[apache2] 03/05: tweaks for 2.4.25
Stefan Fritsch
sf at moszumanska.debian.org
Wed Dec 21 23:09:04 UTC 2016
sf pushed a commit to branch master
in repository apache2.
commit 76380918b81ccaca788e5d8c5f7be91305522222
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Wed Dec 21 23:24:49 2016 +0100
tweaks for 2.4.25
* add changelog entry
* remove CVE-2016-5387.patch (httpoxy): obsolete now that the same fix is shipped in upstream 2.4.25
* refresh other patches
---
debian/changelog | 27 +++++++++++++++++++++++++++
debian/patches/CVE-2016-5387.patch | 17 -----------------
debian/patches/build_suexec-custom.patch | 12 ++++++------
debian/patches/fhs_compliance.patch | 4 ++--
debian/patches/series | 1 -
debian/patches/suexec-CVE-2007-1742.patch | 6 +++---
6 files changed, 38 insertions(+), 29 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 46674d9..553ea30 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,30 @@
+apache2 (2.4.25-1) UNRELEASED; urgency=medium
+
+ [ New upstream release ]
+ * Security: CVE-2016-0736:
+ mod_session_crypto: Authenticate the session data/cookie with a MAC to
+ prevent deciphering or tampering with a padding oracle attack.
+ * Security: CVE-2016-2161:
+ mod_auth_digest: Prevent segfaults during client entry allocation when the
+ shared memory space is exhausted.
+ * Security: CVE-2016-5387:
+ Mitigate [f]cgi "httpoxy" issues.
+ * Security: CVE-2016-8740:
+ mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
+ Closes: #847124
+ * Security: CVE-2016-8743:
+ Enforce HTTP request grammar corresponding to RFC7230 for request lines
+ and request headers, to prevent response splitting and cache pollution by
+ malicious clients or downstream proxies.
+ * The stricter HTTP enforcement may cause compatibility problems with
+ non-conforming clients. Fine-tuning is possible with the new
+ HttpProtocolOptions directive.
+ * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
+ * mod_http2: Many fixes and support for early pushes using the new
+ H2PushResource directive.
+
+ -- Stefan Fritsch <sf at debian.org> Wed, 21 Dec 2016 23:06:49 +0100
+
apache2 (2.4.23-8) unstable; urgency=medium
* Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
diff --git a/debian/patches/CVE-2016-5387.patch b/debian/patches/CVE-2016-5387.patch
deleted file mode 100644
index 7badf02..0000000
--- a/debian/patches/CVE-2016-5387.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- apache2.orig/server/util_script.c
-+++ apache2/server/util_script.c
-@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
- else if (!strcasecmp(hdrs[i].key, "Content-length")) {
- apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
- }
-+ /* HTTP_PROXY collides with a popular envvar used to configure
-+ * proxies, don't let clients set/override it. But, if you must...
-+ */
-+#ifndef SECURITY_HOLE_PASS_PROXY
-+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+ ;
-+ }
-+#endif
- /*
- * You really don't want to disable this check, since it leaves you
- * wide open to CGIs stealing passwords and people viewing them
diff --git a/debian/patches/build_suexec-custom.patch b/debian/patches/build_suexec-custom.patch
index 13d0b5a..7069486 100644
--- a/debian/patches/build_suexec-custom.patch
+++ b/debian/patches/build_suexec-custom.patch
@@ -2,9 +2,9 @@ Description: add suexec-custom to the build system
Forwarded: not-needed
Author: Stefan Fritsch <sf at debian.org>
Last-Update: 2012-02-25
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -239,14 +239,16 @@
+--- apache2.orig/Makefile.in
++++ apache2/Makefile.in
+@@ -260,14 +260,16 @@ install-man:
fi
install-suexec:
@@ -25,8 +25,8 @@ Last-Update: 2012-02-25
x-local-distclean:
@rm -rf autom4te.cache
---- a/support/Makefile.in
-+++ b/support/Makefile.in
+--- apache2.orig/support/Makefile.in
++++ apache2/support/Makefile.in
@@ -1,7 +1,7 @@
DISTCLEAN_TARGETS = apxs apachectl dbmmanage log_server_status \
logresolve.pl phf_abuse_log.cgi split-logfile envvars-std
@@ -36,7 +36,7 @@ Last-Update: 2012-02-25
bin_PROGRAMS = htpasswd htdigest htdbm ab logresolve httxt2dbm
sbin_PROGRAMS = htcacheclean rotatelogs $(NONPORTABLE_SUPPORT)
-@@ -72,9 +72,13 @@
+@@ -72,9 +72,13 @@ checkgid_OBJECTS = checkgid.lo
checkgid: $(checkgid_OBJECTS)
$(LINK) $(checkgid_LTFLAGS) $(checkgid_OBJECTS) $(PROGRAM_LDADD)
diff --git a/debian/patches/fhs_compliance.patch b/debian/patches/fhs_compliance.patch
index af5125a..145ee99 100644
--- a/debian/patches/fhs_compliance.patch
+++ b/debian/patches/fhs_compliance.patch
@@ -6,7 +6,7 @@ Index: apache2/configure
===================================================================
--- apache2.orig/configure
+++ apache2/configure
-@@ -33031,17 +33031,17 @@ ap_prefix="${ap_cur}"
+@@ -36453,17 +36453,17 @@ ap_prefix="${ap_cur}"
cat >>confdefs.h <<_ACEOF
@@ -31,7 +31,7 @@ Index: apache2/configure.in
===================================================================
--- apache2.orig/configure.in
+++ apache2/configure.in
-@@ -826,11 +826,11 @@ rm -f modules.c
+@@ -834,11 +834,11 @@ rm -f modules.c
echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c
APR_EXPAND_VAR(ap_prefix, $prefix)
diff --git a/debian/patches/series b/debian/patches/series
index 6c75e38..4a1b914 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,4 +9,3 @@ reproducible_builds.diff
#suexec-custom.patch
fix_logresolve_segfault.patch
-CVE-2016-5387.patch
diff --git a/debian/patches/suexec-CVE-2007-1742.patch b/debian/patches/suexec-CVE-2007-1742.patch
index 5655522..a667936 100644
--- a/debian/patches/suexec-CVE-2007-1742.patch
+++ b/debian/patches/suexec-CVE-2007-1742.patch
@@ -14,7 +14,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
#include <stdio.h>
#include <stdarg.h>
-@@ -256,11 +257,12 @@ int main(int argc, char *argv[])
+@@ -257,11 +258,12 @@ int main(int argc, char *argv[])
char *actual_gname; /* actual group name */
char *cmd; /* command to be executed */
char cwd[AP_MAXPATH]; /* current working directory */
@@ -28,7 +28,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
/*
* Start with a "clean" environment
-@@ -502,11 +504,16 @@ int main(int argc, char *argv[])
+@@ -503,11 +505,16 @@ int main(int argc, char *argv[])
exit(111);
}
@@ -46,7 +46,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
log_err("cannot get docroot information (%s)\n", target_homedir);
exit(112);
}
-@@ -514,12 +521,16 @@ int main(int argc, char *argv[])
+@@ -515,12 +522,16 @@ int main(int argc, char *argv[])
else {
if (((chdir(AP_DOC_ROOT)) != 0) ||
((getcwd(dwd, AP_MAXPATH)) == NULL) ||