From f5da3f64730f0abb0da4b77f17777ed5ab2138b1 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Jul 18 2016 14:11:58 +0000
Subject: import httpd24-httpd-2.4.18-11.el7
---
diff --git a/SOURCES/httpd-2.4.18-CVE-2016-4979.patch b/SOURCES/httpd-2.4.18-CVE-2016-4979.patch
new file mode 100644
index 0000000..de9a4d9
--- /dev/null
+++ b/SOURCES/httpd-2.4.18-CVE-2016-4979.patch
@@ -0,0 +1,13 @@
+# ./pullrev.sh 1750808
+http://svn.apache.org/viewvc?view=revision&revision=1750808
+
+--- httpd-2.4.18/modules/ssl/ssl_engine_kernel.c
++++ httpd-2.4.18/modules/ssl/ssl_engine_kernel.c
+@@ -727,6 +727,7 @@
+ * on this connection.
+ */
+ apr_table_setn(r->notes, "ssl-renegotiate-forbidden", "verify-client");
++ SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);
+ return HTTP_FORBIDDEN;
+ }
+ /* optimization */
diff --git a/SOURCES/httpd-2.4.18-CVE-2016-5387.patch b/SOURCES/httpd-2.4.18-CVE-2016-5387.patch
new file mode 100644
index 0000000..cfbd4a9
--- /dev/null
+++ b/SOURCES/httpd-2.4.18-CVE-2016-5387.patch
@@ -0,0 +1,16 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387
+
+--- httpd-2.4.18/server/util_script.c.cve5387
++++ httpd-2.4.18/server/util_script.c
+@@ -195,6 +195,10 @@
+ }
+ }
+ #endif
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ /* Don't pass through HTTP_PROXY */
++ continue;
++ }
+ else
+ add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
+ }
diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec
index 29d4a63..46482a7 100644
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -49,7 +49,7 @@ Summary: Apache HTTP Server
 Name: %{?scl:%scl_prefix}httpd
 Version: 2.4.18
-Release: 10%{?dist}
+Release: 11%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
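Review bot: The added `SSL_set_verify(ssl, verify_old, ssl_callback_SSLVerify);` before `return HTTP_FORBIDDEN;` is the entire CVE-2016-4979 fix, yet the patch header in SOURCES/httpd-2.4.18-CVE-2016-4979.patch carries only the pullrev command and the svn URL, so nothing records why that call must sit on the forbidden-renegotiation path. From the hunk it appears to restore a verify mode that was saved earlier in the function as `verify_old` (presumably after being changed for a per-request client-certificate check), so that refusing the request does not leave the SSL connection with the altered verify settings; the code that saves and changes the mode, and the start and end of the enclosing function, are outside the hunk. I would add a header line such as `# CVE-2016-4979: restore the saved SSL verify mode before returning HTTP_FORBIDDEN so the refused request does not leave the connection with the per-request verify settings`, so a future rebase keeps the call on that exact path.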
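Review bot: In SOURCES/httpd-2.4.18-CVE-2016-5387.patch the new `else if` is chained directly after an `#endif`, so which `if` ladder it joins depends on preprocessor conditions outside the hunk; the existing `else` already relies on that layout, but a comment is warranted because moving the `#endif` in a later rebase would silently change when the `Proxy` check runs. The comment `/* Don't pass through HTTP_PROXY */` gives the effect but not the reason; I would expand it to `/* A client-supplied "Proxy" request header would become HTTP_PROXY in the script environment, which HTTP client libraries read as a proxy setting; never forward it (CVE-2016-5387). */`. Using `strcasecmp` is correct here since header field names are case-insensitive, so every case variant of the name is dropped rather than only the canonical spelling. The loop over `hdrs[i]` and the enclosing function begin and end outside the hunk, and the patch header itself holds only the bugzilla URL, so the same one-line rationale belongs there too.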
@@ -118,6 +118,9 @@ Patch69: httpd-2.4.6-apachectl-httpd-env.patch
 Patch70: httpd-2.4.6-bomb.patch
 Patch71: httpd-2.4.18-apachectl-httpd-env2.patch
 Patch72: httpd-2.4.18-r1738229.patch
+# Security fixes
+Patch100: httpd-2.4.18-CVE-2016-5387.patch
+Patch101: httpd-2.4.18-CVE-2016-4979.patch
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -308,6 +311,9 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH
 %patch70 -p1 -b .bomb
 %patch72 -p1 -b .r1738229
+%patch100 -p1 -b .cve5387
+%patch101 -p1 -b .cve4979
+
 # Patch in the vendor string and the release string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
 sed -i 's/@RELEASE@/%{release}/' server/core.c
@@ -937,6 +943,10 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 %changelog
+* Wed Jul 13 2016 Joe Orton - 2.4.18-11
+- add security fix for CVE-2016-5387
+- mod_ssl: add security fix for CVE-2016-4979
+
 * Fri Apr 15 2016 Joe Orton - 2.4.18-10
 - load more built modules (including mod_http2) by default (#1302653)
 - lower log-level for mod_ssl NPN debugging (#1302653)