diff --git a/SOURCES/httpd-2.4.37-CVE-2023-27522.patch b/SOURCES/httpd-2.4.37-CVE-2023-27522.patch
new file mode 100644
index 0000000..8a8f7bd
--- /dev/null
+++ b/SOURCES/httpd-2.4.37-CVE-2023-27522.patch
@@ -0,0 +1,89 @@
+diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
+index 9dcbed1..a1b564d 100644
+--- a/modules/proxy/mod_proxy_uwsgi.c
++++ b/modules/proxy/mod_proxy_uwsgi.c
+@@ -304,18 +304,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
+ pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
+
+ len = ap_getline(buffer, sizeof(buffer), rp, 1);
+-
+ if (len <= 0) {
+- /* oops */
++ /* invalid or empty */
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+-
+ backend->worker->s->read += len;
+-
+- if (len >= sizeof(buffer) - 1) {
+- /* oops */
++ if ((apr_size_t)len >= sizeof(buffer)) {
++ /* too long */
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
++
+ /* Position of http status code */
+ if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
+ status_start = 9;
+@@ -324,8 +322,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
+ status_start = 7;
+ }
+ else {
+- /* oops */
+- return HTTP_INTERNAL_SERVER_ERROR;
++ /* not HTTP */
++ return HTTP_BAD_GATEWAY;
+ }
+ status_end = status_start + 3;
+
+@@ -345,21 +343,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
+ }
+ r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
+
+- /* start parsing headers */
++ /* parse headers */
+ while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
++ if ((apr_size_t)len >= sizeof(buffer)) {
++ /* too long */
++ len = -1;
++ break;
++ }
+ value = strchr(buffer, ':');
+- /* invalid header skip */
+- if (!value)
+- continue;
+- *value = '\0';
+- ++value;
++ if (!value) {
++ /* invalid header */
++ len = -1;
++ break;
++ }
++ *value++ = '\0';
++ if (*ap_scan_http_token(buffer)) {
++ /* invalid name */
++ len = -1;
++ break;
++ }
+ while (apr_isspace(*value))
+ ++value;
+ for (end = &value[strlen(value) - 1];
+ end > value && apr_isspace(*end); --end)
+ *end = '\0';
++ if (*ap_scan_http_field_content(value)) {
++ /* invalid value */
++ len = -1;
++ break;
++ }
+ apr_table_add(r->headers_out, buffer, value);
+ }
++ if (len < 0) {
++ /* Reset headers, but not to NULL because things below the chain expect
++ * this to be non NULL e.g. the ap_content_length_filter.
++ */
++ r->headers_out = apr_table_make(r->pool, 1);
++ return HTTP_BAD_GATEWAY;
++ }
+
+ if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
+ ap_set_content_type(r, apr_pstrdup(r->pool, buf));
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 69618a3..79ee2c2 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@ Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 56%{?dist}.6.inferit
+Release: 56%{?dist}.7.inferit
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source2: httpd.logrotate
@@ -248,6 +248,8 @@ Patch236: httpd-2.4.37-CVE-2006-20001.patch
 Patch237: httpd-2.4.37-CVE-2022-36760.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2176209
 Patch238: httpd-2.4.37-CVE-2023-25690.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2176211
+Patch239: httpd-2.4.37-CVE-2023-27522.patch
 License: ASL 2.0
 Group: System Environment/Daemons
@@ -469,6 +471,7 @@ interface for storing and accessing per-user session data.
 %patch236 -p1 -b .CVE-2006-20001
 %patch237 -p1 -b .CVE-2022-36760
 %patch238 -p1 -b .CVE-2023-25690
+%patch239 -p1 -b .CVE-2023-27522
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -976,6 +979,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Tue Dec 19 2023 Sergey Cherevko - 2.4.37-56.7.inferit
+- Update to version 2.4.37-56.7
+
 * Tue Dec 19 2023 Sergey Cherevko - 2.4.37-56.6.inferit
 - Update to version 2.4.37-56.6
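Review bot: In the header loop that the new httpd-2.4.37-CVE-2023-27522.patch adds to uwsgi_response, a backend line that begins with ':' still reaches apr_table_add with an empty field name: after `*value++ = '\0';` the buffer is an empty string, and `*ap_scan_http_token(buffer)` is then the terminator, assuming the scanner returns a pointer to the first non-token character as its use here implies. Rejecting the empty name in the same test keeps the validation complete: `if (!*buffer || *ap_scan_http_token(buffer)) {`. The rejection paths in the loop and the `len < 0` return also leave the operator with nothing but a 502; one `ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "uwsgi: malformed response header from backend")` before `return HTTP_BAD_GATEWAY;` would make a misbehaving backend visible in the error log. uwsgi_response starts and ends outside these hunks.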
@@ -983,6 +989,13 @@ rm -rf $RPM_BUILD_ROOT - MSVSphere changes, symlinking and creating alias for test-page-background.png (by Alexey Lyubimov ) - Rebuilt for MSVSphere 8.8 +* Sun Dec 10 2023 MSVSphere Packaging Team - 2.4.37-56.6 +- Rebuilt for MSVSphere 8.8 + +* Wed Aug 30 2023 Luboš Uhliarik - 2.4.37-56.7 +- Resolves: #2236177 - CVE-2023-27522 httpd:2.4/httpd: mod_proxy_uwsgi HTTP + response splitting + * Thu Apr 27 2023 Luboš Uhliarik - 2.4.37-56.6 - Resolves: #2190133 - mod_rewrite regression with CVE-2023-25690