Fix 11 bugs / CVEs.
* Fix bsc#1263952 / CVE-2026-33857. * Fix bsc#1263954 / CVE-2026-33007. * Fix bsc#1264163 / CVE-2026-28780. * Fix bsc#1264150 / CVE-2026-29168. * Fix bsc#1263957 / CVE-2026-23918. * Fix bsc#1263953 / CVE-2026-33523. * Fix bsc#1263955 / CVE-2026-33006. * Fix bsc#1263956 / CVE-2026-29169. * Fix bsc#1263935 / CVE-2026-24072. * Fix bsc#1263950 / CVE-2026-34059. * Fix bsc#1263951 / CVE-2026-34032.
This commit is contained in:
@@ -1,3 +1,35 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed May 20 13:27:04 UTC 2026 - Martin Schreiner <martin.schreiner@suse.com>
|
||||
|
||||
* Fix bsc#1263952 / CVE-2026-33857.
|
||||
* Fix bsc#1263954 / CVE-2026-33007.
|
||||
* Fix bsc#1264163 / CVE-2026-28780.
|
||||
* Fix bsc#1264150 / CVE-2026-29168.
|
||||
* Add patch files:
|
||||
- CVE-2026-33857.patch
|
||||
- CVE-2026-33007.patch
|
||||
- CVE-2026-28780.patch
|
||||
- CVE-2026-29168.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 14 03:15:36 UTC 2026 - Martin Schreiner <martin.schreiner@suse.com>
|
||||
|
||||
* Fix bsc#1263957 / CVE-2026-23918.
|
||||
* Fix bsc#1263953 / CVE-2026-33523.
|
||||
* Fix bsc#1263955 / CVE-2026-33006.
|
||||
* Fix bsc#1263956 / CVE-2026-29169.
|
||||
* Fix bsc#1263935 / CVE-2026-24072.
|
||||
* Fix bsc#1263950 / CVE-2026-34059.
|
||||
* Fix bsc#1263951 / CVE-2026-34032.
|
||||
* Add patch files:
|
||||
- CVE-2026-23918.patch
|
||||
- CVE-2026-33523.patch
|
||||
- CVE-2026-33006.patch
|
||||
- CVE-2026-29169.patch
|
||||
- CVE-2026-24072.patch
|
||||
- CVE-2026-34059.patch
|
||||
- CVE-2026-34032.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 7 10:48:49 UTC 2026 - Martin Schreiner <martin.schreiner@suse.com>
|
||||
|
||||
|
||||
@@ -189,6 +189,28 @@ Patch100: apache-test-application-xml-type.patch
|
||||
# even if in live system I do not experience this inconsistency, let's turn off
|
||||
# these variables from the test
|
||||
Patch101: apache-test-turn-off-variables-in-ssl-var-lookup.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1263957
|
||||
Patch102: CVE-2026-23918.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1263953
|
||||
Patch103: CVE-2026-33523.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1263955
|
||||
Patch104: CVE-2026-33006.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1263956
|
||||
Patch105: CVE-2026-29169.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1263935
|
||||
Patch106: CVE-2026-24072.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1263950
|
||||
Patch107: CVE-2026-34059.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1263951
|
||||
Patch108: CVE-2026-34032.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1263952
|
||||
Patch109: CVE-2026-33857.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1263954
|
||||
Patch110: CVE-2026-33007.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1264163
|
||||
Patch111: CVE-2026-28780.patch
|
||||
# PATCH-FIX-UPSTREAM bsc#1264150
|
||||
Patch112: CVE-2026-29168.patch
|
||||
BuildRequires: apache-rpm-macros-control
|
||||
#Since 2.4.7 the event MPM requires apr 1.5.0 or later.
|
||||
BuildRequires: apr-devel >= 1.5.0
|
||||
|
||||
@@ -0,0 +1,104 @@
|
||||
From e41e84e08e6186460e77a8357b5d5c571d33bd76 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Eissing <icing@apache.org>
|
||||
Date: Mon, 22 Dec 2025 12:16:34 +0000
|
||||
Subject: [PATCH] Merge /httpd/httpd/trunk:r1930444
|
||||
|
||||
*) mod_http2: update to version 2.0.37
|
||||
Prevent double purge of a stream, resulting in a double free.
|
||||
Fixes PR 69899.
