Package: apache2 Version: 2.4.4-6 Severity: normal Tags: patch User: ubuntu-de...@lists.ubuntu.com Usertags: origin-ubuntu saucy ubuntu-patch
*** /tmp/tmp5THIhe/bug_body In Ubuntu, the attached patch was applied to achieve the following: * SECURITY UPDATE: denial of service via MERGE request - debian/patches/CVE-2013-1896.patch: make sure DAV is enabled for URI in modules/dav/main/mod_dav.c. - CVE-2013-1896 Thanks for considering the patch. -- System Information: Debian Release: wheezy/sid APT prefers raring-updates APT policy: (500, 'raring-updates'), (500, 'raring-security'), (500, 'raring'), (100, 'raring-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.8.0-26-generic (SMP w/4 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash
diff -Nru apache2-2.4.4/debian/patches/CVE-2013-1896.patch apache2-2.4.4/debian/patches/CVE-2013-1896.patch --- apache2-2.4.4/debian/patches/CVE-2013-1896.patch 1969-12-31 19:00:00.000000000 -0500 +++ apache2-2.4.4/debian/patches/CVE-2013-1896.patch 2013-07-18 11:21:47.000000000 -0400 @@ -0,0 +1,32 @@ +Description: fix denial of service via MERGE request +Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1486461 + +Index: apache2-2.4.4/modules/dav/main/mod_dav.c +=================================================================== +--- apache2-2.4.4.orig/modules/dav/main/mod_dav.c 2011-12-04 19:08:01.000000000 -0500 ++++ apache2-2.4.4/modules/dav/main/mod_dav.c 2013-07-18 11:20:33.353180556 -0400 +@@ -707,6 +707,12 @@ + + conf = ap_get_module_config(r->per_dir_config, &dav_module); + /* assert: conf->provider != NULL */ ++ if (conf->provider == NULL) { ++ return dav_new_error(r->pool, HTTP_METHOD_NOT_ALLOWED, 0, 0, ++ apr_psprintf(r->pool, ++ "DAV not enabled for %s", ++ ap_escape_html(r->pool, r->uri))); ++ } + + /* resolve the resource */ + err = (*conf->provider->repos->get_resource)(r, conf->dir, +@@ -2683,11 +2689,6 @@ + "Destination URI had an error."); + } + +- if (dav_get_provider(lookup.rnew) == NULL) { +- return dav_error_response(r, HTTP_METHOD_NOT_ALLOWED, +- "DAV not enabled for Destination URI."); +- } +- + /* Resolve destination resource */ + err = dav_get_resource(lookup.rnew, 0 /* label_allowed */, + 0 /* use_checked_in */, &resnew); diff -Nru apache2-2.4.4/debian/patches/series apache2-2.4.4/debian/patches/series --- apache2-2.4.4/debian/patches/series 2013-07-02 09:33:25.000000000 -0400 +++ apache2-2.4.4/debian/patches/series 2013-07-18 11:20:09.000000000 -0400 @@ -20,3 +20,4 @@ itk-rerun-configure.patch upstream-fixes allow-strtoul.patch +CVE-2013-1896.patch