[apache2] 03/05: tweaks for 2.4.25

Stefan Fritsch sf at moszumanska.debian.org
Wed Dec 21 23:09:04 UTC 2016



sf pushed a commit to branch master
in repository apache2.

commit 76380918b81ccaca788e5d8c5f7be91305522222
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Wed Dec 21 23:24:49 2016 +0100

    tweaks for 2.4.25
    
    * add changelog entry
    * remove obsolete patch CVE-2016-5387.patch
    * refresh other patches
---
 debian/changelog                          | 27 +++++++++++++++++++++++++++
 debian/patches/CVE-2016-5387.patch        | 17 -----------------
 debian/patches/build_suexec-custom.patch  | 12 ++++++------
 debian/patches/fhs_compliance.patch       |  4 ++--
 debian/patches/series                     |  1 -
 debian/patches/suexec-CVE-2007-1742.patch |  6 +++---
 6 files changed, 38 insertions(+), 29 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 46674d9..553ea30 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,30 @@
+apache2 (2.4.25-1) UNRELEASED; urgency=medium
+
+  [ New upstream release ]
+  * Security: CVE-2016-0736:
+    mod_session_crypto: Authenticate the session data/cookie with a MAC to
+    prevent deciphering or tampering with a padding oracle attack.
+  * Security: CVE-2016-2161:
+    mod_auth_digest: Prevent segfaults during client entry allocation when the
+    shared memory space is exhausted.
+  * Security: CVE-2016-5387:
+    Mitigate [f]cgi "httpoxy" issues.
+  * Security: CVE-2016-8740:
+    mod_http2: Mitigate DoS memory exhaustion via endless CONTINUATION frames.
+    Closes: #847124
+  * Security: CVE-2016-8743:
+    Enforce HTTP request grammar corresponding to RFC7230 for request lines
+    and request headers, to prevent response splitting and cache pollution by
+    malicious clients or downstream proxies.
+  * The stricter HTTP enforcement may cause compatibility problems with
+    non-conforming clients. Fine-tuning is possible with the new
+    HttpProtocolOptions directive.
+  * mpm_event: Fix "scoreboard full" errors. Closes: #834708 LP: #1466926
+  * mod_http2: Many fixes and support for early pushes using the new
+    H2PushResource directive.
+
+ -- Stefan Fritsch <sf at debian.org>  Wed, 21 Dec 2016 23:06:49 +0100
+
 apache2 (2.4.23-8) unstable; urgency=medium
 
   * Move the mod_ssl_openssl.h header and the dependency on libssl-dev to a
diff --git a/debian/patches/CVE-2016-5387.patch b/debian/patches/CVE-2016-5387.patch
deleted file mode 100644
index 7badf02..0000000
--- a/debian/patches/CVE-2016-5387.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- apache2.orig/server/util_script.c
-+++ apache2/server/util_script.c
-@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
-         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
-             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
-         }
-+        /* HTTP_PROXY collides with a popular envvar used to configure
-+         * proxies, don't let clients set/override it.  But, if you must...
-+         */
-+#ifndef SECURITY_HOLE_PASS_PROXY
-+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
-+            ;
-+        }
-+#endif
-         /*
-          * You really don't want to disable this check, since it leaves you
-          * wide open to CGIs stealing passwords and people viewing them
diff --git a/debian/patches/build_suexec-custom.patch b/debian/patches/build_suexec-custom.patch
index 13d0b5a..7069486 100644
--- a/debian/patches/build_suexec-custom.patch
+++ b/debian/patches/build_suexec-custom.patch
@@ -2,9 +2,9 @@ Description: add suexec-custom to the build system
 Forwarded: not-needed
 Author: Stefan Fritsch <sf at debian.org>
 Last-Update: 2012-02-25
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -239,14 +239,16 @@
+--- apache2.orig/Makefile.in
++++ apache2/Makefile.in
+@@ -260,14 +260,16 @@ install-man:
  	fi
  
  install-suexec:
@@ -25,8 +25,8 @@ Last-Update: 2012-02-25
  
  x-local-distclean:
  	@rm -rf autom4te.cache
---- a/support/Makefile.in
-+++ b/support/Makefile.in
+--- apache2.orig/support/Makefile.in
++++ apache2/support/Makefile.in
 @@ -1,7 +1,7 @@
  DISTCLEAN_TARGETS = apxs apachectl dbmmanage log_server_status \
  	logresolve.pl phf_abuse_log.cgi split-logfile envvars-std
@@ -36,7 +36,7 @@ Last-Update: 2012-02-25
  
  bin_PROGRAMS = htpasswd htdigest htdbm ab logresolve httxt2dbm
  sbin_PROGRAMS = htcacheclean rotatelogs $(NONPORTABLE_SUPPORT)
-@@ -72,9 +72,13 @@
+@@ -72,9 +72,13 @@ checkgid_OBJECTS = checkgid.lo
  checkgid: $(checkgid_OBJECTS)
  	$(LINK) $(checkgid_LTFLAGS) $(checkgid_OBJECTS) $(PROGRAM_LDADD)
  
diff --git a/debian/patches/fhs_compliance.patch b/debian/patches/fhs_compliance.patch
index af5125a..145ee99 100644
--- a/debian/patches/fhs_compliance.patch
+++ b/debian/patches/fhs_compliance.patch
@@ -6,7 +6,7 @@ Index: apache2/configure
 ===================================================================
 --- apache2.orig/configure
 +++ apache2/configure
-@@ -33031,17 +33031,17 @@ ap_prefix="${ap_cur}"
+@@ -36453,17 +36453,17 @@ ap_prefix="${ap_cur}"
  
  
  cat >>confdefs.h <<_ACEOF
@@ -31,7 +31,7 @@ Index: apache2/configure.in
 ===================================================================
 --- apache2.orig/configure.in
 +++ apache2/configure.in
-@@ -826,11 +826,11 @@ rm -f modules.c
+@@ -834,11 +834,11 @@ rm -f modules.c
  echo $MODLIST | $AWK -f $srcdir/build/build-modules-c.awk > modules.c
  
  APR_EXPAND_VAR(ap_prefix, $prefix)
diff --git a/debian/patches/series b/debian/patches/series
index 6c75e38..4a1b914 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,4 +9,3 @@ reproducible_builds.diff
 #suexec-custom.patch
 
 fix_logresolve_segfault.patch
-CVE-2016-5387.patch
diff --git a/debian/patches/suexec-CVE-2007-1742.patch b/debian/patches/suexec-CVE-2007-1742.patch
index 5655522..a667936 100644
--- a/debian/patches/suexec-CVE-2007-1742.patch
+++ b/debian/patches/suexec-CVE-2007-1742.patch
@@ -14,7 +14,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
  
  #include <stdio.h>
  #include <stdarg.h>
-@@ -256,11 +257,12 @@ int main(int argc, char *argv[])
+@@ -257,11 +258,12 @@ int main(int argc, char *argv[])
      char *actual_gname;     /* actual group name         */
      char *cmd;              /* command to be executed    */
      char cwd[AP_MAXPATH];   /* current working directory */
@@ -28,7 +28,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
  
      /*
       * Start with a "clean" environment
-@@ -502,11 +504,16 @@ int main(int argc, char *argv[])
+@@ -503,11 +505,16 @@ int main(int argc, char *argv[])
          exit(111);
      }
  
@@ -46,7 +46,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=44752
              log_err("cannot get docroot information (%s)\n", target_homedir);
              exit(112);
          }
-@@ -514,12 +521,16 @@ int main(int argc, char *argv[])
+@@ -515,12 +522,16 @@ int main(int argc, char *argv[])
      else {
          if (((chdir(AP_DOC_ROOT)) != 0) ||
              ((getcwd(dwd, AP_MAXPATH)) == NULL) ||
