[Pkg-apache-commits] [SCM] Debian packaging for apache2 (Apache HTTPD 2.x) branch, squeeze, updated. a40771997c44c700df5a3baf73d15af08b31aa9f

Stefan Fritsch sf at sfritsch.de
Sun Feb 5 20:35:45 UTC 2012


The following commit has been merged in the squeeze branch:
commit 9469afe8b83dc37895f32abb7b26d827be0c71ee
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Sat Feb 4 17:53:57 2012 +0100

    CVE-2012-0053: Fix an issue in code 400 error responses that could
    expose "httpOnly" cookies.

diff --git a/debian/changelog b/debian/changelog
index 04322c7..640690b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,6 +7,8 @@ apache2 (2.2.16-6+squeeze5) UNRELEASED; urgency=high
     privilege escalation.
   * CVE-2012-0031: Fix client process being able to crash parent process
     during shutdown.
+  * CVE-2012-0053: Fix an issue in code 400 error responses that could expose
+    "httpOnly" cookies.
 
  -- Stefan Fritsch <sf at debian.org>  Sat, 03 Dec 2011 18:38:51 +0100
 
diff --git a/debian/patches/00list b/debian/patches/00list
index 32b1e0c..94c19d7 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -35,6 +35,7 @@
 091_CVE-2011-3639.dpatch
 092_CVE-2011-3607.dpatch
 093_CVE-2012-0031.dpatch
+094_CVE-2012-0053.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch
diff --git a/debian/patches/094_CVE-2012-0053.dpatch b/debian/patches/094_CVE-2012-0053.dpatch
new file mode 100644
index 0000000..23b49ae
--- /dev/null
+++ b/debian/patches/094_CVE-2012-0053.dpatch
@@ -0,0 +1,105 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: backport of upstream r1235454
+commit 2bb066730e059da7127804a2dd9c999b50934a67
+Author: Eric Covener <covener at apache.org>
+Date:   Tue Jan 24 20:02:19 2012 +0000
+
+    backport r1234837 from trunk:
+    
+        CVE-2012-0053: Fix an issue in error responses that could expose
+        "httpOnly" cookies when no custom ErrorDocument is specified for
+        status code 400.
+    
+    Reviewed By: covener, trawick, gregames
+    
+    
+    
+    git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@1235454 13f79535-47bb-0310-9956-ffa450edef68
+
+diff --git a/server/protocol.c b/server/protocol.c
+index 2e3ce93..796ae58 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -670,6 +670,16 @@ static int read_request_line(request_rec *r, apr_bucket_brigade *bb)
+     return 1;
+ }
+ 
++/* get the length of the field name for logging, but no more than 80 bytes */
++#define LOG_NAME_MAX_LEN 80
++static int field_name_len(const char *field)
++{
++    const char *end = ap_strchr_c(field, ':');
++    if (end == NULL || end - field > LOG_NAME_MAX_LEN)
++        return LOG_NAME_MAX_LEN;
++    return end - field;
++}
++
+ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb)
+ {
+     char *last_field = NULL;
+@@ -709,12 +719,15 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
+                 /* insure ap_escape_html will terminate correctly */
+                 field[len - 1] = '\0';
+                 apr_table_setn(r->notes, "error-notes",
+-                               apr_pstrcat(r->pool,
++                               apr_psprintf(r->pool,
+                                            "Size of a request header field "
+                                            "exceeds server limit.<br />\n"
+-                                           "<pre>\n",
+-                                           ap_escape_html(r->pool, field),
+-                                           "</pre>\n", NULL));
++                                           "<pre>\n%.*s\n</pre>/n",
++                                           field_name_len(field), 
++                                           ap_escape_html(r->pool, field)));
++                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, 
++                              "Request header exceeds LimitRequestFieldSize: "
++                              "%.*s", field_name_len(field), field);
+             }
+             return;
+         }
+@@ -735,13 +748,17 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
+                      * overflow (last_field) as the field with the problem
+                      */
+                     apr_table_setn(r->notes, "error-notes",
+-                                   apr_pstrcat(r->pool,
++                                   apr_psprintf(r->pool,
+                                                "Size of a request header field "
+                                                "after folding "
+                                                "exceeds server limit.<br />\n"
+-                                               "<pre>\n",
+-                                               ap_escape_html(r->pool, last_field),
+-                                               "</pre>\n", NULL));
++                                               "<pre>\n%.*s\n</pre>\n",
++                                               field_name_len(last_field),
++                                               ap_escape_html(r->pool, last_field)));
++                    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
++                                  "Request header exceeds LimitRequestFieldSize "
++                                  "after folding: %.*s",
++                                  field_name_len(last_field), last_field);
+                     return;
+                 }
+ 
+@@ -773,13 +790,18 @@ AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r, apr_bucket_brigade *bb
+                 if (!(value = strchr(last_field, ':'))) { /* Find ':' or    */
+                     r->status = HTTP_BAD_REQUEST;      /* abort bad request */
+                     apr_table_setn(r->notes, "error-notes",
+-                                   apr_pstrcat(r->pool,
++                                   apr_psprintf(r->pool,
+                                                "Request header field is "
+                                                "missing ':' separator.<br />\n"
+-                                               "<pre>\n",
++                                               "<pre>\n%.*s</pre>\n",
++                                               (int)LOG_NAME_MAX_LEN,
+                                                ap_escape_html(r->pool,
+-                                                              last_field),
+-                                               "</pre>\n", NULL));
++                                                              last_field)));
++                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
++                                  "Request header field is missing ':' "
++                                  "separator: %.*s", (int)LOG_NAME_MAX_LEN,
++                                  last_field);
++
+                     return;
+                 }
+ 
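Review bot: The first `apr_psprintf` format in the nested server/protocol.c patch (the "Size of a request header field exceeds server limit" case) ends in `</pre>/n` instead of `</pre>\n`, so the default 400 body carries a literal "/n". The line should read `"<pre>\n%.*s\n</pre>\n",` as in the after-folding case. The missing-':' case also omits the `\n` before `</pre>` that the other two formats have. In the first two cases `field_name_len()` measures the raw header, but the precision is applied to the longer `ap_escape_html()` output, so a name containing escaped characters is cut short or mid-entity. That errs on the side of showing less, never header value bytes, and deserves a comment on `field_name_len` such as `/* length is taken on the unescaped field; escaped output may be truncated earlier */`. The body of `ap_get_mime_headers_core` continues outside the nested hunks, so the surrounding length checks are not visible here.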

-- 
Debian packaging for apache2 (Apache HTTPD 2.x)


