pool/apache2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 28986 from Apache

Browse Source 
Copy from Apache/apache2 based on submit request 28986 from user coolo

OBS-URL: https://build.opensuse.org/request/show/28986
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=36
This commit is contained in:
OBS User autobuild 2010-01-14 15:54:32 +00:00 committed by Git OBS Bridge
parent 8169321f49
commit ef59fd240e
5 changed files with 366 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

300
CVE-2009-3555-2.2.patch Normal file
View File

@ -0,0 +1,300 @@
SECURITY: CVE-2009-3555 (cve.mitre.org)
A partial fix for the TLS renegotiation prefix injection attack by
rejecting any client-initiated renegotiations. Any configuration
which requires renegotiation for per-directory/location access
control is still vulnerable, unless using OpenSSL >= 0.9.8l.
[Joe Orton, Ruediger Pluem]
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 833621)
+++ modules/ssl/ssl_private.h (revision 833622)
@@ -356,6 +356,20 @@
int is_proxy;
int disabled;
int non_ssl_request;
+
+ /* Track the handshake/renegotiation state for the connection so
+ * that all client-initiated renegotiations can be rejected, as a
+ * partial fix for CVE-2009-3555. */
+ enum {
+ RENEG_INIT = 0, /* Before initial handshake */
+ RENEG_REJECT, /* After initial handshake; any client-initiated
+ * renegotiation should be rejected */
+ RENEG_ALLOW, /* A server-initated renegotiation is taking
+ * place (as dictated by configuration) */
+ RENEG_ABORT /* Renegotiation initiated by client, abort the
+ * connection */
+ } reneg_state;
+
server_rec *server;
} SSLConnRec;
@@ -574,7 +588,7 @@
int ssl_callback_NewSessionCacheEntry(SSL *, SSL_SESSION *);
SSL_SESSION *ssl_callback_GetSessionCacheEntry(SSL *, unsigned char *, int, int *);
void ssl_callback_DelSessionCacheEntry(SSL_CTX *, SSL_SESSION *);
-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE, int, int);
+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE, int, int);
#ifndef OPENSSL_NO_TLSEXT
int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 833621)
+++ modules/ssl/ssl_engine_init.c (revision 833622)
@@ -501,10 +501,7 @@
SSL_CTX_set_tmp_rsa_callback(ctx, ssl_callback_TmpRSA);
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
- if (s->loglevel >= APLOG_DEBUG) {
- /* this callback only logs if LogLevel >= info */
- SSL_CTX_set_info_callback(ctx, ssl_callback_LogTracingState);
- }
+ SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
}
static void ssl_init_ctx_verify(server_rec *s,
Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c (revision 833621)
+++ modules/ssl/ssl_engine_io.c (revision 833622)
@@ -103,6 +103,7 @@
ap_filter_t *pInputFilter;
ap_filter_t *pOutputFilter;
int nobuffer; /* non-zero to prevent buffering */
+ SSLConnRec *config;
} ssl_filter_ctx_t;
typedef struct {
@@ -193,7 +194,13 @@
static int bio_filter_out_write(BIO *bio, const char *in, int inl)
{
bio_filter_out_ctx_t *outctx = (bio_filter_out_ctx_t *)(bio->ptr);
-
+
+ /* Abort early if the client has initiated a renegotiation. */
+ if (outctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
+ outctx->rc = APR_ECONNABORTED;
+ return -1;
+ }
+
/* when handshaking we'll have a small number of bytes.
* max size SSL will pass us here is about 16k.
* (16413 bytes to be exact)
@@ -466,6 +473,12 @@
if (!in)
return 0;
+ /* Abort early if the client has initiated a renegotiation. */
+ if (inctx->filter_ctx->config->reneg_state == RENEG_ABORT) {
+ inctx->rc = APR_ECONNABORTED;
+ return -1;
+ }
+
/* XXX: flush here only required for SSLv2;
* OpenSSL calls BIO_flush() at the appropriate times for
* the other protocols.
@@ -1724,6 +1737,8 @@
filter_ctx = apr_palloc(c->pool, sizeof(ssl_filter_ctx_t));
+ filter_ctx->config = myConnConfig(c);
+
filter_ctx->nobuffer = 0;
filter_ctx->pOutputFilter = ap_add_output_filter(ssl_io_filter,
filter_ctx, NULL, c);
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c (revision 833621)
+++ modules/ssl/ssl_engine_kernel.c (revision 833622)
@@ -729,6 +729,10 @@
(unsigned char *)&id,
sizeof(id));
+ /* Toggle the renegotiation state to allow the new
+ * handshake to proceed. */
+ sslconn->reneg_state = RENEG_ALLOW;
+
SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
@@ -750,6 +754,8 @@
SSL_set_state(ssl, SSL_ST_ACCEPT);
SSL_do_handshake(ssl);
+ sslconn->reneg_state = RENEG_REJECT;
+
if (SSL_get_state(ssl) != SSL_ST_OK) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"Re-negotiation handshake failed: "
@@ -1844,76 +1850,55 @@
return;
}
-/*
- * This callback function is executed while OpenSSL processes the
