[Pkg-apache-commits] r979 - in /trunk/apache2: changelog patches/00list patches/072_CVE-2009-1890.dpatch
sf at alioth.debian.org
Fri Jul 10 19:59:38 UTC 2009
Author: sf
Date: Fri Jul 10 19:59:37 2009
New Revision: 979
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=979
Log:
CVE-2009-1890
Added:
trunk/apache2/patches/072_CVE-2009-1890.dpatch (with props)
Modified:
trunk/apache2/changelog
trunk/apache2/patches/00list
Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=979&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Fri Jul 10 19:59:37 2009
@@ -1,7 +1,8 @@
apache2 (2.2.11-7) UNRELEASED; urgency=low
* Security fixes:
- CVE-2009-1891: denial of service in mod_deflate
+ - CVE-2009-1890: denial of service in mod_proxy
+ - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
* Add symlinks for the debug info to the mpm packages.
* Be slightly more informative in the default index.html without pointing
to Apache or Debian (LP: #89364)
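Review bot: the added CVE-2009-1890 line has no bug reference, while the same hunk also appends "(closes: #534712)" to the CVE-2009-1891 line, which the commit log ("CVE-2009-1890") does not mention. Either mention the closes addition in the log or commit it separately, so the bug closure can be traced to a revision. The context line still reads urgency=low with two denial-of-service entries under "Security fixes"; check whether the urgency should be raised before the entry leaves UNRELEASED.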
Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=979&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Fri Jul 10 19:59:37 2009
@@ -22,6 +22,7 @@
069_backports_from_2.2.12.dpatch
070_CVE-2009-1195_mod_include_noexec.dpatch
071_CVE-2009-1891.dpatch
+072_CVE-2009-1890.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
Added: trunk/apache2/patches/072_CVE-2009-1890.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/072_CVE-2009-1890.dpatch?rev=979&op=file
==============================================================================
--- trunk/apache2/patches/072_CVE-2009-1890.dpatch (added)
+++ trunk/apache2/patches/072_CVE-2009-1890.dpatch Fri Jul 10 19:59:37 2009
@@ -1,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_proxy DoS
+## DP: http://svn.apache.org/viewvc?view=rev&revision=790587
+
+ at DPATCH@
+index bc59aad..bdfe594 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -427,10 +427,16 @@ static int stream_reqbody_cl(apr_pool_t *p,
+ apr_off_t bytes_streamed = 0;
+
+ if (old_cl_val) {
++ char *endstr;
++
+ add_cl(p, bucket_alloc, header_brigade, old_cl_val);
+- if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
+- 0))) {
+- return HTTP_INTERNAL_SERVER_ERROR;
++ status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
++
++ if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
++ "proxy: could not parse request Content-Length (%s)",
++ old_cl_val);
++ return HTTP_BAD_REQUEST;
+ }
+ }
+ terminate_headers(bucket_alloc, header_brigade);
+@@ -463,8 +469,13 @@ static int stream_reqbody_cl(apr_pool_t *p,
+ *
+ * Prevents HTTP Response Splitting.
+ */
+- if (bytes_streamed > cl_val)
+- continue;
++ if (bytes_streamed > cl_val) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "proxy: read more bytes of request body than expected "
++ "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
++ bytes_streamed, cl_val);
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
+
+ if (header_brigade) {
+ /* we never sent the header brigade, so go ahead and
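Review bot: in the second embedded hunk, the `bytes_streamed > cl_val` branch now returns HTTP_INTERNAL_SERVER_ERROR and logs at APLOG_ERR, whereas the first embedded hunk answers a bad Content-Length with HTTP_BAD_REQUEST. If a client can reach this branch simply by sending more body bytes than it declared, HTTP_BAD_REQUEST would be the consistent status; if not, add a short comment saying why this is a server-side error. The retained comment "Prevents HTTP Response Splitting" was written for the old `continue` and should be updated to say the request is now aborted. In the first embedded hunk, `add_cl(p, bucket_alloc, header_brigade, old_cl_val)` still runs before the new `apr_strtoff` check, so the unvalidated value is placed in header_brigade before it is rejected. That is harmless given the early return, but moving the check above add_cl would make the ordering obvious. The dpatch header would also benefit from naming the CVE in the "## DP:" description rather than only "mod_proxy DoS".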
Propchange: trunk/apache2/patches/072_CVE-2009-1890.dpatch
------------------------------------------------------------------------------
svn:executable = *