
Re: Apache2 CVE-2016-4975



Hi Markus,

On Wednesday, 15 August 2018 21:22:40 CEST Markus Koschany wrote:
> I am currently investigating CVE-2016-4975 for Apache2. The issue is
> already two years old but was only made public yesterday. [1] I skimmed
> through old commit messages but I could not isolate the fixing commit.
> However I found this changelog entry [2] from December 13th, 2016 and
> you are listed as one of the upstream committers who apparently fixed
> this vulnerability.
> 
> Do you remember the fixing commit for CVE-2016-4975 and could you point
> me to it?
> 
> I assume this is the related changelog entry.
> 
> Validate HTTP response header grammar defined by RFC7230, resulting
> in a 500 error in the event that invalid response header contents are
> detected when serving the response, to avoid response splitting and
> cache pollution by malicious clients, upstream servers or faulty
> modules. [Stefan Fritsch, Eric Covener, Yann Ylavic]

Yes, that's the relevant part of the changelog.

The bug in mod_userdir has not been fixed but it has been made unexploitable 
by sanitizing outgoing headers. Somewhat late, upstream has decided that the 
CVE should be attached to the sanitization changes. This was this mega commit:

https://svn.apache.org/viewvc?view=revision&revision=1772678

https://github.com/apache/httpd/commit/14a591eaf297d4cfb0712be886f306594b3c538e

In jessie this has been included in 2.4.10-10+deb8u8 and Antoine did the 
heroic backport to wheezy. So, there should not be anything to fix in 
Debian.

Cheers,
Stefan
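The changelog entry quoted above describes the mitigation as validating outgoing response headers against the RFC 7230 grammar and answering with a 500 instead of emitting a header that contains CR/LF or other control characters. The following is an added illustration of that check, written for this page and not taken from httpd; the function names, the 200/500 return convention and the sample header lists are all constructed here. It applies the RFC 7230 `token` rule to field names and the `field-value` rule (VCHAR, obs-text, SP, HTAB) to field values, so any value carrying a line break is rejected before it can split the response.

```python
import re

# RFC 7230 section 3.2.6: token = 1*tchar
# tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." /
#         "^" / "_" / "`" / "|" / "~" / DIGIT / ALPHA
_TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# RFC 7230 section 3.2: field-value is built from field-vchar (VCHAR 0x21-0x7E
# or obs-text 0x80-0xFF) separated by SP / HTAB. CR, LF, NUL and every other
# control character are therefore not allowed anywhere in a value.
_FIELD_VALUE_RE = re.compile(r"[\x21-\x7e\x80-\xff \t]*")


def header_name_is_valid(name: str) -> bool:
    """True if the field name is a non-empty RFC 7230 token."""
    return _TOKEN_RE.fullmatch(name) is not None


def header_value_is_valid(value: str) -> bool:
    """True if the field value contains only characters the grammar permits."""
    # fullmatch (not match) is deliberate: re's '$' would accept a trailing '\n'.
    return _FIELD_VALUE_RE.fullmatch(value) is not None


def validate_response_headers(headers):
    """Check every (name, value) pair a server is about to send.

    Returns (status, problems): status is 200 when all headers pass and 500
    when any header is malformed, mirroring the behaviour the changelog
    describes; problems lists a description of each offending header.
    (Assumed interface, constructed for this example.)
    """
    problems = []
    for name, value in headers:
        if not header_name_is_valid(name):
            problems.append(f"invalid header name: {name!r}")
        if not header_value_is_valid(value):
            problems.append(f"invalid value for {name}: {value!r}")
    return (500 if problems else 200), problems


# Constructed sample: a well-formed response header set.
SAMPLE_OK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Cache-Control", "max-age=0, must-revalidate"),
    ("Location", "/~alice/index.html"),
]

# Constructed sample: a Location value a faulty module built from untrusted
# input; the embedded CRLF is what would split the response downstream.
SAMPLE_BAD_HEADERS = [
    ("Content-Type", "text/html"),
    ("Location", "/~alice\r\nSet-Cookie: session=forged"),
    ("X Bad Name", "ok"),
]


if __name__ == "__main__":
    for label, hdrs in (("ok", SAMPLE_OK_HEADERS), ("bad", SAMPLE_BAD_HEADERS)):
        status, problems = validate_response_headers(hdrs)
        print(label, status, problems)
```

Rejecting the whole response rather than stripping the offending bytes is the conservative choice the changelog takes: a 500 surfaces the faulty module or upstream in the error log, whereas silently repairing the header would hide a bug that may recur in a form the filter does not anticipate.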