apache2 update for next buster point release?
Hello Release Managers,
I have been working on updating apache2 for stretch. Most of the open
CVEs affect both the stretch and buster versions of apache2 (in addition
to the bullseye version). For the buster/bullseye the CVEs have mostly
been marked "<no-dsa> (Minor issue; can be fixed in point release)".
Since buster will shortly transition to LTS, it seems likely that we
will want an update of apache2 in the final buster point release prior
to the LTS transition. The info at release.debian.org indicates that a
buster point release is planned for mid-June, which makes me think one
could be scheduled anytime.
I backported the patches for the CVEs fixed upstream in versions 2.4.53
and 2.4.54 and I am proposing an upload as described by the attached
debdiff. Please let me know if this would be acceptable. If so, I will
file the appropriate bug in the BTS and then proceed with the upload.
Regards,
-Roberto
P.S. I am not subscribed to either debian-release or debian-apache, so
CCs would be appreciated.
--
Roberto C. Sánchez
diff -Nru apache2-2.4.38/debian/changelog apache2-2.4.38/debian/changelog
--- apache2-2.4.38/debian/changelog 2021-12-21 11:50:43.000000000 -0500
+++ apache2-2.4.38/debian/changelog 2022-06-20 15:03:00.000000000 -0400
@@ -1,3 +1,20 @@
+apache2 (2.4.38-3+deb10u8) buster; urgency=medium
+
+ * Non-maintainer upload.
+ * CVE-2022-22719: denial of service in mod_lua via crafted request body.
+ * CVE-2022-22720: HTTP request smuggling.
+ * CVE-2022-22721: integer overflow leading to buffer overflow write.
+ * CVE-2022-23943: heap memory overwrite via crafted data in mod_sed.
+ * CVE-2022-26377: mod_proxy_ajp: Possible request smuggling.
+ * CVE-2022-28614: read beyond bounds via ap_rwrite().
+ * CVE-2022-28615: Read beyond bounds in ap_strcmp_match().
+ * CVE-2022-29404: Denial of service in mod_lua r:parsebody.
+ * CVE-2022-30522: mod_sed denial of service.
+ * CVE-2022-30556: Information Disclosure in mod_lua with websockets.
+ * CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism.
+
+ -- Roberto C. Sánchez <roberto@debian.org> Mon, 20 Jun 2022 15:03:00 -0400
+
apache2 (2.4.38-3+deb10u7) buster-security; urgency=medium
* Fix possible NULL dereference or SSRF in forward proxy configurations
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-22719.patch apache2-2.4.38/debian/patches/CVE-2022-22719.patch
--- apache2-2.4.38/debian/patches/CVE-2022-22719.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-22719.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,95 @@
+From 1b96582269d9ec7c82ee0fea1f67934e4b8176ad Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 7 Mar 2022 14:51:19 +0000
+Subject: [PATCH] mod_lua: Error out if lua_read_body() or lua_write_body()
+ fail.
+
+Otherwise r:requestbody() or r:parsebody() failures might go unnoticed for
+the user.
+
+
+Merge r1898689 from trunk.
+Submitted by: rpluem
+Reviewed by: rpluem, covener, ylavic
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898694 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/lua/lua_request.c | 33 ++++++++++++++++++++-------------
+ 1 file changed, 20 insertions(+), 13 deletions(-)
+
+diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
+index 493b2bb431..1eab7b6a47 100644
+--- a/modules/lua/lua_request.c
++++ b/modules/lua/lua_request.c
+@@ -235,14 +235,16 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
+ {
+ int rc = OK;
+
++ *rbuf = NULL;
++ *size = 0;
++
+ if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR))) {
+ return (rc);
+ }
+ if (ap_should_client_block(r)) {
+
+ /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+- char argsbuffer[HUGE_STRING_LEN];
+- apr_off_t rsize, len_read, rpos = 0;
++ apr_off_t len_read, rpos = 0;
+ apr_off_t length = r->remaining;
+ /*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+
+@@ -250,18 +252,18 @@ static int lua_read_body(request_rec *r, const char **rbuf, apr_off_t *size,
+ return APR_EINCOMPLETE; /* Only room for incomplete data chunk :( */
+ }
+ *rbuf = (const char *) apr_pcalloc(r->pool, (apr_size_t) (length + 1));
+- *size = length;
+- while ((len_read = ap_get_client_block(r, argsbuffer, sizeof(argsbuffer))) > 0) {
+- if ((rpos + len_read) > length) {
+- rsize = length - rpos;
+- }
+- else {
+- rsize = len_read;
+- }
+-
+- memcpy((char *) *rbuf + rpos, argsbuffer, (size_t) rsize);
+- rpos += rsize;
++ while ((rpos < length)
++ && (len_read = ap_get_client_block(r, (char *) *rbuf + rpos,
++ length - rpos)) > 0) {
++ rpos += len_read;
++ }
++ if (len_read < 0) {
++ return APR_EINCOMPLETE;
+ }
++ *size = rpos;
++ }
++ else {
++ rc = DONE;
+ }
+
+ return (rc);
+@@ -278,6 +280,8 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t *
+ {
+ apr_status_t rc = OK;
+
++ *size = 0;
++
+ if ((rc = ap_setup_client_block(r, REQUEST_CHUNKED_ERROR)))
+ return rc;
+ if (ap_should_client_block(r)) {
+@@ -303,6 +307,9 @@ static apr_status_t lua_write_body(request_rec *r, apr_file_t *file, apr_off_t *
+ rpos += rsize;
+ }
+ }
++ else {
++ rc = DONE;
++ }
+
+ return rc;
+ }
+--
+2.30.2
+
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-22720.patch apache2-2.4.38/debian/patches/CVE-2022-22720.patch
--- apache2-2.4.38/debian/patches/CVE-2022-22720.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-22720.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,190 @@
+From 19aa2d83b379719420f3a178413325156d7a62f3 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 7 Mar 2022 14:46:08 +0000
+Subject: [PATCH] core: Simpler connection close logic if discarding the
+ request body fails.
+
+If ap_discard_request_body() sets AP_CONN_CLOSE by itself it simplifies and
+allows to consolidate end_output_stream() and error_output_stream().
+
+
+Merge r1898683 from trunk.
+Submitted by: ylavic, rpluem
+Reviewed by: ylavic, rpluem, covener
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898692 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/discard_body.diff | 2 +
+ modules/http/http_filters.c | 69 ++++++++++++++++---------------
+ server/protocol.c | 14 +++++--
+ 3 files changed, 48 insertions(+), 37 deletions(-)
+ create mode 100644 changes-entries/discard_body.diff
+
+diff --git a/changes-entries/discard_body.diff b/changes-entries/discard_body.diff
+new file mode 100644
+index 0000000000..6b467ac5ee
+--- /dev/null
++++ b/changes-entries/discard_body.diff
+@@ -0,0 +1,2 @@
++ *) core: Simpler connection close logic if discarding the request body fails.
++ [Yann Ylavic, Ruediger Pluem]
+\ No newline at end of file
+diff --git a/modules/http/http_filters.c b/modules/http/http_filters.c
+index d9b3621215..43e8c6dd5d 100644
+--- a/modules/http/http_filters.c
++++ b/modules/http/http_filters.c
+@@ -1598,9 +1598,9 @@ AP_DECLARE(int) ap_map_http_request_error(apr_status_t rv, int status)
+ */
+ AP_DECLARE(int) ap_discard_request_body(request_rec *r)
+ {
++ int rc = OK;
++ conn_rec *c = r->connection;
+ apr_bucket_brigade *bb;
+- int seen_eos;
+- apr_status_t rv;
+
+ /* Sometimes we'll get in a state where the input handling has
+ * detected an error where we want to drop the connection, so if
+@@ -1609,54 +1609,57 @@ AP_DECLARE(int) ap_discard_request_body(request_rec *r)
+ *
+ * This function is also a no-op on a subrequest.
+ */
+- if (r->main || r->connection->keepalive == AP_CONN_CLOSE ||
+- ap_status_drops_connection(r->status)) {
++ if (r->main || c->keepalive == AP_CONN_CLOSE) {
++ return OK;
++ }
++ if (ap_status_drops_connection(r->status)) {
++ c->keepalive = AP_CONN_CLOSE;
+ return OK;
+ }
+
+ bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
+- seen_eos = 0;
+- do {
+- apr_bucket *bucket;
++ for (;;) {
++ apr_status_t rv;
+
+ rv = ap_get_brigade(r->input_filters, bb, AP_MODE_READBYTES,
+ APR_BLOCK_READ, HUGE_STRING_LEN);
+-
+ if (rv != APR_SUCCESS) {
+- apr_brigade_destroy(bb);
+- return ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
++ rc = ap_map_http_request_error(rv, HTTP_BAD_REQUEST);
++ goto cleanup;
+ }
+
+- for (bucket = APR_BRIGADE_FIRST(bb);
+- bucket != APR_BRIGADE_SENTINEL(bb);
+- bucket = APR_BUCKET_NEXT(bucket))
+- {
+- const char *data;
+- apr_size_t len;
++ while (!APR_BRIGADE_EMPTY(bb)) {
++ apr_bucket *b = APR_BRIGADE_FIRST(bb);
+
+- if (APR_BUCKET_IS_EOS(bucket)) {
+- seen_eos = 1;
+- break;
+- }
+-
+- /* These are metadata buckets. */
+- if (bucket->length == 0) {
+- continue;
++ if (APR_BUCKET_IS_EOS(b)) {
++ goto cleanup;
+ }
+
+- /* We MUST read because in case we have an unknown-length
+- * bucket or one that morphs, we want to exhaust it.
++ /* There is no need to read empty or metadata buckets or
++ * buckets of known length, but we MUST read buckets of
++ * unknown length in order to exhaust them.
+ */
+- rv = apr_bucket_read(bucket, &data, &len, APR_BLOCK_READ);
+- if (rv != APR_SUCCESS) {
+- apr_brigade_destroy(bb);
+- return HTTP_BAD_REQUEST;
++ if (b->length == (apr_size_t)-1) {
++ apr_size_t len;
++ const char *data;
++
++ rv = apr_bucket_read(b, &data, &len, APR_BLOCK_READ);
++ if (rv != APR_SUCCESS) {
++ rc = HTTP_BAD_REQUEST;
++ goto cleanup;
++ }
+ }
++
++ apr_bucket_delete(b);
+ }
+- apr_brigade_cleanup(bb);
+- } while (!seen_eos);
++ }
+
+- return OK;
++cleanup:
++ apr_brigade_cleanup(bb);
++ if (rc != OK) {
++ c->keepalive = AP_CONN_CLOSE;
++ }
++ return rc;
+ }
+
+ /* Here we deal with getting the request message body from the client.
