aboutsummaryrefslogtreecommitdiffstats
path: root/www/apache13-modssl
diff options
context:
space:
mode:
authordinoex <dinoex@FreeBSD.org>2008-01-23 16:00:43 +0800
committerdinoex <dinoex@FreeBSD.org>2008-01-23 16:00:43 +0800
commite0dd2cfa7b9a6e040a97fa1e52f161d9d7edc5da (patch)
tree0a06c3e2561844835a5f8d3f26f9cd761d0aff4b /www/apache13-modssl
parent11ccd18d5adf570a99c485b9f8a8929af270f539 (diff)
downloadfreebsd-ports-gnome-e0dd2cfa7b9a6e040a97fa1e52f161d9d7edc5da.tar.gz
freebsd-ports-gnome-e0dd2cfa7b9a6e040a97fa1e52f161d9d7edc5da.tar.zst
freebsd-ports-gnome-e0dd2cfa7b9a6e040a97fa1e52f161d9d7edc5da.zip
- Security patch
Security: CVE-2007-6388 Security: CVE-2007-5000 Security: CVE-2007-3847 Reported by: Thomas Vogt
Diffstat (limited to 'www/apache13-modssl')
-rw-r--r--www/apache13-modssl/Makefile2
-rw-r--r--www/apache13-modssl/files/patch-CVE-2007-6388399
2 files changed, 400 insertions, 1 deletions
diff --git a/www/apache13-modssl/Makefile b/www/apache13-modssl/Makefile
index 38abf376b8ac..3e3751f26b41 100644
--- a/www/apache13-modssl/Makefile
+++ b/www/apache13-modssl/Makefile
@@ -7,7 +7,7 @@
PORTNAME= apache+mod_ssl
PORTVERSION= ${VERSION_APACHE}+${VERSION_MODSSL}
-PORTREVISION?= 0
+PORTREVISION?= 1
CATEGORIES?= www security
MASTER_SITES= ${MASTER_SITE_APACHE_HTTPD} \
${MASTER_SITES_MODSSL:S/$/:mod_ssl/} \
diff --git a/www/apache13-modssl/files/patch-CVE-2007-6388 b/www/apache13-modssl/files/patch-CVE-2007-6388
new file mode 100644
index 000000000000..473e953d1a7e
--- /dev/null
+++ b/www/apache13-modssl/files/patch-CVE-2007-6388
@@ -0,0 +1,399 @@
+diff -ur conf/mime.types apache_1.3.41/conf/mime.types
+--- conf/mime.types 2007-09-01 00:03:39.000000000 +0200
++++ apache_1.3.41/conf/mime.types 2008-01-02 23:12:12.000000000 +0100
+@@ -82,6 +82,10 @@
+ application/mbox mbox
+ application/mediaservercontrol+xml mscml
+ application/mikey
++application/moss-keys
++application/moss-signature
++application/mosskey-data
++application/mosskey-request
+ application/mp4 mp4s
+ application/mpeg4-generic
+ application/mpeg4-iod
+@@ -135,6 +139,10 @@
+ application/samlassertion+xml
+ application/samlmetadata+xml
+ application/sbml+xml sbml
++application/scvp-cv-request scq
++application/scvp-cv-response scs
++application/scvp-vp-request spq
++application/scvp-vp-response spp
+ application/sdp sdp
+ application/set-payment
+ application/set-payment-initiation setpay
+@@ -152,6 +160,8 @@
+ application/smil+xml smi smil
+ application/soap+fastinfoset
+ application/soap+xml
++application/sparql-query rq
++application/sparql-results+xml srx
+ application/spirits-event+xml
+ application/srgs gram
+ application/srgs+xml grxml
+@@ -159,6 +169,7 @@
+ application/timestamp-query
+ application/timestamp-reply
+ application/tve-trigger
++application/ulpfec
+ application/vemmi
