diff --git a/CVE-2016-1000104.patch b/CVE-2016-1000104.patch
new file mode 100644
index 0000000..6b3438e
--- /dev/null
+++ b/CVE-2016-1000104.patch
@@ -0,0 +1,23 @@
+Index: mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c
+===================================================================
+--- mod_fcgid-2.3.9.orig/modules/fcgid/mod_fcgid.c
++++ mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c
+@@ -155,9 +155,15 @@ static void fcgid_add_cgi_vars(request_r
+ * consistent with legacy mod_fcgid behavior and mod_fastcgi
+ * prior to 2.4.7
+ */
+- apr_table_setn(r->subprocess_env, *hdr, val);
+- /* standard munging of header name (upcase, HTTP_, etc.) */
+- apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val);
++ /* boo#988492 httpoxy don't set HTTP_PROXY */
++ if ( strcasecmp(*hdr, "HTTP_PROXY") != 0 && strcasecmp(*hdr, "HTTP-PROXY") != 0) {
++ apr_table_setn(r->subprocess_env, *hdr, val);
++ }
++ /* boo#988492 httpoxy don't set HTTP_PROXY */
++ if ( strcasecmp(*hdr, "PROXY") != 0 ) {
++ /* standard munging of header name (upcase, HTTP_, etc.) */
++ apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val);
++ }
+ }
+ }
+ }
diff --git a/mod_fcgid.spec b/mod_fcgid.spec
index b2c2adc..11b335b 100644
--- a/mod_fcgid.spec
+++ b/mod_fcgid.spec
@@ -1,12 +1,13 @@
 Name: mod_fcgid
 Version: 2.3.9
-Release: 20
+Release: 21
 Summary: High performance alternative to mod_cgi or mod_cgid
 License: ASL 2.0
 URL: http://httpd.apache.org/mod_fcgid/
 Source0: http://www.apache.org/dist/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2
 Source1: mod_fcgid-tmpfs.conf
 Source2: fcgid24.conf
+Patch0: CVE-2016-1000104.patch
 BuildRequires: coreutils gcc httpd-devel >= 2.0 make pkgconfig sed perl
 Requires: httpd-mmn = %{_httpd_mmn}
 Requires: systemd
@@ -54,6 +55,9 @@ install -p -m644 %{SOURCE1} %{buildroot}%{_tmpfilesdir}/mod_fcgid.conf
 %doc build/fixconf.sed
 %changelog
+* Wed Jul 13 2022 yaoxin - 2.3.9-21
+- Fix CVE-2016-1000104
+
 * Fri Jan 7 2022 liyanan - 2.3.9-20
 - Add the perl dependency
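Review bot: The two new guards test the configured header name `*hdr` against two different literal sets, so the second one is correct only because of the exact mapping http2env applies (the existing comment says no more than "upcase, HTTP_, etc."); comparing the name each branch actually writes against "HTTP_PROXY" makes the httpoxy exclusion checkable without knowing that mapping. The munged name can be computed once before the two `apr_table_setn` calls and the second guard applied to that result, as sketched below. The second `/* boo#988492 httpoxy don't set HTTP_PROXY */` comment merely repeats the first; it should say why this branch matters, e.g. `/* boo#988492 httpoxy: "Proxy" munges to HTTP_PROXY, which CGI/FastCGI children must not see */`. fcgid_add_cgi_vars starts before line 155 and the three closing braces show the statements sit inside nested bodies whose heads are outside the hunk, so where `*hdr` and `val` come from is not visible here.
```c
/* boo#988492 httpoxy: never export HTTP_PROXY, whichever spelling produced it */
const char *env_name = http2env(r->pool, *hdr);
if (strcasecmp(*hdr, "HTTP_PROXY") != 0 && strcasecmp(*hdr, "HTTP-PROXY") != 0) {
    apr_table_setn(r->subprocess_env, *hdr, val);
}
if (strcasecmp(env_name, "HTTP_PROXY") != 0) {
    /* standard munging of header name (upcase, HTTP_, etc.) */
    apr_table_setn(r->subprocess_env, env_name, val);
}
```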
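Review bot: Adding `Patch0: CVE-2016-1000104.patch` only declares the patch; unless %prep uses `%autosetup` or `%autopatch`, a matching `%patch0 -p1` line is also required, and -p1 is the right strip level because the patch's `Index:`/`---`/`+++` paths carry the `mod_fcgid-2.3.9/` prefix. %prep is outside this diff, so this may already be handled, but it is worth confirming from the build log that the hunk is actually applied: otherwise the changelog would claim the CVE fix while the built module stays unpatched.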