[apache2] 01/02: Add mitigation for HTTP_PROXY envvar issue
Stefan Fritsch
sf at moszumanska.debian.org
Thu Jul 21 21:26:21 UTC 2016
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch master
in repository apache2.
commit 78f36a97328572ae9d0fb84d6a6c20bc5e0ec80f
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Wed Jul 20 08:43:31 2016 +0200
Add mitigation for HTTP_PROXY envvar issue
---
debian/changelog | 8 ++++++++
debian/patches/CVE-2016-5387.patch | 17 +++++++++++++++++
debian/patches/series | 1 +
3 files changed, 26 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index da97fd8..665b690 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.4.23-2) UNRELEASED; urgency=high
+
+ * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
+ request header.
+ Don't pass through HTTP_PROXY in server/util_script.c
+
+ -- Stefan Fritsch <sf at debian.org> Thu, 21 Jul 2016 23:19:29 +0200
+
apache2 (2.4.23-1) unstable; urgency=high
* New upstream release
diff --git a/debian/patches/CVE-2016-5387.patch b/debian/patches/CVE-2016-5387.patch
new file mode 100644
index 0000000..7badf02
--- /dev/null
+++ b/debian/patches/CVE-2016-5387.patch
@@ -0,0 +1,17 @@
+--- apache2.orig/server/util_script.c
++++ apache2/server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
diff --git a/debian/patches/series b/debian/patches/series
index 4a1b914..6c75e38 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ reproducible_builds.diff
#suexec-custom.patch
fix_logresolve_segfault.patch
+CVE-2016-5387.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git
More information about the Pkg-apache-commits
mailing list