_header_t *proxies = conf->proxies; - struct proxy_remote *ents = (struct proxy_remote *) proxies->elts; -- int i, rc, access_status; -+ int rc = DECLINED, access_status, i; - int direct_connect = 0; - const char *str; - apr_int64_t maxfwd; -@@ -1295,22 +1296,28 @@ static int proxy_handler(request_rec *r) - return DECLINED; - } - -- if (!r->proxyreq) { -- rc = DECLINED; -- /* We may have forced the proxy handler via config or .htaccess */ -- if (r->handler && -- strncmp(r->handler, "proxy:", 6) == 0 && -- strncmp(r->filename, "proxy:", 6) != 0) { -- r->proxyreq = PROXYREQ_REVERSE; -- r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL); -- /* Still need to fixup/canonicalize r->filename */ -+ /* We may have forced the proxy handler via config or .htaccess */ -+ if (!r->proxyreq && r->handler && strncmp(r->handler, "proxy:", 6) == 0) { -+ char *old_filename = r->filename; -+ -+ r->proxyreq = PROXYREQ_REVERSE; -+ r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL); -+ -+ /* Still need to fixup/canonicalize r->filename */ -+ rc = ap_proxy_fixup_uds_filename(r); -+ if (rc <= OK) { - rc = proxy_fixup(r); - } - if (rc != OK) { -- return rc; -+ r->filename = old_filename; -+ r->proxyreq = 0; - } -- } else if (strncmp(r->filename, "proxy:", 6) != 0) { -- return DECLINED; -+ } -+ else if (r->proxyreq && strncmp(r->filename, "proxy:", 6) == 0) { -+ rc = OK; -+ } -+ if (rc != OK) { -+ return rc; - } - - /* handle max-forwards / OPTIONS / TRACE */ -Index: httpd-2.4.58/modules/proxy/mod_proxy.h -=================================================================== ---- httpd-2.4.58.orig/modules/proxy/mod_proxy.h -+++ httpd-2.4.58/modules/proxy/mod_proxy.h -@@ -993,6 +993,14 @@ PROXY_DECLARE(proxy_balancer_shared *) a - proxy_balancer *balancer, - unsigned int *index); - -+/* -+ * Strip the UDS part of r->filename if any, and put the UDS path in -+ * r->notes ("uds_path") -+ * @param r current request -+ * @return OK if fixed up, DECLINED if not UDS, or an HTTP_XXX error -+ */ -+PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r); -+ - /** - * Get the most suitable worker and/or balancer for the request - * @param worker worker used for processing request -Index: httpd-2.4.58/modules/proxy/proxy_util.c -=================================================================== ---- httpd-2.4.58.orig/modules/proxy/proxy_util.c -+++ httpd-2.4.58/modules/proxy/proxy_util.c -@@ -2316,7 +2316,7 @@ static int ap_proxy_retry_worker(const c - * were passed a UDS url (eg: from mod_proxy) and adjust uds_path - * as required. - */ --static int fix_uds_filename(request_rec *r, char **url) -+PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r) - { - char *uds_url = r->filename + 6, *origin_url; - -@@ -2324,7 +2324,6 @@ static int fix_uds_filename(request_rec - !ap_cstr_casecmpn(uds_url, "unix:", 5) && - (origin_url = ap_strchr(uds_url + 5, '|'))) { - char *uds_path = NULL; -- apr_size_t url_len; - apr_uri_t urisock; - apr_status_t rv; - -@@ -2339,20 +2338,20 @@ static int fix_uds_filename(request_rec - if (!uds_path) { - ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292) - "Invalid proxy UDS filename (%s)", r->filename); -- return 0; -+ return HTTP_BAD_REQUEST; - } - apr_table_setn(r->notes, "uds_path", uds_path); - -- /* Remove the UDS path from *url and r->filename */ -- url_len = strlen(origin_url); -- *url = apr_pstrmemdup(r->pool, origin_url, url_len); -- memcpy(uds_url, *url, url_len + 1); -- - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, -- "*: rewrite of url due to UDS(%s): %s (%s)", -- uds_path, *url, r->filename); -+ "*: fixup UDS from %s: %s (%s)", -+ r->filename, origin_url, uds_path); -+ -+ /* Overwrite the UDS part in place */ -+ memmove(uds_url, origin_url, strlen(origin_url) + 1); -+ return OK; - } -- return 1; -+ -+ return DECLINED; - } - - PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker, -@@ -2371,9 +2370,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request( - ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, - "%s: found worker %s for %s", - (*worker)->s->scheme, (*worker)->s->name_ex, *url); -- if (!forward && !fix_uds_filename(r, url)) { -- return HTTP_INTERNAL_SERVER_ERROR; -- } - access_status = OK; - } - else if (forward) { -@@ -2403,9 +2399,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request( - * regarding the Connection header in the request. - */ - apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1"); -- if (!fix_uds_filename(r, url)) { -- return HTTP_INTERNAL_SERVER_ERROR; -- } - } - } - } -@@ -2415,6 +2408,20 @@ PROXY_DECLARE(int) ap_proxy_pre_request( - "all workers are busy. Unable to serve %s", *url); - access_status = HTTP_SERVICE_UNAVAILABLE; - } -+ -+ if (access_status == OK && r->proxyreq == PROXYREQ_REVERSE) { -+ int rc = ap_proxy_fixup_uds_filename(r); -+ if (ap_is_HTTP_ERROR(rc)) { -+ return rc; -+ } -+ /* If the URL has changed in r->filename, take everything after -+ * the "proxy:" prefix. -+ */ -+ if (rc == OK) { -+ *url = apr_pstrdup(r->pool, r->filename + 6); -+ } -+ } -+ - return access_status; - } - diff --git a/apache2-CVE-2024-38473-3.patch b/apache2-CVE-2024-38473-3.patch deleted file mode 100644 index f24bb61..0000000 --- a/apache2-CVE-2024-38473-3.patch +++ /dev/null @@ -1,51 +0,0 @@ -From cc00cf6b4e37370897daddc307bf1deecf8fedfa Mon Sep 17 00:00:00 2001 -From: Eric Covener -Date: Tue, 25 Jun 2024 20:20:05 +0000 -Subject: [PATCH] Merge r1918623 from trunk: - -fix comparison of local path on Windows - -Submitted By: Yann Ylavic - - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918625 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/mappers/mod_rewrite.c | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c -index 46ea16c8c64..e0390768267 100644 ---- a/modules/mappers/mod_rewrite.c -+++ b/modules/mappers/mod_rewrite.c -@@ -653,6 +653,19 @@ static unsigned is_absolute_uri(char *uri, int *supportsqs) - return 0; - } - -+static int is_absolute_path(const char *path) -+{ -+#ifndef WIN32 -+ return (path[0] == '/'); -+#else -+#define IS_SLASH(c) ((c) == '/' || (c) == '\\') -+ /* "//", "\\", "x:/" and "x:\" are absolute paths on Windows */ -+ return ((IS_SLASH(path[0]) && path[1] == path[0]) -+ || (apr_isalpha(path[0]) && path[1] == ':' && IS_SLASH(path[2]))); -+#undef IS_SLASH -+#endif -+} -+ - static const char c2x_table[] = "0123456789abcdef"; - - static APR_INLINE unsigned char *c2x(unsigned what, unsigned char prefix, -@@ -4351,7 +4364,9 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p, - * (1) it's an absolute URL path and - * (2) it's a full qualified URL - */ -- if (!is_proxyreq && *newuri != '/' && !is_absolute_uri(newuri, NULL)) { -+ if (!is_proxyreq -+ && !is_absolute_path(newuri) -+ && !is_absolute_uri(newuri, NULL)) { - if (ctx->perdir) { - rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s", - newuri, ctx->perdir, newuri)); diff --git a/apache2-CVE-2024-38473-4.patch b/apache2-CVE-2024-38473-4.patch deleted file mode 100644 index cfa0b06..0000000 --- a/apache2-CVE-2024-38473-4.patch +++ /dev/null @@ -1,187 +0,0 @@ -From 4326d6b9041a3bcb9b529f9163d0761c2d760700 Mon Sep 17 00:00:00 2001 -From: Yann Ylavic -Date: Wed, 26 Jun 2024 14:56:47 +0000 -Subject: [PATCH] factor out IS_SLASH, perdir fix - -in per-dir, the filename will be internally redirected, so / is OK too. - - -don't add / to / in the non-perdir - - -match AP_IS_SLASH macro - -followup to 1918651 - - -Merges r1918651, r1918652, r1918663 from trunk -Reviewed by: covener, ylavic, rpluem -GH: close #458 - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918668 13f79535-47bb-0310-9956-ffa450edef68 ---- - include/ap_mmn.h | 3 ++- - include/httpd.h | 11 +++++++++++ - modules/mappers/mod_rewrite.c | 11 ++++------- - server/util.c | 31 ++++++++++--------------------- - 4 files changed, 27 insertions(+), 29 deletions(-) - -Index: httpd-2.4.58/include/httpd.h -=================================================================== ---- httpd-2.4.58.orig/include/httpd.h -+++ httpd-2.4.58/include/httpd.h -@@ -2663,6 +2663,17 @@ AP_DECLARE(const char *)ap_dir_fnmatch(a - */ - AP_DECLARE(int) ap_is_chunked(apr_pool_t *p, const char *line); - -+/* Win32/NetWare/OS2 need to check for both forward and back slashes -+ * in ap_normalize_path() and ap_escape_url(). -+ */ -+#ifdef CASE_BLIND_FILESYSTEM -+#define AP_IS_SLASH(s) ((s == '/') || (s == '\\')) -+#define AP_SLASHES "/\\" -+#else -+#define AP_IS_SLASH(s) (s == '/') -+#define AP_SLASHES "/" -+#endif -+ - #ifdef __cplusplus - } - #endif -Index: httpd-2.4.58/modules/mappers/mod_rewrite.c -=================================================================== ---- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c -+++ httpd-2.4.58/modules/mappers/mod_rewrite.c -@@ -655,14 +655,11 @@ static unsigned is_absolute_uri(char *ur - - static int is_absolute_path(const char *path) - { --#ifndef WIN32 -+#ifndef CASE_BLIND_FILESYSTEM - return (path[0] == '/'); - #else --#define IS_SLASH(c) ((c) == '/' || (c) == '\\') -- /* "//", "\\", "x:/" and "x:\" are absolute paths on Windows */ -- return ((IS_SLASH(path[0]) && path[1] == path[0]) -- || (apr_isalpha(path[0]) && path[1] == ':' && IS_SLASH(path[2]))); --#undef IS_SLASH -+ return ((AP_IS_SLASH(path[0]) && path[1] == path[0]) -+ || (apr_isalpha(path[0]) && path[1] == ':' && AP_IS_SLASH(path[2]))); - #endif - } - -@@ -4366,11 +4363,11 @@ static rule_return_type apply_rewrite_ru - */ - if (!is_proxyreq - && !is_absolute_path(newuri) -+ && !AP_IS_SLASH(*newuri) - && !is_absolute_uri(newuri, NULL)) { - if (ctx->perdir) { - rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s", - newuri, ctx->perdir, newuri)); -- - newuri = apr_pstrcat(r->pool, ctx->perdir, newuri, NULL); - } - else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) { -Index: httpd-2.4.58/server/util.c -=================================================================== ---- httpd-2.4.58.orig/server/util.c -+++ httpd-2.4.58/server/util.c -@@ -75,17 +75,6 @@ - */ - #include "test_char.h" - --/* Win32/NetWare/OS2 need to check for both forward and back slashes -- * in ap_normalize_path() and ap_escape_url(). -- */ --#ifdef CASE_BLIND_FILESYSTEM --#define IS_SLASH(s) ((s == '/') || (s == '\\')) --#define SLASHES "/\\" --#else --#define IS_SLASH(s) (s == '/') --#define SLASHES "/" --#endif -- - /* we know core's module_index is 0 */ - #undef APLOG_MODULE_INDEX - #define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX -@@ -492,7 +481,7 @@ AP_DECLARE(apr_status_t) ap_pregsub_ex(a - /* Forward declare */ - static char x2c(const char *what); - --#define IS_SLASH_OR_NUL(s) (s == '\0' || IS_SLASH(s)) -+#define IS_SLASH_OR_NUL(s) (s == '\0' || AP_IS_SLASH(s)) - - /* - * Inspired by mod_jk's jk_servlet_normalize(). -@@ -504,7 +493,7 @@ AP_DECLARE(int) ap_normalize_path(char * - int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0; - int merge_slashes = (flags & AP_NORMALIZE_MERGE_SLASHES) != 0; - -- if (!IS_SLASH(path[0])) { -+ if (!AP_IS_SLASH(path[0])) { - /* Besides "OPTIONS *", a request-target should start with '/' - * per RFC 7230 section 5.3, so anything else is invalid. - */ -@@ -545,12 +534,12 @@ AP_DECLARE(int) ap_normalize_path(char * - } - } - -- if (w == 0 || IS_SLASH(path[w - 1])) { -+ if (w == 0 || AP_IS_SLASH(path[w - 1])) { - /* Collapse ///// sequences to / */ -- if (merge_slashes && IS_SLASH(path[l])) { -+ if (merge_slashes && AP_IS_SLASH(path[l])) { - do { - l++; -- } while (IS_SLASH(path[l])); -+ } while (AP_IS_SLASH(path[l])); - continue; - } - -@@ -579,7 +568,7 @@ AP_DECLARE(int) ap_normalize_path(char * - if (w > 1) { - do { - w--; -- } while (w && !IS_SLASH(path[w - 1])); -+ } while (w && !AP_IS_SLASH(path[w - 1])); - } - else { - /* Already at root, ignore and return a failure -@@ -1915,7 +1904,7 @@ static int unescape_url(char *url, const - char decoded; - decoded = x2c(y + 1); - if ((decoded == '\0') -- || (forbid_slashes && IS_SLASH(decoded)) -+ || (forbid_slashes && AP_IS_SLASH(decoded)) - || (forbid && ap_strchr_c(forbid, decoded))) { - badpath = 1; - *x = decoded; -@@ -1923,7 +1912,7 @@ static int unescape_url(char *url, const - } - else if ((keep_unreserved && TEST_CHAR(decoded, - T_URI_UNRESERVED)) -- || (keep_slashes && IS_SLASH(decoded)) -+ || (keep_slashes && AP_IS_SLASH(decoded)) - || (reserved && ap_strchr_c(reserved, decoded))) { - *x++ = *y++; - *x++ = *y++; -@@ -1950,7 +1939,7 @@ static int unescape_url(char *url, const - AP_DECLARE(int) ap_unescape_url(char *url) - { - /* Traditional */ -- return unescape_url(url, SLASHES, NULL, 0); -+ return unescape_url(url, AP_SLASHES, NULL, 0); - } - AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes) - { -@@ -1960,7 +1949,7 @@ AP_DECLARE(int) ap_unescape_url_keep2f(c - return unescape_url(url, NULL, NULL, 0); - } else { - /* reserve (do not decode) encoded slashes */ -- return unescape_url(url, NULL, SLASHES, 0); -+ return unescape_url(url, NULL, AP_SLASHES, 0); - } - } - AP_DECLARE(int) ap_unescape_url_ex(char *url, unsigned int flags) diff --git a/apache2-CVE-2024-38474.patch b/apache2-CVE-2024-38474.patch deleted file mode 100644 index f582438..0000000 --- a/apache2-CVE-2024-38474.patch +++ /dev/null @@ -1,17 +0,0 @@ -Index: httpd-2.4.58/modules/mappers/mod_rewrite.c -=================================================================== ---- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c -+++ httpd-2.4.58/modules/mappers/mod_rewrite.c -@@ -4537,6 +4560,12 @@ static int apply_rewrite_list(request_re - return ACTION_STATUS_SET; - } - -+ -+ /* Error while evaluating rule, r->status set */ -+ if (RULE_RC_STATUS_SET == rc) { -+ return ACTION_STATUS_SET; -+ } -+ - /* - * The rule sets the response code (implies match-only) - */ diff --git a/apache2-CVE-2024-38475-1.patch b/apache2-CVE-2024-38475-1.patch deleted file mode 100644 index 753609f..0000000 --- a/apache2-CVE-2024-38475-1.patch +++ /dev/null @@ -1,23 +0,0 @@ -Index: httpd-2.4.58/docs/manual/mod/mod_rewrite.html.en -=================================================================== ---- httpd-2.4.58.orig/docs/manual/mod/mod_rewrite.html.en -+++ httpd-2.4.58/docs/manual/mod/mod_rewrite.html.en -@@ -1451,6 +1451,18 @@ cannot use $N in the substi - Force the MIME-type of the target file - to be the specified type. details ... - -+ -+ UnsafeAllow3F -+ Allows substitutions from URL's that may be unsafe. -+ details ... -+ -+ -+ -+ UnsafePrefixStat -+ Allows potentially unsafe substitutions from a leading variable or backreference to a filesystem path. -+ details ... -+ -+ - - -

Home directory expansion

diff --git a/apache2-CVE-2024-38475-2.patch b/apache2-CVE-2024-38475-2.patch deleted file mode 100644 index 4fa7fa1..0000000 --- a/apache2-CVE-2024-38475-2.patch +++ /dev/null @@ -1,31 +0,0 @@ -Index: httpd-2.4.58/docs/manual/rewrite/flags.html.en -=================================================================== ---- httpd-2.4.58.orig/docs/manual/rewrite/flags.html.en -+++ httpd-2.4.58/docs/manual/rewrite/flags.html.en -@@ -820,8 +820,25 @@ otherwise the MIME-type set with this fl - re-processing (including subsequent rounds of mod_rewrite processing). - The L flag can be useful in this context to end the - current round of mod_rewrite processing.

