rpm/apache2
SHA256
1
0
Fork 0
forked from pool/apache2
Code Pull Requests Activity

Accepting request 307348 from Apache

Browse Source 
- add httpd-2.4.12-CVE-2015-0253.patch to fix SECURITY: CVE-2015-0253
  (cve.mitre.org) core: Fix a crash introduced in with ErrorDocument
  400 pointing to a local URL-path with the INCLUDES filter active,
  introduced in 2.4.11. PR 57531. [Yann Ylavic]

OBS-URL: https://build.opensuse.org/request/show/307348
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=104
This commit is contained in:
Stephan Kulow 2015-05-16 18:07:23 +00:00 committed by Git OBS Bridge
commit d13c2a16c9
3 changed files with 34 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
apache2.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Mon May 11 13:34:40 UTC 2015 - hguo@suse.com
- add httpd-2.4.12-CVE-2015-0253.patch to fix SECURITY: CVE-2015-0253
(cve.mitre.org) core: Fix a crash introduced in with ErrorDocument
400 pointing to a local URL-path with the INCLUDES filter active,
introduced in 2.4.11. PR 57531. [Yann Ylavic]
------------------------------------------------------------------- -------------------------------------------------------------------
Tue May 5 12:36:10 UTC 2015 - kstreitova@suse.com Tue May 5 12:36:10 UTC 2015 - kstreitova@suse.com

2
apache2.spec
View File

@ -126,6 +126,7 @@ Patch109: httpd-2.4.3-mod_systemd.patch
Patch111: httpd-visibility.patch Patch111: httpd-visibility.patch
# PATCH-FIX-UPSTREAM bnc#918352 kstreitova@suse.com -- fix mod_lua - maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash # PATCH-FIX-UPSTREAM bnc#918352 kstreitova@suse.com -- fix mod_lua - maliciously crafted websockets PING after a script calls r:wsupgrade() can cause a child process crash
Patch112: httpd-2.4.x-mod_lua_websocket_DoS.patch Patch112: httpd-2.4.x-mod_lua_websocket_DoS.patch
Patch113: httpd-2.4.12-CVE-2015-0253.patch
BuildRequires: automake BuildRequires: automake
BuildRequires: db-devel BuildRequires: db-devel
BuildRequires: ed BuildRequires: ed
@ -309,6 +310,7 @@ to administrators of web servers in general.
%endif %endif
%patch111 -p1 %patch111 -p1
%patch112 -p1 %patch112 -p1
%patch113 -p3
cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE
# install READMEs # install READMEs
a=$(basename %{SOURCE22}) a=$(basename %{SOURCE22})

24
httpd-2.4.12-CVE-2015-0253.patch Normal file
View File

@ -0,0 +1,24 @@
SECURITY: CVE-2015-0253 (cve.mitre.org)
core: Fix a crash introduced in with ErrorDocument 400 pointing
to a local URL-path with the INCLUDES filter active, introduced
in 2.4.11. PR 57531. [Yann Ylavic]
--- httpd/httpd/trunk/server/protocol.c 2015/03/05 02:31:42 1664204
+++ httpd/httpd/trunk/server/protocol.c 2015/03/05 02:33:16 1664205
@@ -606,8 +606,6 @@
*/
if (APR_STATUS_IS_ENOSPC(rv)) {
r->status = HTTP_REQUEST_URI_TOO_LARGE;
- r->proto_num = HTTP_VERSION(1,0);
- r->protocol = apr_pstrdup(r->pool, "HTTP/1.0");
}
else if (APR_STATUS_IS_TIMEUP(rv)) {
r->status = HTTP_REQUEST_TIME_OUT;
@@ -615,6 +613,8 @@
else if (APR_STATUS_IS_EINVAL(rv)) {
r->status = HTTP_BAD_REQUEST;
}
+ r->proto_num = HTTP_VERSION(1,0);
+ r->protocol = apr_pstrdup(r->pool, "HTTP/1.0");
return 0;
}
} while ((len <= 0) && (++num_blank_lines < max_blank_lines));