SLFO-pool/apache2
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: SLFO-pool:1.1
Branches Tags
SLFO-pool:main
SLFO-pool:1.1
...
pull from: SLFO-pool:main
Branches Tags
SLFO-pool:main
SLFO-pool:1.1

2 Commits
1.1 ... main

Author SHA256 Message Date
Adrian Schröter
fe7b02a989 Sync from SUSE:SLFO:Main apache2 revision d5aa119141eedb6a8156b8b361bc099b 2025-01-13 22:11:04 +01:00
Adrian Schröter
f52833938c Sync from SUSE:SLFO:Main apache2 revision e3d6d70fb54538166908b35863ac2da4 2024-11-18 14:48:08 +01:00
35 changed files with 270 additions and 1989 deletions
Show Stats Expand all files Collapse all files

74
apache2-CVE-2023-38709.patch
View File

@ -1,74 +0,0 @@
Index: httpd-2.4.58/modules/http/http_filters.c
===================================================================
--- httpd-2.4.58.orig/modules/http/http_filters.c
+++ httpd-2.4.58/modules/http/http_filters.c
@@ -1353,6 +1353,9 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
*/
apr_table_clear(r->headers_out);
apr_table_clear(r->err_headers_out);
+ r->content_type = r->content_encoding = NULL;
+ r->content_languages = NULL;
+ r->clength = r->chunked = 0;
apr_brigade_cleanup(b);
/* Don't recall ap_die() if we come back here (from its own internal
@@ -1369,8 +1372,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
APR_BRIGADE_INSERT_TAIL(b, e);
e = apr_bucket_eos_create(c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(b, e);
- r->content_type = r->content_encoding = NULL;
- r->content_languages = NULL;
ap_set_content_length(r, 0);
recursive_error = 1;
}
@@ -1397,6 +1398,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
if (!apr_is_empty_table(r->err_headers_out)) {
r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
r->headers_out);
+ apr_table_clear(r->err_headers_out);
}
/*
@@ -1416,6 +1418,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
fixup_vary(r);
}
+
+ /*
+ * Control cachability for non-cacheable responses if not already set by
+ * some other part of the server configuration.
+ */
+ if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
+ char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
+ ap_recent_rfc822_date(date, r->request_time);
+ apr_table_addn(r->headers_out, "Expires", date);
+ }
+
/*
* Now remove any ETag response header field if earlier processing
* says so (such as a 'FileETag None' directive).
@@ -1428,6 +1441,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
basic_http_header_check(r, &protocol);
ap_set_keepalive(r);
+ /* 204/304 responses don't have content related headers */
if (AP_STATUS_IS_HEADER_ONLY(r->status)) {
apr_table_unset(r->headers_out, "Transfer-Encoding");
apr_table_unset(r->headers_out, "Content-Length");
@@ -1470,16 +1484,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_
apr_table_setn(r->headers_out, "Content-Language", field);
}
- /*
- * Control cachability for non-cacheable responses if not already set by
- * some other part of the server configuration.
- */
- if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
- char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
- ap_recent_rfc822_date(date, r->request_time);
- apr_table_addn(r->headers_out, "Expires", date);
- }
-
/* This is a hack, but I can't find anyway around it. The idea is that
* we don't want to send out 0 Content-Lengths if it is a head request.
* This happens when modules try to outsmart the server, and return

191
apache2-CVE-2024-24795.patch
View File

@ -1,191 +0,0 @@
Index: httpd-2.4.58/include/util_script.h
===================================================================
--- httpd-2.4.58.orig/include/util_script.h
+++ httpd-2.4.58/include/util_script.h
@@ -225,6 +225,8 @@ AP_DECLARE(int) ap_scan_script_header_er
*/
AP_DECLARE(void) ap_args_to_table(request_rec *r, apr_table_t **table);
+#define AP_TRUST_CGILIKE_CL_ENVVAR "ap_trust_cgilike_cl"
+
#ifdef __cplusplus
}
#endif
Index: httpd-2.4.58/modules/aaa/mod_authnz_fcgi.c
===================================================================
--- httpd-2.4.58.orig/modules/aaa/mod_authnz_fcgi.c
+++ httpd-2.4.58/modules/aaa/mod_authnz_fcgi.c
@@ -571,6 +571,14 @@ static apr_status_t handle_response(cons
"parsing -> %d/%d",
fn, status, r->status);
+ /* FCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
if (rspbuf) { /* caller wants to see response body,
* if any
*/
Index: httpd-2.4.58/modules/generators/mod_cgi.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_cgi.c
+++ httpd-2.4.58/modules/generators/mod_cgi.c
@@ -935,9 +935,18 @@ static int cgi_handler(request_rec *r)
char sbuf[MAX_STRING_LEN];
int ret;
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX)))
- {
+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
+ APLOG_MODULE_INDEX);
+
+ /* xCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
+ if (ret != OK) {
ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err);
/*
Index: httpd-2.4.58/modules/generators/mod_cgid.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_cgid.c
+++ httpd-2.4.58/modules/generators/mod_cgid.c
@@ -1616,9 +1616,18 @@ static int cgid_handler(request_rec *r)
b = apr_bucket_eos_create(c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, b);
- if ((ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
- APLOG_MODULE_INDEX)))
- {
+ ret = ap_scan_script_header_err_brigade_ex(r, bb, sbuf,
+ APLOG_MODULE_INDEX);
+
+ /* xCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
+ if (ret != OK) {
ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL);
/*
Index: httpd-2.4.58/modules/proxy/ajp_header.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/ajp_header.c
+++ httpd-2.4.58/modules/proxy/ajp_header.c
@@ -17,6 +17,8 @@
#include "ajp_header.h"
#include "ajp.h"
+#include "util_script.h"
+
APLOG_USE_MODULE(proxy_ajp);
static const char *response_trans_headers[] = {
@@ -669,6 +671,14 @@ static apr_status_t ajp_unmarshal_respon
}
}
+ /* AJP has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
return APR_SUCCESS;
}
Index: httpd-2.4.58/modules/proxy/mod_proxy_fcgi.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_fcgi.c
+++ httpd-2.4.58/modules/proxy/mod_proxy_fcgi.c
@@ -779,6 +779,15 @@ recv_again:
status = ap_scan_script_header_err_brigade_ex(r, ob,
NULL, APLOG_MODULE_INDEX);
+
+ /* FCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
/* suck in all the rest */
if (status != OK) {
apr_bucket *tmp_b;
Index: httpd-2.4.58/modules/proxy/mod_proxy_scgi.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_scgi.c
+++ httpd-2.4.58/modules/proxy/mod_proxy_scgi.c
@@ -390,6 +390,14 @@ static int pass_response(request_rec *r,
return status;
}
+ /* SCGI has its own body framing mechanism which we don't
+ * match against any provided Content-Length, so let the
+ * core determine C-L vs T-E based on what's actually sent.
+ */
+ if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+
conf = ap_get_module_config(r->per_dir_config, &proxy_scgi_module);
if (conf->sendfile && conf->sendfile != scgi_sendfile_off) {
short err = 1;
Index: httpd-2.4.58/modules/proxy/mod_proxy_uwsgi.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_uwsgi.c
+++ httpd-2.4.58/modules/proxy/mod_proxy_uwsgi.c
@@ -404,6 +404,12 @@ static int uwsgi_response(request_rec *r
return HTTP_BAD_GATEWAY;
}
+ /* T-E wins over C-L */
+ if (apr_table_get(r->headers_out, "Transfer-Encoding")) {
+ apr_table_unset(r->headers_out, "Content-Length");
+ backend->close = 1;
+ }
+
if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
ap_set_content_type(r, apr_pstrdup(r->pool, buf));
}
Index: httpd-2.4.58/modules/http/http_filters.c
===================================================================
--- httpd-2.4.58.orig/modules/http/http_filters.c
+++ httpd-2.4.58/modules/http/http_filters.c
@@ -778,6 +778,18 @@ static APR_INLINE int check_headers(requ
struct check_header_ctx ctx;
core_server_config *conf =
ap_get_core_module_config(r->server->module_config);
+ const char *val;
+
+ if ((val = apr_table_get(r->headers_out, "Transfer-Encoding"))) {
+ if (apr_table_get(r->headers_out, "Content-Length")) {
+ apr_table_unset(r->headers_out, "Content-Length");
+ r->connection->keepalive = AP_CONN_CLOSE;
+ }
+ if (!ap_is_chunked(r->pool, val)) {
+ r->connection->keepalive = AP_CONN_CLOSE;
+ return 0;
+ }
+ }
ctx.r = r;
ctx.strict = (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE);

45
apache2-CVE-2024-27316.patch
View File

@ -1,45 +0,0 @@
Index: modules/http2/h2_session.c
===================================================================
--- a/modules/http2/h2_session.c (revision 1916778)
+++ b/modules/http2/h2_session.c (revision 1916779)
@@ -319,9 +319,13 @@
status = h2_stream_add_header(stream, (const char *)name, namelen,
(const char *)value, valuelen);
- if (status != APR_SUCCESS
- && (!stream->rtmp
- || stream->rtmp->http_status == H2_HTTP_STATUS_UNSET)) {
+ if (status != APR_SUCCESS &&
+ (!stream->rtmp ||
+ stream->rtmp->http_status == H2_HTTP_STATUS_UNSET ||
+ /* We accept a certain amount of failures in order to reply
+ * with an informative HTTP error response like 413. But if the
+ * client is too wrong, we fail the request a RESET of the stream */
+ stream->request_headers_failed > 100)) {
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
return 0;
Index: modules/http2/h2_stream.c
===================================================================
--- a/modules/http2/h2_stream.c (revision 1916778)
+++ b/modules/http2/h2_stream.c (revision 1916779)
@@ -813,6 +813,7 @@
cleanup:
if (error) {
+ ++stream->request_headers_failed;
set_error_response(stream, error);
return APR_EINVAL;
}
Index: modules/http2/h2_stream.h
===================================================================
--- a/modules/http2/h2_stream.h (revision 1916778)
+++ b/modules/http2/h2_stream.h (revision 1916779)
@@ -91,6 +91,7 @@
struct h2_request *rtmp; /* request being assembled */
apr_table_t *trailers_in; /* optional, incoming trailers */
int request_headers_added; /* number of request headers added */
+ int request_headers_failed; /* number of request headers failed to add */
#if AP_HAS_RESPONSE_BUCKETS
ap_bucket_response *response; /* the final, non-interim response or NULL */

39
apache2-CVE-2024-38473-1.patch
View File

@ -1,39 +0,0 @@
From b10cb2d69184843832d501a615abe3e8e5e256dc Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 24 Jun 2024 17:52:31 +0000
Subject: [PATCH] Merge r1918550 from trunk:
mod_proxy: escape for non-proxypass configuration
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918559 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/mod_proxy.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index c9cef7c44f5..17e39c95b8f 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -1314,15 +1314,18 @@ static int proxy_handler(request_rec *r)
}
if (!r->proxyreq) {
+ rc = DECLINED;
/* We may have forced the proxy handler via config or .htaccess */
if (r->handler &&
strncmp(r->handler, "proxy:", 6) == 0 &&
strncmp(r->filename, "proxy:", 6) != 0) {
r->proxyreq = PROXYREQ_REVERSE;
r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
+ /* Still need to fixup/canonicalize r->filename */
+ rc = proxy_fixup(r);
}
- else {
- return DECLINED;
+ if (rc != OK) {
+ return rc;
}
} else if (strncmp(r->filename, "proxy:", 6) != 0) {
return DECLINED;

