
Bug#702664: marked as done (unblock: apache2/2.2.22-13)



Your message dated Sat, 09 Mar 2013 18:56:27 +0000
with message-id <1362855387.26434.20.camel@jacala.jungle.funky-badger.org>
and subject line Re: Bug#702664: unblock: apache2/2.2.22-13
has caused the Debian Bug report #702664,
regarding unblock: apache2/2.2.22-13
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
702664: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702664
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package apache2

It includes the security fixes from DSA-2637-1, a bug fix that I also
intend to fix in squeeze via s-p-u, and a tiny doc fix. Changelog:

apache2 (2.2.22-13) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Urgency medium for security fixes.
  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
  * mod_log_forensic: Fix spurious '-' characters being logged, causing
    false positives. Closes: #693292

  [ Arno Töll ]
  * Document APACHE_ARGUMENTS in envvars (Closes: #693299)

 -- Stefan Fritsch <sf@debian.org>  Mon, 04 Mar 2013 22:21:05 +0100

Debdiff is attached. Thanks in advance.

unblock apache2/2.2.22-13
diff -Nru apache2-2.2.22/debian/apache2ctl apache2-2.2.22/debian/apache2ctl
--- apache2-2.2.22/debian/apache2ctl	2012-10-30 00:55:55.000000000 +0100
+++ apache2-2.2.22/debian/apache2ctl	2013-03-04 22:20:35.000000000 +0100
@@ -104,10 +104,35 @@
     fi
 }
 
+mkdir_chown () {
+    local OWNER="$1"
+    local DIR="$2"
+    local STAT="$(LC_ALL=C stat -c %F:%U $DIR 2> /dev/null || true)"
+    if [ "$STAT" = "" ] ; then
+        local TMPNAME=$(mktemp -d $DIR.XXXXXXXXXX) || exit 1
+        chmod 755 $TMPNAME || exit 1
+        chown $OWNER $TMPNAME || exit 1
+        if ! mv -T $TMPNAME $DIR 2> /dev/null; then
+            rmdir $TMPNAME
+            # check for race with other apachectl
+            if [ "$(LC_ALL=C stat -c %F:%U $DIR 2>/dev/null)" != "directory:$OWNER" ]
+            then
+                echo Cannot create $DIR with owner $OWNER.
+                echo Please fix manually. Aborting.
+                exit 1
+            fi
+        fi
+    elif [ "$STAT" != "directory:$OWNER" ] ; then
+        echo $DIR already exists but is not a directory owned by $OWNER.
+        echo Please fix manually. Aborting.
+        exit 1
+    fi
+}
+
 case $ARGV in
 start)
     mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2}
-    install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
+    mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2}
     # ssl_scache shouldn't be here if we're just starting up.
     # (this is bad if there are several apache2 instances running)
     rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache*
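Review bot: In mkdir_chown, `local TMPNAME=$(mktemp -d $DIR.XXXXXXXXXX) || exit 1` does not catch a mktemp failure, because the status being tested is that of `local`, not of the command substitution. As written, only the following chmod, run with no operand, stops the script. Declare the variable first and assign on its own line (`local TMPNAME`, then `TMPNAME=$(mktemp -d "$DIR.XXXXXXXXXX") || exit 1`) so the error path is explicit. The expansions of $DIR, $TMPNAME and $OWNER are also unquoted throughout, so an APACHE_LOCK_DIR containing whitespace or glob characters would be split before it reaches stat, mktemp, mv and rmdir; quote them. The create-then-rename approach with `mv -T` and the re-check of `stat -c %F:%U` after a failed rename look right for the symlink issue named in the changelog; a short comment above the function saying that this is its purpose would help the next maintainer.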
diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog
--- apache2-2.2.22/debian/changelog	2012-10-31 00:24:01.000000000 +0100
+++ apache2-2.2.22/debian/changelog	2013-03-04 22:21:05.000000000 +0100
@@ -1,3 +1,17 @@
+apache2 (2.2.22-13) unstable; urgency=medium
+
+  [ Stefan Fritsch ]
+  * Urgency medium for security fixes.
+  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
+  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
+  * mod_log_forensic: Fix spurious '-' characters being logged, causing
+    false positives. Closes: #693292
+
+  [ Arno Töll ]
+  * Document APACHE_ARGUMENTS in envvars (Closes: #693299)
+
+ -- Stefan Fritsch <sf@debian.org>  Mon, 04 Mar 2013 22:21:05 +0100
+
 apache2 (2.2.22-12) unstable; urgency=low
 
   * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is
diff -Nru apache2-2.2.22/debian/config-dir/envvars apache2-2.2.22/debian/config-dir/envvars
--- apache2-2.2.22/debian/config-dir/envvars	2012-10-30 00:55:55.000000000 +0100
+++ apache2-2.2.22/debian/config-dir/envvars	2013-03-04 22:00:37.000000000 +0100
@@ -35,3 +35,8 @@
 ## If you need a higher file descriptor limit, uncomment and adjust the
 ## following line (default is 8192):
 #APACHE_ULIMIT_MAX_FILES='ulimit -n 65536'
+
+
+## If you would like to pass arguments to the web server, add them below
+## to the APACHE_ARGUMENTS environment.
+#export APACHE_ARGUMENTS=''
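Review bot: The new comment reads "to the APACHE_ARGUMENTS environment", which should be "environment variable", and it gives no hint of what a value looks like or which invocations receive it. A one-line example value in the comment would make the commented-out `export APACHE_ARGUMENTS=''` more useful. The hunk also adds two consecutive blank lines before the comment where one would do.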
diff -Nru apache2-2.2.22/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch apache2-2.2.22/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch
--- apache2-2.2.22/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.2.22/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch	2013-03-04 22:00:37.000000000 +0100
@@ -0,0 +1,204 @@
+# http://svn.apache.org/viewvc?view=revision&revision=r1447390
+#
+# *) SECURITY: CVE-2012-3499 (cve.mitre.org)
+#    Various XSS flaws due to unescaped hostnames and URIs HTML output in
+#    mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp.
+#    [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>]
+#
+# *) SECURITY: CVE-2012-4558 (cve.mitre.org)
+#    XSS in mod_proxy_balancer manager interface. [Jim Jagielski,
+#    Niels Heinen <heinenn google com>]
+Index: apache2/modules/ldap/util_ldap_cache_mgr.c
+===================================================================
+--- apache2.orig/modules/ldap/util_ldap_cache_mgr.c
++++ apache2/modules/ldap/util_ldap_cache_mgr.c
+@@ -541,7 +541,7 @@
+     if (id) {
+         buf2 = apr_psprintf(p,
+                  "<a href=\"%s?%s\">%s</a>",
+-             r->uri,
++             ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri)),
+              id,
+              name);
+     }
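Review bot: The href here wraps r->uri in both ap_escape_uri and ap_escape_html, while the mod_proxy_balancer hunks in this same patch put `ap_escape_uri(r->pool, r->uri)` alone into href and action attributes. Both sites are double-quoted attribute values built from the same field, so the patch should use one convention and the patch header should say why it is sufficient. Separately, `id` and `name` on the next two lines are still formatted into the same anchor unescaped; if they are always internal constants, a comment saying so would save the next reader the audit.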
+Index: apache2/modules/proxy/mod_proxy_balancer.c
+===================================================================
+--- apache2.orig/modules/proxy/mod_proxy_balancer.c
++++ apache2/modules/proxy/mod_proxy_balancer.c
+@@ -818,7 +818,8 @@
+         ap_rputs(DOCTYPE_HTML_3_2
+                  "<html><head><title>Balancer Manager</title></head>\n", r);
+         ap_rputs("<body><h1>Load Balancer Manager for ", r);
+-        ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
++        ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)),
++                  "</h1>\n\n", NULL);
+         ap_rvputs(r, "<dl><dt>Server Version: ",
+                   ap_get_server_description(), "</dt>\n", NULL);
+         ap_rvputs(r, "<dt>Server Built: ",
+@@ -853,7 +854,8 @@
+             worker = (proxy_worker *)balancer->workers->elts;
+             for (n = 0; n < balancer->workers->nelts; n++) {
+                 char fbuf[50];
+-                ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=",
++                ap_rvputs(r, "<tr>\n<td><a href=\"",
++                          ap_escape_uri(r->pool, r->uri), "?b=",
+                           balancer->name + sizeof("balancer://") - 1, "&w=",
+                           ap_escape_uri(r->pool, worker->name),
+                           "&nonce=", balancer_nonce, 
+@@ -894,7 +896,7 @@
+             ap_rputs("<h3>Edit worker settings for ", r);
+             ap_rvputs(r, wsel->name, "</h3>\n", NULL);
+             ap_rvputs(r, "<form method=\"GET\" action=\"", NULL);
+-            ap_rvputs(r, r->uri, "\">\n<dl>", NULL);
++            ap_rvputs(r, ap_escape_uri(r->pool, r->uri), "\">\n<dl>", NULL);
+             ap_rputs("<table><tr><td>Load factor:</td><td><input name=\"lf\" type=text ", r);
+             ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbfactor);
+             ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\" type=text ", r);
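Review bot: The context line `ap_rvputs(r, wsel->name, "</h3>\n", NULL);` two lines above the changed one still writes wsel->name into the heading without ap_escape_html. If worker names can only come from the server configuration that may be acceptable, but the patch header does not say so; either escape it like the server name in the first hunk of this file, or note why it is trusted. The same question applies to `balancer->name + sizeof("balancer://") - 1` in the href built by the previous hunk.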
+Index: apache2/modules/proxy/mod_proxy_ftp.c
+===================================================================
+--- apache2.orig/modules/proxy/mod_proxy_ftp.c
++++ apache2/modules/proxy/mod_proxy_ftp.c
+@@ -365,7 +365,9 @@
+                 " </head>\n"
+                 " <body>\n  <h2>Directory of "
+                 "<a href=\"/\">%s</a>/%s",
+-                site, basedir, escpath, site, basedir, escpath, site, str);
++                ap_escape_html(p, site), basedir, escpath,
++                ap_escape_uri(p, site), basedir, escpath,
++                ap_escape_uri(p, site), str);
+ 
+         APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str, strlen(str),
+                                                           p, c->bucket_alloc));
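Review bot: The argument list now escapes `site` three times in two different ways, and which escaping applies depends purely on position against a format string that is mostly outside this hunk. Computing the two forms once into named locals (an HTML-escaped and a URI-escaped copy of site) before the call would make the mapping reviewable and avoid the repeated ap_escape_uri call. `basedir` is passed through unchanged in all three positions; if it is already escaped earlier in the function, as the name `escpath` suggests for the path, a comment to that effect would help.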
+Index: apache2/modules/mappers/mod_imagemap.c
+===================================================================
+--- apache2.orig/modules/mappers/mod_imagemap.c
++++ apache2/modules/mappers/mod_imagemap.c
+@@ -320,7 +320,7 @@
+ /*
+  * returns the mapped URL or NULL.
+  */
+-static char *imap_url(request_rec *r, const char *base, const char *value)
++static const char *imap_url(request_rec *r, const char *base, const char *value)
+ {
+ /* translates a value into a URL. */
+     int slen, clen;
+@@ -342,7 +342,7 @@
+     if (!strcasecmp(value, "referer")) {
+         referer = apr_table_get(r->headers_in, "Referer");
+         if (referer && *referer) {
+-            return ap_escape_html(r->pool, referer);
++            return referer;
+         }
+         else {
+             /* XXX:  This used to do *value = '\0'; ... which is totally bogus
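Review bot: Dropping ap_escape_html from the Referer branch of imap_url moves the responsibility for escaping to every caller that writes the returned value into the response. The later hunks add escaping in menu_default and menu_directive, but nothing in the patch shows the remaining consumers of imap_url's result, so the patch header should list which output paths were checked. A one-line comment on imap_url stating that it returns unescaped data would keep a future caller from reintroducing the flaw.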
+@@ -459,7 +459,7 @@
+     return my_base;
+ }
+ 
+-static int imap_reply(request_rec *r, char *redirect)
++static int imap_reply(request_rec *r, const char *redirect)
+ {
+     if (!strcasecmp(redirect, "error")) {
+         /* they actually requested an error! */
+@@ -523,42 +523,52 @@
+                                    'formatted' form */
+ }
+ 
+-static void menu_default(request_rec *r, char *menu, char *href, char *text)
++static void menu_default(request_rec *r, const char *menu, const char *href, const char *text)
+ {
++    char *ehref, *etext;
+     if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
+         return;                 /* don't print such lines, these aren't
+                                    really href's */
+     }
++
++    ehref = ap_escape_uri(r->pool, href);
++    etext = ap_escape_html(r->pool, text);
++
+     if (!strcasecmp(menu, "formatted")) {
+-        ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
++        ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
+                "</a></pre>\n", NULL);
+     }
+     if (!strcasecmp(menu, "semiformatted")) {
+-        ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text,
++        ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext,
+                "</a></pre>\n", NULL);
+     }
+     if (!strcasecmp(menu, "unformatted")) {
+-        ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
++        ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
+     }
+     return;
+ }
+ 
+-static void menu_directive(request_rec *r, char *menu, char *href, char *text)
++static void menu_directive(request_rec *r, const char *menu, const char *href, const char *text)
+ {
++    char *ehref, *etext;
+     if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) {
+         return;                 /* don't print such lines, as this isn't
+                                    really an href */
+     }
++
++    ehref = ap_escape_uri(r->pool, href);
++    etext = ap_escape_html(r->pool, text);
++
+     if (!strcasecmp(menu, "formatted")) {
+-        ap_rvputs(r, "<pre>          <a href=\"", href, "\">", text,
++        ap_rvputs(r, "<pre>          <a href=\"", ehref, "\">", etext,
+                "</a></pre>\n", NULL);
+     }
+     if (!strcasecmp(menu, "semiformatted")) {
+-        ap_rvputs(r, "<pre>          <a href=\"", href, "\">", text,
++        ap_rvputs(r, "<pre>          <a href=\"", ehref, "\">", etext,
+                "</a></pre>\n", NULL);
+     }
+     if (!strcasecmp(menu, "unformatted")) {
+-        ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL);
++        ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL);
+     }
+     return;
+ }
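Review bot: In menu_default and menu_directive, `ehref = ap_escape_uri(r->pool, href);` applies a path escaper to href, and href values in a map file can be complete URLs. It is worth confirming with a test map file that hrefs carrying a query string or existing percent-escapes still produce working links after this change. The "formatted" and "semiformatted" branches in both functions also emit identical output and could be merged into one condition while the code is being touched.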
+@@ -574,9 +584,9 @@
+     char *directive;
+     char *value;
+     char *href_text;
+-    char *base;
+-    char *redirect;
+-    char *mapdflt;
++    const char *base;
++    const char *redirect;
++    const char *mapdflt;
+     char *closest = NULL;
+     double closest_yet = -1;
+     apr_status_t status;
+Index: apache2/modules/generators/mod_status.c
+===================================================================
+--- apache2.orig/modules/generators/mod_status.c
++++ apache2/modules/generators/mod_status.c
+@@ -409,7 +409,8 @@
+                  "<html><head>\n<title>Apache Status</title>\n</head><body>\n",
+                  r);
+         ap_rputs("<h1>Apache Server Status for ", r);
+-        ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL);
++        ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)),
++                  "</h1>\n\n", NULL);
+         ap_rvputs(r, "<dl><dt>Server Version: ",
+                   ap_get_server_description(), "</dt>\n", NULL);
+         ap_rvputs(r, "<dt>Server Built: ",
+Index: apache2/modules/generators/mod_info.c
+===================================================================
+--- apache2.orig/modules/generators/mod_info.c
++++ apache2/modules/generators/mod_info.c
+@@ -371,7 +371,8 @@
+                MODULE_MAGIC_NUMBER_MINOR);
+     ap_rprintf(r,
+                "<dt><strong>Hostname/port:</strong> "
+-               "<tt>%s:%u</tt></dt>\n", ap_get_server_name(r),
++               "<tt>%s:%u</tt></dt>\n",
++               ap_escape_html(r->pool, ap_get_server_name(r)),
+                ap_get_server_port(r));
+     ap_rprintf(r,
+                "<dt><strong>Timeouts:</strong> "
diff -Nru apache2-2.2.22/debian/patches/mod_log_forensic_693292.patch apache2-2.2.22/debian/patches/mod_log_forensic_693292.patch
--- apache2-2.2.22/debian/patches/mod_log_forensic_693292.patch	1970-01-01 01:00:00.000000000 +0100
+++ apache2-2.2.22/debian/patches/mod_log_forensic_693292.patch	2013-03-04 22:00:37.000000000 +0100
@@ -0,0 +1,20 @@
+http://svn.apache.org/viewvc?view=revision&revision=r1410954
+
+    Don't log a spurious "-" if a request has been rejected
+    before mod_log_forensic could attach its id to it.
+    
+    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693292
+
+diff --git a/modules/loggers/mod_log_forensic.c b/modules/loggers/mod_log_forensic.c
+index add3eb9..7cbb76d 100644
+--- a/modules/loggers/mod_log_forensic.c
++++ b/modules/loggers/mod_log_forensic.c
+@@ -240,7 +240,7 @@ static int log_after(request_rec *r)
+     apr_size_t l, n;
+     apr_status_t rv;
+ 
+-    if (!cfg->fd) {
++    if (!cfg->fd || id == NULL) {
+         return DECLINED;
+     }
+ 
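Review bot: The new `id == NULL` test in log_after carries no comment, and the reason id can be NULL (a request rejected before mod_log_forensic attached its id) lives only in the patch header. A short comment above the condition would keep that explanation with the code. Since this log is used for forensic comparison, the header should also confirm that such requests have no matching start entry, so that declining here cannot hide a request that was otherwise logged.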
diff -Nru apache2-2.2.22/debian/patches/series apache2-2.2.22/debian/patches/series
--- apache2-2.2.22/debian/patches/series	2012-10-30 00:55:55.000000000 +0100
+++ apache2-2.2.22/debian/patches/series	2013-03-04 22:00:37.000000000 +0100
@@ -33,3 +33,5 @@
 dbmmanage-perl-510.patch
 SSLProtocol-tls11-12.2.patch
 disable-ssl-compression.patch
+CVE-2012-3499_CVE-2012-4558_XSS.patch
+mod_log_forensic_693292.patch

--- End Message ---
--- Begin Message ---
On Sat, 2013-03-09 at 19:34 +0100, Stefan Fritsch wrote:
> Please unblock package apache2
> 
> It includes the security fixes from DSA-2637-1, a bug fix that I also
> intend to fix in squeeze via s-p-u, and a tiny doc fix. Changelog:

Unblocked this morning by Julien.

Regards,

Adam

--- End Message ---
