Kolab:3.4:Updates / httpd
Changes of Revision 5
apache2.dsc (Changed)
@@ -2,7 +2,7 @@ Source: apache2 Binary: apache2.2-common, apache2.2-bin, apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event, apache2-mpm-itk, apache2-utils, apache2-suexec, apache2-suexec-custom, apache2, apache2-doc, apache2-prefork-dev, apache2-threaded-dev, apache2-dbg Architecture: any all -Version: 2.2.22-13.2+deb7u6 +Version: 2.2.22-13.2+deb7u7 Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Uploaders: Stefan Fritsch <sf@debian.org>, Steinar H. Gunderson <sesse@debian.org>, Arno Töll <arno@debian.org> Homepage: http://httpd.apache.org/
debian.changelog (Changed)
@@ -1,3 +1,19 @@ +apache2 (2.2.22-13.2+deb7u7) wheezy-security; urgency=high + + * Non-maintainer upload. + * Merge patches from Debian 2.2.22-13+deb7u7. + + -- Christoph Erhardt <kolab@sicherha.de> Sun, 11 Sep 2016 20:50:48 +0200 + +apache2 (2.2.22-13+deb7u7) wheezy-security; urgency=high + + * Non-maintainer upload. + * CVE-2016-5387: Sets environmental variable based on user supplied Proxy + request header. + Don't pass through HTTP_PROXY in server/util_script.c + + -- Salvatore Bonaccorso <carnil@debian.org> Wed, 20 Jul 2016 07:03:46 +0200 + apache2 (2.2.22-13.2+deb7u6) wheezy-security; urgency=medium * Non-maintainer upload.
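Review bot: the CVE-2016-5387 entry says "Don't pass through HTTP_PROXY", but the patch it describes acts on the client-supplied "Proxy" request header; the entry would match the code better if it said that the Proxy header is dropped before the CGI header-to-environment mapping would turn it into HTTP_PROXY. Minor wording: "environmental variable" should read "environment variable".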
debian.tar.gz/patches/CVE-2016-5387.patch (Added)
@@ -0,0 +1,17 @@ +--- a/server/util_script.c ++++ b/server/util_script.c +@@ -180,6 +180,14 @@ AP_DECLARE(void) ap_add_common_vars(requ + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them
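Review bot: the new `else if (!strcasecmp(hdrs[i].key, "Proxy")) { ; }` branch has an empty body and relies on the surrounding if/else chain to keep the header out of whatever generic header-to-HTTP_* handling follows; an explicit `continue` would state the intent and survive a later restructuring of the chain. Using strcasecmp is right, since "proxy" and "PROXY" would map to the same HTTP_PROXY variable. The `#ifndef SECURITY_HOLE_PASS_PROXY` escape hatch re-enables the vulnerable behaviour when that macro is defined, yet it is mentioned nowhere in debian.changelog; either document it there or drop the conditional for the security upload.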
debian.tar.gz/patches/series (Changed)
@@ -51,3 +51,4 @@ DH-SSLCertificateFile.patch CVE-2015-3183.patch SSL_CTX_use_certificate_clear_errors.diff +CVE-2016-5387.patch