apache2: cve-2016-5387

Handle HTTP_PROXY envirnoment variable. Signed-off-by: Joe Slater <jslater@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Joe Slater <jslater@windriver.com> 2016-10-27 09:48:43 -0700
committer: Martin Jansa <Martin.Jansa@gmail.com> 2016-11-23 15:23:57 +0100
commit: 6d4ca6868bb6195f3c4cc785a1a8afc1af10f7e2 (patch)
tree: 81415c7e9960bcc5df1070c85bc8939d79be9a74 /meta-webserver
parent: 87affdd40511d557cfe9ae21ad943c7e30937c89 (diff)
download: meta-openembedded-6d4ca6868bb6195f3c4cc785a1a8afc1af10f7e2.tar.gz
2 files changed, 26 insertions, 0 deletions
diff --git a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
new file mode 100644
index 000000000..dbcdfc6df
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
@@ -0,0 +1,25 @@
+This patch has been copied from https://www.apache.org/security/asf-httpoxy-response.txt
+as a mitigation of CVE-2016-5387.
+Upstream-Status: Backport - fixed in 2.4.24
+Signed-off-by: Joe Slater<jslater@windriver.com>
+--- a/server/util_script.c      (revision 1752426)
+++ b/server/util_script.c      (working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
+        /* HTTP_PROXY collides with a popular envvar used to configure
+         * proxies, don't let clients set/override it.  But, if you must...
+         */
+#ifndef SECURITY_HOLE_PASS_PROXY
+        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+            ;
+        }
+#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
index be24998d1..7656595c8 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
           file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
           file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
           file://configure-allow-to-disable-selinux-support.patch \
+           file://cve-2016-5387.patch \
           file://init \
           file://apache2-volatile.conf \
           file://apache2.service \
author	Joe Slater <jslater@windriver.com>	2016-10-27 09:48:43 -0700
committer	Martin Jansa <Martin.Jansa@gmail.com>	2016-11-23 15:23:57 +0100
commit	6d4ca6868bb6195f3c4cc785a1a8afc1af10f7e2 (patch)
tree	81415c7e9960bcc5df1070c85bc8939d79be9a74 /meta-webserver
parent	87affdd40511d557cfe9ae21ad943c7e30937c89 (diff)
download	meta-openembedded-6d4ca6868bb6195f3c4cc785a1a8afc1af10f7e2.tar.gz

diff --git a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch new file mode 100644 index 000000000..dbcdfc6df --- /dev/null +++ b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
@@ -0,0 +1,25 @@
		1	This patch has been copied from https://www.apache.org/security/asf-httpoxy-response.txt
		2	as a mitigation of CVE-2016-5387.
		3
		4	Upstream-Status: Backport - fixed in 2.4.24
		5
		6	Signed-off-by: Joe Slater<jslater@windriver.com>
		7
		8
		9	--- a/server/util_script.c (revision 1752426)
		10	+++ b/server/util_script.c (working copy)
		11	@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
		12	else if (!strcasecmp(hdrs[i].key, "Content-length")) {
		13	apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
		14	}
		15	+ /* HTTP_PROXY collides with a popular envvar used to configure
		16	+ * proxies, don't let clients set/override it. But, if you must...
		17	+ */
		18	+#ifndef SECURITY_HOLE_PASS_PROXY
		19	+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
		20	+ ;
		21	+ }
		22	+#endif
		23	/*
		24	* You really don't want to disable this check, since it leaves you
		25	* wide open to CGIs stealing passwords and people viewing them


diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb index be24998d1..7656595c8 100644 --- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb +++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
17	file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \	17	file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
18	file://0001-configure-use-pkg-config-for-PCRE-detection.patch \	18	file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
19	file://configure-allow-to-disable-selinux-support.patch \	19	file://configure-allow-to-disable-selinux-support.patch \
		20	file://cve-2016-5387.patch \
20	file://init \	21	file://init \
21	file://apache2-volatile.conf \	22	file://apache2-volatile.conf \
22	file://apache2.service \	23	file://apache2.service \