Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
Hi, please review apache2/2.4.25-3+deb9u6 for inclusion into the next stretch point release. Here is the changelog: * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106 * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS. Closes: #909591 * mod_proxy_fcgi: Fix segfault. Closes: #902906 Debdiff is attached. Cheers, Stefan
diff -Nru apache2-2.4.25/debian/changelog apache2-2.4.25/debian/changelog --- apache2-2.4.25/debian/changelog 2018-06-02 10:01:13.000000000 +0200 +++ apache2-2.4.25/debian/changelog 2018-11-03 19:46:19.000000000 +0100 @@ -1,3 +1,12 @@ +apache2 (2.4.25-3+deb9u6) stretch; urgency=medium + + * CVE-2018-1333: mod_http2: Fix DoS by worker exhaustion. Closes: #904106 + * CVE-2018-11763: mod_http2: Fix DoS by continuous SETTINGS. + Closes: #909591 + * mod_proxy_fcgi: Fix segfault. Closes: #902906 + + -- Stefan Fritsch <s...@debian.org> Sat, 03 Nov 2018 19:46:19 +0100 + apache2 (2.4.25-3+deb9u5) stretch; urgency=medium * Upgrade mod_http and mod_proxy_http2 to the versions from 2.4.33. This diff -Nru apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff --- apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff 1970-01-01 01:00:00.000000000 +0100 +++ apache2-2.4.25/debian/patches/CVE-2018-11763-mod_http2_DoS-SETTINGS.diff 2018-11-03 19:45:38.000000000 +0100 @@ -0,0 +1,458 @@ +# https://svn.apache.org/viewvc?view=revision&revision=1840757 +# CVE-2018-11763 +--- apache2.orig/modules/http2/h2_session.c ++++ apache2/modules/http2/h2_session.c +@@ -235,6 +235,7 @@ static int on_data_chunk_recv_cb(nghttp2 + stream = h2_session_stream_get(session, stream_id); + if (stream) { + status = h2_stream_recv_DATA(stream, flags, data, len); ++ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream data rcvd"); + } + else { + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(03064) +@@ -317,9 +318,9 @@ static int on_header_cb(nghttp2_session + } + + /** +- * nghttp2 session has received a complete frame. Most, it uses +- * for processing of internal state. HEADER and DATA frames however +- * we need to handle ourself. ++ * nghttp2 session has received a complete frame. Most are used by nghttp2 ++ * for processing of internal state. Some, like HEADER and DATA frames, ++ * we need to act on. + */ + static int on_frame_recv_cb(nghttp2_session *ng2s, + const nghttp2_frame *frame, +@@ -376,6 +377,9 @@ static int on_frame_recv_cb(nghttp2_sess + "h2_stream(%ld-%d): WINDOW_UPDATE incr=%d", + session->id, (int)frame->hd.stream_id, + frame->window_update.window_size_increment); ++ if (nghttp2_session_want_write(session->ngh2)) { ++ dispatch_event(session, H2_SESSION_EV_FRAME_RCVD, 0, "window update"); ++ } + break; + case NGHTTP2_RST_STREAM: + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, session->c, APLOGNO(03067) +@@ -402,6 +406,12 @@ static int on_frame_recv_cb(nghttp2_sess + frame->goaway.error_code, NULL); + } + break; ++ case NGHTTP2_SETTINGS: ++ if (APLOGctrace2(session->c)) { ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, session->c, ++ H2_SSSN_MSG(session, "SETTINGS, len=%ld"), (long)frame->hd.length); ++ } ++ break; + default: + if (APLOGctrace2(session->c)) { + char buffer[256]; +@@ -413,7 +423,40 @@ static int on_frame_recv_cb(nghttp2_sess + } + break; + } +- return (APR_SUCCESS == rv)? 