OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=10

apache2-mod_cache-CVE-2007-1863.patch

@@ -0,0 +1,89 @@
+Index: modules/cache/cache_util.c
+================================================================================
+--- CHANGES
++++ CHANGES
+@@ -1,6 +1,10 @@
+                                                         -*- coding: utf-8 -*-
+ Changes with Apache 2.2.3
+ 
++  *) SECURITY: CVE-2007-1863 (cve.mitre.org)
++     mod_cache: Prevent segmentation fault if a Cache-Control header has
++     no value [Niklas Edmundsson]
++
+   *) SECURITY: CVE-2006-3747 (cve.mitre.org)
+      mod_rewrite: Fix an off-by-one security problem in the ldap scheme
+      handling.  For some RewriteRules this could lead to a pointer being
+--- modules/cache/cache_util.c
++++ modules/cache/cache_util.c
+@@ -231,7 +231,8 @@
+     age = ap_cache_current_age(info, age_c, r->request_time);
+ 
+     /* extract s-maxage */
+-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)) {
++    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "s-maxage", &val)
++        && val != NULL) {
+         smaxage = apr_atoi64(val);
+     }
+     else {
+@@ -240,7 +241,8 @@
+ 
+     /* extract max-age from request */
+     if (!conf->ignorecachecontrol
+-        && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)) {
++        && cc_req && ap_cache_liststr(r->pool, cc_req, "max-age", &val)
++        && val != NULL) {
+         maxage_req = apr_atoi64(val);
+     }
+     else {
+@@ -248,7 +250,8 @@
+     }
+ 
+     /* extract max-age from response */
+-    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)) {
++    if (cc_cresp && ap_cache_liststr(r->pool, cc_cresp, "max-age", &val)
++        && val != NULL) {
+         maxage_cresp = apr_atoi64(val);
+     }
+     else {
+@@ -270,7 +273,20 @@
+ 
+     /* extract max-stale */
+     if (cc_req && ap_cache_liststr(r->pool, cc_req, "max-stale", &val)) {
+-        maxstale = apr_atoi64(val);
++        if(val != NULL) {
++            maxstale = apr_atoi64(val);
++        }
++        else {
++            /*
++             * If no value is assigned to max-stale, then the client is willing
++             * to accept a stale response of any age (RFC2616 14.9.3). We will
++             * set it to one year in this case as this situation is somewhat
++             * similar to a "never expires" Expires header (RFC2616 14.21)
++             * which is set to a date one year from the time the response is
++             * sent in this case.
++             */
++            maxstale = APR_INT64_C(86400*365);
++        }
+     }
+     else {
+         maxstale = 0;
+@@ -278,7 +294,8 @@
+ 
+     /* extract min-fresh */
+     if (!conf->ignorecachecontrol
+-        && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)) {
++        && cc_req && ap_cache_liststr(r->pool, cc_req, "min-fresh", &val)
++        && val != NULL) {
+         minfresh = apr_atoi64(val);
+     }
+     else {
+@@ -407,6 +424,9 @@
+                                                   next - val_start);
+                         }
+                     }
++                    else {
++                        *val = NULL;
++                    }
+                 }
+                 return 1;
+             }

apache2-mod_status-CVE-2006-5752.patch

@@ -0,0 +1,40 @@
+--- modules/generators/mod_status.c	2007/06/20 17:22:08	549158
++++ modules/generators/mod_status.c	2007/06/20 17:29:24	549159
+@@ -270,7 +270,7 @@
+     if (r->method_number != M_GET)
+         return DECLINED;
+ 
+-    ap_set_content_type(r, "text/html");
++    ap_set_content_type(r, "text/html; charset=ISO-8859-1");
+ 
+     /*
+      * Simple table-driven form data set parser that lets you alter the header
+@@ -299,7 +299,7 @@
+                     no_table_report = 1;
+                     break;
+                 case STAT_OPT_AUTO:
+-                    ap_set_content_type(r, "text/plain");
++                    ap_set_content_type(r, "text/plain; charset=ISO-8859-1");
+                     short_report = 1;
+                     break;
+                 }
+@@ -673,7 +673,8 @@
+                                ap_escape_html(r->pool,
+                                               ws_record->client),
+                                ap_escape_html(r->pool,
+-                                              ws_record->request),
++                                              ap_escape_logitem(r->pool,
++                                                                ws_record->request)),
+                                ap_escape_html(r->pool,
+                                               ws_record->vhost));
+                 }
+@@ -763,7 +764,8 @@
+                                    ap_escape_html(r->pool,
+                                                   ws_record->vhost),
+                                    ap_escape_html(r->pool,
+-                                                  ws_record->request));
++                                                  ap_escape_logitem(r->pool, 
++                                                                    ws_record->request)));
+                 } /* no_table_report */
+             } /* for (j...) */
+         } /* for (i...) */

apache2.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Aug 23 11:27:19 CEST 2007 - mskibbe@suse.de
+
+- Bug 289996 - VUL-0: mod_status XSS in public server status page 
+- Bug 289997 - VUL-0: apache2: mod_cache remote denial of service
+
 -------------------------------------------------------------------
 Wed Jul 18 16:04:05 CEST 2007 - skh@suse.de
 

apache2.spec

@@ -55,7 +55,7 @@ License:        The Apache Software License
 Group:          Productivity/Networking/Web/Servers
 %define realver 2.2.4
 Version:        2.2.4
-Release:        44
+Release:        57
 #Source0:      http://www.apache.org/dist/httpd-%{version}.tar.bz2
 Source0:        http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2
 Source10:       SUSE-NOTICE
@@ -110,6 +110,8 @@ Patch67:        httpd-2.2.0-apxs-a2enmod.dif
 Patch68:        httpd-2.2.3-AddDirectoryIndexCharset.patch
 Patch69:        httpd-2.2.x.doublefree.patch
 Patch150:       mod_dbd.c-issue18989-autoconnect.dif
+Patch151:       apache2-mod_status-CVE-2006-5752.patch
+Patch152:       apache2-mod_cache-CVE-2007-1863.patch
 URL:            http://httpd.apache.org/
 Icon:         Apache.xpm
 Summary:        The Apache Web Server Version 2.0
@@ -321,6 +323,8 @@ Authors:
 %patch67 -p1
 %patch68 -p1
 %patch69 -p0
+%patch151 -p0
+%patch152 -p0
 cp -p %{S:150} modules/database/mod_dbd.c
 #%patch150 -p0
 #
@@ -1056,6 +1060,9 @@ if ! test -f /.buildenv; then
 fi
 
 %changelog
+* Thu Aug 23 2007 - mskibbe@suse.de
+- Bug 289996 - VUL-0: mod_status XSS in public server status page
+- Bug 289997 - VUL-0: apache2: mod_cache remote denial of service
 * Wed Jul 18 2007 - skh@suse.de
 - split off apache2-utils subpackage, containing all helper tools that
   are useful for system administrators in general (b.n.c. #272292 and