Accepting request 35087 from Apache

Copy from Apache/apache2 based on submit request 35087 from user coolo

OBS-URL: https://build.opensuse.org/request/show/35087
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=39
This commit is contained in:
OBS User autobuild 2010-03-19 07:32:34 +00:00 committed by Git OBS Bridge
parent e45b1ed9bb
commit 3695159c7d
6 changed files with 112 additions and 310 deletions

View File

@ -1,300 +0,0 @@
SECURITY: CVE-2009-3555 (cve.mitre.org)
A partial fix for the TLS renegotiation prefix injection attack by
rejecting any client-initiated renegotiations. Any configuration
which requires renegotiation for per-directory/location access
control is still vulnerable, unless using OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem]
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 833621)
+++ modules/ssl/ssl_private.h (revision 833622)
@@ -356,6 +356,20 @@
int is_proxy;
int disabled;
int non_ssl_request;
+
+ /* Track the handshake/renegotiation state for the connection so
+ * that all client-initiated renegotiations can be rejected, as a
+ * partial fix for CVE-2009-3555. */
+ enum {
+ RENEG_INIT = 0, /* Before initial handshake */
+ RENEG_REJECT, /* After initial handshake; any client-initiated
+ * renegotiation should be rejected */
+ RENEG_ALLOW, /* A server-initated renegotiation is taking
+ * place (as dictated by configuration) */
+ RENEG_ABORT /* Renegotiation initiated by client, abort the
+ * connection */
+ } reneg_state;
+
server_rec *server;
} SSLConnRec;
@@ -574,7 +588,7 @@
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
#ifndef OPENSSL_NO_TLSEXT
int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 833621)
+++ modules/ssl/ssl_engine_init.c (revision 833622)
@@ -501,10 +501,7 @@
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
- if (s->loglevel >= APLOG_DEBUG) {
- /* this callback only logs if LogLevel >= info */
- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
- }
+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
}
static void ssl_init_ctx_verify(server_rec *s,
Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c (revision 833621)
+++ modules/ssl/ssl_engine_io.c (revision 833622)
@@ -103,6 +103,7 @@
ap_filter_t *pInputFilter;
ap_filter_t *pOutputFilter;
int nobuffer; /* non-zero to prevent buffering */
+ SSLConnRec *config;
} ssl_filter_ctx_t;
typedef struct {
@@ -193,7 +194,13 @@
static int bio_filter_out_write(BIO *bio, const char *in, int inl)
{
bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
-
+
+ /* Abort early if the client has initiated a renegotiation. */
+ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
+ outctx->rc = APR_ECONNABORTED;
+ return -1;
+ }
+
/* when handshaking we'll have a small number of bytes.
* max size SSL will pass us here is about 16k.
* (16413 bytes to be exact)
@@ -466,6 +473,12 @@
if (!in)
return 0;
+ /* Abort early if the client has initiated a renegotiation. */
+ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
+ inctx->rc = APR_ECONNABORTED;
+ return -1;
+ }
+
/* XXX: flush here only required for SSLv2;
* OpenSSL calls BIO_flush() at the appropriate times for
* the other protocols.
@@ -1724,6 +1737,8 @@
filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
+ filter_ctx->config = myConnConfig(c);
+
filter_ctx->nobuffer = 0;
filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
filter_ctx, NULL, c);
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c (revision 833621)
+++ modules/ssl/ssl_engine_kernel.c (revision 833622)
@@ -729,6 +729,10 @@
(unsigned char *)&id,
sizeof(id));
+ /* Toggle the renegotiation state to allow the new
+ * handshake to proceed. */
+ sslconn->reneg_state = RENEG_ALLOW;
+
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
@@ -750,6 +754,8 @@
SSL_set_state(ssl, SSL_ST_ACCEPT);
SSL_do_handshake(ssl);
+ sslconn->reneg_state = RENEG_REJECT;
+
if (SSL_get_state(ssl) != SSL_ST_OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Re-negotiation handshake failed: "
@@ -1844,76 +1850,55 @@
return;
}
-/*
- * This callback function is executed while OpenSSL processes the
- * SSL handshake and does SSL record layer stuff. We use it to
- * trace OpenSSL's processing in out SSL logfile.
- */
-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