208
apache2-CVE-2024-38473-2.patch
View File

@ -1,208 +0,0 @@
From 6b8e043ce4f27114e6ae1b8176b629b7cb3fbbce Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Wed, 26 Jun 2024 14:51:32 +0000
Subject: [PATCH] mod_proxy: Fixup UDS filename for mod_proxy called through
r->handler.
* modules/proxy/proxy_util.c:
Export ap_proxy_fixup_uds_filename() from fix_uds_filename.
Call it from ap_proxy_pre_request() even for rewritten balancer workers.
* modules/proxy/mod_proxy.h:
Declare ap_proxy_fixup_uds_filename()
* modules/proxy/mod_proxy.c:
Fixup UDS filename from r->handler in proxy_handler().
* include/ap_mmn.h:
Bump MMN minor for ap_proxy_fixup_uds_filename()
mod_proxy: follow up to r1918626: Simplify ap_proxy_fixup_uds_filename() and callers.
Merges r1918626, r1918647 from trunk
GH: closes #457
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918666 13f79535-47bb-0310-9956-ffa450edef68
---
include/ap_mmn.h | 3 ++-
modules/proxy/mod_proxy.c | 33 ++++++++++++++++++------------
modules/proxy/mod_proxy.h | 8 ++++++++
modules/proxy/proxy_util.c | 41 ++++++++++++++++++++++----------------
4 files changed, 54 insertions(+), 31 deletions(-)
Index: httpd-2.4.58/modules/proxy/mod_proxy.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy.c
+++ httpd-2.4.58/modules/proxy/mod_proxy.c
@@ -1227,6 +1227,7 @@ static int proxy_fixup(request_rec *r)
return OK; /* otherwise; we've done the best we can */
}
+
/* Send a redirection if the request contains a hostname which is not */
/* fully qualified, i.e. doesn't have a domain name appended. Some proxy */
/* servers like Netscape's allow this and access hosts from the local */
@@ -1280,7 +1281,7 @@ static int proxy_handler(request_rec *r)
ap_get_module_config(sconf, &proxy_module);
apr_array_header_t *proxies = conf->proxies;
struct proxy_remote *ents = (struct proxy_remote *) proxies->elts;
- int i, rc, access_status;
+ int rc = DECLINED, access_status, i;
int direct_connect = 0;
const char *str;
apr_int64_t maxfwd;
@@ -1295,22 +1296,28 @@ static int proxy_handler(request_rec *r)
return DECLINED;
}
- if (!r->proxyreq) {
- rc = DECLINED;
- /* We may have forced the proxy handler via config or .htaccess */
- if (r->handler &&
- strncmp(r->handler, "proxy:", 6) == 0 &&
- strncmp(r->filename, "proxy:", 6) != 0) {
- r->proxyreq = PROXYREQ_REVERSE;
- r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
- /* Still need to fixup/canonicalize r->filename */
+ /* We may have forced the proxy handler via config or .htaccess */
+ if (!r->proxyreq && r->handler && strncmp(r->handler, "proxy:", 6) == 0) {
+ char *old_filename = r->filename;
+
+ r->proxyreq = PROXYREQ_REVERSE;
+ r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL);
+
+ /* Still need to fixup/canonicalize r->filename */
+ rc = ap_proxy_fixup_uds_filename(r);
+ if (rc <= OK) {
rc = proxy_fixup(r);
}
if (rc != OK) {
- return rc;
+ r->filename = old_filename;
+ r->proxyreq = 0;
}
- } else if (strncmp(r->filename, "proxy:", 6) != 0) {
- return DECLINED;
+ }
+ else if (r->proxyreq && strncmp(r->filename, "proxy:", 6) == 0) {
+ rc = OK;
+ }
+ if (rc != OK) {
+ return rc;
}
/* handle max-forwards / OPTIONS / TRACE */
Index: httpd-2.4.58/modules/proxy/mod_proxy.h
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy.h
+++ httpd-2.4.58/modules/proxy/mod_proxy.h
@@ -993,6 +993,14 @@ PROXY_DECLARE(proxy_balancer_shared *) a
proxy_balancer *balancer,
unsigned int *index);
+/*
+ * Strip the UDS part of r->filename if any, and put the UDS path in
+ * r->notes ("uds_path")
+ * @param r current request
+ * @return OK if fixed up, DECLINED if not UDS, or an HTTP_XXX error
+ */
+PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r);
+
/**
* Get the most suitable worker and/or balancer for the request
* @param worker worker used for processing request
Index: httpd-2.4.58/modules/proxy/proxy_util.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/proxy_util.c
+++ httpd-2.4.58/modules/proxy/proxy_util.c
@@ -2316,7 +2316,7 @@ static int ap_proxy_retry_worker(const c
* were passed a UDS url (eg: from mod_proxy) and adjust uds_path
* as required.
*/
-static int fix_uds_filename(request_rec *r, char **url)
+PROXY_DECLARE(int) ap_proxy_fixup_uds_filename(request_rec *r)
{
char *uds_url = r->filename + 6, *origin_url;
@@ -2324,7 +2324,6 @@ static int fix_uds_filename(request_rec
!ap_cstr_casecmpn(uds_url, "unix:", 5) &&
(origin_url = ap_strchr(uds_url + 5, '|'))) {
char *uds_path = NULL;
- apr_size_t url_len;
apr_uri_t urisock;
apr_status_t rv;
@@ -2339,20 +2338,20 @@ static int fix_uds_filename(request_rec
if (!uds_path) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
"Invalid proxy UDS filename (%s)", r->filename);
- return 0;
+ return HTTP_BAD_REQUEST;
}
apr_table_setn(r->notes, "uds_path", uds_path);
- /* Remove the UDS path from *url and r->filename */
- url_len = strlen(origin_url);
- *url = apr_pstrmemdup(r->pool, origin_url, url_len);
- memcpy(uds_url, *url, url_len + 1);
-
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
- "*: rewrite of url due to UDS(%s): %s (%s)",
- uds_path, *url, r->filename);
+ "*: fixup UDS from %s: %s (%s)",
+ r->filename, origin_url, uds_path);
+
+ /* Overwrite the UDS part in place */
+ memmove(uds_url, origin_url, strlen(origin_url) + 1);
+ return OK;
}
- return 1;
+
+ return DECLINED;
}
PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
@@ -2371,9 +2370,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"%s: found worker %s for %s",
(*worker)->s->scheme, (*worker)->s->name_ex, *url);
- if (!forward && !fix_uds_filename(r, url)) {
- return HTTP_INTERNAL_SERVER_ERROR;
- }
access_status = OK;
}
else if (forward) {
@@ -2403,9 +2399,6 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
* regarding the Connection header in the request.
*/
apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
- if (!fix_uds_filename(r, url)) {
- return HTTP_INTERNAL_SERVER_ERROR;
- }
}
}
}
@@ -2415,6 +2408,20 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
"all workers are busy. Unable to serve %s", *url);
access_status = HTTP_SERVICE_UNAVAILABLE;
}
+
+ if (access_status == OK && r->proxyreq == PROXYREQ_REVERSE) {
+ int rc = ap_proxy_fixup_uds_filename(r);
+ if (ap_is_HTTP_ERROR(rc)) {
+ return rc;
+ }
+ /* If the URL has changed in r->filename, take everything after
+ * the "proxy:" prefix.
+ */
+ if (rc == OK) {
+ *url = apr_pstrdup(r->pool, r->filename + 6);
+ }
+ }
+
return access_status;
}

51
apache2-CVE-2024-38473-3.patch
View File

@ -1,51 +0,0 @@
From cc00cf6b4e37370897daddc307bf1deecf8fedfa Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Tue, 25 Jun 2024 20:20:05 +0000
Subject: [PATCH] Merge r1918623 from trunk:
fix comparison of local path on Windows
Submitted By: Yann Ylavic
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918625 13f79535-47bb-0310-9956-ffa450edef68
---
modules/mappers/mod_rewrite.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 46ea16c8c64..e0390768267 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -653,6 +653,19 @@ static unsigned is_absolute_uri(char *uri, int *supportsqs)
return 0;
}
+static int is_absolute_path(const char *path)
+{
+#ifndef WIN32
+ return (path[0] == '/');
+#else
+#define IS_SLASH(c) ((c) == '/' || (c) == '\\')
+ /* "//", "\\", "x:/" and "x:\" are absolute paths on Windows */
+ return ((IS_SLASH(path[0]) && path[1] == path[0])
+ || (apr_isalpha(path[0]) && path[1] == ':' && IS_SLASH(path[2])));
+#undef IS_SLASH
+#endif
+}
+
static const char c2x_table[] = "0123456789abcdef";
static APR_INLINE unsigned char *c2x(unsigned what, unsigned char prefix,
@@ -4351,7 +4364,9 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
* (1) it's an absolute URL path and
* (2) it's a full qualified URL
*/
- if (!is_proxyreq && *newuri != '/' && !is_absolute_uri(newuri, NULL)) {
+ if (!is_proxyreq
+ && !is_absolute_path(newuri)
+ && !is_absolute_uri(newuri, NULL)) {
if (ctx->perdir) {
rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
newuri, ctx->perdir, newuri));

