Kolab Groupware OBS

apache2.dsc Changed

debian.changelog Changed

@@ -1,3 +1,27 @@
+apache2 (2.2.22-13.2+deb7u4) wheezy; urgency=medium
+
+  * Non-maintainer upload.
+  * Merge patches from Debian 2.2.22-13+deb7u4.
+
+ -- Christoph Erhardt <kolab@sicherha.de>  Mon, 12 Jan 2015 13:59:06 +0100
+
+apache2 (2.2.22-13+deb7u4) wheezy; urgency=medium
+
+  * CVE-2013-5704: Fix handling of chunk trailers. A remote attacker could
+    use this flaw to bypass intended mod_headers restrictions, allowing
+    them to send requests to applications that include headers that should
+    have been removed by mod_headers.
+    The new behavior is to not merge trailers into the headers autmatically.
+    A new directive "MergeTrailers" is introduced to restore the old
+    behavior.
+  * Fix hostname comparison with SNI to be case insensitive. Closes: #771199
+  * Fix valule of SSL_CLIENT_S_DN_UID in mod_ssl (broken in 2.2.15).
+    Closes: #773841
+  * Add paragraph about session ticket key life-time and forward secrecy to
+    README.Debian. Closes: #762619
+
+ -- Stefan Fritsch <sf@debian.org>  Tue, 23 Dec 2014 23:44:24 +0100
+
 apache2 (2.2.22-13.2+deb7u3) wheezy-security; urgency=high
 
   * Non-maintainer upload.

debian.tar.gz/README.Debian Changed

@@ -11,6 +11,8 @@
 		Enabling SSL
 		Creating self-signed certificates
 		SSL workaround for MSIE
+		ECC keys and ECDH ciphers
+		Session ticket key life-time and forward secrecy
 
 	Suexec
 	
@@ -246,6 +248,19 @@
 A special compatibility fix for older Safari browsers is enabled if using an
 up-to-date libssl-1.0.0 (version 1.0.1e-2+deb7u8 or newer).
 
+Session ticket key life-time and forward secrecy
+------------------------------------------------
+
+Apache uses TLS session tickets to improve handshake performance. By default, a
+new session key key is (re-)generated at startup and at every graceful restart.
+This means that an attacker that somehow gets access to the memory of the
+running apache process may decrypt past connections that have used the current
+session ticket key. This breaks forward secrecy even if the used cipher would
+have provided forward secrecy. There is currently no way to change Apache's
+behavior. If you want to mitigate this kind of attack, you should consider
+increasing the frequency of graceful restarts by changing the log rotation in
+/etc/logrotate.d/apache2 from weekly to daily.
+
 
