packages/httpd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-26691

Browse Source
This commit is contained in:
yangl777 2021-06-16 10:03:56 +08:00
parent 34d9fca361
commit eac31ac02c
2 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
CVE-2021-26691.patch Normal file
View File

@ -0,0 +1,31 @@
From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001
From: Yann Ylavic <ylavic@apache.org>
Date: Mon, 1 Mar 2021 20:13:54 +0000
Subject: [PATCH] mod_session: account for the '&' in identity_concat().
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68
---
modules/session/mod_session.c | 3 +--
1 files changed, 1 insertions(+), 2 deletions(-)
diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
index 01f41fe5d0f..a41e58444f9 100644
--- a/modules/session/mod_session.c
+++ b/modules/session/mod_session.c
@@ -326,7 +326,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
static int identity_count(void *v, const char *key, const char *val)
{
int *count = v;
- *count += strlen(key) * 3 + strlen(val) * 3 + 1;
+ *count += strlen(key) * 3 + strlen(val) * 3 + 2;
return 1;
}
@@ -362,7 +362,6 @@ static int identity_concat(void *v, const char *key, const char *val)
*/
static apr_status_t session_identity_encode(request_rec * r, session_rec * z)
{
-
char *buffer = NULL;
int length = 0;
if (z->expiry) {

9
httpd.spec
View File

@ -8,7 +8,7 @@
Name: httpd Name: httpd
Summary: Apache HTTP Server Summary: Apache HTTP Server
Version: 2.4.46 Version: 2.4.46
Release: 1 Release: 2
License: ASL 2.0 License: ASL 2.0
URL: https://httpd.apache.org/ URL: https://httpd.apache.org/
Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@ -70,6 +70,7 @@ Patch16: httpd-2.4.43-gettid.patch
Patch17: httpd-2.4.43-r1861793+.patch Patch17: httpd-2.4.43-r1861793+.patch
Patch18: httpd-2.4.43-r1828172+.patch Patch18: httpd-2.4.43-r1828172+.patch
Patch19: httpd-2.4.46-htcacheclean-dont-break.patch Patch19: httpd-2.4.46-htcacheclean-dont-break.patch
Patch20: CVE-2021-26691.patch
BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@ -502,6 +503,12 @@ exit $rv
%{_rpmconfigdir}/macros.d/macros.httpd %{_rpmconfigdir}/macros.d/macros.httpd
%changelog %changelog
* Wed Jun 16 2021 yanglu <yanglu72@huawei.com> - 2.4.46-2
- Type:cves
- ID:CVE-2021-26691
- SUG:NA
- DESC:fix CVE-2021-26691
* Tue Jan 26 2021 xihaochen<xihaochen@huawei.com> - 2.4.46-1 * Tue Jan 26 2021 xihaochen<xihaochen@huawei.com> - 2.4.46-1
- Type:requirements - Type:requirements
- ID:NA - ID:NA