update httpd to 2.4.51

2022-03-26 16:26:56 +08:00 · 2022-03-26 16:26:56 +08:00 · 84241df888
commit 84241df888
parent e51914c15c
34 changed files with 1089 additions and 669 deletions
--- a/backport-001-CVE-2021-39275.patch
+++ b/backport-001-CVE-2021-39275.patch
@ -1,23 +0,0 @@
 From d8bce6f575abb29997bba358b31842bf757776c6 Mon Sep 17 00:00:00 2001
 From: Eric Covener <covener@apache.org>
 Date: Wed, 4 Aug 2021 11:48:38 +0000
 Subject: [PATCH] fix ap_escape_quotes with pre-escaped quotes
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892012 13f79535-47bb-0310-9956-ffa450edef68
 ---
 server/util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/server/util.c b/server/util.c
 index 72aa54d31d1..2d7708ae851 100644
 --- a/server/util.c
 +++ b/server/util.c
@@ -2621,7 +2621,7 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
      * in front of every " that doesn't already have one.
      */
     while (*inchr != '\0') {
 -        if ((*inchr == '\\') && (inchr[1] != '\0')) {
 +        while ((*inchr == '\\') && (inchr[1] != '\0')) {
             *outchr++ = *inchr++;
             *outchr++ = *inchr++;
         }
--- a/backport-001-CVE-2021-40438.patch
+++ b/backport-001-CVE-2021-40438.patch
@ -1,55 +0,0 @@
 From 496c863776c68bd08cdbeb7d8fa5935ba63b76c2 Mon Sep 17 00:00:00 2001
 From: Yann Ylavic <ylavic@apache.org>
 Date: Fri, 3 Sep 2021 16:52:38 +0000
 Subject: [PATCH] Merge r1892814, r1892853 from trunk:
 mod_proxy: Faster unix socket path parsing in the "proxy:" URL.
 The actual r->filename format is "[proxy:]unix:path|url" for UDS, no need to
 strstr(,"unix:") since it's at the start of the string.
 mod_proxy: Follow up to r1892814.
 Save some few cycles in ap_proxy_de_socketfy() too.
 Submitted by: ylavic
 Reviewed by: ylavic, covener, rpluem
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1892874 13f79535-47bb-0310-9956-ffa450edef68
 ---
 modules/proxy/mod_proxy.c            | 2 +-
 modules/proxy/proxy_util.c           | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 changes-entries/fix_uds_filename.txt
 diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
 index 60634d344c7..354bb8f660f 100644
 --- a/modules/proxy/mod_proxy.c
 +++ b/modules/proxy/mod_proxy.c
@@ -1975,7 +1975,7 @@ PROXY_DECLARE(const char *) ap_proxy_de_socketfy(apr_pool_t *p, const char *url)
      * the UDS path... ignore it
      */
     if (!ap_cstr_casecmpn(url, "unix:", 5) &&
 -        ((ptr = ap_strchr_c(url, '|')) != NULL)) {
 +        ((ptr = ap_strchr_c(url + 5, '|')) != NULL)) {
         /* move past the 'unix:...|' UDS path info */
         const char *ret, *c;
 diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
 index 3c4ea72aba7..812c32f3584 100644
 --- a/modules/proxy/proxy_util.c
 +++ b/modules/proxy/proxy_util.c
@@ -2281,8 +2281,8 @@ static void fix_uds_filename(request_rec *r, char **url)
     if (!r || !r->filename) return;
     if (!strncmp(r->filename, "proxy:", 6) &&
 -            (ptr2 = ap_strcasestr(r->filename, "unix:")) &&
 -            (ptr = ap_strchr(ptr2, '|'))) {
 +            !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
 +            (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
         apr_uri_t urisock;
         apr_status_t rv;
         *ptr = '\0';
--- a/backport-002-CVE-2021-39275.patch
+++ b/backport-002-CVE-2021-39275.patch
@ -1,32 +0,0 @@
 From e0fec7d48dab1924c5a6b48819ce1cf420733f62 Mon Sep 17 00:00:00 2001
 From: Ruediger Pluem <rpluem@apache.org>
 Date: Wed, 18 Aug 2021 14:35:41 +0000
 Subject: [PATCH] * Follow the same logic that is used for calculating the
 length
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892418 13f79535-47bb-0310-9956-ffa450edef68
 ---
 server/util.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
 diff --git a/server/util.c b/server/util.c
 index e44e39afe3e..6bc5063bc39 100644
 --- a/server/util.c
 +++ b/server/util.c
@@ -2621,13 +2621,12 @@ AP_DECLARE(char *) ap_escape_quotes(apr_pool_t *p, const char *instring)
      * in front of every " that doesn't already have one.
