[apache2] 04/08: CVE-2018-1283: Tampering of mod_session data for CGI applications

Stefan Fritsch sf at moszumanska.debian.org
Sat Mar 31 09:17:25 UTC 2018 

This is an automated email from the git hooks/post-receive script.

sf pushed a commit to branch stretch
in repository apache2.

commit 9f7b28004ac897ccbe02328d57af2370ca0857ee
Author: Stefan Fritsch <sf at sfritsch.de>
Date:   Fri Mar 30 16:13:47 2018 +0200

    CVE-2018-1283: Tampering of mod_session data for CGI applications
---
 debian/changelog                              |  1 +
 debian/patches/CVE-2018-1283-mod_session.diff | 25 +++++++++++++++++++++++++
 debian/patches/series                         |  1 +
 3 files changed, 27 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 27a4c5b..6a476d0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,7 @@ apache2 (2.4.25-3+deb9u4) UNRELEASED; urgency=medium
     the input string only, excluding matching the end of any embedded
     newline characters. Behavior can be changed with new directive
     'RegexDefaultOptions'.
+  * CVE-2018-1283: Tampering of mod_session data for CGI applications.
 
  -- Stefan Fritsch <sf at debian.org>  Fri, 30 Mar 2018 16:01:25 +0200
 
diff --git a/debian/patches/CVE-2018-1283-mod_session.diff b/debian/patches/CVE-2018-1283-mod_session.diff
new file mode 100644
index 0000000..4a41895
--- /dev/null
+++ b/debian/patches/CVE-2018-1283-mod_session.diff
@@ -0,0 +1,25 @@
+# CVE-2018-1283
+# https://svn.apache.org/r1824477
+--- apache2.orig/modules/session/mod_session.c
++++ apache2/modules/session/mod_session.c
+@@ -510,12 +510,15 @@ static int session_fixups(request_rec *
+      */
+     ap_session_load(r, &z);
+ 
+-    if (z && conf->env) {
+-        session_identity_encode(r, z);
+-        if (z->encoded) {
+-            apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded);
+-            z->encoded = NULL;
++    if (conf->env) {
++        if (z) {
++            session_identity_encode(r, z);
++            if (z->encoded) {
++                apr_table_set(r->subprocess_env, HTTP_SESSION, z->encoded);
++                z->encoded = NULL;
++            }
+         }
++        apr_table_unset(r->headers_in, "Session");
+     }
+ 
+     return OK;
diff --git a/debian/patches/series b/debian/patches/series
index da10a42..7f21218 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -21,3 +21,4 @@ CVE-2017-9788-mod_auth_digest.diff
 core-Disallow-Methods-registration-at-run-time-.htac.patch
 CVE-2017-15710-mod_authnz_ldap.diff
 CVE-2017-15715-regex-line-endings.diff
+CVE-2018-1283-mod_session.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git

More information about the Pkg-apache-commits mailing list