diff --git a/httpd-2.4.37-CVE-2024-47252.patch b/httpd-2.4.37-CVE-2024-47252.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5f25b2b07b3d92322531e8112b84adec65593ced
--- /dev/null
+++ b/httpd-2.4.37-CVE-2024-47252.patch
@@ -0,0 +1,44 @@
+From c01e60707048be14a510f0a92128a5227923215c Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 7 Jul 2025 12:03:42 +0000
+Subject: [PATCH] backport 1927034 from trunk
+
+ escape ssl vars
+
+Reviewed By: rpluem, jorton, covener, ylavic
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927042 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_vars.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
+index 5724f18..0ddf9f7 100644
+--- a/modules/ssl/ssl_engine_vars.c
++++ b/modules/ssl/ssl_engine_vars.c
+@@ -1230,8 +1230,9 @@ static const char *ssl_var_log_handler_c(request_rec *r, char *a)
+ result = "-";
+ else if (strEQ(a, "errstr"))
+ result = (char *)sslconn->verify_error;
+- if (result != NULL && result[0] == NUL)
+- result = NULL;
++ if (result) {
++ result = *result ? ap_escape_logitem(r->pool, result) : NULL;
++ }
+ return result;
+ }
+
+@@ -1244,8 +1245,9 @@ static const char *ssl_var_log_handler_x(request_rec *r, char *a)
+ char *result;
+
+ result = ssl_var_lookup(r->pool, r->server, r->connection, r, a);
+- if (result != NULL && result[0] == NUL)
+- result = NULL;
++ if (result) {
++ result = *result ? ap_escape_logitem(r->pool, result) : NULL;
++ }
+ return result;
+ }
+
diff --git a/httpd-2.4.37-CVE-2025-23048.patch b/httpd-2.4.37-CVE-2025-23048.patch
new file mode 100644
index 0000000000000000000000000000000000000000..d868acb07d808234fe484a7023339a9510fbe006
--- /dev/null
+++ b/httpd-2.4.37-CVE-2025-23048.patch
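Review bot: Both log handlers touched by httpd-2.4.37-CVE-2024-47252.patch now return `ap_escape_logitem(r->pool, result)`, but neither site says why, and the same three lines are duplicated in `ssl_var_log_handler_c` and `ssl_var_log_handler_x`. A one-line comment above each `if (result)` would keep the escape from being dropped in a later cleanup, for example `/* value may originate from the TLS peer; escape before it is written to a log */`. The change covers only these two handlers; whether other consumers of `ssl_var_lookup()` need the same treatment cannot be judged from these hunks, since both function bodies start outside them.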
@@ -0,0 +1,56 @@
+From d76573e7608cbdeab6c6a658c427d900917bf955 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 7 Jul 2025 11:51:57 +0000
+Subject: [PATCH] update SNI validation
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1927035 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_kernel.c | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 9c51021..d912a87 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -371,19 +371,6 @@ int ssl_hook_ReadReq(request_rec *r)
+ " provided in HTTP request", servername);
+ return HTTP_BAD_REQUEST;
+ }
+- if (r->server != handshakeserver
+- && !ssl_server_compatible(sslconn->server, r->server)) {
+- /*
+- * The request does not select the virtual host that was
+- * selected by the SNI and its SSL parameters are different
+- */
+-
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
+- "Hostname %s provided via SNI and hostname %s provided"
+- " via HTTP have no compatible SSL setup",
+- servername, r->hostname);
+- return HTTP_MISDIRECTED_REQUEST;
+- }
+ }
+ else if (((sc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
+ || hssc->strict_sni_vhost_check == SSL_ENABLED_TRUE)
+@@ -404,6 +391,21 @@ int ssl_hook_ReadReq(request_rec *r)
+ "which is required to access this server. \n");
+ return HTTP_FORBIDDEN;
+ }
++ if (r->server != handshakeserver
++ && !ssl_server_compatible(sslconn->server, r->server)) {
++ /*
++ * The request does not select the virtual host that was
++ * selected for handshaking and its SSL parameters are different
++ */
++
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02032)
++ "Hostname %s %s and hostname %s provided"
++ " via HTTP have no compatible SSL setup",
++ servername ? servername : handshakeserver->server_hostname,
++ servername ? "provided via SNI" : "(default host as no SNI was provided)",
++ r->hostname);
++ return HTTP_MISDIRECTED_REQUEST;
++ }
+ }
+ #endif
+ modssl_set_app_data2(ssl, r);
diff --git a/httpd-2.4.37-CVE-2025-49812.patch b/httpd-2.4.37-CVE-2025-49812.patch
new file mode 100644
index 0000000000000000000000000000000000000000..f40ac793aebd4dc550bab072ff001f91a3a2551c
--- /dev/null
+++ b/httpd-2.4.37-CVE-2025-49812.patch
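Review bot: In httpd-2.4.37-CVE-2025-23048.patch the relocated `ssl_server_compatible()` check now sits after the branch chain that ends with the `strict_sni_vhost_check` case, so it also runs when `servername` is NULL, but the rewritten comment (`selected for handshaking`) does not say that this placement is the point of the fix. I would extend the comment with a line such as `* This must run whether or not SNI was sent; do not move it back under the servername branch.` Two things need confirming outside the hunk: that `handshakeserver` is assigned on every path reaching the new block, and that leaving the block inside the region closed by the `#endif` just below is intended. The embedded header cites trunk r1927035 rather than a 2.4.x backport revision like the other two CVE patches in this commit, so it is worth comparing against the 2.4.x branch change.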
@@ -0,0 +1,238 @@
+From 87a7351c755c9ef8ab386e3090e44838c2a06d48 Mon Sep 17 00:00:00 2001
+From: Eric Covener
+Date: Mon, 7 Jul 2025 12:09:30 +0000
+Subject: [PATCH] backport 1927037 from trunk
+
+ remove antiquated 'SSLEngine optional' TLS upgrade
+
+Reviewed By: rpluem, jorton, covener
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1927045 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/ssl/ssl_engine_config.c | 6 ++-
+ modules/ssl/ssl_engine_init.c | 6 +--
+ modules/ssl/ssl_engine_kernel.c | 86 ---------------------------------
+ modules/ssl/ssl_private.h | 1 -
+ 4 files changed, 7 insertions(+), 92 deletions(-)
+
+diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c
+index b50c259..b5f8bdf 100644
+--- a/modules/ssl/mod_ssl.c
++++ b/modules/ssl/mod_ssl.c
+@@ -617,7 +617,7 @@ static const char *ssl_hook_http_scheme(const request_rec *r)
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
+
+- if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
++ if (sc->enabled == SSL_ENABLED_FALSE) {
+ return NULL;
+ }
+
+@@ -628,7 +628,7 @@ static apr_port_t ssl_hook_default_port(const request_rec *r)
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
+
+- if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) {
++ if (sc->enabled == SSL_ENABLED_FALSE) {
+ return 0;
+ }
+
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index ca5f702..7b3e212 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -739,11 +739,13 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg)
+ return NULL;
+ }
+ else if (!strcasecmp(arg, "Optional")) {
+- sc->enabled = SSL_ENABLED_OPTIONAL;
++ sc->enabled = SSL_ENABLED_FALSE;
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server, APLOGNO(10510)
++ "'SSLEngine optional' is no longer supported");
+ return NULL;
+ }
+
+- return "Argument must be On, Off, or Optional";
++ return "Argument must be On or Off";
+ }
+
+ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag)
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index e4f5fc8..ce8cb3a 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -410,7 +410,7 @@ apr_status_t ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ &ssl_module);
+
+ sc = mySrvConfig(s);
+- if (sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) {
++ if (sc->enabled == SSL_ENABLED_TRUE) {
+ if ((rv = ssl_run_init_server(s, p, 0, sc->server->ssl_ctx)) != APR_SUCCESS) {
+ return rv;
+ }
+@@ -2016,9 +2016,9 @@ apr_status_t ssl_init_ConfigureServer(server_rec *s,
+ &ssl_module);
+ apr_status_t rv;
+
+- /* Initialize the server if SSL is enabled or optional.
++ /* Initialize the server if SSL is enabled.
+ */
+- if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) {
++ if (sc->enabled == SSL_ENABLED_TRUE) {
+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914)
+ "Configuring server %s for SSL protocol", sc->vhost_id);
+ if ((rv = ssl_init_server_ctx(s, p, ptemp, sc, pphrases))
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index 40acb04..c13e86c 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -38,59 +38,6 @@ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
+ static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s);
+ #endif
+
+-#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols"
+-#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1"
+-#define CONNECTION_HEADER "Connection: Upgrade"
+-
+-/* Perform an upgrade-to-TLS for the given request, per RFC 2817. */
+-static apr_status_t upgrade_connection(request_rec *r)
+-{
+- struct conn_rec *conn = r->connection;
+- apr_bucket_brigade *bb;
+- SSLConnRec *sslconn;
+- apr_status_t rv;
+- SSL *ssl;
+-
+- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02028)
+- "upgrading connection to TLS");
+-
+- bb = apr_brigade_create(r->pool, conn->bucket_alloc);
+-
+- rv = ap_fputs(conn->output_filters, bb, SWITCH_STATUS_LINE CRLF
+- UPGRADE_HEADER CRLF CONNECTION_HEADER CRLF CRLF);
+- if (rv == APR_SUCCESS) {
+- APR_BRIGADE_INSERT_TAIL(bb,
+- apr_bucket_flush_create(conn->bucket_alloc));
+- rv = ap_pass_brigade(conn->output_filters, bb);
+- }
+-
+- if (rv) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02029)
+- "failed to send 101 interim response for connection "
+- "upgrade");
+- return rv;
+- }
+-
+- ssl_init_ssl_connection(conn, r);
+-
+- sslconn = myConnConfig(conn);
+- ssl = sslconn->ssl;
+-
+- /* Perform initial SSL handshake. */
+- SSL_set_accept_state(ssl);
+- SSL_do_handshake(ssl);
+-
+- if (!SSL_is_init_finished(ssl)) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030)
+- "TLS upgrade handshake failed");
+- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server);
+-
+- return APR_ECONNABORTED;
+- }
+-
+- return APR_SUCCESS;
+-}
+-
+ /* Perform a speculative (and non-blocking) read from the connection
+ * filters for the given request, to determine whether there is any
+ * pending data to read. Return non-zero if there is, else zero. */
+@@ -270,40 +217,17 @@ int ssl_hook_ReadReq(request_rec *r)
+ {
+ SSLSrvConfigRec *sc = mySrvConfig(r->server);
+ SSLConnRec *sslconn;
+- const char *upgrade;
+ #ifdef HAVE_TLSEXT
+ const char *servername;
+ #endif
+ SSL *ssl;
+
+- /* Perform TLS upgrade here if "SSLEngine optional" is configured,
+- * SSL is not already set up for this connection, and the client
+- * has sent a suitable Upgrade header. */
+- if (sc->enabled == SSL_ENABLED_OPTIONAL && !myConnConfig(r->connection)
+- && (upgrade = apr_table_get(r->headers_in, "Upgrade")) != NULL
+- && ap_find_token(r->pool, upgrade, "TLS/1.0")) {
+- if (upgrade_connection(r)) {
+- return AP_FILTER_ERROR;
+- }
+- }
+-
+ /* If we are on a slave connection, we do not expect to have an SSLConnRec,
+ * but our master connection might. */
+ sslconn = myConnConfig(r->connection);
+ if (!(sslconn && sslconn->ssl) && r->connection->master) {
+ sslconn = myConnConfig(r->connection->master);
+ }
+-
+- /* If "SSLEngine optional" is configured, this is not an SSL
+- * connection, and this isn't a subrequest, send an Upgrade
+- * response header. Note this must happen before map_to_storage
+- * and OPTIONS * request processing is completed.
+- */
+- if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl)
+- && !r->main) {
+- apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
+- apr_table_mergen(r->headers_out, "Connection", "upgrade");
+- }
+
+ if (!sslconn) {
+ return DECLINED;
+@@ -1239,16 +1163,6 @@ int ssl_hook_Access(request_rec *r)
+ * Support for SSLRequireSSL directive
+ */
+ if (dc->bSSLRequired && !ssl) {
+- if ((sc->enabled == SSL_ENABLED_OPTIONAL) && !r->connection->master) {
+- /* This vhost was configured for optional SSL, just tell the
+- * client that we need to upgrade.
+- */
+- apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1");
+- apr_table_setn(r->err_headers_out, "Connection", "Upgrade");
+-
+- return HTTP_UPGRADE_REQUIRED;
+- }
+-
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219)
+ "access to %s failed, reason: %s",
+ r->filename, "SSL connection required");
+@@ -1421,7 +1335,7 @@ int ssl_hook_UserCheck(request_rec *r)
+ * - ssl not enabled
+ * - client did not present a certificate
+ */
+- if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL)
++ if (!((sc->enabled == SSL_ENABLED_TRUE)
+ && sslconn && sslconn->ssl && sslconn->client_cert) ||
+ !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user)
+ {
+@@ -1543,7 +1457,7 @@ int ssl_hook_Fixup(request_rec *r)
+ /*
+ * Check to see if SSL is on
+ */
+- if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) {
++ if (!((sc->enabled == SSL_ENABLED_TRUE) && sslconn && (ssl = sslconn->ssl))) {
+ return DECLINED;
+ }
+
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index f8a1db7..2f8d4d3 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -468,7 +468,6 @@ typedef enum {
+ SSL_ENABLED_UNSET = UNSET,
+ SSL_ENABLED_FALSE = 0,
+ SSL_ENABLED_TRUE = 1,
+- SSL_ENABLED_OPTIONAL = 3
+ } ssl_enabled_t;
+
+ /**
diff --git a/httpd-2.4.37-r1855391.patch b/httpd-2.4.37-r1855391.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8cab1b31658db9d01f44a902eae11558b5b06221
--- /dev/null
+++ b/httpd-2.4.37-r1855391.patch
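Review bot: In the `ssl_cmd_SSLEngine` hunk of httpd-2.4.37-CVE-2025-49812.patch, `SSLEngine optional` is still accepted, mapped to `SSL_ENABLED_FALSE` and reported only at `APLOG_NOTICE`, so an existing vhost that relied on it is now treated like `SSLEngine off` and the only signal is a notice-level message at configuration time. Consider `APLOG_WARNING` there, or at least a package changelog entry describing the behaviour change, so administrators see that such vhosts no longer offer a TLS upgrade. The embedded diffstat lists four files while the patch also changes `modules/ssl/mod_ssl.c`, which suggests the backport was adjusted by hand; a line in the patch header saying so would help later audits. Minor: `ssl_private.h` is left with a trailing comma after `SSL_ENABLED_TRUE = 1,`.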
@@ -0,0 +1,48 @@
+diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
+index 27c44b2..bfa8952 100644
+--- a/modules/http/http_filters.c
++++ b/modules/http/http_filters.c
+@@ -1290,6 +1290,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+ request_rec *r = f->r;
+ conn_rec *c = r->connection;
+ const char *clheader;
++ int header_only = (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status));
+ const char *protocol = NULL;
+ apr_bucket *e;
+ apr_bucket_brigade *b2;
+@@ -1307,7 +1308,7 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+ }
+ else if (ctx->headers_sent) {
+ /* Eat body if response must not have one. */
+- if (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status)) {
++ if (header_only) {
+ /* Still next filters may be waiting for EOS, so pass it (alone)
+ * when encountered and be done with this filter.
+ */
+@@ -1526,14 +1527,21 @@ AP_CORE_DECLARE_NONSTD(apr_status_t) ap_http_header_filter(ap_filter_t *f,
+
+ terminate_header(b2);
+
+- rv = ap_pass_brigade(f->next, b2);
+- if (rv != APR_SUCCESS) {
+- goto out;
++ if (header_only) {
++ e = APR_BRIGADE_LAST(b);
++ if (e != APR_BRIGADE_SENTINEL(b) && APR_BUCKET_IS_EOS(e)) {
++ APR_BUCKET_REMOVE(e);
++ APR_BRIGADE_INSERT_TAIL(b2, e);
++ ap_remove_output_filter(f);
++ }
++ apr_brigade_cleanup(b);
+ }
++
++ rv = ap_pass_brigade(f->next, b2);
++ apr_brigade_cleanup(b2);
+ ctx->headers_sent = 1;
+
+- if (r->header_only || AP_STATUS_IS_HEADER_ONLY(r->status)) {
+- apr_brigade_cleanup(b);
++ if (rv != APR_SUCCESS || header_only) {
+ goto out;
+ }
+
diff --git a/httpd.spec b/httpd.spec
index 9f4b938508c4dfa2776b254756c41e61da015984..d71a5fbe4236a6fbf081beaf39dc2743e47a3b9d 100644
--- a/httpd.spec
+++ b/httpd.spec
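Review bot: In httpd-2.4.37-r1855391.patch, `header_only` is computed once in the declarations of `ap_http_header_filter` and then used at two later points, in the `ctx->headers_sent` branch and after `terminate_header(b2)`, so any change to `r->status` or `r->header_only` made between those points would no longer be seen. The code in between is outside these hunks, so this needs checking against the full function; a comment at the declaration such as `/* sampled once; r->status must not change below */` would record the assumption. Note also that `ctx->headers_sent = 1` is now set even when `ap_pass_brigade()` fails, where the old code jumped to `out` first. Unlike the three CVE patches beside it, this patch file carries no From/Subject header, so the upstream revision is recorded only in its file name.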
@@ -11,275 +11,283 @@ %global mpm prefork %endif -Summary: Apache HTTP Server -Name: httpd -Version: 2.4.37 -Release: 65%{anolis_release}%{?dist}.3 -URL: https://httpd.apache.org/ -Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 -Source2: httpd.logrotate -Source3: instance.conf -Source4: httpd-ssl-pass-dialog -Source5: httpd.tmpfiles -Source6: httpd.service -Source7: action-graceful.sh -Source8: action-configtest.sh -Source10: httpd.conf -Source11: 00-base.conf -Source12: 00-mpm.conf -Source13: 00-lua.conf -Source14: 01-cgi.conf -Source15: 00-dav.conf -Source16: 00-proxy.conf -Source17: 00-ssl.conf -Source18: 01-ldap.conf -Source19: 00-proxyhtml.conf -Source20: userdir.conf -Source21: ssl.conf -Source22: welcome.conf -Source23: manual.conf -Source24: 00-systemd.conf -Source25: 01-session.conf -Source26: 10-listen443.conf -Source27: httpd.socket -Source28: 00-optional.conf +Summary: Apache HTTP Server +Name: httpd +Version: 2.4.37 +Release: 655%{anolis_release}%{?dist}.5 +URL: https://httpd.apache.org/ +Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 +Source2: httpd.logrotate +Source3: instance.conf +Source4: httpd-ssl-pass-dialog +Source5: httpd.tmpfiles +Source6: httpd.service +Source7: action-graceful.sh +Source8: action-configtest.sh +Source10: httpd.conf +Source11: 00-base.conf +Source12: 00-mpm.conf +Source13: 00-lua.conf +Source14: 01-cgi.conf +Source15: 00-dav.conf +Source16: 00-proxy.conf +Source17: 00-ssl.conf +Source18: 01-ldap.conf +Source19: 00-proxyhtml.conf +Source20: userdir.conf +Source21: ssl.conf +Source22: welcome.conf +Source23: manual.conf +Source24: 00-systemd.conf +Source25: 01-session.conf +Source26: 10-listen443.conf +Source27: httpd.socket +Source28: 00-optional.conf # Documentation -Source30: README.confd -Source31: README.confmod -Source32: httpd.service.xml -Source33: htcacheclean.service.xml -Source34: httpd.conf.xml -Source40: htcacheclean.service -Source41: htcacheclean.sysconf -Source42: 
httpd-init.service -Source43: httpd-ssl-gencerts -Source44: httpd@.service -Source45: config.layout -Source46: apache-poweredby.png +Source30: README.confd +Source31: README.confmod +Source32: httpd.service.xml +Source33: htcacheclean.service.xml +Source34: httpd.conf.xml +Source40: htcacheclean.service +Source41: htcacheclean.sysconf +Source42: httpd-init.service +Source43: httpd-ssl-gencerts +Source44: httpd@.service +Source45: config.layout +Source46: apache-poweredby.png # build/scripts patches # http://bugzilla.redhat.com/show_bug.cgi?id=1231924 # http://bugzilla.redhat.com/show_bug.cgi?id=842736 # http://bugzilla.redhat.com/show_bug.cgi?id=1214401 -Patch1: httpd-2.4.35-apachectl.patch -Patch2: httpd-2.4.28-apxs.patch -Patch3: httpd-2.4.35-deplibs.patch +Patch1: httpd-2.4.35-apachectl.patch +Patch2: httpd-2.4.28-apxs.patch +Patch3: httpd-2.4.35-deplibs.patch # Needed for socket activation and mod_systemd patch -Patch19: httpd-2.4.35-detect-systemd.patch +Patch19: httpd-2.4.35-detect-systemd.patch # Features/functional changes -Patch20: httpd-2.4.32-export.patch -Patch21: httpd-2.4.35-corelimit.patch -Patch22: httpd-2.4.35-selinux.patch +Patch20: httpd-2.4.32-export.patch +Patch21: httpd-2.4.35-corelimit.patch +Patch22: httpd-2.4.35-selinux.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1170215 -Patch23: httpd-2.4.28-icons.patch -Patch24: httpd-2.4.35-systemd.patch -Patch25: httpd-2.4.35-cachehardmax.patch -Patch26: httpd-2.4.28-socket-activation.patch +Patch23: httpd-2.4.28-icons.patch +Patch24: httpd-2.4.35-systemd.patch +Patch25: httpd-2.4.35-cachehardmax.patch +Patch26: httpd-2.4.28-socket-activation.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1109119 -Patch27: httpd-2.4.35-sslciphdefault.patch +Patch27: httpd-2.4.35-sslciphdefault.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1332242 -Patch28: httpd-2.4.28-statements-comment.patch +Patch28: httpd-2.4.28-statements-comment.patch # https://bugzilla.redhat.com/show_bug.cgi?id=811714 
-Patch29: httpd-2.4.35-full-release.patch -Patch30: httpd-2.4.35-freebind.patch -Patch31: httpd-2.4.35-r1830819+.patch +Patch29: httpd-2.4.35-full-release.patch +Patch30: httpd-2.4.35-freebind.patch +Patch31: httpd-2.4.35-r1830819+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1638738 -Patch32: httpd-2.4.37-sslprotdefault.patch +Patch32: httpd-2.4.37-sslprotdefault.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1747898 -Patch33: httpd-2.4.37-mod-md-mod-ssl-hooks.patch +Patch33: httpd-2.4.37-mod-md-mod-ssl-hooks.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1725031 -Patch34: httpd-2.4.37-r1861793+.patch +Patch34: httpd-2.4.37-r1861793+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1704317 -Patch35: httpd-2.4.37-sslkeylogfile-support.patch +Patch35: httpd-2.4.37-sslkeylogfile-support.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1794728 -Patch36: httpd-2.4.37-session-expiry-updt-int.patch +Patch36: httpd-2.4.37-session-expiry-updt-int.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1209162 -Patch37: httpd-2.4.37-logjournal.patch +Patch37: httpd-2.4.37-logjournal.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1869576 -Patch38: httpd-2.4.37-pr37355.patch +Patch38: httpd-2.4.37-pr37355.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1896176 -Patch39: httpd-2.4.37-proxy-ws-idle-timeout.patch +Patch39: httpd-2.4.37-proxy-ws-idle-timeout.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1883648 -Patch40: httpd-2.4.37-ssl-proxy-chains.patch +Patch40: httpd-2.4.37-ssl-proxy-chains.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1935742 -Patch41: httpd-2.4.37-usertrack-samesite.patch +Patch41: httpd-2.4.37-usertrack-samesite.patch # Bug fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 -Patch61: httpd-2.4.35-r1738878.patch +Patch61: httpd-2.4.35-r1738878.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1170206 -Patch62: httpd-2.4.35-r1633085.patch +Patch62: httpd-2.4.35-r1633085.patch # 
https://bugzilla.redhat.com/show_bug.cgi?id=1448892 -Patch63: httpd-2.4.28-r1811831.patch +Patch63: httpd-2.4.28-r1811831.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1602548 -Patch65: httpd-2.4.35-r1842888.patch +Patch65: httpd-2.4.35-r1842888.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1653009 # https://bugzilla.redhat.com/show_bug.cgi?id=1672977 # https://bugzilla.redhat.com/show_bug.cgi?id=1673022 -Patch66: httpd-2.4.37-r1842929+.patch +Patch66: httpd-2.4.37-r1842929+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1630432 -Patch67: httpd-2.4.35-r1825120.patch +Patch67: httpd-2.4.35-r1825120.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1670716 -Patch68: httpd-2.4.37-fips-segfault.patch +Patch68: httpd-2.4.37-fips-segfault.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1669221 -Patch70: httpd-2.4.37-r1840554.patch +Patch70: httpd-2.4.37-r1840554.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1673022 -Patch71: httpd-2.4.37-mod-md-perms.patch +Patch71: httpd-2.4.37-mod-md-perms.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1724549 -Patch72: httpd-2.4.37-mod-mime-magic-strdup.patch +Patch72: httpd-2.4.37-mod-mime-magic-strdup.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1724034 -Patch73: httpd-2.4.35-ocsp-wrong-ctx.patch +Patch73: httpd-2.4.35-ocsp-wrong-ctx.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1633224 -Patch74: httpd-2.4.37-r1828172+.patch +Patch74: httpd-2.4.37-r1828172+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1775158 -Patch75: httpd-2.4.37-r1870095+.patch +Patch75: httpd-2.4.37-r1870095+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1771847 -Patch76: httpd-2.4.37-proxy-continue.patch -Patch77: httpd-2.4.37-balancer-failover.patch +Patch76: httpd-2.4.37-proxy-continue.patch +Patch77: httpd-2.4.37-balancer-failover.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1875844 -Patch78: httpd-2.4.37-r1881459.patch +Patch78: httpd-2.4.37-r1881459.patch # 
https://bugzilla.redhat.com/show_bug.cgi?id=1891829 -Patch79: httpd-2.4.37-r1864000.patch +Patch79: httpd-2.4.37-r1864000.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1868608 -Patch80: httpd-2.4.37-r1872790.patch +Patch80: httpd-2.4.37-r1872790.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1861380 -Patch81: httpd-2.4.37-r1879224.patch +Patch81: httpd-2.4.37-r1879224.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1680118 -Patch82: httpd-2.4.37-r1877397.patch +Patch82: httpd-2.4.37-r1877397.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1847585 -Patch83: httpd-2.4.37-r1878890.patch +Patch83: httpd-2.4.37-r1878890.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1918741 -Patch84: httpd-2.4.37-r1878280.patch +Patch84: httpd-2.4.37-r1878280.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1891594 -Patch85: httpd-2.4.37-htcacheclean-dont-break.patch +Patch85: httpd-2.4.37-htcacheclean-dont-break.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1937334 -Patch86: httpd-2.4.37-r1873907.patch +Patch86: httpd-2.4.37-r1873907.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1680111 -Patch87: httpd-2.4.37-reply-two-tls-rec.patch +Patch87: httpd-2.4.37-reply-two-tls-rec.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1905613 -Patch88: httpd-2.4.37-r1845768+.patch +Patch88: httpd-2.4.37-r1845768+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2001046 -Patch89: httpd-2.4.37-r1862410.patch +Patch89: httpd-2.4.37-r1862410.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1984828 -Patch90: httpd-2.4.37-hcheck-mem-issues.patch +Patch90: httpd-2.4.37-hcheck-mem-issues.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2017543 -Patch91: httpd-2.4.37-add-SNI-support.patch +Patch91: httpd-2.4.37-add-SNI-support.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2159603 -Patch92: httpd-2.4.37-mod_status-duplicate-key.patch +Patch92: httpd-2.4.37-mod_status-duplicate-key.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2221083 -Patch93: 
httpd-2.4.37-r1885607.patch +Patch93: httpd-2.4.37-r1885607.patch # https://issues.redhat.com/browse/RHEL-14321 -Patch94: httpd-2.4.57-r1884505+.patch +Patch94: httpd-2.4.57-r1884505+.patch # https://bz.apache.org/bugzilla/show_bug.cgi?id=69197 -Patch95: httpd-2.4.37-r1919325.patch +Patch95: httpd-2.4.37-r1919325.patch # https://issues.redhat.com/browse/RHEL-56068 -Patch96: httpd-2.4.37-r1922080.patch +Patch96: httpd-2.4.37-r1922080.patch +# https://issues.redhat.com/browse/RHEL-87641 +Patch97: httpd-2.4.37-r1855391.patch # Security fixes -Patch200: httpd-2.4.37-r1851471.patch +Patch200: httpd-2.4.37-r1851471.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1694980 -Patch201: httpd-2.4.37-CVE-2019-0211.patch +Patch201: httpd-2.4.37-CVE-2019-0211.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1695025 -Patch202: httpd-2.4.37-CVE-2019-0215.patch +Patch202: httpd-2.4.37-CVE-2019-0215.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1696141 -Patch203: httpd-2.4.37-CVE-2019-0217.patch +Patch203: httpd-2.4.37-CVE-2019-0217.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1696097 -Patch204: httpd-2.4.37-CVE-2019-0220.patch +Patch204: httpd-2.4.37-CVE-2019-0220.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1741860 # https://bugzilla.redhat.com/show_bug.cgi?id=1741864 # https://bugzilla.redhat.com/show_bug.cgi?id=1741868 -Patch205: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch +Patch205: httpd-2.4.34-CVE-2019-9511-and-9516-and-9517.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1823259 # https://bugzilla.redhat.com/show_bug.cgi?id=1747284 # fixes both CVE-2020-1927 and CVE-2019-10098 -Patch206: httpd-2.4.37-CVE-2019-10098.patch +Patch206: httpd-2.4.37-CVE-2019-10098.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1747281 -Patch207: httpd-2.4.37-CVE-2019-10092.patch +Patch207: httpd-2.4.37-CVE-2019-10092.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1747291 -Patch208: httpd-2.4.37-CVE-2019-10097.patch +Patch208: 
httpd-2.4.37-CVE-2019-10097.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1820772 -Patch209: httpd-2.4.37-CVE-2020-1934.patch +Patch209: httpd-2.4.37-CVE-2020-1934.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1668493 -Patch210: httpd-2.4.37-CVE-2018-17199.patch +Patch210: httpd-2.4.37-CVE-2018-17199.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1866563 -Patch211: httpd-2.4.37-CVE-2020-11984.patch +Patch211: httpd-2.4.37-CVE-2020-11984.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1972500 -Patch212: httpd-2.4.37-CVE-2021-30641.patch +Patch212: httpd-2.4.37-CVE-2021-30641.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1968307 -Patch213: httpd-2.4.37-CVE-2021-26690.patch +Patch213: httpd-2.4.37-CVE-2021-26690.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2005117 -Patch214: httpd-2.4.37-CVE-2021-40438.patch +Patch214: httpd-2.4.37-CVE-2021-40438.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1966732 -Patch215: httpd-2.4.37-CVE-2021-26691.patch +Patch215: httpd-2.4.37-CVE-2021-26691.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1968278 -Patch216: httpd-2.4.37-CVE-2020-35452.patch +Patch216: httpd-2.4.37-CVE-2020-35452.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2005128 -Patch217: httpd-2.4.37-CVE-2021-34798.patch +Patch217: httpd-2.4.37-CVE-2021-34798.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2005119 -Patch218: httpd-2.4.37-CVE-2021-39275.patch +Patch218: httpd-2.4.37-CVE-2021-39275.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2005124 -Patch219: httpd-2.4.37-CVE-2021-36160.patch +Patch219: httpd-2.4.37-CVE-2021-36160.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1966728 -Patch220: httpd-2.4.37-CVE-2021-33193.patch +Patch220: httpd-2.4.37-CVE-2021-33193.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2034674 -Patch221: httpd-2.4.37-CVE-2021-44790.patch +Patch221: httpd-2.4.37-CVE-2021-44790.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2034672 -Patch222: 
httpd-2.4.37-CVE-2021-44224.patch +Patch222: httpd-2.4.37-CVE-2021-44224.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2064321 -Patch223: httpd-2.4.37-CVE-2022-22720.patch +Patch223: httpd-2.4.37-CVE-2022-22720.patch # https://bugzilla.redhat.com/show_bug.cgi?id=1966738 -Patch224: httpd-2.4.37-CVE-2020-13950.patch +Patch224: httpd-2.4.37-CVE-2020-13950.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2064322 -Patch225: httpd-2.4.37-CVE-2022-22719.patch +Patch225: httpd-2.4.37-CVE-2022-22719.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2064320 -Patch226: httpd-2.4.37-CVE-2022-22721.patch +Patch226: httpd-2.4.37-CVE-2022-22721.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2065324 -Patch227: httpd-2.4.37-CVE-2022-23943.patch +Patch227: httpd-2.4.37-CVE-2022-23943.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095002 -Patch228: httpd-2.4.37-CVE-2022-28614.patch +Patch228: httpd-2.4.37-CVE-2022-28614.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095006 -Patch229: httpd-2.4.37-CVE-2022-28615.patch +Patch229: httpd-2.4.37-CVE-2022-28615.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095015 -Patch230: httpd-2.4.37-CVE-2022-30522.patch +Patch230: httpd-2.4.37-CVE-2022-30522.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095018 -Patch231: httpd-2.4.37-CVE-2022-30556.patch +Patch231: httpd-2.4.37-CVE-2022-30556.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095020 -Patch232: httpd-2.4.37-CVE-2022-31813.patch +Patch232: httpd-2.4.37-CVE-2022-31813.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2095012 -Patch233: httpd-2.4.37-CVE-2022-29404.patch +Patch233: httpd-2.4.37-CVE-2022-29404.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2094997 -Patch234: httpd-2.4.37-CVE-2022-26377.patch +Patch234: httpd-2.4.37-CVE-2022-26377.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2161773 -Patch235: httpd-2.4.37-CVE-2022-37436.patch +Patch235: httpd-2.4.37-CVE-2022-37436.patch # 
https://bugzilla.redhat.com/show_bug.cgi?id=2161774 -Patch236: httpd-2.4.37-CVE-2006-20001.patch +Patch236: httpd-2.4.37-CVE-2006-20001.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2161777 -Patch237: httpd-2.4.37-CVE-2022-36760.patch +Patch237: httpd-2.4.37-CVE-2022-36760.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2176209 -Patch238: httpd-2.4.37-CVE-2023-25690.patch +Patch238: httpd-2.4.37-CVE-2023-25690.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2176211 -Patch239: httpd-2.4.37-CVE-2023-27522.patch +Patch239: httpd-2.4.37-CVE-2023-27522.patch # https://issues.redhat.com/browse/RHEL-14448 -Patch240: httpd-2.4.37-CVE-2023-31122.patch +Patch240: httpd-2.4.37-CVE-2023-31122.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2273491 -Patch241: httpd-2.4.37-CVE-2023-38709.patch +Patch241: httpd-2.4.37-CVE-2023-38709.patch # CVE-2024-38474 and CVE-2024-38475 fixed in one patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295013 # https://bugzilla.redhat.com/show_bug.cgi?id=2295014 -Patch242: httpd-2.4.37-CVE-2024-38474+.patch +Patch242: httpd-2.4.37-CVE-2024-38474+.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295012 -Patch243: httpd-2.4.37-CVE-2024-38473.patch +Patch243: httpd-2.4.37-CVE-2024-38473.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295016 -Patch244: httpd-2.4.37-CVE-2024-38477.patch +Patch244: httpd-2.4.37-CVE-2024-38477.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295022 -Patch245: httpd-2.4.37-CVE-2024-39573.patch +Patch245: httpd-2.4.37-CVE-2024-39573.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2295015 -Patch246: httpd-2.4.37-CVE-2024-38476.patch +Patch246: httpd-2.4.37-CVE-2024-38476.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2297362 # https://bugzilla.redhat.com/show_bug.cgi?id=2295761 -Patch247: httpd-2.4.37-CVE-2024-39884+.patch +Patch247: httpd-2.4.37-CVE-2024-39884+.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2374576 +Patch248: httpd-2.4.37-CVE-2025-23048.patch +# 
https://bugzilla.redhat.com/show_bug.cgi?id=2374571 +Patch249: httpd-2.4.37-CVE-2024-47252.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2374580 +Patch250: httpd-2.4.37-CVE-2025-49812.patch # Add by Anolis Patch1000: 1000-httpd-anolis-rebrand.patch @@ -308,17 +316,17 @@ Requires(pre): httpd-filesystem Requires(preun): systemd-units Requires(postun): systemd-units Requires(post): systemd-units -Conflicts: apr < 1.5.0-1 +Conflicts: apr < 1.5.0-1 %description The Apache HTTP Server is a powerful, efficient, and extensible web server. %package devel -Group: Development/Libraries -Summary: Development interfaces for the Apache HTTP server -Requires: apr-devel, apr-util-devel, pkgconfig -Requires: httpd = %{version}-%{release} +Group: Development/Libraries +Summary: Development interfaces for the Apache HTTP server +Requires: apr-devel, apr-util-devel, pkgconfig +Requires: httpd = %{version}-%{release} %description devel The httpd-devel package contains the APXS binary and other files @@ -330,11 +338,11 @@ able to compile or develop additional modules for Apache, you need to install this package. %package manual -Group: Documentation -Summary: Documentation for the Apache HTTP server -Requires: httpd = %{version}-%{release} -Obsoletes: secureweb-manual, apache-manual -BuildArch: noarch +Group: Documentation +Summary: Documentation for the Apache HTTP server +Requires: httpd = %{version}-%{release} +Obsoletes: secureweb-manual, apache-manual +BuildArch: noarch %description manual The httpd-manual package contains the complete manual and 
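Review bot: `Release:` goes from `65%{anolis_release}%{?dist}.3` to `655%{anolis_release}%{?dist}.5`, and the jump from 65 to 655 looks like a typo; if shipped, any later build numbered 66 through 654 would compare as older to RPM and would not be offered as an update. If it is unintended, the line should read `Release: 65%{anolis_release}%{?dist}.5`. Patch248 to Patch250 are declared in this hunk, but the `%patch` lines that apply them are not in the part of the diff visible here, so confirm they are present in `%prep`; a declared but unapplied security patch would leave the build unfixed while the changelog says otherwise.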
@@ -342,9 +350,9 @@ reference guide for the Apache HTTP server. The information can also be found at http://httpd.apache.org/docs/2.2/. %package filesystem -Group: System Environment/Daemons -Summary: The basic directory layout for the Apache HTTP server -BuildArch: noarch +Group: System Environment/Daemons +Summary: The basic directory layout for the Apache HTTP server +BuildArch: noarch Requires(pre): /usr/sbin/useradd %description filesystem @@ -353,24 +361,24 @@ for the Apache HTTP server including the correct permissions for the directories. %package tools -Group: System Environment/Daemons -Summary: Tools for use with the Apache HTTP Server +Group: System Environment/Daemons +Summary: Tools for use with the Apache HTTP Server %description tools The httpd-tools package contains tools which can be used with the Apache HTTP Server. %package -n mod_ssl -Group: System Environment/Daemons -Summary: SSL/TLS module for the Apache HTTP Server -Epoch: 1 -BuildRequires: openssl-devel +Group: System Environment/Daemons +Summary: SSL/TLS module for the Apache HTTP Server +Epoch: 1 +BuildRequires: openssl-devel Requires(pre): httpd-filesystem -Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} -Requires: sscg >= 3.0.0-7, /usr/bin/hostname -Obsoletes: stronghold-mod_ssl +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +Requires: sscg >= 3.0.0-7, /usr/bin/hostname +Obsoletes: stronghold-mod_ssl # Require an OpenSSL which supports PROFILE=SYSTEM -Conflicts: openssl-libs < 1:1.0.1h-4 +Conflicts: openssl-libs < 1:1.0.1h-4 %description -n mod_ssl The mod_ssl module provides strong cryptography for the Apache Web 
@@ -378,31 +386,31 @@ server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. %package -n mod_proxy_html -Group: System Environment/Daemons -Summary: HTML and XML content filters for the Apache HTTP Server -Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} -BuildRequires: libxml2-devel -Epoch: 1 -Obsoletes: mod_proxy_html < 1:2.4.1-2 +Group: System Environment/Daemons +Summary: HTML and XML content filters for the Apache HTTP Server +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +BuildRequires: libxml2-devel +Epoch: 1 +Obsoletes: mod_proxy_html < 1:2.4.1-2 %description -n mod_proxy_html The mod_proxy_html and mod_xml2enc modules provide filters which can transform and modify HTML and XML content. %package -n mod_ldap -Group: System Environment/Daemons -Summary: LDAP authentication modules for the Apache HTTP Server -Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} -Requires: apr-util-ldap +Group: System Environment/Daemons +Summary: LDAP authentication modules for the Apache HTTP Server +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +Requires: apr-util-ldap %description -n mod_ldap The mod_ldap and mod_authnz_ldap modules add support for LDAP authentication to the Apache HTTP Server. %package -n mod_session -Group: System Environment/Daemons -Summary: Session interface for the Apache HTTP Server -Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +Group: System Environment/Daemons +Summary: Session interface for the Apache HTTP Server +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} %description -n mod_session The mod_session module and associated backends provide an abstract @@ -470,6 +478,7 @@ interface for storing and accessing per-user session data. %patch92 -p1 -b .mod_status-dupl %patch93 -p1 -b .r1885607 %patch94 -p1 -b .r1884505+ +%patch97 -p1 -b .r1855391 %patch200 -p1 -b .r1851471 %patch201 -p1 -b .CVE-2019-0211 
@@ -522,6 +531,9 @@ interface for storing and accessing per-user session data. %patch95 -p1 -b .r1919325 %patch246 -p1 -b .CVE-2024-38476 %patch247 -p1 -b .CVE-2024-39884+ +%patch248 -p1 -b .CVE-2025-23048 +%patch249 -p1 -b .CVE-2024-47252 +%patch250 -p1 -b .CVE-2025-49812 # Add by Anolis %patch1000 -p1 %patch1001 -p1 @@ -1034,13 +1046,23 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog -* Thu Feb 20 2025 zhangbinchen - 2.4.37-65.0.1.3 +* Tue Sep 09 2025 zhangbinchen - 2.4.37-65.0.1.5 - Rebrand for Anolis OS - Requires system-logos-httpd - Support loongarch64 platform(Liwei Ge) cherry-pick `add sw patch #400077d851a81ce23aa39db271e26c3df254ae53`. (nijie@wxiat.com) cherry-pick `change sw patch #bdacf2efe00d8445328f798df8c5520728801e8c`. (nijie@wxiat.com) +* Mon Jul 28 2025 Luboš Uhliarik - 2.4.37-65.5 +- Resolves: RHEL-99944 - CVE-2025-49812 httpd: HTTP Session Hijack via a TLS upgrade +- Resolves: RHEL-99969 - CVE-2024-47252 httpd: insufficient escaping of + user-supplied data in mod_ssl +- Resolves: RHEL-99961 - CVE-2025-23048 httpd: access control bypass by trusted + clients is possible using TLS 1.3 session resumption + +* Tue Apr 22 2025 Luboš Uhliarik - 2.4.37-65.4 +- Resolves: RHEL-87641 - apache Bug 63192 - mod_ratelimit breaks HEAD requests + * Wed Jan 29 2025 Luboš Uhliarik - 2.4.37-65.3 - Resolves: RHEL-56068 - Apache HTTPD no longer parse PHP files with unicode characters in the name
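Review bot: Two of the patches applied in the `@@ -522` hunk change behaviour that operators and log consumers can observe, and nothing at the `%patch249`/`%patch250` lines or in the new changelog entry records it. The CVE-2024-47252 patch file added by this commit routes the mod_ssl `%{...}c` and `%{...}x` log items through `ap_escape_logitem`, so values containing control or non-printable characters will now appear escaped in access logs; log parsers and detections that match on the raw values need checking. The CVE-2025-49812 patch body is not visible here, but if it follows the upstream fix it presumably removes the TLS-upgrade mode (`SSLEngine optional`), which would break configurations that still use it. I would add spec comments above the two lines, for example `# CVE-2024-47252: SSL log variables are now escaped (ap_escape_logitem)` and `# CVE-2025-49812: drops TLS upgrade support - review SSLEngine optional configs`, and mention both in the changelog.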