diff --git a/backport-CVE-2025-58098.patch b/backport-CVE-2025-58098.patch new file mode 100644 index 0000000000000000000000000000000000000000..d8f10a636754391e6cc242d96300831756e38991 --- /dev/null +++ b/backport-CVE-2025-58098.patch @@ -0,0 +1,42 @@ +From 57a2fd2b3464bf2e1ae8a04a12196aed1bac279e Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 1 Dec 2025 12:05:19 +0000 +Subject: [PATCH] Merge r1930161 from trunk: + +don't pass args for SSI request + + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1930165 13f79535-47bb-0310-9956-ffa450edef68 + +Reference:https://github.com/apache/httpd/commit/57a2fd2b3464bf2e1ae8a04a12196aed1bac279e +Conflict:no +--- + modules/generators/mod_cgid.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/modules/generators/mod_cgid.c b/modules/generators/mod_cgid.c +index f21eb12f741..a0ef2b51699 100644 +--- a/modules/generators/mod_cgid.c ++++ b/modules/generators/mod_cgid.c +@@ -239,7 +239,7 @@ static char **create_argv(apr_pool_t *p, char *path, char *user, char *group, + char *w; + int idx = 0; + +- if (!(*args) || ap_strchr_c(args, '=')) { ++ if (!args || !(*args) || ap_strchr_c(args, '=')) { + numwords = 0; + } + else { +@@ -932,7 +932,10 @@ static int cgid_server(void *data) + apr_pool_userdata_set(r, ERRFN_USERDATA_KEY, apr_pool_cleanup_null, ptrans); + } + +- argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, argv0, r->args); ++ /* Do not pass args in case of SSI requests */ ++ argv = (const char * const *)create_argv(r->pool, NULL, NULL, NULL, ++ argv0, ++ cgid_req.req_type == SSI_REQ ? NULL : r->args); + + /* We want to close sd2 for the new CGI process too. + * If it is left open it'll make ap_pass_brigade() block diff --git a/backport-CVE-2025-65082.patch b/backport-CVE-2025-65082.patch new file mode 100644 index 0000000000000000000000000000000000000000..cc5e02a32dffa6a5550be22f539c96987101e9aa --- /dev/null +++ b/backport-CVE-2025-65082.patch @@ -0,0 +1,70 @@ +From 383d5465ef649594f7c4fbce557655240164b779 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 1 Dec 2025 12:06:00 +0000 +Subject: [PATCH] Merge r1930163 from trunk: + +envvars from HTTP headers low precedence + + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1930167 13f79535-47bb-0310-9956-ffa450edef68 + +Reference:https://github.com/apache/httpd/commit/383d5465ef649594f7c4fbce557655240164b779 +Conflict:no +--- + server/util_script.c | 26 +++++++++++++++++++++++--- + 1 file changed, 23 insertions(+), 3 deletions(-) + +diff --git a/server/util_script.c b/server/util_script.c +index 72175e75824..6a18aec8c90 100644 +--- a/server/util_script.c ++++ b/server/util_script.c +@@ -126,6 +126,8 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t) + } + } + for (i = 0; i < env_arr->nelts; ++i) { ++ int changed = 0; ++ + if (!elts[i].key) { + continue; + } +@@ -133,18 +135,36 @@ AP_DECLARE(char **) ap_create_environment(apr_pool_t *p, apr_table_t *t) + whack = env[j]; + if (apr_isdigit(*whack)) { + *whack++ = '_'; ++ changed = 1; + } + while (*whack != '=') { + #ifdef WIN32 +- if (!apr_isalnum(*whack) && *whack != '(' && *whack != ')') { ++ if (!apr_isalnum(*whack) && *whack != '_' && *whack != '(' && *whack != ')') { + #else +- if (!apr_isalnum(*whack)) { ++ if (!apr_isalnum(*whack) && *whack != '_') { + #endif + *whack = '_'; ++ changed = 1; + } + ++whack; + } +- ++j; ++ if (changed) { ++ *whack = '\0'; ++ /* ++ * If after cleaning up the key the key is identical to an existing key ++ * in the table drop this environment variable. This also prevents ++ * to override CGI reserved environment variables with variables whose ++ * names have an invalid character instead of '_', but are otherwise ++ * equal to the names CGI reserved environment variables. ++ */ ++ if (!apr_table_get(t, env[j])) { ++ ++j; ++ *whack = '='; ++ } ++ } ++ else { ++ ++j; ++ } + } + + env[j] = NULL; diff --git a/backport-CVE-2025-66200.patch b/backport-CVE-2025-66200.patch new file mode 100644 index 0000000000000000000000000000000000000000..93faaafb04fe877aae4c1643157ab9789d3dc5e0 --- /dev/null +++ b/backport-CVE-2025-66200.patch @@ -0,0 +1,63 @@ +From 4dcf39ab51efec5eedaa9abce111b035952d0548 Mon Sep 17 00:00:00 2001 +From: Eric Covener +Date: Mon, 1 Dec 2025 12:06:46 +0000 +Subject: [PATCH] Merge r1930164 from trunk: + +don't use request notes for suexec + +also, stop accepting the obscure "note" option in +RequestHeader, it is only documented/described as being +meant for Header (output filter). + + + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1930168 13f79535-47bb-0310-9956-ffa450edef68 + +Reference:https://github.com/apache/httpd/commit/4dcf39ab51efec5eedaa9abce111b035952d0548 +Conflict:no +--- + modules/mappers/mod_userdir.c | 4 ++-- + modules/metadata/mod_headers.c | 6 +++++- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/modules/mappers/mod_userdir.c b/modules/mappers/mod_userdir.c +index 1ec0e9010d2..0a34fd35b17 100644 +--- a/modules/mappers/mod_userdir.c ++++ b/modules/mappers/mod_userdir.c +@@ -334,7 +334,7 @@ static int translate_userdir(request_rec *r) + r->finfo = statbuf; + + /* For use in the get_suexec_identity phase */ +- apr_table_setn(r->notes, "mod_userdir_user", user); ++ ap_set_module_config(r->request_config, &userdir_module, (void *)user); + + return OK; + } +@@ -348,7 +348,7 @@ static ap_unix_identity_t *get_suexec_id_doer(const request_rec *r) + { + ap_unix_identity_t *ugid = NULL; + #if APR_HAS_USER +- const char *username = apr_table_get(r->notes, "mod_userdir_user"); ++ const char *username = (const char*) ap_get_module_config(r->request_config, &userdir_module); + + if (username == NULL) { + return NULL; +diff --git a/modules/metadata/mod_headers.c b/modules/metadata/mod_headers.c +index f08382d61f0..f514b4bc6a0 100644 +--- a/modules/metadata/mod_headers.c ++++ b/modules/metadata/mod_headers.c +@@ -455,8 +455,12 @@ static APR_INLINE const char *header_inout_cmd(cmd_parms *cmd, + new->action = hdr_edit; + else if (!strcasecmp(action, "edit*")) + new->action = hdr_edit_r; +- else if (!strcasecmp(action, "note")) ++ else if (!strcasecmp(action, "note")) { ++ if (cmd->info == &hdr_in) { ++ return "RequestHeader does not support the 'note' action"; ++ } + new->action = hdr_note; ++ } + else + return "first argument must be 'add', 'set', 'setifempty', 'append', 'merge', " + "'unset', 'echo', 'note', 'edit', or 'edit*'."; diff --git a/httpd.spec b/httpd.spec index 64853ddb2b513fb27c3373cf2bb50a1eb805dc17..12de844f442192b5273b3f386c000f963024f5e2 100644 --- a/httpd.spec +++ b/httpd.spec @@ -8,7 +8,7 @@ Name: httpd Summary: Apache HTTP Server Version: 2.4.58 -Release: 10 +Release: 11 License: ASL 2.0 URL: https://httpd.apache.org/ Source0: https://archive.apache.org/dist/httpd/httpd-%{version}.tar.bz2 @@ -103,6 +103,9 @@ Patch49: backport-CVE-2025-23048.patch Patch50: backport-CVE-2024-47252.patch Patch51: backport-CVE-2024-43204.patch Patch52: backport-CVE-2024-42516.patch +Patch53: backport-CVE-2025-58098.patch +Patch54: backport-CVE-2025-65082.patch +Patch55: backport-CVE-2025-66200.patch BuildRequires: gcc autoconf pkgconfig findutils xmlto perl-interpreter perl-generators systemd-devel BuildRequires: zlib-devel libselinux-devel lua-devel brotli-devel @@ -540,6 +543,12 @@ exit $rv %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Tue Dec 16 2025 tangce - 2.4.58-11 +- Type:CVE +- CVE:CVE-2025-58098,CVE-2025-65082,CVE-2025-66200 +- SUG:NA +- DESC:fix CVE-2025-58098,CVE-2025-65082,CVE-2025-66200 + * Wed Aug 13 2025 yanglu - 2.4.58-10 - Type:CVE - CVE:CVE-2025-49812,CVE-2025-23048,CVE-2024-47252,CVE-2024-43204,CVE-2024-42516