diff --git a/SOURCES/httpd-2.4.53-CVE-2023-25690.patch b/SOURCES/httpd-2.4.53-CVE-2023-25690.patch
new file mode 100644
index 0000000..4835b5c
--- /dev/null
+++ b/SOURCES/httpd-2.4.53-CVE-2023-25690.patch
@@ -0,0 +1,407 @@
+diff --git a/docs/manual/rewrite/flags.html.en b/docs/manual/rewrite/flags.html.en
+index 7cd4990..2242312 100644
+--- a/docs/manual/rewrite/flags.html.en
++++ b/docs/manual/rewrite/flags.html.en
+@@ -85,10 +85,6 @@ of how you might use them.
+ In 2.4.26 and later, you can limit the escaping to specific characters
+-in backreferences by listing them: [B=#?;]
. Note: The space
+-character can be used in the list of characters to escape, but it cannot be
+-the last character in the list.
+
+ In 2.4.26 and later, you can limit the escaping to specific characters
++in backreferences by listing them: [B=#?;]
. Note: The space
++character can be used in the list of characters to escape, but you must quote
++the entire third argument of RewriteRule
++and the space must not be the last character in the list.
++
++
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 9439965..5195cee 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -173,6 +173,7 @@ static const char* really_last_key = "rewrite_really_last";
+ #define RULEFLAG_END (1<<17)
+ #define RULEFLAG_ESCAPENOPLUS (1<<18)
+ #define RULEFLAG_QSLAST (1<<19)
++#define RULEFLAG_QSNONE (1<<20) /* programattic only */
+
+ /* return code of the rewrite rule
+ * the result may be escaped - or not
+@@ -769,11 +770,19 @@ static char *escape_absolute_uri(apr_pool_t *p, char *uri, unsigned scheme)
+ * split out a QUERY_STRING part from
+ * the current URI string
+ */
+-static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+- int qslast)
++static void splitout_queryargs(request_rec *r, int flags)
+ {
+ char *q;
+ int split, skip;
++ int qsappend = flags & RULEFLAG_QSAPPEND;
++ int qsdiscard = flags & RULEFLAG_QSDISCARD;
++ int qslast = flags & RULEFLAG_QSLAST;
++
++ if (flags & RULEFLAG_QSNONE) {
++ rewritelog((r, 2, NULL, "discarding query string, no parse from substitution"));
++ r->args = NULL;
++ return;
++ }
+
+ /* don't touch, unless it's a scheme for which a query string makes sense.
+ * See RFC 1738 and RFC 2368.
+@@ -798,7 +807,7 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+ olduri = apr_pstrdup(r->pool, r->filename);
+ *q++ = '\0';
+ if (qsappend) {
+- if (*q) {
++ if (*q) {
+ r->args = apr_pstrcat(r->pool, q, "&" , r->args, NULL);
+ }
+ }
+@@ -806,9 +815,9 @@ static void splitout_queryargs(request_rec *r, int qsappend, int qsdiscard,
+ r->args = apr_pstrdup(r->pool, q);
+ }
+
+- if (r->args) {
++ if (r->args) {
+ len = strlen(r->args);
+-
++
+ if (!len) {
+ r->args = NULL;
+ }
+@@ -2761,7 +2770,7 @@ static apr_status_t rewritelock_remove(void *data)
+ * XXX: what an inclined parser. Seems we have to leave it so
+ * for backwards compat. *sigh*
+ */
+-static int parseargline(char *str, char **a1, char **a2, char **a3)
++static int parseargline(char *str, char **a1, char **a2, char **a2_end, char **a3)
+ {
+ char quote;
+
+@@ -2812,8 +2821,10 @@ static int parseargline(char *str, char **a1, char **a2, char **a3)
+
+ if (!*str) {
+ *a3 = NULL; /* 3rd argument is optional */
++ *a2_end = str;
+ return 0;
+ }
++ *a2_end = str;
+ *str++ = '\0';
+
+ while (apr_isspace(*str)) {
+@@ -3353,7 +3364,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+ rewrite_server_conf *sconf;
+ rewritecond_entry *newcond;
+ ap_regex_t *regexp;
+- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+ const char *err;
+
+ sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3371,7 +3382,7 @@ static const char *cmd_rewritecond(cmd_parms *cmd, void *in_dconf,
+ * of the argument line. So we can use a1 .. a3 without
+ * copying them again.
