diff --git a/SOURCES/httpd-2.4.37-CVE-2023-31122.patch b/SOURCES/httpd-2.4.37-CVE-2023-31122.patch
new file mode 100644
index 0000000..c2aa207
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2023-31122.patch
@@ -0,0 +1,11 @@
+--- a/modules/core/mod_macro.c 2023/10/16 06:19:16 1912992
++++ b/modules/core/mod_macro.c 2023/10/16 06:38:32 1912993
+@@ -483,7 +483,7 @@
+ for (i = 0; i < contents->nelts; i++) {
+ const char *errmsg;
+ /* copy the line and substitute macro parameters */
+- strncpy(line, ((char **) contents->elts)[i], MAX_STRING_LEN - 1);
++ apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN);
+ errmsg = substitute_macro_args(line, MAX_STRING_LEN,
+ macro, replacements, used);
+ if (errmsg) {
diff --git a/SOURCES/httpd-2.4.37-CVE-2023-38709.patch b/SOURCES/httpd-2.4.37-CVE-2023-38709.patch
new file mode 100644
index 0000000..53bbbd4
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2023-38709.patch
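Review bot: The new bound in `++ apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN);` assumes `line` holds exactly MAX_STRING_LEN bytes, but its declaration lies outside the hunk (the enclosing function starts before the `for` loop shown), so nothing in the patch ties the limit to the buffer; if `line` is a fixed array, `apr_cpystrn(line, ((char **) contents->elts)[i], sizeof line);` would make that explicit. Truncation is silent either way, so a macro line longer than MAX_STRING_LEN-1 reaches substitute_macro_args shortened; a one-line comment above the call saying so would help the next reader. This patch file and httpd-2.4.37-CVE-2023-38709.patch also carry no provenance comment, unlike the `# ./pullrev.sh` header in httpd-2.4.57-r1884505+.patch; a line naming the upstream revision (1912993 appears in the `+++` line) and the CVE would ease future rebases.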
@@ -0,0 +1,74 @@
+diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
+index 393343a..16cb23c 100644
+--- a/modules/http/http_filters.c
++++ b/modules/http/http_filters.c
+@@ -1348,6 +1348,9 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+ */
+ apr_table_clear(r->headers_out);
+ apr_table_clear(r->err_headers_out);
++ r->content_type = r->content_encoding = NULL;
++ r->content_languages = NULL;
++ r->clength = r->chunked = 0;
+ apr_brigade_cleanup(b);
+ 
+ /* Don't recall ap_die() if we come back here (from its own internal
+@@ -1364,8 +1367,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+ APR_BRIGADE_INSERT_TAIL(b, e);
+ e = apr_bucket_eos_create(c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(b, e);
+- r->content_type = r->content_encoding = NULL;
+- r->content_languages = NULL;
+ ap_set_content_length(r, 0);
+ recursive_error = 1;
+ }
+@@ -1392,6 +1393,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+ if (!apr_is_empty_table(r->err_headers_out)) {
+ r->headers_out = apr_table_overlay(r->pool, r->err_headers_out,
+ r->headers_out);
++ apr_table_clear(r->err_headers_out);
+ }
+ 
+ /*
+@@ -1411,6 +1413,17 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+ fixup_vary(r);
+ }
+ 
++ 
++ /*
++ * Control cachability for non-cacheable responses if not already set by
++ * some other part of the server configuration.
++ */
++ if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
++ char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
++ ap_recent_rfc822_date(date, r->request_time);
++ apr_table_addn(r->headers_out, "Expires", date);
++ }
++ 
+ /*
+ * Now remove any ETag response header field if earlier processing
+ * says so (such as a 'FileETag None' directive).
+@@ -1423,6 +1436,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+ basic_http_header_check(r, &protocol);
+ ap_set_keepalive(r);
+ 
++ /* 204/304 responses don't have content related headers */
+ if (AP_STATUS_IS_HEADER_ONLY(r->status)) {
+ apr_table_unset(r->headers_out, "Transfer-Encoding");
+ apr_table_unset(r->headers_out, "Content-Length");
+@@ -1465,16 +1479,6 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+ apr_table_setn(r->headers_out, "Content-Language", field);
+ }
+ 
+- /*
+- * Control cachability for non-cacheable responses if not already set by
+- * some other part of the server configuration.
+- */
+- if (r->no_cache && !apr_table_get(r->headers_out, "Expires")) {
+- char *date = apr_palloc(r->pool, APR_RFC822_DATE_LEN);
+- ap_recent_rfc822_date(date, r->request_time);
+- apr_table_addn(r->headers_out, "Expires", date);
+- }
+- 
+ /* This is a hack, but I can't find anyway around it. The idea is that
+ * we don't want to send out 0 Content-Lengths if it is a head request.
+ * This happens when modules try to outsmart the server, and return
diff --git a/SOURCES/httpd-2.4.57-r1884505+.patch b/SOURCES/httpd-2.4.57-r1884505+.patch
new file mode 100644
index 0000000..97bc6a8
--- /dev/null
+++ b/SOURCES/httpd-2.4.57-r1884505+.patch
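Review bot: The block added at +1413 appears to leave two consecutive empty lines: the context blank after `+ }` is immediately followed by an added empty line (`++`) before `++ /*`, and a second added empty line closes the block after `++ }`; dropping the first added empty line keeps the spacing consistent with the block this same patch removes at -1465. The new `++ apr_table_clear(r->err_headers_out);` after the overlay carries no comment; since the surrounding code already guards against re-entry (`recursive_error = 1`, "Don't recall ap_die() if we come back here"), presumably the clear exists so a later pass does not overlay the same headers a second time, and saying so inline (`/* already merged into headers_out; avoid re-overlaying on re-entry */`) would help the next reader — please confirm that is the intent. ap_http_header_filter begins and ends outside the hunk.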
@@ -0,0 +1,39 @@
+# ./pullrev.sh 1884505 1915625
+http://svn.apache.org/viewvc?view=revision&revision=1884505
+http://svn.apache.org/viewvc?view=revision&revision=1915625
+
+--- httpd-2.4.57/modules/filters/mod_xml2enc.c
++++ httpd-2.4.57/modules/filters/mod_xml2enc.c
+@@ -329,7 +329,7 @@
+ apr_bucket* bstart;
+ apr_size_t insz = 0;
+ int pending_meta = 0;
+- char *ctype;
++ char *mtype;
+ char *p;
+ 
+ if (!ctx || !f->r->content_type) {
+@@ -338,13 +338,17 @@
+ return ap_pass_brigade(f->next, bb) ;
+ }
+ 
+- ctype = apr_pstrdup(f->r->pool, f->r->content_type);
+- for (p = ctype; *p; ++p)
+- if (isupper(*p))
+- *p = tolower(*p);
++ /* Extract the media type, ignoring parameters in content-type. */
++ mtype = apr_pstrdup(f->r->pool, f->r->content_type);
++ if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0';
++ ap_str_tolower(mtype);
+ 
+- /* only act if starts-with "text/" or contains "xml" */
+- if (strncmp(ctype, "text/", 5) && !strstr(ctype, "xml")) {
++ /* Accept text/ types, plus any XML media type per RFC 7303. */
++ if (!(strncmp(mtype, "text/", 5) == 0
++ || strcmp(mtype, "application/xml") == 0
++ || (strlen(mtype) > 7 /* minimum 'a/b+xml' length */
++ && (p = strstr(mtype, "+xml")) != NULL
++ && strlen(p) == 4 /* ensures +xml is a suffix */))) {
+ ap_remove_output_filter(f);
+ return ap_pass_brigade(f->next, bb) ;
+ }
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index db45480..84da882 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 62%{?dist}
+Release: 65%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
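Review bot: After the added `++ if ((p = ap_strchr(mtype, ';')) != NULL) *p = '\0';` any whitespace preceding the `;` stays in mtype, so a header such as `application/rss+xml ; charset=utf-8` (RFC 7231 permits optional whitespace before the parameter separator) fails both `strcmp(mtype, "application/xml") == 0` and the `strlen(p) == 4` suffix test, and the filter removes itself for an XML body; trimming the tail after the cut fixes it: `p = mtype + strlen(mtype);` `while (p > mtype && apr_isspace(p[-1])) *--p = '\0';` (apr_isspace needs apr_lib.h, which I cannot see included from this hunk). The `+xml` test also keys off the first `strstr` hit, so a subtype that contains `+xml` twice is rejected even when it ends in `+xml`; under the existing `strlen(mtype) > 7` guard, `strcmp(mtype + strlen(mtype) - 4, "+xml") == 0` checks the suffix directly and is simpler to read. The enclosing filter function starts before and ends after the hunk.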
@@ -169,6 +169,8 @@ Patch91: httpd-2.4.37-add-SNI-support.patch
 Patch92: httpd-2.4.37-mod_status-duplicate-key.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2221083
 Patch93: httpd-2.4.37-r1885607.patch
+# https://issues.redhat.com/browse/RHEL-14321
+Patch94: httpd-2.4.57-r1884505+.patch
 
 # Security fixes
 Patch200: httpd-2.4.37-r1851471.patch
@@ -254,6 +256,10 @@ Patch237: httpd-2.4.37-CVE-2022-36760.patch
 Patch238: httpd-2.4.37-CVE-2023-25690.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2176211
 Patch239: httpd-2.4.37-CVE-2023-27522.patch
+# https://issues.redhat.com/browse/RHEL-14448
+Patch240: httpd-2.4.37-CVE-2023-31122.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2273491
+Patch241: httpd-2.4.37-CVE-2023-38709.patch
 
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -437,6 +443,7 @@ interface for storing and accessing per-user session data.
 %patch91 -p1 -b .SNI
 %patch92 -p1 -b .mod_status-dupl
 %patch93 -p1 -b .r1885607
+%patch94 -p1 -b .r1884505+
 
 %patch200 -p1 -b .r1851471
 %patch201 -p1 -b .CVE-2019-0211
@@ -478,6 +485,8 @@ interface for storing and accessing per-user session data.
 %patch237 -p1 -b .CVE-2022-36760
 %patch238 -p1 -b .CVE-2023-25690
 %patch239 -p1 -b .CVE-2023-27522
+%patch240 -p1 -b .CVE-2023-31122
+%patch241 -p1 -b .CVE-2023-38709
 
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -983,6 +992,18 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 
 %changelog
+* Wed Jun 12 2024 Luboš Uhliarik - 2.4.37-65
+- Resolves: RHEL-31857 - httpd:2.4/httpd: HTTP response
+ splitting (CVE-2023-38709)
+
+* Fri Feb 16 2024 Joe Orton - 2.4.37-64
+- Resolves: RHEL-14448 - httpd: mod_macro: out-of-bounds read
+ vulnerability (CVE-2023-31122)
+
+* Wed Feb 14 2024 Joe Orton - 2.4.37-63
+- mod_xml2enc: fix media type handling
+ Resolves: RHEL-14321
+
 * Sun Dec 10 2023 MSVSphere Packaging Team - 2.4.37-62
 - Rebuilt for MSVSphere 8.8