diff --git a/SOURCES/mod_http2-1.15.19-CVE-2021-44224.patch b/SOURCES/mod_http2-1.15.19-CVE-2021-44224.patch new file mode 100644 index 0000000..11252ec --- /dev/null +++ b/SOURCES/mod_http2-1.15.19-CVE-2021-44224.patch @@ -0,0 +1,13 @@ +diff --git a/mod_http2/h2_request.c b/mod_http2/h2_request.c +index 45df9b1..70241d4 100644 +--- a/mod_http2/h2_request.c ++++ b/mod_http2/h2_request.c +@@ -371,7 +371,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c) + ap_add_input_filter_handle(ap_http_input_filter_handle, + NULL, r, r->connection); + +- if ((access_status = ap_run_post_read_request(r))) { ++ if ((access_status = ap_post_read_request(r))) { + /* Request check post hooks failed. An example of this would be a + * request for a vhost where h2 is disabled --> 421. + */ diff --git a/SOURCES/mod_http2-1.15.19-CVE-2023-25690.patch b/SOURCES/mod_http2-1.15.19-CVE-2023-25690.patch new file mode 100644 index 0000000..824e81d --- /dev/null +++ b/SOURCES/mod_http2-1.15.19-CVE-2023-25690.patch @@ -0,0 +1,30 @@ +diff --git a/mod_http2/mod_proxy_http2.c b/mod_http2/mod_proxy_http2.c +index 893aa8f..d52d5d9 100644 +--- a/mod_http2/mod_proxy_http2.c ++++ b/mod_http2/mod_proxy_http2.c +@@ -154,11 +154,25 @@ static int proxy_http2_canon(request_rec *r, char *url) + if (apr_table_get(r->notes, "proxy-nocanon")) { + path = url; /* this is the raw path */ + } ++ else if (apr_table_get(r->notes, "proxy-noencode")) { ++ path = url; /* this is the encoded path already */ ++ search = r->args; ++ } + else { + path = ap_proxy_canonenc(r->pool, url, (int)strlen(url), + enc_path, 0, r->proxyreq); + search = r->args; + } ++ if (search && *ap_scan_vchar_obstext(search)) { ++ /* ++ * We have a raw control character or a ' ' in r->args. ++ * Correct encoding was missed. ++ */ ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10412) ++ "To be forwarded query string contains control " ++ "characters or spaces"); ++ return HTTP_FORBIDDEN; ++ } + break; + case PROXYREQ_PROXY: + path = url; diff --git a/SPECS/mod_http2.spec b/SPECS/mod_http2.spec index 3835b43..e32a261 100644 --- a/SPECS/mod_http2.spec +++ b/SPECS/mod_http2.spec @@ -3,19 +3,26 @@ Name: mod_http2 Version: 1.15.19 -Release: 2%{?dist} +Release: 3%{?dist}.5 Summary: module implementing HTTP/2 for Apache 2 License: ASL 2.0 URL: https://icing.github.io/mod_h2/ Source0: https://github.com/icing/mod_h2/releases/download/v%{version}/mod_http2-%{version}.tar.gz Patch1: mod_http2-1.14.1-buildfix.patch Patch2: mod_http2-1.15.14-openssl30.patch + +# Security patches: +# https://bugzilla.redhat.com/show_bug.cgi?id=2034672 +Patch100: mod_http2-1.15.19-CVE-2021-44224.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2176209 +Patch101: mod_http2-1.15.19-CVE-2023-25690.patch + BuildRequires: make BuildRequires: gcc BuildRequires: pkgconfig, httpd-devel >= 2.4.20, libnghttp2-devel >= 1.7.0, openssl-devel >= 1.0.2 BuildRequires: autoconf, libtool, /usr/bin/hostname Requires: httpd-mmn = %{_httpd_mmn} -Conflicts: httpd < 2.4.25-8 +Conflicts: httpd < 2.4.53-7%{?dist}.4 %description The mod_h2 Apache httpd module implements the HTTP2 protocol (h2+h2c) on @@ -26,6 +33,9 @@ top of libnghttp2 for httpd 2.4 servers. %patch1 -p1 -b .buildfix %patch2 -p1 -b .openssl30 +%patch100 -p1 -b .CVE-2021-44224 +%patch101 -p1 -b .CVE-2023-25690 + %build autoreconf -i %configure --with-apxs=%{_httpd_apxs} @@ -49,6 +59,14 @@ echo "LoadModule proxy_http2_module modules/mod_proxy_http2.so" > %{buildroot}%{ %{_httpd_moddir}/mod_proxy_http2.so %changelog +* Thu Mar 16 2023 Luboš Uhliarik - 1.15.19-3.5 +- Resolves: #2177751 - CVE-2023-25690 httpd: HTTP request splitting with + mod_rewrite and mod_proxy + +* Mon Mar 21 2022 Luboš Uhliarik - 1.15.19-3 +- Resolves: #2066311 - CVE-2021-44224 httpd: possible NULL dereference or SSRF + in forward proxy configurations + * Mon Aug 09 2021 Mohan Boddu - 1.15.19-2 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688