From 1613bac9d05369b2c06807719a2d6c85592eaa21 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Mon, 1 Jul 2024 19:06:36 +0200
Subject: Merging debian version 2.4.60-1.

Signed-off-by: Daniel Baumann
---
 debian/apache2-utils.ufw.profile | 14 ++++
 debian/apache2.dirs | 1 +
 debian/apache2.install | 1 +
 debian/apache2.postrm | 1 +
 debian/changelog | 25 +++++++
 debian/control | 5 +-
 debian/index.html | 4 +-
 debian/patches/fhs_compliance.patch | 4 +-
 debian/tests/CVE-2023-25690 | 110 +++++++++++++++++++++++++++
 debian/tests/control | 8 ++
 debian/tests/uwsgi | 145 ++++++++++++++++++++++++++++++++++++
 11 files changed, 312 insertions(+), 6 deletions(-)
 create mode 100644 debian/apache2-utils.ufw.profile
 create mode 100644 debian/tests/CVE-2023-25690
 create mode 100644 debian/tests/uwsgi

diff --git a/debian/apache2-utils.ufw.profile b/debian/apache2-utils.ufw.profile
new file mode 100644
index 0000000..974a655
--- /dev/null
+++ b/debian/apache2-utils.ufw.profile
@@ -0,0 +1,14 @@
+[Apache]
+title=Web Server
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=80/tcp
+
+[Apache Secure]
+title=Web Server (HTTPS)
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=443/tcp
+
+[Apache Full]
+title=Web Server (HTTP,HTTPS)
+description=Apache v2 is the next generation of the omnipresent Apache web server.
+ports=80,443/tcp
diff --git a/debian/apache2.dirs b/debian/apache2.dirs
index 6089013..1aa6d3c 100644
--- a/debian/apache2.dirs
+++ b/debian/apache2.dirs
@@ -10,3 +10,4 @@ var/cache/apache2/mod_cache_disk
 var/lib/apache2
 var/log/apache2
 var/www/html
+/etc/ufw/applications.d/apache2
diff --git a/debian/apache2.install b/debian/apache2.install
index b6ad789..92865fc 100644
--- a/debian/apache2.install
+++ b/debian/apache2.install
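Review bot: The new apache2.dirs entry declares a directory `/etc/ufw/applications.d/apache2`, while the apache2.install hunk on the next line copies the profile into `/etc/ufw/applications.d/` under its source name `apache2-utils.ufw.profile`, so the package would ship an empty `apache2` directory beside a profile file of a different name rather than the profile at the path the .dirs line names. If the intended layout is a single profile file named `apache2`, the .dirs line should be dropped and the file installed under that name; dh_install does not rename on copy, so that means either naming the source file to match or an explicit install step in debian/rules — I can't see rules here to say which fits. Separately, this is the only line in apache2.dirs written with a leading slash; the existing entries (`var/www/html`) omit it.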
@@ -8,3 +8,4 @@ debian/config-dir/*.conf /etc/apache2 debian/config-dir/envvars /etc/apache2 debian/config-dir/magic /etc/apache2 debian/debhelper/apache2-maintscript-helper /usr/share/apache2/ +debian/apache2-utils.ufw.profile /etc/ufw/applications.d/ diff --git a/debian/apache2.postrm b/debian/apache2.postrm index a68583c..21d748e 100644 --- a/debian/apache2.postrm +++ b/debian/apache2.postrm @@ -33,6 +33,7 @@ is_default_index_html () { 776221a94e5a174dc2396c0f3f6b6a74 c481228d439cbb54bdcedbaec5bbb11a e2620d4a5a0f8d80dd4b16de59af981f + 58d03fa9125ca62b1019ce77c8accaa6 EOF } diff --git a/debian/changelog b/debian/changelog index cd9a501..5960e4a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,28 @@ +apache2 (2.4.60-1) unstable; urgency=medium + + [ Bastien Roucariès ] + * Forward port CVE-2023-25690 uwsgi tests + * Fix depends of uwsgi test + * Use python3 uwsgi plugin + * Encode bytes for uwsgi test + + [ Bryce Harrington ] + * Add UFW profile integration (Closes: #1071705) + + [Chris Murray] + * Use https instead of http in doc (LP: #2045055) + + [ Yadd ] + * Bump liblua from liblua5.3-dev to liblua5.4-dev (Closes: #1071701) + * Update test framework + * releasing package apache2 version 2.4.59-1~deb12u1 + * New upstream version (CLoses: CVE-2024-36387, CVE-2024-38472, + CVE-2024-38473, CVE-2024-38474, CVE-2024-38475, CVE-2024-38476, + CVE-2024-38477, CVE-2024-39573) + * Unfuzz patches + + -- Yadd Mon, 01 Jul 2024 18:04:08 +0400 + apache2 (2.4.59-2~progress7.99u1) graograman-backports; urgency=medium * Uploading to graograman-backports, remaining changes: diff --git a/debian/control b/debian/control index e577fb2..52cc370 100644 --- a/debian/control +++ b/debian/control @@ -17,7 +17,7 @@ Build-Depends: debhelper-compat (= 13), libapr1-dev, libaprutil1-dev, libbrotli-dev, - liblua5.3-dev, + liblua5.4-dev, libnghttp2-dev, libpcre2-dev, libssl-dev, 
@@ -48,7 +48,8 @@ Depends: apache2-bin (= ${binary:Version}), ssl-cert | dehydrated Suggests: apache2-doc, apache2-suexec-pristine | apache2-suexec-custom, - www-browser + www-browser, + ufw Pre-Depends: ${misc:Pre-Depends} Provides: httpd, httpd-cgi diff --git a/debian/index.html b/debian/index.html index 766401d..d1415e2 100644 --- a/debian/index.html +++ b/debian/index.html @@ -326,7 +326,7 @@

By default, Debian does not allow access through the web browser to any file apart of those located in /var/www, - public_html + public_html directories (when enabled) and /usr/share (for web applications). If your site is using a web document root located elsewhere (such as in /srv) you may need to whitelist your @@ -347,7 +347,7 @@

Please use the reportbug tool to report bugs in the Apache2 package with Debian. However, check existing bug reports before reporting a new bug.

diff --git a/debian/patches/fhs_compliance.patch b/debian/patches/fhs_compliance.patch index 986d8bc..50755a8 100644 --- a/debian/patches/fhs_compliance.patch +++ b/debian/patches/fhs_compliance.patch @@ -6,7 +6,7 @@ Last-Update: 2023-10-19 --- a/configure +++ b/configure -@@ -42812,13 +42812,13 @@ +@@ -42844,13 +42844,13 @@ ap_prefix="${ap_cur}" @@ -25,7 +25,7 @@ Last-Update: 2023-10-19 perlbin=`$ac_aux_dir/PrintPath perl` --- a/configure.in +++ b/configure.in -@@ -928,11 +928,11 @@ +@@ -934,11 +934,11 @@ echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c APR_EXPAND_VAR(ap_prefix, $prefix) diff --git a/debian/tests/CVE-2023-25690 b/debian/tests/CVE-2023-25690 new file mode 100644 index 0000000..2aa916f --- /dev/null +++ b/debian/tests/CVE-2023-25690 
@@ -0,0 +1,110 @@
+#!/bin/bash
+
+# test CVE-2023-25690
+set -eux
+
+RC=0
+fail () {
+ echo "FAIL: $@" >&2
+ RC=1
+}
+
+
+function exit_handler()
+{
+ # fix cp: cannot access '/tmp/autopkgtest-lxc.x06nhp9r/downtmp/CVE-2023-25690-artifacts/apache2': Permission denied
+ chmod -R a+rwX "$AUTOPKGTEST_ARTIFACTS/apache2" || true
+ systemctl status apache2.service || true
+ systemctl stop apache2 || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/error.8080.log || true
+ cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log || true
+}
+trap exit_handler EXIT
+
+
+a2enmod proxy
+a2enmod proxy_http
+a2enmod rewrite
+
+rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS"
+rm /var/log/apache2/*
+mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2
+
+tee /etc/apache2/ports.conf <<'EOF'
+Listen 80
+Listen 8080
+EOF
+
+
+tee /etc/apache2/sites-available/000-default.conf <<'EOF'
+
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+
+ ErrorLog ${APACHE_LOG_DIR}/error.8080.log
+ CustomLog ${APACHE_LOG_DIR}/access.8080.log combined
+
+ # For most configuration files from conf-available/, which are
+ # enabled or disabled at a global level, it is possible to
+ # include a line for only one particular virtual host. For example the
+ # following line enables the CGI configuration for this host only
+ # after it has been globally disabled with "a2disconf".
+ #Include conf-available/serve-cgi-bin.conf
+
+
+ # The ServerName directive sets the request scheme, hostname and port that
+ # the server uses to identify itself. This is used when creating
+ # redirection URLs. In the context of virtual hosts, the ServerName
+ # specifies what hostname must appear in the request's Host: header to
+ # match this virtual host. For the default virtual host (this file) this
+ # value is not decisive as it is used as a last resort host regardless.
+ # However, you must set it for any further virtual host explicitly.
+ #ServerName www.example.com
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
+ # error, crit, alert, emerg.
+ # It is also possible to configure the loglevel for particular
+ # modules, e.g.
+ #LogLevel info ssl:warn
+ LogLevel alert rewrite:trace6
+ LogLevel error proxy:trace6
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ RewriteEngine on
+ RewriteRule "^/here/(.*)" "http://localhost:8080/index.html?$1" [P]
+ ProxyPassReverse "/here/" "http://localhost:8080/"
+
+EOF
+
+systemctl restart apache2
+
+CHOKEURL="http://localhost/here/index.html%20HTTP/1.1%0d%0aHost:%20localhost%0d%0aConnection:%20keep-alive%0d%0a%0d%0aGET%20/BAD.html%20HTTP/1.1%0d%0aFoo:%20bar HTTP/1.1"
+wget -S -q --output-document - "$CHOKEURL" || true
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true)
+(wget -S -q --output-document /dev/null "$CHOKEURL" 2>&1 || true) | grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] '
+
+cat $AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log | grep '] "GET /BAD.html HTTP/1.1"' && exit 1
+
+exit 0
+
diff --git a/debian/tests/control b/debian/tests/control
index 2453137..1298110 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -27,3 +27,11 @@ Tests: chroot
 Features: no-build-needed
 Restrictions: needs-root allow-stderr breaks-testbed
 Depends: apache2, wget, dpkg-dev, gcc
+
+Tests: uwsgi
+Restrictions: allow-stderr, needs-root
+Depends: apache2, uwsgi, wget, uwsgi-plugin-python3, rsync, netcat-openbsd | netcat-traditional
+
+Tests: CVE-2023-25690
+Restrictions: allow-stderr, needs-root, isolation-container
+Depends: apache2, rsync, curl, wget
diff --git a/debian/tests/uwsgi b/debian/tests/uwsgi
new file mode 100644
index 0000000..3350144
--- /dev/null
+++ b/debian/tests/uwsgi
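Review bot: `RC` and `fail()` at the top of debian/tests/CVE-2023-25690 are never used: the script only exits through `set -e`, the `&& exit 1` after the access-log grep, and the final `exit 0`, so `RC` never reaches the exit status. Either drop both definitions or route the two checks through them, e.g. `... | grep -e '^[[:space:]]*HTTP/1.1 4[[:digit:]][[:digit:]] ' || fail "no 4xx for malformed request"`, `grep -q '] "GET /BAD.html HTTP/1.1"' "$AUTOPKGTEST_ARTIFACTS/apache2/access.8080.log" && fail "request reached backend"`, and `exit "$RC"`, which also reports both conditions in one run. The second `wget` line (the bare subshell whose output nothing consumes) duplicates the first request; if it is deliberate, a one-line comment saying why would help, otherwise it can go. `exit_handler` stops apache2 but leaves the bind mount on /var/log/apache2 in place; an `umount /var/log/apache2 || true` after the stop would return the testbed to its original state should it be reused.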
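Review bot: The `Depends` line added for the CVE-2023-25690 stanza in debian/tests/control lists `curl`, but the test script added in this commit fetches only with `wget`, so the line can be `Depends: apache2, rsync, wget`. Both new stanzas rewrite the installed apache2 configuration (ports.conf, 000-default.conf, enabled modules, a bind mount over /var/log/apache2) yet, unlike the existing chroot stanza, do not declare `breaks-testbed`; if the autopkgtest backend in use cannot revert the testbed between tests, the next test would run against the modified configuration, so adding it may be worth considering — I can't tell from the hunk which backends are targeted.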
@@ -0,0 +1,145 @@ +#!/bin/bash +set -eux + +RC=0 +fail () { + echo "FAIL: $@" >&2 + RC=1 +} + + +function exit_handler() +{ + systemctl stop apache2 || true + if test -f /run/uwsgi/uwsgi.pid; then + kill -TERM $(cat /run/uwsgi/uwsgi.pid) + fi + cat $AUTOPKGTEST_ARTIFACTS/apache2/error.log || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/access.log || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.log || true + cat $AUTOPKGTEST_ARTIFACTS/apache2/uwsgi.error.log || true +} +trap exit_handler EXIT + + +a2enmod proxy +a2enmod proxy_uwsgi + +rsync -a /var/log/apache2 "$AUTOPKGTEST_ARTIFACTS" +rm /var/log/apache2/* +mount -o bind "$AUTOPKGTEST_ARTIFACTS/apache2" /var/log/apache2 + +tee /etc/apache2/sites-available/000-default.conf <<'EOF' + + # The ServerName directive sets the request scheme, hostname and port that + # the server uses to identify itself. This is used when creating + # redirection URLs. In the context of virtual hosts, the ServerName + # specifies what hostname must appear in the request's Host: header to + # match this virtual host. For the default virtual host (this file) this + # value is not decisive as it is used as a last resort host regardless. + # However, you must set it for any further virtual host explicitly. + #ServerName www.example.com + + ServerAdmin webmaster@localhost + DocumentRoot /var/www/html + + # Available loglevels: trace8, ..., trace1, debug, info, notice, warn, + # error, crit, alert, emerg. + # It is also possible to configure the loglevel for particular + # modules, e.g. + #LogLevel info ssl:warn + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + # For most configuration files from conf-available/, which are + # enabled or disabled at a global level, it is possible to + # include a line for only one particular virtual host. For example the + # following line enables the CGI configuration for this host only + # after it has been globally disabled with "a2disconf". 
+ #Include conf-available/serve-cgi-bin.conf + ProxyPass "/uwsgi" "unix:/run/uwsgi/test.socket|uwsgi://localhost" + +EOF + +systemctl restart apache2 + +test -d /etc/uwsgi/ || mkdir /etc/uwsgi + + + +tee /etc/systemd/system/uwsgi-app@.socket <