[apache2] 01/02: Add mitigation for HTTP_PROXY envvar issue
Stefan Fritsch
sf at moszumanska.debian.org
Thu Jul 21 21:17:47 UTC 2016
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch jessie
in repository apache2.
commit 114720a122839b8d735e7fe01ca30a8108b8677e
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Wed Jul 20 08:43:31 2016 +0200
Add mitigation for HTTP_PROXY envvar issue
---
debian/changelog | 9 +++++++++
debian/patches/CVE-2016-5387.patch | 17 +++++++++++++++++
debian/patches/series | 1 +
3 files changed, 27 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3396876..2ee2e0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+apache2 (2.4.10-10+deb8u5) jessie-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
+ request header.
+ Don't pass through HTTP_PROXY in server/util_script.c
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Wed, 20 Jul 2016 06:50:37 +0200
+
apache2 (2.4.10-10+deb8u4) jessie; urgency=medium
* Add versioned replaces/breaks for libapache2-mod-macro to apache2,
diff --git a/debian/patches/CVE-2016-5387.patch b/debian/patches/CVE-2016-5387.patch
new file mode 100644
index 0000000..afc3b5f
--- /dev/null
+++ b/debian/patches/CVE-2016-5387.patch
@@ -0,0 +1,17 @@
+--- a/server/util_script.c
++++ b/server/util_script.c
+@@ -180,6 +180,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
diff --git a/debian/patches/series b/debian/patches/series
index dc0983a..cdbc019 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,4 @@ define_restarts.diff
mpm_event_graceful_restart_deadlock.diff
mpm_event_crash.diff
split_logfile-strict.patch
+CVE-2016-5387.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git
More information about the Pkg-apache-commits
mailing list