+ application/vividence.scriptfile
+ application/vnd.3gpp.bsf+xml
+@@ -168,6 +179,7 @@
+ application/vnd.3gpp.sms
+ application/vnd.3gpp2.bcmcsinfo+xml
+ application/vnd.3gpp2.sms
++application/vnd.3gpp2.tcap tcap
+ application/vnd.3m.post-it-notes pwn
+ application/vnd.accpac.simply.aso aso
+ application/vnd.accpac.simply.imp imp
+@@ -317,6 +329,7 @@
+ application/vnd.japannet-verification-wakeup
+ application/vnd.jcp.javame.midlet-rms rms
+ application/vnd.jisp jisp
++application/vnd.joost.joda-archive joda
+ application/vnd.kahootz ktz ktr
+ application/vnd.kde.karbon karbon
+ application/vnd.kde.kchart chrt
+@@ -393,9 +406,13 @@
+ application/vnd.ms-xpsdocument xps
+ application/vnd.mseq mseq
+ application/vnd.msign
++application/vnd.multiad.creator
++application/vnd.multiad.creator.cif
+ application/vnd.music-niff
+ application/vnd.musician mus
++application/vnd.muvee.style msty
+ application/vnd.ncd.control
++application/vnd.ncd.reference
+ application/vnd.nervana
+ application/vnd.netfpx
+ application/vnd.neurolanguage.nlu nlu
+@@ -455,7 +472,10 @@
+ application/vnd.oma.dd2+xml dd2
+ application/vnd.oma.drm.risd+xml
+ application/vnd.oma.group-usage-list+xml
++application/vnd.oma.poc.detailed-progress-report+xml
++application/vnd.oma.poc.final-report+xml
+ application/vnd.oma.poc.groups+xml
++application/vnd.oma.poc.optimized-progress-report+xml
+ application/vnd.oma.xcap-directory+xml
+ application/vnd.omads-email+xml
+ application/vnd.omads-file+xml
+@@ -495,6 +515,7 @@
+ application/vnd.rn-realmedia rm
+ application/vnd.ruckus.download
+ application/vnd.s3sms
++application/vnd.sbm.mid2
+ application/vnd.scribus
+ application/vnd.sealed.3df
+ application/vnd.sealed.csf
+@@ -571,6 +592,7 @@
+ application/vnd.wap.wmlscriptc wmlsc
+ application/vnd.webturbo wtb
+ application/vnd.wfa.wsc
++application/vnd.wmc
+ application/vnd.wordperfect wpd
+ application/vnd.wqd wqd
+ application/vnd.wrq-hp3000-labelled
+@@ -742,6 +764,7 @@
+ audio/t38
+ audio/telephone-event
+ audio/tone
++audio/ulpfec
+ audio/vdvi
+ audio/vmr-wb
+ audio/vnd.3gpp.iufp
+@@ -812,7 +835,7 @@
+ image/vnd.fujixerox.edmics-mmr mmr
+ image/vnd.fujixerox.edmics-rlc rlc
+ image/vnd.globalgraphics.pgb
+-image/vnd.microsoft.icon ico
++image/vnd.microsoft.icon
+ image/vnd.mix
+ image/vnd.ms-modi mdi
+ image/vnd.net-fpx npx
+@@ -824,7 +847,7 @@
+ image/vnd.xiff xif
+ image/x-cmu-raster ras
+ image/x-cmx cmx
+-image/x-icon
++image/x-icon ico
+ image/x-pcx pcx
+ image/x-pict pic pct
+ image/x-portable-anymap pnm
+@@ -847,6 +870,7 @@
+ message/sip
+ message/sipfrag
+ message/tracking-status
++message/vnd.si.simp
+ model/iges igs iges
+ model/mesh msh mesh silo
+ model/vnd.dwf dwf
+@@ -894,6 +918,7 @@
+ text/t140
+ text/tab-separated-values tsv
+ text/troff t tr roff man me ms
++text/ulpfec
