diff --git a/.gitignore b/.gitignore
index a6c7776..c4c6257 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ x86_64
 /httpd-2.4.17.tar.bz2
 /httpd-2.4.18.tar.bz2
 /httpd-2.4.23.tar.bz2
+/httpd-2.4.25.tar.bz2
diff --git a/httpd-2.4.18-CVE-2016-5387.patch b/httpd-2.4.18-CVE-2016-5387.patch
deleted file mode 100644
index cfbd4a9..0000000
--- a/httpd-2.4.18-CVE-2016-5387.patch
+++ /dev/null
@@ -1,16 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5387
-
---- httpd-2.4.18/server/util_script.c.cve5387
-+++ httpd-2.4.18/server/util_script.c
-@@ -195,6 +195,10 @@
- }
- }
- #endif
-+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+ /* Don't pass through HTTP_PROXY */
-+ continue;
-+ }
- else
- add_unless_null(e, http2env(r, hdrs[i].key), hdrs[i].val);
- }
diff --git a/httpd-2.4.23-CVE-2016-8740.patch b/httpd-2.4.23-CVE-2016-8740.patch
deleted file mode 100644
index d7328d6..0000000
--- a/httpd-2.4.23-CVE-2016-8740.patch
+++ /dev/null
@@ -1,32 +0,0 @@
---- a/modules/http2/h2_stream.c (revision 1771866)
-+++ b/modules/http2/h2_stream.c (working copy)
-@@ -322,18 +322,18 @@
- HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
- }
- }
-- }
--
-- if (h2_stream_is_scheduled(stream)) {
-- return h2_request_add_trailer(stream->request, stream->pool,
-- name, nlen, value, vlen);
-- }
-- else {
-- if (!input_open(stream)) {
-- return APR_ECONNRESET;
-+
-+ if (h2_stream_is_scheduled(stream)) {
-+ return h2_request_add_trailer(stream->request, stream->pool,
-+ name, nlen, value, vlen);
- }
-- return h2_request_add_header(stream->request, stream->pool,
-- name, nlen, value, vlen);
-+ else {
-+ if (!input_open(stream)) {
-+ return APR_ECONNRESET;
-+ }
-+ return h2_request_add_header(stream->request, stream->pool,
-+ name, nlen, value, vlen);
-+ }
- }
- }
-
diff --git a/httpd-2.4.4-malformed-host.patch b/httpd-2.4.4-malformed-host.patch
deleted file mode 100644
index 57975e5..0000000
--- a/httpd-2.4.4-malformed-host.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff --git a/server/protocol.c b/server/protocol.c
-index e1ef204..d6d9165 100644
---- a/server/protocol.c
-+++ b/server/protocol.c
-@@ -1049,6 +1049,7 @@ request_rec *ap_read_request(conn_rec *conn)
- * now read. may update status.
- */
- ap_update_vhost_from_headers(r);
-+ access_status = r->status;
-
- /* Toggle to the Host:-based vhost's timeout mode to fetch the
- * request body and send the response body, if needed.
diff --git a/httpd.spec b/httpd.spec
index aebc0dc..836c9a9 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,8 +7,8 @@ Summary: Apache HTTP Server
 Name: httpd
-Version: 2.4.23
-Release: 5%{?dist}
+Version: 2.4.25
+Release: 1%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
 Source1: index.html
@@ -63,12 +63,10 @@ Patch31: httpd-2.4.18-sslmultiproxy.patch
 Patch34: httpd-2.4.17-socket-activation.patch
 Patch35: httpd-2.4.17-sslciphdefault.patch
 # Bug fixes
-Patch55: httpd-2.4.4-malformed-host.patch
 Patch56: httpd-2.4.4-mod_unique_id.patch
 Patch57: httpd-2.4.10-sigint.patch
 # Security fixes
-Patch100: httpd-2.4.18-CVE-2016-5387.patch
-Patch101: httpd-2.4.23-CVE-2016-8740.patch
+
 License: ASL 2.0
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -209,13 +207,9 @@ interface for storing and accessing per-user session data.
 %patch34 -p1 -b .socketactivation
 %patch35 -p1 -b .sslciphdefault
-%patch55 -p1 -b .malformedhost
 %patch56 -p1 -b .uniqueid
 %patch57 -p1 -b .sigint
-%patch100 -p1 -b .cve5387
-%patch101 -p1 -b .cve8740
-
 # Patch in the vendor string
 sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h
@@ -687,6 +681,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_rpmconfigdir}/macros.d/macros.httpd
 %changelog
+* Thu Dec 22 2016 Luboš Uhliarik - 2.4.25-1
+- new version 2.4.25
+
 * Mon Dec 05 2016 Luboš Uhliarik - 2.4.23-5
 - Resolves: #1401528 - CVE-2016-8740 httpd: Incomplete handling of LimitRequestFields directive in mod_http2
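Review bot: In the `@@ -63,12 +63,10 @@` hunk of httpd.spec the `# Security fixes` header is left standing over an empty line once `Patch100` and `Patch101` are removed, while `# Bug fixes` still has entries under it; either drop the header together with its entries (`-# Security fixes` in place of the added blank line) or keep the header and the blank out of the list, so the Patch table reads consistently. The three dropped patches — `httpd-2.4.4-malformed-host.patch` and the CVE-2016-5387 and CVE-2016-8740 backports — are presumably superseded by the 2.4.25 upstream sources, but nothing in the spec or in the new changelog entry records that, and the entry says only `- new version 2.4.25`; a line such as `- drop malformed-host, CVE-2016-5387 and CVE-2016-8740 patches (fixed upstream)` would let a later reviewer confirm the CVE coverage without re-deriving it from the tarball. The same point applies to the matching `%patch55`/`%patch100`/`%patch101` removals in the `@@ -209,13 +207,9 @@` hunk.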
diff --git a/sources b/sources
index 05fe32f..f90dcc6 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-04f19c60e810c028f5240a062668a688 httpd-2.4.23.tar.bz2
+SHA512 (httpd-2.4.25.tar.bz2) = 6ba4ce1dcef71416cf1c0de2468c002767b5637a75744daf5beb0edd045749a751b3826c4132f594c48e4b33ca8e1b25ebfb63ac4c8b759ca066a89d3261fb22