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1930796 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
changes-entries/h2_v2.0.37.txt | 4 ++++
|
||||
modules/http2/h2_mplx.c | 23 ++++++++++++++++++-----
|
||||
modules/http2/h2_version.h | 4 ++--
|
||||
3 files changed, 24 insertions(+), 7 deletions(-)
|
||||
create mode 100644 changes-entries/h2_v2.0.37.txt
|
||||
|
||||
diff --git a/changes-entries/h2_v2.0.37.txt b/changes-entries/h2_v2.0.37.txt
|
||||
new file mode 100644
|
||||
index 00000000000..8f22cde5d8b
|
||||
--- /dev/null
|
||||
+++ b/changes-entries/h2_v2.0.37.txt
|
||||
@@ -0,0 +1,4 @@
|
||||
+ *) mod_http2: update to version 2.0.37
|
||||
+ Prevent double purge of a stream, resulting in a double free.
|
||||
+ Fixes PR 69899.
|
||||
+ [Stefan Eissing]
|
||||
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
|
||||
index f9616aba048..75518f4eebf 100644
|
||||
--- a/modules/http2/h2_mplx.c
|
||||
+++ b/modules/http2/h2_mplx.c
|
||||
@@ -126,12 +126,24 @@ int h2_mplx_c1_stream_is_running(h2_mplx *m, h2_stream *stream)
|
||||
return rv;
|
||||
}
|
||||
|
||||
+static int add_for_purge(h2_mplx *m, h2_stream *stream)
|
||||
+{
|
||||
+ int i;
|
||||
+ for (i = 0; i < m->spurge->nelts; ++i) {
|
||||
+ h2_stream *s = APR_ARRAY_IDX(m->spurge, i, h2_stream*);
|
||||
+ if (s == stream) /* already scheduled for purging */
|
||||
+ return FALSE;
|
||||
+ }
|
||||
+ APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
|
||||
+ return TRUE;
|
||||
+}
|
||||
+
|
||||
static void c1c2_stream_joined(h2_mplx *m, h2_stream *stream)
|
||||
{
|
||||
ap_assert(!stream_is_running(stream));
|
||||
|
||||
h2_ihash_remove(m->shold, stream->id);
|
||||
- APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
|
||||
+ add_for_purge(m, stream);
|
||||
}
|
||||
|
||||
static void m_stream_cleanup(h2_mplx *m, h2_stream *stream)
|
||||
@@ -164,7 +176,7 @@ static void m_stream_cleanup(h2_mplx *m, h2_stream *stream)
|
||||
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
|
||||
H2_STRM_MSG(stream, "cleanup, c2 is done, move to spurge"));
|
||||
/* processing has finished */
|
||||
- APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
|
||||
+ add_for_purge(m, stream);
|
||||
}
|
||||
else {
|
||||
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
|
||||
@@ -178,9 +190,10 @@ static void m_stream_cleanup(h2_mplx *m, h2_stream *stream)
|
||||
}
|
||||
else {
|
||||
/* never started */
|
||||
- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
|
||||
- H2_STRM_MSG(stream, "cleanup, never started, move to spurge"));
|
||||
- APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
|
||||
+ int added = add_for_purge(m, stream);
|
||||
+ if (added)
|
||||
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
|
||||
+ H2_STRM_MSG(stream, "cleanup, never started, move to spurge"));
|
||||
}
|
||||
}
|
||||
|
||||
diff --git a/modules/http2/h2_version.h b/modules/http2/h2_version.h
|
||||
index 8d38c34e786..8bcaf69e0a9 100644
|
||||
--- a/modules/http2/h2_version.h
|
||||
+++ b/modules/http2/h2_version.h
|
||||
@@ -27,7 +27,7 @@
|
||||
* @macro
|
||||
* Version number of the http2 module as c string
|
||||
*/
|
||||
-#define MOD_HTTP2_VERSION "2.0.35"
|
||||
+#define MOD_HTTP2_VERSION "2.0.37"
|
||||
|
||||
/**
|
||||
* @macro
|
||||
@@ -35,7 +35,7 @@
|
||||
* release. This is a 24 bit number with 8 bits for major number, 8 bits
|
||||
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
|
||||
*/
|
||||
-#define MOD_HTTP2_VERSION_NUM 0x020023
|
||||
+#define MOD_HTTP2_VERSION_NUM 0x020025
|
||||
|
||||
|
||||
#endif /* mod_h2_h2_version_h */
|
||||
@@ -0,0 +1,96 @@
|
||||
From 05e6c5086d6792b9105f88e1664b2614087f79d5 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 16:00:28 +0000
|
||||
Subject: [PATCH] Merge r1933349 from trunk:
|
||||
|
||||
use AP_EXPR_FLAG_RESTRICTED in htaccess
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933350 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/mappers/mod_rewrite.c | 7 ++++++-
|
||||
modules/metadata/mod_setenvif.c | 8 +++++++-
|
||||
modules/proxy/mod_proxy_fcgi.c | 11 +++++++++--
|
||||
3 files changed, 22 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
|
||||
index ae0ceda0508..9b1c5b4b6ad 100644
|
||||
--- a/modules/mappers/mod_rewrite.c
|
||||
+++ b/modules/mappers/mod_rewrite.c
|
||||
@@ -3679,12 +3679,17 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
|
||||
newcond->regexp = regexp;
|
||||
}
|
||||
else if (newcond->ptype == CONDPAT_AP_EXPR) {
|
||||
+ int in_htaccess = cmd->pool == cmd->temp_pool;
|
||||
unsigned int flags = newcond->flags & CONDFLAG_NOVARY ?
