[Pkg-apache-commits] r1375 - in /branches/squeeze-apache2: changelog patches/00list patches/089_CVE-2011-3368.dpatch patches/090_CVE-2011-4317.dpatch patches/091_CVE-2011-3639.dpatch

sf at alioth.debian.org sf at alioth.debian.org
Sat Dec 3 17:40:35 UTC 2011


Author: sf
Date: Sat Dec  3 17:40:34 2011
New Revision: 1375

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1375
Log:
Prevent unintended pattern expansion in some reverse proxy
configurations by strictly validating the request-URI. Fixes
CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.

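As an added example (not part of this commit and not httpd code), the following standalone C program re-implements the request-URI rule the log message describes and shows why a reverse proxy needs it. A rule of the form `RewriteRule ^(.*) http://backend$1 [P]` (a hypothetical configuration, used only for illustration) glues the raw request-URI onto a fixed prefix, so a request line whose URI is `@example.org/foo` (the shape named in the 091 patch's commit message) turns `http://backend` into `http://backend@example.org/foo`, whose host is `example.org`, not the backend; the lone `*` gives `http://backend*`, which is why the 090 patch declines it. The scheme test approximates apr_uri_parse's requirement of a non-empty scheme followed by `://`; that approximation and all names, hosts and request lines here are assumptions of the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not httpd code.  Re-implements the request-URI rule the
 * 089 patch enforces in read_request_line() and shows what an unchecked
 * URI does to a proxy rule that expands it into a backend URL.
 *
 * RFC 2616:  Request-URI = "*" | absoluteURI | abs_path | authority
 * The authority form is legal only for CONNECT.
 */

/* Approximation (assumed for this example) of apr_uri_parse's scheme
 * detection: a non-empty run of scheme characters followed by "://". */
static bool has_scheme(const char *uri)
{
    const char *s = uri;
    while (*s && (isalnum((unsigned char)*s) || *s == '+' || *s == '-' || *s == '.'))
        s++;
    return s != uri && s[0] == ':' && s[1] == '/' && s[2] == '/';
}

/* Same decision as the patched read_request_line(): accept CONNECT's
 * authority form, an absoluteURI, an abs_path or the lone "*";
 * everything else would get a 400. */
bool request_uri_is_valid(const char *method, const char *uri)
{
    if (strcmp(method, "CONNECT") == 0)
        return true;
    if (has_scheme(uri))
        return true;
    if (uri[0] == '/')
        return true;
    if (uri[0] == '*' && uri[1] == '\0')
        return true;
    return false;
}

/* Host component of an http:// URL (the part after any userinfo '@' and
 * before the path; a port, if present, stays attached).  Returns false
 * when the URL has no authority at all. */
static bool target_host(const char *url, char *host, size_t hostlen)
{
    const char *p = strstr(url, "://");
    if (p == NULL)
        return false;
    p += 3;
    const char *end = strchr(p, '/');
    if (end == NULL)
        end = p + strlen(p);
    const char *h = p;
    for (const char *q = p; q < end; q++)
        if (*q == '@')
            h = q + 1;                  /* host starts after the last '@' */
    size_t hlen = (size_t)(end - h);
    if (hlen >= hostlen)
        return false;
    memcpy(host, h, hlen);
    host[hlen] = '\0';
    return true;
}

/* The host a hypothetical  RewriteRule ^(.*) <prefix>$1 [P]  would connect
 * to: the rule just glues the raw request-URI onto the prefix.  Returns
 * NULL if the expansion has no authority; uses a static buffer. */
const char *proxied_host(const char *prefix, const char *uri)
{
    static char url[512], host[256];
    snprintf(url, sizeof url, "%s%s", prefix, uri);
    return target_host(url, host, sizeof host) ? host : NULL;
}

int main(void)
{
    /* Constructed request lines (method, request-URI) for the demo. */
    static const char *const reqs[][2] = {
        { "GET",     "/index.html" },
        { "OPTIONS", "*" },
        { "GET",     "http://example.org/" },
        { "CONNECT", "example.org:443" },
        { "GET",     "example.org:443" },
        { "GET",     "@example.org/foo" },
    };
    const char *prefix = "http://backend";   /* hypothetical internal backend */

    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        const char *m = reqs[i][0], *u = reqs[i][1];
        const char *host = proxied_host(prefix, u);
        printf("%-7s %-20s -> %s; unchecked proxy target host: %s\n",
               m, u, request_uri_is_valid(m, u) ? "accepted" : "400",
               host ? host : "(none)");
    }
    return 0;
}
```

Run it and compare the two columns: every line the validator marks 400 is one where the unchecked expansion would send the proxy somewhere other than `backend`. The real fix in httpd rejects the line in read_request_line() before any RewriteRule or ProxyPassMatch sees it, which is what "strictly validating the request-URI" means.
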
Added:
    branches/squeeze-apache2/patches/089_CVE-2011-3368.dpatch   (with props)
    branches/squeeze-apache2/patches/090_CVE-2011-4317.dpatch   (with props)
    branches/squeeze-apache2/patches/091_CVE-2011-3639.dpatch   (with props)
Modified:
    branches/squeeze-apache2/changelog
    branches/squeeze-apache2/patches/00list

Modified: branches/squeeze-apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/squeeze-apache2/changelog?rev=1375&op=diff
==============================================================================
--- branches/squeeze-apache2/changelog (original)
+++ branches/squeeze-apache2/changelog Sat Dec  3 17:40:34 2011
@@ -1,3 +1,11 @@
+apache2 (2.2.16-6+squeeze5) UNRELEASED; urgency=high
+
+  * Prevent unintended pattern expansion in some reverse proxy
+    configurations by strictly validating the request-URI. Fixes
+    CVE-2011-3368, CVE-2011-3639, CVE-2011-4317.
+
+ -- Stefan Fritsch <sf at debian.org>  Sat, 03 Dec 2011 18:38:51 +0100
+
 apache2 (2.2.16-6+squeeze4) squeeze; urgency=low
 
   * Fix CVE-2011-3348: Possible denial of service in mod_proxy_ajp

Modified: branches/squeeze-apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/squeeze-apache2/patches/00list?rev=1375&op=diff
==============================================================================
--- branches/squeeze-apache2/patches/00list (original)
+++ branches/squeeze-apache2/patches/00list Sat Dec  3 17:40:34 2011
@@ -30,6 +30,9 @@
 085_CVE-2011-3192.dpatch
 086_range_regressions.dpatch
 087_mod_proxy_ajp_CVE-2011-3348.dpatch
+089_CVE-2011-3368.dpatch
+090_CVE-2011-4317.dpatch
+091_CVE-2011-3639.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch
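
Review bot: the new entries jump from 087_mod_proxy_ajp_CVE-2011-3348.dpatch straight to 089_CVE-2011-3368.dpatch, leaving 088 unused in this list; if nothing is reserved for that slot, number the three new patches 088 to 090 so the sequence stays dense, otherwise note in the changelog what 088 is held for.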

Added: branches/squeeze-apache2/patches/089_CVE-2011-3368.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/squeeze-apache2/patches/089_CVE-2011-3368.dpatch?rev=1375&op=file
==============================================================================
--- branches/squeeze-apache2/patches/089_CVE-2011-3368.dpatch (added)
+++ branches/squeeze-apache2/patches/089_CVE-2011-3368.dpatch Sat Dec  3 17:40:34 2011
@@ -1,0 +1,54 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1179525
+
+ at DPATCH@
+commit d239e98144d468928fbd2d3f519bd9265d162932
+Author: Joe Orton <jorton at apache.org>
+Date:   Thu Oct 6 07:39:13 2011 +0000
+
+    Merge r1179239 from trunk:
+    
+    SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
+    reverse proxy configurations by strictly validating the request-URI:
+    
+    * server/protocol.c (read_request_line): Send a 400 response if the
+      request-URI does not match the grammar from RFC 2616.  This ensures
+      the input string for RewriteRule et al really is an absolute path.
+    
+    Reviewed by: jim, covener, rjung
+    
+    
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1179525 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/server/protocol.c b/server/protocol.c
+index 55468fc..b45851a 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -640,6 +640,25 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+ 
+     ap_parse_uri(r, uri);
+ 
++    /* RFC 2616:
++     *   Request-URI    = "*" | absoluteURI | abs_path | authority
++     *
++     * authority is a special case for CONNECT.  If the request is not
++     * using CONNECT, and the parsed URI does not have scheme, and
++     * it does not begin with '/', and it is not '*', then, fail
++     * and give a 400 response. */
++    if (r->method_number != M_CONNECT 
++        && !r->parsed_uri.scheme 
++        && uri[0] != '/'
++        && !(uri[0] == '*' && uri[1] == '\0')) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                      "invalid request-URI %s", uri);
++        r->args = NULL;
++        r->hostname = NULL;
++        r->status = HTTP_BAD_REQUEST;
++        r->uri = apr_pstrdup(r->pool, uri);
++    }
++
+     if (ll[0]) {
+         r->assbackwards = 0;
+         pro = ll;
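
Review bot: after the new block sets `r->status = HTTP_BAD_REQUEST;` it falls through to `if (ll[0]) {` instead of returning, so read_request_line() still reports success and the 400 only takes effect if something downstream happens to look at r->status; for a request line with no protocol token (ll empty, the HTTP/0.9 shape) that is exactly the gap the 091_CVE-2011-3639.dpatch in this same commit has to close with a `return 0;` at this point. Return immediately here rather than relying on a second patch. Two of the condition lines (`if (r->method_number != M_CONNECT ` and `&& !r->parsed_uri.scheme `) also carry trailing whitespace.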

Propchange: branches/squeeze-apache2/patches/089_CVE-2011-3368.dpatch
------------------------------------------------------------------------------
    svn:executable = *

Added: branches/squeeze-apache2/patches/090_CVE-2011-4317.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/squeeze-apache2/patches/090_CVE-2011-4317.dpatch?rev=1375&op=file
==============================================================================
--- branches/squeeze-apache2/patches/090_CVE-2011-4317.dpatch (added)
+++ branches/squeeze-apache2/patches/090_CVE-2011-4317.dpatch Sat Dec  3 17:40:34 2011
@@ -1,0 +1,70 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1209432
+
+ at DPATCH@
+commit 318b86756de2049f652561e1a66420b4a92d4a7e
+Author: Joe Orton <jorton at apache.org>
+Date:   Fri Dec 2 12:04:20 2011 +0000
+
+    Fix for additional cases of URL rewriting with ProxyPassMatch or
+    RewriteRule, where particular request-URIs could result in undesired
+    backend network exposure in some configurations. (CVE-2011-4317)
+    
+    Thanks to Prutha Parikh from Qualys for reporting this issue.
+    
+    * modules/proxy/mod_proxy.c (proxy_trans): Decline to handle the "*"
+      request-URI.  Fail for cases where r->uri does not begin with a "/".
+    
+    * modules/mappers/mod_rewrite.c (hook_uri2file): Likewise.
+    
+    
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1209432 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c
+index 470e01c..d29cb45 100644
+--- a/modules/mappers/mod_rewrite.c
++++ b/modules/mappers/mod_rewrite.c
+@@ -4419,6 +4419,18 @@ static int hook_uri2file(request_rec *r)
+         return DECLINED;
+     }
+ 
++    if (strcmp(r->unparsed_uri, "*") == 0) {
++        /* Don't apply rewrite rules to "*". */
++        return DECLINED;
++    }
++
++    /* Check that the URI is valid. */
++    if (!r->uri || r->uri[0] != '/') {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                     "Invalid URI in request %s", r->the_request);
++        return HTTP_BAD_REQUEST;
++    }
++    
+     /*
+      *  add the SCRIPT_URL variable to the env. this is a bit complicated
+      *  due to the fact that apache uses subrequests and internal redirects
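
Review bot: the order of the two new tests matters and deserves a comment: `strcmp(r->unparsed_uri, "*") == 0` must stay ahead of `r->uri[0] != '/'`, because for `OPTIONS *` r->uri is "*" and would otherwise be answered with 400 instead of being declined. The comment "Check that the URI is valid." should also say why this check is still needed after the read_request_line() check added in 089_CVE-2011-3368.dpatch; the commit message only calls these "additional cases". Finally, the log line prints r->the_request, the raw client-supplied request line, at APLOG_ERR, which lets any client fill the error log at will; 091_CVE-2011-3639.dpatch logs the comparable "invalid characters in URI" case at APLOG_INFO, so pick one level for all three.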
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index 35195f8..8e90c9e 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -655,6 +655,18 @@ static int proxy_trans(request_rec *r)
+         return OK;
+     }
+ 
++    if (strcmp(r->unparsed_uri, "*") == 0) {
++        /* "*" cannot be proxied. */
++        return DECLINED;
++    }
++
++    /* Check that the URI is valid. */
++    if (!r->uri || r->uri[0] != '/') {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                     "Invalid URI in request %s", r->the_request);
++        return HTTP_BAD_REQUEST;
++    }
++
+     /* XXX: since r->uri has been manipulated already we're not really
+      * compliant with RFC1945 at this point.  But this probably isn't
+      * an issue because this is a hybrid proxy/origin server.
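
Review bot: this block is a verbatim copy of the one added to hook_uri2file() in mod_rewrite.c (same "*" test, same `!r->uri || r->uri[0] != '/'` test, same "Invalid URI in request %s" message); factor it into one shared helper in server/ so the two cannot drift, or at minimum make the two log messages distinguishable so an operator can tell whether mod_proxy or mod_rewrite rejected the request. The comment "* cannot be proxied." is the right reason to decline rather than fail, and is the stronger wording; reuse it in mod_rewrite.c too.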

Propchange: branches/squeeze-apache2/patches/090_CVE-2011-4317.dpatch
------------------------------------------------------------------------------
    svn:executable = *

Added: branches/squeeze-apache2/patches/091_CVE-2011-3639.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/squeeze-apache2/patches/091_CVE-2011-3639.dpatch?rev=1375&op=file
==============================================================================
--- branches/squeeze-apache2/patches/091_CVE-2011-3639.dpatch (added)
+++ branches/squeeze-apache2/patches/091_CVE-2011-3639.dpatch Sat Dec  3 17:40:34 2011
@@ -1,0 +1,45 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 091_CVE-2011-3639.dpatch by Stefan Fritsch <sf at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport of upstream r1188745
+commit daadb710ab9c207e717a6cfdd5e9cf0ed3ba4f59
+Author: Ruediger Pluem <rpluem at apache.org>
+Date:   Tue Oct 25 15:56:08 2011 +0000
+
+    * Correctly return a 400 (Bad request) in case of a HTTP/0.9 request like GET @example.org/foo
+
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1188745 13f79535-47bb-0310-9956-ffa450edef68
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' squeeze-apache2~/server/protocol.c squeeze-apache2/server/protocol.c
+--- squeeze-apache2~/server/protocol.c	2011-12-03 18:28:59.000000000 +0100
++++ squeeze-apache2/server/protocol.c	2011-12-03 18:33:23.331921967 +0100
+@@ -654,6 +654,7 @@
+         r->hostname = NULL;
+         r->status = HTTP_BAD_REQUEST;
+         r->uri = apr_pstrdup(r->pool, uri);
++        return 0;
+     }
+ 
+     if (ll[0]) {
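
Review bot: the added `return 0;` leaves read_request_line() before the protocol token in `ll` is examined, so the fields set by the `if (ll[0])` branch (protocol and assbackwards) keep whatever ap_read_request() initialised them to for the rejected request; that is the same early-exit shape the existing URI-too-long path uses, so it should be fine, but add a one-line comment that ap_send_error_response() copes with it, since the HTTP/0.9-style `GET @example.org/foo` line from the commit message is precisely the case where ll is empty. Unrelated to the hunk itself: unlike 089 and 090, this dpatch puts the commit message above the @DPATCH@ marker; keep the header layout of the three files consistent.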
+@@ -908,9 +909,17 @@
+ 
+     /* Get the request... */
+     if (!read_request_line(r, tmp_bb)) {
+-        if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
+-            ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+-                          "request failed: URI too long (longer than %d)", r->server->limit_req_line);
++        if (r->status == HTTP_REQUEST_URI_TOO_LARGE
++            || r->status == HTTP_BAD_REQUEST) {
++            if (r->status == HTTP_REQUEST_URI_TOO_LARGE) {
++                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                              "request failed: URI too long (longer than %d)",
++                              r->server->limit_req_line);
++            }
++            else if (r->method == NULL) {
++                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++                              "request failed: invalid characters in URI");
++            }
+             ap_send_error_response(r, 0);
+             ap_update_child_status(conn->sbh, SERVER_BUSY_LOG, r);
+             ap_run_log_transaction(r);
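
Review bot: `r->status == HTTP_REQUEST_URI_TOO_LARGE` is tested twice, once in the outer `||` and again in the inner `if`; flatten this into a single if / else-if chain on r->status. The `else if (r->method == NULL)` branch also means a 400 raised by the strict request-URI check (where r->method is already set) reaches ap_send_error_response() with no message from this block at all; that is only acceptable because read_request_line() has already logged "invalid request-URI", so say so in a comment next to the branch.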

Propchange: branches/squeeze-apache2/patches/091_CVE-2011-3639.dpatch
------------------------------------------------------------------------------
    svn:executable = *
