Commit 95f01242, authored 1 year ago by CentOS Sources

import httpd-2.4.37-56.module+el8.8.0+18556+a66138c1.4

Parent: 4e835117

Changes: 3 changed files, with 118 additions and 15 deletions

README.debrand: 0 additions, 2 deletions
SOURCES/httpd-2.4.37-add-SNI-support.patch: 92 additions, 0 deletions
SPECS/httpd.spec: 26 additions, 13 deletions

README.debrand (deleted, 100644 → 0, +0 −2, file @ 4e835117)
Warning: This package was configured for automatic debranding, but the changes
failed to apply.

SOURCES/httpd-2.4.37-add-SNI-support.patch (new file, 0 → 100644, +92 −0, file @ 95f01242)
commit 4c0e27d7bfbf46f14dfbd5d888e56c64ad8c8de5
Author: Tomas Korbar <tkorbar@redhat.com>
Date: Mon Sep 19 13:22:27 2022 +0200
Backport refactor of SNI support to httpd-2.4.37
diff --git a/modules/http2/mod_proxy_http2.c b/modules/http2/mod_proxy_http2.c
index a7e0dcd..31ccd32 100644
--- a/modules/http2/mod_proxy_http2.c
+++ b/modules/http2/mod_proxy_http2.c
@@ -591,16 +591,6 @@
run_connect:
}
if (!ctx->p_conn->data) {
- /* New conection: set a note on the connection what CN is
- * requested and what protocol we want */
- if (ctx->p_conn->ssl_hostname) {
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, status, ctx->owner,
- "set SNI to %s for (%s)",
- ctx->p_conn->ssl_hostname,
- ctx->p_conn->hostname);
- apr_table_setn(ctx->p_conn->connection->notes,
- "proxy-request-hostname", ctx->p_conn->ssl_hostname);
- }
if (ctx->is_ssl) {
apr_table_setn(ctx->p_conn->connection->notes,
"proxy-request-alpn-protos", "h2");
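Review bot: with the SNI block removed, the `if (!ctx->p_conn->data)` branch under run_connect still sets "proxy-request-alpn-protos" but no longer shows where "proxy-request-hostname" comes from. A one-line comment here pointing at proxy_connection_create() in proxy_util.c, which now sets that note, would keep the two connection notes discoverable from this function.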
diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
index 1b7bb81..c1c591a 100644
--- a/modules/proxy/mod_proxy_http.c
+++ b/modules/proxy/mod_proxy_http.c
@@ -2111,19 +2111,6 @@
static int proxy_http_handler(request_rec *r, proxy_worker *worker,
req->origin->keepalive = AP_CONN_CLOSE;
}
- /*
- * On SSL connections set a note on the connection what CN is
- * requested, such that mod_ssl can check if it is requested to do
- * so.
- *
- * https://github.com/apache/httpd/commit/7d272e2628b4ae05f68cdc74b070707250896a34
- */
- if (backend->ssl_hostname) {
- apr_table_setn(backend->connection->notes,
- "proxy-request-hostname",
- backend->ssl_hostname);
- }
-
/* Step Four: Send the Request
* On the off-chance that we forced a 100-Continue as a
* kinda HTTP ping test, allow for retries
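Review bot: the comment removed from proxy_http_handler() carried the only pointer to the upstream change (https://github.com/apache/httpd/commit/7d272e2628b4ae05f68cdc74b070707250896a34), and the replacement comment added in proxy_util.c does not repeat it. Since the patch header says only "Backport refactor of SNI support to httpd-2.4.37", please name the upstream revision being backported there so the provenance is not lost.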
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
index ec9a414..805820d 100644
--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -3261,6 +3261,16 @@
static int proxy_connection_create(const char *proxy_function,
backend_addr, conn->hostname);
return HTTP_INTERNAL_SERVER_ERROR;
}
+ if (conn->ssl_hostname) {
+ /* Set a note on the connection about what CN is requested,
+ * such that mod_ssl can check if it is requested to do so.
+ */
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, conn->connection,
+ "%s: set SNI to %s for (%s)", proxy_function,
+ conn->ssl_hostname, conn->hostname);
+ apr_table_setn(conn->connection->notes, "proxy-request-hostname",
+ conn->ssl_hostname);
+ }
}
else {
/* TODO: See if this will break FTP */
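Review bot: `apr_table_setn(conn->connection->notes, "proxy-request-hostname", conn->ssl_hostname)` stores the pointer without copying it, and the ssl_engine_io.c hunks in this patch stop unsetting the note, so the string now has to stay valid for as long as conn->connection exists. Please confirm conn->ssl_hostname is allocated from a pool that outlives the connection, or use apr_table_set() so the value is copied into the table's pool.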
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 4e3875a..9b4280c 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1273,7 +1273,6 @@
static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
((dc->proxy->ssl_check_peer_cn != FALSE) ||
(dc->proxy->ssl_check_peer_name == TRUE)) &&
hostname_note) {
- apr_table_unset(c->notes, "proxy-request-hostname");
if (!cert
|| modssl_X509_match_name(c->pool, cert, hostname_note,
TRUE, server) == FALSE) {
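Review bot: dropping `apr_table_unset(c->notes, "proxy-request-hostname")` ahead of the modssl_X509_match_name() check turns the note from a one-shot value into one that stays in c->notes after the handshake, and neither this hunk nor the patch description says why. A comment here, or a sentence in the patch header, stating that the note is now set once in proxy_connection_create() and is expected to persist would make the change reviewable.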
@@ -1290,7 +1289,6 @@
static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
hostname = ssl_var_lookup(NULL, server, c, NULL,
"SSL_CLIENT_S_DN_CN");
- apr_table_unset(c->notes, "proxy-request-hostname");
/* Do string match or simplest wildcard match if that
* fails. */
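Review bot: this second removal is in the branch that compares against SSL_CLIENT_S_DN_CN, so after the patch neither the modssl_X509_match_name() path nor the CN comparison path clears the note, and the patch adds no test for either. A regression test that drives a proxied TLS handshake through each of the two paths would show that the note is still read correctly in both.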

SPECS/httpd.spec (+26 −13, file @ 95f01242)
@@ -13,7 +13,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.4.37
Release: 5
1
%{?dist}.
5
Release: 5
6
%{?dist}.
4
URL: https://httpd.apache.org/
Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
Source2: httpd.logrotate
@@ -163,6 +163,8 @@ Patch88: httpd-2.4.37-r1845768+.patch
Patch89: httpd-2.4.37-r1862410.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1984828
Patch90: httpd-2.4.37-hcheck-mem-issues.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2017543
Patch91: httpd-2.4.37-add-SNI-support.patch
# Security fixes
Patch200: httpd-2.4.37-r1851471.patch
@@ -263,7 +265,7 @@ Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa}
Requires: httpd-tools = %{version}-%{release}
Requires: httpd-filesystem = %{version}-%{release}
Requires: mod_http2
Requires: mod_http2
>= 1.15.7-5
Requires(pre): httpd-filesystem
Requires(preun): systemd-units
Requires(postun): systemd-units
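Review bot: the new `>= 1.15.7-5` bound on `Requires: mod_http2` has no comment saying what it is tied to, while the Patch entries in this spec carry a bug URL above them. The changelog's 2.4.37-54 entry (#2095650, "Dependency from mod_http2 on httpd broken") looks like the reason; if so, a comment with that reference above the line would document it.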
@@ -327,7 +329,7 @@ Epoch: 1
BuildRequires: openssl-devel
Requires(pre): httpd-filesystem
Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa}
Requires: sscg >=
2.2.0
Requires: sscg >=
3.0.0-7, /usr/bin/hostname
Obsoletes: stronghold-mod_ssl
# Require an OpenSSL which supports PROFILE=SYSTEM
Conflicts: openssl-libs < 1:1.0.1h-4
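Review bot: `Requires: sscg >= 3.0.0-7, /usr/bin/hostname` puts two unrelated dependencies on one line with no explanation, unlike the `Conflicts: openssl-libs` line below it, which has a comment. Splitting them into separate Requires lines with the reason for each would help; the changelog entries for 2.4.37-53 (#2050888, hostname command) and 2.4.37-55 (#2155961, sscg creating /dhparams.pem) appear to be the matching bugs.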
@@ -426,6 +428,7 @@ interface for storing and accessing per-user session data.
%patch88 -p1 -b .r1845768+
%patch89 -p1 -b .r1862410
%patch90 -p1 -b .hcheck-mem-issues
%patch91 -p1 -b .SNI
%patch200 -p1 -b .r1851471
%patch201 -p1 -b .CVE-2019-0211
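Review bot: `%patch91 -p1 -b .SNI` departs from the convention the neighbouring lines follow, where the backup suffix mirrors the patch file name (`.r1862410`, `.hcheck-mem-issues`). Using `-b .add-SNI-support` would match httpd-2.4.37-add-SNI-support.patch.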
@@ -971,21 +974,31 @@ rm -rf $RPM_BUILD_ROOT
%{_rpmconfigdir}/macros.d/macros.httpd
%changelog
* Thu Apr 06 2023 CentOS Sources <bugs@centos.org> - 2.4.37-51.el8.centos.5
- Apply debranding changes
* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-51.5
- Resolves: #2177747 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
* Sat Mar 18 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56.4
- Resolves: #2177748 - CVE-2023-25690 httpd:2.4/httpd: HTTP request splitting
with mod_rewrite and mod_proxy
* Tue Jan 31 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-51.1
- Resolves: #2165967 - prevent sscg creating /dhparams.pem
- Resolves: #2165976 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write
* Tue Jan 31 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-56
- Resolves: #2162499 - CVE-2006-20001 httpd: mod_dav: out-of-bounds read/write
of zero byte
- Resolves: #216
5977
- CVE-2022-37436 httpd: mod_proxy: HTTP response splitting
- Resolves: #216
5978
- CVE-2022-36760 httpd: mod_proxy_ajp: Possible request
- Resolves: #216
2485
- CVE-2022-37436 httpd: mod_proxy: HTTP response splitting
- Resolves: #216
2509
- CVE-2022-36760 httpd: mod_proxy_ajp: Possible request
smuggling
* Thu Jan 26 2023 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-55
- Resolves: #2155961 - prevent sscg creating /dhparams.pem
* Thu Dec 08 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-54
- Resolves: #2095650 - Dependency from mod_http2 on httpd broken
* Wed Nov 09 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-53
- Resolves: #2050888 - httpd with SSL fails to start unless hostname command
was installed
* Mon Sep 19 2022 Tomas Korbar <tkorbar@redhat.com> - 2.4.37-52
- Add the SNI support in mod_proxy_wstunnel module for Apache httpd
- Resolves: rhbz#2017543
* Mon Jul 25 2022 Luboš Uhliarik <luhliari@redhat.com> - 2.4.37-51
- Resolves: #2097015 - CVE-2022-28614 httpd:2.4/httpd: out-of-bounds read via
ap_rwrite()
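Review bot: the 2.4.37-52 entry reads "Add the SNI support in mod_proxy_wstunnel module", but httpd-2.4.37-add-SNI-support.patch as shown touches mod_proxy_http2.c, mod_proxy_http.c, proxy_util.c and ssl_engine_io.c and has no mod_proxy_wstunnel hunk. Rewording the entry to say that the "proxy-request-hostname" note is now set in proxy_connection_create() would describe the change that was actually made.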