From f458dd971140c5b528cb713460139e4b59eef21d Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team
Date: Fri, 24 Jan 2025 12:59:30 +0300
Subject: [PATCH] import httpd-2.4.62-1.el9_5.2
---
 SOURCES/httpd-2.4.62-engine-fallback.patch | 64 ++++++++++
 SOURCES/httpd-2.4.62-r1921299.patch | 133 +++++++++++++++++++++
 SPECS/httpd.spec | 16 ++-
 3 files changed, 212 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/httpd-2.4.62-engine-fallback.patch
 create mode 100644 SOURCES/httpd-2.4.62-r1921299.patch
diff --git a/SOURCES/httpd-2.4.62-engine-fallback.patch b/SOURCES/httpd-2.4.62-engine-fallback.patch
new file mode 100644
index 0000000..d10d2c5
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-engine-fallback.patch
@@ -0,0 +1,64 @@
+Index: modules/ssl/ssl_engine_pphrase.c
+===================================================================
+--- modules/ssl/ssl_engine_pphrase.c (revision 1920590)
++++ modules/ssl/ssl_engine_pphrase.c (working copy)
+@@ -806,6 +806,9 @@
+ return APR_SUCCESS;
+ }
++/* Tries to load the key and optionally certificate via the ENGINE
++ * API. Returns APR_ENOTIMPL if the keypair could not be loaded via an
++ * ENGINE implementation. */
+ static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
+ apr_pool_t *ptemp,
+ const char *vhostid,
+@@ -831,7 +834,7 @@
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
+ "Init: Unrecognized private key identifier `%s'",
+ keyid);
+- return ssl_die(s);
++ return APR_ENOTIMPL;
+ }
+
+ scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
+@@ -839,8 +842,8 @@
+ ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
+ "Init: Failed to load engine for private key %s",
+ keyid);
+- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
+- return ssl_die(s);
++ ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
++ return APR_ENOTIMPL;
+ }
+
+ if (!ENGINE_init(e)) {
+@@ -996,15 +999,21 @@
+ X509 **pubkey, EVP_PKEY **privkey)
+ {
+ #if MODSSL_HAVE_ENGINE_API
+- SSLModConfigRec *mc = myModConfig(s);
++ apr_status_t rv;
+
+- /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
+- * support was not present compile-time, or if it's built but
+- * SSLCryptoDevice is not configured. */
+- if (mc->szCryptoDevice)
+- return modssl_load_keypair_engine(s, pconf, ptemp,
+- vhostid, certid, keyid,
+- pubkey, privkey);
++ rv = modssl_load_keypair_engine(s, pconf, ptemp,
++ vhostid, certid, keyid,
++ pubkey, privkey);
++ if (rv == APR_SUCCESS) {
++ return rv;
++ }
++ /* If STORE support is not present, all errors are fatal here; if
++ * STORE is present and the ENGINE could not be loaded, ignore the
++ * error and fall through to try loading via the STORE API. */
++ else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
++ return ssl_die(s);
++ }
++
+ #endif
+ #if MODSSL_HAVE_OPENSSL_STORE
+ return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,
diff --git a/SOURCES/httpd-2.4.62-r1921299.patch b/SOURCES/httpd-2.4.62-r1921299.patch
new file mode 100644
index 0000000..589e7e8
--- /dev/null
+++ b/SOURCES/httpd-2.4.62-r1921299.patch
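Review bot: The two `ap_log_error` calls shown in `modssl_load_keypair_engine`, at `APLOGNO(10131)` and `APLOGNO(10132)`, still log at `APLOG_EMERG` even though both sites now return `APR_ENOTIMPL` so the caller can fall back to the STORE API; only the `ssl_log_ssl_error` line was lowered to `APLOG_NOTICE`. On a build where STORE is available but no ENGINE can be loaded, every `pkcs11:` key that then loads fine through the STORE path still leaves an EMERG "Failed to load engine" entry in the error log, which misleads operators and any alerting keyed on that level. Since the caller already decides whether the failure is fatal (the `ssl_die(s)` in the new `else if` branch), the function could log at notice level, e.g. `ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(10132)`, and the caller could log once at EMERG before `ssl_die`. The test `!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL` uses the macro as a value, so it must expand to 0 or 1 in every configuration rather than merely being defined or not — worth confirming against the header that defines it. Both functions touched here begin and end outside the hunks shown.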
@@ -0,0 +1,133 @@
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 53fb1e9..f735c50 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -4477,20 +4477,6 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
+ * ourself).
+ */
+ if (p->flags & RULEFLAG_PROXY) {
+- /* For rules evaluated in server context, the mod_proxy fixup
+- * hook can be relied upon to escape the URI as and when
+- * necessary, since it occurs later. If in directory context,
+- * the ordering of the fixup hooks is forced such that
+- * mod_proxy comes first, so the URI must be escaped here
+- * instead. See PR 39746, 46428, and other headaches. */
+- if (ctx->perdir && (p->flags & RULEFLAG_NOESCAPE) == 0) {
+- char *old_filename = r->filename;
+-
+- r->filename = ap_escape_uri(r->pool, r->filename);
+- rewritelog((r, 2, ctx->perdir, "escaped URI in per-dir context "
+- "for proxy, %s -> %s", old_filename, r->filename));
+- }
+-
+ fully_qualify_uri(r);
+
+ rewritelog((r, 2, ctx->perdir, "forcing proxy-throughput with %s",
+@@ -5013,7 +4999,7 @@ static int hook_uri2file(request_rec *r)
+ }
+ if ((r->args != NULL)
+ && ((r->proxyreq == PROXYREQ_PROXY)
+- || (rulestatus == ACTION_NOESCAPE))) {
++ || apr_table_get(r->notes, "proxy-nocanon"))) {
+ /* see proxy_http:proxy_http_canon() */
+ r->filename = apr_pstrcat(r->pool, r->filename,
+ "?", r->args, NULL);
+@@ -5304,13 +5290,28 @@ static int hook_fixup(request_rec *r)
+ if (to_proxyreq) {
+ /* it should go on as an internal proxy request */
+
+- /* make sure the QUERY_STRING and
+- * PATH_INFO parts get incorporated
++ /* check if the proxy module is enabled, so
++ * we can actually use it!
++ */
++ if (!proxy_available) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10160)
++ "attempt to make remote request from mod_rewrite "
++ "without proxy enabled: %s", r->filename);
++ return HTTP_FORBIDDEN;
++ }
++
++ if (rulestatus == ACTION_NOESCAPE) {
++ apr_table_setn(r->notes, "proxy-nocanon", "1");
++ }
++
++ /* make sure the QUERY_STRING gets incorporated in the case
++ * [NE] was specified on the Proxy rule. We are preventing
++ * mod_proxy canon handler from incorporating r->args as well
++ * as escaping the URL.
+ * (r->path_info was already appended by the
+ * rewriting engine because of the per-dir context!)
+ */
+- if (r->args != NULL) {
+- /* see proxy_http:proxy_http_canon() */
++ if ((r->args != NULL) && apr_table_get(r->notes, "proxy-nocanon")) {
+ r->filename = apr_pstrcat(r->pool, r->filename,
+ "?", r->args, NULL);
+ }
+@@ -5610,10 +5611,7 @@ static void ap_register_rewrite_mapfunc(char *name, rewrite_mapfunc_t *func)
+
+ static void register_hooks(apr_pool_t *p)
+ {
+- /* fixup after mod_proxy, so that the proxied url will not
+- * escaped accidentally by mod_proxy's fixup.
+- */
+- static const char * const aszPre[]={ "mod_proxy.c", NULL };
++ static const char * const aszModProxy[] = { "mod_proxy.c", NULL };
+
+ /* make the hashtable before registering the function, so that
+ * other modules are prevented from accessing uninitialized memory.
+@@ -5625,10 +5623,12 @@ static void register_hooks(apr_pool_t *p)
+ ap_hook_pre_config(pre_config, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_post_config(post_config, NULL, NULL, APR_HOOK_MIDDLE);
+ ap_hook_child_init(init_child, NULL, NULL, APR_HOOK_MIDDLE);
+-
+- ap_hook_fixups(hook_fixup, aszPre, NULL, APR_HOOK_FIRST);
++
++ /* allow to change the uri before mod_proxy takes over it */
++ ap_hook_translate_name(hook_uri2file, NULL, aszModProxy, APR_HOOK_FIRST);
++ /* fixup before mod_proxy so that a [P] URL gets fixed up there */
++ ap_hook_fixups(hook_fixup, NULL, aszModProxy, APR_HOOK_FIRST);
+ ap_hook_fixups(hook_mimetype, NULL, NULL, APR_HOOK_LAST);
+- ap_hook_translate_name(hook_uri2file, NULL, NULL, APR_HOOK_FIRST);
+ }
+
+ /* the main config structure */
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 8f13e68..bd0aa68 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -3344,27 +3344,26 @@ static int proxy_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+ }
+ static void register_hooks(apr_pool_t *p)
+ {
+- /* fixup before mod_rewrite, so that the proxied url will not
+- * escaped accidentally by our fixup.
+- */
+- static const char * const aszSucc[] = { "mod_rewrite.c", NULL};
+ /* Only the mpm_winnt has child init hook handler.
+ * make sure that we are called after the mpm
+ * initializes.
+ */
+ static const char *const aszPred[] = { "mpm_winnt.c", "mod_proxy_balancer.c",
+ "mod_proxy_hcheck.c", NULL};
++ static const char * const aszModRewrite[] = { "mod_rewrite.c", NULL };
++
+ /* handler */
+ ap_hook_handler(proxy_handler, NULL, NULL, APR_HOOK_FIRST);
+ /* filename-to-URI translation */
+ ap_hook_pre_translate_name(proxy_pre_translate_name, NULL, NULL,
+ APR_HOOK_MIDDLE);
+- ap_hook_translate_name(proxy_translate_name, aszSucc, NULL,
++ /* mod_rewrite has a say on the uri before proxy translation */
++ ap_hook_translate_name(proxy_translate_name, aszModRewrite, NULL,
+ APR_HOOK_FIRST);
+ /* walk entries and suppress default TRACE behavior */
+ ap_hook_map_to_storage(proxy_map_location, NULL,NULL, APR_HOOK_FIRST);
+- /* fixups */
+- ap_hook_fixups(proxy_fixup, NULL, aszSucc, APR_HOOK_FIRST);
++ /* fixup after mod_rewrite so that a [P] URL from there gets fixed up */
++ ap_hook_fixups(proxy_fixup, aszModRewrite, NULL, APR_HOOK_FIRST);
+ /* post read_request handling */
+ ap_hook_post_read_request(proxy_detect, NULL, NULL, APR_HOOK_FIRST);
+ /* pre config handling */
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index bca1d25..499c182 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,7 +13,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.62
-Release: 1%{?dist}
+Release: 1%{?dist}.2
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@@ -96,6 +96,10 @@ Patch100: httpd-2.4.43-enable-sslv3.patch
 Patch101: httpd-2.4.48-full-release.patch
 # https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
 Patch102: httpd-2.4.62-r1919325.patch
+# https://issues.redhat.com/browse/RHEL-36755
+Patch103: httpd-2.4.62-engine-fallback.patch
+# https://issues.redhat.com/browse/RHEL-68660
+Patch104: httpd-2.4.62-r1921299.patch
 # Security fixes
 # https://bugzilla.redhat.com/show_bug.cgi?id=...
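Review bot: In `apply_rewrite_rule` the per-dir escaping block goes away together with the comment that recorded the PR 39746/46428 history, but nothing at the `if (p->flags & RULEFLAG_PROXY)` site now says where the escaping of a rewritten, client-derived URL happens instead, so a future reader is likely to re-add `ap_escape_uri` here; a one-line pointer such as `/* No escaping here: mod_proxy's canon handler runs after hook_fixup (see register_hooks) and escapes the proxied URL unless [NE] set the "proxy-nocanon" note. */` would keep the contract visible. That hook order is now a correctness requirement rather than a preference, and it is declared twice — `aszModProxy` as successor in mod_rewrite's `register_hooks` and `aszModRewrite` as predecessor in mod_proxy's — so a short comment on each array naming the other side would stop the two from drifting apart. The `proxy_available` check and the `"proxy-nocanon"` note added to `hook_fixup` mirror the same sequence in `hook_uri2file` (presumably where the note that `hook_uri2file` now reads is set, outside this hunk), so a small `static` helper shared by both paths would keep them identical. `apply_rewrite_rule`, `hook_uri2file`, `hook_fixup` and both `register_hooks` functions begin or end outside the hunks shown.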
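Review bot: The tracker ids in the comments above `Patch103` (RHEL-36755) and `Patch104` (RHEL-68660) differ from the ones the new changelog entries cite for the same two fixes (RHEL-69456 and RHEL-73580), so the spec is not traceable from one side to the other. If these are clones of the same issues, naming both on the Patch comment, e.g. `# https://issues.redhat.com/browse/RHEL-68660 (RHEL-73580)`, would make the backport reason findable from either reference.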
@@ -258,6 +262,8 @@ written in the Lua programming language. %patch100 -p1 -b .enable-sslv3 %patch101 -p1 -b .full-release %patch102 -p1 -b .r1919325 +%patch103 -p0 -b .engine-fallback +%patch104 -p1 -b .r1921299 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -819,6 +825,14 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Fri Jan 10 2025 Luboš Uhliarik - 2.4.62-1.2 +- Resolves: RHEL-73580 - RewriteRule proxying to UDS (unix domain socket) + configured in .htaccess doesn't work on httpd-2.4.62-1 + +* Thu Nov 28 2024 Luboš Uhliarik - 2.4.62-1.1 +- mod_ssl: fix loading keys via ENGINE API + Resolves: RHEL-69456 + * Sat Aug 03 2024 Luboš Uhliarik - 2.4.62-1 - new version 2.4.62 - Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix