Hello community,
here is the log from the commit of package apache2 for openSUSE:11.4
checked in at Mon Dec 5 17:55:22 CET 2011.
--------
--- old-versions/11.4/UPDATES/all/apache2/apache2.changes 2011-10-26 15:54:55.000000000 +0200
+++ 11.4/apache2/apache2.changes 2011-11-29 16:53:50.000000000 +0100
@@ -1,0 +2,21 @@
+Tue Nov 29 16:53:29 CET 2011 - draht@suse.de
+
+- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff re-worked:
+ len needs to be unsigned. int -> apr_size_t. [bnc#729181]
+
+-------------------------------------------------------------------
+Fri Nov 25 14:49:52 CET 2011 - draht@suse.de
+
+- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff fixes an
+ integer overflow in server/util.c also known as CVE-2011-3607.
+ [bnc#729181]
+- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff is a fix
+ for CVE-2011-4317, which is to be seen a variant of CVE-2011-3368
+ which was addressed below in
+ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff. [bnc#722545]
+- new template file: /etc/apache2/vhosts.d/vhost-ssl.template
+ allow TLSv1 only, browser match stuff commented out.
+- rc script /etc/init.d/apache2: handle reload with deleted binaries
+ by message to stdout only, but refrain from sending signals.
+
+-------------------------------------------------------------------
calling whatdependson for 11.4-i586
New:
----
httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff
httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2.spec ++++++
--- /var/tmp/diff_new_pack.eC6MIX/_old 2011-12-05 17:55:08.000000000 +0100
+++ /var/tmp/diff_new_pack.eC6MIX/_new 2011-12-05 17:55:08.000000000 +0100
@@ -69,7 +69,7 @@
Group: Productivity/Networking/Web/Servers
%define realver 2.2.17
Version: 2.2.17
-Release: 4.<RELEASE9>
+Release: 4.<RELEASE11>
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
# Add file to take mtime from it in prep section
@@ -129,6 +129,8 @@
Patch101: httpd-2.2.x-bnc713966-CVE-2011-3192.patch
Patch102: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
Patch103: httpd-2.2.x-CVE-2011-3348-mod_proxy_ajp.patch
+Patch104: httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff
+Patch105: httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff
Url: http://httpd.apache.org/
Icon: Apache.xpm
Summary: The Apache Web Server Version 2.2
@@ -358,6 +360,8 @@
%patch101 -p0
%patch102 -p0
%patch103 -p0
+%patch104 -p0
+%patch105 -p0
#
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
#
++++++ apache2-vhost-ssl.template ++++++
--- /var/tmp/diff_new_pack.eC6MIX/_old 2011-12-05 17:55:08.000000000 +0100
+++ /var/tmp/diff_new_pack.eC6MIX/_new 2011-12-05 17:55:08.000000000 +0100
@@ -13,20 +13,11 @@
# serve pages over an https connection. For detailing information about these
# directives see URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html
#
-# For the moment, see URL:http://www.modssl.org/docs/ for this info.
-# The documents are still being prepared from material donated by the
-# modssl project.
-#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
-# Until documentation is completed, please check http://www.modssl.org/
-# for additional config examples and module docmentation. Directives
-# and features of mod_ssl are largely unchanged from the mod_ssl project
-# for Apache 1.3.
-
<IfDefine SSL>
@@ -47,10 +38,21 @@
# Enable/Disable SSL for this virtual host.
SSLEngine on
+ # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only:
+ SSLProtocol all -SSLv2 -SSLv3
+
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
- SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ #
+ # formerly, this was set to the following:
+ # ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ #
+ # We now disable weak ciphers by default.
+ # Please see the documentation via the links above, and
+ # "openssl ciphers -v" for a complete list of ciphers that are
+ # available.
+ SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
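Review bot: The new `SSLCipherSuite` line orders the list with `@STRENGTH`, but nothing in the hunk enables `SSLHonorCipherOrder on`, so the suite actually negotiated is still the client's first acceptable choice and the server-side ordering has no effect; add `SSLHonorCipherOrder on` next to the `SSLProtocol` line so the preference is enforced. The list also still admits RC4 and 3DES suites (only `LOW`, `EXP`, `MD5` and the anonymous/null suites are excluded), which may be deliberate for client compatibility at this point in time — if so, say it in the comment so the next editor does not tighten it blindly, e.g. `# RC4/3DES left enabled for older clients; remove when no longer needed`. The "4 possible values" comment above `SSLProtocol` would be clearer as `# Disable SSLv2 and SSLv3; with this httpd/OpenSSL that leaves TLSv1 only`, which matches the changelog wording.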
@@ -185,9 +187,12 @@
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
- SetEnvIf User-Agent ".*MSIE.*" \
- nokeepalive ssl-unclean-shutdown \
- downgrade-1.0 force-response-1.0
+ # remark: The below configuration snippet is here for illustration purposes.
+ # Browser specific deficiencies exist, but generally all of them
+ # should handle SSL/TLS encapsulated connections well.
+ #SetEnvIf User-Agent ".*MSIE.*" \
+ # nokeepalive ssl-unclean-shutdown \
+ # downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
++++++ httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff ++++++
diff -rNU 20 ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c ./modules/mappers/mod_rewrite.c
--- ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c 2009-07-10 14:20:45.000000000 +0200
+++ ./modules/mappers/mod_rewrite.c 2011-11-24 04:08:35.000000000 +0100
@@ -4230,40 +4230,47 @@
/*
* only do something under runtime if the engine is really enabled,
* else return immediately!
*/
if (conf->state == ENGINE_DISABLED) {
return DECLINED;
}
/*
* check for the ugly API case of a virtual host section where no
* mod_rewrite directives exists. In this situation we became no chance
* by the API to setup our default per-server config so we have to
* on-the-fly assume we have the default config. But because the default
* config has a disabled rewriting engine we are lucky because can
* just stop operating now.
*/
if (conf->server != r->server) {
return DECLINED;
}
+ /* Check that the URI is valid. */
+ if (!r->uri || r->uri[0] != '/') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Invalid URI in request %s", r->the_request);
+ return HTTP_BAD_REQUEST;
+ }
+
/*
* add the SCRIPT_URL variable to the env. this is a bit complicated
* due to the fact that apache uses subrequests and internal redirects
*/
if (r->main == NULL) {
var = apr_table_get(r->subprocess_env, REDIRECT_ENVVAR_SCRIPT_URL);
if (var == NULL) {
apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, r->uri);
}
else {
apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var);
}
}
else {
var = apr_table_get(r->main->subprocess_env, ENVVAR_SCRIPT_URL);
apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var);
}
/*
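Review bot: The added guard returns 400 for every r->uri that does not begin with '/', and a request in asterisk form — `OPTIONS *` — reaches this translate hook, as far as I can tell from how the core fills r->uri from the parsed path, with r->uri equal to "*"; such requests would now be refused by any server that has `RewriteEngine on`, although there is nothing to rewrite for them. If that holds for this tree (please verify against ap_parse_uri), let that single case fall through instead of failing, e.g. `if (r->uri && r->uri[0] == '*' && r->uri[1] == '\0') return DECLINED;` placed before the new check, while keeping the 400 for every other non-path URI, which is what closes CVE-2011-4317. A one-line comment naming the CVE next to `/* Check that the URI is valid. */` would also help whoever merges the next upstream release. hook_uri2file starts before the hunk and continues after it.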
diff -rNU 20 ../httpd-2.2.12-o/modules/proxy/mod_proxy.c ./modules/proxy/mod_proxy.c
--- ../httpd-2.2.12-o/modules/proxy/mod_proxy.c 2009-01-31 21:58:07.000000000 +0100
+++ ./modules/proxy/mod_proxy.c 2011-11-24 04:08:35.000000000 +0100
@@ -527,40 +527,47 @@
proxy_server_conf *conf =
(proxy_server_conf *) ap_get_module_config(sconf, &proxy_module);
int i, len;
struct proxy_alias *ent = (struct proxy_alias *) conf->aliases->elts;
proxy_dir_conf *dconf = ap_get_module_config(r->per_dir_config,
&proxy_module);
const char *fake;
const char *real;
ap_regmatch_t regm[AP_MAX_REG_MATCH];
ap_regmatch_t reg1[AP_MAX_REG_MATCH];
char *found = NULL;
int mismatch = 0;
if (r->proxyreq) {
/* someone has already set up the proxy, it was possibly ourselves
* in proxy_detect
*/
return OK;
}
+ /* Check that the URI is valid. */
+ if (!r->uri || r->uri[0] != '/') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "Invalid URI in request %s", r->the_request);
+ return HTTP_BAD_REQUEST;
+ }
+
/* XXX: since r->uri has been manipulated already we're not really
* compliant with RFC1945 at this point. But this probably isn't
* an issue because this is a hybrid proxy/origin server.
*/
for (i = 0; i < conf->aliases->nelts; i++) {
unsigned int nocanon = ent[i].flags & PROXYPASS_NOCANON;
const char *use_uri = nocanon ? r->unparsed_uri : r->uri;
if ((dconf->interpolate_env == 1)
&& (ent[i].flags & PROXYPASS_INTERPOLATE)) {
fake = proxy_interpolate(r, ent[i].fake);
real = proxy_interpolate(r, ent[i].real);
}
else {
fake = ent[i].fake;
real = ent[i].real;
}
if (ent[i].regex) {
if (!ap_regexec(ent[i].regex, r->uri, AP_MAX_REG_MATCH, regm, 0)) {
if ((real[0] == '!') && (real[1] == '\0')) {
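Review bot: The new check writes the raw request line (`r->the_request`) into the error log at APLOG_ERR; the request line is attacker-controlled and I cannot see from this hunk whether ap_log_rerror in this version escapes control characters, so a client can likely inject newlines or terminal escapes into the error log on a path that is reachable without authentication. Consider logging `ap_escape_logitem(r->pool, r->the_request)` instead, or log only the method and the first bytes of the URI. Note that the check sits after the `if (r->proxyreq) return OK;` early return, so only origin-server (ProxyPass-style) requests are validated — that looks intended, and is worth a comment, since forward-proxy and CONNECT requests carry non-path URIs by design. proxy_trans starts before the hunk and continues after it.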
++++++ httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff ++++++
diff -rNU 20 ../httpd-2.2.17-o/server/util.c ./server/util.c
--- ../httpd-2.2.17-o/server/util.c 2010-10-07 18:56:54.000000000 +0200
+++ ./server/util.c 2011-11-29 17:49:15.000000000 +0100
@@ -349,72 +349,80 @@
* passed ap_regexec(). pmatch should not be greater than the maximum number
* of subexpressions - i.e. one more than the re_nsub member of ap_regex_t.
*
* input should be the string with the $-expressions, source should be the
* string that was matched against.
*
* It returns the substituted string, or NULL on error.
*
* Parts of this code are based on Henry Spencer's regsub(), from his
* AT&T V8 regexp package.
*/
AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input,
const char *source, size_t nmatch,
ap_regmatch_t pmatch[])
{
const char *src = input;
char *dest, *dst;
char c;
size_t no;
- int len;
+ apr_size_t len;
if (!source)
return NULL;
if (!nmatch)
return apr_pstrdup(p, src);
/* First pass, find the size */
len = 0;
while ((c = *src++) != '\0') {
if (c == '&')
no = 0;
else if (c == '$' && apr_isdigit(*src))
no = *src++ - '0';
else
no = 10;
if (no > 9) { /* Ordinary character. */
if (c == '\\' && (*src == '$' || *src == '&'))
src++;
len++;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
+ if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) {
+ ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL,
+ "integer overflow or out of memory condition." );
+ return NULL;
+ }
len += pmatch[no].rm_eo - pmatch[no].rm_so;
}
}
dest = dst = apr_pcalloc(p, len + 1);
+ if(!dest)
+ return NULL;
+
/* Now actually fill in the string */
src = input;
while ((c = *src++) != '\0') {
if (c == '&')
no = 0;
else if (c == '$' && apr_isdigit(*src))
no = *src++ - '0';
else
no = 10;
if (no > 9) { /* Ordinary character. */
if (c == '\\' && (*src == '$' || *src == '&'))
c = *src++;
*dst++ = c;
}
else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) {
len = pmatch[no].rm_eo - pmatch[no].rm_so;
memcpy(dst, source + pmatch[no].rm_so, len);
++++++ rc.apache2 ++++++
--- /var/tmp/diff_new_pack.eC6MIX/_old 2011-12-05 17:55:08.000000000 +0100
+++ /var/tmp/diff_new_pack.eC6MIX/_new 2011-12-05 17:55:08.000000000 +0100
@@ -6,9 +6,8 @@
# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
#
# Authors: Rolf Haberrecker , 2001
-# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007,
-# 2008, 2009, 2010
-#
+# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007, 2008
+# Roman Drahtmueller , 2009-2012
#
# /etc/init.d/apache2
#
@@ -161,6 +160,8 @@
echo -n "(not running)"
else
pid=$(<$pidfile)
+ # re-read exe symlink, it could be (deleted) in the meanwhile.
+ apache_bin=$(readlink /proc/$pid/exe 2>/dev/null)
kill -TERM $pid 2>/dev/null
case $? in
1) echo -n "(not running)";;
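Review bot: The new `apache_bin=$(readlink /proc/$pid/exe 2>/dev/null)` overwrites the script-wide `apache_bin`, which the reload branch further down this file uses both to build the command line (`cmdline=$(echo $apache_bin -f …`) and for `killproc -USR1 $apache_bin`; any invocation that runs stop and then another action in the same shell (a restart implemented in-process, for example — not visible here) would from then on carry a value ending in ` (deleted)`, and an empty `$pid` yields `readlink /proc//exe`. Read the link into its own variable and compare the wait loop against that instead: `running_bin=$(readlink "/proc/$pid/exe" 2>/dev/null)` and, in the loop below, `= "$running_bin"`. The enclosing stop case arm starts before the hunk and continues after it.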
@@ -174,7 +175,7 @@
if ! test -f /proc/$pid/exe; then
break
fi
- if test "$(readlink /proc/$pid/exe 2>/dev/null)" = $apache_bin; then
+ if test "$(readlink /proc/$pid/exe 2>/dev/null)" = "$apache_bin"; then
usleep 500000
else
break
@@ -260,7 +261,24 @@
rc_status
;;
reload|force-reload|graceful)
+ # check if there is a deleted binary. If there is, then logrotate
+ # or other occasions will fail to reload, as dlopen(3) of apache
+ # modules is prone to fail due to symbol mismatches.
+ # in this case, we only complain and fail.
+ if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
+ executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null )
+ case "$executable" in
+ *httpd*delete*)
+ echo -n "Reload httpd2 after package update: ignoring request. Please do a manual restart explicitly! "
+ rc_failed 1
+ rc_status -v
+ rc_exit
+ ;;
+ *)
+ ;;
+ esac
echo -n "Reload httpd2 (graceful restart)"
+
cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
if eval $cmdline -t &> $logdir/rc$pname.out; then
killproc -USR1 $apache_bin || return=$rc_failed
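Review bot: In the new deleted-binary check, the `2> /dev/null` on `executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null )` only silences readlink: when the pidfile is absent (the preceding `mv` of the `.rpmsave` copy may have had nothing to move), `cat` prints its error to the terminal and `readlink /proc//exe` is evaluated, and the glob `*httpd*delete*` matches on substrings rather than on the ` (deleted)` suffix the kernel appends. Use the same form as the stop branch and match the suffix: `executable=$(readlink "/proc/$(cat "$pidfile" 2>/dev/null)/exe" 2>/dev/null)` with `*" (deleted)")` as the case pattern. The `[ ! -f $pidfile -a -f $pidfile.rpmsave ]` test would also be safer as two quoted tests joined with `&&`, since `-a` is ambiguous with odd file names. The reload case arm continues past the hunk.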