apache2: upgrade 2.4.46 -> 2.4.48

Source: https://git.openembedded.org/meta-openembedded https://git.openembedded.org/meta-openembedded MR: 112869, 112835, 105131, 112702, 112829 Type: Security Fix Disposition: Backport from https://git.openembedded.org/meta-openembedded/commit/meta-webserver/recipes-httpd/apache2?id=ba016d73b5233a43ec6e398b45445d13ddaad745 ChangeID: f3ac0bc1005c94a694573b823c8f3f7d4a15360c Description: Apache2 2.4.x is an LTS version with bug and CVE fixes. https://downloads.apache.org/httpd/CHANGES_2.4.48 Includes these CVE fixes: 2.4.48 CVE-2021-31618 2.4.47 CVE-2020-13938 CVE-2020-11985 CVE-2021-33193 CVE-2019-17567 Drop these patches included in update: CVE-2020-13950.patch CVE-2020-35452.patch CVE-2021-26690.patch CVE-2021-26691.patch CVE-2021-30641.patch Signed-off-by: Changqing Li <changqing.li@windriver.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit ba016d73b5233a43ec6e398b45445d13ddaad745) Signed-off-by: Armin Kuster <akuster@mvista.com>
author: Changqing Li <changqing.li@windriver.com> 2021-08-02 10:09:22 +0800
committer: Armin Kuster <akuster808@gmail.com> 2021-09-02 18:24:53 -0700
commit: ca550956aa919fb7f76c21c88676102902fbeec5 (patch)
tree: 57574b881fc9aabd58bd02f8710e7ce3b8d1b288
parent: b9fe34b1ad280d1ae7f8bc684715d2d1529c60fa (diff)
download: meta-openembedded-ca550956aa919fb7f76c21c88676102902fbeec5.tar.gz
6 files changed, 2 insertions, 241 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch
deleted file mode 100644
index 4eb6b85b1..000000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001
-From: Yann Ylavic <ylavic@apache.org>
-Date: Mon, 11 May 2015 15:48:58 +0000
-Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection
- may be NULL during prefetch, don't try to dereference it! Still
- origin->keepalive will be set according to p_conn->close by the caller
- (proxy_http_handler).
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68
-Upstream-Status: Backport
-CVE: CVE-2020-35504
-Reference to upstream patch:
-https://bugzilla.redhat.com/show_bug.cgi?id=1966738
-https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b
-Signed-off-by: Li Wang <li.wang@windriver.com>
---
- modules/proxy/mod_proxy_http.c | 2 --
- 1 file changed, 2 deletions(-)
-diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
-index ec1e042..5f507d5 100644
--- a/modules/proxy/mod_proxy_http.c
-+++ b/modules/proxy/mod_proxy_http.c
-@@ -570,7 +570,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
-     apr_off_t bytes;
-     int force10, rv;
-     apr_read_type_e block;
-    conn_rec *origin = p_conn->connection;
- 
-     if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
-         if (req->expecting_100) {
-@@ -630,7 +629,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
-                       "chunked body with Content-Length (C-L ignored)",
-                       c->client_ip, c->remote_host ? c->remote_host: "");
-         req->old_cl_val = NULL;
-        origin->keepalive = AP_CONN_CLOSE;
-         p_conn->close = 1;
-     }
- 
-- 
-2.7.4
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch
deleted file mode 100644
index 001ca9252..000000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001
-From: Yann Ylavic <ylavic@apache.org>
-Date: Mon, 18 Jan 2021 17:39:12 +0000
-Subject: [PATCH] Merge r1885659 from trunk:
-mod_auth_digest: Fast validation of the nonce's base64 to fail early if
-                 the format can't match anyway.
