diff --git a/apache2-mod_cache-CVE-2007-1863.patch b/apache2-mod_cache-CVE-2007-1863.patch
new file mode 100644
index 0000000..09c5c0a
--- /dev/null
+++ b/apache2-mod_cache-CVE-2007-1863.patch
@@ -0,0 +1,89 @@
+Index: modules/cache/cache_util.c
+================================================================================
+--- CHANGES
++++ CHANGES
+@@ -1,6 +1,10 @@
+ -*- coding: utf-8 -*-
+ Changes with Apache 2.2.3
+
++ *) SECURITY: CVE-2007-1863 (cve.mitre.org)
++ mod_cache: Prevent segmentation fault if a Cache-Control header has
++ no value [Niklas Edmundsson]
++
+ *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+ mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+ handling. For some RewriteRules this could lead to a pointer being
+--- modules/cache/cache_util.c
++++ modules/cache/cache_util.c
+@@ -231,7 +231,8 @@
+ age = ap_cache_current_age(info, age_c, r->request_time);
+
+ /* extract s-maxage */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
++ && val != NULL) {
+ smaxage = apr_atoi64(val);
+ }
+ else {
+@@ -240,7 +241,8 @@
+
+ /* extract max-age from request */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
++ && val != NULL) {
+ maxage_req = apr_atoi64(val);
+ }
+ else {
+@@ -248,7 +250,8 @@
+ }
+
+ /* extract max-age from response */
+- if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
++ if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
++ && val != NULL) {
+ maxage_cresp = apr_atoi64(val);
+ }
+ else {
+@@ -270,7 +273,20 @@
+
+ /* extract max-stale */
+ if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
+- maxstale = apr_atoi64(val);
++ if(val != NULL) {
++ maxstale = apr_atoi64(val);
++ }
++ else {
++ /*
++ * If no value is assigned to max-stale, then the client is willing
++ * to accept a stale response of any age (RFC2616 14.9.3). We will
++ * set it to one year in this case as this situation is somewhat
++ * similar to a "never expires" Expires header (RFC2616 14.21)
++ * which is set to a date one year from the time the response is
++ * sent in this case.
++ */
++ maxstale = APR_INT64_C(86400*365);
++ }
+ }
+ else {
+ maxstale = 0;
+@@ -278,7 +294,8 @@
+
+ /* extract min-fresh */
+ if (!conf->ignorecachecontrol
+- && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
++ && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
++ && val != NULL) {
+ minfresh = apr_atoi64(val);
+ }
+ else {
+@@ -407,6 +424,9 @@
+ next - val_start);
+ }
+ }
++ else {
++ *val = NULL;
++ }
+ }
+ return 1;
+ }
diff --git a/apache2-mod_status-CVE-2006-5752.patch b/apache2-mod_status-CVE-2006-5752.patch
new file mode 100644
index 0000000..4227cf0
--- /dev/null
+++ b/apache2-mod_status-CVE-2006-5752.patch
@@ -0,0 +1,40 @@
+--- modules/generators/mod_status.c 2007/06/20 17:22:08 549158
++++ modules/generators/mod_status.c 2007/06/20 17:29:24 549159
+@@ -270,7 +270,7 @@
+ if (r->method_number != M_GET)
+ return DECLINED;
+
+- ap_set_content_type(r, "text/html");
++ ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+
+ /*
+ * Simple table-driven form data set parser that lets you alter the header
+@@ -299,7 +299,7 @@
+ no_table_report = 1;
+ break;
+ case STAT_OPT_AUTO:
+- ap_set_content_type(r, "text/plain");
++ ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+ short_report = 1;
+ break;
+ }
+@@ -673,7 +673,8 @@
+ ap_escape_html(r->pool,
+ ws_record->client),
+ ap_escape_html(r->pool,
+- ws_record->request),
++ ap_escape_logitem(r->pool,
++ ws_record->request)),
+ ap_escape_html(r->pool,
+ ws_record->vhost));
+ }
+@@ -763,7 +764,8 @@
+ ap_escape_html(r->pool,
+ ws_record->vhost),
+ ap_escape_html(r->pool,
+- ws_record->request));
++ ap_escape_logitem(r->pool,
++ ws_record->request)));
+ } /* no_table_report */
+ } /* for (j...) */
+ } /* for (i...) */
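Review bot: The `else { *val = NULL; }` added by the inner hunk `@@ -407,6 +424,9 @@` is what every new `&& val != NULL` guard in the earlier hunks relies on, and ap_cache_liststr's start and end lie outside the hunk, so it is worth confirming that no other path returning 1 leaves *val unassigned and that any ap_cache_liststr caller not touched by this patch also checks val before apr_atoi64. In the max-stale branch, `maxstale = APR_INT64_C(86400*365);` only works because the macro pastes its suffix onto the last token of the argument; `maxstale = APR_INT64_C(86400) * 365;` states the intent without depending on that, and `if(val != NULL)` should read `if (val != NULL)` to match the surrounding style. The CHANGES hunk carries context from `Changes with Apache 2.2.3` while the spec builds 2.2.4, so `%patch152 -p0` presumably applies it at an offset into the older section; harmless if so, but worth a glance at the build log.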
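Review bot: In the inner hunks at 673 and 763 only `ws_record->request` gains the ap_escape_logitem pass before ap_escape_html, while `ws_record->client` and `ws_record->vhost` on the adjacent lines are still only html-escaped. Whether those two can carry the same raw bytes as the request line is not visible here; if they can, they warrant the same treatment, and a comment such as `/* request line is client-controlled: escape control bytes, then HTML */` at the first site would record why request is special-cased. The `charset=ISO-8859-1` added to both content types is the companion mitigation (it stops the browser from inferring another encoding from the page bytes) and should stay paired with the escaping if either content type is edited later.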
diff --git a/apache2.changes b/apache2.changes
index dfdd7f1..64a3a36 100644
--- a/apache2.changes
+++ b/apache2.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Aug 23 11:27:19 CEST 2007 - mskibbe@suse.de
+
+- Bug 289996 - VUL-0: mod_status XSS in public server status page
+- Bug 289997 - VUL-0: apache2: mod_cache remote denial of service
+
 -------------------------------------------------------------------
 Wed Jul 18 16:04:05 CEST 2007 - skh@suse.de
diff --git a/apache2.spec b/apache2.spec
index 3d42542..5553ce2 100644
--- a/apache2.spec
+++ b/apache2.spec
@@ -55,7 +55,7 @@ License: The Apache Software License
 Group: Productivity/Networking/Web/Servers
 %define realver 2.2.4
 Version: 2.2.4
-Release: 44
+Release: 57
 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
 Source10: SUSE-NOTICE
@@ -110,6 +110,8 @@ Patch67: httpd-2.2.0-apxs-a2enmod.dif
 Patch68: httpd-2.2.3-AddDirectoryIndexCharset.patch
 Patch69: httpd-2.2.x.doublefree.patch
 Patch150: mod_dbd.c-issue18989-autoconnect.dif
+Patch151: apache2-mod_status-CVE-2006-5752.patch
+Patch152: apache2-mod_cache-CVE-2007-1863.patch
 URL: http://httpd.apache.org/
 Icon: Apache.xpm
 Summary: The Apache Web Server Version 2.0
@@ -321,6 +323,8 @@ Authors:
 %patch67 -p1
 %patch68 -p1
 %patch69 -p0
+%patch151 -p0
+%patch152 -p0
 cp -p %{S:150} modules/database/mod_dbd.c
 #%patch150 -p0
 #
@@ -1056,6 +1060,9 @@ if ! test -f /.buildenv; then
 fi
 %changelog
+* Thu Aug 23 2007 - mskibbe@suse.de
+- Bug 289996 - VUL-0: mod_status XSS in public server status page
+- Bug 289997 - VUL-0: apache2: mod_cache remote denial of service
 * Wed Jul 18 2007 - skh@suse.de
 - split off apache2-utils subpackage, containing all helper tools that are
 useful for system administrators in general (b.n.c. #272292 and