Projects
Kolab:3.4:Updates
httpd
Log In
Username
Password
We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 2
View file
apache2.dsc
Changed
@@ -2,7 +2,7 @@ Source: apache2 Binary: apache2.2-common, apache2.2-bin, apache2-mpm-worker, apache2-mpm-prefork, apache2-mpm-event, apache2-mpm-itk, apache2-utils, apache2-suexec, apache2-suexec-custom, apache2, apache2-doc, apache2-prefork-dev, apache2-threaded-dev, apache2-dbg Architecture: any all -Version: 2.2.22-13.2+deb7u3 +Version: 2.2.22-13.2+deb7u4 Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org> Uploaders: Stefan Fritsch <sf@debian.org>, Steinar H. Gunderson <sesse@debian.org>, Arno Töll <arno@debian.org> Homepage: http://httpd.apache.org/
View file
debian.changelog
Changed
@@ -1,3 +1,27 @@ +apache2 (2.2.22-13.2+deb7u4) wheezy; urgency=medium + + * Non-maintainer upload. + * Merge patches from Debian 2.2.22-13+deb7u4. + + -- Christoph Erhardt <kolab@sicherha.de> Mon, 12 Jan 2015 13:59:06 +0100 + +apache2 (2.2.22-13+deb7u4) wheezy; urgency=medium + + * CVE-2013-5704: Fix handling of chunk trailers. A remote attacker could + use this flaw to bypass intended mod_headers restrictions, allowing + them to send requests to applications that include headers that should + have been removed by mod_headers. + The new behavior is to not merge trailers into the headers autmatically. + A new directive "MergeTrailers" is introduced to restore the old + behavior. + * Fix hostname comparison with SNI to be case insensitive. Closes: #771199 + * Fix valule of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15). + Closes: #773841 + * Add paragraph about session ticket key life-time and forward secrecy to + README.Debian. Closes: #762619 + + -- Stefan Fritsch <sf@debian.org> Tue, 23 Dec 2014 23:44:24 +0100 + apache2 (2.2.22-13.2+deb7u3) wheezy-security; urgency=high * Non-maintainer upload.
View file
debian.tar.gz/README.Debian
Changed
@@ -11,6 +11,8 @@ Enabling SSL Creating self-signed certificates SSL workaround for MSIE + ECC keys and ECDH ciphers + Session ticket key life-time and forward secrecy Suexec @@ -246,6 +248,19 @@ A special compatibility fix for older Safari browsers is enabled if using an up-to-date libssl-1.0.0 (version 1.0.1e-2+deb7u8 or newer). +Session ticket key life-time and forward secrecy +------------------------------------------------ + +Apache uses TLS session tickets to improve handshake performance. By default, a +new session key key is (re-)generated at startup and at every graceful restart. +This means that an attacker that somehow gets access to the memory of the +running apache process may decrypt past connections that have used the current +session ticket key. This breaks forward secrecy even if the used cipher would +have provided forward secrecy. There is currently no way to change Apache's +behavior. If you want to mitigate this kind of attack, you should consider +increasing the frequency of graceful restarts by changing the log rotation in +/etc/logrotate.d/apache2 from weekly to daily. + Suexec ======
View file
debian.tar.gz/patches/CVE-2013-5704_trailers.patch
Added
