[Pkg-apache-commits] r1013 - in /branches/lenny-apache2: changelog patches/00list patches/070_CVE-2009-1195_mod_include_noexec.dpatch patches/071_CVE-2009-1891.dpatch patches/072_CVE-2009-1890.dpatch patches/073_no_deflate_for_HEAD.dpatch
sf at alioth.debian.org
sf at alioth.debian.org
Thu Jul 30 19:03:51 UTC 2009
Author: sf
Date: Thu Jul 30 19:03:51 2009
New Revision: 1013
URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1013
Log:
add security releases
Added:
branches/lenny-apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch
branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch
branches/lenny-apache2/patches/072_CVE-2009-1890.dpatch
branches/lenny-apache2/patches/073_no_deflate_for_HEAD.dpatch
Modified:
branches/lenny-apache2/changelog
branches/lenny-apache2/patches/00list
Modified: branches/lenny-apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/changelog?rev=1013&op=diff
==============================================================================
--- branches/lenny-apache2/changelog (original)
+++ branches/lenny-apache2/changelog Thu Jul 30 19:03:51 2009
@@ -1,4 +1,4 @@
-apache2 (2.2.9-10+lenny3) UNRELEASED; urgency=low
+apache2 (2.2.9-10+lenny5) UNRELEASED; urgency=low
* Take care to not override existing index.shtml files when upgrading from
before 2.2.8-1 (closes: #517089).
@@ -11,6 +11,24 @@
* Remove other_vhosts_access.log on package purge.
-- Stefan Fritsch <sf at debian.org> Mon, 02 Mar 2009 22:16:34 +0100
+
+apache2 (2.2.9-10+lenny4) stable-security; urgency=high
+
+ * Security fixes:
+ - CVE-2009-1890: denial of service in mod_proxy (closes: #536718)
+ - CVE-2009-1891: denial of service in mod_deflate (closes: #534712)
+ Also prevent compressing the content for HEAD requests.
+
+ -- Stefan Fritsch <sf at debian.org> Tue, 14 Jul 2009 21:53:01 +0200
+
+apache2 (2.2.9-10+lenny3) stable-security; urgency=high
+
+ * Security: CVE-2009-1195: In configurations using the AllowOverride
+ directive with certain Options= arguments, local users were not restricted
+ from executing commands from a Server-Side-Include script as intended
+ (closes: #530834).
+
+ -- Stefan Fritsch <sf at debian.org> Sat, 30 May 2009 14:54:22 +0200
apache2 (2.2.9-10+lenny2) testing-proposed-updates; urgency=low
Modified: branches/lenny-apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/00list?rev=1013&op=diff
==============================================================================
--- branches/lenny-apache2/patches/00list (original)
+++ branches/lenny-apache2/patches/00list Thu Jul 30 19:03:51 2009
@@ -28,6 +28,10 @@
067_check_pollset_create_error.dpatch
068_fix_deflate_etag_PR45023.dpatch
069_fix_mod_rewrite_B_PR45529.dpatch
+070_CVE-2009-1195_mod_include_noexec.dpatch
+071_CVE-2009-1891.dpatch
+072_CVE-2009-1890.dpatch
+073_no_deflate_for_HEAD.dpatch
099_config_guess_sub_update
200_cp_suexec.dpatch
201_build_suexec-custom.dpatch
Added: branches/lenny-apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch?rev=1013&op=file
==============================================================================
--- branches/lenny-apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch (added)
+++ branches/lenny-apache2/patches/070_CVE-2009-1195_mod_include_noexec.dpatch Thu Jul 30 19:03:51 2009
@@ -1,0 +1,150 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 070_CVE-2009-1195_mod_include_noexec.dpatch by Stefan Fritsch <sf at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: No description.
+
+ at DPATCH@
+diff -urNad apache2-2.2.9~/include/http_core.h apache2-2.2.9/include/http_core.h
+--- apache2-2.2.9~/include/http_core.h 2008-02-26 20:47:51.000000000 +0100
++++ apache2-2.2.9/include/http_core.h 2009-06-01 19:34:09.774738408 +0200
+@@ -65,7 +65,7 @@
+ #define OPT_NONE 0
+ /** Indexes directive */
+ #define OPT_INDEXES 1
+-/** Includes directive */
++/** SSI is enabled without exec= permission */
+ #define OPT_INCLUDES 2
+ /** FollowSymLinks directive */
+ #define OPT_SYM_LINKS 4
+@@ -80,9 +80,22 @@
+ /** MultiViews directive */
+ #define OPT_MULTI 128
+ /** All directives */
+-#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_SYM_LINKS|OPT_EXECCGI)
++#define OPT_ALL (OPT_INDEXES|OPT_INCLUDES|OPT_INCNOEXEC|OPT_SYM_LINKS|OPT_EXECCGI)
+ /** @} */
+
++#ifdef CORE_PRIVATE
++/* For internal use only - since 2.2.12, the OPT_INCNOEXEC bit is
++ * internally replaced by OPT_INC_WITH_EXEC. The internal semantics
++ * of the two SSI-related bits are hence:
++ *
++ * OPT_INCLUDES => "enable SSI, without exec= permission"
++ * OPT_INC_WITH_EXEC => "iff OPT_INCLUDES is set, also enable exec="
++ *
++ * The set of options exposed via ap_allow_options() retains the
++ * semantics of OPT_INCNOEXEC by flipping the bit. */
++#define OPT_INC_WITH_EXEC OPT_INCNOEXEC
++#endif
++
+ /**
+ * @defgroup get_remote_host Remote Host Resolution
+ * @ingroup APACHE_CORE_HTTPD
+diff -urNad apache2-2.2.9~/server/config.c apache2-2.2.9/server/config.c
+--- apache2-2.2.9~/server/config.c 2009-06-01 19:34:08.826702009 +0200
++++ apache2-2.2.9/server/config.c 2009-06-01 19:34:09.778739729 +0200
+@@ -1510,7 +1510,7 @@
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+
+ parms.config_file = ap_pcfg_open_custom(p, "-c/-C directives",
+ &arr_parms, NULL,
+@@ -1642,7 +1642,7 @@
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+
+ rv = ap_pcfg_openfile(&cfp, p, fname);
+ if (rv != APR_SUCCESS) {
+@@ -1781,7 +1781,7 @@
+ parms.temp_pool = ptemp;
+ parms.server = s;
+ parms.override = (RSRC_CONF | OR_ALL) & ~(OR_AUTHCFG | OR_LIMIT);
+- parms.override_opts = OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER | OPT_MULTI;
++ parms.override_opts = OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+ parms.limited = -1;
+
+ errmsg = ap_walk_config(conftree, &parms, s->lookup_defaults);
+diff -urNad apache2-2.2.9~/server/core.c apache2-2.2.9/server/core.c
+--- apache2-2.2.9~/server/core.c 2009-06-01 19:34:08.702731858 +0200
++++ apache2-2.2.9/server/core.c 2009-06-01 19:34:42.926701125 +0200
+@@ -108,8 +108,7 @@
+ conf->opts = dir ? OPT_UNSET : OPT_UNSET|OPT_ALL;
+ conf->opts_add = conf->opts_remove = OPT_NONE;
+ conf->override = dir ? OR_UNSET : OR_UNSET|OR_ALL;
+- conf->override_opts = OPT_UNSET | OPT_ALL | OPT_INCNOEXEC | OPT_SYM_OWNER
+- | OPT_MULTI;
++ conf->override_opts = OPT_UNSET | OPT_ALL | OPT_SYM_OWNER | OPT_MULTI;
+
+ conf->content_md5 = 2;
+ conf->accept_path_info = 3;
+@@ -242,8 +241,15 @@
+ conf->opts_remove = (conf->opts_remove & ~new->opts_add)
+ | new->opts_remove;
+ conf->opts = (conf->opts & ~conf->opts_remove) | conf->opts_add;
+- if ((base->opts & OPT_INCNOEXEC) && (new->opts & OPT_INCLUDES)) {
+- conf->opts = (conf->opts & ~OPT_INCNOEXEC) | OPT_INCLUDES;
++
++ /* If Includes was enabled with exec in the base config, but
++ * was enabled without exec in the new config, then disable
++ * exec in the merged set. */
++ if (((base->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ == (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ && ((new->opts & (OPT_INCLUDES|OPT_INC_WITH_EXEC))
++ == OPT_INCLUDES)) {
++ conf->opts &= ~OPT_INC_WITH_EXEC;
+ }
+ }
+ else {
+@@ -655,7 +661,16 @@
+ core_dir_config *conf =
+ (core_dir_config *)ap_get_module_config(r->per_dir_config, &core_module);
+
+- return conf->opts;
++ /* Per comment in http_core.h - the OPT_INC_WITH_EXEC bit is
++ * inverted, such that the exposed semantics match that of
++ * OPT_INCNOEXEC; i.e., the bit is only enabled if exec= is *not*
++ * permitted. */
++ if (conf->opts & OPT_INCLUDES) {
++ return conf->opts ^ OPT_INC_WITH_EXEC;
++ }
++ else {
++ return conf->opts;
++ }
+ }
+
+ AP_DECLARE(int) ap_allow_overrides(request_rec *r)
+@@ -1304,10 +1319,12 @@
+ opt = OPT_INDEXES;
+ }
+ else if (!strcasecmp(w, "Includes")) {
+- opt = OPT_INCLUDES;
++ /* If Includes is permitted, both Includes and
++ * IncludesNOEXEC may be changed. */
++ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+ }
+ else if (!strcasecmp(w, "IncludesNOEXEC")) {
+- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++ opt = OPT_INCLUDES;
+ }
+ else if (!strcasecmp(w, "FollowSymLinks")) {
+ opt = OPT_SYM_LINKS;
+@@ -1428,10 +1445,10 @@
+ opt = OPT_INDEXES;
+ }
+ else if (!strcasecmp(w, "Includes")) {
+- opt = OPT_INCLUDES;
++ opt = (OPT_INCLUDES | OPT_INC_WITH_EXEC);
+ }
+ else if (!strcasecmp(w, "IncludesNOEXEC")) {
+- opt = (OPT_INCLUDES | OPT_INCNOEXEC);
++ opt = OPT_INCLUDES;
+ }
+ else if (!strcasecmp(w, "FollowSymLinks")) {
+ opt = OPT_SYM_LINKS;
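Review bot: The dpatch header at the top of this hunk still reads `## DP: No description.`, while the three sibling patches in this commit each describe their CVE; since this patch redefines a public option bit (OPT_INCLUDES now means SSI without exec=, and exec= is carried in OPT_INC_WITH_EXEC and flipped back to OPT_INCNOEXEC semantics in ap_allow_options()), a reader of 00list gets no hint of that. Suggest `## DP: CVE-2009-1195: honour IncludesNOEXEC under AllowOverride Options; OPT_INCLUDES = SSI without exec=, exec= tracked internally in OPT_INC_WITH_EXEC and exposed with OPT_INCNOEXEC semantics via ap_allow_options()`. The header comment in http_core.h implies that OPT_INC_WITH_EXEC is only visible under CORE_PRIVATE and that code reading `conf->opts` directly rather than through ap_allow_options() would see inverted exec semantics; that is inferred from the comment, not from anything else in the hunk, and deserves a sentence in the description. The bodies of the patched functions in server/core.c and server/config.c all start and end outside these hunks.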
Added: branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch?rev=1013&op=file
==============================================================================
--- branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch (added)
+++ branches/lenny-apache2/patches/071_CVE-2009-1891.dpatch Thu Jul 30 19:03:51 2009
@@ -1,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_deflate DoS
+## DP: http://mail-archives.apache.org/mod_mbox/httpd-dev/200907.mbox/<20090703100048.GA4492@redhat.com>
+
+ at DPATCH@
+--- a/server/core_filters.c (revision 790833)
++++ a/server/core_filters.c (working copy)
+@@ -542,6 +542,12 @@
+ apr_read_type_e eblock = APR_NONBLOCK_READ;
+ apr_pool_t *input_pool = b->p;
+
++ /* Fail quickly if the connection has already been aborted. */
++ if (c->aborted) {
++ apr_brigade_cleanup(b);
++ return APR_ECONNABORTED;
++ }
++
+ if (ctx == NULL) {
+ ctx = apr_pcalloc(c->pool, sizeof(*ctx));
+ net->out_ctx = ctx;
+@@ -909,12 +909,9 @@
+ /* No need to check for SUCCESS, we did that above. */
+ if (!APR_STATUS_IS_EAGAIN(rv)) {
+ c->aborted = 1;
++ return APR_ECONNABORTED;
+ }
+
+- /* The client has aborted, but the request was successful. We
+- * will report success, and leave it to the access and error
+- * logs to note that the connection was aborted.
+- */
+ return APR_SUCCESS;
+ }
+
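Review bot: The second hunk deletes the four-line comment that justified returning APR_SUCCESS after the client aborted but adds nothing explaining the new `return APR_ECONNABORTED;`, which is the actual behaviour change of this patch and the status upstream filters will now receive. Suggest replacing the removed comment with `/* Client aborted: report it upstream so filters still producing output stop instead of looping on a dead connection (CVE-2009-1891). */` — the looping mechanism is inferred from the `## DP: mod_deflate DoS` line, not visible in this hunk. The early `if (c->aborted)` check in the first hunk depends on `c` and `net` being the filter's connection objects declared before the hunk. Both enclosing function bodies start and end outside these hunks.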
Added: branches/lenny-apache2/patches/072_CVE-2009-1890.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/072_CVE-2009-1890.dpatch?rev=1013&op=file
==============================================================================
--- branches/lenny-apache2/patches/072_CVE-2009-1890.dpatch (added)
+++ branches/lenny-apache2/patches/072_CVE-2009-1890.dpatch Thu Jul 30 19:03:51 2009
@@ -1,0 +1,46 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_proxy DoS
+## DP: http://svn.apache.org/viewvc?view=rev&revision=790587
+
+ at DPATCH@
+index bc59aad..bdfe594 100644
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -427,10 +427,16 @@ static int stream_reqbody_cl(apr_pool_t *p,
+ apr_off_t bytes_streamed = 0;
+
+ if (old_cl_val) {
++ char *endstr;
++
+ add_cl(p, bucket_alloc, header_brigade, old_cl_val);
+- if (APR_SUCCESS != (status = apr_strtoff(&cl_val, old_cl_val, NULL,
+- 0))) {
+- return HTTP_INTERNAL_SERVER_ERROR;
++ status = apr_strtoff(&cl_val, old_cl_val, &endstr, 10);
++
++ if (status || *endstr || endstr == old_cl_val || cl_val < 0) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r,
++ "proxy: could not parse request Content-Length (%s)",
++ old_cl_val);
++ return HTTP_BAD_REQUEST;
+ }
+ }
+ terminate_headers(bucket_alloc, header_brigade);
+@@ -463,8 +469,13 @@ static int stream_reqbody_cl(apr_pool_t *p,
+ *
+ * Prevents HTTP Response Splitting.
+ */
+- if (bytes_streamed > cl_val)
+- continue;
++ if (bytes_streamed > cl_val) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "proxy: read more bytes of request body than expected "
++ "(got %" APR_OFF_T_FMT ", expected %" APR_OFF_T_FMT ")",
++ bytes_streamed, cl_val);
++ return HTTP_INTERNAL_SERVER_ERROR;
++ }
+
+ if (header_brigade) {
+ /* we never sent the header brigade, so go ahead and
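Review bot: In the first hunk `add_cl(p, bucket_alloc, header_brigade, old_cl_val);` still runs before the new Content-Length validation, so the unvalidated client value is appended to the outgoing header brigade and only afterwards rejected with HTTP_BAD_REQUEST; presumably the brigade is discarded on that error path, but validating before copying is easier to reason about. Moving the `add_cl(...)` line below the closing brace of the `if (status || *endstr || endstr == old_cl_val || cl_val < 0) { ... }` block keeps the success path identical. The second hunk turns the former `continue` on `bytes_streamed > cl_val` into a logged HTTP_INTERNAL_SERVER_ERROR, which is the right direction but changes observable behaviour for over-long request bodies and is worth a sentence in the DP header. stream_reqbody_cl's body starts and ends outside these hunks.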
Added: branches/lenny-apache2/patches/073_no_deflate_for_HEAD.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/073_no_deflate_for_HEAD.dpatch?rev=1013&op=file
==============================================================================
--- branches/lenny-apache2/patches/073_no_deflate_for_HEAD.dpatch (added)
+++ branches/lenny-apache2/patches/073_no_deflate_for_HEAD.dpatch Thu Jul 30 19:03:51 2009
@@ -1,0 +1,29 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: mod_deflate DoS
+## DP: This should switch off deflate for HEAD requests
+
+ at DPATCH@
+--- a/modules/filters/mod_deflate.c (revision 793927)
++++ a/modules/filters/mod_deflate.c (working copy)
+@@ -629,6 +629,19 @@
+ apr_bucket *b;
+ apr_size_t len;
+
++ /*
++ * Optimization: If we are a HEAD request and bytes_sent is not zero
++ * it means that we have passed the content-length filter once and
++ * have more data to sent. This means that the content-length filter
++ * could not determine our content-length for the response to the
++ * HEAD request anyway (the associated GET request would deliver the
++ * body in chunked encoding) and we can stop compressing.
++ */
++ if (r->header_only && r->bytes_sent) {
++ ap_remove_output_filter(f);
++ return ap_pass_brigade(f->next, bb);
++ }
++
+ e = APR_BRIGADE_FIRST(bb);
+
+ if (APR_BUCKET_IS_EOS(e)) {
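Review bot: The new comment opens with `Optimization:` while the DP header describes this patch as a mod_deflate DoS mitigation, so a later maintainer of mod_deflate.c will not realise the early exit is load-bearing. Suggest changing that first line to `* Stop compressing HEAD responses once bytes_sent is non-zero (DoS mitigation, see 071_CVE-2009-1891.dpatch / #534712):` and keeping the rest of the explanation. Calling ap_remove_output_filter(f) and returning before any ctx handling presumably relies on the zlib stream's cleanup being registered on the request pool — confirm, since nothing in the hunk releases it. The enclosing filter function starts and ends outside this hunk.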