Re: CVE-2016-5387/apache2

Wed, 20 Jul 2016 05:11:38 -0700 

Hi Salvatore,
On Wed, Jul 20, 2016 at 09:30:16AM +0200, Salvatore Bonaccorso wrote:
> Hi LTS team,
> 
> I have prepared an update for the mitigation of "httpoxy" in apache2
> (CVE-2016-5387).
> 
> Unless someone of the team want's to actually do the upload I could do
> it, since already prepared. But just let me know.
> 
> Regards,
> Salvatore

> diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog
> --- apache2-2.2.22/debian/changelog   2015-08-18 11:41:11.000000000 +0200
> +++ apache2-2.2.22/debian/changelog   2016-07-20 07:04:30.000000000 +0200
> @@ -1,3 +1,12 @@
> +apache2 (2.2.22-13+deb7u7) wheezy-security; urgency=high
> +
> +  * Non-maintainer upload.
> +  * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
> +    request header.
> +    Don't pass through HTTP_PROXY in server/util_script.c
> +
> + -- Salvatore Bonaccorso <car...@debian.org>  Wed, 20 Jul 2016 07:03:46 +0200
> +
>  apache2 (2.2.22-13+deb7u6) wheezy-security; urgency=medium
>  
>    * Fix regression causing spurious errors when loading certificate chain.
> diff -Nru apache2-2.2.22/debian/patches/CVE-2016-5387.patch 
> apache2-2.2.22/debian/patches/CVE-2016-5387.patch
> --- apache2-2.2.22/debian/patches/CVE-2016-5387.patch 1970-01-01 
> 01:00:00.000000000 +0100
> +++ apache2-2.2.22/debian/patches/CVE-2016-5387.patch 2016-07-20 
> 07:04:30.000000000 +0200
> @@ -0,0 +1,17 @@
> +--- a/server/util_script.c
> ++++ b/server/util_script.c
> +@@ -180,6 +180,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
> +         else if (!strcasecmp(hdrs[i].key, "Content-length")) {
> +             apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
> +         }
> ++        /* HTTP_PROXY collides with a popular envvar used to configure
> ++         * proxies, don't let clients set/override it.  But, if you must...
> ++         */
> ++#ifndef SECURITY_HOLE_PASS_PROXY
> ++        else if (!strcasecmp(hdrs[i].key, "Proxy")) {
> ++            ;
> ++        }
> ++#endif
> +         /*
> +          * You really don't want to disable this check, since it leaves you
> +          * wide open to CGIs stealing passwords and people viewing them
> diff -Nru apache2-2.2.22/debian/patches/series 
> apache2-2.2.22/debian/patches/series
> --- apache2-2.2.22/debian/patches/series      2015-08-18 09:47:23.000000000 
> +0200
> +++ apache2-2.2.22/debian/patches/series      2016-07-20 07:04:30.000000000 
> +0200
> @@ -51,3 +51,4 @@
>  DH-SSLCertificateFile.patch
>  CVE-2015-3183.patch
>  SSL_CTX_use_certificate_clear_errors.diff
> +CVE-2016-5387.patch

Looks good to me. Thanks a lot for handling this!
 -- Guido

Reply via email to