-+
- -- -+
-+

UnsafeAllow3F

-+

Setting this flag is required to allow a rewrite to continue If the -+ HTTP request being written has an encoded question mark, '%3f', and the -+ rewritten result has a '?' in the substiution. This protects from a malicious -+ URL taking advantage of a capture and re-substitution of the encoded -+ question mark.

-+
-+
-+

UnsafePrefixStat

-+

Setting this flag is required in server-scoped substitutions -+ start with a variable or backreference and resolve to a filesystem path. -+ These substitutions are not prefixed with the document root. -+ This protects from a malicious URL causing the expanded substitution to -+ map to an unexpected filesystem location.

-+
-+ -
-

Available Languages:  en  | -  fr 

diff --git a/apache2-CVE-2024-38475-3.patch b/apache2-CVE-2024-38475-3.patch deleted file mode 100644 index 0c37c13..0000000 --- a/apache2-CVE-2024-38475-3.patch +++ /dev/null @@ -1,383 +0,0 @@ -Index: httpd-2.4.58/modules/mappers/mod_rewrite.c -=================================================================== ---- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c -+++ httpd-2.4.58/modules/mappers/mod_rewrite.c -@@ -177,6 +177,8 @@ static const char* really_last_key = "re - #define RULEFLAG_QSLAST (1<<19) - #define RULEFLAG_QSNONE (1<<20) /* programattic only */ - #define RULEFLAG_ESCAPECTLS (1<<21) -+#define RULEFLAG_UNSAFE_PREFIX_STAT (1<<22) -+#define RULEFLAG_UNSAFE_ALLOW3F (1<<23) - - /* return code of the rewrite rule - * the result may be escaped - or not -@@ -184,7 +186,7 @@ static const char* really_last_key = "re - #define ACTION_NORMAL (1<<0) - #define ACTION_NOESCAPE (1<<1) - #define ACTION_STATUS (1<<2) -- -+#define ACTION_STATUS_SET (1<<3) - - #define MAPTYPE_TXT (1<<0) - #define MAPTYPE_DBM (1<<1) -@@ -208,6 +210,7 @@ static const char* really_last_key = "re - #define OPTION_IGNORE_INHERIT (1<<8) - #define OPTION_IGNORE_CONTEXT_INFO (1<<9) - #define OPTION_LEGACY_PREFIX_DOCROOT (1<<10) -+#define OPTION_UNSAFE_PREFIX_STAT (1<<12) - - #ifndef RAND_MAX - #define RAND_MAX 32767 -@@ -301,6 +304,14 @@ typedef enum { - CONDPAT_AP_EXPR - } pattern_type; - -+typedef enum { -+ RULE_RC_NOMATCH = 0, /* the rule didn't match */ -+ RULE_RC_MATCH = 1, /* a matching rule w/ substitution */ -+ RULE_RC_NOSUB = 2, /* a matching rule w/ no substitution */ -+ RULE_RC_STATUS_SET = 3 /* a matching rule that has set an HTTP error -+ to be returned in r->status */ -+} rule_return_type; -+ - typedef struct { - char *input; /* Input string of RewriteCond */ - char *pattern; /* the RegExp pattern string */ -@@ -927,10 +938,15 @@ static void fully_qualify_uri(request_re - return; - } - -+static int startsWith(request_rec *r, const char *haystack, const char *needle) { -+ int rc = (ap_strstr_c(haystack, needle) == haystack); -+ rewritelog((r, 5, NULL, "prefix_stat startsWith(%s, %s) %d", haystack, needle, rc)); -+ return rc; -+} - /* -- * stat() only the first segment of a path -+ * stat() only the first segment of a path, and only if it matches the output of the last matching rule - */ --static int prefix_stat(const char *path, apr_pool_t *pool) -+static int prefix_stat(request_rec *r, const char *path, apr_pool_t *pool, rewriterule_entry *lastsub) - { - const char *curpath = path; - const char *root; -@@ -964,10 +980,36 @@ static int prefix_stat(const char *path, - apr_finfo_t sb; - - if (apr_stat(&sb, statpath, APR_FINFO_MIN, pool) == APR_SUCCESS) { -- return 1; -+ if (!lastsub) { -+ rewritelog((r, 3, NULL, "prefix_stat no lastsub subst prefix %s", statpath)); -+ return 1; -+ } -+ -+ rewritelog((r, 3, NULL, "prefix_stat compare statpath %s and lastsub output %s STATOK %d ", -+ statpath, lastsub->output, lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT)); -+ if (lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT) { -+ return 1; -+ } -+ else { -+ const char *docroot = ap_document_root(r); -+ const char *context_docroot = ap_context_document_root(r); -+ /* -+ * As an example, path (r->filename) is /var/foo/bar/baz.html -+ * even if the flag is not set, we can accept a rule that -+ * began with a literal /var (stapath), or if the entire path -+ * starts with the docroot or context document root -+ */ -+ if (startsWith(r, lastsub->output, statpath) || -+ startsWith(r, path, docroot) || -+ ((docroot != context_docroot) && -+ startsWith(r, path, context_docroot))) { -+ return 1; -+ } -+ } - } - } - -+ /* prefix will be added */ - return 0; - } - -@@ -3072,6 +3114,9 @@ static const char *cmd_rewriteoptions(cm - else if (!strcasecmp(w, "legacyprefixdocroot")) { - options |= OPTION_LEGACY_PREFIX_DOCROOT; - } -+ else if (!strcasecmp(w, "UnsafePrefixStat")) { -+ options |= OPTION_UNSAFE_PREFIX_STAT; -+ } - else { - return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '", - w, "'", NULL); -@@ -3780,6 +3825,18 @@ static const char *cmd_rewriterule_setfl - ++error; - } - break; -+ case 'u': -+ case 'U': -+ if (!strcasecmp(key, "nsafePrefixStat")){ -+ cfg->flags |= (RULEFLAG_UNSAFE_PREFIX_STAT); -+ } -+ else if(!strcasecmp(key, "nsafeAllow3F")) { -+ cfg->flags |= RULEFLAG_UNSAFE_ALLOW3F; -+ } -+ else { -+ ++error; -+ } -+ break; - default: - ++error; - break; -@@ -4138,7 +4195,8 @@ static APR_INLINE void force_type_handle - /* - * Apply a single RewriteRule - */ --static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx) -+static rule_return_type apply_rewrite_rule(rewriterule_entry *p, -+ rewrite_ctx *ctx) - { - ap_regmatch_t regmatch[AP_MAX_REG_MATCH]; - apr_array_header_t *rewriteconds; -@@ -4189,7 +4247,7 @@ static int apply_rewrite_rule(rewriterul - rc = !ap_regexec(p->regexp, ctx->uri, AP_MAX_REG_MATCH, regmatch, 0); - if (! (( rc && !(p->flags & RULEFLAG_NOTMATCH)) || - (!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) { -- return 0; -+ return RULE_RC_NOMATCH; - } - - /* It matched, wow! Now it's time to prepare the context structure for -@@ -4240,7 +4298,7 @@ static int apply_rewrite_rule(rewriterul - } - } - else if (!rc) { -- return 0; -+ return RULE_RC_NOMATCH; - } - - /* If some HTTP header was involved in the condition, remember it -@@ -4260,6 +4318,15 @@ static int apply_rewrite_rule(rewriterul - newuri = do_expand(p->output, ctx, p); - rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri, - newuri)); -+ if (!(p->flags & RULEFLAG_UNSAFE_ALLOW3F) && -+ ap_strcasestr(r->unparsed_uri, "%3f") && -+ ap_strchr_c(newuri, '?')) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO() -+ "Unsafe URL with %%3f URL rewritten without " -+ "UnsafeAllow3F"); -+ r->status = HTTP_FORBIDDEN; -+ return RULE_RC_STATUS_SET; -+ } - } - - /* expand [E=var:val] and [CO=] */ -@@ -4277,7 +4344,7 @@ static int apply_rewrite_rule(rewriterul - r->status = p->forced_responsecode; - } - -- return 2; -+ return RULE_RC_NOSUB; - } - - /* Add the previously stripped per-directory location prefix, unless -@@ -4343,7 +4410,7 @@ static int apply_rewrite_rule(rewriterul - r->filename)); - - r->filename = apr_pstrcat(r->pool, "proxy:", r->filename, NULL); -- return 1; -+ return RULE_RC_MATCH; - } - - /* If this rule is explicitly forced for HTTP redirection -@@ -4358,7 +4425,7 @@ static int apply_rewrite_rule(rewriterul - r->filename)); - - r->status = p->forced_responsecode; -- return 1; -+ return RULE_RC_MATCH; - } - - /* Special Rewriting Feature: Self-Reduction -@@ -4380,7 +4447,7 @@ static int apply_rewrite_rule(rewriterul - "with %s", p->forced_responsecode, r->filename)); - - r->status = p->forced_responsecode; -- return 1; -+ return RULE_RC_MATCH; - } - - /* Finally remember the forced mime-type */ -@@ -4389,7 +4456,7 @@ static int apply_rewrite_rule(rewriterul - /* Puuhhhhhhhh... WHAT COMPLICATED STUFF ;_) - * But now we're done for this particular rule. - */ -- return 1; -+ return RULE_RC_MATCH; - } - - /* -@@ -4397,13 +4464,13 @@ static int apply_rewrite_rule(rewriterul - * i.e. a list of rewrite rules - */ - static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules, -- char *perdir) -+ char *perdir, rewriterule_entry **lastsub) - { - rewriterule_entry *entries; - rewriterule_entry *p; - int i; - int changed; -- int rc; -+ rule_return_type rc; - int s; - rewrite_ctx *ctx; - int round = 1; -@@ -4411,6 +4478,7 @@ static int apply_rewrite_list(request_re - ctx = apr_palloc(r->pool, sizeof(*ctx)); - ctx->perdir = perdir; - ctx->r = r; -+ *lastsub = NULL; - - /* - * Iterate over all existing rules -@@ -4438,7 +4506,12 @@ static int apply_rewrite_list(request_re - ctx->vary = NULL; - rc = apply_rewrite_rule(p, ctx); - -- if (rc) { -+ if (rc != RULE_RC_NOMATCH) { -+ -+ if (!(p->flags & RULEFLAG_NOSUB)) { -+ rewritelog((r, 2, perdir, "setting lastsub to rule with output %s", p->output)); -+ *lastsub = p; -+ } - - /* Catch looping rules with pathinfo growing unbounded */ - if ( strlen( r->filename ) > 2*r->server->limit_req_line ) { -@@ -4458,6 +4531,12 @@ static int apply_rewrite_list(request_re - apr_table_merge(r->headers_out, "Vary", ctx->vary); - } - -+ -+ /* Error while evaluating rule, r->status set */ -+ if (RULE_RC_STATUS_SET == rc) { -+ return ACTION_STATUS_SET; -+ } -+ - /* - * The rule sets the response code (implies match-only) - */ -@@ -4468,7 +4547,7 @@ static int apply_rewrite_list(request_re - /* - * Indicate a change if this was not a match-only rule. - */ -- if (rc != 2) { -+ if (rc != RULE_RC_NOSUB) { - changed = ((p->flags & RULEFLAG_NOESCAPE) - ? ACTION_NOESCAPE : ACTION_NORMAL); - } -@@ -4657,6 +4736,7 @@ static int hook_uri2file(request_rec *r) - int rulestatus; - void *skipdata; - const char *oargs; -+ rewriterule_entry *lastsub = NULL; - - /* - * retrieve the config structures -@@ -4768,7 +4848,7 @@ static int hook_uri2file(request_rec *r) - /* - * now apply the rules ... - */ -- rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL); -+ rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL, &lastsub); - apr_table_setn(r->notes, "mod_rewrite_rewritten", - apr_psprintf(r->pool,"%d",rulestatus)); - } -@@ -4806,6 +4886,9 @@ static int hook_uri2file(request_rec *r) - r->status = HTTP_OK; - return n; - } -+ else if (ACTION_STATUS_SET == rulestatus) { -+ return r->status; -+ } - - if (to_proxyreq) { - /* it should be go on as an internal proxy request */ -@@ -4925,23 +5008,29 @@ static int hook_uri2file(request_rec *r) - return HTTP_BAD_REQUEST; - } - -- /* if there is no valid prefix, we call -- * the translator from the core and -- * prefix the filename with document_root -+ /* We have r->filename as a path in a server-context rewrite without -+ * the PT flag. The historical behavior is to treat it as a verbatim -+ * filesystem path iff the first component of the path exists and is -+ * readable by httpd. Otherwise, it is interpreted as DocumentRoot -+ * relative. - * - * NOTICE: - * We cannot leave out the prefix_stat because -- * - when we always prefix with document_root -- * then no absolute path can be created, e.g. via -- * emulating a ScriptAlias directive, etc. -- * - when we always NOT prefix with document_root -+ * - If we always prefix with document_root -+ * then no absolute path can could ever be used in -+ * a substitution. e.g. emulating an Alias. -+ * - If we never prefix with document_root - * then the files under document_root have to - * be references directly and document_root - * gets never used and will be a dummy parameter - -- * this is also bad -+ * this is also bad. -+ * - Later addition: This part is questionable. -+ * If we had never prefixed, users would just -+ * need %{DOCUMENT_ROOT} in substitutions or the -+ * [PT] flag. - * - * BUT: -- * Under real Unix systems this is no problem, -+ * Under real Unix systems this is no perf problem, - * because we only do stat() on the first directory - * and this gets cached by the kernel for along time! - */ -@@ -4950,7 +5039,9 @@ static int hook_uri2file(request_rec *r) - uri_reduced = apr_table_get(r->notes, "mod_rewrite_uri_reduced"); - } - -- if (!prefix_stat(r->filename, r->pool) || uri_reduced != NULL) { -+ if (!prefix_stat(r, r->filename, r->pool, -+ conf->options & OPTION_UNSAFE_PREFIX_STAT ? NULL : lastsub) -+ || uri_reduced != NULL) { - int res; - char *tmp = r->uri; - -@@ -4995,6 +5086,7 @@ static int hook_fixup(request_rec *r) - char *ofilename, *oargs; - int is_proxyreq; - void *skipdata; -+ rewriterule_entry *lastsub; - - dconf = (rewrite_perdir_conf *)ap_get_module_config(r->per_dir_config, - &rewrite_module); -@@ -5079,7 +5171,7 @@ static int hook_fixup(request_rec *r) - /* - * now apply the rules ... - */ -- rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory); -+ rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory, &lastsub); - if (rulestatus) { - unsigned skip_absolute = is_absolute_uri(r->filename, NULL); - int to_proxyreq = 0; -@@ -5108,6 +5200,9 @@ static int hook_fixup(request_rec *r) - r->status = HTTP_OK; - return n; - } -+ else if (ACTION_STATUS_SET == rulestatus) { -+ return r->status; -+ } - - if (to_proxyreq) { - /* it should go on as an internal proxy request */ diff --git a/apache2-CVE-2024-38476-1.patch b/apache2-CVE-2024-38476-1.patch deleted file mode 100644 index 128a51c..0000000 --- a/apache2-CVE-2024-38476-1.