diff --git a/.gitignore b/.gitignore
index 260a2d6..9969f1d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1 @@
 SOURCES/httpd-2.4.6.tar.bz2
-SOURCES/centos-noindex.tar.gz
diff --git a/.httpd.metadata b/.httpd.metadata
index 17ede1b..d335a99 100644
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -1,2 +1 @@
 16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2
-6ce5ab3c765b9efeceb2e636e32373bc6e6ed489 SOURCES/centos-noindex.tar.gz
diff --git a/SOURCES/httpd-2.4.6-CVE-2017-15715.patch b/SOURCES/httpd-2.4.6-CVE-2017-15715.patch
new file mode 100644
index 0000000..74e3770
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2017-15715.patch
@@ -0,0 +1,190 @@
+diff --git a/include/ap_regex.h b/include/ap_regex.h
+index 5122154..349ae83 100644
+--- a/include/ap_regex.h
++++ b/include/ap_regex.h
+@@ -77,6 +77,8 @@ extern "C" {
+ #define AP_REG_NOMEM 0x20 /* nomem in our code */
+ #define AP_REG_DOTALL 0x40 /* perl's /s flag */
+
++#define AP_REG_DOLLAR_ENDONLY 0x200 /**< '$' matches at end of subject string only */
++
+ /* Error values: */
+ enum {
+ AP_REG_ASSERT = 1, /** internal error ? */
+@@ -100,6 +102,26 @@ typedef struct {
+
+ /* The functions */
+
++/**
++ * Get default compile flags
++ * @return Bitwise OR of AP_REG_* flags
++ */
++AP_DECLARE(int) ap_regcomp_get_default_cflags(void);
++
++/**
++ * Set default compile flags
++ * @param cflags Bitwise OR of AP_REG_* flags
++ */
++AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags);
++
++/**
++ * Get the AP_REG_* corresponding to the string.
++ * @param name The name (i.e. AP_REG_)
++ * @return The AP_REG_*, or zero if the string is unknown
++ *
++ */
++AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name);
++
+ /**
+ * Compile a regular expression.
+ * @param preg Returned compiled regex
+diff --git a/server/core.c b/server/core.c
+index b3240a0..e073ddf 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -48,6 +48,7 @@
+ #include "mod_core.h"
+ #include "mod_proxy.h"
+ #include "ap_listen.h"
++#include "ap_regex.h"
+
+ #include "mod_so.h" /* for ap_find_loaded_module_symbol */
+
+@@ -2646,6 +2647,58 @@ static const char *virtualhost_section(cmd_parms *cmd, void *dummy,
+ return errmsg;
+ }
+
++static const char *set_regex_default_options(cmd_parms *cmd,
++ void *dummy,
++ const char *arg)
++{
++ const command_rec *thiscmd = cmd->cmd;
++ int cflags, cflag;
++
++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
++ if (err != NULL) {
++ return err;
++ }
++
++ cflags = ap_regcomp_get_default_cflags();
++ while (*arg) {
++ const char *name = ap_getword_conf(cmd->pool, &arg);
++ int how = 0;
++
++ if (strcasecmp(name, "none") == 0) {
++ cflags = 0;
++ continue;
++ }
++
++ if (*name == '+') {
++ name++;
++ how = +1;
++ }
++ else if (*name == '-') {
++ name++;
++ how = -1;
++ }
++
++ cflag = ap_regcomp_default_cflag_by_name(name);
++ if (!cflag) {
++ return apr_psprintf(cmd->pool, "%s: option '%s' unknown",
++ thiscmd->name, name);
++ }
++
++ if (how > 0) {
++ cflags |= cflag;
++ }
++ else if (how < 0) {
++ cflags &= ~cflag;
++ }
++ else {
++ cflags = cflag;
++ }
++ }
++ ap_regcomp_set_default_cflags(cflags);
++
++ return NULL;
++}
++
+ static const char *set_server_alias(cmd_parms *cmd, void *dummy,
+ const char *arg)
+ {
+@@ -4164,6 +4217,9 @@ AP_INIT_TAKE12("RLimitNPROC", no_set_limit, NULL,
+ OR_ALL, "soft/hard limits for max number of processes per uid"),
+ #endif
+
++AP_INIT_RAW_ARGS("RegexDefaultOptions", set_regex_default_options, NULL, RSRC_CONF,
++ "default options for regexes (prefixed by '+' to add, '-' to del)"),
++
+ /* internal recursion stopper */
+ AP_INIT_TAKE12("LimitInternalRecursion", set_recursion_limit, NULL, RSRC_CONF,
+ "maximum recursion depth of internal redirects and
 subrequests"),
+@@ -4569,6 +4625,8 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem
+ apr_pool_cleanup_register(pconf, NULL, reset_config_defines,
+ apr_pool_cleanup_null);
+
++ ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY);
++
+ mpm_common_pre_config(pconf);
+
+ return OK;
+diff --git a/server/util_pcre.c b/server/util_pcre.c
+index 1e83cad..d7df400 100644
+--- a/server/util_pcre.c
++++ b/server/util_pcre.c
+@@ -110,6 +110,38 @@ AP_DECLARE(void) ap_regfree(ap_regex_t *preg)
+ * Compile a regular expression *
+ *************************************************/
+
++static int default_cflags = AP_REG_DOLLAR_ENDONLY;
++
++AP_DECLARE(int) ap_regcomp_get_default_cflags(void)
++{
++ return default_cflags;
++}
++
++AP_DECLARE(void) ap_regcomp_set_default_cflags(int cflags)
++{
++ default_cflags = cflags;
++}
++
++AP_DECLARE(int) ap_regcomp_default_cflag_by_name(const char *name)
++{
++ int cflag = 0;
++
++ if (strcasecmp(name, "ICASE") == 0) {
++ cflag = AP_REG_ICASE;
++ }
++ else if (strcasecmp(name, "DOTALL") == 0) {
++ cflag = AP_REG_DOTALL;
++ }
++ else if (strcasecmp(name, "DOLLAR_ENDONLY") == 0) {
++ cflag = AP_REG_DOLLAR_ENDONLY;
++ }
++ else if (strcasecmp(name, "EXTENDED") == 0) {
++ cflag = AP_REG_EXTENDED;
++ }
++
++ return cflag;
++}
++
+ /*
+ * Arguments:
+ * preg points to a structure for recording the compiled expression
+@@ -126,12 +158,16 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags)
+ int errcode = 0;
+ int options = 0;
+
++ cflags |= default_cflags;
+ if ((cflags & AP_REG_ICASE) != 0)
+ options |= PCRE_CASELESS;
+ if ((cflags & AP_REG_NEWLINE) != 0)
+ options |= PCRE_MULTILINE;
+ if ((cflags & AP_REG_DOTALL) != 0)
+ options |= PCRE_DOTALL;
++ if ((cflags & AP_REG_DOLLAR_ENDONLY) != 0)
++ options |= PCRE_DOLLAR_ENDONLY;
++
+
+ preg->re_pcre =
+ pcre_compile2(pattern, options, &errcode, &errorptr, &erroffset, NULL);
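Review bot: In `set_regex_default_options` (server/core.c) an option written without a `+` or `-` prefix takes the final `else` branch, `cflags = cflag;`, which replaces the whole default set, so a line such as `RegexDefaultOptions ICASE` also drops `AP_REG_DOLLAR_ENDONLY`, the flag this patch installs in `core_pre_config` so that `$` matches only at the end of the subject. The help text passed to `AP_INIT_RAW_ARGS` mentions only the `+`/`-` forms, so nothing tells an administrator that a bare name or `none` switches the hardening off. I would add a comment on that branch, for example `/* bare name: replaces all defaults, including DOLLAR_ENDONLY */`, and extend the help string to say that an unprefixed name or `none` resets the set. Because `ap_regcomp` reads the static `default_cflags` at compile time, the directive presumably affects only patterns compiled after it is parsed, which is also worth stating in the comment once confirmed.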
diff --git a/SOURCES/httpd-2.4.6-CVE-2018-1283.patch b/SOURCES/httpd-2.4.6-CVE-2018-1283.patch
new file mode 100644
index 0000000..c51bb4f
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2018-1283.patch
@@ -0,0 +1,23 @@
+--- a/modules/session/mod_session.c 2018/02/16 13:39:47 1824476
++++ b/modules/session/mod_session.c 2018/02/16 13:41:31 1824477
+@@ -510,12 +510,15 @@
+ */
+ ap_session_load(r, &z);
+
+- if (z && conf->env) {
+- session_identity_encode(r, z);
+- if (z->encoded) {
+- apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded);
+- z->encoded = NULL;
++ if (conf->env) {
++ if (z) {
++ session_identity_encode(r, z);
++ if (z->encoded) {
++ apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded);
++ z->encoded = NULL;
++ }
+ }
++ apr_table_unset(r->headers_in, "Session");
+ }
+
+ return OK;
diff --git a/SOURCES/httpd-2.4.6-CVE-2018-1303.patch b/SOURCES/httpd-2.4.6-CVE-2018-1303.patch
new file mode 100644
index 0000000..f0b6bde
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2018-1303.patch
@@ -0,0 +1,12 @@
+--- a/modules/cache/mod_cache_socache.c 2018/02/16 13:32:48 1824474
++++ b/modules/cache/mod_cache_socache.c 2018/02/16 13:34:35 1824475
+@@ -213,7 +213,8 @@
+ "Premature end of cache headers.");
+ return APR_EGENERAL;
+ }
+- while (apr_isspace(buffer[colon])) {
++ /* Do not go past the \r from above as apr_isspace('\r') is true */
++ while (apr_isspace(buffer[colon]) && (colon < *slider)) {
+ colon++;
+ }
+ apr_table_addn(table, apr_pstrndup(r->pool, (const char *) buffer
diff --git a/SOURCES/httpd-2.4.6-CVE-2018-17199.patch b/SOURCES/httpd-2.4.6-CVE-2018-17199.patch
new file mode 100644
index 0000000..70bfea2
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2018-17199.patch
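Review bot: The added `apr_table_unset(r->headers_in, "Session");` in the mod_session.c hunk carries no comment saying why a request header is removed in code that otherwise only fills `r->subprocess_env`, and it sits inside `if (conf->env)`, so it runs only when that setting is enabled. Presumably the reason is that a client-sent `Session` header would reach CGI-style handlers under the same `HTTP_SESSION` name the module sets just above; a comment such as `/* drop any client-supplied Session header so it cannot be taken for the HTTP_SESSION value set by this module */` would record that for the next maintainer. The header name is a bare literal while the variable name uses the `HTTP_SESSION` macro, so a named constant beside that macro would keep the pair together. The enclosing function starts and ends outside the hunk.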
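Review bot: In the mod_cache_socache.c hunk the new loop condition `while (apr_isspace(buffer[colon]) && (colon < *slider))` reads the byte before it compares the index, so `buffer[colon]` is still evaluated once when `colon == *slider`. Putting the bound first, `while ((colon < *slider) && apr_isspace(buffer[colon])) {`, makes the comparison guard the read instead of following it. Whether that one byte is always inside the buffer cannot be judged from here, because the function starts and ends outside the hunk.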
@@ -0,0 +1,46 @@
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index 7213eb3..3e73c7a 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -126,15 +126,9 @@ static apr_status_t ap_session_load(request_rec * r, session_rec ** z)
+
+ /* found a session that hasn't expired? */
+ now = apr_time_now();
+- if (!zz || (zz->expiry && zz->expiry < now)) {
+-
+- /* no luck, create a blank session */
+- zz = (session_rec *) apr_pcalloc(r->pool, sizeof(session_rec));
+- zz->pool = r->pool;
+- zz->entries = apr_table_make(zz->pool, 10);
+-
+- }
+- else {
++
++ if (zz){
++ /* load the session attibutes */
+ rv = ap_run_session_decode(r, zz);
+ if (OK != rv) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
+@@ -142,8 +136,22 @@ static apr_status_t ap_session_load(request_rec * r, session_rec ** z)
+ "session not loaded: %s", r->uri);
+ return rv;
+ }
++
++ /* invalidate session if session is expired */
++ if (zz && zz->expiry && zz->expiry < now){
++ zz = NULL;
++ }
+ }
+
++ if (!zz || (zz->expiry && zz->expiry < now)) {
++
++ /* no luck, create a blank session */
++ zz = (session_rec *) apr_pcalloc(r->pool, sizeof(session_rec));
++ zz->pool = r->pool;
++ zz->entries = apr_table_make(zz->pool, 10);
++
++ }
++
+ /* make sure the expiry is set, if present */
+ if (!zz->expiry && dconf->maxage) {
+ zz->expiry = now + dconf->maxage * APR_USEC_PER_SEC;
diff --git a/SOURCES/httpd-2.4.6-CVE-2019-10098.patch b/SOURCES/httpd-2.4.6-CVE-2019-10098.patch
new file mode 100644
index 0000000..f8298cc
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-CVE-2019-10098.patch
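Review bot: The expiry test now appears twice in `ap_session_load`, and the second copy is dead for a non-NULL session. The new block inside `if (zz){` sets `zz = NULL` when the decoded session is expired, so in the re-added `if (!zz || (zz->expiry && zz->expiry < now))` only the `!zz` half can still be true; the `zz &&` inside `if (zz)` is redundant for the same reason. I would reduce the two tests to `if (zz->expiry && zz->expiry < now) {` and `if (!zz) {`, which makes the intended order (decode first, then judge expiry on the decoded value) plain to the next reader. The comment typo `attibutes` could be corrected at the same time. The function body continues outside both inner hunks.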
@@ -0,0 +1,91 @@
+diff --git a/include/ap_regex.h b/include/ap_regex.h
+index 349ae83..952e77a 100644
+--- a/include/ap_regex.h
++++ b/include/ap_regex.h
+@@ -79,6 +79,12 @@ extern "C" {
+
+ #define AP_REG_DOLLAR_ENDONLY 0x200 /**< '$' matches at end of subject string only */
+
++#define AP_REG_NO_DEFAULT 0x400 /**< Don't implicitely add AP_REG_DEFAULT options */
++
++#define AP_REG_MATCH "MATCH_" /**< suggested prefix for ap_regname */
++
++#define AP_REG_DEFAULT (AP_REG_DOTALL|AP_REG_DOLLAR_ENDONLY)
++
+ /* Error values: */
+ enum {
+ AP_REG_ASSERT = 1, /** internal error ? */
+diff --git a/modules/filters/mod_substitute.c b/modules/filters/mod_substitute.c
+index 15cd8ee..69af111 100644
+--- a/modules/filters/mod_substitute.c
++++ b/modules/filters/mod_substitute.c
+@@ -599,8 +599,10 @@ static const char *set_pattern(cmd_parms *cmd, void *cfg, const char *line)
+
+ /* first see if we can compile the regex */
+ if (!is_pattern) {
+- r = ap_pregcomp(cmd->pool, from, AP_REG_EXTENDED |
+- (ignore_case ? AP_REG_ICASE : 0));
++ int flags = AP_REG_NO_DEFAULT
++ | (ap_regcomp_get_default_cflags() & AP_REG_DOLLAR_ENDONLY)
++ | (ignore_case ?
 AP_REG_ICASE : 0);
++ r = ap_pregcomp(cmd->pool, from, flags);
+ if (!r)
+ return "Substitute could not compile regex";
+ }
+diff --git a/server/core.c b/server/core.c
+index d4af287..6ae0f5f 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -4625,7 +4625,7 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem
+ apr_pool_cleanup_register(pconf, NULL, reset_config_defines,
+ apr_pool_cleanup_null);
+
+- ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY);
++ ap_regcomp_set_default_cflags(AP_REG_DEFAULT);
+
+ mpm_common_pre_config(pconf);
+
+diff --git a/server/util_pcre.c b/server/util_pcre.c
+index d7df400..f778c75 100644
+--- a/server/util_pcre.c
++++ b/server/util_pcre.c
+@@ -110,7 +110,7 @@ AP_DECLARE(void) ap_regfree(ap_regex_t *preg)
+ * Compile a regular expression *
+ *************************************************/
+
+-static int default_cflags = AP_REG_DOLLAR_ENDONLY;
++static int default_cflags = AP_REG_DEFAULT;
+
+ AP_DECLARE(int) ap_regcomp_get_default_cflags(void)
+ {
+@@ -158,7 +158,8 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t * preg, const char *pattern, int cflags)
+ int errcode = 0;
+ int options = 0;
+
+- cflags |= default_cflags;
++ if ((cflags & AP_REG_NO_DEFAULT) == 0)
++ cflags |= default_cflags;
+ if ((cflags & AP_REG_ICASE) != 0)
+ options |= PCRE_CASELESS;
+ if ((cflags & AP_REG_NEWLINE) != 0)
+diff --git a/server/util_regex.c b/server/util_regex.c
+index 73eccec..5038b99 100644
+--- a/server/util_regex.c
++++ b/server/util_regex.c
+@@ -93,6 +93,7 @@ AP_DECLARE(ap_rxplus_t*) ap_rxplus_compile(apr_pool_t *pool,
+ }
+
+ /* anything after the current delimiter is flags */
++ ret->flags = ap_regcomp_get_default_cflags() & AP_REG_DOLLAR_ENDONLY;
+ while (*++endp) {
+ switch (*endp) {
+ case 'i': ret->flags |= AP_REG_ICASE; break;
+@@ -105,7 +106,7 @@ AP_DECLARE(ap_rxplus_t*) ap_rxplus_compile(apr_pool_t *pool,
+ default: break; /* we should probably be stricter here */
+ }
+ }
+- if (ap_regcomp(&ret->rx, rxstr,
 ret->flags) == 0) {
++ if (ap_regcomp(&ret->rx, rxstr, AP_REG_NO_DEFAULT | ret->flags) == 0) {
+ apr_pool_cleanup_register(pool, &ret->rx, rxplus_cleanup,
+ apr_pool_cleanup_null);
+ }
diff --git a/SOURCES/httpd-2.4.6-session-expiry-updt-int.patch b/SOURCES/httpd-2.4.6-session-expiry-updt-int.patch
new file mode 100644
index 0000000..56d6c53
--- /dev/null
+++ b/SOURCES/httpd-2.4.6-session-expiry-updt-int.patch
@@ -0,0 +1,194 @@
+diff --git a/docs/manual/mod/mod_session.html.en b/docs/manual/mod/mod_session.html.en
+index 96a61e6..4ecc97d 100644
+--- a/docs/manual/mod/mod_session.html.en
++++ b/docs/manual/mod/mod_session.html.en
+@@ -69,6 +69,7 @@
+
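Review bot: `AP_REG_NO_DEFAULT` changes what `ap_regcomp` does for every caller, yet the only description is the one-line macro comment in ap_regex.h. Neither call site that uses it (`set_pattern` in mod_substitute.c, `ap_rxplus_compile` in util_regex.c) says why it copies just `AP_REG_DOLLAR_ENDONLY` out of `ap_regcomp_get_default_cflags()`. The same patch widens the defaults to `AP_REG_DEFAULT`, which adds `AP_REG_DOTALL`, so presumably these callers opt out to keep `.` under their own control; a comment such as `/* take only the '$' hardening from the defaults; DOTALL stays caller-controlled */` at both sites would make that deliberate and stop a later cleanup from passing the full default set. The macro comment also contains the typo `implicitely`. Several of the touched functions start or end outside their inner hunks.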
  • SessionHeader
  • +
  • SessionInclude
  • +
  • SessionMaxAge
  • ++
  • SessionExpiryUpdateInterval
  • + +

    Topics

    +