Hello community, here is the log from the commit of package apache2 for openSUSE:12.1 checked in at 2011-10-25 15:46:15 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1/apache2 (Old) and /work/SRC/openSUSE:12.1/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2", Maintainer is "draht@suse.com" Changes: -------- --- /work/SRC/openSUSE:12.1/apache2/apache2.changes 2011-10-24 12:27:19.000000000 +0200 +++ /work/SRC/openSUSE:12.1/.apache2.new/apache2.changes 2011-10-25 15:46:59.000000000 +0200 @@ -1,0 +2,13 @@ +Fri Oct 7 17:11:56 CEST 2011 - draht@suse.de + +- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff fixes mod_proxy + reverse exposure via RewriteRule or ProxyPassMatch directives. + This is CVE-2011-3368. + +------------------------------------------------------------------- +Fri Oct 7 14:36:31 UTC 2011 - fcrozat@suse.com + +- Ensure service_add_pre macro is correctly called for + openSUSE 12.1 or later. + +------------------------------------------------------------------- New: ---- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.iLDScW/_old 2011-10-25 15:47:25.000000000 +0200 +++ /var/tmp/diff_new_pack.iLDScW/_new 2011-10-25 15:47:25.000000000 +0200 @@ -136,9 +136,10 @@ Patch102: httpd-keepalivetimeout-millisecs.patch Patch104: httpd-mod_deflate_head.patch Patch105: ssl-mode-release-buffers.patch +Patch106: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff Url: http://httpd.apache.org/ Icon: Apache.xpm -Summary: The Apache Web Server Version 2.0 +Summary: The Apache Web Server Version 2.2 AutoReqProv: on Provides: httpd http_daemon %{apache_mmn} suse_help_viewer Requires: %{pname}-MPM /etc/mime.types @@ -194,7 +195,7 @@ Apache distribution. See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and -http://httpd.apache.org/docs-2.0/upgrading.html. +http://httpd.apache.org/docs-2.2/upgrading.html. %if %worker @@ -288,7 +289,7 @@ %package devel License: ASLv.. -Summary: Apache 2.0 Header and Include Files +Summary: Apache 2.2 Header and Include Files Group: Development/Libraries/C and C++ Requires: %{name} = %{version} %{pname}-MPM Requires: libapr1-devel libapr-util1-devel @@ -358,6 +359,7 @@ %patch102 %patch104 %patch105 +%patch106 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # @@ -1012,19 +1014,18 @@ # | | # -# on Fedora, add the "apache" user -%if %{?suse_version:0}%{!?suse_version:1} - %pre +%if %{?suse_version:0}%{!?suse_version:1} +# on Fedora, add the "apache" user if ! /usr/bin/getent passwd %httpduser &>/dev/null; then echo "Creating %httpduser user" /usr/sbin/useradd -c "Apache" -u 48 \ -s /sbin/nologin -r -d %{localstatedir} %httpduser 2> /dev/null || : fi +%endif %if 0%{?suse_version} >= 1210 %service_add_pre apache2.service %endif -%endif %preun %if 0%{?suse_version} >= 1210 ++++++ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff ++++++ diff -rNU 20 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c --- ../httpd-2.2.21-o/server/protocol.c 2011-05-07 13:39:29.000000000 +0200 +++ ./server/protocol.c 2011-10-07 17:10:46.000000000 +0200 @@ -623,40 +623,64 @@ #if 0 /* XXX If we want to keep track of the Method, the protocol module should do * it. That support isn't in the scoreboard yet. Hopefully next week * sometime. rbb */ ap_update_connection_status(AP_CHILD_THREAD_FROM_ID(conn->id), "Method", r->method); #endif uri = ap_getword_white(r->pool, &ll); /* Provide quick information about the request method as soon as known */ r->method_number = ap_method_number_of(r->method); if (r->method_number == M_GET && r->method[0] == 'H') { r->header_only = 1; } ap_parse_uri(r, uri); +/* + https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&view=patch + This is the fix for CVE-2011-3368; via bnc#722545. + */ + + /* RFC 2616: + * Request-URI = "*" | absoluteURI | abs_path | authority + * + * authority is a special case for CONNECT. If the request is not + * using CONNECT, and the parsed URI does not have scheme, and + * it does not begin with '/', and it is not '*', then, fail + * and give a 400 response. */ + if (r->method_number != M_CONNECT + && !r->parsed_uri.scheme + && uri[0] != '/' + && !(uri[0] == '*' && uri[1] == '\0')) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "invalid request-URI %s", uri); + r->args = NULL; + r->hostname = NULL; + r->status = HTTP_BAD_REQUEST; + r->uri = apr_pstrdup(r->pool, uri); + } + if (ll[0]) { r->assbackwards = 0; pro = ll; len = strlen(ll); } else { r->assbackwards = 1; pro = "HTTP/0.9"; len = 8; } r->protocol = apr_pstrmemdup(r->pool, pro, len); /* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */ /* Avoid sscanf in the common case */ if (len == 8 && pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P' && pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.' && apr_isdigit(pro[7])) { r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0'); } -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org