diff --git a/httpd-2.4.37-r1922080.patch b/httpd-2.4.37-r1922080.patch new file mode 100644 index 0000000000000000000000000000000000000000..6a81fab7ed0e264e94687518c290d5162427fd06 --- /dev/null +++ b/httpd-2.4.37-r1922080.patch @@ -0,0 +1,64 @@ +diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c +index 94ec87e..16ebd98 100644 +--- a/modules/proxy/mod_proxy.c ++++ b/modules/proxy/mod_proxy.c +@@ -1043,6 +1043,7 @@ static int proxy_handler(request_rec *r) + + r->proxyreq = PROXYREQ_REVERSE; + r->filename = apr_pstrcat(r->pool, r->handler, r->filename, NULL); ++ apr_table_setn(r->notes, "proxy-sethandler", "1"); + + /* Still need to fixup/canonicalize r->filename */ + rc = ap_proxy_fixup_uds_filename(r); +@@ -1055,6 +1056,7 @@ static int proxy_handler(request_rec *r) + } + } + else if (r->proxyreq && strncmp(r->filename, "proxy:", 6) == 0) { ++ apr_table_unset(r->notes, "proxy-sethandler"); + rc = OK; + } + if (rc != OK) { +diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c +index f9cf716..fa0b810 100644 +--- a/modules/proxy/mod_proxy_fcgi.c ++++ b/modules/proxy/mod_proxy_fcgi.c +@@ -63,6 +63,8 @@ static int proxy_fcgi_canon(request_rec *r, char *url) + apr_port_t port, def_port; + fcgi_req_config_t *rconf = NULL; + const char *pathinfo_type = NULL; ++ fcgi_dirconf_t *dconf = ap_get_module_config(r->per_dir_config, ++ &proxy_fcgi_module); + + if (ap_cstr_casecmpn(url, "fcgi:", 5) == 0) { + url += 5; +@@ -92,7 +94,29 @@ static int proxy_fcgi_canon(request_rec *r, char *url) + host = apr_pstrcat(r->pool, "[", host, "]", NULL); + } + +- if (apr_table_get(r->notes, "proxy-nocanon")) { ++ if (apr_table_get(r->notes, "proxy-sethandler") ++ || apr_table_get(r->notes, "proxy-nocanon")){ ++ ++ char *c = url; ++ ++ /* We do not call ap_proxy_canonenc_ex() on the path here, don't ++ * let control characters pass still, and for php-fpm no '?' either. ++ */ ++ if (FCGI_MAY_BE_FPM(dconf)) { ++ while (!apr_iscntrl(*c) && *c != '?') ++ c++; ++ } ++ else { ++ while (!apr_iscntrl(*c)) ++ c++; ++ } ++ if (*c) { ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10414) ++ "To be forwarded path contains control characters%s (%s)", ++ FCGI_MAY_BE_FPM(dconf) ? " or '?'" : "", url); ++ return HTTP_FORBIDDEN; ++ } ++ + path = url; /* this is the raw path */ + } + else { diff --git a/httpd.spec b/httpd.spec index a91a5bc6d65755ac1f0d7767c4be6e1397449f1c..9f4b938508c4dfa2776b254756c41e61da015984 100644 --- a/httpd.spec +++ b/httpd.spec @@ -11,273 +11,275 @@ %global mpm prefork %endif -Summary: Apache HTTP Server -Name: httpd -Version: 2.4.37 -Release: 65%{anolis_release}%{?dist}.2 -URL: https://httpd.apache.org/ -Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 -Source2: httpd.logrotate -Source3: instance.conf -Source4: httpd-ssl-pass-dialog -Source5: httpd.tmpfiles -Source6: httpd.service -Source7: action-graceful.sh -Source8: action-configtest.sh -Source10: httpd.conf -Source11: 00-base.conf -Source12: 00-mpm.conf -Source13: 00-lua.conf -Source14: 01-cgi.conf -Source15: 00-dav.conf -Source16: 00-proxy.conf -Source17: 00-ssl.conf -Source18: 01-ldap.conf -Source19: 00-proxyhtml.conf -Source20: userdir.conf -Source21: ssl.conf -Source22: welcome.conf -Source23: manual.conf -Source24: 00-systemd.conf -Source25: 01-session.conf -Source26: 10-listen443.conf -Source27: httpd.socket -Source28: 00-optional.conf +Summary: Apache HTTP Server +Name: httpd +Version: 2.4.37 +Release: 65%{anolis_release}%{?dist}.3 +URL: https://httpd.apache.org/ +Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 +Source2: httpd.logrotate +Source3: instance.conf +Source4: httpd-ssl-pass-dialog +Source5: httpd.tmpfiles +Source6: httpd.service +Source7: action-graceful.sh +Source8: action-configtest.sh +Source10: httpd.conf +Source11: 00-base.conf +Source12: 00-mpm.conf +Source13: 00-lua.conf +Source14: 01-cgi.conf +Source15: 00-dav.conf +Source16: 00-proxy.conf +Source17: 00-ssl.conf +Source18: 01-ldap.conf +Source19: 00-proxyhtml.conf +Source20: userdir.conf +Source21: ssl.conf +Source22: welcome.conf +Source23: manual.conf +Source24: 00-systemd.conf +Source25: 01-session.conf +Source26: 10-listen443.conf +Source27: httpd.socket +Source28: 00-optional.conf # Documentation -Source30: README.confd -Source31: README.confmod -Source32: httpd.service.xml -Source33: htcacheclean.service.xml -Source34: httpd.conf.xml -Source40: htcacheclean.service -Source41: htcacheclean.sysconf -Source42: httpd-init.service -Source43: httpd-ssl-gencerts -Source44: httpd@.service -Source45: config.layout -Source46: apache-poweredby.png +Source30: README.confd +Source31: README.confmod +Source32: httpd.service.xml +Source33: htcacheclean.service.xml +Source34: httpd.conf.xml +Source40: htcacheclean.service +Source41: htcacheclean.sysconf +Source42: httpd-init.service +Source43: httpd-ssl-gencerts +Source44: httpd@.service +Source45: config.layout +Source46: apache-poweredby.png # build/scripts patches # http://bugzilla.redhat.com/show_bug.cgi?id=1231924 # http://bugzilla.redhat.com/show_bug.cgi?id=842736 # http://bugzilla.redhat.com/show_bug.cgi?id=1214401 -Patch1: httpd-2.4.35-apachectl.patch -Patch2: httpd-2.4.28-apxs.patch -Patch3: httpd-2.4.35-deplibs.patch +Patch1: httpd-2.4.35-apachectl.patch +Patch2: httpd-2.4.28-apxs.patch +Patch3: httpd-2.4.35-deplibs.patch # Needed for socket activation and mod_systemd patch -Patch19: httpd-2.4.35-detect-systemd.patch +Patch19: httpd-2.4.35-detect-systemd.patch # Features/functional changes -Patch20: httpd-2.4.32-export.patch -Patch21: httpd-2.4.35-corelimit.patch -Patch22: httpd-2.4.35-selinux.patch +Patch20: httpd-2.4.32-export.patch +Patch21: httpd-2.4.35-corelimit.patch +Patch22: httpd-2.4.35-selinux.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1170215 -Patch23: httpd-2.4.28-icons.patch -Patch24: httpd-2.4.35-systemd.patch -Patch25: httpd-2.4.35-cachehardmax.patch -Patch26: httpd-2.4.28-socket-activation.patch +Patch23: httpd-2.4.28-icons.patch +Patch24: httpd-2.4.35-systemd.patch +Patch25: httpd-2.4.35-cachehardmax.patch +Patch26: httpd-2.4.28-socket-activation.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1109119 -Patch27: httpd-2.4.35-sslciphdefault.patch +Patch27: httpd-2.4.35-sslciphdefault.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1332242 -Patch28: httpd-2.4.28-statements-comment.patch +Patch28: httpd-2.4.28-statements-comment.patch # https://bugzilla.redhat.com/show_bug.cgi?id=811714 -Patch29: httpd-2.4.35-full-release.patch -Patch30: httpd-2.4.35-freebind.patch -Patch31: httpd-2.4.35-r1830819+.patch +Patch29: httpd-2.4.35-full-release.patch +Patch30: httpd-2.4.35-freebind.patch +Patch31: httpd-2.4.35-r1830819+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1638738 -Patch32: httpd-2.4.37-sslprotdefault.patch +Patch32: httpd-2.4.37-sslprotdefault.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1747898 -Patch33: httpd-2.4.37-mod-md-mod-ssl-hooks.patch +Patch33: httpd-2.4.37-mod-md-mod-ssl-hooks.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1725031 -Patch34: httpd-2.4.37-r1861793+.patch +Patch34: httpd-2.4.37-r1861793+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1704317 -Patch35: httpd-2.4.37-sslkeylogfile-support.patch +Patch35: httpd-2.4.37-sslkeylogfile-support.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1794728 -Patch36: httpd-2.4.37-session-expiry-updt-int.patch +Patch36: httpd-2.4.37-session-expiry-updt-int.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1209162 -Patch37: httpd-2.4.37-logjournal.patch +Patch37: httpd-2.4.37-logjournal.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1869576 -Patch38: httpd-2.4.37-pr37355.patch +Patch38: httpd-2.4.37-pr37355.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1896176 -Patch39: httpd-2.4.37-proxy-ws-idle-timeout.patch +Patch39: httpd-2.4.37-proxy-ws-idle-timeout.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1883648 -Patch40: httpd-2.4.37-ssl-proxy-chains.patch +Patch40: httpd-2.4.37-ssl-proxy-chains.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1935742 -Patch41: httpd-2.4.37-usertrack-samesite.patch +Patch41: httpd-2.4.37-usertrack-samesite.patch # Bug fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 -Patch61: httpd-2.4.35-r1738878.patch +Patch61: httpd-2.4.35-r1738878.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1170206 -Patch62: httpd-2.4.35-r1633085.patch +Patch62: httpd-2.4.35-r1633085.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1448892 -Patch63: httpd-2.4.28-r1811831.patch +Patch63: httpd-2.4.28-r1811831.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1602548 -Patch65: httpd-2.4.35-r1842888.patch +Patch65: httpd-2.4.35-r1842888.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1653009 # https://bugzilla.redhat.com/show_bug.cgi?id=1672977 # https://bugzilla.redhat.com/show_bug.cgi?id=1673022 -Patch66: httpd-2.4.37-r1842929+.patch +Patch66: httpd-2.4.37-r1842929+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1630432 -Patch67: httpd-2.4.35-r1825120.patch +Patch67: httpd-2.4.35-r1825120.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1670716 -Patch68: httpd-2.4.37-fips-segfault.patch +Patch68: httpd-2.4.37-fips-segfault.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1669221 -Patch70: httpd-2.4.37-r1840554.patch +Patch70: httpd-2.4.37-r1840554.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1673022 -Patch71: httpd-2.4.37-mod-md-perms.patch +Patch71: httpd-2.4.37-mod-md-perms.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1724549 -Patch72: httpd-2.4.37-mod-mime-magic-strdup.patch +Patch72: httpd-2.4.37-mod-mime-magic-strdup.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1724034 -Patch73: httpd-2.4.35-ocsp-wrong-ctx.patch +Patch73: httpd-2.4.35-ocsp-wrong-ctx.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1633224 -Patch74: httpd-2.4.37-r1828172+.patch +Patch74: httpd-2.4.37-r1828172+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1775158 -Patch75: httpd-2.4.37-r1870095+.patch +Patch75: httpd-2.4.37-r1870095+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1771847 -Patch76: httpd-2.4.37-proxy-continue.patch -Patch77: httpd-2.4.37-balancer-failover.patch +Patch76: httpd-2.4.37-proxy-continue.patch +Patch77: httpd-2.4.37-balancer-failover.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1875844 -Patch78: httpd-2.4.37-r1881459.patch +Patch78: httpd-2.4.37-r1881459.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1891829 -Patch79: httpd-2.4.37-r1864000.patch +Patch79: httpd-2.4.37-r1864000.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1868608 -Patch80: httpd-2.4.37-r1872790.patch +Patch80: httpd-2.4.37-r1872790.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1861380 -Patch81: httpd-2.4.37-r1879224.patch +Patch81: httpd-2.4.37-r1879224.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1680118 -Patch82: httpd-2.4.37-r1877397.patch +Patch82: httpd-2.4.37-r1877397.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1847585 -Patch83: httpd-2.4.37-r1878890.patch +Patch83: httpd-2.4.37-r1878890.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1918741 -Patch84: httpd-2.4.37-r1878280.patch +Patch84: httpd-2.4.37-r1878280.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1891594 -Patch85: httpd-2.4.37-htcacheclean-dont-break.patch +Patch85: httpd-2.4.37-htcacheclean-dont-break.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1937334 -Patch86: httpd-2.4.37-r1873907.patch +Patch86: httpd-2.4.37-r1873907.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1680111 -Patch87: httpd-2.4.37-reply-two-tls-rec.patch +Patch87: httpd-2.4.37-reply-two-tls-rec.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1905613 -Patch88: httpd-2.4.37-r1845768+.patch +Patch88: httpd-2.4.37-r1845768+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2001046 -Patch89: httpd-2.4.37-r1862410.patch +Patch89: httpd-2.4.37-r1862410.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1984828 -Patch90: httpd-2.4.37-hcheck-mem-issues.patch +Patch90: httpd-2.4.37-hcheck-mem-issues.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2017543 -Patch91: httpd-2.4.37-add-SNI-support.patch +Patch91: httpd-2.4.37-add-SNI-support.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2159603 -Patch92: httpd-2.4.37-mod_status-duplicate-key.patch +Patch92: httpd-2.4.37-mod_status-duplicate-key.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2221083 -Patch93: httpd-2.4.37-r1885607.patch +Patch93: httpd-2.4.37-r1885607.patch # https://issues.redhat.com/browse/RHEL-14321 -Patch94: httpd-2.4.57-r1884505+.patch +Patch94: httpd-2.4.57-r1884505+.patch # https://bz.apache.org/bugzilla/show_bug.cgi?id=69197 -Patch95: httpd-2.4.37-r1919325.patch +Patch95: httpd-2.4.37-r1919325.patch +# https://issues.redhat.com/browse/RHEL-56068 +Patch96: httpd-2.4.37-r1922080.patch # Security fixes -Patch200: httpd-2.4.37-r1851471.patch +Patch200: httpd-2.4.37-r1851471.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1694980 -Patch201: httpd-2.4.37-CVE-2019-0211.patch +Patch201: httpd-2.4.37-CVE-2019-0211.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1695025 -Patch202: httpd-2.4.37-CVE-2019-0215.patch +Patch202: httpd-2.4.37-CVE-2019-0215.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1696141 -Patch203: httpd-2.4.37-CVE-2019-0217.patch +Patch203: httpd-2.4.37-CVE-2019-0217.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1696097 -Patch204: httpd-2.4.37-CVE-2019-0220.patch +Patch204: httpd-2.4.37-CVE-2019-0220.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1741860 # https://bugzilla.redhat.com/show_bug.cgi?id=1741864 # https://bugzilla.redhat.com/show_bug.cgi?id=1741868 -Patch205: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch +Patch205: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1823259 # https://bugzilla.redhat.com/show_bug.cgi?id=1747284 # fixes both CVE-2020-1927 and CVE-2019-10098 -Patch206: httpd-2.4.37-CVE-2019-10098.patch +Patch206: httpd-2.4.37-CVE-2019-10098.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1747281 -Patch207: httpd-2.4.37-CVE-2019-10092.patch +Patch207: httpd-2.4.37-CVE-2019-10092.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1747291 -Patch208: httpd-2.4.37-CVE-2019-10097.patch +Patch208: httpd-2.4.37-CVE-2019-10097.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1820772 -Patch209: httpd-2.4.37-CVE-2020-1934.patch +Patch209: httpd-2.4.37-CVE-2020-1934.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1668493 -Patch210: httpd-2.4.37-CVE-2018-17199.patch +Patch210: httpd-2.4.37-CVE-2018-17199.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1866563 -Patch211: httpd-2.4.37-CVE-2020-11984.patch +Patch211: httpd-2.4.37-CVE-2020-11984.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1972500 -Patch212: httpd-2.4.37-CVE-2021-30641.patch +Patch212: httpd-2.4.37-CVE-2021-30641.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1968307 -Patch213: httpd-2.4.37-CVE-2021-26690.patch +Patch213: httpd-2.4.37-CVE-2021-26690.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2005117 -Patch214: httpd-2.4.37-CVE-2021-40438.patch +Patch214: httpd-2.4.37-CVE-2021-40438.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1966732 -Patch215: httpd-2.4.37-CVE-2021-26691.patch +Patch215: httpd-2.4.37-CVE-2021-26691.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1968278 -Patch216: httpd-2.4.37-CVE-2020-35452.patch +Patch216: httpd-2.4.37-CVE-2020-35452.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2005128 -Patch217: httpd-2.4.37-CVE-2021-34798.patch +Patch217: httpd-2.4.37-CVE-2021-34798.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2005119 -Patch218: httpd-2.4.37-CVE-2021-39275.patch +Patch218: httpd-2.4.37-CVE-2021-39275.