diff --git a/backport-CVE-2006-20001.patch b/backport-CVE-2006-20001.patch
new file mode 100644
index 0000000000000000000000000000000000000000..16825cad88c8a695457ef1fc0027d2cc6228bc39
--- /dev/null
+++ b/backport-CVE-2006-20001.patch
@@ -0,0 +1,35 @@
+From b00b92bb9d1497414abf6ca1b679bcc8ad32a443 Mon Sep 17 00:00:00 2001
+From: notroj
+Date: Mon, 9 Jan 2023 08:07:58 PM GMT+0800
+Subject: [PATCH] modules/dav/main/util(dav_process_if_header):Fix error
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/b00b92bb9d1497414abf6ca1b679bcc8ad32a443
+
+---
+ modules/dav/main/util.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c
+index 9f24604..9860a35 100644
+--- a/modules/dav/main/util.c
++++ b/modules/dav/main/util.c
+@@ -746,8 +746,14 @@ static dav_error * dav_process_if_header(request_rec *r, dav_if_header **p_ih)
+ "for the same state.");
+ }
+ condition = DAV_IF_COND_NOT;
++ list += 2;
++ }
++ else {
++ return dav_new_error(r->pool, HTTP_BAD_REQUEST,
++ DAV_ERR_IF_UNK_CHAR, 0,
++ "Invaild \"If:\" header: "
++ "Unexpected character in List");
+ }
+- list += 2;
+ break;
+
+ case ' ':
+--
+2.27.0
+
diff --git a/backport-CVE-2022-36760.patch b/backport-CVE-2022-36760.patch
new file mode 100644
index 0000000000000000000000000000000000000000..46972983a0e62d70984b005f6a594dbbd0de02b1
--- /dev/null
+++ b/backport-CVE-2022-36760.patch
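Review bot: The error text added in the new `else` branch of `dav_process_if_header` is misspelled: `"Invaild \"If:\" header: "` should read `"Invalid \"If:\" header: "`. The string is passed to `dav_new_error()` with `HTTP_BAD_REQUEST`, so it is likely surfaced to the client and to logs, where the typo defeats a search for the message. It is worth comparing the spelling with the commit named in the `Reference:` line, since a backport should carry the upstream text unchanged. The `if` that this `else` pairs with starts above the hunk, so the character test guarding `list += 2` cannot be confirmed from these lines.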
@@ -0,0 +1,28 @@
+From 5efc9507c487c37dfe2a279a4a0335cad701cd5f Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Tue, 10 Jan 2023 09:19:03 PM GMT+0800
+Subject: [PATCH] mod_proxy_ajp:cleanup on error
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/5efc9507c487c37dfe2a279a4a0335cad701cd5f
+
+---
+ modules/proxy/mod_proxy_ajp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index 5d6132a..8c2259e 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -259,6 +259,8 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
+ "%s Transfer-Encoding is not supported",
+ tenc);
++ /* We had a failure : Close connection to backend */
++ conn->close = 1;
+ return HTTP_INTERNAL_SERVER_ERROR;
+ }
+ } else {
+--
+2.27.0
+
diff --git a/backport-CVE-2022-37436.patch b/backport-CVE-2022-37436.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4082662e688923332407b1fed5b0918b9d98a297
--- /dev/null
+++ b/backport-CVE-2022-37436.patch
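Review bot: The comment added above `conn->close = 1;` in `ap_proxy_ajp_request` says what the line does but not why it matters on this path. A wording such as `/* Unsupported Transfer-Encoding: mark the backend connection for close so it is not reused after this aborted request */` would record the reason, which is presumably the one behind the CVE named in the patch file. The function's other error returns lie outside the hunk, so whether each of them sets the flag as well cannot be checked from these lines.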
@@ -0,0 +1,127 @@
+From 2192bd4200083a0d20bf601c2fc9d635e7e4dbfc Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Tue, 10 Jan 2023 09:18:42 PM GMT+0800
+Subject: [PATCH] mod_proxy_http:fail on bad header
+
+Conflict:NA
+Reference:https://github.com/apache/httpd/commit/2192bd4200083a0d20bf601c2fc9d635e7e4dbfc
+
+---
+ modules/proxy/mod_proxy_http.c | 45 ++++++++++++++++++++--------------
+ server/protocol.c | 2 ++
+ 2 files changed, 28 insertions(+), 19 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index e2a6c7f..679ecdd 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -977,7 +977,7 @@ static void process_proxy_header(request_rec *r, proxy_dir_conf *c,
+ * any sense at all, since we depend on buffer still containing
+ * what was read by ap_getline() upon return.
+ */
+-static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
++static apr_status_t ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ char *buffer, int size,
+ conn_rec *c, int *pread_len)
+ {
+@@ -1009,19 +1009,25 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ rc = ap_proxygetline(tmp_bb, buffer, size, rr,
+ AP_GETLINE_FOLD | AP_GETLINE_NOSPC_EOL, &len);
+
+- if (len <= 0)
++ if (rc != APR_SUCCESS) {
++ if (APR_STATUS_IS_ENOSPC(rc)) {
++ int trunc = (len > 128 ? 128 : len) / 2;
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)
++ "header size is over the limit allowed by "
++ "ResponseFieldSize (%d bytes). "
++ "Bad response header: '%.*s[...]%s'",
++ size, trunc, buffer, buffer + len - trunc);
++ }
++ else {
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10404)
++ "Error reading headers from backend");
++ }
++ r->headers_out = NULL;
++ return rc;
++ }
++
++ if (len <= 0) {
+ break;
+-
+- if (APR_STATUS_IS_ENOSPC(rc)) {
+- /* The header could not fit in the provided buffer, warn.
+- * XXX: falls through with the truncated header, 5xx instead?
+- */
+- int trunc = (len > 128 ? 128 : len) / 2;
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, rc, r, APLOGNO(10124)
+- "header size is over the limit allowed by "
+- "ResponseFieldSize (%d bytes). "
+- "Bad response header: '%.*s[...]%s'",
+- size, trunc, buffer, buffer + len - trunc);
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r, "%s", buffer);
+@@ -1044,7 +1050,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ if (psc->badopt == bad_error) {
+ /* Nope, it wasn't even an extra HTTP header. Give up. */
+ r->headers_out = NULL;
+- return;
++ return APR_EINVAL;
+ }
+ else if (psc->badopt == bad_body) {
+ /* if we've already started loading headers_out, then
+@@ -1058,13 +1064,13 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ "in headers returned by %s (%s)",
+ r->uri, r->method);
+ *pread_len = len;
+- return;
++ return APR_SUCCESS;
+ }
+ else {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01099)
+ "No HTTP headers returned by %s (%s)",
+ r->uri, r->method);
+- return;
++ return APR_SUCCESS;
+ }
+ }
+ }
+@@ -1094,6 +1100,7 @@ static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
+ process_proxy_header(r, dconf, buffer, value);
+ saw_headers = 1;
+ }
++ return APR_SUCCESS;
+ }
+
+
+@@ -1359,10 +1366,10 @@ int ap_proxy_http_process_response(proxy_http_req_t *req)
+ "Set-Cookie", NULL);
+
+ /* shove the headers direct into r->headers_out */
+- ap_proxy_read_headers(r, backend->r, buffer, response_field_size,
+- origin, &pread_len);
++ rc = ap_proxy_read_headers(r, backend->r, buffer, response_field_size,
++ origin, &pread_len);
+
+- if (r->headers_out == NULL) {
++ if (rc != APR_SUCCESS || r->headers_out == NULL) {
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01106)
+ "bad HTTP/%d.%d header returned by %s (%s)",
+ major, minor, r->uri, r->method);
+diff --git a/server/protocol.c b/server/protocol.c
+index cf6ca19..f818e39 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -509,6 +509,8 @@ cleanup:
+ bytes_handled = strlen(*s);
+ if (bytes_handled < *read) {
+ *read = bytes_handled;
++ ap_log_data(APLOG_MARK, APLOG_DEBUG, ap_server_conf,
++ "NULL bytes in headers", *s, *read, 0);
+ if (rv == APR_SUCCESS) {
+ rv = APR_EINVAL;
+ }
+--
+2.27.0
+
diff --git a/httpd.spec b/httpd.spec
index 6610d8e421a120c5571fb78104046e86b1cf7b3c..14ecf3f15c1af96dedc06e3cf6241cdd51a75608 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.43
-Release: 19
+Release: 20
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -100,6 +100,9 @@ Patch46: backport-CVE-2022-30522.patch
 Patch47: backport-CVE-2022-28615.patch
 Patch48: backport-CVE-2022-31813.patch
 Patch49: backport-CVE-2022-28330.patch
+Patch50: backport-CVE-2006-20001.patch
+Patch51: backport-CVE-2022-36760.patch
+Patch52: backport-CVE-2022-37436.patch
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@@ -536,6 +539,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Thu Feb 2 2023 chengyechun - 2.4.43-20
+- Type:CVE
+- ID:CVE-2022-36760, CVE-2006-20001, CVE-2022-37436
+- SUG:restart
+- DESC:fix CVE-2022-36760,CVE-2006-20001,CVE-2022-37436
+
 * Wed Dec 21 2022 chengyechun - 2.4.43-19
 - Type:CVE
 - ID:NA
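Review bot: In the `server/protocol.c` part of backport-CVE-2022-37436.patch the new `ap_log_data()` call runs after `*read = bytes_handled;`, so the dump covers only the bytes before the first NUL and never shows the embedded byte or what followed it; placing the call above that assignment would make the debug record usable for triage. The message would read better as `"NUL byte in header line"`, since NULL names a pointer rather than a byte. The call writes raw header content to the debug log, which can include credential-bearing values if this line reader also serves client request headers (the function starts above the hunk), so that is worth confirming before debug logging is enabled in production. In `mod_proxy_http.c`, `ap_proxy_read_headers` now returns `apr_status_t` but the comment block above it is unchanged; a line stating that every non-success return leaves `r->headers_out` NULL would document the new contract.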