authorNatanael Copa <ncopa@alpinelinux.org>2016-07-20 13:05:13 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2016-07-20 13:05:48 +0000
commit23afbfbed72efa68c1ea62b837270f16535a1c33 (patch)
treea471199ea860c6f5fb7d6027d834643e955e00d0
parent685ffe83039b198cd8f173421c6be85aedcb07f6 (diff)
downloadaports-23afbfbed72efa68c1ea62b837270f16535a1c33.tar.bz2
aports-23afbfbed72efa68c1ea62b837270f16535a1c33.tar.xz
main/apache2: security fix for CVE-2016-5387
fixes #5925
-rw-r--r--main/apache2/APKBUILD12
-rw-r--r--main/apache2/CVE-2016-5387.patch17
2 files changed, 25 insertions, 4 deletions
diff --git a/main/apache2/APKBUILD b/main/apache2/APKBUILD
index 235b4d3f8f..126e361e14 100644
--- a/main/apache2/APKBUILD
+++ b/main/apache2/APKBUILD
@@ -3,7 +3,7 @@
pkgname=apache2
_pkgreal=httpd
pkgver=2.4.23
-pkgrel=0
+pkgrel=1
pkgdesc="A high performance Unix-based HTTP server"
url="http://httpd.apache.org/"
arch="all"
@@ -47,6 +47,7 @@ source="http://archive.apache.org/dist/$_pkgreal/$_pkgreal-$pkgver.tar.bz2
conf/0012-httpd.conf-MIMEMagicFile.patch
conf/0013-httpd-.conf-IfModule.patch
conf/0014-httpd-.conf-LoadModule.patch
+ CVE-2016-5387.patch
"
options="suid"
@@ -295,7 +296,8 @@ b70fe826486043e3953cfe21f9e6fa16 ldap.conf
aa73ec65c4c67819f297e48da8d3fb8e 0011-httpd.conf-IncludeOptional.patch
605536ff208f88ea97331b6b5d03278f 0012-httpd.conf-MIMEMagicFile.patch
78f648c86a895107a9381374d5497f51 0013-httpd-.conf-IfModule.patch
-3c873b99a197a7fa1792bc7fa5b05233 0014-httpd-.conf-LoadModule.patch"
+3c873b99a197a7fa1792bc7fa5b05233 0014-httpd-.conf-LoadModule.patch
+61489c5f174756e63bae95c5d85d0e46 CVE-2016-5387.patch"
sha256sums="0c1694b2aad7765896faf92843452ee2555b9591ae10d4f19b245f2adfe85e58 httpd-2.4.23.tar.bz2
6ca904ad65c1a4122d8ea4a3303ea8184429a4a4d7fb81defc30f3e184258c0a apache2.confd
8e2a8870d51796cf04cc7d8985c43e36afe9ae79e2d6765050a0e72c0de8dce7 apache2.logrotate
@@ -317,7 +319,8 @@ f22abd948065649d9972be320a1feb855b5807ca9f45af3ad354b9560cb257d1 0010-httpd-ssl
9ecd79e4a084d876c56000ccc2fa88463fb57617b575fe4f8104c099715c691b 0011-httpd.conf-IncludeOptional.patch
5bad32417abc9fdf3e430aabd1ac8d13d90304911d6bd76515896df0aaa3e8d7 0012-httpd.conf-MIMEMagicFile.patch
9603bf79c7eab05e635ee7c9b2ecc67c49146f955b59852a88f2c618bd489a78 0013-httpd-.conf-IfModule.patch
-34d0202635660c961ee5186a4950e2af714b27bbd4aef23901c1f05a5e6c6fcd 0014-httpd-.conf-LoadModule.patch"
+34d0202635660c961ee5186a4950e2af714b27bbd4aef23901c1f05a5e6c6fcd 0014-httpd-.conf-LoadModule.patch
+c38bf5061a7c8d2da010db57ecf36a8c29739d34a04f55c66405a2e9fc319cd8 CVE-2016-5387.patch"
sha512sums="c520de5be748c0a785ef0dc77102749eb4f47e224968b8d4bed2ae644faa0964623a0e960b64486a0888446790d050b52a6ae34fe61717fab95b37384b4825b1 httpd-2.4.23.tar.bz2
8e62b101f90c67babe864bcb74f711656180b011df3fd4b541dc766b980b72aa409e86debf3559a55be359471c1cad81b8779ef3a55add8d368229fc7e9544fc apache2.confd
18e8859c7d99c4483792a5fd20127873aad8fa396cafbdb6f2c4253451ffe7a1093a3859ce719375e0769739c93704c88897bd087c63e1ef585e26dcc1f5dd9b apache2.logrotate
@@ -339,4 +342,5 @@ e151a8ebb23b1a3a92ea9a8b83b6bf64c950ec8ded8d514df8f16f074c5f712de7c44cb42190ca15
fc3352b50bee11e7560594398948a1af0279d339e891915e38766c9c0f930cc01f207e438afe9a43329b6d23fe438939666309e8ad77938dbe8dc784aaae4113 0011-httpd.conf-IncludeOptional.patch
da3a99ccf54c8d4adc633cceb3e520e48b47e868e8f1be33c81027ce3173401c8b9b79af4f75c73c94f77a50452219a4d23774b03a74f6271a677ec271396ada 0012-httpd.conf-MIMEMagicFile.patch
564866cadebd957eb9b23624286deb8cadb0ebeda0e3e80ec2cd8912731c8273f5ef5fa9f2d8295accb304da40c850772a854eb0c76c3aa08bb93b059c730882 0013-httpd-.conf-IfModule.patch
-3742b8ed06cfd081a02c171b5ddf42652d2848fd520e0ff1a4799fce90300e70ab8edbbecc7111a1083133077a57703a631879143777565e6918099a873d4aa0 0014-httpd-.conf-LoadModule.patch"
+3742b8ed06cfd081a02c171b5ddf42652d2848fd520e0ff1a4799fce90300e70ab8edbbecc7111a1083133077a57703a631879143777565e6918099a873d4aa0 0014-httpd-.conf-LoadModule.patch
+ebfcac5e4bc12a64d4d7e723d362cfc4912a6369ddd265a06dee95af1d5dbf8dd4bfe87ce227661afb386e19dc738e475e11aebd0ddcb5f827c14fe7c66d998c CVE-2016-5387.patch"
diff --git a/main/apache2/CVE-2016-5387.patch b/main/apache2/CVE-2016-5387.patch
new file mode 100644
index 0000000000..494afef17c
--- /dev/null
+++ b/main/apache2/CVE-2016-5387.patch
@@ -0,0 +1,17 @@
+--- a/server/util_script.c (revision 1752426)
++++ b/server/util_script.c (working copy)
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
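Review bot: The new `else if (!strcasecmp(hdrs[i].key, "Proxy"))` branch at L81-L83 has a bare `;` as its body, so nothing on the line itself says the no-op is deliberate; a future cleanup that "simplifies" the empty branch would silently reintroduce the header being exported as `HTTP_PROXY`, so I would annotate it, e.g. `; /* intentionally dropped: must never reach the CGI env as HTTP_PROXY (CVE-2016-5387) */`. The `#ifndef SECURITY_HOLE_PASS_PROXY` guard means the fix is only active if that macro is absent at compile time, and nothing in the patch prevents it from being defined, so the package's CFLAGS (outside this hunk) need to be checked against it and the escape hatch is worth a stronger warning than "if you must...". The check is an exact case-insensitive match on the header name; whether any other header name could be mapped onto `HTTP_PROXY` by the name-to-environment conversion depends on code elsewhere in ap_add_common_vars that is not visible here and should be confirmed. A short provenance header at the top of the patch file (upstream source of the change and the CVE) would help the next rebase, since the svn-style `(revision ...)`/`(working copy)` header only identifies the base tree. ap_add_common_vars begins and ends outside the hunk.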