diff --git a/CVE-2019-0196.patch b/CVE-2019-0196.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2b3220612dbecaa22590ebe4343effa01b54a36e
--- /dev/null
+++ b/CVE-2019-0196.patch
@@ -0,0 +1,28 @@
+From 0ab8232f93d1861a6d63ffcfc127c9fe7f701d78 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Tue, 5 Feb 2019 11:52:28 +0000
+Subject: [PATCH] Merge of r1852986 from trunk:
+
+mod_http2: disentangelment of stream and request method.
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1852989 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/http2/h2_request.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules/http2/h2_request.c b/modules/http2/h2_request.c
+index 8899c4f..5ee88e9 100644
+--- a/modules/http2/h2_request.c
++++ b/modules/http2/h2_request.c
+@@ -266,7 +266,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
+
+ /* Time to populate r with the data we have. */
+ r->request_time = req->request_time;
+- r->method = req->method;
++ r->method = apr_pstrdup(r->pool, req->method);
+ /* Provide quick information about the request method as soon as known */
+ r->method_number = ap_method_number_of(r->method);
+ if (r->method_number == M_GET && r->method[0] == 'H') {
+--
+1.8.3.1
+
diff --git a/CVE-2019-0197.patch b/CVE-2019-0197.patch
new file mode 100644
index 0000000000000000000000000000000000000000..226e70a0f8647d3c2955e437f84c540fddb7fca2
--- /dev/null
+++ b/CVE-2019-0197.patch
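Review bot: In CVE-2019-0196.patch, the new `r->method = apr_pstrdup(r->pool, req->method);` in h2_request_create_rec() carries no comment saying why the string is copied, and the subject line ("disentangelment of stream and request method") does not say it either. From the change itself, the intent appears to be that `r->method` must not keep pointing at storage owned by the `h2_request`, which may be released before the request record is done with it. I would add a comment above the assignment such as `/* copy into r->pool: req->method may not outlive r (CVE-2019-0196) */` so that a later cleanup does not turn it back into a plain pointer assignment. The function starts and ends outside this hunk.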
@@ -0,0 +1,120 @@
+From 610b78f35a5dd12f953aac23d867c890c92c46d1 Mon Sep 17 00:00:00 2001
+From: Jim Jagielski
+Date: Wed, 13 Mar 2019 12:30:20 +0000
+Subject: [PATCH] Merge r1852038, r1852101 from trunk:
+
+mod_http2: enable re-use of slave connections again.
+
+mod_http2: fixed slave connection keepalives counter.
+
+Submitted by: icing
+Reviewed by: icing, ylavic, jim
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1855406 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/http2/h2_conn.c | 14 +++++++++-----
+ modules/http2/h2_mplx.c | 8 +++++++-
+ modules/http2/h2_task.c | 3 +--
+ 3 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/modules/http2/h2_conn.c b/modules/http2/h2_conn.c
+index f7f81be..dc2081e 100644
+--- a/modules/http2/h2_conn.c
++++ b/modules/http2/h2_conn.c
+@@ -305,6 +305,10 @@ conn_rec *h2_slave_create(conn_rec *master, int slave_id, apr_pool_t *parent)
+ c->notes = apr_table_make(pool, 5);
+ c->input_filters = NULL;
+ c->output_filters = NULL;
++ c->keepalives = 0;
++#if AP_MODULE_MAGIC_AT_LEAST(20180903, 1)
++ c->filter_conn_ctx = NULL;
++#endif
+ c->bucket_alloc = apr_bucket_alloc_create(pool);
+ c->data_in_input_filters = 0;
+ c->data_in_output_filters = 0;
+@@ -332,16 +336,15 @@ conn_rec *h2_slave_create(conn_rec *master, int slave_id, apr_pool_t *parent)
+ ap_set_module_config(c->conn_config, mpm, cfg);
+ }
+
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+- "h2_stream(%ld-%d): created slave", master->id, slave_id);
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, c,
++ "h2_slave(%s): created", c->log_id);
+ return c;
+ }
+
+ void h2_slave_destroy(conn_rec *slave)
+ {
+- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, slave,
+- "h2_stream(%s): destroy slave",
+- apr_table_get(slave->notes, H2_TASK_ID_NOTE));
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE3, 0, slave,
++ "h2_slave(%s): destroy", slave->log_id);
+ slave->sbh = NULL;
+ apr_pool_destroy(slave->pool);
+ }
+@@ -365,6 +368,7 @@ apr_status_t h2_slave_run_pre_connection(conn_rec *slave, apr_socket_t *csd)
+ slave->keepalive = AP_CONN_CLOSE;
+ return ap_run_pre_connection(slave, csd);
+ }
++ ap_assert(slave->output_filters);
+ return APR_SUCCESS;
+ }
+
+diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
+index 05667ab..29f040c 100644
+--- a/modules/http2/h2_mplx.c
++++ b/modules/http2/h2_mplx.c
+@@ -327,7 +327,8 @@ static int stream_destroy_iter(void *ctx, void *val)
+ && !task->rst_error);
+ }
+
+- if (reuse_slave && slave->keepalive == AP_CONN_KEEPALIVE) {
++ task->c = NULL;
++ if (reuse_slave) {
+ h2_beam_log(task->output.beam, m->c, APLOG_DEBUG,
+ APLOGNO(03385) "h2_task_destroy, reuse slave");
+ h2_task_destroy(task);
+@@ -437,6 +438,8 @@ void h2_mplx_release_and_join(h2_mplx *m, apr_thread_cond_t *wait)
+ apr_status_t status;
+ int i, wait_secs = 60;
+
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c,
++ "h2_mplx(%ld): start release", m->id);
+ /* How to shut down a h2 connection:
+ * 0. abort and tell the workers that no more tasks will come from us */
+ m->aborted = 1;
+@@ -973,6 +976,9 @@ static apr_status_t unschedule_slow_tasks(h2_mplx *m)
+ */
+ n = (m->tasks_active - m->limit_active - (int)h2_ihash_count(m->sredo));
+ while (n > 0 && (stream = get_latest_repeatable_unsubmitted_stream(m))) {
++ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, m->c,
++ "h2_mplx(%s): unschedule, resetting task for redo later",
++ stream->task->id);
+ h2_task_rst(stream->task, H2_ERR_CANCEL);
+ h2_ihash_add(m->sredo, stream);
+ --n;
+diff --git a/modules/http2/h2_task.c b/modules/http2/h2_task.c
+index 86fb026..f4c875c 100644
+--- a/modules/http2/h2_task.c
++++ b/modules/http2/h2_task.c
+@@ -504,7 +504,7 @@ static int h2_task_pre_conn(conn_rec* c, void *arg)
+ (void)arg;
+ if (h2_ctx_is_task(ctx)) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+- "h2_h2, pre_connection, found stream task");
++ "h2_slave(%s), pre_connection, adding filters", c->log_id);
+ ap_add_input_filter("H2_SLAVE_IN", NULL, NULL, c);
+ ap_add_output_filter("H2_PARSE_H1", NULL, NULL, c);
+ ap_add_output_filter("H2_SLAVE_OUT", NULL, NULL, c);
+@@ -545,7 +545,6 @@ h2_task *h2_task_create(conn_rec *slave, int stream_id,
+ void h2_task_destroy(h2_task *task)
+ {
+ if (task->output.beam) {
+- h2_beam_log(task->output.beam, task->c, APLOG_TRACE2, "task_destroy");
+ h2_beam_destroy(task->output.beam);
+ task->output.beam = NULL;
+ }
+--
+1.8.3.1
+
diff --git a/CVE-2019-10092-1.patch b/CVE-2019-10092-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..44e3bfd98d2462cb47eb55f1219e9986619fd787
--- /dev/null
+++ b/CVE-2019-10092-1.patch
@@ -0,0 +1,211 @@
+From d656b2c1f4a152c5050f4a154461c4f4dbf3952b Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Fri, 2 Aug 2019 09:10:06 +0000
+Subject: [PATCH 1/2] Merge of r1864191 from trunk:
+
+ *) core, proxy: remove request URL and headers from error docs (CVE-2019-10092)
+ [Eric Covener]
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864207 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/http/http_protocol.c | 86 +++++++++++++------------------------------
+ modules/proxy/mod_proxy.c | 7 ++--
+ modules/proxy/mod_proxy_ftp.c | 5 ++-
+ modules/proxy/proxy_util.c | 5 +--
+ 4 files changed, 34 insertions(+), 69 deletions(-)
+
+diff --git a/modules/http/http_protocol.c b/modules/http/http_protocol.c
+index 8543fd1..b85e2f7 100644
+--- a/modules/http/http_protocol.c
++++ b/modules/http/http_protocol.c
+@@ -1133,13 +1133,10 @@ static const char *get_canned_error_string(int status,
+ "\">here.
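Review bot: In CVE-2019-0197.patch, the `ap_assert(slave->output_filters);` added to h2_slave_run_pre_connection() (h2_conn.c) turns a missing filter chain on a reused slave connection into a process abort, if ap_assert behaves here as it does elsewhere in httpd (it is not compiled out in release builds). On a server handling untrusted HTTP/2 traffic, any state that trips it would take down every connection served by that child rather than one stream. Consider failing only this slave, e.g. `if (!slave->output_filters) return APR_EGENERAL;` with a log line, provided the callers check the returned status, which is not visible here. The function begins outside the hunk.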

\n", + NULL)); + case HTTP_USE_PROXY: +- return(apr_pstrcat(p, +- "

This resource is only accessible " +- "through the proxy\n", +- ap_escape_html(r->pool, location), +- "
\nYou will need to configure " +- "your client to use that proxy.

\n", +- NULL)); ++ return("

This resource is only accessible " ++ "through the proxy\n" ++ "
\nYou will need to configure " ++ "your client to use that proxy.

\n"); + case HTTP_PROXY_AUTHENTICATION_REQUIRED: + case HTTP_UNAUTHORIZED: + return("

This server could not verify that you\n" +@@ -1155,34 +1152,20 @@ static const char *get_canned_error_string(int status, + "error-notes", + "

\n")); + case HTTP_FORBIDDEN: +- s1 = apr_pstrcat(p, +- "

You don't have permission to access ", +- ap_escape_html(r->pool, r->uri), +- "\non this server.
\n", +- NULL); +- return(add_optional_notes(r, s1, "error-notes", "

\n")); ++ return(add_optional_notes(r, "

You don't have permission to access this resource.", "error-notes", "

\n")); + case HTTP_NOT_FOUND: +- return(apr_pstrcat(p, +- "

The requested URL ", +- ap_escape_html(r->pool, r->uri), +- " was not found on this server.

\n", +- NULL)); ++ return("

The requested URL was not found on this server.

\n"); + case HTTP_METHOD_NOT_ALLOWED: + return(apr_pstrcat(p, + "

The requested method ", + ap_escape_html(r->pool, r->method), +- " is not allowed for the URL ", +- ap_escape_html(r->pool, r->uri), +- ".

\n", ++ " is not allowed for this URL.

\n", + NULL)); + case HTTP_NOT_ACCEPTABLE: +- s1 = apr_pstrcat(p, +- "

An appropriate representation of the " +- "requested resource ", +- ap_escape_html(r->pool, r->uri), +- " could not be found on this server.

\n", +- NULL); +- return(add_optional_notes(r, s1, "variant-list", "")); ++ return(add_optional_notes(r, ++ "

An appropriate representation of the requested resource " ++ "could not be found on this server.

\n", ++ "variant-list", "")); + case HTTP_MULTIPLE_CHOICES: + return(add_optional_notes(r, "", "variant-list", "")); + case HTTP_LENGTH_REQUIRED: +@@ -1193,18 +1176,13 @@ static const char *get_canned_error_string(int status, + NULL); + return(add_optional_notes(r, s1, "error-notes", "

\n")); + case HTTP_PRECONDITION_FAILED: +- return(apr_pstrcat(p, +- "

The precondition on the request " +- "for the URL ", +- ap_escape_html(r->pool, r->uri), +- " evaluated to false.

\n", +- NULL)); ++ return("

The precondition on the request " ++ "for this URL evaluated to false.

\n"); + case HTTP_NOT_IMPLEMENTED: + s1 = apr_pstrcat(p, + "

", +- ap_escape_html(r->pool, r->method), " to ", +- ap_escape_html(r->pool, r->uri), +- " not supported.
\n", ++ ap_escape_html(r->pool, r->method), " ", ++ " not supported for current URL.
\n", + NULL); + return(add_optional_notes(r, s1, "error-notes", "

\n")); + case HTTP_BAD_GATEWAY: +@@ -1212,29 +1190,19 @@ static const char *get_canned_error_string(int status, + "response from an upstream server.
" CRLF; + return(add_optional_notes(r, s1, "error-notes", "

\n")); + case HTTP_VARIANT_ALSO_VARIES: +- return(apr_pstrcat(p, +- "

A variant for the requested " +- "resource\n

\n",
+-                           ap_escape_html(r->pool, r->uri),
+-                           "\n
\nis itself a negotiable resource. " +- "This indicates a configuration error.

\n", +- NULL)); ++ return("

A variant for the requested " ++ "resource\n

\n"
++               "\n
\nis itself a negotiable resource. " ++ "This indicates a configuration error.

\n"); + case HTTP_REQUEST_TIME_OUT: + return("

Server timeout waiting for the HTTP request from the client.

\n"); + case HTTP_GONE: +- return(apr_pstrcat(p, +- "

The requested resource
", +- ap_escape_html(r->pool, r->uri), +- "
\nis no longer available on this server " +- "and there is no forwarding address.\n" +- "Please remove all references to this " +- "resource.

\n", +- NULL)); ++ return("

The requested resource is no longer available on this server" ++ " and there is no forwarding address.\n" ++ "Please remove all references to this resource.

\n"); + case HTTP_REQUEST_ENTITY_TOO_LARGE: + return(apr_pstrcat(p, +- "The requested resource
", +- ap_escape_html(r->pool, r->uri), "
\n", +- "does not allow request data with ", ++ "The requested resource does not allow request data with ", + ap_escape_html(r->pool, r->method), + " requests, or the amount of data provided in\n" + "the request exceeds the capacity limit.\n", +@@ -1318,11 +1286,9 @@ static const char *get_canned_error_string(int status, + "the Server Name Indication (SNI) in use for this\n" + "connection.

\n"); + case HTTP_UNAVAILABLE_FOR_LEGAL_REASONS: +- s1 = apr_pstrcat(p, +- "

Access to ", ap_escape_html(r->pool, r->uri), +- "\nhas been denied for legal reasons.
\n", +- NULL); +- return(add_optional_notes(r, s1, "error-notes", "

\n")); ++ return(add_optional_notes(r, ++ "

Access to this URL has been denied for legal reasons.
\n", ++ "error-notes", "

\n")); + default: /* HTTP_INTERNAL_SERVER_ERROR */ + /* + * This comparison to expose error-notes could be modified to +diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c +index 9e5de3d..af56af9 100644 +--- a/modules/proxy/mod_proxy.c ++++ b/modules/proxy/mod_proxy.c +@@ -1055,9 +1055,10 @@ static int proxy_handler(request_rec *r) + char *end; + maxfwd = apr_strtoi64(str, &end, 10); + if (maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) { +- return ap_proxyerror(r, HTTP_BAD_REQUEST, +- apr_psprintf(r->pool, +- "Max-Forwards value '%s' could not be parsed", str)); ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() ++ "Max-Forwards value '%s' could not be parsed", str); ++ return ap_proxyerror(r, HTTP_BAD_REQUEST, ++ "Max-Forwards request header could not be parsed"); + } + else if (maxfwd == 0) { + switch (r->method_number) { +diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c +index 4a10987..8f6f853 100644 +--- a/modules/proxy/mod_proxy_ftp.c ++++ b/modules/proxy/mod_proxy_ftp.c +@@ -1024,8 +1024,9 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker, + /* We break the URL into host, port, path-search */ + if (r->parsed_uri.hostname == NULL) { + if (APR_SUCCESS != apr_uri_parse(p, url, &uri)) { +- return ap_proxyerror(r, HTTP_BAD_REQUEST, +- apr_psprintf(p, "URI cannot be parsed: %s", url)); ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO() ++ "URI cannot be parsed: %s", url); ++ return ap_proxyerror(r, HTTP_BAD_REQUEST, "URI cannot be parsed"); + } + connectname = uri.hostname; + connectport = uri.port; +diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c +index 8cc9673..f6aef84 100644 +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -364,12 +364,9 @@ PROXY_DECLARE(char *) + + PROXY_DECLARE(int) ap_proxyerror(request_rec *r, int statuscode, const char *message) + { +- const char *uri = ap_escape_html(r->pool, r->uri); + apr_table_setn(r->notes, 
"error-notes", + apr_pstrcat(r->pool, +- "The proxy server could not handle the request ", ap_escape_html(r->pool, r->method), " ", uri, +- ".

\n" ++ "The proxy server could not handle the request

" + "Reason: ", ap_escape_html(r->pool, message), + "

",
+ NULL));
+--
+1.8.3.1
+
diff --git a/CVE-2019-10092-2.patch b/CVE-2019-10092-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2dca5a8b08eb088dca819c714a82bb1f4fa4ebc4
--- /dev/null
+++ b/CVE-2019-10092-2.patch
@@ -0,0 +1,42 @@
+From b66f9e4fdae9a75955a478da83a5637afaa6cf38 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Thu, 8 Aug 2019 13:09:10 +0000
+Subject: [PATCH 2/2] Merge r1864699 from trunk:
+
+lognos
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864702 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/proxy/mod_proxy.c | 2 +-
+ modules/proxy/mod_proxy_ftp.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index af56af9..eee6a0f 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -1055,7 +1055,7 @@ static int proxy_handler(request_rec *r)
+ char *end;
+ maxfwd = apr_strtoi64(str, &end, 10);
+ if (maxfwd < 0 || maxfwd == APR_INT64_MAX || *end) {
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO()
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10188)
+ "Max-Forwards value '%s' could not be parsed", str);
+ return ap_proxyerror(r, HTTP_BAD_REQUEST,
+ "Max-Forwards request header could not be parsed");
+diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
+index 8f6f853..1557301 100644
+--- a/modules/proxy/mod_proxy_ftp.c
++++ b/modules/proxy/mod_proxy_ftp.c
+@@ -1024,7 +1024,7 @@ static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
+ /* We break the URL into host, port, path-search */
+ if (r->parsed_uri.hostname == NULL) {
+ if (APR_SUCCESS != apr_uri_parse(p, url, &uri)) {
+- ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO()
++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(10189)
+ "URI cannot be parsed: %s", url);
+ return ap_proxyerror(r, HTTP_BAD_REQUEST, "URI cannot be parsed");
+ }
+--
+1.8.3.1
+
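Review bot: In CVE-2019-10092-1.patch, ap_proxyerror() in proxy_util.c still writes its `message` argument (HTML-escaped) into the `error-notes` entry, and only the two callers touched here, in mod_proxy.c and mod_proxy_ftp.c, now pass constant text. Any other caller that formats request-derived data into `message` would continue to reflect it in the error document, so the remaining call sites, which are outside this patch, should be checked the same way. The two new `ap_log_rerror` calls are added with an empty `APLOGNO()`; the numbers only arrive in CVE-2019-10092-2.patch, so the two patches have to be applied together and in that order. A small leftover in http_protocol.c: the HTTP_NOT_IMPLEMENTED text now joins `" "` and `" not supported for current URL."`, which prints two spaces after the method; dropping the `" ",` argument fixes it.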
diff --git a/CVE-2019-10097.patch b/CVE-2019-10097.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f0a976561cbd7bb7079990b283a1b21d33cfae08
--- /dev/null
+++ b/CVE-2019-10097.patch
@@ -0,0 +1,87 @@
+From 1c598076631973877437a91fcb37753bd93112eb Mon Sep 17 00:00:00 2001
+From: Jim Jagielski
+Date: Wed, 7 Aug 2019 11:14:58 +0000
+Subject: [PATCH] Merge r1864526 from trunk:
+
+* modules/metadata/mod_remoteip.c (remoteip_process_v2_header,
+ remoteip_input_filter): Add sanity checks.
+
+Submitted by: jorton, Daniel McCarney
+
+Submitted by: jorton
+Reviewed by: jorton, covener, jim
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864613 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/metadata/mod_remoteip.c | 36 +++++++++++++++++++++++++++---------
+ 1 file changed, 27 insertions(+), 9 deletions(-)
+
+diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c
+index 4572ce1..a0cbc0f 100644
+--- a/modules/metadata/mod_remoteip.c
++++ b/modules/metadata/mod_remoteip.c
+@@ -987,15 +987,13 @@ static remoteip_parse_status_t remoteip_process_v2_header(conn_rec *c,
+ return HDR_ERROR;
+ #endif
+ default:
+- /* unsupported protocol, keep local connection address */
+- return HDR_DONE;
++ /* unsupported protocol */
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(10183)
++ "RemoteIPProxyProtocol: unsupported protocol %.2hx",
++ (unsigned short)hdr->v2.fam);
++ return HDR_ERROR;
+ }
+ break; /* we got a sockaddr now */
+-
+- case 0x00: /* LOCAL command */
+- /* keep local connection address for LOCAL */
+- return HDR_DONE;
+-
+ default:
+ /* not a supported command */
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03507)
+@@ -1087,11 +1085,24 @@ static apr_status_t remoteip_input_filter(ap_filter_t *f,
+ /* try to read a header's worth of data */
+ while (!ctx->done) {
+ if (APR_BRIGADE_EMPTY(ctx->bb)) {
+- ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block,
+- ctx->need - ctx->rcvd);
++ apr_off_t got, want = ctx->need - ctx->rcvd;
++
++ ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, want);
+ if (ret != APR_SUCCESS) {
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10184)
++ "failed reading input");
+ return ret;
+ }
++
++ ret = apr_brigade_length(ctx->bb, 1, &got);
++ if (ret || got > want) {
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10185)
++ "RemoteIPProxyProtocol header too long, "
++ "got %" APR_OFF_T_FMT " expected %" APR_OFF_T_FMT,
++ got, want);
++ f->c->aborted = 1;
++ return APR_ECONNABORTED;
++ }
+ }
+ if (APR_BRIGADE_EMPTY(ctx->bb)) {
+ return block == APR_NONBLOCK_READ ? APR_SUCCESS : APR_EOF;
+@@ -1139,6 +1150,13 @@ static apr_status_t remoteip_input_filter(ap_filter_t *f,
+ if (ctx->rcvd >= MIN_V2_HDR_LEN) {
+ ctx->need = MIN_V2_HDR_LEN +
+ remoteip_get_v2_len((proxy_header *) ctx->header);
++ if (ctx->need > sizeof(proxy_v2)) {
++ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(10186)
++ "RemoteIPProxyProtocol protocol header length too long");
++ f->c->aborted = 1;
++ apr_brigade_destroy(ctx->bb);
++ return APR_ECONNABORTED;
++ }
+ }
+ if (ctx->rcvd >= ctx->need) {
+ psts = remoteip_process_v2_header(f->c, conn_conf,
+--
+1.8.3.1
+
diff --git a/CVE-2019-10098.patch b/CVE-2019-10098.patch
new file mode 100644
index 0000000000000000000000000000000000000000..874cf9df792600cb9ac9293d02cd9a5a64fe7687
--- /dev/null
+++ b/CVE-2019-10098.patch
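Review bot: In CVE-2019-10097.patch, the new length check in remoteip_input_filter() folds two different failures into `if (ret || got > want)` and logs both as "header too long" while printing `got`, which is declared uninitialised in `apr_off_t got, want = ctx->need - ctx->rcvd;`. If apr_brigade_length() can return an error without storing a length, the log line reports an indeterminate value; `apr_off_t got = 0, want = ctx->need - ctx->rcvd;` and a separate message for the `ret` case would avoid that. This path also returns APR_ECONNABORTED without `apr_brigade_destroy(ctx->bb);`, whereas the `ctx->need > sizeof(proxy_v2)` path added further down does destroy the brigade; the two abort paths should clean up the same way. Separately, removing the `case 0x00: /* LOCAL command */` branch sends PROXY v2 LOCAL headers to the `default:` branch marked `/* not a supported command */`, which logs at APLOG_ERR, so front ends that send LOCAL (for example for health checks) would presumably have their connections rejected. Both functions extend beyond the hunks shown.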
@@ -0,0 +1,29 @@
+From 950e6da61ffb4a2a616fe4d99550ba664bdeaf17 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Fri, 2 Aug 2019 09:24:58 +0000
+Subject: [PATCH] Merge of r1864192 from trunk:
+
+ *) core, rewrite: Set PCRE_DOTALL by default
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864213 13f79535-47bb-0310-9956-ffa450edef68
+---
+ server/util_pcre.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/server/util_pcre.c b/server/util_pcre.c
+index f2cb1bb..35831f5 100644
+--- a/server/util_pcre.c
++++ b/server/util_pcre.c
+@@ -120,7 +120,8 @@ AP_DECLARE(void) ap_regfree(ap_regex_t *preg)
+ * Compile a regular expression *
+ *************************************************/
+
+-static int default_cflags = AP_REG_DOLLAR_ENDONLY;
++static int default_cflags = AP_REG_DOTALL |
++ AP_REG_DOLLAR_ENDONLY;
+
+ AP_DECLARE(int) ap_regcomp_get_default_cflags(void)
+ {
+--
+1.8.3.1
+
diff --git a/httpd.spec b/httpd.spec
index 19eecd51c42422e4c730df61a51eb84c41b50698..26da9b630fe81d8faf26178da67421b2e0132cd9 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -8,7 +8,7 @@
 Name: httpd
 Summary: Apache HTTP Server
 Version: 2.4.34
-Release: 15
+Release: 16
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -98,6 +98,12 @@ Patch6023: CVE-2019-0220-1.patch
 Patch6024: CVE-2019-0220-2.patch
 Patch6025: CVE-2019-0220-3.patch
 Patch6026: CVE-2018-17199.patch
+Patch6027: CVE-2019-10092-1.patch
+Patch6028: CVE-2019-10092-2.patch
+Patch6029: CVE-2019-10098.patch
+Patch6030: CVE-2019-0196.patch
+Patch6031: CVE-2019-0197.patch
+Patch6032: CVE-2019-10097.patch
 Patch9000: layout_add_openEuler.patch
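Review bot: In CVE-2019-10098.patch, `default_cflags` in server/util_pcre.c gains `AP_REG_DOTALL` with no comment explaining why, although this changes matching for every pattern compiled with the default flags: `.` will now also match a newline. A short comment above the definition, e.g. `/* DOTALL by default so '.' also matches newline characters in the subject (CVE-2019-10098) */`, would record the security reason. Existing configurations whose patterns relied on `.` stopping at a newline will behave differently after this update, which is worth stating in the changelog entry rather than only listing the CVE id.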
@@ -536,6 +542,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Wed Apr 15 2020 chenzhen - 2.4.34-16
+- Type:cves
+- ID:CVE-2019-10092 CVE-2019-10097 CVE-2019-10098 CVE-2019-0196 CVE-2019-0197
+- SUG:NA
+- DESC:fix CVE-2019-10092 CVE-2019-10097 CVE-2019-10098 CVE-2019-0196 CVE-2019-0197
+
 * Mon Feb 03 2020 yanzhihua - 2.4.34-15
 - Type:cves
 - ID:CVE-2018-17199