#1516 closed defect (fixed)
apache2 vulnerability fixes for 6.1 and svn
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | BOOK | Version: | b-6.1-pre1 |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
I've just posted the following to patches (header details omitted here). These are from debian, there doesn't seem to be anything for these in apache cvs.
Ken
CAN-2005-1268 off-by-one overflow in mod_ssl : to be exploited, server
would need to be configured to use a malicious certificalte revocation list. This appears to have been made against an earlier version than 2.0.54, but applies ok.
CAN-2005-2088 when acting as an http proxy, remote attacker can do
"http request smuggling" - see http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
--- apache2/modules/ssl/ssl_engine_kernel.c 2005/06/03 12:43:35 179780 +++ apache2/modules/ssl/ssl_engine_kernel.c 2005/06/03 12:54:53 179781 @@ -1408,7 +1408,7 @@
BIO_printf(bio, ", nextUpdate: "); ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(crl));
- n = BIO_read(bio, buff, sizeof(buff));
+ n = BIO_read(bio, buff, sizeof(buff) - 1);
buff[n] = '\0';
BIO_free(bio);
--- apache2/modules/proxy/proxy_http.c 2005-02-04 20:21:18.000000000 +0000 +++ apache2/modules/proxy/proxy_http.c 2005-08-02 09:25:21.000000000 +0000 @@ -768,8 +768,24 @@
return r->status;
} else {
- /* strip connection listed hop-by-hop headers from response */
const char *buf;
+ + /* can't have both Content-Length and Transfer-Encoding */ + if (apr_table_get(r->headers_out, "Transfer-Encoding") + && apr_table_get(r->headers_out, "Content-Length")) { + /* 2616 section 4.4, point 3: "if both Transfer-Encoding + * and Content-Length are received, the latter MUST be + * ignored"; so unset it here to prevent any confusion + * later. */ + apr_table_unset(r->headers_out, "Content-Length"); + ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, + r->server, + "proxy: server %s returned Transfer-Encoding and Content-Length", + p_conn->name); + p_conn->close += 1; + } + + /* strip connection listed hop-by-hop headers from response */
p_conn->close += ap_proxy_liststr(apr_table_get(r->headers_out,
"Connection"),
"close");
--- apache2/server/protocol.c 2005-08-02 09:25:38.000000000 +0000 +++ apache2/server/protocol.c 2005-08-02 09:25:12.000000000 +0000 @@ -885,6 +885,15 @@
apr_brigade_destroy(tmp_bb); return r;
}
+ + if (apr_table_get(r->headers_in, "Transfer-Encoding") + && apr_table_get(r->headers_in, "Content-Length")) { + /* 2616 section 4.4, point 3: "if both Transfer-Encoding + * and Content-Length are received, the latter MUST be + * ignored"; so unset it here to prevent any confusion + * later. */ + apr_table_unset(r->headers_in, "Content-Length"); + }
} else {
if (r->header_only) {
Added in 2.0.55.