[packages/apache/APACHE_2_2] up to 2.2.34 (released 2017-07-11)

glen glen at pld-linux.org
Tue Aug 22 10:41:53 CEST 2017


commit ed6c45aef7132faacbc4dbebc7a29524fc0cbcbf
Author: Elan Ruusamäe <glen at pld-linux.org>
Date:   Tue Aug 22 11:35:05 2017 +0300

    up to 2.2.34 (released 2017-07-11)
    
    https://www.apache.org/dist/httpd/Announcement2.2.html
    
    Take note that Apache Web Server Project will provide no future release
    of the 2.2.x series, although some security patches may be published
    through December of 2017. These will be collected at the URL;
    
    http://www.apache.org/dist/httpd/patches/apply_to_2.2.34/

 CVE-2017-3167.patch | 163 ----------------------------------------------------
 CVE-2017-3169.patch |  76 ------------------------
 CVE-2017-7668.patch |  30 ----------
 CVE-2017-7679.patch |  25 --------
 apache.spec         |  17 ++----
 5 files changed, 4 insertions(+), 307 deletions(-)
---
diff --git a/apache.spec b/apache.spec
index 5608b6a..3bf4f74 100644
--- a/apache.spec
+++ b/apache.spec
@@ -43,12 +43,12 @@ Summary(pt_BR.UTF-8):	Servidor HTTPD para prover serviços WWW
 Summary(ru.UTF-8):	Самый популярный веб-сервер
 Summary(tr.UTF-8):	Lider WWW tarayıcı
 Name:		apache
-Version:	2.2.32
-Release:	2
+Version:	2.2.34
+Release:	1
 License:	Apache v2.0
 Group:		Networking/Daemons/HTTP
-Source0:	http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
-# Source0-md5:	8141657cf0c58f14de2a5ce9426df2bc
+Source0:	https://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
+# Source0-md5:	fc33e64a9d4bca2f7ef7023189cb5ee6
 Source1:	%{name}.init
 Source2:	%{name}.logrotate
 Source3:	%{name}.sysconfig
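Review bot: The only integrity pin on the new tarball is the MD5 digest on the `# Source0-md5:` line, and MD5 is no longer collision-resistant, so it guards against a corrupted download more than against a substituted one. Moving `Source0` to https protects the fetch in transit but does not cover the distribution server itself or a cached copy. Since the commit message describes 2.2.34 as the last 2.2.x release, it would be worth checking the tarball once against upstream's PGP signature and recording that next to the digest, for example `# verified against upstream httpd-%{version}.tar.gz.asc`. Whether the tooling that consumes the md5 comment accepts a stronger digest is not visible from this hunk.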
@@ -110,11 +110,6 @@ Patch28:	%{name}-mpm-itk.patch
 Patch29:	libtool-tag.patch
 Patch30:	%{name}-bug-39653.patch
 Patch31:	httpd-dummy-connection-result.patch
-# https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/
-Patch32:	CVE-2017-3167.patch
-Patch33:	CVE-2017-3169.patch
-Patch34:	CVE-2017-7668.patch
-Patch35:	CVE-2017-7679.patch
 URL:		http://httpd.apache.org/
 BuildRequires:	apr-devel >= %{apr_ver}
 BuildRequires:	apr-util-devel >= 1:1.3.10-2
@@ -1813,10 +1808,6 @@ Dwa programy testowe/przykładowe cgi: test-cgi and print-env.
 %patch29 -p1
 %patch30 -p1
 %patch31 -p1
-%patch32 -p0
-%patch33 -p0
-%patch34 -p0
-%patch35 -p0
 
 # using system apr, apr-util and pcre
 %{__rm} -r srclib/{apr,apr-util,pcre}
diff --git a/CVE-2017-3167.patch b/CVE-2017-3167.patch
deleted file mode 100644
index b6d139d..0000000
--- a/CVE-2017-3167.patch
+++ /dev/null
@@ -1,163 +0,0 @@
-
-    Merge https://svn.apache.org/r1796348 from trunk:
-    
-      *) SECURITY: CVE-2017-3167 (cve.mitre.org)
-         Use of the ap_get_basic_auth_pw() by third-party modules outside of the
-         authentication phase may lead to authentication requirements being
-         bypassed.
-         [Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
-    
-    
-    Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
-    Reviewed By: covener, ylavic, wrowe
-
-diff --git include/ap_mmn.h include/ap_mmn.h
-index ce330a5..fcbce6f 100644
---- include/ap_mmn.h
-+++ include/ap_mmn.h
-@@ -167,6 +167,8 @@
-  *                      and ap_scan_vchar_obstext()
-  *                      Replaced fold boolean with with multiple bit flags
-  *                      to ap_[r]getline()
-+ * 20051115.43 (2.2.33)  Add ap_get_basic_auth_components() and deprecate
-+ *                       ap_get_basic_auth_pw()
-  */
- 
- #define MODULE_MAGIC_COOKIE 0x41503232UL /* "AP22" */
-@@ -174,7 +176,7 @@
- #ifndef MODULE_MAGIC_NUMBER_MAJOR
- #define MODULE_MAGIC_NUMBER_MAJOR 20051115
- #endif
--#define MODULE_MAGIC_NUMBER_MINOR 42                    /* 0...n */
-+#define MODULE_MAGIC_NUMBER_MINOR 43                    /* 0...n */
- 
- /**
-  * Determine if the server's current MODULE_MAGIC_NUMBER is at least a
-diff --git include/http_protocol.h include/http_protocol.h
-index 1fed3b5..3fed9b2 100644
---- include/http_protocol.h
-+++ include/http_protocol.h
-@@ -486,7 +486,11 @@ AP_DECLARE(void) ap_note_basic_auth_failure(request_rec *r);
- AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
- 
- /**
-- * Get the password from the request headers
-+ * Get the password from the request headers. This function has multiple side
-+ * effects due to its prior use in the old authentication framework.
-+ * ap_get_basic_auth_components() should be preferred.
-+ *
-+ * @deprecated @see ap_get_basic_auth_components
-  * @param r The current request
-  * @param pw The password as set in the headers
-  * @return 0 (OK) if it set the 'pw' argument (and assured
-@@ -499,6 +503,25 @@ AP_DECLARE(void) ap_note_digest_auth_failure(request_rec *r);
-  */
- AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw);
- 
-+#define AP_GET_BASIC_AUTH_PW_NOTE "AP_GET_BASIC_AUTH_PW_NOTE"
-+
-+/**
-+ * Get the username and/or password from the request's Basic authentication
-+ * headers. Unlike ap_get_basic_auth_pw(), calling this function has no side
-+ * effects on the passed request_rec.
-+ *
-+ * @param r The current request
-+ * @param username If not NULL, set to the username sent by the client
-+ * @param password If not NULL, set to the password sent by the client
-+ * @return APR_SUCCESS if the credentials were successfully parsed and returned;
-+ *         APR_EINVAL if there was no authentication header sent or if the
-+ *         client was not using the Basic authentication scheme. username and
-+ *         password are unchanged on failure.
-+ */
-+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
-+                                                      const char **username,
-+                                                      const char **password);
-+
- /**
-  * parse_uri: break apart the uri
-  * @warning Side Effects: 
-diff --git server/protocol.c server/protocol.c
-index bd75766..2705bba 100644
---- server/protocol.c
-+++ server/protocol.c
-@@ -1594,6 +1594,7 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
- 
-     t = ap_pbase64decode(r->pool, auth_line);
-     r->user = ap_getword_nulls (r->pool, &t, ':');
-+    apr_table_setn(r->notes, AP_GET_BASIC_AUTH_PW_NOTE, "1");
-     r->ap_auth_type = "Basic";
- 
-     *pw = t;
-@@ -1601,6 +1602,53 @@ AP_DECLARE(int) ap_get_basic_auth_pw(request_rec *r, const char **pw)
-     return OK;
- }
- 
-+AP_DECLARE(apr_status_t) ap_get_basic_auth_components(const request_rec *r,
-+                                                      const char **username,
-+                                                      const char **password)
-+{
-+    const char *auth_header;
-+    const char *credentials;
-+    const char *decoded;
-+    const char *user;
-+
-+    auth_header = (PROXYREQ_PROXY == r->proxyreq) ? "Proxy-Authorization"
-+                                                  : "Authorization";
-+    credentials = apr_table_get(r->headers_in, auth_header);
-+
-+    if (!credentials) {
-+        /* No auth header. */
-+        return APR_EINVAL;
-+    }
-+
-+    if (strcasecmp(ap_getword(r->pool, &credentials, ' '), "Basic")) {
-+        /* These aren't Basic credentials. */
-+        return APR_EINVAL;
-+    }
-+
-+    while (*credentials == ' ' || *credentials == '\t') {
-+        credentials++;
-+    }
-+
-+    /* XXX Our base64 decoding functions don't actually error out if the string
-+     * we give it isn't base64; they'll just silently stop and hand us whatever
-+     * they've parsed up to that point.
-+     *
-+     * Since this function is supposed to be a drop-in replacement for the
-+     * deprecated ap_get_basic_auth_pw(), don't fix this for 2.4.x.
-+     */
-+    decoded = ap_pbase64decode(r->pool, credentials);
-+    user = ap_getword_nulls(r->pool, &decoded, ':');
-+
-+    if (username) {
-+        *username = user;
-+    }
-+    if (password) {
-+        *password = decoded;
-+    }
-+
-+    return APR_SUCCESS;
-+}
-+
- struct content_length_ctx {
-     int data_sent;  /* true if the C-L filter has already sent at
-                      * least one bucket on to the next output filter
-diff --git server/request.c server/request.c
-index 7005ca9..f81bbe0 100644
---- server/request.c
-+++ server/request.c
-@@ -179,6 +179,14 @@ AP_DECLARE(int) ap_process_request_internal(request_rec *r)
-         r->ap_auth_type = r->prev->ap_auth_type;
-     }
-     else {
-+        /* A module using a confusing API (ap_get_basic_auth_pw) caused
-+        ** r->user to be filled out prior to check_authn hook. We treat
-+        ** it is inadvertent.
-+        */
-+        if (r->user && apr_table_get(r->notes, AP_GET_BASIC_AUTH_PW_NOTE)) { 
-+            r->user = NULL;
-+        }
-+
-         switch (ap_satisfies(r)) {
-         case SATISFY_ALL:
-         case SATISFY_NOSPEC:
diff --git a/CVE-2017-3169.patch b/CVE-2017-3169.patch
deleted file mode 100644
index c423b4c..0000000
--- a/CVE-2017-3169.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-
-    Merge https://svn.apache.org/r1796343  from trunk:
-    
-      *) SECURITY: CVE-2017-3169 (cve.mitre.org)
-         mod_ssl may dereference a NULL pointer when third-party modules call
-         ap_hook_process_connection() during an HTTP request to an HTTPS port.
-         [Yann Ylavic]
-    
-    
-    Submitted By: ylavic
-    Reviewed By: covener, ylavic, wrowe
-
-diff --git modules/ssl/ssl_engine_io.c modules/ssl/ssl_engine_io.c
-index d6016d3..c633be1 100644
---- modules/ssl/ssl_engine_io.c
-+++ modules/ssl/ssl_engine_io.c
-@@ -865,19 +865,20 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
-                                sizeof(HTTP_ON_HTTPS_PORT) - 1, \
-                                alloc)
- 
--static void ssl_io_filter_disable(SSLConnRec *sslconn, ap_filter_t *f)
-+static void ssl_io_filter_disable(SSLConnRec *sslconn,
-+                                  bio_filter_in_ctx_t *inctx)
- {
--    bio_filter_in_ctx_t *inctx = f->ctx;
-     SSL_free(inctx->ssl);
-     sslconn->ssl = NULL;
-     inctx->ssl = NULL;
-     inctx->filter_ctx->pssl = NULL;
- }
- 
--static apr_status_t ssl_io_filter_error(ap_filter_t *f,
-+static apr_status_t ssl_io_filter_error(bio_filter_in_ctx_t *inctx,
-                                         apr_bucket_brigade *bb,
-                                         apr_status_t status)
- {
-+    ap_filter_t *f = inctx->f;
-     SSLConnRec *sslconn = myConnConfig(f->c);
-     apr_bucket *bucket;
-     int send_eos = 1;
-@@ -891,7 +892,7 @@ static apr_status_t ssl_io_filter_error(ap_filter_t *f,
-             ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, sslconn->server);
- 
-             sslconn->non_ssl_request = NON_SSL_SEND_HDR_SEP;
--            ssl_io_filter_disable(sslconn, f);
-+            ssl_io_filter_disable(sslconn, inctx);
- 
-             /* fake the request line */
-             bucket = HTTP_ON_HTTPS_PORT_BUCKET(f->c->bucket_alloc);
-@@ -1407,7 +1408,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
-      * rather than have SSLEngine On configured.
-      */
-     if ((status = ssl_io_filter_connect(inctx->filter_ctx)) != APR_SUCCESS) {
--        return ssl_io_filter_error(f, bb, status);
-+        return ssl_io_filter_error(inctx, bb, status);
-     }
- 
-     if (is_init) {
-@@ -1443,7 +1444,7 @@ static apr_status_t ssl_io_filter_input(ap_filter_t *f,
- 
-     /* Handle custom errors. */
-     if (status != APR_SUCCESS) {
--        return ssl_io_filter_error(f, bb, status);
-+        return ssl_io_filter_error(inctx, bb, status);
-     }
- 
-     /* Create a transient bucket out of the decrypted data. */
-@@ -1486,7 +1487,7 @@ static apr_status_t ssl_io_filter_output(ap_filter_t *f,
-     inctx->block = APR_BLOCK_READ;
- 
-     if ((status = ssl_io_filter_connect(filter_ctx)) != APR_SUCCESS) {
--        return ssl_io_filter_error(f, bb, status);
-+        return ssl_io_filter_error(inctx, bb, status);
-     }
- 
-     while (!APR_BRIGADE_EMPTY(bb)) {
diff --git a/CVE-2017-7668.patch b/CVE-2017-7668.patch
deleted file mode 100644
index 4470475..0000000
--- a/CVE-2017-7668.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-
-    Merge r1796350 from trunk:
-
-      *) SECURITY: CVE-2017-7668 (cve.mitre.org)
-         The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
-         bug in token list parsing, which allows ap_find_token() to search past
-         the end of its input string. By maliciously crafting a sequence of
-         request headers, an attacker may be able to cause a segmentation fault,
-         or to force ap_find_token() to return an incorrect value.
-    
-    Submitted By: jchampion
-    Reviewed By: jchampion, wrowe, ylavic
-    
-diff --git server/util.c server/util.c
-index 054cc17..9a805b6 100644
---- server/util.c
-+++ server/util.c
-@@ -1513,10 +1513,8 @@ AP_DECLARE(int) ap_find_token(apr_pool_t *p, const char *line, const char *tok)
- 
-     s = (const unsigned char *)line;
-     for (;;) {
--        /* find start of token, skip all stop characters, note NUL
--         * isn't a token stop, so we don't need to test for it
--         */
--        while (TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
-+        /* find start of token, skip all stop characters */
-+        while (*s && TEST_CHAR(*s, T_HTTP_TOKEN_STOP)) {
-             ++s;
-         }
-         if (!*s) {
diff --git a/CVE-2017-7679.patch b/CVE-2017-7679.patch
deleted file mode 100644
index adcd541..0000000
--- a/CVE-2017-7679.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-
-    Merge r1797550 from trunk:
-
-      *) SECURITY: CVE-2017-7679 (cve.mitre.org)
-         mod_mime can read one byte past the end of a buffer when sending a
-         malicious Content-Type response header.  [Yann Ylavic]
-    
-    Submitted By: ylavic
-    
-diff --git modules/http/mod_mime.c modules/http/mod_mime.c
-index eed6ebd..f3c643c 100644
---- modules/http/mod_mime.c
-+++ modules/http/mod_mime.c
-@@ -528,9 +528,9 @@ static int is_quoted_pair(const char *s)
-     int res = -1;
-     int c;
- 
--    if (((s + 1) != NULL) && (*s == '\\')) {
-+    if (*s == '\\') {
-         c = (int) *(s + 1);
--        if (apr_isascii(c)) {
-+        if (c && apr_isascii(c)) {
-             res = 1;
-         }
-     }
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/apache.git/commitdiff/ed6c45aef7132faacbc4dbebc7a29524fc0cbcbf


