authorNatanael Copa <ncopa@alpinelinux.org>2016-07-20 13:05:13 +0000
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2016-07-25 16:01:20 +0300
commitfb231f9f106b55bd799d863c5e761f1c0843bd4d (patch)
tree52d208578c6ea2306361a634400eef7da4edd37f
parent1e156e7db5e2080b5c8a520723658b03135a744d (diff)
main/apache2: security fix for CVE-2016-5387
fixes #5938
-rw-r--r--main/apache2/APKBUILD12
-rw-r--r--main/apache2/CVE-2016-5387.patch17
2 files changed, 25 insertions, 4 deletions
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index b7ae8fb32a4..0b56d0bdb3a 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=apache2
pkgver=2.4.16
-pkgrel=0
+pkgrel=1
pkgdesc="A high performance Unix-based HTTP server"
url="http://httpd.apache.org/"
arch="all"
@@ -28,6 +28,7 @@ source="http://archive.apache.org/dist/httpd/httpd-$pkgver.tar.bz2
proxy.conf
lua.conf
alpine.layout
+ CVE-2016-5387.patch
"
options="suid"
@@ -230,7 +231,8 @@ b70fe826486043e3953cfe21f9e6fa16 ldap.conf
fe26a0a70f572eb256a3c6c183a62223 proxy-html.conf
96eddccfca1ec0349f844e2460cf655b proxy.conf
449a4aea60473ac4a16f025fca4463e3 lua.conf
-c66ff5f70260d5266e6803a59b39bd7f alpine.layout"
+c66ff5f70260d5266e6803a59b39bd7f alpine.layout
+61489c5f174756e63bae95c5d85d0e46 CVE-2016-5387.patch"
sha256sums="ac660b47aaa7887779a6430404dcb40c0b04f90ea69e7bd49a40552e9ff13743 httpd-2.4.16.tar.bz2
8b0ce62fc4e7cea3801744969d0b2390e28e4d11dd533816eb91e9d7af225500 apache2.confd
dabf43e11c941125c771d2f4f5dadd1038906420716b747dfc8f5a946a0bdad5 apache2.logrotate
@@ -241,7 +243,8 @@ dabf43e11c941125c771d2f4f5dadd1038906420716b747dfc8f5a946a0bdad5 apache2.logrot
2511d6ea64c0f253b219670c445ed4f403f94caba5fb05e0b9600f0d107e1dda proxy-html.conf
00c42b7806eaa73e732be9d9e92c3e841b20c6d91a9920be47f19db8aee3513e proxy.conf
edf701795137566c7cf4b9c0c95ecd5f8c58269f5600217a0a4d289d2bf15384 lua.conf
-cf0033a245d1d7752539613b6c92beaea9c0a755e7a877c8d41a2d4fd0f3eb22 alpine.layout"
+cf0033a245d1d7752539613b6c92beaea9c0a755e7a877c8d41a2d4fd0f3eb22 alpine.layout
+c38bf5061a7c8d2da010db57ecf36a8c29739d34a04f55c66405a2e9fc319cd8 CVE-2016-5387.patch"
sha512sums="039750ff962c08a7261896acc8272e59874d066f7d52721aaf967ddb737fc5716acc47e1effaf7c4d156ba61bc393e0738f64f8e89cc277ba2651e0f61d56628 httpd-2.4.16.tar.bz2
e0a0b87889eff01e8a1ee21853d26c0307ceb87428727e60819d29644d8e54e9bfc08c197924567bed26befc904f8384af19516aea849f3cd6859d76b175b742 apache2.confd
566a8c469ef148dfbb9449e91d6fb93baf85d06a31a52c283a7e402aef7bfa8b46c34ebed91c76b3e5a2cc606660145e8fc63fa41bdb22574c7efc4fc4d993e5 apache2.logrotate
@@ -252,4 +255,5 @@ fbdc28ea4b94af91640794945ac4e1f45e4200e54d5bdf64c0c03fc8bdb589e444cc4f7dd0b70b69
263149f4a0b515e3b6d162ff282ffa90f8a448c10eb7185aec0caf75af7691b5486fa74ebe4fd46ae0ccdcf226a227705b4be4c23ed12b6d0c0aedd94a348810 proxy-html.conf
aabbe171219f15efe47f8e972fc1a43f98b48977aae91b597b65bb447027992bf81757bde68b26a67e5e3b9f2e748d94b3c85d5c07433627b6048d60a51d400b proxy.conf
f2950005ac0d8c7a5e34958f1274c9ed0f5f634a5bc766e12834917937df9db901c5fc2460da70e1a62f17440d4719163cd4213496dbf579c80a789b8e18f65c lua.conf
-30faedf3683e1600d9505dc593b0193359eed7e3d925da772ba795b1354171821233072293105d0da41376b2561823fa48c2406f07276648a87b858dcf323c5e alpine.layout"
+30faedf3683e1600d9505dc593b0193359eed7e3d925da772ba795b1354171821233072293105d0da41376b2561823fa48c2406f07276648a87b858dcf323c5e alpine.layout
+ebfcac5e4bc12a64d4d7e723d362cfc4912a6369ddd265a06dee95af1d5dbf8dd4bfe87ce227661afb386e19dc738e475e11aebd0ddcb5f827c14fe7c66d998c CVE-2016-5387.patch"
diff --git a/main/apache2/CVE-2016-5387.patch b/main/apache2/CVE-2016-5387.patch
new file mode 100644
index 00000000000..494afef17c3
--- /dev/null
+++ b/main/apache2/CVE-2016-5387.patch
@@ -0,0 +1,17 @@
+--- a/server/util_script.c (revision 1752426)
++++ b/server/util_script.c (working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
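Review bot: The new patch file carries no provenance header, so the only hint of where this hunk came from is the `(revision 1752426)` marker on the `---` line, which the next person rebasing apache2 will have to decode by hand. A free-text line above the first `---` is ignored by patch(1), so add one such as `Backport of upstream httpd r1752426 (the fix shipped in 2.4.23): drop the client-supplied "Proxy" request header before ap_add_common_vars exports it as HTTP_PROXY to CGI/FastCGI/SCGI children (CVE-2016-5387, "httpoxy").` The mitigation is wrapped in `#ifndef SECURITY_HOLE_PASS_PROXY`, so it is only effective as long as nothing in the build defines that macro; the APKBUILD's build() section is not part of this diff, and it is worth confirming that CFLAGS does not set it. The enclosing `ap_add_common_vars` starts and ends outside the hunk, and the fix relies on this `else if` being reached before the generic `HTTP_*` export branch that presumably follows further down, which this excerpt cannot show.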