0 : NGHTTP2_ERR_PROTO; ++ ++ if (session->state == H2_SESSION_ST_IDLE) { ++ /* We received a frame, but session is in state IDLE. That means the frame ++ * did not really progress any of the (possibly) open streams. It was a meta ++ * frame, e.g. SETTINGS/WINDOW_UPDATE/unknown/etc. ++ * Remember: IDLE means we cannot send because either there are no streams open or ++ * all open streams are blocked on exhausted WINDOWs for outgoing data. ++ * The more frames we receive that do not change this, the less interested we ++ * become in serving this connection. This is expressed in increasing "idle_delays". ++ * Eventually, the connection will timeout and we'll close it. */ ++ session->idle_frames = H2MIN(session->idle_frames + 1, session->frames_received); ++ ap_log_cerror( APLOG_MARK, APLOG_TRACE2, 0, session->c, ++ H2_SSSN_MSG(session, "session has %ld idle frames"), ++ (long)session->idle_frames); ++ if (session->idle_frames > 10) { ++ apr_size_t busy_frames = H2MAX(session->frames_received - session->idle_frames, 1); ++ int idle_ratio = (int)(session->idle_frames / busy_frames); ++ if (idle_ratio > 100) { ++ session->idle_delay = apr_time_from_msec(H2MIN(1000, idle_ratio)); ++ } ++ else if (idle_ratio > 10) { ++ session->idle_delay = apr_time_from_msec(10); ++ } ++ else if (idle_ratio > 1) { ++ session->idle_delay = apr_time_from_msec(1); ++ } ++ else { ++ session->idle_delay = 0; ++ } ++ } ++ } ++ ++ if (APR_SUCCESS != rv) return NGHTTP2_ERR_PROTO; ++ return 0; + } + + static int h2_session_continue_data(h2_session *session) { +@@ -1600,23 +1643,57 @@ static void update_child_status(h2_sessi + + static void transit(h2_session *session, const char *action, h2_session_state nstate) + { ++ apr_time_t timeout; ++ int ostate, loglvl; ++ const char *s; ++ + if (session->state != nstate) { +- int loglvl = APLOG_DEBUG; +- if ((session->state == H2_SESSION_ST_BUSY && nstate == H2_SESSION_ST_WAIT) +- || (session->state == H2_SESSION_ST_WAIT && nstate == H2_SESSION_ST_BUSY)){ ++ ostate = session->state; ++ session->state = nstate; ++ ++ loglvl = APLOG_DEBUG; ++ if ((ostate == H2_SESSION_ST_BUSY && nstate == H2_SESSION_ST_WAIT) ++ || (ostate == H2_SESSION_ST_WAIT && nstate == H2_SESSION_ST_BUSY)){ + loglvl = APLOG_TRACE1; + } + ap_log_cerror(APLOG_MARK, loglvl, 0, session->c, + H2_SSSN_LOG(APLOGNO(03078), session, + "transit [%s] -- %s --> [%s]"), +- h2_session_state_str(session->state), action, ++ h2_session_state_str(ostate), action, + h2_session_state_str(nstate)); +- session->state = nstate; ++ + switch (session->state) { + case H2_SESSION_ST_IDLE: +- update_child_status(session, (session->open_streams == 0? +- SERVER_BUSY_KEEPALIVE +- : SERVER_BUSY_READ), "idle"); ++ if (!session->remote.emitted_count) { ++ /* on fresh connections, with async mpm, do not return ++ * to mpm for a second. This gives the first request a better ++ * chance to arrive (und connection leaving IDLE state). ++ * If we return to mpm right away, this connection has the ++ * same chance of being cleaned up by the mpm as connections ++ * that already served requests - not fair. */ ++ session->idle_sync_until = apr_time_now() + apr_time_from_sec(1); ++ s = "timeout"; ++ timeout = H2MAX(session->s->timeout, session->s->keep_alive_timeout); ++ update_child_status(session, SERVER_BUSY_READ, "idle"); ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c, ++ H2_SSSN_LOG("", session, "enter idle, timeout = %d sec"), ++ (int)apr_time_sec(H2MAX(session->s->timeout, session->s->keep_alive_timeout))); ++ } ++ else if (session->open_streams) { ++ s = "timeout"; ++ timeout = session->s->keep_alive_timeout; ++ update_child_status(session, SERVER_BUSY_KEEPALIVE, "idle"); ++ } ++ else { ++ /* normal keepalive setup */ ++ s = "keepalive"; ++ timeout = session->s->keep_alive_timeout; ++ update_child_status(session, SERVER_BUSY_KEEPALIVE, "idle"); ++ } ++ session->idle_until = apr_time_now() + timeout; ++ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c, ++ H2_SSSN_LOG("", session, "enter idle, %s = %d sec"), ++ s, (int)apr_time_sec(timeout)); + break; + case H2_SESSION_ST_DONE: + update_child_status(session, SERVER_CLOSING, "done"); +@@ -1723,8 +1800,6 @@ static void h2_session_ev_no_io(h2_sessi + * This means we only wait for WINDOW_UPDATE from the + * client and can block on READ. */ + transit(session, "no io (flow wait)", H2_SESSION_ST_IDLE); +- session->idle_until = apr_time_now() + session->s->timeout; +- session->keep_sync_until = session->idle_until; + /* Make sure we have flushed all previously written output + * so that the client will react. */ + if (h2_conn_io_flush(&session->io) != APR_SUCCESS) { +@@ -1735,12 +1810,7 @@ static void h2_session_ev_no_io(h2_sessi + } + else if (session->local.accepting) { + /* When we have no streams, but accept new, switch to idle */ +- apr_time_t now = apr_time_now(); + transit(session, "no io (keepalive)", H2_SESSION_ST_IDLE); +- session->idle_until = (session->remote.emitted_count? +- session->s->keep_alive_timeout : +- session->s->timeout) + now; +- session->keep_sync_until = now + apr_time_from_sec(1); + } + else { + /* We are no longer accepting new streams and there are +@@ -1755,12 +1825,25 @@ static void h2_session_ev_no_io(h2_sessi + } + } + +-static void h2_session_ev_data_read(h2_session *session, int arg, const char *msg) ++static void h2_session_ev_frame_rcvd(h2_session *session, int arg, const char *msg) ++{ ++ switch (session->state) { ++ case H2_SESSION_ST_IDLE: ++ case H2_SESSION_ST_WAIT: ++ transit(session, "frame received", H2_SESSION_ST_BUSY); ++ break; ++ default: ++ /* nop */ ++ break; ++ } ++} ++ ++static void h2_session_ev_stream_change(h2_session *session, int arg, const char *msg) + { + switch (session->state) { + case H2_SESSION_ST_IDLE: + case H2_SESSION_ST_WAIT: +- transit(session, "data read", H2_SESSION_ST_BUSY); ++ transit(session, "stream change", H2_SESSION_ST_BUSY); + break; + default: + /* nop */ +@@ -1800,16 +1883,6 @@ static void h2_session_ev_pre_close(h2_s + static void ev_stream_open(h2_session *session, h2_stream *stream) + { + h2_iq_append(session->in_process, stream->id); +- switch (session->state) { +- case H2_SESSION_ST_IDLE: +- if (session->open_streams == 1) { +- /* enter timeout, since we have a stream again */ +- session->idle_until = (session->s->timeout + apr_time_now()); +- } +- break; +- default: +- break; +- } + } + + static void ev_stream_closed(h2_session *session, h2_stream *stream) +@@ -1822,11 +1895,6 @@ static void ev_stream_closed(h2_session + } + switch (session->state) { + case H2_SESSION_ST_IDLE: +- if (session->open_streams == 0) { +- /* enter keepalive timeout, since we no longer have streams */ +- session->idle_until = (session->s->keep_alive_timeout +- + apr_time_now()); +- } + break; + default: + break; +@@ -1884,6 +1952,7 @@ static void on_stream_state_enter(void * + default: + break; + } ++ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, "stream state change"); + } + + static void on_stream_event(void *ctx, h2_stream *stream, +@@ -1942,8 +2011,8 @@ static void dispatch_event(h2_session *s + case H2_SESSION_EV_NO_IO: + h2_session_ev_no_io(session, arg, msg); + break; +- case H2_SESSION_EV_DATA_READ: +- h2_session_ev_data_read(session, arg, msg); ++ case H2_SESSION_EV_FRAME_RCVD: ++ h2_session_ev_frame_rcvd(session, arg, msg); + break; + case H2_SESSION_EV_NGH2_DONE: + h2_session_ev_ngh2_done(session, arg, msg); +@@ -1954,6 +2023,9 @@ static void dispatch_event(h2_session *s + case H2_SESSION_EV_PRE_CLOSE: + h2_session_ev_pre_close(session, arg, msg); + break; ++ case H2_SESSION_EV_STREAM_CHANGE: ++ h2_session_ev_stream_change(session, arg, msg); ++ break; + default: + ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, session->c, + H2_SSSN_MSG(session, "unknown event %d"), ev); +@@ -1987,13 +2059,15 @@ apr_status_t h2_session_process(h2_sessi + apr_status_t status = APR_SUCCESS; + conn_rec *c = session->c; + int rv, mpm_state, trace = APLOGctrace3(c); +- ++ apr_time_t now; ++ + if (trace) { + ap_log_cerror( APLOG_MARK, APLOG_TRACE3, status, c, + H2_SSSN_MSG(session, "process start, async=%d"), async); + } + + while (session->state != H2_SESSION_ST_DONE) { ++ now = apr_time_now(); + session->have_read = session->have_written = 0; + + if (session->local.accepting +@@ -2031,39 +2105,42 @@ apr_status_t h2_session_process(h2_sessi + break; + + case H2_SESSION_ST_IDLE: +- /* We trust our connection into the default timeout/keepalive +- * handling of the core filters/mpm iff: +- * - keep_sync_until is not set +- * - we have an async mpm +- * - we have no open streams to process +- * - we are not sitting on a Upgrade: request +- * - we already have seen at least one request +- */ +- if (!session->keep_sync_until && async && !session->open_streams +- && !session->r && session->remote.emitted_count) { ++ if (session->idle_until && (apr_time_now() + session->idle_delay) > session->idle_until) { ++ ap_log_cerror( APLOG_MARK, APLOG_TRACE1, status, c, ++ H2_SSSN_MSG(session, "idle, timeout reached, closing")); ++ if (session->idle_delay) { ++ apr_table_setn(session->c->notes, "short-lingering-close", "1"); ++ } ++ dispatch_event(session, H2_SESSION_EV_CONN_TIMEOUT, 0, "timeout"); ++ goto out; ++ } ++ ++ if (session->idle_delay) { ++ /* we are less interested in spending time on this connection */ ++ ap_log_cerror( APLOG_MARK, APLOG_TRACE2, status, c, ++ H2_SSSN_MSG(session, "session is idle (%ld ms), idle wait %ld sec left"), ++ (long)apr_time_as_msec(session->idle_delay), ++ (long)apr_time_sec(session->idle_until - now)); ++ apr_sleep(session->idle_delay); ++ session->idle_delay = 0; ++ } ++ ++ h2_conn_io_flush(&session->io); ++ if (async && !session->r && (now > session->idle_sync_until)) { + if (trace) { + ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c, + H2_SSSN_MSG(session, + "nonblock read, %d streams open"), + session->open_streams); + } +- h2_conn_io_flush(&session->io); + status = h2_session_read(session, 0); + + if (status == APR_SUCCESS) { + session->have_read = 1; +- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); + } +- else if (APR_STATUS_IS_EAGAIN(status) +- || APR_STATUS_IS_TIMEUP(status)) { +- if (apr_time_now() > session->idle_until) { +- dispatch_event(session, +- H2_SESSION_EV_CONN_TIMEOUT, 0, NULL); +- } +- else { +- status = APR_EAGAIN; +- goto out; +- } ++ else if (APR_STATUS_IS_EAGAIN(status) || APR_STATUS_IS_TIMEUP(status)) { ++ status = APR_EAGAIN; ++ goto out; + } + else { + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c, +@@ -2075,7 +2152,6 @@ apr_status_t h2_session_process(h2_sessi + } + else { + /* make certain, we