diff --git a/backport-CVE-2023-25690.patch b/backport-CVE-2023-25690.patch
deleted file mode 100644
index 03552c7..0000000
--- a/backport-CVE-2023-25690.patch
+++ /dev/null
@@ -1,205 +0,0 @@
-From d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51 Mon Sep 17 00:00:00 2001
-From: covener
-Date: Mon, 6 Mar 2023 4:27:31 AM GMT+0800
-Subject: [PATCH] don't forward invalid query strings
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/d78a166fedd9d02c23e4b71d5f53bd9b2c4b9a51
-
----
- modules/http2/mod_proxy_http2.c | 14 ++++++++++++++
- modules/mappers/mod_rewrite.c | 22 ++++++++++++++++++++++
- modules/proxy/mod_proxy_ajp.c | 14 ++++++++++++++
- modules/proxy/mod_proxy_balancer.c | 14 ++++++++++++++
- modules/proxy/mod_proxy_http.c | 14 ++++++++++++++
- modules/proxy/mod_proxy_wstunnel.c | 14 ++++++++++++++
- 6 files changed, 92 insertions(+)
-
-diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
-index 3faf034..b316aa8 100644
---- a/modules/http2/mod_proxy_http2.c
-+++ b/modules/http2/mod_proxy_http2.c
-@@ -154,10 +154,24 @@ static int proxy_http2_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, (int)strlen(url),
- enc_path, 0, r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO()
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- break;
- case PROXYREQ_PROXY:
-diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
-index 9439965..f6398f1 100644
---- a/modules/mappers/mod_rewrite.c
-+++ b/modules/mappers/mod_rewrite.c
-@@ -4729,6 +4729,17 @@ static int hook_uri2file(request_rec *r)
- unsigned skip;
- apr_size_t flen;
-
-+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10410)
-+ "Rewritten query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
-+
- if (ACTION_STATUS == rulestatus) {
- int n = r->status;
-
-@@ -5013,6 +5024,17 @@ static int hook_fixup(request_rec *r)
- if (rulestatus) {
- unsigned skip;
-
-+ if (r->args && *(ap_scan_vchar_obstext(r->args))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10411)
-+ "Rewritten query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
-+
- if (ACTION_STATUS == rulestatus) {
- int n = r->status;
-
-diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
-index 1449aca..aa3441a 100644
---- a/modules/proxy/mod_proxy_ajp.c
-+++ b/modules/proxy/mod_proxy_ajp.c
-@@ -65,10 +65,24 @@ static int proxy_ajp_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
- r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10406)
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- if (path == NULL)
- return HTTP_BAD_REQUEST;
-diff --git a/modules/proxy/mod_proxy_balancer.c b/modules/proxy/mod_proxy_balancer.c
-index f6fb634..de5ac8a 100644
---- a/modules/proxy/mod_proxy_balancer.c
-+++ b/modules/proxy/mod_proxy_balancer.c
-@@ -102,10 +102,24 @@ static int proxy_balancer_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
- r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10407)
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- if (path == NULL)
- return HTTP_BAD_REQUEST;
-diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
-index ec4e7fb..85f16f2 100644
---- a/modules/proxy/mod_proxy_http.c
-+++ b/modules/proxy/mod_proxy_http.c
-@@ -121,10 +121,24 @@ static int proxy_http_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, strlen(url),
- enc_path, 0, r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10408)
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- break;
- case PROXYREQ_PROXY:
-diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
-index bcbba42..16502e2 100644
---- a/modules/proxy/mod_proxy_wstunnel.c
-+++ b/modules/proxy/mod_proxy_wstunnel.c
-@@ -110,10 +110,24 @@ static int proxy_wstunnel_canon(request_rec *r, char *url)
- if (apr_table_get(r->notes, "proxy-nocanon")) {
- path = url; /* this is the raw path */
- }
-+ else if (apr_table_get(r->notes, "proxy-noencode")) {
-+ path = url; /* this is the encoded path already */
-+ search = r->args;
-+ }
- else {
- path = ap_proxy_canonenc(r->pool, url, strlen(url), enc_path, 0,
- r->proxyreq);
- search = r->args;
-+ if (search && *(ap_scan_vchar_obstext(search))) {
-+ /*
-+ * We have a raw control character or a ' ' in r->args.
