- update to 2.4.25

PR:		215457
Reported by:	Apache Software Foundation
MFH:		2016Q4
Security:	vid 862d6ab3-c75e-11e6-9f98-20cf30e32f6d
		CVE-2016-8743
		CVE-2016-2161
		CVE-2016-0736
		CVE-2016-8740
		CVE-2016-5387
Olli Hauer 2016-12-21 10:41:09 +00:00
parent 917e858cb3
commit c97507e018
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=429063
4 changed files with 4 additions and 184 deletions

@ -1,8 +1,7 @@
# $FreeBSD$ # $FreeBSD$
PORTNAME= apache24 PORTNAME= apache24
PORTVERSION= 2.4.23 PORTVERSION= 2.4.25
PORTREVISION= 3
CATEGORIES= www ipv6 CATEGORIES= www ipv6
MASTER_SITES= APACHE_HTTPD MASTER_SITES= APACHE_HTTPD
DISTNAME= httpd-${PORTVERSION} DISTNAME= httpd-${PORTVERSION}
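Review bot: Dropping PORTREVISION= 3 is right because the PORTVERSION bump to 2.4.25 resets it, but the same commit deletes the two local patches under files/ (the CVE-2016-8740 mod_http2 fix and the CVE-2016-5387 httpoxy fix), so the Security: list in the commit message only holds if the 2.4.25 tarball itself carries both fixes; the deleted advisory copies only promise inclusion "in the next release", so the CHANGES file shipped in httpd-2.4.25 should be checked for both CVE entries before the MFH to 2016Q4. Note also that the side-by-side rendering has folded the old and new line onto one line each; the actual change is PORTVERSION 2.4.23 to 2.4.25 plus the removal of the PORTREVISION line.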

@ -1,3 +1,3 @@
TIMESTAMP = 1467307196 TIMESTAMP = 1482168542
SHA256 (apache24/httpd-2.4.23.tar.bz2) = 0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58 SHA256 (apache24/httpd-2.4.25.tar.bz2) = f87ec2df1c9fee3e6bfde3c8b855a3ddb7ca1ab20ca877bd0e2b6bf3f05c80b2
SIZE (apache24/httpd-2.4.23.tar.bz2) = 6351875 SIZE (apache24/httpd-2.4.25.tar.bz2) = 6398218
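Review bot: The new SHA256 and SIZE for httpd-2.4.25.tar.bz2 should be confirmed against the checksum and PGP signature (httpd-2.4.25.tar.bz2.asc, verified against the ASF KEYS file) published by the project rather than only against what the mirror returned when the sum was regenerated, because MASTER_SITES= APACHE_HTTPD fetches from mirrors and distinfo is the only integrity anchor the port has for the distfile. The TIMESTAMP change records when the sum was taken; it says nothing about where the bytes came from.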

@ -1,116 +0,0 @@
Security Advisory - Apache Software Foundation
Apache HTTPD WebServer / httpd.apache.org
Server memory can be exhausted and service denied when HTTP/2 is used
CVE-2016-8740
The Apache HTTPD web server (from 2.4.17-2.4.23) did not apply limitations
on request headers correctly when experimental module for the HTTP/2
protocol is used to access a resource.
The net result is that a the server allocates too much memory instead of denying
the request. This can lead to memory exhaustion of the server by a properly
crafted request.
Background:
- -----------
Apache has limits on the number and length of request header fields. which
limits the amount of memory a client can allocate on the server for a request.
Version 2.4.17 of the Apache HTTP Server introduced an experimental feature:
mod_http2 for the HTTP/2 protocol (RFC7540, previous versions were known as
Google SPDY).
This module is NOT compiled in by default -and- is not enabled by default,
although some distribution may have chosen to do so.
It is generally needs to be enabled in the 'Protocols' line in httpd by
adding 'h2' and/or 'h2c' to the 'http/1.1' only default.
The default distributions of the Apache Software Foundation do not include
this experimental feature.
Details:
- --------
- From version 2.4.17, upto and including version 2.4.23 the server failed
to take the limitations on request memory use into account when providing
access to a resource over HTTP/2. This issue has been fixed
in version 2.4.23 (r1772576).
As a result - with a request using the HTTP/2 protocol a specially crafted
request can allocate memory on the server until it reaches its limit. This can
lead to denial of service for all requests against the server.
Impact:
- -------
This can lead to denial of service for all server resources.
Versions affected:
- ------------------
All versions from 2.4.17 to 2.4.23.
Resolution:
- -----------
For a 2.4.23 version a patch is supplied. This will be included in the
next release.
Mitigations and work arounds:
- -----------------------------
As a temporary workaround - HTTP/2 can be disabled by changing
the configuration by removing h2 and h2c from the Protocols
line(s) in the configuration file.
The resulting line should read:
Protocols http/1.1
Credits and timeline
- --------------------
The flaw was found and reported by Naveen Tiwari <naveen.tiwari@asu.edu>
and CDF/SEFCOM at Arizona State University on 2016-11-22. The issue was
resolved by Stefan Eissing and incorporated in the Apache repository,
ready for inclusion in the next release.
Apache would like to thank all involved for their help with this.
Index: modules/http2/h2_stream.c
===================================================================
--- modules/http2/h2_stream.c (revision 1771866)
+++ modules/http2/h2_stream.c (working copy)
@@ -322,18 +322,18 @@
HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE);
}
}
- }
-
- if (h2_stream_is_scheduled(stream)) {
- return h2_request_add_trailer(stream->request, stream->pool,
- name, nlen, value, vlen);
- }
- else {
- if (!input_open(stream)) {
- return APR_ECONNRESET;
+
+ if (h2_stream_is_scheduled(stream)) {
+ return h2_request_add_trailer(stream->request, stream->pool,
+ name, nlen, value, vlen);
}
- return h2_request_add_header(stream->request, stream->pool,
- name, nlen, value, vlen);
+ else {
+ if (!input_open(stream)) {
+ return APR_ECONNRESET;
+ }
+ return h2_request_add_header(stream->request, stream->pool,
+ name, nlen, value, vlen);
+ }
}
}
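Review bot: Deleting this local patch is only safe if 2.4.25 carries r1772576, and the advisory text being removed is internally inconsistent on that point: "Details" says the issue "has been fixed in version 2.4.23 (r1772576)" while "Versions affected" lists 2.4.17 through 2.4.23 and "Resolution" says the fix goes into "the next release"; 2.4.25 is the release that shipped it, so the deletion is consistent with the Makefile bump. On the h2_stream.c hunk itself, the rendering has stripped indentation, but the brace movement is visible: the removed `}` that preceded the old `if (h2_stream_is_scheduled(stream)) {` and the added `}` after the new `else` branch mean h2_request_add_trailer()/h2_request_add_header() now run inside the block that ends with the HTTP_REQUEST_HEADER_FIELDS_TOO_LARGE check instead of after it, which is the whole fix; which condition guards that outer block cannot be confirmed from this view. The `- -----` lines are PGP clearsign dash-escaping left over from the signed advisory and are harmless in a patch file, since patch(1) only keys on the Index:/---/+++ lines.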

@ -1,63 +0,0 @@
https://www.apache.org/security/asf-httpoxy-response.txt
Apache HTTP Server may be configured to proxy HTTP requests as a forward
or reverse (gateway) proxy server, can proxy requests to a FastCGI service
using mod_proxy_fcgi, can directly serve CGI applications using mod_cgi
or mod_cgid or the related mod_isapi service. The project's mod_fcgid
subproject (available as a separate add-in module) directly manages CGI
scripts using the FastCGI protocol.
It may also be configured to directly host a number of external modules
which run CGI-style applications in-process. The server itself does not
modify the CGI environment in this case, however, these external modules
may perform such modifications of their environment variables in-process.
Such examples include mod_php, mod_perl and mod_wsgi.
To mitigate "httpoxy" issues across all of the above mechanisms, the most
direct solution is to drop any "Proxy:" header arriving from an upstream
proxy server or the origin user-agent. this will mitigate the issue for any
vulnerable back-end server or CGI across all traffic through this server.
The two lines below enabled in the httpd.conf file will remove the "Proxy:"
header from all incoming requests, before further processing;
LoadModule headers_module {path-to}/mod_headers.so
RequestHeader unset Proxy early
(Users who have mod_headers compiled-in to the httpd binary must omit
the LoadModule directive above, others must adjust the {path-to} to point
to the mod_headers.so file.)
If the administrator wishes to preserve the value of the "Proxy:" header
for most traffic, and only eliminate it from the CGI environment variable
HTTP_PROXY, a second mitigation is offered. This patch will address this
behavior in mod_cgi, mod_cgid, mod_isapi, mod_proxy_fcgi and mod_fcgid,
along with all other consumers of httpd's built-in environment handling.
The bundled httpd modules all rely on ap_add_common_vars() to set up the
target CGI environment. The project will include the recommended patch
below in all subsequent releases of httpd, including 2.4.24 and 2.2.32.
Users who build httpd 2.2.x or 2.4.x from source may apply the patch below,
recompile and re-install httpd to obtain this mitigation. This migitation
has been assigned the identifier CVE-2016-5387 <http://cve.mitre.org>.
======= Patch to httpd sources 2.4.x and 2.2.x =======
--- server/util_script.c (revision 1752426)
+++ server/util_script.c (working copy)
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
else if (!strcasecmp(hdrs[i].key, "Content-length")) {
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
}
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
/*
* You really don't want to disable this check, since it leaves you
* wide open to CGIs stealing passwords and people viewing them
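Review bot: This hunk is cut off in the page (the `@@ -186,6 +186,14 @@` header implies trailing context beyond the "You really don't want to disable this check" comment shown, and the file's 63 deleted lines are not all present), so the deletion has to be judged from the part that is visible: dropping the patch is correct if 2.4.25 contains the ap_add_common_vars() change that skips the "Proxy" header; the text promises it for "2.4.24 and 2.2.32", and 2.4.24 was never released, so 2.4.25 is the release that carries it. Two points worth keeping in mind for the port's own configuration: the `#ifndef SECURITY_HOLE_PASS_PROXY` guard means any build that defines that macro reopens CVE-2016-5387, and the patch only covers modules that go through ap_add_common_vars(), so the `RequestHeader unset Proxy early` mitigation from the top of the file remains the right answer for in-process modules such as mod_php, mod_perl and mod_wsgi that build their own environment.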