      */
     while (*inchr != '\0') {
 -        while ((*inchr == '\\') && (inchr[1] != '\0')) {
 -            *outchr++ = *inchr++;
 -            *outchr++ = *inchr++;
 -        }
         if (*inchr == '"') {
             *outchr++ = '\\';
         }
 +        if ((*inchr == '\\') && (inchr[1] != '\0')) {
 +            *outchr++ = *inchr++;
 +        }
         if (*inchr != '\0') {
             *outchr++ = *inchr++;
         }
--- a/backport-002-CVE-2021-40438.patch
+++ b/backport-002-CVE-2021-40438.patch
@ -1,115 +0,0 @@
 From d4901cb32133bc0e59ad193a29d1665597080d67 Mon Sep 17 00:00:00 2001
 From: Ruediger Pluem <rpluem@apache.org>
 Date: Wed, 8 Sep 2021 07:00:09 +0000
 Subject: [PATCH] Merge r1892986, r1892987 from trunk:
 mod_proxy: Follow up to r1892814.
 * modules/proxy/proxy_util.c(fix_uds_filename):
  Sanity checks on the configured UDS path, fail with 500 if invalid since
  continuing through proxy processing wouldn't work as expected.
 mod_proxy: Follow up to r1892986: APLOGNO()
 Stefan get out of this body! :)
 Submitted by: ylavic
 Reviewed by: rpluem, ylavic, covener
 Github: closes #265
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893101 13f79535-47bb-0310-9956-ffa450edef68
 ---
 modules/proxy/proxy_util.c | 55 +++++++++++++++++++++++---------------
 1 files changed, 34 insertions(+), 21 deletions(-)
 --- a/modules/proxy/proxy_util.c
 +++ b/modules/proxy/proxy_util.c
@@ -2088,33 +2088,42 @@ static int ap_proxy_retry_worker(const c
  * were passed a UDS url (eg: from mod_proxy) and adjust uds_path
  * as required.  
  */
 -static void fix_uds_filename(request_rec *r, char **url) 
 +static int fix_uds_filename(request_rec *r, char **url) 
 {
 -    char *ptr, *ptr2;
 -    if (!r || !r->filename) return;
 +    char *uds_url = r->filename + 6, *origin_url;
     if (!strncmp(r->filename, "proxy:", 6) &&
 -            !ap_cstr_casecmpn(r->filename + 6, "unix:", 5) &&
 -            (ptr2 = r->filename + 6 + 5, ptr = ap_strchr(ptr2, '|'))) {
 +            !ap_cstr_casecmpn(uds_url, "unix:", 5) &&
 +            (origin_url = ap_strchr(uds_url + 5, '|'))) {
 +        char *uds_path = NULL;
 +        apr_size_t url_len;
         apr_uri_t urisock;
         apr_status_t rv;
 -        *ptr = '\0';
 -        rv = apr_uri_parse(r->pool, ptr2, &urisock);
 -        if (rv == APR_SUCCESS) {
 -            char *rurl = ptr+1;
 -            char *sockpath = ap_runtime_dir_relative(r->pool, urisock.path);
 -            apr_table_setn(r->notes, "uds_path", sockpath);
 -            *url = apr_pstrdup(r->pool, rurl); /* so we get the scheme for the uds */
 -            /* r->filename starts w/ "proxy:", so add after that */
 -            memmove(r->filename+6, rurl, strlen(rurl)+1);
 -            ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
 -                    "*: rewrite of url due to UDS(%s): %s (%s)",
 -                    sockpath, *url, r->filename);
 +
 +        *origin_url = '\0';
 +        rv = apr_uri_parse(r->pool, uds_url, &urisock);
 +        *origin_url++ = '|';
 +
 +        if (rv == APR_SUCCESS && urisock.path && !urisock.hostname) {