187
apache2-CVE-2024-38473-4.patch
View File

@ -1,187 +0,0 @@
From 4326d6b9041a3bcb9b529f9163d0761c2d760700 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Wed, 26 Jun 2024 14:56:47 +0000
Subject: [PATCH] factor out IS_SLASH, perdir fix
in per-dir, the filename will be internally redirected, so / is OK too.
don't add / to / in the non-perdir
match AP_IS_SLASH macro
followup to 1918651
Merges r1918651, r1918652, r1918663 from trunk
Reviewed by: covener, ylavic, rpluem
GH: close #458
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1918668 13f79535-47bb-0310-9956-ffa450edef68
---
include/ap_mmn.h | 3 ++-
include/httpd.h | 11 +++++++++++
modules/mappers/mod_rewrite.c | 11 ++++-------
server/util.c | 31 ++++++++++---------------------
4 files changed, 27 insertions(+), 29 deletions(-)
Index: httpd-2.4.58/include/httpd.h
===================================================================
--- httpd-2.4.58.orig/include/httpd.h
+++ httpd-2.4.58/include/httpd.h
@@ -2663,6 +2663,17 @@ AP_DECLARE(const char *)ap_dir_fnmatch(a
*/
AP_DECLARE(int) ap_is_chunked(apr_pool_t *p, const char *line);
+/* Win32/NetWare/OS2 need to check for both forward and back slashes
+ * in ap_normalize_path() and ap_escape_url().
+ */
+#ifdef CASE_BLIND_FILESYSTEM
+#define AP_IS_SLASH(s) ((s == '/') || (s == '\\'))
+#define AP_SLASHES "/\\"
+#else
+#define AP_IS_SLASH(s) (s == '/')
+#define AP_SLASHES "/"
+#endif
+
#ifdef __cplusplus
}
#endif
Index: httpd-2.4.58/modules/mappers/mod_rewrite.c
===================================================================
--- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c
+++ httpd-2.4.58/modules/mappers/mod_rewrite.c
@@ -655,14 +655,11 @@ static unsigned is_absolute_uri(char *ur
static int is_absolute_path(const char *path)
{
-#ifndef WIN32
+#ifndef CASE_BLIND_FILESYSTEM
return (path[0] == '/');
#else
-#define IS_SLASH(c) ((c) == '/' || (c) == '\\')
- /* "//", "\\", "x:/" and "x:\" are absolute paths on Windows */
- return ((IS_SLASH(path[0]) && path[1] == path[0])
- || (apr_isalpha(path[0]) && path[1] == ':' && IS_SLASH(path[2])));
-#undef IS_SLASH
+ return ((AP_IS_SLASH(path[0]) && path[1] == path[0])
+ || (apr_isalpha(path[0]) && path[1] == ':' && AP_IS_SLASH(path[2])));
#endif
}
@@ -4366,11 +4363,11 @@ static rule_return_type apply_rewrite_ru
*/
if (!is_proxyreq
&& !is_absolute_path(newuri)
+ && !AP_IS_SLASH(*newuri)
&& !is_absolute_uri(newuri, NULL)) {
if (ctx->perdir) {
rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
newuri, ctx->perdir, newuri));
-
newuri = apr_pstrcat(r->pool, ctx->perdir, newuri, NULL);
}
else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) {
Index: httpd-2.4.58/server/util.c
===================================================================
--- httpd-2.4.58.orig/server/util.c
+++ httpd-2.4.58/server/util.c
@@ -75,17 +75,6 @@
*/
#include "test_char.h"
-/* Win32/NetWare/OS2 need to check for both forward and back slashes
- * in ap_normalize_path() and ap_escape_url().
- */
-#ifdef CASE_BLIND_FILESYSTEM
-#define IS_SLASH(s) ((s == '/') || (s == '\\'))
-#define SLASHES "/\\"
-#else
-#define IS_SLASH(s) (s == '/')
-#define SLASHES "/"
-#endif
-
/* we know core's module_index is 0 */
#undef APLOG_MODULE_INDEX
#define APLOG_MODULE_INDEX AP_CORE_MODULE_INDEX
@@ -492,7 +481,7 @@ AP_DECLARE(apr_status_t) ap_pregsub_ex(a
/* Forward declare */
static char x2c(const char *what);
-#define IS_SLASH_OR_NUL(s) (s == '\0' || IS_SLASH(s))
+#define IS_SLASH_OR_NUL(s) (s == '\0' || AP_IS_SLASH(s))
/*
* Inspired by mod_jk's jk_servlet_normalize().
@@ -504,7 +493,7 @@ AP_DECLARE(int) ap_normalize_path(char *
int decode_unreserved = (flags & AP_NORMALIZE_DECODE_UNRESERVED) != 0;
int merge_slashes = (flags & AP_NORMALIZE_MERGE_SLASHES) != 0;
- if (!IS_SLASH(path[0])) {
+ if (!AP_IS_SLASH(path[0])) {
/* Besides "OPTIONS *", a request-target should start with '/'
* per RFC 7230 section 5.3, so anything else is invalid.
*/
@@ -545,12 +534,12 @@ AP_DECLARE(int) ap_normalize_path(char *
}
}
- if (w == 0 || IS_SLASH(path[w - 1])) {
+ if (w == 0 || AP_IS_SLASH(path[w - 1])) {
/* Collapse ///// sequences to / */
- if (merge_slashes && IS_SLASH(path[l])) {
+ if (merge_slashes && AP_IS_SLASH(path[l])) {
do {
l++;
- } while (IS_SLASH(path[l]));
+ } while (AP_IS_SLASH(path[l]));
continue;
}
@@ -579,7 +568,7 @@ AP_DECLARE(int) ap_normalize_path(char *
if (w > 1) {
do {
w--;
- } while (w && !IS_SLASH(path[w - 1]));
+ } while (w && !AP_IS_SLASH(path[w - 1]));
}
else {
/* Already at root, ignore and return a failure
@@ -1915,7 +1904,7 @@ static int unescape_url(char *url, const
char decoded;
decoded = x2c(y + 1);
if ((decoded == '\0')
- || (forbid_slashes && IS_SLASH(decoded))
+ || (forbid_slashes && AP_IS_SLASH(decoded))
|| (forbid && ap_strchr_c(forbid, decoded))) {
badpath = 1;
*x = decoded;
@@ -1923,7 +1912,7 @@ static int unescape_url(char *url, const
}
else if ((keep_unreserved && TEST_CHAR(decoded,
T_URI_UNRESERVED))
- || (keep_slashes && IS_SLASH(decoded))
+ || (keep_slashes && AP_IS_SLASH(decoded))
|| (reserved && ap_strchr_c(reserved, decoded))) {
*x++ = *y++;
*x++ = *y++;
@@ -1950,7 +1939,7 @@ static int unescape_url(char *url, const
AP_DECLARE(int) ap_unescape_url(char *url)
{
/* Traditional */
- return unescape_url(url, SLASHES, NULL, 0);
+ return unescape_url(url, AP_SLASHES, NULL, 0);
}
AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes)
{
@@ -1960,7 +1949,7 @@ AP_DECLARE(int) ap_unescape_url_keep2f(c
return unescape_url(url, NULL, NULL, 0);
} else {
/* reserve (do not decode) encoded slashes */
- return unescape_url(url, NULL, SLASHES, 0);
+ return unescape_url(url, NULL, AP_SLASHES, 0);
}
}
AP_DECLARE(int) ap_unescape_url_ex(char *url, unsigned int flags)

17
apache2-CVE-2024-38474.patch
View File

@ -1,17 +0,0 @@
Index: httpd-2.4.58/modules/mappers/mod_rewrite.c
===================================================================
--- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c
+++ httpd-2.4.58/modules/mappers/mod_rewrite.c
@@ -4537,6 +4560,12 @@ static int apply_rewrite_list(request_re
return ACTION_STATUS_SET;
}
+
+ /* Error while evaluating rule, r->status set */
+ if (RULE_RC_STATUS_SET == rc) {
+ return ACTION_STATUS_SET;
+ }
+
/*
* The rule sets the response code (implies match-only)
*/

23
apache2-CVE-2024-38475-1.patch
View File

@ -1,23 +0,0 @@
Index: httpd-2.4.58/docs/manual/mod/mod_rewrite.html.en
===================================================================
--- httpd-2.4.58.orig/docs/manual/mod/mod_rewrite.html.en
+++ httpd-2.4.58/docs/manual/mod/mod_rewrite.html.en
@@ -1451,6 +1451,18 @@ cannot use <code>$N</code> in the substi
<td>Force the <a class="glossarylink" href="../glossary.html#mime-type" title="see glossary">MIME-type</a> of the target file
to be the specified type. <em><a href="../rewrite/flags.html#flag_t">details ...</a></em></td>
</tr>
+ <tr>
+ <td>UnsafeAllow3F</td>
+ <td>Allows substitutions from URL's that may be unsafe.
+ <em><a href="../rewrite/flags.html#flag_unsafe_allow_3f">details ...</a></em>
+ </td>
+ </tr>
+ <tr>
+ <td>UnsafePrefixStat</td>
+ <td>Allows potentially unsafe substitutions from a leading variable or backreference to a filesystem path.</td>
+ <em><a href="../rewrite/flags.html#flag_unsafe_prefix_stat">details ...</a></em>
+ </td>
+ </tr>
</table>
<div class="note"><h3>Home directory expansion</h3>

31
apache2-CVE-2024-38475-2.patch
View File

@ -1,31 +0,0 @@
Index: httpd-2.4.58/docs/manual/rewrite/flags.html.en
===================================================================
--- httpd-2.4.58.orig/docs/manual/rewrite/flags.html.en
+++ httpd-2.4.58/docs/manual/rewrite/flags.html.en
@@ -820,8 +820,25 @@ otherwise the MIME-type set with this fl
re-processing (including subsequent rounds of mod_rewrite processing).
The <code>L</code> flag can be useful in this context to end the
<em>current</em> round of mod_rewrite processing.</p>
+</div>
-</div></div>
+<div class="section">
+ <h2><a name="flag_unsafe_allow_3f" id="flag_unsafe_allow_3f">UnsafeAllow3F</a></h2>
+ <p> Setting this flag is required to allow a rewrite to continue If the
+ HTTP request being written has an encoded question mark, '%3f', and the
+ rewritten result has a '?' in the substiution. This protects from a malicious
+ URL taking advantage of a capture and re-substitution of the encoded
+ question mark.</p>
+</div>
+<div class="section" id="flag_unsafe_prefix_status">
+ <h2><a name="flag_unsafe_prefix_status" id="flag_unsafe_prefix_status">UnsafePrefixStat</a></h2>
+ <p> Setting this flag is required in server-scoped substitutions
+ start with a variable or backreference and resolve to a filesystem path.
+ These substitutions are not prefixed with the document root.
+ This protects from a malicious URL causing the expanded substitution to
+ map to an unexpected filesystem location.</p>
+ </div>
+</div>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/rewrite/flags.html" title="English">&nbsp;en&nbsp;</a> |
<a href="../fr/rewrite/flags.html" hreflang="fr" rel="alternate" title="Français">&nbsp;fr&nbsp;</a></p>

383
apache2-CVE-2024-38475-3.patch
View File

@ -1,383 +0,0 @@
Index: httpd-2.4.58/modules/mappers/mod_rewrite.c
===================================================================
--- httpd-2.4.58.orig/modules/mappers/mod_rewrite.c
+++ httpd-2.4.58/modules/mappers/mod_rewrite.c
@@ -177,6 +177,8 @@ static const char* really_last_key = "re
#define RULEFLAG_QSLAST (1<<19)
#define RULEFLAG_QSNONE (1<<20) /* programattic only */
#define RULEFLAG_ESCAPECTLS (1<<21)
+#define RULEFLAG_UNSAFE_PREFIX_STAT (1<<22)
+#define RULEFLAG_UNSAFE_ALLOW3F (1<<23)
/* return code of the rewrite rule
* the result may be escaped - or not
@@ -184,7 +186,7 @@ static const char* really_last_key = "re
#define ACTION_NORMAL (1<<0)
#define ACTION_NOESCAPE (1<<1)
#define ACTION_STATUS (1<<2)
-
+#define ACTION_STATUS_SET (1<<3)
#define MAPTYPE_TXT (1<<0)
#define MAPTYPE_DBM (1<<1)
@@ -208,6 +210,7 @@ static const char* really_last_key = "re
#define OPTION_IGNORE_INHERIT (1<<8)
#define OPTION_IGNORE_CONTEXT_INFO (1<<9)
#define OPTION_LEGACY_PREFIX_DOCROOT (1<<10)
+#define OPTION_UNSAFE_PREFIX_STAT (1<<12)
#ifndef RAND_MAX
#define RAND_MAX 32767
@@ -301,6 +304,14 @@ typedef enum {
CONDPAT_AP_EXPR
} pattern_type;
+typedef enum {
+ RULE_RC_NOMATCH = 0, /* the rule didn't match */
+ RULE_RC_MATCH = 1, /* a matching rule w/ substitution */
+ RULE_RC_NOSUB = 2, /* a matching rule w/ no substitution */
+ RULE_RC_STATUS_SET = 3 /* a matching rule that has set an HTTP error
+ to be returned in r->status */
+} rule_return_type;
+
typedef struct {
char *input; /* Input string of RewriteCond */
char *pattern; /* the RegExp pattern string */
@@ -927,10 +938,15 @@ static void fully_qualify_uri(request_re
return;
}
+static int startsWith(request_rec *r, const char *haystack, const char *needle) {
+ int rc = (ap_strstr_c(haystack, needle) == haystack);
+ rewritelog((r, 5, NULL, "prefix_stat startsWith(%s, %s) %d", haystack, needle, rc));
+ return rc;
+}
/*
- * stat() only the first segment of a path
+ * stat() only the first segment of a path, and only if it matches the output of the last matching rule
*/
-static int prefix_stat(const char *path, apr_pool_t *pool)
+static int prefix_stat(request_rec *r, const char *path, apr_pool_t *pool, rewriterule_entry *lastsub)
{
const char *curpath = path;
const char *root;
@@ -964,10 +980,36 @@ static int prefix_stat(const char *path,
apr_finfo_t sb;
if (apr_stat(&sb, statpath, APR_FINFO_MIN, pool) == APR_SUCCESS) {
- return 1;
+ if (!lastsub) {
+ rewritelog((r, 3, NULL, "prefix_stat no lastsub subst prefix %s", statpath));
+ return 1;
+ }
+
+ rewritelog((r, 3, NULL, "prefix_stat compare statpath %s and lastsub output %s STATOK %d ",
+ statpath, lastsub->output, lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT));
+ if (lastsub->flags & RULEFLAG_UNSAFE_PREFIX_STAT) {
+ return 1;
+ }
+ else {
+ const char *docroot = ap_document_root(r);
+ const char *context_docroot = ap_context_document_root(r);
+ /*
+ * As an example, path (r->filename) is /var/foo/bar/baz.html
+ * even if the flag is not set, we can accept a rule that
+ * began with a literal /var (stapath), or if the entire path
+ * starts with the docroot or context document root
+ */
+ if (startsWith(r, lastsub->output, statpath) ||
+ startsWith(r, path, docroot) ||
+ ((docroot != context_docroot) &&
+ startsWith(r, path, context_docroot))) {
+ return 1;
+ }
+ }
}
}
+ /* prefix will be added */
return 0;
}
@@ -3072,6 +3114,9 @@ static const char *cmd_rewriteoptions(cm
else if (!strcasecmp(w, "legacyprefixdocroot")) {
options |= OPTION_LEGACY_PREFIX_DOCROOT;
}
+ else if (!strcasecmp(w, "UnsafePrefixStat")) {
+ options |= OPTION_UNSAFE_PREFIX_STAT;
+ }
else {
return apr_pstrcat(cmd->pool, "RewriteOptions: unknown option '",
w, "'", NULL);
@@ -3780,6 +3825,18 @@ static const char *cmd_rewriterule_setfl
++error;
}
break;
+ case 'u':
+ case 'U':
+ if (!strcasecmp(key, "nsafePrefixStat")){
+ cfg->flags |= (RULEFLAG_UNSAFE_PREFIX_STAT);
+ }
+ else if(!strcasecmp(key, "nsafeAllow3F")) {
+ cfg->flags |= RULEFLAG_UNSAFE_ALLOW3F;
+ }
+ else {
+ ++error;
+ }
+ break;
default:
++error;
break;
@@ -4138,7 +4195,8 @@ static APR_INLINE void force_type_handle
/*
* Apply a single RewriteRule
*/
-static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
+static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
+ rewrite_ctx *ctx)
{
ap_regmatch_t regmatch[AP_MAX_REG_MATCH];
apr_array_header_t *rewriteconds;
@@ -4189,7 +4247,7 @@ static int apply_rewrite_rule(rewriterul
rc = !ap_regexec(p->regexp, ctx->uri, AP_MAX_REG_MATCH, regmatch, 0);
if (! (( rc && !(p->flags & RULEFLAG_NOTMATCH)) ||
(!rc && (p->flags & RULEFLAG_NOTMATCH)) ) ) {
- return 0;
+ return RULE_RC_NOMATCH;
}
/* It matched, wow! Now it's time to prepare the context structure for
@@ -4240,7 +4298,7 @@ static int apply_rewrite_rule(rewriterul
}
}
else if (!rc) {
- return 0;
+ return RULE_RC_NOMATCH;
}
/* If some HTTP header was involved in the condition, remember it
@@ -4260,6 +4318,15 @@ static int apply_rewrite_rule(rewriterul
newuri = do_expand(p->output, ctx, p);
rewritelog((r, 2, ctx->perdir, "rewrite '%s' -> '%s'", ctx->uri,
newuri));
+ if (!(p->flags & RULEFLAG_UNSAFE_ALLOW3F) &&
+ ap_strcasestr(r->unparsed_uri, "%3f") &&
+ ap_strchr_c(newuri, '?')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
+ "Unsafe URL with %%3f URL rewritten without "
+ "UnsafeAllow3F");
+ r->status = HTTP_FORBIDDEN;
+ return RULE_RC_STATUS_SET;
+ }
}
/* expand [E=var:val] and [CO=<cookie>] */
@@ -4277,7 +4344,7 @@ static int apply_rewrite_rule(rewriterul
r->status = p->forced_responsecode;
}
- return 2;
+ return RULE_RC_NOSUB;
}
/* Add the previously stripped per-directory location prefix, unless
@@ -4343,7 +4410,7 @@ static int apply_rewrite_rule(rewriterul
r->filename));
r->filename = apr_pstrcat(r->pool, "proxy:", r->filename, NULL);
- return 1;
+ return RULE_RC_MATCH;
}
/* If this rule is explicitly forced for HTTP redirection
@@ -4358,7 +4425,7 @@ static int apply_rewrite_rule(rewriterul
r->filename));
r->status = p->forced_responsecode;
- return 1;
+ return RULE_RC_MATCH;
}
/* Special Rewriting Feature: Self-Reduction
@@ -4380,7 +4447,7 @@ static int apply_rewrite_rule(rewriterul
"with %s", p->forced_responsecode, r->filename));
r->status = p->forced_responsecode;
- return 1;
+ return RULE_RC_MATCH;
}
/* Finally remember the forced mime-type */
@@ -4389,7 +4456,7 @@ static int apply_rewrite_rule(rewriterul
/* Puuhhhhhhhh... WHAT COMPLICATED STUFF ;_)
* But now we're done for this particular rule.
*/
- return 1;
+ return RULE_RC_MATCH;
}
/*
@@ -4397,13 +4464,13 @@ static int apply_rewrite_rule(rewriterul
* i.e. a list of rewrite rules
*/
static int apply_rewrite_list(request_rec *r, apr_array_header_t *rewriterules,
- char *perdir)
+ char *perdir, rewriterule_entry **lastsub)
{
rewriterule_entry *entries;
rewriterule_entry *p;
int i;
int changed;
- int rc;
+ rule_return_type rc;
int s;
rewrite_ctx *ctx;
int round = 1;
@@ -4411,6 +4478,7 @@ static int apply_rewrite_list(request_re
ctx = apr_palloc(r->pool, sizeof(*ctx));
ctx->perdir = perdir;
ctx->r = r;
+ *lastsub = NULL;
/*
* Iterate over all existing rules
@@ -4438,7 +4506,12 @@ static int apply_rewrite_list(request_re
ctx->vary = NULL;
rc = apply_rewrite_rule(p, ctx);
- if (rc) {
+ if (rc != RULE_RC_NOMATCH) {
+
+ if (!(p->flags & RULEFLAG_NOSUB)) {
+ rewritelog((r, 2, perdir, "setting lastsub to rule with output %s", p->output));
+ *lastsub = p;
+ }
/* Catch looping rules with pathinfo growing unbounded */
if ( strlen( r->filename ) > 2*r->server->limit_req_line ) {
@@ -4458,6 +4531,12 @@ static int apply_rewrite_list(request_re
apr_table_merge(r->headers_out, "Vary", ctx->vary);
}
+
+ /* Error while evaluating rule, r->status set */
+ if (RULE_RC_STATUS_SET == rc) {
+ return ACTION_STATUS_SET;
+ }
+
/*
* The rule sets the response code (implies match-only)
*/
@@ -4468,7 +4547,7 @@ static int apply_rewrite_list(request_re
/*
* Indicate a change if this was not a match-only rule.
*/
- if (rc != 2) {
+ if (rc != RULE_RC_NOSUB) {
changed = ((p->flags & RULEFLAG_NOESCAPE)
? ACTION_NOESCAPE : ACTION_NORMAL);
}
@@ -4657,6 +4736,7 @@ static int hook_uri2file(request_rec *r)
int rulestatus;
void *skipdata;
const char *oargs;
+ rewriterule_entry *lastsub = NULL;
/*
* retrieve the config structures
@@ -4768,7 +4848,7 @@ static int hook_uri2file(request_rec *r)
/*
* now apply the rules ...
*/
- rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL);
+ rulestatus = apply_rewrite_list(r, conf->rewriterules, NULL, &lastsub);
apr_table_setn(r->notes, "mod_rewrite_rewritten",
apr_psprintf(r->pool,"%d",rulestatus));
}
@@ -4806,6 +4886,9 @@ static int hook_uri2file(request_rec *r)
r->status = HTTP_OK;
return n;
}
+ else if (ACTION_STATUS_SET == rulestatus) {
+ return r->status;
+ }
if (to_proxyreq) {
/* it should be go on as an internal proxy request */
@@ -4925,23 +5008,29 @@ static int hook_uri2file(request_rec *r)
return HTTP_BAD_REQUEST;
}
- /* if there is no valid prefix, we call
- * the translator from the core and
- * prefix the filename with document_root
+ /* We have r->filename as a path in a server-context rewrite without
+ * the PT flag. The historical behavior is to treat it as a verbatim
+ * filesystem path iff the first component of the path exists and is
+ * readable by httpd. Otherwise, it is interpreted as DocumentRoot
+ * relative.
*
* NOTICE:
* We cannot leave out the prefix_stat because
- * - when we always prefix with document_root
- * then no absolute path can be created, e.g. via
- * emulating a ScriptAlias directive, etc.
- * - when we always NOT prefix with document_root
+ * - If we always prefix with document_root
+ * then no absolute path can could ever be used in
+ * a substitution. e.g. emulating an Alias.
+ * - If we never prefix with document_root
* then the files under document_root have to
* be references directly and document_root
* gets never used and will be a dummy parameter -
- * this is also bad
+ * this is also bad.
+ * - Later addition: This part is questionable.
+ * If we had never prefixed, users would just
+ * need %{DOCUMENT_ROOT} in substitutions or the
+ * [PT] flag.
*
* BUT:
- * Under real Unix systems this is no problem,
+ * Under real Unix systems this is no perf problem,
* because we only do stat() on the first directory
* and this gets cached by the kernel for along time!
*/
@@ -4950,7 +5039,9 @@ static int hook_uri2file(request_rec *r)
uri_reduced = apr_table_get(r->notes, "mod_rewrite_uri_reduced");
}
- if (!prefix_stat(r->filename, r->pool) || uri_reduced != NULL) {
+ if (!prefix_stat(r, r->filename, r->pool,
+ conf->options & OPTION_UNSAFE_PREFIX_STAT ? NULL : lastsub)
+ || uri_reduced != NULL) {
int res;
char *tmp = r->uri;
@@ -4995,6 +5086,7 @@ static int hook_fixup(request_rec *r)
char *ofilename, *oargs;
int is_proxyreq;
void *skipdata;
+ rewriterule_entry *lastsub;
dconf = (rewrite_perdir_conf *)ap_get_module_config(r->per_dir_config,
&rewrite_module);
@@ -5079,7 +5171,7 @@ static int hook_fixup(request_rec *r)
/*
* now apply the rules ...
*/
- rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory);
+ rulestatus = apply_rewrite_list(r, dconf->rewriterules, dconf->directory, &lastsub);
if (rulestatus) {
unsigned skip_absolute = is_absolute_uri(r->filename, NULL);
int to_proxyreq = 0;
@@ -5108,6 +5200,9 @@ static int hook_fixup(request_rec *r)
r->status = HTTP_OK;
return n;
}
+ else if (ACTION_STATUS_SET == rulestatus) {
+ return r->status;
+ }
if (to_proxyreq) {
/* it should go on as an internal proxy request */

20
apache2-CVE-2024-38476-1.patch
View File

@ -1,20 +0,0 @@
--- a/include/http_protocol.h 2024/06/24 17:52:31 1918559
+++ b/include/http_protocol.h 2024/06/24 17:54:34 1918560
@@ -439,6 +439,17 @@
AP_DECLARE(void) ap_set_content_type(request_rec *r, const char *ct);
/**
+ * Set the content type for this request (r->content_type).
+ * @param r The current request
+ * @param ct The new content type
+ * @param trusted If non-zero, The content-type should come from a
+ * trusted source such as server configuration rather
+ * than application output.
+ * for the AddOutputFilterByType directive to work correctly.
+ */
+AP_DECLARE(void) ap_set_content_type_ex(request_rec *r, const char *ct, int trusted);
+
+/**
* Set the Accept-Ranges header for this response
* @param r The current request
*/

11
apache2-CVE-2024-38476-10.patch
View File

@ -1,11 +0,0 @@
--- a/server/config.c 2024/06/24 17:52:31 1918559
+++ b/server/config.c 2024/06/24 17:54:34 1918560
@@ -418,7 +418,7 @@
}
if (!r->handler) {
- if (r->content_type) {
+ if (r->content_type && AP_REQUEST_IS_TRUSTED_CT(r)) {
handler = r->content_type;
if ((p=ap_strchr_c(handler, ';')) != NULL) {
char *new_handler = (char *)apr_pmemdup(r->pool, handler,

11
apache2-CVE-2024-38476-11.patch
View File

@ -1,11 +0,0 @@
--- a/server/core.c 2024/06/24 17:52:31 1918559
+++ b/server/core.c 2024/06/24 17:54:34 1918560
@@ -4835,7 +4835,7 @@
/* Check for overrides with ForceType / SetHandler
*/
if (conf->mime_type && strcmp(conf->mime_type, "none"))
- ap_set_content_type(r, (char*) conf->mime_type);
+ ap_set_content_type_ex(r, (char*) conf->mime_type, 1);
if (conf->expr_handler) {
const char *err;

