From 6b2a1af96ef14db65a87736b46e01c6f1dde1c8e Mon Sep 17 00:00:00 2001 From: zhuhong_bo Date: Wed, 10 Dec 2025 15:03:13 +0800 Subject: [PATCH] fix cve CVE-2024-47252 CVE-2025-49812 --- httpd-2.4.6-CVE-2024-47252.patch | 40 ++++++ httpd-2.4.6-CVE-2025-49812.patch | 230 +++++++++++++++++++++++++++++++ httpd.spec | 9 +- 3 files changed, 278 insertions(+), 1 deletion(-) create mode 100644 httpd-2.4.6-CVE-2024-47252.patch create mode 100644 httpd-2.4.6-CVE-2025-49812.patch diff --git a/httpd-2.4.6-CVE-2024-47252.patch b/httpd-2.4.6-CVE-2024-47252.patch new file mode 100644 index 0000000..d2368c1 --- /dev/null +++ b/httpd-2.4.6-CVE-2024-47252.patch @@ -0,0 +1,40 @@ +From f6d8ab3895cd0c34a60796f55b05585e85e2bf61 Mon Sep 17 00:00:00 2001 +From: zhuhong_bo +Date: Wed, 10 Dec 2025 13:54:47 +0800 +Subject: [PATCH] fix cve CVE-2024-47252 + +--- + modules/ssl/ssl_engine_vars.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c +index e25a6d4..942d726 100644 +--- a/modules/ssl/ssl_engine_vars.c ++++ b/modules/ssl/ssl_engine_vars.c +@@ -1180,8 +1180,9 @@ static const char *ssl_var_log_handler_c(request_rec *r, char *a) + result = "-"; + else if (strEQ(a, "errstr")) + result = (char *)sslconn->verify_error; +- if (result != NULL && result[0] == NUL) +- result = NULL; ++ if (result) { ++ result = *result ? ap_escape_logitem(r->pool, result) : NULL; ++ } + return result; + } + +@@ -1194,8 +1195,9 @@ static const char *ssl_var_log_handler_x(request_rec *r, char *a) + char *result; + + result = ssl_var_lookup(r->pool, r->server, r->connection, r, a); +- if (result != NULL && result[0] == NUL) +- result = NULL; ++ if (result) { ++ result = *result ? ap_escape_logitem(r->pool, result) : NULL; ++ } + return result; + } + +-- +1.8.3.1 + diff --git a/httpd-2.4.6-CVE-2025-49812.patch b/httpd-2.4.6-CVE-2025-49812.patch new file mode 100644 index 0000000..afde9c0 --- /dev/null 
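Review bot: The new `ap_escape_logitem()` calls in `ssl_var_log_handler_c` and `ssl_var_log_handler_x` carry no comment saying why escaping is now required, and the patch header gives no upstream reference for the backport, so a later reader cannot tell whether these two hunks in ssl_engine_vars.c are the whole fix. Add a line to the patch description such as `Backport of upstream <UPSTREAM-CHANGE-ID-PLACEHOLDER> (mod_ssl: escape values written to the access log)`, and above each new `if (result) {` a comment like `/* result may be client-influenced (verify_error, ssl_var_lookup() output); escape before it reaches the log. */`. The replacement itself preserves the old empty-string-to-NULL mapping and hands `r->pool` to the escaper, which is what the per-request log handlers should use. The body of `ssl_var_log_handler_c` begins outside the hunk.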
+++ b/httpd-2.4.6-CVE-2025-49812.patch 
@@ -0,0 +1,230 @@ +From f6e639c92713bcf9a547a3ba2dac742d4ecee5e8 Mon Sep 17 00:00:00 2001 +From: zhuhong_bo +Date: Wed, 10 Dec 2025 16:04:08 +0800 +Subject: [PATCH] fix cve CVE-2025-49812 + +--- + modules/ssl/mod_ssl.c | 4 +- + modules/ssl/ssl_engine_config.c | 6 ++- + modules/ssl/ssl_engine_init.c | 5 ++- + modules/ssl/ssl_engine_kernel.c | 87 +---------------------------------------- + modules/ssl/ssl_private.h | 3 +- + 5 files changed, 12 insertions(+), 93 deletions(-) + +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c +index e637a9d..4fb0751 100644 +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -537,7 +537,7 @@ static const char *ssl_hook_http_scheme(const request_rec *r) + { + SSLSrvConfigRec *sc = mySrvConfig(r->server); + +- if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) { ++ if (sc->enabled == SSL_ENABLED_FALSE) { + return NULL; + } + +@@ -548,7 +548,7 @@ static apr_port_t ssl_hook_default_port(const request_rec *r) + { + SSLSrvConfigRec *sc = mySrvConfig(r->server); + +- if (sc->enabled == SSL_ENABLED_FALSE || sc->enabled == SSL_ENABLED_OPTIONAL) { ++ if (sc->enabled == SSL_ENABLED_FALSE) { + return 0; + } + +diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c +index 714aee9..2ad9534 100644 +--- a/modules/ssl/ssl_engine_config.c ++++ b/modules/ssl/ssl_engine_config.c +@@ -609,11 +609,13 @@ const char *ssl_cmd_SSLEngine(cmd_parms *cmd, void *dcfg, const char *arg) + return NULL; + } + else if (!strcasecmp(arg, "Optional")) { +- sc->enabled = SSL_ENABLED_OPTIONAL; ++ sc->enabled = SSL_ENABLED_FALSE; ++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, cmd->server, APLOGNO(10510) ++ "'SSLEngine optional' is no longer supported"); + return NULL; + } + +- return "Argument must be On, Off, or Optional"; ++ return "Argument must be On or Off"; + } + + const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag) +diff --git a/modules/ssl/ssl_engine_init.c 
b/modules/ssl/ssl_engine_init.c +index 814ec4f..b197fae 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -1,6 +1,7 @@ + /* Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. ++ * + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at +@@ -1413,9 +1414,9 @@ void ssl_init_ConfigureServer(server_rec *s, + apr_pool_t *ptemp, + SSLSrvConfigRec *sc) + { +- /* Initialize the server if SSL is enabled or optional. ++ /* Initialize the server if SSL is enabled. + */ +- if ((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) { ++ if (sc->enabled == SSL_ENABLED_TRUE) { + ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, APLOGNO(01914) + "Configuring server %s for SSL protocol", sc->vhost_id); + ssl_init_server_ctx(s, p, ptemp, sc); +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index d6903f7..7d9c045 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -36,59 +36,6 @@ static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); + static int ssl_find_vhost(void *servername, conn_rec *c, server_rec *s); + #endif + +-#define SWITCH_STATUS_LINE "HTTP/1.1 101 Switching Protocols" +-#define UPGRADE_HEADER "Upgrade: TLS/1.0, HTTP/1.1" +-#define CONNECTION_HEADER "Connection: Upgrade" +- +-/* Perform an upgrade-to-TLS for the given request, per RFC 2817. 
*/ +-static apr_status_t upgrade_connection(request_rec *r) +-{ +- struct conn_rec *conn = r->connection; +- apr_bucket_brigade *bb; +- SSLConnRec *sslconn; +- apr_status_t rv; +- SSL *ssl; +- +- ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(02028) +- "upgrading connection to TLS"); +- +- bb = apr_brigade_create(r->pool, conn->bucket_alloc); +- +- rv = ap_fputstrs(conn->output_filters, bb, SWITCH_STATUS_LINE, CRLF, +- UPGRADE_HEADER, CRLF, CONNECTION_HEADER, CRLF, CRLF, NULL); +- if (rv == APR_SUCCESS) { +- APR_BRIGADE_INSERT_TAIL(bb, +- apr_bucket_flush_create(conn->bucket_alloc)); +- rv = ap_pass_brigade(conn->output_filters, bb); +- } +- +- if (rv) { +- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02029) +- "failed to send 101 interim response for connection " +- "upgrade"); +- return rv; +- } +- +- ssl_init_ssl_connection(conn, r); +- +- sslconn = myConnConfig(conn); +- ssl = sslconn->ssl; +- +- /* Perform initial SSL handshake. */ +- SSL_set_accept_state(ssl); +- SSL_do_handshake(ssl); +- +- if (SSL_get_state(ssl) != SSL_ST_OK) { +- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02030) +- "TLS upgrade handshake failed"); +- ssl_log_ssl_error(SSLLOG_MARK, APLOG_ERR, r->server); +- +- return APR_ECONNABORTED; +- } +- +- return APR_SUCCESS; +-} +- + /* Perform a speculative (and non-blocking) read from the connection + * filters for the given request, to determine whether there is any + * pending data to read. Return non-zero if there is, else zero. */ +@@ -119,23 +66,11 @@ int ssl_hook_ReadReq(request_rec *r) + { + SSLSrvConfigRec *sc = mySrvConfig(r->server); + SSLConnRec *sslconn; +- const char *upgrade; + #ifndef OPENSSL_NO_TLSEXT + const char *servername; + #endif + SSL *ssl; + +- /* Perform TLS upgrade here if "SSLEngine optional" is configured, +- * SSL is not already set up for this connection, and the client +- * has sent a suitable Upgrade header. 
*/ +- if (sc->enabled == SSL_ENABLED_OPTIONAL && !myConnConfig(r->connection) +- && (upgrade = apr_table_get(r->headers_in, "Upgrade")) != NULL +- && ap_find_token(r->pool, upgrade, "TLS/1.0")) { +- if (upgrade_connection(r)) { +- return HTTP_INTERNAL_SERVER_ERROR; +- } +- } +- + sslconn = myConnConfig(r->connection); + if (!sslconn) { + return DECLINED; +@@ -313,15 +248,6 @@ int ssl_hook_Access(request_rec *r) + * Support for SSLRequireSSL directive + */ + if (dc->bSSLRequired && !ssl) { +- if (sc->enabled == SSL_ENABLED_OPTIONAL) { +- /* This vhost was configured for optional SSL, just tell the +- * client that we need to upgrade. +- */ +- apr_table_setn(r->err_headers_out, "Upgrade", "TLS/1.0, HTTP/1.1"); +- apr_table_setn(r->err_headers_out, "Connection", "Upgrade"); +- +- return HTTP_UPGRADE_REQUIRED; +- } + + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(02219) + "access to %s failed, reason: %s", +@@ -1021,7 +947,7 @@ int ssl_hook_UserCheck(request_rec *r) + * - ssl not enabled + * - client did not present a certificate + */ +- if (!((sc->enabled == SSL_ENABLED_TRUE || sc->enabled == SSL_ENABLED_OPTIONAL) ++ if (!((sc->enabled == SSL_ENABLED_TRUE) + && sslconn && sslconn->ssl && sslconn->client_cert) || + !(dc->nOptions & SSL_OPT_FAKEBASICAUTH) || r->user) + { +@@ -1135,19 +1061,10 @@ int ssl_hook_Fixup(request_rec *r) + SSL *ssl; + int i; + +- /* If "SSLEngine optional" is configured, this is not an SSL +- * connection, and this isn't a subrequest, send an Upgrade +- * response header. 
*/ +- if (sc->enabled == SSL_ENABLED_OPTIONAL && !(sslconn && sslconn->ssl) +- && !r->main) { +- apr_table_setn(r->headers_out, "Upgrade", "TLS/1.0, HTTP/1.1"); +- apr_table_mergen(r->headers_out, "Connection", "upgrade"); +- } +- + /* + * Check to see if SSL is on + */ +- if (!(((sc->enabled == SSL_ENABLED_TRUE) || (sc->enabled == SSL_ENABLED_OPTIONAL)) && sslconn && (ssl = sslconn->ssl))) { ++ if (!((sc->enabled == SSL_ENABLED_TRUE) && sslconn && (ssl = sslconn->ssl))) { + return DECLINED; + } + +diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h +index 2d505f9..14b37b2 100644 +--- a/modules/ssl/ssl_private.h ++++ b/modules/ssl/ssl_private.h +@@ -413,8 +413,7 @@ typedef unsigned int ssl_pathcheck_t; + typedef enum { + SSL_ENABLED_UNSET = UNSET, + SSL_ENABLED_FALSE = 0, +- SSL_ENABLED_TRUE = 1, +- SSL_ENABLED_OPTIONAL = 3 ++ SSL_ENABLED_TRUE = 1 + } ssl_enabled_t; + + /** +-- +1.8.3.1 + diff --git a/httpd.spec b/httpd.spec index 30dde21..c5edfe7 100644 --- a/httpd.spec +++ b/httpd.spec @@ -15,7 +15,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.6 -Release: 99%{?dist}.3 +Release: 99%{?dist}.6 URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -257,6 +257,8 @@ Patch250: 0001-HTTP_BAD_REQUEST.patch Patch251: 0001-cleanup.patch Patch252: 0001-cve-fix-CVE-2024-38476.patch #end +Patch253: httpd-2.4.6-CVE-2024-47252.patch +Patch254: httpd-2.4.6-CVE-2025-49812.patch License: ASL 2.0 Group: System Environment/Daemons @@ -532,6 +534,8 @@ rm modules/ssl/ssl_engine_dh.c %patch250 -p1 -b .HTTP_BAD_REQUEST %patch251 -p1 -b .cleanup %patch252 -p1 -b .cve-fix-CVE-2024-38476 +%patch253 -p1 -b .CVE-2024-47252 +%patch254 -p1 -b .CVE-2025-49812 # need to be applied in the end since security patches # are changing the code that present in this patch 
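Review bot: The `@@ -1,6 +1,7 @@` hunk in ssl_engine_init.c adds a bare ` *` line into the ASF license header, which has nothing to do with CVE-2025-49812 and should be dropped so the backport is limited to the `SSL_ENABLED_OPTIONAL` removal. In ssl_engine_kernel.c the deletion in `ssl_hook_Access` leaves an empty line directly after `if (dc->bSSLRequired && !ssl) {`, and `ssl_hook_UserCheck` keeps now-redundant parentheses in `if (!((sc->enabled == SSL_ENABLED_TRUE)`; both are cosmetic but cheap to fix while the lines are touched. Because the enum constant is deleted from ssl_private.h, a build of the 2.4.6 tree should confirm that no reference to `SSL_ENABLED_OPTIONAL` survives outside the five files this patch edits, since any leftover would fail to compile rather than misbehave. The `ssl_cmd_SSLEngine` change turns `Optional` into off with only a NOTICE via `APLOGNO(10510)`, and the `HTTP_UPGRADE_REQUIRED` branch is gone, so `SSLRequireSSL` on such a vhost now takes the existing access-failed path; that behaviour change deserves a sentence in the patch description or the spec changelog. Every kernel hunk sits inside a function whose start and end lie outside the hunk.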
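Review bot: `Patch253` and `Patch254` are declared after the `#end` marker that closes the preceding run `Patch250`–`Patch252`, while their `%patch253`/`%patch254` lines in the `@@ -532,6 +534,8 @@` hunk sit inside the matching apply sequence; if `#end` delimits a maintained block of local patches, move the two `Patch25x:` lines above it so declaration and application stay parallel. The apply position, ahead of the patch that the following comment says must go last, is consistent with that comment.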
@@ -965,6 +969,9 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/rpm/macros.httpd %changelog +* Tue Dec 09 2025 zhuhongbo - 2.4.6-99.6 +- cve: fix cve CVE-2024-47252 CVE-2025-49812 + * Mon Oct 14 2024 zhuhongbo - 2.4.6-99.3 - update to httpd-2.4.6-99.3 - cve:fix CVE-2024-38476 -- Gitee