+ */
+- if (parseargline(str, &a1, &a2, &a3)) {
++ if (parseargline(str, &a1, &a2, &a2_end, &a3)) {
+ return apr_pstrcat(cmd->pool, "RewriteCond: bad argument line '", str,
+ "'", NULL);
+ }
+@@ -3779,7 +3790,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ rewrite_server_conf *sconf;
+ rewriterule_entry *newrule;
+ ap_regex_t *regexp;
+- char *a1 = NULL, *a2 = NULL, *a3 = NULL;
++ char *a1 = NULL, *a2 = NULL, *a2_end, *a3 = NULL;
+ const char *err;
+
+ sconf = ap_get_module_config(cmd->server->module_config, &rewrite_module);
+@@ -3793,7 +3804,7 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ }
+
+ /* parse the argument line ourself */
+- if (parseargline(str, &a1, &a2, &a3)) {
++ if (parseargline(str, &a1, &a2, &a2_end, &a3)) {
+ return apr_pstrcat(cmd->pool, "RewriteRule: bad argument line '", str,
+ "'", NULL);
+ }
+@@ -3840,6 +3851,16 @@ static const char *cmd_rewriterule(cmd_parms *cmd, void *in_dconf,
+ newrule->flags |= RULEFLAG_NOSUB;
+ }
+
++ if (*(a2_end-1) == '?') {
++ /* a literal ? at the end of the unsubstituted rewrite rule */
++ newrule->flags |= RULEFLAG_QSNONE;
++ }
++ else if (newrule->flags & RULEFLAG_QSDISCARD) {
++ if (NULL == ap_strchr(newrule->output, '?')) {
++ newrule->flags |= RULEFLAG_QSNONE;
++ }
++ }
++
+ /* now, if the server or per-dir config holds an
+ * array of RewriteCond entries, we take it for us
+ * and clear the array
+@@ -4245,9 +4266,7 @@ static int apply_rewrite_rule(rewriterule_entry *p, rewrite_ctx *ctx)
+ r->path_info = NULL;
+ }
+
+- splitout_queryargs(r, p->flags & RULEFLAG_QSAPPEND,
+- p->flags & RULEFLAG_QSDISCARD,
+- p->flags & RULEFLAG_QSLAST);
++ splitout_queryargs(r, p->flags);
+
+ /* Add the previously stripped per-directory location prefix, unless
+ * (1) it's an absolute URL path and
+@@ -4729,6 +4748,17 @@ static int hook_uri2file(request_rec *r)
+ unsigned skip;
+ apr_size_t flen;
+
++ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
++ "Rewritten query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
++
+ if (ACTION_STATUS == rulestatus) {
+ int n = r->status;
+
+@@ -5013,6 +5043,17 @@ static int hook_fixup(request_rec *r)
+ if (rulestatus) {
+ unsigned skip;
+
++ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
++ "Rewritten query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
++
+ if (ACTION_STATUS == rulestatus) {
+ int n = r->status;
+
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 5759513..d64739b 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -960,6 +960,8 @@ PROXY_DECLARE(int) ap_proxy_trans_match(request_rec *r, struct proxy_alias *ent,
+ }
+
+ if (found) {
++ unsigned int encoded = ent->flags & PROXYPASS_MAP_ENCODED;
++
+ /* A proxy module is assigned this URL, check whether it's interested
+ * in the request itself (e.g. proxy_wstunnel cares about Upgrade
+ * requests only, and could hand over to proxy_http otherwise).
+@@ -979,6 +981,9 @@ PROXY_DECLARE(int) ap_proxy_trans_match(request_rec *r, struct proxy_alias *ent,
+ if (ent->flags & PROXYPASS_NOQUERY) {
+ apr_table_setn(r->notes, "proxy-noquery", "1");
+ }
++ if (encoded) {
++ apr_table_setn(r->notes, "proxy-noencode", "1");
++ }
+
+ if (servlet_uri) {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, APLOGNO(10248)
+@@ -992,13 +997,13 @@ PROXY_DECLARE(int) ap_proxy_trans_match(request_rec *r, struct proxy_alias *ent,
+ */
+ AP_DEBUG_ASSERT(strlen(r->uri) >= strlen(servlet_uri));
+ strcpy(r->uri, servlet_uri);
+- return DONE;
+ }
+-
+- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, APLOGNO(03464)
+- "URI path '%s' matches proxy handler '%s'", r->uri,
+- found);
+- return OK;
++ else {
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, APLOGNO(03464)
++ "URI path '%s' matches proxy handler '%s'", r->uri,
++ found);
++ }
++ return (encoded) ? DONE : OK;
+ }
+
+ return HTTP_CONTINUE;
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index d34fc57..1978425 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -65,11 +65,25 @@ static int proxy_ajp_canon(request_rec *r, char *url)
+ if (apr_table_get(r->notes, "proxy-nocanon")) {
+ path = url; /* this is the raw path */
+ }
++ else if (apr_table_get(r->notes, "proxy-noencode")) {
++ path = url; /* this is the encoded path already */
++ search = r->args;
++ }
+ else {
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
+ }
++ if (search && *ap_scan_vchar_obstext(search)) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+
+diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
+index 3304c93..f1a3c62 100644
+--- a/modules/proxy/mod_proxy_balancer.c
++++ b/modules/proxy/mod_proxy_balancer.c
+@@ -102,11 +102,25 @@ static int proxy_balancer_canon(request_rec *r, char *url)
