Re: [users@httpd] Patch request for Apache 2.4.x for the CVE-2016-4975

2018-11-05 Thread William A Rowe Jr
On Mon, Nov 5, 2018 at 1:25 AM Andrew Joshwa <4andrewjosh...@gmail.com>
wrote:

> Hi,
>
> Can anyone please help me to get the patch for the CVE-2016-4975.
>

Yes, http://www.apache.org/dist/httpd/, obtain and build the latest version
of 2.4.
Or if you want to avoid the TLS 1.3 enhancement, you may want to obtain 2.4.35
from http://archive.apache.org/dist/httpd/ (at minimum, 2.4.27, which corrects
shortcomings of the patch you note below.)


> I have found the below link for patch from internet.
> https://svn.apache.org/viewvc?view=revision=1772678
> However this contains many changes.
>

There were further changes. The branch of all changes you are asking for is:

https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict/

> Please let me know if we need to port all changes mentioned in above patch
> OR please let me know if specific revision can be ported to fix
> CVE-2016-4975
>

This particular CVE is easily addressed by a patch to encode the mod_userdir
inputs. Not using mod_userdir external redirects is equally simple and
similarly solves the issue. Avoiding mod_alias as well as mod_rewrite is quite
challenging.

Unfortunately this class of vulnerabilities could not be addressed in a
simple fix.

The entire patch is needed to protect the client / proxy / backend from
malicious input. We refactored the way request and response text was handled
to guard against this entire class of exploits.
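
An added illustration of "encode the mod_userdir inputs", not code from httpd or from this thread: a simplified model of a userdir-style external redirect that percent-encodes the user name and path so CR/LF or other control bytes cannot end the Location header early, plus a serializer that refuses control characters outright. The function names, the redirect pattern and the sample request path are assumptions made for the example.

```python
import re
from urllib.parse import quote

# Constructed sample: an already-decoded request path with CR/LF in the user part.
CONSTRUCTED_PATH = "/~bob\r\nX-Injected: 1/index.html"

_CTL = re.compile(r"[\x00-\x1f\x7f]")
_USERDIR = re.compile(r"/~([^/]+)(/.*)?", re.S)


def userdir_location(pattern, decoded_path):
    """Build the redirect target for /~user/rest; None if not a userdir URL.

    `pattern` models an external-redirect target such as
    http://www.example.org/users/* (hypothetical host).
    """
    m = _USERDIR.fullmatch(decoded_path)
    if m is None:
        return None
    # Encode everything outside the unreserved set in the user name,
    # and everything except "/" in the rest of the path.
    user = quote(m.group(1), safe="")
    rest = quote(m.group(2) or "", safe="/")
    if "*" in pattern:
        return pattern.replace("*", user, 1) + rest
    return pattern.rstrip("/") + "/" + user + rest


def header_line(name, value):
    """Serialize one response header, rejecting any control character."""
    if _CTL.search(name) or _CTL.search(value):
        raise ValueError("control character in header field")
    return f"{name}: {value}\r\n"


if __name__ == "__main__":
    loc = userdir_location("http://www.example.org/users/*", CONSTRUCTED_PATH)
    print(header_line("Location", loc), end="")
```

Encoding at the point where input becomes part of the redirect target and rejecting control characters when the header is written are two separate layers; the second still holds if a code path forgets the first.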


Re: [users@httpd] define variables by vhost only

2018-11-05 Thread Hajo Locke

Hello,

Thanks for your answer.

On 05.11.2018 at 14:00, Gillis J. de Nijs wrote:
> Alternatively, you can just put the AddHandler in the VirtualHost
> directly, and not bother with the .htaccess files.

Yes, I have a preconfigured AddHandler in the vhost which fits most
needs. These parts of the vhost configurations are created automatically by
our own customer menu. The AddHandler in the .htaccess file should help
people with some special requirements.
We moved from classic FastCGI to mod_proxy_fcgid, and we try to keep the
userspace configuration unchanged, but it seems to be impossible.
Maybe we should say goodbye to our former use of AddHandler to choose
PHP versions and only use the modern way. But it's not easy for
support people. It's harder to support uneven machines with mixed setups.
The use of "define" was our closest attempt, but it also seems to be off
the track.


On Mon, Nov 5, 2018 at 9:43 AM Hajo Locke wrote:


Hello List,

I am looking for a way to use Define to create variables limited to
vhosts (Apache 2.4).
Currently I have some vhosts and use this syntax:

define myvar mycontent.

The name of the variable is the same in all vhosts; "mycontent" is different
and vhost related. Later I use this variable in .htaccess files for users:

Addhandler ${myvar} .php

Unfortunately the Define directive defines the variable for the complete
server and not for the vhost only, so the content of "myvar" gets overwritten
with every following vhost config.
So if user A uses this variable, he sees the content of the variable created
in the vhost for user z.

Is there a possibility to use variables limited to a vhost that can be used
the same way in .htaccess files? I think SetEnv seems not suitable for this.

Thanks,
Hajo

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org

For additional commands, e-mail: users-h...@httpd.apache.org




Thanks,
Hajo


Re: [users@httpd] define variables by vhost only

2018-11-05 Thread Hajo Locke

Hello,

Thanks for your answer.

On 05.11.2018 at 13:54, David Spector wrote:
> Just in case it wasn't obvious, the message I just sent assumes that
> your server is managed by WHM/cPanel. If not, just use Include
> directives in your conf file.

Sorry, I don't understand. Is this a documented feature? Currently I use
multiple files for vhosts, but I don't see how it helps to reduce the
scope of variables created by the Define directive to a particular vhost only.




David Spector
Springtime Software





Thanks,
Hajo




Re: [users@httpd] define variables by vhost only

2018-11-05 Thread Gillis J. de Nijs
Alternatively, you can just put the AddHandler in the VirtualHost directly,
and not bother with the .htaccess files.

On Mon, Nov 5, 2018 at 9:43 AM Hajo Locke wrote:

> Hello List,
>
> I am looking for a way to use Define to create variables limited to
> vhosts (Apache 2.4).
> Currently I have some vhosts and use this syntax:
>
> define myvar mycontent.
>
> The name of the variable is the same in all vhosts; "mycontent" is different
> and vhost related. Later I use this variable in .htaccess files for users:
>
> Addhandler ${myvar} .php
>
> Unfortunately the Define directive defines the variable for the complete
> server and not for the vhost only, so the content of "myvar" gets overwritten
> with every following vhost config.
> So if user A uses this variable, he sees the content of the variable created
> in the vhost for user z.
>
> Is there a possibility to use variables limited to a vhost that can be used
> the same way in .htaccess files? I think SetEnv seems not suitable for this.
>
> Thanks,
> Hajo


Re: [users@httpd] define variables by vhost only

2018-11-05 Thread David Spector
Just in case it wasn't obvious, the message I just sent assumes that 
your server is managed by WHM/cPanel. If not, just use Include 
directives in your conf file.


David Spector
Springtime Software




Re: [users@httpd] define variables by vhost only

2018-11-05 Thread David Spector
Hajo, you can define variables or do any other configuration of Apache
just for virtual hosts by creating files for either of these special paths:


* For HTTPS, version 2.4:

/etc/apache2/conf.d/userdata/ssl/2_4/USER/DOMAIN/ANYNAME.conf

* For HTTP, version 2.4:

/etc/apache2/conf.d/userdata/std/2_4/USER/DOMAIN/ANYNAME.conf

For example:

/etc/apache2/conf.d/userdata/ssl/2_4/steve/example.com/vhost.conf

After creating your virtual host common config file, execute the 
following two commands:


* Rebuild the main config file:
/usr/local/cpanel/scripts/rebuildhttpdconf

* Restart the Apache server:
/usr/local/cpanel/scripts/restartsrv_httpd

I use this technique to configure a common read-only directory outside of
any document root that can be accessed by PHP or HTML from any virtual
host. Works perfectly on my CentOS server as well as my local Windows
development server, where my configuration is Included in each virtual
host explicitly.


David Spector
Springtime Software

On 11/5/2018 3:43 AM, Hajo Locke wrote:

Hello List,

I am looking for a way to use Define to create variables limited to
vhosts (Apache 2.4).

Currently I have some vhosts and use this syntax:

define myvar mycontent.

The name of the variable is the same in all vhosts; "mycontent" is different
and vhost related. Later I use this variable in .htaccess files for users:

Addhandler ${myvar} .php

Unfortunately the Define directive defines the variable for the complete
server and not for the vhost only, so the content of "myvar" gets overwritten
with every following vhost config.
So if user A uses this variable, he sees the content of the variable created
in the vhost for user z.

Is there a possibility to use variables limited to a vhost that can be used
the same way in .htaccess files? I think SetEnv seems not suitable for this.


Thanks,
Hajo




[users@httpd] define variables by vhost only

2018-11-05 Thread Hajo Locke

Hello List,

I am looking for a way to use Define to create variables limited to
vhosts (Apache 2.4).

Currently I have some vhosts and use this syntax:

define myvar mycontent.

The name of the variable is the same in all vhosts; "mycontent" is different
and vhost related. Later I use this variable in .htaccess files for users:

Addhandler ${myvar} .php

Unfortunately the Define directive defines the variable for the complete
server and not for the vhost only, so the content of "myvar" gets overwritten
with every following vhost config.
So if user A uses this variable, he sees the content of the variable created
in the vhost for user z.

Is there a possibility to use variables limited to a vhost that can be used
the same way in .htaccess files? I think SetEnv seems not suitable for this.


Thanks,
Hajo
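
An added example, not part of the original post or of httpd: a small configuration check for the situation described above, where the same Define name is set to different values in several vhosts and a later vhost's value replaces an earlier one for the whole server. The function name, the sample configuration and its handler names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two tenants reuse the same variable name.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName a.example
    Define myvar php72-fcgi
</VirtualHost>
<VirtualHost *:80>
    Define myvar php56-fcgi
    ServerName z.example
</VirtualHost>
"""


def colliding_defines(conf_text):
    """Return {name: [(scope, value), ...]} for Define names set to
    more than one distinct value, in the order they were parsed."""
    seen = defaultdict(list)
    scope, pending = "server", None  # pending: Defines of the open vhost
    for raw in conf_text.splitlines():
        line = raw.strip()
        if re.match(r"(?i)<VirtualHost\b", line):
            scope, pending = "unnamed vhost", []
        elif re.match(r"(?i)</VirtualHost>", line):
            # Label the vhost's Defines once its ServerName is known.
            for name, value in pending or []:
                seen[name].append((scope, value))
            scope, pending = "server", None
        elif pending is not None and (m := re.match(r"(?i)ServerName\s+(\S+)", line)):
            scope = m.group(1)
        elif m := re.match(r"(?i)Define\s+(\S+)(?:\s+(.+))?$", line):
            entry = (m.group(1), (m.group(2) or "").strip('"'))
            if pending is None:
                seen[entry[0]].append((scope, entry[1]))
            else:
                pending.append(entry)
    return {n: d for n, d in seen.items() if len({v for _, v in d}) > 1}


if __name__ == "__main__":
    for name, defs in colliding_defines(SAMPLE_CONF).items():
        print(f"{name}: set in {[s for s, _ in defs]}; "
              f"value from {defs[-1][0]} is the one left in effect")
```

On a shared host, every name this reports is a place where one customer's .htaccess can pick up a value that was written for another customer's vhost.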