|
||||
AP_EXPR_FLAG_DONT_VARY : 0;
|
||||
+ /* Use restricted ap_expr() parser in htaccess context. */
|
||||
+ if (in_htaccess) flags |= AP_EXPR_FLAG_RESTRICTED;
|
||||
newcond->expr = ap_expr_parse_cmd(cmd, a2, flags, &err, NULL);
|
||||
if (err)
|
||||
return apr_psprintf(cmd->pool, "RewriteCond: cannot compile "
|
||||
- "expression \"%s\": %s", a2, err);
|
||||
+ "expression%s \"%s\" %s",
|
||||
+ in_htaccess ? " in htaccess context" : "",
|
||||
+ a2, err);
|
||||
}
|
||||
|
||||
return NULL;
|
||||
diff --git a/modules/metadata/mod_setenvif.c b/modules/metadata/mod_setenvif.c
|
||||
index 23d60cdba5a..b74c9c07dd9 100644
|
||||
--- a/modules/metadata/mod_setenvif.c
|
||||
+++ b/modules/metadata/mod_setenvif.c
|
||||
@@ -422,6 +422,12 @@ static const char *add_setenvifexpr(cmd_parms *cmd, void *mconfig,
|
||||
sei_cfg_rec *sconf;
|
||||
sei_entry *new;
|
||||
const char *err;
|
||||
+ unsigned int flags = 0;
|
||||
+
|
||||
+ /* Use restricted ap_expr() parser in htaccess context. */
|
||||
+ if (cmd->pool == cmd->temp_pool) {
|
||||
+ flags |= AP_EXPR_FLAG_RESTRICTED;
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Determine from our context into which record to put the entry.
|
||||
@@ -445,7 +451,7 @@ static const char *add_setenvifexpr(cmd_parms *cmd, void *mconfig,
|
||||
new->regex = NULL;
|
||||
new->pattern = NULL;
|
||||
new->preg = NULL;
|
||||
- new->expr = ap_expr_parse_cmd(cmd, expr, 0, &err, NULL);
|
||||
+ new->expr = ap_expr_parse_cmd(cmd, expr, flags, &err, NULL);
|
||||
if (err)
|
||||
return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
|
||||
expr, err);
|
||||
diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
|
||||
index 128cf1eac6f..ef090ddc771 100644
|
||||
--- a/modules/proxy/mod_proxy_fcgi.c
|
||||
+++ b/modules/proxy/mod_proxy_fcgi.c
|
||||
@@ -1338,9 +1338,15 @@ static const char *cmd_setenv(cmd_parms *cmd, void *in_dconf,
|
||||
const char *err;
|
||||
sei_entry *new;
|
||||
const char *envvar = arg2;
|
||||
+ unsigned int flags = 0;
|
||||
+
|
||||
+ /* Use restricted ap_expr() parser in htaccess context. */
|
||||
+ if (cmd->pool == cmd->temp_pool) {
|
||||
+ flags |= AP_EXPR_FLAG_RESTRICTED;
|
||||
+ }
|
||||
|
||||
new = apr_array_push(dconf->env_fixups);
|
||||
- new->cond = ap_expr_parse_cmd(cmd, arg1, 0, &err, NULL);
|
||||
+ new->cond = ap_expr_parse_cmd(cmd, arg1, flags, &err, NULL);
|
||||
if (err) {
|
||||
return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
|
||||
arg1, err);
|
||||
@@ -1367,7 +1373,8 @@ static const char *cmd_setenv(cmd_parms *cmd, void *in_dconf,
|
||||
arg3 = "";
|
||||
}
|
||||
|
||||
