pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/www/apache22 Add patch from the Apache SVN repository ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/1d42f63102a8
branches: trunk
changeset: 393637:1d42f63102a8
user: tron <tron%pkgsrc.org@localhost>
date: Fri May 22 09:46:06 2009 +0000
description:
Add patch from the Apache SVN repository to fix the information leak
in the "mod_proxy_ajp" module reported in CVE-2009-1191.
diffstat:
www/apache22/Makefile | 4 ++--
www/apache22/distinfo | 3 ++-
www/apache22/patches/patch-ab | 40 ++++++++++++++++++++++++++++++++++++++++
3 files changed, 44 insertions(+), 3 deletions(-)
diffs (72 lines):
diff -r 369ed7edc184 -r 1d42f63102a8 www/apache22/Makefile
--- a/www/apache22/Makefile Fri May 22 09:27:57 2009 +0000
+++ b/www/apache22/Makefile Fri May 22 09:46:06 2009 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.42 2009/04/24 11:21:16 seb Exp $
+# $NetBSD: Makefile,v 1.43 2009/05/22 09:46:06 tron Exp $
DISTNAME= httpd-2.2.11
-PKGREVISION= 2
+PKGREVISION= 3
PKGNAME= ${DISTNAME:S/httpd/apache/}
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \
diff -r 369ed7edc184 -r 1d42f63102a8 www/apache22/distinfo
--- a/www/apache22/distinfo Fri May 22 09:27:57 2009 +0000
+++ b/www/apache22/distinfo Fri May 22 09:46:06 2009 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.17 2009/02/15 23:14:40 rillig Exp $
+$NetBSD: distinfo,v 1.18 2009/05/22 09:46:06 tron Exp $
SHA1 (httpd-2.2.11.tar.bz2) = 7af256d53b79342f82222bd7b86eedbd9ac21d9a
RMD160 (httpd-2.2.11.tar.bz2) = b2012af716a459f666e0e41eb04808bd0f7fc28d
Size (httpd-2.2.11.tar.bz2) = 5230130 bytes
SHA1 (patch-aa) = 40f5f687a1217b8d6684dc610d3d4c430f635cbf
+SHA1 (patch-ab) = d5391ca1af9d817d35cb472b0feb05b86a95e560
SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad
SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13
SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913
diff -r 369ed7edc184 -r 1d42f63102a8 www/apache22/patches/patch-ab
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/www/apache22/patches/patch-ab Fri May 22 09:46:06 2009 +0000
@@ -0,0 +1,40 @@
+$NetBSD: patch-ab,v 1.10 2009/05/22 09:46:06 tron Exp $
+
+Patch for CVE-2009-1191 taken from the Apache SVN repository:
+http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/modules/proxy/mod_proxy_ajp.c?view=markup&pathrev=768506
+
+--- modules/proxy/mod_proxy_ajp.c 2008/11/15 14:25:54 714273
++++ modules/proxy/mod_proxy_ajp.c 2009/04/25 09:58:52 768506
+@@ -307,21 +307,17 @@
+ "proxy: read zero bytes, expecting"
+ " %" APR_OFF_T_FMT " bytes",
+ content_length);
+- status = ajp_send_data_msg(conn->sock, msg, 0);
+- if (status != APR_SUCCESS) {
+- /* We had a failure: Close connection to backend */
+- conn->close++;
+- ap_log_error(APLOG_MARK, APLOG_ERR, status, r->server,
+- "proxy: send failed to %pI (%s)",
+- conn->worker->cp->addr,
+- conn->worker->hostname);
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+- else {
+- /* Client send zero bytes with C-L > 0
+- */
+- return HTTP_BAD_REQUEST;
+- }
++ /*
++ * We can only get here if the client closed the connection
++ * to us without sending the body.
++ * Now the connection is in the wrong state on the backend.
++ * Sending an empty data msg doesn't help either as it does
++ * not move this connection to the correct state on the backend
++ * for later resusage by the next request again.
++ * Close it to clean things up.
++ */
++ conn->close++;
++ return HTTP_BAD_REQUEST;
+ }
+ }
+
Home |
Main Index |
Thread Index |
Old Index