- * SSL handshake and does SSL record layer stuff. We use it to
- * trace OpenSSL's processing in out SSL logfile.
- */
-void ssl_callback_LogTracingState(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
+/* Dump debugginfo trace to the log file. */
+static void log_tracing_state(MODSSL_INFO_CB_ARG_TYPE ssl, conn_rec *c,
+ server_rec *s, int where, int rc)
{
- conn_rec *c;
- server_rec *s;
- SSLSrvConfigRec *sc;
-
/*
- * find corresponding server
+ * create the various trace messages
*/
- if (!(c = (conn_rec *)SSL_get_app_data((SSL *)ssl))) {
- return;
+ if (where & SSL_CB_HANDSHAKE_START) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Handshake: start", SSL_LIBRARY_NAME);
}
-
- s = mySrvFromConn(c);
- if (!(sc = mySrvConfig(s))) {
- return;
+ else if (where & SSL_CB_HANDSHAKE_DONE) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Handshake: done", SSL_LIBRARY_NAME);
}
-
- /*
- * create the various trace messages
- */
- if (s->loglevel >= APLOG_DEBUG) {
- if (where & SSL_CB_HANDSHAKE_START) {
+ else if (where & SSL_CB_LOOP) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Loop: %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+ else if (where & SSL_CB_READ) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Read: %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+ else if (where & SSL_CB_WRITE) {
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Write: %s",
+ SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
+ }
+ else if (where & SSL_CB_ALERT) {
+ char *str = (where & SSL_CB_READ) ? "read" : "write";
+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
+ "%s: Alert: %s:%s:%s",
+ SSL_LIBRARY_NAME, str,
+ SSL_alert_type_string_long(rc),
+ SSL_alert_desc_string_long(rc));
+ }
+ else if (where & SSL_CB_EXIT) {
+ if (rc == 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Handshake: start", SSL_LIBRARY_NAME);
- }
- else if (where & SSL_CB_HANDSHAKE_DONE) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Handshake: done", SSL_LIBRARY_NAME);
- }
- else if (where & SSL_CB_LOOP) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Loop: %s",
+ "%s: Exit: failed in %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
- else if (where & SSL_CB_READ) {
+ else if (rc < 0) {
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Read: %s",
+ "%s: Exit: error in %s",
SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
}
- else if (where & SSL_CB_WRITE) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Write: %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
- else if (where & SSL_CB_ALERT) {
- char *str = (where & SSL_CB_READ) ? "read" : "write";
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Alert: %s:%s:%s",
- SSL_LIBRARY_NAME, str,
- SSL_alert_type_string_long(rc),
- SSL_alert_desc_string_long(rc));
- }
- else if (where & SSL_CB_EXIT) {
- if (rc == 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Exit: failed in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
- else if (rc < 0) {
- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s,
- "%s: Exit: error in %s",
- SSL_LIBRARY_NAME, SSL_state_string_long(ssl));
- }
- }
}
/*
@@ -1933,6 +1918,52 @@
}
}
+/*
+ * This callback function is executed while OpenSSL processes the SSL
+ * handshake and does SSL record layer stuff. It's used to trap
+ * client-initiated renegotiations, and for dumping everything to the
+ * log.
+ */
+void ssl_callback_Info(MODSSL_INFO_CB_ARG_TYPE ssl, int where, int rc)
+{
+ conn_rec *c;
+ server_rec *s;
+ SSLConnRec *scr;
+
+ /* Retrieve the conn_rec and the associated SSLConnRec. */
+ if ((c = (conn_rec *)SSL_get_app_data((SSL *)ssl)) == NULL) {
+ return;
+ }
+
+ if ((scr = myConnConfig(c)) == NULL) {
+ return;
+ }
+
+ /* If the reneg state is to reject renegotiations, check the SSL
+ * state machine and move to ABORT if a Client Hello is being
+ * read. */
+ if ((where & SSL_CB_ACCEPT_LOOP) && scr->reneg_state == RENEG_REJECT) {
+ int state = SSL_get_state(ssl);
+
+ if (state == SSL3_ST_SR_CLNT_HELLO_A
+ || state == SSL23_ST_SR_CLNT_HELLO_A) {
+ scr->reneg_state = RENEG_ABORT;
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+ "rejecting client initiated renegotiation");
+ }
+ }
+ /* If the first handshake is complete, change state to reject any
+ * subsequent client-initated renegotiation. */
+ else if ((where & SSL_CB_HANDSHAKE_DONE) && scr->reneg_state == RENEG_INIT) {
+ scr->reneg_state = RENEG_REJECT;
+ }
+
+ s = mySrvFromConn(c);
+ if (s && s->loglevel >= APLOG_DEBUG) {
+ log_tracing_state(ssl, c, s, where, rc);
+ }
+}
+
#ifndef OPENSSL_NO_TLSEXT
/*
* This callback function is executed when OpenSSL encounters an extended

