Bug#989683: unblock: apache2/2.4.46-5
Control: retitle -1 unblock: apache2/2.4.46-6
Le 10/06/2021 à 12:21, Yadd a écrit :
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: security@debian.org
>
> Please unblock package apache2
>
> [ Reason ]
> Apache2 is vulnerable to a denial of service due to a NULL pointer
> dereference on specially crafted HTTP/2 request (#989562,
> CVE-2021-31618)
>
> [ Impact ]
> Denial of service
>
> [ Tests ]
> No new test
>
> [ Risks ]
> Patch is really trivial
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> unblock apache2/2.4.46-5
I also added fixes for the other CVEs published with the 2.4.48 release. All
these patches are trivial.
Cheers,
Yadd
unblock apache2/2.4.46-6
diff --git a/debian/changelog b/debian/changelog
index 8a02325f..fa775057 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+apache2 (2.4.46-6) unstable; urgency=medium
+
+ * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452,
+ CVE-2021-26690, CVE-2021-26691, CVE-2021-30641)
+
+ -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 13:40:11 +0200
+
+apache2 (2.4.46-5) unstable; urgency=medium
+
+ * Fix "NULL pointer dereference on specially crafted HTTP/2 request"
+ (Closes: #989562, CVE-2021-31618)
+
+ -- Yadd <yadd@debian.org> Thu, 10 Jun 2021 11:57:38 +0200
+
apache2 (2.4.46-4) unstable; urgency=medium
* Ignore other random another test failures (Closes: #979664)
diff --git a/debian/patches/CVE-2020-13950.patch b/debian/patches/CVE-2020-13950.patch
new file mode 100644
index 00000000..cf0ef992
--- /dev/null
+++ b/debian/patches/CVE-2020-13950.patch
@@ -0,0 +1,28 @@
+Description: The proxy connection may be NULL during prefetch, don't try to dereference it!
+ Still origin->keepalive will be set according to p_conn->close by the caller
+ (proxy_http_handler).
+Author: Apache authors
+Origin: upstream, https://svn.apache.org/r1678771
+Bug: <url in upstream bugtracker>
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-10
+
+--- a/modules/proxy/mod_proxy_http.c
++++ b/modules/proxy/mod_proxy_http.c
+@@ -577,7 +577,6 @@
+ apr_off_t bytes;
+ int force10, rv;
+ apr_read_type_e block;
+- conn_rec *origin = p_conn->connection;
+
+ if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) {
+ if (req->expecting_100) {
+@@ -637,7 +636,6 @@
+ "chunked body with Content-Length (C-L ignored)",
+ c->client_ip, c->remote_host ? c->remote_host: "");
+ req->old_cl_val = NULL;
+- origin->keepalive = AP_CONN_CLOSE;
+ p_conn->close = 1;
+ }
+
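Review bot: The DEP-3 header line `Bug: <url in upstream bugtracker>` is an unfilled template placeholder; CVE-2020-35452.patch and CVE-2021-26690.patch likewise still carry `Description: <short summary of the patch>`, and CVE-2021-26691.patch has no Bug: field at all. The sibling patches already use the upstream advisory anchor, so the same form fits here: `Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-13950`. For the two placeholder Descriptions, a one-line summary of what each hunk changes (the nonce time-encoding check, the moved value tokenization) is what later security-tracker triage will read first. The mod_proxy_http.c function these two hunks edit starts and ends outside the hunk, so the remaining uses of `p_conn->close` that the Description relies on are not visible here.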
diff --git a/debian/patches/CVE-2020-35452.patch b/debian/patches/CVE-2020-35452.patch
new file mode 100644
index 00000000..52042108
--- /dev/null
+++ b/debian/patches/CVE-2020-35452.patch
@@ -0,0 +1,27 @@
+Description: <short summary of the patch>
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/3b6431e
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-35452
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-10
+
+--- a/modules/aaa/mod_auth_digest.c
++++ b/modules/aaa/mod_auth_digest.c
+@@ -1422,9 +1422,14 @@
+ time_rec nonce_time;
+ char tmp, hash[NONCE_HASH_LEN+1];
+
+- if (strlen(resp->nonce) != NONCE_LEN) {
++ /* Since the time part of the nonce is a base64 encoding of an
++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise.
++ */
++ if (strlen(resp->nonce) != NONCE_LEN
++ || resp->nonce[NONCE_TIME_LEN - 1] != '=') {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775)
+- "invalid nonce %s received - length is not %d",
++ "invalid nonce '%s' received - length is not %d "
++ "or time encoding is incorrect",
+ resp->nonce, NONCE_LEN);
+ note_digest_auth_failure(r, conf, resp, 1);
+ return HTTP_UNAUTHORIZED;
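Review bot: The added `resp->nonce[NONCE_TIME_LEN - 1]` read in the second `||` operand is only in bounds because the `strlen(resp->nonce) != NONCE_LEN` test before it short-circuits on any other length (assuming NONCE_TIME_LEN does not exceed NONCE_LEN, which the hunk does not show); the new comment explains the trailing '=' but not this ordering dependency. Suggest extending the comment with one line, `* (the length check must stay first: it bounds the index below)`, so a later reorder does not reintroduce an out-of-bounds read. The enclosing function continues past both ends of the hunk.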
diff --git a/debian/patches/CVE-2021-26690.patch b/debian/patches/CVE-2021-26690.patch
new file mode 100644
index 00000000..5ceec1fd
--- /dev/null
+++ b/debian/patches/CVE-2021-26690.patch
@@ -0,0 +1,20 @@
+Description: <short summary of the patch>
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/67bd9bfe
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-26690
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-10
+
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -405,8 +405,8 @@
+ char *plast = NULL;
+ const char *psep = "=";
+ char *key = apr_strtok(pair, psep, &plast);
+- char *val = apr_strtok(NULL, psep, &plast);
+ if (key && *key) {
++ char *val = apr_strtok(NULL, sep, &plast);
+ if (!val || !*val) {
+ apr_table_unset(z->entries, key);
+ }
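Review bot: The re-added `apr_strtok` call on the new side passes `sep` where the removed line passed `psep`, so the value now runs to the end of the pair instead of stopping at the next '='; this appears to match the upstream commit named in Origin, but it is a behaviour change beyond moving the call under the `if (key && *key)` check, and nothing in the patch header records it. Since `Description:` is still the template placeholder, suggest `Description: mod_session: tokenize the value only after the key is known to be non-empty, and let values contain '='`. The declaration of `sep` and the rest of the decode loop are outside the hunk.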
diff --git a/debian/patches/CVE-2021-26691.patch b/debian/patches/CVE-2021-26691.patch
new file mode 100644
index 00000000..2d786b16
--- /dev/null
+++ b/debian/patches/CVE-2021-26691.patch
@@ -0,0 +1,18 @@
+Description: mod_session: account for the '&' in identity_concat().
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/7e09dd71
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-10
+
+--- a/modules/session/mod_session.c
++++ b/modules/session/mod_session.c
+@@ -318,7 +318,7 @@
+ static int identity_count(void *v, const char *key, const char *val)
+ {
+ int *count = v;
+- *count += strlen(key) * 3 + strlen(val) * 3 + 1;
++ *count += strlen(key) * 3 + strlen(val) * 3 + 2;
+ return 1;
+ }
+
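Review bot: The changed line `*count += strlen(key) * 3 + strlen(val) * 3 + 2;` encodes a sizing contract (worst-case escaping of key and value plus two separator bytes) that only the patch Description explains, and the Description is not part of the built source. Suggest a comment directly above it: `/* worst case: every byte of key and val escapes to %XX, plus '=' and '&' */`. The caller that allocates from `count` (identity_concat per the Description) is outside the hunk, so whether it also adds the terminating NUL cannot be checked here.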
diff --git a/debian/patches/CVE-2021-30641.patch b/debian/patches/CVE-2021-30641.patch
new file mode 100644
index 00000000..7486e1b3
--- /dev/null
+++ b/debian/patches/CVE-2021-30641.patch
@@ -0,0 +1,50 @@
+Description: legacy default slash-matching behavior w/ 'MergeSlashes OFF'
+Author: Apache authors
+Origin: upstream, https://github.com/apache/httpd/commit/eb986059
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-30641
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-10
+
+--- a/server/request.c
++++ b/server/request.c
+@@ -1419,7 +1419,20 @@
+
+ cache = prep_walk_cache(AP_NOTE_LOCATION_WALK, r);
+ cached = (cache->cached != NULL);
+- entry_uri = r->uri;
++
++ /*
++ * When merge_slashes is set to AP_CORE_CONFIG_OFF the slashes in r->uri
++ * have not been merged. But for Location walks we always go with merged
++ * slashes no matter what merge_slashes is set to.
++ */
++ if (sconf->merge_slashes != AP_CORE_CONFIG_OFF) {
++ entry_uri = r->uri;
++ }
++ else {
++ char *uri = apr_pstrdup(r->pool, r->uri);
++ ap_no2slash(uri);
++ entry_uri = uri;
++ }
+
+ /* If we have an cache->cached location that matches r->uri,
+ * and the vhost's list of locations hasn't changed, we can skip
+@@ -1486,7 +1499,7 @@
+ pmatch = apr_palloc(rxpool, nmatch*sizeof(ap_regmatch_t));
+ }
+
+- if (ap_regexec(entry_core->r, entry_uri, nmatch, pmatch, 0)) {
++ if (ap_regexec(entry_core->r, r->uri, nmatch, pmatch, 0)) {
+ continue;
+ }
+
+@@ -1496,7 +1509,7 @@
+ apr_table_setn(r->subprocess_env,
+ ((const char **)entry_core->refs->elts)[i],
+ apr_pstrndup(r->pool,
+- entry_uri + pmatch[i].rm_so,
++ r->uri + pmatch[i].rm_so,
+ pmatch[i].rm_eo - pmatch[i].rm_so));
+ }
+ }
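Review bot: The new comment above the `sconf->merge_slashes` test says Location walks "always go with merged slashes", but the second and third hunks switch the `ap_regexec` match and the `apr_pstrndup` capture extraction from `entry_uri` to `r->uri`, so regex entries are now matched against the unmerged URI when MergeSlashes is OFF. Suggest amending the comment, e.g. `* Literal <Location> entries are compared against the merged copy; <LocationMatch> regexes below run on the raw r->uri.` `sconf` is not declared in any of these hunks, so the change assumes it is already in scope in the enclosing walk function, whose start and end lie outside the hunk.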
diff --git a/debian/patches/CVE-2021-31618.patch b/debian/patches/CVE-2021-31618.patch
new file mode 100644
index 00000000..12d59c8b
--- /dev/null
+++ b/debian/patches/CVE-2021-31618.patch
@@ -0,0 +1,20 @@
+Description: fix NULL pointer dereference on specially crafted HTTP/2 request
+Author: Upstream
+Origin: upstream, http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759
+Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618
+Bug-Debian: https://bugs.debian.org/989562
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-06-10
+
+--- a/modules/http2/h2_stream.c
++++ b/modules/http2/h2_stream.c
+@@ -638,7 +638,7 @@
+
+ static void set_error_response(h2_stream *stream, int http_status)
+ {
+- if (!h2_stream_is_ready(stream)) {
++ if (!h2_stream_is_ready(stream) && stream->rtmp) {
+ conn_rec *c = stream->session->c;
+ apr_bucket *b;
+ h2_headers *response;
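Review bot: The added `&& stream->rtmp` condition silently skips building the error response when `rtmp` is NULL, and nothing at the call site says why that is the right outcome rather than a second failure mode. Suggest a comment above the `if`, `/* no request headers (rtmp) yet: nothing to attach the error response to, see CVE-2021-31618 */`, so the guard is not "simplified" away later. set_error_response's body continues past the hunk.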
diff --git a/debian/patches/series b/debian/patches/series
index 20bc4b61..8596c419 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,9 @@ tlsv13-add-logno.diff
# This patch is applied manually
#suexec-custom.patch
spelling-errors.diff
+CVE-2021-31618.patch
+CVE-2021-30641.patch
+CVE-2021-26691.patch
+CVE-2021-26690.patch
+CVE-2020-35452.patch
+CVE-2020-13950.patch