From: Arkadiusz Miśkiewicz
Date: Thu, 26 Jan 2023 06:57:53 +0000 (+0100)
Subject: Up to 2.4.55; fixes CVE-2022-37436, CVE-2022-36760, CVE-2006-20001
X-Git-Tag: auto/th/apache-2.4.55-1
X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=213941685021c4022ecdfa1a2844a57602c09ff6;p=packages%2Fapache.git
Up to 2.4.55; fixes CVE-2022-37436, CVE-2022-36760, CVE-2006-20001
---
diff --git a/apache.spec b/apache.spec
index 390fece..ead015a 100644
--- a/apache.spec
+++ b/apache.spec
@@ -34,12 +34,12 @@ Summary(pt_BR.UTF-8): Servidor HTTPD para prover serviços WWW
 Summary(ru.UTF-8): Самый популярный веб-сервер
 Summary(tr.UTF-8): Lider WWW tarayıcı
 Name: apache
-Version: 2.4.54
+Version: 2.4.55
 Release: 1
 License: Apache v2.0
 Group: Networking/Daemons/HTTP
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
-# Source0-md5: 861b43073ab416d689f1fc4dfa087711
+# Source0-md5: b6a8b9d8741db43cf5b4dd8e9bdb0ce7
 Source1: %{name}.init
 Source2: %{name}.logrotate
 Source3: %{name}.sysconfig
@@ -79,6 +79,7 @@ Patch2: %{name}-suexec.patch Patch3: %{name}-branding.patch Patch4: %{name}-apr.patch Patch7: %{name}-syslibs.patch +Patch8: http2-500.patch Patch10: httpd-2.0.46-dav401dest.patch Patch14: httpd-2.0.48-corelimit.patch
@@ -2692,6 +2693,7 @@ Dwa programy testowe/przykładowe cgi: test-cgi and print-env. %patch4 -p1 %patch7 -p1 +%patch8 -p1 %patch10 -p1
diff --git a/http2-500.patch b/http2-500.patch
new file mode 100644
index 0000000..e75fbef
--- /dev/null
+++ b/http2-500.patch
@@ -0,0 +1,35 @@
+commit a829ac7f3f543ce6849d563aed4b6d602a7ca0e7
+Author: Stefan Eissing
+Date: Wed Jan 18 20:02:25 2023 +0000
+
+ *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
+ reported in access logs and error documents. The processing of the
+ reset was correct, only unneccesary reporting was caused.
+
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1906775 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/changes-entries/h2-rst-access-500-fix.txt b/changes-entries/h2-rst-access-500-fix.txt
+new file mode 100644
+index 0000000000..d165fa3bc8
+--- /dev/null
++++ b/changes-entries/h2-rst-access-500-fix.txt
+@@ -0,0 +1,4 @@
++ *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors
++ reported in access logs and error documents. The processing of the
++ reset was correct, only unneccesary reporting was caused.
++ [Stefan Eissing]
+diff --git a/modules/http2/h2_c2_filter.c b/modules/http2/h2_c2_filter.c
+index f537a19f07..37254fc1d7 100644
+--- a/modules/http2/h2_c2_filter.c
++++ b/modules/http2/h2_c2_filter.c
+@@ -615,7 +615,7 @@ apr_status_t h2_c2_filter_catch_h1_out(ap_filter_t* f, apr_bucket_brigade* bb)
+ ap_assert(conn_ctx);
+ H2_FILTER_LOG("c2_catch_h1_out", f->c, APLOG_TRACE2, 0, "check", bb);
+
+- if (!conn_ctx->has_final_response) {
++ if (!f->c->aborted && !conn_ctx->has_final_response) {
+ if (!parser) {
+ parser = apr_pcalloc(f->c->pool, sizeof(*parser));
+ parser->id = apr_psprintf(f->c->pool, "%s-%d", conn_ctx->id, conn_ctx->stream_id);
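Review bot: The new `!f->c->aborted` condition in the h2_c2_filter.c section has no comment, so the reason for skipping response parsing on an aborted connection lives only in the commit message; a line above it such as `/* client reset the stream: skip response parsing so no 500 is reported for it */` would keep that with the code. With the guard in place an aborted connection bypasses the whole `if` block, and the body of h2_c2_filter_catch_h1_out continues past the end of this hunk, so what happens to `bb` on that path cannot be checked from here and should be confirmed against the full function. Going by the commit message, client resets will stop appearing as 500 entries in access logs once this is applied, so any monitoring that counts HTTP/2 500s should be re-baselined after the upgrade.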