Accepting request 260263 from home:kstreitova:branches:Apache

- added httpd-2.4.10-check_null_pointer_dereference.patch to avoid a crash when Content-Type has an empty value [bnc#899836], CVE-2014-3581 OBS-URL: https://build.opensuse.org/request/show/260263 OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=418
2014-11-07 16:56:25 +00:00 · 2014-11-07 16:56:25 +00:00 · 951efc68a1
commit 951efc68a1
parent a751749ac2
3 changed files with 41 additions and 0 deletions
--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Nov  7 15:52:47 UTC 2014 - kstreitova@suse.com
+
+- added httpd-2.4.10-check_null_pointer_dereference.patch to avoid
+  a crash when Content-Type has an empty value [bnc#899836], 
+  CVE-2014-3581
+
 -------------------------------------------------------------------
 Fri Oct 31 16:04:15 UTC 2014 - crrodriguez@opensuse.org

--- a/apache2.spec
+++ b/apache2.spec
@ -164,6 +164,8 @@ Patch71:        httpd-event-deadlock.patch
 # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration.
 Patch109:       httpd-2.4.3-mod_systemd.patch
 Patch111:       httpd-visibility.patch
+# PATCH-FIX-UPSTREAM bnc#899836 kstreitova@suse.com -- avoid a crash when Content-Type has an empty value
+Patch112:       httpd-2.4.10-check_null_pointer_dereference.patch
 Url:            http://httpd.apache.org/
 Icon:           Apache.xpm
 Summary:        The Apache Web Server Version 2.4
@ -343,6 +345,7 @@ to administrators of web servers in general.
 #%patch108 -p1
 %patch109 -p1
 %patch111 -p1
+%patch112 -p1
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 # install READMEs
 a=$(basename %{S:22})
--- a/httpd-2.4.10-check_null_pointer_dereference.patch
+++ b/httpd-2.4.10-check_null_pointer_dereference.patch
@ -0,0 +1,31 @@
+Index: httpd-2.4.10/CHANGES
+===================================================================
+--- httpd-2.4.10.orig/CHANGES
+++ httpd-2.4.10/CHANGES
+@@ -1,6 +1,9 @@
+                                                          -*- coding: utf-8 -*-
+ 
+ Changes with Apache 2.4.10
+  *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+     mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
+     [Mark Montague <mark catseye.org>, Jan Kaluza]
+ 
+   *) SECURITY: CVE-2014-0117 (cve.mitre.org)
+      mod_proxy: Fix crash in Connection header handling which 
+Index: httpd-2.4.10/modules/cache/cache_util.c
+===================================================================
+--- httpd-2.4.10.orig/modules/cache/cache_util.c
+++ httpd-2.4.10/modules/cache/cache_util.c
+@@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
+ 
+     if (r->content_type
+             && !apr_table_get(headers_out, "Content-Type")) {
+-        apr_table_setn(headers_out, "Content-Type",
+-                       ap_make_content_type(r, r->content_type));
+        const char *ctype = ap_make_content_type(r, r->content_type);
+        if (ctype) {
+			apr_table_setn(headers_out, "Content-Type", ctype);
+		}
+     }
+ 
+     if (r->content_encoding