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2005124 -Patch219: httpd-2.4.37-CVE-2021-36160.patch +Patch219: httpd-2.4.37-CVE-2021-36160.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1966728 -Patch220: httpd-2.4.37-CVE-2021-33193.patch +Patch220: httpd-2.4.37-CVE-2021-33193.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2034674 -Patch221: httpd-2.4.37-CVE-2021-44790.patch +Patch221: httpd-2.4.37-CVE-2021-44790.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2034672 -Patch222: httpd-2.4.37-CVE-2021-44224.patch +Patch222: httpd-2.4.37-CVE-2021-44224.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2064321 -Patch223: httpd-2.4.37-CVE-2022-22720.patch +Patch223: httpd-2.4.37-CVE-2022-22720.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1966738 -Patch224: httpd-2.4.37-CVE-2020-13950.patch +Patch224: httpd-2.4.37-CVE-2020-13950.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2064322 -Patch225: httpd-2.4.37-CVE-2022-22719.patch +Patch225: httpd-2.4.37-CVE-2022-22719.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2064320 -Patch226: httpd-2.4.37-CVE-2022-22721.patch +Patch226: httpd-2.4.37-CVE-2022-22721.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2065324 -Patch227: httpd-2.4.37-CVE-2022-23943.patch +Patch227: httpd-2.4.37-CVE-2022-23943.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095002 -Patch228: httpd-2.4.37-CVE-2022-28614.patch +Patch228: httpd-2.4.37-CVE-2022-28614.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095006 -Patch229: httpd-2.4.37-CVE-2022-28615.patch +Patch229: httpd-2.4.37-CVE-2022-28615.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095015 -Patch230: httpd-2.4.37-CVE-2022-30522.patch +Patch230: httpd-2.4.37-CVE-2022-30522.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095018 -Patch231: httpd-2.4.37-CVE-2022-30556.patch +Patch231: httpd-2.4.37-CVE-2022-30556.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095020 -Patch232: httpd-2.4.37-CVE-2022-31813.patch +Patch232: httpd-2.4.37-CVE-2022-31813.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095012 -Patch233: httpd-2.4.37-CVE-2022-29404.patch +Patch233: httpd-2.4.37-CVE-2022-29404.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2094997 -Patch234: httpd-2.4.37-CVE-2022-26377.patch +Patch234: httpd-2.4.37-CVE-2022-26377.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2161773 -Patch235: httpd-2.4.37-CVE-2022-37436.patch +Patch235: httpd-2.4.37-CVE-2022-37436.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2161774 -Patch236: httpd-2.4.37-CVE-2006-20001.patch +Patch236: httpd-2.4.37-CVE-2006-20001.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2161777 -Patch237: httpd-2.4.37-CVE-2022-36760.patch +Patch237: httpd-2.4.37-CVE-2022-36760.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2176209 -Patch238: httpd-2.4.37-CVE-2023-25690.patch +Patch238: httpd-2.4.37-CVE-2023-25690.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2176211 -Patch239: httpd-2.4.37-CVE-2023-27522.patch +Patch239: httpd-2.4.37-CVE-2023-27522.patch # https://issues.redhat.com/browse/RHEL-14448 -Patch240: httpd-2.4.37-CVE-2023-31122.patch +Patch240: httpd-2.4.37-CVE-2023-31122.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2273491 -Patch241: httpd-2.4.37-CVE-2023-38709.patch +Patch241: httpd-2.4.37-CVE-2023-38709.patch # CVE-2024-38474 and CVE-2024-38475 fixed in one patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295013 # https://bugzilla.redhat.com/show_bug.cgi?id=2295014 -Patch242: httpd-2.4.37-CVE-2024-38474+.patch +Patch242: httpd-2.4.37-CVE-2024-38474+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295012 -Patch243: httpd-2.4.37-CVE-2024-38473.patch +Patch243: httpd-2.4.37-CVE-2024-38473.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295016 -Patch244: httpd-2.4.37-CVE-2024-38477.patch +Patch244: httpd-2.4.37-CVE-2024-38477.