@@ -0,0 +1,383 @@ +# http://svn,apache.org/r1619489 +# +# *) SECURITY: CVE-2013-5704 (cve.mitre.org) +# core: HTTP trailers could be used to replace HTTP headers +# late during request processing, potentially undoing or +# otherwise confusing modules that examined or modified +# request headers earlier. Adds "MergeTrailers" directive to restore +# legacy behavior. [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener] +# +Index: apache2/modules/loggers/mod_log_config.c +=================================================================== +--- apache2.orig/modules/loggers/mod_log_config.c ++++ apache2/modules/loggers/mod_log_config.c +@@ -412,6 +412,12 @@ + return ap_escape_logitem(r->pool, apr_table_get(r->headers_in, a)); + } + ++static const char *log_trailer_in(request_rec *r, char *a) ++{ ++ return ap_escape_logitem(r->pool, apr_table_get(r->trailers_in, a)); ++} ++ ++ + static APR_INLINE char *find_multiple_headers(apr_pool_t *pool, + const apr_table_t *table, + const char *key) +@@ -495,6 +501,11 @@ + return ap_escape_logitem(r->pool, cp); + } + ++static const char *log_trailer_out(request_rec *r, char *a) ++{ ++ return ap_escape_logitem(r->pool, apr_table_get(r->trailers_out, a)); ++} ++ + static const char *log_note(request_rec *r, char *a) + { + return ap_escape_logitem(r->pool, apr_table_get(r->notes, a)); +@@ -813,7 +824,7 @@ + static char *parse_log_item(apr_pool_t *p, log_format_item *it, const char **sa) + { + const char *s = *sa; +- ap_log_handler *handler; ++ ap_log_handler *handler = NULL; + + if (*s != '%') { + return parse_log_misc_string(p, it, sa); +@@ -883,7 +894,16 @@ + break; + + default: +- handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1); ++ /* check for '^' + two character format first */ ++ if (*s == '^' && *(s+1) && *(s+2)) { ++ handler = (ap_log_handler *)apr_hash_get(log_hash, s, 3); ++ if (handler) { ++ s += 3; ++ } ++ } ++ if (!handler) { ++ handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1); ++ } + if (!handler) { + char dummy[2]; + +@@ -1389,7 +1409,7 @@ + log_struct->func = handler; + log_struct->want_orig_default = def; + +- apr_hash_set(log_hash, tag, 1, (const void *)log_struct); ++ apr_hash_set(log_hash, tag, strlen(tag), (const void *)log_struct); + } + static ap_log_writer_init* ap_log_set_writer_init(ap_log_writer_init *handle) + { +@@ -1558,6 +1578,9 @@ + log_pfn_register(p, "U", log_request_uri, 1); + log_pfn_register(p, "s", log_status, 1); + log_pfn_register(p, "R", log_handler, 1); ++ ++ log_pfn_register(p, "^ti", log_trailer_in, 0); ++ log_pfn_register(p, "^to", log_trailer_out, 0); + } + + /* reset to default conditions */ +Index: apache2/modules/http/http_request.c +=================================================================== +--- apache2.orig/modules/http/http_request.c ++++ apache2/modules/http/http_request.c +@@ -384,8 +384,10 @@ + new->main = r->main; + + new->headers_in = r->headers_in; ++ new->trailers_in = r->trailers_in; + new->headers_out = apr_table_make(r->pool, 12); + new->err_headers_out = r->err_headers_out; ++ new->trailers_out = apr_table_make(r->pool, 5); + new->subprocess_env = rename_original_env(r->pool, r->subprocess_env); + new->notes = apr_table_make(r->pool, 5); + +@@ -495,6 +497,8 @@ + r->headers_out); + r->err_headers_out = apr_table_overlay(r->pool, rr->err_headers_out, + r->err_headers_out); ++ r->trailers_out = apr_table_overlay(r->pool, rr->trailers_out, ++ r->trailers_out); + r->subprocess_env = apr_table_overlay(r->pool, rr->subprocess_env, + r->subprocess_env); + +Index: apache2/modules/http/http_filters.c +=================================================================== +--- apache2.orig/modules/http/http_filters.c ++++ apache2/modules/http/http_filters.c +@@ -206,6 +206,49 @@ + } + + ++static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f, ++ apr_bucket_brigade *b, int merge) ++{ ++ int rv; ++ apr_bucket *e; ++ request_rec *r = f->r; ++ apr_table_t *saved_headers_in = r->headers_in; ++ int saved_status = r->status; ++ ++ r->status = HTTP_OK; ++ r->headers_in = r->trailers_in; ++ apr_table_clear(r->headers_in); ++ ctx->state = BODY_NONE; ++ ap_get_mime_headers(r); ++ ++ if(r->status == HTTP_OK) { ++ r->status = saved_status; ++ e = apr_bucket_eos_create(f->c->bucket_alloc); ++ APR_BRIGADE_INSERT_TAIL(b, e); ++ ctx->eos_sent = 1; ++ rv = APR_SUCCESS; ++ } ++ else { ++ const char *error_notes = apr_table_get(r->notes, ++ "error-notes"); ++ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, ++ "Error while reading HTTP trailer: %i%s%s", ++ r->status, error_notes ? ": " : "", ++ error_notes ? error_notes : ""); ++ rv = APR_EINVAL; ++ } ++ ++ if(!merge) { ++ r->headers_in = saved_headers_in; ++ } ++ else { ++ r->headers_in = apr_table_overlay(r->pool, saved_headers_in, ++ r->trailers_in); ++ } ++ ++ return rv; ++} ++ + /* This is the HTTP_INPUT filter for HTTP requests and responses from + * proxied servers (mod_proxy). It handles chunked and content-length + * bodies. This can only be inserted/used after the headers +@@ -215,6 +258,7 @@ + ap_input_mode_t mode, apr_read_type_e block, + apr_off_t readbytes) + { ++ core_server_config *conf; + apr_bucket *e; + http_ctx_t *ctx = f->ctx; + apr_status_t rv; +@@ -222,6 +266,9 @@ + int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE; + apr_bucket_brigade *bb; + ++ conf = (core_server_config *) ++ ap_get_module_config(f->r->server->module_config, &core_module); ++ + /* just get out of the way of things we don't want. */ + if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) { + return ap_get_brigade(f->next, b, mode, block, readbytes); +@@ -395,13 +442,8 @@ + } + + if (!ctx->remaining) { +- /* Handle trailers by calling ap_get_mime_headers again! */ +- ctx->state = BODY_NONE; +- ap_get_mime_headers(f->r); +- e = apr_bucket_eos_create(f->c->bucket_alloc); +- APR_BRIGADE_INSERT_TAIL(b, e); +- ctx->eos_sent = 1; +- return APR_SUCCESS; ++ return read_chunked_trailers(ctx, f, b, ++ conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE); + } + } + } +@@ -501,13 +543,8 @@ + } +
View file
debian.tar.gz/patches/SNI_case_insensitve.diff
Added
@@ -0,0 +1,13 @@ +# https://svn.apache.org/viewvc?view=revision&revision=r1515565 +# http://bugs.debian.org/771199 +--- apache2.orig/modules/ssl/ssl_engine_kernel.c ++++ apache2/modules/ssl/ssl_engine_kernel.c +@@ -136,7 +136,7 @@ int ssl_hook_ReadReq(request_rec *r) + if (rv != APR_SUCCESS || scope_id) { + return HTTP_BAD_REQUEST; + } +- if (strcmp(host, servername)) { ++ if (strcasecmp(host, servername)) { + ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, + "Hostname %s provided via SNI and hostname %s provided" + " via HTTP are different", servername, host);
View file
debian.tar.gz/patches/mod_ssl_SSL_CLIENT_S_DN_UID.diff
Added
@@ -0,0 +1,13 @@ +# http://svn.apache.org/viewvc?view=revision&revision=1445112 +# http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773841 +--- apache2.orig/modules/ssl/ssl_engine_vars.c ++++ apache2/modules/ssl/ssl_engine_vars.c +@@ -431,7 +431,7 @@ static const struct { + { "S", NID_surname, 1 }, + { "D", NID_description, 1 }, + #ifdef NID_userId +- { "UID", NID_x500UniqueIdentifier, 1 }, ++ { "UID", NID_userId, 1 }, + #endif + { "Email", NID_pkcs9_emailAddress, 1 }, + { NULL, 0, 0 }
View file
debian.tar.gz/patches/series
Changed
@@ -45,3 +45,6 @@ CVE-2014-0226_scoreboard.patch CVE-2014-0231_mod_cgid-DoS.patch CVE-2014-0118_mod_deflate-DoS.patch +CVE-2013-5704_trailers.patch +SNI_case_insensitve.diff +mod_ssl_SSL_CLIENT_S_DN_UID.diff
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.