Date: Monday, September 18, 2017 @ 13:40:36
  Author: anthraxx
Revision: 305808

upgpkg: apache 2.4.27-2 (CVE-2017-9798)

Added:
  apache/trunk/apache-2.2-optionsbleed-CVE-2017-9798.patch
Modified:
  apache/trunk/PKGBUILD

---------------------------------------------+
 PKGBUILD                                    |    8 ++++++--
 apache-2.2-optionsbleed-CVE-2017-9798.patch |   21 +++++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2017-09-18 13:37:02 UTC (rev 305807)
+++ PKGBUILD    2017-09-18 13:40:36 UTC (rev 305808)
@@ -5,7 +5,7 @@
 
 pkgname=apache
 pkgver=2.4.27
-pkgrel=1
+pkgrel=2
 pkgdesc='A high performance Unix-based HTTP server'
 arch=('i686' 'x86_64')
 url='http://www.apache.org/dist/httpd'
@@ -33,6 +33,7 @@
     httpd.logrotate
     httpd.service
     arch.layout
+    apache-2.2-optionsbleed-CVE-2017-9798.patch
 )
 sha256sums=('71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a'
             'SKIP'
@@ -40,7 +41,8 @@
             '63da1a420f4714a3e7af2672d28384419cc7eedbe7bf35baebd02938fabc15bf'
             '0bbbfae23a917b2fce0bf8f900f60319b50769224a96314e9301a75ccd078e16'
             'f574bac6d5f398e7a649fc0e1ca66ff01ad4ef34dac71258e93d8a9d9a2b3960'
-            'dda05c6e76f12624e418ca18a36f2e90ec1c5b1cc52fed7142fce6076ec413f3')
+            'dda05c6e76f12624e418ca18a36f2e90ec1c5b1cc52fed7142fce6076ec413f3'
+            '8278b462612dd64e1d6e9e7b6ef6141efc60917b3598ba20b4423998b2c05b01')
 validpgpkeys=('A93D62ECC3C8EA12DB220EC934EA76E6791485A8') # Jim Jagielski
 
 prepare() {
@@ -55,6 +57,8 @@
 
   # https://github.com/openssl/openssl/issues/2865
   patch -Np1 -i ../openssl-malloc-init.patch
+
+  patch -p1 -i ../apache-2.2-optionsbleed-CVE-2017-9798.patch
 }
 
 build() {
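Review bot: The added `patch -p1 -i ../apache-2.2-optionsbleed-CVE-2017-9798.patch` call in prepare() omits the `-N` flag that the `openssl-malloc-init.patch` call just above uses, and it has no comment saying what it fixes. Writing it as `patch -Np1 -i ../apache-2.2-optionsbleed-CVE-2017-9798.patch` keeps the two calls consistent and stops patch from offering to reverse the change if the tree already contains it. The file name says `apache-2.2` while `pkgver` is 2.4.27, so a comment above the call would help the next maintainer, for example `# CVE-2017-9798 (Optionsbleed): backport of upstream r1807655, drop once pkgver includes the fix`. The body of prepare() begins outside this hunk.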

Added: apache-2.2-optionsbleed-CVE-2017-9798.patch
===================================================================
--- apache-2.2-optionsbleed-CVE-2017-9798.patch                         (rev 0)
+++ apache-2.2-optionsbleed-CVE-2017-9798.patch 2017-09-18 13:40:36 UTC (rev 
305808)
@@ -0,0 +1,21 @@
+CVE-2017-9798
+
+Backport from https://svn.apache.org/viewvc?view=revision&revision=1807655
+
+diff --git a/server/core.c b/server/core.c
+index f61699e..d24542e 100644
+--- a/server/core.c
++++ b/server/core.c
+@@ -1809,6 +1809,12 @@ AP_CORE_DECLARE_NONSTD(const char *) 
ap_limit_section(cmd_parms *cmd,
+             /* method has not been registered yet, but resorce restriction
+              * is always checked before method handling, so register it.
+              */
++            if (cmd->pool == cmd->temp_pool) {
++                /* In .htaccess, we can't globally register new methods. */
++                return apr_psprintf(cmd->pool, "Could not register method 
'%s' "
++                                   "for %s from .htaccess configuration",
++                                    method, cmd->cmd->name);
++            }
+             methnum = ap_method_register(cmd->pool,
+                                          apr_pstrdup(cmd->pool, method));
+ 
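Review bot: The guard `cmd->pool == cmd->temp_pool` is the only signal that this branch is the .htaccess case, and the one-line comment under it does not say why registration has to be refused there. Presumably .htaccess directives are parsed with both pools set to a request-lifetime pool, so a method name duplicated from it would be left in the global method table after the pool is destroyed; that should be confirmed against the upstream revision named in the patch header. If so, a fuller comment would help, for example `/* .htaccess is parsed with cmd->pool == cmd->temp_pool (request lifetime); a method registered from it would dangle in the global registry. */`. Operators should also be told that a `<Limit>` naming an unregistered method in .htaccess now returns a configuration error rather than being accepted, which is worth a line in the package's release notes. ap_limit_section starts and ends outside this hunk.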
