[apache2] 01/02: Add mitigation for HTTP_PROXY envvar issue

Stefan Fritsch sf at moszumanska.debian.org
Thu Jul 21 21:26:21 UTC 2016


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch master
in repository apache2.

commit 78f36a97328572ae9d0fb84d6a6c20bc5e0ec80f
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Wed Jul 20 08:43:31 2016 +0200

    Add mitigation for HTTP_PROXY envvar issue
---
 debian/changelog                   |  8 ++++++++
 debian/patches/CVE-2016-5387.patch | 17 +++++++++++++++++
 debian/patches/series              |  1 +
 3 files changed, 26 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index da97fd8..665b690 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.4.23-2) UNRELEASED; urgency=high
+
+  * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
+    request header.
+    Don't pass through HTTP_PROXY in server/util_script.c
+
+ -- Stefan Fritsch <sf at debian.org>  Thu, 21 Jul 2016 23:19:29 +0200
+
 apache2 (2.4.23-1) unstable; urgency=high
 
   * New upstream release
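Review bot: The CVE-2016-5387 bullet in the new 2.4.23-2 entry reads as if the upload itself "Sets environmental variable based on user supplied Proxy request header", which describes the vulnerability rather than the fix. Suggest leading with the action, for example "CVE-2016-5387: Don't pass a client-supplied Proxy request header through as HTTP_PROXY in server/util_script.c", and naming debian/patches/CVE-2016-5387.patch so the entry can be matched to the patch that implements it.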
diff --git a/debian/patches/CVE-2016-5387.patch b/debian/patches/CVE-2016-5387.patch
new file mode 100644
index 0000000..7badf02
--- /dev/null
+++ b/debian/patches/CVE-2016-5387.patch
@@ -0,0 +1,17 @@
+--- apache2.orig/server/util_script.c
++++ apache2/server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them
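Review bot: The new debian/patches/CVE-2016-5387.patch starts directly at "--- apache2.orig/server/util_script.c" with no header, so the file itself records neither a description nor where the change came from. Suggest adding DEP-3 style fields (Description, Origin, and a bug or CVE reference) above the diff. In the added branch, the mitigation works only because the empty ";" statement takes this arm of the else-if chain for a header named "Proxy"; a short comment on that line saying the header is dropped on purpose would keep it from being tidied away later. The SECURITY_HOLE_PASS_PROXY compile-time opt-out is also not mentioned in the changelog entry and deserves a line there.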
diff --git a/debian/patches/series b/debian/patches/series
index 4a1b914..6c75e38 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ reproducible_builds.diff
 #suexec-custom.patch
 
 fix_logresolve_segfault.patch
+CVE-2016-5387.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git