-Submitted by: ylavic
-Reviewed by: ylavic, covener, jailletc36
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68
-Upstream-Status: Backport
-CVE: CVE-2020-35452
-Reference to upstream patch:
-https://security-tracker.debian.org/tracker/CVE-2020-35452
-https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b
-Signed-off-by: Li Wang <li.wang@windriver.com>
---
- modules/aaa/mod_auth_digest.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
-index b760941..0825b1b 100644
--- a/modules/aaa/mod_auth_digest.c
-+++ b/modules/aaa/mod_auth_digest.c
-@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec *r, digest_header_rec *resp,
-     time_rec nonce_time;
-     char tmp, hash[NONCE_HASH_LEN+1];
- 
-    if (strlen(resp->nonce) != NONCE_LEN) {
-+    /* Since the time part of the nonce is a base64 encoding of an
-+     * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
-+     */
-+    if (strlen(resp->nonce) != NONCE_LEN
-+            || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
-         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
-                      "invalid nonce %s received - length is not %d",
-+                      "invalid nonce '%s' received - length is not %d "
-+                      "or time encoding is incorrect",
-                       resp->nonce, NONCE_LEN);
-         note_digest_auth_failure(r, conf, resp, 1);
-         return HTTP_UNAUTHORIZED;
-- 
-2.7.4
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
deleted file mode 100644
index d3aea9e12..000000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001
-From: Yann Ylavic <ylavic@apache.org>
-Date: Mon, 1 Mar 2021 20:07:08 +0000
-Subject: [PATCH] mod_session: save one apr_strtok() in
- session_identity_decode().
-When the encoding is invalid (missing '='), no need to parse further.
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68
-Upstream-Status: Backport
-CVE: CVE-2021-26690
-Reference to upstream patch:
-https://security-tracker.debian.org/tracker/CVE-2021-26690
-https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8
-Signed-off-by: Li Wang <li.wang@windriver.com>
---
- modules/session/mod_session.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
-index ebd05b0..af70f6b 100644
--- a/modules/session/mod_session.c
-+++ b/modules/session/mod_session.c
-@@ -404,8 +404,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z)
-         char *plast = NULL;
-         const char *psep = "=";
-         char *key = apr_strtok(pair, psep, &plast);
-        char *val = apr_strtok(NULL, psep, &plast);
-         if (key && *key) {
-+            char *val = apr_strtok(NULL, sep, &plast);
-             if (!val || !*val) {
-                 apr_table_unset(z->entries, key);
-             }
-- 
-2.7.4
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch
deleted file mode 100644
index f9cf868d0..000000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001
-From: Yann Ylavic <ylavic@apache.org>
-Date: Mon, 1 Mar 2021 20:13:54 +0000
-Subject: [PATCH] mod_session: account for the '&' in identity_concat().
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68
-Upstream-Status: Backport
-CVE: CVE-2021-26691
-Reference to upstream patch:
-https://bugzilla.redhat.com/show_bug.cgi?id=1966732
-https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b
-Signed-off-by: Li Wang <li.wang@windriver.com>
---
- modules/session/mod_session.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
-index 7ee477c..ebd05b0 100644
--- a/modules/session/mod_session.c
-+++ b/modules/session/mod_session.c
-@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
- static int identity_count(void *v, const char *key, const char *val)
- {
-     int *count = v;
-    *count += strlen(key) * 3 + strlen(val) * 3 + 1;
-+    *count += strlen(key) * 3 + strlen(val) * 3 + 2;
-     return 1;
- }
- 
-- 
-2.7.4
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch
deleted file mode 100644
index 7f74c85e3..000000000
--- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch
+++ /dev/null
@@ -1,66 +0,0 @@
-From 6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3 Mon Sep 17 00:00:00 2001
-From: Eric Covener <covener@apache.org>
-Date: Wed, 21 Apr 2021 01:02:11 +0000
-Subject: [PATCH] legacy default slash-matching behavior w/ 'MergeSlashes OFF'
-git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889036 13f79535-47bb-0310-9956-ffa450edef68
-Upstream-Status: Backport
-CVE: CVE-2021-30641
-Reference to upstream patch:
-https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
-https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3
-Signed-off-by: Li Wang <li.wang@windriver.com>
---
- server/request.c | 19 ++++++++++++++++---
- 1 file changed, 16 insertions(+), 3 deletions(-)
-diff --git a/server/request.c b/server/request.c
-index d5c558a..18625af 100644
--- a/server/request.c
-+++ b/server/request.c
-@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
- 
-     cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
-     cached = (cache->cached != NULL);
-    entry_uri = r->uri;
-+
-+   /*
-+    * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
-+    * have not been merged. But for Location walks we always go with merged
-+    * slashes no matter what merge_slashes is set to.