 +            uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
         }
 -        else {
 -            *ptr = '|';
 +        if (!uds_path) {
 +            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10292)
 +                    "Invalid proxy UDS filename (%s)", r->filename);
 +            return 0;
         }
 +        apr_table_setn(r->notes, "uds_path", uds_path);
 +
 +        /* Remove the UDS path from *url and r->filename */
 +        url_len = strlen(origin_url);
 +        *url = apr_pstrmemdup(r->pool, origin_url, url_len);
 +        memcpy(uds_url, *url, url_len + 1);
 +
 +        ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
 +                "*: rewrite of url due to UDS(%s): %s (%s)",
 +                uds_path, *url, r->filename);
     }
 +    return 1;
 }
 PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
@@ -2132,7 +2141,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
                           "%s: found worker %s for %s",
                           (*worker)->s->scheme, (*worker)->s->name, *url);
             *balancer = NULL;
 -            fix_uds_filename(r, url);
 +            if (!fix_uds_filename(r, url)) {
 +                return HTTP_INTERNAL_SERVER_ERROR;
 +            }
             access_status = OK;
         }
         else if (r->proxyreq == PROXYREQ_PROXY) {
@@ -2163,7 +2174,9 @@ PROXY_DECLARE(int) ap_proxy_pre_request(
                  * regarding the Connection header in the request.
                  */
                 apr_table_setn(r->subprocess_env, "proxy-nokeepalive", "1");
 -                fix_uds_filename(r, url);
 +                if (!fix_uds_filename(r, url)) {
 +                    return HTTP_INTERNAL_SERVER_ERROR;
 +                }
             }
         }
     }
--- a/backport-003-CVE-2021-40438.patch
+++ b/backport-003-CVE-2021-40438.patch
@ -1,30 +0,0 @@
 From 6e768a811c59ca6a0769b72681aaef381823339f Mon Sep 17 00:00:00 2001
 From: Stefan Eissing <icing@apache.org>
 Date: Thu, 23 Sep 2021 12:29:03 +0000
 Subject: [PATCH] Merge of r1893516 from trunk:
   *) mod_rewrite: Fix UDS ("unix:") scheme for [P] rules.  PR 57691 + 65590.
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893556 13f79535-47bb-0310-9956-ffa450edef68
 ---
 modules/mappers/mod_rewrite.c   | 7 +++++++
 1 files changed, 7 insertions(+)
 --- a/modules/mappers/mod_rewrite.c
 +++ b/modules/mappers/mod_rewrite.c
@@ -617,6 +617,13 @@ static unsigned is_absolute_uri(char *ur
             return 6;
         }
         break;
 +
 +    case 'u':
 +    case 'U':
 +        if (!ap_cstr_casecmpn(uri, "nix:", 4)) {        /* unix:     */
 +            *sqs = 1;
 +            return 5;
 +        }
     }
     return 0;
--- a/backport-004-CVE-2021-40438.patch
+++ b/backport-004-CVE-2021-40438.patch
@ -1,40 +0,0 @@
 From 81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c Mon Sep 17 00:00:00 2001
 From: Stefan Eissing <icing@apache.org>
 Date: Thu, 23 Sep 2021 12:31:53 +0000
 Subject: [PATCH] backport of 1893519,1893532 from trunk:
  *) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
     had no hostname ("unix:/..."), also in mod_rewrite's is_absolulte_uri().
