From 2d2437e886218b8f1171416c5c526cf9bb21c08c Mon Sep 17 00:00:00 2001
From: Pawel <pawelwi@microsoft.com>
Date: Tue, 6 Oct 2020 07:13:19 -0700
Subject: [PATCH] Adding a .nopatch for CVE-2007-0086.

---
 SPECS/httpd/CVE-2007-0086.nopatch | 9 +++++++++
 SPECS/httpd/httpd.spec            | 6 +++++-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/httpd/CVE-2007-0086.nopatch

diff --git a/SPECS/httpd/CVE-2007-0086.nopatch b/SPECS/httpd/CVE-2007-0086.nopatch
new file mode 100644
index 00000000000..07fd829297b
--- /dev/null
+++ b/SPECS/httpd/CVE-2007-0086.nopatch
@@ -0,0 +1,9 @@
+# CVE-2007-0086 has been disputed to be an actual vulnerability. Official Red Hat statement from 1st of November 2007:
+
+    "Red Hat does not consider this issue to be a security vulnerability. The pottential attacker has to send acknowledgement
+     packets periodically to make server generate traffic. Exactly the same effect could be achieved by simply downloading the file.
+     The statement that setting the TCP window size to arbitrarily high value would permit the attacker to disconnect and stop
+     sending ACKs is false, because Red Hat Enterprise Linux limits the size of the TCP send buffer to 4MB by default."
+
+In case of CBL-Mariner the default max TCP send buffer size is set to 4 MBs as well.
+The configuration is available under '/proc/sys/net/ipv4/tcp_wmem'.
\ No newline at end of file
diff --git a/SPECS/httpd/httpd.spec b/SPECS/httpd/httpd.spec
index 4b9aecdbf47..4602395e33b 100644
--- a/SPECS/httpd/httpd.spec
+++ b/SPECS/httpd/httpd.spec
@@ -1,7 +1,7 @@
 Summary:        The Apache HTTP Server
 Name:           httpd
 Version:        2.4.46
-Release:        2%{?dist}
+Release:        3%{?dist}
 License:        ASL 2.0
 URL:            https://httpd.apache.org/
 Group:          Applications/System
@@ -15,6 +15,8 @@ Patch1:         httpd-uncomment-ServerName.patch
 Patch100: CVE-1999-0236.nopatch
 # CVE-1999-1412 applies only to MacOS X
 Patch101: CVE-1999-1412.nopatch
+# CVE-2007-0086 has been disputed to not be a vulnerability since 2007 due to default system configurations securing against it.
+Patch102: CVE-2007-0086.nopatch
 
 BuildRequires:  openssl
 BuildRequires:  openssl-devel
@@ -190,6 +192,8 @@ fi
 %{_bindir}/dbmmanage
 
 %changelog
+*   Tue Oct 06 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 2.4.46-3
+-   Mark CVE-2007-0086 as nopatch
 *   Mon Sep 28 2020 Daniel McIlvaney <damcilva@microsoft.com> 2.4.46-2
 -   Mark CVE-1999-0236 CVE-1999-1412 as nopatch
 *   Tue Aug 18 2020 Pawel Winogrodzki <pawelwi@microsoft.com> 2.4.46-1