+diff --git a/server/protocol.c b/server/protocol.c
+index 2214f72b5a..298f61e1fb 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -1687,23 +1687,29 @@ AP_DECLARE(void) ap_set_sub_req_protocol(request_rec *rnew,
+ rnew->main = (request_rec *) r;
+ }
+
+-static void end_output_stream(request_rec *r)
++static void end_output_stream(request_rec *r, int status)
+ {
+ conn_rec *c = r->connection;
+ apr_bucket_brigade *bb;
+ apr_bucket *b;
+
+ bb = apr_brigade_create(r->pool, c->bucket_alloc);
++ if (status != OK) {
++ b = ap_bucket_error_create(status, NULL, r->pool, c->bucket_alloc);
++ APR_BRIGADE_INSERT_TAIL(bb, b);
++ }
+ b = apr_bucket_eos_create(c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(bb, b);
++
+ ap_pass_brigade(r->output_filters, bb);
++ apr_brigade_cleanup(bb);
+ }
+
+ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
+ {
+ /* tell the filter chain there is no more content coming */
+ if (!sub->eos_sent) {
+- end_output_stream(sub);
++ end_output_stream(sub, OK);
+ }
+ }
+
+@@ -1714,11 +1720,11 @@ AP_DECLARE(void) ap_finalize_sub_req_protocol(request_rec *sub)
+ */
+ AP_DECLARE(void) ap_finalize_request_protocol(request_rec *r)
+ {
+- (void) ap_discard_request_body(r);
++ int status = ap_discard_request_body(r);
+
+ /* tell the filter chain there is no more content coming */
+ if (!r->eos_sent) {
+- end_output_stream(r);
++ end_output_stream(r, status);
+ }
+ }
+
+--
+2.30.2
+
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-22721.patch apache2-2.4.38/debian/patches/CVE-2022-22721.patch
--- apache2-2.4.38/debian/patches/CVE-2022-22721.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-22721.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,116 @@
+From 5a72f0fe6f2f8ce35c45242e99a421dc19251ab5 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 7 Mar 2022 14:48:54 +0000
+Subject: [PATCH] core: Make sure and check that LimitXMLRequestBody fits in
+ system memory.
+
+LimitXMLRequestBody can not exceed the size needed to ap_escape_html2() the
+body without failing to allocate memory, so enforce this at load time based
+on APR_SIZE_MAX, and make sure that ap_escape_html2() is within the bounds.
+
+Document the limits for LimitXMLRequestBody in our docs.
+
+
+Merge r1898686 from trunk.
+Submitted by: ylavic, rpluem
+Reviewed by: ylavic, covener, rpluem
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898693 13f79535-47bb-0310-9956-ffa450edef68
+---
+ changes-entries/AP_MAX_LIMIT_XML_BODY.diff | 2 ++
+ docs/manual/mod/core.xml | 12 +++++++++---
+ server/core.c | 9 +++++++++
+ server/util.c | 8 ++++++--
+ server/util_xml.c | 2 +-
+ 5 files changed, 27 insertions(+), 6 deletions(-)
+ create mode 100644 changes-entries/AP_MAX_LIMIT_XML_BODY.diff
+
+diff --git a/changes-entries/AP_MAX_LIMIT_XML_BODY.diff b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
+new file mode 100644
+index 0000000000..07fef3c624
+--- /dev/null
++++ b/changes-entries/AP_MAX_LIMIT_XML_BODY.diff
+@@ -0,0 +1,2 @@
++ *) core: Make sure and check that LimitXMLRequestBody fits in system memory.
++ [Ruediger Pluem, Yann Ylavic]
+\ No newline at end of file
+diff --git a/server/core.c b/server/core.c
+index 798212b480..090e397642 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -72,6 +72,8 @@
+ /* LimitXMLRequestBody handling */
+ #define AP_LIMIT_UNSET ((long) -1)
+ #define AP_DEFAULT_LIMIT_XML_BODY ((apr_size_t)1000000)
++/* Hard limit for ap_escape_html2() */
++#define AP_MAX_LIMIT_XML_BODY ((apr_size_t)(APR_SIZE_MAX / 6 - 1))
+
+ #define AP_MIN_SENDFILE_BYTES (256)
+
+@@ -3761,6 +3763,11 @@ static const char *set_limit_xml_req_body(cmd_parms *cmd, void *conf_,
+ if (conf->limit_xml_body < 0)
+ return "LimitXMLRequestBody requires a non-negative integer.";
+
++ /* zero is AP_MAX_LIMIT_XML_BODY (implicitly) */
++ if ((apr_size_t)conf->limit_xml_body > AP_MAX_LIMIT_XML_BODY)
++ return apr_psprintf(cmd->pool, "LimitXMLRequestBody must not exceed "
++ "%" APR_SIZE_T_FMT, AP_MAX_LIMIT_XML_BODY);
++
+ return NULL;
+ }
+
+@@ -3849,6 +3856,8 @@ AP_DECLARE(apr_size_t) ap_get_limit_xml_body(const request_rec *r)
+ conf = ap_get_core_module_config(r->per_dir_config);
+ if (conf->limit_xml_body == AP_LIMIT_UNSET)
+ return AP_DEFAULT_LIMIT_XML_BODY;
++ if (conf->limit_xml_body == 0)
++ return AP_MAX_LIMIT_XML_BODY;
+
+ return (apr_size_t)conf->limit_xml_body;
+ }
+diff --git a/server/util.c b/server/util.c
+index 6cfe0035c4..604be1a1ce 100644
+--- a/server/util.c
++++ b/server/util.c
+@@ -2142,11 +2142,14 @@ AP_DECLARE(char *) ap_escape_urlencoded(apr_pool_t *p, const char *buffer)
+
+ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
+ {
+- int i, j;
++ apr_size_t i, j;
+ char *x;
+
+ /* first, count the number of extra characters */
+- for (i = 0, j = 0; s[i] != '\0'; i++)
++ for (i = 0, j = 0; s[i] != '\0'; i++) {
++ if (i + j > APR_SIZE_MAX - 6) {
++ abort();
++ }
+ if (s[i] == '<' || s[i] == '>')
+ j += 3;
+ else if (s[i] == '&')
+@@ -2155,6 +2158,7 @@ AP_DECLARE(char *) ap_escape_html2(apr_pool_t *p, const char *s, int toasc)
+ j += 5;
+ else if (toasc && !apr_isascii(s[i]))
+ j += 5;
++ }
+
+ if (j == 0)
+ return apr_pstrmemdup(p, s, i);
+diff --git a/server/util_xml.c b/server/util_xml.c
+index 4845194656..22806fa8a4 100644
+--- a/server/util_xml.c
++++ b/server/util_xml.c
+@@ -85,7 +85,7 @@ AP_DECLARE(int) ap_xml_parse_input(request_rec * r, apr_xml_doc **pdoc)
+ }
+
+ total_read += len;
+- if (limit_xml_body && total_read > limit_xml_body) {
++ if (total_read > limit_xml_body) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00539)
+ "XML request body is larger than the configured "
+ "limit of %lu", (unsigned long)limit_xml_body);
+--
+2.30.2
+
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-23943-1.patch apache2-2.4.38/debian/patches/CVE-2022-23943-1.patch
--- apache2-2.4.38/debian/patches/CVE-2022-23943-1.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-23943-1.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,360 @@
+From 943f57b336f264d77e5b780c82ab73daf3d14deb Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Mon, 7 Mar 2022 14:52:42 +0000
+Subject: [PATCH] mod_sed: use size_t to allow for larger buffer sizes and
+ unsigned arithmetics.
+
+Let's switch to apr_size_t buffers and get rid of the ints.
+
+
+Merge r1898690 from trunk.
+Submitted by: rpluem
+Reviewed by: rpluem, covener, ylavic
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898695 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/filters/libsed.h | 12 +++---
+ modules/filters/mod_sed.c | 10 ++---
+ modules/filters/sed1.c | 79 +++++++++++++++++++++++----------------
+ 3 files changed, 58 insertions(+), 43 deletions(-)
+
+diff --git a/modules/filters/libsed.h b/modules/filters/libsed.h
+index 76cbc0ce8a..0256b1ea83 100644
+--- a/modules/filters/libsed.h
++++ b/modules/filters/libsed.h
+@@ -60,7 +60,7 @@ struct sed_label_s {
+ };
+
+ typedef apr_status_t (sed_err_fn_t)(void *data, const char *error);
+-typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, int sz);
++typedef apr_status_t (sed_write_fn_t)(void *ctx, char *buf, apr_size_t sz);
+
+ typedef struct sed_commands_s sed_commands_t;
+ #define NWFILES 11 /* 10 plus one for standard output */
+@@ -69,7 +69,7 @@ struct sed_commands_s {
+ sed_err_fn_t *errfn;
+ void *data;
+
+- unsigned lsize;
++ apr_size_t lsize;
+ char *linebuf;
+ char *lbend;
+ const char *saveq;
+@@ -116,15 +116,15 @@ struct sed_eval_s {
+ apr_int64_t lnum;
+ void *fout;
+
+- unsigned lsize;
++ apr_size_t lsize;
+ char *linebuf;
+ char *lspend;
+
+- unsigned hsize;
++ apr_size_t hsize;
+ char *holdbuf;
+ char *hspend;
+
+- unsigned gsize;
++ apr_size_t gsize;
+ char *genbuf;
+ char *lcomend;
+
+@@ -160,7 +160,7 @@ apr_status_t sed_init_eval(sed_eval_t *eval, sed_commands_t *commands,
+ sed_err_fn_t *errfn, void *data,
+ sed_write_fn_t *writefn, apr_pool_t *p);
+ apr_status_t sed_reset_eval(sed_eval_t *eval, sed_commands_t *commands, sed_err_fn_t *errfn, void *data);
+-apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout);
++apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout);
+ apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout);
+ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *f);
+ void sed_destroy_eval(sed_eval_t *eval);
+diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
+index 9b408029a8..7092dd5e7f 100644
+--- a/modules/filters/mod_sed.c
++++ b/modules/filters/mod_sed.c
+@@ -51,7 +51,7 @@ typedef struct sed_filter_ctxt
+ apr_bucket_brigade *bbinp;
+ char *outbuf;
+ char *curoutbuf;
+- int bufsize;
++ apr_size_t bufsize;
+ apr_pool_t *tpool;
+ int numbuckets;
+ } sed_filter_ctxt;
+@@ -100,7 +100,7 @@ static void alloc_outbuf(sed_filter_ctxt* ctx)
+ /* append_bucket
+ * Allocate a new bucket from buf and sz and append to ctx->bb
+ */
+-static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz)
++static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, apr_size_t sz)
+ {
+ apr_status_t status = APR_SUCCESS;
+ apr_bucket *b;
+@@ -133,7 +133,7 @@ static apr_status_t append_bucket(sed_filter_ctxt* ctx, char* buf, int sz)
+ */
+ static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx)
+ {
+- int size = ctx->curoutbuf - ctx->outbuf;
++ apr_size_t size = ctx->curoutbuf - ctx->outbuf;
+ char *out;
+ apr_status_t status = APR_SUCCESS;
+ if ((ctx->outbuf == NULL) || (size <=0))
+@@ -147,12 +147,12 @@ static apr_status_t flush_output_buffer(sed_filter_ctxt *ctx)
+ /* This is a call back function. When libsed wants to generate the output,
+ * this function will be invoked.
