import httpd-2.4.37-12.module+el8.0.0+4096+eb40e6da

f45152a5 · CentOS Sources · b2bd2280 · f45152a5 · f45152a5 · b2bd2280
Commit f45152a5 authored 5 years ago by CentOS Sources
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,3 @@ SOURCES/htcacheclean.service.xml
 SOURCES/httpd-2.4.37.tar.bz2
 SOURCES/httpd.conf.xml
 SOURCES/httpd.service.xml
-SOURCES/centos-noindex-8.0.tar.gz
--- a/.httpd.metadata
+++ b/.httpd.metadata
@@ -2,4 +2,3 @@ a34c31169efbe6140496c37801489610461bdf9b SOURCES/htcacheclean.service.xml
 4a38471de821288b0300148016f2b03dfee8adf2 SOURCES/httpd-2.4.37.tar.bz2
 fa18caadd0afbddc2c7a7fc404bf4f2b41867148 SOURCES/httpd.conf.xml
 888df830bdc465de3bced6f075c33380018e544f SOURCES/httpd.service.xml
-6aa65f45c247226fc922c455e0187abd90c839e8 SOURCES/centos-noindex-8.0.tar.gz
--- a/README.debrand
+++ b/README.debrand
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
--- a/SOURCES/httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch
+++ b/SOURCES/httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch
+diff --git a/server/mpm/event/event.c b/server/mpm/event/event.c
+index 16e39be..2543693 100644
+--- a/server/mpm/event/event.c
+++ b/server/mpm/event/event.c
+@@ -1111,10 +1111,11 @@ read_request:
+                           "network write failure in core output filter");
+             cs->pub.state = CONN_STATE_LINGER;
+         }
+-        else if (c->data_in_output_filters) {
+        else if (c->data_in_output_filters ||
+                 cs->pub.sense == CONN_SENSE_WANT_READ) {
+             /* Still in WRITE_COMPLETION_STATE:
+-             * Set a write timeout for this connection, and let the
+-             * event thread poll for writeability.
+             * Set a read/write timeout for this connection, and let the
+             * event thread poll for read/writeability.
+              */
+             cs->queue_timestamp = apr_time_now();
+             notify_suspend(cs);
--- a/SOURCES/index.html
+++ b/SOURCES/index.html
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
+
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+	<head>
+		<title>Test Page for the Apache HTTP Server on Red Hat Enterprise Linux</title>
+		<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+		<style type="text/css">
+			/*<![CDATA[*/
+			body {
+				background-color: #fff;
+				color: #000;
+				font-size: 0.9em;
+				font-family: sans-serif,helvetica;
+				margin: 0;
+				padding: 0;
+			}
+			:link {
+				color: #c00;
+			}
+			:visited {
+				color: #c00;
+			}
+			a:hover {
+				color: #f50;
+			}
+			h1 {
+				text-align: center;
+				margin: 0;
+				padding: 0.6em 2em 0.4em;
+				background-color: #900;
+				color: #fff;
+				font-weight: normal;
+				font-size: 1.75em;
+				border-bottom: 2px solid #000;
+			}
+			h1 strong {
+				font-weight: bold;
+			}
+			h2 {
+				font-size: 1.1em;
+				font-weight: bold;
+			}
+			hr {
+				display: none;
+			}
+			.content {
+				padding: 1em 5em;
+			}
+			.content-columns {
+				/* Setting relative positioning allows for 
+				absolute positioning for sub-classes */
+				position: relative;
+				padding-top: 1em;
+			}
+			.content-column-left {
+				/* Value for IE/Win; will be overwritten for other browsers */
+				width: 47%;
+				padding-right: 3%;
+				float: left;
+				padding-bottom: 2em;
+			}
+			.content-column-left hr {
+				display: none;
+			}
+			.content-column-right {
+				/* Values for IE/Win; will be overwritten for other browsers */
+				width: 47%;
+				padding-left: 3%;
+				float: left;
+				padding-bottom: 2em;
+			}
+			.content-columns>.content-column-left, .content-columns>.content-column-right {
+				/* Non-IE/Win */
+			}
+			img {
+				border: 2px solid #fff;
+				padding: 2px;
+				margin: 2px;
+			}
+			a:hover img {
+				border: 2px solid #f50;
+			}
+			/*]]>*/
+		</style>
+	</head>
+
+	<body>
+		<h1>Red Hat Enterprise Linux <strong>Test Page</strong></h1>
+
+		<div class="content">
+			<div class="content-middle">
+				<p>This page is used to test the proper operation of the Apache HTTP server after it has been installed. If you can read this page, it means that the Apache HTTP server installed at this site is working properly.</p>
+			</div>
+			<hr />
+
+			<div class="content-columns">
+				<div class="content-column-left">
+					<h2>If you are a member of the general public:</h2>
+
+					<p>The fact that you are seeing this page indicates that the website you just visited is either experiencing problems, or is undergoing routine maintenance.</p>
+
+					<p>If you would like to let the administrators of this website know that you've seen this page instead of the page you expected, you should send them e-mail. In general, mail sent to the name "webmaster" and directed to the website's domain should reach the appropriate person.</p>
+
+					<p>For example, if you experienced problems while visiting www.example.com, you should send e-mail to "webmaster@example.com".</p>
+
+					<p>For information on Red Hat Enterprise Linux, please visit the <a href="http://www.redhat.com/">Red Hat, Inc. website</a>. The documentation for Red Hat Enterprise Linux is <a href="http://www.redhat.com/docs/manuals/enterprise/">available on the Red Hat, Inc. website</a>.</p>
+					<hr />
+				</div>
+
+				<div class="content-column-right">
+					<h2>If you are the website administrator:</h2>
+
+					<p>You may now add content to the directory <tt>/var/www/html/</tt>. Note that until you do so, people visiting your website will see this page, and not your content. To prevent this page from ever being used, follow the instructions in the file <tt>/etc/httpd/conf.d/welcome.conf</tt>.</p>
+
+                                        <p>You are free to use the image below on web sites powered by the Apache HTTP Server:</p>
+					
+                                        <p align="center"><a href="http://httpd.apache.org/"><img src="/icons/apache_pb2.gif" alt="[ Powered by Apache ]"/></a></p>
+
+				</div>
+			</div>
+		</div>
+	</body>
+</html>
--- a/SOURCES/welcome.conf
+++ b/SOURCES/welcome.conf
@@ -6,25 +6,13 @@
 # NOTE: if this file is removed, it will be restored on upgrades.
 #
 <LocationMatch "^/+$">
-  Options -Indexes
-  ErrorDocument 403 /noindex/index.html
+    Options -Indexes
+    ErrorDocument 403 /.noindex.html
 </LocationMatch>