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893559 13f79535-47bb-0310-9956-ffa450edef68
 ---
 modules/mappers/mod_rewrite.c          | 2 +-
 modules/proxy/proxy_util.c             | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
 create mode 100644 changes-entries/uds_empty_hostname.txt
 --- a/modules/mappers/mod_rewrite.c
 +++ b/modules/mappers/mod_rewrite.c
@@ -622,7 +622,7 @@ static unsigned is_absolute_uri(char *ur
     case 'U':
         if (!ap_cstr_casecmpn(uri, "nix:", 4)) {        /* unix:     */
             *sqs = 1;
 -            return 5;
 +            return (uri[4] == '/' && uri[5] == '/') ? 7 : 5;
         }
     }
 --- a/modules/proxy/proxy_util.c
 +++ b/modules/proxy/proxy_util.c
@@ -2217,7 +2217,8 @@ static int fix_uds_filename(request_rec
         rv = apr_uri_parse(r->pool, uds_url, &urisock);
         *origin_url++ = '|';
 -        if (rv == APR_SUCCESS && urisock.path && !urisock.hostname) {
 +        if (rv == APR_SUCCESS && urisock.path && (!urisock.hostname
 +                                                  || !urisock.hostname[0])) {
             uds_path = ap_runtime_dir_relative(r->pool, urisock.path);
         }
         if (!uds_path) {
--- a/backport-CVE-2021-34798.patch
+++ b/backport-CVE-2021-34798.patch
@ -1,33 +0,0 @@
 From fa7b2a5250e54363b3a6c8ac3aaa7de4e8da9b2e Mon Sep 17 00:00:00 2001
 From: Yann Ylavic <ylavic@apache.org>
 Date: Tue, 7 Sep 2021 16:05:31 +0000
 Subject: [PATCH] Merge r1878092 from trunk:
 Fix a NULL pointer dereference
 * server/scoreboard.c (ap_increment_counts): In certain cases like certain
  invalid requests r->method might be NULL here. r->method_number defaults
  to M_GET and hence is M_GET in these cases.
 Submitted by: rpluem
 Reviewed by: covener, ylavic, jfclere
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1893051 13f79535-47bb-0310-9956-ffa450edef68
 ---
 server/scoreboard.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/server/scoreboard.c b/server/scoreboard.c
 index b40b45df590..12dd56abead 100644
 --- a/server/scoreboard.c
 +++ b/server/scoreboard.c
@@ -388,7 +388,7 @@ AP_DECLARE(void) ap_increment_counts(ap_sb_handle_t *sb, request_rec *r)
     if (pfn_ap_logio_get_last_bytes != NULL) {
         bytes = pfn_ap_logio_get_last_bytes(r->connection);
     }
 -    else if (r->method_number == M_GET && r->method[0] == 'H') {
 +    else if (r->method_number == M_GET && r->method && r->method[0] == 'H') {
         bytes = 0;
     }
     else {
--- a/backport-CVE-2021-36160.patch
+++ b/backport-CVE-2021-36160.patch
@ -1,62 +0,0 @@
 From b364cad72b48dd40fbc2850e525b845406520f0b Mon Sep 17 00:00:00 2001
 From: Yann Ylavic <ylavic@apache.org>
 Date: Thu, 2 Sep 2021 09:53:43 +0000
 Subject: [PATCH] mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
 When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
 worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO
 directly from the given URL.
