author | Natanael Copa <ncopa@alpinelinux.org> | 2016-07-20 13:05:13 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-07-20 13:05:48 +0000 |
commit | 23afbfbed72efa68c1ea62b837270f16535a1c33 (patch) | |
tree | a471199ea860c6f5fb7d6027d834643e955e00d0 | |
parent | 685ffe83039b198cd8f173421c6be85aedcb07f6 (diff) | |
main/apache2: security fix for CVE-2016-5387
fixes #5925
-rw-r--r-- | main/apache2/APKBUILD | 12 | ||||
-rw-r--r-- | main/apache2/CVE-2016-5387.patch | 17 |
2 files changed, 25 insertions, 4 deletions
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index 235b4d3f8f..126e361e14 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=apache2
 _pkgreal=httpd
 pkgver=2.4.23
-pkgrel=0
+pkgrel=1
 pkgdesc="A high performance Unix-based HTTP server"
 url="http://httpd.apache.org/"
 arch="all"
@@ -47,6 +47,7 @@ source="http://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
 conf/0012-httpd.conf-MIMEMagicFile.patch
 conf/0013-httpd-.conf-IfModule.patch
 conf/0014-httpd-.conf-LoadModule.patch
+ CVE-2016-5387.patch
 "
 
 options="suid"
@@ -295,7 +296,8 @@ b70fe826486043e3953cfe21f9e6fa16 ldap.conf
 aa73ec65c4c67819f297e48da8d3fb8e 0011-httpd.conf-IncludeOptional.patch
 605536ff208f88ea97331b6b5d03278f 0012-httpd.conf-MIMEMagicFile.patch
 78f648c86a895107a9381374d5497f51 0013-httpd-.conf-IfModule.patch
-3c873b99a197a7fa1792bc7fa5b05233 0014-httpd-.conf-LoadModule.patch"
+3c873b99a197a7fa1792bc7fa5b05233 0014-httpd-.conf-LoadModule.patch
+61489c5f174756e63bae95c5d85d0e46 CVE-2016-5387.patch"
 sha256sums="0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58 httpd-2.4.23.tar.bz2
 6ca904ad65c1a4122d8ea4a3303ea8184429a4a4d7fb81defc30f3e184258c0a apache2.confd
 8e2a8870d51796cf04cc7d8985c43e36afe9ae79e2d6765050a0e72c0de8dce7 apache2.logrotate
@@ -317,7 +319,8 @@ f22abd948065649d9972be320a1feb855b5807ca9f45af3ad354b9560cb257d1 0010-httpd-ssl
 9ecd79e4a084d876c56000ccc2fa88463fb57617b575fe4f8104c099715c691b 0011-httpd.conf-IncludeOptional.patch
 5bad32417abc9fdf3e430aabd1ac8d13d90304911d6bd76515896df0aaa3e8d7 0012-httpd.conf-MIMEMagicFile.patch
 9603bf79c7eab05e635ee7c9b2ecc67c49146f955b59852a88f2c618bd489a78 0013-httpd-.conf-IfModule.patch
-34d0202635660c961ee5186a4950e2af714b27bbd4aef23901c1f05a5e6c6fcd 0014-httpd-.conf-LoadModule.patch"
+34d0202635660c961ee5186a4950e2af714b27bbd4aef23901c1f05a5e6c6fcd 0014-httpd-.conf-LoadModule.patch
+c38bf5061a7c8d2da010db57ecf36a8c29739d34a04f55c66405a2e9fc319cd8 CVE-2016-5387.patch"
 sha512sums="c520de5be748c0a785ef0dc77102749eb4f47e224968b8d4bed2ae644faa0964623a0e960b64486a0888446790d050b52a6ae34fe61717fab95b37384b4825b1 httpd-2.4.23.tar.bz2
 8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
 18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
@@ -339,4 +342,5 @@ e151a8ebb23b1a3a92ea9a8b83b6bf64c950ec8ded8d514df8f16f074c5f712de7c44cb42190ca15
 fc3352b50bee11e7560594398948a1af0279d339e891915e38766c9c0f930cc01f207e438afe9a43329b6d23fe438939666309e8ad77938dbe8dc784aaae4113 0011-httpd.conf-IncludeOptional.patch
 da3a99ccf54c8d4adc633cceb3e520e48b47e868e8f1be33c81027ce3173401c8b9b79af4f75c73c94f77a50452219a4d23774b03a74f6271a677ec271396ada 0012-httpd.conf-MIMEMagicFile.patch
 564866cadebd957eb9b23624286deb8cadb0ebeda0e3e80ec2cd8912731c8273f5ef5fa9f2d8295accb304da40c850772a854eb0c76c3aa08bb93b059c730882 0013-httpd-.conf-IfModule.patch
-3742b8ed06cfd081a02c171b5ddf42652d2848fd520e0ff1a4799fce90300e70ab8edbbecc7111a1083133077a57703a631879143777565e6918099a873d4aa0 0014-httpd-.conf-LoadModule.patch"
+3742b8ed06cfd081a02c171b5ddf42652d2848fd520e0ff1a4799fce90300e70ab8edbbecc7111a1083133077a57703a631879143777565e6918099a873d4aa0 0014-httpd-.conf-LoadModule.patch
+ebfcac5e4bc12a64d4d7e723d362cfc4912a6369ddd265a06dee95af1d5dbf8dd4bfe87ce227661afb386e19dc738e475e11aebd0ddcb5f827c14fe7c66d998c CVE-2016-5387.patch"
diff --git a/main/apache2/CVE-2016-5387.patch b/main/apache2/CVE-2016-5387.patch
new file mode 100644
index 0000000000..494afef17c
--- /dev/null
+++ b/main/apache2/CVE-2016-5387.patch
@@ -0,0 +1,17 @@
+--- a/server/util_script.c (revision 1752426)
++++ b/server/util_script.c (working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
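Review bot: The new CVE-2016-5387.patch records its origin only as the bare `(revision 1752426)` / `(working copy)` header, so a maintainer rebasing the package to a later httpd release has nothing in the tree saying which upstream change it backports or when it can be dropped; a one-line provenance comment next to the new `source=` entry in APKBUILD, e.g. `# CVE-2016-5387: backport of upstream httpd r1752426 (server/util_script.c)`, would cover that. The empty `;` body of the added `else if (!strcasecmp(hdrs[i].key, "Proxy"))` branch is also easy to misread as a mistake; per the comment above it, it presumably intercepts the client-supplied `Proxy` header before the generic branch that would otherwise export it as `HTTP_PROXY`, so it must not be "cleaned up" when the patch is refreshed. Because the whole guard is compiled out when `SECURITY_HOLE_PASS_PROXY` is defined, it is worth confirming that nothing in the package's build flags defines that macro, otherwise the pkgrel bump ships without the fix. The enclosing `ap_add_common_vars` loop starts and ends outside the quoted hunk.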