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- a/include/http_protocol.h 2024/06/24 17:52:31 1918559 -+++ b/include/http_protocol.h 2024/06/24 17:54:34 1918560 -@@ -439,6 +439,17 @@ - AP_DECLARE(void) ap_set_content_type(request_rec *r, const char *ct); - - /** -+ * Set the content type for this request (r->content_type). -+ * @param r The current request -+ * @param ct The new content type -+ * @param trusted If non-zero, The content-type should come from a -+ * trusted source such as server configuration rather -+ * than application output. -+ * for the AddOutputFilterByType directive to work correctly. -+ */ -+AP_DECLARE(void) ap_set_content_type_ex(request_rec *r, const char *ct, int trusted); -+ -+/** - * Set the Accept-Ranges header for this response - * @param r The current request - */ diff --git a/apache2-CVE-2024-38476-10.patch b/apache2-CVE-2024-38476-10.patch deleted file mode 100644 index ca235d1..0000000 --- a/apache2-CVE-2024-38476-10.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/server/config.c 2024/06/24 17:52:31 1918559 -+++ b/server/config.c 2024/06/24 17:54:34 1918560 -@@ -418,7 +418,7 @@ - } - - if (!r->handler) { -- if (r->content_type) { -+ if (r->content_type && AP_REQUEST_IS_TRUSTED_CT(r)) { - handler = r->content_type; - if ((p=ap_strchr_c(handler, ';')) != NULL) { - char *new_handler = (char *)apr_pmemdup(r->pool, handler, diff --git a/apache2-CVE-2024-38476-11.patch b/apache2-CVE-2024-38476-11.patch deleted file mode 100644 index ba60538..0000000 --- a/apache2-CVE-2024-38476-11.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/server/core.c 2024/06/24 17:52:31 1918559 -+++ b/server/core.c 2024/06/24 17:54:34 1918560 -@@ -4835,7 +4835,7 @@ - /* Check for overrides with ForceType / SetHandler - */ - if (conf->mime_type && strcmp(conf->mime_type, "none")) -- ap_set_content_type(r, (char*) conf->mime_type); -+ ap_set_content_type_ex(r, (char*) conf->mime_type, 1); - - if (conf->expr_handler) { - const char *err; diff --git a/apache2-CVE-2024-38476-2.patch b/apache2-CVE-2024-38476-2.patch deleted file mode 100644 index 46ba81f..0000000 --- a/apache2-CVE-2024-38476-2.patch +++ /dev/null @@ -1,23 +0,0 @@ ---- a/include/httpd.h 2024/06/24 17:52:31 1918559 -+++ b/include/httpd.h 2024/06/24 17:54:34 1918560 -@@ -667,6 +667,7 @@ - * - */ - #define AP_REQUEST_STRONG_ETAG 1 >> 0 -+#define AP_REQUEST_TRUSTED_CT 1 << 1 - - /** - * This is a convenience macro to ease with getting specific request -@@ -689,6 +690,12 @@ - AP_REQUEST_GET_BNOTE((r), AP_REQUEST_STRONG_ETAG) - /** @} */ - -+/** -+ * Returns true if the content-type field is from a trusted source -+ */ -+#define AP_REQUEST_IS_TRUSTED_CT(r) \ -+ (!!AP_REQUEST_GET_BNOTE((r), AP_REQUEST_TRUSTED_CT)) -+/** @} */ - - /** - * @defgroup module_magic Module Magic mime types diff --git a/apache2-CVE-2024-38476-3.patch b/apache2-CVE-2024-38476-3.patch deleted file mode 100644 index bb912df..0000000 --- a/apache2-CVE-2024-38476-3.patch +++ /dev/null @@ -1,17 +0,0 @@ ---- a/modules/http/http_protocol.c 2024/06/24 17:52:31 1918559 -+++ b/modules/http/http_protocol.c 2024/06/24 17:54:34 1918560 -@@ -1097,8 +1097,14 @@ - } - else if (!r->content_type || strcmp(r->content_type, ct)) { - r->content_type = ct; -+ AP_REQUEST_SET_BNOTE(r, AP_REQUEST_TRUSTED_CT, 0); - } - } -+AP_DECLARE(void) ap_set_content_type_ex(request_rec *r, const char *ct, int trusted) -+{ -+ ap_set_content_type(r, ct); -+ AP_REQUEST_SET_BNOTE(r, AP_REQUEST_TRUSTED_CT, trusted ? AP_REQUEST_TRUSTED_CT : 0); -+} - - AP_DECLARE(void) ap_set_accept_ranges(request_rec *r) - { diff --git a/apache2-CVE-2024-38476-4.patch b/apache2-CVE-2024-38476-4.patch deleted file mode 100644 index 1988822..0000000 --- a/apache2-CVE-2024-38476-4.patch +++ /dev/null @@ -1,70 +0,0 @@ ---- a/modules/http/mod_mime.c 2024/06/24 17:52:31 1918559 -+++ b/modules/http/mod_mime.c 2024/06/24 17:54:34 1918560 -@@ -759,7 +759,7 @@ - int found_metadata = 0; - - if (r->finfo.filetype == APR_DIR) { -- ap_set_content_type(r, DIR_MAGIC_TYPE); -+ ap_set_content_type_ex(r, DIR_MAGIC_TYPE, 1); - return OK; - } - -@@ -850,7 +850,7 @@ - if (exinfo == NULL || !exinfo->forced_type) { - if ((type = apr_hash_get(mime_type_extensions, ext, - APR_HASH_KEY_STRING)) != NULL) { -- ap_set_content_type(r, (char*) type); -+ ap_set_content_type_ex(r, (char*) type, 1); - found = 1; - } - } -@@ -859,7 +859,7 @@ - - /* empty string is treated as special case for RemoveType */ - if (exinfo->forced_type && *exinfo->forced_type) { -- ap_set_content_type(r, exinfo->forced_type); -+ ap_set_content_type_ex(r, exinfo->forced_type, 1); - found = 1; - } - -@@ -964,33 +964,33 @@ - memcpy(tmp, ctp->subtype, ctp->subtype_len); - tmp += ctp->subtype_len; - *tmp = 0; -- ap_set_content_type(r, base_content_type); -+ ap_set_content_type_ex(r, base_content_type, AP_REQUEST_IS_TRUSTED_CT(r)); - while (pp != NULL) { - if (charset && !strcmp(pp->attr, "charset")) { - if (!override) { -- ap_set_content_type(r, -+ ap_set_content_type_ex(r, - apr_pstrcat(r->pool, - r->content_type, - "; charset=", - charset, -- NULL)); -+ NULL), AP_REQUEST_IS_TRUSTED_CT(r)); - override = 1; - } - } - else { -- ap_set_content_type(r, -+ ap_set_content_type_ex(r, - apr_pstrcat(r->pool, - r->content_type, - "; ", pp->attr, - "=", pp->val, -- NULL)); -+ NULL), AP_REQUEST_IS_TRUSTED_CT(r)); - } - pp = pp->next; - } - if (charset && !override) { -- ap_set_content_type(r, apr_pstrcat(r->pool, r->content_type, -+ ap_set_content_type_ex(r, apr_pstrcat(r->pool, r->content_type, - "; charset=", charset, -- NULL)); -+ NULL), AP_REQUEST_IS_TRUSTED_CT(r)); - } - } - } diff --git a/apache2-CVE-2024-38476-5.patch b/apache2-CVE-2024-38476-5.patch deleted file mode 100644 index 429e5e2..0000000 --- a/apache2-CVE-2024-38476-5.patch +++ /dev/null @@ -1,15 +0,0 @@ ---- a/modules/mappers/mod_actions.c 2024/06/24 17:52:31 1918559 -+++ b/modules/mappers/mod_actions.c 2024/06/24 17:54:34 1918560 -@@ -182,8 +182,10 @@ - return DECLINED; - - /* Second, check for actions (which override the method scripts) */ -- action = r->handler ? r->handler : -- ap_field_noparam(r->pool, r->content_type); -+ action = r->handler; -+ if (!action && AP_REQUEST_IS_TRUSTED_CT(r)) { -+ action = ap_field_noparam(r->pool, r->content_type); -+ } - - if (action && (t = apr_table_get(conf->action_types, action))) { - int virtual = (*t++ == '0' ? 0 : 1); diff --git a/apache2-CVE-2024-38476-6.patch b/apache2-CVE-2024-38476-6.patch deleted file mode 100644 index e51b561..0000000 --- a/apache2-CVE-2024-38476-6.patch +++ /dev/null @@ -1,29 +0,0 @@ ---- a/modules/mappers/mod_negotiation.c 2024/06/24 17:52:31 1918559 -+++ b/modules/mappers/mod_negotiation.c 2024/06/24 17:54:34 1918560 -@@ -1167,7 +1167,7 @@ - * might be doing. - */ - if (sub_req->handler && !sub_req->content_type) { -- ap_set_content_type(sub_req, CGI_MAGIC_TYPE); -+ ap_set_content_type_ex(sub_req, CGI_MAGIC_TYPE, 1); - } - - /* -@@ -3003,14 +3003,14 @@ - /* set MIME type and charset as negotiated */ - if (best->mime_type && *best->mime_type) { - if (best->content_charset && *best->content_charset) { -- ap_set_content_type(r, apr_pstrcat(r->pool, -+ ap_set_content_type_ex(r, apr_pstrcat(r->pool, - best->mime_type, - "; charset=", - best->content_charset, -- NULL)); -+ NULL), 1); - } - else { -- ap_set_content_type(r, apr_pstrdup(r->pool, best->mime_type)); -+ ap_set_content_type_ex(r, apr_pstrdup(r->pool, best->mime_type), 1); - } - } - diff --git a/apache2-CVE-2024-38476-7.patch b/apache2-CVE-2024-38476-7.patch deleted file mode 100644 index 61a775c..0000000 --- a/apache2-CVE-2024-38476-7.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- a/modules/mappers/mod_rewrite.c 2024/06/24 17:52:31 1918559 -+++ b/modules/mappers/mod_rewrite.c 2024/06/24 17:54:34 1918560 -@@ -5333,7 +5333,7 @@ - rewritelog((r, 1, NULL, "force filename %s to have MIME-type '%s'", - r->filename, t)); - -- ap_set_content_type(r, t); -+ ap_set_content_type_ex(r, t, 1); - } - - /* handler */ diff --git a/apache2-CVE-2024-38476-8.patch b/apache2-CVE-2024-38476-8.patch deleted file mode 100644 index ed1155e..0000000 --- a/apache2-CVE-2024-38476-8.patch +++ /dev/null @@ -1,28 +0,0 @@ ---- a/modules/metadata/mod_headers.c 2024/06/24 17:52:31 1918559 -+++ b/modules/metadata/mod_headers.c 2024/06/24 17:54:34 1918560 -@@ -783,14 +783,14 @@ - break; - case hdr_set: - if (!ap_cstr_casecmp(hdr->header, "Content-Type")) { -- ap_set_content_type(r, process_tags(hdr, r)); -+ ap_set_content_type_ex(r, process_tags(hdr, r), 1); - } - apr_table_setn(headers, hdr->header, process_tags(hdr, r)); - break; - case hdr_setifempty: - if (NULL == apr_table_get(headers, hdr->header)) { - if (!ap_cstr_casecmp(hdr->header, "Content-Type")) { -- ap_set_content_type(r, process_tags(hdr, r)); -+ ap_set_content_type_ex(r, process_tags(hdr, r), 1); - } - apr_table_setn(headers, hdr->header, process_tags(hdr, r)); - } -@@ -809,7 +809,7 @@ - const char *repl = process_regexp(hdr, r->content_type, r); - if (repl == NULL) - return 0; -- ap_set_content_type(r, repl); -+ ap_set_content_type_ex(r, repl, 1); - } - if (apr_table_get(headers, hdr->header)) { - edit_do ed; diff --git a/apache2-CVE-2024-38476-9.patch b/apache2-CVE-2024-38476-9.patch deleted file mode 100644 index 5fc785a..0000000 --- a/apache2-CVE-2024-38476-9.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- a/modules/metadata/mod_mime_magic.c 2024/06/24 17:52:31 1918559 -+++ b/modules/metadata/mod_mime_magic.c 2024/06/24 17:54:34 1918560 -@@ -788,7 +788,7 @@ - /* XXX: this could be done at config time I'm sure... but I'm - * confused by all this magic_rsl stuff. -djg */ - ap_content_type_tolower(tmp); -- ap_set_content_type(r, tmp); -+ ap_set_content_type_ex(r, tmp, 1); - - if (state == rsl_encoding) { - tmp = rsl_strdup(r, encoding_frag, -@@ -2326,7 +2326,7 @@ - - /* extract content type/encoding/language from sub-request */ - if (sub->content_type) { -- ap_set_content_type(r, apr_pstrdup(r->pool, sub->content_type)); -+ ap_set_content_type_ex(r, apr_pstrdup(r->pool, sub->content_type), 1); - #if MIME_MAGIC_DEBUG - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01557) - MODNAME ": subrequest %s got %s", diff --git a/apache2-CVE-2024-38477.patch b/apache2-CVE-2024-38477.patch deleted file mode 100644 index 28d7a6b..0000000 --- a/apache2-CVE-2024-38477.patch +++ /dev/null @@ -1,27 +0,0 @@ ---- a/modules/proxy/proxy_util.c 2024/06/25 17:29:06 1918606 -+++ b/modules/proxy/proxy_util.c 2024/06/25 17:29:32 1918607 -@@ -3113,6 +3113,13 @@ - apr_pstrcat(p,"URI cannot be parsed: ", *url, - NULL)); - } -+ -+ if (!uri->hostname) { -+ return ap_proxyerror(r, HTTP_BAD_REQUEST, -+ apr_pstrcat(p,"URI has no hostname: ", *url, -+ NULL)); -+ } -+ - if (!uri->port) { - uri->port = ap_proxy_port_of_scheme(uri->scheme); - } -@@ -4496,6 +4503,10 @@ - - /* Compute Host header */ - if (dconf->preserve_host == 0) { -+ if (!uri->hostname) { -+ rc = HTTP_BAD_REQUEST; -+ goto cleanup; -+ } - if (ap_strchr_c(uri->hostname, ':')) { /* if literal IPv6 address */ - if (uri->port_str && uri->port != DEFAULT_HTTP_PORT) { - host = apr_pstrcat(r->pool, "[", uri->hostname, "]:", diff --git a/apache2-CVE-2024-39573.patch b/apache2-CVE-2024-39573.patch deleted file mode 100644 index daceace..0000000 --- a/apache2-CVE-2024-39573.patch +++ /dev/null @@ -1,54 +0,0 @@ ---- a/modules/mappers/mod_rewrite.c 2024/06/25 15:22:28 1918599 -+++ b/modules/mappers/mod_rewrite.c 2024/06/25 15:28:00 1918600 -@@ -4347,6 +4347,32 @@ - return 2; - } - -+ /* Add the previously stripped per-directory location prefix, unless -+ * (1) it's an absolute URL path and -+ * (2) it's a full qualified URL -+ */ -+ if (!is_proxyreq && *newuri != '/' && !is_absolute_uri(newuri, NULL)) { -+ if (ctx->perdir) { -+ rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s", -+ newuri, ctx->perdir, newuri)); -+ -+ newuri = apr_pstrcat(r->pool, ctx->perdir, newuri, NULL); -+ } -+ else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) { -+ /* Not an absolute URI-path and the scheme (if any) is unknown, -+ * and it won't be passed to fully_qualify_uri() below either, -+ * so add an implicit '/' prefix. This avoids potentially a common -+ * rule like "RewriteRule ^/some/path(.