-+ * Correct encoding was missed.
-+ */
-+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10409)
-+ "To be forwarded query string contains control "
-+ "characters or spaces");
-+ return HTTP_FORBIDDEN;
-+ }
- }
- if (path == NULL)
- return HTTP_BAD_REQUEST;
---
-2.27.0
-
diff --git a/backport-CVE-2023-27522.patch b/backport-CVE-2023-27522.patch
deleted file mode 100644
index 8a7f4f4..0000000
--- a/backport-CVE-2023-27522.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-From 0df5879df8f16b4101ea2365672178b4ae899e9e Mon Sep 17 00:00:00 2001
-From: ylavic
-Date: Thu, 2 Mar 2023 11:10:54 PM GMT+0800
-Subject: [PATCH] mod_proxy_uwsgi:Stricter backend HTTP response parsing/validation
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/0df5879df8f16b4101ea2365672178b4ae899e9e
-
----
- modules/proxy/mod_proxy_uwsgi.c | 49 +++++++++++++++++++++++----------
- 1 file changed, 35 insertions(+), 14 deletions(-)
-
-diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
-index e02450e..92e153c 100644
---- a/modules/proxy/mod_proxy_uwsgi.c
-+++ b/modules/proxy/mod_proxy_uwsgi.c
-@@ -307,18 +307,16 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
- pass_bb = apr_brigade_create(r->pool, c->bucket_alloc);
-
- len = ap_getline(buffer, sizeof(buffer), rp, 1);
--
- if (len <= 0) {
-- /* oops */
-+ /* invalid or empty */
- return HTTP_INTERNAL_SERVER_ERROR;
- }
--
- backend->worker->s->read += len;
--
-- if (len >= sizeof(buffer) - 1) {
-- /* oops */
-+ if ((apr_size_t)len >= sizeof(buffer)) {
-+ /* too long */
- return HTTP_INTERNAL_SERVER_ERROR;
- }
-+
- /* Position of http status code */
- if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
- status_start = 9;
-@@ -327,8 +325,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
- status_start = 7;
- }
- else {
-- /* oops */
-- return HTTP_INTERNAL_SERVER_ERROR;
-+ /* not HTTP */
-+ return HTTP_BAD_GATEWAY;
- }
- status_end = status_start + 3;
-
-@@ -348,21 +346,44 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
- }
- r->status_line = apr_pstrdup(r->pool, &buffer[status_start]);
-
-- /* start parsing headers */
-+ /* parse headers */
- while ((len = ap_getline(buffer, sizeof(buffer), rp, 1)) > 0) {
-+ if ((apr_size_t)len >= sizeof(buffer)) {
-+ /* too long */
-+ len = -1;
-+ break;
-+ }
- value = strchr(buffer, ':');
-- /* invalid header skip */
-- if (!value)
-- continue;
-- *value = '\0';
-- ++value;
-+ if (!value) {
-+ /* invalid header */
-+ len = -1;
-+ break;
-+ }
-+ *value++ = '\0';
-+ if (*ap_scan_http_token(buffer)) {
-+ /* invalid name */
-+ len = -1;
-+ break;
-+ }
- while (apr_isspace(*value))
- ++value;
- for (end = &value[strlen(value) - 1];
- end > value && apr_isspace(*end); --end)
- *end = '\0';
-+ if (*ap_scan_http_field_content(value)) {
-+ /* invalid value */
-+ len = -1;
-+ break;
-+ }
- apr_table_add(r->headers_out, buffer, value);
- }
-+ if (len < 0) {
-+ /* Reset headers, but not to NULL because things below the chain expect
-+ * this to be non NULL e.g. the ap_content_length_filter.
