Hello community, here is the log from the commit of package apache2 for openSUSE:11.4 checked in at Mon Dec 5 17:55:22 CET 2011.
-------- --- old-versions/11.4/UPDATES/all/apache2/apache2.changes 2011-10-26 15:54:55.000000000 +0200 +++ 11.4/apache2/apache2.changes 2011-11-29 16:53:50.000000000 +0100 @@ -1,0 +2,21 @@ +Tue Nov 29 16:53:29 CET 2011 - [email protected] + +- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff re-worked: + len needs to be unsigned. int -> apr_size_t. [bnc#729181] + +------------------------------------------------------------------- +Fri Nov 25 14:49:52 CET 2011 - [email protected] + +- httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff fixes an + integer overflow in server/util.c also known as CVE-2011-3607. + [bnc#729181] +- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff is a fix + for CVE-2011-4317, which is to be seen a variant of CVE-2011-3368 + which was addressed below in + httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff. [bnc#722545] +- new template file: /etc/apache2/vhosts.d/vhost-ssl.template + allow TLSv1 only, browser match stuff commented out. +- rc script /etc/init.d/apache2: handle reload with deleted binaries + by message to stdout only, but refrain from sending signals. + +------------------------------------------------------------------- calling whatdependson for 11.4-i586 New: ---- httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.eC6MIX/_old 2011-12-05 17:55:08.000000000 +0100 +++ /var/tmp/diff_new_pack.eC6MIX/_new 2011-12-05 17:55:08.000000000 +0100 @@ -69,7 +69,7 @@ Group: Productivity/Networking/Web/Servers %define realver 2.2.17 Version: 2.2.17 -Release: 4.<RELEASE9> +Release: 4.<RELEASE11> #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 # Add file to take mtime from it in prep section 
@@ -129,6 +129,8 @@ Patch101: httpd-2.2.x-bnc713966-CVE-2011-3192.patch Patch102: httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff Patch103: httpd-2.2.x-CVE-2011-3348-mod_proxy_ajp.patch +Patch104: httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff +Patch105: httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.2 @@ -358,6 +360,8 @@ %patch101 -p0 %patch102 -p0 %patch103 -p0 +%patch104 -p0 +%patch105 -p0 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # ++++++ apache2-vhost-ssl.template ++++++ --- /var/tmp/diff_new_pack.eC6MIX/_old 2011-12-05 17:55:08.000000000 +0100 +++ /var/tmp/diff_new_pack.eC6MIX/_new 2011-12-05 17:55:08.000000000 +0100 @@ -13,20 +13,11 @@ # serve pages over an https connection. For detailing information about these # directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html> # -# For the moment, see <URL:http://www.modssl.org/docs/> for this info. -# The documents are still being prepared from material donated by the -# modssl project. -# # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure # consult the online docs. You have been warned. # -# Until documentation is completed, please check http://www.modssl.org/ -# for additional config examples and module docmentation. Directives -# and features of mod_ssl are largely unchanged from the mod_ssl project -# for Apache 1.3. - <IfDefine SSL> <IfDefine !NOSSL> 
@@ -47,10 +38,21 @@ # Enable/Disable SSL for this virtual host. SSLEngine on + # 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS only: + SSLProtocol all -SSLv2 -SSLv3 + # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. - SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + # + # formerly, this was set to the following: + # ### SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL + # + # We now disable weak ciphers by default. + # Please see the documentation via the links above, and + # "openssl ciphers -v" for a complete list of ciphers that are + # available. + SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If @@ -185,9 +187,12 @@ # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. - SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 + # remark: The below configuration snippet is here for illustration purposes. + # Browser specific deficiencies exist, but generally all of them + # should handle SSL/TLS encapsulated connections well. + #SetEnvIf User-Agent ".*MSIE.*" \ + # nokeepalive ssl-unclean-shutdown \ + # downgrade-1.0 force-response-1.0 # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a ++++++ httpd-2.2.x-CVE-2011-3368_CVE-2011-4317-bnc722545.diff ++++++ diff -rNU 20 ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c ./modules/mappers/mod_rewrite.c --- ../httpd-2.2.12-o/modules/mappers/mod_rewrite.c 2009-07-10 14:20:45.000000000 +0200 +++ ./modules/mappers/mod_rewrite.c 2011-11-24 04:08:35.000000000 +0100 
@@ -4230,40 +4230,47 @@ /* * only do something under runtime if the engine is really enabled, * else return immediately! */ if (conf->state == ENGINE_DISABLED) { return DECLINED; } /* * check for the ugly API case of a virtual host section where no * mod_rewrite directives exists. In this situation we became no chance * by the API to setup our default per-server config so we have to * on-the-fly assume we have the default config. But because the default * config has a disabled rewriting engine we are lucky because can * just stop operating now. */ if (conf->server != r->server) { return DECLINED; } + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* * add the SCRIPT_URL variable to the env. this is a bit complicated * due to the fact that apache uses subrequests and internal redirects */ if (r->main == NULL) { var = apr_table_get(r->subprocess_env, REDIRECT_ENVVAR_SCRIPT_URL); if (var == NULL) { apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, r->uri); } else { apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var); } } else { var = apr_table_get(r->main->subprocess_env, ENVVAR_SCRIPT_URL); apr_table_setn(r->subprocess_env, ENVVAR_SCRIPT_URL, var); } /* diff -rNU 20 ../httpd-2.2.12-o/modules/proxy/mod_proxy.c ./modules/proxy/mod_proxy.c --- ../httpd-2.2.12-o/modules/proxy/mod_proxy.c 2009-01-31 21:58:07.000000000 +0100 +++ ./modules/proxy/mod_proxy.c 2011-11-24 04:08:35.000000000 +0100 
@@ -527,40 +527,47 @@ proxy_server_conf *conf = (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module); int i, len; struct proxy_alias *ent = (struct proxy_alias *) conf->aliases->elts; proxy_dir_conf *dconf = ap_get_module_config(r->per_dir_config, &proxy_module); const char *fake; const char *real; ap_regmatch_t regm[AP_MAX_REG_MATCH]; ap_regmatch_t reg1[AP_MAX_REG_MATCH]; char *found = NULL; int mismatch = 0; if (r->proxyreq) { /* someone has already set up the proxy, it was possibly ourselves * in proxy_detect */ return OK; } + /* Check that the URI is valid. */ + if (!r->uri || r->uri[0] != '/') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "Invalid URI in request %s", r->the_request); + return HTTP_BAD_REQUEST; + } + /* XXX: since r->uri has been manipulated already we're not really * compliant with RFC1945 at this point. But this probably isn't * an issue because this is a hybrid proxy/origin server. */ for (i = 0; i < conf->aliases->nelts; i++) { unsigned int nocanon = ent[i].flags & PROXYPASS_NOCANON; const char *use_uri = nocanon ? r->unparsed_uri : r->uri; if ((dconf->interpolate_env == 1) && (ent[i].flags & PROXYPASS_INTERPOLATE)) { fake = proxy_interpolate(r, ent[i].fake); real = proxy_interpolate(r, ent[i].real); } else { fake = ent[i].fake; real = ent[i].real; } if (ent[i].regex) { if (!ap_regexec(ent[i].regex, r->uri, AP_MAX_REG_MATCH, regm, 0)) { if ((real[0] == '!') && (real[1] == '\0')) { ++++++ httpd-2.2.x-bnc729181-CVE-2011-3607-int_overflow.diff ++++++ diff -rNU 20 ../httpd-2.2.17-o/server/util.c ./server/util.c --- ../httpd-2.2.17-o/server/util.c 2010-10-07 18:56:54.000000000 +0200 +++ ./server/util.c 2011-11-29 17:49:15.000000000 +0100 
@@ -349,72 +349,80 @@ * passed ap_regexec(). pmatch should not be greater than the maximum number * of subexpressions - i.e. one more than the re_nsub member of ap_regex_t. * * input should be the string with the $-expressions, source should be the * string that was matched against. * * It returns the substituted string, or NULL on error. * * Parts of this code are based on Henry Spencer's regsub(), from his * AT&T V8 regexp package. */ AP_DECLARE(char *) ap_pregsub(apr_pool_t *p, const char *input, const char *source, size_t nmatch, ap_regmatch_t pmatch[]) { const char *src = input; char *dest, *dst; char c; size_t no; - int len; + apr_size_t len; if (!source) return NULL; if (!nmatch) return apr_pstrdup(p, src); /* First pass, find the size */ len = 0; while ((c = *src++) != '\0') { if (c == '&') no = 0; else if (c == '$' && apr_isdigit(*src)) no = *src++ - '0'; else no = 10; if (no > 9) { /* Ordinary character. */ if (c == '\\' && (*src == '$' || *src == '&')) src++; len++; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { + if (APR_SIZE_MAX - len <= pmatch[no].rm_eo - pmatch[no].rm_so) { + ap_log_error(APLOG_MARK, APLOG_WARNING, APR_ENOMEM, NULL, + "integer overflow or out of memory condition." ); + return NULL; + } len += pmatch[no].rm_eo - pmatch[no].rm_so; } } dest = dst = apr_pcalloc(p, len + 1); + if(!dest) + return NULL; + /* Now actually fill in the string */ src = input; while ((c = *src++) != '\0') { if (c == '&') no = 0; else if (c == '$' && apr_isdigit(*src)) no = *src++ - '0'; else no = 10; if (no > 9) { /* Ordinary character. */ if (c == '\\' && (*src == '$' || *src == '&')) c = *src++; *dst++ = c; } else if (no < nmatch && pmatch[no].rm_so < pmatch[no].rm_eo) { len = pmatch[no].rm_eo - pmatch[no].rm_so; memcpy(dst, source + pmatch[no].rm_so, len); ++++++ rc.apache2 ++++++ --- /var/tmp/diff_new_pack.eC6MIX/_old 2011-12-05 17:55:08.000000000 +0100 +++ /var/tmp/diff_new_pack.eC6MIX/_new 2011-12-05 17:55:08.000000000 +0100 
@@ -6,9 +6,8 @@ # Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH # # Authors: Rolf Haberrecker <[email protected]>, 2001 -# Peter Poeml <[email protected]>, 2002, 2003, 2004, 2005, 2006, 2007, -# 2008, 2009, 2010 -# +# Peter Poeml <[email protected]>, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# Roman Drahtmueller <[email protected]>, 2009-2012 # # /etc/init.d/apache2 # @@ -161,6 +160,8 @@ echo -n "(not running)" else pid=$(<$pidfile) + # re-read exe symlink, it could be (deleted) in the meanwhile. + apache_bin=$(readlink /proc/$pid/exe 2>/dev/null) kill -TERM $pid 2>/dev/null case $? in 1) echo -n "(not running)";; @@ -174,7 +175,7 @@ if ! test -f /proc/$pid/exe; then break fi - if test "$(readlink /proc/$pid/exe 2>/dev/null)" = $apache_bin; then + if test "$(readlink /proc/$pid/exe 2>/dev/null)" = "$apache_bin"; then usleep 500000 else break @@ -260,7 +261,24 @@ rc_status ;; reload|force-reload|graceful) + # check if there is a deleted binary. If there is, then logrotate + # or other occasions will fail to reload, as dlopen(3) of apache + # modules is prone to fail due to symbol mismatches. + # in this case, we only complain and fail. + if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi + executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null ) + case "$executable" in + *httpd*delete*) + echo -n "Reload httpd2 after package update: ignoring request. Please do a manual restart explicitly! " + rc_failed 1 + rc_status -v + rc_exit + ;; + *) + ;; + esac echo -n "Reload httpd2 (graceful restart)" + cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@") if eval $cmdline -t &> $logdir/rc$pname.out; then killproc -USR1 $apache_bin || return=$rc_failed continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
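Review bot: the new SSLCipherSuite line in apache2-vhost-ssl.template (hunk @@ -47,10 +38,21 @@) still starts from ALL, and @STRENGTH only sorts the surviving suites by key size, so the client's preference decides which one is negotiated; the hunk adds no SSLHonorCipherOrder directive. Suggest adding `SSLHonorCipherOrder on` next to the new `SSLProtocol all -SSLv2 -SSLv3` line so the server-side ordering is actually enforced, and noting in the comment block that RC4-based suites are still admitted by ALL (only aNULL, eNULL, SSLv2, LOW, EXP and MD5 are excluded).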
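Review bot: the new URI guard in mod_rewrite.c (hunk @@ -4230,40 +4230,47 @@) returns HTTP_BAD_REQUEST for every request whose r->uri does not begin with '/', and unlike the matching guard in the mod_proxy.c hunk it is not preceded by an `r->proxyreq` check, so requests that legitimately carry a non-path request-URI (a forward-proxy request with an absolute URI, or `OPTIONS *`, where r->uri is "*") will be rejected on any server with RewriteEngine on. Suggest skipping the check when r->proxyreq is set and when r->uri is "*", or at least stating in the changes entry that forward-proxy setups routed through mod_rewrite are intentionally affected.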
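Review bot: the diff headers for the mod_rewrite.c and mod_proxy.c hunks (hunk @@ -527,40 +527,47 @@ and the one before it) are taken against a `httpd-2.2.12-o` tree, while apache2.spec builds `realver 2.2.17` and the util.c diff is against `httpd-2.2.17-o`; since Patch105 is applied with -p0 and carries 20 lines of context (`diff -rNU 20`), confirm in the build log that it applies at the stated offsets without fuzz, or regenerate it against 2.2.17. Also, the `nocanon` branch below the new guard matches ProxyPass against `r->unparsed_uri`, which the check does not inspect; it relies on the raw request line already being validated by the protocol.c change in Patch102, which is worth saying in a comment.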
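Review bot: the overflow guard in ap_pregsub (server/util.c hunk @@ -349,72 +349,80 @@) compares the `apr_size_t` expression `APR_SIZE_MAX - len` against `pmatch[no].rm_eo - pmatch[no].rm_so`, whose operands are the `int` members of ap_regmatch_t; the comparison is only safe because the enclosing branch already requires `rm_so < rm_eo`, so a short comment (or an explicit cast to apr_size_t) would make that dependency visible to the next maintainer. Using `<=` rather than `<` correctly leaves room for the trailing NUL in `apr_pcalloc(p, len + 1)`. Two smaller points: the `len++` path for ordinary characters remains unchecked (bounded by strlen(input), so acceptable, but worth a comment), and `if(!dest)` is missing the space after `if` used everywhere else in the function.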
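Review bot: in the reload branch of rc.apache2 (hunk @@ -260,7 +261,24 @@), `executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null )` redirects only readlink's stderr; when $pidfile is absent the inner `cat` prints an error to the terminal and readlink is run on `/proc//exe`. Suggest guarding with `test -f $pidfile` first, as the stop branch does with `/proc/$pid/exe`. The `*httpd*delete*` glob also matches any path that happens to contain "delete", not only the " (deleted)" suffix that readlink appends to an unlinked binary; `*" (deleted)")` is the precise pattern. Finally, `cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")` flattens the quoting of "$@" before the later `eval`, so arguments containing spaces are re-split.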
