Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: opu
CVE-2013-1862 is a low impact security bug. It should be fixed via opu. Apache maintainers: Do you want to handle this yourself? Bastian diff -u apache2-2.2.16/debian/changelog apache2-2.2.16/debian/changelog --- apache2-2.2.16/debian/changelog +++ apache2-2.2.16/debian/changelog @@ -1,3 +1,11 @@ +apache2 (2.2.16-6+squeeze11.1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * Properly escape data written to rewrite log. + CVE-2013-1862 + + -- Bastian Blank <bastian.bl...@credativ.de> Tue, 07 Jan 2014 09:48:07 +0000 + apache2 (2.2.16-6+squeeze11) squeeze-security; urgency=high * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2 diff -u apache2-2.2.16/debian/patches/00list apache2-2.2.16/debian/patches/00list --- apache2-2.2.16/debian/patches/00list +++ apache2-2.2.16/debian/patches/00list @@ -48,0 +49 @@ +303_CVE-2013-1862.dpatch only in patch2: unchanged: --- apache2-2.2.16.orig/debian/patches/303_CVE-2013-1862.dpatch +++ apache2-2.2.16/debian/patches/303_CVE-2013-1862.dpatch @@ -0,0 +1,33 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## DP: *) SECURITY: CVE-2013-1862 (cve.mitre.org) +## DP: mod_rewrite: Ensure that client data written to the RewriteLog is +## DP: escaped to prevent terminal escape sequences from entering the +## DP: log file. [Joe Orton] +@DPATCH@ +--- a/modules/mappers/mod_rewrite.c (revision 1469310) ++++ b/modules/mappers/mod_rewrite.c (working copy) +@@ -500,11 +500,11 @@ + + logline = apr_psprintf(r->pool, "%s %s %s %s [%s/sid#%pp][rid#%pp/%s%s%s] " + "(%d) %s%s%s%s" APR_EOL_STR, +- rhost ? rhost : "UNKNOWN-HOST", +- rname ? rname : "-", +- r->user ? (*r->user ? r->user : "\"\"") : "-", ++ rhost ? ap_escape_logitem(r->pool, rhost) : "UNKNOWN-HOST", ++ rname ? ap_escape_logitem(r->pool, rname) : "-", ++ r->user ? (*r->user ? ap_escape_logitem(r->pool, r->user) : "\"\"") : "-", + current_logtime(r), +- ap_get_server_name(r), ++ ap_escape_logitem(r->pool, ap_get_server_name(r)), + (void *)(r->server), + (void *)r, + r->main ? "subreq" : "initial", +@@ -514,7 +514,7 @@ + perdir ? "[perdir " : "", + perdir ? perdir : "", + perdir ? "] ": "", +- text); ++ ap_escape_logitem(r->pool, text)); + + nbytes = strlen(logline); + apr_file_write(conf->rewritelogfp, logline, &nbytes); -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (990, 'testing'), (500, 'testing-updates'), (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash -- To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20140107102241.7529.91210.report...@lacehammer.credativ.lan