-+ */
-+ r->headers_out = apr_table_make(r->pool, 1);
-+ return HTTP_BAD_GATEWAY;
-+ }
-
- if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
- ap_set_content_type(r, apr_pstrdup(r->pool, buf));
---
-2.27.0
-
diff --git a/backport-CVE-2023-31122-out-of-bound-Read.patch b/backport-CVE-2023-31122-out-of-bound-Read.patch
deleted file mode 100644
index aebeaeb..0000000
--- a/backport-CVE-2023-31122-out-of-bound-Read.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From c41eb3b14a3d1eb2e3c42c4728cc52a22748851a Mon Sep 17 00:00:00 2001
-From: Stefan Eissing
-Date: Mon, 16 Oct 2023 06:39:44 +0000
-Subject: [PATCH] mod_macro: out of bounds Read
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/c41eb3b14a3d1eb2e3c42c4728cc52a22748851a
-
----
- modules/core/mod_macro.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/core/mod_macro.c b/modules/core/mod_macro.c
-index 04af43b..cc42d0b 100644
---- a/modules/core/mod_macro.c
-+++ b/modules/core/mod_macro.c
-@@ -465,7 +465,7 @@ static const char *process_content(apr_pool_t * pool,
- for (i = 0; i < contents->nelts; i++) {
- const char *errmsg;
- /* copy the line and substitute macro parameters */
-- strncpy(line, ((char **) contents->elts)[i], MAX_STRING_LEN - 1);
-+ apr_cpystrn(line, ((char **) contents->elts)[i], MAX_STRING_LEN);
- errmsg = substitute_macro_args(line, MAX_STRING_LEN,
- macro, replacements, used);
- if (errmsg) {
---
-2.23.0
-
diff --git a/backport-CVE-2023-43622-fixed-a-bug-in-handling-of-stream-timeouts.patch b/backport-CVE-2023-43622-fixed-a-bug-in-handling-of-stream-timeouts.patch
deleted file mode 100644
index da2f8bc..0000000
--- a/backport-CVE-2023-43622-fixed-a-bug-in-handling-of-stream-timeouts.patch
+++ /dev/null
@@ -1,134 +0,0 @@
-From 582c533c1728459eef5f8ec1a64b81fb093b26a8 Mon Sep 17 00:00:00 2001
-From: SteFan Eissing
-Date: Mon, 16 Oct 2023 06:18:30 +0000
-Subject: [PATCH] mod_http2: fixed a bug in handling of stream timeouts.
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/582c533c1728459eef5f8ec1a64b81fb093b26a8
-
----
- changes-entries/h2_stream_timeout.txt | 2 ++
- modules/http2/h2_mplx.c | 25 +++++++++++++++++++++++++
- modules/http2/h2_mplx.h | 5 +++++
- modules/http2/h2_session.c | 10 +++++++++-
- modules/http2/h2_stream.c | 8 ++++++++
- modules/http2/h2_stream.h | 2 ++
- 6 files changed, 51 insertions(+), 1 deletion(-)
- create mode 100644 changes-entries/h2_stream_timeout.txt
-
-diff --git a/changes-entries/h2_stream_timeout.txt b/changes-entries/h2_stream_timeout.txt
-new file mode 100644
-index 0000000..ab39b42
---- /dev/null
-+++ b/changes-entries/h2_stream_timeout.txt
-@@ -0,0 +1,2 @@
-+* mod_http2: fixed a bug in handing of stream timeouts.