- new->subst = ap_expr_parse_cmd(cmd, arg3, AP_EXPR_FLAG_STRING_RESULT, &err, NULL);
|
||||
+ flags |= AP_EXPR_FLAG_STRING_RESULT;
|
||||
+ new->subst = ap_expr_parse_cmd(cmd, arg3, flags, &err, NULL);
|
||||
if (err) {
|
||||
return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
|
||||
arg3, err);
|
||||
@@ -0,0 +1,32 @@
|
||||
From d04119e6e591f7b21222e749387a8b39e9092a1b Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 15:57:55 +0000
|
||||
Subject: [PATCH] Merge r1933347 from trunk:
|
||||
|
||||
fix ajp_msg_check_header check
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933348 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/proxy/ajp_msg.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
|
||||
index 3d4186a521c..3454f621828 100644
|
||||
--- a/modules/proxy/ajp_msg.c
|
||||
+++ b/modules/proxy/ajp_msg.c
|
||||
@@ -166,11 +166,11 @@ apr_status_t ajp_msg_check_header(ajp_msg_t *msg, apr_size_t *len)
|
||||
msglen = ((head[2] & 0xff) << 8);
|
||||
msglen += (head[3] & 0xFF);
|
||||
|
||||
- if (msglen > msg->max_size) {
|
||||
+ if (msglen > (msg->max_size - AJP_HEADER_LEN)) {
|
||||
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(01081)
|
||||
"ajp_msg_check_header() incoming message is "
|
||||
"too big %" APR_SIZE_T_FMT ", max is %" APR_SIZE_T_FMT,
|
||||
- msglen, msg->max_size);
|
||||
+ msglen, msg->max_size - AJP_HEADER_LEN);
|
||||
return AJP_ETOBIG;
|
||||
}
|
||||
|
||||
@@ -0,0 +1,55 @@
|
||||
From 5b1edb79aa2d0f8e4424de64879c46c1942e460a Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 16:02:37 +0000
|
||||
Subject: [PATCH] Merge r1933351 from trunk:
|
||||
|
||||
ocsp limits
|
||||
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933352 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/md/md_ocsp.c | 22 +++++++++++++++++++++-
|
||||
1 file changed, 21 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/md/md_ocsp.c b/modules/md/md_ocsp.c
|
||||
index d2dfd73b68b..b44458676f7 100644
|
||||
--- a/modules/md/md_ocsp.c
|
||||
+++ b/modules/md/md_ocsp.c
|
||||
@@ -46,7 +46,21 @@
|
||||
#include "md_ocsp.h"
|
||||
|
||||
#define MD_OCSP_ID_LENGTH SHA_DIGEST_LENGTH
|
||||
-
|
||||
+
|
||||
+/* Max acceptable OCSP response size (DER-encoded responses are typically <2 KiB) */
|
||||
+#define MD_OCSP_MAX_RESPONSE_LEN (64 * 1024)
|
||||
+/* Timeout for OCSP responses */
|
||||
+#define MD_OCSP_DEFAULT_TIMEOUT apr_time_from_sec(60)
|
||||
+/* Timeout for connecting to OCSP servers */
|
||||
+#define MD_OCSP_CONNECT_TIMEOUT apr_time_from_sec(30)
|
||||
+/*
|
||||
+ * Below this throughput in bytes per second an OCSP response is regarded as
|
||||
+ * stalled.
|
||||
+ */
|
||||
+#define MD_OCSP_STALLING_BYTES 10
|
||||
+/* Maximum duration for a stalled period during an OCSP response */
|
||||
+#define MD_OCSP_STALLING_TIME apr_time_from_sec(30)
|
||||
+
|
||||
struct md_ocsp_reg_t {
|
||||
apr_pool_t *p;
|
||||
md_store_t *store;
|
||||
@@ -901,6 +915,12 @@ void md_ocsp_renew(md_ocsp_reg_t *reg, apr_pool_t *p, apr_pool_t *ptemp, apr_tim
|
||||
|
||||
rv = md_http_create(&http, ptemp, reg->user_agent, reg->proxy_url);
|
||||
if (APR_SUCCESS != rv) goto cleanup;
|
||||
+
|
||||
+ md_http_set_response_limit(http, MD_OCSP_MAX_RESPONSE_LEN);
|
||||
+ md_http_set_timeout_default(http, MD_OCSP_DEFAULT_TIMEOUT);
|
||||
+ md_http_set_connect_timeout_default(http, MD_OCSP_CONNECT_TIMEOUT);
|
||||
+ md_http_set_stalling_default(http, MD_OCSP_STALLING_BYTES,
|
||||
+ MD_OCSP_STALLING_TIME);
|
||||
|
||||
rv = md_http_multi_perform(http, next_todo, &ctx);
|
||||
|
||||
@@ -0,0 +1,38 @@
|
||||
From 225dc070adba11040b774cf641e1d8bc79941643 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 16:04:35 +0000
|
||||
Subject: [PATCH] Merge r1933353 from trunk:
|
||||
|
||||
mod_dav_lock: use the right dav_lock_discovery
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933354 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/dav/lock/locks.c | 12 ++++++------
|
||||
1 file changed, 6 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/modules/dav/lock/locks.c b/modules/dav/lock/locks.c
|
||||
index 0f072ec0647..d357e4572d1 100644
|
||||
--- a/modules/dav/lock/locks.c
|
||||
+++ b/modules/dav/lock/locks.c
|
||||
@@ -1190,13 +1190,13 @@ static dav_error * dav_generic_refresh_locks(dav_lockdb *lockdb,
|
||||
}
|
||||
if (dav_generic_do_refresh(dp_scan, ltl, new_time)) {
|
||||
/* the lock was refreshed. return the lock. */
|
||||
- newlock = dav_generic_alloc_lock(lockdb, ip->key, dp->locktoken);
|
||||
+ newlock = dav_generic_alloc_lock(lockdb, ip->key, dp_scan->locktoken);
|
||||
newlock->is_locknull = !resource->exists;
|
||||
- newlock->scope = dp->f.scope;
|
||||
- newlock->type = dp->f.type;
|
||||
- newlock->depth = dp->f.depth;
|
||||
- newlock->timeout = dp->f.timeout;
|
||||
- newlock->owner = dp->owner;
|
||||
+ newlock->scope = dp_scan->f.scope;
|
||||
+ newlock->type = dp_scan->f.type;
|
||||
+ newlock->depth = dp_scan->f.depth;
|
||||
+ newlock->timeout = dp_scan->f.timeout;
|
||||
+ newlock->owner = dp_scan->owner;
|
||||
newlock->auth_user = dp_scan->auth_user;
|
||||
|
||||
newlock->next = *locks;
|
||||
@@ -0,0 +1,140 @@
|
||||
From 4833b58c484c4eb8b429887b472bf4967cf88320 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 16:26:29 +0000
|
||||
Subject: [PATCH] Merge r1933355 from trunk:
|
||||
|
||||
mod_auth_digest: use apr_crypto_equals
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933356 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
configure.in | 4 ++--
|
||||
modules/aaa/mod_auth_digest.c | 45 ++++++++++++++---------------------
|
||||
2 files changed, 20 insertions(+), 29 deletions(-)
|
||||
|
||||
diff --git a/configure.in b/configure.in
|
||||
index d2a009d7902..d49cb28465a 100644
|
||||
--- a/configure.in
|
||||
+++ b/configure.in
|
||||
@@ -431,10 +431,10 @@ if test "${apu_found}" = "yes"; then
|
||||
# we need to add the APR includes to CPPFLAGS
|
||||
apu_ckver_CPPFLAGS="$CPPFLAGS"
|
||||
CPPFLAGS="$CPPFLAGS `$apr_config --includes`"
|
||||
- APACHE_CHECK_APxVER([apu], 1, 3)
|
||||
+ APACHE_CHECK_APxVER([apu], 1, 6)
|
||||
CPPFLAGS="$apu_ckver_CPPFLAGS"
|
||||
else
|
||||
- APACHE_CHECK_APxVER([apu], 1, 3)
|
||||
+ APACHE_CHECK_APxVER([apu], 1, 6)
|
||||
fi
|
||||
fi
|
||||
|
||||
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
|
||||
index 791cec2bc7c..3ef5f256de0 100644
|
||||
--- a/modules/aaa/mod_auth_digest.c
|
||||
+++ b/modules/aaa/mod_auth_digest.c
|
||||