54
apache2.changes
View File

@ -1,3 +1,57 @@
-------------------------------------------------------------------
Wed Dec 16 10:56:35 CET 2009 - jengelh@medozas.de
- package documentation as noarch
-------------------------------------------------------------------
Sat Nov 7 11:30:06 UTC 2009 - poeml@cmdline.net
- add patch for CVE-2009-3555 (cve.mitre.org)
http://www.apache.org/dist/httpd/patches/apply_to_2.2.14/CVE-2009-3555-2.2.patch
http://mail-archives.apache.org/mod_mbox/httpd-announce/200911.mbox/%3c20091107013220.31376.qmail@minotaur.apache.org%3e
A partial fix for the TLS renegotiation prefix injection attack by rejecting
any client-initiated renegotiations. Any configuration which requires
renegotiation for per-directory/location access control is still vulnerable,
unless using OpenSSL >= 0.9.8l.
-------------------------------------------------------------------
Mon Oct 26 12:48:11 UTC 2009 - poeml@cmdline.net
- update to 2.2.14:
*) SECURITY: CVE-2009-2699 (cve.mitre.org)
Fixed in APR 1.3.9. Faulty error handling in the Solaris pollset support
(Event Port backend) which could trigger hangs in the prefork and event
MPMs on that platform. PR 47645. [Jeff Trawick]
*) SECURITY: CVE-2009-3095 (cve.mitre.org)
mod_proxy_ftp: sanity check authn credentials.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) SECURITY: CVE-2009-3094 (cve.mitre.org)
mod_proxy_ftp: NULL pointer dereference on error paths.
[Stefan Fritsch <sf fritsch.de>, Joe Orton]
*) mod_proxy_scgi: Backport from trunk. [André Malo]
*) mod_ldap: Don't try to resolve file-based user ids to a DN when AuthLDAPURL
has been defined at a very high level. PR 45946. [Eric Covener]
*) htcacheclean: 19 ways to fail, 1 error message. Fixed. [Graham Leggett]
*) mod_ldap: Bring the LDAPCacheEntries and LDAPOpCacheEntries
usage() in synch with the manual and the implementation (0 and -1
both disable the cache). [Eric Covener]
*) mod_ssl: The error message when SSLCertificateFile is missing should
at least give the name or position of the problematic virtual host
definition. [Stefan Fritsch sf sfritsch.de]
*) htdbm: Fix possible buffer overflow if dbm database has very
long values. PR 30586 [Dan Poirier]
*) Add support for HTTP PUT to ab. [Jeff Barnes <jbarnesweb yahoo.com>]
*) mod_ssl: Fix SSL_*_DN_UID variables to use the 'userID' attribute
type. PR 45107. [Michael Ströder <michael stroeder.com>,
Peter Sylvester <peter.sylvester edelweb.fr>]
*) mod_cache: Add CacheIgnoreURLSessionIdentifiers directive to ignore
defined session identifiers encoded in the URL when caching.
[Ruediger Pluem]
*) mod_mem_cache: fix seg fault under load due to pool concurrency problem
PR: 47672 [Dan Poirier <poirier pobox.com>]
*) mod_autoindex: Correctly create an empty cell if the description
for a file is missing. PR 47682 [Peter Poeml <poeml suse.de>]
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 10 03:15:09 CEST 2009 - poeml@suse.de Mon Aug 10 03:15:09 CEST 2009 - poeml@suse.de

