authorStefan Fritsch <sf@sfritsch.de>2016-07-20 08:43:31 +0200
committerStefan Fritsch <sf@sfritsch.de>2016-07-21 23:21:31 +0200
commit78f36a97328572ae9d0fb84d6a6c20bc5e0ec80f (patch)
treeca8030482c9836a8a192564f86b43c2984b3dcb1
parent78fc8f58f528e9f827da90643564d16ffbf28199 (diff)
Add mitigation for HTTP_PROXY envvar issue
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/CVE-2016-5387.patch17
-rw-r--r--debian/patches/series1
3 files changed, 26 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index da97fd8b..665b6900 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.4.23-2) UNRELEASED; urgency=high
+
+ * CVE-2016-5387: Sets environmental variable based on user supplied Proxy
+ request header.
+ Don't pass through HTTP_PROXY in server/util_script.c
+
+ -- Stefan Fritsch <sf@debian.org> Thu, 21 Jul 2016 23:19:29 +0200
+
apache2 (2.4.23-1) unstable; urgency=high
* New upstream release
diff --git a/debian/patches/CVE-2016-5387.patch b/debian/patches/CVE-2016-5387.patch
new file mode 100644
index 00000000..7badf022
--- /dev/null
+++ b/debian/patches/CVE-2016-5387.patch
@@ -0,0 +1,17 @@
+--- apache2.orig/server/util_script.c
++++ apache2/server/util_script.c
+@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(requ
+ else if (!strcasecmp(hdrs[i].key, "Content-length")) {
+ apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
+ }
++ /* HTTP_PROXY collides with a popular envvar used to configure
++ * proxies, don't let clients set/override it. But, if you must...
++ */
++#ifndef SECURITY_HOLE_PASS_PROXY
++ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
++ ;
++ }
++#endif
+ /*
+ * You really don't want to disable this check, since it leaves you
+ * wide open to CGIs stealing passwords and people viewing them
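Review bot: The new debian/patches/CVE-2016-5387.patch starts directly at the `--- apache2.orig/server/util_script.c` line with no DEP-3 header, so the patch itself does not say what it fixes or where it came from; that is recorded only in the changelog entry of this commit. A header of the form `Description: CVE-2016-5387: do not export the client-supplied Proxy request header to CGI as HTTP_PROXY`, plus an `Origin:` line if the hunk was taken from upstream and a `Bug-Debian:`/`Bug:` line if one exists, would keep the rationale with the code. In the hunk the added `else if (!strcasecmp(hdrs[i].key, "Proxy")) { ; }` works only because of its position in the else-if chain inside ap_add_common_vars, which starts and continues outside the hunk; a one-line `/* intentionally not exported */` inside the braces would make the empty body self-explanatory if the comment block above it is ever moved. The `#ifndef SECURITY_HOLE_PASS_PROXY` guard means the mitigation can be compiled out, which is worth a mention in the patch description so packagers do not enable it unknowingly.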
diff --git a/debian/patches/series b/debian/patches/series
index 4a1b9140..6c75e38e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@ reproducible_builds.diff
#suexec-custom.patch
fix_logresolve_segfault.patch
+CVE-2016-5387.patch