Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package apache2

It includes the security fixes from DSA-2637-1, a bug fix that I also intend to fix in squeeze via s-p-u, and a tiny doc fix.

Changelog:

apache2 (2.2.22-13) unstable; urgency=medium

  [ Stefan Fritsch ]
  * Urgency medium for security fixes.
  * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2
  * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules.
  * mod_log_forensic: Fix spurious '-' characters being logged, causing
    false positives. Closes: #693292

  [ Arno Töll ]
  * Document APACHE_ARGUMENTS in envvars (Closes: #693299)

 -- Stefan Fritsch <s...@debian.org>  Mon, 04 Mar 2013 22:21:05 +0100

Debdiff is attached. Thanks in advance.

unblock apache2/2.2.22-13
diff -Nru apache2-2.2.22/debian/apache2ctl apache2-2.2.22/debian/apache2ctl --- apache2-2.2.22/debian/apache2ctl 2012-10-30 00:55:55.000000000 +0100 +++ apache2-2.2.22/debian/apache2ctl 2013-03-04 22:20:35.000000000 +0100 @@ -104,10 +104,35 @@ fi } +mkdir_chown () { + local OWNER="$1" + local DIR="$2" + local STAT="$(LC_ALL=C stat -c %F:%U $DIR 2> /dev/null || true)" + if [ "$STAT" = "" ] ; then + local TMPNAME=$(mktemp -d $DIR.XXXXXXXXXX) || exit 1 + chmod 755 $TMPNAME || exit 1 + chown $OWNER $TMPNAME || exit 1 + if ! mv -T $TMPNAME $DIR 2> /dev/null; then + rmdir $TMPNAME + # check for race with other apachectl + if [ "$(LC_ALL=C stat -c %F:%U $DIR 2>/dev/null)" != "directory:$OWNER" ] + then + echo Cannot create $DIR with owner $OWNER. + echo Please fix manually. Aborting. + exit 1 + fi + fi + elif [ "$STAT" != "directory:$OWNER" ] ; then + echo $DIR already exists but is not a directory owned by $OWNER. + echo Please fix manually. Aborting. + exit 1 + fi +} + case $ARGV in start) mkdir -p ${APACHE_RUN_DIR:-/var/run/apache2} - install -d -o ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2} + mkdir_chown ${APACHE_RUN_USER:-www-data} ${APACHE_LOCK_DIR:-/var/lock/apache2} # ssl_scache shouldn't be here if we're just starting up. # (this is bad if there are several apache2 instances running) rm -f ${APACHE_RUN_DIR:-/var/run/apache2}/*ssl_scache* diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog --- apache2-2.2.22/debian/changelog 2012-10-31 00:24:01.000000000 +0100 +++ apache2-2.2.22/debian/changelog 2013-03-04 22:21:05.000000000 +0100 
@@ -1,3 +1,17 @@ +apache2 (2.2.22-13) unstable; urgency=medium + + [ Stefan Fritsch ] + * Urgency medium for security fixes. + * CVE-2013-1048: Fix symlink vulnerability when creating /var/lock/apache2 + * CVE-2012-3499, CVE-2012-4558: Fix XSS flaws in various modules. + * mod_log_forensic: Fix spurious '-' characters being logged, causing + false positives. Closes: #693292 + + [ Arno Töll ] + * Document APACHE_ARGUMENTS in envvars (Closes: #693299) + + -- Stefan Fritsch <s...@debian.org> Mon, 04 Mar 2013 22:21:05 +0100 + apache2 (2.2.22-12) unstable; urgency=low * Backport mod_ssl "SSLCompression on|off" flag from upstream. The default is diff -Nru apache2-2.2.22/debian/config-dir/envvars apache2-2.2.22/debian/config-dir/envvars --- apache2-2.2.22/debian/config-dir/envvars 2012-10-30 00:55:55.000000000 +0100 +++ apache2-2.2.22/debian/config-dir/envvars 2013-03-04 22:00:37.000000000 +0100 @@ -35,3 +35,8 @@ ## If you need a higher file descriptor limit, uncomment and adjust the ## following line (default is 8192): #APACHE_ULIMIT_MAX_FILES='ulimit -n 65536' + + +## If you would like to pass arguments to the web server, add them below +## to the APACHE_ARGUMENTS environment. +#export APACHE_ARGUMENTS='' diff -Nru apache2-2.2.22/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch apache2-2.2.22/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch --- apache2-2.2.22/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch 1970-01-01 01:00:00.000000000 +0100 +++ apache2-2.2.22/debian/patches/CVE-2012-3499_CVE-2012-4558_XSS.patch 2013-03-04 22:00:37.000000000 +0100 
@@ -0,0 +1,204 @@ +# http://svn.apache.org/viewvc?view=revision&revision=r1447390 +# +# *) SECURITY: CVE-2012-3499 (cve.mitre.org) +# Various XSS flaws due to unescaped hostnames and URIs HTML output in +# mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp. +# [Jim Jagielski, Stefan Fritsch, Niels Heinen <heinenn google com>] +# +# *) SECURITY: CVE-2012-4558 (cve.mitre.org) +# XSS in mod_proxy_balancer manager interface. [Jim Jagielski, +# Niels Heinen <heinenn google com>] +Index: apache2/modules/ldap/util_ldap_cache_mgr.c +=================================================================== +--- apache2.orig/modules/ldap/util_ldap_cache_mgr.c ++++ apache2/modules/ldap/util_ldap_cache_mgr.c +@@ -541,7 +541,7 @@ + if (id) { + buf2 = apr_psprintf(p, + "<a href=\"%s?