[SCM] Debian packaging for apache2 branch, master, updated. debian/2.2.22-3-35-g8a474cf
Stefan Fritsch
sf at sfritsch.de
Fri Jun 22 21:54:08 UTC 2012
The following commit has been merged in the master branch:
commit 8a474cf54e18c969c7e7bdc32f0d09412a924ac4
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Fri Jun 22 23:23:11 2012 +0200
Backport fix for CVE-2012-2687 in mod_negotiation
diff --git a/debian/changelog b/debian/changelog
index 9feaa04..ed8abbf 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
apache2 (2.2.22-8) UNRELEASED; urgency=low
+ * CVE-2012-2687: mod_negotiation: Escape filenames in variant list to prevent
+ a possible XSS for a site where untrusted users can upload files to a
+ location with MultiViews enabled.
* Fix "contradictory comment in /etc/apache2/apache2.conf about the
.load suffix" (Closes: #676975). Hopefully you are now happy, Vincent. :-)
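Review bot: the entry header in the context line still reads urgency=low, although the new first bullet records a security fix (CVE-2012-2687). Consider raising the urgency before this UNRELEASED entry is finalized for upload, so that the package migrates at the pace a CVE backport warrants.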
diff --git a/debian/patches/087_mod_negotiation_CVE-2012-2687.patch b/debian/patches/087_mod_negotiation_CVE-2012-2687.patch
new file mode 100644
index 0000000..ebbbc8a
--- /dev/null
+++ b/debian/patches/087_mod_negotiation_CVE-2012-2687.patch
@@ -0,0 +1,33 @@
+commit 706691e6fd5445f6d60456f55c5647e788e7b3ad
+Author: Joe Orton <jorton at apache.org>
+Date: Wed Jun 13 15:33:48 2012 +0000
+
+ SECURITY: CVE-2012-2687 (cve.mitre.org):
+
+ mod_negotiation: Escape filenames in variant list to prevent an
+ possible XSS for a site where untrusted users can upload files to a
+ location with MultiViews enabled.
+
+ * modules/mappers/mod_negotiation.c (make_variant_list): Escape
+ filenames in variant list.
+
+ Submitted by: Niels Heinen <heinenn google.com>
+
+
+ git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1349905 13f79535-47bb-0310-9956-ffa450edef68
+Index: apache2/modules/mappers/mod_negotiation.c
+===================================================================
+--- apache2.orig/modules/mappers/mod_negotiation.c 2012-06-22 23:17:12.000000000 +0200
++++ apache2/modules/mappers/mod_negotiation.c 2012-06-22 23:22:12.775905499 +0200
+@@ -2658,9 +2658,9 @@
+ * need to change the calculation of max_vlist_array above.
+ */
+ *((const char **) apr_array_push(arr)) = "<li><a href=\"";
+- *((const char **) apr_array_push(arr)) = filename;
++ *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename);
+ *((const char **) apr_array_push(arr)) = "\">";
+- *((const char **) apr_array_push(arr)) = filename;
++ *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
+ *((const char **) apr_array_push(arr)) = "</a> ";
+ *((const char **) apr_array_push(arr)) = description;
+
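Review bot: description, in the trailing context line of the mod_negotiation.c hunk, is still pushed into the variant list unescaped, directly after the two filename pushes that now go through ap_escape_path_segment and ap_escape_html. If its value can come from an uploaded file or a type map, it should get ap_escape_html(r->pool, description) as well; if it is always generated by the server, a short comment saying so would make the asymmetry intentional. The number of apr_array_push calls is unchanged, so the max_vlist_array calculation mentioned in the comment at the top of the hunk does not need adjusting.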
diff --git a/debian/patches/series b/debian/patches/series
index 28d4ea9..15b506b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -22,6 +22,7 @@
084_customize_apxs.patch
085_mod_cache_partial_content-2.2.x.patch
086_upstream_trunk_bugfixes.patch
+087_mod_negotiation_CVE-2012-2687.patch
201_build_suexec-custom
# The patch below must not be applied by quilt at extraction time. It depends
# on some script-fu to be executed before. Have a look
--
Debian packaging for apache2