diff --git a/backport-fix-overlong-scheme-check.patch b/backport-fix-overlong-scheme-check.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4812a0f08a00fc51c9cfa9f4ef70392c1862a2f8
--- /dev/null
+++ b/backport-fix-overlong-scheme-check.patch
@@ -0,0 +1,54 @@
+From 9f7d27daddf1c1df1f6f6b56c756c04fe51470b5 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic
+Date: Tue, 2 Mar 2021 20:50:40 +0000
+Subject: [PATCH] Merge r1886141, r1886151 from trunk:
+
+* We need to check for (!scheme && (u = strchr(url, ':')) && (u - url) > 14)
+ later as (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') is true
+ for requests with the CONNECT method which we need to decline. But in many
+ cases requests with the CONNECT method have (u - url) > 14 as in this
+ case (u - url) is the length of the FQDN the forward proxy should connect
+ to.
+
+
+mod_proxy_http: follow up to r1886141, axe overlong scheme check.
+
+Since mod_proxy can see CONNECT URIs, "hostname:port" versus "scheme:"
+is hardly distinguishable (we don't want to limit the length of hostnames),
+and we don't allocate the scheme anymore while parsing, let's simply decline
+unrecognized schemes (overlong or not) and be caught by the no-handler case
+if there really is no proxy handler interested.
+
+
+Submitted by: rpluem, ylavic
+Reviewed by: ylavic, covener, icing
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1887118 13f79535-47bb-0310-9956-ffa450edef68
+
+Conflict:httpd-2.4.43 don`t have should_send_brigade function
+Reference:https://github.com/apache/httpd/commit/9f7d27dad
+
+---
+ modules/proxy/mod_proxy_http.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
+index 14f94b1..ada5ae0 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -2120,11 +2120,6 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
+ is_ssl = 0;
+ }
+ if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') {
+- if (!scheme && (u = strchr(url, ':')) && (u - url) > 14) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10262)
+- "overlong proxy URL scheme in %s", url);
+- return HTTP_BAD_REQUEST;
+- }
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01113)
+ "HTTP: declining URL %s", url);
+ return DECLINED; /* only interested in HTTP, WS or FTP via proxy */
+--
+2.33.0
+
diff --git a/httpd.spec b/httpd.spec
index b2c84caebc7c85ee59904c9839b0a480415657f4..d1fdda1ead7ae21458000b8635906ec9df6f89b9 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.43
-Release: 24
+Release: 25
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
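Review bot: Dropping the `(u - url) > 14` guard in the `!scheme` branch is only safe if proxy_http_handler no longer copies the scheme into a fixed-size buffer, which the nested commit message asserts for trunk ("we don't allocate the scheme anymore while parsing") but the hunk cannot show, and proxy_http_handler begins and ends outside the hunk. The retained context line `if (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0')` suggests the preceding r1886141 refactor is already in this 2.4.43 patch stack, but since the Conflict note says the backport was hand-adjusted, it is worth confirming in the surrounding code that `scheme` is derived by comparison rather than by a bounded copy before relying on the length check being redundant. After this change an unknown or overlong scheme (including CONNECT `host:port` targets) is logged at APLOG_DEBUG and DECLINED instead of answered with HTTP_BAD_REQUEST, so any alerting keyed on APLOGNO(10262) will stop seeing those events. A one-line comment on the retained decline path, such as `/* unknown or overlong scheme, incl. CONNECT host:port: decline and let the no-handler case reject it */`, would record why the 400 was removed.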
@@ -115,6 +115,7 @@ Patch61: backport-Use-ap_os_is_path_absolute-to-make-it-portable.patch
 Patch62: backport-CVE-2024-24795-let-httpd-handle-CL-TE-for-non-http-handlers.patch
 Patch63: backport-CVE-2023-38709-header-validation-after-content.patch
 Patch64: backport-CVE-2024-27316-bail-after-too-many-failed-reads.patch
+Patch65: backport-fix-overlong-scheme-check.patch
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@@ -551,7 +552,13 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
-* Mon May 06 2024 chengyechun - 2.4.43-24
+* Sat Mar 01 2025 chengyechun - 2.4.43-25
+- Type:bugfix
+- ID:
+- SUG:NA
+- DESC:fix overlong scheme-check
+
+* Mon May 06 2024 chengyechun - 2.4.43-24
 - Type:CVE
 - ID:CVE-2024-24795,CVE-2023-38709,CVE-2024-27316
 - SUG:NA