Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
fhs_compliance.patch | Fix up FHS file locations for apache2 droppings. | Adam Conrad <adconrad@0c3.net> | not-needed | | | 2023-10-19 |
no_LD_LIBRARY_PATH.patch | Remove LD_LIBRARY_PATH from envvars-std | Adam Conrad <adconrad@0c3.net> | no | | | 2012-04-15 |
suexec-CVE-2007-1742.patch | Fix race condition with chdir. Fix /var/www* being accepted as docroot instead of /var/www/* (the same for public_html* instead of public_html/*). | Stefan Fritsch <sf@debian.org> | yes | upstream | | 2014-05-29 |
customize_apxs.patch | Adapt apxs to Debian specific changes - Make apxs2 use a2enmod and /etc/apache2/mods-available - Make libtool happier - Use LDFLAGS from config_vars.mk, allows one to override them | Stefan Fritsch <sf@debian.org> | not-needed | | | 2012-03-17 |
build_suexec-custom.patch | add suexec-custom to the build system | Stefan Fritsch <sf@debian.org> | not-needed | | | 2012-02-25 |
reproducible_builds.diff | Make builds reproducible. Don't use __DATE__ __TIME__. Use changelog date instead. Sort exported symbols. | Jean-Michel Vourgère <nirgal@debian.org> | no | | | 2015-08-11 |
fix-macro.patch | add macro_ignore_empty and macro_ignore_bad_nesting parameters | Upstream authors | not-needed | | upstream, https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/core/mod_macro.c?r1=1770843&r2=1770842&pathrev=1770843 | 2021-10-25 |
0008-CVE-2024-38474-regression-mod_rewrite-Better-questio.patch | CVE-2024-38474 regression mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F. PR 69197. Track in do_expand() whether a '?' in the uri-path comes from a literal in the substitution string or from an expansion (variable, lookup, ...). In the former case it's safe to assume that it's the query-string separator but for the other case it's not (could be a decoded %3f from r->uri). This allows to avoid [UnsafeAllow3F] for most cases. Merges r1919325 from trunk. Reviewed by: ylavic, covener, jorton | Yann Ylavic <ylavic@apache.org> | yes | upstream | https://github.com/apache/httpd/commit/a0a68b99d131741c1867cff321424892838fc4b3 | 2024-07-27 |
0009-CVE-2024-38474-regression-mod_rewrite-Improve-safe-q.patch | CVE-2024-38474 regression mod_rewrite: Improve safe question mark detection. Trunk version of patch: https://svn.apache.org/r1920566 Backport version for 2.4.x of patch: Trunk version of patch works: svn merge -c 1920566 ^/httpd/httpd/trunk . +1: rpluem, covener, jorton | Eric Covener <covener@apache.org> | no | | https://github.com/apache/httpd/commit/c91445b7f905587aa86ad552f4a1a3f29345e695 | 2024-09-27 |
0010-VE-2024-39884-Regression-Remove-support-for-Request-.patch | VE-2024-39884 Regression. Remove support for Request-Range header sent by Navigator 2-3 and MSIE 3. Strings are from configuration and thus trusted. Submitted by: sf, rpluem. Reviewed by: rpluem, covener, jorton | Eric Covener <covener@apache.org> | yes | debian upstream | https://github.com/apache/httpd/commit/5f82765bc640ddb6a13a681464856bf8f8a5cb10 | 2024-09-27 |
0011-CVE-2024-38473-Regression-error-parsing-URL-Invalid-.patch | CVE-2024-38473 Regression error parsing URL //: Invalid host/port. [PATCH] Merge r1919532, r1919533 from trunk: *) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs in <Location> (incomplete fix in 2.4.62). PR 69160. When SetHandler "unix:..." is used in a <Location "/path"> block, the path gets appended (including $DOCUMENT_ROOT somehow) to r->filename hence the current checks in fixup_uds_filename() to add "localhost" when missing don't work. Fix them. mod_proxy: Allow for empty UDS URL hostname in ProxyPass workers too. Using "unix:/udspath\|scheme:" or "unix:/udspath\|scheme://" for a ProxyPass URL does not work currently, while it works for SetHandler "proxy:unix:...". Submitted by: ylavic. Reviewed by: ylavic, covener, rpluem | Eric Covener <covener@apache.org> | yes | debian upstream | https://github.com/apache/httpd/commit/cbf81b46440fc7759205ea715ebc452bdab7d937 | 2024-09-27 |