+ */
+-static apr_status_t sed_write_output(void *dummy, char *buf, int sz)
++static apr_status_t sed_write_output(void *dummy, char *buf, apr_size_t sz)
+ {
+ /* dummy is basically filter context. Context is passed during invocation
+ * of sed_eval_buffer
+ */
+- int remainbytes = 0;
++ apr_size_t remainbytes = 0;
+ apr_status_t status = APR_SUCCESS;
+ sed_filter_ctxt *ctx = (sed_filter_ctxt *) dummy;
+ if (ctx->outbuf == NULL) {
+diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c
+index be03506788..67a8d06515 100644
+--- a/modules/filters/sed1.c
++++ b/modules/filters/sed1.c
+@@ -71,7 +71,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
+ static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2);
+ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ step_vars_storage *step_vars);
+-static apr_status_t wline(sed_eval_t *eval, char *buf, int sz);
++static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz);
+ static apr_status_t arout(sed_eval_t *eval);
+
+ static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
+@@ -92,11 +92,11 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
+ * grow_buffer
+ */
+ static void grow_buffer(apr_pool_t *pool, char **buffer,
+- char **spend, unsigned int *cursize,
+- unsigned int newsize)
++ char **spend, apr_size_t *cursize,
++ apr_size_t newsize)
+ {
+ char* newbuffer = NULL;
+- int spendsize = 0;
++ apr_size_t spendsize = 0;
+ if (*cursize >= newsize)
+ return;
+ /* Avoid number of times realloc is called. It could cause huge memory
+@@ -124,7 +124,7 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
+ /*
+ * grow_line_buffer
+ */
+-static void grow_line_buffer(sed_eval_t *eval, int newsize)
++static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
+ {
+ grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
+ &eval->lsize, newsize);
+@@ -133,7 +133,7 @@ static void grow_line_buffer(sed_eval_t *eval, int newsize)
+ /*
+ * grow_hold_buffer
+ */
+-static void grow_hold_buffer(sed_eval_t *eval, int newsize)
++static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
+ {
+ grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
+ &eval->hsize, newsize);
+@@ -142,7 +142,7 @@ static void grow_hold_buffer(sed_eval_t *eval, int newsize)
+ /*
+ * grow_gen_buffer
+ */
+-static void grow_gen_buffer(sed_eval_t *eval, int newsize,
++static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
+ char **gspend)
+ {
+ if (gspend == NULL) {
+@@ -156,9 +156,9 @@ static void grow_gen_buffer(sed_eval_t *eval, int newsize,
+ /*
+ * appendmem_to_linebuf
+ */
+-static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len)
++static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
+ {
+- unsigned int reqsize = (eval->lspend - eval->linebuf) + len;
++ apr_size_t reqsize = (eval->lspend - eval->linebuf) + len;
+ if (eval->lsize < reqsize) {
+ grow_line_buffer(eval, reqsize);
+ }
+@@ -169,21 +169,36 @@ static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, int len)
+ /*
+ * append_to_linebuf
+ */
+-static void append_to_linebuf(sed_eval_t *eval, const char* sz)
++static void append_to_linebuf(sed_eval_t *eval, const char* sz,
++ step_vars_storage *step_vars)
+ {
+- int len = strlen(sz);
++ apr_size_t len = strlen(sz);
++ char *old_linebuf = eval->linebuf;
+ /* Copy string including null character */
+ appendmem_to_linebuf(eval, sz, len + 1);
+ --eval->lspend; /* lspend will now point to NULL character */
++ /* Sync step_vars after a possible linebuf expansion */
++ if (step_vars && old_linebuf != eval->linebuf) {
++ if (step_vars->loc1) {
++ step_vars->loc1 = step_vars->loc1 - old_linebuf + eval->linebuf;
++ }
++ if (step_vars->loc2) {
++ step_vars->loc2 = step_vars->loc2 - old_linebuf + eval->linebuf;
++ }
++ if (step_vars->locs) {
++ step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf;
++ }
++ }
+ }
+
+ /*
+ * copy_to_linebuf
+ */
+-static void copy_to_linebuf(sed_eval_t *eval, const char* sz)
++static void copy_to_linebuf(sed_eval_t *eval, const char* sz,
++ step_vars_storage *step_vars)
+ {
+ eval->lspend = eval->linebuf;
+- append_to_linebuf(eval, sz);
++ append_to_linebuf(eval, sz, step_vars);
+ }
+
+ /*
+@@ -191,8 +206,8 @@ static void copy_to_linebuf(sed_eval_t *eval, const char* sz)
+ */
+ static void append_to_holdbuf(sed_eval_t *eval, const char* sz)
+ {
+- int len = strlen(sz);
+- unsigned int reqsize = (eval->hspend - eval->holdbuf) + len + 1;
++ apr_size_t len = strlen(sz);
++ apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1;
+ if (eval->hsize <= reqsize) {
+ grow_hold_buffer(eval, reqsize);
+ }
+@@ -215,8 +230,8 @@ static void copy_to_holdbuf(sed_eval_t *eval, const char* sz)
+ */
+ static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
+ {
+- int len = strlen(sz);
+- unsigned int reqsize = (*gspend - eval->genbuf) + len + 1;
++ apr_size_t len = strlen(sz);
++ apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1;
+ if (eval->gsize < reqsize) {
+ grow_gen_buffer(eval, reqsize, gspend);
+ }
+@@ -230,8 +245,8 @@ static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
+ */
+ static void copy_to_genbuf(sed_eval_t *eval, const char* sz)
+ {
+- int len = strlen(sz);
+- unsigned int reqsize = len + 1;
++ apr_size_t len = strlen(sz);
++ apr_size_t reqsize = len + 1;
+ if (eval->gsize < reqsize) {
+ grow_gen_buffer(eval, reqsize, NULL);
+ }
+@@ -353,7 +368,7 @@ apr_status_t sed_eval_file(sed_eval_t *eval, apr_file_t *fin, void *fout)
+ /*
+ * sed_eval_buffer
+ */
+-apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void *fout)
++apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz, void *fout)
+ {
+ apr_status_t rv;
+
+@@ -383,7 +398,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, int bufsz, void
+
+ while (bufsz) {
+ char *n;
+- int llen;
++ apr_size_t llen;
+
+ n = memchr(buf, '\n', bufsz);
+ if (n == NULL)
+@@ -442,7 +457,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
+ * buffer is not a newline.
+ */
+ /* Assure space for NULL */
+- append_to_linebuf(eval, "");
++ append_to_linebuf(eval, "", NULL);
+ }
+
+ *eval->lspend = '\0';
+@@ -666,7 +681,7 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
+ lp = step_vars->loc2;
+ step_vars->loc2 = sp - eval->genbuf + eval->linebuf;
+ append_to_genbuf(eval, lp, &sp);
+- copy_to_linebuf(eval, eval->genbuf);
++ copy_to_linebuf(eval, eval->genbuf, step_vars);
+ return rv;
+ }
+
+@@ -676,8 +691,8 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
+ static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2)
+ {
+ char *sp = asp;
+- int n = al2 - al1;
+- unsigned int reqsize = (sp - eval->genbuf) + n + 1;
++ apr_size_t n = al2 - al1;
++ apr_size_t reqsize = (sp - eval->genbuf) + n + 1;
+
+ if (eval->gsize < reqsize) {
+ grow_gen_buffer(eval, reqsize, &sp);
+@@ -735,7 +750,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ }
+
+ p1++;
+- copy_to_linebuf(eval, p1);
++ copy_to_linebuf(eval, p1, step_vars);
+ eval->jflag++;
+ break;
+
+@@ -745,12 +760,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ break;
+
+ case GCOM:
+- copy_to_linebuf(eval, eval->holdbuf);
++ copy_to_linebuf(eval, eval->holdbuf, step_vars);
+ break;
+
+ case CGCOM:
+- append_to_linebuf(eval, "\n");
+- append_to_linebuf(eval, eval->holdbuf);
++ append_to_linebuf(eval, "\n", step_vars);
++ append_to_linebuf(eval, eval->holdbuf, step_vars);
+ break;
+
+ case HCOM:
+@@ -881,7 +896,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ if (rv != APR_SUCCESS)
+ return rv;
+ }
+- append_to_linebuf(eval, "\n");
++ append_to_linebuf(eval, "\n", step_vars);
+ eval->pending = ipc->next;
+ break;
+
+@@ -956,7 +971,7 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+
+ case XCOM:
+ copy_to_genbuf(eval, eval->linebuf);
+- copy_to_linebuf(eval, eval->holdbuf);
++ copy_to_linebuf(eval, eval->holdbuf, step_vars);
+ copy_to_holdbuf(eval, eval->genbuf);
+ break;
+
+@@ -1013,7 +1028,7 @@ static apr_status_t arout(sed_eval_t *eval)
+ /*
+ * wline
+ */
+-static apr_status_t wline(sed_eval_t *eval, char *buf, int sz)
++static apr_status_t wline(sed_eval_t *eval, char *buf, apr_size_t sz)
+ {
+ apr_status_t rv = APR_SUCCESS;
+ rv = eval->writefn(eval->fout, buf, sz);
+--
+2.30.2
+
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-23943-2.patch apache2-2.4.38/debian/patches/CVE-2022-23943-2.patch
--- apache2-2.4.38/debian/patches/CVE-2022-23943-2.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-23943-2.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,63 @@
+From e266bd09c313a668d7cca17a8b096d189148be49 Mon Sep 17 00:00:00 2001
+From: Ruediger Pluem <rpluem@apache.org>
+Date: Wed, 9 Mar 2022 07:41:40 +0000
+Subject: [PATCH] Merge r1898735 from trunk:
+
+* Improve the logic flow
+
+Reviewed by: rpluem, covener, ylavic
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1898772 13f79535-47bb-0310-9956-ffa450edef68
+---
+ modules/filters/mod_sed.c | 30 +++++++++++++++++++-----------
+ 1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
+index 7092dd5e7f..4bdb4ce33a 100644
+--- a/modules/filters/mod_sed.c
++++ b/modules/filters/mod_sed.c
+@@ -168,21 +168,29 @@ static apr_status_t sed_write_output(void *dummy, char *buf, apr_size_t sz)
+ }
+ /* buffer is now full */
+ status = append_bucket(ctx, ctx->outbuf, ctx->bufsize);
+- /* old buffer is now used so allocate new buffer */
+- alloc_outbuf(ctx);
+- /* if size is bigger than the allocated buffer directly add to output
+- * brigade */
+- if ((status == APR_SUCCESS) && (sz >= ctx->bufsize)) {
+- char* newbuf = apr_pmemdup(ctx->tpool, buf, sz);
+- status = append_bucket(ctx, newbuf, sz);
+- /* pool might get clear after append_bucket */
+- if (ctx->outbuf == NULL) {
++ if (status == APR_SUCCESS) {
++ /* if size is bigger than the allocated buffer directly add to output
++ * brigade */
++ if (sz >= ctx->bufsize) {
++ char* newbuf = apr_pmemdup(ctx->tpool, buf, sz);
++ status = append_bucket(ctx, newbuf, sz);
++ if (status == APR_SUCCESS) {
++ /* old buffer is now used so allocate new buffer */
++ alloc_outbuf(ctx);
++ }
++ else {
++ clear_ctxpool(ctx);
++ }
++ }
++ else {
++ /* old buffer is now used so allocate new buffer */
+ alloc_outbuf(ctx);
++ memcpy(ctx->curoutbuf, buf, sz);
++ ctx->curoutbuf += sz;
+ }
+ }
+ else {
+- memcpy(ctx->curoutbuf, buf, sz);
+- ctx->curoutbuf += sz;
++ clear_ctxpool(ctx);
+ }
+ }
+ else {
+--
+2.30.2
+
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-26377.patch apache2-2.4.38/debian/patches/CVE-2022-26377.patch
--- apache2-2.4.38/debian/patches/CVE-2022-26377.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-26377.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,39 @@
+From f7f15f3d8bfe3032926c8c39eb8434529f680bd4 Mon Sep 17 00:00:00 2001
+From: Yann Ylavic <ylavic@apache.org>
+Date: Wed, 1 Jun 2022 13:48:21 +0000
+Subject: [PATCH] mod_proxy_ajp: T-E has precedence over C-L.
