[apache2] 01/01: Import 2.4.10-10+deb8u11 security update

Stefan Fritsch sf at moszumanska.debian.org
Mon Oct 2 07:33:06 UTC 2017


This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch jessie
in repository apache2.

commit bcac165237f5b9968eb24bb82dc66271250f86ef
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Mon Oct 2 09:32:04 2017 +0200

    Import 2.4.10-10+deb8u11 security update
---
 debian/changelog                                   |  8 ++++++
 ...ow-Methods-registration-at-run-time-.htac.patch | 30 ++++++++++++++++++++++
 debian/patches/series                              |  2 ++
 3 files changed, 40 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 398fee2..ebb3e4e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.4.10-10+deb8u11) jessie-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
+    (Closes: #876109)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Tue, 19 Sep 2017 21:08:12 +0200
+
 apache2 (2.4.10-10+deb8u10) jessie-security; urgency=medium
 
   * CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory
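Review bot: The new changelog entry (the `+  * CVE-2017-9798` line) names the CVE but not the user-visible behaviour change that ships with it: after this upload, a .htaccess directive that names an HTTP method not registered at server start (the "limiting unregistered HTTP method" case, i.e. the Limit/LimitExcept handler going by that wording and the `cmd->cmd->name` in the patched error string) is rejected with a configuration error instead of being silently accepted, so directories whose .htaccess relied on that will stop serving after the upgrade. Suggest extending the entry, or adding a debian/NEWS note, along the lines of the upstream subject line in the patch, e.g. `Methods used in .htaccess must now be registered at init time (httpd.conf)`, so administrators hit by the change can connect the error log message to this update.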
diff --git a/debian/patches/core-Disallow-Methods-registration-at-run-time-.htac.patch b/debian/patches/core-Disallow-Methods-registration-at-run-time-.htac.patch
new file mode 100644
index 0000000..b6cd812
--- /dev/null
+++ b/debian/patches/core-Disallow-Methods-registration-at-run-time-.htac.patch
@@ -0,0 +1,30 @@
+From: Yann Ylavic <ylavic at apache.org>
+Date: Thu, 7 Sep 2017 22:43:41 +0000
+Subject: core: Disallow Methods' registration at run time (.htaccess), they
+ may be used only if registered at init time (httpd.conf).
+Origin: https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9
+Bug-Debian: https://bugs.debian.org/876109
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9798
+
+Calling ap_method_register() in children processes is not the right scope
+since it won't be shared for all requests.
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68
+---
+
+--- a/server/core.c
++++ b/server/core.c
+@@ -2056,6 +2056,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_
+             /* method has not been registered yet, but resorce restriction
+              * is always checked before method handling, so register it.
+              */
++            if (cmd->pool == cmd->temp_pool) {
++                /* In .htaccess, we can't globally register new methods. */
++                return apr_psprintf(cmd->pool, "Could not register method '%s' "
++                                   "for %s from .htaccess configuration",
++                                    method, cmd->cmd->name);
++            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+         }
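Review bot: The `cmd->pool == cmd->temp_pool` comparison on the new `if` line is the only thing that distinguishes .htaccess from httpd.conf here, and neither the hunk nor the patch header says why the two pools are identical in the .htaccess case; a one-line comment stating that invariant next to the existing `/* In .htaccess, we can't globally register new methods. */` would spare the next backporter from rediscovering the idiom, and a pointer to the place in the source that makes them equal would let a reviewer verify the check is not also true in some non-.htaccess context. The error string also tells the admin what was refused but not the remedy the subject line gives (methods "may be used only if registered at init time (httpd.conf)"); since this string is what lands in the error log when a previously working .htaccess stops loading, consider appending that remedy, e.g. `"; register it in the main server configuration"`, to the message. Minor style nit: the continuation line `"for %s from .htaccess configuration",` and the argument line `method, cmd->cmd->name);` are indented by one column different from each other.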
diff --git a/debian/patches/series b/debian/patches/series
index c600844..de921ce 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,3 +30,5 @@ CVE-2017-3169.diff
 CVE-2017-7668.diff
 CVE-2017-7679.diff
 CVE-2017-9788-mod_auth_digest.diff
+
+core-Disallow-Methods-registration-at-run-time-.htac.patch
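Review bot: The added entry departs from two conventions visible in the surrounding lines: it is preceded by an empty line (the lone `+` line) where the rest of the series is contiguous, and it is the only security patch in this block not named after its CVE (its neighbours are `CVE-2017-7679.diff` and `CVE-2017-9788-mod_auth_digest.diff`). Suggest dropping the blank line and naming the file in the `CVE-2017-9798-*` pattern (renaming the patch added above to match), so that a later `grep CVE-2017-9798 debian/patches/series` finds it without having to open the DEP-3 header.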

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git


