[SCM] Debian packaging for apache2 branch, master, updated. debian/2.2.22-12-3-g087b370
Stefan Fritsch
sf at sfritsch.de
Sat Feb 23 11:00:28 UTC 2013
The following commit has been merged in the master branch:
commit 844e790a9784c2204c43717a0c2e564ee8ab1397
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Sat Feb 23 11:51:01 2013 +0100
CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
diff --git a/debian/changelog b/debian/changelog
index 8d5cf12..23a9c34 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,9 @@
apache2 (2.2.22-13) UNRELEASED; urgency=low
+ [ Stefan Fritsch ]
+ * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
+
+ [ Arno Töll ]
* Document APACHE_ARGUMENTS in envvars (Closes: #693299)
-- Arno Töll <arno at debian.org> Fri, 16 Nov 2012 01:07:59 +0100
diff --git a/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch b/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch
new file mode 100644
index 0000000..b801753
--- /dev/null
+++ b/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch
@@ -0,0 +1,204 @@
+# http://svn.apache.org/viewvc?view=revision&revision=r1447390
+#
+# *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+# Various XSS flaws due to unescaped hostnames and URIs HTML output in
+# mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+# [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+#
+# *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+# XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+# Niels Heinen <heinenn google com>]
+Index: apache2/modules/ldap/util_ldap_cache_mgr.c
+===================================================================
+--- apache2.orig/modules/ldap/util_ldap_cache_mgr.c
++++ apache2/modules/ldap/util_ldap_cache_mgr.c
+@@ -541,7 +541,7 @@
+ if (id) {
+ buf2 = apr_psprintf(p,
+ "<a href=\"%s?%s\">%s</a>",
+- r->uri,
++ ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri)),
+ id,
+ name);
+ }
+Index: apache2/modules/proxy/mod_proxy_balancer.c
+===================================================================
+--- apache2.orig/modules/proxy/mod_proxy_balancer.c
++++ apache2/modules/proxy/mod_proxy_balancer.c
+@@ -818,7 +818,8 @@
+ ap_rputs(DOCTYPE_HTML_3_2
+ "<html><head><title>Balancer Manager</title></head>\n", r);
+ ap_rputs("<body><h1>Load Balancer Manager for ", r);
+- ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
++ ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)),
++ "</h1>\n\n", NULL);
+ ap_rvputs(r, "<dl><dt>Server Version: ",
+ ap_get_server_description(), "</dt>\n", NULL);
+ ap_rvputs(r, "<dt>Server Built: ",
+@@ -853,7 +854,8 @@
+ worker = (proxy_worker *)balancer->workers->elts;
+ for (n = 0; n < balancer->workers->nelts; n++) {
+ char fbuf[50];
+- ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=",
++ ap_rvputs(r, "<tr>\n<td><a href=\"",
++ ap_escape_uri(r->pool, r->uri), "?b=",
+ balancer->name + sizeof("balancer://") - 1, "&w=",
+ ap_escape_uri(r->pool, worker->name),
+ "&nonce=", balancer_nonce,
+@@ -894,7 +896,7 @@
+ ap_rputs("<h3>Edit worker settings for ", r);
+ ap_rvputs(r, wsel->name, "</h3>\n", NULL);
+ ap_rvputs(r, "<form method=\"GET\" action=\"", NULL);
+- ap_rvputs(r, r->uri, "\">\n<dl>", NULL);
++ ap_rvputs(r, ap_escape_uri(r->pool, r->uri), "\">\n<dl>", NULL);
+ ap_rputs("<table><tr><td>Load factor:</td><td><input name=\"lf\" type=text ", r);
+ ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbfactor);
+ ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\" type=text ", r);
+Index: apache2/modules/proxy/mod_proxy_ftp.c
+===================================================================
+--- apache2.orig/modules/proxy/mod_proxy_ftp.c
++++ apache2/modules/proxy/mod_proxy_ftp.c
+@@ -365,7 +365,9 @@
+ " </head>\n"
+ " <body>\n <h2>Directory of "
+ "<a href=\"/\">%s</a>/%s",
+- site, basedir, escpath, site, basedir, escpath, site, str);
++ ap_escape_html(p, site), basedir, escpath,
++ ap_escape_uri(p, site), basedir, escpath,
++ ap_escape_uri(p, site), str);
+
+ APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str, strlen(str),
+ p, c->bucket_alloc));
+Index: apache2/modules/mappers/mod_imagemap.c
+===================================================================
+--- apache2.orig/modules/mappers/mod_imagemap.c
++++ apache2/modules/mappers/mod_imagemap.c
+@@ -320,7 +320,7 @@
+ /*
+ * returns the mapped URL or NULL.