+ text/uri-list uri uris urls
+ text/vnd.abc
+ text/vnd.curl
+@@ -909,6 +934,7 @@
+ text/vnd.motorola.reflex
+ text/vnd.ms-mediapackage
+ text/vnd.net2phone.commcenter.command
++text/vnd.si.uricatalogue
+ text/vnd.sun.j2me.app-descriptor jad
+ text/vnd.trolltech.linguist
+ text/vnd.wap.si
+@@ -957,6 +983,7 @@
+ video/rtp-enc-aescm128
+ video/rtx
+ video/smpte292m
++video/ulpfec
+ video/vc1
+ video/vnd.dlna.mpeg-tts
+ video/vnd.fvt fvt
+diff -ur src/CHANGES apache_1.3.41/src/CHANGES
+--- src/CHANGES 2007-09-04 14:28:53.000000000 +0200
++++ apache_1.3.41/src/CHANGES 2008-01-09 15:33:07.000000000 +0100
+@@ -1,3 +1,29 @@
++Changes with Apache 1.3.41
++
++ *) SECURITY: CVE-2007-6388 (cve.mitre.org)
++ mod_status: Ensure refresh parameter is numeric to prevent
++ a possible XSS attack caused by redirecting to other URLs.
++ Reported by SecurityReason. [Mark Cox]
++
++Changes with Apache 1.3.40 (not released)
++
++ *) SECURITY: CVE-2007-5000 (cve.mitre.org)
++ mod_imap: Fix cross-site scripting issue. Reported by JPCERT.
++ [Joe Orton]
++
++ *) SECURITY: CVE-2007-3847 (cve.mitre.org)
++ mod_proxy: Prevent reading past the end of a buffer when parsing
++ date-related headers. PR 41144.
++ With Apache 1.3, the denial of service vulnerability applies only
++ to the Windows and NetWare platforms.
++ [Jeff Trawick]
++
++ *) More efficient implementation of the CVE-2007-3304 PID table
++ patch. This fixes issues with excessive memory usage by the
++ parent process if long-running and with a high number of child
++ process forks during that timeframe. Also fixes bogus "Bad pid"
++ errors. [Jim Jagielski, Jeff Trawick]
++
+ Changes with Apache 1.3.39
+
+ *) SECURITY: CVE-2006-5752 (cve.mitre.org)
+diff -ur src/Configure apache_1.3.41/src/Configure
+--- src/Configure 2007-08-10 17:45:50.000000000 +0200
++++ apache_1.3.41/src/Configure 2008-01-04 15:40:05.000000000 +0100
+@@ -1936,7 +1936,7 @@
+ # select the special subtarget for shared core generation
+ SUBTARGET=target_shared
+ # determine additional suffixes for libhttpd.so
+- V=1 R=3 P=39
++ V=1 R=3 P=41
+ if [ "x$SHLIB_SUFFIX_DEPTH" = "x0" ]; then
+ SHLIB_SUFFIX_LIST=""
+ fi
+diff -ur src/include/httpd.h apache_1.3.41/src/include/httpd.h
+--- src/include/httpd.h 2007-09-04 14:28:53.000000000 +0200
++++ apache_1.3.41/src/include/httpd.h 2008-01-10 17:20:45.000000000 +0100
+@@ -389,7 +389,7 @@
+
+ #define SERVER_BASEVENDOR "Apache Group"
+ #define SERVER_BASEPRODUCT "Apache"
+-#define SERVER_BASEREVISION "1.3.39"
++#define SERVER_BASEREVISION "1.3.41"
+ #define SERVER_BASEVERSION SERVER_BASEPRODUCT "/" SERVER_BASEREVISION
+
+ #define SERVER_PRODUCT SERVER_BASEPRODUCT
+@@ -410,7 +410,7 @@
+ * Always increases along the same track as the source branch.
+ * For example, Apache 1.4.2 would be '10402100', 2.5b7 would be '20500007'.
