-rw-r--r--www/apache/patches/patch-core-40445
-rw-r--r--www/apache/patches/patch-proxy-segv19
2 files changed, 64 insertions, 0 deletions
diff --git a/www/apache/patches/patch-core-404 b/www/apache/patches/patch-core-404
new file mode 100644
index 00000000000..6a1e7dcd8b0
--- /dev/null
+++ b/www/apache/patches/patch-core-404
@@ -0,0 +1,45 @@
+This patch fixes a potential denial-of-service vulnerability in
+Apache 1.3.2 and 1.3.3. It is strongly recommended that you apply
+it or upgrade to a more recent version of Apache when it is available.
+
+Thanks to Studenten Net Twente for finding and reporting the problem.
+
+Index: include/http_log.h
+===================================================================
+RCS file: /home/cvs/apache-1.3/src/include/http_log.h,v
+retrieving revision 1.31
+diff -u -r1.31 http_log.h
+--- src/include/http_log.h 1998/08/06 17:30:24 1.31
++++ src/include/http_log.h 1998/10/30 02:23:06
+@@ -105,6 +105,15 @@
+ #define APLOG_MARK __FILE__,__LINE__
+
+ void ap_open_logs (server_rec *, pool *p);
++
++/* The two primary logging functions, ap_log_error and ap_log_rerror,
++ * use a printf style format string to build the log message. It is
++ * VERY IMPORTANT that you not include any raw data from the network,
++ * such as the request-URI or request header fields, within the format
++ * string. Doing so makes the server vulnerable to a denial-of-service
++ * attack and other messy behavior. Instead, use a simple format string
++ * like "%s", followed by the string containing the untrusted data.
++ */
+ API_EXPORT(void) ap_log_error(const char *file, int line, int level,
+ const server_rec *s, const char *fmt, ...)
+ __attribute__((format(printf,5,6)));
+Index: main/http_core.c
+===================================================================
+RCS file: /home/cvs/apache-1.3/src/main/http_core.c,v
+retrieving revision 1.237
+diff -u -r1.237 http_core.c
+--- src/main/http_core.c 1998/10/23 20:07:39 1.237
++++ src/main/http_core.c 1998/10/30 02:23:07
+@@ -2783,7 +2783,7 @@
+ else {
+ emsg = ap_pstrcat(r->pool, emsg, r->filename, r->path_info, NULL);
+ }
+- ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, emsg);
++ ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_NOERRNO, r, "%s", emsg);
+ return HTTP_NOT_FOUND;
+ }
+ if (r->method_number != M_GET) {
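Review bot: The embedded http_core.c hunk corrects only the one `ap_log_rerror` call that passed `emsg` as the format string, so any other `ap_log_error`/`ap_log_rerror` caller that builds its format from request data is left as it was; none are visible here, so this needs a search of the source tree and of locally built modules. Since the `ap_log_error` prototype shown already carries `__attribute__((format(printf,5,6)))`, building with GCC's `-Wformat -Wformat-security` would flag remaining non-literal format arguments at compile time. The new http_log.h comment also understates the risk by naming only denial of service: a printf-style format taken from the network is a memory-safety problem, and wording such as `Doing so lets a client crash the server or corrupt its memory.` would say so. The function containing the changed call starts and ends outside the embedded hunk.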
diff --git a/www/apache/patches/patch-proxy-segv b/www/apache/patches/patch-proxy-segv
new file mode 100644
index 00000000000..cd40514f526
--- /dev/null
+++ b/www/apache/patches/patch-proxy-segv
@@ -0,0 +1,19 @@
+This patch fixes a segmentation violation in mod_proxy when a
+response is non-cachable. Problem reported by Doug Bloebaum.
+
+Index: modules/proxy/proxy_util.c
+===================================================================
+RCS file: /home/cvs/apache-1.3/src/modules/proxy/proxy_util.c,v
+retrieving revision 1.70
+diff -u -r1.70 proxy_util.c
+--- src/modules/proxy/proxy_util.c 1998/08/31 19:51:59 1.70
++++ src/modules/proxy/proxy_util.c 1998/10/09 16:21:14
+@@ -581,7 +581,7 @@
+ ap_reset_timeout(r);
+
+ if (w <= 0) {
+- if (c != NULL) {
++ if (c != NULL && c->fp != NULL) {
+ /* when a send failure occurs, we need to decide
+ * whether to continue loading and caching the
+ * document, or to abort the whole thing
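Review bot: The added `c->fp != NULL` test in the proxy_util.c hunk is not explained where it is made, and the existing comment below it speaks only of send failures. A line such as `/* c->fp is NULL when the response is not being cached */` above the condition would record why the second check is needed; that reading comes from the patch description, so confirm it against the cache code. When the guard fails, control now goes to whatever follows this `if` block, which starts and ends outside the hunk, so it is worth checking that a cache entry with no open file is still handled cleanly on the `w <= 0` path.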