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295022 -Patch245: httpd-2.4.37-CVE-2024-39573.patch +Patch245: httpd-2.4.37-CVE-2024-39573.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295015 -Patch246: httpd-2.4.37-CVE-2024-38476.patch +Patch246: httpd-2.4.37-CVE-2024-38476.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2297362 # https://bugzilla.redhat.com/show_bug.cgi?id=2295761 -Patch247: httpd-2.4.37-CVE-2024-39884+.patch +Patch247: httpd-2.4.37-CVE-2024-39884+.patch # Add by Anolis Patch1000: 1000-httpd-anolis-rebrand.patch @@ -285,38 +287,38 @@ Patch1001: 1001-httpd-anolis-support-loongarch64.patch Patch2000: httpd-2.4.37-sw.patch # End -License: ASL 2.0 -Group: System Environment/Daemons -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root -BuildRequires: autoconf, perl-interpreter, perl-generators, pkgconfig, findutils, xmlto -BuildRequires: zlib-devel, libselinux-devel, lua-devel, brotli-devel -BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0 -BuildRequires: systemd-devel +License: ASL 2.0 +Group: System Environment/Daemons +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root +BuildRequires: autoconf, perl-interpreter, perl-generators, pkgconfig, findutils, xmlto +BuildRequires: zlib-devel, libselinux-devel, lua-devel, brotli-devel +BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0 +BuildRequires: systemd-devel # web server testpage added to redhat-logos in 82.0 (rhbz1896319) # new logo requires new footer copyring which was added in rhbz1934800 -Requires: /etc/mime.types, system-logos-httpd -Obsoletes: httpd-suexec -Provides: webserver -Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release} -Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa} -Requires: httpd-tools = %{version}-%{release} -Requires: httpd-filesystem = %{version}-%{release} -Requires: mod_http2 >= 1.15.7-5 +Requires: /etc/mime.types, system-logos-httpd +Obsoletes: httpd-suexec +Provides: webserver +Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release} +Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa} +Requires: httpd-tools = %{version}-%{release} +Requires: httpd-filesystem = %{version}-%{release} +Requires: mod_http2 >= 1.15.7-5 Requires(pre): httpd-filesystem Requires(preun): systemd-units Requires(postun): systemd-units Requires(post): systemd-units -Conflicts: apr < 1.5.0-1 +Conflicts: apr < 1.5.0-1 %description The Apache HTTP Server is a powerful, efficient, and extensible web server. %package devel -Group: Development/Libraries -Summary: Development interfaces for the Apache HTTP server -Requires: apr-devel, apr-util-devel, pkgconfig -Requires: httpd = %{version}-%{release} +Group: Development/Libraries +Summary: Development interfaces for the Apache HTTP server +Requires: apr-devel, apr-util-devel, pkgconfig +Requires: httpd = %{version}-%{release} %description devel The httpd-devel package contains the APXS binary and other files @@ -328,11 +330,11 @@ able to compile or develop additional modules for Apache, you need to install this package. %package manual -Group: Documentation -Summary: Documentation for the Apache HTTP server -Requires: httpd = %{version}-%{release} -Obsoletes: secureweb-manual, apache-manual -BuildArch: noarch +Group: Documentation +Summary: Documentation for the Apache HTTP server +Requires: httpd = %{version}-%{release} +Obsoletes: secureweb-manual, apache-manual +BuildArch: noarch %description manual The httpd-manual package contains the complete manual and @@ -340,9 +342,9 @@ reference guide for the Apache HTTP server. The information can also be found at http://httpd.apache.org/docs/2.2/. %package filesystem -Group: System Environment/Daemons -Summary: The basic directory layout for the Apache HTTP server -BuildArch: noarch +Group: System Environment/Daemons +Summary: The basic directory layout for the Apache HTTP server +BuildArch: noarch Requires(pre): /usr/sbin/useradd %description filesystem @@ -351,24 +353,24 @@ for the Apache HTTP server including the correct permissions for the directories. %package tools -Group: System Environment/Daemons -Summary: Tools for use with the Apache HTTP Server +Group: System Environment/Daemons +Summary: Tools for use with the Apache HTTP Server %description tools The httpd-tools package contains tools which can be used with the Apache HTTP Server. %package -n mod_ssl -Group: System Environment/Daemons -Summary: SSL/TLS module for the Apache HTTP Server -Epoch: 1 -BuildRequires: openssl-devel +Group: System Environment/Daemons +Summary: SSL/TLS module for the Apache HTTP Server +Epoch: 1 +BuildRequires: openssl-devel Requires(pre): httpd-filesystem -Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} -Requires: sscg >= 3.0.0-7, /usr/bin/hostname -Obsoletes: stronghold-mod_ssl +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +Requires: sscg >= 3.0.0-7, /usr/bin/hostname +Obsoletes: stronghold-mod_ssl # Require an OpenSSL which supports PROFILE=SYSTEM -Conflicts: openssl-libs < 1:1.0.1h-4 +Conflicts: openssl-libs < 1:1.0.1h-4 %description -n mod_ssl The mod_ssl module provides strong cryptography for the Apache Web @@ -376,31 +378,31 @@ server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. %package -n mod_proxy_html -Group: System Environment/Daemons -Summary: HTML and XML content filters for the Apache HTTP Server -Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} -BuildRequires: libxml2-devel -Epoch: 1 -Obsoletes: mod_proxy_html < 1:2.4.1-2 +Group: System Environment/Daemons +Summary: HTML and XML content filters for the Apache HTTP Server +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +BuildRequires: libxml2-devel +Epoch: 1 +Obsoletes: mod_proxy_html < 1:2.4.1-2 %description -n mod_proxy_html The mod_proxy_html and mod_xml2enc modules provide filters which can transform and modify HTML and XML content. %package -n mod_ldap -Group: System Environment/Daemons -Summary: LDAP authentication modules for the Apache HTTP Server -Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} -Requires: apr-util-ldap +Group: System Environment/Daemons +Summary: LDAP authentication modules for the Apache HTTP Server +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +Requires: apr-util-ldap %description -n mod_ldap The mod_ldap and mod_authnz_ldap modules add support for LDAP authentication to the Apache HTTP Server. %package -n mod_session -Group: System Environment/Daemons -Summary: Session interface for the Apache HTTP Server -Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +Group: System Environment/Daemons +Summary: Session interface for the Apache HTTP Server +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} %description -n mod_session The mod_session module and associated backends provide an abstract @@ -526,6 +528,8 @@ interface for storing and accessing per-user session data. %patch2000 -p1 # End +%patch96 -p1 -b .r1922080 + # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h sed -i 's/@RELEASE@/%{release}/' server/core.c @@ -1030,14 +1034,17 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog -* Tue Aug 13 2024 zhangbinchen - 2.4.37-65.0.1.2 +* Thu Feb 20 2025 zhangbinchen - 2.4.37-65.0.1.3 - Rebrand for Anolis OS - Requires system-logos-httpd - Support loongarch64 platform(Liwei Ge) -- add patch for CVE-2023-27522(guo.chuang@zte.com.cn) cherry-pick `add sw patch #400077d851a81ce23aa39db271e26c3df254ae53`. (nijie@wxiat.com) cherry-pick `change sw patch #bdacf2efe00d8445328f798df8c5520728801e8c`. (nijie@wxiat.com) +* Wed Jan 29 2025 Luboš Uhliarik - 2.4.37-65.3 +- Resolves: RHEL-56068 - Apache HTTPD no longer parse PHP files with + unicode characters in the name + * Tue Aug 06 2024 Luboš Uhliarik - 2.4.37-65.2 - Resolves: RHEL-46040 - httpd:2.4/httpd: Security issues via backend applications whose response headers are malicious or exploitable (CVE-2024-38476)