-+ [Stefan Eissing]
-diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
-index b4855af..e150cc3 100644
---- a/modules/http2/h2_mplx.c
-+++ b/modules/http2/h2_mplx.c
-@@ -394,6 +394,31 @@ apr_status_t h2_mplx_c1_streams_do(h2_mplx *m, h2_mplx_stream_cb *cb, void *ctx)
- return APR_SUCCESS;
- }
-
-+typedef struct {
-+ int stream_count;
-+ int stream_want_send;
-+} stream_iter_aws_t;
-+
-+static int m_stream_want_send_data(void *ctx, void *stream)
-+{
-+ stream_iter_aws_t *x = ctx;
-+ ++x->stream_count;
-+ if (h2_stream_wants_send_data(stream))
-+ ++x->stream_want_send;
-+ return 1;
-+}
-+
-+int h2_mplx_c1_all_streams_want_send_data(h2_mplx *m)
-+{
-+ stream_iter_aws_t x;
-+ x.stream_count = 0;
-+ x.stream_want_send = 0;
-+ H2_MPLX_ENTER(m);
-+ h2_ihash_iter(m->streams, m_stream_want_send_data, &x);
-+ H2_MPLX_LEAVE(m);
-+ return x.stream_count && (x.stream_count == x.stream_want_send);
-+}
-+
- static int m_report_stream_iter(void *ctx, void *val) {
- h2_mplx *m = ctx;
- h2_stream *stream = val;
-diff --git a/modules/http2/h2_mplx.h b/modules/http2/h2_mplx.h
-index f565a09..730bb16 100644
---- a/modules/http2/h2_mplx.h
-+++ b/modules/http2/h2_mplx.h
-@@ -193,6 +193,11 @@ typedef int h2_mplx_stream_cb(struct h2_stream *s, void *userdata);
- */
- apr_status_t h2_mplx_c1_streams_do(h2_mplx *m, h2_mplx_stream_cb *cb, void *ctx);
-
-+/**
-+ * Return != 0 iff all open streams want to send data
-+ */
-+int h2_mplx_c1_all_streams_want_send_data(h2_mplx *m)
-+
- /**
- * A stream has been RST_STREAM by the client. Abort
- * any processing going on and remove from processing
-diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c
-index f740373..8aeff3c 100644
---- a/modules/http2/h2_session.c
-+++ b/modules/http2/h2_session.c
-@@ -1931,7 +1931,15 @@ apr_status_t h2_session_process(h2_session *session, int async)
- status = h2_mplx_c1_poll(session->mplx, session->s->timeout,
- on_stream_input, on_stream_output, session);
- if (APR_STATUS_IS_TIMEUP(status)) {
-- if (session->open_streams == 0) {
-+ /* If we timeout without streams open, no new request from client
-+ * arrived.
-+ * If we timeout without nghttp2 wanting to write something, bug
-+ * all open streams have something to send, it means we are
-+ * blocked on HTTP/2 flow control and the client did not send
-+ * WINDOW_UPDATEs to us. */
-+ if (session->open_stream == 0 ||
-+ (!h2_session_want_send(session) &&
-+ h2_mplx_c1_all_streams_want_send_data(session->m))) {
- h2_session_dispatch_event(session, H2_SESSION_EV_CONN_TIMEOUT, status, NULL);
- break;
- }
-diff --git a/modules/http2/h2_stream.c b/modules/http2/h2_stream.c
-index 17e5d34..c81c3e4 100644
---- a/modules/http2/h2_stream.c
-+++ b/modules/http2/h2_stream.c
-@@ -1185,6 +1185,14 @@ int h2_stream_is_ready(h2_stream *stream)
- return 0;
- }
-
-+int h2_stream_wants_send_data(h2_stream *stream)
-+{
-+ H2_STRM_ASSERT_MAGIC(stream, H2_STRM_MAGIC_OK);
-+ return h2_stream_is_ready(stream) &&
-+ ((stream->out_buffer && !APR_BRIGADE_EMPTY(stream->out_buffer)) ||
-+ (stream->output && !h2_beam_empty(stream->output)));
-+}
-+
- int h2_stream_is_at(const h2_stream *stream, h2_stream_state_t state)
- {
- return stream->state == state;
-diff --git a/modules/http2/h2_stream.h b/modules/http2/h2_stream.h
-index 695d56a..647ef2d 100644
---- a/modules/http2/h2_stream.h
-+++ b/modules/http2/h2_stream.h
