CVE-2016-5387/apache2

Salvatore Bonaccorso Wed, 20 Jul 2016 00:31:36 -0700

Hi LTS team,

I have prepared an update for the mitigation of "httpoxy" in apache2
(CVE-2016-5387).


Unless someone of the team want's to actually do the upload I could do
it, since already prepared. But just let me know.

Regards,
Salvatore

diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog
--- apache2-2.2.22/debian/changelog     2015-08-18 11:41:11.000000000 +0200
+++ apache2-2.2.22/debian/changelog     2016-07-20 07:04:30.000000000 +0200
@@ -1,3 +1,12 @@
+apache2 (2.2.22-13+deb7u7) wheezy-security; urgency=high
+
+  * Non-maintainer upload.
+  * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
+    request header.
+    Don't pass through HTTP_PROXY in server/util_script.c
+
+ -- Salvatore Bonaccorso <[email protected]>  Wed, 20 Jul 2016 07:03:46 +0200
+
 apache2 (2.2.22-13+deb7u6) wheezy-security; urgency=medium
 
   * Fix regression causing spurious errors when loading certificate chain.
diff -Nru apache2-2.2.22/debian/patches/CVE-2016-5387.patch 
apache2-2.2.22/debian/patches/CVE-2016-5387.patch
--- apache2-2.2.22/debian/patches/CVE-2016-5387.patch   1970-01-01 
01:00:00.000000000 +0100
+++ apache2-2.2.22/debian/patches/CVE-2016-5387.patch   2016-07-20 
07:04:30.000000000 +0200
@@ -0,0 +1,17 @@
+--- a/server/util_script.c
++++ b/server/util_script.c
+@@ -180,6 +180,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them
diff -Nru apache2-2.2.22/debian/patches/series 
apache2-2.2.22/debian/patches/series
--- apache2-2.2.22/debian/patches/series        2015-08-18 09:47:23.000000000 
+0200
+++ apache2-2.2.22/debian/patches/series        2016-07-20 07:04:30.000000000 
+0200
@@ -51,3 +51,4 @@
 DH-SSLCertificateFile.patch
 CVE-2015-3183.patch
 SSL_CTX_use_certificate_clear_errors.diff
+CVE-2016-5387.patch

CVE-2016-5387/apache2

Reply via email to