+
+Merge r1901521 from trunk.
+Submitted by: rpluem
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901522 13f79535-47bb-0310-9956-ffa450edef68
+Origin: https://github.com/apache/httpd/commit/f7f15f3d8bfe3032926c8c39eb8434529f680bd4
+---
+ modules/proxy/mod_proxy_ajp.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -245,9 +245,18 @@
+ /* read the first bloc of data */
+ input_brigade = apr_brigade_create(p, r->connection->bucket_alloc);
+ tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
+- if (tenc && (strcasecmp(tenc, "chunked") == 0)) {
+- /* The AJP protocol does not want body data yet */
+- ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870) "request is chunked");
++ if (tenc) {
++ if (strcasecmp(tenc, "chunked") == 0) {
++ /* The AJP protocol does not want body data yet */
++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(00870)
++ "request is chunked");
++ }
++ else {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10396)
++ "%s Transfer-Encoding is not supported",
++ tenc);
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
+ } else {
+ /* Get client provided Content-Length header */
+ content_length = get_content_length(r);
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-28614.patch apache2-2.4.38/debian/patches/CVE-2022-28614.patch
--- apache2-2.4.38/debian/patches/CVE-2022-28614.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-28614.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,65 @@
+From 8c14927162cf3b4f810683e1c5505e9ef9e1f123 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 1 Jun 2022 12:34:16 +0000
+Subject: [PATCH] Merge r1901500 from trunk:
+
+handle large writes in ap_rputs
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901501 13f79535-47bb-0310-9956-ffa450edef68
+Origin: https://github.com/apache/httpd/commit/8c14927162cf3b4f810683e1c5505e9ef9e1f123
+---
+ include/http_protocol.h | 22 +++++++++++++++++++++-
+ server/protocol.c | 3 +++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/include/http_protocol.h b/include/http_protocol.h
+index 20bd202226..94c481e5f4 100644
+--- a/include/http_protocol.h
++++ b/include/http_protocol.h
+@@ -475,7 +475,27 @@ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r);
+ */
+ static APR_INLINE int ap_rputs(const char *str, request_rec *r)
+ {
+- return ap_rwrite(str, (int)strlen(str), r);
++ apr_size_t len;
++
++ len = strlen(str);
++
++ for (;;) {
++ if (len <= INT_MAX) {
++ return ap_rwrite(str, (int)len, r);
++ }
++ else {
++ int rc;
++
++ rc = ap_rwrite(str, INT_MAX, r);
++ if (rc < 0) {
++ return rc;
++ }
++ else {
++ str += INT_MAX;
++ len -= INT_MAX;
++ }
++ }
++ }
+ }
+
+ /**
+diff --git a/server/protocol.c b/server/protocol.c
+index 298f61e1fb..7adc7f75c1 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -2128,6 +2128,9 @@ AP_DECLARE(int) ap_rputc(int c, request_rec *r)
+
+ AP_DECLARE(int) ap_rwrite(const void *buf, int nbyte, request_rec *r)
+ {
++ if (nbyte < 0)
++ return -1;
++
+ if (r->connection->aborted)
+ return -1;
+
+--
+2.30.2
+
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-28615.patch apache2-2.4.38/debian/patches/CVE-2022-28615.patch
--- apache2-2.4.38/debian/patches/CVE-2022-28615.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-28615.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,35 @@
+From 6503d09ab51047554c384a6d03646ce1a8848120 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 1 Jun 2022 12:21:45 +0000
+Subject: [PATCH] Merge r1901494 from trunk:
+
+fix types
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901495 13f79535-47bb-0310-9956-ffa450edef68
+Origin: https://github.com/apache/httpd/commit/6503d09ab51047554c384a6d03646ce1a8848120
+---
+ server/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/server/util.c
++++ b/server/util.c
+@@ -186,7 +186,7 @@
+ */
+ AP_DECLARE(int) ap_strcmp_match(const char *str, const char *expected)
+ {
+- int x, y;
++ apr_size_t x, y;
+
+ for (x = 0, y = 0; expected[y]; ++y, ++x) {
+ if ((!str[x]) && (expected[y] != '*'))
+@@ -210,7 +210,7 @@
+
+ AP_DECLARE(int) ap_strcasecmp_match(const char *str, const char *expected)
+ {
+- int x, y;
++ apr_size_t x, y;
+
+ for (x = 0, y = 0; expected[y]; ++y, ++x) {
+ if (!str[x] && expected[y] != '*')
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-29404.patch apache2-2.4.38/debian/patches/CVE-2022-29404.patch
--- apache2-2.4.38/debian/patches/CVE-2022-29404.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-29404.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,82 @@
+From ce259c4061905bf834f9af51c92456cfe8335ddc Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 1 Jun 2022 12:31:48 +0000
+Subject: [PATCH] Merge r1901497 from trunk:
+
+use a liberal default limit for LimitRequestBody of 1GB
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901499 13f79535-47bb-0310-9956-ffa450edef68
+Origin: https://github.com/apache/httpd/commit/ce259c4061905bf834f9af51c92456cfe8335ddc
+---
+ modules/http/http_filters.c | 6 ++++++
+ modules/proxy/mod_proxy_http.c | 14 --------------
+ server/core.c | 2 +-
+ 3 files changed, 7 insertions(+), 15 deletions(-)
+
+--- a/modules/http/http_filters.c
++++ b/modules/http/http_filters.c
+@@ -1657,6 +1657,7 @@
+ {
+ const char *tenc = apr_table_get(r->headers_in, "Transfer-Encoding");
+ const char *lenp = apr_table_get(r->headers_in, "Content-Length");
++ apr_off_t limit_req_body = ap_get_limit_req_body(r);
+
+ r->read_body = read_policy;
+ r->read_chunked = 0;
+@@ -1695,6 +1696,11 @@
+ return HTTP_REQUEST_ENTITY_TOO_LARGE;
+ }
+
++ if (limit_req_body > 0 && (r->remaining > limit_req_body)) {
++ /* will be logged when the body is discarded */
++ return HTTP_REQUEST_ENTITY_TOO_LARGE;
++ }
++
+ #ifdef AP_DEBUG
+ {
+ /* Make sure ap_getline() didn't leave any droppings. */
+--- a/server/core.c
++++ b/server/core.c
+@@ -61,7 +61,7 @@
+
+ /* LimitRequestBody handling */
+ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
+-#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
++#define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 1<<30) /* 1GB */
+
+ /* LimitXMLRequestBody handling */
+ #define AP_LIMIT_UNSET ((long) -1)
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -512,12 +512,9 @@
+ apr_bucket *e;
+ apr_off_t bytes, bytes_spooled = 0, fsize = 0;
+ apr_file_t *tmpfile = NULL;
+- apr_off_t limit;
+
+ body_brigade = apr_brigade_create(p, bucket_alloc);
+
+- limit = ap_get_limit_req_body(r);
+-
+ while (!APR_BUCKET_IS_EOS(APR_BRIGADE_FIRST(input_brigade)))
+ {
+ /* If this brigade contains EOS, either stop or remove it. */
+@@ -532,17 +529,6 @@
+ apr_brigade_length(input_brigade, 1, &bytes);
+
+ if (bytes_spooled + bytes > MAX_MEM_SPOOL) {
+- /*
+- * LimitRequestBody does not affect Proxy requests (Should it?).
+- * Let it take effect if we decide to store the body in a
+- * temporary file on disk.