-@@ -317,6 +317,8 @@ const char *h2_stream_state_str(const h2_stream *stream);
- */
- int h2_stream_is_ready(h2_stream *stream);
-
-+int h2_stream_wants_send_data(h2_stream *stream);
-+
- #define H2_STRM_MSG(s, msg) \
- "h2_stream(%d-%lu-%d,%s): "msg, s->session->child_num, \
- (unsigned long)s->session->id, s->id, h2_stream_state_str(s)
---
-2.23.0
-
diff --git a/backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch b/backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch
deleted file mode 100644
index 652fc02..0000000
--- a/backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch
+++ /dev/null
@@ -1,139 +0,0 @@
-From decce82a706abd78dfc32821a03ad93841d7758a Mon Sep 17 00:00:00 2001
-From: Stefan Eissing
-Date: Mon, 16 Oct 2023 09:05:00 +0000
-Subject: [PATCH] mod_http2: improved early cleanup of streams
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commit/decce82a706abd78dfc32821a03ad93841d7758a
-
----
- changes-entries/h2_cleanup.txt | 2 ++
- modules/http2/h2_mplx.c | 26 ++++++++++++++++++++++----
- modules/http2/h2_mplx.h | 3 ++-
- modules/http2/h2_session.c | 18 +++++++++++++++++-
- modules/http2/h2_stream.c | 2 +-
- 5 files changed, 44 insertions(+), 7 deletions(-)
- create mode 100644 changes-entries/h2_cleanup.txt
-
-diff --git a/changes-entries/h2_cleanup.txt b/changes-entries/h2_cleanup.txt
-new file mode 100644
-index 0000000..305f24a
---- /dev/null
-+++ b/changes-entries/h2_cleanup.txt
-@@ -0,0 +1,2 @@
-+* mod_http2: improved early cleanup of streams.
-+ [Stefan Eissing]
-diff --git a/modules/http2/h2_mplx.c b/modules/http2/h2_mplx.c
-index 99c47ea..b4855af 100644
---- a/modules/http2/h2_mplx.c
-+++ b/modules/http2/h2_mplx.c
-@@ -1064,14 +1064,32 @@ static int reset_is_acceptable(h2_stream *stream)
- return 1; /* otherwise, be forgiving */
- }
-
--apr_status_t h2_mplx_c1_client_rst(h2_mplx *m, int stream_id)
-+apr_status_t h2_mplx_c1_client_rst(h2_mplx *m, int stream_id, h2_stream * stream)
- {
-- h2_stream *stream;
- apr_status_t status = APR_SUCCESS;
-+ int registered;
-
- H2_MPLX_ENTER_ALWAYS(m);
-- stream = h2_ihash_get(m->streams, stream_id);
-- if (stream && !reset_is_acceptable(stream)) {
-+ registered = (h2_ihash_get(m->streams, stream_id) != NULL);
-+ if (!stream) {
-+ /* a RST might arrive so late, we have already forgotten
-+ * about it. Seems ok. */
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, m->c1,
-+ H2_MPLX_MSG(m, "RST on unknown stream %d"), stream_id);
-+ AP_DEBUG_ASSERT(!registered);
-+ }
-+ else if (!registered) {
-+ /* a RST on a stream that mplx has not been told about, but
-+ * which the session knows. Very early and annoying. */
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, m->c1
-+ H2_STRM_MSG(stream, "very early RST, drop"));
-+ h2_stream_set_monitor(stream, NULL);
-+ h2_stream_rst(stream, H2_ERR_STREAM_CLOSED);
-+ h2_stream_dispatch(stream, H2_SEV_EOS_SENT);
-+ m_stream_cleanup(m, stream);
-+ m_be_annoyed(m);
-+ }
-+ else if (!reset_is_acceptable(stream)) {
- m_be_annoyed(m);
- }
- H2_MPLX_LEAVE(m);
-diff --git a/modules/http2/h2_mplx.h b/modules/http2/h2_mplx.h
-index 1f79aa8..f565a09 100644
---- a/modules/http2/h2_mplx.h
-+++ b/modules/http2/h2_mplx.h
-@@ -198,7 +198,8 @@ apr_status_t h2_mplx_c1_streams_do(h2_mplx *m, h2_mplx_stream_cb *cb, void *ctx)
- * any processing going on and remove from processing
- * queue.
