pool/apache2
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 260263 from home:kstreitova:branches:Apache

Browse Source 
- added httpd-2.4.10-check_null_pointer_dereference.patch to avoid
  a crash when Content-Type has an empty value [bnc#899836], 
  CVE-2014-3581

OBS-URL: https://build.opensuse.org/request/show/260263
OBS-URL: https://build.opensuse.org/package/show/Apache/apache2?expand=0&rev=418
This commit is contained in:
Roman Drahtmueller 2014-11-07 16:56:25 +00:00 committed by Git OBS Bridge
parent a751749ac2
commit 951efc68a1
3 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
apache2.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Fri Nov 7 15:52:47 UTC 2014 - kstreitova@suse.com
- added httpd-2.4.10-check_null_pointer_dereference.patch to avoid
a crash when Content-Type has an empty value [bnc#899836],
CVE-2014-3581
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Oct 31 16:04:15 UTC 2014 - crrodriguez@opensuse.org Fri Oct 31 16:04:15 UTC 2014 - crrodriguez@opensuse.org

3
apache2.spec
View File

@ -164,6 +164,8 @@ Patch71: httpd-event-deadlock.patch
# PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration. # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration.
Patch109: httpd-2.4.3-mod_systemd.patch Patch109: httpd-2.4.3-mod_systemd.patch
Patch111: httpd-visibility.patch Patch111: httpd-visibility.patch
# PATCH-FIX-UPSTREAM bnc#899836 kstreitova@suse.com -- avoid a crash when Content-Type has an empty value
Patch112: httpd-2.4.10-check_null_pointer_dereference.patch
Url: http://httpd.apache.org/ Url: http://httpd.apache.org/
Icon: Apache.xpm Icon: Apache.xpm
Summary: The Apache Web Server Version 2.4 Summary: The Apache Web Server Version 2.4
@ -343,6 +345,7 @@ to administrators of web servers in general.
#%patch108 -p1 #%patch108 -p1
%patch109 -p1 %patch109 -p1
%patch111 -p1 %patch111 -p1
%patch112 -p1
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
# install READMEs # install READMEs
a=$(basename %{S:22}) a=$(basename %{S:22})

31
httpd-2.4.10-check_null_pointer_dereference.patch Normal file
View File

@ -0,0 +1,31 @@
Index: httpd-2.4.10/CHANGES
===================================================================
--- httpd-2.4.10.orig/CHANGES
+++ httpd-2.4.10/CHANGES
@@ -1,6 +1,9 @@
-*- coding: utf-8 -*-
Changes with Apache 2.4.10
+ *) SECURITY: CVE-2014-3581 (cve.mitre.org)
+ mod_cache: Avoid a crash when Content-Type has an empty value. PR56924.
+ [Mark Montague <mark catseye.org>, Jan Kaluza]
*) SECURITY: CVE-2014-0117 (cve.mitre.org)
mod_proxy: Fix crash in Connection header handling which
Index: httpd-2.4.10/modules/cache/cache_util.c
===================================================================
--- httpd-2.4.10.orig/modules/cache/cache_util.c
+++ httpd-2.4.10/modules/cache/cache_util.c
@@ -1258,8 +1258,10 @@ apr_table_t *cache_merge_headers_out(req
if (r->content_type
&& !apr_table_get(headers_out, "Content-Type")) {
- apr_table_setn(headers_out, "Content-Type",
- ap_make_content_type(r, r->content_type));
+ const char *ctype = ap_make_content_type(r, r->content_type);
+ if (ctype) {
+ apr_table_setn(headers_out, "Content-Type", ctype);
+ }
}
if (r->content_encoding