0012-CVE-2024-38473-regression-mod_proxy_fcgi-1-5-Don-t-r.patch | CVE-2024-38473 regression mod_proxy_fcgi [1/5]: Don't re-encode SCRIPT_FILENAME. PR 69203. Before r1918550 (r1918559 in 2.4.60), "SetHandler proxy:..." configurations did not pass through proxy_fixup() hence the proxy_canon_handler hooks, leaving fcgi's SCRIPT_FILENAME environment variable (from r->filename) decoded, or more exactly not re-encoded. We still want to call ap_proxy_canon_url() for "fcgi:" to handle/strip the UDS "unix:" case and check that r->filename is valid and contains no controls, but proxy_fcgi_canon() will not ap_proxy_canonenc_ex() thus re-encode anymore. Note that this will do the same for "ProxyPass fcgi:...", there is no reason that using SetHandler or ProxyPass don't result in the same thing. If an opt in/out makes sense we should probably look at ProxyFCGIBackendType. | Yann Ylavic <ylavic@apache.org> | no | | https://github.com/apache/httpd/pull/470/commits/690d14bcad1df3f08152cb9ea41c21ae5d85aa1b | 2024-08-01 |
0013-CVE-2024-38473-regression-mod_proxy_fcgi-2-5-Follow-.patch | CVE-2024-38473 regression mod_proxy_fcgi [2/5] Follow up to r1919620: CHANGES entry indent. | Yann Ylavic <ylavic@apache.org> | no | | https://github.com/apache/httpd/pull/470/commits/b8b45e0a83d78b40c5378e46d467c8cc09a77a8c | 2024-08-01 |
0014-CVE-2024-38473-regression-mod_proxy_fcgi-3-5-Follow-.patch | CVE-2024-38473 regression mod_proxy_fcgi [3/5] Follow up to r1919620: init path after "proxy:" is skipped. | Yann Ylavic <ylavic@apache.org> | no | | https://github.com/apache/httpd/pull/470/commits/fed3dde1989f164766ac7bd120ff83a3d4dce056 | 2024-08-01 |
0015-CVE-2024-38473-regression-mod_proxy_fcgi-4-5-Follow-.patch | CVE-2024-38473 regression mod_proxy_fcgi [4/5] Follow up to r1919620: Restore r->filename re-encoding for ProxyPass URLs. | Yann Ylavic <ylavic@apache.org> | no | | https://github.com/apache/httpd/pull/470/commits/d4f6ad9ec6e8f23d85784aec7474f4dca78348db | 2024-08-02 |
0016-CVE-2024-38473-regression-mod_proxy_fcgi-5-5-mod_pro.patch | CVE-2024-38473 regression mod_proxy_fcgi [5/5] mod_proxy_fcgi: Follow up to r1919628: Simplify. Variable from_handler is used once so axe it. | Yann Ylavic <ylavic@apache.org> | no | | https://github.com/apache/httpd/pull/470/commits/07279f7c0ced31e2b18f17c0375217df427b2aa9 | 2024-10-10 |
0017-When-a-rewrite-to-proxy-is-configured-in-the-server-.patch | When a rewrite to proxy is configured in the server config, a check is made to make sure mod_proxy is active. But the same is not done if a rewrite to proxy is configured in an .htaccess file. Basically this patch is the block of code from hook_uri2file that does the proxy check, copied to hook_fixup. Patch provided by Michael Streeter [mstreeter1 gmail.com], slightly modified to use a new APLOGNO. PR 56264. mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs. PR 69235. When mod_rewrite sets a "proxy:" URL with [P], it should be canonicalized by mod_proxy still, notably to handle any "unix:" local socket part. To avoid double encoding in perdir context, a follow up commit should remove the ap_escape_uri() done in mod_rewrite since it's now on mod_proxy to canonicalize, per PR 69260. * Leave the proper escaping of the URL and the adding of r->args to the proxy module which runs after us after r1920570. Just take care to add r->args in case the proxy rule has the [NE] flag set and tell the proxy module to not escape in this case. * Mention the additional bug. Submitted by: jailletc36, ylavic, rpluem. Reviewed by: rpluem, ylavic, covener | Ruediger Pluem <rpluem@apache.org> | yes | debian upstream | backport, https://github.com/apache/httpd/commit/88ebfaa60d3a1987dda88d74eb820294c16edc3d | 2024-10-14 |