Accepting request 89271 from Apache

2.0 turns 2.2 in Summary and Description. No other change intended. OBS-URL: https://build.opensuse.org/request/show/89271 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=54
2011-10-25 13:46:11 +00:00 · 2011-10-25 13:46:11 +00:00 · 0527e1d607
commit 0527e1d607
parent 20d1030bba 8015fbf1a2
3 changed files with 89 additions and 7 deletions
--- a/apache2.changes
+++ b/apache2.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Fri Oct  7 17:11:56 CEST 2011 - draht@suse.de
+
+- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff fixes mod_proxy
+  reverse exposure via RewriteRule or ProxyPassMatch directives.
+  This is CVE-2011-3368.
+
+-------------------------------------------------------------------
+Fri Oct  7 14:36:31 UTC 2011 - fcrozat@suse.com
+
+- Ensure service_add_pre macro is correctly called for 
+  openSUSE 12.1 or later.
+
 -------------------------------------------------------------------
 Tue Sep 27 08:19:35 UTC 2011 - fcrozat@suse.com

--- a/apache2.spec
+++ b/apache2.spec
@ -136,9 +136,10 @@ Patch101:       httpd-2.2.19-linux3.patch
 Patch102:       httpd-keepalivetimeout-millisecs.patch
 Patch104:       httpd-mod_deflate_head.patch
 Patch105:       ssl-mode-release-buffers.patch
+Patch106:       httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
 Url:            http://httpd.apache.org/
 Icon:           Apache.xpm
-Summary:        The Apache Web Server Version 2.0
+Summary:        The Apache Web Server Version 2.2
 AutoReqProv:    on
 Provides:       httpd http_daemon %{apache_mmn} suse_help_viewer
 Requires:       %{pname}-MPM /etc/mime.types
@ -194,7 +195,7 @@ Mod_ssl is no longer a separate package, but is now included in the
 Apache distribution.

 See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and
-http://httpd.apache.org/docs-2.0/upgrading.html.
+http://httpd.apache.org/docs-2.2/upgrading.html.

 %if %worker

@ -288,7 +289,7 @@ See http://mpm-itk.sesse.net/

 %package devel
 License:        ASLv..
-Summary:        Apache 2.0 Header and Include Files
+Summary:        Apache 2.2 Header and Include Files
 Group:          Development/Libraries/C and C++
 Requires:       %{name} = %{version} %{pname}-MPM
 Requires:       libapr1-devel libapr-util1-devel
@ -358,6 +359,7 @@ to administrators of web servers in general.
 %patch102
 %patch104
 %patch105
+%patch106
 #
 cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
 #
@ -1012,19 +1014,18 @@ exit 0
 #     |           |
 #  

-# on Fedora, add the "apache" user
-%if %{?suse_version:0}%{!?suse_version:1}
-
 %pre
+%if %{?suse_version:0}%{!?suse_version:1}
+# on Fedora, add the "apache" user
 if ! /usr/bin/getent passwd %httpduser &>/dev/null; then
  echo "Creating %httpduser user"
  /usr/sbin/useradd -c "Apache" -u 48 \
        -s /sbin/nologin -r -d %{localstatedir} %httpduser 2> /dev/null || :
 fi
+%endif
 %if 0%{?suse_version} >= 1210
 %service_add_pre apache2.service
 %endif
-%endif

 %preun
 %if 0%{?suse_version} >= 1210
--- a/httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
+++ b/httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
@ -0,0 +1,68 @@
+diff -rNU 20 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c
+--- ../httpd-2.2.21-o/server/protocol.c	2011-05-07 13:39:29.000000000 +0200
+++ ./server/protocol.c	2011-10-07 17:10:46.000000000 +0200
+@@ -623,40 +623,64 @@
+ 
+ #if 0
+ /* XXX If we want to keep track of the Method, the protocol module should do
+  * it.  That support isn't in the scoreboard yet.  Hopefully next week
+  * sometime.   rbb */
+     ap_update_connection_status(AP_CHILD_THREAD_FROM_ID(conn->id), "Method",
+                                 r->method);
+ #endif
+ 
+     uri = ap_getword_white(r->pool, &ll);
+ 
+     /* Provide quick information about the request method as soon as known */
+ 
+     r->method_number = ap_method_number_of(r->method);
+     if (r->method_number == M_GET && r->method[0] == 'H') {
+         r->header_only = 1;
+     }
+ 
+     ap_parse_uri(r, uri);
+ 
+/* 
+	https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&view=patch
+	This is the fix for CVE-2011-3368; via bnc#722545.
+ */
+
+    /* RFC 2616:
+     *   Request-URI    = "*" | absoluteURI | abs_path | authority
+     *
+     * authority is a special case for CONNECT.  If the request is not
+     * using CONNECT, and the parsed URI does not have scheme, and
+     * it does not begin with '/', and it is not '*', then, fail
+     * and give a 400 response. */
+    if (r->method_number != M_CONNECT 
+        && !r->parsed_uri.scheme 
+        && uri[0] != '/'
+        && !(uri[0] == '*' && uri[1] == '\0')) {
+        ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+                      "invalid request-URI %s", uri);
+        r->args = NULL;
+        r->hostname = NULL;
+        r->status = HTTP_BAD_REQUEST;
+        r->uri = apr_pstrdup(r->pool, uri);
+    }
+
+     if (ll[0]) {
+         r->assbackwards = 0;
+         pro = ll;
+         len = strlen(ll);
+     } else {
+         r->assbackwards = 1;
+         pro = "HTTP/0.9";
+         len = 8;
+     }
+     r->protocol = apr_pstrmemdup(r->pool, pro, len);
+ 
+     /* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */
+ 
+     /* Avoid sscanf in the common case */
+     if (len == 8
+         && pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P'
+         && pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.'
+         && apr_isdigit(pro[7])) {
+         r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0');
+     }