Hello community, here is the log from the commit of package apache2 checked in at Mon Aug 27 17:26:37 CEST 2007. --------
--- apache2/apache2.changes 2007-07-18 16:06:17.000000000 +0200
+++ /mounts/work_src_done/STABLE/apache2/apache2.changes 2007-08-23 12:11:26.000000000 +0200
@@ -1,0 +2,6 @@
+Thu Aug 23 11:27:19 CEST 2007 - mskibbe@suse.de
+
+- Bug 289996 - VUL-0: mod_status XSS in public server status page
+- Bug 289997 - VUL-0: apache2: mod_cache remote denial of service
+
+-------------------------------------------------------------------
New: ---- apache2-mod_cache-CVE-2007-1863.patch apache2-mod_status-CVE-2006-5752.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.r11056/_old 2007-08-27 17:21:31.000000000 +0200
+++ /var/tmp/diff_new_pack.r11056/_new 2007-08-27 17:21:31.000000000 +0200
@@ -55,7 +55,7 @@
 Group: Productivity/Networking/Web/Servers
 %define realver 2.2.4
 Version: 2.2.4
-Release: 44
+Release: 57
 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
 Source10: SUSE-NOTICE
@@ -110,6 +110,8 @@
 Patch68: httpd-2.2.3-AddDirectoryIndexCharset.patch
 Patch69: httpd-2.2.x.doublefree.patch
 Patch150: mod_dbd.c-issue18989-autoconnect.dif
+Patch151: apache2-mod_status-CVE-2006-5752.patch
+Patch152: apache2-mod_cache-CVE-2007-1863.patch
 URL: http://httpd.apache.org/
 Icon: Apache.xpm
 Summary: The Apache Web Server Version 2.0
@@ -321,6 +323,8 @@
 %patch67 -p1
 %patch68 -p1
 %patch69 -p0
+%patch151 -p0
+%patch152 -p0
 cp -p %{S:150} modules/database/mod_dbd.c
 #%patch150 -p0
 #
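Review bot: The new `%patch152 -p0` line applies the mod_cache patch as shipped, and that patch carries a CHANGES hunk written against "Changes with Apache 2.2.3" while this package builds 2.2.4 (`%define realver 2.2.4` in the hunk above). If the 2.2.4 CHANGES file still contains that section with identical context, patch will apply it at an offset; if it does not, %prep fails on a hunk that changes no code. Dropping the CHANGES hunk from the backported patch file, keeping only the cache_util.c hunks, removes that fragility. The %prep section continues past the end of this hunk.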
@@ -1056,6 +1060,9 @@
 fi
 %changelog
+* Thu Aug 23 2007 - mskibbe@suse.de
+- Bug 289996 - VUL-0: mod_status XSS in public server status page
+- Bug 289997 - VUL-0: apache2: mod_cache remote denial of service
 * Wed Jul 18 2007 - skh@suse.de
 - split off apache2-utils subpackage, containing all helper tools that are useful for system administrators in general (b.n.c. #272292 and
++++++ apache2-mod_cache-CVE-2007-1863.patch ++++++
Index: modules/cache/cache_util.c
================================================================================
--- CHANGES
+++ CHANGES
@@ -1,6 +1,10 @@
 -*- coding: utf-8 -*-
 Changes with Apache 2.2.3
+ *) SECURITY: CVE-2007-1863 (cve.mitre.org)
+ mod_cache: Prevent segmentation fault if a Cache-Control header has
+ no value [Niklas Edmundsson]
+
 *) SECURITY: CVE-2006-3747 (cve.mitre.org)
 mod_rewrite: Fix an off-by-one security problem in the ldap scheme handling. For some RewriteRules this could lead to a pointer being
--- modules/cache/cache_util.c
+++ modules/cache/cache_util.c
@@ -231,7 +231,8 @@
 age = ap_cache_current_age(info, age_c, r->request_time);
 /* extract s-maxage */
- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
+ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
+ && val != NULL) {
 smaxage = apr_atoi64(val);
 }
 else {
@@ -240,7 +241,8 @@
 /* extract max-age from request */
 if (!conf->ignorecachecontrol
- && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
+ && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
+ && val != NULL) {
 maxage_req = apr_atoi64(val);
 }
 else {
@@ -248,7 +250,8 @@
 }
 /* extract max-age from response */
- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
+ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
+ && val != NULL) {
 maxage_cresp = apr_atoi64(val);
 }
 else {
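Review bot: The added `&& val != NULL` term in the s-maxage condition covers only a bare `s-maxage` directive; `s-maxage=` with an empty, non-numeric or negative value still reaches `apr_atoi64(val)`, which returns 0 or a negative number with no error indication, so the segfault is fixed but a malformed directive is still silently accepted as a freshness lifetime. Parsing with `apr_strtoi64(val, &end, 10)` and treating `end == val || *end != '\0' || smaxage < 0` the same way as a missing value would make the guard complete; the two max-age hunks below have the same gap. How a negative value interacts with the freshness comparison further down cannot be judged here, since the enclosing function and the declarations of `val` and `smaxage` are outside the hunk.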
@@ -270,7 +273,20 @@
 /* extract max-stale */
 if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
- maxstale = apr_atoi64(val);
+ if(val != NULL) {
+ maxstale = apr_atoi64(val);
+ }
+ else {
+ /*
+ * If no value is assigned to max-stale, then the client is willing
+ * to accept a stale response of any age (RFC2616 14.9.3). We will
+ * set it to one year in this case as this situation is somewhat
+ * similar to a "never expires" Expires header (RFC2616 14.21)
+ * which is set to a date one year from the time the response is
+ * sent in this case.
+ */
+ maxstale = APR_INT64_C(86400*365);
+ }
 }
 else {
 maxstale = 0;
@@ -278,7 +294,8 @@
 /* extract min-fresh */
 if (!conf->ignorecachecontrol
- && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
+ && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
+ && val != NULL) {
 minfresh = apr_atoi64(val);
 }
 else {
@@ -407,6 +424,9 @@
 next - val_start);
 }
 }
+ else {
+ *val = NULL;
+ }
 }
 return 1;
 }
++++++ apache2-mod_status-CVE-2006-5752.patch ++++++
--- modules/generators/mod_status.c 2007/06/20 17:22:08 549158
+++ modules/generators/mod_status.c 2007/06/20 17:29:24 549159
@@ -270,7 +270,7 @@
 if (r->method_number != M_GET)
 return DECLINED;
- ap_set_content_type(r, "text/html");
+ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
 /*
 * Simple table-driven form data set parser that lets you alter the header
@@ -299,7 +299,7 @@
 no_table_report = 1;
 break;
 case STAT_OPT_AUTO:
- ap_set_content_type(r, "text/plain");
+ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
 short_report = 1;
 break;
 }
@@ -673,7 +673,8 @@
 ap_escape_html(r->pool,
 ws_record->client),
 ap_escape_html(r->pool,
- ws_record->request),
+ ap_escape_logitem(r->pool,
+ ws_record->request)),
 ap_escape_html(r->pool,
 ws_record->vhost));
 }
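Review bot: The added `if(val != NULL) {` drops the space after `if` that every other condition in this hunk and in the neighbouring hunks uses (`if (cc_req && ...`, `if (!conf->ignorecachecontrol`); write it `if (val != NULL) {`. The one-year fallback is well explained by the new comment, so no further documentation is needed there. The enclosing function begins before this hunk.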
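Review bot: The added `*val = NULL;` in ap_cache_liststr writes through `val` unconditionally as far as this hunk shows, and the `}` immediately after it closes a block that starts above the hunk. If any caller passes a NULL `val` to test a directive's presence only, and the new `else` sits outside the `if (val)` guard such callers rely on, the function now dereferences NULL on exactly the valueless directive this patch is meant to survive. Please confirm the `else` attaches to the `if (*next == '=')` nested inside that guard, or make it self-protecting with `else if (val) {` / `*val = NULL;`. The function's signature and the guard are outside the hunk, so this is an inference from the brace structure.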
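Review bot: Nothing in the hunk records why the charset is now pinned to ISO-8859-1, so a later cleanup could easily treat it as cosmetic and drop it. Suggest a comment above the call: `/* Declare the charset explicitly: an unlabelled page lets browsers sniff encodings such as UTF-7, bypassing ap_escape_html (CVE-2006-5752) */`. The same note belongs on the text/plain branch in the next hunk. status_handler begins and ends outside the hunk.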
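Review bot: Only `ws_record->request` gains the `ap_escape_logitem` pass in this hunk; `ws_record->client` two lines above is still handed straight to `ap_escape_html`. Presumably that field holds the client address or, with HostnameLookups enabled, a reverse-DNS name chosen by the remote side, so for consistency it deserves the same control-character escaping: `ap_escape_html(r->pool, ap_escape_logitem(r->pool, ws_record->client)),`. The nesting order used here, logitem first and HTML escaping outermost, is the right one since logitem's `\xNN` output contains no HTML metacharacters. status_handler continues on both sides of the hunk.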
@@ -763,7 +764,8 @@
 ap_escape_html(r->pool,
 ws_record->vhost),
 ap_escape_html(r->pool,
- ws_record->request));
+ ap_escape_logitem(r->pool,
+ ws_record->request)));
 } /* no_table_report */
 } /* for (j...) */
 } /* for (i...) */
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org