Mailinglist Archive: opensuse-commit (1929 mails)
| < Previous | Next > |
commit apache2 for openSUSE:12.1
- From: root@xxxxxxxxxxxxxxx (h_root)
- Date: Tue, 25 Oct 2011 15:47:26 +0200
- Message-id: <20111025134726.30E48202CE@hilbert.suse.de>
Hello community,
here is the log from the commit of package apache2 for openSUSE:12.1 checked in
at 2011-10-25 15:46:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1/apache2 (Old)
and /work/SRC/openSUSE:12.1/.apache2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2", Maintainer is "draht@xxxxxxxx"
Changes:
--------
--- /work/SRC/openSUSE:12.1/apache2/apache2.changes 2011-10-24
12:27:19.000000000 +0200
+++ /work/SRC/openSUSE:12.1/.apache2.new/apache2.changes 2011-10-25
15:46:59.000000000 +0200
@@ -1,0 +2,13 @@
+Fri Oct 7 17:11:56 CEST 2011 - draht@xxxxxxx
+
+- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff fixes mod_proxy
+ reverse exposure via RewriteRule or ProxyPassMatch directives.
+ This is CVE-2011-3368.
+
+-------------------------------------------------------------------
+Fri Oct 7 14:36:31 UTC 2011 - fcrozat@xxxxxxxx
+
+- Ensure service_add_pre macro is correctly called for
+ openSUSE 12.1 or later.
+
+-------------------------------------------------------------------
New:
----
httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.iLDScW/_old 2011-10-25 15:47:25.000000000 +0200
+++ /var/tmp/diff_new_pack.iLDScW/_new 2011-10-25 15:47:25.000000000 +0200
@@ -136,9 +136,10 @@
Patch102: httpd-keepalivetimeout-millisecs.patch
Patch104: httpd-mod_deflate_head.patch
Patch105: ssl-mode-release-buffers.patch
+Patch106: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
Url: http://httpd.apache.org/
Icon: Apache.xpm
-Summary: The Apache Web Server Version 2.0
+Summary: The Apache Web Server Version 2.2
AutoReqProv: on
Provides: httpd http_daemon %{apache_mmn} suse_help_viewer
Requires: %{pname}-MPM /etc/mime.types
@@ -194,7 +195,7 @@
Apache distribution.
See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and
-http://httpd.apache.org/docs-2.0/upgrading.html.
+http://httpd.apache.org/docs-2.2/upgrading.html.
%if %worker
@@ -288,7 +289,7 @@
%package devel
License: ASLv..
-Summary: Apache 2.0 Header and Include Files
+Summary: Apache 2.2 Header and Include Files
Group: Development/Libraries/C and C++
Requires: %{name} = %{version} %{pname}-MPM
Requires: libapr1-devel libapr-util1-devel
@@ -358,6 +359,7 @@
%patch102
%patch104
%patch105
+%patch106
#
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
#
@@ -1012,19 +1014,18 @@
# | |
#
-# on Fedora, add the "apache" user
-%if %{?suse_version:0}%{!?suse_version:1}
-
%pre
+%if %{?suse_version:0}%{!?suse_version:1}
+# on Fedora, add the "apache" user
if ! /usr/bin/getent passwd %httpduser &>/dev/null; then
echo "Creating %httpduser user"
/usr/sbin/useradd -c "Apache" -u 48 \
-s /sbin/nologin -r -d %{localstatedir} %httpduser 2> /dev/null || :
fi
+%endif
%if 0%{?suse_version} >= 1210
%service_add_pre apache2.service
%endif
-%endif
%preun
%if 0%{?suse_version} >= 1210
++++++ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff ++++++
diff -rNU 20 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c
--- ../httpd-2.2.21-o/server/protocol.c 2011-05-07 13:39:29.000000000 +0200
+++ ./server/protocol.c 2011-10-07 17:10:46.000000000 +0200
@@ -623,40 +623,64 @@
#if 0
/* XXX If we want to keep track of the Method, the protocol module should do
* it. That support isn't in the scoreboard yet. Hopefully next week
* sometime. rbb */
ap_update_connection_status(AP_CHILD_THREAD_FROM_ID(conn->id), "Method",
r->method);
#endif
uri = ap_getword_white(r->pool, &ll);
/* Provide quick information about the request method as soon as known */
r->method_number = ap_method_number_of(r->method);
if (r->method_number == M_GET && r->method[0] == 'H') {
r->header_only = 1;
}
ap_parse_uri(r, uri);
+/*
+
https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&view=patch
+ This is the fix for CVE-2011-3368; via bnc#722545.
+ */
+
+ /* RFC 2616:
+ * Request-URI = "*" | absoluteURI | abs_path | authority
+ *
+ * authority is a special case for CONNECT. If the request is not
+ * using CONNECT, and the parsed URI does not have scheme, and
+ * it does not begin with '/', and it is not '*', then, fail
+ * and give a 400 response. */
+ if (r->method_number != M_CONNECT
+ && !r->parsed_uri.scheme
+ && uri[0] != '/'
+ && !(uri[0] == '*' && uri[1] == '\0')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "invalid request-URI %s", uri);
+ r->args = NULL;
+ r->hostname = NULL;
+ r->status = HTTP_BAD_REQUEST;
+ r->uri = apr_pstrdup(r->pool, uri);
+ }
+
if (ll[0]) {
r->assbackwards = 0;
pro = ll;
len = strlen(ll);
} else {
r->assbackwards = 1;
pro = "HTTP/0.9";
len = 8;
}
r->protocol = apr_pstrmemdup(r->pool, pro, len);
/* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */
/* Avoid sscanf in the common case */
if (len == 8
&& pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P'
&& pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.'
