[apache2] 01/01: import 2.4.25-3+deb9u3 security update
Stefan Fritsch
sf at moszumanska.debian.org
Mon Oct 2 07:38:38 UTC 2017
This is an automated email from the git hooks/post-receive script.
sf pushed a commit to branch stretch
in repository apache2.
commit aac953c9485c1f2eb6e9d697413c11e50c9c9094
Author: Stefan Fritsch <sf at sfritsch.de>
Date: Mon Oct 2 09:37:51 2017 +0200
import 2.4.25-3+deb9u3 security update
---
debian/changelog | 8 +++++
...ow-Methods-registration-at-run-time-.htac.patch | 35 ++++++++++++++++++++++
debian/patches/series | 2 ++
3 files changed, 45 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 51ef728..d884166 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.4.25-3+deb9u3) stretch-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * CVE-2017-9798: Use-after-free by limiting unregistered HTTP method
+ (Closes: #876109)
+
+ -- Salvatore Bonaccorso <carnil at debian.org> Tue, 19 Sep 2017 20:58:57 +0200
+
apache2 (2.4.25-3+deb9u2) stretch-security; urgency=medium
* CVE-2017-9788: mod_auth_digest: Fix leak of uninitialized memory
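Review bot: the changelog entry describes the fix only by its CVE title and does not mention the user-visible behaviour change it introduces: a Limit section in a .htaccess file that names an HTTP method not registered at server init (httpd.conf) is now rejected with a configuration error instead of being accepted, so sites relying on such directives will start failing after the update. Consider adding a short line such as "Limit sections in .htaccess can no longer use methods that are not registered in the main configuration" so administrators recognise the new error message.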
diff --git a/debian/patches/core-Disallow-Methods-registration-at-run-time-.htac.patch b/debian/patches/core-Disallow-Methods-registration-at-run-time-.htac.patch
new file mode 100644
index 0000000..feaa3b2
--- /dev/null
+++ b/debian/patches/core-Disallow-Methods-registration-at-run-time-.htac.patch
@@ -0,0 +1,35 @@
+From: Yann Ylavic <ylavic at apache.org>
+Date: Thu, 7 Sep 2017 22:43:41 +0000
+Subject: core: Disallow Methods' registration at run time (.htaccess), they
+ may be used only if registered at init time (httpd.conf).
+Origin: https://github.com/apache/httpd/commit/29afdd2550b3d30a8defece2b95ae81edcf66ac9
+Bug-Debian: https://bugs.debian.org/876109
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-9798
+
+Calling ap_method_register() in children processes is not the right scope
+since it won't be shared for all requests.
+
+
+git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1807655 13f79535-47bb-0310-9956-ffa450edef68
+---
+
+diff --git a/server/core.c b/server/core.c
+index 76adb4d869..c9b6837bd4 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -2331,6 +2331,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(cmd_parms *cmd,
+ /* method has not been registered yet, but resource restriction
+ * is always checked before method handling, so register it.
+ */
++ if (cmd->pool == cmd->temp_pool) {
++ /* In .htaccess, we can't globally register new methods. */
++ return apr_psprintf(cmd->pool, "Could not register method '%s' "
++ "for %s from .htaccess configuration",
++ method, cmd->cmd->name);
++ }
+ methnum = ap_method_register(cmd->pool,
+ apr_pstrdup(cmd->pool, method));
+ }
+--
+2.14.1
+
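Review bot: the .htaccess detection at `if (cmd->pool == cmd->temp_pool)` relies on a pool-identity convention rather than an explicit per-directory flag, and the comment `/* In .htaccess, we can't globally register new methods. */` says only what is refused, not why the pool comparison identifies that context. Consider expanding the comment to state the invariant the check depends on (per-directory configuration is parsed with the config pool equal to the temporary pool, so a method registered there would be freed with that pool, which is the use-after-free named in the changelog), otherwise a later change to how .htaccess parsing sets up `cmd_parms` could silently disable the guard. The early `return` also leaves `methnum` unassigned on that path, which is correct only because returning an error aborts directive processing; worth a word in the comment as well.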
diff --git a/debian/patches/series b/debian/patches/series
index dcdf8c3..98eb09d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -17,3 +17,5 @@ CVE-2017-7659.diff
CVE-2017-7668.diff
CVE-2017-7679.diff
CVE-2017-9788-mod_auth_digest.diff
+
+core-Disallow-Methods-registration-at-run-time-.htac.patch
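Review bot: the hunk adds an empty line (the bare `+`) ahead of the new `core-Disallow-Methods-registration-at-run-time-.htac.patch` entry. quilt tolerates blank lines in the series file, but the existing entries are contiguous, so drop the blank line to keep the file consistent with the entries above it.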
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-apache/apache2.git