From fe182f3d405b932d5bc2f2e7400fa96eff84e5ab Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Mon, 28 Sep 2020 13:04:36 -0700 Subject: [PATCH 1/2] Nopatch httpd CVE-1999-0236, CVE-1999-1412 Signed-off-by: Daniel McIlvaney --- SPECS/httpd/CVE-1999-0236.nopatch | 1 + SPECS/httpd/CVE-1999-1412.nopatch | 1 + SPECS/httpd/httpd.spec | 28 ++++++++++++++++------------ cgmanifest.json | 4 ++-- 4 files changed, 20 insertions(+), 14 deletions(-) create mode 100644 SPECS/httpd/CVE-1999-0236.nopatch create mode 100644 SPECS/httpd/CVE-1999-1412.nopatch diff --git a/SPECS/httpd/CVE-1999-0236.nopatch b/SPECS/httpd/CVE-1999-0236.nopatch new file mode 100644 index 00000000000..6203cad9936 --- /dev/null +++ b/SPECS/httpd/CVE-1999-0236.nopatch @@ -0,0 +1 @@ +# CVE-1999-0236 must be mitigated by the user. See "Server Side Includes" on https://httpd.apache.org/docs/2.4/misc/security_tips.html \ No newline at end of file diff --git a/SPECS/httpd/CVE-1999-1412.nopatch b/SPECS/httpd/CVE-1999-1412.nopatch new file mode 100644 index 00000000000..72ff0709300 --- /dev/null +++ b/SPECS/httpd/CVE-1999-1412.nopatch @@ -0,0 +1 @@ +# CVE-1999-1412 applies only to MacOS X \ No newline at end of file diff --git a/SPECS/httpd/httpd.spec b/SPECS/httpd/httpd.spec index 16a0ff832c0..365ed0f313b 100644 --- a/SPECS/httpd/httpd.spec +++ b/SPECS/httpd/httpd.spec @@ -1,7 +1,7 @@ Summary: The Apache HTTP Server Name: httpd Version: 2.4.46 -Release: 1%{?dist} +Release: 2%{?dist} License: ASL 2.0 URL: https://httpd.apache.org/ Group: Applications/System 
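Review bot: The text of `CVE-1999-0236.nopatch` says the issue "must be mitigated by the user", yet a nopatch marker is normally read by CVE tooling as "no action needed", so the finding may be silenced for a package whose safety depends on site configuration. The note should name the mitigating setting and say whether the packaged default configuration already applies it, for example `# CVE-1999-0236: no code fix exists; mitigated by configuration only. Default httpd.conf: <affected / not affected>`. The cited section is "Server Side Includes", but as far as I recall this CVE concerns CGI source being readable through a ScriptAlias directory, so please check the section against the CVE description. `CVE-1999-1412.nopatch` likewise gives its platform rationale with no reference an auditor could verify.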
@@ -11,6 +11,11 @@ Source0: https://archive.apache.org/dist/%{name}/%{name}-%{version}.tar.b Patch0: httpd-blfs_layout-1.patch Patch1: httpd-uncomment-ServerName.patch +# CVE-1999-0236 must be mitigated by the user. See "Server Side Includes" at https://httpd.apache.org/docs/2.4/misc/security_tips.html +Patch100: CVE-1999-0236.nopatch +# CVE-1999-1412 applies only to MacOS X +Patch101: CVE-1999-1412.nopatch + BuildRequires: openssl BuildRequires: openssl-devel BuildRequires: pcre-devel @@ -185,17 +190,16 @@ fi %{_bindir}/dbmmanage %changelog -* Tue Aug 18 2020 Pawel Winogrodzki 2.4.46-1 -- Updated to 2.4.46 to resolve CVE-2020-11984. - -* Tue May 19 2020 Ruying Chen 2.4.43-1 -- Updated to 2.4.43 to resolve the following CVEs -- CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 -- CVE-2019-10098, CVE-2020-1927, CVE-2020-1934 - -* Sat May 09 00:20:57 PST 2020 Nick Samson - 2.4.39-4 -- Added %%license line automatically - +* Mon Sep 28 2020 Daniel McIlvaney 2.4.46-2 +- Mark CVE-1999-0236 CVE-1999-1412 as nopatch +* Tue Aug 18 2020 Pawel Winogrodzki 2.4.46-1 +- Updated to 2.4.46 to resolve CVE-2020-11984. +* Tue May 19 2020 Ruying Chen 2.4.43-1 +- Updated to 2.4.43 to resolve the following CVEs +- CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 +- CVE-2019-10098, CVE-2020-1927, CVE-2020-1934 +* Sat May 09 2020 Nick Samson - 2.4.39-4 +- Added %%license line automatically * Tue Apr 07 2020 Pawel Winogrodzki 2.4.39-3 - Updated and verified 'Source0', 'Patch0' and 'URL' tags. - License verified. diff --git a/cgmanifest.json b/cgmanifest.json index bfcf937566a..462543a8a2c 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -1466,8 +1466,8 @@ "type": "other", "other": { "name": "httpd", - "version": "2.4.43", - "downloadUrl": "https://archive.apache.org/dist/httpd/httpd-2.4.43.tar.bz2" + "version": "2.4.46", + "downloadUrl": "https://archive.apache.org/dist/httpd/httpd-2.4.46.tar.bz2" } } }, 
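Review bot: `Patch100` and `Patch101` register comment-only files as real patches, and the `%prep` section that decides how patches are applied is outside this hunk. If `%prep` uses `%autosetup` or `%autopatch` rather than explicit `%patch0`/`%patch1` calls, rpmbuild would hand these files to patch(1) and the build would fail. A short comment above the two tags would guard against that, e.g. `# .nopatch files are CVE-tracking markers only; never apply them in %prep`. The rationale is also duplicated between the spec comment and the marker file and already differs in wording ("at" here, "on" in the file), so keeping it in one place would prevent the two from drifting.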
From 9d042e824f6fdd211c21387615fc7c9e8ca6f6fe Mon Sep 17 00:00:00 2001 From: Daniel McIlvaney Date: Tue, 29 Sep 2020 13:01:36 -0700 Subject: [PATCH 2/2] Update SPECS/httpd/httpd.spec --- SPECS/httpd/httpd.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SPECS/httpd/httpd.spec b/SPECS/httpd/httpd.spec index 365ed0f313b..4b9aecdbf47 100644 --- a/SPECS/httpd/httpd.spec +++ b/SPECS/httpd/httpd.spec @@ -198,7 +198,7 @@ fi - Updated to 2.4.43 to resolve the following CVEs - CVE-2019-10081, CVE-2019-10082, CVE-2019-10092, CVE-2019-10097 - CVE-2019-10098, CVE-2020-1927, CVE-2020-1934 -* Sat May 09 2020 Nick Samson - 2.4.39-4 +* Sat May 09 2020 Nick Samson 2.4.39-4 - Added %%license line automatically * Tue Apr 07 2020 Pawel Winogrodzki 2.4.39-3 - Updated and verified 'Source0', 'Patch0' and 'URL' tags.