23
apache2-CVE-2024-38476-2.patch
View File

@ -1,23 +0,0 @@
--- a/include/httpd.h 2024/06/24 17:52:31 1918559
+++ b/include/httpd.h 2024/06/24 17:54:34 1918560
@@ -667,6 +667,7 @@
*
*/
#define AP_REQUEST_STRONG_ETAG 1 >> 0
+#define AP_REQUEST_TRUSTED_CT 1 << 1
/**
* This is a convenience macro to ease with getting specific request
@@ -689,6 +690,12 @@
AP_REQUEST_GET_BNOTE((r), AP_REQUEST_STRONG_ETAG)
/** @} */
+/**
+ * Returns true if the content-type field is from a trusted source
+ */
+#define AP_REQUEST_IS_TRUSTED_CT(r) \
+ (!!AP_REQUEST_GET_BNOTE((r), AP_REQUEST_TRUSTED_CT))
+/** @} */
/**
* @defgroup module_magic Module Magic mime types

17
apache2-CVE-2024-38476-3.patch
View File

@ -1,17 +0,0 @@
--- a/modules/http/http_protocol.c 2024/06/24 17:52:31 1918559
+++ b/modules/http/http_protocol.c 2024/06/24 17:54:34 1918560
@@ -1097,8 +1097,14 @@
}
else if (!r->content_type || strcmp(r->content_type, ct)) {
r->content_type = ct;
+ AP_REQUEST_SET_BNOTE(r, AP_REQUEST_TRUSTED_CT, 0);
}
}
+AP_DECLARE(void) ap_set_content_type_ex(request_rec *r, const char *ct, int trusted)
+{
+ ap_set_content_type(r, ct);
+ AP_REQUEST_SET_BNOTE(r, AP_REQUEST_TRUSTED_CT, trusted ? AP_REQUEST_TRUSTED_CT : 0);
+}
AP_DECLARE(void) ap_set_accept_ranges(request_rec *r)
{

70
apache2-CVE-2024-38476-4.patch
View File

@ -1,70 +0,0 @@
--- a/modules/http/mod_mime.c 2024/06/24 17:52:31 1918559
+++ b/modules/http/mod_mime.c 2024/06/24 17:54:34 1918560
@@ -759,7 +759,7 @@
int found_metadata = 0;
if (r->finfo.filetype == APR_DIR) {
- ap_set_content_type(r, DIR_MAGIC_TYPE);
+ ap_set_content_type_ex(r, DIR_MAGIC_TYPE, 1);
return OK;
}
@@ -850,7 +850,7 @@
if (exinfo == NULL || !exinfo->forced_type) {
if ((type = apr_hash_get(mime_type_extensions, ext,
APR_HASH_KEY_STRING)) != NULL) {
- ap_set_content_type(r, (char*) type);
+ ap_set_content_type_ex(r, (char*) type, 1);
found = 1;
}
}
@@ -859,7 +859,7 @@
/* empty string is treated as special case for RemoveType */
if (exinfo->forced_type && *exinfo->forced_type) {
- ap_set_content_type(r, exinfo->forced_type);
+ ap_set_content_type_ex(r, exinfo->forced_type, 1);
found = 1;
}
@@ -964,33 +964,33 @@
memcpy(tmp, ctp->subtype, ctp->subtype_len);
tmp += ctp->subtype_len;
*tmp = 0;
- ap_set_content_type(r, base_content_type);
+ ap_set_content_type_ex(r, base_content_type, AP_REQUEST_IS_TRUSTED_CT(r));
while (pp != NULL) {
if (charset && !strcmp(pp->attr, "charset")) {
if (!override) {
- ap_set_content_type(r,
+ ap_set_content_type_ex(r,
apr_pstrcat(r->pool,
r->content_type,
"; charset=",
charset,
- NULL));
+ NULL), AP_REQUEST_IS_TRUSTED_CT(r));
override = 1;
}
}
else {
- ap_set_content_type(r,
+ ap_set_content_type_ex(r,
apr_pstrcat(r->pool,
r->content_type,
"; ", pp->attr,
"=", pp->val,
- NULL));
+ NULL), AP_REQUEST_IS_TRUSTED_CT(r));
}
pp = pp->next;
}
if (charset && !override) {
- ap_set_content_type(r, apr_pstrcat(r->pool, r->content_type,
+ ap_set_content_type_ex(r, apr_pstrcat(r->pool, r->content_type,
"; charset=", charset,
- NULL));
+ NULL), AP_REQUEST_IS_TRUSTED_CT(r));
}
}
}

15
apache2-CVE-2024-38476-5.patch
View File

@ -1,15 +0,0 @@
--- a/modules/mappers/mod_actions.c 2024/06/24 17:52:31 1918559
+++ b/modules/mappers/mod_actions.c 2024/06/24 17:54:34 1918560
@@ -182,8 +182,10 @@
return DECLINED;
/* Second, check for actions (which override the method scripts) */
- action = r->handler ? r->handler :
- ap_field_noparam(r->pool, r->content_type);
+ action = r->handler;
+ if (!action && AP_REQUEST_IS_TRUSTED_CT(r)) {
+ action = ap_field_noparam(r->pool, r->content_type);
+ }
if (action && (t = apr_table_get(conf->action_types, action))) {
int virtual = (*t++ == '0' ? 0 : 1);

29
apache2-CVE-2024-38476-6.patch
View File

@ -1,29 +0,0 @@
--- a/modules/mappers/mod_negotiation.c 2024/06/24 17:52:31 1918559
+++ b/modules/mappers/mod_negotiation.c 2024/06/24 17:54:34 1918560
@@ -1167,7 +1167,7 @@
* might be doing.
*/
if (sub_req->handler && !sub_req->content_type) {
- ap_set_content_type(sub_req, CGI_MAGIC_TYPE);
+ ap_set_content_type_ex(sub_req, CGI_MAGIC_TYPE, 1);
}
/*
@@ -3003,14 +3003,14 @@
/* set MIME type and charset as negotiated */
if (best->mime_type && *best->mime_type) {
if (best->content_charset && *best->content_charset) {
- ap_set_content_type(r, apr_pstrcat(r->pool,
+ ap_set_content_type_ex(r, apr_pstrcat(r->pool,
best->mime_type,
"; charset=",
best->content_charset,
- NULL));
+ NULL), 1);
}
else {
- ap_set_content_type(r, apr_pstrdup(r->pool, best->mime_type));
+ ap_set_content_type_ex(r, apr_pstrdup(r->pool, best->mime_type), 1);
}
}

11
apache2-CVE-2024-38476-7.patch
View File

@ -1,11 +0,0 @@
--- a/modules/mappers/mod_rewrite.c 2024/06/24 17:52:31 1918559
+++ b/modules/mappers/mod_rewrite.c 2024/06/24 17:54:34 1918560
@@ -5333,7 +5333,7 @@
rewritelog((r, 1, NULL, "force filename %s to have MIME-type '%s'",
r->filename, t));
- ap_set_content_type(r, t);
+ ap_set_content_type_ex(r, t, 1);
}
/* handler */

28
apache2-CVE-2024-38476-8.patch
View File

@ -1,28 +0,0 @@
--- a/modules/metadata/mod_headers.c 2024/06/24 17:52:31 1918559
+++ b/modules/metadata/mod_headers.c 2024/06/24 17:54:34 1918560
@@ -783,14 +783,14 @@
break;
case hdr_set:
if (!ap_cstr_casecmp(hdr->header, "Content-Type")) {
- ap_set_content_type(r, process_tags(hdr, r));
+ ap_set_content_type_ex(r, process_tags(hdr, r), 1);
}
apr_table_setn(headers, hdr->header, process_tags(hdr, r));
break;
case hdr_setifempty:
if (NULL == apr_table_get(headers, hdr->header)) {
if (!ap_cstr_casecmp(hdr->header, "Content-Type")) {
- ap_set_content_type(r, process_tags(hdr, r));
+ ap_set_content_type_ex(r, process_tags(hdr, r), 1);
}
apr_table_setn(headers, hdr->header, process_tags(hdr, r));
}
@@ -809,7 +809,7 @@
const char *repl = process_regexp(hdr, r->content_type, r);
if (repl == NULL)
return 0;
- ap_set_content_type(r, repl);
+ ap_set_content_type_ex(r, repl, 1);
}
if (apr_table_get(headers, hdr->header)) {
edit_do ed;

20
apache2-CVE-2024-38476-9.patch
View File

@ -1,20 +0,0 @@
--- a/modules/metadata/mod_mime_magic.c 2024/06/24 17:52:31 1918559
+++ b/modules/metadata/mod_mime_magic.c 2024/06/24 17:54:34 1918560
@@ -788,7 +788,7 @@
/* XXX: this could be done at config time I'm sure... but I'm
* confused by all this magic_rsl stuff. -djg */
ap_content_type_tolower(tmp);
- ap_set_content_type(r, tmp);
+ ap_set_content_type_ex(r, tmp, 1);
if (state == rsl_encoding) {
tmp = rsl_strdup(r, encoding_frag,
@@ -2326,7 +2326,7 @@
/* extract content type/encoding/language from sub-request */
if (sub->content_type) {
- ap_set_content_type(r, apr_pstrdup(r->pool, sub->content_type));
+ ap_set_content_type_ex(r, apr_pstrdup(r->pool, sub->content_type), 1);
#if MIME_MAGIC_DEBUG
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01557)
MODNAME ": subrequest %s got %s",

27
apache2-CVE-2024-38477.patch
View File

@ -1,27 +0,0 @@
--- a/modules/proxy/proxy_util.c 2024/06/25 17:29:06 1918606
+++ b/modules/proxy/proxy_util.c 2024/06/25 17:29:32 1918607
@@ -3113,6 +3113,13 @@
apr_pstrcat(p,"URI cannot be parsed: ", *url,
NULL));
}
+
+ if (!uri->hostname) {
+ return ap_proxyerror(r, HTTP_BAD_REQUEST,
+ apr_pstrcat(p,"URI has no hostname: ", *url,
+ NULL));
+ }
+
if (!uri->port) {
uri->port = ap_proxy_port_of_scheme(uri->scheme);
}
@@ -4496,6 +4503,10 @@
/* Compute Host header */
if (dconf->preserve_host == 0) {
+ if (!uri->hostname) {
+ rc = HTTP_BAD_REQUEST;
+ goto cleanup;
+ }
if (ap_strchr_c(uri->hostname, ':')) { /* if literal IPv6 address */
if (uri->port_str && uri->port != DEFAULT_HTTP_PORT) {
host = apr_pstrcat(r->pool, "[", uri->hostname, "]:",

54
apache2-CVE-2024-39573.patch
View File

@ -1,54 +0,0 @@
--- a/modules/mappers/mod_rewrite.c 2024/06/25 15:22:28 1918599
+++ b/modules/mappers/mod_rewrite.c 2024/06/25 15:28:00 1918600
@@ -4347,6 +4347,32 @@
return 2;
}
+ /* Add the previously stripped per-directory location prefix, unless
+ * (1) it's an absolute URL path and
+ * (2) it's a full qualified URL
+ */
+ if (!is_proxyreq && *newuri != '/' && !is_absolute_uri(newuri, NULL)) {
+ if (ctx->perdir) {
+ rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
+ newuri, ctx->perdir, newuri));
+
+ newuri = apr_pstrcat(r->pool, ctx->perdir, newuri, NULL);
+ }
+ else if (!(p->flags & (RULEFLAG_PROXY | RULEFLAG_FORCEREDIRECT))) {
+ /* Not an absolute URI-path and the scheme (if any) is unknown,
+ * and it won't be passed to fully_qualify_uri() below either,
+ * so add an implicit '/' prefix. This avoids potentially a common
+ * rule like "RewriteRule ^/some/path(.*) $1" that is given a path
+ * like "/some/pathscheme:..." to produce the fully qualified URL
+ * "scheme:..." which could be misinterpreted later.
+ */
+ rewritelog((r, 3, ctx->perdir, "add root prefix: %s -> /%s",
+ newuri, newuri));
+
+ newuri = apr_pstrcat(r->pool, "/", newuri, NULL);
+ }
+ }
+
/* Now adjust API's knowledge about r->filename and r->args */
r->filename = newuri;
@@ -4356,18 +4382,6 @@
splitout_queryargs(r, p->flags);
- /* Add the previously stripped per-directory location prefix, unless
- * (1) it's an absolute URL path and
- * (2) it's a full qualified URL
- */
- if ( ctx->perdir && !is_proxyreq && *r->filename != '/'
- && !is_absolute_uri(r->filename, NULL)) {
- rewritelog((r, 3, ctx->perdir, "add per-dir prefix: %s -> %s%s",
- r->filename, ctx->perdir, r->filename));
-
- r->filename = apr_pstrcat(r->pool, ctx->perdir, r->filename, NULL);
- }
-
/* If this rule is forced for proxy throughput
* (`RewriteRule ... ... [P]') then emulate mod_proxy's
* URL-to-filename handler to be sure mod_proxy is triggered