-+    */
-+    if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
-+        entry_uri = r->uri;
-+    }
-+    else {
-+        char *uri = apr_pstrdup(r->pool, r->uri);
-+        ap_no2slash(uri);
-+        entry_uri = uri;
-+    }
- 
-     /* If we have an cache->cached location that matches r->uri,
-      * and the vhost's list of locations hasn't changed, we can skip
-@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
-                     pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
-                 }
- 
-                if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
-+                if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
-                     continue;
-                 }
- 
-@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
-                         apr_table_setn(r->subprocess_env,
-                                        ((const char **)entry_core->refs->elts)[i],
-                                        apr_pstrndup(r->pool,
-                                       entry_uri + pmatch[i].rm_so,
-+                                       r->uri + pmatch[i].rm_so,
-                                        pmatch[i].rm_eo - pmatch[i].rm_so));
-                     }
-                 }
-- 
-2.7.4
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.48.bb
index 4fc1f1631..7af824dd1 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.48.bb
@@ -15,11 +15,6 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
           file://0007-apache2-allow-to-disable-selinux-support.patch \
           file://apache-configure_perlbin.patch \
           file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \
-           file://CVE-2020-13950.patch \
-           file://CVE-2020-35452.patch \
-           file://CVE-2021-26690.patch \
-           file://CVE-2021-26691.patch \
-           file://CVE-2021-30641.patch \
          "
 SRC_URI_append_class-target = " \
@@ -31,8 +26,8 @@ SRC_URI_append_class-target = " \
           "
 LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"
-SRC_URI[md5sum] = "7d661ea5e736dac5e2761d9f49fe8361"
+SRC_URI[md5sum] = "a7088cec171b0d00bf43394ce64d3909"
-SRC_URI[sha256sum] = "740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea"
+SRC_URI[sha256sum] = "1bc826e7b2e88108c7e4bf43c026636f77a41d849cfb667aa7b5c0b86dbf966c"
 S = "${WORKDIR}/httpd-${PV}"
author	Changqing Li <changqing.li@windriver.com>	2021-08-02 10:09:22 +0800
committer	Armin Kuster <akuster808@gmail.com>	2021-09-02 18:24:53 -0700
commit	ca550956aa919fb7f76c21c88676102902fbeec5 (patch)
tree	57574b881fc9aabd58bd02f8710e7ce3b8d1b288
parent	b9fe34b1ad280d1ae7f8bc684715d2d1529c60fa (diff)
download	meta-openembedded-ca550956aa919fb7f76c21c88676102902fbeec5.tar.gz

diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch deleted file mode 100644 index 4eb6b85b1..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-13950.patch +++ /dev/null
@@ -1,45 +0,0 @@
1	From 8c162db8b65b2193e622b780e8c6516d4265f68b Mon Sep 17 00:00:00 2001
2	From: Yann Ylavic <ylavic@apache.org>
3	Date: Mon, 11 May 2015 15:48:58 +0000
4	Subject: [PATCH] mod_proxy_http: follow up to r1656259. The proxy connection
5	may be NULL during prefetch, don't try to dereference it! Still
6	origin->keepalive will be set according to p_conn->close by the caller
7	(proxy_http_handler).