+ */
+-#define APACHE_RELEASE 10339100
++#define APACHE_RELEASE 10341100
+
+ #define SERVER_PROTOCOL "HTTP/1.1"
+ #ifndef SERVER_SUPPORT
+diff -ur src/main/http_main.c apache_1.3.41/src/main/http_main.c
+--- src/main/http_main.c 2007-06-04 21:26:21.000000000 +0200
++++ apache_1.3.41/src/main/http_main.c 2007-11-15 22:31:15.000000000 +0100
+@@ -362,7 +362,7 @@
+ /*
+ * Parent process local storage of child pids
+ */
+-static table *pid_table;
++static int pid_table[HARD_SERVER_LIMIT];
+
+ /*
+ * Pieces for managing the contents of the Server response header
+@@ -384,26 +384,34 @@
+ */
+
+ static int in_pid_table(int pid) {
+- char apid[64]; /* WAY generous! */
+- const char *spid;
+- ap_snprintf(apid, sizeof(apid), "%d", pid);
+- spid = ap_table_get(pid_table, apid);
+- if (spid && spid[0] == '1' && spid[1] == '\0')
+- return 1;
+- else
+- return 0;
++ int i;
++ for (i = 0; i < HARD_SERVER_LIMIT; i++) {
++ if (pid_table[i] == pid) {
++ return 1;
++ }
++ }
++ return 0;
+ }
+
+ static void set_pid_table(int pid) {
+- char apid[64];
+- ap_snprintf(apid, sizeof(apid), "%d", pid);
+- ap_table_set(pid_table, apid, "1");
++ int i;
++ for (i = 0; i < HARD_SERVER_LIMIT; i++) {
++ if (pid_table[i] == 0) {
++ pid_table[i] = pid;
++ break;
++ }
++ }
++ /* NOTE: Error detection?? */
+ }
+
+ static void unset_pid_table(int pid) {
+- char apid[64];
+- ap_snprintf(apid, sizeof(apid), "%d", pid);
+- ap_table_unset(pid_table, apid);
++ int i;
++ for (i = 0; i < HARD_SERVER_LIMIT; i++) {
++ if (pid_table[i] == pid) {
++ pid_table[i] = 0;
++ break;
++ }
++ }
+ }
+
+ /*
+@@ -2680,7 +2688,10 @@
+ ss->vhostrec = r->server;
+ }
+ }
+- if (status == SERVER_STARTING && r == NULL) {
++ if (status == SERVER_DEAD) {
++ ap_scoreboard_image->parent[child_num].pid = 0;
++ }
++ else if (status == SERVER_STARTING && r == NULL) {
+ /* clean up the slot's vhostrec pointer (maybe re-used)
+ * and mark the slot as belonging to a new generation.
+ */
+@@ -4370,6 +4381,7 @@
+ */
+ static void common_init(void)
+ {
++ int i;
+ INIT_SIGLIST()
+ #ifdef AUX3
+ (void) set42sig();
+@@ -4465,6 +4477,9 @@
+ ap_server_post_read_config = ap_make_array(pcommands, 1, sizeof(char *));
+ ap_server_config_defines = ap_make_array(pcommands, 1, sizeof(char *));
+- pid_table = ap_make_table(pglobal, HARD_SERVER_LIMIT);
++ /* overkill since static */
++ for (i = 0; i < HARD_SERVER_LIMIT; i++) {
++ pid_table[i] = 0;
++ }
+
+ #ifdef EAPI
+ ap_hook_init();
+diff -ur src/modules/proxy/proxy_util.c apache_1.3.41/src/modules/proxy/proxy_util.c
+--- src/modules/proxy/proxy_util.c 2006-07-12 10:16:05.000000000 +0200
++++ apache_1.3.41/src/modules/proxy/proxy_util.c 2007-10-30 20:17:03.000000000 +0100
+@@ -282,7 +282,8 @@
+ *q = ',';
+ if (wk == 7)
+ return x; /* not a valid date */
+- if (q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
++ if (strlen(q) != 24 ||
++ q[4] != '-' || q[8] != '-' || q[11] != ' ' || q[14] != ':' ||
+ q[17] != ':' || strcmp(&q[20], " GMT") != 0)
+ return x;
+ if (sscanf(q + 2, "%u-%3s-%u %u:%u:%u %3s", &mday, month, &year,
+@@ -294,8 +295,9 @@
+ year += 1900;
+ }
+ else {
+-/* check for acstime() date */
+- if (x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
++/* check for asctime() date */
++ if (strlen(x) != 24 ||
++ x[3] != ' ' || x[7] != ' ' || x[10] != ' ' || x[13] != ':' ||
+ x[16] != ':' || x[19] != ' ' || x[24] != '\0')
+ return x;
+ if (sscanf(x, "%3s %3s %u %u:%u:%u %u", week, month, &mday, &hour,
+diff -ur src/modules/standard/mod_imap.c apache_1.3.41/src/modules/standard/mod_imap.c
+--- src/modules/standard/mod_imap.c 2006-07-12 10:16:05.000000000 +0200
++++ apache_1.3.41/src/modules/standard/mod_imap.c 2007-12-12 13:36:54.000000000 +0100
+@@ -463,7 +463,7 @@
+
+ static void menu_header(request_rec *r, char *menu)
+ {
+- r->content_type = "text/html";
++ r->content_type = "text/html; charset=ISO-8859-1";
+ ap_send_http_header(r);
+ #ifdef CHARSET_EBCDIC
+ /* Server-generated response, converted */
+@@ -471,11 +471,13 @@
+ #endif
+ ap_hard_timeout("send menu", r); /* killed in menu_footer */
+
+- ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ", r->uri,
+- "</title>\n</head><body>\n", NULL);
++ ap_rvputs(r, DOCTYPE_HTML_3_2, "<html><head>\n<title>Menu for ",
++ ap_escape_html(r->pool, r->uri),
++ "</title>\n</head><body>\n", NULL);
+
+ if (!strcasecmp(menu, "formatted")) {
+- ap_rvputs(r, "<h1>Menu for ", r->uri, "</h1>\n<hr>\n\n", NULL);
++ ap_rvputs(r, "<h1>Menu for ", ap_escape_html(r->pool, r->uri),
++ "</h1>\n<hr>\n\n", NULL);
+ }
+
+ return;
+diff -ur src/modules/standard/mod_status.c apache_1.3.41/src/modules/standard/mod_status.c
+--- src/modules/standard/mod_status.c 2007-07-24 20:03:56.000000000 +0200
++++ apache_1.3.41/src/modules/standard/mod_status.c 2008-01-07 03:31:11.000000000 +0100
+@@ -232,17 +232,15 @@
+ while (status_options[i].id != STAT_OPT_END) {
+ if ((loc = strstr(r->args, status_options[i].form_data_str)) != NULL) {
+ switch (status_options[i].id) {
+- case STAT_OPT_REFRESH:
+- if (*(loc + strlen(status_options[i].form_data_str)) == '='
+- && atol(loc + strlen(status_options[i].form_data_str)
+- + 1) > 0)
+- ap_table_set(r->headers_out,
+- status_options[i].hdr_out_str,
+- loc + strlen(status_options[i].hdr_out_str) + 1);
+- else
+- ap_table_set(r->headers_out,
+- status_options[i].hdr_out_str, "1");
+- break;
++ case STAT_OPT_REFRESH: {
++ long refreshtime = 0;
++ if (*(loc + strlen(status_options[i].form_data_str)) == '=')
++ refreshtime = atol(loc + strlen(status_options[i].form_data_str)+1);
++ ap_table_set(r->headers_out,
++ status_options[i].hdr_out_str,
++ ap_psprintf(r->pool,"%ld",(refreshtime<1)?10:refreshtime));
++ break;
++ }
+ case STAT_OPT_NOTABLE:
+ no_table_report = 1;
+ break;