Date: Monday, September 18, 2017 @ 13:40:36 Author: anthraxx Revision: 305808
upgpkg: apache 2.4.27-2 (CVE-2017-9798) Added: apache/trunk/apache-2.2-optionsbleed-CVE-2017-9798.patch Modified: apache/trunk/PKGBUILD ---------------------------------------------+ PKGBUILD | 8 ++++++-- apache-2.2-optionsbleed-CVE-2017-9798.patch | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) Modified: PKGBUILD =================================================================== --- PKGBUILD 2017-09-18 13:37:02 UTC (rev 305807) +++ PKGBUILD 2017-09-18 13:40:36 UTC (rev 305808) @@ -5,7 +5,7 @@ pkgname=apache pkgver=2.4.27 -pkgrel=1 +pkgrel=2 pkgdesc='A high performance Unix-based HTTP server' arch=('i686' 'x86_64') url='http://www.apache.org/dist/httpd' @@ -33,6 +33,7 @@ httpd.logrotate httpd.service arch.layout + apache-2.2-optionsbleed-CVE-2017-9798.patch ) sha256sums=('71fcc128238a690515bd8174d5330a5309161ef314a326ae45c7c15ed139c13a' 'SKIP' @@ -40,7 +41,8 @@ '63da1a420f4714a3e7af2672d28384419cc7eedbe7bf35baebd02938fabc15bf' '0bbbfae23a917b2fce0bf8f900f60319b50769224a96314e9301a75ccd078e16' 'f574bac6d5f398e7a649fc0e1ca66ff01ad4ef34dac71258e93d8a9d9a2b3960' - 'dda05c6e76f12624e418ca18a36f2e90ec1c5b1cc52fed7142fce6076ec413f3') + 'dda05c6e76f12624e418ca18a36f2e90ec1c5b1cc52fed7142fce6076ec413f3' + '8278b462612dd64e1d6e9e7b6ef6141efc60917b3598ba20b4423998b2c05b01') validpgpkeys=('A93D62ECC3C8EA12DB220EC934EA76E6791485A8') # Jim Jagielski prepare() { @@ -55,6 +57,8 @@ # https://github.com/openssl/openssl/issues/2865 patch -Np1 -i ../openssl-malloc-init.patch + + patch -p1 -i ../apache-2.2-optionsbleed-CVE-2017-9798.patch } build() { Added: apache-2.2-optionsbleed-CVE-2017-9798.patch =================================================================== --- apache-2.2-optionsbleed-CVE-2017-9798.patch (rev 0) +++ apache-2.2-optionsbleed-CVE-2017-9798.patch 2017-09-18 13:40:36 UTC (rev 305808) @@ -0,0 +1,21 @@ +CVE-2017-9798 + +Backport from https://svn.apache.org/viewvc?view=revision&revision=1807655 + +diff --git a/server/core.c b/server/core.c +index f61699e..d24542e 100644 +--- a/server/core.c ++++ b/server/core.c +@@ -1809,6 +1809,12 @@ AP_CORE_DECLARE_NONSTD(const char *) ap_limit_section(cmd_parms *cmd, + /* method has not been registered yet, but resorce restriction + * is always checked before method handling, so register it. + */ ++ if (cmd->pool == cmd->temp_pool) { ++ /* In .htaccess, we can't globally register new methods. */ ++ return apr_psprintf(cmd->pool, "Could not register method '%s' " ++ "for %s from .htaccess configuration", ++ method, cmd->cmd->name); ++ } + methnum = ap_method_register(cmd->pool, + apr_pstrdup(cmd->pool, method)); +