8
9	git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1678771 13f79535-47bb-0310-9956-ffa450edef68
10
11	Upstream-Status: Backport
12	CVE: CVE-2020-35504
13
14	Reference to upstream patch:
15	https://bugzilla.redhat.com/show_bug.cgi?id=1966738
16	https://github.com/apache/httpd/commit/8c162db8b65b2193e622b780e8c6516d4265f68b
17
18	Signed-off-by: Li Wang <li.wang@windriver.com>
19	---
20	modules/proxy/mod_proxy_http.c \| 2 --
21	1 file changed, 2 deletions(-)
22
23	diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
24	index ec1e042..5f507d5 100644
25	--- a/modules/proxy/mod_proxy_http.c
26	+++ b/modules/proxy/mod_proxy_http.c
27	@@ -570,7 +570,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
28	apr_off_t bytes;
29	int force10, rv;
30	apr_read_type_e block;
31	- conn_rec *origin = p_conn->connection;
32
33	if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
34	if (req->expecting_100) {
35	@@ -630,7 +629,6 @@ static int ap_proxy_http_prefetch(proxy_http_req_t *req,
36	"chunked body with Content-Length (C-L ignored)",
37	c->client_ip, c->remote_host ? c->remote_host: "");
38	req->old_cl_val = NULL;
39	- origin->keepalive = AP_CONN_CLOSE;
40	p_conn->close = 1;
41	}
42
43	--
44	2.7.4
45


diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch deleted file mode 100644 index 001ca9252..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2020-35452.patch +++ /dev/null
@@ -1,49 +0,0 @@
1	From 3b6431eb9c9dba603385f70a2131ab4a01bf0d3b Mon Sep 17 00:00:00 2001
2	From: Yann Ylavic <ylavic@apache.org>
3	Date: Mon, 18 Jan 2021 17:39:12 +0000
4	Subject: [PATCH] Merge r1885659 from trunk:
5
6	mod_auth_digest: Fast validation of the nonce's base64 to fail early if
7	the format can't match anyway.
8
9	Submitted by: ylavic
10	Reviewed by: ylavic, covener, jailletc36
11
12	git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1885666 13f79535-47bb-0310-9956-ffa450edef68
13
14	Upstream-Status: Backport
15	CVE: CVE-2020-35452
16
17	Reference to upstream patch:
18	https://security-tracker.debian.org/tracker/CVE-2020-35452
19	https://github.com/apache/httpd/commit/3b6431eb9c9dba603385f70a2131ab4a01bf0d3b
20
21	Signed-off-by: Li Wang <li.wang@windriver.com>
22	---
23	modules/aaa/mod_auth_digest.c \| 9 +++++++--
24	1 file changed, 7 insertions(+), 2 deletions(-)
25
26	diff --git a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c
27	index b760941..0825b1b 100644
28	--- a/modules/aaa/mod_auth_digest.c
29	+++ b/modules/aaa/mod_auth_digest.c
30	@@ -1422,9 +1422,14 @@ static int check_nonce(request_rec r, digest_header_rec resp,
31	time_rec nonce_time;
32	char tmp, hash[NONCE_HASH_LEN+1];
33
34	- if (strlen(resp->nonce) != NONCE_LEN) {
35	+ /* Since the time part of the nonce is a base64 encoding of an
36	+ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
37	+ */
38	+ if (strlen(resp->nonce) != NONCE_LEN
39	+ \|\| resp->nonce[NONCE_TIME_LEN - 1] != '=') {
40	ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
41	- "invalid nonce %s received - length is not %d",
42	+ "invalid nonce '%s' received - length is not %d "
43	+ "or time encoding is incorrect",
44	resp->nonce, NONCE_LEN);
45	note_digest_auth_failure(r, conf, resp, 1);
46	return HTTP_UNAUTHORIZED;
47	--
48	2.7.4
49


diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch deleted file mode 100644 index d3aea9e12..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26690.patch +++ /dev/null
@@ -1,39 +0,0 @@
1	From 67bd9bfe6c38831e14fe7122f1d84391472498f8 Mon Sep 17 00:00:00 2001
2	From: Yann Ylavic <ylavic@apache.org>
3	Date: Mon, 1 Mar 2021 20:07:08 +0000
4	Subject: [PATCH] mod_session: save one apr_strtok() in
5	session_identity_decode().
