diff --git a/fix-CVE-2009-3555.patch b/fix-CVE-2009-3555.patch
new file mode 100644
index 0000000000000000000000000000000000000000..52e29e8ef1e6ab38f70c12642a55bb0692373dfe
--- /dev/null
+++ b/fix-CVE-2009-3555.patch
@@ -0,0 +1,88 @@
+From 702e7f7d1e004e03fc3392ab902c3642ced48255 Mon Sep 17 00:00:00 2001
+From: dufuhang
+Date: Tue, 14 May 2024 14:09:59 +0800
+Subject: [PATCH] Fail if SSLInsecureRenegotiation is used with mod_ssl,
+ CVE-2009-3555 is now approaching 15 years old.
+
+* modules/ssl/ssl_engine_config.c (ssl_cmd_SSLInsecureRenegotiation):
+ Fail if used.
+ (ssl_config_server_new, ssl_config_server_merge): Remove insecure
+ reneg handling.
+
+* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol): Remove
+ insecure_reneg handling.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1917600 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_config.c | 11 +----------
+ modules/ssl/ssl_engine_init.c | 5 -----
+ modules/ssl/ssl_private.h | 1 -
+ 3 files changed, 1 insertion(+), 16 deletions(-)
+
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 82ef221..7c92e7f 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -223,7 +223,6 @@ static SSLSrvConfigRec *ssl_config_server_new(apr_pool_t *p)
+ sc->vhost_id_len = 0; /* set during module init */
+ sc->session_cache_timeout = UNSET;
+ sc->cipher_server_pref = UNSET;
+- sc->insecure_reneg = UNSET;
+ #ifdef HAVE_TLSEXT
+ sc->strict_sni_vhost_check = SSL_ENABLED_UNSET;
+ #endif
+@@ -396,7 +395,6 @@ void *ssl_config_server_merge(apr_pool_t *p, void *basev, void *addv)
+ cfgMerge(enabled, SSL_ENABLED_UNSET);
+ cfgMergeInt(session_cache_timeout);
+ cfgMergeBool(cipher_server_pref);
+- cfgMergeBool(insecure_reneg);
+ #ifdef HAVE_TLSEXT
+ cfgMerge(strict_sni_vhost_check, SSL_ENABLED_UNSET);
+ #endif
+@@ -889,14 +887,7 @@ const char *ssl_cmd_SSLSessionTickets(cmd_parms *cmd, void *dcfg, int flag)
+
+ const char *ssl_cmd_SSLInsecureRenegotiation(cmd_parms *cmd, void *dcfg, int flag)
+ {
+-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+- sc->insecure_reneg = flag?TRUE:FALSE;
+- return NULL;
+-#else
+- return "The SSLInsecureRenegotiation directive is not available "
+- "with this SSL library";
+-#endif
++ return "The SSLInsecureRenegotiation directive is no longer supported";
+ }
+
+
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index e42672e..bbe77c5 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -827,11 +827,6 @@ static apr_status_t ssl_init_ctx_protocol(server_rec *s,
+ }
+ #endif
+
+-#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+- if (sc->insecure_reneg == TRUE) {
+- SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
+- }
+-#endif
+
+ SSL_CTX_set_app_data(ctx, s);
+
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index cd8df07..a7233a4 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -793,7 +793,6 @@ struct SSLSrvConfigRec {
+ int vhost_id_len;
+ int session_cache_timeout;
+ BOOL cipher_server_pref;
+- BOOL insecure_reneg;
+ modssl_ctx_t *server;
+ #ifdef HAVE_TLSEXT
+ ssl_enabled_t strict_sni_vhost_check;
+--
+2.27.0
+
diff --git a/httpd.spec b/httpd.spec
index e0592ba606941aac5a824bdcd46e5389298c2881..35ce9d3717848fb3c869db503be6b37636e52194 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.58
-Release: 3
+Release: 4
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
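Review bot: The rewritten `ssl_cmd_SSLInsecureRenegotiation` in the `@@ -889,14 +887,7 @@` hunk ignores `flag`, so a configuration carrying the safe setting `SSLInsecureRenegotiation off` now aborts startup exactly like `on` does; that matches the upstream intent, but neither the patch description nor the error string says so, and operators who merely disabled the directive will be surprised by a refused config. The returned message could tell them what to do: `return "The SSLInsecureRenegotiation directive is no longer supported; remove it from the configuration";`. Removing `insecure_reneg` from `struct SSLSrvConfigRec` in the ssl_private.h hunk shifts the offsets of every member after it, so any out-of-tree module compiled against the previous header and touching this struct would need a rebuild — presumably none ship with this package, but it deserves a sentence in the spec changelog. The `ssl_init_ctx_protocol` hunk only deletes the `SSL_CTX_set_options` call, so the resulting OpenSSL context never gets `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` regardless of library support, which is the desired state.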
@@ -77,7 +77,7 @@ Patch23: backport-CVE-2023-38709-header-validation-after-content.patch
 Patch24: backport-CVE-2024-27316-bail-after-too-many-failed-reads.patch
 Patch25: backport-remove-dependency-on-xmlstring-header.patch
 Patch26: backport-only-allocate-a-heap-heap-buffer.patch
-
+Patch27: backport-fix-CVE-2009-3555.patch
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
 BuildRequires: apr-devel >= 1.5.0 apr-util-devel >= 1.5.0 pcre2-devel
@@ -513,6 +513,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
+* Tue May 14 2024 dufuhang - 2.4.58-4
+- Type:CVE
+- ID:CVE-2009-3555
+- SUG:NA
+- DESC:Fail if SSLInsecureRenegotiation is used with mod_ssl
+
 * Wed May 22 2024 zhangyaqi - 2.4.58-3
 - Type:bugfix
 - ID:NA
diff --git a/modules-proxy-mod_proxy_fcgi.c-dispatch-Only-allocat.patch b/modules-proxy-mod_proxy_fcgi.c-dispatch-Only-allocat.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5892b898fcb585caa0d45623f31a5874fc97029b
--- /dev/null
+++ b/modules-proxy-mod_proxy_fcgi.c-dispatch-Only-allocat.patch
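Review bot: `Patch27: backport-fix-CVE-2009-3555.patch` names a file this commit does not add — the new file is `fix-CVE-2009-3555.patch` with no `backport-` prefix — so rpmbuild will stop at source lookup unless the file is renamed or the line becomes `Patch27: fix-CVE-2009-3555.patch`. The other new file, `modules-proxy-mod_proxy_fcgi.c-dispatch-Only-allocat.patch`, is referenced by no `PatchN:` line and is therefore never applied; if it duplicates the existing `Patch26: backport-only-allocate-a-heap-heap-buffer.patch` it should be dropped from the commit, otherwise it needs its own entry. Whether a `%patch27` or `%autosetup` step also has to change is not visible in this hunk. In the `%changelog` hunk the new 2.4.58-4 entry is dated `Tue May 14 2024`, earlier than the 2.4.58-3 entry dated `Wed May 22 2024` that follows it; rpmbuild warns about non-chronological changelog dates, so the entry should carry the real build date.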
@@ -0,0 +1,31 @@
+From 71f55c425e500c166cec4b6cb7bd83426c51534c Mon Sep 17 00:00:00 2001
+From: dufuhang
+Date: Fri, 17 May 2024 17:08:57 +0800
+Subject: [PATCH] modules/proxy/mod_proxy_fcgi.c (dispatch): Only allocate a
+ heap buffer if the configured size is greater than the stack-allocated
+ buffer.
+
+---
+ modules/proxy/mod_proxy_fcgi.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
+index d420df6..dacf3aa 100644
+--- a/modules/proxy/mod_proxy_fcgi.c
++++ b/modules/proxy/mod_proxy_fcgi.c
+@@ -569,7 +569,11 @@ static apr_status_t dispatch(proxy_conn_rec *conn, proxy_dir_conf *conf,
+ *err = NULL;
+ if (conn->worker->s->io_buffer_size_set) {
+ iobuf_size = conn->worker->s->io_buffer_size;
+- iobuf = apr_palloc(r->pool, iobuf_size);
++ /* Allocate a buffer if the configured size is larger than the
++ * stack buffer, otherwise use the stack buffer. */
++ if (iobuf_size > AP_IOBUFSIZE) {
++ iobuf = apr_palloc(r->pool, iobuf_size);
++ }
+ }
+
+ pfd.desc_type = APR_POLL_SOCKET;
+--
+2.27.0
+
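Review bot: The new branch `if (iobuf_size > AP_IOBUFSIZE)` only assigns `iobuf` for oversized configurations, so the smaller-size case now depends on `iobuf` already pointing at the stack buffer before this block; that declaration is outside the hunk (the enclosing `dispatch` starts earlier), so the backport should be checked against the patched file rather than assumed, because if `iobuf` started out NULL the change would turn a working small-buffer path into a null dereference. It would also help to state the resulting invariant in the added comment, e.g. extend it with `* iobuf_size stays at the smaller configured value; the stack buffer is AP_IOBUFSIZE bytes, so it is large enough.`. Unlike the CVE-2009-3555 patch on this page, the header carries no `git-svn-id` or upstream revision trailer, so the backport cannot be traced to the httpd commit it mirrors; please add the reference. The Subject line is written as a ChangeLog entry and the body is empty, so the why of the change is undocumented in the patch itself.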