Fix 11 bugs / CVEs.

* Fix bsc#1263952 / CVE-2026-33857.
* Fix bsc#1263954 / CVE-2026-33007.
* Fix bsc#1264163 / CVE-2026-28780.
* Fix bsc#1264150 / CVE-2026-29168.
* Fix bsc#1263957 / CVE-2026-23918.
* Fix bsc#1263953 / CVE-2026-33523.
* Fix bsc#1263955 / CVE-2026-33006.
* Fix bsc#1263956 / CVE-2026-29169.
* Fix bsc#1263935 / CVE-2026-24072.
* Fix bsc#1263950 / CVE-2026-34059.
* Fix bsc#1263951 / CVE-2026-34032.
This commit is contained in:
Martin Jungblut Schreiner
2026-06-01 15:15:10 -03:00
parent bd7e7dc792
commit c686547ff4
13 changed files with 707 additions and 0 deletions
+32
View File
@@ -1,3 +1,35 @@
-------------------------------------------------------------------
Wed May 20 13:27:04 UTC 2026 - Martin Schreiner <martin.schreiner@suse.com>
* Fix bsc#1263952 / CVE-2026-33857.
* Fix bsc#1263954 / CVE-2026-33007.
* Fix bsc#1264163 / CVE-2026-28780.
* Fix bsc#1264150 / CVE-2026-29168.
* Add patch files:
- CVE-2026-33857.patch
- CVE-2026-33007.patch
- CVE-2026-28780.patch
- CVE-2026-29168.patch
-------------------------------------------------------------------
Thu May 14 03:15:36 UTC 2026 - Martin Schreiner <martin.schreiner@suse.com>
* Fix bsc#1263957 / CVE-2026-23918.
* Fix bsc#1263953 / CVE-2026-33523.
* Fix bsc#1263955 / CVE-2026-33006.
* Fix bsc#1263956 / CVE-2026-29169.
* Fix bsc#1263935 / CVE-2026-24072.
* Fix bsc#1263950 / CVE-2026-34059.
* Fix bsc#1263951 / CVE-2026-34032.
* Add patch files:
- CVE-2026-23918.patch
- CVE-2026-33523.patch
- CVE-2026-33006.patch
- CVE-2026-29169.patch
- CVE-2026-24072.patch
- CVE-2026-34059.patch
- CVE-2026-34032.patch
-------------------------------------------------------------------
Thu May 7 10:48:49 UTC 2026 - Martin Schreiner <martin.schreiner@suse.com>
+22
View File
@@ -189,6 +189,28 @@ Patch100: apache-test-application-xml-type.patch
# even if in live system I do not experience this inconsistency, let's turn off
# these variables from the test
Patch101: apache-test-turn-off-variables-in-ssl-var-lookup.patch
# PATCH-FIX-UPSTREAM bsc#1263957
Patch102: CVE-2026-23918.patch
# PATCH-FIX-UPSTREAM bsc#1263953
Patch103: CVE-2026-33523.patch
# PATCH-FIX-UPSTREAM bsc#1263955
Patch104: CVE-2026-33006.patch
# PATCH-FIX-UPSTREAM bsc#1263956
Patch105: CVE-2026-29169.patch
# PATCH-FIX-UPSTREAM bsc#1263935
Patch106: CVE-2026-24072.patch
# PATCH-FIX-UPSTREAM bsc#1263950
Patch107: CVE-2026-34059.patch
# PATCH-FIX-UPSTREAM bsc#1263951
Patch108: CVE-2026-34032.patch
# PATCH-FIX-UPSTREAM bsc#1263952
Patch109: CVE-2026-33857.patch
# PATCH-FIX-UPSTREAM bsc#1263954
Patch110: CVE-2026-33007.patch
# PATCH-FIX-UPSTREAM bsc#1264163
Patch111: CVE-2026-28780.patch
# PATCH-FIX-UPSTREAM bsc#1264150
Patch112: CVE-2026-29168.patch
BuildRequires: apache-rpm-macros-control
#Since 2.4.7 the event MPM requires apr 1.5.0 or later.