&& apr_isdigit(pro[7])) {
r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0');
}
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-commit+help@xxxxxxxxxxxx
here is the log from the commit of package apache2 for openSUSE:12.1 checked in
at 2011-10-25 15:46:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1/apache2 (Old)
and /work/SRC/openSUSE:12.1/.apache2.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2", Maintainer is "draht@xxxxxxxx"
Changes:
--------
--- /work/SRC/openSUSE:12.1/apache2/apache2.changes 2011-10-24
12:27:19.000000000 +0200
+++ /work/SRC/openSUSE:12.1/.apache2.new/apache2.changes 2011-10-25
15:46:59.000000000 +0200
@@ -1,0 +2,13 @@
+Fri Oct 7 17:11:56 CEST 2011 - draht@xxxxxxx
+
+- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff fixes mod_proxy
+ reverse exposure via RewriteRule or ProxyPassMatch directives.
+ This is CVE-2011-3368.
+
+-------------------------------------------------------------------
+Fri Oct 7 14:36:31 UTC 2011 - fcrozat@xxxxxxxx
+
+- Ensure service_add_pre macro is correctly called for
+ openSUSE 12.1 or later.
+
+-------------------------------------------------------------------
New:
----
httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.iLDScW/_old 2011-10-25 15:47:25.000000000 +0200
+++ /var/tmp/diff_new_pack.iLDScW/_new 2011-10-25 15:47:25.000000000 +0200
@@ -136,9 +136,10 @@
Patch102: httpd-keepalivetimeout-millisecs.patch
Patch104: httpd-mod_deflate_head.patch
Patch105: ssl-mode-release-buffers.patch
+Patch106: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
Url: http://httpd.apache.org/
Icon: Apache.xpm
-Summary: The Apache Web Server Version 2.0
+Summary: The Apache Web Server Version 2.2
AutoReqProv: on
Provides: httpd http_daemon %{apache_mmn} suse_help_viewer
Requires: %{pname}-MPM /etc/mime.types
@@ -194,7 +195,7 @@
Apache distribution.
See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and
-http://httpd.apache.org/docs-2.0/upgrading.html.
+http://httpd.apache.org/docs-2.2/upgrading.html.
%if %worker
@@ -288,7 +289,7 @@
%package devel
License: ASLv..
-Summary: Apache 2.0 Header and Include Files
+Summary: Apache 2.2 Header and Include Files
Group: Development/Libraries/C and C++
Requires: %{name} = %{version} %{pname}-MPM
Requires: libapr1-devel libapr-util1-devel
@@ -358,6 +359,7 @@
%patch102
%patch104
%patch105
+%patch106
#
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
#
@@ -1012,19 +1014,18 @@
# | |
#
-# on Fedora, add the "apache" user
-%if %{?suse_version:0}%{!?suse_version:1}
-
%pre
+%if %{?suse_version:0}%{!?suse_version:1}
+# on Fedora, add the "apache" user
if ! /usr/bin/getent passwd %httpduser &>/dev/null; then
echo "Creating %httpduser user"
/usr/sbin/useradd -c "Apache" -u 48 \
-s /sbin/nologin -r -d %{localstatedir} %httpduser 2> /dev/null || :
fi
+%endif
%if 0%{?suse_version} >= 1210
%service_add_pre apache2.service
%endif
-%endif
%preun
%if 0%{?suse_version} >= 1210
++++++ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff ++++++
diff -rNU 20 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c
--- ../httpd-2.2.21-o/server/protocol.c 2011-05-07 13:39:29.000000000 +0200
+++ ./server/protocol.c 2011-10-07 17:10:46.000000000 +0200
@@ -623,40 +623,64 @@
#if 0
/* XXX If we want to keep track of the Method, the protocol module should do
* it. That support isn't in the scoreboard yet. Hopefully next week
* sometime. rbb */
ap_update_connection_status(AP_CHILD_THREAD_FROM_ID(conn->id), "Method",
r->method);
#endif
uri = ap_getword_white(r->pool, &ll);
/* Provide quick information about the request method as soon as known */
r->method_number = ap_method_number_of(r->method);
if (r->method_number == M_GET && r->method[0] == 'H') {
r->header_only = 1;
}
ap_parse_uri(r, uri);
+/*
+
https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&view=patch
+ This is the fix for CVE-2011-3368; via bnc#722545.
+ */
+
+ /* RFC 2616:
+ * Request-URI = "*" | absoluteURI | abs_path | authority
+ *
+ * authority is a special case for CONNECT. If the request is not
+ * using CONNECT, and the parsed URI does not have scheme, and
+ * it does not begin with '/', and it is not '*', then, fail
+ * and give a 400 response. */
+ if (r->method_number != M_CONNECT
+ && !r->parsed_uri.scheme
+ && uri[0] != '/'
+ && !(uri[0] == '*' && uri[1] == '\0')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "invalid request-URI %s", uri);
+ r->args = NULL;
+ r->hostname = NULL;
+ r->status = HTTP_BAD_REQUEST;
+ r->uri = apr_pstrdup(r->pool, uri);
+ }
+
if (ll[0]) {
r->assbackwards = 0;
pro = ll;
len = strlen(ll);
} else {
r->assbackwards = 1;
pro = "HTTP/0.9";
len = 8;
}
r->protocol = apr_pstrmemdup(r->pool, pro, len);
/* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */
/* Avoid sscanf in the common case */
if (len == 8
&& pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P'
&& pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.'
&& apr_isdigit(pro[7])) {
r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0');
}
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-commit+help@xxxxxxxxxxxx
| < Previous | Next > |