+- */
+- if (limit && (bytes_spooled + bytes > limit)) {
+- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01088)
+- "Request body is larger than the configured "
+- "limit of %" APR_OFF_T_FMT, limit);
+- return HTTP_REQUEST_ENTITY_TOO_LARGE;
+- }
+ /* can't spool any more in memory; write latest brigade to disk */
+ if (tmpfile == NULL) {
+ const char *temp_dir;
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-30522.patch apache2-2.4.38/debian/patches/CVE-2022-30522.patch
--- apache2-2.4.38/debian/patches/CVE-2022-30522.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-30522.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,561 @@
+From db47781128e42bd49f55076665b3f6ca4e2bc5e2 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 1 Jun 2022 12:50:40 +0000
+Subject: [PATCH] Merge r1901506 from trunk:
+
+limit mod_sed memory use
+
+Resync mod_sed.c with trunk due to merge conflicts.
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901509 13f79535-47bb-0310-9956-ffa450edef68
+Origin: https://github.com/apache/httpd/commit/db47781128e42bd49f55076665b3f6ca4e2bc5e2
+---
+ modules/filters/mod_sed.c | 75 ++++++++----------
+ modules/filters/sed1.c | 158 +++++++++++++++++++++++++++-----------
+ 2 files changed, 147 insertions(+), 86 deletions(-)
+
+diff --git a/modules/filters/mod_sed.c b/modules/filters/mod_sed.c
+index 4bdb4ce33a..12cb04a20f 100644
+--- a/modules/filters/mod_sed.c
++++ b/modules/filters/mod_sed.c
+@@ -59,7 +59,7 @@ typedef struct sed_filter_ctxt
+ module AP_MODULE_DECLARE_DATA sed_module;
+
+ /* This function will be call back from libsed functions if there is any error
+- * happend during execution of sed scripts
++ * happened during execution of sed scripts
+ */
+ static apr_status_t log_sed_errf(void *data, const char *error)
+ {
+@@ -277,7 +277,7 @@ static apr_status_t sed_response_filter(ap_filter_t *f,
+ apr_bucket_brigade *bb)
+ {
+ apr_bucket *b;
+- apr_status_t status;
++ apr_status_t status = APR_SUCCESS;
+ sed_config *cfg = ap_get_module_config(f->r->per_dir_config,
+ &sed_module);
+ sed_filter_ctxt *ctx = f->ctx;
+@@ -302,9 +302,9 @@ static apr_status_t sed_response_filter(ap_filter_t *f,
+ return status;
+ ctx = f->ctx;
+ apr_table_unset(f->r->headers_out, "Content-Length");
+- }
+
+- ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
++ ctx->bb = apr_brigade_create(f->r->pool, f->c->bucket_alloc);
++ }
+
+ /* Here is the main logic. Iterate through all the buckets, read the
+ * content of the bucket, call sed_eval_buffer on the data.
+@@ -326,63 +326,52 @@ static apr_status_t sed_response_filter(ap_filter_t *f,
+ * in sed's internal buffer which can't be flushed until new line
+ * character is arrived.
+ */
+- for (b = APR_BRIGADE_FIRST(bb); b != APR_BRIGADE_SENTINEL(bb);) {
+- const char *buf = NULL;
+- apr_size_t bytes = 0;
++ while (!APR_BRIGADE_EMPTY(bb)) {
++ b = APR_BRIGADE_FIRST(bb);
+ if (APR_BUCKET_IS_EOS(b)) {
+- apr_bucket *b1 = APR_BUCKET_NEXT(b);
+ /* Now clean up the internal sed buffer */
+ sed_finalize_eval(&ctx->eval, ctx);
+ status = flush_output_buffer(ctx);
+ if (status != APR_SUCCESS) {
+- clear_ctxpool(ctx);
+- return status;
++ break;
+ }
++ /* Move the eos bucket to ctx->bb brigade */
+ APR_BUCKET_REMOVE(b);
+- /* Insert the eos bucket to ctx->bb brigade */
+ APR_BRIGADE_INSERT_TAIL(ctx->bb, b);
+- b = b1;
+ }
+ else if (APR_BUCKET_IS_FLUSH(b)) {
+- apr_bucket *b1 = APR_BUCKET_NEXT(b);
+- APR_BUCKET_REMOVE(b);
+ status = flush_output_buffer(ctx);
+ if (status != APR_SUCCESS) {
+- clear_ctxpool(ctx);
+- return status;
++ break;
+ }
++ /* Move the flush bucket to ctx->bb brigade */
++ APR_BUCKET_REMOVE(b);
+ APR_BRIGADE_INSERT_TAIL(ctx->bb, b);
+- b = b1;
+- }
+- else if (APR_BUCKET_IS_METADATA(b)) {
+- b = APR_BUCKET_NEXT(b);
+ }
+- else if (apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ)
+- == APR_SUCCESS) {
+- apr_bucket *b1 = APR_BUCKET_NEXT(b);
+- status = sed_eval_buffer(&ctx->eval, buf, bytes, ctx);
+- if (status != APR_SUCCESS) {
+- clear_ctxpool(ctx);
+- return status;
++ else {
++ if (!APR_BUCKET_IS_METADATA(b)) {
++ const char *buf = NULL;
++ apr_size_t bytes = 0;
++
++ status = apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ);
++ if (status == APR_SUCCESS) {
++ status = sed_eval_buffer(&ctx->eval, buf, bytes, ctx);
++ }
++ if (status != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, f->r, APLOGNO(10394) "error evaluating sed on output");
++ break;
++ }
+ }
+- APR_BUCKET_REMOVE(b);
+ apr_bucket_delete(b);
+- b = b1;
+- }
+- else {
+- apr_bucket *b1 = APR_BUCKET_NEXT(b);
+- APR_BUCKET_REMOVE(b);
+- b = b1;
+ }
+ }
+- apr_brigade_cleanup(bb);
+- status = flush_output_buffer(ctx);
+- if (status != APR_SUCCESS) {
+- clear_ctxpool(ctx);
+- return status;
++ if (status == APR_SUCCESS) {
++ status = flush_output_buffer(ctx);
+ }
+ if (!APR_BRIGADE_EMPTY(ctx->bb)) {
+- status = ap_pass_brigade(f->next, ctx->bb);
++ if (status == APR_SUCCESS) {
++ status = ap_pass_brigade(f->next, ctx->bb);
++ }
+ apr_brigade_cleanup(ctx->bb);
+ }
+ clear_ctxpool(ctx);
+@@ -433,7 +422,7 @@ static apr_status_t sed_request_filter(ap_filter_t *f,
+ * the buckets in bbinp and read the data from buckets and invoke
+ * sed_eval_buffer on the data. libsed will generate its output using
+ * sed_write_output which will add data in ctx->bb. Do it until it have
+- * atleast one bucket in ctx->bb. At the end of data eos bucket
++ * at least one bucket in ctx->bb. At the end of data eos bucket
+ * should be there.
+ *
+ * Once eos bucket is seen, then invoke sed_finalize_eval to clear the
+@@ -475,8 +464,10 @@ static apr_status_t sed_request_filter(ap_filter_t *f,
+ if (apr_bucket_read(b, &buf, &bytes, APR_BLOCK_READ)
+ == APR_SUCCESS) {
+ status = sed_eval_buffer(&ctx->eval, buf, bytes, ctx);
+- if (status != APR_SUCCESS)
++ if (status != APR_SUCCESS) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, f->r, APLOGNO(10395) "error evaluating sed on input");
+ return status;
++ }
+ flush_output_buffer(ctx);
+ }
+ }
+diff --git a/modules/filters/sed1.c b/modules/filters/sed1.c
+index 67a8d06515..047f49ba13 100644
+--- a/modules/filters/sed1.c
++++ b/modules/filters/sed1.c
+@@ -87,18 +87,20 @@ static void eval_errf(sed_eval_t *eval, const char *fmt, ...)
+ }
+
+ #define INIT_BUF_SIZE 1024
++#define MAX_BUF_SIZE 1024*8192
+
+ /*
+ * grow_buffer
+ */
+-static void grow_buffer(apr_pool_t *pool, char **buffer,
++static apr_status_t grow_buffer(apr_pool_t *pool, char **buffer,
+ char **spend, apr_size_t *cursize,
+ apr_size_t newsize)
+ {
+ char* newbuffer = NULL;
+ apr_size_t spendsize = 0;
+- if (*cursize >= newsize)
+- return;
++ if (*cursize >= newsize) {
++ return APR_SUCCESS;
++ }
+ /* Avoid number of times realloc is called. It could cause huge memory
+ * requirement if line size is huge e.g 2 MB */
+ if (newsize < *cursize * 2) {
+@@ -107,6 +109,9 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
+
+ /* Align it to 4 KB boundary */
+ newsize = (newsize + ((1 << 12) - 1)) & ~((1 << 12) - 1);
++ if (newsize > MAX_BUF_SIZE) {
++ return APR_ENOMEM;
++ }
+ newbuffer = apr_pcalloc(pool, newsize);
+ if (*spend && *buffer && (*cursize > 0)) {
+ spendsize = *spend - *buffer;
+@@ -119,63 +124,77 @@ static void grow_buffer(apr_pool_t *pool, char **buffer,
+ if (spend != buffer) {
+ *spend = *buffer + spendsize;
+ }
++ return APR_SUCCESS;
+ }
+
+ /*
+ * grow_line_buffer
+ */
+-static void grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
++static apr_status_t grow_line_buffer(sed_eval_t *eval, apr_size_t newsize)
+ {
+- grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
++ return grow_buffer(eval->pool, &eval->linebuf, &eval->lspend,
+ &eval->lsize, newsize);
+ }
+
+ /*
+ * grow_hold_buffer
+ */
+-static void grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
++static apr_status_t grow_hold_buffer(sed_eval_t *eval, apr_size_t newsize)
+ {
+- grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
++ return grow_buffer(eval->pool, &eval->holdbuf, &eval->hspend,
+ &eval->hsize, newsize);
+ }
+
+ /*
+ * grow_gen_buffer
+ */
+-static void grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
++static apr_status_t grow_gen_buffer(sed_eval_t *eval, apr_size_t newsize,
+ char **gspend)
+ {
++ apr_status_t rc = 0;
+ if (gspend == NULL) {
+ gspend = &eval->genbuf;
+ }
+- grow_buffer(eval->pool, &eval->genbuf, gspend,
+- &eval->gsize, newsize);
+- eval->lcomend = &eval->genbuf[71];
++ rc = grow_buffer(eval->pool, &eval->genbuf, gspend,
++ &eval->gsize, newsize);
++ if (rc == APR_SUCCESS) {
++ eval->lcomend = &eval->genbuf[71];
++ }
++ return rc;
+ }
+
+ /*
+ * appendmem_to_linebuf
+ */
+-static void appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
++static apr_status_t appendmem_to_linebuf(sed_eval_t *eval, const char* sz, apr_size_t len)
+ {
++ apr_status_t rc = 0;
+ apr_size_t reqsize = (eval->lspend - eval->linebuf) + len;
+ if (eval->lsize < reqsize) {
+- grow_line_buffer(eval, reqsize);
++ rc = grow_line_buffer(eval, reqsize);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+ memcpy(eval->lspend, sz, len);
+ eval->lspend += len;
++ return APR_SUCCESS;
+ }
+
+ /*
+ * append_to_linebuf
+ */
+-static void append_to_linebuf(sed_eval_t *eval, const char* sz,
++static apr_status_t append_to_linebuf(sed_eval_t *eval, const char* sz,
+ step_vars_storage *step_vars)
+ {
+ apr_size_t len = strlen(sz);
+ char *old_linebuf = eval->linebuf;
++ apr_status_t rc = 0;
+ /* Copy string including null character */
+- appendmem_to_linebuf(eval, sz, len + 1);
++ rc = appendmem_to_linebuf(eval, sz, len + 1);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ --eval->lspend; /* lspend will now point to NULL character */
+ /* Sync step_vars after a possible linebuf expansion */
+ if (step_vars && old_linebuf != eval->linebuf) {
+@@ -189,68 +208,84 @@ static void append_to_linebuf(sed_eval_t *eval, const char* sz,
+ step_vars->locs = step_vars->locs - old_linebuf + eval->linebuf;
+ }
+ }
++ return APR_SUCCESS;
+ }
+
+ /*
+ * copy_to_linebuf
+ */
+-static void copy_to_linebuf(sed_eval_t *eval, const char* sz,
++static apr_status_t copy_to_linebuf(sed_eval_t *eval, const char* sz,
+ step_vars_storage *step_vars)
+ {
+ eval->lspend = eval->linebuf;
+- append_to_linebuf(eval, sz, step_vars);
++ return append_to_linebuf(eval, sz, step_vars);
+ }
+
+ /*
+ * append_to_holdbuf
+ */
+-static void append_to_holdbuf(sed_eval_t *eval, const char* sz)
++static apr_status_t append_to_holdbuf(sed_eval_t *eval, const char* sz)
+ {
+ apr_size_t len = strlen(sz);
+ apr_size_t reqsize = (eval->hspend - eval->holdbuf) + len + 1;
++ apr_status_t rc = 0;
+ if (eval->hsize <= reqsize) {
+- grow_hold_buffer(eval, reqsize);
++ rc = grow_hold_buffer(eval, reqsize);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+ memcpy(eval->hspend, sz, len + 1);
+ /* hspend will now point to NULL character */
+ eval->hspend += len;
++ return APR_SUCCESS;
+ }
+
+ /*
+ * copy_to_holdbuf
+ */
+-static void copy_to_holdbuf(sed_eval_t *eval, const char* sz)
++static apr_status_t copy_to_holdbuf(sed_eval_t *eval, const char* sz)
+ {
+ eval->hspend = eval->holdbuf;
+- append_to_holdbuf(eval, sz);
++ return append_to_holdbuf(eval, sz);
+ }
+
+ /*
+ * append_to_genbuf
+ */
+-static void append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
++static apr_status_t append_to_genbuf(sed_eval_t *eval, const char* sz, char **gspend)
+ {
+ apr_size_t len = strlen(sz);
+ apr_size_t reqsize = (*gspend - eval->genbuf) + len + 1;
++ apr_status_t rc = 0;
+ if (eval->gsize < reqsize) {
+- grow_gen_buffer(eval, reqsize, gspend);
++ rc = grow_gen_buffer(eval, reqsize, gspend);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+ memcpy(*gspend, sz, len + 1);
+ /* *gspend will now point to NULL character */
+ *gspend += len;
++ return APR_SUCCESS;
+ }
+
+ /*
+ * copy_to_genbuf
+ */
+-static void copy_to_genbuf(sed_eval_t *eval, const char* sz)
++static apr_status_t copy_to_genbuf(sed_eval_t *eval, const char* sz)
+ {
+ apr_size_t len = strlen(sz);
+ apr_size_t reqsize = len + 1;
++ apr_status_t rc = APR_SUCCESS;;
+ if (eval->gsize < reqsize) {
+- grow_gen_buffer(eval, reqsize, NULL);
++ rc = grow_gen_buffer(eval, reqsize, NULL);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+ memcpy(eval->genbuf, sz, len + 1);
++ return rc;
+ }
+
+ /*
+@@ -397,6 +432,7 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
+ }
+
+ while (bufsz) {
++ apr_status_t rc = 0;
+ char *n;
+ apr_size_t llen;
+
+@@ -411,7 +447,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
+ break;
+ }
+
+- appendmem_to_linebuf(eval, buf, llen + 1);
++ rc = appendmem_to_linebuf(eval, buf, llen + 1);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ --eval->lspend;
+ /* replace new line character with NULL */
+ *eval->lspend = '\0';
+@@ -426,7 +465,10 @@ apr_status_t sed_eval_buffer(sed_eval_t *eval, const char *buf, apr_size_t bufsz
+
+ /* Save the leftovers for later */
+ if (bufsz) {
+- appendmem_to_linebuf(eval, buf, bufsz);
++ apr_status_t rc = appendmem_to_linebuf(eval, buf, bufsz);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+
+ return APR_SUCCESS;
+@@ -448,6 +490,7 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
+ /* Process leftovers */
+ if (eval->lspend > eval->linebuf) {
+ apr_status_t rv;
++ apr_status_t rc = 0;
+
+ if (eval->lreadyflag) {
+ eval->lreadyflag = 0;
+@@ -457,7 +500,10 @@ apr_status_t sed_finalize_eval(sed_eval_t *eval, void *fout)
+ * buffer is not a newline.
+ */
+ /* Assure space for NULL */
+- append_to_linebuf(eval, "", NULL);
++ rc = append_to_linebuf(eval, "", NULL);
++ if (rc != APR_SUCCESS) {
++ return rc;
++ }
+ }
+
+ *eval->lspend = '\0';
+@@ -655,11 +701,15 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
+ sp = eval->genbuf;
+ rp = rhsbuf;
+ sp = place(eval, sp, lp, step_vars->loc1);
++ if (sp == NULL) {
++ return APR_EGENERAL;
++ }
+ while ((c = *rp++) != 0) {
+ if (c == '&') {
+ sp = place(eval, sp, step_vars->loc1, step_vars->loc2);
+- if (sp == NULL)
++ if (sp == NULL) {
+ return APR_EGENERAL;
++ }
+ }
+ else if (c == '\\') {
+ c = *rp++;
+@@ -675,13 +725,19 @@ static apr_status_t dosub(sed_eval_t *eval, char *rhsbuf, int n,
+ *sp++ = c;
+ if (sp >= eval->genbuf + eval->gsize) {
+ /* expand genbuf and set the sp appropriately */
+- grow_gen_buffer(eval, eval->gsize + 1024, &sp);
++ rv = grow_gen_buffer(eval, eval->gsize + 1024, &sp);
++ if (rv != APR_SUCCESS) {
++ return rv;
++ }
+ }
+ }
+ lp = step_vars->loc2;
+ step_vars->loc2 = sp - eval->genbuf + eval->linebuf;
+- append_to_genbuf(eval, lp, &sp);
+- copy_to_linebuf(eval, eval->genbuf, step_vars);
++ rv = append_to_genbuf(eval, lp, &sp);
++ if (rv != APR_SUCCESS) {
++ return rv;
++ }
++ rv = copy_to_linebuf(eval, eval->genbuf, step_vars);
+ return rv;
+ }
+
+@@ -695,7 +751,10 @@ static char *place(sed_eval_t *eval, char *asp, char *al1, char *al2)
+ apr_size_t reqsize = (sp - eval->genbuf) + n + 1;
+
+ if (eval->gsize < reqsize) {
+- grow_gen_buffer(eval, reqsize, &sp);
++ apr_status_t rc = grow_gen_buffer(eval, reqsize, &sp);
++ if (rc != APR_SUCCESS) {
++ return NULL;
++ }
+ }
+ memcpy(sp, al1, n);
+ return sp + n;
+@@ -750,7 +809,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ }
+
+ p1++;
+- copy_to_linebuf(eval, p1, step_vars);
++ rv = copy_to_linebuf(eval, p1, step_vars);
++ if (rv != APR_SUCCESS) return rv;
+ eval->jflag++;
+ break;
+
+@@ -760,21 +820,27 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ break;
+
+ case GCOM:
+- copy_to_linebuf(eval, eval->holdbuf, step_vars);
++ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case CGCOM:
+- append_to_linebuf(eval, "\n", step_vars);
+- append_to_linebuf(eval, eval->holdbuf, step_vars);
++ rv = append_to_linebuf(eval, "\n", step_vars);
++ if (rv != APR_SUCCESS) return rv;
++ rv = append_to_linebuf(eval, eval->holdbuf, step_vars);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case HCOM:
+- copy_to_holdbuf(eval, eval->linebuf);
++ rv = copy_to_holdbuf(eval, eval->linebuf);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case CHCOM:
+- append_to_holdbuf(eval, "\n");
+- append_to_holdbuf(eval, eval->linebuf);
++ rv = append_to_holdbuf(eval, "\n");
++ if (rv != APR_SUCCESS) return rv;
++ rv = append_to_holdbuf(eval, eval->linebuf);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case ICOM:
+@@ -896,7 +962,8 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ if (rv != APR_SUCCESS)
+ return rv;
+ }
+- append_to_linebuf(eval, "\n", step_vars);
++ rv = append_to_linebuf(eval, "\n", step_vars);
++ if (rv != APR_SUCCESS) return rv;
+ eval->pending = ipc->next;
+ break;
+
+@@ -970,9 +1037,12 @@ static apr_status_t command(sed_eval_t *eval, sed_reptr_t *ipc,
+ break;
+
+ case XCOM:
+- copy_to_genbuf(eval, eval->linebuf);
+- copy_to_linebuf(eval, eval->holdbuf, step_vars);
+- copy_to_holdbuf(eval, eval->genbuf);
++ rv = copy_to_genbuf(eval, eval->linebuf);
++ if (rv != APR_SUCCESS) return rv;
++ rv = copy_to_linebuf(eval, eval->holdbuf, step_vars);
++ if (rv != APR_SUCCESS) return rv;
++ rv = copy_to_holdbuf(eval, eval->genbuf);
++ if (rv != APR_SUCCESS) return rv;
+ break;
+
+ case YCOM:
+--
+2.30.2
+
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-30556.patch apache2-2.4.38/debian/patches/CVE-2022-30556.patch
--- apache2-2.4.38/debian/patches/CVE-2022-30556.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-30556.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,250 @@
+From 3a561759fcb37af179585adb8478922dc9bc6a85 Mon Sep 17 00:00:00 2001
+From: Eric Covener <covener@apache.org>
+Date: Wed, 1 Jun 2022 12:36:39 +0000
+Subject: [PATCH] Merge r1901502 from trunk:
+
+use filters consistently
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901503 13f79535-47bb-0310-9956-ffa450edef68
+Origin: https://github.com/apache/httpd/commit/3a561759fcb37af179585adb8478922dc9bc6a85
+---
+ modules/lua/lua_request.c | 144 ++++++++++++++------------------------
+ 1 file changed, 53 insertions(+), 91 deletions(-)
+
+diff --git a/modules/lua/lua_request.c b/modules/lua/lua_request.c
+index a3e3b613bc..2ec453e86b 100644
+--- a/modules/lua/lua_request.c
++++ b/modules/lua/lua_request.c
+@@ -2227,23 +2227,20 @@ static int lua_websocket_greet(lua_State *L)
+ return 0;
+ }
+
+-static apr_status_t lua_websocket_readbytes(conn_rec* c, char* buffer,
+- apr_off_t len)
++static apr_status_t lua_websocket_readbytes(conn_rec* c,
++ apr_bucket_brigade *brigade,
++ char* buffer, apr_off_t len)
+ {
+- apr_bucket_brigade *brigade = apr_brigade_create(c->pool, c->bucket_alloc);
++ apr_size_t delivered;
+ apr_status_t rv;
++
+ rv = ap_get_brigade(c->input_filters, brigade, AP_MODE_READBYTES,
+ APR_BLOCK_READ, len);
+ if (rv == APR_SUCCESS) {
+- if (!APR_BRIGADE_EMPTY(brigade)) {
+- apr_bucket* bucket = APR_BRIGADE_FIRST(brigade);
+- const char* data = NULL;
+- apr_size_t data_length = 0;
+- rv = apr_bucket_read(bucket, &data, &data_length, APR_BLOCK_READ);
+- if (rv == APR_SUCCESS) {
+- memcpy(buffer, data, len);
+- }
+- apr_bucket_delete(bucket);
++ delivered = len;
++ rv = apr_brigade_flatten(brigade, buffer, &delivered);
++ if ((rv == APR_SUCCESS) && (delivered < len)) {
++ rv = APR_INCOMPLETE;
+ }
+ }
+ apr_brigade_cleanup(brigade);
+@@ -2273,35 +2270,28 @@ static int lua_websocket_peek(lua_State *L)
+
+ static int lua_websocket_read(lua_State *L)
+ {
+- apr_socket_t *sock;
+ apr_status_t rv;
+ int do_read = 1;
+ int n = 0;
+- apr_size_t len = 1;
+ apr_size_t plen = 0;
+ unsigned short payload_short = 0;
+ apr_uint64_t payload_long = 0;
+ unsigned char *mask_bytes;
+ char byte;
+- int plaintext;
+-
+-
++ apr_bucket_brigade *brigade;
++ conn_rec* c;
++
+ request_rec *r = ap_lua_check_request_rec(L, 1);
+- plaintext = ap_lua_ssl_is_https(r->connection) ? 0 : 1;
++ c = r->connection;
+
+-
+ mask_bytes = apr_pcalloc(r->pool, 4);
+- sock = ap_get_conn_socket(r->connection);
++
++ brigade = apr_brigade_create(r->pool, c->bucket_alloc);
+
+ while (do_read) {
+ do_read = 0;
+ /* Get opcode and FIN bit */
+- if (plaintext) {
+- rv = apr_socket_recv(sock, &byte, &len);
+- }
+- else {
+- rv = lua_websocket_readbytes(r->connection, &byte, 1);
+- }
++ rv = lua_websocket_readbytes(c, brigade, &byte, 1);
+ if (rv == APR_SUCCESS) {
+ unsigned char ubyte, fin, opcode, mask, payload;
+ ubyte = (unsigned char)byte;
+@@ -2311,12 +2301,7 @@ static int lua_websocket_read(lua_State *L)
+ opcode = ubyte & 0xf;
+
+ /* Get the payload length and mask bit */
+- if (plaintext) {
+- rv = apr_socket_recv(sock, &byte, &len);
+- }
+- else {
+- rv = lua_websocket_readbytes(r->connection, &byte, 1);
+- }
++ rv = lua_websocket_readbytes(c, brigade, &byte, 1);
+ if (rv == APR_SUCCESS) {
+ ubyte = (unsigned char)byte;
+ /* Mask is the first bit */
+@@ -2327,40 +2312,25 @@ static int lua_websocket_read(lua_State *L)
+
+ /* Extended payload? */
+ if (payload == 126) {
+- len = 2;
+- if (plaintext) {
+- /* XXX: apr_socket_recv does not receive len bits, only up to len bits! */
+- rv = apr_socket_recv(sock, (char*) &payload_short, &len);
+- }
+- else {
+- rv = lua_websocket_readbytes(r->connection,
+- (char*) &payload_short, 2);
+- }
+- payload_short = ntohs(payload_short);
++ rv = lua_websocket_readbytes(c, brigade,
++ (char*) &payload_short, 2);
+
+- if (rv == APR_SUCCESS) {
+- plen = payload_short;
+- }
+- else {
++ if (rv != APR_SUCCESS) {
+ return 0;
+ }
++
++ plen = ntohs(payload_short);
+ }
+ /* Super duper extended payload? */
+ if (payload == 127) {
+- len = 8;
+- if (plaintext) {
+- rv = apr_socket_recv(sock, (char*) &payload_long, &len);
+- }
+- else {
+- rv = lua_websocket_readbytes(r->connection,
+- (char*) &payload_long, 8);
+- }
+- if (rv == APR_SUCCESS) {
+- plen = ap_ntoh64(&payload_long);
+- }
+- else {
++ rv = lua_websocket_readbytes(c, brigade,
++ (char*) &payload_long, 8);
++
++ if (rv != APR_SUCCESS) {
+ return 0;
+ }
++
++ plen = ap_ntoh64(&payload_long);
+ }
+ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03210)
+ "Websocket: Reading %" APR_SIZE_T_FMT " (%s) bytes, masking is %s. %s",
+@@ -2369,46 +2339,27 @@ static int lua_websocket_read(lua_State *L)
+ mask ? "on" : "off",
+ fin ? "This is a final frame" : "more to follow");
+ if (mask) {
+- len = 4;
+- if (plaintext) {
+- rv = apr_socket_recv(sock, (char*) mask_bytes, &len);
+- }
+- else {
+- rv = lua_websocket_readbytes(r->connection,
+- (char*) mask_bytes, 4);
+- }
++ rv = lua_websocket_readbytes(c, brigade,
++ (char*) mask_bytes, 4);
++
+ if (rv != APR_SUCCESS) {
+ return 0;
+ }
+ }
+ if (plen < (HUGE_STRING_LEN*1024) && plen > 0) {
+ apr_size_t remaining = plen;
+- apr_size_t received;
+- apr_off_t at = 0;
+ char *buffer = apr_palloc(r->pool, plen+1);
+ buffer[plen] = 0;
+
+- if (plaintext) {
+- while (remaining > 0) {
+- received = remaining;
+- rv = apr_socket_recv(sock, buffer+at, &received);
+- if (received > 0 ) {
+- remaining -= received;
+- at += received;
+- }
+- }
+- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
+- "Websocket: Frame contained %" APR_OFF_T_FMT " bytes, pushed to Lua stack",
+- at);
+- }
+- else {
+- rv = lua_websocket_readbytes(r->connection, buffer,
+- remaining);
+- ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
+- "Websocket: SSL Frame contained %" APR_SIZE_T_FMT " bytes, "\
+- "pushed to Lua stack",
+- remaining);
++ rv = lua_websocket_readbytes(c, brigade, buffer, remaining);
++
++ if (rv != APR_SUCCESS) {
++ return 0;
+ }
++
++ ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
++ "Websocket: Frame contained %" APR_SIZE_T_FMT \
++ " bytes, pushed to Lua stack", remaining);
+ if (mask) {
+ for (n = 0; n < plen; n++) {
+ buffer[n] ^= mask_bytes[n%4];
+@@ -2420,14 +2371,25 @@ static int lua_websocket_read(lua_State *L)
+ return 2;
+ }
+
+-
+ /* Decide if we need to react to the opcode or not */
+ if (opcode == 0x09) { /* ping */
+ char frame[2];
+- plen = 2;
++ apr_bucket *b;
++
+ frame[0] = 0x8A;
+ frame[1] = 0;
+- apr_socket_send(sock, frame, &plen); /* Pong! */
++
++ /* Pong! */
++ b = apr_bucket_transient_create(frame, 2, c->bucket_alloc);
++ APR_BRIGADE_INSERT_TAIL(brigade, b);
++
++ rv = ap_pass_brigade(c->output_filters, brigade);
++ apr_brigade_cleanup(brigade);
++
++ if (rv != APR_SUCCESS) {
++ return 0;
++ }
++
+ do_read = 1;
+ }
+ }
+--
+2.30.2
+
diff -Nru apache2-2.4.38/debian/patches/CVE-2022-31813.patch apache2-2.4.38/debian/patches/CVE-2022-31813.patch
--- apache2-2.4.38/debian/patches/CVE-2022-31813.patch 1969-12-31 19:00:00.000000000 -0500
+++ apache2-2.4.38/debian/patches/CVE-2022-31813.patch 2022-06-20 15:03:00.000000000 -0400
@@ -0,0 +1,242 @@
+From 956f708b094698ac9ad570d640d4f30eb0df7305 Mon Sep 17 00:00:00 2001
+From: Stefan Eissing <icing@apache.org>
+Date: Wed, 1 Jun 2022 07:51:04 +0000
+Subject: [PATCH] Merge r1901461 from trunk via #320:
+
+ *) mod_proxy: ap_proxy_create_hdrbrgd() to clear hop-by-hop first and fixup last.
