rpms/httpd/FC-4 httpd-2.0.52-CAN-2005-1268.patch, NONE, 1.1 httpd-2.0.52-CAN-2005-2088.patch, NONE, 1.1 httpd-2.0.52-sslbuff.patch, NONE, 1.1 httpd-2.0.54-digest.patch, NONE, 1.1 httpd-2.0.54-include.patch, NONE, 1.1 .cvsignore, 1.13, 1.14 httpd.spec, 1.70, 1.71

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Tue Jul 26 09:21:42 UTC 2005


Author: jorton

Update of /cvs/dist/rpms/httpd/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv27364

Modified Files:
	.cvsignore httpd.spec 
Added Files:
	httpd-2.0.52-CAN-2005-1268.patch 
	httpd-2.0.52-CAN-2005-2088.patch httpd-2.0.52-sslbuff.patch 
	httpd-2.0.54-digest.patch httpd-2.0.54-include.patch 
Log Message:
* Tue Jul 26 2005 Joe Orton <jorton at redhat.com> 2.0.54-10.1
- add security fix for Content-Length vs Transfer-Encoding handling (#162245, CVE CAN-2005-2088)
- mod_ssl: add security fix for CRL overflow (CVE CAN-2005-1268)
- mod_ssl: fix to enable output buffering (upstream #35279)
- mod_include: fix variable corruption in nested includes (upstream #12655)
- mod_auth_digest: fix hostinfo comparison in CONNECT requests


httpd-2.0.52-CAN-2005-1268.patch:
 ssl_engine_kernel.c |    2 +-
 1 files changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE httpd-2.0.52-CAN-2005-1268.patch ---

Merge r179781 from trunk:

* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify_CRL): Fix
off-by-one.

PR: 35081
Submitted by: Marc Stern <mstern csc.com>
Reviewed by: jorton, trawick, pquerna

--- 2.0.x/modules/ssl/ssl_engine_kernel.c
+++ 2.0.x/modules/ssl/ssl_engine_kernel.c
@@ -1398,7 +1398,7 @@
             BIO_printf(bio, ", nextUpdate: ");
             ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
 
-            n = BIO_read(bio, buff, sizeof(buff));
+            n = BIO_read(bio, buff, sizeof(buff) - 1);
             buff[n] = '\0';
 
             BIO_free(bio);
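Review bot: Reserving one byte fixes the terminator write at `buff[sizeof(buff)]`, but `buff[n] = '\0'` on the next line still indexes with whatever BIO_read() returned, and BIO_read() reports failure or an empty BIO with 0 or a negative value, so a failing read would write to `buff[-1]`. Because the BIO was just filled by BIO_printf() on the visible lines such a failure looks unlikely, but the terminator should be guarded anyway: `if (n < 0) n = 0;` before the assignment, or `buff[n > 0 ? n : 0] = '\0';`. ssl_callback_SSLVerify_CRL begins and ends outside the hunk.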

httpd-2.0.52-CAN-2005-2088.patch:
 modules/proxy/proxy_http.c |    7 +++++++
 server/protocol.c          |    9 +++++++++
 2 files changed, 16 insertions(+)

--- NEW FILE httpd-2.0.52-CAN-2005-2088.patch ---
--- httpd-2.0.52/modules/proxy/proxy_http.c.can2088
+++ httpd-2.0.52/modules/proxy/proxy_http.c
@@ -390,6 +390,13 @@
     int counter, seen_eos;
     apr_status_t status;
 
+    if (apr_table_get(r->headers_in, "Transfer-Encoding")) {
+        /* Reject chunked requests. */
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "proxy_http: chunked requests not supported");
+        return HTTP_LENGTH_REQUIRED;
+    }
+
     /*
      * Send the HTTP/1.1 request to the remote server
      */
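Review bot: The new check tests only for the presence of a Transfer-Encoding header, so a request carrying `Transfer-Encoding: identity` (which RFC 2616 permits alongside a Content-Length) is also answered with 411 although it is not chunked, contrary to the comment `/* Reject chunked requests. */`. If the intent is to refuse only chunked bodies, compare the value, e.g. `const char *te = apr_table_get(r->headers_in, "Transfer-Encoding"); if (te && strcasecmp(te, "identity") != 0) {`; if the intent is to refuse every transfer-coding, which is the safer reading given the request-smuggling context of CAN-2005-2088, the comment should say so rather than "chunked". The enclosing function begins before the hunk and continues after it, so I cannot see whether the headers were already normalised earlier in it.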
--- httpd-2.0.52/server/protocol.c.can2088
+++ httpd-2.0.52/server/protocol.c
@@ -962,6 +962,15 @@
             ap_run_log_transaction(r);
             return r;
         }
+
+        if (apr_table_get(r->headers_in, "Transfer-Encoding")
+            && apr_table_get(r->headers_in, "Content-Length")) {
+            /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+             * and Content-Length are received, the latter MUST be
+             * ignored"; so unset it here to prevent any confusion
+             * later. */
+            apr_table_unset(r->headers_in, "Content-Length");
+        }
     }
 
     ap_add_input_filter_handle(ap_http_input_filter_handle,
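Review bot: The Content-Length is dropped whenever any Transfer-Encoding header is present, but RFC 2616 section 4.4 attaches the "ignore Content-Length" rule to a non-identity transfer-coding; a request with `Transfer-Encoding: identity` plus a Content-Length is legal and, after this hunk, reaches the input filter with no length at all, so its body would presumably be treated as absent unless the HTTP input filter handles identity itself (not visible here). Either restrict the unset to non-identity values, e.g. `const char *te = apr_table_get(r->headers_in, "Transfer-Encoding"); if (te && strcasecmp(te, "identity") != 0 && apr_table_get(r->headers_in, "Content-Length")) {`, or state in the comment that identity is deliberately treated like chunked. For the smuggling case, rejecting the contradictory pair with HTTP_BAD_REQUEST would be the more defensive choice, since a client that sends both is already misbehaving. The enclosing function (presumably ap_read_request) and the `if` whose body this sits in both start before the hunk.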

httpd-2.0.52-sslbuff.patch:
 ssl_engine_io.c |    2 ++
 1 files changed, 2 insertions(+)

--- NEW FILE httpd-2.0.52-sslbuff.patch ---

Fix to initialize the ->nobuffer field correctly.

http://issues.apache.org/bugzilla/show_bug.cgi?id=35279

--- httpd-2.0.52/modules/ssl/ssl_engine_io.c.sslbuff
+++ httpd-2.0.52/modules/ssl/ssl_engine_io.c
@@ -1404,6 +1405,8 @@
     filter_ctx->pbioWrite       = BIO_new(&bio_filter_out_method);
     filter_ctx->pbioWrite->ptr  = (void *)bio_filter_out_ctx_new(filter_ctx, c);
 
+    filter_ctx->nobuffer = 0;
+
     ssl_io_input_add_filter(filter_ctx, c, ssl);
 
     SSL_set_bio(ssl, filter_ctx->pbioRead, filter_ctx->pbioWrite);
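Review bot: Assigning `filter_ctx->nobuffer = 0` here covers this one field only; if filter_ctx comes from apr_palloc rather than apr_pcalloc (the allocation is outside the hunk, so I cannot confirm), every other member that is not explicitly assigned is equally uninitialised and the same class of bug returns the next time the struct grows. Switching that allocation to apr_pcalloc, or zeroing the struct once with `memset(filter_ctx, 0, sizeof(*filter_ctx));` at the top of the function, would make the fix structural. The explicit assignment also deserves a why-comment, e.g. `/* default: output buffering enabled (PR 35279) */`, so the next reader does not take it for a no-op. The enclosing function begins and ends outside the hunk.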

httpd-2.0.54-digest.patch:
 mod_auth_digest.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletion(-)

--- NEW FILE httpd-2.0.54-digest.patch ---
--- httpd-2.0.54/modules/aaa/mod_auth_digest.c.digest
+++ httpd-2.0.54/modules/aaa/mod_auth_digest.c
@@ -1504,6 +1504,8 @@
     else {
         dst->query = src->query;
     }
+
+    dst->hostinfo = src->hostinfo;
 }
 
 /* These functions return 0 if client is OK, and proper error status
@@ -1631,7 +1633,7 @@
         }
 
         if (r->method_number == M_CONNECT) {
-            if (strcmp(resp->uri, r_uri.hostinfo)) {
+            if (!r_uri.hostinfo || strcmp(resp->uri, r_uri.hostinfo)) {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
                               "Digest: uri mismatch - <%s> does not match "
                               "request-uri <%s>", resp->uri, r_uri.hostinfo);
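Review bot: The NULL guard added to the condition does not extend to the log call two lines below, which still passes `r_uri.hostinfo` to a `%s` conversion when it was the first half of the new condition that fired. As far as I recall APR's formatter substitutes "(null)" for a NULL string argument, so this is not a crash, but the message then reads as if the request-uri were literally "(null)"; passing `r_uri.hostinfo ? r_uri.hostinfo : "<no hostinfo>"` would make the mismatch diagnosable. A one-line comment on the guard, e.g. `/* hostinfo is NULL when the CONNECT target did not parse as host:port */` (presumably the case; the parse happens outside the hunk), would also explain why the first hunk's copy of the field does not guarantee it is set. The enclosing function begins and ends outside the hunk.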

httpd-2.0.54-include.patch:
 mod_include.c |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

--- NEW FILE httpd-2.0.54-include.patch ---

http://svn.apache.org/viewcvs?rev=179763&view=rev

* modules/filters/mod_include.c (handle_include): Fix possible
variable corruption with nested includes.

PR: 12655

--- httpd-2.0.54/modules/filters/mod_include.c.include
+++ httpd-2.0.54/modules/filters/mod_include.c
@@ -788,11 +788,11 @@
                     CREATE_ERROR_BUCKET(ctx, tmp_buck, head_ptr, 
                                         *inserted_head);
                 }
-
-                /* destroy the sub request */
-                if (rr != NULL) {
-                    ap_destroy_sub_req(rr);
-                }
+                
+                /* Do *not* destroy the subrequest here; it may have allocated
+                 * variables in this r->subprocess_env in the subrequest's
+                 * r->pool, so that pool must survive as long as this request.
+                 * Yes, this is a memory leak. */
             }
             else {
                 ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
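Review bot: The new comment declares the leak but not its bound, which is the fact a maintainer will want: as far as I know ap_sub_req_*() creates rr->pool as a subpool of r->pool, so the cost is one subrequest's memory per `#include` directive for the life of the request, not a cross-request leak — worth stating, e.g. `* Bounded leak: rr->pool is a subpool of r->pool and is freed with it.`. A page with many nested includes will nonetheless hold all of those pools until the response completes; if that matters, the alternative is to copy the subprocess_env entries the subrequest added into r->pool (apr_table_overlap() or apr_pstrdup() of the new values) and keep the ap_destroy_sub_req() call. handle_include starts before the hunk and continues after it.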


Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/httpd/FC-4/.cvsignore,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- .cvsignore	18 Apr 2005 08:10:30 -0000	1.13
+++ .cvsignore	26 Jul 2005 09:21:39 -0000	1.14
@@ -1 +1,2 @@
 httpd-2.0.54.tar.gz
+httpd-2.0.54


Index: httpd.spec
===================================================================
RCS file: /cvs/dist/rpms/httpd/FC-4/httpd.spec,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- httpd.spec	23 May 2005 12:10:13 -0000	1.70
+++ httpd.spec	26 Jul 2005 09:21:39 -0000	1.71
@@ -7,7 +7,7 @@
 Summary: Apache HTTP Server
 Name: httpd
 Version: 2.0.54
-Release: 10
+Release: 10.1
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
 Source1: index.html
@@ -50,6 +50,9 @@
 Patch33: httpd-2.0.54-ldapconn.patch
 Patch34: httpd-2.0.52-pipedlog1.patch
 Patch35: httpd-2.0.52-pipedlog2.patch
+Patch36: httpd-2.0.52-sslbuff.patch
+Patch37: httpd-2.0.54-include.patch
+Patch38: httpd-2.0.54-digest.patch
 # Features/functional changes
 Patch70: httpd-2.0.48-release.patch
 Patch71: httpd-2.0.40-xfsz.patch
@@ -69,6 +72,9 @@
 Patch90: httpd-2.0.49-workerstack.patch
 Patch91: httpd-2.0.46-testhook.patch
 Patch92: httpd-2.0.46-dumpcerts.patch
+# Security fixes
+Patch110: httpd-2.0.52-CAN-2005-1268.patch
+Patch111: httpd-2.0.52-CAN-2005-2088.patch
 License: Apache Software License
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-root
@@ -158,6 +164,9 @@
 %patch33 -p1 -b .ldapconn
 %patch34 -p1 -b .pipedlog1
 %patch35 -p1 -b .pipedlog2
+%patch36 -p1 -b .sslbuff
+%patch37 -p1 -b .include
+%patch38 -p1 -b .digest
 
 %patch71 -p0 -b .xfsz
 %patch72 -p1 -b .pod
@@ -177,6 +186,9 @@
 %patch91 -p1 -b .testhook
 %patch92 -p1 -b .dumpcerts
 
+%patch110 -p1 -b .can1268
+%patch111 -p1 -b .can2088
+
 # Patch in vendor/release string
 sed "s/@RELEASE@/%{vstring}/" < %{PATCH70} | patch -p1
 
@@ -546,6 +558,13 @@
 %{_libdir}/httpd/build/libtool
 
 %changelog
+* Tue Jul 26 2005 Joe Orton <jorton at redhat.com> 2.0.54-10.1
+- add security fix for C-L vs T-E handling (#162245, CVE CAN-2005-2088)
+- mod_ssl: add security fix for CRL overflow (CVE CAN-2005-1268)
+- mod_ssl: fix to enable output buffering (upstream #35279)
+- mod_include: fix variable corruption in nested includes (upstream #12655)
+- mod_auth_digest: fix hostinfo comparison in CONNECT requests
+
 * Mon May 23 2005 Joe Orton <jorton at redhat.com> 2.0.54-10
 - remove broken symlink (Robert Scheck, #158404)
 



