From c8a5e836fb1a9f1a5dd3f225ce8bcbee16071883 Mon Sep 17 00:00:00 2001 From: tron Date: Sun, 4 Oct 2009 12:21:34 +0000 Subject: Add patch from the Apache SVN repository to the vulnerability reported in CVE-2009-3095. --- www/apache22/Makefile | 4 ++-- www/apache22/distinfo | 4 ++-- www/apache22/patches/patch-ab | 33 +++++++++++++++++++++++---------- 3 files changed, 27 insertions(+), 14 deletions(-) diff --git a/www/apache22/Makefile b/www/apache22/Makefile index 58005c421aa..11e5fa3be5a 100644 --- a/www/apache22/Makefile +++ b/www/apache22/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.51 2009/09/14 22:09:33 tron Exp $ +# $NetBSD: Makefile,v 1.52 2009/10/04 12:21:34 tron Exp $ DISTNAME= httpd-2.2.13 PKGNAME= ${DISTNAME:S/httpd/apache/} -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_APACHE:=httpd/} \ ${MASTER_SITE_APACHE:=httpd/old/} diff --git a/www/apache22/distinfo b/www/apache22/distinfo index 4e256b63e87..ab732344cf1 100644 --- a/www/apache22/distinfo +++ b/www/apache22/distinfo @@ -1,10 +1,10 @@ -$NetBSD: distinfo,v 1.26 2009/09/14 22:09:33 tron Exp $ +$NetBSD: distinfo,v 1.27 2009/10/04 12:21:34 tron Exp $ SHA1 (httpd-2.2.13.tar.bz2) = 44d85da1b8e6c579d4514cfefbea00b284717b69 RMD160 (httpd-2.2.13.tar.bz2) = 4a6a2247cc118175a9a36f1e14344ee71da24627 Size (httpd-2.2.13.tar.bz2) = 5300199 bytes SHA1 (patch-aa) = 40f5f687a1217b8d6684dc610d3d4c430f635cbf -SHA1 (patch-ab) = 4427989bec4faadbd64c46dced5e57b4d6649270 +SHA1 (patch-ab) = 6aec00f6dc38eee2e8648b4e95df3dbf166ac548 SHA1 (patch-ac) = 515043b5c215d49fe8f6d3191b502c978e2a2dad SHA1 (patch-ad) = 088d6ff0e7a8acfe70b4f85a6ce58d42c935fd13 SHA1 (patch-ae) = 86b307d6eefef232b6223afc3f69e64be40bd913 diff --git a/www/apache22/patches/patch-ab b/www/apache22/patches/patch-ab index c8ab19d9f2f..910c2b6c7c3 100644 --- a/www/apache22/patches/patch-ab +++ b/www/apache22/patches/patch-ab 
@@ -1,12 +1,13 @@ -$NetBSD: patch-ab,v 1.13 2009/09/14 22:09:33 tron Exp $ +$NetBSD: patch-ab,v 1.14 2009/10/04 12:21:35 tron Exp $ -Fix for CVE-2009-3094 taken from the Apache SVN repository: +Fixes for CVE-2009-3094 and CVE-2009-3095 taken from the Apache SVN repository: -http://svn.apache.org/viewvc?view=rev&revision=814652 +http://svn.apache.org/viewvc?view=rev&revision=814844 +http://svn.apache.org/viewvc?view=rev&revision=814847 ---- modules/proxy/mod_proxy_ftp.c 2009/09/14 14:15:34 814651 -+++ modules/proxy/mod_proxy_ftp.c 2009/09/14 14:16:14 814652 -@@ -683,6 +683,31 @@ +--- modules/proxy/mod_proxy_ftp.c.orig 2008-11-11 20:04:34.000000000 +0000 ++++ modules/proxy/mod_proxy_ftp.c 2009-10-04 12:49:43.000000000 +0100 +@@ -604,6 +604,31 @@ return APR_SUCCESS; } @@ -38,7 +39,19 @@ http://svn.apache.org/viewvc?view=rev&revision=814652 /* * Generic "send FTP command to server" routine, using the control socket. * Returns the FTP returncode (3 digit code) -@@ -1296,26 +1321,11 @@ +@@ -887,6 +912,11 @@ + if ((password = apr_table_get(r->headers_in, "Authorization")) != NULL + && strcasecmp(ap_getword(r->pool, &password, ' '), "Basic") == 0 + && (password = ap_pbase64decode(r->pool, password))[0] != ':') { ++ /* Check the decoded string for special characters. */ ++ if (!ftp_check_string(password)) { ++ return ap_proxyerror(r, HTTP_BAD_REQUEST, ++ "user credentials contained invalid character"); ++ } + /* + * Note that this allocation has to be made from r->connection->pool + * because it has the lifetime of the connection. The other +@@ -1210,26 +1240,11 @@ return ftp_proxyerror(r, backend, HTTP_BAD_GATEWAY, ftpmessage); } else if (rc == 229) { @@ -68,7 +81,7 @@ http://svn.apache.org/viewvc?view=rev&revision=814652 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "proxy: FTP: EPSV contacting remote host on port %d", -@@ -1356,10 +1366,6 @@ +@@ -1272,10 +1287,6 @@ connect = 1; } } 
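Review bot: The added `ftp_check_string(password)` call in the `@@ -887,6 +912,11 @@` hunk of patch-ab guards only the `Authorization: Basic` branch, and the one-line comment above it does not say which characters are rejected or why. `ftp_check_string` is defined outside this diff, so confirm that it rejects CR and LF, since the decoded `user:password` pair is presumably what later goes into the USER and PASS commands on the control socket. I would expand the comment to something like `/* Reject CR/LF in the decoded user:password pair before it reaches the FTP control connection (CVE-2009-3095). */`. Credentials taken from the request URL are handled outside the hunk, so check that they pass through the same test. The enclosing handler starts and ends outside the hunk.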
@@ -79,7 +92,7 @@ http://svn.apache.org/viewvc?view=rev&revision=814652 } } -@@ -1446,10 +1452,6 @@ +@@ -1364,10 +1375,6 @@ connect = 1; } } @@ -90,7 +103,7 @@ http://svn.apache.org/viewvc?view=rev&revision=814652 } } /*bypass:*/ -@@ -1929,7 +1931,9 @@ +@@ -1851,7 +1858,9 @@ * for a slow client to eat these bytes */ ap_flush_conn(data); -- cgit v1.2.3