 Suexec
 ======

debian.tar.gz/patches/CVE-2013-5704_trailers.patch Added

@@ -0,0 +1,383 @@
+# http://svn,apache.org/r1619489
+#
+#  *) SECURITY: CVE-2013-5704 (cve.mitre.org)
+#     core: HTTP trailers could be used to replace HTTP headers
+#     late during request processing, potentially undoing or
+#     otherwise confusing modules that examined or modified
+#     request headers earlier.  Adds "MergeTrailers" directive to restore
+#     legacy behavior.  [Edward Lu, Yann Ylavic, Joe Orton, Eric Covener]
+#
+Index: apache2/modules/loggers/mod_log_config.c
+===================================================================
+--- apache2.orig/modules/loggers/mod_log_config.c
++++ apache2/modules/loggers/mod_log_config.c
+@@ -412,6 +412,12 @@
+     return ap_escape_logitem(r->pool, apr_table_get(r->headers_in, a));
+ }
+ 
++static const char *log_trailer_in(request_rec *r, char *a)
++{
++    return ap_escape_logitem(r->pool, apr_table_get(r->trailers_in, a));
++}
++
++
+ static APR_INLINE char *find_multiple_headers(apr_pool_t *pool,
+                                               const apr_table_t *table,
+                                               const char *key)
+@@ -495,6 +501,11 @@
+     return ap_escape_logitem(r->pool, cp);
+ }
+ 
++static const char *log_trailer_out(request_rec *r, char *a)
++{
++    return ap_escape_logitem(r->pool, apr_table_get(r->trailers_out, a));
++}
++
+ static const char *log_note(request_rec *r, char *a)
+ {
+     return ap_escape_logitem(r->pool, apr_table_get(r->notes, a));
+@@ -813,7 +824,7 @@
+ static char *parse_log_item(apr_pool_t *p, log_format_item *it, const char **sa)
+ {
+     const char *s = *sa;
+-    ap_log_handler *handler;
++    ap_log_handler *handler = NULL;
+ 
+     if (*s != '%') {
+         return parse_log_misc_string(p, it, sa);
+@@ -883,7 +894,16 @@
+             break;
+ 
+         default:
+-            handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1);
++            /* check for '^' + two character format first */
++            if (*s == '^' && *(s+1) && *(s+2)) { 
++                handler = (ap_log_handler *)apr_hash_get(log_hash, s, 3); 
++                if (handler) { 
++                   s += 3;
++                }
++            }
++            if (!handler) {  
++                handler = (ap_log_handler *)apr_hash_get(log_hash, s++, 1);  
++            }
+             if (!handler) {
+                 char dummy[2];
+ 
+@@ -1389,7 +1409,7 @@
+     log_struct->func = handler;
+     log_struct->want_orig_default = def;
+ 
+-    apr_hash_set(log_hash, tag, 1, (const void *)log_struct);
++    apr_hash_set(log_hash, tag, strlen(tag), (const void *)log_struct);
+ }
+ static ap_log_writer_init* ap_log_set_writer_init(ap_log_writer_init *handle)
+ {
+@@ -1558,6 +1578,9 @@
+         log_pfn_register(p, "U", log_request_uri, 1);
+         log_pfn_register(p, "s", log_status, 1);
+         log_pfn_register(p, "R", log_handler, 1);
++
++        log_pfn_register(p, "^ti", log_trailer_in, 0);
++        log_pfn_register(p, "^to", log_trailer_out, 0);
+     }
+ 
+     /* reset to default conditions */
+Index: apache2/modules/http/http_request.c
+===================================================================
+--- apache2.orig/modules/http/http_request.c
++++ apache2/modules/http/http_request.c
+@@ -384,8 +384,10 @@
+     new->main            = r->main;
+ 
+     new->headers_in      = r->headers_in;
++    new->trailers_in     = r->trailers_in;
+     new->headers_out     = apr_table_make(r->pool, 12);
+     new->err_headers_out = r->err_headers_out;
++    new->trailers_out    = apr_table_make(r->pool, 5);
+     new->subprocess_env  = rename_original_env(r->pool, r->subprocess_env);
+     new->notes           = apr_table_make(r->pool, 5);
+ 
+@@ -495,6 +497,8 @@
+                                        r->headers_out);
+     r->err_headers_out = apr_table_overlay(r->pool, rr->err_headers_out,
+                                            r->err_headers_out);
++    r->trailers_out = apr_table_overlay(r->pool, rr->trailers_out,
++                                           r->trailers_out);
+     r->subprocess_env = apr_table_overlay(r->pool, rr->subprocess_env,
+                                           r->subprocess_env);
+ 
+Index: apache2/modules/http/http_filters.c
+===================================================================
+--- apache2.orig/modules/http/http_filters.c
++++ apache2/modules/http/http_filters.c
+@@ -206,6 +206,49 @@
+ }
+ 
+ 
++static apr_status_t read_chunked_trailers(http_ctx_t *ctx, ap_filter_t *f,
++                                          apr_bucket_brigade *b, int merge)
++{
++    int rv;
++    apr_bucket *e;
++    request_rec *r = f->r;
++    apr_table_t *saved_headers_in = r->headers_in;
++    int saved_status = r->status;
++
++    r->status = HTTP_OK;
++    r->headers_in = r->trailers_in;
++    apr_table_clear(r->headers_in);
++    ctx->state = BODY_NONE;
++    ap_get_mime_headers(r);
++
++    if(r->status == HTTP_OK) {
++        r->status = saved_status;
++        e = apr_bucket_eos_create(f->c->bucket_alloc);
++        APR_BRIGADE_INSERT_TAIL(b, e);
++        ctx->eos_sent = 1;
++        rv = APR_SUCCESS;
++    }
++    else {
++        const char *error_notes = apr_table_get(r->notes,
++                                                "error-notes");
++        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
++                      "Error while reading HTTP trailer: %i%s%s",
++                      r->status, error_notes ? ": " : "",
++                      error_notes ? error_notes : "");
++        rv = APR_EINVAL;
++    }
++
++    if(!merge) {
++        r->headers_in = saved_headers_in;
++    }
++    else {
++        r->headers_in = apr_table_overlay(r->pool, saved_headers_in,
++                r->trailers_in);
++    }
++
++    return rv;
++}
++
+ /* This is the HTTP_INPUT filter for HTTP requests and responses from
+  * proxied servers (mod_proxy).  It handles chunked and content-length
+  * bodies.  This can only be inserted/used after the headers
+@@ -215,6 +258,7 @@
+                             ap_input_mode_t mode, apr_read_type_e block,
+                             apr_off_t readbytes)
+ {
++    core_server_config *conf;
+     apr_bucket *e;
+     http_ctx_t *ctx = f->ctx;
+     apr_status_t rv;
+@@ -222,6 +266,9 @@
+     int http_error = HTTP_REQUEST_ENTITY_TOO_LARGE;
+     apr_bucket_brigade *bb;
+ 
++    conf = (core_server_config *)
++        ap_get_module_config(f->r->server->module_config, &core_module);
++
+     /* just get out of the way of things we don't want. */
+     if (mode != AP_MODE_READBYTES && mode != AP_MODE_GETLINE) {
+         return ap_get_brigade(f->next, b, mode, block, readbytes);
+@@ -395,13 +442,8 @@
+             }
+ 
+             if (!ctx->remaining) {
+-                /* Handle trailers by calling ap_get_mime_headers again! */
+-                ctx->state = BODY_NONE;
+-                ap_get_mime_headers(f->r);
+-                e = apr_bucket_eos_create(f->c->bucket_alloc);
+-                APR_BRIGADE_INSERT_TAIL(b, e);
+-                ctx->eos_sent = 1;
+-                return APR_SUCCESS;
++                return read_chunked_trailers(ctx, f, b,
++                        conf->merge_trailers == AP_MERGE_TRAILERS_ENABLE);
+             }
+         }
+     }
+@@ -501,13 +543,8 @@
+                 }
+

debian.tar.gz/patches/SNI_case_insensitve.diff Added

debian.tar.gz/patches/mod_ssl_SSL_CLIENT_S_DN_UID.diff Added

debian.tar.gz/patches/series Changed

Changes of Revision 2