[SCM] Debian packaging for apache2 branch, master, updated. debian/2.4.4-6-15-gafc5456

Arno Töll arno at debian.org
Sat Jul 20 12:24:17 UTC 2013


The following commit has been merged in the master branch:
commit 44fab9a6fb56a08441ab003626a24f4da59109bd
Author: Arno Töll <arno at debian.org>
Date:   Sat Jul 20 13:13:23 2013 +0200

    Add DAV MERGE patch provided by Marc Deslauriers (Closes 717272)

diff --git a/debian/changelog b/debian/changelog
index 9ab3e7d..8010cce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-apache2 (2.4.4-7) UNRELEASED; urgency=low
+apache2 (2.4.4-7) unstable; urgency=low
 
   [ Arno Töll ]
   * Document our security model in our NEWS file and highlight we do not allow
@@ -10,13 +10,15 @@ apache2 (2.4.4-7) UNRELEASED; urgency=low
   * Mention that the dh_apache2 conditional must be present in postrm too (Closes: #716694)
   * Fix "dh_apache2 ignores alternative httpd on conf files" by correctly
     checking the supplied arguments, we were off by one (Closes: #717299).
+  * CVE-2013-1896: Add patch provided by Marc Deslauriers to fix a denial of service via MERGE
+    request (Closes: #717272)
 
   [ Stefan Fritsch ]
   * Don't fail package upgrade or removal just because the configuration is in
-    an inconsistent state. Closes: #716921
+    an inconsistent state (Closes: #716921, #717343).
   * Improve error output of init script.
 
- -- Arno Töll <arno at debian.org>  Sat, 20 Jul 2013 12:37:31 +0200
+ -- Arno Töll <arno at debian.org>  Sat, 20 Jul 2013 13:26:50 +0200
 
 apache2 (2.4.4-6) unstable; urgency=low
 
diff --git a/debian/patches/CVE-2013-1896.patch b/debian/patches/CVE-2013-1896.patch
new file mode 100644
index 0000000..be07788
--- /dev/null
+++ b/debian/patches/CVE-2013-1896.patch
@@ -0,0 +1,32 @@
+Description: fix denial of service via MERGE request
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1486461
+
+Index: apache2-2.4.4/modules/dav/main/mod_dav.c
+===================================================================
+--- apache2-2.4.4.orig/modules/dav/main/mod_dav.c	2011-12-04 19:08:01.000000000 -0500
++++ apache2-2.4.4/modules/dav/main/mod_dav.c	2013-07-18 11:20:33.353180556 -0400
+@@ -707,6 +707,12 @@
+ 
+     conf = ap_get_module_config(r->per_dir_config, &dav_module);
+     /* assert: conf->provider != NULL */
++    if (conf->provider == NULL) {
++        return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0,
++                             apr_psprintf(r->pool,
++				          "DAV not enabled for %s",
++					  ap_escape_html(r->pool, r->uri)));
++    }
+ 
+     /* resolve the resource */
+     err = (*conf->provider->repos->get_resource)(r, conf->dir,
+@@ -2683,11 +2689,6 @@
+                                   "Destination URI had an error.");
+     }
+ 
+-    if (dav_get_provider(lookup.rnew) == NULL) {
+-        return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED,
+-                                  "DAV not enabled for Destination URI.");
+-    }
+-
+     /* Resolve destination resource */
+     err = dav_get_resource(lookup.rnew, 0 /* label_allowed */,
+                            0 /* use_checked_in */, &resnew);
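Review bot: the second nested hunk (at -2683) drops the MERGE handler's own "DAV not enabled for Destination URI" check on the assumption that the new NULL-provider test in the first nested hunk (at -707) is reached for every call to dav_get_resource; the first hunk's header carries no function context, so please confirm in mod_dav.c that line 707 is inside dav_get_resource and not an earlier helper, otherwise the MERGE path loses its guard without gaining the new one. Two smaller points in the same file: the continuation lines of the apr_psprintf call use tabs while the surrounding code uses spaces, and the DEP-3 header has Description and Origin but no "Bug-Debian: http://bugs.debian.org/717272" or "Last-Update:" line, which the changelog entry otherwise provides.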
diff --git a/debian/patches/series b/debian/patches/series
index 7ac3cd6..fdb9562 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@ itk-fix-htaccess-reads-for-persistent-connections.patch
 itk-rerun-configure.patch
 upstream-fixes
 allow-strtoul.patch
+CVE-2013-1896.patch

-- 
Debian packaging for apache2
