No commits in common. 'c9' and 'cs10' have entirely different histories.
c9 ... cs10

@ -15,6 +15,7 @@ LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_socache_module modules/mod_authn_socache.so
LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so

@ -4,7 +4,6 @@
#
#LoadModule asis_module modules/mod_asis.so
#LoadModule authnz_fcgi_module modules/mod_authnz_fcgi.so
#LoadModule buffer_module modules/mod_buffer.so
#LoadModule heartbeat_module modules/mod_heartbeat.so
#LoadModule heartmonitor_module modules/mod_heartmonitor.so

@ -5,6 +5,7 @@
]>
<!--
Copyright 2020 Red Hat, Inc.
Copyright 2018 Frank Dana
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
@ -70,7 +71,7 @@
<para>The version of <command>apachectl</command> used on this
system is a replacement script intended to be mostly (but not
completely) compatible with version provided with
completely) compatible with the version provided with
<emphasis>Apache httpd</emphasis>. This
<command>apachectl</command> mostly acts as a wrapper around
<command>systemctl</command> and manipulates the
@ -160,7 +161,7 @@
</varlistentry>
<varlistentry>
<term><option>configtest</option></term>
<term><option>configtest</option> | <option>-t</option></term>
<listitem>
<para>Run a configuration file syntax test. It parses the configuration
files and either reports <literal>Syntax OK</literal>
@ -173,7 +174,7 @@
<refsect1 id='bugs'>
<title>Bugs</title>
<para>Please report bugs by filing an issue in Bugzilla via <ulink url='https://bugzilla.redhat.com/'/>.</para>
<para>Please report bugs by filing an issue in @BUG_REPORT_URL@.</para>
</refsect1>
<refsect1>

@ -1,3 +1,6 @@
Upstream-Status: local customisation
diff --git a/support/apxs.in b/support/apxs.in
index b2705fa..c331631 100644
--- a/support/apxs.in

@ -1,3 +1,6 @@
Upstream-Status: local customisation
diff --git a/server/core.c b/server/core.c
index 79b2a82..dc0f17a 100644
--- a/server/core.c

@ -1,8 +1,8 @@
diff --git a/configure.in b/configure.in
index 7194de5..00e2369 100644
index f8f9442..f276550 100644
--- a/configure.in
+++ b/configure.in
@@ -843,9 +843,9 @@ APACHE_SUBST(INSTALL_SUEXEC)
@@ -786,9 +786,9 @@ APACHE_SUBST(INSTALL_SUEXEC)
dnl APR should go after the other libs, so the right symbols can be picked up
if test x${apu_found} != xobsolete; then

@ -1,3 +1,6 @@
Upstream-Status: in trunk, not proposed for 2.4.x
diff --git a/Makefile.in b/Makefile.in
index 6747aea..40c7076 100644
--- a/Makefile.in

@ -1,12 +1,5 @@
Reduce size of httpd binary by telling linker to export all symbols
from libmain.a, rather than bloating the symbol table with ap_hack_*
to do so indirectly.
Upstream: https://svn.apache.org/r1861685 (as new default-off configure option)
diff --git a/Makefile.in b/Makefile.in
index 40c7076..ac98e5f 100644
index bd8045c..d6733a5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -4,8 +4,15 @@ CLEAN_SUBDIRS = test
@ -40,10 +33,10 @@ index 8111877..f00bb3f 100644
eoc_bucket.c eor_bucket.c core_filters.c \
util_expr_parse.c util_expr_scan.c util_expr_eval.c
diff --git a/server/main.c b/server/main.c
index 62e06df..17c09ee 100644
index 7da7aa2..e63d2eb 100644
--- a/server/main.c
+++ b/server/main.c
@@ -835,17 +835,3 @@ int main(int argc, const char * const argv[])
@@ -857,17 +857,3 @@ int main(int argc, const char * const argv[])
return !OK;
}

@ -0,0 +1,64 @@
Upstream-Status: in trunk not in 2.4.x
diff --git a/configure.in b/configure.in
index 74015ca..8c0ee10 100644
--- httpd-2.4.54/modules/arch/unix/config5.m4.selinux
+++ httpd-2.4.54/modules/arch/unix/config5.m4
@@ -23,6 +23,11 @@
AC_MSG_WARN([Your system does not support systemd.])
enable_systemd="no"
else
+ AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(MOD_SYSTEMD_LDADD, [-lselinux])
+ ])
+
APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
fi
])
--- httpd-2.4.54/modules/arch/unix/mod_systemd.c.selinux
+++ httpd-2.4.54/modules/arch/unix/mod_systemd.c
@@ -35,6 +35,10 @@
#include <unistd.h>
#endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
APR_DECLARE_OPTIONAL_FN(int,
ap_find_systemd_socket, (process_rec *, apr_port_t));
@@ -70,6 +74,20 @@
return apr_psprintf(p, "%s port %u", addr, sa->port);
}
+#ifdef HAVE_SELINUX
+static void log_selinux_context(void)
+{
+ char *con;
+
+ if (is_selinux_enabled() && getcon(&con) == 0) {
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
+ freecon(con);
+ }
+}
+#endif
+
/* Report the service is ready in post_config, which could be during
* startup or after a reload. The server could still hit a fatal
* startup error after this point during ap_run_mpm(), so this is
@@ -87,6 +105,10 @@
if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
return OK;
+#ifdef HAVE_SELINUX
+ log_selinux_context();
+#endif
+
for (lr = ap_listeners; lr; lr = lr->next) {
char *s = dump_listener(lr, ptemp);
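Review bot: In `log_selinux_context()` the result of `is_selinux_enabled()` is used as a bare truth value, so a negative error return (which some libselinux versions document) would be treated as "enabled"; I would write the test as `if (is_selinux_enabled() > 0 && getcon(&con) == 0) {`. The call sits in the post_config hook directly after the pre-config state check, and the comment above that hook says it runs at startup and after a reload, so the context line is presumably logged on each of those passes; a one-line comment on the function saying so would settle whether that is intended. Because the notice is now emitted from mod_systemd.c, it appears only when that module is loaded, which matters to anyone who uses this log line to confirm the confinement domain. The patch preamble still carries a `diff --git a/configure.in b/configure.in` header that does not match the files patched below it, and the hook body continues outside the last hunk.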

@ -1,60 +0,0 @@
diff --git a/configure.in b/configure.in
index 3932407..00e2369 100644
--- a/configure.in
+++ b/configure.in
@@ -531,6 +531,11 @@ gettid
dnl confirm that a void pointer is large enough to store a long integer
APACHE_CHECK_VOID_PTR_LEN
+AC_CHECK_LIB(selinux, is_selinux_enabled, [
+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
+ APR_ADDTO(HTTPD_LIBS, [-lselinux])
+])
+
if test $ac_cv_func_gettid = no; then
# On Linux before glibc 2.30, gettid() is only usable via syscall()
AC_CACHE_CHECK([for gettid() via syscall], ap_cv_gettid,
diff --git a/server/core.c b/server/core.c
index 8970a50..ff1024d 100644
--- a/server/core.c
+++ b/server/core.c
@@ -65,6 +65,10 @@
#include <unistd.h>
#endif
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#endif
+
/* LimitRequestBody handling */
#define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
@@ -5170,6 +5174,28 @@ static int core_post_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *pte
}
#endif
+#ifdef HAVE_SELINUX
+ {
+ static int already_warned = 0;
+ int is_enabled = is_selinux_enabled() > 0;
+
+ if (is_enabled && !already_warned) {
+ security_context_t con;
+
+ if (getcon(&con) == 0) {
+
+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+ "SELinux policy enabled; "
+ "httpd running as context %s", con);
+
+ already_warned = 1;
+
+ freecon(con);
+ }
+ }
+ }
+#endif
+
return OK;
}

@ -5,6 +5,8 @@ http://svn.apache.org/viewvc?view=revision&revision=1912718
http://svn.apache.org/viewvc?view=revision&revision=1913654
http://svn.apache.org/viewvc?view=revision&revision=1914438
Upstream-Status: in trunk, not proposed for 2.4.x
--- httpd-2.4.58/modules/dav/fs/config6.m4.r1912477+
+++ httpd-2.4.58/modules/dav/fs/config6.m4
@@ -20,4 +20,10 @@

@ -1,8 +1,6 @@
diff --git a/server/core.c b/server/core.c
index c36ff26..621c82a 100644
--- a/server/core.c
+++ b/server/core.c
@@ -3569,6 +3569,7 @@ enum server_token_type {
--- httpd-2.4.59/server/core.c.full-release
+++ httpd-2.4.59/server/core.c
@@ -3586,6 +3586,7 @@
SrvTk_MINIMAL, /* eg: Apache/2.0.41 */
SrvTk_OS, /* eg: Apache/2.0.41 (UNIX) */
SrvTk_FULL, /* eg: Apache/2.0.41 (UNIX) PHP/4.2.2 FooBar/1.2b */
@ -10,7 +8,7 @@ index c36ff26..621c82a 100644
SrvTk_PRODUCT_ONLY /* eg: Apache */
};
static enum server_token_type ap_server_tokens = SrvTk_FULL;
@@ -3645,7 +3646,10 @@ static void set_banner(apr_pool_t *pconf)
@@ -3662,7 +3663,10 @@
else if (ap_server_tokens == SrvTk_MAJOR) {
ap_add_version_component(pconf, AP_SERVER_BASEPRODUCT "/" AP_SERVER_MAJORVERSION);
}
@ -22,7 +20,7 @@ index c36ff26..621c82a 100644
ap_add_version_component(pconf, AP_SERVER_BASEVERSION " (" PLATFORM ")");
}
@@ -3653,7 +3657,7 @@ static void set_banner(apr_pool_t *pconf)
@@ -3670,7 +3674,7 @@
* Lock the server_banner string if we're not displaying
* the full set of tokens
*/
@ -31,7 +29,7 @@ index c36ff26..621c82a 100644
banner_locked++;
}
server_description = AP_SERVER_BASEVERSION " (" PLATFORM ")";
@@ -3686,8 +3690,11 @@ static const char *set_serv_tokens(cmd_parms *cmd, void *dummy,
@@ -3703,8 +3707,11 @@
else if (!ap_cstr_casecmp(arg, "Full")) {
ap_server_tokens = SrvTk_FULL;
}

@ -0,0 +1,11 @@
--- httpd-2.4.59/modules/ssl/ssl_private.h.no-engine
+++ httpd-2.4.59/modules/ssl/ssl_private.h
@@ -112,7 +112,7 @@
|| (defined(OPENSSL_API_LEVEL) && OPENSSL_API_LEVEL < 30000)) \
&& !defined(OPENSSL_NO_ENGINE)
#include <openssl/engine.h>
-#define MODSSL_HAVE_ENGINE_API 1
+#define MODSSL_HAVE_ENGINE_API 0
#endif
#ifndef MODSSL_HAVE_ENGINE_API
#define MODSSL_HAVE_ENGINE_API 0
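Review bot: The define is flipped to `MODSSL_HAVE_ENGINE_API 0` inside the branch that detected ENGINE support, but `#include <openssl/engine.h>` stays in that branch and the patch has no description or Upstream-Status line. Whenever the condition holds, the build still pulls in the header while compiling none of the code that uses it, and a reader cannot tell why the value was flipped rather than the block removed. I would drop the include along with the define change and add a short patch header giving the reason and the effect on configurations that set `SSLCryptoDevice` or name an engine-backed key, which presumably must now load through the non-ENGINE path or fail at startup. The enclosing `#if` begins above the hunk.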

@ -1,64 +0,0 @@
Index: modules/ssl/ssl_engine_pphrase.c
===================================================================
--- modules/ssl/ssl_engine_pphrase.c (revision 1920590)
+++ modules/ssl/ssl_engine_pphrase.c (working copy)
@@ -806,6 +806,9 @@
return APR_SUCCESS;
}
+/* Tries to load the key and optionally certificate via the ENGINE
+ * API. Returns APR_ENOTIMPL if the keypair could not be loaded via an
+ * ENGINE implementation. */
static apr_status_t modssl_load_keypair_engine(server_rec *s, apr_pool_t *pconf,
apr_pool_t *ptemp,
const char *vhostid,
@@ -831,7 +834,7 @@
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10131)
"Init: Unrecognized private key identifier `%s'",
keyid);
- return ssl_die(s);
+ return APR_ENOTIMPL;
}
scheme = apr_pstrmemdup(ptemp, keyid, c - keyid);
@@ -839,8 +842,8 @@
ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(10132)
"Init: Failed to load engine for private key %s",
keyid);
- ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
- return ssl_die(s);
+ ssl_log_ssl_error(SSLLOG_MARK, APLOG_NOTICE, s);
+ return APR_ENOTIMPL;
}
if (!ENGINE_init(e)) {
@@ -996,15 +999,21 @@
X509 **pubkey, EVP_PKEY **privkey)
{
#if MODSSL_HAVE_ENGINE_API
- SSLModConfigRec *mc = myModConfig(s);
+ apr_status_t rv;
- /* For OpenSSL 3.x, use the STORE-based API if either ENGINE
- * support was not present compile-time, or if it's built but
- * SSLCryptoDevice is not configured. */
- if (mc->szCryptoDevice)
- return modssl_load_keypair_engine(s, pconf, ptemp,
- vhostid, certid, keyid,
- pubkey, privkey);
+ rv = modssl_load_keypair_engine(s, pconf, ptemp,
+ vhostid, certid, keyid,
+ pubkey, privkey);
+ if (rv == APR_SUCCESS) {
+ return rv;
+ }
+ /* If STORE support is not present, all errors are fatal here; if
+ * STORE is present and the ENGINE could not be loaded, ignore the
+ * error and fall through to try loading via the STORE API. */
+ else if (!MODSSL_HAVE_OPENSSL_STORE || rv != APR_ENOTIMPL) {
+ return ssl_die(s);
+ }
+
#endif
#if MODSSL_HAVE_OPENSSL_STORE
return modssl_load_keypair_store(s, ptemp, vhostid, certid, keyid,

@ -1,8 +1,8 @@
diff --git a/docs/manual/mod/mod_proxy_wstunnel.html.en b/docs/manual/mod/mod_proxy_wstunnel.html.en
index 9f2c120..61ff7de 100644
index c5004b8..a0ae3c8 100644
--- a/docs/manual/mod/mod_proxy_wstunnel.html.en
+++ b/docs/manual/mod/mod_proxy_wstunnel.html.en
@@ -83,6 +83,7 @@ in the response <code>Upgrade</code></p>
@@ -96,6 +96,7 @@ WebSocket always happens.
<div id="quickview"><a href="https://www.apache.org/foundation/contributing.html" class="badge"><img src="https://www.apache.org/images/SupportApache-small.png" alt="Support Apache!" /></a><h3 class="directives">Directives</h3>
<ul id="toc">
<li><img alt="" src="../images/down.gif" /> <a href="#proxywebsocketfallbacktoproxyhttp">ProxyWebsocketFallbackToProxyHttp</a></li>
@ -10,7 +10,7 @@ index 9f2c120..61ff7de 100644
</ul>
<h3>Bugfix checklist</h3><ul class="seealso"><li><a href="https://www.apache.org/dist/httpd/CHANGES_2.4">httpd changelog</a></li><li><a href="https://bz.apache.org/bugzilla/buglist.cgi?bug_status=__open__&amp;list_id=144532&amp;product=Apache%20httpd-2&amp;query_format=specific&amp;order=changeddate%20DESC%2Cpriority%2Cbug_severity&amp;component=mod_proxy_wstunnel">Known issues</a></li><li><a href="https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2&amp;component=mod_proxy_wstunnel">Report a bug</a></li></ul><h3>See also</h3>
<ul class="seealso">
@@ -108,6 +109,23 @@ in the response <code>Upgrade</code></p>
@@ -121,6 +122,23 @@ WebSocket always happens.
WebSocket requests as in httpd 2.4.46 and earlier.</p>
</div>
@ -35,7 +35,7 @@ index 9f2c120..61ff7de 100644
<div class="bottomlang">
<p><span>Available Languages: </span><a href="../en/mod/mod_proxy_wstunnel.html" title="English">&nbsp;en&nbsp;</a> |
diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
index bcbba42..c29ded1 100644
index 30ba1b4..e27e6f8 100644
--- a/modules/proxy/mod_proxy_wstunnel.c
+++ b/modules/proxy/mod_proxy_wstunnel.c
@@ -22,6 +22,7 @@ module AP_MODULE_DECLARE_DATA proxy_wstunnel_module;
@ -46,7 +46,7 @@ index bcbba42..c29ded1 100644
} proxyws_dir_conf;
static int can_fallback_to_proxy_http;
@@ -152,6 +153,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
@@ -176,6 +177,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
conn_rec *c = r->connection;
apr_socket_t *sock = conn->sock;
conn_rec *backconn = conn->connection;
@ -55,7 +55,7 @@ index bcbba42..c29ded1 100644
char *buf;
apr_bucket_brigade *header_brigade;
apr_bucket *e;
@@ -229,10 +232,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
@@ -253,10 +256,13 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
c->keepalive = AP_CONN_CLOSE;
do { /* Loop until done (one side closes the connection, or an error) */
@ -70,7 +70,7 @@ index bcbba42..c29ded1 100644
}
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02444) "error apr_poll()");
return HTTP_INTERNAL_SERVER_ERROR;
@@ -418,11 +424,26 @@ cleanup:
@@ -442,11 +448,26 @@ cleanup:
return status;
}
@ -97,7 +97,7 @@ index bcbba42..c29ded1 100644
new->fallback_to_proxy_http = 1;
return (void *) new;
@@ -465,7 +486,8 @@ static const command_rec ws_proxy_cmds[] =
@@ -489,7 +510,8 @@ static const command_rec ws_proxy_cmds[] =
proxyws_fallback_to_proxy_http, NULL, RSRC_CONF|ACCESS_CONF,
"whether to let mod_proxy_http handle the upgrade and tunneling, "
"On by default"),

@ -1,133 +0,0 @@
diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
index 53fb1e9..f735c50 100644
--- a/modules/mappers/mod_rewrite.c
+++ b/modules/mappers/mod_rewrite.c
@@ -4477,20 +4477,6 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p,
* ourself).
*/
if (p->flags & RULEFLAG_PROXY) {
- /* For rules evaluated in server context, the mod_proxy fixup
- * hook can be relied upon to escape the URI as and when
- * necessary, since it occurs later. If in directory context,
- * the ordering of the fixup hooks is forced such that
- * mod_proxy comes first, so the URI must be escaped here
- * instead. See PR 39746, 46428, and other headaches. */
- if (ctx->perdir && (p->flags & RULEFLAG_NOESCAPE) == 0) {
- char *old_filename = r->filename;
-
- r->filename = ap_escape_uri(r->pool, r->filename);
- rewritelog((r, 2, ctx->perdir, "escaped URI in per-dir context "
- "for proxy, %s -> %s", old_filename, r->filename));
- }
-
fully_qualify_uri(r);
rewritelog((r, 2, ctx->perdir, "forcing proxy-throughput with %s",
@@ -5013,7 +4999,7 @@ static int hook_uri2file(request_rec *r)
}
if ((r->args != NULL)
&& ((r->proxyreq == PROXYREQ_PROXY)
- || (rulestatus == ACTION_NOESCAPE))) {
+ || apr_table_get(r->notes, "proxy-nocanon"))) {
/* see proxy_http:proxy_http_canon() */
r->filename = apr_pstrcat(r->pool, r->filename,
"?", r->args, NULL);
@@ -5304,13 +5290,28 @@ static int hook_fixup(request_rec *r)
if (to_proxyreq) {
/* it should go on as an internal proxy request */
- /* make sure the QUERY_STRING and
- * PATH_INFO parts get incorporated
+ /* check if the proxy module is enabled, so
+ * we can actually use it!
+ */
+ if (!proxy_available) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10160)
+ "attempt to make remote request from mod_rewrite "
+ "without proxy enabled: %s", r->filename);
+ return HTTP_FORBIDDEN;
+ }
+
+ if (rulestatus == ACTION_NOESCAPE) {
+ apr_table_setn(r->notes, "proxy-nocanon", "1");
+ }
+
+ /* make sure the QUERY_STRING gets incorporated in the case
+ * [NE] was specified on the Proxy rule. We are preventing
+ * mod_proxy canon handler from incorporating r->args as well
+ * as escaping the URL.
* (r->path_info was already appended by the
* rewriting engine because of the per-dir context!)
*/
- if (r->args != NULL) {
- /* see proxy_http:proxy_http_canon() */
+ if ((r->args != NULL) && apr_table_get(r->notes, "proxy-nocanon")) {
r->filename = apr_pstrcat(r->pool, r->filename,
"?", r->args, NULL);
}
@@ -5610,10 +5611,7 @@ static void ap_register_rewrite_mapfunc(char *name, rewrite_mapfunc_t *func)
static void register_hooks(apr_pool_t *p)
{
- /* fixup after mod_proxy, so that the proxied url will not
- * escaped accidentally by mod_proxy's fixup.
- */
- static const char * const aszPre[]={ "mod_proxy.c", NULL };
+ static const char * const aszModProxy[] = { "mod_proxy.c", NULL };
/* make the hashtable before registering the function, so that
* other modules are prevented from accessing uninitialized memory.
@@ -5625,10 +5623,12 @@ static void register_hooks(apr_pool_t *p)
ap_hook_pre_config(pre_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_post_config(post_config, NULL, NULL, APR_HOOK_MIDDLE);
ap_hook_child_init(init_child, NULL, NULL, APR_HOOK_MIDDLE);
-
- ap_hook_fixups(hook_fixup, aszPre, NULL, APR_HOOK_FIRST);
+
+ /* allow to change the uri before mod_proxy takes over it */
+ ap_hook_translate_name(hook_uri2file, NULL, aszModProxy, APR_HOOK_FIRST);
+ /* fixup before mod_proxy so that a [P] URL gets fixed up there */
+ ap_hook_fixups(hook_fixup, NULL, aszModProxy, APR_HOOK_FIRST);
ap_hook_fixups(hook_mimetype, NULL, NULL, APR_HOOK_LAST);
- ap_hook_translate_name(hook_uri2file, NULL, NULL, APR_HOOK_FIRST);
}
/* the main config structure */
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 8f13e68..bd0aa68 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -3344,27 +3344,26 @@ static int proxy_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
}
static void register_hooks(apr_pool_t *p)
{
- /* fixup before mod_rewrite, so that the proxied url will not
- * escaped accidentally by our fixup.
- */
- static const char * const aszSucc[] = { "mod_rewrite.c", NULL};
/* Only the mpm_winnt has child init hook handler.
* make sure that we are called after the mpm
* initializes.
*/
static const char *const aszPred[] = { "mpm_winnt.c", "mod_proxy_balancer.c",
"mod_proxy_hcheck.c", NULL};
+ static const char * const aszModRewrite[] = { "mod_rewrite.c", NULL };
+
/* handler */
ap_hook_handler(proxy_handler, NULL, NULL, APR_HOOK_FIRST);
/* filename-to-URI translation */
ap_hook_pre_translate_name(proxy_pre_translate_name, NULL, NULL,
APR_HOOK_MIDDLE);
- ap_hook_translate_name(proxy_translate_name, aszSucc, NULL,
+ /* mod_rewrite has a say on the uri before proxy translation */
+ ap_hook_translate_name(proxy_translate_name, aszModRewrite, NULL,
APR_HOOK_FIRST);
/* walk <Proxy > entries and suppress default TRACE behavior */
ap_hook_map_to_storage(proxy_map_location, NULL,NULL, APR_HOOK_FIRST);
- /* fixups */
- ap_hook_fixups(proxy_fixup, NULL, aszSucc, APR_HOOK_FIRST);
+ /* fixup after mod_rewrite so that a [P] URL from there gets fixed up */
+ ap_hook_fixups(proxy_fixup, aszModRewrite, NULL, APR_HOOK_FIRST);
/* post read_request handling */
ap_hook_post_read_request(proxy_detect, NULL, NULL, APR_HOOK_FIRST);
/* pre config handling */

@ -26,8 +26,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
PrivateTmp=true
DevicePolicy=closed
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
OOMPolicy=continue
PrivateDevices=yes
PrivateTmp=true
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
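Review bot: `MemoryDenyWriteExecute=yes` is added with no comment, and it is the option in this list most likely to break a working site, because any loaded module that generates code at run time (a regex or scripting JIT, for example) will have its writable-and-executable mapping refused. I would put a comment above it, such as `# Blocks W+X mappings; modules that JIT-compile need a drop-in with MemoryDenyWriteExecute=no`, and name it among the options singled out in the unit's man page, whose visible list covers PrivateTmp, ProtectHome and ProtectSystem but not this one. `ProtectSystem=yes` is the weakest level and leaves /etc writable by the service; `ProtectSystem=full` would cover it if nothing the service runs needs to write there, which this hunk does not show. The same lines are added to the template unit further down the page (the one whose `ExecReload` ends in `-f conf/%i.conf`), so both points apply there as well.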

@ -175,7 +175,7 @@ Wants=network-online.target</programlisting>
<para>System packages (including the httpd package itself) may
restart the httpd service automatically after packages are
upgraded, installed, or removed. This is done using the
<command>systemctl try-restart httpd.service</command>, which
<command>systemctl try-restart httpd.service</command> command, which
stops then starts the service if it is running.</para>
<para>To disable automatic restarts, create the file
@ -183,8 +183,9 @@ Wants=network-online.target</programlisting>
When <command>httpd</command> interfaces are added in an update,
it may not be safe to <emphasis>reload</emphasis> a running
service after upgrading, if updated modules require interfaces
only available in the updated httpd. It is recommended to allow
automatic restarts for this reason.</para>
only available in the updated <command>httpd</command> binary.
It is recommended to allow automatic restarts for this
reason.</para>
</refsect2>
<refsect2>
@ -230,7 +231,16 @@ Wants=network-online.target</programlisting>
<refsect2>
<title>Process policies and restrictions</title>
<para>The httpd service uses the following options:
<para>The <command>httpd.service</command> unit enables a
variety of sandboxing options. Many of these prevent the service
from changing the system configuration or attributes of the
kernel - such as <emphasis>ProtectClock</emphasis> and
<emphasis>ProtectKernelModules</emphasis>. See
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information on these options. Particular notice should
be taken of the following:
<itemizedlist>
<listitem><para><emphasis>PrivateTmp</emphasis> is enabled by
@ -246,13 +256,21 @@ Wants=network-online.target</programlisting>
the policy to <emphasis>continue</emphasis>, httpd will
continue to run (and recover) if a single child is terminated
because of excess memory consumption.</para></listitem>
</itemizedlist>
See
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for more information.</para>
<listitem><para><emphasis>ProtectHome</emphasis> is set to
<emphasis>read-only</emphasis> by default. CGI scripts run via
<emphasis>UserDir</emphasis> will not be able modify any
content in <filename>/home</filename> by
default.</para></listitem>
<listitem><para><emphasis>ProtectSystem</emphasis> is set to
<emphasis>yes</emphasis> by default; this mounts various
system paths like <filename>/usr</filename> and
<filename>/boot</filename> as read-only by
default.</para></listitem>
</itemizedlist></para>
</refsect2>
<refsect2>

@ -19,8 +19,25 @@ ExecReload=/usr/sbin/httpd $OPTIONS -k graceful -f conf/%i.conf
# Send SIGWINCH for graceful stop
KillSignal=SIGWINCH
KillMode=mixed
PrivateTmp=true
DevicePolicy=closed
KeyringMode=private
LockPersonality=yes
MemoryDenyWriteExecute=yes
OOMPolicy=continue
PrivateDevices=yes
PrivateTmp=true
ProtectClock=yes
ProtectControlGroups=yes
ProtectHome=read-only
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target

@ -4,16 +4,28 @@
%define mmn 20120211
%define mmnisa %{mmn}%{__isa_name}%{__isa_bits}
%define vstring %(source /etc/os-release; echo ${NAME})
%define bugurl %(source /etc/os-release; echo ${BUG_REPORT_URL})
%if 0%{?fedora} > 26 || 0%{?rhel} > 7
%global mpm event
%else
%global mpm prefork
%endif
%if 0%{?fedora} > 35 || 0%{?rhel} > 9
%bcond_without pcre2
%bcond_with pcre
%else
%bcond_with pcre2
%bcond_without pcre
%endif
# Similar issue to https://bugzilla.redhat.com/show_bug.cgi?id=2043092
%undefine _package_note_flags
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.62
Release: 1%{?dist}.2
Release: 5%{?dist}
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2.asc
@ -65,57 +77,60 @@ Source48: apache-poweredby.png
Source49: httpd.sysusers
# build/scripts patches
Patch1: httpd-2.4.59-full-release.patch
Patch2: httpd-2.4.43-apxs.patch
Patch3: httpd-2.4.59-deplibs.patch
Patch3: httpd-2.4.43-deplibs.patch
# Needed for socket activation and mod_systemd patch
Patch19: httpd-2.4.53-detect-systemd.patch
# Features/functional changes
Patch21: httpd-2.4.48-r1842929+.patch
Patch22: httpd-2.4.43-mod_systemd.patch
Patch23: httpd-2.4.48-export.patch
Patch24: httpd-2.4.43-corelimit.patch
Patch25: httpd-2.4.57-selinux.patch
Patch26: httpd-2.4.53-icons.patch
Patch27: httpd-2.4.43-cachehardmax.patch
Patch28: httpd-2.4.62-socket-activation.patch
Patch29: httpd-2.4.43-sslciphdefault.patch
Patch30: httpd-2.4.43-sslprotdefault.patch
Patch31: httpd-2.4.43-logjournal.patch
Patch32: httpd-2.4.48-proxy-ws-idle-timeout.patch
Patch20: httpd-2.4.48-r1842929+.patch
Patch21: httpd-2.4.43-mod_systemd.patch
Patch22: httpd-2.4.53-export.patch
Patch23: httpd-2.4.43-corelimit.patch
Patch24: httpd-2.4.54-icons.patch
Patch25: httpd-2.4.43-cachehardmax.patch
Patch26: httpd-2.4.43-socket-activation.patch
Patch27: httpd-2.4.43-sslciphdefault.patch
Patch29: httpd-2.4.43-sslprotdefault.patch
Patch30: httpd-2.4.43-logjournal.patch
Patch31: httpd-2.4.53-separate-systemd-fns.patch
Patch32: httpd-2.4.58-r1912477+.patch
Patch33: httpd-2.4.54-selinux.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1949606
Patch33: httpd-2.4.62-freebind.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2065677
Patch34: httpd-2.4.53-separate-systemd-fns.patch
# https://issues.redhat.com/browse/RHEL-5071
Patch35: httpd-2.4.57-r1912477+.patch
Patch34: httpd-2.4.62-freebind.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1947496
Patch35: httpd-2.4.62-proxy-ws-idle-timeout.patch
# Bug fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=1397243
Patch100: httpd-2.4.43-enable-sslv3.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1932442
Patch101: httpd-2.4.48-full-release.patch
Patch60: httpd-2.4.43-enable-sslv3.patch
Patch61: httpd-2.4.59-no-engine.patch
# https://bz.apache.org/bugzilla/show_bug.cgi?id=69197
Patch102: httpd-2.4.62-r1919325.patch
# https://issues.redhat.com/browse/RHEL-36755
Patch103: httpd-2.4.62-engine-fallback.patch
# https://issues.redhat.com/browse/RHEL-68660
Patch104: httpd-2.4.62-r1921299.patch
Patch62: httpd-2.4.62-r1919325.patch
# Security fixes
# https://bugzilla.redhat.com/show_bug.cgi?id=...
#
# https://bugzilla.redhat.com/show_bug.cgi?id=
# Patch200: httpd-2.4.X-CVE-XXXX-YYYYY.patch
# Patch200: ...
# Apache-2.0: everything
# BSD-3-Clause: util_pcre.c, ap_regex.h
# metamail AND HPND-sell-variant:: server/util_md5.c:
# Spencer-94: modules/metadata/mod_mime_magic.c
License: Apache-2.0 AND (BSD-3-Clause AND metamail AND HPND-sell-variant AND Spencer-94)
License: ASL 2.0
BuildRequires: gcc, autoconf, pkgconfig, findutils, xmlto
BuildRequires: perl-interpreter, perl-generators, systemd-devel
BuildRequires: zlib-devel, libselinux-devel, lua-devel, brotli-devel
BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0
BuildRequires: gnupg2
BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0
BuildRequires: openldap-devel
BuildRequires: systemd-rpm-macros
Requires: system-logos-httpd
%if %{with pcre2}
BuildRequires: pcre2-devel
%endif
%if %{with pcre}
BuildRequires: pcre-devel > 5.0
%endif
BuildRequires: gnupg2
Requires: system-logos(httpd-logo-ng)
Provides: webserver
Requires: httpd-core = 0:%{version}-%{release}
Recommends: mod_http2, mod_lua
@ -133,10 +148,12 @@ Provides: mod_proxy_uwsgi = %{version}-%{release}
Requires: /etc/mime.types
Requires: httpd-tools = %{version}-%{release}
Requires: httpd-filesystem = %{version}-%{release}
%if 0%{?fedora} > 39 || 0%{?rhel} > 9
Requires: apr-util-1(dbm)%{_isa}
%endif
Requires(pre): httpd-filesystem
Conflicts: apr < 1.5.0-1
Conflicts: httpd < 2.4.53-3
Conflicts: mod_http2 < 1.15.19-3
Conflicts: httpd < 2.4.53-2
Obsoletes: mod_proxy_uwsgi < 2.0.17.1-2
%description core
@ -144,8 +161,8 @@ The httpd-core package contains essential httpd binaries.
%package devel
Summary: Development interfaces for the Apache HTTP Server
Requires: apr-devel, apr-util-devel, pkgconfig
Requires: httpd-core = %{version}-%{release}
Requires: apr-devel, apr-util-devel, pkgconfig, libtool
Requires: httpd-core = 0:%{version}-%{release}
%description devel
The httpd-devel package contains the APXS binary and other files
@ -189,9 +206,11 @@ Epoch: 1
BuildRequires: openssl-devel
Requires(pre): httpd-filesystem
Requires: httpd-core = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
Requires: sscg >= 3.0.0-7, /usr/bin/hostname
Requires: sscg >= 3.0.3, /usr/bin/hostname
# Require an OpenSSL which supports PROFILE=SYSTEM
Conflicts: openssl-libs < 1:1.0.1h-4
# mod_ssl/mod_nss cannot both be loaded simultaneously
Conflicts: mod_nss
%description -n mod_ssl
The mod_ssl module provides strong cryptography for the Apache HTTP
@ -237,33 +256,7 @@ written in the Lua programming language.
%prep
%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
%setup -q
%patch2 -p1 -b .apxs
%patch3 -p1 -b .deplibs
%patch19 -p1 -b .detectsystemd
%patch21 -p1 -b .r1842929+
%patch22 -p1 -b .mod_systemd
%patch23 -p1 -b .export
%patch24 -p1 -b .corelimit
%patch25 -p1 -b .selinux
%patch26 -p1 -b .icons
%patch27 -p1 -b .cachehardmax
%patch28 -p1 -b .socketactivation
%patch29 -p1 -b .sslciphdefault
%patch30 -p1 -b .sslprotdefault
%patch31 -p1 -b .logjournal
%patch32 -p1 -b .proxy-ws-idle-timeout
%patch33 -p1 -b .freebind
%patch34 -p1 -b .separatesystemd
%patch35 -p1 -b .r1912477+
%patch100 -p1 -b .enable-sslv3
%patch101 -p1 -b .full-release
%patch102 -p1 -b .r1919325
%patch103 -p0 -b .engine-fallback
%patch104 -p1 -b .r1921299
%autosetup -p1 -S gendiff
# Patch in the vendor string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@ -303,16 +296,16 @@ s,@DOCROOT@,%{docroot},g
s,@LOGDIR@,%{_localstatedir}/log/httpd,g
' < $RPM_SOURCE_DIR/httpd.conf.xml \
> httpd.conf.xml
sed 's|@BUG_REPORT_URL@|%{bugurl}|g' < $RPM_SOURCE_DIR/apachectl.xml > apachectl.xml
xmlto man ./httpd.conf.xml
xmlto man $RPM_SOURCE_DIR/htcacheclean.service.xml
xmlto man $RPM_SOURCE_DIR/httpd.service.xml
# apachectl.xml => apachectl.8
xmlto man %{SOURCE47}
xmlto man apachectl.xml
: Building with MMN %{mmn}, MMN-ISA %{mmnisa}
: Default MPM is %{mpm}, vendor string is '%{vstring}'
: Regex Engine: PCRE=%{with pcre} PCRE2=%{with pcre2}
%build
# forcibly prevent use of bundled apr, apr-util, pcre
@ -325,11 +318,7 @@ autoheader && autoconf || exit 1
%{__perl} -pi -e "s:\@exp_installbuilddir\@:%{_libdir}/httpd/build:g" \
support/apxs.in
export CFLAGS=$RPM_OPT_FLAGS
export LDFLAGS="-Wl,-z,relro,-z,now"
# Hard-code path to links to avoid unnecessary builddep
export LYNX_PATH=/usr/bin/links
%set_build_flags
# Build the daemon
./configure \
@ -357,22 +346,33 @@ export LYNX_PATH=/usr/bin/links
--with-suexec-uidmin=1000 --with-suexec-gidmin=1000 \
--with-brotli \
--enable-pie \
--with-pcre=/usr/bin/pcre-config \
%if %{with pcre2}
--with-pcre2=%{_bindir}/pcre2-config \
%endif
%if %{with pcre}
--with-pcre=%{_bindir}/pcre-config \
%endif
--enable-mods-shared=all \
--enable-ssl --with-ssl --disable-distcache \
--enable-proxy --enable-proxy-fdpass \
--enable-cache \
--enable-disk-cache \
--enable-ldap --enable-authnz-ldap \
--enable-cgid --enable-cgi \
--enable-cgid --enable-cgi --enable-authnz-fcgi \
--enable-cgid-fdpassing \
--enable-authn-anon --enable-authn-alias \
--enable-authnz-fcgi \
--enable-systemd \
--disable-imagemap --disable-file-cache \
--disable-http2 \
--disable-md \
$*
if grep -q ac_cv_have_threadsafe_pollset=no config.log; then
cat config.log
: Failed to find thread-safe APR.
exit 1
fi
%make_build
%install
@ -411,8 +411,9 @@ touch -r $RPM_SOURCE_DIR/00-mpm.conf \
# install systemd override drop directory
# Web application packages can drop snippets into this location if
# they need ExecStart[pre|post].
mkdir $RPM_BUILD_ROOT%{_unitdir}/httpd.service.d
mkdir $RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d
mkdir $RPM_BUILD_ROOT%{_unitdir}/httpd.service.d \
$RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/httpd.service.d
install -m 644 -p $RPM_SOURCE_DIR/10-listen443.conf \
$RPM_BUILD_ROOT%{_unitdir}/httpd.socket.d/10-listen443.conf
@ -477,6 +478,7 @@ cat > $RPM_BUILD_ROOT%{_rpmconfigdir}/macros.d/macros.httpd <<EOF
%%_httpd_contentdir %{contentdir}
%%_httpd_moddir %%{_libdir}/httpd/modules
%%_httpd_requires Requires: httpd-mmn = %%{_httpd_mmn}
%%_httpd_statedir %%{_localstatedir}/lib/httpd
EOF
# Handle contentdir
@ -512,9 +514,10 @@ ln -s ../../pixmaps/poweredby.png \
$RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png
# Symlink for the system logo
%if 0%{?rhel} >= 9
ln -s ../../pixmaps/system-noindex-logo.png \
$RPM_BUILD_ROOT%{contentdir}/icons/system_noindex_logo.png
%endif
# symlinks for /etc/httpd
rmdir $RPM_BUILD_ROOT/etc/httpd/{state,run}
@ -578,9 +581,12 @@ sed -i '/instdso/s,top_srcdir,top_builddir,' \
cp -p $RPM_BUILD_ROOT%{_libdir}/httpd/build/config_vars.mk \
$RPM_BUILD_ROOT%{_libdir}/httpd/build/vendor_config_vars.mk
# Sanitize CFLAGS in standard config_vars.mk
sed '/^CFLAGS/s,=.*$,= -O2 -g -Wall,' \
# Sanitize CFLAGS & LIBTOOL in standard config_vars.mk
sed -e '/^[A-Z]*FLAGS = /s,-specs[^ ]*,,g' \
-e '/^LIBTOOL/s,/.*/libtool,%{_bindir}/libtool,' \
-i $RPM_BUILD_ROOT%{_libdir}/httpd/build/config_vars.mk
diff -u $RPM_BUILD_ROOT%{_libdir}/httpd/build/vendor_config_vars.mk \
$RPM_BUILD_ROOT%{_libdir}/httpd/build/config_vars.mk || true
sed 's/config_vars.mk/vendor_config_vars.mk/' \
$RPM_BUILD_ROOT%{_bindir}/apxs \
@ -609,7 +615,6 @@ rm -rf $RPM_BUILD_ROOT/etc/httpd/conf/{original,extra}
%pre filesystem
%sysusers_create_compat %{SOURCE49}
%post
%systemd_post httpd.service htcacheclean.service httpd.socket
@ -677,7 +682,6 @@ exit $rv
%config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/00-brotli.conf
%config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/00-systemd.conf
%{_libdir}/httpd/modules/mod_brotli.so
%{_libdir}/httpd/modules/mod_systemd.so
@ -687,7 +691,6 @@ exit $rv
%{_unitdir}/*.socket
%files core
%doc ABOUT_APACHE README CHANGES LICENSE VERSIONING NOTICE
%doc docs/conf/extra/*.conf
%doc instance.conf server-status.conf
@ -697,6 +700,7 @@ exit $rv
%{_sysconfdir}/httpd/state
%{_sysconfdir}/httpd/run
%dir %{_sysconfdir}/httpd/conf
%config(noreplace) %{_sysconfdir}/httpd/conf/httpd.conf
%config(noreplace) %{_sysconfdir}/httpd/conf/magic
@ -761,6 +765,7 @@ exit $rv
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
%files filesystem
%dir %{_sysconfdir}/httpd
%dir %{_sysconfdir}/httpd/conf.d
@ -772,6 +777,7 @@ exit $rv
%dir %{contentdir}/icons
%attr(755,root,root) %dir %{_unitdir}/httpd.service.d
%attr(755,root,root) %dir %{_unitdir}/httpd.socket.d
%attr(755,root,root) %dir %{_sysconfdir}/systemd/system/httpd.service.d
%{_sysusersdir}/httpd.conf
%files tools
@ -825,234 +831,243 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Fri Jan 10 2025 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1.2
- Resolves: RHEL-73580 - RewriteRule proxying to UDS (unix domain socket)
configured in .htaccess doesn't work on httpd-2.4.62-1
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.4.62-5
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018
* Mon Aug 12 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-4
- Resolves: RHEL-50031 - httpd default config changes
* Thu Aug 08 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-3
- Resolves: RHEL-53632 - RFE: httpd, add IP_FREEBIND support for Listen
- Resolves: RHEL-53722 - [RFE] ProxyWebsocketIdleTimeout from
httpd mod_proxy_wstunnel
* Thu Nov 28 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1.1
- mod_ssl: fix loading keys via ENGINE API
Resolves: RHEL-69456
* Sat Aug 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-2
- Resolves: RHEL-52722 - Regression introduced by CVE-2024-38474 fix
* Sat Aug 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1
* Fri Jul 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.62-1
- new version 2.4.62
- Resolves: RHEL-52724 - Regression introduced by CVE-2024-38474 fix
- Resolves: RHEL-33446
* Fri Jul 19 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.59-7
- Resolves: RHEL-49856: htcacheclean.service missing [Install] section
* Wed Jul 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.61-1
- new version 2.4.61
- Resolves: RHEL-45753 - httpd: Potential SSRF in
mod_rewrite (CVE-2024-39573)
- Resolves: RHEL-45757 - httpd: null pointer dereference in
mod_proxy (CVE-2024-38477)
- Resolves: RHEL-45776 - httpd: Improper escaping of output in
mod_rewrite (CVE-2024-38475)
- Resolves: RHEL-45791 - httpd: Encoding problem in
mod_proxy (CVE-2024-38473)
- Resolves: RHEL-45811 - httpd: Substitution encoding issue in
mod_rewrite (CVE-2024-38474)
- Resolves: RHEL-46051 - httpd: Security issues via backend applications
whose response headers are malicious or exploitable (CVE-2024-38476)
* Thu May 30 2024 Joe Orton <jorton@redhat.com> - 2.4.59-6
- mod_ssl: restore SSL_OP_NO_RENEGOTIATE support
Related: RHEL-14668
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.59-4.4
- Bump release for June 2024 mass rebuild
* Tue May 21 2024 Joe Orton <jorton@redhat.com> - 2.4.59-5
- mod_ssl: defer ENGINE_finish() calls to a cleanup
Resolves: RHEL-36755
* Thu May 23 2024 Joe Orton <jorton@redhat.com> - 2.4.59-3.4
- mod_ssl: disable ENGINE support
Resolves: RHEL-33734
* Mon May 20 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.59-4
- Resolves: RHEL-6575 - [RFE] httpd use systemd-sysusers
* Fri May 17 2024 Joe Orton <jorton@redhat.com> - 2.4.59-3.2
- mod_ssl: use SSL_OP_NO_RENEGOTIATION
* Wed May 08 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.59-3
- Related: RHEL-14668 - RFE: httpd rebase to 2.4.59
* Fri May 3 2024 Joe Orton <jorton@redhat.com> - 2.4.59-3.1
- apachectl(8): use BUG_REPORT_URL from /etc/os-release
- apachectl(8): fix grammar (#2278748)
- httpd.service.xml(8): mention ProtectSystem= setting
* Wed May 8 2024 Joe Orton <jorton@redhat.com> - 2.4.59-2
- Resolves: RHEL-35870 - httpd mod_cgi/cgid unification
* Wed May 1 2024 Joe Orton <jorton@redhat.com> - 2.4.59-3
- add ServerTokens: Full-Release support
* Fri May 03 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.59-1
- new version 2.4.59
- Resolves: RHEL-14668 - RFE: httpd rebase to 2.4.59
- Resolves: RHEL-31856 - httpd: HTTP response splitting
(CVE-2023-38709)
- Resolves: RHEL-31859 - httpd: HTTP Response Splitting in multiple
modules (CVE-2024-24795)
* Mon Apr 15 2024 Joe Orton <jorton@redhat.com> - 2.4.59-2
- mod_ssl: add DH param handling fix (r1916863)
* Wed Feb 7 2024 Joe Orton <jorton@redhat.com> - 2.4.57-8
- mod_xml2enc: fix media type handling
Resolves: RHEL-17686
- mod_dav: add DavBasePath
Resolves: RHEL-6600
* Fri Apr 5 2024 Joe Orton <jorton@redhat.com> - 2.4.59-1
- update to 2.4.59
* Mon Feb 05 2024 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-7
- Resolves: RHEL-14447 - httpd: mod_macro: out-of-bounds read
vulnerability (CVE-2023-31122)
* Thu Mar 28 2024 Joe Orton <jorton@redhat.com> - 2.4.58-8
- rebuild to fix changelog ordering
* Wed Oct 4 2023 Joe Orton <jorton@redhat.com> - 2.4.57-6
- Resolves: RHEL-5071 - mod_dav_fs: add DavLockDBType
- mod_dav_fs: add global mutex around lockdb interaction
* Thu Mar 7 2024 Rahul Sundaram <sundaram@fedoraproject.org> - 2.4.58-7
- Update Systemd security settings as part of https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
- updated httpd.service(5) (Joe Orton)
* Thu Jul 20 2023 Tomas Korbar <tkorbar@redhat.com> - 2.4.57-5
- Fix issue found by covscan
- Related: #2222001
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.58-6
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Jul 18 2023 Joe Orton <jorton@redhat.com> - 2.4.57-4
- Resolves: #2217726 - Make PROPFIND tolerant of deletion race
* Sat Jan 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.58-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Tue Jul 11 2023 Tomas Korbar <tkorbar@redhat.com> - 2.4.57-3
- Resolves: #2222001 - mod_status lists BusyWorkers IdleWorkers keys twice
* Fri Jan 5 2024 Joe Orton <jorton@redhat.com> - 2.4.58-4
- fix OpenSSL 3.0 deprecation warnings (r1913912, r1915067)
- mod_ssl: move to provider API for pkcs11 support (#2253014)
* Fri Apr 14 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-2
- Resolves: #2186645 - Fix issue found by covscan in httpd package
- Resolves: #2173295 - Include Apache httpd module mod_authnz_fcgi
* Fri Dec 8 2023 Joe Orton <jorton@redhat.com> - 2.4.58-3
- mod_dav_fs: add DAVLockDBType, use global lock around lockdb
- fix build with libxml2 2.12
* Thu Nov 2 2023 Joe Orton <jorton@redhat.com> - 2.4.58-2
- add dependency on apr-util-1(dbm) so a DBM provider is present
* Fri Oct 20 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.58-1
- new version 2.4.58
* Fri Oct 06 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-4
- SPDX migration
* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.57-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jul 5 2023 Joe Orton <jorton@redhat.com> - 2.4.57-2
- package /etc/systemd/httpd/httpd.service.d
- also sanitize LDFLAGS/CXXFLAGS in non-vendor config_vars.mk
* Tue Apr 11 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.57-1
- Resolves: #2184403 - rebase httpd to 2.4.57
- Resolves: #2177753 - CVE-2023-25690 httpd: HTTP request splitting with
mod_rewrite and mod_proxy
* Mon Jan 30 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-11
- Resolves: #2162500 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write
of zero byte
- Resolves: #2162486 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting
- Resolves: #2162510 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request
smuggling
* Tue Jan 24 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-10
- Resolves: #2160667 - prevent sscg creating /dhparams.pem
* Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-9
- Resolves: #2143176 - Dependency from mod_http2 on httpd broken
* Tue Dec 06 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-8
- Resolves: #2151313 - reduce AH03408 log level from WARNING to INFO
* Wed Jul 20 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-7
- Resolves: #2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request
smuggling
- Resolves: #2097032 - CVE-2022-28615 httpd: out-of-bounds read in
ap_strcmp_match()
- Resolves: #2098248 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped
by hop-by-hop mechanism
- Resolves: #2097016 - CVE-2022-28614 httpd: out-of-bounds read via ap_rwrite()
- Resolves: #2097452 - CVE-2022-29404 httpd: mod_lua: DoS in r:parsebody
- Resolves: #2097459 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability
- Resolves: #2097481 - CVE-2022-30556 httpd: mod_lua: Information disclosure
with websockets
* Mon Jun 27 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-6
- Related: #2065677 - httpd minimisation for ubi-micro
* Fri Jun 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-5
- Resolves: #2098056 - mod_ldap: High CPU usage at apr_ldap_rebind_remove()
* Thu Jun 16 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-4
- Resolves: #2095838 - mod_mime_magic: invalid type 0 in mconvert()
* Wed Jun 01 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-3
- Resolves: #2065677 - httpd minimisation for ubi-micro
- minimize httpd dependencies (new httpd-core package)
- mod_systemd and mod_brotli are now packaged in the main httpd package
* Tue May 31 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-1
- new version 2.4.53
- Resolves: #2079939 - httpd rebase to 2.4.53
- Resolves: #2075406 - httpd.conf uses icon bomb.gif for all files/dirs ending
with core
- new version 2.4.57
* Mon Apr 11 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-8
- Resolves: #2073459 - Cannot override LD_LIBARY_PATH in Apache HTTPD using
SetEnv or PassEnv
* Thu Mar 09 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.56-1
- new version 2.4.56
* Mon Mar 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-7
- Resolves: #2065251 - CVE-2022-22720 httpd: HTTP request smuggling
vulnerability in Apache HTTP Server 2.4.52 and earlier
- Resolves: #2066311 - CVE-2021-44224 httpd: possible NULL dereference or SSRF
in forward proxy configurations
* Tue Mar 7 2023 Joe Orton <jorton@redhat.com> - 2.4.55-3
- build and load mod_authnz_fcgi
* Mon Jan 10 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-5
- Resolves: #2035064 - CVE-2021-44790 httpd: mod_lua: possible buffer overflow
when parsing multipart content
* Fri Feb 03 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.55-2
- rebuilt with new apr/apr-util
* Mon Dec 06 2021 Neal Gompa <ngompa@centosproject.org> - 2.4.51-4
- Use NAME from os-release(5) for vendor string
Resolves: #2029071 - httpd on CentOS identifies as RHEL
* Wed Jan 25 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.55-1
- new version 2.4.55
* Fri Dec 3 2021 Joe Orton <jorton@redhat.com> - 2.4.51-3
- add fixes for static analyzer issues (#1938740)
* Tue Jan 24 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-12
- prevent sscg writing /dhparams.pem
* Mon Nov 08 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-2
- Resolves: #2005416 - httpd default configuration changes
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.54-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Tue Oct 19 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.51-1
- new version 2.4.51 (#2011090)
* Tue Dec 20 2022 Joe Orton <jorton@redhat.com> - 2.4.54-10
- htcacheclean.service: add [Install] section, PrivateTmp=yes,
Environment=LANG=C (#2149714)
* Fri Sep 17 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-1
- new version 2.4.49 (#2005339)
* Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-9
- move SELinux context logging to mod_systemd
* Wed Sep 15 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-18
- Resolves: #2004143 - RFE: mod_ssl: allow sending multiple CA names which
differ only in case
* Mon Dec 19 2022 Joe Orton <jorton@redhat.com> - 2.4.54-8
- define _httpd_statedir macro
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.48-17
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Nov 30 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-7
- reduce AH03408 level to INFO in proxy_util.c
* Fri Aug 06 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-16
- Resolves: #1956386 - Apache trademark update - new logo
* Thu Oct 13 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-6
- Provide a sysusers.d file to get user() and group() provides (#2134430)
* Fri Aug 6 2021 Florian Weimer <fweimer@redhat.com> - 2.4.48-14
- Rebuild to pick up new build flags from redhat-rpm-config (#1984652)
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.54-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Wed Jul 28 2021 Joe Orton <jorton@redhat.com> - 2.4.48-13
- mod_ssl: OpenSSL 3 compatibility update (#1986822)
* Fri Jun 24 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-4
- fix downgrade/upgrade issues
- mod_ssl and other modules should depend only on httpd-core package
* Thu Jul 15 2021 Joe Orton <jorton@redhat.com> - 2.4.48-12
- mod_ssl: add SSLKEYLOGFILE support (#1982656)
* Fri Jun 17 2022 Joe Orton <jorton@redhat.com> - 2.4.54-3
- update PCRE config selection
* Mon Jul 12 2021 Joe Orton <jorton@redhat.com> - 2.4.48-11
- mod_cgid: fix doubled script timeout (#1977234)
* Thu Jun 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.54-2
- new version 2.4.54
* Fri Jul 9 2021 Joe Orton <jorton@redhat.com> - 2.4.48-10
- fix release in ServerTokens Full-Release (#1932442)
* Mon May 16 2022 Joe Orton <jorton@redhat.com> - 2.4.53-7
- disable package notes
* Wed Jul 7 2021 Joe Orton <jorton@redhat.com> - 2.4.48-9
- use OOMPolicy=continue in httpd.service, httpd@.service (#1947475)
* Fri May 13 2022 Joe Orton <jorton@redhat.com> - 2.4.53-6
- use %%set_build_flags macro
* Thu Jul 01 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-8
- Resolves: #1950021 - [RFE] Update httpd directive SSLProxyMachineCertificateFile
to be able to handle certs without matching private key
* Thu Apr 21 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-5
- don't use bomb.gif icon for all files/dirs ending with core
* Thu Jul 01 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-7
- Resolves: #1950011 - unorderly connection close when client attempts
renegotiation
* Wed Apr 20 2022 Joe Orton <jorton@redhat.com> - 2.4.53-4
- switch to PCRE2 for new releases
* Thu Jul 01 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-6
- Resolves: #1932442 - "ServerTokens Full-Release" support
* Thu Apr 07 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-3
- Related: #2070517 - fix issue when mod_systemd is not loaded
* Fri Jun 25 2021 Joe Orton <jorton@redhat.com> - 2.4.48-5
- mod_ssl: fix loading encrypted privkeys with OpenSSL 3.0 (#1976080)
* Wed Mar 30 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-2
- Resolves: #2070517 - Allow install httpd with smaller footprint
- try to minimize httpd dependencies (new httpd-core package)
- mod_systemd and mod_brotli are now in the main httpd package
* Fri Jun 25 2021 Joe Orton <jorton@redhat.com> - 2.4.48-4
- add OpenSSL v3 compatibility fixes (#1975201)
* Thu Mar 17 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.53-1
- new version 2.4.53
- fixes CVE-2022-23943, CVE-2022-22721, CVE-2022-22720 and CVE-2022-22719
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.48-3
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Feb 1 2022 Joe Orton <jorton@redhat.com> - 2.4.52-5
- rebuild for new OpenLDAP (#2032699)
* Tue Jun 08 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-2
- Resolves: #1947099 - centralizing default index.html for httpd
* Mon Jan 31 2022 Joe Orton <jorton@redhat.com> - 2.4.52-4
- add libtool to Requires: for httpd-devel (#2048281)
* Wed Jun 02 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-1
- new version 2.4.48
- Resolves: #1952817 - rebase to 2.4.48
* Fri Jan 28 2022 Joe Orton <jorton@redhat.com> - 2.4.52-3
- use LIBTOOL=/usr/bin/libtool in the non-vendor config_vars.mk
* Wed May 26 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.46-15
- Resolves: #1949606 - RFE: httpd, add IP_FREEBIND support for Listen
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.52-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Wed Dec 22 2021 Joe Orton <jorton@redhat.com> - 2.4.52-1
- update to 2.4.52
* Mon Dec 06 2021 Neal Gompa <ngompa@fedoraproject.org> - 2.4.51-3
- Use NAME from os-release(5) for vendor string
Related: #2029071 - httpd on CentOS identifies as RHEL
* Wed May 19 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-14
- Resolves: #1949969 - httpd : mod_proxy should allow to specify
Proxy-Authorization in ProxyRemote directive
* Tue Oct 12 2021 Joe Orton <jorton@redhat.com> - 2.4.51-2
- mod_ssl: updated patch for OpenSSL 3.0 compatibility (#2007178)
- mod_deflate/core: add two brigade handling correctness fixes
* Thu Apr 22 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-13
- Resolves: #1952546 - mod_proxy_wstunnel.html is a malformed XML
* Thu Oct 07 2021 Patrick Uiterwijk <patrick@puiterwijk.org> - 2.4.51-1
- new version 2.4.51
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 2.4.46-12
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Oct 05 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.50-1
- new version 2.4.50
* Tue Apr 13 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-11
- Resolves: #1947496 - [RFE] ProxyWebsocketIdleTimeout from httpd mod_proxy_wstunnel
* Wed Sep 22 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-3
- Rebuilt for CI testing
* Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-10
* Thu Sep 16 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.49-1
- new version 2.4.49 (#2004776)
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 2.4.48-8
- Rebuilt with OpenSSL 3.0.0
* Fri Aug 06 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-7
- add symlink to system logo for noindex test page
* Fri Aug 6 2021 Joe Orton <jorton@redhat.com> - 2.4.48-4
- add OpenSSL 3.x compatibility patch
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.48-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jul 16 2021 Joe Orton <jorton@redhat.com> - 2.4.48-2
- mod_cgi/mod_cgid: update to unification from trunk
- httpd.conf: add note on care with Listen and starting at boot
* Wed Jun 02 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.48-1
- new version 2.4.48
- Resolves: #1964746 - httpd-2.4.48 is available
* Mon May 03 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-13
- Related: #1934739 - Apache trademark update - new logo
* Fri Apr 9 2021 Joe Orton <jorton@redhat.com> - 2.4.46-12
- use OOMPolicy=continue in httpd.service, httpd@.service (#1947475)
* Wed Mar 31 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-11
- Resolves: #1934739 - Apache trademark update - new logo
* Tue Feb 23 2021 Joe Orton <jorton@redhat.com> - 2.4.46-10
- add Conflicts: with mod_nss
- drop use of apr_ldap_rebind (r1878890, #1847585)
* Mon Feb 01 2021 Lubos Uhliarik <luhliari@redhat.com> - 2.4.46-9
- Resolves: #1914182 - RFE: CustomLog should be able to use journald
