[oe-commits] [meta-openembedded] 07/29: apache2: cve-2016-5387

Tue Nov 15 14:12:37 UTC 2016

martin_jansa pushed a commit to branch master-next
in repository meta-openembedded.

commit 3e695ae826b3cfebbefc40c3c6a8225f2c0eb5ea
Author: Joe Slater <jslater at windriver.com>
AuthorDate: Thu Oct 27 09:48:43 2016 -0700

    apache2: cve-2016-5387
    
    Handle HTTP_PROXY envirnoment variable.
    
    Signed-off-by: Joe Slater <jslater at windriver.com>
    Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
---
 .../apache2/apache2/cve-2016-5387.patch            | 25 ++++++++++++++++++++++
 .../recipes-httpd/apache2/apache2_2.4.23.bb        |  1 +
 2 files changed, 26 insertions(+)

diff --git a/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
new file mode 100644
index 0000000..dbcdfc6
--- /dev/null
+++ b/meta-webserver/recipes-httpd/apache2/apache2/cve-2016-5387.patch
@@ -0,0 +1,25 @@
+This patch has been copied from https://www.apache.org/security/asf-httpoxy-response.txt
+as a mitigation of CVE-2016-5387.
+
+Upstream-Status: Backport - fixed in 2.4.24
+
+Signed-off-by: Joe Slater<jslater at windriver.com>
+
+
+--- a/server/util_script.c	(revision 1752426)
++++ b/server/util_script.c	(working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+         }
++        /* HTTP_PROXY collides with a popular envvar used to configure
++         * proxies, don't let clients set/override it.  But, if you must...
++         */
++#ifndef SECURITY_HOLE_PASS_PROXY
++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++            ;
++        }
++#endif
+         /*
+          * You really don't want to disable this check, since it leaves you
+          * wide open to CGIs stealing passwords and people viewing them
diff --git a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb b/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
index be24998..7656595 100644
--- a/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
+++ b/meta-webserver/recipes-httpd/apache2/apache2_2.4.23.bb
@@ -17,6 +17,7 @@ SRC_URI = "http://www.apache.org/dist/httpd/httpd-${PV}.tar.bz2 \
            file://httpd-2.4.3-fix-race-issue-of-dir-install.patch \
            file://0001-configure-use-pkg-config-for-PCRE-detection.patch \
            file://configure-allow-to-disable-selinux-support.patch \
+           file://cve-2016-5387.patch \
            file://init \
            file://apache2-volatile.conf \
            file://apache2.service \

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.
