diff -Nru apache2-2.4.46/debian/apache2ctl apache2-2.4.46/debian/apache2ctl --- apache2-2.4.46/debian/apache2ctl 2021-03-09 00:45:35.000000000 +0000 +++ apache2-2.4.46/debian/apache2ctl 2021-11-14 23:50:00.000000000 +0000 @@ -143,21 +143,6 @@ fi } -need_systemd () { - # Detect if systemd is in use and should be used for managing - # the Apache2 httpd service. Returns 0 if so, 1 otherwise. - if [ -z "${APACHE_STARTED_BY_SYSTEMD}" ]; then - case "$(readlink -f /proc/1/exe)" in - *systemd*) - return 0 - ;; - esac - # With Docker, /proc/1 is not necessarily an init system, - # so fallback to checking in /run. - [ -d /run/systemd/system ] - fi - return 1 -} [ ! -d ${APACHE_RUN_DIR:-/var/run/apache2} ] && mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2} [ ! -d ${APACHE_LOCK_DIR:-/var/lock/apache2} ] && mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2} 
@@ -168,38 +153,38 @@ # (this is bad if there are several apache2 instances running) rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache* - if need_systemd; then + need_systemd=false + if [ -z "$APACHE_STARTED_BY_SYSTEMD" ] ; then + case "$(readlink -f /proc/1/exe)" in + *systemd*) + need_systemd=true + ;; + *) + ;; + esac + fi + if $need_systemd ; then # If running on systemd we should not start httpd without systemd # or systemd will get confused about the status of httpd. - echo "Invoking 'systemctl start ${APACHE_SYSTEMD_SERVICE}'." - echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info." - systemctl start "${APACHE_SYSTEMD_SERVICE}" + echo "Invoking 'systemctl start $APACHE_SYSTEMD_SERVICE'." + echo "Use 'systemctl status $APACHE_SYSTEMD_SERVICE' for more info." + systemctl start "$APACHE_SYSTEMD_SERVICE" else unset APACHE_STARTED_BY_SYSTEMD - ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}" + $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV" fi ERROR=$? ;; stop|graceful-stop) - ${HTTPD} ${APACHE_ARGUMENTS} -k "$ARGV" + $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV" ERROR=$? ;; restart|graceful) if $HTTPD ${APACHE_ARGUMENTS} -t 2> /dev/null ; then - if need_systemd; then - # If running on systemd we should not directly restart httpd since - # systemd would be confused about httpd's status. - # (See LP: #1832182) - echo "Invoking 'systemctl restart ${APACHE_SYSTEMD_SERVICE}'." - echo "Use 'systemctl status ${APACHE_SYSTEMD_SERVICE}' for more info." - systemctl restart "${APACHE_SYSTEMD_SERVICE}" - else - unset APACHE_STARTED_BY_SYSTEMD - ${HTTPD} ${APACHE_ARGUMENTS} -k "${ARGV}" - fi + $HTTPD ${APACHE_ARGUMENTS} -k "$ARGV" else - ${HTTPD} ${APACHE_ARGUMENTS} -t + $HTTPD ${APACHE_ARGUMENTS} -t fi ERROR=$? ;; diff -Nru apache2-2.4.46/debian/changelog apache2-2.4.46/debian/changelog --- apache2-2.4.46/debian/changelog 2021-09-28 10:57:42.000000000 +0000 +++ apache2-2.4.46/debian/changelog 2022-01-05 14:38:48.000000000 +0000 
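Review bot: The inline block that sets `need_systemd` in the `start` branch has no comment, whereas the removed `need_systemd()` function documented what it detects and what it returns. A line above it such as `# Detect whether PID 1 is systemd; skipped when systemd itself started us (APACHE_STARTED_BY_SYSTEMD is set)` would restore that. As a style point, `if $need_systemd ; then` runs the variable's value as a command; `if [ "$need_systemd" = true ]; then` states the test explicitly and does not depend on the variable only ever holding `true` or `false`. The enclosing `case` statement starts and ends outside the hunk.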
@@ -1,3 +1,30 @@
+apache2 (2.4.46-4ubuntu1.5) hirsute-security; urgency=medium
+
+ * SECURITY UPDATE: DoS or SSRF via forward proxy
+ - debian/patches/CVE-2021-44224-1.patch: enforce that fully qualified
+ uri-paths not to be forward-proxied have an http(s) scheme, and that
+ the ones to be forward proxied have a hostname in
+ include/http_protocol.h, modules/http/http_request.c,
+ modules/http2/h2_request.c, modules/proxy/mod_proxy.c,
+ modules/proxy/proxy_util.c, server/protocol.c.
+ - debian/patches/CVE-2021-44224-2.patch: don't prevent forwarding URIs
+ w/ no hostname in modules/proxy/mod_proxy.c,
+ modules/proxy/proxy_util.c.
+ - CVE-2021-44224
+ * SECURITY UPDATE: overflow in mod_lua multipart parser
+ - debian/patches/CVE-2021-44790.patch: improve error handling in
+ modules/lua/lua_request.c.
+ - CVE-2021-44790
+
+ -- Marc Deslauriers Wed, 05 Jan 2022 09:38:48 -0500
+
+apache2 (2.4.46-4ubuntu1.4) hirsute; urgency=medium
+
+ * Revert fix from 2.4.46-1ubuntu2, due to performance regression.
+ (LP 1832182)
+
+ -- Bryce Harrington Sun, 14 Nov 2021 23:50:00 +0000
+
 apache2 (2.4.46-4ubuntu1.3) hirsute-security; urgency=medium
 
 * SECURITY REGRESSION: Issues in UDS URIs (LP: #1945311)
diff -Nru apache2-2.4.46/debian/patches/CVE-2021-44224-1.patch apache2-2.4.46/debian/patches/CVE-2021-44224-1.patch
--- apache2-2.4.46/debian/patches/CVE-2021-44224-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.4.46/debian/patches/CVE-2021-44224-1.patch 2022-01-05 14:37:20.000000000 +0000
@@ -0,0 +1,286 @@ +Backport of: + +From a962ba73047b5478d702c8ad09fd1a167e1d3736 Mon Sep 17 00:00:00 2001 +From: Yann Ylavic +Date: Tue, 14 Dec 2021 15:35:56 +0000 +Subject: [PATCH] Merge r1895914, r1895921 from trunk: + + *) http: Enforce that fully qualified uri-paths not to be forward-proxied + have an http(s) scheme, and that the ones to be forward proxied have a + hostname, per HTTP specifications. + trunk patch: http://svn.apache.org/r1895914 + http://svn.apache.org/r1895921 + 2.4.x patch: https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/286.patch + backport PR: https://github.com/apache/httpd/pull/286 + +1: ylavic, minfrin, gbechis + + +mod_proxy: Detect unix: scheme syntax errors at load time. + +* modules/proxy/mod_proxy.c(add_pass, add_member, set_proxy_param, + proxysection): + Check return value of ap_proxy_de_socketfy(). + +* modules/proxy/proxy_util.c(ap_proxy_get_worker_ex): + Check return value of ap_proxy_de_socketfy(). + + + +http: Enforce that fully qualified uri-paths not to be forward-proxied + have an http(s) scheme, and that the ones to be forward proxied have a + hostname, per HTTP specifications. + +The early checks avoid failing the request later on and thus save cycles +for those invalid cases. 
+ + +Submitted by: ylavic +Reviewed by: ylavic, minfrin, gbechis +Closes #286 + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1895955 13f79535-47bb-0310-9956-ffa450edef68 +--- + CHANGES | 4 ++++ + include/ap_mmn.h | 3 ++- + include/http_protocol.h | 7 ++++++ + modules/http/http_request.c | 2 +- + modules/http2/h2_request.c | 2 +- + modules/proxy/mod_proxy.c | 44 ++++++++++++++++++++++++++----------- + modules/proxy/proxy_util.c | 3 +++ + server/protocol.c | 23 ++++++++++++++++++- + 8 files changed, 71 insertions(+), 17 deletions(-) + +#diff --git a/CHANGES b/CHANGES +#index 910a689445c..12ad612d5cb 100644 +#--- a/CHANGES +#+++ b/CHANGES +#@@ -1,6 +1,10 @@ +# -*- coding: utf-8 -*- +# Changes with Apache 2.4.52 +# +#+ *) http: Enforce that fully qualified uri-paths not to be forward-proxied +#+ have an http(s) scheme, and that the ones to be forward proxied have a +#+ hostname, per HTTP specifications. [Ruediger Pluem, Yann Ylavic] +#+ +# *) OpenSSL autoconf detection improvement: pick up openssl.pc in the +# specified openssl path. [Joe Orton] +# +#diff --git a/include/ap_mmn.h b/include/ap_mmn.h +#index fe24261ee87..90ff1a86a6f 100644 +#--- a/include/ap_mmn.h +#+++ b/include/ap_mmn.h +#@@ -586,6 +586,7 @@ +# * dav_find_attr(). +# * 20120211.120 (2.4.51-dev) Add dav_liveprop_elem structure and +# * dav_get_liveprop_element(). 
+#+ * 20120211.121 (2.4.51-dev) Add ap_post_read_request() +# * +# */ +# +#@@ -594,7 +595,7 @@ +# #ifndef MODULE_MAGIC_NUMBER_MAJOR +# #define MODULE_MAGIC_NUMBER_MAJOR 20120211 +# #endif +#-#define MODULE_MAGIC_NUMBER_MINOR 120 /* 0...n */ +#+#define MODULE_MAGIC_NUMBER_MINOR 121 /* 0...n */ +# +# /** +# * Determine if the server's current MODULE_MAGIC_NUMBER is at least a +--- a/include/http_protocol.h ++++ b/include/http_protocol.h +@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(req + AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, + apr_bucket_brigade *bb); + ++/** ++ * Run post_read_request hook and validate. ++ * @param r The current request ++ * @return OK or HTTP_... ++ */ ++AP_DECLARE(int) ap_post_read_request(request_rec *r); ++ + /* Finish up stuff after a request */ + + /** +--- a/modules/http/http_request.c ++++ b/modules/http/http_request.c +@@ -680,7 +680,7 @@ static request_rec *internal_internal_re + * to do their thing on internal redirects as well. Perhaps this is a + * misnamed function. + */ +- if ((access_status = ap_run_post_read_request(new))) { ++ if ((access_status = ap_post_read_request(new))) { + ap_die(access_status, new); + return NULL; + } +--- a/modules/http2/h2_request.c ++++ b/modules/http2/h2_request.c +@@ -265,7 +265,7 @@ request_rec *h2_request_create_rec(const + ap_add_input_filter_handle(ap_http_input_filter_handle, + NULL, r, r->connection); + +- if ((access_status = ap_run_post_read_request(r))) { ++ if ((access_status = ap_post_read_request(r))) { + /* Request check post hooks failed. An example of this would be a + * request for a vhost where h2 is disabled --> 421. + */ +--- a/modules/proxy/mod_proxy.c ++++ b/modules/proxy/mod_proxy.c +@@ -582,13 +582,13 @@ static int proxy_detect(request_rec *r) + + /* Ick... 
msvc (perhaps others) promotes ternary short results to int */ + +- if (conf->req && r->parsed_uri.scheme) { ++ if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) { + /* but it might be something vhosted */ +- if (!(r->parsed_uri.hostname +- && !strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r)) +- && ap_matches_request_vhost(r, r->parsed_uri.hostname, +- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port +- : ap_default_port(r))))) { ++ if (strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0 ++ || !ap_matches_request_vhost(r, r->parsed_uri.hostname, ++ (apr_port_t)(r->parsed_uri.port_str ++ ? r->parsed_uri.port ++ : ap_default_port(r)))) { + r->proxyreq = PROXYREQ_PROXY; + r->uri = r->unparsed_uri; + r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL); +@@ -1734,6 +1734,7 @@ static const char * + struct proxy_alias *new; + char *f = cmd->path; + char *r = NULL; ++ const char *real; + char *word; + apr_table_t *params = apr_table_make(cmd->pool, 5); + const apr_array_header_t *arr; +@@ -1799,6 +1800,10 @@ static const char * + if (r == NULL) { + return "ProxyPass|ProxyPassMatch needs a path when not defined in a location"; + } ++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) { ++ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL"; ++ } ++ + + /* if per directory, save away the single alias */ + if (cmd->path) { +@@ -1815,7 +1820,7 @@ static const char * + } + + new->fake = apr_pstrdup(cmd->pool, f); +- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r)); ++ new->real = apr_pstrdup(cmd->pool, real); + new->flags = flags; + if (use_regex) { + new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED); +@@ -2300,6 +2305,7 @@ static const char *add_member(cmd_parms + proxy_worker *worker; + char *path = cmd->path; + char *name = NULL; ++ const char *real; + char *word; + apr_table_t *params = apr_table_make(cmd->pool, 5); + const apr_array_header_t *arr; +@@ -2340,6 +2346,9 @@ static const char 
*add_member(cmd_parms + return "BalancerMember must define balancer name when outside section"; + if (!name) + return "BalancerMember must define remote proxy server"; ++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) { ++ return "BalancerMember uses an invalid \"unix:\" URL"; ++ } + + ap_str_tolower(path); /* lowercase scheme://hostname */ + +@@ -2352,7 +2361,7 @@ static const char *add_member(cmd_parms + } + + /* Try to find existing worker */ +- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, ap_proxy_de_socketfy(cmd->temp_pool, name)); ++ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real); + if (!worker) { + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147) + "Defining worker '%s' for balancer '%s'", +@@ -2441,7 +2450,13 @@ static const char * + } + } + else { +- worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, ap_proxy_de_socketfy(cmd->temp_pool, name)); ++ const char *real; ++ ++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) { ++ return "ProxySet uses an invalid \"unix:\" URL"; ++ } ++ ++ worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, real); + if (!worker) { + if (in_proxy_section) { + err = ap_proxy_define_worker(cmd->pool, &worker, NULL, +@@ -2583,8 +2598,14 @@ static const char *proxysection(cmd_parm + } + } + else { ++ const char *real; ++ ++ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) { ++ return " uses an invalid \"unix:\" URL"; ++ } ++ + worker = ap_proxy_get_worker(cmd->temp_pool, NULL, sconf, +- ap_proxy_de_socketfy(cmd->temp_pool, (char*)conf->p)); ++ real); + if (!worker) { + err = ap_proxy_define_worker(cmd->pool, &worker, NULL, + sconf, conf->p, 0); +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -1678,6 +1678,9 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_g + } + + url = ap_proxy_de_socketfy(p, url); ++ if (!url) { ++ return NULL; ++ } + + c = ap_strchr_c(url, ':'); + if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] 
== '\0') { +--- a/server/protocol.c ++++ b/server/protocol.c +@@ -1545,7 +1545,7 @@ request_rec *ap_read_request(conn_rec *c + /* we may have switched to another server */ + apply_server_config(r); + +- if ((access_status = ap_run_post_read_request(r))) { ++ if ((access_status = ap_post_read_request(r))) { + goto die; + } + +@@ -1600,6 +1600,27 @@ ignore: + return NULL; + } + ++AP_DECLARE(int) ap_post_read_request(request_rec *r) ++{ ++ int status; ++ ++ if ((status = ap_run_post_read_request(r))) { ++ return status; ++ } ++ ++ /* Enforce http(s) only scheme for non-forward-proxy requests */ ++ if (!r->proxyreq ++ && r->parsed_uri.scheme ++ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0 ++ || (r->parsed_uri.scheme[4] != '\0' ++ && (apr_tolower(r->parsed_uri.scheme[4]) != 's' ++ || r->parsed_uri.scheme[5] != '\0')))) { ++ return HTTP_BAD_REQUEST; ++ } ++ ++ return OK; ++} ++ + /* if a request with a body creates a subrequest, remove original request's + * input headers which pertain to the body which has already been read. + * out-of-line helper function for ap_set_sub_req_protocol. diff -Nru apache2-2.4.46/debian/patches/CVE-2021-44224-2.patch apache2-2.4.46/debian/patches/CVE-2021-44224-2.patch --- apache2-2.4.46/debian/patches/CVE-2021-44224-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.46/debian/patches/CVE-2021-44224-2.patch 2022-01-05 14:38:36.000000000 +0000 
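Review bot: CVE-2021-44224-1.patch adds and exports `ap_post_read_request()` in include/http_protocol.h and server/protocol.c, but the upstream `include/ap_mmn.h` section that records it (minor 121) is commented out with `#`, as is the CHANGES section, and the `Backport of:` header does not mention either. Modules built against this package therefore cannot use the module magic number to tell whether the function exists. The header should list the dropped sections and the reason, for example `Ubuntu: CHANGES and include/ap_mmn.h hunks commented out (do not apply to 2.4.46); MMN minor unchanged`; the reason given there is a guess and needs confirming. The same gap is in CVE-2021-44224-2.patch, whose diffstat lists `modules/proxy/mod_proxy.h | 1 +` although the patch body has no mod_proxy.h section.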
@@ -0,0 +1,73 @@ +Backport of: + +From a0521d289ae14e4ac004811dc1ef91b3e118a2f6 Mon Sep 17 00:00:00 2001 +From: Stefan Eissing +Date: Thu, 16 Dec 2021 11:23:49 +0000 +Subject: [PATCH] Merge of r1895981,r1895986 from trunk: + + *) mod_proxy: Don't prevent forwarding URIs w/ no hostname. + (fix for r1895955 already in 2.4.x) + + + +git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896044 13f79535-47bb-0310-9956-ffa450edef68 +--- + modules/proxy/mod_proxy.c | 5 +++-- + modules/proxy/mod_proxy.h | 1 + + modules/proxy/proxy_util.c | 22 ++++++++++++---------- + 3 files changed, 16 insertions(+), 12 deletions(-) + +--- a/modules/proxy/mod_proxy.c ++++ b/modules/proxy/mod_proxy.c +@@ -582,9 +582,10 @@ static int proxy_detect(request_rec *r) + + /* Ick... msvc (perhaps others) promotes ternary short results to int */ + +- if (conf->req && r->parsed_uri.scheme && r->parsed_uri.hostname) { ++ if (conf->req && r->parsed_uri.scheme) { + /* but it might be something vhosted */ +- if (strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0 ++ if (!r->parsed_uri.hostname ++ || strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0 + || !ap_matches_request_vhost(r, r->parsed_uri.hostname, + (apr_port_t)(r->parsed_uri.port_str + ? 
r->parsed_uri.port +--- a/modules/proxy/proxy_util.c ++++ b/modules/proxy/proxy_util.c +@@ -2150,22 +2150,21 @@ PROXY_DECLARE(int) ap_proxy_pre_request( + + access_status = proxy_run_pre_request(worker, balancer, r, conf, url); + if (access_status == DECLINED && *balancer == NULL) { ++ const int forward = (r->proxyreq == PROXYREQ_PROXY); + *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url); + if (*worker) { + ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, + "%s: found worker %s for %s", + (*worker)->s->scheme, (*worker)->s->name, *url); +- *balancer = NULL; +- if (!fix_uds_filename(r, url)) { ++ if (!forward && !fix_uds_filename(r, url)) { + return HTTP_INTERNAL_SERVER_ERROR; + } + access_status = OK; + } +- else if (r->proxyreq == PROXYREQ_PROXY) { ++ else if (forward) { + if (conf->forward) { + ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, + "*: found forward proxy worker for %s", *url); +- *balancer = NULL; + *worker = conf->forward; + access_status = OK; + /* +@@ -2179,8 +2178,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request( + else if (r->proxyreq == PROXYREQ_REVERSE) { + if (conf->reverse) { + ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, +- "*: using default reverse proxy worker for %s (no keepalive)", *url); +- *balancer = NULL; ++ "*: using default reverse proxy worker for %s " ++ "(no keepalive)", *url); + *worker = conf->reverse; + access_status = OK; + /* diff -Nru apache2-2.4.46/debian/patches/CVE-2021-44790.patch apache2-2.4.46/debian/patches/CVE-2021-44790.patch --- apache2-2.4.46/debian/patches/CVE-2021-44790.patch 1970-01-01 00:00:00.000000000 +0000 +++ apache2-2.4.46/debian/patches/CVE-2021-44790.patch 2022-01-05 14:38:41.000000000 +0000 
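Review bot: In `ap_proxy_pre_request()` (CVE-2021-44224-2.patch) the new condition `if (!forward && !fix_uds_filename(r, url))` skips `fix_uds_filename()` for forward-proxy requests that match a worker, and nothing in the hunk says why. This appears to control whether a request URL can be rewritten to a Unix-domain-socket target, so the intent deserves a comment beside the guard, for instance `/* UDS rewriting applies to non-forward (configured) workers only */`. That security rationale is inferred from the CVE context and should be confirmed against upstream. The function body starts and ends outside the hunk.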
@@ -0,0 +1,26 @@
+From 07b9768cef6a224d256358c404c6ed5622d8acce Mon Sep 17 00:00:00 2001
+From: Stefan Eissing
+Date: Thu, 16 Dec 2021 11:15:47 +0000
+Subject: [PATCH] Merge r1895970 from trunk:
+
+ *) mod_lua: Improve error handling
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1896039 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/lua/lua_request.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
+index 67ff432e51f..493b2bb431c 100644
+--- a/modules/lua/lua_request.c
++++ b/modules/lua/lua_request.c
+@@ -410,6 +410,7 @@ static int req_parsebody(lua_State *L)
+ if (end == NULL) break;
+ key = (char *) apr_pcalloc(r->pool, 256);
+ filename = (char *) apr_pcalloc(r->pool, 256);
++ if (end - crlf <= 8) break;
+ vlen = end - crlf - 8;
+ buffer = (char *) apr_pcalloc(r->pool, vlen+1);
+ memcpy(buffer, crlf + 4, vlen);
diff -Nru apache2-2.4.46/debian/patches/series apache2-2.4.46/debian/patches/series
--- apache2-2.4.46/debian/patches/series 2021-09-28 10:57:35.000000000 +0000
+++ apache2-2.4.46/debian/patches/series 2022-01-05 14:38:41.000000000 +0000
@@ -26,3 +26,6 @@
 CVE-2021-33193.patch
 CVE-2021-40438-2.patch
 CVE-2021-40438-3.patch
+CVE-2021-44224-1.patch
+CVE-2021-44224-2.patch
+CVE-2021-44790.patch
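Review bot: In `req_parsebody()` (CVE-2021-44790.patch) the new guard `if (end - crlf <= 8) break;` sits after the two `apr_pcalloc(r->pool, 256)` calls for `key` and `filename`, so a malformed part still costs two pool allocations before it is rejected. Moving the guard directly under `if (end == NULL) break;` avoids that. The constant 8 is also unexplained; a comment such as `/* part too short: vlen = end - crlf - 8 would be <= 0 and must not reach apr_pcalloc/memcpy */` would record why the check exists. The loop and the declaration of `vlen` are outside the hunk, so its type cannot be confirmed from here.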