+/* Dump debugginfo trace to the log file. */
+static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c,
+ server_rec *s, int where, int rc)
{
- conn_rec *c;
- server_rec *s;
- SSLSrvConfigRec *sc;
-
/*
- * find corresponding server
+ * create the various trace messages
*/
- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
- return;
+ if (where & SSL_CB_HANDSHAKE_START) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Handshake: start", SSL_LIBRARY_NAME);
}
-
- s = mySrvFromConn(c);
- if (!(sc = mySrvConfig(s))) {
- return;
+ else if (where & SSL_CB_HANDSHAKE_DONE) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Handshake: done", SSL_LIBRARY_NAME);
}
-
- /*
- * create the various trace messages
- */
- if (s->loglevel >= APLOG_DEBUG) {
- if (where & SSL_CB_HANDSHAKE_START) {
+ else if (where & SSL_CB_LOOP) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Loop: %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+ else if (where & SSL_CB_READ) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Read: %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+ else if (where & SSL_CB_WRITE) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Write: %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+ else if (where & SSL_CB_ALERT) {
+ char *str = (where & SSL_CB_READ) ? "read" : "write";
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Alert: %s:%s:%s",
+ SSL_LIBRARY_NAME, str,
+ SSL_alert_type_string_long(rc),
+ SSL_alert_desc_string_long(rc));
+ }
+ else if (where & SSL_CB_EXIT) {
+ if (rc == 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Handshake: start", SSL_LIBRARY_NAME);
- }
- else if (where & SSL_CB_HANDSHAKE_DONE) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Handshake: done", SSL_LIBRARY_NAME);
- }
- else if (where & SSL_CB_LOOP) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Loop: %s",
+ "%s: Exit: failed in %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
- else if (where & SSL_CB_READ) {
+ else if (rc < 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Read: %s",
+ "%s: Exit: error in %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
- else if (where & SSL_CB_WRITE) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Write: %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
- else if (where & SSL_CB_ALERT) {
- char *str = (where & SSL_CB_READ) ? "read" : "write";
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Alert: %s:%s:%s",
- SSL_LIBRARY_NAME, str,
- SSL_alert_type_string_long(rc),
- SSL_alert_desc_string_long(rc));
- }
- else if (where & SSL_CB_EXIT) {
- if (rc == 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Exit: failed in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
- else if (rc < 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Exit: error in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
- }
}
/*
@@ -1933,6 +1918,52 @@
}
}
+/*
+ * This callback function is executed while OpenSSL processes the SSL
+ * handshake and does SSL record layer stuff. It's used to trap
+ * client-initiated renegotiations, and for dumping everything to the
+ * log.
+ */
+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
+{
+ conn_rec *c;
+ server_rec *s;
+ SSLConnRec *scr;
+
+ /* Retrieve the conn_rec and the associated SSLConnRec. */
+ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
+ return;
+ }
+
+ if ((scr = myConnConfig(c)) == NULL) {
+ return;
+ }
+
+ /* If the reneg state is to reject renegotiations, check the SSL
+ * state machine and move to ABORT if a Client Hello is being
+ * read. */
+ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
+ int state = SSL_get_state(ssl);
+
+ if (state == SSL3_ST_SR_CLNT_HELLO_A
+ || state == SSL23_ST_SR_CLNT_HELLO_A) {
+ scr->reneg_state = RENEG_ABORT;
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+ "rejecting client initiated renegotiation");
+ }
+ }
+ /* If the first handshake is complete, change state to reject any
+ * subsequent client-initated renegotiation. */
+ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
+ scr->reneg_state = RENEG_REJECT;
+ }
+
+ s = mySrvFromConn(c);
+ if (s && s->loglevel >= APLOG_DEBUG) {
+ log_tracing_state(ssl, c, s, where, rc);
+ }
+}
+
#ifndef OPENSSL_NO_TLSEXT
/*
* This callback function is executed when OpenSSL encounters an extended

