Changeset 2774


Timestamp:
Jul 18, 2016, 7:53:10 PM (6 years ago)
Author:
andersk
Message:
Apply the 2015 suexec patch for CVE-2016-5387 “httpoxy”.

Also remove our inexplicable whitelist entry for HTTPS_* environment
variables.
Location:
trunk/server
Files:
1 added
2 edited

  • trunk/server/common/patches/httpd-suexec-scripts.patch

    r2591 r2774  
    5252 #include "ap_config.h"
    5353 #include "suexec.h"
    54 @@ -92,6 +95,7 @@ static const char *const safe_env_lst[] =
    55  {
    56      /* variable name starts with */
    57      "HTTP_",
    58 +    "HTTPS_",
    59      "SSL_",
    60  
    61      /* variable name is */
    6254@@ -268,9 +272,108 @@ static void clean_env(void)
    6355     environ = cleanenv;
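Review bot: the dropped hunk `@@ -92,6 +95,7 @@` is the one that added a single line (`"HTTPS_",`) to safe_env_lst, yet the following hunk header `@@ -268,9 +272,108 @@` is left unchanged, so its new-file start still counts that removed line and is now off by one (`+271` would be consistent). GNU patch will usually still apply it with an offset warning, but regenerating httpd-suexec-scripts.patch from the source tree would keep the headers consistent and avoid a fuzz-dependent apply in the spec's %patch step. Dropping the `HTTPS_` prefix itself is in line with the commit message: a "starts with" entry admits any header-derived variable under that prefix, which is exactly the class of problem the httpoxy fix targets.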
  • trunk/server/fedora/specs/httpd.spec.patch

    r2707 r2774  
    1010 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2
    1111 Source1: index.html
    12 @@ -65,6 +65,15 @@
     12@@ -65,6 +65,16 @@
    1313 Patch101: httpd-2.4.6-CVE-2014-3581.patch
    1414 Patch102: httpd-2.4.10-CVE-2014-3583.patch
     
    2222+Patch1006: httpd-suexec-journald.patch
    2323+Patch1007: httpd-bug57070.patch
     24+Patch1008: httpd-suexec-CVE-2016-5387.patch
    2425+
    2526 License: ASL 2.0
     
    5051 
    5152 %description -n mod_ssl
    52 @@ -190,6 +202,14 @@
     53@@ -190,6 +202,15 @@
    5354 %patch55 -p1 -b .malformedhost
    5455 %patch56 -p1 -b .uniqueid
     
    6162+%patch1006 -p1 -b .journald
    6263+%patch1007 -p0 -b .bug57070
     64+%patch1008 -p0 -b .CVE-2016-5387
    6365+
    6466 # Patch in the vendor string
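Review bot: `%patch1008 -p0 -b .CVE-2016-5387` applies the new patch with strip level 0, matching %patch1007 but not %patch1006 (which uses -p1); httpd-suexec-CVE-2016-5387.patch is the file counted under "1 added" above and its contents are not shown here, so confirm that its paths are written without an a/ b/ prefix so that -p0 resolves them, since a mismatched strip level fails %prep rather than silently skipping the httpoxy fix. The header bump from `+202,14` to `+202,15` does match the single added line.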