For details see: https://dlcdn.apache.org/httpd/CHANGES_2.4.56 "Changes with Apache 2.4.56 *) SECURITY: CVE-2023-27522: Apache HTTP Server: mod_proxy_uwsgi HTTP response splitting (cve.mitre.org) HTTP Response Smuggling vulnerability in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.55. Special characters in the origin response header can truncate/split the response forwarded to the client. Credits: Dimas Fariski Setyawan Putra (nyxsorcerer) *) SECURITY: CVE-2023-25690: HTTP request splitting with mod_rewrite and mod_proxy (cve.mitre.org) Some mod_proxy configurations on Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP Request Smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution. For example, something like: RewriteEngine on RewriteRule "^/here/(.*)" " http://example.com:8080/elsewhere?$1" http://example.com:8080/elsewhere ; [P] ProxyPassReverse /here/ http://example.com:8080/ http://example.com:8080/ Request splitting/smuggling could result in bypass of access controls in the proxy server, proxying unintended URLs to existing origin servers, and cache poisoning. Credits: Lars Krapf of Adobe *) rotatelogs: Add -T flag to allow subsequent rotated logfiles to be truncated without the initial logfile being truncated. [Eric Covener] *) mod_ldap: LDAPConnectionPoolTTL should accept negative values in order to allow connections of any age to be reused. Up to now, a negative value was handled as an error when parsing the configuration file. PR 66421. [nailyk <bzapache nailyk.fr>, Christophe Jaillet] *) mod_proxy_ajp: Report an error if the AJP backend sends an invalid number of headers. 
[Ruediger Pluem] *) mod_md: - Enabling ED25519 support and certificate transparency information when building with libressl v3.5.0 and newer. Thanks to Giovanni Bechis. - MDChallengeDns01 can now be configured for individual domains. Thanks to Jérôme Billiras (@bilhackmac) for the initial PR. - Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge teardown not being invoked as it should. [Stefan Eissing] *) mod_http2: client resets of HTTP/2 streams led to unwanted 500 errors reported in access logs and error documents. The processing of the reset was correct, only unneccesary reporting was caused. [Stefan Eissing] *) mod_proxy_uwsgi: Stricter backend HTTP response parsing/validation. [Yann Ylavic]" Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007-2023 IPFire Team <info@ipfire.org>                       #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################
###############################################################################
# Definitions
###############################################################################
# Shared IPFire build configuration. Every variable used below that is not
# defined in this file (URL_IPFIRE, DIR_SRC, DIR_INFO, DIR_DL, DIR_CHK,
# DIR_CONF, MAKETUNING) and every recipe macro (CHECK, LOAD, B2SUM,
# PREBUILD, POSTBUILD) is expected to come from here.
include Config

# Apache HTTP Server release to build. 2.4.56 ships the fixes for
# CVE-2023-27522 (mod_proxy_uwsgi response splitting) and CVE-2023-25690
# (request splitting via mod_rewrite/mod_proxy) listed in the commit message.
VER = 2.4.56

# Unpacked source directory name and the tarball that produces it.
THISAPP = httpd-$(VER)
DL_FILE = $(THISAPP).tar.bz2
# Archives are fetched from the IPFire mirror, not from upstream directly.
DL_FROM = $(URL_IPFIRE)

# Where the tarball is unpacked and built.
DIR_APP = $(DIR_SRC)/$(THISAPP)

# Stamp file that marks this package as installed; it is the target of the
# `install` rule below.
TARGET = $(DIR_INFO)/$(THISAPP)

# Packages that must be built before this one.
DEPS = aprutil pcre
###############################################################################
# Top-level Rules
###############################################################################
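# Every archive this package downloads and verifies.
objects = $(DL_FILE)

# Per-archive download URL, keyed by the archive's file name
# (a variable whose *name* is the tarball name).
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

# Per-archive BLAKE2 checksum, same naming scheme with a `_BLAKE2` suffix.
# Do not edit by hand: it pins the exact 2.4.56 tarball that is verified
# before it is unpacked and built.
$(DL_FILE)_BLAKE2 = f9aaf5038543aeec79d5b8615b1b2120fe321966280574c685070f2356f8f1dba1d55a9a25f46cb5ecdd6e3f03785fe7a4e1b965506896cb889720728aa18101

# These four targets are commands, not files; declare them phony so a stray
# file or directory of the same name in the working directory can never make
# `make install` / `make check` a silent no-op.
.PHONY: install check download b2

# Build and install the package (the stamp file is the real target).
install : $(TARGET)

# Verify the checksum of every downloaded archive.
check : $(patsubst %,$(DIR_CHK)/%,$(objects))

# Fetch every archive into the download cache.
download : $(patsubst %,$(DIR_DL)/%,$(objects))

# Print the BLAKE2 checksum(s). NOTE: $(subst) replaces only a literal '%',
# so this expands to the bare archive name(s); the rule with the same target
# expression in the "b2sum" section below provides the recipe.
b2 : $(subst %,%_BLAKE2,$(objects))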
###############################################################################
# Downloading, checking, b2sum
###############################################################################
# Checksum-verification stamp for each archive (one target per entry in
# $(objects), prefixed with $(DIR_CHK)). The recipe body comes from Config.
$(objects:%=$(DIR_CHK)/%) :
	@$(CHECK)
# Cached copy of each archive (one target per entry in $(objects), prefixed
# with $(DIR_DL)). The recipe body comes from Config.
$(objects:%=$(DIR_DL)/%) :
	@$(LOAD)
# BLAKE2 checksum target for each archive. The target expression is identical
# to the prerequisite list of the `b2` rule above, so `make b2` ends up here;
# the recipe body comes from Config.
$(subst %,%_BLAKE2,$(objects)) :
	@$(B2SUM)
###############################################################################
# Installation Details
###############################################################################
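# Unpack, configure, build and install httpd, then write the install stamp.
# Prerequisites are the cached archives; PREBUILD/POSTBUILD (from Config)
# bracket the work — POSTBUILD presumably creates $(TARGET) itself.
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
	@$(PREBUILD)
	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)

	### Add IPFire's layout, too
	# Appended to upstream's config.layout and selected below via
	# --enable-layout=IPFire. Web content lives under /srv/web/ipfire,
	# configuration under /etc/httpd/conf, modules under /usr/lib/apache.
	echo "# IPFire layout" >> $(DIR_APP)/config.layout
	echo "<Layout IPFire>" >> $(DIR_APP)/config.layout
	echo " prefix: /usr" >> $(DIR_APP)/config.layout
	echo " exec_prefix: /usr" >> $(DIR_APP)/config.layout
	echo " bindir: /usr/bin" >> $(DIR_APP)/config.layout
	echo " sbindir: /usr/sbin" >> $(DIR_APP)/config.layout
	echo " libdir: /usr/lib" >> $(DIR_APP)/config.layout
	echo " libexecdir: /usr/lib/apache" >> $(DIR_APP)/config.layout
	echo " mandir: /usr/share/man" >> $(DIR_APP)/config.layout
	echo " sysconfdir: /etc/httpd/conf" >> $(DIR_APP)/config.layout
	echo " datadir: /srv/web/ipfire" >> $(DIR_APP)/config.layout
	echo " installbuilddir: /usr/lib/apache/build" >> $(DIR_APP)/config.layout
	echo " errordir: /srv/web/ipfire/error" >> $(DIR_APP)/config.layout
	echo " iconsdir: /srv/web/ipfire/icons" >> $(DIR_APP)/config.layout
	echo " htdocsdir: /srv/web/ipfire/htdocs" >> $(DIR_APP)/config.layout
	echo " manualdir: /srv/web/ipfire/manual" >> $(DIR_APP)/config.layout
	echo " cgidir: /srv/web/ipfire/cgi-bin" >> $(DIR_APP)/config.layout
	echo " includedir: /usr/include/apache" >> $(DIR_APP)/config.layout
	echo " localstatedir: /srv/web/ipfire" >> $(DIR_APP)/config.layout
	echo " runtimedir: /var/run" >> $(DIR_APP)/config.layout
	echo " logfiledir: /var/log/httpd" >> $(DIR_APP)/config.layout
	echo " proxycachedir: /var/cache/apache/proxy" >> $(DIR_APP)/config.layout
	echo "</Layout>" >> $(DIR_APP)/config.layout

	# All modules are built shared; the event MPM is used. mod_proxy is
	# enabled, which is the module affected by CVE-2023-25690 (request
	# splitting through RewriteRule/ProxyPassMatch substitution) fixed in
	# this release, so keep VER at or above 2.4.56. Lua and mod_md are
	# deliberately left out.
	cd $(DIR_APP) && ./configure --enable-layout=IPFire \
		--enable-ssl --enable-mods-shared=all --enable-proxy --with-mpm=event --disable-lua --disable-md
	# Use $(MAKE) rather than a literal `make` so the sub-make inherits
	# flags such as -n and cooperates with the parent's jobserver.
	cd $(DIR_APP) && $(MAKE) $(MAKETUNING)
	cd $(DIR_APP) && $(MAKE) install

	# Installed helper binaries and man pages must be owned by root. The
	# file lists are expanded by Make functions instead of shell brace
	# expansion, so the recipe does not depend on /bin/sh being bash.
	chown -v root:root /usr/lib/apache/httpd.exp \
		$(addprefix /usr/bin/,apxs dbmmanage) \
		/usr/sbin/apachectl \
		$(addprefix /usr/share/man/man1/,$(addsuffix .1,ab apxs dbmmanage htdbm htdigest htpasswd httxt2dbm logresolve)) \
		$(addprefix /usr/share/man/man8/,$(addsuffix .8,apachectl htcacheclean httpd rotatelogs suexec))

	# Install apache config
	cp -rf $(DIR_CONF)/httpd/* /etc/httpd/conf
	# hostname.conf must exist even when empty; presumably filled in at
	# runtime by the system — TODO confirm against the consumer.
	touch /etc/httpd/conf/hostname.conf

	# Create captive logging directory
	# `mkdir -p` already succeeds when the directory exists, so the error
	# is not ignored: a genuine failure (permissions, path is a file) must
	# abort the build instead of leaving the log directory missing.
	mkdir -pv /var/log/httpd/captive

	@rm -rf $(DIR_APP)
	@$(POSTBUILD)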