diff --git a/.gitignore b/.gitignore index 4c70af4..2c3e956 100644 --- a/.gitignore +++ b/.gitignore @@ -2,4 +2,3 @@ SOURCES/htcacheclean.service.xml SOURCES/httpd-2.4.37.tar.bz2 SOURCES/httpd.conf.xml SOURCES/httpd.service.xml -SOURCES/centos-noindex-8.0.tar.gz diff --git a/.httpd.metadata b/.httpd.metadata index 000b59a..091ca86 100644 --- a/.httpd.metadata +++ b/.httpd.metadata @@ -2,4 +2,3 @@ a34c31169efbe6140496c37801489610461bdf9b SOURCES/htcacheclean.service.xml 4a38471de821288b0300148016f2b03dfee8adf2 SOURCES/httpd-2.4.37.tar.bz2 fa18caadd0afbddc2c7a7fc404bf4f2b41867148 SOURCES/httpd.conf.xml 888df830bdc465de3bced6f075c33380018e544f SOURCES/httpd.service.xml -6aa65f45c247226fc922c455e0187abd90c839e8 SOURCES/centos-noindex-8.0.tar.gz diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch b/SOURCES/httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch new file mode 100644 index 0000000..7cee845 --- /dev/null +++ b/SOURCES/httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch @@ -0,0 +1,19 @@ +diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c +index 16e39be..2543693 100644 +--- a/server/mpm/event/event.c ++++ b/server/mpm/event/event.c +@@ -1111,10 +1111,11 @@ read_request: + "network write failure in core output filter"); + cs->pub.state = CONN_STATE_LINGER; + } +- else if (c->data_in_output_filters) { ++ else if (c->data_in_output_filters || ++ cs->pub.sense == CONN_SENSE_WANT_READ) { + /* Still in WRITE_COMPLETION_STATE: +- * Set a write timeout for this connection, and let the +- * event thread poll for writeability. ++ * Set a read/write timeout for this connection, and let the ++ * event thread poll for read/writeability. + */ + cs->queue_timestamp = apr_time_now(); + notify_suspend(cs); diff --git a/SOURCES/index.html b/SOURCES/index.html new file mode 100644 index 0000000..06ad3fc --- /dev/null +++ b/SOURCES/index.html @@ -0,0 +1,123 @@ + + + + + Test Page for the Apache HTTP Server on Red Hat Enterprise Linux + + + + + +

Red Hat Enterprise Linux Test Page

+ +
+
+

This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page, it means that the Apache HTTP server installed at this site is working properly.

+
+
+ +
+
+

If you are a member of the general public:

+ +

The fact that you are seeing this page indicates that the website you just visited is either experiencing problems, or is undergoing routine maintenance.

+ +

If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person.

+ +

For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".

+ +

For information on Red Hat Enterprise Linux, please visit the Red Hat, Inc. website. The documentation for Red Hat Enterprise Linux is available on the Red Hat, Inc. website.

+
+
+ +
+

If you are the website administrator:

+ +

You may now add content to the directory /var/www/html/. Note that until you do so, people visiting your website will see this page, and not your content. To prevent this page from ever being used, follow the instructions in the file /etc/httpd/conf.d/welcome.conf.

+ +

You are free to use the image below on web sites powered by the Apache HTTP Server:

+ +

[ Powered by Apache ]

+ +
+
+
+ + diff --git a/SOURCES/welcome.conf b/SOURCES/welcome.conf index 7fdc0d5..5d1e452 100644 --- a/SOURCES/welcome.conf +++ b/SOURCES/welcome.conf @@ -6,25 +6,13 @@ # NOTE: if this file is removed, it will be restored on upgrades. # - Options -Indexes - ErrorDocument 403 /noindex/index.html + Options -Indexes + ErrorDocument 403 /.noindex.html -Alias /noindex /usr/share/httpd/noindex - - Options MultiViews - DirectoryIndex index.html - - AddLanguage en-US .en-US - AddLanguage es-ES .es-ES - AddLanguage zh-CN .zh-CN - AddLanguage zh-HK .zh-HK - AddLanguage zh-TW .zh-TW - - LanguagePriority en - ForceLanguagePriority Fallback - - AllowOverride None - Require all granted + AllowOverride None + Require all granted + +Alias /.noindex.html /usr/share/httpd/noindex/index.html diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index 9d8f9bc..0709068 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -13,10 +13,10 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.37 -Release: 11%{?dist} +Release: 12%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 -Source1: centos-noindex-8.0.tar.gz +Source1: index.html Source2: httpd.logrotate Source3: instance.conf Source4: httpd-ssl-pass-dialog @@ -113,6 +113,10 @@ Patch200: httpd-2.4.37-r1851471.patch Patch201: httpd-2.4.37-CVE-2019-0211.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1695025 Patch202: httpd-2.4.37-CVE-2019-0215.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1741860 +# https://bugzilla.redhat.com/show_bug.cgi?id=1741864 +# https://bugzilla.redhat.com/show_bug.cgi?id=1741868 +Patch203: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch License: ASL 2.0 Group: System Environment/Daemons @@ -280,6 +284,7 @@ interface for storing and accessing per-user session data. %patch200 -p1 -b .r1851471 %patch201 -p1 -b .CVE-2019-0211 %patch202 -p1 -b .CVE-2019-0215 +%patch203 -p1 -b .CVE-2019-9511-and-9516-and-9517 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -479,7 +484,8 @@ EOF # Handle contentdir mkdir $RPM_BUILD_ROOT%{contentdir}/noindex -tar xzf %{SOURCE1} -C $RPM_BUILD_ROOT%{contentdir}/noindex/ --strip-components=1 +install -m 644 -p $RPM_SOURCE_DIR/index.html \ + $RPM_BUILD_ROOT%{contentdir}/noindex/index.html rm -rf %{contentdir}/htdocs # remove manual sources @@ -694,7 +700,7 @@ rm -rf $RPM_BUILD_ROOT %{contentdir}/error/README %{contentdir}/error/*.var %{contentdir}/error/include/*.html -%{contentdir}/noindex/* +%{contentdir}/noindex/index.html %attr(0710,root,apache) %dir /run/httpd %attr(0700,apache,apache) %dir /run/httpd/htcacheclean @@ -783,12 +789,13 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog -* Sun May 26 2019 Alain Reguera Delgado - 2.4.37-11.el8.centos -- Remove index.html, add centos-noindex-8.0.tar.gz -- Update welcome.conf to support content negotiation based on locale - -* Tue May 07 2019 CentOS Sources - 2.4.37-11.el8.centos -- Apply debranding changes +* Thu Aug 29 2019 Lubos Uhliarik - 2.4.37-12 +- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount + of data request leads to denial of service +- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length + headers leads to denial of service +- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request + for large response leads to denial of service * Wed Apr 03 2019 Lubos Uhliarik - 2.4.37-11 - Resolves: #1695431 - CVE-2019-0211 httpd: privilege escalation