Eric Covener [Mon, 21 Jul 2025 11:12:44 +0000 (11:12 +0000)]
fix `rewritecond expr` regression in 2.4.64
*) SECURITY: CVE-2025-54090: Apache HTTP Server: 'RewriteCond expr'
always evaluates to true in 2.4.64 (cve.mitre.org)
A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond
expr ..." tests evaluating as "true".
Users are recommended to upgrade to version 2.4.65, which fixes
the issue.
Joe Orton [Mon, 7 Jul 2025 09:15:21 +0000 (09:15 +0000)]
Merge r1926720, r1926722 from trunk:
* modules/ssl/ssl_private.h: For OpenSSL >= 3.5.0 drop $SSLKEYLOGFILE
handling inside mod_ssl where OpenSSL is built to handle that
internally in libssl.
* modules/ssl/ssl_private.h: Fix logic in r1926720 HAVE_OPENSSL_KEYLOG macro,
thanks to rpluem.
Yann Ylavic [Tue, 10 Jun 2025 11:04:01 +0000 (11:04 +0000)]
mod_asis: Fix the log level of the message AH01236
Change the log level from ERROR to DEBUG.
The message "mod_asis: ap_pass_brigade failed for file ..." was logged with
the level ERROR. This log level is inappropriate here, because a client can
trigger this log message by aborting the request.
Most other modules don't log at all or use the log level DEBUG when
ap_pass_brigade() fails.
Submitted by: Michael Kaufmann <mail michael-kaufmann.ch>
Github: closes #527
Yann Ylavic [Tue, 10 Jun 2025 11:00:37 +0000 (11:00 +0000)]
mod_session_dbd: set_cookie_name: ensure correct format
If args is an empty string, apr_strtok will return NULL and *last will never get set, which results in a SIGSEGV in the apr_isspace check.
Submitted by: Thomas Meyer <thomas@m3y3r.de>
Github: closes #503
Follow-up to r1922931.
In set_cookie_name() and set_cookie_name2(), now that the empty 'name' argument is explicitly handled, the error message in check_string() can be simplified because the cookie name can't be empty anymore when this function is called.
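Added illustration, not httpd's or APR's code: a C re-implementation of apr_strtok()'s documented behaviour (assumed faithful only as far as the NULL-before-*last point) shows why an empty args string leaves `last` unset, next to a hardened set_cookie_name()-style parser that rejects empty input before tokenizing, as the fix above does.

```c
#include <stdio.h>
#include <string.h>
/* Re-implementation of apr_strtok()'s documented behaviour (added for
 * illustration, not APR's source): with no token left it returns NULL
 * before *last is written, so 'last' must not be used on that path. */
static char *strtok_apr_style(char *str, const char *sep, char **last)
{
    char *token;
    if (!str)
        str = *last;                       /* continue a previous scan */
    while (*str && strchr(sep, *str))
        ++str;                             /* skip leading separators */
    if (!*str)
        return NULL;                       /* *last untouched here */
    token = str;
    *last = token + 1;
    while (**last && !strchr(sep, **last))
        ++*last;
    if (**last) {
        **last = '\0';
        ++*last;
    }
    return token;
}

/* 1 if tokenizing 'input' left 'last' untouched: the crash precondition
 * the commit describes (an unset 'last' then passed to apr_isspace). */
int last_untouched_after_strtok(const char *input)
{
    char buf[64], sentinel, *last = &sentinel;
    snprintf(buf, sizeof buf, "%s", input);
    strtok_apr_style(buf, " \t", &last);
    return last == &sentinel;
}

/* Hardened set_cookie_name()-style parsing: reject empty args up front and
 * touch 'last' only after a token came back. Name length or -1 if none. */
int cookie_name_length(const char *args)
{
    char buf[64], *last = NULL, *name;
    if (args == NULL || *args == '\0')
        return -1;                         /* the fix: "" never reaches strtok */
    snprintf(buf, sizeof buf, "%s", args);
    name = strtok_apr_style(buf, " \t", &last);
    if (name == NULL)
        return -1;                         /* blanks only: still no token */
    while (*last == ' ' || *last == '\t')  /* safe now: 'last' was set */
        ++last;                            /* attributes such as path= follow */
    return (int)strlen(name);
}
```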
Yann Ylavic [Tue, 10 Jun 2025 10:51:35 +0000 (10:51 +0000)]
Remove awk dependency when building using CMake. Before this awk was required
for -DWITH_MODULES option.
* build/build-modules-c.cmake:
(generate_builtin_modules_c): Function to generate modules.c.
* CMakeLists.txt
(): Use generate_builtin_modules_c() instead of `awk -f build/build-modules-c.awk`
to generate modules.c file.
* README.cmake:
(Prerequisites, How to build): Do not mention awk as prerequisite.
Follow-up to r1919413: CMake: Use configure_file() instead of file(write)
to generate modules.c file because configure_file() doesn't change
timestamp of the file if the contents are the same.
Follow-up to r1919587: CMake: Fix typo in variable name (MODULES_SYNMBOLS -> MODULES_SYMBOLS)
Merges r1919413, r1919587, r1919602 from trunk
Submitted by: ivan
Reviewed by: CTR
Yann Ylavic [Tue, 10 Jun 2025 10:43:58 +0000 (10:43 +0000)]
Merge r1912460, r1925743 from trunk:
mod_proxy: Consistently close the socket on failure to reuse the connection.
proxy_connection_create() and ap_proxy_connect_backend() sometimes close the
connection on failure, sometimes not. Always close it.
mod_proxy: restore reuse of ProxyRemote connections when possible.
Fixes a regression from 2.4.59 (r1913907).
For a reverse proxy setup with a worker (enablereuse=on) and a
forward/CONNECT ProxyRemote to reach it, an open connection/tunnel
to/through the remote proxy for the same origin server (and using the
same proxy auth) should be reusable. Avoid closing them like r1913534
did.
* modules/proxy/proxy_util.c:
Rename the struct to remote_connect_info since it's only used for
connecting through remote CONNECT proxies. Axe the use_http_connect
field, always true.
* modules/proxy/proxy_util.c(ap_proxy_connection_reusable):
Remote CONNECT (forward) proxy connections can be reused if the auth
and origin server infos are the same, so conn->forward != NULL is not
a condition to prevent reusability.
* modules/proxy/proxy_util.c(ap_proxy_determine_connection):
Fix the checks around conn->forward reuse and connection cleanup if
that's not possible.
* server/listen.c: duplicate sockets correctly when using systemd socket
activation, fix addrlen in getsockname() call.
Follow up r1608686, pass process to alloc_systemd_listener.
* server/listen.c: detect systemd socket activation using sd_listen_fds(),
drop the support for "Listen systemd" and use standard Listen syntax instead.
This allows using the same configuration file with or without socket activation
and allows setting protocol when using socket activation.
Remove libsystemd dependency from main httpd binary
Until this change httpd was linking libsystemd into the main httpd binary. If you want to run a lightweight version of httpd in a container, sometimes you just want to install
the httpd binary with as few dependencies as possible to keep the container small in size and not pull in unnecessary dependencies and libraries.
This change will move all systemd library calls from listen.c to mod_systemd module and remove systemd linking from the main httpd bin.
Fixed mixed declaration and wrongly declared variable.
mod_systemd: Axe APR_OPTIONAL_FN redeclarations to avoid compiler warning.
ap_find_systemd_socket() and ap_systemd_listen_fds() are already declared in
"ap_listen.h", so just include them.
mod_systemd: if SELinux is available and enabled, log the SELinux
context at startup, since this may vary when httpd is started via
systemd vs being started directly.
* modules/arch/unix/mod_systemd.c (systemd_post_config):
Do nothing for the pre-config iteration.
Log the SELinux context if available.
Remove some dead code. Updating 'last' is pointless here.
Ensure that ALL fields of the ap_listen_rec structure are initialized
alloc_listener initializes more fields in the created ap_listen_rec structure
than alloc_systemd_listener as it has more data to add to this structure.
Ensure that all fields of the ap_listen_rec structure are initialized at
least with 0 as later code using this structure depends on this.
Stefan Eissing [Tue, 3 Jun 2025 08:20:55 +0000 (08:20 +0000)]
Merge modules/md/md_version.h
*) mod_md: update to version 2.5.2
- Fixed TLS-ALPN-01 challenges when multiple `MDPrivateKeys` are specified
with EC keys before RSA ones. Fixes #377. [Stefan Eissing]
- Fixed missing newlines in the status page output. [Andreas Groth]
Stefan Eissing [Tue, 3 Jun 2025 08:07:31 +0000 (08:07 +0000)]
Merge of /httpd/httpd/trunk:r1925975
*) mod_http2: update to version 2.0.32
The code setting the connection window size was set wrong,
preventing `H2WindowSize` from working.
Fixed <https://github.com/icing/mod_h2/issues/300>.
Stefan Eissing [Tue, 3 Jun 2025 07:48:08 +0000 (07:48 +0000)]
Merge /httpd/httpd/trunk:r1924554
* mod_proxy_http2: revert r1912193 for detecting broken backend connections
as this interferes with backend selection when a node is unresponsive.
PR69624.
*) mod_http2: update to version 2.0.30
- Fixed a bug in handling over-long response headers. When the 64 KB limit
of nghttp2 was exceeded, the request was not reset and the client was
left hanging, waiting for it. Now the stream is reset.
- Added new directive `H2MaxHeaderBlockLen` to set the limit on response
header sizes.
- Fixed handling of Timeout vs. KeepAliveTimeout when first request on a
connection was reset.
Joe Orton [Wed, 9 Apr 2025 16:02:25 +0000 (16:02 +0000)]
Merge r1923271, r1923300, r1923302 from trunk:
CI: Add 64-bit ARM job to Linux workflow. See:
https://github.blog/changelog/2025-01-16-linux-arm64-hosted-runners-now-available-for-free-in-public-repositories-public-preview/
Disable the arm64 job, it appears there are not enough runners.
CI: Retry arm64 workflow with the correct label this time.
Joe Orton [Wed, 9 Apr 2025 15:18:19 +0000 (15:18 +0000)]
Merge r1924958 from trunk:
CI: Use the git commit hash to determine the revision of APR/APR-util
from the github repos, and build exactly that, rather than relying on SVN:
- works if apr/apr-util moves to a r/w git in the future
- removes a race for branches where the git revision tested
could be different to the SVN revision retrieved before