From 78d820a076f89151dbfa8a52b7ca4b3cfb8d1650 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 09 2021 19:30:22 +0000 Subject: import httpd-2.4.37-43.module+el8.5.0+13064+c4b14997 --- diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/httpd-2.4.37-CVE-2021-26691.patch b/SOURCES/httpd-2.4.37-CVE-2021-26691.patch new file mode 100644 index 0000000..786aea2 --- /dev/null +++ b/SOURCES/httpd-2.4.37-CVE-2021-26691.patch @@ -0,0 +1,13 @@ +diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c +index 049255d..af70f6b 100644 +--- a/modules/session/mod_session.c ++++ b/modules/session/mod_session.c +@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z, + static int identity_count(void *v, const char *key, const char *val) + { + int *count = v; +- *count += strlen(key) * 3 + strlen(val) * 3 + 1; ++ *count += strlen(key) * 3 + strlen(val) * 3 + 2; + return 1; + } + diff --git a/SOURCES/httpd-2.4.37-CVE-2021-40438.patch b/SOURCES/httpd-2.4.37-CVE-2021-40438.patch new file mode 100644 index 0000000..39758c7 --- /dev/null +++ b/SOURCES/httpd-2.4.37-CVE-2021-40438.patch @@ -0,0 +1,126 @@ +diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c +index fb897a9..38dbb24 100644 +--- a/modules/mappers/mod_rewrite.c ++++ b/modules/mappers/mod_rewrite.c +@@ -619,6 +619,13 @@ static unsigned is_absolute_uri(char *uri, int *supportsqs) + return 6; + } + break; ++ ++ case 'u': ++ case 'U': ++ if (!ap_cstr_casecmpn(uri, "nix:", 4)) { /* unix: */ ++ *sqs = 1; ++ return (uri[4] == '/' && uri[5] == '/') ? 7 : 5; ++ } + } + + return 0; +diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c +index f383996..6a9ef55 100644 +--- a/modules/proxy/mod_proxy.c ++++ b/modules/proxy/mod_proxy.c +@@ -1717,7 +1717,8 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url) + * the UDS path... ignore it + */ + if (!strncasecmp(url, "unix:", 5) && +- ((ptr = ap_strchr_c(url, '|')) != NULL)) { ++ ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) { ++ + /* move past the 'unix:...|' UDS path info */ + const char *ret, *c; + +diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c +index 7714b6c..3dd570c 100644 +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -2084,33 +2084,45 @@ static int ap_proxy_retry_worker(const char *proxy_function, proxy_worker *worke + * were passed a UDS url (eg: from mod_proxy) and adjust uds_path + * as required. + */ +-static void fix_uds_filename(request_rec *r, char **url) ++static int fix_uds_filename(request_rec *r, char **url) + { +- char *ptr, *ptr2; +- if (!r || !r->filename) return; ++ char *uds_url = r->filename + 6, *origin_url; + + if (!strncmp(r->filename, "proxy:", 6) && +- (ptr2 = ap_strcasestr(r->filename, "unix:")) && +- (ptr = ap_strchr(ptr2, '|'))) { ++ !ap_cstr_casecmpn(uds_url, "unix:", 5) && ++ (origin_url = ap_strchr(uds_url + 5, '|'))) { ++ char *uds_path = NULL; ++ apr_size_t url_len; + apr_uri_t urisock; + apr_status_t rv; +- *ptr = '\0'; +- rv = apr_uri_parse(r->pool, ptr2, &urisock); +- if (rv == APR_SUCCESS) { +- char *rurl = ptr+1; +- char *sockpath = ap_runtime_dir_relative(r->pool, urisock.path); +- apr_table_setn(r->notes, "uds_path", sockpath); +- *url = apr_pstrdup(r->pool, rurl); /* so we get the scheme for the uds */ +- /* r->filename starts w/ "proxy:", so add after that */ +- memmove(r->filename+6, rurl, strlen(rurl)+1); +- ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, +- "*: rewrite of url due to UDS(%s): %s (%s)", +- sockpath, *url, r->filename); +- } +- else { +- *ptr = '|'; +- } +- } ++ ++ *origin_url = '\0'; ++ rv = apr_uri_parse(r->pool, uds_url, &urisock); ++ *origin_url++ = '|'; ++ ++ if (rv == APR_SUCCESS && urisock.path && (!urisock.hostname ++ || !urisock.hostname[0])) { ++ uds_path = ap_runtime_dir_relative(r->pool, urisock.path); ++ } ++ ++ if (!uds_path) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292) ++ "Invalid proxy UDS filename (%s)", r->filename); ++ return 0; ++ } ++ apr_table_setn(r->notes, "uds_path", uds_path); ++ ++ /* Remove the UDS path from *url and r->filename */ ++ url_len = strlen(origin_url); ++ *url = apr_pstrmemdup(r->pool, origin_url, url_len); ++ memcpy(uds_url, *url, url_len + 1); ++ ++ ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, ++ "*: rewrite of url due to UDS(%s): %s (%s)", ++ uds_path, *url, r->filename); ++ } ++ ++ return 1; + } + + PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker, +@@ -2128,7 +2140,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker, + "%s: found worker %s for %s", + (*worker)->s->scheme, (*worker)->s->name, *url); + *balancer = NULL; +- fix_uds_filename(r, url); ++ if (!fix_uds_filename(r, url)) { ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } + access_status = OK; + } + else if (r->proxyreq == PROXYREQ_PROXY) { +@@ -2159,7 +2173,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker, + * regarding the Connection header in the request. + */ + apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1"); +- fix_uds_filename(r, url); ++ if (!fix_uds_filename(r, url)) { ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } + } + } + } diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index 61f7b44..1964e91 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.37 -Release: 41%{?dist} +Release: 43%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source2: httpd.logrotate @@ -192,6 +192,10 @@ Patch211: httpd-2.4.37-CVE-2020-11984.patch Patch212: httpd-2.4.37-CVE-2021-30641.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1968307 Patch213: httpd-2.4.37-CVE-2021-26690.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2005117 +Patch214: httpd-2.4.37-CVE-2021-40438.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1966732 +Patch215: httpd-2.4.37-CVE-2021-26691.patch License: ASL 2.0 Group: System Environment/Daemons @@ -385,6 +389,8 @@ interface for storing and accessing per-user session data. %patch211 -p1 -b .CVE-2020-11984 %patch212 -p1 -b .CVE-2021-30641 %patch213 -p1 -b .CVE-2021-26690 +%patch214 -p1 -b .CVE-2021-40438 +%patch215 -p1 -b .CVE-2021-26691 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -890,8 +896,15 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog -* Tue Nov 09 2021 CentOS Sources - 2.4.37-41.el8.centos -- Apply debranding changes +* Tue Oct 26 2021 Luboš Uhliarik - 2.4.37-43 +- Related: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via + a crafted request uri-path + +* Thu Sep 30 2021 Luboš Uhliarik - 2.4.37-42 +- Resolves: #2007235 - CVE-2021-40438 httpd:2.4/httpd: mod_proxy: SSRF via + a crafted request uri-path +- Resolves: #2014063 - CVE-2021-26691 httpd:2.4/httpd: Heap overflow in + mod_session * Fri Jul 09 2021 Luboš Uhliarik - 2.4.37-41 - Resolves: #1680111 - httpd sends reply to HTTPS GET using two TLS records