[Pkg-apache-commits] r1367 - in /trunk/apache2: changelog patches/00list patches/083_CVE-2011-3368.dpatch

sf at alioth.debian.org
Tue Oct 11 20:40:19 UTC 2011


Author: sf
Date: Tue Oct 11 20:40:19 2011
New Revision: 1367

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1367
Log:
Fix CVE-2011-3368: Prevent unintended pattern expansion in some
reverse proxy configurations by strictly validating the request-URI

Added:
    trunk/apache2/patches/083_CVE-2011-3368.dpatch   (with props)
Modified:
    trunk/apache2/changelog
    trunk/apache2/patches/00list

Modified: trunk/apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/changelog?rev=1367&op=diff
==============================================================================
--- trunk/apache2/changelog (original)
+++ trunk/apache2/changelog Tue Oct 11 20:40:19 2011
@@ -1,5 +1,7 @@
-apache2 (2.2.21-2) UNRELEASED; urgency=low
-
+apache2 (2.2.21-2) UNRELEASED; urgency=high
+
+  * Fix CVE-2011-3368: Prevent unintended pattern expansion in some
+    reverse proxy configurations by strictly validating the request-URI.
   * Correctly set permissions of suexec.load even if umask is 0002 during
     build. LP: #872000
 

Modified: trunk/apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/00list?rev=1367&op=diff
==============================================================================
--- trunk/apache2/patches/00list (original)
+++ trunk/apache2/patches/00list Tue Oct 11 20:40:19 2011
@@ -22,6 +22,7 @@
 077_CacheIgnoreURLSessionIdentifiers.dpatch
 079_polish_translation.dpatch
 082_ab_num_requests
+083_CVE-2011-3368.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch

Added: trunk/apache2/patches/083_CVE-2011-3368.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/trunk/apache2/patches/083_CVE-2011-3368.dpatch?rev=1367&op=file
==============================================================================
--- trunk/apache2/patches/083_CVE-2011-3368.dpatch (added)
+++ trunk/apache2/patches/083_CVE-2011-3368.dpatch Tue Oct 11 20:40:19 2011
@@ -1,0 +1,54 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Upstream r1179525
+
+ at DPATCH@
+commit d239e98144d468928fbd2d3f519bd9265d162932
+Author: Joe Orton <jorton at apache.org>
+Date:   Thu Oct 6 07:39:13 2011 +0000
+
+    Merge r1179239 from trunk:
+    
+    SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some
+    reverse proxy configurations by strictly validating the request-URI:
+    
+    * server/protocol.c (read_request_line): Send a 400 response if the
+      request-URI does not match the grammar from RFC 2616.  This ensures
+      the input string for RewriteRule et al really is an absolute path.
+    
+    Reviewed by: jim, covener, rjung
+    
+    
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1179525 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/server/protocol.c b/server/protocol.c
+index 55468fc..b45851a 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -640,6 +640,25 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+ 
+     ap_parse_uri(r, uri);
+ 
++    /* RFC 2616:
++     *   Request-URI    = "*" | absoluteURI | abs_path | authority
++     *
++     * authority is a special case for CONNECT.  If the request is not
++     * using CONNECT, and the parsed URI does not have scheme, and
++     * it does not begin with '/', and it is not '*', then, fail
++     * and give a 400 response. */
++    if (r->method_number != M_CONNECT 
++        && !r->parsed_uri.scheme 
++        && uri[0] != '/'
++        && !(uri[0] == '*' && uri[1] == '\0')) {
++        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++                      "invalid request-URI %s", uri);
++        r->args = NULL;
++        r->hostname = NULL;
++        r->status = HTTP_BAD_REQUEST;
++        r->uri = apr_pstrdup(r->pool, uri);
++    }
++
+     if (ll[0]) {
+         r->assbackwards = 0;
+         pro = ll;
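
Review bot: The `!r->parsed_uri.scheme` term in the new condition in read_request_line() exempts every request-URI for which ap_parse_uri() set a scheme, so the guarantee in the log message (that the input string for RewriteRule et al. really is an absolute path) holds only as far as that parser's notion of a scheme matches the absoluteURI production of RFC 2616. The test is also made on the raw `uri` string and not on the parsed `r->uri`; consider additionally rejecting non-CONNECT requests whose `r->uri` does not begin with '/' once parsing is done. Separately, the block sets `r->status = HTTP_BAD_REQUEST` and then falls through to the `if (ll[0])` protocol handling, so a one-line comment saying where the 400 response is actually sent would help the next reader, and the trailing spaces after `M_CONNECT` and `.scheme` can be dropped.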

Propchange: trunk/apache2/patches/083_CVE-2011-3368.dpatch
------------------------------------------------------------------------------
    svn:executable = *