send everything before we idle */ +- h2_conn_io_flush(&session->io); + if (trace) { + ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c, + H2_SSSN_MSG(session, +@@ -2087,7 +2163,6 @@ apr_status_t h2_session_process(h2_sessi + */ + status = h2_mplx_idle(session->mplx); + if (status == APR_EAGAIN) { +- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); + break; + } + else if (status != APR_SUCCESS) { +@@ -2098,33 +2173,11 @@ apr_status_t h2_session_process(h2_sessi + status = h2_session_read(session, 1); + if (status == APR_SUCCESS) { + session->have_read = 1; +- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); + } + else if (status == APR_EAGAIN) { + /* nothing to read */ + } + else if (APR_STATUS_IS_TIMEUP(status)) { +- apr_time_t now = apr_time_now(); +- if (now > session->keep_sync_until) { +- /* if we are on an async mpm, now is the time that +- * we may dare to pass control to it. */ +- session->keep_sync_until = 0; +- } +- if (now > session->idle_until) { +- if (trace) { +- ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c, +- H2_SSSN_MSG(session, +- "keepalive timeout")); +- } +- dispatch_event(session, +- H2_SESSION_EV_CONN_TIMEOUT, 0, "timeout"); +- } +- else if (trace) { +- ap_log_cerror(APLOG_MARK, APLOG_TRACE3, status, c, +- H2_SSSN_MSG(session, +- "keepalive, %f sec left"), +- (session->idle_until - now) / 1000000.0f); +- } + /* continue reading handling */ + } + else if (APR_STATUS_IS_ECONNABORTED(status) +@@ -2142,6 +2195,18 @@ apr_status_t h2_session_process(h2_sessi + dispatch_event(session, H2_SESSION_EV_CONN_ERROR, 0, "error"); + } + } ++ if (nghttp2_session_want_write(session->ngh2)) { ++ ap_update_child_status(session->c->sbh, SERVER_BUSY_WRITE, NULL); ++ status = h2_session_send(session); ++ if (status == APR_SUCCESS) { ++ status = h2_conn_io_flush(&session->io); ++ } ++ if (status != APR_SUCCESS) { ++ dispatch_event(session, H2_SESSION_EV_CONN_ERROR, ++ H2_ERR_INTERNAL_ERROR, "writing"); ++ break; ++ } ++ } + break; + + case H2_SESSION_ST_BUSY: +@@ -2151,7 +2216,6 @@ apr_status_t h2_session_process(h2_sessi + status = h2_session_read(session, 0); + if (status == APR_SUCCESS) { + session->have_read = 1; +- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); + } + else if (status == APR_EAGAIN) { + /* nothing to read */ +@@ -2215,7 +2279,7 @@ apr_status_t h2_session_process(h2_sessi + session->iowait); + if (status == APR_SUCCESS) { + session->wait_us = 0; +- dispatch_event(session, H2_SESSION_EV_DATA_READ, 0, NULL); ++ dispatch_event(session, H2_SESSION_EV_STREAM_CHANGE, 0, NULL); + } + else if (APR_STATUS_IS_TIMEUP(status)) { + /* go back to checking all inputs again */ +--- apache2.orig/modules/http2/h2_session.h ++++ apache2/modules/http2/h2_session.h +@@ -66,10 +66,11 @@ typedef enum { + H2_SESSION_EV_PROTO_ERROR, /* protocol error */ + H2_SESSION_EV_CONN_TIMEOUT, /* connection timeout */ + H2_SESSION_EV_NO_IO, /* nothing has been read or written */ +- H2_SESSION_EV_DATA_READ, /* connection data has been read */ ++ H2_SESSION_EV_FRAME_RCVD, /* a frame has been received */ + H2_SESSION_EV_NGH2_DONE, /* nghttp2 wants neither read nor write anything */ + H2_SESSION_EV_MPM_STOPPING, /* the process is stopping */ + H2_SESSION_EV_PRE_CLOSE, /* connection will close after this */ ++ H2_SESSION_EV_STREAM_CHANGE, /* a stream (state/input/output) changed */ + } h2_session_event_t; + + typedef struct h2_session { +@@ -118,7 +119,9 @@ typedef struct h2_session { + apr_size_t max_stream_mem; /* max