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892805 13f79535-47bb-0310-9956-ffa450edef68
 ---
 changes-entries/uwsgi_path_info.txt |  1 +
 modules/proxy/mod_proxy_uwsgi.c     | 22 +++++-----------------
 1 files changed, 5 insertions(+), 17 deletions(-)
 create mode 100644 changes-entries/uwsgi_path_info.txt
 diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
 index 7723d7b5c4f..971eaa59dc0 100644
 --- a/modules/proxy/mod_proxy_uwsgi.c
 +++ b/modules/proxy/mod_proxy_uwsgi.c
@@ -456,11 +456,8 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
                          const char *proxyname, apr_port_t proxyport)
 {
     int status;
 -    int delta = 0;
 -    int decode_status;
     proxy_conn_rec *backend = NULL;
     apr_pool_t *p = r->pool;
 -    size_t w_len;
     char server_portstr[32];
     char *u_path_info;
     apr_uri_t *uri;
@@ -472,23 +469,14 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
     uri = apr_palloc(r->pool, sizeof(*uri));
 -    /* ADD PATH_INFO */
 -#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
 -    w_len = strlen(worker->s->name);
 -#else
 -    w_len = strlen(worker->name);
 -#endif
 -    u_path_info = r->filename + 6 + w_len;
 -    if (u_path_info[0] != '/') {
 -        delta = 1;
 -    }
 -    decode_status = ap_unescape_url(url + w_len - delta);
 -    if (decode_status) {
 +    /* ADD PATH_INFO (unescaped) */
 +    u_path_info = ap_strchr(url + sizeof(UWSGI_SCHEME) + 2, '/');
 +    if (!u_path_info || ap_unescape_url(u_path_info) != OK) {
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10100)
 -                      "unable to decode uri: %s", url + w_len - delta);
 +                      "unable to decode uwsgi uri: %s", url);
         return HTTP_INTERNAL_SERVER_ERROR;
     }
 -    apr_table_add(r->subprocess_env, "PATH_INFO", url + w_len - delta);
 +    apr_table_add(r->subprocess_env, "PATH_INFO", u_path_info);
     /* Create space for state information */
--- a/backport-CVE-2021-44790.patch
+++ b/backport-CVE-2021-44790.patch
@ -13,7 +13,7 @@ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896039
 1 file changed, 1 insertion(+)
 diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
-index 67ff432..493b2bb 100644
+index 67ff432e51f..493b2bb431c 100644
 --- a/modules/lua/lua_request.c
 +++ b/modules/lua/lua_request.c
@@ -410,6 +410,7 @@ static int req_parsebody(lua_State *L)
@ -24,6 +24,3 @@ index 67ff432..493b2bb 100644
             vlen = end - crlf - 8;
             buffer = (char *) apr_pcalloc(r->pool, vlen+1);
             memcpy(buffer, crlf + 4, vlen);
 -- 
 1.8.3.1
--- a/backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch
+++ b/backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch
@ -1,74 +0,0 @@
 From 9226cbc6b92492615856b567ac7f7557f196634b Mon Sep 17 00:00:00 2001
 From: Christophe Jaillet <jailletc36@apache.org>
 Date: Tue, 10 Aug 2021 18:49:20 +0000
 Subject: [PATCH] Follow up to 1892038, 1892063.
 Improve fix to please a fuzzer which reports:
   util.c:2713:26: runtime error: signed integer overflow:
   9999999999999999 * 1000 cannot be represented in type 'long'
 Compute the maximum limit for each case 's', 'h', 'ms' and 'mi' and make sure that the input is below this value.
 While at it, move a comment to make things more consistent and use 'apr_time_from_msec() instead of hand writing it.
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892185 13f79535-47bb-0310-9956-ffa450edef68
 ---
 server/util.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
 diff --git a/server/util.c b/server/util.c
 index 4a35eac6b0c..d87417f7621 100644
 --- a/server/util.c
 +++ b/server/util.c
@@ -2668,6 +2668,7 @@ AP_DECLARE(char *) ap_append_pid(apr_pool_t *p, const char *string,
  * in timeout_parameter.
  * @return Status value indicating whether the parsing was successful or not.