@@ -73,6 +73,7 @@
|
||||
#include "apr_shm.h"
|
||||
#include "apr_rmm.h"
|
||||
#include "ap_provider.h"
|
||||
+#include "apr_crypto.h" /* for apr_crypto_equals */
|
||||
|
||||
#include "mod_auth.h"
|
||||
|
||||
@@ -100,10 +101,17 @@ typedef struct digest_config_struct {
|
||||
#define DFLT_NONCE_LIFE apr_time_from_sec(300)
|
||||
#define NEXTNONCE_DELTA apr_time_from_sec(30)
|
||||
|
||||
-
|
||||
+/* The server nonce has fixed length and is the concatenation of:
|
||||
+ * base64(apr_time_t timestamp) + hex(SHA1(realm+time[+opaque])) */
|
||||
#define NONCE_TIME_LEN (((sizeof(apr_time_t)+2)/3)*4)
|
||||
#define NONCE_HASH_LEN (2*APR_SHA1_DIGESTSIZE)
|
||||
#define NONCE_LEN (int )(NONCE_TIME_LEN + NONCE_HASH_LEN)
|
||||
+/* Evaluates to true if nonce string is valid. Since the time part of
|
||||
+ * the nonce is a base64 encoding of an apr_time_t (8 bytes), it
|
||||
+ * must end with a '='. */
|
||||
+#define VALID_NONCE(n_) ((n_) && strlen((n_)) == NONCE_LEN && (n_)[NONCE_TIME_LEN - 1] == '=')
|
||||
+
|
||||
+#define MD5_DIGEST_LEN (2*APR_MD5_DIGESTSIZE) /* ignoring trailing \0 */
|
||||
|
||||
#define SECRET_LEN 20
|
||||
#define RETAINED_DATA_ID "mod_auth_digest"
|
||||
@@ -1017,8 +1025,9 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp)
|
||||
resp->nonce_count = apr_pstrdup(r->pool, value);
|
||||
}
|
||||
|
||||
- if (!resp->username || !resp->realm || !resp->nonce || !resp->uri
|
||||
- || !resp->digest
|
||||
+ if (!resp->username || !resp->realm || !resp->uri
|
||||
+ || !VALID_NONCE(resp->nonce)
|
||||
+ || !resp->digest || strlen(resp->digest) != MD5_DIGEST_LEN
|
||||
|| (resp->message_qop && (!resp->cnonce || !resp->nonce_count))) {
|
||||
resp->auth_hdr_sts = INVALID;
|
||||
return !OK;
|
||||
@@ -1070,14 +1079,9 @@ static int parse_hdr_and_update_nc(request_rec *r)
|
||||
}
|
||||
|
||||
|
||||
-/*
|
||||
- * Nonce generation code
|
||||
- */
|
||||
-
|
||||
-/* The hash part of the nonce is a SHA-1 hash of the time, realm, server host
|
||||
- * and port, opaque, and our secret.
|
||||
- */
|
||||
-static void gen_nonce_hash(char *hash, const char *timestr, const char *opaque,
|
||||
+/* Writes the hash part of the server nonce to hash, which must be of
|
||||
+ * minimum size (NONCE_HASH_LEN+1). */
|
||||
+static void gen_nonce_hash(char hash[NONCE_HASH_LEN+1], const char *timestr, const char *opaque,
|
||||
const server_rec *server,
|
||||
const digest_config_rec *conf)
|
||||
{
|
||||
@@ -1426,19 +1430,6 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
|
||||
time_rec nonce_time;
|
||||
char tmp, hash[NONCE_HASH_LEN+1];
|
||||
|
||||
- /* Since the time part of the nonce is a base64 encoding of an
|
||||
- * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
|
||||
- */
|
||||
- if (strlen(resp->nonce) != NONCE_LEN
|
||||
- || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
|
||||
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
|
||||
- "invalid nonce '%s' received - length is not %d "
|
||||
- "or time encoding is incorrect",
|
||||
- resp->nonce, NONCE_LEN);
|
||||
- note_digest_auth_failure(r, conf, resp, 1);
|
||||
- return HTTP_UNAUTHORIZED;
|
||||
- }
|
||||
-
|
||||
tmp = resp->nonce[NONCE_TIME_LEN];
|
||||
resp->nonce[NONCE_TIME_LEN] = '\0';
|
||||
apr_base64_decode_binary(nonce_time.arr, resp->nonce);
|
||||
@@ -1446,7 +1437,7 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
|
||||
resp->nonce[NONCE_TIME_LEN] = tmp;
|
||||
resp->nonce_time = nonce_time.time;
|
||||
|
||||
- if (strcmp(hash, resp->nonce+NONCE_TIME_LEN)) {
|
||||
+ if (!apr_crypto_equals(hash, resp->nonce+NONCE_TIME_LEN, NONCE_HASH_LEN)) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01776)
|
||||
"invalid nonce %s received - hash is not %s",
|
||||
resp->nonce, hash);
|
||||
@@ -1796,7 +1787,7 @@ static int authenticate_digest_user(request_rec *r)
|
||||
|
||||
if (resp->message_qop == NULL) {
|
||||
/* old (rfc-2069) style digest */
|
||||
- if (strcmp(resp->digest, old_digest(r, resp))) {
|
||||
+ if (!apr_crypto_equals(resp->digest, old_digest(r, resp), MD5_DIGEST_LEN)) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01792)
|
||||
"user %s: password mismatch: %s", r->user,
|
||||
r->uri);
|
||||
@@ -1831,7 +1822,7 @@ static int authenticate_digest_user(request_rec *r)
|
||||
/* we failed to allocate a client struct */
|
||||
return HTTP_INTERNAL_SERVER_ERROR;
|
||||
}
|
||||
- if (strcmp(resp->digest, exp_digest)) {
|
||||
+ if (!apr_crypto_equals(resp->digest, exp_digest, MD5_DIGEST_LEN)) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01794)
|
||||
"user %s: password mismatch: %s", r->user,
|
||||
r->uri);
|
||||
@@ -0,0 +1,32 @@
|
||||
From d80685a9e0241d99e94aa2fc0aa491d90c4ae9e8 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 16:29:24 +0000
|
||||
Subject: [PATCH] Merge r1933357 from trunk:
|
||||
|
||||
mod_authn_socache: validate URL earlier
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933358 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/aaa/mod_authn_socache.c | 5 ++---
|
||||
1 file changed, 2 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
|
||||
index 0e4454a4b12..0834ab43d32 100644
|
||||
--- a/modules/aaa/mod_authn_socache.c
|
||||
+++ b/modules/aaa/mod_authn_socache.c
|
||||
@@ -266,11 +266,10 @@ static const command_rec authn_cache_cmds[] =
|
||||
static const char *construct_key(request_rec *r, const char *context,
|
||||
const char *user, const char *realm)
|
||||
{
|
||||
+ const char *slash = ap_strrchr_c(r->uri, '/');
|
||||
/* handle "special" context values */
|
||||
- if (!strcmp(context, directory)) {
|
||||
- /* FIXME: are we at risk of this blowing up? */
|
||||
+ if (!strcmp(context, directory) && slash) {
|
||||
char *new_context;
|
||||
- char *slash = strrchr(r->uri, '/');
|
||||
new_context = apr_palloc(r->pool, slash - r->uri +
|
||||
strlen(r->server->server_hostname) + 1);
|
||||
strcpy(new_context, r->server->server_hostname);
|
||||
@@ -0,0 +1,30 @@
|
||||
From 0218d4b9c1c0706df4bd7a3e3b15f71d4b66126a Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 16:32:29 +0000
|
||||
Subject: [PATCH] Merge r1933359 from trunk:
|
||||
|
||||
scan outgoing status line for newlines and controls
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933360 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/http/http_filters.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
|
||||
index 732fb8eb6a7..9f7f3fca6b6 100644
|
||||
--- a/modules/http/http_filters.c
|
||||
+++ b/modules/http/http_filters.c
|
||||
@@ -1013,6 +1013,11 @@ static apr_status_t validate_status_line(request_rec *r)
|
||||
r->status_line = apr_pstrcat(r->pool, r->status_line, " ", NULL);
|
||||
return APR_EGENERAL;
|
||||
}
|
||||
+ /* Check for newlines and control characters */
|
||||
+ if (len > 4 && *ap_scan_http_field_content(r->status_line + 4)) {
|
||||
+ r->status_line = NULL;
|
||||
+ return APR_EGENERAL;
|
||||
+ }
|
||||
return APR_SUCCESS;
|
||||
}
|
||||
return APR_EGENERAL;
|
||||
@@ -0,0 +1,63 @@
|
||||
From 493eb23e5cc18c3a7be53977c182ff5d1360c64c Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 15:48:41 +0000
|
||||
Subject: [PATCH] Merge r1933340 from trunk:
|
||||
|
||||
fix length checks in AJP msg_get functions
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933341 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/proxy/ajp_msg.c | 10 +++++-----
|
||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
|
||||
index 3367b5df4aa..36533c59059 100644
|
||||
--- a/modules/proxy/ajp_msg.c
|
||||
+++ b/modules/proxy/ajp_msg.c
|
||||
@@ -395,7 +395,7 @@ apr_status_t ajp_msg_get_uint32(ajp_msg_t *msg, apr_uint32_t *rvalue)
|
||||
{
|
||||
apr_uint32_t value;
|
||||
|
||||
- if ((msg->pos + 3) > msg->len) {
|
||||
+ if ((msg->pos + 3) >= msg->len) {
|
||||
return ajp_log_overflow(msg, "ajp_msg_get_uint32");
|
||||
}
|
||||
|
||||
@@ -420,7 +420,7 @@ apr_status_t ajp_msg_get_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
|
||||
{
|
||||
apr_uint16_t value;
|
||||
|
||||
- if ((msg->pos + 1) > msg->len) {
|
||||
+ if ((msg->pos + 1) >= msg->len) {
|
||||
return ajp_log_overflow(msg, "ajp_msg_get_uint16");
|
||||
}
|
||||
|
||||
@@ -443,7 +443,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
|
||||
{
|
||||
apr_uint16_t value;
|
||||
|
||||
- if ((msg->pos + 1) > msg->len) {
|
||||
+ if ((msg->pos + 1) >= msg->len) {
|
||||
return ajp_log_overflow(msg, "ajp_msg_peek_uint16");
|
||||
}
|
||||
|
||||
@@ -464,7 +464,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
|
||||
*/
|
||||
apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
|
||||
{
|
||||
- if (msg->pos > msg->len) {
|
||||
+ if (msg->pos >= msg->len) {
|
||||
return ajp_log_overflow(msg, "ajp_msg_peek_uint8");
|
||||
}
|
||||
|
||||
@@ -482,7 +482,7 @@ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
|
||||
apr_status_t ajp_msg_get_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
|
||||
{
|
||||
|
||||
- if (msg->pos > msg->len) {
|
||||
+ if (msg->pos >= msg->len) {
|
||||
return ajp_log_overflow(msg, "ajp_msg_get_uint8");
|
||||
}
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
From b8def8fe323f7f67d0e03bb83c67d66bd8d7fcb2 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 15:50:50 +0000
|
||||
Subject: [PATCH] Merge r1933342 from trunk:
|
||||
|
||||
fix ajp_msg_get_string buffer checks
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933343 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/proxy/ajp_msg.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
|
||||
index 36533c59059..3d4186a521c 100644
|
||||
--- a/modules/proxy/ajp_msg.c
|
||||
+++ b/modules/proxy/ajp_msg.c
|
||||
@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
|
||||
status = ajp_msg_get_uint16(msg, &size);
|
||||
start = msg->pos;
|
||||
|
||||
- if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
|
||||
+ if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
|
||||
+ return ajp_log_overflow(msg, "ajp_msg_get_string");
|
||||
+ }
|
||||
+
|
||||
+ /* Verify that the expected null terminator is actually present */
|
||||
+ if (msg->buf[start + size] != '\0') {
|
||||
return ajp_log_overflow(msg, "ajp_msg_get_string");
|
||||
}
|
||||
|
||||
@@ -0,0 +1,31 @@
|
||||
From a3d32288317a87b1398825f2167e0ae083ed43da Mon Sep 17 00:00:00 2001
|
||||
From: Eric Covener <covener@apache.org>
|
||||
Date: Sun, 26 Apr 2026 15:55:26 +0000
|
||||
Subject: [PATCH] Merge r1933344 from trunk:
|
||||
|
||||
fix ajp_parse_data message len check
|
||||
+lognos
|
||||
|
||||
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933346 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
modules/proxy/ajp_header.c | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
|
||||
index 00db324e426..334d0aebb12 100644
|
||||
--- a/modules/proxy/ajp_header.c
|
||||
+++ b/modules/proxy/ajp_header.c
|
||||
@@ -835,6 +835,11 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg,
|
||||
* 1 : The last byte of this message always seems to be
|
||||
* 0x00 and is not part of the chunk.
|
||||
*/
|
||||
+ if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1) {
|
||||
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10546)
|
||||
+ "ajp_parse_data: Message too small");
|
||||
+ return AJP_EBAD_HEADER;
|
||||
+ }
|
||||
expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
|
||||
if (*len != expected_len) {
|
||||
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00998)
|
||||
Reference in New Issue
Block a user