13
apache2.spec
View File

@ -1,7 +1,7 @@
# #
# spec file for package apache2 (Version 2.2.13) # spec file for package apache2 (Version 2.2.14)
# #
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
# #
# All modifications and additions to the file contributed by third parties # All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed # remain the property of their copyright owners, unless otherwise agreed
@ -62,8 +62,8 @@ BuildRequires: expat-devel
%define platform_string Linux/%VENDOR %define platform_string Linux/%VENDOR
License: Apache Software License .. License: Apache Software License ..
Group: Productivity/Networking/Web/Servers Group: Productivity/Networking/Web/Servers
%define realver 2.2.13 %define realver 2.2.14
Version: 2.2.13 Version: 2.2.14
Release: 1 Release: 1
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
@ -112,6 +112,7 @@ Source131: apache2-vhost-ssl.template
Source140: apache2-check_forensic Source140: apache2-check_forensic
Source141: apache-20-22-upgrade Source141: apache-20-22-upgrade
Patch2: httpd-2.1.3alpha-layout.dif Patch2: httpd-2.1.3alpha-layout.dif
Patch10: CVE-2009-3555-2.2.patch
Patch23: httpd-2.1.9-apachectl.dif Patch23: httpd-2.1.9-apachectl.dif
Patch65: httpd-2.0.49-log_server_status.dif Patch65: httpd-2.0.49-log_server_status.dif
Patch66: httpd-2.0.54-envvars.dif Patch66: httpd-2.0.54-envvars.dif
@ -313,6 +314,9 @@ Group: Documentation/Other
Provides: apache-doc Provides: apache-doc
Obsoletes: apache-doc Obsoletes: apache-doc
%endif %endif
%if 0%{?suse_version} >= 1120
BuildArch: noarch
%endif
%description doc %description doc
This package contains optional documentation provided in addition to This package contains optional documentation provided in addition to
@ -377,6 +381,7 @@ Authors:
# #
%setup -q -n httpd-%{realver} %setup -q -n httpd-%{realver}
%patch2 -p1 %patch2 -p1
%patch10 -p0
%patch23 -p1 %patch23 -p1
%patch65 -p1 %patch65 -p1
%patch66 -p1 %patch66 -p1

3
httpd-2.2.13.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:24a812e010d936a3114141bad56461fcaa1089aa720bd16355feb3516ab8d6d6
size 5300199

3
httpd-2.2.14.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:b2deab8a5e797fde7a04fb4a5ebfa9c80f767d064dd19dcd2857c94838ae3ac6
size 5147171