Bug#942143: buster-pu: package apache2/2.4.38-3+deb10u2
On 10/10/2019 at 22:04, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
> Hi,
>
> CVE-2019-10092 patch added a regression (#941202). This patch fixes it
> (taken from
> https://svn.apache.org/viewvc/httpd/httpd/trunk/modules/proxy/mod_proxy_balancer.c?r1=1865749&r2=1865748&pathrev=1865749)
>
> Cheers,
> Xavier
I forgot the debdiff, sorry.
diff --git a/debian/changelog b/debian/changelog
index 4fa219d6..14ffbf5e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+apache2 (2.4.38-3+deb10u2) buster; urgency=medium
+
+ * Fix CVE-2019-10092 patch (Closes: #941202)
+
+ -- Xavier Guimard <yadd@debian.org> Thu, 10 Oct 2019 21:59:32 +0200
+
apache2 (2.4.38-3+deb10u1) buster-security; urgency=high
* Add patch to limit cross-site scripting in mod_proxy (Closes: CVE-2019-10092)
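Review bot: the new changelog entry `* Fix CVE-2019-10092 patch (Closes: #941202)` says that the earlier patch is being corrected but not what was wrong or how, and for a stable update the entry is what the release team and users rely on to judge impact. Suggest naming the regression, e.g. `* mod_proxy_balancer: compare the Referer host with the server name case-insensitively, fixing a regression introduced by the CVE-2019-10092 patch (Closes: #941202)`, and mentioning that the fix is upstream r1865749, the revision cited in the request above.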
diff --git a/debian/patches/CVE-2019-10092.patch b/debian/patches/CVE-2019-10092.patch
index a558173f..e6bb1c52 100644
--- a/debian/patches/CVE-2019-10092.patch
+++ b/debian/patches/CVE-2019-10092.patch
@@ -1,10 +1,11 @@
Description: Fix for CVE-2019-10092
+ Added also patch to fix #941202
Author: Stefan Eissing
Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1864787
Bug: https://security-tracker.debian.org/tracker/CVE-2019-10092
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
-Last-Update: 2019-08-17
+Last-Update: 2019-10-10
--- a/modules/proxy/mod_proxy_balancer.c
+++ b/modules/proxy/mod_proxy_balancer.c
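Review bot: the DEP-3 header is now out of date: `Origin:` still points only at r1864787 although the file now also carries the follow-up change from r1865749 (the URL given in the request above), and `Bug:` references only the CVE tracker. Suggest listing both upstream revisions under `Origin:` and adding `Bug-Debian: https://bugs.debian.org/941202` so the regression report is traceable from the patch itself; the added `Added also patch to fix #941202` line would also be clearer as `Also includes upstream r1865749, which fixes the regression reported in #941202`.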
@@ -21,7 +22,7 @@ Last-Update: 2019-08-17
+ if (apr_uri_parse(r->pool, ref, &uri) || !uri.hostname)
+ return 0;
+
-+ return strcmp(uri.hostname, ap_get_server_name(r)) == 0;
++ return strcasecmp(uri.hostname, ap_get_server_name(r)) == 0;
+}
+
/* Manages the loadfactors and member status
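Review bot: the effective change in this hunk is `strcmp` to `strcasecmp` in the Referer hostname check, which is the right fix: DNS hostnames are case-insensitive, so a Referer host such as `EXAMPLE.org` must be accepted for a server name of `example.org`, and the exact-match `strcmp` introduced by the CVE-2019-10092 patch rejected any Referer whose host differed from `ap_get_server_name(r)` only in case. The earlier `apr_uri_parse` and `!uri.hostname` guards are unchanged, so a missing or unparsable Referer is still rejected and the cross-site check keeps its intent. Two reading aids for other reviewers: the `-+`/`++` prefixes are the outer debdiff editing the inner patch's `+` lines, and the `Last-Update: 2019-08-17` text in the `@@` header is stale context picked up from the old file, not a conflict with the date change in the previous hunk.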