diff --git a/SOURCES/config.layout b/SOURCES/config.layout new file mode 100644 index 0000000..7655acd --- /dev/null +++ b/SOURCES/config.layout @@ -0,0 +1,24 @@ +# Layout used in Fedora httpd packaging. + + prefix: /etc/httpd + localstatedir: /var + exec_prefix: /usr + bindir: ${exec_prefix}/bin + sbindir: ${exec_prefix}/sbin + libdir: ${exec_prefix}/lib + libexecdir: ${exec_prefix}/libexec + mandir: ${exec_prefix}/man + sysconfdir: /etc/httpd/conf + datadir: ${exec_prefix}/share/httpd + installbuilddir: ${libdir}/httpd/build + errordir: ${datadir}/error + iconsdir: ${datadir}/icons + htdocsdir: ${localstatedir}/www/html + manualdir: ${datadir}/manual + cgidir: ${localstatedir}/www/cgi-bin + includedir: ${exec_prefix}/include/httpd + runtimedir: ${prefix}/run + logfiledir: /var/log/httpd24 + statedir: ${prefix}/state + proxycachedir: ${localstatedir}/cache/httpd/proxy + diff --git a/SOURCES/httpd-2.4.3-layout.patch b/SOURCES/httpd-2.4.3-layout.patch deleted file mode 100644 index d60cf6c..0000000 --- a/SOURCES/httpd-2.4.3-layout.patch +++ /dev/null 
@@ -1,70 +0,0 @@ - -Add layout for Fedora. - ---- httpd-2.4.3/config.layout.layout -+++ httpd-2.4.3/config.layout -@@ -370,3 +370,27 @@ - logfiledir: ${localstatedir}/log/httpd - proxycachedir: ${localstatedir}/cache/httpd - -+ -+# Fedora/RHEL layout -+ -+ prefix: /usr -+ exec_prefix: ${prefix} -+ bindir: ${prefix}/bin -+ sbindir: ${prefix}/sbin -+ libdir: ${prefix}/lib -+ libexecdir: ${prefix}/libexec -+ mandir: ${prefix}/man -+ sysconfdir: /etc/httpd/conf -+ datadir: ${prefix}/share/httpd -+ installbuilddir: ${libdir}/httpd/build -+ errordir: ${datadir}/error -+ iconsdir: ${datadir}/icons -+ localstatedir: /var -+ htdocsdir: ${localstatedir}/www/html -+ manualdir: ${datadir}/manual -+ cgidir: ${localstatedir}/www/cgi-bin -+ includedir: ${prefix}/include/httpd -+ runtimedir: ${localstatedir}/run/httpd -+ logfiledir: /var/log/httpd24 -+ proxycachedir: ${localstatedir}/cache/httpd/proxy -+ -diff --git a/config.layout b/config.layout -index b471568..6860f3f 100644 ---- a/config.layout -+++ b/config.layout -@@ -128,31 +128,7 @@ - runtimedir: ${localstatedir}/run - logfiledir: ${localstatedir}/log/httpd - proxycachedir: ${localstatedir}/cache/httpd -- -- --# Layout used in Fedora httpd packaging. -- -- prefix: /usr -- exec_prefix: ${prefix} -- bindir: ${prefix}/bin -- sbindir: ${prefix}/sbin -- libdir: ${prefix}/lib -- libexecdir: ${prefix}/libexec -- mandir: ${prefix}/man -- sysconfdir: /etc/httpd/conf -- datadir: ${prefix}/share/httpd -- installbuilddir: ${libdir}/httpd/build -- errordir: ${datadir}/error -- iconsdir: ${datadir}/icons -- htdocsdir: /var/www/html -- manualdir: ${datadir}/manual -- cgidir: /var/www/cgi-bin -- includedir: ${prefix}/include/httpd -- localstatedir: /var -- runtimedir: /run/httpd -- logfiledir: ${localstatedir}/log/httpd -- proxycachedir: ${localstatedir}/cache/httpd/proxy -- -+ - - # According to the /opt filesystem conventions - 
diff --git a/SOURCES/httpd-2.4.34-CVE-2018-17189.patch b/SOURCES/httpd-2.4.34-CVE-2018-17189.patch
new file mode 100644
index 0000000..c46464b
--- /dev/null
+++ b/SOURCES/httpd-2.4.34-CVE-2018-17189.patch
@@ -0,0 +1,20 @@
+diff --git a/modules/http2/h2_conn.c b/modules/http2/h2_conn.c
+index 2e956593aa..88da2bab3e 100644
+--- a/modules/http2/h2_conn.c
++++ b/modules/http2/h2_conn.c
+@@ -354,6 +354,15 @@ apr_status_t h2_slave_run_pre_connection(conn_rec *slave, apr_socket_t *csd)
+ * (Not necessarily in pre_connection, but later. Set it here, so it
+ * is in place.) */
+ slave->keepalives = 1;
++ /* We signal that this connection will be closed after the request.
++ * Which is true in that sense that we throw away all traffic data
++ * on this slave connection after each requests. Although we might
++ * reuse internal structures like memory pools.
++ * The wanted effect of this is that httpd does not try to clean up
++ * any dangling data on this connection when a request is done. Which
++ * is unneccessary on a h2 stream.
++ */
++ slave->keepalive = AP_CONN_CLOSE;
+ return ap_run_pre_connection(slave, csd);
+ }
+ return APR_SUCCESS;
diff --git a/SOURCES/httpd-2.4.34-CVE-2018-17199.patch b/SOURCES/httpd-2.4.34-CVE-2018-17199.patch
new file mode 100644
index 0000000..6740399
--- /dev/null
+++ b/SOURCES/httpd-2.4.34-CVE-2018-17199.patch
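Review bot: The comment added in h2_slave_run_pre_connection says what AP_CONN_CLOSE prevents (cleanup of dangling data on the secondary connection) but not which problem that cleanup caused, so a later reader cannot tell that the assignment is a security fix that must stay. It also sits directly under `slave->keepalives = 1;`, a field whose name differs by one letter, which makes the pair easy to misread or to merge during a tidy-up. I would add a line such as `/* keepalive (connection state) is not keepalives (use counter) above; this assignment is the CVE-2018-17189 fix, keep it */` and correct the typos `unneccessary` and `each requests`. The function body starts and ends outside the hunk.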
@@ -0,0 +1,51 @@
+From 34f58ae20d9a85f2a1508a9a732874239491d456 Mon Sep 17 00:00:00 2001
+From: Hank Ibell
+Date: Tue, 15 Jan 2019 19:54:41 +0000
+Subject: [PATCH] mod_session: Always decode session attributes early.
+
+Backport r1850947 from trunk
+Submitted by: hwibell
+Reviewed by: hwibell, covener, wrowe
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1851409 13f79535-47bb-0310-9956-ffa450edef68
+---
+diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
+index d517020d995..64e6e4a8132 100644
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -126,20 +126,23 @@ static apr_status_t ap_session_load(request_rec * r, session_rec ** z)
+
+ /* found a session that hasn't expired? */
+ now = apr_time_now();
++
+ if (zz) {
+- if (zz->expiry && zz->expiry < now) {
++ /* load the session attibutes */
++ rv = ap_run_session_decode(r, zz);
++
++ /* having a session we cannot decode is just as good as having
++ none at all */
++ if (OK != rv) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
++ "error while decoding the session, "
++ "session not loaded: %s", r->uri);
+ zz = NULL;
+ }
+- else {
+- /* having a session we cannot decode is just as good as having
+- none at all */
+- rv = ap_run_session_decode(r, zz);
+- if (OK != rv) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01817)
+- "error while decoding the session, "
+- "session not loaded: %s", r->uri);
+- zz = NULL;
+- }
++
++ /* invalidate session if session is expired */
++ if (zz && zz->expiry && zz->expiry < now) {
++ zz = NULL;
+ }
+ }
+
diff --git a/SOURCES/httpd-2.4.34-CVE-2019-0217.patch b/SOURCES/httpd-2.4.34-CVE-2019-0217.patch
new file mode 100644
index 0000000..1614e72
--- /dev/null
+++ b/SOURCES/httpd-2.4.34-CVE-2019-0217.patch
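Review bot: An expired session is dropped silently by the new `if (zz && zz->expiry && zz->expiry < now)` branch, while the decode failure just above it logs APLOGNO(01817). Someone reading the logs therefore cannot tell a request that presented an expired session from one that presented none. I would add a debug-level line in that branch, for example `ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "session expired, not loaded: %s", r->uri);`, and a comment stating that the expiry test has to stay after ap_run_session_decode() (going by the commit subject, the expiry value is only reliable once the attributes are decoded). The typo `attibutes` in the new comment can be fixed at the same time. ap_session_load starts and ends outside the hunk.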
@@ -0,0 +1,111 @@ +--- a/modules/aaa/mod_auth_digest.c 2019/03/12 09:24:19 1855297 ++++ b/modules/aaa/mod_auth_digest.c 2019/03/12 09:24:26 1855298 +@@ -92,7 +92,6 @@ + int check_nc; + const char *algorithm; + char *uri_list; +- const char *ha1; + } digest_config_rec; + + +@@ -153,6 +152,7 @@ + apr_time_t nonce_time; + enum hdr_sts auth_hdr_sts; + int needed_auth; ++ const char *ha1; + client_entry *client; + } digest_header_rec; + +@@ -1304,7 +1304,7 @@ + */ + + static authn_status get_hash(request_rec *r, const char *user, +- digest_config_rec *conf) ++ digest_config_rec *conf, const char **rethash) + { + authn_status auth_result; + char *password; +@@ -1356,7 +1356,7 @@ + } while (current_provider); + + if (auth_result == AUTH_USER_FOUND) { +- conf->ha1 = password; ++ *rethash = password; + } + + return auth_result; +@@ -1483,25 +1483,24 @@ + + /* RFC-2069 */ + static const char *old_digest(const request_rec *r, +- const digest_header_rec *resp, const char *ha1) ++ const digest_header_rec *resp) + { + const char *ha2; + + ha2 = ap_md5(r->pool, (unsigned char *)apr_pstrcat(r->pool, resp->method, ":", + resp->uri, NULL)); + return ap_md5(r->pool, +- (unsigned char *)apr_pstrcat(r->pool, ha1, ":", resp->nonce, +- ":", ha2, NULL)); ++ (unsigned char *)apr_pstrcat(r->pool, resp->ha1, ":", ++ resp->nonce, ":", ha2, NULL)); + } + + /* RFC-2617 */ + static const char *new_digest(const request_rec *r, +- digest_header_rec *resp, +- const digest_config_rec *conf) ++ digest_header_rec *resp) + { + const char *ha1, *ha2, *a2; + +- ha1 = conf->ha1; ++ ha1 = resp->ha1; + + a2 = apr_pstrcat(r->pool, resp->method, ":", resp->uri, NULL); + ha2 = ap_md5(r->pool, (const unsigned char *)a2); +@@ -1514,7 +1513,6 @@ + NULL)); + } + +- + static void copy_uri_components(apr_uri_t *dst, + apr_uri_t *src, request_rec *r) { + if (src->scheme && src->scheme[0] != '\0') { +@@ -1759,7 +1757,7 @@ + return HTTP_UNAUTHORIZED; + } + +- return_code = get_hash(r, r->user, conf); ++ return_code = 
get_hash(r, r->user, conf, &resp->ha1); + + if (return_code == AUTH_USER_NOT_FOUND) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01790) +@@ -1789,7 +1787,7 @@ + + if (resp->message_qop == NULL) { + /* old (rfc-2069) style digest */ +- if (strcmp(resp->digest, old_digest(r, resp, conf->ha1))) { ++ if (strcmp(resp->digest, old_digest(r, resp))) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01792) + "user %s: password mismatch: %s", r->user, + r->uri); +@@ -1819,7 +1817,7 @@ + return HTTP_UNAUTHORIZED; + } + +- exp_digest = new_digest(r, resp, conf); ++ exp_digest = new_digest(r, resp); + if (!exp_digest) { + /* we failed to allocate a client struct */ + return HTTP_INTERNAL_SERVER_ERROR; +@@ -1903,7 +1901,7 @@ + + /* calculate rspauth attribute + */ +- ha1 = conf->ha1; ++ ha1 = resp->ha1; + + a2 = apr_pstrcat(r->pool, ":", resp->uri, NULL); + ha2 = ap_md5(r->pool, (const unsigned char *)a2); diff --git a/SOURCES/httpd-2.4.34-CVE-2019-0220.patch b/SOURCES/httpd-2.4.34-CVE-2019-0220.patch new file mode 100644 index 0000000..9376205 --- /dev/null +++ b/SOURCES/httpd-2.4.34-CVE-2019-0220.patch @@ -0,0 +1,237 @@ +diff --git a/docs/manual/mod/core.html.en b/docs/manual/mod/core.html.en +index 3035537..df55e3b 100644 +--- a/docs/manual/mod/core.html.en ++++ b/docs/manual/mod/core.html.en +@@ -97,6 +97,7 @@ available +
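Review bot: get_hash() still takes `digest_config_rec *conf` as a writable pointer, although this patch moves the only write visible in the hunk (`conf->ha1 = password`) to `*rethash`. The change appears to exist because the per-directory config is shared between requests while digest_header_rec belongs to one request, so declaring the parameter `const digest_config_rec *conf` would make the compiler reject any later write to shared state from request context; this assumes the rest of get_hash(), which is outside the hunk, only reads conf. A comment on the new member, e.g. `/* per-request HA1; never store this in digest_config_rec */`, would record why `const char *ha1;` lives in digest_header_rec.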
  • MaxRangeOverlaps
  • +
  • MaxRangeReversals
  • +
  • MaxRanges
  • ++
  • MergeSlashes
  • +
  • MergeTrailers
  • +
  • Mutex
  • +
  • NameVirtualHost
  • +@@ -3463,6 +3464,30 @@ resource + + +
    top
    ++

    MergeSlashes Directive

    ++ ++ ++ ++ ++ ++ ++ ++ ++
    Description:Controls whether the server merges consecutive slashes in URLs.
    Syntax:MergeSlashes ON | OFF
    Default:MergeSlashes ON
    Context:server config, virtual host
    Status:Core
    Module:core
    Compatibility:Available in Apache HTTP Server 2.4.6 in Red Hat Enterprise Linux 7
    ++

    By default, the server merges (or collapses) multiple consecutive slash ++ ('/') characters in the path component of the request URL.

    ++ ++

    When mapping URL's to the filesystem, these multiple slashes are not ++ significant. However, URL's handled other ways, such as by CGI or proxy, ++ might prefer to retain the significance of multiple consecutive slashes. ++ In these cases MergeSlashes can be set to ++ OFF to retain the multiple consecutive slashes. In these ++ configurations, regular expressions used in the configuration file that match ++ the path component of the URL (LocationMatch, ++ RewriteRule, ...) need to take into account multiple ++ consecutive slashes.

    ++
    ++
    top
    +

    MergeTrailers Directive

    + + +diff --git a/include/http_core.h b/include/http_core.h +index 35df5dc..8e10988 100644 +--- a/include/http_core.h ++++ b/include/http_core.h +@@ -740,7 +740,7 @@ typedef struct { + #define AP_HTTP_METHODS_LENIENT 1 + #define AP_HTTP_METHODS_REGISTERED 2 + char http_methods; +- ++ unsigned int merge_slashes; + } core_server_config; + + /* for AddOutputFiltersByType in core.c */ +diff --git a/include/httpd.h b/include/httpd.h +index d792308..6c2d882 100644 +--- a/include/httpd.h ++++ b/include/httpd.h +@@ -1693,11 +1693,21 @@ AP_DECLARE(int) ap_unescape_url_keep2f(char *url, int decode_slashes); + AP_DECLARE(int) ap_unescape_urlencoded(char *query); + + /** +- * Convert all double slashes to single slashes +- * @param name The string to convert ++ * Convert all double slashes to single slashes, except where significant ++ * to the filesystem on the current platform. ++ * @param name The string to convert, assumed to be a filesystem path + */ + AP_DECLARE(void) ap_no2slash(char *name); + ++/** ++ * Convert all double slashes to single slashes, except where significant ++ * to the filesystem on the current platform. ++ * @param name The string to convert ++ * @param is_fs_path if set to 0, the significance of any double-slashes is ++ * ignored. ++ */ ++AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path); ++ + /** + * Remove all ./ and xx/../ substrings from a file name. Also remove + * any leading ../ or /../ substrings. 
+diff --git a/server/core.c b/server/core.c +index ed1e3b3..ea786a3 100644 +--- a/server/core.c ++++ b/server/core.c +@@ -491,6 +491,7 @@ static void *create_core_server_config(apr_pool_t *a, server_rec *s) + */ + + conf->trace_enable = AP_TRACE_UNSET; ++ conf->merge_slashes = AP_CORE_CONFIG_UNSET; + + conf->protocols = apr_array_make(a, 5, sizeof(const char *)); + conf->protocols_honor_order = -1; +@@ -559,7 +560,9 @@ static void *merge_core_server_configs(apr_pool_t *p, void *basev, void *virtv) + conf->protocols_honor_order = ((virt->protocols_honor_order < 0)? + base->protocols_honor_order : + virt->protocols_honor_order); +- ++ ++ AP_CORE_MERGE_FLAG(merge_slashes, conf, base, virt); ++ + return conf; + } + +@@ -1867,6 +1870,13 @@ static const char *set_qualify_redirect_url(cmd_parms *cmd, void *d_, int flag) + return NULL; + } + ++static const char *set_core_server_flag(cmd_parms *cmd, void *s_, int flag) ++{ ++ core_server_config *conf = ++ ap_get_core_module_config(cmd->server->module_config); ++ return ap_set_flag_slot(cmd, conf, flag); ++} ++ + static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[]) + { + core_dir_config *d = d_; +@@ -4570,6 +4580,10 @@ AP_INIT_ITERATE("HttpProtocolOptions", set_http_protocol_options, NULL, RSRC_CON + "'Unsafe' or 'Strict' (default). 
Sets HTTP acceptance rules"), + AP_INIT_ITERATE("RegisterHttpMethod", set_http_method, NULL, RSRC_CONF, + "Registers non-standard HTTP methods"), ++AP_INIT_FLAG("MergeSlashes", set_core_server_flag, ++ (void *)APR_OFFSETOF(core_server_config, merge_slashes), ++ RSRC_CONF, ++ "Controls whether consecutive slashes in the URI path are merged"), + { NULL } + }; + +diff --git a/server/request.c b/server/request.c +index dbe3e07..d5c558a 100644 +--- a/server/request.c ++++ b/server/request.c +@@ -167,6 +167,8 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r) + int file_req = (r->main && r->filename); + int access_status; + core_dir_config *d; ++ core_server_config *sconf = ++ ap_get_core_module_config(r->server->module_config); + + /* Ignore embedded %2F's in path for proxy requests */ + if (!r->proxyreq && r->parsed_uri.path) { +@@ -191,6 +193,12 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r) + } + + ap_getparents(r->uri); /* OK --- shrinking transformations... */ ++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) { ++ ap_no2slash(r->uri); ++ if (r->parsed_uri.path) { ++ ap_no2slash(r->parsed_uri.path); ++ } ++ } + + /* All file subrequests are a huge pain... they cannot bubble through the + * next several steps. Only file subrequests are allowed an empty uri, +@@ -1411,20 +1419,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) + + cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r); + cached = (cache->cached != NULL); +- +- /* Location and LocationMatch differ on their behaviour w.r.t. multiple +- * slashes. Location matches multiple slashes with a single slash, +- * LocationMatch doesn't. An exception, for backwards brokenness is +- * absoluteURIs... in which case neither match multiple slashes. 
+- */ +- if (r->uri[0] != '/') { +- entry_uri = r->uri; +- } +- else { +- char *uri = apr_pstrdup(r->pool, r->uri); +- ap_no2slash(uri); +- entry_uri = uri; +- } ++ entry_uri = r->uri; + + /* If we have an cache->cached location that matches r->uri, + * and the vhost's list of locations hasn't changed, we can skip +@@ -1491,7 +1486,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) + pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t)); + } + +- if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) { ++ if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) { + continue; + } + +@@ -1501,7 +1496,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) + apr_table_setn(r->subprocess_env, + ((const char **)entry_core->refs->elts)[i], + apr_pstrndup(r->pool, +- r->uri + pmatch[i].rm_so, ++ entry_uri + pmatch[i].rm_so, + pmatch[i].rm_eo - pmatch[i].rm_so)); + } + } +diff --git a/server/util.c b/server/util.c +index 8df1a4c..1549ab1 100644 +--- a/server/util.c ++++ b/server/util.c +@@ -561,16 +561,20 @@ AP_DECLARE(void) ap_getparents(char *name) + name[l] = '\0'; + } + } +- +-AP_DECLARE(void) ap_no2slash(char *name) ++AP_DECLARE(void) ap_no2slash_ex(char *name, int is_fs_path) + { ++ + char *d, *s; + ++ if (!*name) { ++ return; ++ } ++ + s = d = name; + + #ifdef HAVE_UNC_PATHS + /* Check for UNC names. Leave leading two slashes. */ +- if (s[0] == '/' && s[1] == '/') ++ if (is_fs_path && s[0] == '/' && s[1] == '/') + *d++ = *s++; + #endif + +@@ -587,6 +591,10 @@ AP_DECLARE(void) ap_no2slash(char *name) + *d = '\0'; + } + ++AP_DECLARE(void) ap_no2slash(char *name) ++{ ++ ap_no2slash_ex(name, 1); ++} + + /* + * copy at most n leading directories of s into d diff --git a/SOURCES/httpd-2.4.34-CVE-2019-10092.patch b/SOURCES/httpd-2.4.34-CVE-2019-10092.patch new file mode 100644 index 0000000..e9fbfd2 --- /dev/null +++ b/SOURCES/httpd-2.4.34-CVE-2019-10092.patch 
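Review bot: In ap_location_walk the slash-merged copy is replaced by `entry_uri = r->uri;`, so with MergeSlashes OFF nothing collapses consecutive slashes before the non-regex Location comparison. As far as the visible lines show, an access-control block written as a plain Location section would then stop applying to a request path that contains doubled slashes, and the documentation added by this patch only warns about LocationMatch and RewriteRule. I would keep merging into a private copy for the plain Location match when merge_slashes is OFF, keep the old exception for URIs that do not start with a slash, and let the ap_regexec() and apr_pstrndup() calls read r->uri again, as sketched below. The comparison code itself lies outside the hunk and should be checked against this.

```c
    core_server_config *sconf =
        ap_get_core_module_config(r->server->module_config);
    /* … unchanged: walk cache setup … */

    /* Plain <Location> always matches against merged slashes, whatever
     * MergeSlashes says; only the regex variants see the raw r->uri.
     */
    if (sconf->merge_slashes != AP_CORE_CONFIG_OFF || r->uri[0] != '/') {
        entry_uri = r->uri;
    }
    else {
        char *uri = apr_pstrdup(r->pool, r->uri);
        ap_no2slash(uri);
        entry_uri = uri;
    }
    /* … unchanged: location loop; ap_regexec() and apr_pstrndup() use r->uri … */
```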
@@ -0,0 +1,206 @@ +From c0ce3a729218279a6b4b03aab7a71bb8ae9d6259 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Fri, 2 Aug 2019 01:27:37 +0000 +Subject: [PATCH] remove request details from error documents (CVE-2019-10092). + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1864191 13f79535-47bb-0310-9956-ffa450edef68 +--- + CHANGES | 2 + + modules/http/http_protocol.c | 86 +++++++++++------------------------ + modules/proxy/mod_proxy.c | 7 +-- + modules/proxy/mod_proxy_ftp.c | 5 +- + modules/proxy/proxy_util.c | 5 +- + 5 files changed, 36 insertions(+), 69 deletions(-) + +diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c +index 8543fd1..b85e2f7 100644 +--- a/modules/http/http_protocol.c ++++ b/modules/http/http_protocol.c +@@ -1133,13 +1133,10 @@ static const char *get_canned_error_string(int status, + "\">here.

    \n", + NULL)); + case HTTP_USE_PROXY: +- return(apr_pstrcat(p, +- "

    This resource is only accessible " +- "through the proxy\n", +- ap_escape_html(r->pool, location), +- "
    \nYou will need to configure " +- "your client to use that proxy.

    \n", +- NULL)); ++ return("

    This resource is only accessible " ++ "through the proxy\n" ++ "
    \nYou will need to configure " ++ "your client to use that proxy.

    \n"); + case HTTP_PROXY_AUTHENTICATION_REQUIRED: + case HTTP_UNAUTHORIZED: + return("

    This server could not verify that you\n" +@@ -1155,34 +1152,20 @@ static const char *get_canned_error_string(int status, + "error-notes", + "

    \n")); + case HTTP_FORBIDDEN: +- s1 = apr_pstrcat(p, +- "

    You don't have permission to access ", +- ap_escape_html(r->pool, r->uri), +- "\non this server.
    \n", +- NULL); +- return(add_optional_notes(r, s1, "error-notes", "

    \n")); ++ return(add_optional_notes(r, "

    You don't have permission to access this resource.", "error-notes", "

    \n")); + case HTTP_NOT_FOUND: +- return(apr_pstrcat(p, +- "

    The requested URL ", +- ap_escape_html(r->pool, r->uri), +- " was not found on this server.

    \n", +- NULL)); ++ return("

    The requested URL was not found on this server.

    \n"); + case HTTP_METHOD_NOT_ALLOWED: + return(apr_pstrcat(p, + "

    The requested method ", + ap_escape_html(r->pool, r->method), +- " is not allowed for the URL ", +- ap_escape_html(r->pool, r->uri), +- ".

    \n", ++ " is not allowed for this URL.

    \n", + NULL)); + case HTTP_NOT_ACCEPTABLE: +- s1 = apr_pstrcat(p, +- "

    An appropriate representation of the " +- "requested resource ", +- ap_escape_html(r->pool, r->uri), +- " could not be found on this server.

    \n", +- NULL); +- return(add_optional_notes(r, s1, "variant-list", "")); ++ return(add_optional_notes(r, ++ "

    An appropriate representation of the requested resource " ++ "could not be found on this server.

    \n", ++ "variant-list", "")); + case HTTP_MULTIPLE_CHOICES: + return(add_optional_notes(r, "", "variant-list", "")); + case HTTP_LENGTH_REQUIRED: +@@ -1193,18 +1176,13 @@ static const char *get_canned_error_string(int status, + NULL); + return(add_optional_notes(r, s1, "error-notes", "

    \n")); + case HTTP_PRECONDITION_FAILED: +- return(apr_pstrcat(p, +- "

    The precondition on the request " +- "for the URL ", +- ap_escape_html(r->pool, r->uri), +- " evaluated to false.

    \n", +- NULL)); ++ return("

    The precondition on the request " ++ "for this URL evaluated to false.

    \n"); + case HTTP_NOT_IMPLEMENTED: + s1 = apr_pstrcat(p, + "

    ", +- ap_escape_html(r->pool, r->method), " to ", +- ap_escape_html(r->pool, r->uri), +- " not supported.
    \n", ++ ap_escape_html(r->pool, r->method), " ", ++ " not supported for current URL.
    \n", + NULL); + return(add_optional_notes(r, s1, "error-notes", "

    \n")); + case HTTP_BAD_GATEWAY: +@@ -1212,29 +1190,19 @@ static const char *get_canned_error_string(int status, + "response from an upstream server.
    " CRLF; + return(add_optional_notes(r, s1, "error-notes", "

    \n")); + case HTTP_VARIANT_ALSO_VARIES: +- return(apr_pstrcat(p, +- "

    A variant for the requested " +- "resource\n

    \n",
    +-                           ap_escape_html(r->pool, r->uri),
    +-                           "\n
    \nis itself a negotiable resource. " +- "This indicates a configuration error.

    \n", +- NULL)); ++ return("

    A variant for the requested " ++ "resource\n

    \n"
    ++               "\n
    \nis itself a negotiable resource. " ++ "This indicates a configuration error.

    \n"); + case HTTP_REQUEST_TIME_OUT: + return("

    Server timeout waiting for the HTTP request from the client.

    \n"); + case HTTP_GONE: +- return(apr_pstrcat(p, +- "

    The requested resource
    ", +- ap_escape_html(r->pool, r->uri), +- "
    \nis no longer available on this server " +- "and there is no forwarding address.\n" +- "Please remove all references to this " +- "resource.

    \n", +- NULL)); ++ return("

    The requested resource is no longer available on this server" ++ " and there is no forwarding address.\n" ++ "Please remove all references to this resource.

    \n"); + case HTTP_REQUEST_ENTITY_TOO_LARGE: + return(apr_pstrcat(p, +- "The requested resource
    ", +- ap_escape_html(r->pool, r->uri), "
    \n", +- "does not allow request data with ", ++ "The requested resource does not allow request data with ", + ap_escape_html(r->pool, r->method), + " requests, or the amount of data provided in\n" + "the request exceeds the capacity limit.\n", +@@ -1318,11 +1286,9 @@ static const char *get_canned_error_string(int status, + "the Server Name Indication (SNI) in use for this\n" + "connection.

    \n"); + case HTTP_UNAVAILABLE_FOR_LEGAL_REASONS: +- s1 = apr_pstrcat(p, +- "

    Access to ", ap_escape_html(r->pool, r->uri), +- "\nhas been denied for legal reasons.
    \n", +- NULL); +- return(add_optional_notes(r, s1, "error-notes", "

    \n")); ++ return(add_optional_notes(r, ++ "

    Access to this URL has been denied for legal reasons.
    \n", ++ "error-notes", "

    \n")); + default: /* HTTP_INTERNAL_SERVER_ERROR */ + /* + * This comparison to expose error-notes could be modified to +diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c +index 2336496..e6120d2 100644 +--- a/modules/proxy/mod_proxy.c ++++ b/modules/proxy/mod_proxy.c +@@ -1049,9 +1049,10 @@ static int proxy_handler(request_rec *r) + char *end; + maxfwd = apr_strtoi64(str, &end, 10); + if (maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) { +- return ap_proxyerror(r, HTTP_BAD_REQUEST, +- apr_psprintf(r->pool, +- "Max-Forwards value '%s' could not be parsed", str)); ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() ++ "Max-Forwards value '%s' could not be parsed", str); ++ return ap_proxyerror(r, HTTP_BAD_REQUEST, ++ "Max-Forwards request header could not be parsed"); + } + else if (maxfwd == 0) { + switch (r->method_number) { +diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c +index 4a10987..8f6f853 100644 +--- a/modules/proxy/mod_proxy_ftp.c ++++ b/modules/proxy/mod_proxy_ftp.c +@@ -1024,8 +1024,9 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker, + /* We break the URL into host, port, path-search */ + if (r->parsed_uri.hostname == NULL) { + if (APR_SUCCESS != apr_uri_parse(p, url, &uri)) { +- return ap_proxyerror(r, HTTP_BAD_REQUEST, +- apr_psprintf(p, "URI cannot be parsed: %s", url)); ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() ++ "URI cannot be parsed: %s", url); ++ return ap_proxyerror(r, HTTP_BAD_REQUEST, "URI cannot be parsed"); + } + connectname = uri.hostname; + connectport = uri.port; +diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c +index 7b76144..4f6c458 100644 +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -364,12 +364,9 @@ PROXY_DECLARE(char *) + + PROXY_DECLARE(int) ap_proxyerror(request_rec *r, int statuscode, const char *message) + { +- const char *uri = ap_escape_html(r->pool, r->uri); + apr_table_setn(r->notes, 
"error-notes", + apr_pstrcat(r->pool, +- "The proxy server could not handle the request ", ap_escape_html(r->pool, r->method), " ", uri, +- ".

    \n" ++ "The proxy server could not handle the request

    " + "Reason: ", ap_escape_html(r->pool, message), + "

    ", + NULL)); diff --git a/SOURCES/httpd-2.4.34-CVE-2019-10097.patch b/SOURCES/httpd-2.4.34-CVE-2019-10097.patch new file mode 100644 index 0000000..137210a --- /dev/null +++ b/SOURCES/httpd-2.4.34-CVE-2019-10097.patch 
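Review bot: Both new ap_log_rerror() calls, in proxy_handler (mod_proxy.c) and in proxy_ftp_handler (mod_proxy_ftp.c), pass an empty `APLOGNO()`, so the messages that now hold the request detail removed from the error page carry no log number. Those two lines are the only remaining record of the rejected Max-Forwards value and of the unparsable URI, and without an identifier they are harder to alert on or to look up. I would assign real numbers from the project's allocation before shipping the backport, i.e. `APLOGNO(<assigned-number>)` in both places. Separately, the HTTP_NOT_IMPLEMENTED case now concatenates `" "` with `" not supported for current URL."`, which leaves a double space in the page.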
@@ -0,0 +1,86 @@ +From e3f30ad646f18c23b95ec1a62ea38f2a7848fb36 Mon Sep 17 00:00:00 2001 +From: Jim Jagielski +Date: Wed, 7 Aug 2019 11:14:58 +0000 +Subject: [PATCH] Merge r1864526 from trunk: + +* modules/metadata/mod_remoteip.c (remoteip_process_v2_header, + remoteip_input_filter): Add sanity checks. + +Submitted by: jorton, Daniel McCarney + +Submitted by: jorton +Reviewed by: jorton, covener, jim + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864613 13f79535-47bb-0310-9956-ffa450edef68 +--- + STATUS | 5 ----- + modules/metadata/mod_remoteip.c | 36 ++++++++++++++++++++++++--------- + 2 files changed, 27 insertions(+), 14 deletions(-) + +diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c +index 4572ce12a95..a0cbc0ff77c 100644 +--- a/modules/metadata/mod_remoteip.c ++++ b/modules/metadata/mod_remoteip.c +@@ -987,15 +987,13 @@ static remoteip_parse_status_t remoteip_process_v2_header(conn_rec *c, + return HDR_ERROR; + #endif + default: +- /* unsupported protocol, keep local connection address */ +- return HDR_DONE; ++ /* unsupported protocol */ ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(10183) ++ "RemoteIPProxyProtocol: unsupported protocol %.2hx", ++ (unsigned short)hdr->v2.fam); ++ return HDR_ERROR; + } + break; /* we got a sockaddr now */ +- +- case 0x00: /* LOCAL command */ +- /* keep local connection address for LOCAL */ +- return HDR_DONE; +- + default: + /* not a supported command */ + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03507) +@@ -1087,11 +1085,24 @@ static apr_status_t remoteip_input_filter(ap_filter_t *f, + /* try to read a header's worth of data */ + while (!ctx->done) { + if (APR_BRIGADE_EMPTY(ctx->bb)) { +- ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, +- ctx->need - ctx->rcvd); ++ apr_off_t got, want = ctx->need - ctx->rcvd; ++ ++ ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, want); + if (ret != APR_SUCCESS) { ++ ap_log_cerror(APLOG_MARK, 
APLOG_ERR, ret, f->c, APLOGNO(10184) ++ "failed reading input"); + return ret; + } ++ ++ ret = apr_brigade_length(ctx->bb, 1, &got); ++ if (ret || got > want) { ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10185) ++ "RemoteIPProxyProtocol header too long, " ++ "got %" APR_OFF_T_FMT " expected %" APR_OFF_T_FMT, ++ got, want); ++ f->c->aborted = 1; ++ return APR_ECONNABORTED; ++ } + } + if (APR_BRIGADE_EMPTY(ctx->bb)) { + return block == APR_NONBLOCK_READ ? APR_SUCCESS : APR_EOF; +@@ -1139,6 +1150,13 @@ static apr_status_t remoteip_input_filter(ap_filter_t *f, + if (ctx->rcvd >= MIN_V2_HDR_LEN) { + ctx->need = MIN_V2_HDR_LEN + + remoteip_get_v2_len((proxy_header *) ctx->header); ++ if (ctx->need > sizeof(proxy_v2)) { ++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(10186) ++ "RemoteIPProxyProtocol protocol header length too long"); ++ f->c->aborted = 1; ++ apr_brigade_destroy(ctx->bb); ++ return APR_ECONNABORTED; ++ } + } + if (ctx->rcvd >= ctx->need) { + psts = remoteip_process_v2_header(f->c, conn_conf, diff --git a/SOURCES/httpd-2.4.34-mod-md-perms.patch b/SOURCES/httpd-2.4.34-mod-md-perms.patch new file mode 100644 index 0000000..78c0fc3 --- /dev/null +++ b/SOURCES/httpd-2.4.34-mod-md-perms.patch 
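Review bot: The `got > want` branch in remoteip_input_filter aborts the connection but leaves ctx->bb populated, whereas the later `ctx->need > sizeof(proxy_v2)` branch calls `apr_brigade_destroy(ctx->bb);` before returning the same APR_ECONNABORTED. That branch also passes `ret` to ap_log_cerror(), which is APR_SUCCESS whenever only the length comparison trips, so the status field of the log line says nothing. I would add `apr_brigade_destroy(ctx->bb);` after `f->c->aborted = 1;` in the first branch so both abort paths behave alike. The hunk in remoteip_process_v2_header also removes `case 0x00`, so a LOCAL header now falls into the "not a supported command" error; if the fronting proxy uses LOCAL for its own health checks, that deserves a comment at the default case and a note for operators. Both function bodies extend outside the hunks.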
@@ -0,0 +1,44 @@
+diff --git a/modules/md/mod_md_os.c b/modules/md/mod_md_os.c
+index f96d566..8df0248 100644
+--- a/modules/md/mod_md_os.c
++++ b/modules/md/mod_md_os.c
+@@ -41,14 +41,20 @@
+
+ apr_status_t md_try_chown(const char *fname, unsigned int uid, int gid, apr_pool_t *p)
+ {
+-#if AP_NEED_SET_MUTEX_PERMS
+- if (-1 == chown(fname, (uid_t)uid, (gid_t)gid)) {
+- apr_status_t rv = APR_FROM_OS_ERROR(errno);
+- if (!APR_STATUS_IS_ENOENT(rv)) {
+- ap_log_perror(APLOG_MARK, APLOG_ERR, rv, p, APLOGNO(10082)
+- "Can't change owner of %s", fname);
++#if AP_NEED_SET_MUTEX_PERMS && HAVE_UNISTD_H
++ /* Since we only switch user when running as root, we only need to chown directories
++ * in that case. Otherwise, the server will ignore any "user/group" directives and
++ * child processes have the same privileges as the parent.
++ */
++ if (!geteuid()) {
++ if (-1 == chown(fname, (uid_t)uid, (gid_t)gid)) {
++ apr_status_t rv = APR_FROM_OS_ERROR(errno);
++ if (!APR_STATUS_IS_ENOENT(rv)) {
++ ap_log_perror(APLOG_MARK, APLOG_ERR, rv, p, APLOGNO(10082)
++ "Can't change owner of %s", fname);
++ }
++ return rv;
+ }
+- return rv;
+ }
+ return APR_SUCCESS;
+ #else
+@@ -58,11 +64,7 @@ apr_status_t md_try_chown(const char *fname, unsigned int uid, int gid, apr_pool
+
+ apr_status_t md_make_worker_accessible(const char *fname, apr_pool_t *p)
+ {
+-#if AP_NEED_SET_MUTEX_PERMS
+ return md_try_chown(fname, ap_unixd_config.user_id, -1, p);
+-#else
+- return APR_ENOTIMPL;
+-#endif
+ }
+
+ #ifdef WIN32
diff --git a/SOURCES/httpd-2.4.34-r1840554.patch b/SOURCES/httpd-2.4.34-r1840554.patch
new file mode 100644
index 0000000..87f6d35
--- /dev/null
+++ b/SOURCES/httpd-2.4.34-r1840554.patch
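Review bot: md_make_worker_accessible() now references `ap_unixd_config.user_id` unconditionally, because the second hunk drops the `#if AP_NEED_SET_MUTEX_PERMS` / `#else` / `return APR_ENOTIMPL;` guard around the call. The file has a `#ifdef WIN32` section directly below, so it is apparently also built where unixd may not be available; for this Linux packaging that is a portability regression rather than a runtime bug. Keeping a guard around the call, for instance `#ifdef WIN32` with `return APR_ENOTIMPL;` in that branch, would avoid it. In md_try_chown() I would also add a comment that the non-root path returns APR_SUCCESS without changing ownership, so callers must not read success as proof that the worker user owns the file.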
@@ -0,0 +1,35 @@
+diff --git a/modules/arch/unix/mod_systemd.c b/modules/arch/unix/mod_systemd.c
+index 9359d38..6d0cb3b 100644
+--- a/modules/arch/unix/mod_systemd.c
++++ b/modules/arch/unix/mod_systemd.c
+@@ -49,6 +49,21 @@ static int systemd_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
+ return OK;
+ }
+
++/* Report the service is ready in post_config, which could be during
++ * startup or after a reload. The server could still hit a fatal
++ * startup error after this point during ap_run_mpm(), so this is
++ * perhaps too early, but by post_config listen() has been called on
++ * the TCP ports so new connections will not be rejected. There will
++ * always be a possible async failure event simultaneous to the
++ * service reporting "ready", so this should be good enough. */
++static int systemd_post_config_last(apr_pool_t *p, apr_pool_t *plog,
++ apr_pool_t *ptemp, server_rec *main_server)
++{
++ sd_notify(0, "READY=1\n"
++ "STATUS=Configuration loaded.\n");
++ return OK;
++}
++
+ static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type)
+ {
+ int rv;
+@@ -125,6 +140,8 @@ static void systemd_register_hooks(apr_pool_t *p)
+ {
+ /* Enable ap_extended_status. */
+ ap_hook_pre_config(systemd_pre_config, NULL, NULL, APR_HOOK_LAST);
++ /* Signal service is ready. */
++ ap_hook_post_config(systemd_post_config_last, NULL, NULL, APR_HOOK_REALLY_LAST);
+ /* We know the PID in this hook ... */
+ ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST);
+ /* Used to update httpd's status line using sd_notifyf */
diff --git a/SOURCES/httpd-2.4.34-r1842929+.patch b/SOURCES/httpd-2.4.34-r1842929+.patch
new file mode 100644
index 0000000..cf7dc9d
--- /dev/null
+++ b/SOURCES/httpd-2.4.34-r1842929+.patch
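Review bot: systemd_post_config_last() discards the return value of `sd_notify()`, so a failed READY=1 notification is silent and would only surface later as a unit start timeout. The neighbouring systemd_pre_mpm() declares `int rv;`, presumably for its own notify call (its body is outside the hunk), so checking here would be consistent: `int rv = sd_notify(0, ...);` followed by `if (rv < 0) ap_log_error(APLOG_MARK, APLOG_ERR, 0, main_server, "sd_notify returned an error %d", rv);`. Since httpd runs post_config more than once during startup, the header comment should also say whether sending READY=1 on every pass is intended.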
@@ -0,0 +1,265 @@ +diff --git a/Makefile.in b/Makefile.in +index 33ff8fb..c22ce4c 100644 +--- a/Makefile.in ++++ b/Makefile.in +@@ -213,6 +213,7 @@ install-cgi: + install-other: + @test -d $(DESTDIR)$(logfiledir) || $(MKINSTALLDIRS) $(DESTDIR)$(logfiledir) + @test -d $(DESTDIR)$(runtimedir) || $(MKINSTALLDIRS) $(DESTDIR)$(runtimedir) ++ @test -d $(DESTDIR)$(statedir) || $(MKINSTALLDIRS) $(DESTDIR)$(statedir) + @for ext in dll x; do \ + file=apachecore.$$ext; \ + if test -f $$file; then \ +diff --git a/acinclude.m4 b/acinclude.m4 +index 0ad0c13..a8c2804 100644 +--- a/acinclude.m4 ++++ b/acinclude.m4 +@@ -45,6 +45,7 @@ AC_DEFUN([APACHE_GEN_CONFIG_VARS],[ + APACHE_SUBST(installbuilddir) + APACHE_SUBST(runtimedir) + APACHE_SUBST(proxycachedir) ++ APACHE_SUBST(statedir) + APACHE_SUBST(other_targets) + APACHE_SUBST(progname) + APACHE_SUBST(prefix) +@@ -663,6 +664,7 @@ AC_DEFUN([APACHE_EXPORT_ARGUMENTS],[ + APACHE_SUBST_EXPANDED_ARG(runtimedir) + APACHE_SUBST_EXPANDED_ARG(logfiledir) + APACHE_SUBST_EXPANDED_ARG(proxycachedir) ++ APACHE_SUBST_EXPANDED_ARG(statedir) + ]) + + dnl +diff --git a/configure.in b/configure.in +index a208b53..de6a8ad 100644 +--- a/configure.in ++++ b/configure.in +@@ -41,7 +41,7 @@ dnl Something seems broken here. + AC_PREFIX_DEFAULT(/usr/local/apache2) + + dnl Get the layout here, so we can pass the required variables to apr +-APR_ENABLE_LAYOUT(Apache, [errordir iconsdir htdocsdir cgidir]) ++APR_ENABLE_LAYOUT(Apache, [errordir iconsdir htdocsdir cgidir statedir]) + + dnl reparse the configure arguments. 
+ APR_PARSE_ARGUMENTS +diff --git a/include/ap_config_layout.h.in b/include/ap_config_layout.h.in +index 2b4a70c..e076f41 100644 +--- a/include/ap_config_layout.h.in ++++ b/include/ap_config_layout.h.in +@@ -60,5 +60,7 @@ + #define DEFAULT_REL_LOGFILEDIR "@rel_logfiledir@" + #define DEFAULT_EXP_PROXYCACHEDIR "@exp_proxycachedir@" + #define DEFAULT_REL_PROXYCACHEDIR "@rel_proxycachedir@" ++#define DEFAULT_EXP_STATEDIR "@exp_statedir@" ++#define DEFAULT_REL_STATEDIR "@rel_statedir@" + + #endif /* AP_CONFIG_LAYOUT_H */ +diff --git a/include/http_config.h b/include/http_config.h +index adc5825..effccc1 100644 +--- a/include/http_config.h ++++ b/include/http_config.h +@@ -757,6 +757,14 @@ AP_DECLARE(char *) ap_server_root_relative(apr_pool_t *p, const char *fname); + */ + AP_DECLARE(char *) ap_runtime_dir_relative(apr_pool_t *p, const char *fname); + ++/** ++ * Compute the name of a persistent state file (e.g. a database or ++ * long-lived cache) relative to the appropriate state directory. ++ * Absolute paths are returned as-is. The state directory is ++ * configured via the DefaultStateDir directive or at build time. ++ */ ++AP_DECLARE(char *) ap_state_dir_relative(apr_pool_t *p, const char *fname); ++ + /* Finally, the hook for dynamically loading modules in... 
*/ + + /** +diff --git a/modules/dav/fs/mod_dav_fs.c b/modules/dav/fs/mod_dav_fs.c +index addfd7e..2389f8f 100644 +--- a/modules/dav/fs/mod_dav_fs.c ++++ b/modules/dav/fs/mod_dav_fs.c +@@ -29,6 +29,10 @@ typedef struct { + + extern module AP_MODULE_DECLARE_DATA dav_fs_module; + ++#ifndef DEFAULT_DAV_LOCKDB ++#define DEFAULT_DAV_LOCKDB "davlockdb" ++#endif ++ + const char *dav_get_lockdb_path(const request_rec *r) + { + dav_fs_server_conf *conf; +@@ -57,6 +61,24 @@ static void *dav_fs_merge_server_config(apr_pool_t *p, + return newconf; + } + ++static apr_status_t dav_fs_post_config(apr_pool_t *p, apr_pool_t *plog, ++ apr_pool_t *ptemp, server_rec *base_server) ++{ ++ server_rec *s; ++ ++ for (s = base_server; s; s = s->next) { ++ dav_fs_server_conf *conf; ++ ++ conf = ap_get_module_config(s->module_config, &dav_fs_module); ++ ++ if (!conf->lockdb_path) { ++ conf->lockdb_path = ap_state_dir_relative(p, DEFAULT_DAV_LOCKDB); ++ } ++ } ++ ++ return OK; ++} ++ + /* + * Command handler for the DAVLockDB directive, which is TAKE1 + */ +@@ -87,6 +109,8 @@ static const command_rec dav_fs_cmds[] = + + static void register_hooks(apr_pool_t *p) + { ++ ap_hook_post_config(dav_fs_post_config, NULL, NULL, APR_HOOK_MIDDLE); ++ + dav_hook_gather_propsets(dav_fs_gather_propsets, NULL, NULL, + APR_HOOK_MIDDLE); + dav_hook_find_liveprop(dav_fs_find_liveprop, NULL, NULL, APR_HOOK_MIDDLE); +diff --git a/modules/md/mod_md_config.c b/modules/md/mod_md_config.c +index e968da3..b248cca 100644 +--- a/modules/md/mod_md_config.c ++++ b/modules/md/mod_md_config.c +@@ -58,10 +58,18 @@ + #define MD_DEFAULT_STORE_DIR "state/md" + #endif + ++#ifndef MD_DEFAULT_BASE_DIR ++#define MD_DEFAULT_BASE_DIR "md" ++#endif ++ + /* Default settings for the global conf */ + static md_mod_conf_t defmc = { + NULL, +- MD_DEFAULT_STORE_DIR, ++#if 1 ++ NULL, /* apply default state-dir-relative */ ++#else ++ MD_DEFAULT_BASE_DIR, ++#endif + NULL, + NULL, + 80, +@@ -868,6 +876,12 @@ apr_status_t 
md_config_post_config(server_rec *s, apr_pool_t *p) + if (mc->hsts_max_age > 0) { + mc->hsts_header = apr_psprintf(p, "max-age=%d", mc->hsts_max_age); + } ++ ++#if 1 ++ if (mc->base_dir == NULL) { ++ mc->base_dir = ap_state_dir_relative(p, MD_DEFAULT_BASE_DIR); ++ } ++#endif + + return APR_SUCCESS; + } +diff --git a/server/core.c b/server/core.c +index ea786a3..0da1fd0 100644 +--- a/server/core.c ++++ b/server/core.c +@@ -133,6 +133,8 @@ AP_DECLARE_DATA int ap_main_state = AP_SQ_MS_INITIAL_STARTUP; + AP_DECLARE_DATA int ap_run_mode = AP_SQ_RM_UNKNOWN; + AP_DECLARE_DATA int ap_config_generation = 0; + ++static const char *core_state_dir; ++ + static void *create_core_dir_config(apr_pool_t *a, char *dir) + { + core_dir_config *conf; +@@ -1414,12 +1416,15 @@ AP_DECLARE(const char *) ap_resolve_env(apr_pool_t *p, const char * word) + return res_buf; + } + +-static int reset_config_defines(void *dummy) ++/* pconf cleanup - clear global variables set from config here. */ ++static apr_status_t reset_config(void *dummy) + { + ap_server_config_defines = saved_server_config_defines; + saved_server_config_defines = NULL; + server_config_defined_vars = NULL; +- return OK; ++ core_state_dir = NULL; ++ ++ return APR_SUCCESS; + } + + /* +@@ -3115,6 +3120,24 @@ static const char *set_runtime_dir(cmd_parms *cmd, void *dummy, const char *arg) + return NULL; + } + ++static const char *set_state_dir(cmd_parms *cmd, void *dummy, const char *arg) ++{ ++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); ++ ++ if (err != NULL) { ++ return err; ++ } ++ ++ if ((apr_filepath_merge((char**)&core_state_dir, NULL, ++ ap_server_root_relative(cmd->temp_pool, arg), ++ APR_FILEPATH_TRUENAME, cmd->pool) != APR_SUCCESS) ++ || !ap_is_directory(cmd->temp_pool, core_state_dir)) { ++ return "DefaultStateDir must be a valid directory, absolute or relative to ServerRoot"; ++ } ++ ++ return NULL; ++} ++ + static const char *set_timeout(cmd_parms *cmd, void *dummy, const char *arg) + { + const char 
*err = ap_check_cmd_context(cmd, NOT_IN_DIR_CONTEXT); +@@ -4416,6 +4439,8 @@ AP_INIT_TAKE1("ServerRoot", set_server_root, NULL, RSRC_CONF | EXEC_ON_READ, + "Common directory of server-related files (logs, confs, etc.)"), + AP_INIT_TAKE1("DefaultRuntimeDir", set_runtime_dir, NULL, RSRC_CONF | EXEC_ON_READ, + "Common directory for run-time files (shared memory, locks, etc.)"), ++AP_INIT_TAKE1("DefaultStateDir", set_state_dir, NULL, RSRC_CONF | EXEC_ON_READ, ++ "Common directory for persistent state (databases, long-lived caches, etc.)"), + AP_INIT_TAKE1("ErrorLog", set_server_string_slot, + (void *)APR_OFFSETOF(server_rec, error_fname), RSRC_CONF, + "The filename of the error log"), +@@ -4943,8 +4968,7 @@ static int core_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptem + + if (!saved_server_config_defines) + init_config_defines(pconf); +- apr_pool_cleanup_register(pconf, NULL, reset_config_defines, +- apr_pool_cleanup_null); ++ apr_pool_cleanup_register(pconf, NULL, reset_config, apr_pool_cleanup_null); + + ap_regcomp_set_default_cflags(AP_REG_DOLLAR_ENDONLY); + +@@ -5213,6 +5237,27 @@ AP_DECLARE(int) ap_state_query(int query) + } + } + ++AP_DECLARE(char *) ap_state_dir_relative(apr_pool_t *p, const char *file) ++{ ++ char *newpath = NULL; ++ apr_status_t rv; ++ const char *state_dir; ++ ++ state_dir = core_state_dir ++ ? core_state_dir ++ : ap_server_root_relative(p, DEFAULT_REL_STATEDIR); ++ ++ rv = apr_filepath_merge(&newpath, state_dir, file, APR_FILEPATH_TRUENAME, p); ++ if (newpath && (rv == APR_SUCCESS || APR_STATUS_IS_EPATHWILD(rv) ++ || APR_STATUS_IS_ENOENT(rv) ++ || APR_STATUS_IS_ENOTDIR(rv))) { ++ return newpath; ++ } ++ else { ++ return NULL; ++ } ++} ++ + static apr_random_t *rng = NULL; + #if APR_HAS_THREADS + static apr_thread_mutex_t *rng_mutex = NULL; diff --git a/SOURCES/httpd-2.4.34-r1844002.patch b/SOURCES/httpd-2.4.34-r1844002.patch new file mode 100644 index 0000000..09c7db5 --- /dev/null +++ b/SOURCES/httpd-2.4.34-r1844002.patch 
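Review bot: `ap_state_dir_relative()` in server/core.c returns NULL when `apr_filepath_merge()` fails, but neither new caller checks for it. `dav_fs_post_config` stores the result in `conf->lockdb_path` and `md_config_post_config` stores it in `mc->base_dir`, so an unusable state directory would surface later as a NULL path instead of as a startup error. A check after each assignment would fail configuration early, e.g. `if (!conf->lockdb_path) return HTTP_INTERNAL_SERVER_ERROR;` in mod_dav_fs and `if (!mc->base_dir) return APR_EGENERAL;` in mod_md. The doc comment added in include/http_config.h should also state the NULL return, for instance `@return the merged path, or NULL if the path is invalid`. `md_config_post_config` begins outside its hunk.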
@@ -0,0 +1,11 @@
+--- a/modules/ssl/ssl_engine_config.c 2018/10/16 12:53:18 1844001
++++ b/modules/ssl/ssl_engine_config.c 2018/10/16 12:55:01 1844002
+@@ -433,6 +433,8 @@
+ cfgMergeString(pkp->cert_file);
+ cfgMergeString(pkp->cert_path);
+ cfgMergeString(pkp->ca_cert_file);
++ cfgMergeString(pkp->certs);
++ cfgMergeString(pkp->ca_certs);
+ }
+
+ void *ssl_config_perdir_merge(apr_pool_t *p, void *basev, void *addv)
diff --git a/SOURCES/httpd-2.4.34-r1847288.patch b/SOURCES/httpd-2.4.34-r1847288.patch
new file mode 100644
index 0000000..280a015
--- /dev/null
+++ b/SOURCES/httpd-2.4.34-r1847288.patch
@@ -0,0 +1,47 @@
+# ./pullrev.sh 1847288
+http://svn.apache.org/viewvc?view=revision&revision=1847288
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1725922
+
+--- httpd-2.4.25/modules/session/mod_session_cookie.c
++++ httpd-2.4.25/modules/session/mod_session_cookie.c
+@@ -67,7 +67,7 @@
+ if (conf->name_set) {
+ if (z->encoded && z->encoded[0]) {
+ ap_cookie_write(r, conf->name, z->encoded, conf->name_attrs,
+- z->maxage, r->headers_out, r->err_headers_out,
++ z->maxage, r->err_headers_out,
+ NULL);
+ }
+ else {
+@@ -80,7 +80,7 @@
+ if (conf->name2_set) {
+ if (z->encoded && z->encoded[0]) {
+ ap_cookie_write2(r, conf->name2, z->encoded, conf->name2_attrs,
+- z->maxage, r->headers_out, r->err_headers_out,
++ z->maxage, r->err_headers_out,
+ NULL);
+ }
+ else {
+diff --git a/modules/session/mod_session_cookie.c b/modules/session/mod_session_cookie.c
+index a010ee7..fee7c36 100644
+--- a/modules/session/mod_session_cookie.c
++++ b/modules/session/mod_session_cookie.c
+@@ -71,7 +71,7 @@ static apr_status_t session_cookie_save(request_rec * r, session_rec * z)
+ NULL);
+ }
+ else {
+- ap_cookie_remove(r, conf->name, conf->name_attrs, r->headers_out,
++ ap_cookie_remove(r, conf->name, conf->name_attrs,
+ r->err_headers_out, NULL);
+ }
+ }
+@@ -85,7 +85,7 @@ static apr_status_t session_cookie_save(request_rec * r, session_rec * z)
+ }
+ else {
+ ap_cookie_remove2(r, conf->name2, conf->name2_attrs,
+- r->headers_out, r->err_headers_out, NULL);
++ r->err_headers_out, NULL);
+ }
+ }
+
diff --git a/SOURCES/httpd-2.4.34-r1865740.patch b/SOURCES/httpd-2.4.34-r1865740.patch
new file mode 100644
index 0000000..adb5dac
--- /dev/null
+++ b/SOURCES/httpd-2.4.34-r1865740.patch
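Review bot: Nothing at the four changed call sites in `session_cookie_save` records why the session cookie is now written to and removed from `r->err_headers_out` alone. A later edit could easily put `r->headers_out` back into the NULL-terminated table list and reintroduce the duplicated cookie that the package changelog names as the bug. A short comment above the first `ap_cookie_write` call would pin the intent, e.g. `/* err_headers_out only: passing headers_out as well emitted the session cookie twice */`. The function starts and ends outside these hunks, so the comment placement should be checked against the full body.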
@@ -0,0 +1,35 @@ +From b2c35e93608e737d28d8dd51ad15972df5c72f71 Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Fri, 23 Aug 2019 10:31:01 +0000 +Subject: [PATCH] mod_ssl: OCSP does not apply to proxy mode, fix verify + context. + +Since ssl_callback_SSLVerify() is called for both server and proxy modes, +use myCtxConfig()->ocsp_mask to check the right mode/configuration (i.e. +none for proxy in any case). + +PR 63679. +Submitted by: Lubos Uhliarik + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1865740 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/ssl/ssl_engine_kernel.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + + +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index e34fc55..d6aa051 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -1651,8 +1651,8 @@ int ssl_callback_SSLVerify(int ok, X509_STORE_CTX *ctx) + /* + * Perform OCSP-based revocation checks + */ +- if (ok && ((sc->server->ocsp_mask & SSL_OCSPCHECK_CHAIN) || +- (errdepth == 0 && (sc->server->ocsp_mask & SSL_OCSPCHECK_LEAF)))) { ++ if (ok && ((mctx->ocsp_mask & SSL_OCSPCHECK_CHAIN) || ++ (errdepth == 0 && (mctx->ocsp_mask & SSL_OCSPCHECK_LEAF)))) { + /* If there was an optional verification error, it's not + * possible to perform OCSP validation since the issuer may be + * missing/untrusted. Fail in that case. */ diff --git a/SPECS/httpd.spec b/SPECS/httpd.spec index 9faf814..109c619 100644 --- a/SPECS/httpd.spec +++ b/SPECS/httpd.spec @@ -51,7 +51,7 @@ Summary: Apache HTTP Server Name: %{?scl:%scl_prefix}httpd Version: 2.4.34 -Release: 8%{?dist}.1 +Release: 15%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -82,6 +82,7 @@ Source27: action-configtest.sh Source28: 00-optional.conf Source29: httpd-scl-wrapper Source30: 01-md.conf +Source31: config.layout # Documentation Source40: htcacheclean.service 
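Review bot: The existing comment `Perform OCSP-based revocation checks` in `ssl_callback_SSLVerify` (modules/ssl/ssl_engine_kernel.c) no longer describes the whole behaviour. With the test now on `mctx->ocsp_mask` instead of `sc->server->ocsp_mask`, the commit message says no OCSP check runs for proxy (backend) connections. Extending the comment keeps that visible to anyone auditing backend certificate validation, e.g. `* (server mode only: the proxy context carries no OCSP mask, so backend certificates are not OCSP-checked here)`. `mctx` is assigned outside the hunk, so confirm there that it is the per-connection context from `myCtxConfig()` and cannot be NULL at this point.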
@@ -93,7 +94,6 @@ Source43: README.confd Patch1: httpd-2.4.1-apctl.patch Patch2: httpd-2.4.25-apxs.patch Patch3: httpd-2.4.1-deplibs.patch -Patch5: httpd-2.4.3-layout.patch Patch6: httpd-2.4.3-apctl-systemd.patch Patch7: httpd-2.4.34-skiplist.patch Patch8: httpd-2.4.25-detect-systemd.patch 
@@ -118,16 +118,39 @@ Patch77: httpd-2.4.34-scl-libcurl.patch Patch78: httpd-2.4.33-mddefault.patch Patch79: httpd-2.4.34-r1836472.patch Patch80: httpd-2.4.34-statements-comment.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1707636 +Patch81: httpd-2.4.34-r1844002.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1669213 +Patch82: httpd-2.4.34-r1840554.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1673019 +Patch83: httpd-2.4.34-mod-md-perms.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1673019 +Patch84: httpd-2.4.34-r1842929+.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1725922 +Patch85: httpd-2.4.34-r1847288.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1744120 +Patch86: httpd-2.4.34-r1865740.patch # Security fixes Patch200: httpd-2.4.34-CVE-2018-11763.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1694980 Patch201: httpd-2.4.34-CVE-2019-0211.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1696095 +Patch202: httpd-2.4.34-CVE-2019-0220.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1696140 +Patch203: httpd-2.4.34-CVE-2019-0217.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1677498 +Patch204: httpd-2.4.34-CVE-2018-17199.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1741860 # https://bugzilla.redhat.com/show_bug.cgi?id=1741864 # https://bugzilla.redhat.com/show_bug.cgi?id=1741868 -Patch202: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch - +Patch205: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1668497 +Patch206: httpd-2.4.34-CVE-2018-17189.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1747282 +Patch207: httpd-2.4.34-CVE-2019-10092.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1747290 +Patch208: httpd-2.4.34-CVE-2019-10097.patch License: ASL 2.0 Group: System Environment/Daemons 
@@ -305,7 +328,6 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH %patch1 -p1 -b .apctl %patch2 -p1 -b .apxs %patch3 -p1 -b .deplibs -%patch5 -p1 -b .layout %if %{use_systemd} %patch6 -p1 -b .apctlsystemd %patch7 -p1 -b .skiplist @@ -333,10 +355,22 @@ export LD_LIBRARY_PATH=%{_libdir}:$LD_LIBRARY_PATH %patch78 -p1 -b .md_default %patch79 -p1 -b .r1836472 %patch80 -p1 -b .statementscomment +%patch81 -p1 -b .r1844002 +%patch82 -p1 -b .r1840554 +%patch83 -p1 -b .mod-md-perms +%patch84 -p1 -b .r1842929+ +%patch85 -p1 -b .r1847288 +%patch86 -p1 -b .r1865740 %patch200 -p1 -b .CVE-2018-11763 %patch201 -p1 -b .CVE-2019-0211 -%patch202 -p1 -b .CVE-2019-9511-and-9516-and-9517 +%patch202 -p1 -b .CVE-2019-0220 +%patch203 -p1 -b .CVE-2019-0217 +%patch204 -p1 -b .CVE-2018-17199 +%patch205 -p1 -b .CVE-2019-9511-and-9516-and-9517 +%patch206 -p1 -b .CVE-2018-17189 +%patch207 -p1 -b .CVE-2019-10092 +%patch208 -p1 -b .CVE-2019-10097 # Patch in the vendor string and the release string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -355,6 +389,9 @@ fi : Building with MMN %{mmn}, MMN-ISA %{mmnisa} and vendor string '%{vstring}' +# Provide default layout +cp $RPM_SOURCE_DIR/config.layout . + %build # forcibly prevent use of bundled apr, apr-util, pcre rm -rf srclib/{apr,apr-util,pcre} @@ -619,6 +656,7 @@ ln -s /usr/share/pixmaps/poweredby.png \ $RPM_BUILD_ROOT%{contentdir}/icons/poweredby.png # symlinks for /etc/httpd +rmdir $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/{state,run} ln -s %{httpd_logdir} $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/logs ln -s %{_localstatedir}/lib/httpd $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/state ln -s %{_localstatedir}/run/httpd $RPM_BUILD_ROOT/%{_sysconfdir}/httpd/run 
@@ -1000,14 +1038,45 @@ rm -rf $RPM_BUILD_ROOT %endif %changelog -* Thu Aug 29 2019 Lubos Uhliarik - 2.4.34-8.1 -- Resolves: #1745694 - CVE-2019-9511 httpd24-httpd: HTTP/2: large amount of data - request leads to denial of service -- Resolves: #1745679 - CVE-2019-9516 httpd24-httpd: HTTP/2: 0-length headers +* Wed Nov 13 2019 Lubos Uhliarik - 2.4.34-15 +- Related: #1725922 - duplicated cookie in Apache httpd with mod_session + +* Tue Oct 08 2019 Lubos Uhliarik - 2.4.34-14 +- Resolves: #1743996 (CVE-2019-10097) - CVE-2019-10097 httpd: null-pointer + dereference in mod_remoteip +- Resolves: #1747282 - CVE-2019-10092 httpd24-httpd: httpd: limited cross-site + scripting in mod_proxy error page + +* Tue Oct 08 2019 Lubos Uhliarik - 2.4.34-13 +- Resolves: #1744120 - Unexpected OCSP in proxy SSL connection + +* Fri Oct 04 2019 Joe Orton - 2.4.34-12 +- Resolves: #1725922 - duplicated cookie in Apache httpd with mod_session + +* Tue Sep 24 2019 Lubos Uhliarik - 2.4.34-11 +- Resolves: #1678567 (CVE-2018-17189) - CVE-2018-17189 httpd: mod_http2: + DoS via slow, unneeded request bodies + +* Wed Aug 28 2019 Lubos Uhliarik - 2.4.34-10 +- Resolves: #1745695 - CVE-2019-9511 httpd24-httpd: HTTP/2: large amount of + data request leads to denial of service +- Resolves: #1745680 - CVE-2019-9516 httpd24-httpd: HTTP/2: 0-length headers leads to denial of service -- Resolves: #1745682 - CVE-2019-9517 httpd24-httpd: HTTP/2: request for large +- Resolves: #1745683 - CVE-2019-9517 httpd24-httpd: HTTP/2: request for large response leads to denial of service +* Wed Aug 07 2019 Lubos Uhliarik - 2.4.34-9 +- Resolves: #1696140 - CVE-2019-0217 httpd24-httpd: httpd: mod_auth_digest: + access control bypass due to race condition +- Resolves: #1696095 - CVE-2019-0220 httpd24-httpd: httpd: URL normalization + inconsistency +- Resolves: #1677498 - CVE-2018-17199 httpd24-httpd: httpd: mod_session_cookie + does not respect expiry time +- Resolves: #1707636 - fix a regression introduced in r1740928 +- 
Resolves: #1669213 - `ExtendedStatus Off` directive when using mod_systemd + causes systemctl to hang +- Resolves: #1673019 - httpd can not be started with mod_md enabled + * Wed Apr 03 2019 Lubos Uhliarik - 2.4.34-8 - Resolves: #1695429 - CVE-2019-0211 httpd24-httpd: httpd: privilege escalation from modules scripts
    Description:Determines whether trailers are merged into headers