266
apache2-CVE-2024-39884.patch
View File

@ -1,266 +0,0 @@
Index: httpd-2.4.58/modules/cluster/mod_heartmonitor.c
===================================================================
--- httpd-2.4.58.orig/modules/cluster/mod_heartmonitor.c
+++ httpd-2.4.58/modules/cluster/mod_heartmonitor.c
@@ -782,7 +782,7 @@ static int hm_handler(request_rec *r)
hmserver.seen = apr_time_now();
hm_update_stat(ctx, &hmserver, r->pool);
- ap_set_content_type(r, "text/plain");
+ ap_set_content_type_ex(r, "text/plain", 1);
ap_set_content_length(r, 2);
ap_rputs("OK", r);
ap_rflush(r);
Index: httpd-2.4.58/modules/dav/main/mod_dav.c
===================================================================
--- httpd-2.4.58.orig/modules/dav/main/mod_dav.c
+++ httpd-2.4.58/modules/dav/main/mod_dav.c
@@ -355,7 +355,7 @@ static int dav_error_response(request_re
r->status = status;
r->status_line = ap_get_status_line(status);
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
/* begin the response now... */
ap_rvputs(r,
@@ -386,7 +386,7 @@ static int dav_error_response_tag(reques
{
r->status = err->status;
- ap_set_content_type(r, DAV_XML_CONTENT_TYPE);
+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1);
ap_rputs(DAV_XML_HEADER DEBUG_CR
"<D:error xmlns:D=\"DAV:\"", r);
@@ -544,7 +544,7 @@ DAV_DECLARE(void) dav_begin_multistatus(
{
/* Set the correct status and Content-Type */
r->status = status;
- ap_set_content_type(r, DAV_XML_CONTENT_TYPE);
+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1);
/* Send the headers and actual multistatus response now... */
ap_fputs(r->output_filters, bb, DAV_XML_HEADER DEBUG_CR
@@ -2016,7 +2016,7 @@ static int dav_method_options(request_re
/* send the options response */
r->status = HTTP_OK;
- ap_set_content_type(r, DAV_XML_CONTENT_TYPE);
+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1);
/* send the headers and response body */
ap_rputs(DAV_XML_HEADER DEBUG_CR
@@ -3328,7 +3328,7 @@ static int dav_method_lock(request_rec *
(*locks_hooks->close_lockdb)(lockdb);
r->status = HTTP_OK;
- ap_set_content_type(r, DAV_XML_CONTENT_TYPE);
+ ap_set_content_type_ex(r, DAV_XML_CONTENT_TYPE, 1);
ap_rputs(DAV_XML_HEADER DEBUG_CR "<D:prop xmlns:D=\"DAV:\">" DEBUG_CR, r);
if (lock == NULL)
Index: httpd-2.4.58/modules/examples/mod_example_hooks.c
===================================================================
--- httpd-2.4.58.orig/modules/examples/mod_example_hooks.c
+++ httpd-2.4.58/modules/examples/mod_example_hooks.c
@@ -993,7 +993,7 @@ static int x_handler(request_rec *r)
* Set the Content-type header. Note that we do not actually have to send
* the headers: this is done by the http core.
*/
- ap_set_content_type(r, "text/html");
+ ap_set_content_type_ex(r, "text/html", 1);
/*
* If we're only supposed to send header information (HEAD request), we're
* already there.
Index: httpd-2.4.58/modules/filters/mod_data.c
===================================================================
--- httpd-2.4.58.orig/modules/filters/mod_data.c
+++ httpd-2.4.58/modules/filters/mod_data.c
@@ -117,7 +117,7 @@ static apr_status_t data_out_filter(ap_f
}
}
- ap_set_content_type(r, "text/plain");
+ ap_set_content_type_ex(r, "text/plain", 1);
}
Index: httpd-2.4.58/modules/filters/mod_include.c
===================================================================
--- httpd-2.4.58.orig/modules/filters/mod_include.c
+++ httpd-2.4.58/modules/filters/mod_include.c
@@ -3972,7 +3972,7 @@ static int include_fixup(request_rec *r)
if (r->handler && (strcmp(r->handler, "server-parsed") == 0))
{
if (!r->content_type || !*r->content_type) {
- ap_set_content_type(r, "text/html");
+ ap_set_content_type_ex(r, "text/html", 1);
}
r->handler = "default-handler";
}
Index: httpd-2.4.58/modules/filters/mod_proxy_html.c
===================================================================
--- httpd-2.4.58.orig/modules/filters/mod_proxy_html.c
+++ httpd-2.4.58/modules/filters/mod_proxy_html.c
@@ -952,7 +952,7 @@ static apr_status_t proxy_html_filter(ap
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, f->r, APLOGNO(01422)
"No i18n support found. Install mod_xml2enc if required");
enc = XML_CHAR_ENCODING_NONE;
- ap_set_content_type(f->r, "text/html;charset=utf-8");
+ ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1);
}
else {
/* if we wanted a non-default charset_out, insert the
@@ -968,7 +968,7 @@ static apr_status_t proxy_html_filter(ap
cenc, NULL));
}
else /* Normal case, everything worked, utf-8 output */
- ap_set_content_type(f->r, "text/html;charset=utf-8");
+ ap_set_content_type_ex(f->r, "text/html;charset=utf-8", 1);
}
ap_fputs(f->next, ctxt->bb, ctxt->cfg->doctype);
Index: httpd-2.4.58/modules/generators/mod_cgi.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_cgi.c
+++ httpd-2.4.58/modules/generators/mod_cgi.c
@@ -1085,7 +1085,7 @@ static apr_status_t include_cgi(include_
/* Force sub_req to be treated as a CGI request, even if ordinary
* typing rules would have called it something else.
*/
- ap_set_content_type(rr, CGI_MAGIC_TYPE);
+ ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1);
/* Run it. */
rr_status = ap_run_sub_req(rr);
Index: httpd-2.4.58/modules/generators/mod_cgid.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_cgid.c
+++ httpd-2.4.58/modules/generators/mod_cgid.c
@@ -1765,7 +1765,7 @@ static apr_status_t include_cgi(include_
/* Force sub_req to be treated as a CGI request, even if ordinary
* typing rules would have called it something else.
*/
- ap_set_content_type(rr, CGI_MAGIC_TYPE);
+ ap_set_content_type_ex(rr, CGI_MAGIC_TYPE, 1);
/* Run it. */
rr_status = ap_run_sub_req(rr);
Index: httpd-2.4.58/modules/generators/mod_info.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_info.c
+++ httpd-2.4.58/modules/generators/mod_info.c
@@ -784,7 +784,7 @@ static int display_info(request_rec * r)
return DECLINED;
}
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
ap_rputs(DOCTYPE_XHTML_1_0T
"<html xmlns=\"http://www.w3.org/1999/xhtml\">\n"
Index: httpd-2.4.58/modules/generators/mod_status.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_status.c
+++ httpd-2.4.58/modules/generators/mod_status.c
@@ -273,7 +273,7 @@ static int status_handler(request_rec *r
if (r->method_number != M_GET)
return DECLINED;
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
/*
* Simple table-driven form data set parser that lets you alter the header
@@ -301,7 +301,7 @@ static int status_handler(request_rec *r
no_table_report = 1;
break;
case STAT_OPT_AUTO:
- ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/plain; charset=ISO-8859-1", 1);
short_report = 1;
break;
}
Index: httpd-2.4.58/modules/http/http_filters.c
===================================================================
--- httpd-2.4.58.orig/modules/http/http_filters.c
+++ httpd-2.4.58/modules/http/http_filters.c
@@ -1261,7 +1261,7 @@ AP_DECLARE_NONSTD(int) ap_send_http_trac
}
}
- ap_set_content_type(r, "message/http");
+ ap_set_content_type_ex(r, "message/http", 1);
/* Now we recreate the request, and echo it back */
Index: httpd-2.4.58/modules/http/http_protocol.c
===================================================================
--- httpd-2.4.58.orig/modules/http/http_protocol.c
+++ httpd-2.4.58/modules/http/http_protocol.c
@@ -1443,10 +1443,10 @@ AP_DECLARE(void) ap_send_error_response(
request_conf->suppress_charset = 1; /* avoid adding default
* charset later
*/
- ap_set_content_type(r, "text/html");
+ ap_set_content_type_ex(r, "text/html", 1);
}
else {
- ap_set_content_type(r, "text/html; charset=iso-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=iso-8859-1", 1);
}
if ((status == HTTP_METHOD_NOT_ALLOWED)
Index: httpd-2.4.58/modules/ldap/util_ldap.c
===================================================================
--- httpd-2.4.58.orig/modules/ldap/util_ldap.c
+++ httpd-2.4.58/modules/ldap/util_ldap.c
@@ -171,7 +171,7 @@ static int util_ldap_handler(request_rec
st = (util_ldap_state_t *) ap_get_module_config(r->server->module_config,
&ldap_module);
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
if (r->header_only)
return OK;
Index: httpd-2.4.58/modules/mappers/mod_imagemap.c
===================================================================
--- httpd-2.4.58.orig/modules/mappers/mod_imagemap.c
+++ httpd-2.4.58/modules/mappers/mod_imagemap.c
@@ -475,7 +475,7 @@ static int imap_reply(request_rec *r, co
static void menu_header(request_rec *r, char *menu)
{
- ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ ap_set_content_type_ex(r, "text/html; charset=ISO-8859-1", 1);
ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ",
ap_escape_html(r->pool, r->uri),
Index: httpd-2.4.58/modules/http/http_request.c
===================================================================
--- httpd-2.4.58.orig/modules/http/http_request.c
+++ httpd-2.4.58/modules/http/http_request.c
@@ -708,7 +708,7 @@ AP_DECLARE(void) ap_internal_fast_redire
r->args = rr->args;
r->finfo = rr->finfo;
r->handler = rr->handler;
- ap_set_content_type(r, rr->content_type);
+ ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r));
r->content_encoding = rr->content_encoding;
r->content_languages = rr->content_languages;
r->per_dir_config = rr->per_dir_config;
Index: httpd-2.4.58/modules/proxy/mod_proxy_balancer.c
===================================================================
--- httpd-2.4.58.orig/modules/proxy/mod_proxy_balancer.c
+++ httpd-2.4.58/modules/proxy/mod_proxy_balancer.c
@@ -1471,7 +1471,7 @@ static void balancer_display_page(reques
if (usexml) {
char date[APR_RFC822_DATE_LEN];
- ap_set_content_type(r, "text/xml");
+ ap_set_content_type_ex(r, "text/xml", 1);
ap_rputs("<?xml version='1.0' encoding='UTF-8' ?>\n", r);
ap_rputs("<httpd:manager xmlns:httpd='http://httpd.apache.org'>\n", r);
ap_rputs(" <httpd:balancers>\n", r);

29
apache2-CVE-2024-40725.patch
View File

@ -1,29 +0,0 @@
From a7d24b4ea9a6ea35878fd33075365328caafcf91 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Mon, 15 Jul 2024 12:08:30 +0000
Subject: [PATCH] Merge r1919247 from trunk:
copy the trusted flag from the subrequest
Submitted By: covener
Reviewed By: covener, ylavic, gbechis
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1919249 13f79535-47bb-0310-9956-ffa450edef68
---
modules/http/http_request.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
index 71ecc2bbab1..7e9477be1f1 100644
--- a/modules/http/http_request.c
+++ b/modules/http/http_request.c
@@ -708,7 +708,7 @@ AP_DECLARE(void) ap_internal_fast_redirect(request_rec *rr, request_rec *r)
r->args = rr->args;
r->finfo = rr->finfo;
r->handler = rr->handler;
- ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(r));
+ ap_set_content_type_ex(r, rr->content_type, AP_REQUEST_IS_TRUSTED_CT(rr));
r->content_encoding = rr->content_encoding;
r->content_languages = rr->content_languages;
r->per_dir_config = rr->per_dir_config;

