diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/httpd-2.4.37-add-SNI-support.patch b/SOURCES/httpd-2.4.37-add-SNI-support.patch new file mode 100644 index 0000000..8b8d9ad --- /dev/null +++ b/SOURCES/httpd-2.4.37-add-SNI-support.patch @@ -0,0 +1,92 @@ +commit 4c0e27d7bfbf46f14dfbd5d888e56c64ad8c8de5 +Author: Tomas Korbar +Date: Mon Sep 19 13:22:27 2022 +0200 + + Backport refactor of SNI support to httpd-2.4.37 + +diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c +index a7e0dcd..31ccd32 100644 +--- a/modules/http2/mod_proxy_http2.c ++++ b/modules/http2/mod_proxy_http2.c +@@ -591,16 +591,6 @@ run_connect: + } + + if (!ctx->p_conn->data) { +- /* New conection: set a note on the connection what CN is +- * requested and what protocol we want */ +- if (ctx->p_conn->ssl_hostname) { +- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner, +- "set SNI to %s for (%s)", +- ctx->p_conn->ssl_hostname, +- ctx->p_conn->hostname); +- apr_table_setn(ctx->p_conn->connection->notes, +- "proxy-request-hostname", ctx->p_conn->ssl_hostname); +- } + if (ctx->is_ssl) { + apr_table_setn(ctx->p_conn->connection->notes, + "proxy-request-alpn-protos", "h2"); +diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c +index 1b7bb81..c1c591a 100644 +--- a/modules/proxy/mod_proxy_http.c ++++ b/modules/proxy/mod_proxy_http.c +@@ -2111,19 +2111,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker, + req->origin->keepalive = AP_CONN_CLOSE; + } + +- /* +- * On SSL connections set a note on the connection what CN is +- * requested, such that mod_ssl can check if it is requested to do +- * so. +- * +- * https://github.com/apache/httpd/commit/7d272e2628b4ae05f68cdc74b070707250896a34 +- */ +- if (backend->ssl_hostname) { +- apr_table_setn(backend->connection->notes, +- "proxy-request-hostname", +- backend->ssl_hostname); +- } +- + /* Step Four: Send the Request + * On the off-chance that we forced a 100-Continue as a + * kinda HTTP ping test, allow for retries +diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c +index ec9a414..805820d 100644 +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -3261,6 +3261,16 @@ static int proxy_connection_create(const char *proxy_function, + backend_addr, conn->hostname); + return HTTP_INTERNAL_SERVER_ERROR; + } ++ if (conn->ssl_hostname) { ++ /* Set a note on the connection about what CN is requested, ++ * such that mod_ssl can check if it is requested to do so. ++ */ ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection, ++ "%s: set SNI to %s for (%s)", proxy_function, ++ conn->ssl_hostname, conn->hostname); ++ apr_table_setn(conn->connection->notes, "proxy-request-hostname", ++ conn->ssl_hostname); ++ } + } + else { + /* TODO: See if this will break FTP */ +diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c +index 4e3875a..9b4280c 100644 +--- a/modules/ssl/ssl_engine_io.c ++++ b/modules/ssl/ssl_engine_io.c +@@ -1273,7 +1273,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) + ((dc->proxy->ssl_check_peer_cn != FALSE) || + (dc->proxy->ssl_check_peer_name == TRUE)) && + hostname_note) { +- apr_table_unset(c->notes, "proxy-request-hostname"); + if (!cert + || modssl_X509_match_name(c->pool, cert, hostname_note, + TRUE, server) == FALSE) { +@@ -1290,7 +1289,6 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx) + + hostname = ssl_var_lookup(NULL, server, c, NULL, + "SSL_CLIENT_S_DN_CN"); +- apr_table_unset(c->notes, "proxy-request-hostname"); + + /* Do string match or simplest wildcard match if that + * fails. */ diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index c4b209d..8493acc 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -13,7 +13,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.37 -Release: 51%{?dist}.5 +Release: 56%{?dist}.4 URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source2: httpd.logrotate @@ -163,6 +163,8 @@ Patch88: httpd-2.4.37-r1845768+.patch Patch89: httpd-2.4.37-r1862410.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1984828 Patch90: httpd-2.4.37-hcheck-mem-issues.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2017543 +Patch91: httpd-2.4.37-add-SNI-support.patch # Security fixes Patch200: httpd-2.4.37-r1851471.patch @@ -263,7 +265,7 @@ Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release} Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa} Requires: httpd-tools = %{version}-%{release} Requires: httpd-filesystem = %{version}-%{release} -Requires: mod_http2 +Requires: mod_http2 >= 1.15.7-5 Requires(pre): httpd-filesystem Requires(preun): systemd-units Requires(postun): systemd-units @@ -327,7 +329,7 @@ Epoch: 1 BuildRequires: openssl-devel Requires(pre): httpd-filesystem Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} -Requires: sscg >= 2.2.0 +Requires: sscg >= 3.0.0-7, /usr/bin/hostname Obsoletes: stronghold-mod_ssl # Require an OpenSSL which supports PROFILE=SYSTEM Conflicts: openssl-libs < 1:1.0.1h-4 @@ -426,6 +428,7 @@ interface for storing and accessing per-user session data. %patch88 -p1 -b .r1845768+ %patch89 -p1 -b .r1862410 %patch90 -p1 -b .hcheck-mem-issues +%patch91 -p1 -b .SNI %patch200 -p1 -b .r1851471 %patch201 -p1 -b .CVE-2019-0211 @@ -971,21 +974,31 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog -* Thu Apr 06 2023 CentOS Sources - 2.4.37-51.el8.centos.5 -- Apply debranding changes - -* Sat Mar 18 2023 Luboš Uhliarik - 2.4.37-51.5 -- Resolves: #2177747 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting +* Sat Mar 18 2023 Luboš Uhliarik - 2.4.37-56.4 +- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting with mod_rewrite and mod_proxy -* Tue Jan 31 2023 Luboš Uhliarik - 2.4.37-51.1 -- Resolves: #2165967 - prevent sscg creating /dhparams.pem -- Resolves: #2165976 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write +* Tue Jan 31 2023 Luboš Uhliarik - 2.4.37-56 +- Resolves: #2162499 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write of zero byte -- Resolves: #2165977 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting -- Resolves: #2165978 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request +- Resolves: #2162485 - CVE-2022-37436 httpd: mod_proxy: HTTP response splitting +- Resolves: #2162509 - CVE-2022-36760 httpd: mod_proxy_ajp: Possible request smuggling +* Thu Jan 26 2023 Luboš Uhliarik - 2.4.37-55 +- Resolves: #2155961 - prevent sscg creating /dhparams.pem + +* Thu Dec 08 2022 Luboš Uhliarik - 2.4.37-54 +- Resolves: #2095650 - Dependency from mod_http2 on httpd broken + +* Wed Nov 09 2022 Luboš Uhliarik - 2.4.37-53 +- Resolves: #2050888 - httpd with SSL fails to start unless hostname command + was installed + +* Mon Sep 19 2022 Tomas Korbar - 2.4.37-52 +- Add the SNI support in mod_proxy_wstunnel module for Apache httpd +- Resolves: rhbz#2017543 + * Mon Jul 25 2022 Luboš Uhliarik - 2.4.37-51 - Resolves: #2097015 - CVE-2022-28614 httpd:2.4/httpd: out-of-bounds read via ap_rwrite()