| Field | Value | Date |
|---|---|---|
| author | Jan Kaluza <jkaluza@redhat.com> | 2014-12-17 09:25:50 +0100 |
| committer | Jan Kaluza <jkaluza@redhat.com> | 2014-12-17 09:25:50 +0100 |
| commit | af9996ce6998c4c343dc7ac5677fd4f159085480 (patch) | |
| tree | af0275e44fcad8847289eb0c3582e87d911cb30d /httpd.spec | |
| parent | 8c01244b3476e5ac55981a37fab133265188a371 (diff) | |
| download | httpd-af9996ce6998c4c343dc7ac5677fd4f159085480.tar.gz, httpd-af9996ce6998c4c343dc7ac5677fd4f159085480.tar.xz, httpd-af9996ce6998c4c343dc7ac5677fd4f159085480.zip | |
core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)
- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)
- mod_proxy_fcgi: fix a potential crash with long headers (CVE-2014-3583)
- mod_lua: fix handling of the Require line when a LuaAuthzProvider is used
in multiple Require directives with different arguments (CVE-2014-8109)
Diffstat (limited to 'httpd.spec')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | httpd.spec | 19 |

1 files changed, 18 insertions, 1 deletions
@@ -14,7 +14,7 @@ Summary: Apache HTTP Server Name: httpd Version: 2.4.10 -Release: 14%{?dist} +Release: 15%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -72,6 +72,11 @@ Patch35: httpd-2.4.10-sslciphdefault.patch Patch55: httpd-2.4.4-malformed-host.patch Patch56: httpd-2.4.4-mod_unique_id.patch Patch57: httpd-2.4.10-sigint.patch +# Security fixes +Patch100: httpd-2.4.6-CVE-2013-5704.patch +Patch101: httpd-2.4.6-CVE-2014-3581.patch +Patch102: httpd-2.4.10-CVE-2014-3583.patch +Patch103: httpd-2.4.10-CVE-2014-8109.patch License: ASL 2.0 Group: System Environment/Daemons BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root @@ -216,6 +221,11 @@ interface for storing and accessing per-user session data. %patch56 -p1 -b .uniqueid %patch57 -p1 -b .sigint +%patch100 -p1 -b cve20135704 +%patch101 -p1 -b cve20143581 +%patch102 -p1 -b cve20143583 +%patch103 -p1 -b cve20148109 + # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h @@ -669,6 +679,13 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Dec 17 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.10-15 +- core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704) +- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581) +- mod_proxy_fcgi: fix a potential crash with long headers (CVE-2014-3583) +- mod_lua: fix handling of the Require line when a LuaAuthzProvider is used + in multiple Require directives with different arguments (CVE-2014-8109) + * Tue Oct 14 2014 Joe Orton <jorton@redhat.com> - 2.4.10-14 - require apr-util 1.5.x |
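Review bot: the four new `Patch100`..`Patch103` lines in the `Patch57`/`License:` hunk record nothing about where each backport came from, and a CVE id in the filename is not enough to re-verify a security patch later; add a one-line comment per patch naming the upstream revision or bug it was taken from, under the existing `# Security fixes` marker, so the next rebase can check whether the fix is already in the base tarball. The jump from `Patch57` to `Patch100` reads as a deliberately reserved range for security fixes, which is fine as long as that comment stays with it. Note also that this diffstat is limited to `httpd.spec`, so the four new `.patch` files cannot be confirmed from this view and must land in the same commit.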
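Review bot: the `-b` backup suffixes on the four new `%patch100`..`%patch103` lines in the `%prep` hunk omit the leading dot that every other `%patch` line in the block uses (`%patch56 -p1 -b .uniqueid`, `%patch57 -p1 -b .sigint`). With `-b cve20135704` the suffix is appended directly, so a patched `foo.c` would be backed up as `foo.ccve20135704` instead of `foo.c.cve20135704`, which is inconsistent with the rest of the spec and harder to spot or clean up. Change them to `%patch100 -p1 -b .cve20135704` and likewise for 101, 102 and 103.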