- */
--apr_status_t h2_mplx_c1_client_rst(h2_mplx *m, int stream_id);
-+apr_status_t h2_mplx_c1_client_rst(h2_mplx *m, int stream_id,
-+ struct h2_stream *stream);
-
- /**
- * Get readonly access to a stream for a secondary connection.
-diff --git a/modules/http2/h2_session.c b/modules/http2/h2_session.c
-index 7ba49cf..f740373 100644
---- a/modules/http2/h2_session.c
-+++ b/modules/http2/h2_session.c
-@@ -402,6 +402,10 @@ static int on_frame_recv_cb(nghttp2_session *ng2s,
- H2_SSSN_STRM_MSG(session, frame->hd.stream_id,
- "RST_STREAM by client, error=%d"),
- (int)frame->rst_stream.error_code);
-+ if (stream) {
-+ rv = h2_stream_recv_frame(stream, NGHTTP2_RST_STREAM, frame->hd.flags,
-+ frame->hd.length + H2_FRAME_HDR_LEN);
-+ }
- if (stream && stream->initiated_on) {
- /* A stream reset on a request we sent it. Normal, when the
- * client does not want it. */
-@@ -410,7 +414,8 @@ static int on_frame_recv_cb(nghttp2_session *ng2s,
- else {
- /* A stream reset on a request it sent us. Could happen in a browser
- * when the user navigates away or cancels loading - maybe. */
-- h2_mplx_c1_client_rst(session->mplx, frame->hd.stream_id);
-+ h2_mplx_c1_client_rst(session->mplx, frame->hd.stream_id,
-+ stream);
- }
- ++session->streams_reset;
- break;
-@@ -813,6 +818,17 @@ static apr_status_t session_cleanup(h2_session *session, const char *trigger)
- "goodbye, clients will be confused, should not happen"));
- }
-
-+ if (!h2_iq_empty(session->ready_to_process)) {
-+ int sid;
-+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-+ H2_SSSN_LOG(APLOG(), session,
-+ "cleanup, resetting %d stream in ready-to-process"),
-+ h2_iq_count(session->ready_to_process));
-+ while ((sid = h2_iq_shift(session->ready_to_process)) > 0) {
-+ h2_mplx_c1_client_rst(session->mplx, sid, get_stream(session, sid));
-+ }
-+ }
-+
- transit(session, trigger, H2_SESSION_ST_CLEANUP);
- h2_mplx_c1_destroy(session->mplx);
- session->mplx = NULL;
-diff --git a/modules/http2/h2_stream.c b/modules/http2/h2_stream.c
-index cf6f798..17e5d34 100644
---- a/modules/http2/h2_stream.c
-+++ b/modules/http2/h2_stream.c
-@@ -125,7 +125,7 @@ static int trans_on_event[][H2_SS_MAX] = {
- { S_XXX, S_ERR, S_ERR, S_CL_L, S_CLS, S_XXX, S_XXX, S_XXX, },/* EV_CLOSED_L*/
- { S_ERR, S_ERR, S_ERR, S_CL_R, S_ERR, S_CLS, S_NOP, S_NOP, },/* EV_CLOSED_R*/
- { S_CLS, S_CLS, S_CLS, S_CLS, S_CLS, S_CLS, S_NOP, S_NOP, },/* EV_CANCELLED*/
--{ S_NOP, S_XXX, S_XXX, S_XXX, S_XXX, S_CLS, S_CLN, S_XXX, },/* EV_EOS_SENT*/
-+{ S_NOP, S_XXX, S_XXX, S_XXX, S_XXX, S_CLS, S_CLN, S_NOP, },/* EV_EOS_SENT*/
- { S_NOP, S_XXX, S_CLS, S_XXX, S_XXX, S_CLS, S_XXX, S_XXX, },/* EV_IN_ERROR*/
- };
-
---
-2.23.0
-
