[Pkg-apache-commits] r1179 - in /branches/lenny-apache2: ./ patches/

sf at alioth.debian.org sf at alioth.debian.org
Mon Apr 19 19:16:16 UTC 2010 

Author: sf
Date: Mon Apr 19 19:16:15 2010
New Revision: 1179

URL: http://svn.debian.org/wsvn/pkg-apache/?sc=1&rev=1179
Log:
- merge changes from DSA
- adjust changelog entry and patch numbering

Added:
    branches/lenny-apache2/patches/077_CVE-2010-0408.dpatch
    branches/lenny-apache2/patches/078_CVE-2010-0434.dpatch
    branches/lenny-apache2/patches/079_avoid_brigade_destroy.dpatch
      - copied unchanged from r1178, branches/lenny-apache2/patches/078_avoid_brigade_destroy.dpatch
Removed:
    branches/lenny-apache2/patches/077_CVE-2010-0408_mod_proxy_ajp_DoS.dpatch
    branches/lenny-apache2/patches/078_avoid_brigade_destroy.dpatch
Modified:
    branches/lenny-apache2/changelog
    branches/lenny-apache2/patches/00list

Modified: branches/lenny-apache2/changelog
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/changelog?rev=1179&op=diff
==============================================================================
--- branches/lenny-apache2/changelog (original)
+++ branches/lenny-apache2/changelog Mon Apr 19 19:16:15 2010
@@ -1,12 +1,19 @@
-apache2 (2.2.9-10+lenny7) UNRELEASED; urgency=low
-
-  * Security: CVE-2010-0408: Fix denial of service vulnerability in
-    mod_proxy_ajp.
+apache2 (2.2.9-10+lenny8) UNRELEASED; urgency=low
+
   * Add missing psmisc dependency for killall used in the init script.
     Closes: #568542
   * Fix potential memory leaks related to the usage of apr_brigade_destroy().
 
  -- Stefan Fritsch <sf at debian.org>  Tue, 02 Mar 2010 21:32:45 +0100
+
+apache2 (2.2.9-10+lenny7) stable-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fixed CVE-2010-0408: denial of service via crafted request in mod_proxy_ajp
+  * Fixed CVE-2010-0434: information disclosure via improper handling of
+    headers in subrequests
+
+ -- Giuseppe Iuculano <iuculano at debian.org>  Sun, 28 Mar 2010 17:50:02 +0200
 
 apache2 (2.2.9-10+lenny6) stable-security; urgency=high
 

Modified: branches/lenny-apache2/patches/00list
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/00list?rev=1179&op=diff
==============================================================================
--- branches/lenny-apache2/patches/00list (original)
+++ branches/lenny-apache2/patches/00list Mon Apr 19 19:16:15 2010
@@ -35,8 +35,9 @@
 074_CVE-2009-3094.dpatch
 075_CVE-2009-3095.dpatch
 076_CVE-2009-3555.dpatch
-077_CVE-2010-0408_mod_proxy_ajp_DoS.dpatch
-078_avoid_brigade_destroy.dpatch
+077_CVE-2010-0408.dpatch
+078_CVE-2010-0434.dpatch
+079_avoid_brigade_destroy.dpatch
 099_config_guess_sub_update
 200_cp_suexec.dpatch
 201_build_suexec-custom.dpatch

Added: branches/lenny-apache2/patches/077_CVE-2010-0408.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/077_CVE-2010-0408.dpatch?rev=1179&op=file
==============================================================================
--- branches/lenny-apache2/patches/077_CVE-2010-0408.dpatch (added)
+++ branches/lenny-apache2/patches/077_CVE-2010-0408.dpatch Mon Apr 19 19:16:15 2010
@@ -1,0 +1,17 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix denial of service via crafted request in mod_proxy_ajp
+# Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=917876
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apache2~/modules/proxy/mod_proxy_ajp.c apache2/modules/proxy/mod_proxy_ajp.c
+--- apache2~/modules/proxy/mod_proxy_ajp.c	2008-06-05 14:46:43.000000000 +0200
++++ apache2/modules/proxy/mod_proxy_ajp.c	2010-03-28 17:48:17.000000000 +0200
+@@ -231,7 +231,7 @@
+             ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                          "proxy: ap_get_brigade failed");
+             apr_brigade_destroy(input_brigade);
+-            return HTTP_INTERNAL_SERVER_ERROR;
++            return HTTP_BAD_REQUEST;
+         }
+ 
+         /* have something */

Added: branches/lenny-apache2/patches/078_CVE-2010-0434.dpatch
URL: http://svn.debian.org/wsvn/pkg-apache/branches/lenny-apache2/patches/078_CVE-2010-0434.dpatch?rev=1179&op=file
==============================================================================
--- branches/lenny-apache2/patches/078_CVE-2010-0434.dpatch (added)
+++ branches/lenny-apache2/patches/078_CVE-2010-0434.dpatch Mon Apr 19 19:16:15 2010
@@ -1,0 +1,49 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+# Description: fix information disclosure via improper handling of
+#  headers in subrequests
+# Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=917867
+# Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=48359
+
+ at DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apache2~/server/protocol.c apache2/server/protocol.c
+--- apache2~/server/protocol.c	2007-12-12 21:43:04.000000000 +0100
++++ apache2/server/protocol.c	2010-03-28 17:49:17.000000000 +0200
+@@ -1041,15 +1041,13 @@
+     return r;
+ }
+ 
+-/* if a request with a body creates a subrequest, clone the original request's
+- * input headers minus any headers pertaining to the body which has already
+- * been read.  out-of-line helper function for ap_set_sub_req_protocol.
++/* if a request with a body creates a subrequest, remove original request's
++ * input headers which pertain to the body which has already been read.
++ * out-of-line helper function for ap_set_sub_req_protocol.
+  */
+ 
+-static void clone_headers_no_body(request_rec *rnew,
+-                                  const request_rec *r)
++static void strip_headers_request_body(request_rec *rnew)
+ {
+-    rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);
+     apr_table_unset(rnew->headers_in, "Content-Encoding");
+     apr_table_unset(rnew->headers_in, "Content-Language");
+     apr_table_unset(rnew->headers_in, "Content-Length");
+@@ -1083,15 +1081,14 @@
+ 
+     rnew->status          = HTTP_OK;
+ 
++    rnew->headers_in = apr_table_copy(rnew->pool, r->headers_in);
++
+     /* did the original request have a body?  (e.g. POST w/SSI tags)
+      * if so, make sure the subrequest doesn't inherit body headers
+      */
+     if (apr_table_get(r->headers_in, "Content-Length")
+         || apr_table_get(r->headers_in, "Transfer-Encoding")) {
+-        clone_headers_no_body(rnew, r);
+-    } else {
+-        /* no body (common case).  clone headers the cheap way */
+-        rnew->headers_in      = r->headers_in;
++        strip_headers_request_body(rnew);
+     }
+     rnew->subprocess_env  = apr_table_copy(rnew->pool, r->subprocess_env);
+     rnew->headers_out     = apr_table_make(rnew->pool, 5);

More information about the Pkg-apache-commits mailing list