6
7	When the encoding is invalid (missing '='), no need to parse further.
8
9	git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887050 13f79535-47bb-0310-9956-ffa450edef68
10
11	Upstream-Status: Backport
12	CVE: CVE-2021-26690
13
14	Reference to upstream patch:
15	https://security-tracker.debian.org/tracker/CVE-2021-26690
16	https://github.com/apache/httpd/commit/67bd9bfe6c38831e14fe7122f1d84391472498f8
17
18	Signed-off-by: Li Wang <li.wang@windriver.com>
19	---
20	modules/session/mod_session.c \| 2 +-
21	1 file changed, 1 insertion(+), 1 deletion(-)
22
23	diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
24	index ebd05b0..af70f6b 100644
25	--- a/modules/session/mod_session.c
26	+++ b/modules/session/mod_session.c
27	@@ -404,8 +404,8 @@ static apr_status_t session_identity_decode(request_rec * r, session_rec * z)
28	char *plast = NULL;
29	const char *psep = "=";
30	char *key = apr_strtok(pair, psep, &plast);
31	- char *val = apr_strtok(NULL, psep, &plast);
32	if (key && *key) {
33	+ char *val = apr_strtok(NULL, sep, &plast);
34	if (!val \|\| !*val) {
35	apr_table_unset(z->entries, key);
36	}
37	--
38	2.7.4
39


diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch deleted file mode 100644 index f9cf868d0..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-26691.patch +++ /dev/null
@@ -1,35 +0,0 @@
1	From 7e09dd714fc62c08c5b0319ed7b9702594faf49b Mon Sep 17 00:00:00 2001
2	From: Yann Ylavic <ylavic@apache.org>
3	Date: Mon, 1 Mar 2021 20:13:54 +0000
4	Subject: [PATCH] mod_session: account for the '&' in identity_concat().
5
6	git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1887052 13f79535-47bb-0310-9956-ffa450edef68
7
8	Upstream-Status: Backport
9	CVE: CVE-2021-26691
10
11	Reference to upstream patch:
12	https://bugzilla.redhat.com/show_bug.cgi?id=1966732
13	https://github.com/apache/httpd/commit/7e09dd714fc62c08c5b0319ed7b9702594faf49b
14
15	Signed-off-by: Li Wang <li.wang@windriver.com>
16	---
17	modules/session/mod_session.c \| 2 +-
18	1 file changed, 1 insertion(+), 1 deletion(-)
19
20	diff --git a/modules/session/mod_session.c b/modules/session/mod_session.c
21	index 7ee477c..ebd05b0 100644
22	--- a/modules/session/mod_session.c
23	+++ b/modules/session/mod_session.c
24	@@ -317,7 +317,7 @@ static apr_status_t ap_session_set(request_rec * r, session_rec * z,
25	static int identity_count(void v, const char key, const char *val)
26	{
27	int *count = v;
28	- count += strlen(key) 3 + strlen(val) * 3 + 1;
29	+ count += strlen(key) 3 + strlen(val) * 3 + 2;
30	return 1;
31	}
32
33	--
34	2.7.4
35


diff --git a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch b/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch deleted file mode 100644 index 7f74c85e3..000000000 --- a/meta-webserver/recipes-httpd/apache2/apache2/CVE-2021-30641.patch +++ /dev/null
@@ -1,66 +0,0 @@
1	From 6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3 Mon Sep 17 00:00:00 2001
2	From: Eric Covener <covener@apache.org>
3	Date: Wed, 21 Apr 2021 01:02:11 +0000
4	Subject: [PATCH] legacy default slash-matching behavior w/ 'MergeSlashes OFF'
5
6	git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1889036 13f79535-47bb-0310-9956-ffa450edef68
7
8	Upstream-Status: Backport
9	CVE: CVE-2021-30641
10
11	Reference to upstream patch:
12	https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
13	https://github.com/apache/httpd/commit/6141d5aa3f5cf8f1b89472e7fdb66578810d0ae3
14
15	Signed-off-by: Li Wang <li.wang@windriver.com>
16	---
17	server/request.c \| 19 ++++++++++++++++---
18	1 file changed, 16 insertions(+), 3 deletions(-)
19
20	diff --git a/server/request.c b/server/request.c
21	index d5c558a..18625af 100644
22	--- a/server/request.c
23	+++ b/server/request.c
24	@@ -1419,7 +1419,20 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
25
26	cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
27	cached = (cache->cached != NULL);
28	- entry_uri = r->uri;
29	+
30	+ /*
31	+ * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
32	+ * have not been merged. But for Location walks we always go with merged
33	+ * slashes no matter what merge_slashes is set to.