buffer memory for a single stream */ + + apr_time_t idle_until; /* Time we shut down due to sheer boredom */ +- apr_time_t keep_sync_until; /* Time we sync wait until passing to async mpm */ ++ apr_time_t idle_sync_until; /* Time we sync wait until keepalive handling kicks in */ ++ apr_size_t idle_frames; /* number of rcvd frames that kept session in idle state */ ++ apr_interval_time_t idle_delay; /* Time we delay processing rcvd frames in idle state */ + + apr_bucket_brigade *bbtmp; /* brigade for keeping temporary data */ + struct apr_thread_cond_t *iowait; /* our cond when trywaiting for data */ diff -Nru apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff --- apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff 1970-01-01 01:00:00.000000000 +0100 +++ apache2-2.4.25/debian/patches/CVE-2018-1333-mod_http2_DoS.diff 2018-11-03 19:06:06.000000000 +0100 @@ -0,0 +1,29 @@ +# https://svn.apache.org/viewvc?view=revision&revision=1832487 +# CVE-2018-1333 +--- apache2.orig/modules/http2/h2_bucket_beam.c ++++ apache2/modules/http2/h2_bucket_beam.c +@@ -550,6 +550,7 @@ static void recv_buffer_cleanup(h2_bucke + apr_brigade_destroy(bb); + if (bl) enter_yellow(beam, bl); + ++ apr_thread_cond_broadcast(beam->change); + if (beam->cons_ev_cb) { + beam->cons_ev_cb(beam->cons_ctx, beam); + } +@@ -707,12 +708,10 @@ void h2_beam_abort(h2_bucket_beam *beam) + h2_beam_lock bl; + + if (beam && enter_yellow(beam, &bl) == APR_SUCCESS) { +- if (!beam->aborted) { +- beam->aborted = 1; +- r_purge_sent(beam); +- h2_blist_cleanup(&beam->send_list); +- report_consumption(beam, &bl); +- } ++ beam->aborted = 1; ++ r_purge_sent(beam); ++ h2_blist_cleanup(&beam->send_list); ++ report_consumption(beam, &bl); + apr_thread_cond_broadcast(beam->change); + leave_yellow(beam, &bl); + } diff -Nru apache2-2.4.25/debian/patches/fcgi_crash.diff apache2-2.4.25/debian/patches/fcgi_crash.diff --- apache2-2.4.25/debian/patches/fcgi_crash.diff 1970-01-01 01:00:00.000000000 +0100 +++ apache2-2.4.25/debian/patches/fcgi_crash.diff 2018-11-03 15:29:50.000000000 +0100 @@ -0,0 +1,37 @@ +# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902906 +# https://bz.apache.org/bugzilla/show_bug.cgi?id=60275 +# https://svn.apache.org/r1778050 +--- apache2.orig/server/util_fcgi.c ++++ apache2/server/util_fcgi.c +@@ -153,7 +153,7 @@ AP_DECLARE(apr_size_t) ap_fcgi_encoded_e + + envlen += keylen; + +- vallen = strlen(elts[i].val); ++ vallen = elts[i].val ? strlen(elts[i].val) : 0; + + if (vallen >> 7 == 0) { + envlen += 1; +@@ -226,7 +226,7 @@ AP_DECLARE(apr_status_t) ap_fcgi_encode_ + buflen -= 4; + } + +- vallen = strlen(elts[i].val); ++ vallen = elts[i].val ? strlen(elts[i].val) : 0; + + if (vallen >> 7 == 0) { + if (buflen < 1) { +@@ -262,8 +262,11 @@ AP_DECLARE(apr_status_t) ap_fcgi_encode_ + rv = APR_ENOSPC; /* overflow */ + break; + } +- memcpy(itr, elts[i].val, vallen); +- itr += vallen; ++ ++ if (elts[i].val) { ++ memcpy(itr, elts[i].val, vallen); ++ itr += vallen; ++ } + + if (buflen == vallen) { + (*starting_elem)++; diff -Nru apache2-2.4.25/debian/patches/series apache2-2.4.25/debian/patches/series --- apache2-2.4.25/debian/patches/series 2018-06-02 09:48:33.000000000 +0200 +++ apache2-2.4.25/debian/patches/series 2018-11-03 19:42:40.000000000 +0100 @@ -27,3 +27,6 @@ mod_http2-upgrade-to-2.4.33.diff mod_http2-revert-new-proxy-features.diff mod_http2_mem_usage_32bit.diff +fcgi_crash.diff +CVE-2018-1333-mod_http2_DoS.diff +CVE-2018-11763-mod_http2_DoS-SETTINGS.diff