  */
 +#define CHECK_OVERFLOW(a, b) if (a > b) return APR_ERANGE
 AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
                                                const char *timeout_parameter,
                                                apr_interval_time_t *timeout,
@@ -2697,10 +2698,12 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
     switch (*time_str) {
         /* Time is in seconds */
     case 's':
 +        CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX));
         check = apr_time_from_sec(tout);
         break;
 +        /* Time is in hours */
     case 'h':
 -        /* Time is in hours */
 +        CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 3600));
         check = apr_time_from_sec(tout * 3600);
         break;
     case 'm':
@@ -2710,10 +2713,12 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
         switch (*(++time_str)) {
         /* Time is in milliseconds */
         case 's':
 -            check = tout * 1000;
 +            CHECK_OVERFLOW(tout, apr_time_as_msec(APR_INT64_MAX));
 +            check = apr_time_from_msec(tout);
             break;
         /* Time is in minutes */
         case 'i':
 +            CHECK_OVERFLOW(tout, apr_time_sec(APR_INT64_MAX / 60));
             check = apr_time_from_sec(tout * 60);
             break;
         default:
@@ -2724,12 +2729,11 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
     default:
         return APR_EGENERAL;
     }
 -    if (check > APR_INT64_MAX || check < 0) { 
 -        return APR_ERANGE;
 -    }
 -    *timeout = (apr_interval_time_t) check;
 +
 +    *timeout = (apr_interval_time_t)check;
     return APR_SUCCESS;
 }
 +#undef CHECK_OVERFLOW
 AP_DECLARE(int) ap_parse_strict_length(apr_off_t *len, const char *str)
 {
--- a/backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch
+++ b/backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch
@ -1,71 +0,0 @@
 From 7ea44d0402334e40f31730d889c5ad60e158692d Mon Sep 17 00:00:00 2001
 From: Eric Covener <covener@apache.org>
 Date: Fri, 6 Aug 2021 13:10:45 +0000
 Subject: [PATCH] fix int overflow in ap_timeout_parameter_parse
 signed integer overflow in ap_timeout_parameter_parse under fuzzing
 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1892038 13f79535-47bb-0310-9956-ffa450edef68
 ---
 server/util.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
 diff --git a/server/util.c b/server/util.c
 index 2d7708ae851..6f9dbd4d657 100644
 --- a/server/util.c
 +++ b/server/util.c
@@ -2676,6 +2676,7 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
     char *endp;
     const char *time_str;
     apr_int64_t tout;
 +    apr_uint64_t check;
     tout = apr_strtoi64(timeout_parameter, &endp, 10);
     if (errno) {
@@ -2688,14 +2689,18 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
         time_str = endp;
     }
 +    if (tout < 0) { 
 +        return APR_ERANGE;
 +    }
 +
     switch (*time_str) {
         /* Time is in seconds */
     case 's':
 -        *timeout = (apr_interval_time_t) apr_time_from_sec(tout);
 +        check = apr_time_from_sec(tout);
         break;
     case 'h':
         /* Time is in hours */
 -        *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 3600);
 +        check = apr_time_from_sec(tout * 3600);
         break;
     case 'm':
         switch (*(++time_str)) {
@@ -2705,11 +2710,11 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
         switch (*(++time_str)) {
         /* Time is in milliseconds */