-Alias /noindex /usr/share/httpd/noindex
-
 <Directory /usr/share/httpd/noindex>
-  Options MultiViews
-  DirectoryIndex index.html
-
-  AddLanguage en-US .en-US
-  AddLanguage es-ES .es-ES
-  AddLanguage zh-CN .zh-CN
-  AddLanguage zh-HK .zh-HK
-  AddLanguage zh-TW .zh-TW
-
-  LanguagePriority en
-  ForceLanguagePriority Fallback
-
-  AllowOverride None
-  Require all granted
+    AllowOverride None
+    Require all granted
 </Directory>
+
+Alias /.noindex.html /usr/share/httpd/noindex/index.html
--- a/SPECS/httpd.spec
+++ b/SPECS/httpd.spec
@@ -13,10 +13,10 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.4.37
-Release: 11%{?dist}
+Release: 12%{?dist}
 URL: https://httpd.apache.org/
 Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
-Source1: centos-noindex-8.0.tar.gz
+Source1: index.html
 Source2: httpd.logrotate
 Source3: instance.conf
 Source4: httpd-ssl-pass-dialog
@@ -113,6 +113,10 @@ Patch200: httpd-2.4.37-r1851471.patch
 Patch201: httpd-2.4.37-CVE-2019-0211.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1695025
 Patch202: httpd-2.4.37-CVE-2019-0215.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1741860
+# https://bugzilla.redhat.com/show_bug.cgi?id=1741864
+# https://bugzilla.redhat.com/show_bug.cgi?id=1741868
+Patch203: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch

 License: ASL 2.0
 Group: System Environment/Daemons
@@ -280,6 +284,7 @@ interface for storing and accessing per-user session data.
 %patch200 -p1 -b .r1851471
 %patch201 -p1 -b .CVE-2019-0211
 %patch202 -p1 -b .CVE-2019-0215
+%patch203 -p1 -b .CVE-2019-9511-and-9516-and-9517

 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -479,7 +484,8 @@ EOF

 # Handle contentdir
 mkdir $RPM_BUILD_ROOT%{contentdir}/noindex
-tar xzf %{SOURCE1} -C $RPM_BUILD_ROOT%{contentdir}/noindex/ --strip-components=1
+install -m 644 -p $RPM_SOURCE_DIR/index.html \
+        $RPM_BUILD_ROOT%{contentdir}/noindex/index.html
 rm -rf %{contentdir}/htdocs

 # remove manual sources
@@ -694,7 +700,7 @@ rm -rf $RPM_BUILD_ROOT
 %{contentdir}/error/README
 %{contentdir}/error/*.var
 %{contentdir}/error/include/*.html
-%{contentdir}/noindex/*
+%{contentdir}/noindex/index.html

 %attr(0710,root,apache) %dir /run/httpd
 %attr(0700,apache,apache) %dir /run/httpd/htcacheclean
@@ -783,12 +789,13 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd

 %changelog
-* Sun May 26 2019 Alain Reguera Delgado <areguera@centosproject.org> - 2.4.37-11.el8.centos
- Remove index.html, add centos-noindex-8.0.tar.gz
- Update welcome.conf to support content negotiation based on locale
-
-* Tue May 07 2019 CentOS Sources <bugs@centos.org> - 2.4.37-11.el8.centos
- Apply debranding changes
+* Thu Aug 29 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-12
+- Resolves: #1744997 - CVE-2019-9511 httpd:2.4/mod_http2: HTTP/2: large amount
+  of data request leads to denial of service
+- Resolves: #1745084 - CVE-2019-9516 httpd:2.4/mod_http2: HTTP/2: 0-length
+  headers leads to denial of service
+- Resolves: #1745152 - CVE-2019-9517 httpd:2.4/mod_http2: HTTP/2: request
+  for large response leads to denial of service

 * Wed Apr 03 2019 Lubos Uhliarik <luhliari@redhat.com> - 2.4.37-11
 - Resolves: #1695431 - CVE-2019-0211 httpd: privilege escalation