36
apache2-issue-444.patch
View File

@ -1,36 +0,0 @@
Index: httpd-2.4.58/modules/generators/mod_cgid.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_cgid.c
+++ httpd-2.4.58/modules/generators/mod_cgid.c
@@ -1625,7 +1625,12 @@ static int cgid_handler(request_rec *r)
*/
if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
apr_table_unset(r->headers_out, "Content-Length");
- apr_table_unset(r->headers_out, "Transfer-Encoding");
+
+ if (apr_table_get(r->headers_out, "Transfer-Encoding") != NULL) {
+ apr_brigade_cleanup(bb);
+ return log_scripterror(r, conf, HTTP_BAD_GATEWAY, 0, APLOGNO(10501)
+ "script sent Transfer-Encoding");
+ }
if (ret != OK) {
ret = log_script(r, conf, ret, dbuf, sbuf, bb, NULL);
Index: httpd-2.4.58/modules/generators/mod_cgi.c
===================================================================
--- httpd-2.4.58.orig/modules/generators/mod_cgi.c
+++ httpd-2.4.58/modules/generators/mod_cgi.c
@@ -944,7 +944,12 @@ static int cgi_handler(request_rec *r)
*/
if (!apr_table_get(r->subprocess_env, AP_TRUST_CGILIKE_CL_ENVVAR))
apr_table_unset(r->headers_out, "Content-Length");
- apr_table_unset(r->headers_out, "Transfer-Encoding");
+
+ if (apr_table_get(r->headers_out, "Transfer-Encoding") != NULL) {
+ apr_brigade_cleanup(bb);
+ return log_scripterror(r, conf, HTTP_BAD_GATEWAY, 0, APLOGNO(10501),
+ "script sent Transfer-Encoding");
+ }
if (ret != OK) {
ret = log_script(r, conf, ret, dbuf, sbuf, bb, script_err);

243
apache2.changes
View File

@ -1,3 +1,239 @@
-------------------------------------------------------------------
Mon Jan 6 22:03:13 UTC 2025 - Martin Schreiner <martin.schreiner@suse.com>
- Update to 2.4.62 (jsc#PED-11927).
- Update test suite to svn1921782.
- Remove unneeded patches, they've all been merged upstream and are
part of the 2.4.62 release.
* apache2-CVE-2023-38709.patch
* apache2-CVE-2024-24795.patch
* apache2-CVE-2024-27316.patch
* apache2-CVE-2024-36387.patch
* apache2-CVE-2024-38473-1.patch
* apache2-CVE-2024-38473-2.patch
* apache2-CVE-2024-38473-3.patch
* apache2-CVE-2024-38473-4.patch
* apache2-CVE-2024-38474.patch
* apache2-CVE-2024-38475-1.patch
* apache2-CVE-2024-38475-2.patch
* apache2-CVE-2024-38475-3.patch
* apache2-CVE-2024-38476-1.patch
* apache2-CVE-2024-38476-10.patch
* apache2-CVE-2024-38476-11.patch
* apache2-CVE-2024-38476-2.patch
* apache2-CVE-2024-38476-3.patch
* apache2-CVE-2024-38476-4.patch
* apache2-CVE-2024-38476-5.patch
* apache2-CVE-2024-38476-6.patch
* apache2-CVE-2024-38476-7.patch
* apache2-CVE-2024-38476-8.patch
* apache2-CVE-2024-38476-9.patch
* apache2-CVE-2024-38477.patch
* apache2-CVE-2024-39573.patch
* apache2-CVE-2024-39884.patch
* apache2-CVE-2024-40725.patch
* apache2-fips-compatibility-01.patch
* apache2-fips-compatibility-02.patch
* apache2-fips-compatibility-03.patch
* apache2-issue-444.patch
- Changes from 2.4.62:
* Applied trunk fix r1919860 which is proposed for backport, see
UNCList config errors.
* SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
mod_rewrite in server/vhost context on Windows (cve.mitre.org)
SSRF in Apache HTTP Server on Windows with mod_rewrite in
server/vhost context, allows to potentially leak NTML hashes to a
malicious server via SSRF and malicious requests. Users are
recommended to upgrade to version 2.4.62 which fixes this issue.
* SECURITY: CVE-2024-40725: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org) A
partial fix for CVE-2024-39884 in the core of Apache HTTP Server
2.4.61 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted. Users are
recommended to upgrade to version 2.4.62, which fixes this issue.
* mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO,
SCRIPT_NAME) for "balancer:" URLs set via SetHandler, also
allowing for "unix:" sockets with BalancerMember(s). PR 69168.
* mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:"
URLs. PR 69160
* mod_ssl: Fix crashes in PKCS#11 ENGINE support with OpenSSL 3.2.
* mod_ssl: Add support for loading certs/keys from pkcs11: URIs via
OpenSSL 3.x providers.
* mod_ssl: Restore SSL dumping on trace7 loglevel with OpenSSL >=
3.0.
* mpm_worker: Fix possible warning (AH00045) about children
processes not terminating timely.
- Changes from 2.4.61:
* SECURITY: CVE-2024-39884: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org) A
regression in the core of Apache HTTP Server 2.4.60 ignores some
use of the legacy content-type based configuration of handlers.
"AddType" and similar configuration, under some circumstances
where files are requested indirectly, result in source code
disclosure of local content. For example, PHP scripts may be
served instead of interpreted. Users are recommended to upgrade
to version 2.4.61, which fixes this issue.
- Changes from 2.4.60:
* SECURITY: CVE-2024-39573: Apache HTTP Server: mod_rewrite proxy
handler substitution (cve.mitre.org) Potential SSRF in mod_rewrite
in Apache HTTP Server 2.4.59 and earlier allows an attacker to
cause unsafe RewriteRules to unexpectedly setup URL's to be
handled by mod_proxy.
* SECURITY: CVE-2024-38477: Apache HTTP Server: Crash resulting in
Denial of Service in mod_proxy via a malicious request
(cve.mitre.org) null pointer dereference in mod_proxy in Apache
HTTP Server 2.4.59 and earlier allows an attacker to crash the
server via a malicious request.
* SECURITY: CVE-2024-38476: Apache HTTP Server may use
exploitable/malicious backend application output to run local
handlers via internal redirect (cve.mitre.org) Vulnerability in
core of Apache HTTP Server 2.4.59 and earlier are vulnerably to
information disclosure, SSRF or local script execution via backend
applications whose response headers are malicious or exploitable.
Note: Some legacy uses of the 'AddType' directive to connect a
request to a handler must be ported to 'AddHandler' after this fix.
* SECURITY: CVE-2024-38475: Apache HTTP Server weakness in
mod_rewrite when first segment of substitution matches filesystem
path. (cve.mitre.org) Improper escaping of output in mod_rewrite
in Apache HTTP Server 2.4.59 and earlier allows an attacker to map
URLs to filesystem locations that are permitted to be served by
the server but are not intentionally/directly reachable by any
URL, resulting in code execution or source code disclosure.
Substitutions in server context that use a backreferences or
variables as the first segment of the substitution are affected.
Some unsafe RewiteRules will be broken by this change and the
rewrite flag "UnsafePrefixStat" can be used to opt back in once
ensuring the substitution is appropriately constrained.
* SECURITY: CVE-2024-38474: Apache HTTP Server weakness with encoded
question marks in backreferences (cve.mitre.org) Substitution
encoding issue in mod_rewrite in Apache HTTP Server 2.4.59 and
earlier allows attacker to execute scripts in directories
permitted by the configuration but not directly reachable by any
URL or source disclosure of scripts meant to only to be executed
as CGI.
Note: Some RewriteRules that capture and substitute unsafely will
now fail unless rewrite flag "UnsafeAllow3F" is specified.
* SECURITY: CVE-2024-38473: Apache HTTP Server proxy encoding
problem (cve.mitre.org) Encoding problem in mod_proxy in Apache
HTTP Server 2.4.59 and earlier allows request URLs with incorrect
encoding to be sent to backend services, potentially bypassing
authentication via crafted requests.
* SECURITY: CVE-2024-38472: Apache HTTP Server on WIndows UNC SSRF
(cve.mitre.org) SSRF in Apache HTTP Server on Windows allows to
potentially leak NTML hashes to a malicious server via SSRF and
malicious requests or content.
Note: Existing configurations that access UNC paths will have to
configure new directive "UNCList" to allow access during request
processing.
* SECURITY: CVE-2024-36387: Apache HTTP Server: DoS by Null
pointer in websocket over HTTP/2 (cve.mitre.org)
Serving WebSocket protocol upgrades over a HTTP/2 connection
could result in a Null Pointer dereference, leading to a crash
of the server process, degrading performance.
* mod_proxy: Fix DNS requests and connections closed before the
configured addressTTL. BZ 69126.
* core: On Linux, log the real thread ID in error logs.
* core: Support zone/scope in IPv6 link-local addresses in Listen and
VirtualHost directives (requires APR 1.7.x or later). PR 59396
* mod_ssl: Reject client-initiated renegotiation with a TLS alert
(rather than connection closure).
* Updated mime.types.
* mod_ssl: Fix a regression that causes the default DH parameters
for a key no longer set and thus effectively disabling DH ciphers
when no explicit DH parameters are set. PR 68863
* mod_cgid: Optional support for file descriptor passing, fixing
error log handling (configure --enable-cgid-fdpassing) on Unix
platforms. PR 54221.
* mod_cgid/mod_cgi: Distinguish script stderr output clearly in
error logs. PR 61980.
* mod_tls: update version of rustls-ffi to v0.13.0.
* mod_md:
- Using OCSP stapling information to trigger certificate renewals.
- Added directive `MDCheckInterval` to control how often the
server checks for detected revocations. Added proposals for
configurations in the README.md chapter "Revocations".
- OCSP stapling: accept OCSP responses without a `nextUpdate`
entry which is allowed in RFC 6960. Treat those as having an
update interval of 12 hours.
- Adapt OpenSSL usage to changes in their API.
- Changes from 2.4.59:
* SECURITY: CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by
memory exhaustion on endless continuation frames (cve.mitre.org)
HTTP/2 incoming headers exceeding the limit are temporarily
buffered in nghttp2 in order to generate an informative HTTP 413
response. If a client does not stop sending headers, this leads
to memory exhaustion.
* SECURITY: CVE-2024-24795: Apache HTTP Server: HTTP Response
Splitting in multiple modules (cve.mitre.org) HTTP Response
splitting in multiple modules in Apache HTTP Server allows an
attacker that can inject malicious response headers into backend
applications to cause an HTTP desynchronization attack. Users are
recommended to upgrade to version 2.4.59, which fixes this issue.
* SECURITY: CVE-2023-38709: Apache HTTP Server: HTTP response
splitting (cve.mitre.org) Faulty input validation in the core of
Apache allows malicious or exploitable backend/content generators
to split HTTP responses. This issue affects Apache HTTP Server:
through 2.4.58.
* mod_deflate: Fixes and better logging for handling various error
and edge cases.
* Add CGIScriptTimeout to mod_cgi.
* mod_xml2enc: Tolerate libxml2 2.12.0 and later. PR 68610
* mod_slotmem_shm: Use ap_os_is_path_absolute() to make it portable.
* mod_ssl: Use OpenSSL-standard functions to assemble CA name lists
for SSLCACertificatePath/SSLCADNRequestPath. Names will now be
consistently sorted. PR 61574.
* mod_xml2enc: Update check to accept any text/ media type or any
XML media type per RFC 7303, avoiding corruption of Microsoft
OOXML formats. PR 64339.
* mod_http2: v2.0.26 with the following fixes:
- Fixed `Date` header on requests upgraded from HTTP/1.1
(h2c). Fixes https://github.com/icing/mod_h2/issues/272 .
- Fixed small memory leak in h2 header bucket free.
* htcacheclean: In -a/-A mode, list all files per subdirectory
rather than only one. PR 65091.
* mod_ssl: SSLProxyMachineCertificateFile/Path may reference files
which include CA certificates; those CA certs are treated as if
configured with SSLProxyMachineCertificateChainFile.
* htpasswd, htdbm, dbmmanage: Update help&docs to refer to
"hashing", rather than "encrypting" passwords.
* mod_ssl: Fix build with LibreSSL 2.0.7+. PR 64047.
* htpasswd: Add support for passwords using SHA-2.
* core: Allow mod_env to override system environment vars.
* Allow mod_dav_fs to tolerate race conditions between PROPFIND and
an operation which removes a directory/file between apr_dir_read()
and apr_stat(). Current behaviour is to abort the connection which
seems inferior to tolerating (and logging) the error.
* mod_ldap: HTML-escape data in the ldap-status handler.
* mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is
set. Allow for "SSLCryptoDevice builtin" if the ENGINE API is not
available, notably with OpenSSL >= 3. PR 68080.
* mod_ssl: Improve compatibility with OpenSSL 3, fix build warnings
about deprecated ENGINE_ API, honor OPENSSL_API_COMPAT setting
while defaulting to compatibitily with version 1.1.1 (including
ENGINEs / SSLCryptoDevice).
* mod_ssl: release memory to the OS when needed.
* mod_proxy: Ignore (and warn about) enablereuse=on for
ProxyPassMatch when some dollar substitution (backreference)
happens in the hostname or port part of the URL.
* mod_proxy: Allow to set a TTL for how long DNS resolutions to
backend systems are cached.
* mod_proxy: Add optional third argument for ProxyRemote, which
configures Basic authentication credentials to pass to the remote
proxy. PR 37355.
-------------------------------------------------------------------
Sat Nov 16 12:31:03 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Add patches to improve FIPS compatibility (bsc#1220681):
* apache2-fips-compatibility-01.patch
* apache2-fips-compatibility-02.patch
* apache2-fips-compatibility-03.patch
- Fix build for SLFO:Main (bsc#1232273).
* Fix contributed by Petr Gajdos.
-------------------------------------------------------------------
Thu Oct 3 02:39:41 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
@ -5,6 +241,13 @@ Thu Oct 3 02:39:41 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
Patch file added:
* apache2-CVE-2024-40725.patch
-------------------------------------------------------------------
Wed Oct 2 18:22:25 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>
- Security fix:
- CVE-2024-36387, bsc#1227272: DoS by null pointer in websocket over HTTP/2
* Added apache2-CVE-2024-36387.patch
-------------------------------------------------------------------
Thu Aug 22 18:37:23 UTC 2024 - Martin Schreiner <martin.schreiner@suse.com>

