diff options
author | Changqing Li <changqing.li@windriver.com> | 2021-08-02 10:09:22 +0800 |
---|---|---|
committer | Armin Kuster <akuster808@gmail.com> | 2021-09-02 18:24:53 -0700 |
commit | ca550956aa919fb7f76c21c88676102902fbeec5 (patch) | |
tree | 57574b881fc9aabd58bd02f8710e7ce3b8d1b288 | |
parent | b9fe34b1ad280d1ae7f8bc684715d2d1529c60fa (diff) | |
download | meta-openembedded-ca550956aa919fb7f76c21c88676102902fbeec5.tar.gz |
apache2: upgrade 2.4.46 -> 2.4.48
Source: https://git.openembedded.org/meta-openembedded
https://git.openembedded.org/meta-openembedded
MR: 112869, 112835, 105131, 112702, 112829
Type: Security Fix
Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/apache2?id=ba016d73b5233a43ec6e398b45445d13ddaad745
ChangeID: f3ac0bc1005c94a694573b823c8f3f7d4a15360c
Description:
Apache2 2.4.x is an LTS version with bug and CVE fixes.
https://downloads.apache.org/httpd/CHANGES_2.4.48
Includes these CVE fixes:
2.4.48
CVE-2021-31618
2.4.47
CVE-2020-13938
CVE-2020-11985
CVE-2021-33193
CVE-2019-17567
Drop these patches included in update:
CVE-2020-13950.patch
CVE-2020-35452.patch
CVE-2021-26690.patch
CVE-2021-26691.patch
CVE-2021-30641.patch
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit ba016d73b5233a43ec6e398b45445d13ddaad745)
Signed-off-by: Armin Kuster <akuster@mvista.com>
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch | 45 | ||||
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch | 49 | ||||
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch | 39 | ||||
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch | 35 | ||||
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch | 66 | ||||
-rw-r--r-- | meta-webserver/recipes-httpd/apache2/apache2_2.4.48.bb (renamed from meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb) | 9 |
6 files changed, 2 insertions, 241 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch deleted file mode 100644 index 4eb6b85b1..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch +++ /dev/null | |||
@@ -1,45 +0,0 @@ | |||
1 | From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001 | ||
2 | From: Yann Ylavic <ylavic@apache.org> | ||
3 | Date: Mon, 11 May 2015 15:48:58 +0000 | ||
4 | Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection | ||
5 | may be NULL during prefetch, don't try to dereference it! Still | ||
6 | origin->keepalive will be set according to p_conn->close by the caller | ||
7 | (proxy_http_handler). | ||
8 | |||
9 | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68 | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2020-35504 | ||
13 | |||
14 | Reference to upstream patch: | ||
15 | https://bugzilla.redhat.com/show_bug.cgi?id=1966738 | ||
16 | https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b | ||
17 | |||
18 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
19 | --- | ||
20 | modules/proxy/mod_proxy_http.c | 2 -- | ||
21 | 1 file changed, 2 deletions(-) | ||
22 | |||
23 | diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c | ||
24 | index ec1e042..5f507d5 100644 | ||
25 | --- a/modules/proxy/mod_proxy_http.c | ||
26 | +++ b/modules/proxy/mod_proxy_http.c | ||
27 | @@ -570,7 +570,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req, | ||
28 | apr_off_t bytes; | ||
29 | int force10, rv; | ||
30 | apr_read_type_e block; | ||
31 | - conn_rec *origin = p_conn->connection; | ||
32 | |||
33 | if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) { | ||
34 | if (req->expecting_100) { | ||
35 | @@ -630,7 +629,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req, | ||
36 | "chunked body with Content-Length (C-L ignored)", | ||
37 | c->client_ip, c->remote_host ? c->remote_host: ""); | ||
38 | req->old_cl_val = NULL; | ||
39 | - origin->keepalive = AP_CONN_CLOSE; | ||
40 | p_conn->close = 1; | ||
41 | } | ||
42 | |||
43 | -- | ||
44 | 2.7.4 | ||
45 | |||
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch deleted file mode 100644 index 001ca9252..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch +++ /dev/null | |||
@@ -1,49 +0,0 @@ | |||
1 | From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001 | ||
2 | From: Yann Ylavic <ylavic@apache.org> | ||
3 | Date: Mon, 18 Jan 2021 17:39:12 +0000 | ||
4 | Subject: [PATCH] Merge r1885659 from trunk: | ||
5 | |||
6 | mod_auth_digest: Fast validation of the nonce's base64 to fail early if | ||
7 | the format can't match anyway. | ||
8 | |||
9 | Submitted by: ylavic | ||
10 | Reviewed by: ylavic, covener, jailletc36 | ||
11 | |||
12 | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68 | ||
13 | |||
14 | Upstream-Status: Backport | ||
15 | CVE: CVE-2020-35452 | ||
16 | |||
17 | Reference to upstream patch: | ||
18 | https://security-tracker.debian.org/tracker/CVE-2020-35452 | ||
19 | https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b | ||
20 | |||
21 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
22 | --- | ||
23 | modules/aaa/mod_auth_digest.c | 9 +++++++-- | ||
24 | 1 file changed, 7 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c | ||
27 | index b760941..0825b1b 100644 | ||
28 | --- a/modules/aaa/mod_auth_digest.c | ||
29 | +++ b/modules/aaa/mod_auth_digest.c | ||
30 | @@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp, | ||
31 | time_rec nonce_time; | ||
32 | char tmp, hash[NONCE_HASH_LEN+1]; | ||
33 | |||
34 | - if (strlen(resp->nonce) != NONCE_LEN) { | ||
35 | + /* Since the time part of the nonce is a base64 encoding of an | ||
36 | + * apr_time_t (8 bytes), it should end with a '=', fail early otherwise. | ||
37 | + */ | ||
38 | + if (strlen(resp->nonce) != NONCE_LEN | ||
39 | + || resp->nonce[NONCE_TIME_LEN - 1] != '=') { | ||
40 | ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775) | ||
41 | - "invalid nonce %s received - length is not %d", | ||
42 | + "invalid nonce '%s' received - length is not %d " | ||
43 | + "or time encoding is incorrect", | ||
44 | resp->nonce, NONCE_LEN); | ||
45 | note_digest_auth_failure(r, conf, resp, 1); | ||
46 | return HTTP_UNAUTHORIZED; | ||
47 | -- | ||
48 | 2.7.4 | ||
49 | |||
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch deleted file mode 100644 index d3aea9e12..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch +++ /dev/null | |||
@@ -1,39 +0,0 @@ | |||
1 | From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yann Ylavic <ylavic@apache.org> | ||
3 | Date: Mon, 1 Mar 2021 20:07:08 +0000 | ||
4 | Subject: [PATCH] mod_session: save one apr_strtok() in | ||
5 | session_identity_decode(). | ||
6 | |||
7 | When the encoding is invalid (missing '='), no need to parse further. | ||
8 | |||
9 | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68 | ||
10 | |||
11 | Upstream-Status: Backport | ||
12 | CVE: CVE-2021-26690 | ||
13 | |||
14 | Reference to upstream patch: | ||
15 | https://security-tracker.debian.org/tracker/CVE-2021-26690 | ||
16 | https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8 | ||
17 | |||
18 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
19 | --- | ||
20 | modules/session/mod_session.c | 2 +- | ||
21 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
22 | |||
23 | diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c | ||
24 | index ebd05b0..af70f6b 100644 | ||
25 | --- a/modules/session/mod_session.c | ||
26 | +++ b/modules/session/mod_session.c | ||
27 | @@ -404,8 +404,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z) | ||
28 | char *plast = NULL; | ||
29 | const char *psep = "="; | ||
30 | char *key = apr_strtok(pair, psep, &plast); | ||
31 | - char *val = apr_strtok(NULL, psep, &plast); | ||
32 | if (key && *key) { | ||
33 | + char *val = apr_strtok(NULL, sep, &plast); | ||
34 | if (!val || !*val) { | ||
35 | apr_table_unset(z->entries, key); | ||
36 | } | ||
37 | -- | ||
38 | 2.7.4 | ||
39 | |||
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch deleted file mode 100644 index f9cf868d0..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch +++ /dev/null | |||
@@ -1,35 +0,0 @@ | |||
1 | From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001 | ||
2 | From: Yann Ylavic <ylavic@apache.org> | ||
3 | Date: Mon, 1 Mar 2021 20:13:54 +0000 | ||
4 | Subject: [PATCH] mod_session: account for the '&' in identity_concat(). | ||
5 | |||
6 | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2021-26691 | ||
10 | |||
11 | Reference to upstream patch: | ||
12 | https://bugzilla.redhat.com/show_bug.cgi?id=1966732 | ||
13 | https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b | ||
14 | |||
15 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
16 | --- | ||
17 | modules/session/mod_session.c | 2 +- | ||
18 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
19 | |||
20 | diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c | ||
21 | index 7ee477c..ebd05b0 100644 | ||
22 | --- a/modules/session/mod_session.c | ||
23 | +++ b/modules/session/mod_session.c | ||
24 | @@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z, | ||
25 | static int identity_count(void *v, const char *key, const char *val) | ||
26 | { | ||
27 | int *count = v; | ||
28 | - *count += strlen(key) * 3 + strlen(val) * 3 + 1; | ||
29 | + *count += strlen(key) * 3 + strlen(val) * 3 + 2; | ||
30 | return 1; | ||
31 | } | ||
32 | |||
33 | -- | ||
34 | 2.7.4 | ||
35 | |||
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch deleted file mode 100644 index 7f74c85e3..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch +++ /dev/null | |||
@@ -1,66 +0,0 @@ | |||
1 | From 6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Eric Covener <covener@apache.org> | ||
3 | Date: Wed, 21 Apr 2021 01:02:11 +0000 | ||
4 | Subject: [PATCH] legacy default slash-matching behavior w/ 'MergeSlashes OFF' | ||
5 | |||
6 | git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889036 13f79535-47bb-0310-9956-ffa450edef68 | ||
7 | |||
8 | Upstream-Status: Backport | ||
9 | CVE: CVE-2021-30641 | ||
10 | |||
11 | Reference to upstream patch: | ||
12 | https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641 | ||
13 | https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3 | ||
14 | |||
15 | Signed-off-by: Li Wang <li.wang@windriver.com> | ||
16 | --- | ||
17 | server/request.c | 19 ++++++++++++++++--- | ||
18 | 1 file changed, 16 insertions(+), 3 deletions(-) | ||
19 | |||
20 | diff --git a/server/request.c b/server/request.c | ||
21 | index d5c558a..18625af 100644 | ||
22 | --- a/server/request.c | ||
23 | +++ b/server/request.c | ||
24 | @@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) | ||
25 | |||
26 | cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r); | ||
27 | cached = (cache->cached != NULL); | ||
28 | - entry_uri = r->uri; | ||
29 | + | ||
30 | + /* | ||
31 | + * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri | ||
32 | + * have not been merged. But for Location walks we always go with merged | ||
33 | + * slashes no matter what merge_slashes is set to. | ||
34 | + */ | ||
35 | + if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) { | ||
36 | + entry_uri = r->uri; | ||
37 | + } | ||
38 | + else { | ||
39 | + char *uri = apr_pstrdup(r->pool, r->uri); | ||
40 | + ap_no2slash(uri); | ||
41 | + entry_uri = uri; | ||
42 | + } | ||
43 | |||
44 | /* If we have an cache->cached location that matches r->uri, | ||
45 | * and the vhost's list of locations hasn't changed, we can skip | ||
46 | @@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) | ||
47 | pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t)); | ||
48 | } | ||
49 | |||
50 | - if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) { | ||
51 | + if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) { | ||
52 | continue; | ||
53 | } | ||
54 | |||
55 | @@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r) | ||
56 | apr_table_setn(r->subprocess_env, | ||
57 | ((const char **)entry_core->refs->elts)[i], | ||
58 | apr_pstrndup(r->pool, | ||
59 | - entry_uri + pmatch[i].rm_so, | ||
60 | + r->uri + pmatch[i].rm_so, | ||
61 | pmatch[i].rm_eo - pmatch[i].rm_so)); | ||
62 | } | ||
63 | } | ||
64 | -- | ||
65 | 2.7.4 | ||
66 | |||
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.48.bb index 4fc1f1631..7af824dd1 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.48.bb | |||
@@ -15,11 +15,6 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \ | |||
15 | file://0007-apache2-allow-to-disable-selinux-support.patch \ | 15 | file://0007-apache2-allow-to-disable-selinux-support.patch \ |
16 | file://apache-configure_perlbin.patch \ | 16 | file://apache-configure_perlbin.patch \ |
17 | file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \ | 17 | file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \ |
18 | file://CVE-2020-13950.patch \ | ||
19 | file://CVE-2020-35452.patch \ | ||
20 | file://CVE-2021-26690.patch \ | ||
21 | file://CVE-2021-26691.patch \ | ||
22 | file://CVE-2021-30641.patch \ | ||
23 | " | 18 | " |
24 | 19 | ||
25 | SRC_URI_append_class-target = " \ | 20 | SRC_URI_append_class-target = " \ |
@@ -31,8 +26,8 @@ SRC_URI_append_class-target = " \ | |||
31 | " | 26 | " |
32 | 27 | ||
33 | LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" | 28 | LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3" |
34 | SRC_URI[md5sum] = "7d661ea5e736dac5e2761d9f49fe8361" | 29 | SRC_URI[md5sum] = "a7088cec171b0d00bf43394ce64d3909" |
35 | SRC_URI[sha256sum] = "740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea" | 30 | SRC_URI[sha256sum] = "1bc826e7b2e88108c7e4bf43c026636f77a41d849cfb667aa7b5c0b86dbf966c" |
36 | 31 | ||
37 | S = "${WORKDIR}/httpd-${PV}" | 32 | S = "${WORKDIR}/httpd-${PV}" |
38 | 33 | ||