         case 's':
 -            *timeout = (apr_interval_time_t) tout * 1000;
 +            check = tout * 1000;
             break;
         /* Time is in minutes */
         case 'i':
 -            *timeout = (apr_interval_time_t) apr_time_from_sec(tout * 60);
 +            check = apr_time_from_sec(tout * 60);
             break;
         default:
             return APR_EGENERAL;
@@ -2719,6 +2724,10 @@ AP_DECLARE(apr_status_t) ap_timeout_parameter_parse(
     default:
         return APR_EGENERAL;
     }
 +    if (check > APR_INT64_MAX || check < 0) { 
 +        return APR_ERANGE;
 +    }
 +    *timeout = (apr_interval_time_t) check;
     return APR_SUCCESS;
 }
--- a/backport-httpd-2.4.1-apctl.patch
+++ b/backport-httpd-2.4.1-apctl.patch
--- a/backport-httpd-2.4.1-corelimit.patch
+++ b/backport-httpd-2.4.1-corelimit.patch
--- a/backport-httpd-2.4.1-deplibs.patch
+++ b/backport-httpd-2.4.1-deplibs.patch
--- a/backport-httpd-2.4.17-socket-activation.patch
+++ b/backport-httpd-2.4.17-socket-activation.patch
--- a/backport-httpd-2.4.2-icons.patch
+++ b/backport-httpd-2.4.2-icons.patch
--- a/backport-httpd-2.4.25-selinux.patch
+++ b/backport-httpd-2.4.25-selinux.patch
--- a/backport-httpd-2.4.3-apctl-systemd.patch
+++ b/backport-httpd-2.4.3-apctl-systemd.patch
--- a/backport-httpd-2.4.33-export.patch
+++ b/backport-httpd-2.4.33-export.patch
--- a/backport-httpd-2.4.34-enable-sslv3.patch
+++ b/backport-httpd-2.4.34-enable-sslv3.patch
@ -2,12 +2,14 @@ diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
 index 517ce30..075f7e1 100644
 --- a/modules/ssl/ssl_engine_config.c
 +++ b/modules/ssl/ssl_engine_config.c
-@@ -1474,6 +1474,8 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
+@@ -1474,6 +1474,10 @@ static const char *ssl_cmd_protocol_parse(cmd_parms *parms,
 #endif
         else if (strcEQ(w, "all")) {
             thisopt = SSL_PROTOCOL_ALL;
 +#ifndef OPENSSL_NO_SSL3
 +            // by default, ALL kw doesn't turn on SSLv3
 +            thisopt &= ~SSL_PROTOCOL_SSLV3;
 +#endif
         }
         else {
             return apr_pstrcat(parms->temp_pool,
--- a/backport-httpd-2.4.34-sslciphdefault.patch
+++ b/backport-httpd-2.4.34-sslciphdefault.patch
--- a/backport-httpd-2.4.34-sslprotdefault.patch
+++ b/backport-httpd-2.4.34-sslprotdefault.patch
--- a/backport-httpd-2.4.4-cachehardmax.patch
+++ b/backport-httpd-2.4.4-cachehardmax.patch
--- a/backport-httpd-2.4.43-detect-systemd.patch
+++ b/backport-httpd-2.4.43-detect-systemd.patch
--- a/backport-httpd-2.4.43-gettid.patch
+++ b/backport-httpd-2.4.43-gettid.patch
--- a/backport-httpd-2.4.43-r1861793+.patch
+++ b/backport-httpd-2.4.43-r1861793+.patch
--- a/backport-httpd-2.4.46-htcacheclean-dont-break.patch
+++ b/backport-httpd-2.4.46-htcacheclean-dont-break.patch
--- a/backport-httpd-2.4.48-r1828172+.patch
+++ b/backport-httpd-2.4.48-r1828172+.patch
--- a/backport-httpd-2.4.9-apxs.patch
+++ b/backport-httpd-2.4.9-apxs.patch
--- a/backport-layout_add_openEuler.patch
+++ b/backport-layout_add_openEuler.patch
--- a/httpd-2.4.48.tar.bz2
+++ b/httpd-2.4.48.tar.bz2
--- a/httpd-2.4.51.tar.bz2
+++ b/httpd-2.4.51.tar.bz2
--- a/httpd.conf
+++ b/httpd.conf
@ -35,8 +35,10 @@ ServerRoot "/etc/httpd"
 # ports, instead of the default. See also the <VirtualHost>
 # directive.
 #
-# Change this to Listen on specific IP addresses as shown below to 
+# Change this to Listen on a specific IP address, but note that if            
-# prevent Apache from glomming onto all bound IP addresses.
