diff --git a/backport-CVE-2025-58098.patch b/backport-CVE-2025-58098.patch new file mode 100644 index 0000000000000000000000000000000000000000..7921c7846f2bee0961586da9c6168bad741e67fe --- /dev/null +++ b/backport-CVE-2025-58098.patch @@ -0,0 +1,35 @@ +From ecc1b8f3817e3dcab9c1f24f905752d3c0a279af Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 1 Dec 2025 12:00:14 +0000 +Subject: [PATCH] don't pass args for SSI request + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930161 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/generators/mod_cgid.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c +index b27dd802d80..94ad7ee8733 100644 +--- a/modules/generators/mod_cgid.c ++++ b/modules/generators/mod_cgid.c +@@ -239,7 +239,7 @@ static char **create_argv(apr_pool_t *p, char *path, char *user, char *group, + char *w; + int idx = 0; + +- if (!(*args) || ap_strchr_c(args, '=')) { ++ if (!args || !(*args) || ap_strchr_c(args, '=')) { + numwords = 0; + } + else { +@@ -932,7 +932,10 @@ static int cgid_server(void *data) + apr_pool_userdata_set(r, ERRFN_USERDATA_KEY, apr_pool_cleanup_null, ptrans); + } + +- argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args); ++ /* Do not pass args in case of SSI requests */ ++ argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, ++ argv0, ++ cgid_req.req_type == SSI_REQ ? NULL : r->args); + + /* We want to close sd2 for the new CGI process too. + * If it is left open it'll make ap_pass_brigade() block diff --git a/backport-CVE-2025-65082.patch b/backport-CVE-2025-65082.patch new file mode 100644 index 0000000000000000000000000000000000000000..0d97f5101ce34e99419576a9c5871b7c68c35b4d --- /dev/null +++ b/backport-CVE-2025-65082.patch @@ -0,0 +1,63 @@ +From e4f00c5eb71d8a7aa1f52b5279832986f669d463 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 1 Dec 2025 12:03:12 +0000 +Subject: [PATCH] envvars from HTTP headers low precedence + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930163 13f79535-47bb-0310-9956-ffa450edef68 +--- + server/util_script.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/server/util_script.c b/server/util_script.c +index 72175e75824..6a18aec8c90 100644 +--- a/server/util_script.c ++++ b/server/util_script.c +@@ -126,6 +126,8 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t) + } + } + for (i = 0; i < env_arr->nelts; ++i) { ++ int changed = 0; ++ + if (!elts[i].key) { + continue; + } +@@ -133,18 +135,36 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t) + whack = env[j]; + if (apr_isdigit(*whack)) { + *whack++ = '_'; ++ changed = 1; + } + while (*whack != '=') { + #ifdef WIN32 +- if (!apr_isalnum(*whack) && *whack != '(' && *whack != ')') { ++ if (!apr_isalnum(*whack) && *whack != '_' && *whack != '(' && *whack != ')') { + #else +- if (!apr_isalnum(*whack)) { ++ if (!apr_isalnum(*whack) && *whack != '_') { + #endif + *whack = '_'; ++ changed = 1; + } + ++whack; + } +- ++j; ++ if (changed) { ++ *whack = '\0'; ++ /* ++ * If after cleaning up the key the key is identical to an existing key ++ * in the table drop this environment variable. This also prevents ++ * to override CGI reserved environment variables with variables whose ++ * names have an invalid character instead of '_', but are otherwise ++ * equal to the names CGI reserved environment variables. ++ */ ++ if (!apr_table_get(t, env[j])) { ++ ++j; ++ *whack = '='; ++ } ++ } ++ else { ++ ++j; ++ } + } + + env[j] = NULL; diff --git a/backport-CVE-2025-66200.patch b/backport-CVE-2025-66200.patch new file mode 100644 index 0000000000000000000000000000000000000000..7d64851a57a50bb2202bde8b647a91315144a01d --- /dev/null +++ b/backport-CVE-2025-66200.patch @@ -0,0 +1,57 @@ +From 9d26b95787b229a3f6195d7beead774d131eeda1 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 1 Dec 2025 12:04:29 +0000 +Subject: [PATCH] don't use request notes for suexec + +also, stop accepting the obscure "note" option in +RequestHeader, it is only documented/described as being +meant for Header (output filter). + + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1930164 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/mappers/mod_userdir.c | 4 ++-- + modules/metadata/mod_headers.c | 6 +++++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/modules/mappers/mod_userdir.c b/modules/mappers/mod_userdir.c +index b8b9e92d3e7..cae15bef876 100644 +--- a/modules/mappers/mod_userdir.c ++++ b/modules/mappers/mod_userdir.c +@@ -343,7 +343,7 @@ static int translate_userdir(request_rec *r) + r->finfo = statbuf; + + /* For use in the get_suexec_identity phase */ +- apr_table_setn(r->notes, "mod_userdir_user", user); ++ ap_set_module_config(r->request_config, &userdir_module, (void *)user); + + return OK; + } +@@ -359,7 +359,7 @@ static ap_unix_identity_t *get_suexec_id_doer(const request_rec *r) + { + ap_unix_identity_t *ugid = NULL; + #if APR_HAS_USER +- const char *username = apr_table_get(r->notes, "mod_userdir_user"); ++ const char *username = (const char*) ap_get_module_config(r->request_config, &userdir_module); + + if (username == NULL) { + return NULL; +diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c +index bd499955292..7662dfcde55 100644 +--- a/modules/metadata/mod_headers.c ++++ b/modules/metadata/mod_headers.c +@@ -455,8 +455,12 @@ static APR_INLINE const char *header_inout_cmd(cmd_parms *cmd, + new->action = hdr_edit; + else if (!strcasecmp(action, "edit*")) + new->action = hdr_edit_r; +- else if (!strcasecmp(action, "note")) ++ else if (!strcasecmp(action, "note")) { ++ if (cmd->info == &hdr_in) { ++ return "RequestHeader does not support the 'note' action"; ++ } + new->action = hdr_note; ++ } + else + return "first argument must be 'add', 'set', 'setifempty', 'append', 'merge', " + "'unset', 'echo', 'note', 'edit', or 'edit*'."; diff --git a/httpd.spec b/httpd.spec index 58144f66a1cf15533626412023e569e0d124ddc2..574ef2734819bf182258ae76f1d93ba4d5b1dc8b 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.51 -Release: 26 +Release: 27 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -143,6 +143,9 @@ patch89: backport-CVE-2024-47252.patch Patch90: backport-CVE-2024-43204.patch Patch91: backport-CVE-2024-42516.patch Patch92: backport-mod_proxy-SetEnv-proxy-nohalfclose-to-disable-half-close-tunneling.patch +Patch93: backport-CVE-2025-58098.patch +Patch94: backport-CVE-2025-66200.patch +Patch95: backport-CVE-2025-65082.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -579,6 +582,12 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Dec 10 2025 Hongyu Pu - 2.4.51-27 +- Type:CVE +- ID:CVE-2025-58098,CVE-2025-66200,CVE-2025-65082 +- SUG:NA +- DSEC:fix some CVEs + * Wed Dec 3 2025 zhaoyonghao - 2.4.51-26 - Type:bugfix - CVE: