[apache2] 01/02: Add mitigation for HTTP_PROXY envvar issue

Stefan Fritsch sf at moszumanska.debian.org
Thu Jul 21 21:17:47 UTC 2016


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch jessie
in repository apache2.

commit 114720a122839b8d735e7fe01ca30a8108b8677e
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Wed Jul 20 08:43:31 2016 +0200

    Add mitigation for HTTP_PROXY envvar issue
---
 debian/changelog                   |  9 +++++++++
 debian/patches/CVE-2016-5387.patch | 17 +++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 27 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 3396876..2ee2e0f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+apache2 (2.4.10-10+deb8u5) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
+    request header.
+    Don't pass through HTTP_PROXY in server/util_script.c
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Wed, 20 Jul 2016 06:50:37 +0200
+
 apache2 (2.4.10-10+deb8u4) jessie; urgency=medium
 
   * Add versioned replaces/breaks for libapache2-mod-macro to apache2,
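Review bot: The CVE-2016-5387 item in the new 2.4.10-10+deb8u5 stanza describes the vulnerability ("Sets environmental variable based on user supplied Proxy request header.") in a way that reads as if it were what this upload does. Lead with the fix instead, for example "CVE-2016-5387: do not pass the client-supplied Proxy request header to scripts as HTTP_PROXY (server/util_script.c)". Since the patch leaves a compile-time opt-out (SECURITY_HOLE_PASS_PROXY), a line here saying the package is built without it would tell admins reading the changelog that the mitigation is actually active.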
diff --git a/debian/patches/CVE-2016-5387.patch b/debian/patches/CVE-2016-5387.patch
new file mode 100644
index 0000000..afc3b5f
--- /dev/null
+++ b/debian/patches/CVE-2016-5387.patch
@@ -0,0 +1,17 @@
+--- a/server/util_script.c
++++ b/server/util_script.c
+@@ -180,6 +180,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them
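Review bot: debian/patches/CVE-2016-5387.patch starts directly at the "--- a/server/util_script.c" line with no header, so the patch file records neither where the change comes from nor what it is for; add a short description and origin above the diff. In the added branch, the empty statement ";" for the "Proxy" key only has an effect because of its position in the else-if chain, where it catches the header before any later branch can handle it. A brief comment inside the body saying the header is dropped on purpose would keep a later refresh or cleanup from removing or reordering the no-op.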
diff --git a/debian/patches/series b/debian/patches/series
index dc0983a..cdbc019 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -18,3 +18,4 @@ define_restarts.diff
 mpm_event_graceful_restart_deadlock.diff
 mpm_event_crash.diff
 split_logfile-strict.patch
+CVE-2016-5387.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git