*) $1" that is given a path -+ * like "/some/pathscheme:..." to produce the fully qualified URL -+ * "scheme:..." which could be misinterpreted later. -+ */ -+ rewritelog((r, 3, ctx->perdir, "add root prefix: %s -> /%s", -+ newuri, newuri)); -+ -+ newuri = apr_pstrcat(r->pool, "/", newuri, NULL); -+ } -+ } -+ - /* Now adjust API's knowledge about r->filename and r->args */ - r->filename = newuri; - -@@ -4356,18 +4382,6 @@ - - splitout_queryargs(r, p->flags); - -- /* Add the previously stripped per-directory location prefix, unless -- * (1) it's an absolute URL path and -- * (2) it's a full qualified URL -- */ -- if ( ctx->perdir && !is_proxyreq && *r->filename != '/' -- && !is_absolute_uri(r->filename, NULL)) { -- rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s", -- r->filename, ctx->perdir, r->filename)); -- -- r->filename = apr_pstrcat(r->pool, ctx->perdir, r->filename, NULL); -- } -- - /* If this rule is forced for proxy throughput - * (`RewriteRule ... ... [P]') then emulate mod_proxy's - * URL-to-filename handler to be sure mod_proxy is triggered diff --git a/apache2-CVE-2024-39884.patch b/apache2-CVE-2024-39884.patch deleted file mode 100644 index cc19ea9..0000000 --- a/apache2-CVE-2024-39884.patch +++ /dev/null @@ -1,266 +0,0 @@ -Index: httpd-2.4.58/modules/cluster/mod_heartmonitor.c -=================================================================== ---- httpd-2.4.58.orig/modules/cluster/mod_heartmonitor.c -+++ httpd-2.4.58/modules/cluster/mod_heartmonitor.c -@@ -782,7 +782,7 @@ static int hm_handler(request_rec *r) - hmserver.seen = apr_time_now(); - hm_update_stat(ctx, &hmserver, r->pool); - -- ap_set_content_type(r, "text/plain"); -+ ap_set_content_type_ex(r, "text/plain", 1); - ap_set_content_length(r, 2); - ap_rputs("OK", r); - ap_rflush(r); -Index: httpd-2.4.58/modules/dav/main/mod_dav.c -=================================================================== ---- httpd-2.4.58.orig/modules/dav/main/mod_dav.c -+++ httpd-2.4.58/modules/dav/main/mod_dav.c -@@ -355,7 +355,7 @@ static int dav_error_response(request_re - r->status = status; - r->status_line = ap_get_status_line(status); - -- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); -+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); - - /* begin the response now... */ - ap_rvputs(r, -@@ -386,7 +386,7 @@ static int dav_error_response_tag(reques - { - r->status = err->status; - -- ap_set_content_type(r, DAV_XML_CONTENT_TYPE); -+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); - - ap_rputs(DAV_XML_HEADER DEBUG_CR - "status = status; -- ap_set_content_type(r, DAV_XML_CONTENT_TYPE); -+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); - - /* Send the headers and actual multistatus response now... */ - ap_fputs(r->output_filters, bb, DAV_XML_HEADER DEBUG_CR -@@ -2016,7 +2016,7 @@ static int dav_method_options(request_re - - /* send the options response */ - r->status = HTTP_OK; -- ap_set_content_type(r, DAV_XML_CONTENT_TYPE); -+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); - - /* send the headers and response body */ - ap_rputs(DAV_XML_HEADER DEBUG_CR -@@ -3328,7 +3328,7 @@ static int dav_method_lock(request_rec * - (*locks_hooks->close_lockdb)(lockdb); - - r->status = HTTP_OK; -- ap_set_content_type(r, DAV_XML_CONTENT_TYPE); -+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1); - - ap_rputs(DAV_XML_HEADER DEBUG_CR "" DEBUG_CR, r); - if (lock == NULL) -Index: httpd-2.4.58/modules/examples/mod_example_hooks.c -=================================================================== ---- httpd-2.4.58.orig/modules/examples/mod_example_hooks.c -+++ httpd-2.4.58/modules/examples/mod_example_hooks.c -@@ -993,7 +993,7 @@ static int x_handler(request_rec *r) - * Set the Content-type header. Note that we do not actually have to send - * the headers: this is done by the http core. - */ -- ap_set_content_type(r, "text/html"); -+ ap_set_content_type_ex(r, "text/html", 1); - /* - * If we're only supposed to send header information (HEAD request), we're - * already there. -Index: httpd-2.4.58/modules/filters/mod_data.c -=================================================================== ---- httpd-2.4.58.orig/modules/filters/mod_data.c -+++ httpd-2.4.58/modules/filters/mod_data.c -@@ -117,7 +117,7 @@ static apr_status_t data_out_filter(ap_f - } - } - -- ap_set_content_type(r, "text/plain"); -+ ap_set_content_type_ex(r, "text/plain", 1); - - } - -Index: httpd-2.4.58/modules/filters/mod_include.c -=================================================================== ---- httpd-2.4.58.orig/modules/filters/mod_include.c -+++ httpd-2.4.58/modules/filters/mod_include.c -@@ -3972,7 +3972,7 @@ static int include_fixup(request_rec *r) - if (r->handler && (strcmp(r->handler, "server-parsed") == 0)) - { - if (!r->content_type || !*r->content_type) { -- ap_set_content_type(r, "text/html"); -+ ap_set_content_type_ex(r, "text/html", 1); - } - r->handler = "default-handler"; - } -Index: httpd-2.4.58/modules/filters/mod_proxy_html.c -=================================================================== ---- httpd-2.4.58.orig/modules/filters/mod_proxy_html.c -+++ httpd-2.4.58/modules/filters/mod_proxy_html.c -@@ -952,7 +952,7 @@ static apr_status_t proxy_html_filter(ap - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, f->r, APLOGNO(01422) - "No i18n support found. Install mod_xml2enc if required"); - enc = XML_CHAR_ENCODING_NONE; -- ap_set_content_type(f->r, "text/html;charset=utf-8"); -+ ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1); - } - else { - /* if we wanted a non-default charset_out, insert the -@@ -968,7 +968,7 @@ static apr_status_t proxy_html_filter(ap - cenc, NULL)); - } - else /* Normal case, everything worked, utf-8 output */ -- ap_set_content_type(f->r, "text/html;charset=utf-8"); -+ ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1); - } - - ap_fputs(f->next, ctxt->bb, ctxt->cfg->doctype); -Index: httpd-2.4.58/modules/generators/mod_cgi.c -=================================================================== ---- httpd-2.4.58.orig/modules/generators/mod_cgi.c -+++ httpd-2.4.58/modules/generators/mod_cgi.c -@@ -1085,7 +1085,7 @@ static apr_status_t include_cgi(include_ - /* Force sub_req to be treated as a CGI request, even if ordinary - * typing rules would have called it something else. - */ -- ap_set_content_type(rr, CGI_MAGIC_TYPE); -+ ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1); - - /* Run it. */ - rr_status = ap_run_sub_req(rr); -Index: httpd-2.4.58/modules/generators/mod_cgid.c -=================================================================== ---- httpd-2.4.58.orig/modules/generators/mod_cgid.c -+++ httpd-2.4.58/modules/generators/mod_cgid.c -@@ -1765,7 +1765,7 @@ static apr_status_t include_cgi(include_ - /* Force sub_req to be treated as a CGI request, even if ordinary - * typing rules would have called it something else. - */ -- ap_set_content_type(rr, CGI_MAGIC_TYPE); -+ ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1); - - /* Run it. */ - rr_status = ap_run_sub_req(rr); -Index: httpd-2.4.58/modules/generators/mod_info.c -=================================================================== ---- httpd-2.4.58.orig/modules/generators/mod_info.c -+++ httpd-2.4.58/modules/generators/mod_info.c -@@ -784,7 +784,7 @@ static int display_info(request_rec * r) - return DECLINED; - } - -- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); -+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); - - ap_rputs(DOCTYPE_XHTML_1_0T - "\n" -Index: httpd-2.4.58/modules/generators/mod_status.c -=================================================================== ---- httpd-2.4.58.orig/modules/generators/mod_status.c -+++ httpd-2.4.58/modules/generators/mod_status.c -@@ -273,7 +273,7 @@ static int status_handler(request_rec *r - if (r->method_number != M_GET) - return DECLINED; - -- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); -+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); - - /* - * Simple table-driven form data set parser that lets you alter the header -@@ -301,7 +301,7 @@ static int status_handler(request_rec *r - no_table_report = 1; - break; - case STAT_OPT_AUTO: -- ap_set_content_type(r, "text/plain; charset=ISO-8859-1"); -+ ap_set_content_type_ex(r, "text/plain; charset=ISO-8859-1", 1); - short_report = 1; - break; - } -Index: httpd-2.4.58/modules/http/http_filters.c -=================================================================== ---- httpd-2.4.58.orig/modules/http/http_filters.c -+++ httpd-2.4.58/modules/http/http_filters.c -@@ -1261,7 +1261,7 @@ AP_DECLARE_NONSTD(int) ap_send_http_trac - } - } - -- ap_set_content_type(r, "message/http"); -+ ap_set_content_type_ex(r, "message/http", 1); - - /* Now we recreate the request, and echo it back */ - -Index: httpd-2.4.58/modules/http/http_protocol.c -=================================================================== ---- httpd-2.4.58.orig/modules/http/http_protocol.c -+++ httpd-2.4.58/modules/http/http_protocol.c -@@ -1443,10 +1443,10 @@ AP_DECLARE(void) ap_send_error_response( - request_conf->suppress_charset = 1; /* avoid adding default - * charset later - */ -- ap_set_content_type(r, "text/html"); -+ ap_set_content_type_ex(r, "text/html", 1); - } - else { -- ap_set_content_type(r, "text/html; charset=iso-8859-1"); -+ ap_set_content_type_ex(r, "text/html; charset=iso-8859-1", 1); - } - - if ((status == HTTP_METHOD_NOT_ALLOWED) -Index: httpd-2.4.58/modules/ldap/util_ldap.c -=================================================================== ---- httpd-2.4.58.orig/modules/ldap/util_ldap.c -+++ httpd-2.4.58/modules/ldap/util_ldap.c -@@ -171,7 +171,7 @@ static int util_ldap_handler(request_rec - st = (util_ldap_state_t *) ap_get_module_config(r->server->module_config, - &ldap_module); - -- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); -+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); - - if (r->header_only) - return OK; -Index: httpd-2.4.58/modules/mappers/mod_imagemap.c -=================================================================== ---- httpd-2.4.58.orig/modules/mappers/mod_imagemap.c -+++ httpd-2.4.58/modules/mappers/mod_imagemap.c -@@ -475,7 +475,7 @@ static int imap_reply(request_rec *r, co - - static void menu_header(request_rec *r, char *menu) - { -- ap_set_content_type(r, "text/html; charset=ISO-8859-1"); -+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1); - - ap_rvputs(r, DOCTYPE_HTML_3_2, "\nMenu for ", - ap_escape_html(r->pool, r->uri), -Index: httpd-2.4.58/modules/http/http_request.c -=================================================================== ---- httpd-2.4.58.orig/modules/http/http_request.c -+++ httpd-2.4.58/modules/http/http_request.c -@@ -708,7 +708,7 @@ AP_DECLARE(void) ap_internal_fast_redire - r->args = rr->args; - r->finfo = rr->finfo; - r->handler = rr->handler; -- ap_set_content_type(r, rr->content_type); -+ ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r)); - r->content_encoding = rr->content_encoding; - r->content_languages = rr->content_languages; - r->per_dir_config = rr->per_dir_config; -Index: httpd-2.4.58/modules/proxy/mod_proxy_balancer.c -=================================================================== ---- httpd-2.4.58.orig/modules/proxy/mod_proxy_balancer.c -+++ httpd-2.4.58/modules/proxy/mod_proxy_balancer.c -@@ -1471,7 +1471,7 @@ static void balancer_display_page(reques - - if (usexml) { - char date[APR_RFC822_DATE_LEN]; -- ap_set_content_type(r, "text/xml"); -+ ap_set_content_type_ex(r, "text/xml", 1); - ap_rputs("<?xml version='1.0' encoding='UTF-8' ?>\n", r); - ap_rputs("<httpd:manager xmlns:httpd='http://httpd.apache.org'>\n", r); - ap_rputs(" <httpd:balancers>\n", r); diff --git a/apache2-CVE-2024-40725.patch b/apache2-CVE-2024-40725.patch deleted file mode 100644 index e10e658..0000000 --- a/apache2-CVE-2024-40725.patch +++ /dev/null @@ -1,29 +0,0 @@ -From a7d24b4ea9a6ea35878fd33075365328caafcf91 Mon Sep 17 00:00:00 2001 -From: Eric Covener <covener@apache.org> -Date: Mon, 15 Jul 2024 12:08:30 +0000 -Subject: [PATCH] Merge r1919247 from trunk: - -copy the trusted flag from the subrequest - -Submitted By: covener -Reviewed By: covener, ylavic, gbechis - - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1919249 13f79535-47bb-0310-9956-ffa450edef68 ---- - modules/http/http_request.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules/http/http_request.c b/modules/http/http_request.c -index 71ecc2bbab1..7e9477be1f1 100644 ---- a/modules/http/http_request.c -+++ b/modules/http/http_request.c -@@ -708,7 +708,7 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r) - r->args = rr->args; - r->finfo = rr->finfo; - r->handler = rr->handler; -- ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r)); -+ ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(rr)); - r->content_encoding = rr->content_encoding; - r->content_languages = rr->content_languages; - r->per_dir_config = rr->per_dir_config; diff --git a/apache2-fips-compatibility-01.patch b/apache2-fips-compatibility-01.patch deleted file mode 100644 index a475586..0000000 --- a/apache2-fips-compatibility-01.patch +++ /dev/null @@ -1,25 +0,0 @@ -From e2d689b4b25008e9d3e701e86c052e877452e1cc Mon Sep 17 00:00:00 2001 -From: StephenWall <35972871+StephenWall@users.noreply.github.com> -Date: Tue, 16 Jan 2024 08:26:12 -0500 -Subject: [PATCH] Check SSL_CTX_new() return value - -SSL_CTX_new() will return NULL if there was an error creating a new SSL context. ---- - modules/ssl/ssl_engine_init.