Hello community, here is the log from the commit of package apache2-mod_fcgid for openSUSE:Factory checked in at 2016-07-30 00:28:26 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/apache2-mod_fcgid (Old) and /work/SRC/openSUSE:Factory/.apache2-mod_fcgid.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2-mod_fcgid" Changes: -------- --- /work/SRC/openSUSE:Factory/apache2-mod_fcgid/apache2-mod_fcgid.changes 2015-09-24 06:14:20.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.apache2-mod_fcgid.new/apache2-mod_fcgid.changes 2016-07-30 00:28:27.000000000 +0200 @@ -1,0 +2,8 @@ +Wed Jul 27 13:35:31 UTC 2016 - kstreitova@suse.com + +- add mod_fcgid-2.3.9-CVE-2016-1000104.patch - don't allow setting + the HTTP_PROXY environment variable from a http header + [CVE-2016-1000104], [bsc#988492] +- run spec-cleaner to clean specfile + +------------------------------------------------------------------- New: ---- mod_fcgid-2.3.9-CVE-2016-1000104.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2-mod_fcgid.spec ++++++ --- /var/tmp/diff_new_pack.yttzrI/_old 2016-07-30 00:28:28.000000000 +0200 +++ /var/tmp/diff_new_pack.yttzrI/_new 2016-07-30 00:28:28.000000000 +0200 @@ -1,7 +1,7 @@ # # spec file for package apache2-mod_fcgid # -# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -17,30 +17,26 @@ Name: apache2-mod_fcgid -# Version: 2.3.9 Release: 0 -# Summary: Alternative FastCGI module for Apache2 License: GPL-2.0+ Group: Productivity/Networking/Web/Servers -# Url: http://httpd.apache.org/mod_fcgid/ Source: http://mirror.synyx.de/apache/httpd/mod_fcgid/mod_fcgid-%{version}.tar.bz2 Source1: apache2-mod_fcgid.conf Patch0: mod_fcgid-2.3.5_suse_paths.patch +# PATCH-FIX-UPSTREAM bsc#988492 kstreitova@suse.com -- don't allow setting the HTTP_PROXY variable +Patch1: mod_fcgid-2.3.9-CVE-2016-1000104.patch BuildRequires: apache-rpm-macros BuildRequires: apache2-devel Requires: %{apache_mmn} Requires: %{apache_suse_maintenance_mmn} Requires: apache2 -# -# BuildRoot: %{_tmppath}/%{name}-%{version}-build %description -A binary compatibile alternative to the Apache -module mod_fastcgi. +A binary compatibile alternative to the Apache module mod_fastcgi. The module implements an efficient process pool management for external CGI program invocation. The pool of CGI programs is mapped against the @@ -56,13 +52,14 @@ %prep %setup -q -n mod_fcgid-%{version} %patch0 +%patch1 -p1 %build APXS="%{apache_apxs}-prefork" ./configure.apxs make %{?_smp_mflags} %install -make DESTDIR=%{buildroot} install %{?_smp_mflags} +make %{?_smp_mflags} DESTDIR=%{buildroot} install install -D -m 0644 %{SOURCE1} %{buildroot}%{apache_sysconfdir}/conf.d/mod_fcgid.conf install -d -m 0755 %{buildroot}%{_localstatedir}/lib/apache2/fcgid/ 
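Review bot: The reflowed `%description` line keeps the misspelling `compatibile`; since the line is rewritten anyway it could read `A binary compatible alternative to the Apache module mod_fastcgi.`. The `PATCH-FIX-UPSTREAM` tag on `Patch1` implies the patch was taken from upstream, but the `boo#988492` comments inside the patch suggest it was written here; if that is the case the conventional tag would be `PATCH-FIX-OPENSUSE`, otherwise the comment should name the upstream revision it was taken from.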
@@ -70,8 +67,8 @@ set +x mkdir -p %{apache_test_module_dir} cp %{SOURCE1} %{apache_test_module_dir}/mod_fcgid-test.conf -mkdir -p "%{apache_test_module_dir}/var/lib/apache2/fcgid/" -sed -i "s:/var/lib:%{apache_test_module_dir}/var/lib:" %{apache_test_module_dir}/mod_fcgid-test.conf +mkdir -p "%{apache_test_module_dir}%{_localstatedir}/lib/apache2/fcgid/" +sed -i "s:%{_localstatedir}/lib:%{apache_test_module_dir}%{_localstatedir}/lib:" %{apache_test_module_dir}/mod_fcgid-test.conf %apache_test_module_load -m fcgid -i mod_fcgid-test.conf set -x ++++++ mod_fcgid-2.3.9-CVE-2016-1000104.patch ++++++ Index: mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c =================================================================== --- mod_fcgid-2.3.9.orig/modules/fcgid/mod_fcgid.c +++ mod_fcgid-2.3.9/modules/fcgid/mod_fcgid.c @@ -155,9 +155,15 @@ static void fcgid_add_cgi_vars(request_r * consistent with legacy mod_fcgid behavior and mod_fastcgi * prior to 2.4.7 */ - apr_table_setn(r->subprocess_env, *hdr, val); - /* standard munging of header name (upcase, HTTP_, etc.) */ - apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val); + /* boo#988492 httpoxy don't set HTTP_PROXY */ + if ( strcasecmp(*hdr, "HTTP_PROXY") != 0 && strcasecmp(*hdr, "HTTP-PROXY") != 0) { + apr_table_setn(r->subprocess_env, *hdr, val); + } + /* boo#988492 httpoxy don't set HTTP_PROXY */ + if ( strcasecmp(*hdr, "PROXY") != 0 ) { + /* standard munging of header name (upcase, HTTP_, etc.) */ + apr_table_setn(r->subprocess_env, http2env(r->pool, *hdr), val); + } } } }
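Review bot: The second guard compares the raw header name against `"PROXY"`, while the name that actually reaches the environment is the `http2env()` result; the check is only complete because the reader knows the munging (upcase plus `HTTP_` prefix, per the existing comment) maps `Proxy` to `HTTP_PROXY`, so comparing the computed name directly is self-evidently correct and gives both guards the same shape: `const char *env_name = http2env(r->pool, *hdr);` / `if (strcasecmp(env_name, "HTTP_PROXY") != 0) {` / `apr_table_setn(r->subprocess_env, env_name, val);`. The two identical `boo#988492` comments could then collapse into one comment above both guards, e.g. `/* httpoxy (CVE-2016-1000104, boo#988492): never export a client-supplied value as HTTP_PROXY, neither under the configured header name nor under its CGI-munged name */`, which also records why the raw-name path needs its own denylist at all. The `if ( strcasecmp` spacing differs from the `if (` form used elsewhere in the file. If, as the "legacy mod_fcgid behavior" comment suggests, `*hdr` iterates an administrator-configured pass-header list, that scope is worth stating in the comment too, since the filter then only matters when `Proxy` is listed there. The enclosing function `fcgid_add_cgi_vars` begins before this hunk and the visible closing braces presumably do not end it.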