+# httpd.service is enabled to run at boot time, the address may not be            
 # available when the service starts.  See the httpd.service(8) man            
 # page for more information.
 #
 #Listen 12.34.56.78:80
 Listen 80
--- a/httpd.spec
+++ b/httpd.spec
@ -7,8 +7,8 @@
 Name:             httpd
 Summary:          Apache HTTP Server
-Version:          2.4.48
+Version:          2.4.51
-Release:          6
+Release:          1
 License:          ASL 2.0
 URL:              https://httpd.apache.org/
 Source0:          https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -50,36 +50,26 @@ Source42:         httpd-init.service
 Source43:         httpd-ssl-gencerts
 Source44:         httpd@.service
-Patch0:           httpd-2.4.1-apctl.patch
+Patch0:           backport-httpd-2.4.1-apctl.patch
-Patch1:           httpd-2.4.9-apxs.patch
+Patch1:           backport-httpd-2.4.9-apxs.patch
-Patch2:           httpd-2.4.1-deplibs.patch
+Patch2:           backport-httpd-2.4.1-deplibs.patch
-Patch3:           httpd-2.4.3-apctl-systemd.patch
+Patch3:           backport-httpd-2.4.3-apctl-systemd.patch
-Patch4:           httpd-2.4.43-detect-systemd.patch
+Patch4:           backport-httpd-2.4.43-detect-systemd.patch
-Patch5:           httpd-2.4.33-export.patch
+Patch5:           backport-httpd-2.4.33-export.patch
-Patch6:           httpd-2.4.1-corelimit.patch
+Patch6:           backport-httpd-2.4.1-corelimit.patch
-Patch7:           httpd-2.4.25-selinux.patch
+Patch7:           backport-httpd-2.4.25-selinux.patch
-Patch8:           httpd-2.4.2-icons.patch
+Patch8:           backport-httpd-2.4.2-icons.patch
-Patch9:           httpd-2.4.4-cachehardmax.patch
+Patch9:           backport-httpd-2.4.4-cachehardmax.patch
-Patch10:          httpd-2.4.17-socket-activation.patch
+Patch10:          backport-httpd-2.4.17-socket-activation.patch
-Patch11:          httpd-2.4.34-sslciphdefault.patch
+Patch11:          backport-httpd-2.4.34-sslciphdefault.patch
-Patch12:          httpd-2.4.34-sslprotdefault.patch
+Patch12:          backport-httpd-2.4.34-sslprotdefault.patch
-Patch13:          httpd-2.4.34-enable-sslv3.patch
+Patch13:          backport-httpd-2.4.34-enable-sslv3.patch
-Patch14:          layout_add_openEuler.patch
+Patch14:          backport-layout_add_openEuler.patch
-Patch16:          httpd-2.4.43-gettid.patch
+Patch15:          backport-httpd-2.4.43-gettid.patch
-Patch17:          httpd-2.4.43-r1861793+.patch
+Patch16:          backport-httpd-2.4.43-r1861793+.patch
-Patch18:          httpd-2.4.43-r1828172+.patch 
+Patch17:          backport-httpd-2.4.48-r1828172+.patch
-Patch19:          httpd-2.4.46-htcacheclean-dont-break.patch 
+Patch18:          backport-httpd-2.4.46-htcacheclean-dont-break.patch 
-Patch20:          backport-CVE-2021-34798.patch
+Patch19:          backport-CVE-2021-44790.patch
 Patch21:          backport-CVE-2021-36160.patch
 Patch22:          backport-001-CVE-2021-40438.patch
 Patch23:          backport-002-CVE-2021-40438.patch
 Patch24:          backport-003-CVE-2021-40438.patch
 Patch25:          backport-004-CVE-2021-40438.patch
 Patch26:          backport-001-CVE-2021-39275.patch
 Patch27:          backport-002-CVE-2021-39275.patch
 Patch28:          backport-fix-int-overflow-in-ap_timeout_parameter_parse.patch
 Patch29:          backport-Improve-fix-to-please-a-fuzzer-which-reports-overflow.patch
 Patch30:	  backport-CVE-2021-44790.patch
 BuildRequires:    gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires:    zlib-devel libselinux-devel lua-devel brotli-devel
@ -512,6 +502,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
 * Sat Mar 26 2022 yanglu <yanglu72@h-partners.com> - 2.4.51-1
 - Type:requirement
 - ID:NA
 - SUG:NA
 - DESC:update httpd to 2.4.51
 * Mon Jan 24 2022 quanhongfei <quanhongfei@huawei.com> - 2.4.48-6
 - Type:bugfix
 - ID:NA
@ -522,7 +518,7 @@ exit $rv
 - Type:cves
 - ID:NA
 - SUG:restart
- DESC:fix CVE-2021-44224
+- DESC:fix CVE-2021-44790
 * Fri Nov 05 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.48-4
 - Type:bugfix