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c -index 30fd6c5e4b5..2107cf44d7c 100644 ---- a/modules/ssl/ssl_engine_init.c -+++ b/modules/ssl/ssl_engine_init.c -@@ -738,6 +738,10 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s, - TLS_server_method(); /* server */ - #endif - ctx = SSL_CTX_new(method); -+ if(ctx == NULL) { -+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); -+ return ssl_die(s); -+ } - - mctx->ssl_ctx = ctx; - diff --git a/apache2-fips-compatibility-02.patch b/apache2-fips-compatibility-02.patch deleted file mode 100644 index ac8d87f..0000000 --- a/apache2-fips-compatibility-02.patch +++ /dev/null @@ -1,849 +0,0 @@ -# ./pullrev.sh 1913912 1915067 - -http://svn.apache.org/viewvc?view=revision&revision=1913912 -http://svn.apache.org/viewvc?view=revision&revision=1915067 - -Upstream-Status: merged for 2.4.59 - ---- httpd-2.4.58/modules/ssl/mod_ssl.c.r1913912 -+++ httpd-2.4.58/modules/ssl/mod_ssl.c -@@ -25,8 +25,7 @@ - */ - - #include "ssl_private.h" --#include "mod_ssl.h" --#include "mod_ssl_openssl.h" -+ - #include "util_md5.h" - #include "util_mutex.h" - #include "ap_provider.h" -@@ -75,11 +74,9 @@ - SSL_CMD_SRV(SessionCache, TAKE1, - "SSL Session Cache storage " - "('none', 'nonenotnull', 'dbm:/path/to/file')") --#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) - SSL_CMD_SRV(CryptoDevice, TAKE1, - "SSL external Crypto Device usage " - "('builtin', '...')") --#endif - SSL_CMD_SRV(RandomSeed, TAKE23, - "SSL Pseudo Random Number Generator (PRNG) seeding source " - "('startup|connect builtin|file:/path|exec:/path [bytes]')") ---- httpd-2.4.58/modules/ssl/mod_ssl_openssl.h.r1913912 -+++ httpd-2.4.58/modules/ssl/mod_ssl_openssl.h -@@ -30,14 +30,17 @@ - - /* OpenSSL headers */ - --#ifndef SSL_PRIVATE_H - #include <openssl/opensslv.h> --#if (OPENSSL_VERSION_NUMBER >= 0x10001000) -+#if OPENSSL_VERSION_NUMBER >= 0x30000000 -+#include <openssl/macros.h> /* for OPENSSL_API_LEVEL */ -+#endif -+#if OPENSSL_VERSION_NUMBER >= 0x10001000 - /* must be defined before including ssl.h */ - #define OPENSSL_NO_SSL_INTERN - #endif - #include <openssl/ssl.h> --#endif -+#include <openssl/evp.h> -+#include <openssl/x509.h> - - /** - * init_server hook -- allow SSL_CTX-specific initialization to be performed by ---- httpd-2.4.58/modules/ssl/ssl_engine_config.c.r1913912 -+++ httpd-2.4.58/modules/ssl/ssl_engine_config.c -@@ -27,6 +27,7 @@ - damned if you don't.'' - -- Unknown */ - #include "ssl_private.h" -+ - #include "util_mutex.h" - #include "ap_provider.h" - -@@ -593,14 +594,15 @@ - return NULL; - } - --#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) - const char *ssl_cmd_SSLCryptoDevice(cmd_parms *cmd, - void *dcfg, - const char *arg) - { - SSLModConfigRec *mc = myModConfig(cmd->server); - const char *err; -+#if MODSSL_HAVE_ENGINE_API - ENGINE *e; -+#endif - - if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY))) { - return err; -@@ -609,13 +611,16 @@ - if (strcEQ(arg, "builtin")) { - mc->szCryptoDevice = NULL; - } -+#if MODSSL_HAVE_ENGINE_API - else if ((e = ENGINE_by_id(arg))) { - mc->szCryptoDevice = arg; - ENGINE_free(e); - } -+#endif - else { - err = "SSLCryptoDevice: Invalid argument; must be one of: " - "'builtin' (none)"; -+#if MODSSL_HAVE_ENGINE_API - e = ENGINE_get_first(); - while (e) { - err = apr_pstrcat(cmd->pool, err, ", '", ENGINE_get_id(e), -@@ -624,12 +629,12 @@ - * on the 'old' e, per the docs in engine.h. */ - e = ENGINE_get_next(e); - } -+#endif - return err; - } - - return NULL; - } --#endif - - const char *ssl_cmd_SSLRandomSeed(cmd_parms *cmd, - void *dcfg, ---- httpd-2.4.58/modules/ssl/ssl_engine_init.c.r1913912 -+++ httpd-2.4.58/modules/ssl/ssl_engine_init.c -@@ -27,8 +27,7 @@ - see Recursive.'' - -- Unknown */ - #include "ssl_private.h" --#include "mod_ssl.h" --#include "mod_ssl_openssl.h" -+ - #include "mpm_common.h" - #include "mod_md.h" - -@@ -218,6 +217,16 @@ - } - #endif - -+static APR_INLINE unsigned long modssl_runtime_lib_version(void) -+{ -+#if MODSSL_USE_OPENSSL_PRE_1_1_API -+ return SSLeay(); -+#else -+ return OpenSSL_version_num(); -+#endif -+} -+ -+ - /* - * Per-module initialization - */ -@@ -225,18 +234,22 @@ - apr_pool_t *ptemp, - server_rec *base_server) - { -+ unsigned long runtime_lib_version = modssl_runtime_lib_version(); - SSLModConfigRec *mc = myModConfig(base_server); - SSLSrvConfigRec *sc; - server_rec *s; - apr_status_t rv; - apr_array_header_t *pphrases; - -- if (SSLeay() < MODSSL_LIBRARY_VERSION) { -+ AP_DEBUG_ASSERT(mc); -+ -+ if (runtime_lib_version < MODSSL_LIBRARY_VERSION) { - ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01882) - "Init: this version of mod_ssl was compiled against " -- "a newer library (%s, version currently loaded is %s)" -+ "a newer library (%s (%s), version currently loaded is 0x%lX)" - " - may result in undefined or erroneous behavior", -- MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT); -+ MODSSL_LIBRARY_TEXT, MODSSL_LIBRARY_DYNTEXT, -+ runtime_lib_version); - } - - /* We initialize mc->pid per-process in the child init, -@@ -313,11 +326,9 @@ - /* - * SSL external crypto device ("engine") support - */ --#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) - if ((rv = ssl_init_Engine(base_server, p)) != APR_SUCCESS) { - return rv; - } --#endif - - ap_log_error(APLOG_MARK, APLOG_INFO, 0, base_server, APLOGNO(01883) - "Init: Initialized %s library", MODSSL_LIBRARY_NAME); -@@ -473,9 +484,9 @@ - * Support for external a Crypto Device ("engine"), usually - * a hardware accelerator card for crypto operations. - */ --#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) - apr_status_t ssl_init_Engine(server_rec *s, apr_pool_t *p) - { -+#if MODSSL_HAVE_ENGINE_API - SSLModConfigRec *mc = myModConfig(s); - ENGINE *e; - -@@ -507,10 +518,9 @@ - - ENGINE_free(e); - } -- -+#endif - return APR_SUCCESS; - } --#endif - - #ifdef HAVE_TLSEXT - static apr_status_t ssl_init_ctx_tls_extensions(server_rec *s, -@@ -1320,15 +1330,6 @@ - return 0; - } - --static APR_INLINE int modssl_DH_bits(DH *dh) --{ --#if OPENSSL_VERSION_NUMBER < 0x30000000L -- return DH_bits(dh); --#else -- return BN_num_bits(DH_get0_p(dh)); --#endif --} -- - /* SSL_CTX_use_PrivateKey_file() can fail either because the private - * key was encrypted, or due to a mismatch between an already-loaded - * cert and the key - a common misconfiguration - from calling -@@ -1354,15 +1355,10 @@ - SSLModConfigRec *mc = myModConfig(s); - const char *vhost_id = mctx->sc->vhost_id, *key_id, *certfile, *keyfile; - int i; -- X509 *cert; -- DH *dh; -+ EVP_PKEY *pkey; - #ifdef HAVE_ECC -- EC_GROUP *ecparams = NULL; -- int nid; -- EC_KEY *eckey = NULL; --#endif --#ifndef HAVE_SSL_CONF_CMD -- SSL *ssl; -+ EC_GROUP *ecgroup = NULL; -+ int curve_nid = 0; - #endif - - /* no OpenSSL default prompts for any of the SSL_CTX_use_* calls, please */ -@@ -1373,7 +1369,7 @@ - (certfile = APR_ARRAY_IDX(mctx->pks->cert_files, i, - const char *)); - i++) { -- EVP_PKEY *pkey; -+ X509 *cert = NULL; - const char *engine_certfile = NULL; - - key_id = apr_psprintf(ptemp, "%s:%d", vhost_id, i); -@@ -1416,8 +1412,6 @@ - if (modssl_is_engine_id(keyfile)) { - apr_status_t rv; - -- cert = NULL; -- - if ((rv = modssl_load_engine_keypair(s, ptemp, vhost_id, - engine_certfile, keyfile, - &cert, &pkey))) { -@@ -1488,22 +1482,21 @@ - * assume that if SSL_CONF is available, it's OpenSSL 1.0.2 or later, - * and SSL_CTX_get0_certificate is implemented.) - */ -- if (!(cert = SSL_CTX_get0_certificate(mctx->ssl_ctx))) { -+ cert = SSL_CTX_get0_certificate(mctx->ssl_ctx); - #else -- ssl = SSL_new(mctx->ssl_ctx); -+ { -+ SSL *ssl = SSL_new(mctx->ssl_ctx); - if (ssl) { - /* Workaround bug in SSL_get_certificate in OpenSSL 0.9.8y */ - SSL_set_connect_state(ssl); - cert = SSL_get_certificate(ssl); -+ SSL_free(ssl); -+ } - } -- if (!ssl || !cert) { - #endif -+ if (!cert) { - ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(02566) - "Unable to retrieve certificate %s", key_id); --#ifndef HAVE_SSL_CONF_CMD -- if (ssl) -- SSL_free(ssl); --#endif - return APR_EGENERAL; - } - -@@ -1525,10 +1518,6 @@ - } - #endif - --#ifndef HAVE_SSL_CONF_CMD -- SSL_free(ssl); --#endif -- - ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(02568) - "Certificate and private key %s configured from %s and %s", - key_id, certfile, keyfile); -@@ -1538,15 +1527,33 @@ - * Try to read DH parameters from the (first) SSLCertificateFile - */ - certfile = APR_ARRAY_IDX(mctx->pks->cert_files, 0, const char *); -- if (certfile && !modssl_is_engine_id(certfile) -- && (dh = ssl_dh_GetParamFromFile(certfile))) { -- /* ### This should be replaced with SSL_CTX_set0_tmp_dh_pkey() -- * for OpenSSL 3.0+. */ -+ if (certfile && !modssl_is_engine_id(certfile)) { -+ int done = 0, num_bits = 0; -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ DH *dh = modssl_dh_from_file(certfile); -+ if (dh) { -+ num_bits = DH_bits(dh); - SSL_CTX_set_tmp_dh(mctx->ssl_ctx, dh); -+ DH_free(dh); -+ done = 1; -+ } -+#else -+ pkey = modssl_dh_pkey_from_file(certfile); -+ if (pkey) { -+ num_bits = EVP_PKEY_get_bits(pkey); -+ if (!SSL_CTX_set0_tmp_dh_pkey(mctx->ssl_ctx, pkey)) { -+ EVP_PKEY_free(pkey); -+ } -+ else { -+ done = 1; -+ } -+ } -+#endif -+ if (done) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02540) - "Custom DH parameters (%d bits) for %s loaded from %s", -- modssl_DH_bits(dh), vhost_id, certfile); -- DH_free(dh); -+ num_bits, vhost_id, certfile); -+ } - } - #if !MODSSL_USE_OPENSSL_PRE_1_1_API - else { -@@ -1561,13 +1568,27 @@ - * Similarly, try to read the ECDH curve name from SSLCertificateFile... - */ - if (certfile && !modssl_is_engine_id(certfile) -- && (ecparams = ssl_ec_GetParamFromFile(certfile)) -- && (nid = EC_GROUP_get_curve_name(ecparams)) -- && (eckey = EC_KEY_new_by_curve_name(nid))) { -+ && (ecgroup = modssl_ec_group_from_file(certfile)) -+ && (curve_nid = EC_GROUP_get_curve_name(ecgroup))) { -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+ EC_KEY *eckey = EC_KEY_new_by_curve_name(curve_nid); -+ if (eckey) { - SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey); -+ EC_KEY_free(eckey); -+ } -+ else { -+ curve_nid = 0; -+ } -+#else -+ if (!SSL_CTX_set1_curves(mctx->ssl_ctx, &curve_nid, 1)) { -+ curve_nid = 0; -+ } -+#endif -+ if (curve_nid) { - ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(02541) - "ECDH curve %s for %s specified in %s", -- OBJ_nid2sn(nid), vhost_id, certfile); -+ OBJ_nid2sn(curve_nid), vhost_id, certfile); -+ } - } - /* - * ...otherwise, enable auto curve selection (OpenSSL 1.0.2) -@@ -1575,18 +1596,20 @@ - * ECDH is always enabled in 1.1.0 unless excluded from SSLCipherList - */ - #if MODSSL_USE_OPENSSL_PRE_1_1_API -- else { -+ if (!curve_nid) { - #if defined(SSL_CTX_set_ecdh_auto) - SSL_CTX_set_ecdh_auto(mctx->ssl_ctx, 1); - #else -- eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); -+ EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); -+ if (eckey) { - SSL_CTX_set_tmp_ecdh(mctx->ssl_ctx, eckey); -+ EC_KEY_free(eckey); -+ } - #endif - } - #endif - /* OpenSSL assures us that _free() is NULL-safe */ -- EC_KEY_free(eckey); -- EC_GROUP_free(ecparams); -+ EC_GROUP_free(ecgroup); - #endif - - return APR_SUCCESS; ---- httpd-2.4.58/modules/ssl/ssl_engine_io.c.r1913912 -+++ httpd-2.4.58/modules/ssl/ssl_engine_io.c -@@ -28,8 +28,7 @@ - core keeps dumping.'' - -- Unknown */ - #include "ssl_private.h" --#include "mod_ssl.h" --#include "mod_ssl_openssl.h" -+ - #include "apr_date.h" - - APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, proxy_post_handshake, -@@ -2283,14 +2282,7 @@ - ssl_io_filter_cleanup, apr_pool_cleanup_null); - - if (APLOG_CS_IS_LEVEL(c, mySrvFromConn(c), APLOG_TRACE4)) { -- BIO *rbio = SSL_get_rbio(ssl), -- *wbio = SSL_get_wbio(ssl); -- BIO_set_callback(rbio, ssl_io_data_cb); -- BIO_set_callback_arg(rbio, (void *)ssl); -- if (wbio && wbio != rbio) { -- BIO_set_callback(wbio, ssl_io_data_cb); -- BIO_set_callback_arg(wbio, (void *)ssl); -- } -+ modssl_set_io_callbacks(ssl); - } - - return; -@@ -2374,13 +2366,22 @@ - "+-------------------------------------------------------------------------+"); - } - --long ssl_io_data_cb(BIO *bio, int cmd, -- const char *argp, -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+static long modssl_io_cb(BIO *bio, int cmd, const char *argp, -+ size_t len, int argi, long argl, int rc, -+ size_t *processed) -+#else -+static long modssl_io_cb(BIO *bio, int cmd, const char *argp, - int argi, long argl, long rc) -+#endif - { - SSL *ssl; - conn_rec *c; - server_rec *s; -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ (void)len; -+ (void)processed; -+#endif - - if ((ssl = (SSL *)BIO_get_callback_arg(bio)) == NULL) - return rc; -@@ -2402,7 +2403,7 @@ - "%s: %s %ld/%d bytes %s BIO#%pp [mem: %pp] %s", - MODSSL_LIBRARY_NAME, - (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "write" : "read"), -- rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"), -+ (long)rc, argi, (cmd == (BIO_CB_WRITE|BIO_CB_RETURN) ? "to" : "from"), - bio, argp, dump); - if (*dump != '\0' && argp != NULL) - ssl_io_data_dump(c, s, argp, rc); -@@ -2417,3 +2418,25 @@ - } - return rc; - } -+ -+static APR_INLINE void set_bio_callback(BIO *bio, void *arg) -+{ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ BIO_set_callback_ex(bio, modssl_io_cb); -+#else -+ BIO_set_callback(bio, modssl_io_cb); -+#endif -+ BIO_set_callback_arg(bio, arg); -+} -+ -+void modssl_set_io_callbacks(SSL *ssl) -+{ -+ BIO *rbio = SSL_get_rbio(ssl), -+ *wbio = SSL_get_wbio(ssl); -+ if (rbio) { -+ set_bio_callback(rbio, ssl); -+ } -+ if (wbio && wbio != rbio) { -+ set_bio_callback(wbio, ssl); -+ } -+} ---- httpd-2.4.58/modules/ssl/ssl_engine_kernel.c.r1913912 -+++ httpd-2.4.58/modules/ssl/ssl_engine_kernel.c -@@ -2581,6 +2581,7 @@ - sc->server->pks->service_unavailable : 0; - - ap_update_child_status_from_server(c->sbh, SERVER_BUSY_READ, c, s); -+ - /* - * There is one special filter callback, which is set - * very early depending on the base_server's log level. -@@ -2589,14 +2590,7 @@ - * we need to set that callback here. - */ - if (APLOGtrace4(s)) { -- BIO *rbio = SSL_get_rbio(ssl), -- *wbio = SSL_get_wbio(ssl); -- BIO_set_callback(rbio, ssl_io_data_cb); -- BIO_set_callback_arg(rbio, (void *)ssl); -- if (wbio && wbio != rbio) { -- BIO_set_callback(wbio, ssl_io_data_cb); -- BIO_set_callback_arg(wbio, (void *)ssl); -- } -+ modssl_set_io_callbacks(ssl); - } - - return 1; ---- httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c.r1913912 -+++ httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c -@@ -30,6 +30,8 @@ - -- Clifford Stoll */ - #include "ssl_private.h" - -+#include <openssl/ui.h> -+ - typedef struct { - server_rec *s; - apr_pool_t *p; -@@ -606,8 +608,7 @@ - return (len); - } - -- --#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) -+#if MODSSL_HAVE_ENGINE_API - - /* OpenSSL UI implementation for passphrase entry; largely duplicated - * from ssl_pphrase_Handle_CB but adjusted for UI API. TODO: Might be -@@ -831,7 +832,7 @@ - const char *certid, const char *keyid, - X509 **pubkey, EVP_PKEY **privkey) - { --#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) -+#if MODSSL_HAVE_ENGINE_API - const char *c, *scheme; - ENGINE *e; - UI_METHOD *ui_method = get_passphrase_ui(p); ---- httpd-2.4.58/modules/ssl/ssl_private.h.r1913912 -+++ httpd-2.4.58/modules/ssl/ssl_private.h -@@ -83,16 +83,13 @@ - - #include "ap_expr.h" - --/* OpenSSL headers */ --#include <openssl/opensslv.h> --#if (OPENSSL_VERSION_NUMBER >= 0x10001000) --/* must be defined before including ssl.h */ --#define OPENSSL_NO_SSL_INTERN --#endif --#if OPENSSL_VERSION_NUMBER >= 0x30000000 --#include <openssl/core_names.h> -+/* keep first for compat API */ -+#ifndef OPENSSL_API_COMPAT -+#define OPENSSL_API_COMPAT 0x10101000 /* for ENGINE_ API */ - #endif --#include <openssl/ssl.h> -+#include "mod_ssl_openssl.h" -+ -+/* OpenSSL headers */ - #include <openssl/err.h> - #include <openssl/x509.h> - #include <openssl/pem.h> -@@ -102,12 +99,23 @@ - #include <openssl/x509v3.h> - #include <openssl/x509_vfy.h> - #include <openssl/ocsp.h> -+#include <openssl/dh.h> -+#if OPENSSL_VERSION_NUMBER >= 0x30000000 -+#include <openssl/core_names.h> -+#endif - - /* Avoid tripping over an engine build installed globally and detected - * when the user points at an explicit non-engine flavor of OpenSSL - */ --#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) -+#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) \ -+ && (OPENSSL_VERSION_NUMBER < 0x30000000 \ -+ || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \ -+ && !defined(OPENSSL_NO_ENGINE) - #include <openssl/engine.h> -+#define MODSSL_HAVE_ENGINE_API 1 -+#endif -+#ifndef MODSSL_HAVE_ENGINE_API -+#define MODSSL_HAVE_ENGINE_API 0 - #endif - - #if (OPENSSL_VERSION_NUMBER < 0x0090801f) -@@ -142,10 +150,18 @@ - * include most changes from OpenSSL >= 1.1 (new functions, macros, - * deprecations, ...), so we have to work around this... - */ --#define MODSSL_USE_OPENSSL_PRE_1_1_API (LIBRESSL_VERSION_NUMBER < 0x2070000f) -+#if LIBRESSL_VERSION_NUMBER < 0x2070000f -+#define MODSSL_USE_OPENSSL_PRE_1_1_API 1 -+#else -+#define MODSSL_USE_OPENSSL_PRE_1_1_API 0 -+#endif - #else /* defined(LIBRESSL_VERSION_NUMBER) */ --#define MODSSL_USE_OPENSSL_PRE_1_1_API (OPENSSL_VERSION_NUMBER < 0x10100000L) -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+#define MODSSL_USE_OPENSSL_PRE_1_1_API 1 -+#else -+#define MODSSL_USE_OPENSSL_PRE_1_1_API 0 - #endif -+#endif /* defined(LIBRESSL_VERSION_NUMBER) */ - - #if defined(OPENSSL_FIPS) || OPENSSL_VERSION_NUMBER >= 0x30000000L - #define HAVE_FIPS -@@ -211,7 +227,10 @@ - #endif - - /* Secure Remote Password */ --#if !defined(OPENSSL_NO_SRP) && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB) -+#if !defined(OPENSSL_NO_SRP) \ -+ && (OPENSSL_VERSION_NUMBER < 0x30000000L \ -+ || (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \ -+ && defined(SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB) - #define HAVE_SRP - #include <openssl/srp.h> - #endif -@@ -254,6 +273,14 @@ - #endif - #endif - -+/* those may be deprecated */ -+#ifndef X509_get_notBefore -+#define X509_get_notBefore X509_getm_notBefore -+#endif -+#ifndef X509_get_notAfter -+#define X509_get_notAfter X509_getm_notAfter -+#endif -+ - #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER) - #define HAVE_OPENSSL_KEYLOG - #endif -@@ -1019,7 +1046,7 @@ - /** I/O */ - void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *); - void ssl_io_filter_register(apr_pool_t *); --long ssl_io_data_cb(BIO *, int, const char *, int, long, long); -+void modssl_set_io_callbacks(SSL *ssl); - - /* ssl_io_buffer_fill fills the setaside buffering of the HTTP request - * to allow an SSL renegotiation to take place. */ -@@ -1057,9 +1084,13 @@ - X509 **pubkey, EVP_PKEY **privkey); - - /** Diffie-Hellman Parameter Support */ --DH *ssl_dh_GetParamFromFile(const char *); -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+DH *modssl_dh_from_file(const char *); -+#else -+EVP_PKEY *modssl_dh_pkey_from_file(const char *); -+#endif - #ifdef HAVE_ECC --EC_GROUP *ssl_ec_GetParamFromFile(const char *); -+EC_GROUP *modssl_ec_group_from_file(const char *); - #endif - - /* Store the EVP_PKEY key (serialized into DER) in the hash table with ---- httpd-2.4.58/modules/ssl/ssl_util.c.r1913912 -+++ httpd-2.4.58/modules/ssl/ssl_util.c -@@ -476,7 +476,7 @@ - - int modssl_is_engine_id(const char *name) - { --#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_INIT) -+#if MODSSL_HAVE_ENGINE_API - /* ### Can handle any other special ENGINE key names here? */ - return strncmp(name, "pkcs11:", 7) == 0; - #else ---- httpd-2.4.58/modules/ssl/ssl_util_ssl.c.r1913912 -+++ httpd-2.4.58/modules/ssl/ssl_util_ssl.c -@@ -464,29 +464,52 @@ - ** _________________________________________________________________ - */ - --DH *ssl_dh_GetParamFromFile(const char *file) -+#if OPENSSL_VERSION_NUMBER < 0x30000000L -+DH *modssl_dh_from_file(const char *file) - { -- DH *dh = NULL; -+ DH *dh; - BIO *bio; - - if ((bio = BIO_new_file(file, "r")) == NULL) - return NULL; - dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); - BIO_free(bio); -- return (dh); -+ -+ return dh; -+} -+#else -+EVP_PKEY *modssl_dh_pkey_from_file(const char *file) -+{ -+ EVP_PKEY *pkey; -+ BIO *bio; -+ -+ if ((bio = BIO_new_file(file, "r")) == NULL) -+ return NULL; -+ pkey = PEM_read_bio_Parameters(bio, NULL); -+ BIO_free(bio); -+ -+ return pkey; - } -+#endif - - #ifdef HAVE_ECC --EC_GROUP *ssl_ec_GetParamFromFile(const char *file) -+EC_GROUP *modssl_ec_group_from_file(const char *file) - { -- EC_GROUP *group = NULL; -+ EC_GROUP *group; - BIO *bio; - - if ((bio = BIO_new_file(file, "r")) == NULL) - return NULL; -+#if OPENSSL_VERSION_NUMBER < 0x30000000L - group = PEM_read_bio_ECPKParameters(bio, NULL, NULL, NULL); -+#else -+ group = PEM_ASN1_read_bio((void *)d2i_ECPKParameters, -+ PEM_STRING_ECPARAMETERS, bio, -+ NULL, NULL, NULL); -+#endif - BIO_free(bio); -- return (group); -+ -+ return group; - } - #endif - ---- httpd-2.4.58/modules/ssl/ssl_util_stapling.c.r1913912 -+++ httpd-2.4.58/modules/ssl/ssl_util_stapling.c -@@ -29,9 +29,9 @@ - -- Alexei Sayle */ - - #include "ssl_private.h" -+ - #include "ap_mpm.h" - #include "apr_thread_mutex.h" --#include "mod_ssl_openssl.h" - - APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(ssl, SSL, int, init_stapling_status, - (server_rec *s, apr_pool_t *p, ---- httpd-2.4.58/support/ab.c.r1913912 -+++ httpd-2.4.58/support/ab.c -@@ -166,13 +166,18 @@ - - #if defined(HAVE_OPENSSL) - --#include <openssl/rsa.h> -+#include <openssl/evp.h> - #include <openssl/crypto.h> - #include <openssl/x509.h> - #include <openssl/pem.h> - #include <openssl/err.h> - #include <openssl/ssl.h> - #include <openssl/rand.h> -+#include <openssl/opensslv.h> -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+#include <openssl/core_names.h> -+#endif -+ - #define USE_SSL - - #define SK_NUM(x) sk_X509_num(x) -@@ -555,22 +560,33 @@ - * - */ - #ifdef USE_SSL --static long ssl_print_cb(BIO *bio,int cmd,const char *argp,int argi,long argl,long ret) -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+static long ssl_print_cb(BIO *bio, int cmd, const char *argp, -+ size_t len, int argi, long argl, int ret, -+ size_t *processed) -+#else -+static long ssl_print_cb(BIO *bio, int cmd, const char *argp, -+ int argi, long argl, long ret) -+#endif - { - BIO *out; -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ (void)len; -+ (void)processed; -+#endif - - out=(BIO *)BIO_get_callback_arg(bio); - if (out == NULL) return(ret); - - if (cmd == (BIO_CB_READ|BIO_CB_RETURN)) { - BIO_printf(out,"read from %p [%p] (%d bytes => %ld (0x%lX))\n", -- bio, argp, argi, ret, ret); -+ bio, argp, argi, (long)ret, (long)ret); - BIO_dump(out,(char *)argp,(int)ret); - return(ret); - } - else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN)) { - BIO_printf(out,"write to %p [%p] (%d bytes => %ld (0x%lX))\n", -- bio, argp, argi, ret, ret); -+ bio, argp, argi, (long)ret, (long)ret); - BIO_dump(out,(char *)argp,(int)ret); - } - return ret; -@@ -765,17 +781,29 @@ - break; - #ifndef OPENSSL_NO_EC - case EVP_PKEY_EC: { -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ size_t len; -+ char cname[80]; -+ if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME, -+ cname, sizeof(cname), &len)) { -+ cname[0] = '?'; -+ len = 1; -+ } -+ cname[len] = '\0'; -+#else - const char *cname = NULL; - EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key); - int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); - EC_KEY_free(ec); - cname = EC_curve_nid2nist(nid); -- if (!cname) -+ if (!cname) { - cname = OBJ_nid2sn(nid); -- -+ if (!cname) -+ cname = "?"; -+ } -+#endif - apr_snprintf(ssl_tmp_key, 128, "ECDH %s %d bits", -- cname, -- EVP_PKEY_bits(key)); -+ cname, EVP_PKEY_bits(key)); - break; - } - #endif -@@ -1428,7 +1456,11 @@ - SSL_set_bio(c->ssl, bio, bio); - SSL_set_connect_state(c->ssl); - if (verbosity >= 4) { -+#if OPENSSL_VERSION_NUMBER >= 0x30000000L -+ BIO_set_callback_ex(bio, ssl_print_cb); -+#else - BIO_set_callback(bio, ssl_print_cb); -+#endif - BIO_set_callback_arg(bio, (void *)bio_err); - } - #ifdef HAVE_TLSEXT diff --git a/apache2-fips-compatibility-03.patch b/apache2-fips-compatibility-03.patch deleted file mode 100644 index 7717a31..0000000 --- a/apache2-fips-compatibility-03.patch +++ /dev/null @@ -1,221 +0,0 @@ -# ./pullrev.sh 1914365 -http://svn.apache.org/viewvc?view=revision&revision=1914365 - -Upstream-Status: in trunk, not proposed for 2.4.x - ---- httpd-2.4.58/modules/ssl/ssl_engine_init.c.r1914365 -+++ httpd-2.4.58/modules/ssl/ssl_engine_init.c -@@ -1421,8 +1421,10 @@ - if (cert) { - if (SSL_CTX_use_certificate(mctx->ssl_ctx, cert) < 1) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10137) -- "Failed to configure engine certificate %s, check %s", -- key_id, certfile); -+ "Failed to configure certificate %s from %s, check %s", -+ key_id, mc->szCryptoDevice ? -+ mc->szCryptoDevice : "provider", -+ certfile); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - return APR_EGENERAL; - } -@@ -1433,8 +1435,9 @@ - - if (SSL_CTX_use_PrivateKey(mctx->ssl_ctx, pkey) < 1) { - ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10130) -- "Failed to configure private key %s from engine", -- keyfile); -+ "Failed to configure private key %s from %s", -+ keyfile, mc->szCryptoDevice ? -+ mc->szCryptoDevice : "provider"); - ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); - return APR_EGENERAL; - } ---- httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c.r1914365 -+++ httpd-2.4.58/modules/ssl/ssl_engine_pphrase.c -@@ -31,6 +31,9 @@ - #include "ssl_private.h" - - #include <openssl/ui.h> -+#if MODSSL_HAVE_OPENSSL_STORE -+#include <openssl/store.h> -+#endif - - typedef struct { - server_rec *s; -@@ -608,7 +611,7 @@ - return (len); - } - --#if MODSSL_HAVE_ENGINE_API -+#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE - - /* OpenSSL UI implementation for passphrase entry; largely duplicated - * from ssl_pphrase_Handle_CB but adjusted for UI API. TODO: Might be -@@ -826,13 +829,14 @@ - } - #endif - -- --apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, -+#if MODSSL_HAVE_ENGINE_API -+static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *p, - const char *vhostid, -- const char *certid, const char *keyid, -- X509 **pubkey, EVP_PKEY **privkey) -+ const char *certid, -+ const char *keyid, -+ X509 **pubkey, -+ EVP_PKEY **privkey) - { --#if MODSSL_HAVE_ENGINE_API - const char *c, *scheme; - ENGINE *e; - UI_METHOD *ui_method = get_passphrase_ui(p); -@@ -906,6 +910,118 @@ - ENGINE_free(e); - - return APR_SUCCESS; -+} -+#endif -+ -+#if MODSSL_HAVE_OPENSSL_STORE -+static OSSL_STORE_INFO *modssl_load_store_uri(server_rec *s, apr_pool_t *p, -+ const char *vhostid, -+ const char *uri, int info_type) -+{ -+ OSSL_STORE_CTX *sctx; -+ UI_METHOD *ui_method = get_passphrase_ui(p); -+ pphrase_cb_arg_t ppcb; -+ OSSL_STORE_INFO *info = NULL; -+ -+ memset(&ppcb, 0, sizeof ppcb); -+ ppcb.s = s; -+ ppcb.p = p; -+ ppcb.bPassPhraseDialogOnce = TRUE; -+ ppcb.key_id = vhostid; -+ ppcb.pkey_file = uri; -+ -+ sctx = OSSL_STORE_open(uri, ui_method, &ppcb, NULL, NULL); -+ if (!sctx) { -+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(10491) -+ "Init: OSSL_STORE_open failed for PKCS#11 URI `%s'", -+ uri); -+ return NULL; -+ } -+ -+ while (!OSSL_STORE_eof(sctx)) { -+ info = OSSL_STORE_load(sctx); -+ if (!info) -+ break; -+ -+ if (OSSL_STORE_INFO_get_type(info) == info_type) -+ break; -+ -+ OSSL_STORE_INFO_free(info); -+ info = NULL; -+ } -+ -+ OSSL_STORE_close(sctx); -+ -+ return info; -+} -+ -+static apr_status_t modssl_load_keypair_store(server_rec *s, apr_pool_t *p, -+ const char *vhostid, -+ const char *certid, -+ const char *keyid, -+ X509 **pubkey, -+ EVP_PKEY **privkey) -+{ -+ OSSL_STORE_INFO *info = NULL; -+ -+ *privkey = NULL; -+ *pubkey = NULL; -+ -+ info = modssl_load_store_uri(s, p, vhostid, keyid, OSSL_STORE_INFO_PKEY); -+ if (!info) { -+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10492) -+ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'", -+ keyid); -+ return ssl_die(s); -+ } -+ -+ *privkey = OSSL_STORE_INFO_get1_PKEY(info); -+ OSSL_STORE_INFO_free(info); -+ if (!*privkey) { -+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10493) -+ "Init: OSSL_STORE_INFO_PKEY lookup failed for private key identifier `%s'", -+ keyid); -+ return ssl_die(s); -+ } -+ -+ if (certid) { -+ info = modssl_load_store_uri(s, p, vhostid, certid, OSSL_STORE_INFO_CERT); -+ if (!info) { -+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10494) -+ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'", -+ keyid); -+ return ssl_die(s); -+ } -+ -+ *pubkey = OSSL_STORE_INFO_get1_CERT(info); -+ OSSL_STORE_INFO_free(info); -+ if (!*pubkey) { -+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10495) -+ "Init: OSSL_STORE_INFO_CERT lookup failed for certificate identifier `%s'", -+ certid); -+ return ssl_die(s); -+ } -+ } -+ -+ return APR_SUCCESS; -+} -+#endif -+ -+apr_status_t modssl_load_engine_keypair(server_rec *s, apr_pool_t *p, -+ const char *vhostid, -+ const char *certid, const char *keyid, -+ X509 **pubkey, EVP_PKEY **privkey) -+{ -+#if MODSSL_HAVE_OPENSSL_STORE -+ SSLModConfigRec *mc = myModConfig(s); -+ -+ if (!mc->szCryptoDevice) -+ return modssl_load_keypair_store(s, p, vhostid, certid, keyid, -+ pubkey, privkey); -+#endif -+#if MODSSL_HAVE_ENGINE_API -+ return modssl_load_keypair_engine(s, p, vhostid, certid, keyid, -+ pubkey, privkey); - #else - return APR_ENOTIMPL; - #endif ---- httpd-2.4.58/modules/ssl/ssl_private.h.r1914365 -+++ httpd-2.4.58/modules/ssl/ssl_private.h -@@ -118,6 +118,15 @@ - #define MODSSL_HAVE_ENGINE_API 0 - #endif - -+/* Use OpenSSL 3.x STORE for loading URI keys and certificates starting with -+ * OpenSSL 3.0 -+ */ -+#if OPENSSL_VERSION_NUMBER >= 0x30000000 -+#define MODSSL_HAVE_OPENSSL_STORE 1 -+#else -+#define MODSSL_HAVE_OPENSSL_STORE 0 -+#endif -+ - #if (OPENSSL_VERSION_NUMBER < 0x0090801f) - #error mod_ssl requires OpenSSL 0.9.8a or later - #endif ---- httpd-2.4.58/modules/ssl/ssl_util.c.r1914365 -+++ httpd-2.4.58/modules/ssl/ssl_util.c -@@ -476,7 +476,7 @@ - - int modssl_is_engine_id(const char *name) - { --#if MODSSL_HAVE_ENGINE_API -+#if MODSSL_HAVE_ENGINE_API || MODSSL_HAVE_OPENSSL_STORE - /* ### Can handle any other special ENGINE key names here? */ - return strncmp(name, "pkcs11:", 7) == 0; - #else diff --git a/apache2-issue-444.patch b/apache2-issue-444.patch deleted file mode 100644 index 6e1320c..0000000 --- a/apache2-issue-444.patch +++ /dev/null @@ -1,36 +0,0 @@ -Index: httpd-2.4.58/modules/generators/mod_cgid.c -=================================================================== ---- httpd-2.4.58.orig/modules/generators/mod_cgid.c -+++ httpd-2.4.58/modules/generators/mod_cgid.c -@@ -1625,7 +1625,12 @@ static int cgid_handler(request_rec *r) - */ - if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) - apr_table_unset(r->headers_out, "Content-Length"); -- apr_table_unset(r->headers_out, "Transfer-Encoding"); -+ -+ if (apr_table_get(r->headers_out, "Transfer-Encoding") != NULL) { -+ apr_brigade_cleanup(bb); -+ return log_scripterror(r, conf, HTTP_BAD_GATEWAY, 0, APLOGNO(10501) -+ "script sent Transfer-Encoding"); -+ } - - if (ret != OK) { - ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL); -Index: httpd-2.4.58/modules/generators/mod_cgi.c -=================================================================== ---- httpd-2.4.58.orig/modules/generators/mod_cgi.c -+++ httpd-2.4.58/modules/generators/mod_cgi.c -@@ -944,7 +944,12 @@ static int cgi_handler(request_rec *r) - */ - if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR)) - apr_table_unset(r->headers_out, "Content-Length"); -- apr_table_unset(r->headers_out, "Transfer-Encoding"); -+ -+ if (apr_table_get(r->headers_out, "Transfer-Encoding") != NULL) { -+ apr_brigade_cleanup(bb); -+ return log_scripterror(r, conf, HTTP_BAD_GATEWAY, 0, APLOGNO(10501), -+ "script sent Transfer-Encoding"); -+ } - - if (ret != OK) { - ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err); diff --git a/apache2.changes b/apache2.changes index bac1a5a..e81b057 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,229 @@ +------------------------------------------------------------------- +Mon Jan 6 22:03:13 UTC 2025 - Martin Schreiner <martin.schreiner@suse.com> + +- Update to 2.4.62 (jsc#PED-11927). +- Update test suite to svn1921782. +- Remove unneeded patches, they've all been merged upstream and are + part of the 2.4.62 release. + * apache2-CVE-2023-38709.patch + * apache2-CVE-2024-24795.patch + * apache2-CVE-2024-27316.patch + * apache2-CVE-2024-36387.patch + * apache2-CVE-2024-38473-1.patch + * apache2-CVE-2024-38473-2.patch + * apache2-CVE-2024-38473-3.patch + * apache2-CVE-2024-38473-4.patch + * apache2-CVE-2024-38474.patch + * apache2-CVE-2024-38475-1.patch + * apache2-CVE-2024-38475-2.patch + * apache2-CVE-2024-38475-3.patch + * apache2-CVE-2024-38476-1.patch + * apache2-CVE-2024-38476-10.patch + * apache2-CVE-2024-38476-11.patch + * apache2-CVE-2024-38476-2.patch + * apache2-CVE-2024-38476-3.patch + * apache2-CVE-2024-38476-4.patch + * apache2-CVE-2024-38476-5.patch + * apache2-CVE-2024-38476-6.patch + * apache2-CVE-2024-38476-7.patch + * apache2-CVE-2024-38476-8.patch + * apache2-CVE-2024-38476-9.patch + * apache2-CVE-2024-38477.patch + * apache2-CVE-2024-39573.patch + * apache2-CVE-2024-39884.patch + * apache2-CVE-2024-40725.patch + * apache2-fips-compatibility-01.patch + * apache2-fips-compatibility-02.patch + * apache2-fips-compatibility-03.patch + * apache2-issue-444.patch +- Changes from 2.4.62: + * Applied trunk fix r1919860 which is proposed for backport, see + UNCList config errors. + * SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with + mod_rewrite in server/vhost context on Windows (cve.mitre.org) + SSRF in Apache HTTP Server on Windows with mod_rewrite in + server/vhost context, allows to potentially leak NTML hashes to a + malicious server via SSRF and malicious requests. Users are + recommended to upgrade to version 2.4.62 which fixes this issue. + * SECURITY: CVE-2024-40725: Apache HTTP Server: source code + disclosure with handlers configured via AddType (cve.mitre.org) A + partial fix for CVE-2024-39884 in the core of Apache HTTP Server + 2.4.61 ignores some use of the legacy content-type based + configuration of handlers. "AddType" and similar configuration, + under some circumstances where files are requested indirectly, + result in source code disclosure of local content. For example, + PHP scripts may be served instead of interpreted. Users are + recommended to upgrade to version 2.4.62, which fixes this issue. + * mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, + SCRIPT_NAME) for "balancer:" URLs set via SetHandler, also + allowing for "unix:" sockets with BalancerMember(s). PR 69168. + * mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" + URLs. PR 69160 + * mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2. + * mod_ssl: Add support for loading certs/keys from pkcs11: URIs via + OpenSSL 3.x providers. + * mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >= + 3.0. + * mpm_worker: Fix possible warning (AH00045) about children + processes not terminating timely. +- Changes from 2.4.61: + * SECURITY: CVE-2024-39884: Apache HTTP Server: source code + disclosure with handlers configured via AddType (cve.mitre.org) A + regression in the core of Apache HTTP Server 2.4.60 ignores some + use of the legacy content-type based configuration of handlers. + "AddType" and similar configuration, under some circumstances + where files are requested indirectly, result in source code + disclosure of local content. For example, PHP scripts may be + served instead of interpreted. Users are recommended to upgrade + to version 2.4.61, which fixes this issue. +- Changes from 2.4.60: + * SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy + handler substitution (cve.mitre.org) Potential SSRF in mod_rewrite + in Apache HTTP Server 2.4.59 and earlier allows an attacker to + cause unsafe RewriteRules to unexpectedly setup URL's to be + handled by mod_proxy. + * SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in + Denial of Service in mod_proxy via a malicious request + (cve.mitre.org) null pointer dereference in mod_proxy in Apache + HTTP Server 2.4.59 and earlier allows an attacker to crash the + server via a malicious request. + * SECURITY: CVE-2024-38476: Apache HTTP Server may use + exploitable/malicious backend application output to run local + handlers via internal redirect (cve.mitre.org) Vulnerability in + core of Apache HTTP Server 2.4.59 and earlier are vulnerably to + information disclosure, SSRF or local script execution via backend + applications whose response headers are malicious or exploitable. + Note: Some legacy uses of the 'AddType' directive to connect a + request to a handler must be ported to 'AddHandler' after this fix. + * SECURITY: CVE-2024-38475: Apache HTTP Server weakness in + mod_rewrite when first segment of substitution matches filesystem + path. (cve.mitre.org) Improper escaping of output in mod_rewrite + in Apache HTTP Server 2.4.59 and earlier allows an attacker to map + URLs to filesystem locations that are permitted to be served by + the server but are not intentionally/directly reachable by any + URL, resulting in code execution or source code disclosure. + Substitutions in server context that use a backreferences or + variables as the first segment of the substitution are affected. + Some unsafe RewiteRules will be broken by this change and the + rewrite flag "UnsafePrefixStat" can be used to opt back in once + ensuring the substitution is appropriately constrained. + * SECURITY: CVE-2024-38474: Apache HTTP Server weakness with encoded + question marks in backreferences (cve.mitre.org) Substitution + encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and + earlier allows attacker to execute scripts in directories + permitted by the configuration but not directly reachable by any + URL or source disclosure of scripts meant to only to be executed + as CGI. + Note: Some RewriteRules that capture and substitute unsafely will + now fail unless rewrite flag "UnsafeAllow3F" is specified. + * SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding + problem (cve.mitre.org) Encoding problem in mod_proxy in Apache + HTTP Server 2.4.59 and earlier allows request URLs with incorrect + encoding to be sent to backend services, potentially bypassing + authentication via crafted requests. + * SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF + (cve.mitre.org) SSRF in Apache HTTP