diff --git a/backport-fix-memory-leak-in-calc_sha256_hash.patch b/backport-fix-memory-leak-in-calc_sha256_hash.patch
deleted file mode 100644
index e16fc2a..0000000
--- a/backport-fix-memory-leak-in-calc_sha256_hash.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From ff558f52f528dd21eb0a77de74d828e1459cdd62 Mon Sep 17 00:00:00 2001
-From: Joe Orton
-Date: Fri, 7 Jul 2023 08:04:38 PM GMT+0800
-Subject: [PATCH] fix memory leak in calc_sha256_hash
-
-Conflict:NA
-Reference:https://github.com/apache/httpd/commmit/ff558f52f528dd21eb0a77de74d828e1459cdd62
-
----
- modules/http2/h2_push.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/modules/http2/h2_push.c b/modules/http2/h2_push.c
-index 462c470..dd0928b 100644
---- a/modules/http2/h2_push.c
-+++ b/modules/http2/h2_push.c
-@@ -502,6 +502,7 @@ static void calc_sha256_hash(h2_push_diary *diary, apr_uint64_t *phash, h2_push
- sha256_update(md, push->req->authority);
- sha256_update(md, push->req->path);
- EVP_DigestFinal(md, hash, &len);
-+ EVP_MD_CTX_destroy(md);
-
- val = 0;
- for (i = 0; i != len; ++i)
---
-2.23.0
-
diff --git a/httpd-2.4.55.tar.bz2 b/httpd-2.4.55.tar.bz2
deleted file mode 100644
index c4b735c..0000000
Binary files a/httpd-2.4.55.tar.bz2 and /dev/null differ
diff --git a/httpd-2.4.58.tar.bz2 b/httpd-2.4.58.tar.bz2
new file mode 100644
index 0000000..9e972b5
Binary files /dev/null and b/httpd-2.4.58.tar.bz2 differ
diff --git a/httpd.spec b/httpd.spec
index de2a481..cac6cd0 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,8 +7,8 @@
 Name: httpd
 Summary: Apache HTTP Server
-Version: 2.4.55
-Release: 5
+Version: 2.4.58
+Release: 1
 License: ASL 2.0
 URL: https://httpd.apache.org/
 Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -69,12 +69,6 @@ Patch15: backport-httpd-2.4.43-gettid.patch
 Patch16: backport-httpd-2.4.43-r1861793+.patch
 Patch17: backport-httpd-2.4.48-r1828172+.patch
 Patch18: backport-httpd-2.4.46-htcacheclean-dont-break.patch
-Patch19: backport-CVE-2023-27522.patch
-Patch20: backport-CVE-2023-25690.patch
-Patch21: backport-fix-memory-leak-in-calc_sha256_hash.patch
-Patch22: backport-CVE-2023-31122-out-of-bound-Read.patch
-Patch23: backport-CVE-2023-45802-improved-early-cleanup-of-streams.patch
-Patch24: backport-CVE-2023-43622-fixed-a-bug-in-handling-of-stream-timeouts.patch
 BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel
 BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel
@@ -511,6 +505,12 @@ exit $rv
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Mon Jan 29 2024 chengyechun - 2.4.58-1
+- Type:enhancement
+- ID:NA
+- SUG:NA
+- DESC:update to httpd-2.4.58
+
 * Fri Nov 03 2023 chengyechun - 2.4.55-5
 - Type:CVE
 - ID:CVE-2023-31122, CVE-2023-45802, CVE-2023-43622