+ */
+-static char *imap_url(request_rec *r, const char *base, const char *value)
++static const char *imap_url(request_rec *r, const char *base, const char *value)
+ {
+ /* translates a value into a URL. */
+ int slen, clen;
+@@ -342,7 +342,7 @@
+ if (!strcasecmp(value, "referer")) {
+ referer = apr_table_get(r->headers_in, "Referer");
+ if (referer && *referer) {
+- return ap_escape_html(r->pool, referer);
++ return referer;
+ }
+ else {
+ /* XXX: This used to do *value = '\0'; ... which is totally bogus
+@@ -459,7 +459,7 @@
+ return my_base;
+ }
+
+-static int imap_reply(request_rec *r, char *redirect)
++static int imap_reply(request_rec *r, const char *redirect)
+ {
+ if (!strcasecmp(redirect, "error")) {
+ /* they actually requested an error! */
+@@ -523,42 +523,52 @@
+ 'formatted' form */
+ }
+
+-static void menu_default(request_rec *r, char *menu, char *href, char *text)
++static void menu_default(request_rec *r, const char *menu, const char *href, const char *text)
+ {
++ char *ehref, *etext;
+ if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
+ return; /* don't print such lines, these aren't
+ really href's */
+ }
++
++ ehref = ap_escape_uri(r->pool, href);
++ etext = ap_escape_html(r->pool, text);
++
+ if (!strcasecmp(menu, "formatted")) {
+- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
++ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
+ "</a></pre>\n", NULL);
+ }
+ if (!strcasecmp(menu, "semiformatted")) {
+- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
++ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
+ "</a></pre>\n", NULL);
+ }
+ if (!strcasecmp(menu, "unformatted")) {
+- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
++ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
+ }
+ return;
+ }
+
+-static void menu_directive(request_rec *r, char *menu, char *href, char *text)
++static void menu_directive(request_rec *r, const char *menu, const char *href, const char *text)
+ {
++ char *ehref, *etext;
+ if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
+ return; /* don't print such lines, as this isn't
+ really an href */
+ }
++
++ ehref = ap_escape_uri(r->pool, href);
++ etext = ap_escape_html(r->pool, text);
++
+ if (!strcasecmp(menu, "formatted")) {
+- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text,
++ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext,
+ "</a></pre>\n", NULL);
+ }
+ if (!strcasecmp(menu, "semiformatted")) {
+- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text,
++ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext,
+ "</a></pre>\n", NULL);
+ }
+ if (!strcasecmp(menu, "unformatted")) {
+- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
++ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
+ }
+ return;
+ }
+@@ -574,9 +584,9 @@
+ char *directive;
+ char *value;
+ char *href_text;
+- char *base;
+- char *redirect;
+- char *mapdflt;
++ const char *base;
++ const char *redirect;
++ const char *mapdflt;
+ char *closest = NULL;
+ double closest_yet = -1;
+ apr_status_t status;
+Index: apache2/modules/generators/mod_status.c
+===================================================================
+--- apache2.orig/modules/generators/mod_status.c
++++ apache2/modules/generators/mod_status.c
+@@ -409,7 +409,8 @@
+ "<html><head>\n<title>Apache Status</title>\n</head><body>\n",
+ r);
+ ap_rputs("<h1>Apache Server Status for ", r);
+- ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
++ ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)),
++ "</h1>\n\n", NULL);
+ ap_rvputs(r, "<dl><dt>Server Version: ",
+ ap_get_server_description(), "</dt>\n", NULL);
+ ap_rvputs(r, "<dt>Server Built: ",
+Index: apache2/modules/generators/mod_info.c
+===================================================================
+--- apache2.orig/modules/generators/mod_info.c
++++ apache2/modules/generators/mod_info.c
+@@ -371,7 +371,8 @@
+ MODULE_MAGIC_NUMBER_MINOR);
+ ap_rprintf(r,
+ "<dt><strong>Hostname/port:</strong> "
+- "<tt>%s:%u</tt></dt>\n", ap_get_server_name(r),
++ "<tt>%s:%u</tt></dt>\n",
++ ap_escape_html(r->pool, ap_get_server_name(r)),
+ ap_get_server_port(r));
+ ap_rprintf(r,
+ "<dt><strong>Timeouts:</strong> "
diff --git a/debian/patches/series b/debian/patches/series
index e7b9b3f..89c016a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -33,3 +33,4 @@
dbmmanage-perl-510.patch
SSLProtocol-tls11-12.2.patch
disable-ssl-compression.patch
+CVE-2012-3499_CVE-2012-4558_XSS.patch
--
Debian packaging for apache2
More information about the Pkg-apache-commits
mailing list