Control: retitle -1 unblock: apache2/2.4.46-6
Le 10/06/2021 à 12:21, Yadd a écrit : > Package: release.debian.org > Severity: normal > User: [email protected] > Usertags: unblock > X-Debbugs-Cc: [email protected] > > Please unblock package apache2 > > [ Reason ] > Apache2 is vulnerable to a denial of service due to a NULL pointer > dereference on specially crafted HTTP/2 request (#989562, > CVE-2021-31618) > > [ Impact ] > Denial of service > > [ Tests ] > No new test > > [ Risks ] > Patch is really trivial > > [ Checklist ] > [X] all changes are documented in the d/changelog > [X] I reviewed all changes and I approve them > [X] attach debdiff against the package in testing > > unblock apache2/2.4.46-5 I also added fixes for the other CVEs published with the 2.4.48 release. All these patches are trivial. Cheers, Yadd unblock apache2/2.4.46-6
diff --git a/debian/changelog b/debian/changelog
index 8a02325f..fa775057 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+apache2 (2.4.46-6) unstable; urgency=medium
+
+ * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
+ CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
+
+ -- Yadd <[email protected]> Thu, 10 Jun 2021 13:40:11 +0200
+
+apache2 (2.4.46-5) unstable; urgency=medium
+
+ * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
+ (Closes: #989562, CVE-2021-31618)
+
+ -- Yadd <[email protected]> Thu, 10 Jun 2021 11:57:38 +0200
+
 apache2 (2.4.46-4) unstable; urgency=medium
 * Ignore other random another test failures (Closes: #979664)
diff --git a/debian/patches/CVE-2020-13950.patch b/debian/patches/CVE-2020-13950.patch
new file mode 100644
index 00000000..cf0ef992
--- /dev/null
+++ b/debian/patches/CVE-2020-13950.patch
@@ -0,0 +1,28 @@
+Description: The proxy connection may be NULL during prefetch, don't try to dereference it!
+ Still origin->keepalive will be set according to p_conn->close by the caller
+ (proxy_http_handler).
+Author: Apache authors
+Origin: upstream, https://svn.apache.org/r1678771
+Bug: <url in upstream bugtracker>
+Forwarded: not-needed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2021-06-10
+
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -577,7 +577,6 @@
+ apr_off_t bytes;
+ int force10, rv;
+ apr_read_type_e block;
+- conn_rec *origin = p_conn->connection;
+
+ if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
+ if (req->expecting_100) {
+@@ -637,7 +636,6 @@
+ "chunked body with Content-Length (C-L ignored)",
+ c->client_ip, c->remote_host ? c->remote_host: "");
+ req->old_cl_val = NULL;
+- origin->keepalive = AP_CONN_CLOSE;
+ p_conn->close = 1;
+ }
+
diff --git a/debian/patches/CVE-2020-35452.patch b/debian/patches/CVE-2020-35452.patch
new file mode 100644
index 00000000..52042108
--- /dev/null
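Review bot: The DEP-3 header of CVE-2020-13950.patch still carries the unfilled template field `Bug: <url in upstream bugtracker>`, and the same template residue is left as `Description: <short summary of the patch>` in CVE-2020-35452.patch and CVE-2021-26690.patch. The sibling patches already point `Bug:` at the vulnerabilities_24.html anchor for their CVE, so either fill these fields in the same way or drop them, so that the metadata does not advertise a reference that was never resolved. For CVE-2020-13950 the first line of the existing Description already summarises the change, e.g. `Description: mod_proxy_http: don't dereference a NULL proxy connection during prefetch`, and the Bug field can reuse the vulnerabilities_24.html anchor pattern the other patches use. The two mod_proxy_http.c functions touched by this patch start and end outside the hunk.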
+++ b/debian/patches/CVE-2020-35452.patch
@@ -0,0 +1,27 @@
+Description: <short summary of the patch>
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/3b6431e
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-35452
+Forwarded: not-needed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2021-06-10
+
+--- a/modules/aaa/mod_auth_digest.c
++++ b/modules/aaa/mod_auth_digest.c
+@@ -1422,9 +1422,14 @@
+ time_rec nonce_time;
+ char tmp, hash[NONCE_HASH_LEN+1];
+
+- if (strlen(resp->nonce) != NONCE_LEN) {
++ /* Since the time part of the nonce is a base64 encoding of an
++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
++ */
++ if (strlen(resp->nonce) != NONCE_LEN
++ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
+- "invalid nonce %s received - length is not %d",
++ "invalid nonce '%s' received - length is not %d "
++ "or time encoding is incorrect",
+ resp->nonce, NONCE_LEN);
+ note_digest_auth_failure(r, conf, resp, 1);
+ return HTTP_UNAUTHORIZED;
diff --git a/debian/patches/CVE-2021-26690.patch b/debian/patches/CVE-2021-26690.patch
new file mode 100644
index 00000000..5ceec1fd
--- /dev/null
+++ b/debian/patches/CVE-2021-26690.patch
@@ -0,0 +1,20 @@
+Description: <short summary of the patch>
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/67bd9bfe
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-26690
+Forwarded: not-needed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2021-06-10
+
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -405,8 +405,8 @@
+ char *plast = NULL;
+ const char *psep = "=";
+ char *key = apr_strtok(pair, psep, &plast);
+- char *val = apr_strtok(NULL, psep, &plast);
+ if (key && *key) {
++ char *val = apr_strtok(NULL, sep, &plast);
+ if (!val || !*val) {
+ apr_table_unset(z->entries, key);
+ }
diff --git a/debian/patches/CVE-2021-26691.patch b/debian/patches/CVE-2021-26691.patch
new file mode 100644
index 00000000..2d786b16
--- /dev/null
+++ b/debian/patches/CVE-2021-26691.patch
@@ -0,0 +1,18 @@
+Description: mod_session: account for the '&' in identity_concat().
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/7e09dd71
+Forwarded: not-needed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2021-06-10
+
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -318,7 +318,7 @@
+ static int identity_count(void *v, const char *key, const char *val)
+ {
+ int *count = v;
+- *count += strlen(key) * 3 + strlen(val) * 3 + 1;
++ *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+ return 1;
+ }
+
diff --git a/debian/patches/CVE-2021-30641.patch b/debian/patches/CVE-2021-30641.patch
new file mode 100644
index 00000000..7486e1b3
--- /dev/null
+++ b/debian/patches/CVE-2021-30641.patch
@@ -0,0 +1,50 @@
+Description: legacy default slash-matching behavior w/ 'MergeSlashes OFF'
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/eb986059
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
+Forwarded: not-needed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2021-06-10
+
+--- a/server/request.c
++++ b/server/request.c
+@@ -1419,7 +1419,20 @@
+
+ cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
+ cached = (cache->cached != NULL);
+- entry_uri = r->uri;
++
++ /*
++ * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
++ * have not been merged. But for Location walks we always go with merged
++ * slashes no matter what merge_slashes is set to.
++ */
++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
++ entry_uri = r->uri;
++ }
++ else {
++ char *uri = apr_pstrdup(r->pool, r->uri);
++ ap_no2slash(uri);
++ entry_uri = uri;
++ }
+
+ /* If we have an cache->cached location that matches r->uri,
+ * and the vhost's list of locations hasn't changed, we can skip
+@@ -1486,7 +1499,7 @@
+ pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
+ }
+
+- if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
++ if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
+ continue;
+ }
+
+@@ -1496,7 +1509,7 @@
+ apr_table_setn(r->subprocess_env,
+ ((const char **)entry_core->refs->elts)[i],
+ apr_pstrndup(r->pool,
+- entry_uri + pmatch[i].rm_so,
++ r->uri + pmatch[i].rm_so,
+ pmatch[i].rm_eo - pmatch[i].rm_so));
+ }
+ }
diff --git a/debian/patches/CVE-2021-31618.patch b/debian/patches/CVE-2021-31618.patch
new file mode 100644
index 00000000..12d59c8b
--- /dev/null
+++ b/debian/patches/CVE-2021-31618.patch
@@ -0,0 +1,20 @@
+Description: fix NULL pointer dereference on specially crafted HTTP/2 request
+Author: Upstream
+Origin: upstream, http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
+Bug-Debian: https://bugs.debian.org/989562
+Forwarded: not-needed
+Reviewed-By: Yadd <[email protected]>
+Last-Update: 2021-06-10
+
+--- a/modules/http2/h2_stream.c
++++ b/modules/http2/h2_stream.c
+@@ -638,7 +638,7 @@
+
+ static void set_error_response(h2_stream *stream, int http_status)
+ {
+- if (!h2_stream_is_ready(stream)) {
++ if (!h2_stream_is_ready(stream) && stream->rtmp) {
+ conn_rec *c = stream->session->c;
+ apr_bucket *b;
+ h2_headers *response;
diff --git a/debian/patches/series b/debian/patches/series
index 20bc4b61..8596c419 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,9 @@ tlsv13-add-logno.diff
 # This patch is applied manually
 #suexec-custom.patch
 spelling-errors.diff
+CVE-2021-31618.patch
+CVE-2021-30641.patch
+CVE-2021-26691.patch
+CVE-2021-26690.patch
+CVE-2020-35452.patch
+CVE-2020-13950.patch
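Review bot: The DEP-3 header of CVE-2021-31618.patch is written differently from the five sibling patches: it uses `Author: Upstream` where the others use `Author: Apache authors`, and its `Origin:` link is a plain `http://` viewvc URL while every other Origin in this series is `https://`. Aligning the Author value and switching the Origin to `https://svn.apache.org/viewvc/...` keeps the provenance metadata consistent and lets a later reviewer verify the backport against upstream over an authenticated channel. The patch body itself matches the description: the added `&& stream->rtmp` guard in set_error_response() stops the response being built when the stream has no request tmp headers; the rest of set_error_response() continues outside the hunk.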

