Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: pu
CVE-2013-1862 is a low impact security bug. It should be fixed via pu. Apache maintainers: Do you want to handle this yourself? Bastian diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog --- apache2-2.2.22/debian/changelog 2013-03-04 22:21:05.000000000 +0100 +++ apache2-2.2.22/debian/changelog 2014-01-07 10:57:50.000000000 +0100 @@ -1,3 +1,11 @@ +apache2 (2.2.22-13.1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * Properly escape data written to rewrite log. + CVE-2013-1862 + + -- Bastian Blank <bastian.bl...@credativ.de> Tue, 07 Jan 2014 09:57:36 +0000 + apache2 (2.2.22-13) unstable; urgency=medium [ Stefan Fritsch ] diff -Nru apache2-2.2.22/debian/patches/CVE-2013-1862.patch apache2-2.2.22/debian/patches/CVE-2013-1862.patch --- apache2-2.2.22/debian/patches/CVE-2013-1862.patch 1970-01-01 01:00:00.000000000 +0100 +++ apache2-2.2.22/debian/patches/CVE-2013-1862.patch 2014-01-07 10:56:59.000000000 +0100 @@ -0,0 +1,33 @@ +Description: + mod_rewrite: Ensure that client data written to the RewriteLog is + escaped to prevent terminal escape sequences from entering the + log file. [Joe Orton] +Origin: http://people.apache.org/~jorton/mod_rewrite-CVE-2013-1862.patch +Id: CVE-2013-1862 +--- a(/odules/mappers/mod_rewrite.c (revision 1469310) ++++ b/modules/mappers/mod_rewrite.c (working copy) +@@ -500,11 +500,11 @@ + + logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] " + "(%d) %s%s%s%s" APR_EOL_STR, +- rhost ? rhost : "UNKNOWN-HOST", +- rname ? rname : "-", +- r->user ? (*r->user ? r->user : "\"\"") : "-", ++ rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST", ++ rname ? ap_escape_logitem(r->pool, rname) : "-", ++ r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-", + current_logtime(r), +- ap_get_server_name(r), ++ ap_escape_logitem(r->pool, ap_get_server_name(r)), + (void *)(r->server), + (void *)r, + r->main ? "subreq" : "initial", +@@ -514,7 +514,7 @@ + perdir ? "[perdir " : "", + perdir ? perdir : "", + perdir ? "] ": "", +- text); ++ ap_escape_logitem(r->pool, text)); + + nbytes = strlen(logline); + apr_file_write(conf->rewritelogfp, logline, &nbytes); diff -Nru apache2-2.2.22/debian/patches/series apache2-2.2.22/debian/patches/series --- apache2-2.2.22/debian/patches/series 2013-03-04 22:00:37.000000000 +0100 +++ apache2-2.2.22/debian/patches/series 2014-01-07 10:57:11.000000000 +0100 @@ -35,3 +35,4 @@ disable-ssl-compression.patch CVE-2012-3499_CVE-2012-4558_XSS.patch mod_log_forensic_693292.patch +CVE-2013-1862.patch -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-release-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140107102125.7302.75499.report...@lacehammer.credativ.lan
