On 10/10/2019 at 22:04, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> Hi,
>
> CVE-2019-10092 patch added a regression (#941202). This patch fixes it
> (taken from
> https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?r1=1865749&r2=1865748&pathrev=1865749)
>
> Cheers,
> Xavier
I forgot debdiff, sorry
diff --git a/debian/changelog b/debian/changelog index 4fa219d6..14ffbf5e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +apache2 (2.4.38-3+deb10u2) buster; urgency=medium + + * Fix CVE-2019-10092 patch (Closes: #941202) + + -- Xavier Guimard <y...@debian.org> Thu, 10 Oct 2019 21:59:32 +0200 + apache2 (2.4.38-3+deb10u1) buster-security; urgency=high * Add patch to limit cross-site scripting in mod_proxy (Closes: CVE-2019-10092) diff --git a/debian/patches/CVE-2019-10092.patch b/debian/patches/CVE-2019-10092.patch index a558173f..e6bb1c52 100644 --- a/debian/patches/CVE-2019-10092.patch +++ b/debian/patches/CVE-2019-10092.patch @@ -1,10 +1,11 @@ Description: Fix for CVE-2019-10092 + Added also patch to fix #941202 Author: Stefan Eissing Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1864787 Bug: https://security-tracker.debian.org/tracker/CVE-2019-10092 Forwarded: not-needed Reviewed-By: Xavier Guimard <y...@debian.org> -Last-Update: 2019-08-17 +Last-Update: 2019-10-10 --- a/modules/proxy/mod_proxy_balancer.c +++ b/modules/proxy/mod_proxy_balancer.c @@ -21,7 +22,7 @@ Last-Update: 2019-08-17 + if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname) + return 0; + -+ return strcmp(uri.hostname, ap_get_server_name(r)) == 0; ++ return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0; +} + /* Manages the loadfactors and member status
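Review bot: the changelog entry "Fix CVE-2019-10092 patch (Closes: #941202)" names the bug it closes but not what was wrong; a short clause such as "compare the Referer hostname case-insensitively in the mod_proxy_balancer check" would tell stable users and the release team what behaviour changes in this upload without having to open #941202.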
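Review bot: in the patch header hunk the Description and Last-Update lines are updated for the #941202 fix, but the Origin line still cites only upstream r1864787; the revision the cover mail gives for the follow-up fix (r1865749) should be recorded as well, either as a second Origin line or under Description, so the provenance of the strcasecmp change stays traceable when the patch is later refreshed or forwarded.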
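Review bot: the change from strcmp to strcasecmp in the mod_proxy_balancer.c hunk is the right fix given the visible code: uri.hostname comes from parsing the Referer and ap_get_server_name(r) from the server configuration, and since DNS hostnames are case-insensitive a byte-exact comparison rejects legitimate requests whose Referer host differs only in case. The check still requires the whole hostname to match, so the CVE-2019-10092 Referer validation is not weakened by this relaxation. Consider adding a one-line comment above the return stating that the case-insensitive comparison is intentional, so a future cleanup does not "tighten" it back to strcmp and reintroduce #941202.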