Server on Windows allows to + potentially leak NTML hashes to a malicious server via SSRF and + malicious requests or content. + Note: Existing configurations that access UNC paths will have to + configure new directive "UNCList" to allow access during request + processing. + * SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null + pointer in websocket over HTTP/2 (cve.mitre.org) + Serving WebSocket protocol upgrades over a HTTP/2 connection + could result in a Null Pointer dereference, leading to a crash + of the server process, degrading performance. + * mod_proxy: Fix DNS requests and connections closed before the + configured addressTTL. BZ 69126. + * core: On Linux, log the real thread ID in error logs. + * core: Support zone/scope in IPv6 link-local addresses in Listen and + VirtualHost directives (requires APR 1.7.x or later). PR 59396 + * mod_ssl: Reject client-initiated renegotiation with a TLS alert + (rather than connection closure). + * Updated mime.types. + * mod_ssl: Fix a regression that causes the default DH parameters + for a key no longer set and thus effectively disabling DH ciphers + when no explicit DH parameters are set. PR 68863 + * mod_cgid: Optional support for file descriptor passing, fixing + error log handling (configure --enable-cgid-fdpassing) on Unix + platforms. PR 54221. + * mod_cgid/mod_cgi: Distinguish script stderr output clearly in + error logs. PR 61980. + * mod_tls: update version of rustls-ffi to v0.13.0. + * mod_md: + - Using OCSP stapling information to trigger certificate renewals. + - Added directive `MDCheckInterval` to control how often the + server checks for detected revocations. Added proposals for + configurations in the README.md chapter "Revocations". + - OCSP stapling: accept OCSP responses without a `nextUpdate` + entry which is allowed in RFC 6960. Treat those as having an + update interval of 12 hours. + - Adapt OpenSSL usage to changes in their API. +- Changes from 2.4.59: + * SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by + memory exhaustion on endless continuation frames (cve.mitre.org) + HTTP/2 incoming headers exceeding the limit are temporarily + buffered in nghttp2 in order to generate an informative HTTP 413 + response. If a client does not stop sending headers, this leads + to memory exhaustion. + * SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response + Splitting in multiple modules (cve.mitre.org) HTTP Response + splitting in multiple modules in Apache HTTP Server allows an + attacker that can inject malicious response headers into backend + applications to cause an HTTP desynchronization attack. Users are + recommended to upgrade to version 2.4.59, which fixes this issue. + * SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response + splitting (cve.mitre.org) Faulty input validation in the core of + Apache allows malicious or exploitable backend/content generators + to split HTTP responses. This issue affects Apache HTTP Server: + through 2.4.58. + * mod_deflate: Fixes and better logging for handling various error + and edge cases. + * Add CGIScriptTimeout to mod_cgi. + * mod_xml2enc: Tolerate libxml2 2.12.0 and later. PR 68610 + * mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable. + * mod_ssl: Use OpenSSL-standard functions to assemble CA name lists + for SSLCACertificatePath/SSLCADNRequestPath. Names will now be + consistently sorted. PR 61574. + * mod_xml2enc: Update check to accept any text/ media type or any + XML media type per RFC 7303, avoiding corruption of Microsoft + OOXML formats. PR 64339. + * mod_http2: v2.0.26 with the following fixes: + - Fixed `Date` header on requests upgraded from HTTP/1.1 + (h2c). Fixes https://github.com/icing/mod_h2/issues/272 . + - Fixed small memory leak in h2 header bucket free. + * htcacheclean: In -a/-A mode, list all files per subdirectory + rather than only one. PR 65091. + * mod_ssl: SSLProxyMachineCertificateFile/Path may reference files + which include CA certificates; those CA certs are treated as if + configured with SSLProxyMachineCertificateChainFile. + * htpasswd, htdbm, dbmmanage: Update help&docs to refer to + "hashing", rather than "encrypting" passwords. + * mod_ssl: Fix build with LibreSSL 2.0.7+. PR 64047. + * htpasswd: Add support for passwords using SHA-2. + * core: Allow mod_env to override system environment vars. + * Allow mod_dav_fs to tolerate race conditions between PROPFIND and + an operation which removes a directory/file between apr_dir_read() + and apr_stat(). Current behaviour is to abort the connection which + seems inferior to tolerating (and logging) the error. + * mod_ldap: HTML-escape data in the ldap-status handler. + * mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is + set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not + available, notably with OpenSSL >= 3. PR 68080. + * mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings + about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting + while defaulting to compatibitily with version 1.1.1 (including + ENGINEs / SSLCryptoDevice). + * mod_ssl: release memory to the OS when needed. + * mod_proxy: Ignore (and warn about) enablereuse=on for + ProxyPassMatch when some dollar substitution (backreference) + happens in the hostname or port part of the URL. + * mod_proxy: Allow to set a TTL for how long DNS resolutions to + backend systems are cached. + * mod_proxy: Add optional third argument for ProxyRemote, which + configures Basic authentication credentials to pass to the remote + proxy. PR 37355. + ------------------------------------------------------------------- Sat Nov 16 12:31:03 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com> diff --git a/apache2.spec b/apache2.spec index 6e1ddfd..fd60dcf 100644 --- a/apache2.spec +++ b/apache2.spec @@ -18,7 +18,7 @@ %global upstream_name httpd %global testsuite_name %{upstream_name}-framework -%global tversion svn1901574 +%global tversion svn1921782 %global flavor @BUILD_FLAVOR@%{nil} %define mpm %{nil} %if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork" @@ -107,7 +107,7 @@ %define build_http2 1 Name: apache2%{psuffix} -Version: 2.4.58 +Version: 2.4.62 Release: 0 Summary: The Apache HTTPD Server License: Apache-2.0 @@ -181,53 +181,6 @@ Patch2: apache2-logresolve-tmp-security.patch Patch3: apache2-LimitRequestFieldSize-limits-headers.patch # [fate317766] backport of an upstream commit Patch4: apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch - -# FIX-UPSTREAM: CVE-2024-39573, bsc#1227271: potential SSRF in mod_rewrite -# - https://svn.apache.org/viewvc?view=revision&revision=1918600 -Patch5: apache2-CVE-2024-39573.patch -# CVE-2023-38709 [bsc#1222330], HTTP response splitting -Patch6: apache2-CVE-2023-38709.patch -# CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks -Patch7: apache2-CVE-2024-27316.patch -# CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules -Patch8: apache2-CVE-2024-24795.patch -# https://github.com/apache/httpd/pull/444/commits/c2fffd29b0f58bdc9caaaff4fec68e17a676f182 -Patch9: apache2-issue-444.patch -# FIX-UPSTREAM: CVE-2024-38477, bsc#1227270: null pointer dereference in mod_proxy -# - https://svn.apache.org/viewvc?view=revision&revision=1918607 -Patch10: apache2-CVE-2024-38477.patch -# FIX-UPSTREAM: CVE-2024-38475, bsc#1227268: Improper escaping of output in mod_rewrite -# - https://svn.apache.org/viewvc?view=revision&revision=1918561 -Patch11: apache2-CVE-2024-38475-1.patch -Patch12: apache2-CVE-2024-38475-2.patch -Patch13: apache2-CVE-2024-38475-3.patch -# FIX-UPSTREAM: CVE-2024-38476, bsc#1227269: Server may use exploitable/malicious -# backend application output to run local handlers via internal -# redirect -# - https://svn.apache.org/viewvc?view=revision&revision=1918560 -Patch14: apache2-CVE-2024-38476-1.patch -Patch15: apache2-CVE-2024-38476-2.patch -Patch16: apache2-CVE-2024-38476-3.patch -Patch17: apache2-CVE-2024-38476-4.patch -Patch18: apache2-CVE-2024-38476-5.patch -Patch19: apache2-CVE-2024-38476-6.patch -Patch20: apache2-CVE-2024-38476-7.patch -Patch21: apache2-CVE-2024-38476-8.patch -Patch22: apache2-CVE-2024-38476-9.patch -Patch23: apache2-CVE-2024-38476-10.patch -Patch24: apache2-CVE-2024-38476-11.patch -# FIX-UPSTREAM: CVE-2024-38474, bsc#1227278: Substitution encoding issue in mod_rewrite -Patch25: apache2-CVE-2024-38474.patch -# FIX-UPSTREAM: CVE-2024-38473, bsc#1227276: Encoding problem in mod_proxy -Patch26: apache2-CVE-2024-38473-1.patch -Patch27: apache2-CVE-2024-38473-2.patch -Patch28: apache2-CVE-2024-38473-3.patch -Patch29: apache2-CVE-2024-38473-4.patch -# FIX-UPSTREAM: CVE-2024-39884, bsc#1227353: source code disclosure with handlers configured via AddType -Patch30: apache2-CVE-2024-39884.patch -# FIX-UPSTREAM: CVE-2024-40725, bsc#1229087: source code disclosure of local content -Patch31: apache2-CVE-2024-40725.patch - # PATCH: https://marc.info/?l=apache-httpd-users&m=147448312531134&w=2 Patch100: apache-test-application-xml-type.patch # PATCH: /test_ssl_var_lookup?SSL_SERVER_SAN_DNS_0 returns <build-host-name> @@ -237,12 +190,6 @@ Patch100: apache-test-application-xml-type.patch # even if in live system I do not experience this inconsistency, let's turn off # these variables from the test Patch101: apache-test-turn-off-variables-in-ssl-var-lookup.patch -# FIX-UPSTREAM: CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2 -Patch102: apache2-CVE-2024-36387.patch -# [boo#1220681] apache refuses to start, asking for a rebuild with FIPS support -Patch103: apache2-fips-compatibility-01.patch -Patch104: apache2-fips-compatibility-02.patch -Patch105: apache2-fips-compatibility-03.patch BuildRequires: apache-rpm-macros-control #Since 2.4.7 the event MPM requires apr 1.5.0 or later. diff --git a/httpd-2.4.58.tar.bz2 b/httpd-2.4.58.tar.bz2 deleted file mode 100644 index 6c29532..0000000 --- a/httpd-2.4.58.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:fa16d72a078210a54c47dd5bef2f8b9b8a01d94909a51453956b3ec6442ea4c5 -size 7485817 diff --git a/httpd-2.4.58.tar.bz2.asc b/httpd-2.4.58.tar.bz2.asc deleted file mode 100644 index 5945b61..0000000 --- a/httpd-2.4.58.tar.bz2.asc +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Comment: GPGTools - https://gpgtools.org - -iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmUtUXcACgkQ03fJ59GU -TGZJnA/+KAE23IcOsePVK93RsfY2pCXvrQWH2vRaPQOV68lMMyI9I3D7Dd6ZbOIL -kfdcuMydaOzkwAzgM9dgfC2PF5rO/8LDHtieBRfLNVjcK7ngatZLzRU+2qARk4PG -bxfnpVzpnshBTkMuQ0C3nr6mi+bXQgdbbSLXGS5SOBqckBMfkpEXzArU8PU0EQwT -u3Id+eAqWtxXtwRKz+lRNwLzmyiXc8a1YwXJh5d2ldrL+WlFA1cts+k3nR5YPzF1 -QsHLkoTuiAbXpRYHJg83AAENVxYPvwttIdthLeQtUgV6dcoiAuJzOt0/EBnUN5B3 -J+T10z4zvXN0MogTVceAFfySZ6fQrR5PXs3raepDjo/AtVH9dvSQdXhpOGtyiCI9 -4eabSL69Z7r+Nr3UzVLVYb4Uan5Z7G1UkKQNxJVJSR4mzitf1d3Fylw52ivBGnLv -OMcY1/b3Kx0m69dIiIlLPnG7UMgHwqgYcxJKomjI9opdobmpK42u8ZjOEYFoNAtk -sINfcehp83WwxdDuvpuSFNYWQXGhKONAZIyCW8lAuFWBG8oXra5osWY176OSUGTu -Ah+pM1NlbwL45r5kw+3t4L/3Hhx+dDqtI8jrQYReN/u4dBuIcqqLT1Ik2WjBuTyE -QiY/ZOzdxO7UAGYvgFyMHX+KsuqrxZKHd1JN2+TzHhEtstSICnE= -=CtTT ------END PGP SIGNATURE----- diff --git a/httpd-2.4.62.tar.bz2 b/httpd-2.4.62.tar.bz2 new file mode 100644 index 0000000..1bd8237 --- /dev/null +++ b/httpd-2.4.62.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:674188e7bf44ced82da8db522da946849e22080d73d16c93f7f4df89e25729ec +size 7521661 diff --git a/httpd-2.4.62.tar.bz2.asc b/httpd-2.4.62.tar.bz2.asc new file mode 100644 index 0000000..553ae17 --- /dev/null +++ b/httpd-2.4.62.tar.bz2.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmaVEjgACgkQgngd5G1Z +VPqlUA//dMZ01CalmRf4Li2gDH+ETlQXkMST+2IYNCWZzV78g5wfjpZtApKOk+6O +73WxdNSvnB15CJVIi/wXN/8ZQHu3u9kHCHw+ydDhOq7CiSAe1x5k0PcodR+me299 +PErBiAaBct+oJOnPCRdw5c5g3jomZgg1Nt5xS5NmI83UnbT9KHd92nNFdIjp6nFE +mKzsQSWSSXkObj83inJ3HvT8ALGr5TpMjHSJAC/YP9B9FuTW4lQh0XFEESz6LcR/ +Z8GWAV0qfauRhNYcp5qYcVdreVAk0J9vfnruv9OdYsMI/sDM2PYAyDk9pCMuVIfv +PuZd8n/EpMuQfeWBOLzkft2TjNYx0UAt0xLK0/FLQqbZSKgCxce3mnbm0N3qXl8h +OpWYC86h4y4shaBOCAHI4oqRFbIlbf9bssMRSYfBYTJ1k8zmADWAhIsr5276A33G +S8Z+Ah1XeYkvy1blSJDRqECAPLtAXgesLadpkTKTwu+9BmHXYllSmfdhW8D3v6SA +Ab7RMonp7poBexO0o0mm14cEAwetffUhSrFfvGp7sTBjQYH3s309HtRBuLJOwmP2 +uZvAKo84nJVaZIe7TTjpA/om7sq08Jq8xdzGbEhfGnOrtg/34d3K5S9tDvBMkmDq +HfYjFxCmfTbUDy4nqVNZcwno6jApweon+KAHbG/vJ2uMWozn2Bo= +=Lelg +-----END PGP SIGNATURE----- diff --git a/httpd-framework-svn1901574.tar.bz2 b/httpd-framework-svn1901574.tar.bz2 deleted file mode 100644 index 8348900..0000000 --- a/httpd-framework-svn1901574.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:3622bd4619ba0949bb61ec5dcd1f4e2271b40cfbed214f0f52f9b6bd0053803c -size 726259 diff --git a/httpd-framework-svn1921782.tar.bz2 b/httpd-framework-svn1921782.tar.bz2 new file mode 100644 index 0000000..f324b8e --- /dev/null +++ b/httpd-framework-svn1921782.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1d87718d8db23c4a2c5fa1c0991e00103f0cfcb4f237364df3f0969e33ba517c +size 1228913