[packages/apache] - rel 2; fixes CVE-2016-5387

arekm arekm at pld-linux.org
Tue Jul 19 13:28:45 CEST 2016 

commit 4b310d240402f42d8115efa73bc10a295844f53d
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date:   Tue Jul 19 13:28:40 2016 +0200

    - rel 2; fixes CVE-2016-5387

 apache-CVE-2016-5387.patch | 19 +++++++++++++++++++
 apache.spec                |  4 +++-
 2 files changed, 22 insertions(+), 1 deletion(-)
---
diff --git a/apache.spec b/apache.spec
index c4e2b97..f4e8f1d 100644
--- a/apache.spec
+++ b/apache.spec
@@ -35,7 +35,7 @@ Summary(ru.UTF-8):	Самый популярный веб-сервер
 Summary(tr.UTF-8):	Lider WWW tarayıcı
 Name:		apache
 Version:	2.4.23
-Release:	1
+Release:	2
 License:	Apache v2.0
 Group:		Networking/Daemons/HTTP
 Source0:	http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
@@ -77,6 +77,7 @@ Patch1:		%{name}-layout.patch
 Patch2:		%{name}-suexec.patch
 Patch3:		%{name}-branding.patch
 Patch4:		%{name}-apr.patch
+Patch5:		apache-CVE-2016-5387.patch
 
 Patch7:		%{name}-syslibs.patch
 
@@ -2641,6 +2642,7 @@ Dwa programy testowe/przykładowe cgi: test-cgi and print-env.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 
 %patch7 -p1
 
diff --git a/apache-CVE-2016-5387.patch b/apache-CVE-2016-5387.patch
new file mode 100644
index 0000000..b8e9c14
--- /dev/null
+++ b/apache-CVE-2016-5387.patch
@@ -0,0 +1,19 @@
+diff --git a/server/util_script.c b/server/util_script.c
+index 5e071a2..443dfb6 100644
+--- a/server/util_script.c
++++ b/server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r)
+         else if (!ap_cstr_casecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!ap_cstr_casecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/apache.git/commitdiff/4b310d240402f42d8115efa73bc10a295844f53d

More information about the pld-cvs-commit mailing list