packages/httpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-26690

Browse Source
This commit is contained in:
eaglegai 2021-06-23 14:09:51 +08:00
parent 45cf232cf3
commit dadc068f2d
2 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
CVE-2021-26690.patch Normal file
View File

@ -0,0 +1,27 @@
From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Mon, 1 Mar 2021 20:07:08 +0000
Subject: [PATCH] mod_session: save one apr_strtok() in
session_identity_decode().
When the encoding is invalid (missing '='), no need to parse further.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68
---
modules/session/mod_session.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index a2b4a3e608b..01f41fe5d0f 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -413,8 +413,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z)
char *plast = NULL;
const char *psep = "=";
char *key = apr_strtok(pair, psep, &plast);
- char *val = apr_strtok(NULL, psep, &plast);
if (key && *key) {
+ char *val = apr_strtok(NULL, sep, &plast);
if (!val || !*val) {
apr_table_unset(z->entries, key);
}

9
httpd.spec
View File

@ -8,7 +8,7 @@
Name: httpd Name: httpd
Summary: Apache HTTP Server Summary: Apache HTTP Server
Version: 2.4.46 Version: 2.4.46
Release: 4 Release: 5
License: ASL 2.0 License: ASL 2.0
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -74,6 +74,7 @@ Patch20: CVE-2021-26691.patch
Patch21: CVE-2020-13950.patch Patch21: CVE-2020-13950.patch
Patch22: CVE-2020-35452.patch Patch22: CVE-2020-35452.patch
Patch23: CVE-2021-30641.patch Patch23: CVE-2021-30641.patch
Patch24: CVE-2021-26690.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -506,6 +507,12 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Wed Jun 23 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.46-5
- Type:cves
- ID:CVE-2021-26690
- SUG:NA
- DESC:fix CVE-2021-26690
* Tue Jun 22 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.46-4 * Tue Jun 22 2021 gaihuiying <gaihuiying1@huawei.com> - 2.4.46-4
- Type:cves - Type:cves
- ID:CVE-2021-30641 - ID:CVE-2021-30641