+ if (apr_table_get(r->notes, "proxy-nocanon")) {
+ path = url; /* this is the raw path */
+ }
++ else if (apr_table_get(r->notes, "proxy-noencode")) {
++ path = url; /* this is the encoded path already */
++ search = r->args;
++ }
+ else {
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
+ }
++ if (search && *ap_scan_vchar_obstext(search)) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+
+diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
+index 3382b9b..a89b9a9 100644
+--- a/modules/proxy/mod_proxy_fcgi.c
++++ b/modules/proxy/mod_proxy_fcgi.c
+@@ -92,8 +92,9 @@ static int proxy_fcgi_canon(request_rec *r, char *url)
+ host = apr_pstrcat(r->pool, "[", host, "]", NULL);
+ }
+
+- if (apr_table_get(r->notes, "proxy-nocanon")) {
+- path = url; /* this is the raw path */
++ if (apr_table_get(r->notes, "proxy-nocanon")
++ || apr_table_get(r->notes, "proxy-noencode")) {
++ path = url; /* this is the raw/encoded path */
+ }
+ else {
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index 0392ac7..c4d7db0 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -121,11 +121,25 @@ static int proxy_http_canon(request_rec *r, char *url)
+ if (apr_table_get(r->notes, "proxy-nocanon")) {
+ path = url; /* this is the raw path */
+ }
++ else if (apr_table_get(r->notes, "proxy-noencode")) {
++ path = url; /* this is the encoded path already */
++ search = r->args;
++ }
+ else {
+ path = ap_proxy_canonenc(r->pool, url, strlen(url),
+ enc_path, 0, r->proxyreq);
+ search = r->args;
+ }
++ if (search && *ap_scan_vchar_obstext(search)) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ break;
+ case PROXYREQ_PROXY:
+ path = url;
+diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
+index e02450e..1b23904 100644
+--- a/modules/proxy/mod_proxy_uwsgi.c
++++ b/modules/proxy/mod_proxy_uwsgi.c
+@@ -84,8 +84,14 @@ static int uwsgi_canon(request_rec *r, char *url)
+ host = apr_pstrcat(r->pool, "[", host, "]", NULL);
+ }
+
+- path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+- r->proxyreq);
++ if (apr_table_get(r->notes, "proxy-nocanon")
++ || apr_table_get(r->notes, "proxy-noencode")) {
++ path = url; /* this is the raw/encoded path */
++ }
++ else {
++ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
++ r->proxyreq);
++ }
+ if (!path) {
+ return HTTP_BAD_REQUEST;
+ }
+diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
+index c29ded1..3a68b85 100644
+--- a/modules/proxy/mod_proxy_wstunnel.c
++++ b/modules/proxy/mod_proxy_wstunnel.c
+@@ -111,11 +111,25 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
+ if (apr_table_get(r->notes, "proxy-nocanon")) {
+ path = url; /* this is the raw path */
+ }
++ else if (apr_table_get(r->notes, "proxy-noencode")) {
++ path = url; /* this is the encoded path already */
++ search = r->args;
++ }
+ else {
+ path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
+ r->proxyreq);
+ search = r->args;
+ }
++ if (search && *ap_scan_vchar_obstext(search)) {
++ /*
++ * We have a raw control character or a ' ' in r->args.
++ * Correct encoding was missed.
++ */
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
++ "To be forwarded query string contains control "
++ "characters or spaces");
++ return HTTP_FORBIDDEN;
++ }
+ if (path == NULL)
+ return HTTP_BAD_REQUEST;
+
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 2f9b851..5746150 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.53
-Release: 7%{?dist}.1
+Release: 7%{?dist}.5
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -136,6 +136,8 @@ Patch207: httpd-2.4.53-CVE-2022-37436.patch
Patch208: httpd-2.4.53-CVE-2006-20001.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2161777
Patch209: httpd-2.4.53-CVE-2022-36760.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2176209
+Patch210: httpd-2.4.53-CVE-2023-25690.patch
License: ASL 2.0
BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
@@ -166,6 +168,7 @@ Requires: httpd-filesystem = %{version}-%{release}
Requires(pre): httpd-filesystem
Conflicts: apr < 1.5.0-1
Conflicts: httpd < 2.4.53-3
+Conflicts: mod_http2 < 1.15.19-3%{?dist}.4
Obsoletes: mod_proxy_uwsgi < 2.0.17.1-2
%description core
@@ -313,6 +316,7 @@ written in the Lua programming language.
%patch207 -p1 -b .CVE-2022-37436
%patch208 -p1 -b .CVE-2006-20001
%patch209 -p1 -b .CVE-2022-36760
+%patch210 -p1 -b .CVE-2023-25690
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -872,6 +876,10 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
+* Thu Mar 16 2023 Luboš Uhliarik
- 2.4.53-7.5
+- Resolves: #2177751 - CVE-2023-25690 httpd: HTTP request splitting with
+ mod_rewrite and mod_proxy
+
* Wed Mar 15 2023 MSVSphere Packaging Team - 2.4.53-7
- Rebuilt for MSVSphere 9.1.