55
apache2.spec
View File

@ -18,7 +18,7 @@
%global upstream_name httpd
%global testsuite_name %{upstream_name}-framework
%global tversion svn1901574
%global tversion svn1921782
%global flavor @BUILD_FLAVOR@%{nil}
%define mpm %{nil}
%if "%{flavor}" == "prefork" || "%{flavor}" == "test_prefork"
@ -107,7 +107,7 @@
%define build_http2 1
Name: apache2%{psuffix}
Version: 2.4.58
Version: 2.4.62
Release: 0
Summary: The Apache HTTPD Server
License: Apache-2.0
@ -181,53 +181,6 @@ Patch2: apache2-logresolve-tmp-security.patch
Patch3: apache2-LimitRequestFieldSize-limits-headers.patch
# [fate317766] backport of an upstream commit
Patch4: apache2-HttpContentLengthHeadZero-HttpExpectStrict.patch
# FIX-UPSTREAM: CVE-2024-39573, bsc#1227271: potential SSRF in mod_rewrite
# - https://svn.apache.org/viewvc?view=revision&revision=1918600
Patch5: apache2-CVE-2024-39573.patch
# CVE-2023-38709 [bsc#1222330], HTTP response splitting
Patch6: apache2-CVE-2023-38709.patch
# CVE-2024-27316 [bsc#1221401], HTTP/2 CONTINUATION frames can be utilized for DoS attacks
Patch7: apache2-CVE-2024-27316.patch
# CVE-2024-24795 [bsc#1222332], HTTP Response Splitting in multiple modules
Patch8: apache2-CVE-2024-24795.patch
# https://github.com/apache/httpd/pull/444/commits/c2fffd29b0f58bdc9caaaff4fec68e17a676f182
Patch9: apache2-issue-444.patch
# FIX-UPSTREAM: CVE-2024-38477, bsc#1227270: null pointer dereference in mod_proxy
# - https://svn.apache.org/viewvc?view=revision&revision=1918607
Patch10: apache2-CVE-2024-38477.patch
# FIX-UPSTREAM: CVE-2024-38475, bsc#1227268: Improper escaping of output in mod_rewrite
# - https://svn.apache.org/viewvc?view=revision&revision=1918561
Patch11: apache2-CVE-2024-38475-1.patch
Patch12: apache2-CVE-2024-38475-2.patch
Patch13: apache2-CVE-2024-38475-3.patch
# FIX-UPSTREAM: CVE-2024-38476, bsc#1227269: Server may use exploitable/malicious
# backend application output to run local handlers via internal
# redirect
# - https://svn.apache.org/viewvc?view=revision&revision=1918560
Patch14: apache2-CVE-2024-38476-1.patch
Patch15: apache2-CVE-2024-38476-2.patch
Patch16: apache2-CVE-2024-38476-3.patch
Patch17: apache2-CVE-2024-38476-4.patch
Patch18: apache2-CVE-2024-38476-5.patch
Patch19: apache2-CVE-2024-38476-6.patch
Patch20: apache2-CVE-2024-38476-7.patch
Patch21: apache2-CVE-2024-38476-8.patch
Patch22: apache2-CVE-2024-38476-9.patch
Patch23: apache2-CVE-2024-38476-10.patch
Patch24: apache2-CVE-2024-38476-11.patch
# FIX-UPSTREAM: CVE-2024-38474, bsc#1227278: Substitution encoding issue in mod_rewrite
Patch25: apache2-CVE-2024-38474.patch
# FIX-UPSTREAM: CVE-2024-38473, bsc#1227276: Encoding problem in mod_proxy
Patch26: apache2-CVE-2024-38473-1.patch
Patch27: apache2-CVE-2024-38473-2.patch
Patch28: apache2-CVE-2024-38473-3.patch
Patch29: apache2-CVE-2024-38473-4.patch
# FIX-UPSTREAM: CVE-2024-39884, bsc#1227353: source code disclosure with handlers configured via AddType
Patch30: apache2-CVE-2024-39884.patch
# FIX-UPSTREAM: CVE-2024-40725, bsc#1229087: source code disclosure of local content
Patch31: apache2-CVE-2024-40725.patch
# PATCH: https://marc.info/?l=apache-httpd-users&m=147448312531134&w=2
Patch100: apache-test-application-xml-type.patch
# PATCH: /test_ssl_var_lookup?SSL_SERVER_SAN_DNS_0 returns <build-host-name>
@ -548,7 +501,8 @@ done
mkdir -p %{buildroot}%{logfiledir} \
%{buildroot}%{proxycachedir} \
%{buildroot}%{localstatedir} \
%{buildroot}%{libexecdir}
%{buildroot}%{libexecdir} \
%{buildroot}%{datadir}/htdocs
# save MODULE_MAGIC_NUMBER
mkdir -p %{buildroot}/%{_libexecdir}
@ -930,6 +884,7 @@ exit 0
%{_datadir}/apache2
%{iconsdir}
%{errordir}
%{datadir}
%{_mandir}/man8/httpd.8.*
%{_mandir}/man8/suexec.8.*
%doc support/SHA1

BIN
httpd-2.4.58.tar.bz2 (Stored with Git LFS)
View File

Binary file not shown.

17
httpd-2.4.58.tar.bz2.asc
View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org
iQIzBAABCgAdFiEEJvUe+agvSstD8ZA+03fJ59GUTGYFAmUtUXcACgkQ03fJ59GU
TGZJnA/+KAE23IcOsePVK93RsfY2pCXvrQWH2vRaPQOV68lMMyI9I3D7Dd6ZbOIL
kfdcuMydaOzkwAzgM9dgfC2PF5rO/8LDHtieBRfLNVjcK7ngatZLzRU+2qARk4PG
bxfnpVzpnshBTkMuQ0C3nr6mi+bXQgdbbSLXGS5SOBqckBMfkpEXzArU8PU0EQwT
u3Id+eAqWtxXtwRKz+lRNwLzmyiXc8a1YwXJh5d2ldrL+WlFA1cts+k3nR5YPzF1
QsHLkoTuiAbXpRYHJg83AAENVxYPvwttIdthLeQtUgV6dcoiAuJzOt0/EBnUN5B3
J+T10z4zvXN0MogTVceAFfySZ6fQrR5PXs3raepDjo/AtVH9dvSQdXhpOGtyiCI9
4eabSL69Z7r+Nr3UzVLVYb4Uan5Z7G1UkKQNxJVJSR4mzitf1d3Fylw52ivBGnLv
OMcY1/b3Kx0m69dIiIlLPnG7UMgHwqgYcxJKomjI9opdobmpK42u8ZjOEYFoNAtk
sINfcehp83WwxdDuvpuSFNYWQXGhKONAZIyCW8lAuFWBG8oXra5osWY176OSUGTu
Ah+pM1NlbwL45r5kw+3t4L/3Hhx+dDqtI8jrQYReN/u4dBuIcqqLT1Ik2WjBuTyE
QiY/ZOzdxO7UAGYvgFyMHX+KsuqrxZKHd1JN2+TzHhEtstSICnE=
=CtTT
-----END PGP SIGNATURE-----

BIN
httpd-2.4.62.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
httpd-2.4.62.tar.bz2.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEZbLUT+dL1ePeOsPwgngd5G1ZVPoFAmaVEjgACgkQgngd5G1Z
VPqlUA//dMZ01CalmRf4Li2gDH+ETlQXkMST+2IYNCWZzV78g5wfjpZtApKOk+6O
73WxdNSvnB15CJVIi/wXN/8ZQHu3u9kHCHw+ydDhOq7CiSAe1x5k0PcodR+me299
PErBiAaBct+oJOnPCRdw5c5g3jomZgg1Nt5xS5NmI83UnbT9KHd92nNFdIjp6nFE
mKzsQSWSSXkObj83inJ3HvT8ALGr5TpMjHSJAC/YP9B9FuTW4lQh0XFEESz6LcR/
Z8GWAV0qfauRhNYcp5qYcVdreVAk0J9vfnruv9OdYsMI/sDM2PYAyDk9pCMuVIfv
PuZd8n/EpMuQfeWBOLzkft2TjNYx0UAt0xLK0/FLQqbZSKgCxce3mnbm0N3qXl8h
OpWYC86h4y4shaBOCAHI4oqRFbIlbf9bssMRSYfBYTJ1k8zmADWAhIsr5276A33G
S8Z+Ah1XeYkvy1blSJDRqECAPLtAXgesLadpkTKTwu+9BmHXYllSmfdhW8D3v6SA
Ab7RMonp7poBexO0o0mm14cEAwetffUhSrFfvGp7sTBjQYH3s309HtRBuLJOwmP2
uZvAKo84nJVaZIe7TTjpA/om7sq08Jq8xdzGbEhfGnOrtg/34d3K5S9tDvBMkmDq
HfYjFxCmfTbUDy4nqVNZcwno6jApweon+KAHbG/vJ2uMWozn2Bo=
=Lelg
-----END PGP SIGNATURE-----

BIN
httpd-framework-svn1901574.tar.bz2 (Stored with Git LFS)
View File

Binary file not shown.

BIN
httpd-framework-svn1921782.tar.bz2 (Stored with Git LFS) Normal file
View File

Binary file not shown.