View File

@ -1,3 +1,106 @@
-------------------------------------------------------------------
Mon Mar 8 12:34:18 UTC 2010 - poeml@cmdline.net
- update to 2.2.15:
SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection
attack when compiled against OpenSSL version 0.9.8m or later. Introduces
the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and
offer unsafe legacy renegotiation with clients which do not yet support
the new secure renegotiation protocol, RFC 5746.
SECURITY: CVE-2009-3555 (cve.mitre.org)
mod_ssl: A partial fix for the TLS renegotiation prefix injection attack
by rejecting any client-initiated renegotiations. Forcibly disable
keepalive for the connection if there is any buffered data readable. Any
configuration which requires renegotiation for per-directory/location
access control is still vulnerable, unless using OpenSSL >= 0.9.8l.
SECURITY: CVE-2010-0408 (cve.mitre.org)
mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent
when request headers indicate a request body is incoming; not a case of
HTTP_INTERNAL_SERVER_ERROR.
SECURITY: CVE-2010-0425 (cve.mitre.org)
mod_isapi: Do not unload an isapi .dll module until the request processing
is completed, avoiding orphaned callback pointers.
SECURITY: CVE-2010-0434 (cve.mitre.org)
Ensure each subrequest has a shallow copy of headers_in so that the parent
request headers are not corrupted. Elimiates a problematic optimization
in the case of no request body. PR 48359
mod_reqtimeout:
- New module to set timeouts and minimum data rates for receiving requests
from the client.
core:
- Fix potential memory leaks by making sure to not destroy bucket brigades
that have been created by earlier filters.
- Return APR_EOF if request body is shorter than the length announced by the
client. PR 33098
- Preserve Port information over internal redirects PR 35999
- Build: fix --with-module to work as documented PR 43881
worker:
- Don't report server has reached MaxClients until it has. Add message when
server gets within MinSpareThreads of MaxClients. PR 46996.
ab, mod_ssl:
- Restore compatibility with OpenSSL < 0.9.7g.
mod_authnz_ldap:
- Add AuthLDAPBindAuthoritative to allow Authentication to try other
providers in the case of an LDAP bind failure. PR 46608
- Failures to map a username to a DN, or to check a user password now result
in an informational level log entry instead of warning level.
mod_cache:
- Introduce the thundering herd lock, a mechanism to keep the flood of
requests at bay that strike a backend webserver as a cached entity goes
stale.
- correctly consider s-maxage in cacheability decisions.
mod_disk_cache, mod_mem_cache:
- don't cache incomplete responses, per RFC 2616, 13.8. PR15866.
mod_charset_lite:
- Honor 'CharsetOptions NoImplicitAdd'.
mod_filter:
- fix FilterProvider matching where "dispatch" string doesn't exist. PR 48054
mod_include:
- Allow fine control over the removal of Last-Modified and ETag headers
within the INCLUDES filter, making it possible to cache responses if
desired. Fix the default value of the SSIAccessEnable directive.
mod_ldap:
- If LDAPSharedCacheSize is too small, try harder to purge some cache
entries and log a warning. Also increase the default LDAPSharedCacheSize
to 500000. This is a more realistic size suitable for the default values
of 1024 for LdapCacheEntries/LdapOpCacheEntries. PR 46749.
mod_log_config:
- Add the R option to log the handler used within the request.
mod_mime:
- Make RemoveType override the info from TypesConfig. PR 38330.
- Detect invalid use of MultiviewsMatch inside Location and LocationMatch
sections. PR 47754.
mod_negotiation:
- Preserve query string over multiviews negotiation. This buglet was fixed
for type maps in 2.2.6, but the same issue affected multiviews and was
overlooked. PR 33112
mod_proxy:
- unable to connect to a backend is SERVICE_UNAVAILABLE, rather than
BAD_GATEWAY or (especially) NOT_FOUND. PR 46971
mod_proxy, mod_proxy_http:
- Support remote https proxies by using HTTP CONNECT. PR 19188.
mod_proxy_http:
- Make sure that when an ErrorDocument is served from a reverse proxied URL,
that the subrequest respects the status of the original request. This
brings the behaviour of proxy_handler in line with default_handler. PR
47106.
mod_proxy_ajp:
- Really regard the operation a success, when the client aborted the
connection. In addition adjust the log message if the client aborted the
connection.
mod_rewrite:
- Make sure that a hostname:port isn't fully qualified if the request is a
CONNECT request. PR 47928
- Add scgi scheme detection.
mod_ssl:
- Fix a potential I/O hang if a long list of trusted CAs is configured for
client cert auth. PR 46952.
- When extracting certificate subject/issuer names to the SSL_*_DN_*
variables, handle RDNs with duplicate tags by exporting multiple
varialables with an "_n" integer suffix. PR 45875.
- obsolete patch CVE-2009-3555-2.2.patch removed
-------------------------------------------------------------------
Fri Mar 5 09:29:10 UTC 2010 - coolo@novell.com

View File

@ -1,5 +1,5 @@
#
# spec file for package apache2 (Version 2.2.14)
# spec file for package apache2 (Version 2.2.15)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -62,9 +62,9 @@ BuildRequires: expat-devel
%define platform_string Linux/%VENDOR
License: ASLv..
Group: Productivity/Networking/Web/Servers
%define realver 2.2.14
Version: 2.2.14
Release: 2
%define realver 2.2.15
Version: 2.2.15
Release: 1
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
Source10: SUSE-NOTICE
@ -112,7 +112,6 @@ Source131: apache2-vhost-ssl.template
Source140: apache2-check_forensic
Source141: apache-20-22-upgrade
Patch2: httpd-2.1.3alpha-layout.dif
Patch10: CVE-2009-3555-2.2.patch
Patch23: httpd-2.1.9-apachectl.dif
Patch65: httpd-2.0.49-log_server_status.dif
Patch66: httpd-2.0.54-envvars.dif
@ -381,7 +380,6 @@ Authors:
#
%setup -q -n httpd-%{realver}
%patch2 -p1
%patch10 -p0
%patch23 -p1
%patch65 -p1
%patch66 -p1

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b2deab8a5e797fde7a04fb4a5ebfa9c80f767d064dd19dcd2857c94838ae3ac6
size 5147171

3
httpd-2.2.15.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:5ae0c428e7abd87eecbac8564d90a7182104325bae7086c21db7b3a1e3140ca7
size 4959582

View File

@ -6,7 +6,8 @@
# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
#
# Authors: Rolf Haberrecker <apache@suse.de>, 2001
# Peter Poeml <apache@suse.de>, 2002, 2003, 2004, 2005, 2006, 2007, 2008
# Peter Poeml <apache@suse.de>, 2002, 2003, 2004, 2005, 2006, 2007,
# 2008, 2009, 2010
#
#
# /etc/init.d/apache2