Hello community, here is the log from the commit of package apache2 for openSUSE:12.1:Update:Test checked in at 2011-11-28 18:42:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:12.1:Update:Test/apache2 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.apache2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "apache2", Maintainer is "draht@suse.com" Changes: -------- --- /work/SRC/openSUSE:12.1:Update:Test/apache2/apache2.changes 2011-11-28 18:42:46.000000000 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.apache2.new/apache2.changes 2011-11-28 18:42:47.000000000 +0100 @@ -1,0 +2,12 @@ +Fri Nov 25 14:49:52 CET 2011 - draht@suse.de + +- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff is a fix + for CVE-2011-4317, which is to be seen a variant of CVE-2011-3368 + which was addressed below in + httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff. [bnc#722545] +- new template file: /etc/apache2/vhosts.d/vhost-ssl.template + allow TLSv1 only, browser match stuff commented out. +- rc script /etc/init.d/apache2: handle reload with deleted binaries + by message to stdout only, but refrain from sending signals. + +------------------------------------------------------------------- New: ---- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.Lpa4O7/_old 2011-11-28 18:42:48.000000000 +0100 +++ /var/tmp/diff_new_pack.Lpa4O7/_new 2011-11-28 18:42:48.000000000 +0100 @@ -137,6 +137,7 @@ Patch104: httpd-mod_deflate_head.patch Patch105: ssl-mode-release-buffers.patch Patch106: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff +Patch107: httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.2 
@@ -360,6 +361,7 @@ %patch104 %patch105 %patch106 +%patch107 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # ++++++ apache2-vhost-ssl.template ++++++ --- /var/tmp/diff_new_pack.Lpa4O7/_old 2011-11-28 18:42:48.000000000 +0100 +++ /var/tmp/diff_new_pack.Lpa4O7/_new 2011-11-28 18:42:48.000000000 +0100 @@ -182,9 +182,9 @@ # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. - SetEnvIf User-Agent ".*MSIE [1-5].*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 +# SetEnvIf User-Agent ".*MSIE [1-5].*" \ +# nokeepalive ssl-unclean-shutdown \ +# downgrade-1.0 force-response-1.0 # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a ++++++ httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff ++++++ diff -rNU 20 ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c ./modules/mappers/mod_rewrite.c --- ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c 2009-07-10 14:20:45.000000000 +0200 +++ ./modules/mappers/mod_rewrite.c 2011-11-24 04:08:35.000000000 +0100 
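Review bot: The changelog entry for this update says the SSL vhost template now allows TLSv1 only, but the only change visible in the apache2-vhost-ssl.template diff is the commented-out `SetEnvIf User-Agent ".*MSIE [1-5].*"` block. The protocol restriction is presumably already present in the template or delivered some other way, which is worth confirming before the entry is relied on. The explanatory comment above the directive still reads as if the workaround were active, so a line such as `# Disabled by default; uncomment only if MSIE 1-5 clients must still be served.` would make the new state clear.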
@@ -4230,40 +4230,47 @@ /* * only do something under runtime if the engine is really enabled, * else return immediately! */ if (conf->state == ENGINE_DISABLED) { return DECLINED; } /* * check for the ugly API case of a virtual host section where no * mod_rewrite directives exists. In this situation we became no chance * by the API to setup our default per-server config so we have to * on-the-fly assume we have the default config. But because the default * config has a disabled rewriting engine we are lucky because can * just stop operating now. */ if (conf->server != r->server) { return DECLINED; } + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* * add the SCRIPT_URL variable to the env. this is a bit complicated * due to the fact that apache uses subrequests and internal redirects */ if (r->main == NULL) { var = apr_table_get(r->subprocess_env, REDIRECT_ENVVAR_SCRIPT_URL); if (var == NULL) { apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, r->uri); } else { apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var); } } else { var = apr_table_get(r->main->subprocess_env, ENVVAR_SCRIPT_URL); apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var); } /* diff -rNU 20 ../httpd-2.2.12-o/modules/proxy/mod_proxy.c ./modules/proxy/mod_proxy.c --- ../httpd-2.2.12-o/modules/proxy/mod_proxy.c 2009-01-31 21:58:07.000000000 +0100 +++ ./modules/proxy/mod_proxy.c 2011-11-24 04:08:35.000000000 +0100 
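Review bot: The new guard returns `HTTP_BAD_REQUEST` for every request whose `r->uri` does not start with `/`, which as written also covers the legitimate `OPTIONS *` request form and not only the malformed targets behind CVE-2011-3368 and CVE-2011-4317; the identical guard in the mod_proxy.c hunk that follows has the same effect. Returning `DECLINED` at both sites would still keep such a URI out of rewrite-rule and ProxyPass matching while leaving the accept-or-reject decision to the later translate hooks, so it looks like the safer choice, though that should be confirmed against the core handler in this 2.2.x tree. A comment that names the reason, for example `/* r->uri must be a URL-path before any rule sees it; see CVE-2011-3368, CVE-2011-4317 */`, would keep the check from being moved below rule processing later. Both enclosing functions begin and end outside the hunks shown.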
@@ -527,40 +527,47 @@ proxy_server_conf *conf = (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module); int i, len; struct proxy_alias *ent = (struct proxy_alias *) conf->aliases->elts; proxy_dir_conf *dconf = ap_get_module_config(r->per_dir_config, &proxy_module); const char *fake; const char *real; ap_regmatch_t regm[AP_MAX_REG_MATCH]; ap_regmatch_t reg1[AP_MAX_REG_MATCH]; char *found = NULL; int mismatch = 0; if (r->proxyreq) { /* someone has already set up the proxy, it was possibly ourselves * in proxy_detect */ return OK; } + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* XXX: since r->uri has been manipulated already we're not really * compliant with RFC1945 at this point. But this probably isn't * an issue because this is a hybrid proxy/origin server. */ for (i = 0; i < conf->aliases->nelts; i++) { unsigned int nocanon = ent[i].flags & PROXYPASS_NOCANON; const char *use_uri = nocanon ? r->unparsed_uri : r->uri; if ((dconf->interpolate_env == 1) && (ent[i].flags & PROXYPASS_INTERPOLATE)) { fake = proxy_interpolate(r, ent[i].fake); real = proxy_interpolate(r, ent[i].real); } else { fake = ent[i].fake; real = ent[i].real; } if (ent[i].regex) { if (!ap_regexec(ent[i].regex, r->uri, AP_MAX_REG_MATCH, regm, 0)) { if ((real[0] == '!') && (real[1] == '\0')) { ++++++ rc.apache2 ++++++ --- /var/tmp/diff_new_pack.Lpa4O7/_old 2011-11-28 18:42:48.000000000 +0100 +++ /var/tmp/diff_new_pack.Lpa4O7/_new 2011-11-28 18:42:48.000000000 +0100 @@ -162,6 +162,8 @@ echo -n "(not running)" else pid=$(<$pidfile) + # re-read exe symlink, it could be (deleted) in the meanwhile. + apache_bin=$(readlink /proc/$pid/exe 2>/dev/null) kill -TERM $pid 2>/dev/null case $? in 1) echo -n "(not running)";; 
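Review bot: Overwriting `apache_bin` with the link target of `/proc/$pid/exe` means the wait loop in the next hunk compares against whatever binary that PID was running rather than the configured httpd path, so a stale pidfile pointing at an unrelated process is no longer told apart there. Any later use of `$apache_bin` in the same run would also see the path with its ` (deleted)` suffix. Reading the link into its own variable, `running_bin=$(readlink "/proc/$pid/exe" 2>/dev/null)`, and accepting `"$apache_bin"` or `"$apache_bin (deleted)"` in the loop keeps the configured path intact. `$pid` is taken from the pidfile and used unquoted, so a numeric check before `kill -TERM` would guard against a corrupt file. The stop branch starts and ends outside the hunk.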
@@ -175,7 +177,7 @@ if ! test -f /proc/$pid/exe; then break fi - if test "$(readlink /proc/$pid/exe 2>/dev/null)" = $apache_bin; then + if test "$(readlink /proc/$pid/exe 2>/dev/null)" = "$apache_bin"; then usleep 500000 else break @@ -261,6 +263,23 @@ rc_status ;; reload|force-reload|graceful) + # check if there is a deleted binary. If there is, then logrotate + # or other occasions will fail to reload, as dlopen(3) of apache + # modules is prone to fail due to symbol mismatches. + # in this case, we only complain and fail. + if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi + executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null ) + case "$executable" in + *httpd*delete*) + echo -n "Reload httpd2 after package update: ignoring request. Please do a manual restart explicitly! " + rc_failed 1 + rc_status -v + rc_exit + ;; + *) + ;; + esac + echo -n "Reload httpd2 (graceful restart)" cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@") if eval $cmdline -t &> $logdir/rc$pname.out; then -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
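Review bot: In the `reload|force-reload|graceful` branch the refusal is written to stdout only, so when the reload comes from logrotate or cron after a security update, the fact that the old binary is still serving requests is easy to miss. Adding a line such as `logger -t rcapache2 "reload refused: httpd binary replaced on disk, manual restart required"` next to the `echo` would leave a record that monitoring can alert on. The `*httpd*delete*` pattern is looser than the kernel's suffix and could be written as `*" (deleted)"`. `$(cat $pidfile)` is unquoted, its content is not checked to be numeric, and the `2> /dev/null` on `readlink` does not silence `cat` when the pidfile is missing.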