4bd05b999fd41fe04702e5e5500a2628c0f0d6da..2a6ec313c8d6b3aab27f649ba47e551e77345762
2017-10-11 CentOS Sources
debrand httpd-2.4.6-67.el7_4.5
2a6ec3
2017-10-11 CentOS Sources
import httpd-2.4.6-67.el7_4.5
3540ca
1 files added
1 files modified
27 ■■■■■ changed files
SOURCES/httpd-2.4.6-CVE-2017-9798.patch 17
SPECS/httpd.spec 10
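--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2017-9798.patch
@@ -0,0 +1,17 @@
+diff --git a/server/core.c b/server/core.c
+index f60e8fa..245fcb6 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -2061,6 +2061,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(cmd_parms *cmd,
+             /* method has not been registered yet, but resorce restriction
+              * is always checked before method handling, so register it.
+              */
++            if (cmd->pool == cmd->temp_pool) {
++                /* In .htaccess, we can't globally register new methods. */
++                return apr_psprintf(cmd->pool, "Could not register method '%s' "
++                                    "for %s from .htaccess configuration",
++                                     method, cmd->cmd->name);
++            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+         }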
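Review bot: The guard `cmd->pool == cmd->temp_pool` in the inner patch is the only thing keeping a `.htaccess` `<Limit>` away from `ap_method_register()`, yet its comment does not say why pool equality identifies `.htaccess` context or what breaks without it. I would expand it to something like `/* .htaccess is parsed with pool == temp_pool (presumably the per-request pool); a method registered there would outlive its pool, which is the use-after-free in CVE-2017-9798. */` so the check is not later simplified away. The new branch also returns an error string, so an unregistered or misspelled method name in an existing `.htaccess` will presumably change from a silent registration into a configuration error for that directory; it is worth auditing `.htaccess` files for such names before rolling this build out. The body of `ap_limit_section` starts and ends outside the hunk, so whether any other path reaches `ap_method_register` with a short-lived pool cannot be judged from here.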
SPECS/httpd.spec
@@ -15,7 +15,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.6
Release: 67%{?dist}.2
Release: 67%{?dist}.5
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source1: centos-noindex.tar.gz
@@ -176,6 +176,7 @@
Patch217: httpd-2.4.6-CVE-2017-7668.patch
Patch218: httpd-2.4.6-CVE-2017-7679.patch
Patch219: httpd-2.4.6-CVE-2017-9788.patch
Patch220: httpd-2.4.6-CVE-2017-9798.patch
License: ASL 2.0
Group: System Environment/Daemons
@@ -400,6 +401,7 @@
%patch217 -p1 -b .cve7668
%patch218 -p1 -b .cve7679
%patch219 -p1 -b .cve9788
%patch220 -p1 -b .cve9798
# Patch in the vendor string and the release string
sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -831,12 +833,16 @@
%{_sysconfdir}/rpm/macros.httpd
%changelog
* Tue Aug 15 2017 CentOS Sources <bugs@centos.org> - 2.4.6-67.el7.centos.2
* Wed Oct 11 2017 CentOS Sources <bugs@centos.org> - 2.4.6-67.el7.centos.5
- Remove index.html, add centos-noindex.tar.gz
- change vstring
- change symlink for poweredby.png
- update welcome.conf with proper aliases
* Tue Sep 19 2017 LuboŇ° Uhliarik <luhliari@redhat.com> - 2.4.6-67.5
- Resolves: #1493064 - CVE-2017-9798 httpd: Use-after-free by limiting
  unregistered HTTP method
* Wed Jul 26 2017 LuboŇ° Uhliarik <luhliari@redhat.com> - 2.4.6-67.2
- Resolves: #1463194 - CVE-2017-3167 httpd: ap_get_basic_auth_pw()
  authentication bypass