We truncated the diff of some files because they were too big.
Changes of Revision 8
apache2.dsc
Changed
@@ -2,14 +2,14 @@ Source: apache2 Binary: apache2.2-common, apache2.2-bin, apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event, apache2-mpm-itk, apache2-utils, apache2-suexec, apache2-suexec-custom, apache2, apache2-doc, apache2-prefork-dev, apache2-threaded-dev, apache2-dbg Architecture: any all -Version: 2.2.22-13.2 +Version: 2.2.22-13.2+deb7u3 Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Uploaders: Stefan Fritsch <sf@debian.org>, Steinar H. Gunderson <sesse@debian.org>, Arno Töll <arno@debian.org> Homepage: http://httpd.apache.org/ Standards-Version: 3.9.3 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-apache/apache2.git Vcs-Git: git://git.debian.org/git/pkg-apache/apache2.git -Build-Depends: debhelper (>= 8.9.7~), lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev, openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev (>= 0.9.8m), sharutils, libcap-dev [linux-any], autoconf, autotools-dev +Build-Depends: debhelper (>= 8.9.7~), lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev, openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev (>= 1.0.1), sharutils, libcap-dev [linux-any], autoconf, autotools-dev Build-Conflicts: autoconf2.13 Package-List: apache2 deb httpd optional
debian.changelog
Changed
@@ -1,3 +1,69 @@ +apache2 (2.2.22-13.2+deb7u3) wheezy-security; urgency=high + + * Non-maintainer upload. + * Merge patches from Debian up to 2.2.22-13+deb7u3. + + -- Christoph Erhardt <kolab@sicherha.de> Tue, 26 Aug 2014 18:00:50 +0200 + +apache2 (2.2.22-13+deb7u3) wheezy-security; urgency=high + + * CVE-2014-0226: Fix a race condition in scoreboard handling, + which could lead to a heap buffer overflow. + * CVE-2014-0231: mod_cgid: Fix a denial of service against CGI scripts + that do not consume stdin that could lead to lingering HTTPD child + processes filling up the scoreboard and eventually hanging the server. + By default, the client I/O timeout (Timeout directive) now applies to + communication with scripts. The CGIDScriptTimeout directive can be + used to set a different timeout for communication with scripts. + * CVE-2014-0118: mod_deflate: The DEFLATE input filter (inflates request + bodies) now limits the length and compression ratio of inflated request + bodies to avoid denial of sevice via highly compressed bodies. + By default, LimitRequestBody is applied after decompression. Fine-tuning + is possible with the new directives DeflateInflateLimitRequestBody, + DeflateInflateRatioLimit, and DeflateInflateRatioBurst. + + -- Stefan Fritsch <sf@debian.org> Wed, 23 Jul 2014 23:53:24 +0200 + +apache2 (2.2.22-13+deb7u2) wheezy; urgency=medium + + * Backport support for SSL ECC keys and ECDH ciphers. + + Bump build-dependency for libssl-dev to 1.0.1e-2+deb7u8 to get the + compatibility fix for older Safari browsers. Apache2 will still + run with older libssl-1.0.0 but without the compatibility fix. + + In case of problems, see README.Debian. + + * CVE-2013-6438: mod_dav: Fix potential denial of service from + specifically crafted DAV WRITE requests. + + * mod_log_config: Fix a bug that cookies whose values contain '=' would + only be logged partially. This is related to CVE-2014-0098, but Apache + 2.2.22 is not vulnerable to this issue. 
+ + * mod_proxy: Fix crashes under high load with threaded mpms. + https://issues.apache.org/bugzilla/show_bug.cgi?id=50335 + + -- Stefan Fritsch <sf@debian.org> Sun, 25 May 2014 17:35:34 +0200 + +apache2 (2.2.22-13+deb7u1) wheezy; urgency=medium + + Low impact security fixes: + * CVE-2013-1862: mod_rewrite: Ensure that client data written to the + RewriteLog is escaped to prevent terminal escape sequences from entering + the log file. Closes: #722333 + * CVE-2013-1896: mod_dav: denial of service via MERGE request. + Closes: #717272 + * mod_dav: Fix segfaults in certain error conditions. + https://issues.apache.org/bugzilla/show_bug.cgi?id=52559 + + * Make apache2ctl create the necessary directories even if started with + special options for apache2. Closes: #731531 + * Adjust paragraph in README.Debian about MaxMemFree not working properly. + The issue has been fixed with apr 1.4.5-1. + + -- Stefan Fritsch <sf@debian.org> Fri, 31 Jan 2014 19:43:07 +0100 + apache2 (2.2.22-13.2) unstable; urgency=low * Ensure the init script takes in to account the executable basename (.prefork / .worker) 
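Review bot: in the first hunk the merged 2.2.22-13+deb7u1 to 2.2.22-13+deb7u3 stanzas sit above the existing 2.2.22-13.2 stanza, but dpkg sorts 13+deb7uN below 13.2 ('+' compares lower than '.'), so the changelog is no longer in descending version order. Only the top stanza (2.2.22-13.2+deb7u3) determines the package version, so the build is unaffected, but the top stanza should say that the Debian history was interleaved by date. The CVE-2014-0118 item also carries the typo "denial of sevice".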
@@ -10,6 +76,30 @@ -- Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> Tue, 8 Oct 2013 21:35:58 +0100 +apache2 (2.2.22-13) unstable; urgency=medium + + [ Stefan Fritsch ] + * Urgency medium for security fixes. + * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2 + * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules. + * mod_log_forensic: Fix spurious '-' characters being logged, causing + false positives. Closes: #693292 + + [ Arno Töll ] + * Document APACHE_ARGUMENTS in envvars (Closes: #693299) + + -- Stefan Fritsch <sf@debian.org> Mon, 04 Mar 2013 22:21:05 +0100 + +apache2 (2.2.22-12) unstable; urgency=low + + * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is + "off". This mitigates impact of CRIME attacks. Fixes: + - "handling the CRIME attack" (Closes: #689936) + - "make it possible to disable ssl compression in apache2 mod_ssl" + (Closes: #674142) + + -- Arno Töll <arno@debian.org> Wed, 31 Oct 2012 00:23:59 +0100 + apache2 (2.2.22-12) unstable; urgency=low * Non-maintainer upload
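Review bot: the second hunk adds a stanza headed "apache2 (2.2.22-12) unstable; urgency=low" (the SSLCompression backport by Arno Töll) directly above an existing stanza with the identical header (the "Non-maintainer upload" context line), so the changelog now holds two entries for version 2.2.22-12. Give the local non-maintainer upload a distinct version or fold the two stanzas, so tools that index the changelog by version see one entry per version.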
debian.control
Changed
@@ -3,7 +3,7 @@ Priority: optional Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Uploaders: Stefan Fritsch <sf@debian.org>, Steinar H. Gunderson <sesse@debian.org>, Arno Töll <arno@debian.org> -Build-Depends: debhelper (>= 8.9.7~), lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev, openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev (>= 0.9.8m), sharutils, libcap-dev [linux-any], autoconf, autotools-dev +Build-Depends: debhelper (>= 8.9.7~), lsb-release, libaprutil1-dev (>= 1.3.4), libapr1-dev, openssl, libpcre3-dev, mawk, zlib1g-dev, libssl-dev (>= 1.0.1), sharutils, libcap-dev [linux-any], autoconf, autotools-dev Build-Conflicts: autoconf2.13 Standards-Version: 3.9.3 Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-apache/apache2.git
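Review bot: Build-Depends is raised only to "libssl-dev (>= 1.0.1)" here and in apache2.dsc, while the 2.2.22-13+deb7u2 changelog stanza in this same revision says the build-dependency is bumped to 1.0.1e-2+deb7u8 to get the compatibility fix for older Safari browsers. Either tighten the constraint to match the changelog, or state in the 2.2.22-13.2+deb7u3 stanza that this build relaxes it and that the Safari fix then depends on the libssl version present at build time.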
debian.tar.gz/NEWS
Changed
@@ -1,3 +1,12 @@ +apache2 (2.2.22-13+deb7u2) stable; urgency=medium + + * This release adds support for SSL/TLS ECC keys and ECDH ciphers. + + If this change causes problems with some older clients, see + /usr/share/doc/apache2/README.Debian.gz for a work-around. + + -- Stefan Fritsch <sf@debian.org> Sun, 25 May 2014 13:05:40 +0200 + apache2 (2.2.15-4) unstable; urgency=low * Note to people using mod_proxy as forward proxy, i.e. with
debian.tar.gz/README.Debian
Changed
@@ -234,6 +234,18 @@ The default SSL virtual host in /etc/apache2/sites-available/default-ssl already contains this workaround. +ECC keys and ECDH ciphers +------------------------- + +The package in Debian has support for ECC keys and ECDH ciphers backported +from Apache 2.2.26. + +If these ciphers causes any problems, they may be disabled by adding ":!ECDH" +to the SSLCipherSuite directive in /etc/apache2/mods-enabled/ssl.conf . + +A special compatibility fix for older Safari browsers is enabled if using an +up-to-date libssl-1.0.0 (version 1.0.1e-2+deb7u8 or newer). + Suexec ====== @@ -392,10 +404,10 @@ * Tune StartServers, MaxRequestsPerChild, MinSpareThreads/MinSpareServers, MaxSpareThreads/MaxSpareServers in /etc/apache2/apache2.conf - * If you are really starved for memory, try adding 'MaxMemFree 4' to your - Apache configuration. This will reduce Apache's performance. - Because of the way Apache's memory allocator interacts with glibc's malloc, - higher values of MaxMemFree don't have much effect. + * To make Apache actually release free memory, try setting the 'MaxMemFree' + directive in your Apache configuration. A value of 2048 may be good as a + first try. If it does not help enough, you may try decreasing the value + down to 4, though this will reduce Apache's performance. 11) A PUT with mod_dav_fs fails with "Unable to PUT new contents for /... [403, #0]" even if Apache has permission to write the file.
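Review bot: in the new "ECC keys and ECDH ciphers" section, "If these ciphers causes any problems" should read "cause", and the stray space before the full stop after /etc/apache2/mods-enabled/ssl.conf makes the path harder to copy. The section names libssl-1.0.0 version 1.0.1e-2+deb7u8 as the minimum for the Safari fix; it would help to say whether that is a build-time or run-time requirement, since the changelog describes it as a build-dependency.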
debian.tar.gz/apache2ctl
Changed
@@ -104,10 +104,35 @@ fi } +mkdir_chown () { + local OWNER="$1" + local DIR="$2" + local STAT="$(LC_ALL=C stat -c %F:%U $DIR 2> /dev/null || true)" + if [ "$STAT" = "" ] ; then + local TMPNAME=$(mktemp -d $DIR.XXXXXXXXXX) || exit 1 + chmod 755 $TMPNAME || exit 1 + chown $OWNER $TMPNAME || exit 1 + if ! mv -T $TMPNAME $DIR 2> /dev/null; then + rmdir $TMPNAME + # check for race with other apachectl + if [ "$(LC_ALL=C stat -c %F:%U $DIR 2>/dev/null)" != "directory:$OWNER" ] + then + echo Cannot create $DIR with owner $OWNER. + echo Please fix manually. Aborting. + exit 1 + fi + fi + elif [ "$STAT" != "directory:$OWNER" ] ; then + echo $DIR already exists but is not a directory owned by $OWNER. + echo Please fix manually. Aborting. + exit 1 + fi +} + +mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2} +mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2} case $ARGV in start) - mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2} - install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2} # ssl_scache shouldn't be here if we're just starting up. # (this is bad if there are several apache2 instances running) rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache*
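Review bot: in mkdir_chown, "local TMPNAME=$(mktemp -d $DIR.XXXXXXXXXX) || exit 1" tests the exit status of local rather than of mktemp, so a failed mktemp is not caught on that line and is only noticed by the following chmod, with a misleading error. Declare "local TMPNAME" first and assign on a separate line so the "|| exit 1" applies to mktemp. The expansions of $DIR, $TMPNAME and $OWNER are unquoted throughout (stat, mktemp, chmod, chown, mv, rmdir), so an APACHE_LOCK_DIR containing whitespace or glob characters would be split; quote them. The function and the mkdir -p now run for every apache2ctl invocation rather than only for start, which matches the changelog entry for #731531 but deserves a comment at the call site.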
debian.tar.gz/config-dir/envvars
Changed
@@ -37,3 +37,8 @@ ## If you need a higher file descriptor limit, uncomment and adjust the ## following line (default is 8192): #APACHE_ULIMIT_MAX_FILES='ulimit -n 65536' + + +## If you would like to pass arguments to the web server, add them below +## to the APACHE_ARGUMENTS environment. +#export APACHE_ARGUMENTS=''
debian.tar.gz/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch
Added
@@ -0,0 +1,204 @@ +# http://svn.apache.org/viewvc?view=revision&revision=r1447390 +# +# *) SECURITY: CVE-2012-3499 (cve.mitre.org) +# Various XSS flaws due to unescaped hostnames and URIs HTML output in +# mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. +# [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>] +# +# *) SECURITY: CVE-2012-4558 (cve.mitre.org) +# XSS in mod_proxy_balancer manager interface. [Jim Jagielski, +# Niels Heinen <heinenn google com>] +Index: apache2/modules/ldap/util_ldap_cache_mgr.c +=================================================================== +--- apache2.orig/modules/ldap/util_ldap_cache_mgr.c ++++ apache2/modules/ldap/util_ldap_cache_mgr.c +@@ -541,7 +541,7 @@ + if (id) { + buf2 = apr_psprintf(p, + "<a href=\"%s?%s\">%s</a>", +- r->uri, ++ ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri)), + id, + name); + } +Index: apache2/modules/proxy/mod_proxy_balancer.c +=================================================================== +--- apache2.orig/modules/proxy/mod_proxy_balancer.c ++++ apache2/modules/proxy/mod_proxy_balancer.c +@@ -818,7 +818,8 @@ + ap_rputs(DOCTYPE_HTML_3_2 + "<html><head><title>Balancer Manager</title></head>\n", r); + ap_rputs("<body><h1>Load Balancer Manager for ", r); +- ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL); ++ ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)), ++ "</h1>\n\n", NULL); + ap_rvputs(r, "<dl><dt>Server Version: ", + ap_get_server_description(), "</dt>\n", NULL); + ap_rvputs(r, "<dt>Server Built: ", +@@ -853,7 +854,8 @@ + worker = (proxy_worker *)balancer->workers->elts; + for (n = 0; n < balancer->workers->nelts; n++) { + char fbuf[50]; +- ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=", ++ ap_rvputs(r, "<tr>\n<td><a href=\"", ++ ap_escape_uri(r->pool, r->uri), "?b=", + balancer->name + sizeof("balancer://") - 1, "&w=", + ap_escape_uri(r->pool, worker->name), + "&nonce=", balancer_nonce, +@@ -894,7 +896,7 @@ + ap_rputs("<h3>Edit 
worker settings for ", r); + ap_rvputs(r, wsel->name, "</h3>\n", NULL); + ap_rvputs(r, "<form method=\"GET\" action=\"", NULL); +- ap_rvputs(r, r->uri, "\">\n<dl>", NULL); ++ ap_rvputs(r, ap_escape_uri(r->pool, r->uri), "\">\n<dl>", NULL); + ap_rputs("<table><tr><td>Load factor:</td><td><input name=\"lf\" type=text ", r); + ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbfactor); + ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\" type=text ", r); +Index: apache2/modules/proxy/mod_proxy_ftp.c +=================================================================== +--- apache2.orig/modules/proxy/mod_proxy_ftp.c ++++ apache2/modules/proxy/mod_proxy_ftp.c +@@ -365,7 +365,9 @@ + " </head>\n" + " <body>\n <h2>Directory of " + "<a href=\"/\">%s</a>/%s", +- site, basedir, escpath, site, basedir, escpath, site, str); ++ ap_escape_html(p, site), basedir, escpath, ++ ap_escape_uri(p, site), basedir, escpath, ++ ap_escape_uri(p, site), str); + + APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str, strlen(str), + p, c->bucket_alloc)); +Index: apache2/modules/mappers/mod_imagemap.c +=================================================================== +--- apache2.orig/modules/mappers/mod_imagemap.c ++++ apache2/modules/mappers/mod_imagemap.c +@@ -320,7 +320,7 @@ + /* + * returns the mapped URL or NULL. + */ +-static char *imap_url(request_rec *r, const char *base, const char *value) ++static const char *imap_url(request_rec *r, const char *base, const char *value) + { + /* translates a value into a URL. */ + int slen, clen; +@@ -342,7 +342,7 @@ + if (!strcasecmp(value, "referer")) { + referer = apr_table_get(r->headers_in, "Referer"); + if (referer && *referer) { +- return ap_escape_html(r->pool, referer); ++ return referer; + } + else { + /* XXX: This used to do *value = '\0'; ... 
which is totally bogus +@@ -459,7 +459,7 @@ + return my_base; + } + +-static int imap_reply(request_rec *r, char *redirect) ++static int imap_reply(request_rec *r, const char *redirect) + { + if (!strcasecmp(redirect, "error")) { + /* they actually requested an error! */ +@@ -523,42 +523,52 @@ + 'formatted' form */ + } + +-static void menu_default(request_rec *r, char *menu, char *href, char *text) ++static void menu_default(request_rec *r, const char *menu, const char *href, const char *text) + { ++ char *ehref, *etext; + if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) { + return; /* don't print such lines, these aren't + really href's */ + } ++ ++ ehref = ap_escape_uri(r->pool, href); ++ etext = ap_escape_html(r->pool, text); ++ + if (!strcasecmp(menu, "formatted")) { +- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text, ++ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext, + "</a></pre>\n", NULL); + } + if (!strcasecmp(menu, "semiformatted")) { +- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text, ++ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext, + "</a></pre>\n", NULL); + } + if (!strcasecmp(menu, "unformatted")) { +- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL); ++ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL); + } + return; + } + +-static void menu_directive(request_rec *r, char *menu, char *href, char *text) ++static void menu_directive(request_rec *r, const char *menu, const char *href, const char *text) + { ++ char *ehref, *etext; + if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) { + return; /* don't print such lines, as this isn't + really an href */ + } ++ ++ ehref = ap_escape_uri(r->pool, href); ++ etext = ap_escape_html(r->pool, text); ++ + if (!strcasecmp(menu, "formatted")) { +- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text, ++ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext, + "</a></pre>\n", NULL); + } + if (!strcasecmp(menu, 
"semiformatted")) { +- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text, ++ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext, + "</a></pre>\n", NULL); + } + if (!strcasecmp(menu, "unformatted")) { +- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL); ++ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL); + } + return; + } +@@ -574,9 +584,9 @@ + char *directive; + char *value; + char *href_text; +- char *base; +- char *redirect; +- char *mapdflt; ++ const char *base; ++ const char *redirect; ++ const char *mapdflt; + char *closest = NULL; + double closest_yet = -1; + apr_status_t status; +Index: apache2/modules/generators/mod_status.c +=================================================================== +--- apache2.orig/modules/generators/mod_status.c ++++ apache2/modules/generators/mod_status.c +@@ -409,7 +409,8 @@ + "<html><head>\n<title>Apache Status</title>\n</head><body>\n", + r); + ap_rputs("<h1>Apache Server Status for ", r); +- ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL); ++ ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)), ++ "</h1>\n\n", NULL); + ap_rvputs(r, "<dl><dt>Server Version: ", + ap_get_server_description(), "</dt>\n", NULL); + ap_rvputs(r, "<dt>Server Built: ", +Index: apache2/modules/generators/mod_info.c +=================================================================== +--- apache2.orig/modules/generators/mod_info.c ++++ apache2/modules/generators/mod_info.c +@@ -371,7 +371,8 @@ + MODULE_MAGIC_NUMBER_MINOR); + ap_rprintf(r, + "<dt><strong>Hostname/port:</strong> " +- "<tt>%s:%u</tt></dt>\n", ap_get_server_name(r),
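Review bot: the escaping applied to r->uri in href and action attributes is inconsistent across the hunks of CVE-2012-3499_CVE-2012-4558_XSS.patch: util_ldap_cache_mgr.c uses ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri)), while the mod_proxy_balancer.c hunks at -853 and -894 use ap_escape_uri alone. Use the same nesting everywhere the value lands inside an HTML attribute, or add a comment explaining why URI escaping is sufficient there. In the -894 hunk the context line ap_rvputs(r, wsel->name, "</h3>\n", NULL) still writes the worker name unescaped, and in the -853 hunk balancer->name goes into the href unescaped next to an escaped worker->name; if these are left as they are because the values come from configuration, say so. In mod_imagemap.c the Referer branch of imap_url now returns the raw header value, and escaping is moved to menu_default and menu_directive; the patch header should list the remaining consumers of imap_url's return value (imap_reply takes it as redirect) and confirm each handles unescaped input.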
debian.tar.gz/patches/CVE-2013-1896.patch
Added
@@ -0,0 +1,31 @@ +# http://svn.apache.org/r1497101 +# http://svn.apache.org/r1497212 +Index: apache2/modules/dav/main/mod_dav.c +=================================================================== +--- apache2.orig/modules/dav/main/mod_dav.c ++++ apache2/modules/dav/main/mod_dav.c +@@ -719,6 +719,12 @@ + + conf = ap_get_module_config(r->per_dir_config, &dav_module); + /* assert: conf->provider != NULL */ ++ if (conf->provider == NULL) { ++ return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, ++ apr_psprintf(r->pool, ++ "DAV not enabled for %s", ++ ap_escape_html(r->pool, r->uri))); ++ } + + /* resolve the resource */ + err = (*conf->provider->repos->get_resource)(r, conf->dir, +@@ -2655,11 +2661,6 @@ + "Destination URI had an error."); + } + +- if (dav_get_provider(lookup.rnew) == NULL) { +- return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED, +- "DAV not enabled for Destination URI."); +- } +- + /* Resolve destination resource */ + err = dav_get_resource(lookup.rnew, 0 /* label_allowed */, + 0 /* use_checked_in */, &resnew);
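Review bot: in the -719 hunk the comment "/* assert: conf->provider != NULL */" is left in place immediately above the new "if (conf->provider == NULL)" check, and now contradicts it; remove or reword the comment. The patch header gives only two svn revision URLs, so add a line naming the CVE and the symptom (the changelog describes it as denial of service via MERGE request). The -2655 hunk drops the destination-specific message "DAV not enabled for Destination URI." in favour of the generic error, which now includes the request URI; worth noting for anyone matching on the old text in logs or clients.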
debian.tar.gz/patches/CVE-2014-0118_mod_deflate-DoS.patch
Added
@@ -0,0 +1,284 @@ +# https://svn.apache.org/r1611426 +# +# *) SECURITY: CVE-2014-0118 (cve.mitre.org) +# mod_deflate: The DEFLATE input filter (inflates request bodies) now +# limits the length and compression ratio of inflated request bodies to avoid +# denial of sevice via highly compressed bodies. See directives +# DeflateInflateLimitRequestBody, DeflateInflateRatioLimit, +# and DeflateInflateRatioBurst. [Yann Ylavic, Eric Covener] +# +Index: apache2/modules/filters/mod_deflate.c +=================================================================== +--- apache2.orig/modules/filters/mod_deflate.c ++++ apache2/modules/filters/mod_deflate.c +@@ -37,6 +37,7 @@ + #include "httpd.h" + #include "http_config.h" + #include "http_log.h" ++#include "http_core.h" + #include "apr_lib.h" + #include "apr_strings.h" + #include "apr_general.h" +@@ -51,6 +52,9 @@ + static const char deflateFilterName[] = "DEFLATE"; + module AP_MODULE_DECLARE_DATA deflate_module; + ++#define AP_INFLATE_RATIO_LIMIT 200 ++#define AP_INFLATE_RATIO_BURST 3 ++ + typedef struct deflate_filter_config_t + { + int windowSize; +@@ -62,6 +66,12 @@ typedef struct deflate_filter_config_t + char *note_output_name; + } deflate_filter_config; + ++typedef struct deflate_dirconf_t { ++ apr_off_t inflate_limit; ++ int ratio_limit, ++ ratio_burst; ++} deflate_dirconf_t; ++ + /* RFC 1952 Section 2.3 defines the gzip header: + * + * +---+---+---+---+---+---+---+---+---+---+ +@@ -193,6 +203,14 @@ static void *create_deflate_server_confi + return c; + } + ++static void *create_deflate_dirconf(apr_pool_t *p, char *dummy) ++{ ++ deflate_dirconf_t *dc = apr_pcalloc(p, sizeof(*dc)); ++ dc->ratio_limit = AP_INFLATE_RATIO_LIMIT; ++ dc->ratio_burst = AP_INFLATE_RATIO_BURST; ++ return dc; ++} ++ + static const char *deflate_set_window_size(cmd_parms *cmd, void *dummy, + const char *arg) + { +@@ -284,6 +302,55 @@ static const char *deflate_set_compressi + return NULL; + } + ++ ++static const char 
*deflate_set_inflate_limit(cmd_parms *cmd, void *dirconf, ++ const char *arg) ++{ ++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; ++ char *errp; ++ ++ if (APR_SUCCESS != apr_strtoff(&dc->inflate_limit, arg, &errp, 10)) { ++ return "DeflateInflateLimitRequestBody is not parsable."; ++ } ++ if (*errp || dc->inflate_limit < 0) { ++ return "DeflateInflateLimitRequestBody requires a non-negative integer."; ++ } ++ ++ return NULL; ++} ++ ++static const char *deflate_set_inflate_ratio_limit(cmd_parms *cmd, ++ void *dirconf, ++ const char *arg) ++{ ++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; ++ int i; ++ ++ i = atoi(arg); ++ if (i <= 0) ++ return "DeflateInflateRatioLimit must be positive"; ++ ++ dc->ratio_limit = i; ++ ++ return NULL; ++} ++ ++static const char *deflate_set_inflate_ratio_burst(cmd_parms *cmd, ++ void *dirconf, ++ const char *arg) ++{ ++ deflate_dirconf_t *dc = (deflate_dirconf_t*) dirconf; ++ int i; ++ ++ i = atoi(arg); ++ if (i <= 0) ++ return "DeflateInflateRatioBurst must be positive"; ++ ++ dc->ratio_burst = i; ++ ++ return NULL; ++} ++ + typedef struct deflate_ctx_t + { + z_stream stream; +@@ -294,8 +361,26 @@ typedef struct deflate_ctx_t + unsigned char *validation_buffer; + apr_size_t validation_buffer_length; + int inflate_init; ++ int ratio_hits; ++ apr_off_t inflate_total; + } deflate_ctx; + ++/* Check whether the (inflate) ratio exceeds the configured limit/burst. 
*/ ++static int check_ratio(request_rec *r, deflate_ctx *ctx, ++ const deflate_dirconf_t *dc) ++{ ++ if (ctx->stream.total_in) { ++ int ratio = ctx->stream.total_out / ctx->stream.total_in; ++ if (ratio < dc->ratio_limit) { ++ ctx->ratio_hits = 0; ++ } ++ else if (++ctx->ratio_hits > dc->ratio_burst) { ++ return 0; ++ } ++ } ++ return 1; ++} ++ + /* Number of validation bytes (CRC and length) after the compressed data */ + #define VALIDATION_SIZE 8 + /* Do not update ctx->crc, see comment in flush_libz_buffer */ +@@ -744,6 +829,8 @@ static apr_status_t deflate_in_filter(ap + int zRC; + apr_status_t rv; + deflate_filter_config *c; ++ deflate_dirconf_t *dc; ++ apr_off_t inflate_limit; + + /* just get out of the way of things we don't want. */ + if (mode != AP_MODE_READBYTES) { +@@ -751,6 +838,7 @@ static apr_status_t deflate_in_filter(ap + } + + c = ap_get_module_config(r->server->module_config, &deflate_module); ++ dc = ap_get_module_config(r->per_dir_config, &deflate_module); + + if (!ctx) { + char deflate_hdr[10]; +@@ -803,11 +891,13 @@ static apr_status_t deflate_in_filter(ap + if (len != 10 || + deflate_hdr[0] != deflate_magic[0] || + deflate_hdr[1] != deflate_magic[1]) { ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: wrong/partial magic bytes"); + return APR_EGENERAL; + } + + /* We can't handle flags for now. 
*/ + if (deflate_hdr[3] != 0) { ++ ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Failed to inflate input: cannot handle deflate flags"); + return APR_EGENERAL; + } + +@@ -831,6 +921,12 @@ static apr_status_t deflate_in_filter(ap + apr_brigade_cleanup(ctx->bb); + } + ++ inflate_limit = dc->inflate_limit; ++ if (inflate_limit == 0) { ++ /* The core is checking the deflated body, we'll check the inflated */ ++ inflate_limit = ap_get_limit_req_body(f->r); ++ } ++ + if (APR_BRIGADE_EMPTY(ctx->proc_bb)) { + rv = ap_get_brigade(f->next, ctx->bb, mode, block, readbytes); + +@@ -863,6 +959,17 @@ static apr_status_t deflate_in_filter(ap + + ctx->stream.next_out = ctx->buffer; + len = c->bufferSize - ctx->stream.avail_out; ++ ++ ctx->inflate_total += len; ++ if (inflate_limit && ctx->inflate_total > inflate_limit) { ++ inflateEnd(&ctx->stream); ++ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, ++ "Inflated content length of %" APR_OFF_T_FMT ++ " is larger than the configured limit" ++ " of %" APR_OFF_T_FMT, ++ ctx->inflate_total, inflate_limit);
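Review bot: deflate_set_inflate_ratio_limit and deflate_set_inflate_ratio_burst parse their argument with atoi, which accepts trailing garbage (a value such as "200abc" is taken as 200) and has no overflow detection, whereas deflate_set_inflate_limit in the same hunk uses apr_strtoff and rejects input when *errp is set. Use the same strict parsing for all three directives. In deflate_in_filter, "if (inflate_limit == 0)" falls back to ap_get_limit_req_body, and the setter accepts 0 as a valid value, so an explicit "DeflateInflateLimitRequestBody 0" cannot be told apart from the directive being unset; document that 0 means "use LimitRequestBody". The two new APLOG_DEBUG calls are on single over-long lines, unlike the wrapped APLOG_WARNING call further down. The diff is truncated on this page, so the directive table and any per-directory merge function could not be reviewed.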
debian.tar.gz/patches/CVE-2014-0226_scoreboard.patch
Added
@@ -0,0 +1,89 @@ +# https://svn.apache.org/r1610515 +# +# SECURITY (CVE-2014-0226): Fix a race condition in scoreboard handling, +# which could lead to a heap buffer overflow. Thanks to Marek Kroemeke +# working with HP's Zero Day Initiative for reporting this. +# +# * include/scoreboard.h: Add ap_copy_scoreboard_worker. +# +# * server/scoreboard.c (ap_copy_scoreboard_worker): New function. +# +# * modules/generators/mod_status.c (status_handler): Use it. +# +Index: apache2/include/scoreboard.h +=================================================================== +--- apache2.orig/include/scoreboard.h ++++ apache2/include/scoreboard.h +@@ -189,7 +189,24 @@ AP_DECLARE(int) ap_update_child_status_f + int status, request_rec *r); + void ap_time_process_request(ap_sb_handle_t *sbh, int status); + ++/** Return a pointer to the worker_score for a given child, thread pair. ++ * @param child_num The child number. ++ * @param thread_num The thread number. ++ * @return A pointer to the worker_score structure. ++ * @deprecated This function is deprecated, use ap_copy_scoreboard_worker instead. ++ */ + AP_DECLARE(worker_score *) ap_get_scoreboard_worker(int x, int y); ++ ++/** Copy the contents of a worker's scoreboard entry. The contents of ++ * the worker_score structure are copied verbatim into the dest ++ * structure. ++ * @param dest Output parameter. ++ * @param child_num The child number. ++ * @param thread_num The thread number. 
++ */ ++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, ++ int child_num, int thread_num); ++ + AP_DECLARE(process_score *) ap_get_scoreboard_process(int x); + AP_DECLARE(global_score *) ap_get_scoreboard_global(void); + AP_DECLARE(lb_score *) ap_get_scoreboard_lb(int lb_num); +Index: apache2/modules/generators/mod_status.c +=================================================================== +--- apache2.orig/modules/generators/mod_status.c ++++ apache2/modules/generators/mod_status.c +@@ -241,7 +241,7 @@ static int status_handler(request_rec *r + #endif + int short_report; + int no_table_report; +- worker_score *ws_record; ++ worker_score *ws_record = apr_palloc(r->pool, sizeof *ws_record); + process_score *ps_record; + char *stat_buffer; + pid_t *pid_buffer, worker_pid; +@@ -333,7 +333,7 @@ static int status_handler(request_rec *r + for (j = 0; j < thread_limit; ++j) { + int indx = (i * thread_limit) + j; + +- ws_record = ap_get_scoreboard_worker(i, j); ++ ap_copy_scoreboard_worker(ws_record, i, j); + res = ws_record->status; + stat_buffer[indx] = status_flags[res]; + +Index: apache2/server/scoreboard.c +=================================================================== +--- apache2.orig/server/scoreboard.c ++++ apache2/server/scoreboard.c +@@ -510,6 +510,21 @@ AP_DECLARE(worker_score *) ap_get_scoreb + return &ap_scoreboard_image->servers[x][y]; + } + ++AP_DECLARE(void) ap_copy_scoreboard_worker(worker_score *dest, ++ int child_num, ++ int thread_num) ++{ ++ worker_score *ws = ap_get_scoreboard_worker(child_num, thread_num); ++ ++ memcpy(dest, ws, sizeof *ws); ++ ++ /* For extra safety, NUL-terminate the strings returned, though it ++ * should be true those last bytes are always zero anyway. 
*/ ++ dest->client[sizeof(dest->client) - 1] = '\0'; ++ dest->request[sizeof(dest->request) - 1] = '\0'; ++ dest->vhost[sizeof(dest->vhost) - 1] = '\0'; ++} ++ + AP_DECLARE(process_score *) ap_get_scoreboard_process(int x) + { + if ((x < 0) || (server_limit < x)) {
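Review bot: ap_copy_scoreboard_worker in server/scoreboard.c passes the result of ap_get_scoreboard_worker(child_num, thread_num) straight to memcpy with no check. Only the final return of ap_get_scoreboard_worker is visible in the context, so if that function can return NULL for out-of-range indices, the copy dereferences it; add a NULL check or document the precondition in the new doc comment in scoreboard.h. The doc comment added for ap_get_scoreboard_worker names its parameters child_num and thread_num while the declaration still uses x and y. In mod_status.c only the call at -333 is converted in the visible hunks; the patch header should confirm there are no other readers of the shared worker_score left in status_handler, since the race is fixed only where the private copy is used.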
debian.tar.gz/patches/CVE-2014-0231_mod_cgid-DoS.patch
Added
@@ -0,0 +1,155 @@ +# https://svn.apache.org/r1611185 +# +# *) SECURITY: CVE-2014-0231 (cve.mitre.org) +# mod_cgid: Fix a denial of service against CGI scripts that do +# not consume stdin that could lead to lingering HTTPD child processes +# filling up the scoreboard and eventually hanging the server. By +# default, the client I/O timeout (Timeout directive) now applies to +# communication with scripts. The CGIDScriptTimeout directive can be +# used to set a different timeout for communication with scripts. +# [Rainer Jung, Eric Covener, Yann Ylavic] +Index: apache2/modules/generators/mod_cgid.c +=================================================================== +--- apache2.orig/modules/generators/mod_cgid.c ++++ apache2/modules/generators/mod_cgid.c +@@ -93,6 +93,10 @@ static const char *sockname; + static pid_t parent_pid; + static ap_unix_identity_t empty_ugid = { (uid_t)-1, (gid_t)-1, -1 }; + ++typedef struct { ++ apr_interval_time_t timeout; ++} cgid_dirconf; ++ + /* The APR other-child API doesn't tell us how the daemon exited + * (SIGSEGV vs. exit(1)). The other-child maintenance function + * needs to decide whether to restart the daemon after a failure +@@ -934,7 +938,14 @@ static void *merge_cgid_config(apr_pool_ + return overrides->logname ? 
overrides : base; + } + ++static void *create_cgid_dirconf(apr_pool_t *p, char *dummy) ++{ ++ cgid_dirconf *c = (cgid_dirconf *) apr_pcalloc(p, sizeof(cgid_dirconf)); ++ return c; ++} ++ + static const char *set_scriptlog(cmd_parms *cmd, void *dummy, const char *arg) ++ + { + server_rec *s = cmd->server; + cgid_server_conf *conf = ap_get_module_config(s->module_config, +@@ -987,7 +998,16 @@ static const char *set_script_socket(cmd + + return NULL; + } ++static const char *set_script_timeout(cmd_parms *cmd, void *dummy, const char *arg) ++{ ++ cgid_dirconf *dc = dummy; + ++ if (ap_timeout_parameter_parse(arg, &dc->timeout, "s") != APR_SUCCESS) { ++ return "CGIDScriptTimeout has wrong format"; ++ } ++ ++ return NULL; ++} + static const command_rec cgid_cmds[] = + { + AP_INIT_TAKE1("ScriptLog", set_scriptlog, NULL, RSRC_CONF, +@@ -999,6 +1019,10 @@ static const command_rec cgid_cmds[] = + AP_INIT_TAKE1("ScriptSock", set_script_socket, NULL, RSRC_CONF, + "the name of the socket to use for communication with " + "the cgi daemon."), ++ AP_INIT_TAKE1("CGIDScriptTimeout", set_script_timeout, NULL, RSRC_CONF | ACCESS_CONF, ++ "The amount of time to wait between successful reads from " ++ "the CGI script, in seconds."), ++ + {NULL} + }; + +@@ -1335,11 +1359,15 @@ static int cgid_handler(request_rec *r) + apr_file_t *tempsock; + struct cleanup_script_info *info; + apr_status_t rv; ++ cgid_dirconf *dc; + + if (strcmp(r->handler,CGI_MAGIC_TYPE) && strcmp(r->handler,"cgi-script")) + return DECLINED; + + conf = ap_get_module_config(r->server->module_config, &cgid_module); ++ dc = ap_get_module_config(r->per_dir_config, &cgid_module); ++ ++ + is_included = !strcmp(r->protocol, "INCLUDED"); + + if ((argv0 = strrchr(r->filename, '/')) != NULL) +@@ -1412,6 +1440,12 @@ static int cgid_handler(request_rec *r) + */ + + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); ++ if (dc->timeout > 0) { ++ apr_file_pipe_timeout_set(tempsock, dc->timeout); ++ } ++ else { ++ 
apr_file_pipe_timeout_set(tempsock, r->server->timeout); ++ } + apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); + + if ((argv0 = strrchr(r->filename, '/')) != NULL) +@@ -1487,6 +1521,10 @@ static int cgid_handler(request_rec *r) + if (rv != APR_SUCCESS) { + /* silly script stopped reading, soak up remaining message */ + child_stopped_reading = 1; ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, ++ "Error writing request body to script %s", ++ r->filename); ++ + } + } + apr_brigade_cleanup(bb); +@@ -1577,7 +1615,13 @@ static int cgid_handler(request_rec *r) + return HTTP_MOVED_TEMPORARILY; + } + +- ap_pass_brigade(r->output_filters, bb); ++ rv = ap_pass_brigade(r->output_filters, bb); ++ if (rv != APR_SUCCESS) { ++ /* APLOG_ERR because the core output filter message is at error, ++ * but doesn't know it's passing CGI output ++ */ ++ ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "Failed to flush CGI output to client"); ++ } + } + + if (nph) { +@@ -1707,6 +1751,8 @@ static int include_cmd(include_ctx_t *ct + request_rec *r = f->r; + cgid_server_conf *conf = ap_get_module_config(r->server->module_config, + &cgid_module); ++ cgid_dirconf *dc = ap_get_module_config(r->per_dir_config, &cgid_module); ++ + struct cleanup_script_info *info; + + add_ssi_vars(r); +@@ -1736,6 +1782,13 @@ static int include_cmd(include_ctx_t *ct + * get rid of the cleanup we registered when we created the socket. 
+ */ + apr_os_pipe_put_ex(&tempsock, &sd, 1, r->pool); ++ if (dc->timeout > 0) { ++ apr_file_pipe_timeout_set(tempsock, dc->timeout); ++ } ++ else { ++ apr_file_pipe_timeout_set(tempsock, r->server->timeout); ++ } ++ + apr_pool_cleanup_kill(r->pool, (void *)((long)sd), close_unix_socket); + + APR_BRIGADE_INSERT_TAIL(bb, apr_bucket_pipe_create(tempsock, +@@ -1841,7 +1894,7 @@ static void register_hook(apr_pool_t *p) + + module AP_MODULE_DECLARE_DATA cgid_module = { + STANDARD20_MODULE_STUFF, +- NULL, /* dir config creater */ ++ create_cgid_dirconf, /* dir config creater */ + NULL, /* dir merger --- default is to override */ + create_cgid_config, /* server config */ + merge_cgid_config, /* merge server config */
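Review bot: in both timeout blocks (`cgid_handler` and `include_cmd`), `if (dc->timeout > 0)` treats a configured `CGIDScriptTimeout 0` exactly like an unset directive and falls back to `r->server->timeout`, yet the directive's help string only says "in seconds". State the fallback in the help text or the directive documentation. The same if/else appears twice and would be easier to keep consistent as one small helper taking `dc`, `r` and `tempsock`. Two whitespace changes look accidental: the added blank line between the `set_scriptlog` signature and its `{`, and the missing blank line between the end of `set_script_timeout` and `static const command_rec cgid_cmds[]`.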
View file
debian.tar.gz/patches/SSL-ECC.patch
Added
@@ -0,0 +1,332 @@ +# https://svn.apache.org/r1540727 +# +# Backport from 2.2.26: mod_ssl: enable support for ECC keys and ECDH ciphers. +# +diff --git a/modules/ssl/mod_ssl.c b/modules/ssl/mod_ssl.c +index b9e3f93..19794f0 100644 +--- a/modules/ssl/mod_ssl.c ++++ b/modules/ssl/mod_ssl.c +@@ -441,6 +441,9 @@ int ssl_init_ssl_connection(conn_rec *c) + */ + SSL_set_tmp_rsa_callback(ssl, ssl_callback_TmpRSA); + SSL_set_tmp_dh_callback(ssl, ssl_callback_TmpDH); ++#ifndef OPENSSL_NO_EC ++ SSL_set_tmp_ecdh_callback(ssl, ssl_callback_TmpECDH); ++#endif + + SSL_set_verify_result(ssl, X509_V_OK); + +diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c +index dcae945..d8b4802 100644 +--- a/modules/ssl/ssl_engine_init.c ++++ b/modules/ssl/ssl_engine_init.c +@@ -72,6 +72,9 @@ static void ssl_tmp_keys_free(server_rec *s) + + MODSSL_TMP_KEYS_FREE(mc, RSA); + MODSSL_TMP_KEYS_FREE(mc, DH); ++#ifndef OPENSSL_NO_EC ++ MODSSL_TMP_KEY_FREE(mc, EC_KEY, SSL_TMP_KEY_EC_256); ++#endif + } + + static int ssl_tmp_key_init_rsa(server_rec *s, +@@ -133,6 +136,40 @@ static int ssl_tmp_key_init_dh(server_rec *s, + return OK; + } + ++#ifndef OPENSSL_NO_EC ++static int ssl_tmp_key_init_ec(server_rec *s, ++ int bits, int idx) ++{ ++ SSLModConfigRec *mc = myModConfig(s); ++ EC_KEY *ecdh = NULL; ++ ++ /* XXX: Are there any FIPS constraints we should enforce? 
*/ ++ ++ if (bits != 256) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Init: Failed to generate temporary " ++ "%d bit EC parameters, only 256 bits supported", bits); ++ return !OK; ++ } ++ ++ if ((ecdh = EC_KEY_new()) == NULL || ++ EC_KEY_set_group(ecdh, EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) != 1) ++ { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++ "Init: Failed to generate temporary " ++ "%d bit EC parameters", bits); ++ return !OK; ++ } ++ ++ mc->pTmpKeys[idx] = ecdh; ++ return OK; ++} ++ ++#define MODSSL_TMP_KEY_INIT_EC(s, bits) \ ++ ssl_tmp_key_init_ec(s, bits, SSL_TMP_KEY_EC_##bits) ++ ++#endif ++ + #define MODSSL_TMP_KEY_INIT_RSA(s, bits) \ + ssl_tmp_key_init_rsa(s, bits, SSL_TMP_KEY_RSA_##bits) + +@@ -157,6 +194,15 @@ static int ssl_tmp_keys_init(server_rec *s) + return !OK; + } + ++#ifndef OPENSSL_NO_EC ++ ap_log_error(APLOG_MARK, APLOG_INFO, 0, s, ++ "Init: Generating temporary EC parameters (256 bits)"); ++ ++ if (MODSSL_TMP_KEY_INIT_EC(s, 256)) { ++ return !OK; ++ } ++#endif ++ + return OK; + } + +@@ -399,7 +445,11 @@ static void ssl_init_server_check(server_rec *s, + * Check for problematic re-initializations + */ + if (mctx->pks->certs[SSL_AIDX_RSA] || +- mctx->pks->certs[SSL_AIDX_DSA]) ++ mctx->pks->certs[SSL_AIDX_DSA] ++#ifndef OPENSSL_NO_EC ++ || mctx->pks->certs[SSL_AIDX_ECC] ++#endif ++ ) + { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, + "Illegal attempt to re-initialise SSL for server " +@@ -599,6 +649,9 @@ static void ssl_init_ctx_callbacks(server_rec *s, + + SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA); + SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); ++#ifndef OPENSSL_NO_EC ++ SSL_CTX_set_tmp_ecdh_callback(ctx,ssl_callback_TmpECDH); ++#endif + + SSL_CTX_set_info_callback(ctx, ssl_callback_Info); + } +@@ -866,9 +919,16 @@ static int ssl_server_import_key(server_rec *s, + ssl_asn1_t *asn1; + MODSSL_D2I_PrivateKey_CONST unsigned char *ptr; + const char *type = ssl_asn1_keystr(idx); +- int pkey_type = (idx == 
SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA; ++ int pkey_type; + EVP_PKEY *pkey; + ++#ifndef OPENSSL_NO_EC ++ if (idx == SSL_AIDX_ECC) ++ pkey_type = EVP_PKEY_EC; ++ else ++#endif ++ pkey_type = (idx == SSL_AIDX_RSA) ? EVP_PKEY_RSA : EVP_PKEY_DSA; ++ + if (!(asn1 = ssl_asn1_table_get(mc->tPrivateKey, id))) { + return FALSE; + } +@@ -979,19 +1039,39 @@ static void ssl_init_server_certs(server_rec *s, + modssl_ctx_t *mctx) + { + const char *rsa_id, *dsa_id; ++#ifndef OPENSSL_NO_EC ++ const char *ecc_id; ++#endif + const char *vhost_id = mctx->sc->vhost_id; + int i; + int have_rsa, have_dsa; ++#ifndef OPENSSL_NO_EC ++ int have_ecc; ++#endif + + rsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_RSA); + dsa_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_DSA); ++#ifndef OPENSSL_NO_EC ++ ecc_id = ssl_asn1_table_keyfmt(ptemp, vhost_id, SSL_AIDX_ECC); ++#endif + + have_rsa = ssl_server_import_cert(s, mctx, rsa_id, SSL_AIDX_RSA); + have_dsa = ssl_server_import_cert(s, mctx, dsa_id, SSL_AIDX_DSA); ++#ifndef OPENSSL_NO_EC ++ have_ecc = ssl_server_import_cert(s, mctx, ecc_id, SSL_AIDX_ECC); ++#endif + +- if (!(have_rsa || have_dsa)) { ++ if (!(have_rsa || have_dsa ++#ifndef OPENSSL_NO_EC ++ || have_ecc ++#endif ++)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++#ifndef OPENSSL_NO_EC ++ "Oops, no RSA, DSA or ECC server certificate found " ++#else + "Oops, no RSA or DSA server certificate found " ++#endif + "for '%s:%d'?!", s->server_hostname, s->port); + ssl_die(); + } +@@ -1002,10 +1082,21 @@ static void ssl_init_server_certs(server_rec *s, + + have_rsa = ssl_server_import_key(s, mctx, rsa_id, SSL_AIDX_RSA); + have_dsa = ssl_server_import_key(s, mctx, dsa_id, SSL_AIDX_DSA); ++#ifndef OPENSSL_NO_EC ++ have_ecc = ssl_server_import_key(s, mctx, ecc_id, SSL_AIDX_ECC); ++#endif + +- if (!(have_rsa || have_dsa)) { ++ if (!(have_rsa || have_dsa ++#ifndef OPENSSL_NO_EC ++ || have_ecc ++#endif ++ )) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, ++#ifndef OPENSSL_NO_EC ++ 
"Oops, no RSA, DSA or ECC server private key found?!"); ++#else + "Oops, no RSA or DSA server private key found?!"); ++#endif + ssl_die(); + } + } +diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c +index 6cb2087..28bc47a 100644 +--- a/modules/ssl/ssl_engine_kernel.c ++++ b/modules/ssl/ssl_engine_kernel.c +@@ -1267,6 +1267,27 @@ DH *ssl_callback_TmpDH(SSL *ssl, int export, int keylen)
View file
debian.tar.gz/patches/cookie-logging-CVE-2014-0098.diff
Added
@@ -0,0 +1,81 @@ +#commit 57beef76acf54b147116636b98f9e0ea56ee503f +#Author: Rainer Jung <rjung@apache.org> +#Date: Sat Aug 18 09:32:36 2012 +0000 +# +# mod_log_config: %{abc}C truncates cookies whose values contain '='. +# PR 53104 +# +# Backport of r1328133 from trunk resp. r1359690 from 2.4. +# +# Submitted by: gregames +# Reviewed by: trawick, wrowe +# Backported by: rjung +# +# +# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1374538 13f79535-47bb-0310-9956-ffa450edef68 +# +#commit 4bab699bdccdd3f48943d6ae224a1253a9a1a0d2 +#Author: Ruediger Pluem <rpluem@apache.org> +#Date: Wed Mar 12 12:41:07 2014 +0000 +# +# Merge r1575400 from trunk: +# +# CVE-2014-0098 (reported by Rainer Canavan <rainer-apache 7val com>) +# Segfaults w/ truncated cookie logging. +# +# Clean up the cookie logging parser to recognize only the cookie=value pairs, +# not valueless cookies. This refactors multiple passes over the same string +# buffer into a single pass parser. +# +# Submitted by: wrowe +# Reviewed by: rpluem, jim +# +# Reviewed by: wrowe, ylavic, jim +# +# +# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576716 13f79535-47bb-0310-9956-ffa450edef68 +# +Index: apache2/modules/loggers/mod_log_config.c +=================================================================== +--- apache2.orig/modules/loggers/mod_log_config.c ++++ apache2/modules/loggers/mod_log_config.c +@@ -524,14 +524,24 @@ + + while ((cookie = apr_strtok(cookies, ";", &last1))) { + char *name = apr_strtok(cookie, "=", &last2); +- if (name) { +- char *value; +- apr_collapse_spaces(name, name); ++ /* last2 points to the next char following an '=' delim, ++ or the trailing NUL char of the string */ ++ char *value = last2; ++ if (name && *name && value && *value) { ++ char *last = value - 2; ++ /* Move past leading WS */ ++ name += strspn(name, " \t"); ++ while (last >= name && apr_isspace(*last)) { ++ *last = '\0'; ++ --last; ++ } + +- if (!strcasecmp(name, a) && 
(value = apr_strtok(NULL, "=", &last2))) { +- char *last; +- value += strspn(value, " \t"); /* Move past leading WS */ +- last = value + strlen(value) - 1; ++ if (!strcasecmp(name, a)) { ++ /* last1 points to the next char following the ';' delim, ++ or the trailing NUL char of the string */ ++ last = last1 - (*last1 ? 2 : 1); ++ /* Move past leading WS */ ++ value += strspn(value, " \t"); + while (last >= value && apr_isspace(*last)) { + *last = '\0'; + --last; +@@ -540,6 +550,7 @@ + return ap_escape_logitem(r->pool, value); + } + } ++ /* Iterate the remaining tokens using apr_strtok(NULL, ...) */ + cookies = NULL; + } + }
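Review bot: the new parser trims the two ends of each token against different character sets: leading whitespace is skipped with `strspn(..., " \t")` for both `name` and `value`, while trailing whitespace is removed with `apr_isspace`. Pick one definition of whitespace and use it on both ends. The `value - 2` and `last1 - (*last1 ? 2 : 1)` arithmetic depends on exactly where `apr_strtok` leaves its state pointer; the comments explain that, but the patch carries no test, and cases such as a one-character cookie name, a value containing `=`, and a final cookie with no trailing `;` are the ones that would pin the arithmetic down.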
View file
debian.tar.gz/patches/disable-ssl-compression.patch
Changed
@@ -7,6 +7,7 @@ Origin: upstream, https://issues.apache.org/bugzilla/attachment.cgi?id=28804 Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=53219 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=674142 + --- a/modules/ssl/mod_ssl.c +++ b/modules/ssl/mod_ssl.c @@ -146,6 +146,9 @@ @@ -21,31 +22,41 @@ SSL_CMD_ALL(UserName, TAKE1, --- a/modules/ssl/ssl_engine_config.c +++ b/modules/ssl/ssl_engine_config.c -@@ -178,6 +178,7 @@ +@@ -178,6 +178,9 @@ #ifdef HAVE_FIPS sc->fips = UNSET; #endif ++#ifndef OPENSSL_NO_COMP + sc->compression = UNSET; ++#endif modssl_ctx_init_proxy(sc, p); -@@ -275,6 +276,7 @@ +@@ -275,6 +278,9 @@ #ifdef HAVE_FIPS cfgMergeBool(fips); #endif ++#ifndef OPENSSL_NO_COMP + cfgMergeBool(compression); ++#endif modssl_ctx_cfg_merge_proxy(base->proxy, add->proxy, mrg->proxy); -@@ -708,6 +710,17 @@ +@@ -708,6 +714,23 @@ } +const char *ssl_cmd_SSLCompression(cmd_parms *cmd, void *dcfg, int flag) +{ -+#if defined(SSL_OP_NO_COMPRESSION) || OPENSSL_VERSION_NUMBER >= 0x00908000L ++#if !defined(OPENSSL_NO_COMP) + SSLSrvConfigRec *sc = mySrvConfig(cmd->server); -+ sc->compression = flag?TRUE:FALSE; ++#ifndef SSL_OP_NO_COMPRESSION ++ const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY); ++ if (err) ++ return "This version of openssl does not support configuring " ++ "compression within <VirtualHost> sections."; ++#endif ++ sc->compression = flag ? TRUE : FALSE; + return NULL; +#else + return "Setting Compression mode unsupported; not implemented by the SSL library"; @@ -57,22 +68,19 @@ #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE --- a/modules/ssl/ssl_engine_init.c 
+++ b/modules/ssl/ssl_engine_init.c -@@ -532,6 +532,21 @@ +@@ -532,6 +532,18 @@ } #endif ++ ++#ifndef OPENSSL_NO_COMP ++ if (sc->compression != TRUE) { +#ifdef SSL_OP_NO_COMPRESSION -+ /* OpenSSL >= 1.0 only */ -+ if (sc->compression == FALSE) { ++ /* OpenSSL >= 1.0 only */ + SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION); -+ } +#elif OPENSSL_VERSION_NUMBER >= 0x00908000L -+ /* workaround for OpenSSL 0.9.8 */ -+ if (sc->compression == FALSE) { -+ SSL_CTX * tls_ctx; -+ STACK_OF(SSL_COMP)* comp_methods; -+ comp_methods = SSL_COMP_get_compression_methods(); -+ sk_SSL_COMP_zero(comp_methods); ++ sk_SSL_COMP_zero(SSL_COMP_get_compression_methods()); ++#endif + } +#endif + @@ -81,15 +89,29 @@ SSL_CTX_set_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION); --- a/modules/ssl/ssl_private.h +++ b/modules/ssl/ssl_private.h -@@ -495,6 +495,7 @@ +@@ -64,6 +64,11 @@ + #define HAVE_TLSV1_X + #endif + ++#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \ ++ && OPENSSL_VERSION_NUMBER < 0x00908000L ++#define OPENSSL_NO_COMP ++#endif ++ + #include "ssl_util_ssl.h" + + /** The #ifdef macros are only defined AFTER including the above +@@ -495,6 +500,9 @@ #ifdef HAVE_FIPS BOOL fips; #endif ++#ifndef OPENSSL_NO_COMP + BOOL compression; ++#endif }; /** -@@ -551,6 +552,7 @@ +@@ -551,6 +559,7 @@ const char *ssl_cmd_SSLCARevocationPath(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCARevocationFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLHonorCipherOrder(cmd_parms *cmd, void *dcfg, int flag);
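Review bot: in the `ssl_engine_init.c` hunk the condition changes from `sc->compression == FALSE` to `sc->compression != TRUE`, so a server that never sets SSLCompression (the field is initialised to `UNSET` in `ssl_engine_config.c`) now has compression turned off. That flip of the default is the most visible effect of this revision of the patch and should be stated in the patch header and in the directive documentation. In the 0.9.8 branch, `sk_SSL_COMP_zero(SSL_COMP_get_compression_methods())` empties a process-wide list, which is why `ssl_cmd_SSLCompression` restricts the directive with `ap_check_cmd_context(cmd, GLOBAL_ONLY)` when `SSL_OP_NO_COMPRESSION` is missing; a comment linking the two would save the next reader from working that out.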
View file
debian.tar.gz/patches/mod_dav-CVE-2013-6438.patch
Added
@@ -0,0 +1,34 @@ +# commit 9ea49621699c2a5ead8bc9ffb8afa6167d31a826 +# Author: Ruediger Pluem <rpluem@apache.org> +# Date: Wed Mar 12 11:50:49 2014 +0000 +# +# Merge r1556428 from trunk: +# +# mod_dav: Keep track of length of cdata properly when removing leading spaces. +# +# * modules/dav/main/util.c +# (dav_xml_get_cdata): reduce len variable when increasing cdata pointer. +# +# Submitted by: Amin Tora <Amin.Tora neustar.biz> +# +# Reviewed by: breser, rpluem, gstein, wrowe +# +# +# git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1576706 13f79535-47bb-0310-9956-ffa450edef68 +# +diff --git a/modules/dav/main/util.c b/modules/dav/main/util.c +index ddbd621..ba856fa 100644 +--- a/modules/dav/main/util.c ++++ b/modules/dav/main/util.c +@@ -372,8 +372,10 @@ DAV_DECLARE(const char *) dav_xml_get_cdata(const apr_xml_elem *elem, apr_pool_t + + if (strip_white) { + /* trim leading whitespace */ +- while (apr_isspace(*cdata)) /* assume: return false for '\0' */ ++ while (apr_isspace(*cdata)) { /* assume: return false for '\0' */ + ++cdata; ++ --len; ++ } + + /* trim trailing whitespace */ + while (len-- > 0 && apr_isspace(cdata[len]))
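Review bot: the leading-whitespace loop still terminates only because `apr_isspace(*cdata)` is false at the terminator (the `assume: return false for '\0'` comment), so the new `--len` is not bounded by anything in the loop itself. Writing the condition as `while (len > 0 && apr_isspace(*cdata))` would stop the loop on the length as well, and would keep `len` from wrapping before the trailing loop's `len-- > 0` test if `len` is an unsigned type (its declaration is outside the context shown).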
View file
debian.tar.gz/patches/mod_dav_crash_PR_52559.patch
Added
@@ -0,0 +1,81 @@ +# http://svn.apache.org/r1497455 +# mod_dav: When a PROPPATCH attempts to remove a non-existent dead +# property on a resource for which there is no dead property in the same +# namespace httpd segfaults. +# +# http://svn.apache.org/r1497457 +# mod_dav: Do not fail PROPPATCH when prop namespace is not known. +# +# http://svn.apache.org/r1497463 +# mod_dav: Do not segfault on PROPFIND with a zero length DBM. +# +Index: apache2/modules/dav/fs/dbm.c +=================================================================== +--- apache2.orig/modules/dav/fs/dbm.c ++++ apache2/modules/dav/fs/dbm.c +@@ -191,7 +191,15 @@ + + dav_error * dav_dbm_fetch(dav_db *db, apr_datum_t key, apr_datum_t *pvalue) + { +- apr_status_t status = apr_dbm_fetch(db->file, key, pvalue); ++ apr_status_t status; ++ ++ if (!key.dptr) { ++ /* no key could be created (namespace not known) => no value */ ++ memset(pvalue, 0, sizeof(*pvalue)); ++ status = APR_SUCCESS; ++ } else { ++ status = apr_dbm_fetch(db->file, key, pvalue); ++ } + + return dav_fs_dbm_error(db, NULL, status); + } +@@ -729,6 +737,10 @@ + static dav_error * dav_propdb_apply_rollback(dav_db *db, + dav_deadprop_rollback *rollback) + { ++ if (!rollback) { ++ return NULL; /* no rollback, nothing to do */ ++ } ++ + if (rollback->value.dptr == NULL) { + /* don't fail if the thing isn't really there. 
*/ + (void) dav_dbm_delete(db, rollback->key); +Index: apache2/modules/dav/main/props.c +=================================================================== +--- apache2.orig/modules/dav/main/props.c ++++ apache2/modules/dav/main/props.c +@@ -594,13 +594,14 @@ + if (propdb->db != NULL) { + dav_xmlns_info *xi = dav_xmlns_create(propdb->p); + dav_prop_name name; ++ dav_error *err; + + /* define (up front) any namespaces the db might need */ + (void) (*db_hooks->define_namespaces)(propdb->db, xi); + + /* get the first property name, beginning the scan */ +- (void) (*db_hooks->first_name)(propdb->db, &name); +- while (name.ns != NULL) { ++ err = (*db_hooks->first_name)(propdb->db, &name); ++ while (!err && name.ns) { + + /* + ** We also look for <DAV:getcontenttype> and +@@ -619,7 +620,6 @@ + } + + if (what == DAV_PROP_INSERT_VALUE) { +- dav_error *err; + int found; + + if ((err = (*db_hooks->output_value)(propdb->db, &name, +@@ -638,7 +638,7 @@ + } + + next_key: +- (void) (*db_hooks->next_name)(propdb->db, &name); ++ err = (*db_hooks->next_name)(propdb->db, &name); + } + + /* all namespaces have been entered into xi. generate them into
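Review bot: in the `props.c` hunks the scan loop now stops as soon as `first_name` or `next_name` returns an error (`while (!err && name.ns)`), but nothing in the visible lines logs or returns `err` once the loop ends, so a failing property database would produce a silently shortened property list. Log the error or propagate it to the caller. In `dbm.c`, the early `return NULL` in `dav_propdb_apply_rollback` and the `!key.dptr` branch in `dav_dbm_fetch` are both commented well enough to follow.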
View file
debian.tar.gz/patches/mod_log_forensic_693292.patch
Added
@@ -0,0 +1,20 @@ +http://svn.apache.org/viewvc?view=revision&revision=r1410954 + + Don't log a spurious "-" if a request has been rejected + before mod_log_forensic could attach its id to it. + + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693292 + +diff --git a/modules/loggers/mod_log_forensic.c b/modules/loggers/mod_log_forensic.c +index add3eb9..7cbb76d 100644 +--- a/modules/loggers/mod_log_forensic.c ++++ b/modules/loggers/mod_log_forensic.c +@@ -240,7 +240,7 @@ static int log_after(request_rec *r) + apr_size_t l, n; + apr_status_t rv; + +- if (!cfg->fd) { ++ if (!cfg->fd || id == NULL) { + return DECLINED; + } +
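Review bot: the added `id == NULL` test in `log_after` has no comment at the check explaining when `id` can be NULL; the reason (a request rejected before mod_log_forensic attached its id) is only in the patch header and will be lost once the patch is applied. Add a one-line comment, and write the test as `!id` so that it matches `!cfg->fd` in the same condition.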
View file
debian.tar.gz/patches/mod_proxy-crash-PR_50335.patch
Added
@@ -0,0 +1,46 @@ +# https://svn.apache.org/r1576714 +# https://svn.apache.org/r1573067 +# https://issues.apache.org/bugzilla/show_bug.cgi?id=50335 +# +# Fix crashes in mod_proxy with threaded mpms under high load +# +--- apache2.orig/modules/proxy/mod_proxy_http.c ++++ apache2/modules/proxy/mod_proxy_http.c +@@ -267,6 +267,9 @@ + if (transferred != -1) + conn->worker->s->transferred += transferred; + status = ap_pass_brigade(origin->output_filters, bb); ++ /* Cleanup the brigade now to avoid buckets lifetime ++ * issues in case of error returned below. */ ++ apr_brigade_cleanup(bb); + if (status != APR_SUCCESS) { + ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server, + "proxy: pass request body failed to %pI (%s)", +@@ -286,7 +289,6 @@ + return HTTP_BAD_REQUEST; + } + } +- apr_brigade_cleanup(bb); + return OK; + } + +@@ -709,7 +711,7 @@ + int force10, rv; + apr_table_t *headers_in_copy; + +- header_brigade = apr_brigade_create(p, origin->bucket_alloc); ++ header_brigade = apr_brigade_create(p, bucket_alloc); + + /* + * Send the HTTP/1.1 request to the remote server +@@ -1864,6 +1866,10 @@ + } + } while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES)); + ++ /* We have to cleanup bb brigade, because buckets inserted to it could be ++ * created from scpool and this pool can be freed before this brigade. */ ++ apr_brigade_cleanup(bb); ++ + /* See define of AP_MAX_INTERIM_RESPONSES for why */ + if (interim_response >= AP_MAX_INTERIM_RESPONSES) { + return ap_proxyerror(r, HTTP_BAD_GATEWAY,
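Review bot: the `@@ -709,7 +711,7 @@` hunk replaces `apr_brigade_create(p, origin->bucket_alloc)` with a bare `bucket_alloc`, whose declaration lies outside the context shown and which the patch header does not mention. Say in the header which allocator this is and why `origin->bucket_alloc` was the wrong one, since the header currently describes only "crashes under high load". The two `apr_brigade_cleanup(bb)` changes carry comments that explain the bucket lifetime issue and need nothing further.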
View file
debian.tar.gz/patches/mod_rewrite-CVE-2013-1862.patch
Added
@@ -0,0 +1,46 @@ +#Index: CHANGES +#=================================================================== +#--- CHANGES (revision 1469310) +#+++ CHANGES (working copy) +#@@ -1,8 +1,11 @@ +# -*- coding: utf-8 -*- +# Changes with Apache 2.2.25 +# +#+ *) SECURITY: CVE-2013-1862 (cve.mitre.org) +#+ mod_rewrite: Ensure that client data written to the RewriteLog is +#+ escaped to prevent terminal escape sequences from entering the +#+ log file. [Joe Orton] +# +#- +# Changes with Apache 2.2.24 +# +# *) SECURITY: CVE-2012-3499 (cve.mitre.org) +Index: modules/mappers/mod_rewrite.c +=================================================================== +--- a/modules/mappers/mod_rewrite.c (revision 1469310) ++++ b/modules/mappers/mod_rewrite.c (working copy) +@@ -500,11 +500,11 @@ + + logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] " + "(%d) %s%s%s%s" APR_EOL_STR, +- rhost ? rhost : "UNKNOWN-HOST", +- rname ? rname : "-", +- r->user ? (*r->user ? r->user : "\"\"") : "-", ++ rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST", ++ rname ? ap_escape_logitem(r->pool, rname) : "-", ++ r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-", + current_logtime(r), +- ap_get_server_name(r), ++ ap_escape_logitem(r->pool, ap_get_server_name(r)), + (void *)(r->server), + (void *)r, + r->main ? "subreq" : "initial", +@@ -514,7 +514,7 @@ + perdir ? "[perdir " : "", + perdir ? perdir : "", + perdir ? "] ": "", +- text); ++ ap_escape_logitem(r->pool, text)); + + nbytes = strlen(logline); + apr_file_write(conf->rewritelogfp, logline, &nbytes);
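Review bot: in the `apr_psprintf` call, `perdir` is still written to the RewriteLog unescaped while `rhost`, `rname`, `r->user`, the server name and `text` now all pass through `ap_escape_logitem`. If `perdir` can only come from configuration, add a comment saying so; otherwise escape it like the rest. The commented-out CHANGES hunk at the top of the patch file applies to nothing and could be reduced to a short description with the CVE id.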
View file
debian.tar.gz/patches/series
Changed
@@ -33,3 +33,15 @@ dbmmanage-perl-510.patch SSLProtocol-tls11-12.2.patch disable-ssl-compression.patch +CVE-2012-3499_CVE-2012-4558_XSS.patch +mod_log_forensic_693292.patch +mod_rewrite-CVE-2013-1862.patch +CVE-2013-1896.patch +mod_dav_crash_PR_52559.patch +mod_dav-CVE-2013-6438.patch +cookie-logging-CVE-2014-0098.diff +SSL-ECC.patch +mod_proxy-crash-PR_50335.patch +CVE-2014-0226_scoreboard.patch +CVE-2014-0231_mod_cgid-DoS.patch +CVE-2014-0118_mod_deflate-DoS.patch