BuildRequires: apr-devel >= 1.5.0
+104
View File
@@ -0,0 +1,104 @@
From e41e84e08e6186460e77a8357b5d5c571d33bd76 Mon Sep 17 00:00:00 2001
From: Stefan Eissing <icing@apache.org>
Date: Mon, 22 Dec 2025 12:16:34 +0000
Subject: [PATCH] Merge /httpd/httpd/trunk:r1930444
*) mod_http2: update to version 2.0.37
Prevent double purge of a stream, resulting in a double free.
Fixes PR 69899.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1930796 13f79535-47bb-0310-9956-ffa450edef68
---
changes-entries/h2_v2.0.37.txt | 4 ++++
modules/http2/h2_mplx.c | 23 ++++++++++++++++++-----
modules/http2/h2_version.h | 4 ++--
3 files changed, 24 insertions(+), 7 deletions(-)
create mode 100644 changes-entries/h2_v2.0.37.txt
diff --git a/changes-entries/h2_v2.0.37.txt b/changes-entries/h2_v2.0.37.txt
new file mode 100644
index 00000000000..8f22cde5d8b
--- /dev/null
+++ b/changes-entries/h2_v2.0.37.txt
@@ -0,0 +1,4 @@
+ *) mod_http2: update to version 2.0.37
+ Prevent double purge of a stream, resulting in a double free.
+ Fixes PR 69899.
+ [Stefan Eissing]
diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
index f9616aba048..75518f4eebf 100644
--- a/modules/http2/h2_mplx.c
+++ b/modules/http2/h2_mplx.c
@@ -126,12 +126,24 @@ int h2_mplx_c1_stream_is_running(h2_mplx *m, h2_stream *stream)
return rv;
}
+static int add_for_purge(h2_mplx *m, h2_stream *stream)
+{
+ int i;
+ for (i = 0; i < m->spurge->nelts; ++i) {
+ h2_stream *s = APR_ARRAY_IDX(m->spurge, i, h2_stream*);
+ if (s == stream) /* already scheduled for purging */
+ return FALSE;
+ }
+ APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
+ return TRUE;
+}
+
static void c1c2_stream_joined(h2_mplx *m, h2_stream *stream)
{
ap_assert(!stream_is_running(stream));
h2_ihash_remove(m->shold, stream->id);
- APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
+ add_for_purge(m, stream);
}
static void m_stream_cleanup(h2_mplx *m, h2_stream *stream)
@@ -164,7 +176,7 @@ static void m_stream_cleanup(h2_mplx *m, h2_stream *stream)
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
H2_STRM_MSG(stream, "cleanup, c2 is done, move to spurge"));
/* processing has finished */
- APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
+ add_for_purge(m, stream);
}
else {
ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
@@ -178,9 +190,10 @@ static void m_stream_cleanup(h2_mplx *m, h2_stream *stream)
}
else {
/* never started */
- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
- H2_STRM_MSG(stream, "cleanup, never started, move to spurge"));
- APR_ARRAY_PUSH(m->spurge, h2_stream *) = stream;
+ int added = add_for_purge(m, stream);
+ if (added)
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c1,
+ H2_STRM_MSG(stream, "cleanup, never started, move to spurge"));
}
}
diff --git a/modules/http2/h2_version.h b/modules/http2/h2_version.h
index 8d38c34e786..8bcaf69e0a9 100644
--- a/modules/http2/h2_version.h
+++ b/modules/http2/h2_version.h
@@ -27,7 +27,7 @@
* @macro
* Version number of the http2 module as c string
*/
-#define MOD_HTTP2_VERSION "2.0.35"
+#define MOD_HTTP2_VERSION "2.0.37"
/**
* @macro
@@ -35,7 +35,7 @@
* release. This is a 24 bit number with 8 bits for major number, 8 bits
* for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
*/
-#define MOD_HTTP2_VERSION_NUM 0x020023
+#define MOD_HTTP2_VERSION_NUM 0x020025
#endif /* mod_h2_h2_version_h */
+96
View File
@@ -0,0 +1,96 @@
From 05e6c5086d6792b9105f88e1664b2614087f79d5 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 16:00:28 +0000
Subject: [PATCH] Merge r1933349 from trunk:
use AP_EXPR_FLAG_RESTRICTED in htaccess
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933350 13f79535-47bb-0310-9956-ffa450edef68
---
modules/mappers/mod_rewrite.c | 7 ++++++-
modules/metadata/mod_setenvif.c | 8 +++++++-
modules/proxy/mod_proxy_fcgi.c | 11 +++++++++--
3 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index ae0ceda0508..9b1c5b4b6ad 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -3679,12 +3679,17 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
newcond->regexp = regexp;
}
else if (newcond->ptype == CONDPAT_AP_EXPR) {
+ int in_htaccess = cmd->pool == cmd->temp_pool;
unsigned int flags = newcond->flags & CONDFLAG_NOVARY ?
AP_EXPR_FLAG_DONT_VARY : 0;
+ /* Use restricted ap_expr() parser in htaccess context. */
+ if (in_htaccess) flags |= AP_EXPR_FLAG_RESTRICTED;
newcond->expr = ap_expr_parse_cmd(cmd, a2, flags, &err, NULL);
if (err)
return apr_psprintf(cmd->pool, "RewriteCond: cannot compile "
- "expression \"%s\": %s", a2, err);
+ "expression%s \"%s\" %s",
+ in_htaccess ? " in htaccess context" : "",
+ a2, err);
}
return NULL;
diff --git a/modules/metadata/mod_setenvif.c b/modules/metadata/mod_setenvif.c
index 23d60cdba5a..b74c9c07dd9 100644
--- a/modules/metadata/mod_setenvif.c
+++ b/modules/metadata/mod_setenvif.c
@@ -422,6 +422,12 @@ static const char *add_setenvifexpr(cmd_parms *cmd, void *mconfig,
sei_cfg_rec *sconf;
sei_entry *new;
const char *err;
+ unsigned int flags = 0;
+
+ /* Use restricted ap_expr() parser in htaccess context. */
+ if (cmd->pool == cmd->temp_pool) {
+ flags |= AP_EXPR_FLAG_RESTRICTED;
+ }
/*
* Determine from our context into which record to put the entry.
@@ -445,7 +451,7 @@ static const char *add_setenvifexpr(cmd_parms *cmd, void *mconfig,
new->regex = NULL;
new->pattern = NULL;
new->preg = NULL;
- new->expr = ap_expr_parse_cmd(cmd, expr, 0, &err, NULL);
+ new->expr = ap_expr_parse_cmd(cmd, expr, flags, &err, NULL);
if (err)
return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
expr, err);
diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
index 128cf1eac6f..ef090ddc771 100644
--- a/modules/proxy/mod_proxy_fcgi.c
+++ b/modules/proxy/mod_proxy_fcgi.c
@@ -1338,9 +1338,15 @@ static const char *cmd_setenv(cmd_parms *cmd, void *in_dconf,
const char *err;
sei_entry *new;
const char *envvar = arg2;
+ unsigned int flags = 0;
+
+ /* Use restricted ap_expr() parser in htaccess context. */
+ if (cmd->pool == cmd->temp_pool) {
+ flags |= AP_EXPR_FLAG_RESTRICTED;
+ }
new = apr_array_push(dconf->env_fixups);
- new->cond = ap_expr_parse_cmd(cmd, arg1, 0, &err, NULL);
+ new->cond = ap_expr_parse_cmd(cmd, arg1, flags, &err, NULL);
if (err) {
return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
arg1, err);
@@ -1367,7 +1373,8 @@ static const char *cmd_setenv(cmd_parms *cmd, void *in_dconf,
arg3 = "";
}
- new->subst = ap_expr_parse_cmd(cmd, arg3, AP_EXPR_FLAG_STRING_RESULT, &err, NULL);
+ flags |= AP_EXPR_FLAG_STRING_RESULT;
+ new->subst = ap_expr_parse_cmd(cmd, arg3, flags, &err, NULL);
if (err) {
return apr_psprintf(cmd->pool, "Could not parse expression \"%s\": %s",
arg3, err);
+32
View File
@@ -0,0 +1,32 @@
From d04119e6e591f7b21222e749387a8b39e9092a1b Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:57:55 +0000
Subject: [PATCH] Merge r1933347 from trunk:
fix ajp_msg_check_header check
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933348 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/ajp_msg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index 3d4186a521c..3454f621828 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -166,11 +166,11 @@ apr_status_t ajp_msg_check_header(ajp_msg_t *msg, apr_size_t *len)
msglen = ((head[2] & 0xff) << 8);
msglen += (head[3] & 0xFF);
- if (msglen > msg->max_size) {
+ if (msglen > (msg->max_size - AJP_HEADER_LEN)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, NULL, APLOGNO(01081)
"ajp_msg_check_header() incoming message is "
"too big %" APR_SIZE_T_FMT ", max is %" APR_SIZE_T_FMT,
- msglen, msg->max_size);
+ msglen, msg->max_size - AJP_HEADER_LEN);
return AJP_ETOBIG;
}
+55
View File
@@ -0,0 +1,55 @@
From 5b1edb79aa2d0f8e4424de64879c46c1942e460a Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 16:02:37 +0000
Subject: [PATCH] Merge r1933351 from trunk:
ocsp limits
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933352 13f79535-47bb-0310-9956-ffa450edef68
---
modules/md/md_ocsp.c | 22 +++++++++++++++++++++-
1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/modules/md/md_ocsp.c b/modules/md/md_ocsp.c
index d2dfd73b68b..b44458676f7 100644
--- a/modules/md/md_ocsp.c
+++ b/modules/md/md_ocsp.c
@@ -46,7 +46,21 @@
#include "md_ocsp.h"
#define MD_OCSP_ID_LENGTH SHA_DIGEST_LENGTH
-
+
+/* Max acceptable OCSP response size (DER-encoded responses are typically <2 KiB) */
+#define MD_OCSP_MAX_RESPONSE_LEN (64 * 1024)
+/* Timeout for OCSP responses */
+#define MD_OCSP_DEFAULT_TIMEOUT apr_time_from_sec(60)
+/* Timeout for connecting to OCSP servers */
+#define MD_OCSP_CONNECT_TIMEOUT apr_time_from_sec(30)
+/*
+ * Below this throughput in bytes per second an OCSP response is regarded as
+ * stalled.
+ */
+#define MD_OCSP_STALLING_BYTES 10
+/* Maximum duration for a stalled period during an OCSP response */
+#define MD_OCSP_STALLING_TIME apr_time_from_sec(30)
+
struct md_ocsp_reg_t {
apr_pool_t *p;
md_store_t *store;
@@ -901,6 +915,12 @@ void md_ocsp_renew(md_ocsp_reg_t *reg, apr_pool_t *p, apr_pool_t *ptemp, apr_tim
rv = md_http_create(&http, ptemp, reg->user_agent, reg->proxy_url);
if (APR_SUCCESS != rv) goto cleanup;
+
+ md_http_set_response_limit(http, MD_OCSP_MAX_RESPONSE_LEN);
+ md_http_set_timeout_default(http, MD_OCSP_DEFAULT_TIMEOUT);
+ md_http_set_connect_timeout_default(http, MD_OCSP_CONNECT_TIMEOUT);
+ md_http_set_stalling_default(http, MD_OCSP_STALLING_BYTES,
+ MD_OCSP_STALLING_TIME);
rv = md_http_multi_perform(http, next_todo, &ctx);
+38
View File
@@ -0,0 +1,38 @@
From 225dc070adba11040b774cf641e1d8bc79941643 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 16:04:35 +0000
Subject: [PATCH] Merge r1933353 from trunk:
mod_dav_lock: use the right dav_lock_discovery
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933354 13f79535-47bb-0310-9956-ffa450edef68
---
modules/dav/lock/locks.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/modules/dav/lock/locks.c b/modules/dav/lock/locks.c
index 0f072ec0647..d357e4572d1 100644
--- a/modules/dav/lock/locks.c
+++ b/modules/dav/lock/locks.c
@@ -1190,13 +1190,13 @@ static dav_error * dav_generic_refresh_locks(dav_lockdb *lockdb,
}
if (dav_generic_do_refresh(dp_scan, ltl, new_time)) {
/* the lock was refreshed. return the lock. */
- newlock = dav_generic_alloc_lock(lockdb, ip->key, dp->locktoken);
+ newlock = dav_generic_alloc_lock(lockdb, ip->key, dp_scan->locktoken);
newlock->is_locknull = !resource->exists;
- newlock->scope = dp->f.scope;
- newlock->type = dp->f.type;
- newlock->depth = dp->f.depth;
- newlock->timeout = dp->f.timeout;
- newlock->owner = dp->owner;
+ newlock->scope = dp_scan->f.scope;
+ newlock->type = dp_scan->f.type;
+ newlock->depth = dp_scan->f.depth;
+ newlock->timeout = dp_scan->f.timeout;
+ newlock->owner = dp_scan->owner;
newlock->auth_user = dp_scan->auth_user;
newlock->next = *locks;
+140
View File
@@ -0,0 +1,140 @@
From 4833b58c484c4eb8b429887b472bf4967cf88320 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 16:26:29 +0000
Subject: [PATCH] Merge r1933355 from trunk:
mod_auth_digest: use apr_crypto_equals
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933356 13f79535-47bb-0310-9956-ffa450edef68
---
configure.in | 4 ++--
modules/aaa/mod_auth_digest.c | 45 ++++++++++++++---------------------
2 files changed, 20 insertions(+), 29 deletions(-)
diff --git a/configure.in b/configure.in
index d2a009d7902..d49cb28465a 100644
--- a/configure.in
+++ b/configure.in
@@ -431,10 +431,10 @@ if test "${apu_found}" = "yes"; then
# we need to add the APR includes to CPPFLAGS
apu_ckver_CPPFLAGS="$CPPFLAGS"
CPPFLAGS="$CPPFLAGS `$apr_config --includes`"
- APACHE_CHECK_APxVER([apu], 1, 3)
+ APACHE_CHECK_APxVER([apu], 1, 6)
CPPFLAGS="$apu_ckver_CPPFLAGS"
else
- APACHE_CHECK_APxVER([apu], 1, 3)
+ APACHE_CHECK_APxVER([apu], 1, 6)
fi
fi
diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
index 791cec2bc7c..3ef5f256de0 100644
--- a/modules/aaa/mod_auth_digest.c
+++ b/modules/aaa/mod_auth_digest.c
@@ -73,6 +73,7 @@
#include "apr_shm.h"
#include "apr_rmm.h"
#include "ap_provider.h"
+#include "apr_crypto.h" /* for apr_crypto_equals */
#include "mod_auth.h"
@@ -100,10 +101,17 @@ typedef struct digest_config_struct {
#define DFLT_NONCE_LIFE apr_time_from_sec(300)
#define NEXTNONCE_DELTA apr_time_from_sec(30)
-
+/* The server nonce has fixed length and is the concatenation of:
+ * base64(apr_time_t timestamp) + hex(SHA1(realm+time[+opaque])) */
#define NONCE_TIME_LEN (((sizeof(apr_time_t)+2)/3)*4)
#define NONCE_HASH_LEN (2*APR_SHA1_DIGESTSIZE)
#define NONCE_LEN (int )(NONCE_TIME_LEN + NONCE_HASH_LEN)
+/* Evaluates to true if nonce string is valid. Since the time part of
+ * the nonce is a base64 encoding of an apr_time_t (8 bytes), it
+ * must end with a '='. */
+#define VALID_NONCE(n_) ((n_) && strlen((n_)) == NONCE_LEN && (n_)[NONCE_TIME_LEN - 1] == '=')
+
+#define MD5_DIGEST_LEN (2*APR_MD5_DIGESTSIZE) /* ignoring trailing \0 */
#define SECRET_LEN 20
#define RETAINED_DATA_ID "mod_auth_digest"
@@ -1017,8 +1025,9 @@ static int get_digest_rec(request_rec *r, digest_header_rec *resp)
resp->nonce_count = apr_pstrdup(r->pool, value);
}
- if (!resp->username || !resp->realm || !resp->nonce || !resp->uri
- || !resp->digest
+ if (!resp->username || !resp->realm || !resp->uri
+ || !VALID_NONCE(resp->nonce)
+ || !resp->digest || strlen(resp->digest) != MD5_DIGEST_LEN
|| (resp->message_qop && (!resp->cnonce || !resp->nonce_count))) {
resp->auth_hdr_sts = INVALID;
return !OK;
@@ -1070,14 +1079,9 @@ static int parse_hdr_and_update_nc(request_rec *r)
}
-/*
- * Nonce generation code
- */
-
-/* The hash part of the nonce is a SHA-1 hash of the time, realm, server host
- * and port, opaque, and our secret.
- */
-static void gen_nonce_hash(char *hash, const char *timestr, const char *opaque,
+/* Writes the hash part of the server nonce to hash, which must be of
+ * minimum size (NONCE_HASH_LEN+1). */
+static void gen_nonce_hash(char hash[NONCE_HASH_LEN+1], const char *timestr, const char *opaque,
const server_rec *server,
const digest_config_rec *conf)
{
@@ -1426,19 +1430,6 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
time_rec nonce_time;
char tmp, hash[NONCE_HASH_LEN+1];
- /* Since the time part of the nonce is a base64 encoding of an
- * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
- */
- if (strlen(resp->nonce) != NONCE_LEN
- || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
- "invalid nonce '%s' received - length is not %d "
- "or time encoding is incorrect",
- resp->nonce, NONCE_LEN);
- note_digest_auth_failure(r, conf, resp, 1);
- return HTTP_UNAUTHORIZED;
- }
-
tmp = resp->nonce[NONCE_TIME_LEN];
resp->nonce[NONCE_TIME_LEN] = '\0';
apr_base64_decode_binary(nonce_time.arr, resp->nonce);
@@ -1446,7 +1437,7 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
resp->nonce[NONCE_TIME_LEN] = tmp;
resp->nonce_time = nonce_time.time;
- if (strcmp(hash, resp->nonce+NONCE_TIME_LEN)) {
+ if (!apr_crypto_equals(hash, resp->nonce+NONCE_TIME_LEN, NONCE_HASH_LEN)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01776)
"invalid nonce %s received - hash is not %s",
resp->nonce, hash);
@@ -1796,7 +1787,7 @@ static int authenticate_digest_user(request_rec *r)
if (resp->message_qop == NULL) {
/* old (rfc-2069) style digest */
- if (strcmp(resp->digest, old_digest(r, resp))) {
+ if (!apr_crypto_equals(resp->digest, old_digest(r, resp), MD5_DIGEST_LEN)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01792)
"user %s: password mismatch: %s", r->user,
r->uri);
@@ -1831,7 +1822,7 @@ static int authenticate_digest_user(request_rec *r)
/* we failed to allocate a client struct */
return HTTP_INTERNAL_SERVER_ERROR;
}
- if (strcmp(resp->digest, exp_digest)) {
+ if (!apr_crypto_equals(resp->digest, exp_digest, MD5_DIGEST_LEN)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01794)
"user %s: password mismatch: %s", r->user,
r->uri);
+32
View File
@@ -0,0 +1,32 @@
From d80685a9e0241d99e94aa2fc0aa491d90c4ae9e8 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 16:29:24 +0000
Subject: [PATCH] Merge r1933357 from trunk:
mod_authn_socache: validate URL earlier
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933358 13f79535-47bb-0310-9956-ffa450edef68
---
modules/aaa/mod_authn_socache.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/modules/aaa/mod_authn_socache.c b/modules/aaa/mod_authn_socache.c
index 0e4454a4b12..0834ab43d32 100644
--- a/modules/aaa/mod_authn_socache.c
+++ b/modules/aaa/mod_authn_socache.c
@@ -266,11 +266,10 @@ static const command_rec authn_cache_cmds[] =
static const char *construct_key(request_rec *r, const char *context,
const char *user, const char *realm)
{
+ const char *slash = ap_strrchr_c(r->uri, '/');
/* handle "special" context values */
- if (!strcmp(context, directory)) {
- /* FIXME: are we at risk of this blowing up? */
+ if (!strcmp(context, directory) && slash) {
char *new_context;
- char *slash = strrchr(r->uri, '/');
new_context = apr_palloc(r->pool, slash - r->uri +
strlen(r->server->server_hostname) + 1);
strcpy(new_context, r->server->server_hostname);
+30
View File
@@ -0,0 +1,30 @@
From 0218d4b9c1c0706df4bd7a3e3b15f71d4b66126a Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 16:32:29 +0000
Subject: [PATCH] Merge r1933359 from trunk:
scan outgoing status line for newlines and controls
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933360 13f79535-47bb-0310-9956-ffa450edef68
---
modules/http/http_filters.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
index 732fb8eb6a7..9f7f3fca6b6 100644
--- a/modules/http/http_filters.c
+++ b/modules/http/http_filters.c
@@ -1013,6 +1013,11 @@ static apr_status_t validate_status_line(request_rec *r)
r->status_line = apr_pstrcat(r->pool, r->status_line, " ", NULL);
return APR_EGENERAL;
}
+ /* Check for newlines and control characters */
+ if (len > 4 && *ap_scan_http_field_content(r->status_line + 4)) {
+ r->status_line = NULL;
+ return APR_EGENERAL;
+ }
return APR_SUCCESS;
}
return APR_EGENERAL;
+63
View File
@@ -0,0 +1,63 @@
From 493eb23e5cc18c3a7be53977c182ff5d1360c64c Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:48:41 +0000
Subject: [PATCH] Merge r1933340 from trunk:
fix length checks in AJP msg_get functions
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933341 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/ajp_msg.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index 3367b5df4aa..36533c59059 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -395,7 +395,7 @@ apr_status_t ajp_msg_get_uint32(ajp_msg_t *msg, apr_uint32_t *rvalue)
{
apr_uint32_t value;
- if ((msg->pos + 3) > msg->len) {
+ if ((msg->pos + 3) >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_get_uint32");
}
@@ -420,7 +420,7 @@ apr_status_t ajp_msg_get_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
{
apr_uint16_t value;
- if ((msg->pos + 1) > msg->len) {
+ if ((msg->pos + 1) >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_get_uint16");
}
@@ -443,7 +443,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
{
apr_uint16_t value;
- if ((msg->pos + 1) > msg->len) {
+ if ((msg->pos + 1) >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_peek_uint16");
}
@@ -464,7 +464,7 @@ apr_status_t ajp_msg_peek_uint16(ajp_msg_t *msg, apr_uint16_t *rvalue)
*/
apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
{
- if (msg->pos > msg->len) {
+ if (msg->pos >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_peek_uint8");
}
@@ -482,7 +482,7 @@ apr_status_t ajp_msg_peek_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
apr_status_t ajp_msg_get_uint8(ajp_msg_t *msg, apr_byte_t *rvalue)
{
- if (msg->pos > msg->len) {
+ if (msg->pos >= msg->len) {
return ajp_log_overflow(msg, "ajp_msg_get_uint8");
}
+32
View File
@@ -0,0 +1,32 @@
From b8def8fe323f7f67d0e03bb83c67d66bd8d7fcb2 Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:50:50 +0000
Subject: [PATCH] Merge r1933342 from trunk:
fix ajp_msg_get_string buffer checks
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933343 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/ajp_msg.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/proxy/ajp_msg.c b/modules/proxy/ajp_msg.c
index 36533c59059..3d4186a521c 100644
--- a/modules/proxy/ajp_msg.c
+++ b/modules/proxy/ajp_msg.c
@@ -507,7 +507,12 @@ apr_status_t ajp_msg_get_string(ajp_msg_t *msg, const char **rvalue)
status = ajp_msg_get_uint16(msg, &size);
start = msg->pos;
- if ((status != APR_SUCCESS) || (size + start > msg->max_size)) {
+ if ((status != APR_SUCCESS) || (size + start >= msg->len)) {
+ return ajp_log_overflow(msg, "ajp_msg_get_string");
+ }
+
+ /* Verify that the expected null terminator is actually present */
+ if (msg->buf[start + size] != '\0') {
return ajp_log_overflow(msg, "ajp_msg_get_string");
}
+31
View File
@@ -0,0 +1,31 @@
From a3d32288317a87b1398825f2167e0ae083ed43da Mon Sep 17 00:00:00 2001
From: Eric Covener <covener@apache.org>
Date: Sun, 26 Apr 2026 15:55:26 +0000
Subject: [PATCH] Merge r1933344 from trunk:
fix ajp_parse_data message len check
+lognos
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1933346 13f79535-47bb-0310-9956-ffa450edef68
---
modules/proxy/ajp_header.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
index 00db324e426..334d0aebb12 100644
--- a/modules/proxy/ajp_header.c
+++ b/modules/proxy/ajp_header.c
@@ -835,6 +835,11 @@ apr_status_t ajp_parse_data(request_rec *r, ajp_msg_t *msg,
* 1 : The last byte of this message always seems to be
* 0x00 and is not part of the chunk.
*/
+ if (msg->len < AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10546)
+ "ajp_parse_data: Message too small");
+ return AJP_EBAD_HEADER;
+ }
expected_len = msg->len - (AJP_HEADER_LEN + AJP_HEADER_SZ_LEN + 1 + 1);
if (*len != expected_len) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00998)