34	+ */
35	+ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
36	+ entry_uri = r->uri;
37	+ }
38	+ else {
39	+ char *uri = apr_pstrdup(r->pool, r->uri);
40	+ ap_no2slash(uri);
41	+ entry_uri = uri;
42	+ }
43
44	/* If we have an cache->cached location that matches r->uri,
45	* and the vhost's list of locations hasn't changed, we can skip
46	@@ -1486,7 +1499,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
47	pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
48	}
49
50	- if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
51	+ if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
52	continue;
53	}
54
55	@@ -1496,7 +1509,7 @@ AP_DECLARE(int) ap_location_walk(request_rec *r)
56	apr_table_setn(r->subprocess_env,
57	((const char **)entry_core->refs->elts)[i],
58	apr_pstrndup(r->pool,
59	- entry_uri + pmatch[i].rm_so,
60	+ r->uri + pmatch[i].rm_so,
61	pmatch[i].rm_eo - pmatch[i].rm_so));
62	}
63	}
64	--
65	2.7.4
66


diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.48.bb index 4fc1f1631..7af824dd1 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.46.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.48.bb
@@ -15,11 +15,6 @@ SRC_URI = "${APACHE_MIRROR}/httpd/httpd-${PV}.tar.bz2 \
15	file://0007-apache2-allow-to-disable-selinux-support.patch \	15	file://0007-apache2-allow-to-disable-selinux-support.patch \
16	file://apache-configure_perlbin.patch \	16	file://apache-configure_perlbin.patch \
17	file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \	17	file://0001-support-apxs.in-force-destdir-to-be-empty-string.patch \
18	file://CVE-2020-13950.patch \
19	file://CVE-2020-35452.patch \
20	file://CVE-2021-26690.patch \
21	file://CVE-2021-26691.patch \
22	file://CVE-2021-30641.patch \
23	"	18	"
24		19
25	SRC_URI_append_class-target = " \	20	SRC_URI_append_class-target = " \
@@ -31,8 +26,8 @@ SRC_URI_append_class-target = " \
31	"	26	"
32		27
33	LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"	28	LIC_FILES_CHKSUM = "file://LICENSE;md5=bddeddfac80b2c9a882241d008bb41c3"
34	SRC_URI[md5sum] = "7d661ea5e736dac5e2761d9f49fe8361"	29	SRC_URI[md5sum] = "a7088cec171b0d00bf43394ce64d3909"
35	SRC_URI[sha256sum] = "740eddf6e1c641992b22359cabc66e6325868c3c5e2e3f98faf349b61ecf41ea"	30	SRC_URI[sha256sum] = "1bc826e7b2e88108c7e4bf43c026636f77a41d849cfb667aa7b5c0b86dbf966c"
36		31
37	S = "${WORKDIR}/httpd-${PV}"	32	S = "${WORKDIR}/httpd-${PV}"
38		33