rpms/httpd/FC-4 httpd-2.0.52-CAN-2005-1268.patch, NONE, 1.1 httpd-2.0.52-CAN-2005-2088.patch, NONE, 1.1 httpd-2.0.52-sslbuff.patch, NONE, 1.1 httpd-2.0.54-digest.patch, NONE, 1.1 httpd-2.0.54-include.patch, NONE, 1.1 .cvsignore, 1.13, 1.14 httpd.spec, 1.70, 1.71
- From: fedora-cvs-commits redhat com
- To: fedora-cvs-commits redhat com
- Subject: rpms/httpd/FC-4 httpd-2.0.52-CAN-2005-1268.patch, NONE, 1.1 httpd-2.0.52-CAN-2005-2088.patch, NONE, 1.1 httpd-2.0.52-sslbuff.patch, NONE, 1.1 httpd-2.0.54-digest.patch, NONE, 1.1 httpd-2.0.54-include.patch, NONE, 1.1 .cvsignore, 1.13, 1.14 httpd.spec, 1.70, 1.71
- Date: Tue, 26 Jul 2005 05:21:42 -0400
Author: jorton
Update of /cvs/dist/rpms/httpd/FC-4
In directory cvs.devel.redhat.com:/tmp/cvs-serv27364
Modified Files:
.cvsignore httpd.spec
Added Files:
httpd-2.0.52-CAN-2005-1268.patch
httpd-2.0.52-CAN-2005-2088.patch httpd-2.0.52-sslbuff.patch
httpd-2.0.54-digest.patch httpd-2.0.54-include.patch
Log Message:
* Tue Jul 26 2005 Joe Orton <jorton redhat com> 2.0.54-10.1
- add security fix for C-L vs T-E handling (#162245, CVE CAN-2005-2088)
- mod_ssl: add security fix for CRL overflow (CVE CAN-2005-1268)
- mod_ssl: fix to enable output buffering (upstream #35279)
- mod_include: fix variable corruption in nested includes (upstream #12655)
- mod_auth_digest: fix hostinfo comparison in CONNECT requests
httpd-2.0.52-CAN-2005-1268.patch:
ssl_engine_kernel.c | 2 +-
1 files changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE httpd-2.0.52-CAN-2005-1268.patch ---
Merge r179781 from trunk:
* modules/ssl/ssl_engine_kernel.c (ssl_callback_SSLVerify_CRL): Fix
off-by-one.
PR: 35081
Submitted by: Marc Stern <mstern csc.com>
Reviewed by: jorton, trawick, pquerna
--- 2.0.x/modules/ssl/ssl_engine_kernel.c
+++ 2.0.x/modules/ssl/ssl_engine_kernel.c
@@ -1398,7 +1398,7 @@
BIO_printf(bio, ", nextUpdate: ");
ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
- n = BIO_read(bio, buff, sizeof(buff));
+ n = BIO_read(bio, buff, sizeof(buff) - 1);
buff[n] = '\0';
BIO_free(bio);
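Review bot: The lower bound of `n` is still unchecked before `buff[n] = '\0';`, because the added `- 1` only closes the upper-bound case. BIO_read() can return zero or a negative value when no data is available or the read fails, and a negative `n` would place the terminator before the start of `buff`. A guard such as `if (n < 0) n = 0;` ahead of the terminator would cover both ends. The declaration of `buff` and the rest of ssl_callback_SSLVerify_CRL lie outside the hunk, so whether an empty or failed read is reachable here cannot be confirmed from this view.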
httpd-2.0.52-CAN-2005-2088.patch:
modules/proxy/proxy_http.c | 7 +++++++
server/protocol.c | 9 +++++++++
2 files changed, 16 insertions(+)
--- NEW FILE httpd-2.0.52-CAN-2005-2088.patch ---
--- httpd-2.0.52/modules/proxy/proxy_http.c.can2088
+++ httpd-2.0.52/modules/proxy/proxy_http.c
@@ -390,6 +390,13 @@
int counter, seen_eos;
apr_status_t status;
+ if (apr_table_get(r->headers_in, "Transfer-Encoding")) {
+ /* Reject chunked requests. */
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "proxy_http: chunked requests not supported");
+ return HTTP_LENGTH_REQUIRED;
+ }
+
/*
* Send the HTTP/1.1 request to the remote server
*/
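Review bot: The comment `/* Reject chunked requests. */` and the log text describe a narrower condition than the one tested, since `apr_table_get(r->headers_in, "Transfer-Encoding")` rejects a request carrying that header with any value. The comment should also say why the request is refused, for example `/* Reject any request with a Transfer-Encoding header: request bodies are not forwarded chunked, and passing the header on could let the backend frame the body differently (CAN-2005-2088). */`. The message is logged at `APLOG_ERR` for a condition a client can trigger at will, so it is worth confirming this cannot be used to flood the error log. The enclosing function starts and ends outside the hunk.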
--- httpd-2.0.52/server/protocol.c.can2088
+++ httpd-2.0.52/server/protocol.c
@@ -962,6 +962,15 @@
ap_run_log_transaction(r);
return r;
}
+
+ if (apr_table_get(r->headers_in, "Transfer-Encoding")
+ && apr_table_get(r->headers_in, "Content-Length")) {
+ /* 2616 section 4.4, point 3: "if both Transfer-Encoding
+ * and Content-Length are received, the latter MUST be
+ * ignored"; so unset it here to prevent any confusion
+ * later. */
+ apr_table_unset(r->headers_in, "Content-Length");
+ }
}
ap_add_input_filter_handle(ap_http_input_filter_handle,
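Review bot: The new test keys on the presence of `Transfer-Encoding`, not on its value, so `Content-Length` is also dropped when the transfer coding is something other than `chunked`. Whether the body is then framed safely depends on how the HTTP input filter treats unrecognised codings, which is outside this hunk and should be confirmed; a request whose body length is left undetermined is exactly the ambiguity this fix is meant to remove. The header is also removed silently, although a request carrying both headers is a useful detection signal; a line such as `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "both Transfer-Encoding and Content-Length received; ignoring Content-Length");` inside the new block would record it. The enclosing function starts and ends outside the hunk.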
httpd-2.0.52-sslbuff.patch:
ssl_engine_io.c | 2 ++
1 files changed, 2 insertions(+)
--- NEW FILE httpd-2.0.52-sslbuff.patch ---
Fix to initialize the ->nobuffer field correctly.
http://issues.apache.org/bugzilla/show_bug.cgi?id=35279
--- httpd-2.0.52/modules/ssl/ssl_engine_io.c.sslbuff
+++ httpd-2.0.52/modules/ssl/ssl_engine_io.c
@@ -1404,6 +1405,8 @@
filter_ctx->pbioWrite = BIO_new(&bio_filter_out_method);
filter_ctx->pbioWrite->ptr = (void *)bio_filter_out_ctx_new(filter_ctx, c);
+ filter_ctx->nobuffer = 0;
+
ssl_io_input_add_filter(filter_ctx, c, ssl);
SSL_set_bio(ssl, filter_ctx->pbioRead, filter_ctx->pbioWrite);
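Review bot: Setting `filter_ctx->nobuffer = 0;` by hand implies that `filter_ctx` is allocated without being zeroed, presumably above the hunk, so any other field not assigned here may also start with an indeterminate value. If that is so, allocating the structure zero-filled (`apr_pcalloc` rather than `apr_palloc`) would fix this field and prevent the same class of bug for fields added later. If the single assignment is kept, a short comment such as `/* not zero-allocated: every field must be set explicitly */` would explain it. The allocation is not visible in this hunk, so this needs checking against the full function.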
httpd-2.0.54-digest.patch:
mod_auth_digest.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletion(-)
--- NEW FILE httpd-2.0.54-digest.patch ---
--- httpd-2.0.54/modules/aaa/mod_auth_digest.c.digest
+++ httpd-2.0.54/modules/aaa/mod_auth_digest.c
@@ -1504,6 +1504,8 @@
else {
dst->query = src->query;
}
+
+ dst->hostinfo = src->hostinfo;
}
/* These functions return 0 if client is OK, and proper error status
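Review bot: `dst->hostinfo = src->hostinfo;` copies the pointer as-is, so `hostinfo` can still be NULL after this change when the parsed request URI has no authority part. The second hunk of this patch guards `strcmp` against that, but the mismatch branch then passes the same `r_uri.hostinfo` to `%s` in the `ap_log_rerror` call. APR's formatter is expected to print a placeholder for a null string, so this should not crash, but the log line gives no indication that hostinfo was missing. Passing `r_uri.hostinfo ? r_uri.hostinfo : "(none)"` there would make the rejected CONNECT request easier to read in the error log. Both enclosing functions extend beyond their hunks.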
@@ -1631,7 +1633,7 @@
}
if (r->method_number == M_CONNECT) {
- if (strcmp(resp->uri, r_uri.hostinfo)) {
+ if (!r_uri.hostinfo || strcmp(resp->uri, r_uri.hostinfo)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Digest: uri mismatch - <%s> does not match "
"request-uri <%s>", resp->uri, r_uri.hostinfo);
httpd-2.0.54-include.patch:
mod_include.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
--- NEW FILE httpd-2.0.54-include.patch ---
http://svn.apache.org/viewcvs?rev=179763&view=rev
* modules/filters/mod_include.c (handle_include): Fix possible
variable corruption with nested includes.
PR: 12655
--- httpd-2.0.54/modules/filters/mod_include.c.include
+++ httpd-2.0.54/modules/filters/mod_include.c
@@ -788,11 +788,11 @@
CREATE_ERROR_BUCKET(ctx, tmp_buck, head_ptr,
*inserted_head);
}
-
- /* destroy the sub request */
- if (rr != NULL) {
- ap_destroy_sub_req(rr);
- }
+
+ /* Do *not* destroy the subrequest here; it may have allocated
+ * variables in this r->subprocess_env in the subrequest's
+ * r->pool, so that pool must survive as long as this request.
+ * Yes, this is a memory leak. */
}
else {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
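Review bot: The new comment admits "this is a memory leak" but does not say how far the leak extends, which is what an operator needs to know. If the subrequest pool is a child of the including request's pool (not visible in this hunk, to be confirmed), the memory is reclaimed when that request finishes. The cost is then memory held per include directive for the lifetime of the request, so documents with very many or deeply nested includes raise per-request memory use. The comment should state this, for example by adding `The subrequest pool is freed with the parent request, so growth is bounded by the number of includes processed in one request.` The enclosing handle_include body continues outside the hunk.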
Index: .cvsignore
===================================================================
RCS file: /cvs/dist/rpms/httpd/FC-4/.cvsignore,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- .cvsignore 18 Apr 2005 08:10:30 -0000 1.13
+++ .cvsignore 26 Jul 2005 09:21:39 -0000 1.14
@@ -1 +1,2 @@
httpd-2.0.54.tar.gz
+httpd-2.0.54
Index: httpd.spec
===================================================================
RCS file: /cvs/dist/rpms/httpd/FC-4/httpd.spec,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- httpd.spec 23 May 2005 12:10:13 -0000 1.70
+++ httpd.spec 26 Jul 2005 09:21:39 -0000 1.71
@@ -7,7 +7,7 @@
Summary: Apache HTTP Server
Name: httpd
Version: 2.0.54
-Release: 10
+Release: 10.1
URL: http://httpd.apache.org/
Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
Source1: index.html
@@ -50,6 +50,9 @@
Patch33: httpd-2.0.54-ldapconn.patch
Patch34: httpd-2.0.52-pipedlog1.patch
Patch35: httpd-2.0.52-pipedlog2.patch
+Patch36: httpd-2.0.52-sslbuff.patch
+Patch37: httpd-2.0.54-include.patch
+Patch38: httpd-2.0.54-digest.patch
# Features/functional changes
Patch70: httpd-2.0.48-release.patch
Patch71: httpd-2.0.40-xfsz.patch
@@ -69,6 +72,9 @@
Patch90: httpd-2.0.49-workerstack.patch
Patch91: httpd-2.0.46-testhook.patch
Patch92: httpd-2.0.46-dumpcerts.patch
+# Security fixes
+Patch110: httpd-2.0.52-CAN-2005-1268.patch
+Patch111: httpd-2.0.52-CAN-2005-2088.patch
License: Apache Software License
Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-root
@@ -158,6 +164,9 @@
%patch33 -p1 -b .ldapconn
%patch34 -p1 -b .pipedlog1
%patch35 -p1 -b .pipedlog2
+%patch36 -p1 -b .sslbuff
+%patch37 -p1 -b .include
+%patch38 -p1 -b .digest
%patch71 -p0 -b .xfsz
%patch72 -p1 -b .pod
@@ -177,6 +186,9 @@
%patch91 -p1 -b .testhook
%patch92 -p1 -b .dumpcerts
+%patch110 -p1 -b .can1268
+%patch111 -p1 -b .can2088
+
# Patch in vendor/release string
sed "s/@RELEASE@/%{vstring}/" < %{PATCH70} | patch -p1
@@ -546,6 +558,13 @@
%{_libdir}/httpd/build/libtool
%changelog
+* Tue Jul 26 2005 Joe Orton <jorton redhat com> 2.0.54-10.1
+- add security fix for C-L vs T-E handling (#162245, CVE CAN-2005-2088)
+- mod_ssl: add security fix for CRL overflow (CVE CAN-2005-1268)
+- mod_ssl: fix to enable output buffering (upstream #35279)
+- mod_include: fix variable corruption in nested includes (upstream #12655)
+- mod_auth_digest: fix hostinfo comparison in CONNECT requests
+
* Mon May 23 2005 Joe Orton <jorton redhat com> 2.0.54-10
- remove broken symlink (Robert Scheck, #158404)