+
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1901480 13f79535-47bb-0310-9956-ffa450edef68
+Origin: https://github.com/apache/httpd/commit/956f708b094698ac9ad570d640d4f30eb0df7305
+---
+ modules/proxy/proxy_util.c | 153 ++++++++++++++++++++++-----------------------
+ 1 file changed, 77 insertions(+), 76 deletions(-)
+
+--- a/modules/proxy/proxy_util.c
++++ b/modules/proxy/proxy_util.c
+@@ -3396,12 +3396,14 @@
+ char **old_cl_val,
+ char **old_te_val)
+ {
++ int rc = OK;
+ conn_rec *c = r->connection;
+ int counter;
+ char *buf;
++ apr_table_t *saved_headers_in = r->headers_in;
++ const char *saved_host = apr_table_get(saved_headers_in, "Host");
+ const apr_array_header_t *headers_in_array;
+ const apr_table_entry_t *headers_in;
+- apr_table_t *saved_headers_in;
+ apr_bucket *e;
+ int do_100_continue;
+ conn_rec *origin = p_conn->connection;
+@@ -3437,6 +3439,52 @@
+ ap_xlate_proto_to_ascii(buf, strlen(buf));
+ e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(header_brigade, e);
++
++ /*
++ * Make a copy on r->headers_in for the request we make to the backend,
++ * modify the copy in place according to our configuration and connection
++ * handling, use it to fill in the forwarded headers' brigade, and finally
++ * restore the saved/original ones in r->headers_in.
++ *
++ * Note: We need to take r->pool for apr_table_copy as the key / value
++ * pairs in r->headers_in have been created out of r->pool and
++ * p might be (and actually is) a longer living pool.
++ * This would trigger the bad pool ancestry abort in apr_table_copy if
++ * apr is compiled with APR_POOL_DEBUG.
++ *
++ * icing: if p indeed lives longer than r->pool, we should allocate
++ * all new header values from r->pool as well and avoid leakage.
++ */
++ r->headers_in = apr_table_copy(r->pool, saved_headers_in);
++
++ /* Return the original Transfer-Encoding and/or Content-Length values
++ * then drop the headers, they must be set by the proxy handler based
++ * on the actual body being forwarded.
++ */
++ if ((*old_te_val = (char *)apr_table_get(r->headers_in,
++ "Transfer-Encoding"))) {
++ apr_table_unset(r->headers_in, "Transfer-Encoding");
++ }
++ if ((*old_cl_val = (char *)apr_table_get(r->headers_in,
++ "Content-Length"))) {
++ apr_table_unset(r->headers_in, "Content-Length");
++ }
++
++ /* Clear out hop-by-hop request headers not to forward */
++ if (ap_proxy_clear_connection(r, r->headers_in) < 0) {
++ rc = HTTP_BAD_REQUEST;
++ goto cleanup;
++ }
++
++ /* RFC2616 13.5.1 says we should strip these */
++ apr_table_unset(r->headers_in, "Keep-Alive");
++ apr_table_unset(r->headers_in, "Upgrade");
++ apr_table_unset(r->headers_in, "Trailer");
++ apr_table_unset(r->headers_in, "TE");
++
++ /* We used to send `Host: ` always first, so let's keep it that
++ * way. No telling which legacy backend is relying no this.
++ */
+ if (dconf->preserve_host == 0) {
+ if (ap_strchr_c(uri->hostname, ':')) { /* if literal IPv6 address */
+ if (uri->port_str && uri->port != DEFAULT_HTTP_PORT) {
+@@ -3458,7 +3506,7 @@
+ /* don't want to use r->hostname, as the incoming header might have a
+ * port attached
+ */
+- const char* hostname = apr_table_get(r->headers_in,"Host");
++ const char* hostname = saved_host;
+ if (!hostname) {
+ hostname = r->server->server_hostname;
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01092)
+@@ -3472,21 +3520,7 @@
+ ap_xlate_proto_to_ascii(buf, strlen(buf));
+ e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc);
+ APR_BRIGADE_INSERT_TAIL(header_brigade, e);
+-
+- /*
+- * Save the original headers in here and restore them when leaving, since
+- * we will apply proxy purpose only modifications (eg. clearing hop-by-hop
+- * headers, add Via or X-Forwarded-* or Expect...), whereas the originals
+- * will be needed later to prepare the correct response and logging.
+- *
+- * Note: We need to take r->pool for apr_table_copy as the key / value
+- * pairs in r->headers_in have been created out of r->pool and
+- * p might be (and actually is) a longer living pool.
+- * This would trigger the bad pool ancestry abort in apr_table_copy if
+- * apr is compiled with APR_POOL_DEBUG.
+- */
+- saved_headers_in = r->headers_in;
+- r->headers_in = apr_table_copy(r->pool, saved_headers_in);
++ apr_table_unset(r->headers_in, "Host");
+
+ /* handle Via */
+ if (conf->viaopt == via_block) {
+@@ -3561,8 +3595,6 @@
+ */
+ if (dconf->add_forwarded_headers) {
+ if (PROXYREQ_REVERSE == r->proxyreq) {
+- const char *buf;
+-
+ /* Add X-Forwarded-For: so that the upstream has a chance to
+ * determine, where the original request came from.
+ */
+@@ -3572,8 +3604,9 @@
+ /* Add X-Forwarded-Host: so that upstream knows what the
+ * original request hostname was.
+ */
+- if ((buf = apr_table_get(r->headers_in, "Host"))) {
+- apr_table_mergen(r->headers_in, "X-Forwarded-Host", buf);
++ if (saved_host) {
++ apr_table_mergen(r->headers_in, "X-Forwarded-Host",
++ saved_host);
+ }
+
+ /* Add X-Forwarded-Server: so that upstream knows what the
+@@ -3585,67 +3618,37 @@
+ }
+ }
+
+- proxy_run_fixups(r);
+- if (ap_proxy_clear_connection(r, r->headers_in) < 0) {
+- return HTTP_BAD_REQUEST;
++ /* Do we want to strip Proxy-Authorization ?
++ * If we haven't used it, then NO
++ * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
++ * So let's make it configurable by env.
++ */
++ if (r->user != NULL /* we've authenticated */
++ && !apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
++ apr_table_unset(r->headers_in, "Proxy-Authorization");
+ }
+
++ /* for sub-requests, ignore freshness/expiry headers */
++ if (r->main) {
++ apr_table_unset(r->headers_in, "If-Match");
++ apr_table_unset(r->headers_in, "If-Modified-Since");
++ apr_table_unset(r->headers_in, "If-Range");
++ apr_table_unset(r->headers_in, "If-Unmodified-Since");
++ apr_table_unset(r->headers_in, "If-None-Match");
++ }
++
++ /* run hook to fixup the request we are about to send */
++ proxy_run_fixups(r);
++
+ /* send request headers */
+ headers_in_array = apr_table_elts(r->headers_in);
+ headers_in = (const apr_table_entry_t *) headers_in_array->elts;
+ for (counter = 0; counter < headers_in_array->nelts; counter++) {
+ if (headers_in[counter].key == NULL
+- || headers_in[counter].val == NULL
+-
+- /* Already sent */
+- || !strcasecmp(headers_in[counter].key, "Host")
+-
+- /* Clear out hop-by-hop request headers not to send
+- * RFC2616 13.5.1 says we should strip these headers
+- */
+- || !strcasecmp(headers_in[counter].key, "Keep-Alive")
+- || !strcasecmp(headers_in[counter].key, "TE")
+- || !strcasecmp(headers_in[counter].key, "Trailer")
+- || !strcasecmp(headers_in[counter].key, "Upgrade")
+-
+- ) {
+- continue;
+- }
+- /* Do we want to strip Proxy-Authorization ?
+- * If we haven't used it, then NO
+- * If we have used it then MAYBE: RFC2616 says we MAY propagate it.
+- * So let's make it configurable by env.
+- */
+- if (!strcasecmp(headers_in[counter].key,"Proxy-Authorization")) {
+- if (r->user != NULL) { /* we've authenticated */
+- if (!apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
+- continue;
+- }
+- }
+- }
+-
+- /* Skip Transfer-Encoding and Content-Length for now.
+- */
+- if (!strcasecmp(headers_in[counter].key, "Transfer-Encoding")) {
+- *old_te_val = headers_in[counter].val;
+- continue;
+- }
+- if (!strcasecmp(headers_in[counter].key, "Content-Length")) {
+- *old_cl_val = headers_in[counter].val;
++ || headers_in[counter].val == NULL) {
+ continue;
+ }
+
+- /* for sub-requests, ignore freshness/expiry headers */
+- if (r->main) {
+- if ( !strcasecmp(headers_in[counter].key, "If-Match")
+- || !strcasecmp(headers_in[counter].key, "If-Modified-Since")
+- || !strcasecmp(headers_in[counter].key, "If-Range")
+- || !strcasecmp(headers_in[counter].key, "If-Unmodified-Since")
+- || !strcasecmp(headers_in[counter].key, "If-None-Match")) {
+- continue;
+- }
+- }
+-
+ buf = apr_pstrcat(p, headers_in[counter].key, ": ",
+ headers_in[counter].val, CRLF,
+ NULL);
+@@ -3654,11 +3657,9 @@
+ APR_BRIGADE_INSERT_TAIL(header_brigade, e);
+ }
+
+- /* Restore the original headers in (see comment above),
+- * we won't modify them anymore.
+- */
++cleanup:
+ r->headers_in = saved_headers_in;
+- return OK;
++ return rc;
+ }
+
+ PROXY_DECLARE(int) ap_proxy_pass_brigade(apr_bucket_alloc_t *bucket_alloc,
diff -Nru apache2-2.4.38/debian/patches/series apache2-2.4.38/debian/patches/series
--- apache2-2.4.38/debian/patches/series 2021-12-21 11:50:43.000000000 -0500
+++ apache2-2.4.38/debian/patches/series 2022-06-20 15:03:00.000000000 -0400
@@ -37,3 +37,15 @@
CVE-2021-44224-2.patch
CVE-2021-44790.patch
CVE-2021-36160-2.patch
+CVE-2022-22719.patch
+CVE-2022-22720.patch
+CVE-2022-22721.patch
+CVE-2022-23943-1.patch
+CVE-2022-23943-2.patch
+CVE-2022-26377.patch
+CVE-2022-28614.patch
+CVE-2022-28615.patch
+CVE-2022-29404.patch
+CVE-2022-30522.patch
+CVE-2022-30556.patch
+CVE-2022-31813.patch
Reply to: