diff --git a/apache2.changes b/apache2.changes
index 8781acf..7659790 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,24 @@
+-------------------------------------------------------------------
+Tue Jul 12 14:49:09 UTC 2016 - kstreitova@suse.com
+
+- add httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
+ Introduces directives to control two protocol options:
+ * HttpContentLengthHeadZero - allow Content-Length of 0 to be
+ returned on HEAD
+ * HttpExpectStrict - allow admin to control whether we must
+ see "100-continue"
+ [bsc#894225], [fate#317766]
+
+-------------------------------------------------------------------
+Wed Jul 6 16:16:57 UTC 2016 - crrodriguez@opensuse.org
+
+- version 2.4.23
+* Fixes CVE-2016-4979 [bsc#987365]
+* mod_proxy_hcheck was missing due to upstream bug.
+* mod_proxy_fdpass needs explicit configure line now.
+* Full list of changes:
+ http://www-eu.apache.org/dist//httpd/CHANGES_2.4.23
+
-------------------------------------------------------------------
Thu May 26 08:13:16 UTC 2016 - pgajdos@suse.com
diff --git a/apache2.spec b/apache2.spec
index d39a19a..c06ea6f 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -51,7 +51,7 @@
%endif
Name: apache2
-Version: 2.4.20
+Version: 2.4.23
Release: 0
Summary: The Apache Web Server Version 2.4
License: Apache-2.0
@@ -124,6 +124,8 @@ Patch109: httpd-2.4.3-mod_systemd.patch
Patch111: httpd-visibility.patch
# PATCH-FIX-UPSTREAM marguerite@opensuse.org -- compability for lua 5.2+ https://bz.apache.org/bugzilla/show_bug.cgi?id=58188
Patch114: httpd-2.4.12-lua-5.2.patch
+# PATCH-FEATURE-UPSTREAM kstreitova@suse.com -- backport of HttpContentLengthHeadZero and HttpExpectStrict
+Patch115: httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
BuildRequires: apache-rpm-macros-control
BuildRequires: automake
BuildRequires: db-devel
@@ -311,6 +313,7 @@ to administrators of web servers in general.
%endif
%patch111 -p1
%patch114 -p1
+%patch115
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
# install READMEs
a=$(basename %{SOURCE22})
@@ -379,6 +382,7 @@ function configure {
--enable-proxy-connect \
--enable-proxy-ftp \
--enable-proxy-http \
+ --enable-proxy-fdpass \
--enable-cache \
--enable-disk-cache \
--enable-mem-cache \
@@ -916,6 +920,7 @@ mv %{buildroot}/%{sysconfdir}/original .
%{_libdir}/%{name}-prefork/mod_proxy_fcgi.so
%{_libdir}/%{name}-prefork/mod_proxy_fdpass.so
%{_libdir}/%{name}-prefork/mod_proxy_ftp.so
+%{_libdir}/%{name}-prefork/mod_proxy_hcheck.so
%{_libdir}/%{name}-prefork/mod_proxy_html.so
%{_libdir}/%{name}-prefork/mod_proxy_http.so
%{_libdir}/%{name}-prefork/mod_proxy_scgi.so
@@ -1040,6 +1045,7 @@ mv %{buildroot}/%{sysconfdir}/original .
%{_libdir}/%{name}-worker/mod_proxy_fcgi.so
%{_libdir}/%{name}-worker/mod_proxy_fdpass.so
%{_libdir}/%{name}-worker/mod_proxy_ftp.so
+%{_libdir}/%{name}-worker/mod_proxy_hcheck.so
%{_libdir}/%{name}-worker/mod_proxy_html.so
%{_libdir}/%{name}-worker/mod_proxy_http.so
%{_libdir}/%{name}-worker/mod_proxy_scgi.so
@@ -1164,6 +1170,7 @@ mv %{buildroot}/%{sysconfdir}/original .
%{_libdir}/%{name}-event/mod_proxy_fcgi.so
%{_libdir}/%{name}-event/mod_proxy_fdpass.so
%{_libdir}/%{name}-event/mod_proxy_ftp.so
+%{_libdir}/%{name}-event/mod_proxy_hcheck.so
%{_libdir}/%{name}-event/mod_proxy_html.so
%{_libdir}/%{name}-event/mod_proxy_http.so
%{_libdir}/%{name}-event/mod_proxy_scgi.so
diff --git a/httpd-2.4.20.tar.bz2 b/httpd-2.4.20.tar.bz2
deleted file mode 100644
index 9699f6b..0000000
--- a/httpd-2.4.20.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:0e76a375ed3dbac636f50ac39de966ece443751fe4d62392f9a360a19d94d0da
-size 6331344
diff --git a/httpd-2.4.23.tar.bz2 b/httpd-2.4.23.tar.bz2
new file mode 100644
index 0000000..bc4062c
--- /dev/null
+++ b/httpd-2.4.23.tar.bz2
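Review bot: The new `%patch115` line is applied without an explicit strip level, while the neighbouring `%patch111 -p1` and `%patch114 -p1` lines spell theirs out. The added patch file uses `Index: include/http_core.h` / `--- include/http_core.h.orig` paths relative to the source root, so the level it needs is 0, and `%patch115 -p0` states that directly instead of depending on patch's behaviour when no -p is given. The @@ -124 hunk in the same file tags it PATCH-FEATURE-UPSTREAM; the comment there could also name the upstream revision (the patch header records trunk@1554303) so the backport stays traceable when the patch is refreshed.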
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58
+size 6351875
diff --git a/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff b/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
new file mode 100644
index 0000000..16e8a20
--- /dev/null
+++ b/httpd-2.4.x-fate317766-config-control-two-protocol-options.diff
@@ -0,0 +1,192 @@
+From 530b5797af919d6d7ab7d6418d9feeb1abb914ae Mon Sep 17 00:00:00 2001
+From: Justin Erenkrantz
+Date: Mon, 30 Dec 2013 20:01:14 +0000
+Subject: [PATCH] Add directives to control two protocol options:
+
+ HttpContentLengthHeadZero - allow Content-Length of 0 to be returned on HEAD
+ HttpExpectStrict - allow admin to control whether we must see "100-continue"
+
+This is helpful when using Ceph's radosgw and httpd.
+
+Inspired by: Yehuda Sadeh
+See https://github.com/ceph/apache2/commits/precise
+
+* include/http_core.h
+ (core_server_config): Add http_cl_head_zero and http_expect_strict fields.
+* modules/http/http_filters.c
+ (ap_http_header_filter): Only clear out the C-L if http_cl_head_zero is not
+ explictly set.
+* server/core.c
+ (merge_core_server_configs): Add new fields.
+ (set_cl_head_zero, set_expect_strict): New config helpers.
+ (HttpContentLengthHeadZero, HttpExpectStrict): Declare new directives.
+* server/protocol.c
+ (ap_read_request): Allow http_expect_strict to control if we return 417.
+* include/ap_mmn.h
+ (MODULE_MAGIC_NUMBER_MAJOR, MODULE_MAGIC_NUMBER_MINOR): Bump.
+* CHANGES: Add a brief description.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1554303 13f79535-47bb-0310-9956-ffa450edef68
+
+Conflicts:
+ CHANGES
+ include/ap_mmn.h
+ include/http_core.h
+ server/core.c
+---
+ CHANGES | 3 +++
+ include/ap_mmn.h | 4 +++-
+ include/http_core.h | 9 +++++++++
+ modules/http/http_filters.c | 10 +++++++++-
+ server/core.c | 36 ++++++++++++++++++++++++++++++++++++
+ server/protocol.c | 25 +++++++++++++++++--------
+ 6 files changed, 77 insertions(+), 10 deletions(-)
+
+Index: include/http_core.h
+===================================================================
+--- include/http_core.h.orig 2016-01-20 15:10:51.651189219 +0100
++++ include/http_core.h 2016-01-20 15:12:18.983188213 +0100
+@@ -694,6 +694,15 @@
+ #define AP_MERGE_TRAILERS_DISABLE 2
+ int merge_trailers;
+
++#define AP_HTTP_CL_HEAD_ZERO_UNSET 0
++#define AP_HTTP_CL_HEAD_ZERO_ENABLE 1
++#define AP_HTTP_CL_HEAD_ZERO_DISABLE 2
++ int http_cl_head_zero;
++
++#define AP_HTTP_EXPECT_STRICT_UNSET 0
++#define AP_HTTP_EXPECT_STRICT_ENABLE 1
++#define AP_HTTP_EXPECT_STRICT_DISABLE 2
++ int http_expect_strict;
+
+
+ apr_array_header_t *protocols;
+Index: modules/http/http_filters.c
+===================================================================
+--- modules/http/http_filters.c.orig 2015-07-08 10:59:36.000000000 +0200
++++ modules/http/http_filters.c 2016-01-20 15:10:51.651189219 +0100
+@@ -1175,6 +1175,7 @@
+ header_filter_ctx *ctx = f->ctx;
+ const char *ctype;
+ ap_bucket_error *eb = NULL;
++ core_server_config *conf;
+
+ AP_DEBUG_ASSERT(!r->main);
+
+@@ -1315,10 +1316,17 @@
+ * zero C-L to the client. We can't just remove the C-L filter,
+ * because well behaved 2.0 handlers will send their data down the stack,
+ * and we will compute a real C-L for the head request. RBB
++ *
++ * Allow modification of this behavior through the
++ * HttpContentLengthHeadZero directive.
++ *
++ * The default (unset) behavior is to squelch the C-L in this case.
+ */
++ conf = ap_get_core_module_config(r->server->module_config);
+ if (r->header_only
+ && (clheader = apr_table_get(r->headers_out, "Content-Length"))
+- && !strcmp(clheader, "0")) {
++ && !strcmp(clheader, "0")
++ && conf->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_ENABLE) {
+ apr_table_unset(r->headers_out, "Content-Length");
+ }
+
+Index: server/core.c
+===================================================================
+--- server/core.c.orig 2015-11-19 20:55:25.000000000 +0100
++++ server/core.c 2016-01-20 15:13:29.575187399 +0100
+@@ -503,6 +503,12 @@
+ if (virt->trace_enable != AP_TRACE_UNSET)
+ conf->trace_enable = virt->trace_enable;
+
++ if (virt->http_cl_head_zero != AP_HTTP_CL_HEAD_ZERO_UNSET)
++ conf->http_cl_head_zero = virt->http_cl_head_zero;
++
++ if (virt->http_expect_strict != AP_HTTP_EXPECT_STRICT_UNSET)
++ conf->http_expect_strict = virt->http_expect_strict;
++
+ /* no action for virt->accf_map, not allowed per-vhost */
+
+ if (virt->protocol)
+@@ -3756,6 +3762,32 @@
+ return NULL;
+ }
+
++static const char *set_cl_head_zero(cmd_parms *cmd, void *dummy, int arg)
++{
++ core_server_config *conf =
++ ap_get_core_module_config(cmd->server->module_config);
++
++ if (arg) {
++ conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_ENABLE;
++ } else {
++ conf->http_cl_head_zero = AP_HTTP_CL_HEAD_ZERO_DISABLE;
++ }
++ return NULL;
++}
++
++static const char *set_expect_strict(cmd_parms *cmd, void *dummy, int arg)
++{
++ core_server_config *conf =
++ ap_get_core_module_config(cmd->server->module_config);
++
++ if (arg) {
++ conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_ENABLE;
++ } else {
++ conf->http_expect_strict = AP_HTTP_EXPECT_STRICT_DISABLE;
++ }
++ return NULL;
++}
++
+ static apr_hash_t *errorlog_hash;
+
+ static int log_constant_item(const ap_errorlog_info *info, const char *arg,
+@@ -4273,6 +4305,10 @@
+ "'on' (default), 'off' or 'extended' to trace request body content"),
+ AP_INIT_FLAG("MergeTrailers", set_merge_trailers, NULL, RSRC_CONF,
+ "merge request trailers into request headers or not"),
++AP_INIT_FLAG("HttpContentLengthHeadZero", set_cl_head_zero, NULL, OR_OPTIONS,
++ "whether to permit Content-Length of 0 responses to HEAD requests"),
++AP_INIT_FLAG("HttpExpectStrict", set_expect_strict, NULL, OR_OPTIONS,
++ "whether to return a 417 if a client doesn't send 100-Continue"),
+ AP_INIT_ITERATE("Protocols", set_protocols, NULL, RSRC_CONF,
+ "Controls which protocols are allowed"),
+ AP_INIT_TAKE1("ProtocolsHonorOrder", set_protocols_honor_order, NULL, RSRC_CONF,
+Index: server/protocol.c
+===================================================================
+--- server/protocol.c.orig 2015-11-26 14:42:42.000000000 +0100
++++ server/protocol.c 2016-01-20 15:10:51.651189219 +0100
+@@ -1144,14 +1144,23 @@
+ r->expecting_100 = 1;
+ }
+ else {
+- r->status = HTTP_EXPECTATION_FAILED;
+- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00570)
+- "client sent an unrecognized expectation value of "
+- "Expect: %s", expect);
+- ap_send_error_response(r, 0);
+- ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+- ap_run_log_transaction(r);
+- goto traceout;
++ core_server_config *conf;
++
++ conf = ap_get_core_module_config(r->server->module_config);
++ if (conf->http_expect_strict != AP_HTTP_EXPECT_STRICT_DISABLE) {
++ r->status = HTTP_EXPECTATION_FAILED;
++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(00570)
++ "client sent an unrecognized expectation value "
++ "of Expect: %s", expect);
++ ap_send_error_response(r, 0);
++ ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
++ ap_run_log_transaction(r);
++ goto traceout;
++ } else {
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00570)
++ "client sent an unrecognized expectation value "
++ "of Expect (not fatal): %s", expect);
++ }
+ }
+ }
+
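Review bot: In the core.c `@@ -4273` part of this embedded patch the two new directives are registered with `OR_OPTIONS`, yet their handlers `set_cl_head_zero` and `set_expect_strict` write only into the per-server `core_server_config` from `cmd->server->module_config`, and the consumers in http_filters.c and protocol.c read only `r->server`. With that override class the directive is accepted inside <Directory> blocks and .htaccess files, where an administrator or site user would expect a per-directory effect, but the write lands in the server-wide value — and for .htaccess, as far as I can tell, at request-processing time — so a directory-level setting silently changes behaviour for the whole vhost. Registering both entries with `RSRC_CONF`, matching the adjacent `MergeTrailers` line, or rejecting per-directory use in both handlers with `ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE)`, keeps the directive context consistent with where the value is stored. Minor: the new non-fatal branch in protocol.c logs with `APLOGNO(00570)` as well, so two different messages now share one tag, which httpd's log-tag convention discourages. This is a reviewer's reading of a vendored upstream backport, so please confirm against the upstream revision before diverging from it.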