%s\">%s</a>", +- r->uri, ++ ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri)), + id, + name); + } +Index: apache2/modules/proxy/mod_proxy_balancer.c +=================================================================== +--- apache2.orig/modules/proxy/mod_proxy_balancer.c ++++ apache2/modules/proxy/mod_proxy_balancer.c +@@ -818,7 +818,8 @@ + ap_rputs(DOCTYPE_HTML_3_2 + "<html><head><title>Balancer Manager</title></head>\n", r); + ap_rputs("<body><h1>Load Balancer Manager for ", r); +- ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL); ++ ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)), ++ "</h1>\n\n", NULL); + ap_rvputs(r, "<dl><dt>Server Version: ", + ap_get_server_description(), "</dt>\n", NULL); + ap_rvputs(r, "<dt>Server Built: ", +@@ -853,7 +854,8 @@ + worker = (proxy_worker *)balancer->workers->elts; + for (n = 0; n < balancer->workers->nelts; n++) { + char fbuf[50]; +- ap_rvputs(r, "<tr>\n<td><a href=\"", r->uri, "?b=", ++ ap_rvputs(r, "<tr>\n<td><a href=\"", ++ ap_escape_uri(r->pool, r->uri), "?b=", + balancer->name + sizeof("balancer://") - 1, "&w=", + ap_escape_uri(r->pool, worker->name), + "&nonce=", balancer_nonce, +@@ -894,7 +896,7 @@ + ap_rputs("<h3>Edit 
worker settings for ", r); + ap_rvputs(r, wsel->name, "</h3>\n", NULL); + ap_rvputs(r, "<form method=\"GET\" action=\"", NULL); +- ap_rvputs(r, r->uri, "\">\n<dl>", NULL); ++ ap_rvputs(r, ap_escape_uri(r->pool, r->uri), "\">\n<dl>", NULL); + ap_rputs("<table><tr><td>Load factor:</td><td><input name=\"lf\" type=text ", r); + ap_rprintf(r, "value=\"%d\"></td></tr>\n", wsel->s->lbfactor); + ap_rputs("<tr><td>LB Set:</td><td><input name=\"ls\" type=text ", r); +Index: apache2/modules/proxy/mod_proxy_ftp.c +=================================================================== +--- apache2.orig/modules/proxy/mod_proxy_ftp.c ++++ apache2/modules/proxy/mod_proxy_ftp.c +@@ -365,7 +365,9 @@ + " </head>\n" + " <body>\n <h2>Directory of " + "<a href=\"/\">%s</a>/%s", +- site, basedir, escpath, site, basedir, escpath, site, str); ++ ap_escape_html(p, site), basedir, escpath, ++ ap_escape_uri(p, site), basedir, escpath, ++ ap_escape_uri(p, site), str); + + APR_BRIGADE_INSERT_TAIL(out, apr_bucket_pool_create(str, strlen(str), + p, c->bucket_alloc)); +Index: apache2/modules/mappers/mod_imagemap.c +=================================================================== +--- apache2.orig/modules/mappers/mod_imagemap.c ++++ apache2/modules/mappers/mod_imagemap.c +@@ -320,7 +320,7 @@ + /* + * returns the mapped URL or NULL. + */ +-static char *imap_url(request_rec *r, const char *base, const char *value) ++static const char *imap_url(request_rec *r, const char *base, const char *value) + { + /* translates a value into a URL. */ + int slen, clen; +@@ -342,7 +342,7 @@ + if (!strcasecmp(value, "referer")) { + referer = apr_table_get(r->headers_in, "Referer"); + if (referer && *referer) { +- return ap_escape_html(r->pool, referer); ++ return referer; + } + else { + /* XXX: This used to do *value = '\0'; ... 
which is totally bogus +@@ -459,7 +459,7 @@ + return my_base; + } + +-static int imap_reply(request_rec *r, char *redirect) ++static int imap_reply(request_rec *r, const char *redirect) + { + if (!strcasecmp(redirect, "error")) { + /* they actually requested an error! */ +@@ -523,42 +523,52 @@ + 'formatted' form */ + } + +-static void menu_default(request_rec *r, char *menu, char *href, char *text) ++static void menu_default(request_rec *r, const char *menu, const char *href, const char *text) + { ++ char *ehref, *etext; + if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) { + return; /* don't print such lines, these aren't + really href's */ + } ++ ++ ehref = ap_escape_uri(r->pool, href); ++ etext = ap_escape_html(r->pool, text); ++ + if (!strcasecmp(menu, "formatted")) { +- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text, ++ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext, + "</a></pre>\n", NULL); + } + if (!strcasecmp(menu, "semiformatted")) { +- ap_rvputs(r, "<pre>(Default) <a href=\"", href, "\">", text, ++ ap_rvputs(r, "<pre>(Default) <a href=\"", ehref, "\">", etext, + "</a></pre>\n", NULL); + } + if (!strcasecmp(menu, "unformatted")) { +- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL); ++ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL); + } + return; + } + +-static void menu_directive(request_rec *r, char *menu, char *href, char *text) ++static void menu_directive(request_rec *r, const char *menu, const char *href, const char *text) + { ++ char *ehref, *etext; + if (!strcasecmp(href, "error") || !strcasecmp(href, "nocontent")) { + return; /* don't print such lines, as this isn't + really an href */ + } ++ ++ ehref = ap_escape_uri(r->pool, href); ++ etext = ap_escape_html(r->pool, text); ++ + if (!strcasecmp(menu, "formatted")) { +- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text, ++ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext, + "</a></pre>\n", NULL); + } + if (!strcasecmp(menu, 
"semiformatted")) { +- ap_rvputs(r, "<pre> <a href=\"", href, "\">", text, ++ ap_rvputs(r, "<pre> <a href=\"", ehref, "\">", etext, + "</a></pre>\n", NULL); + } + if (!strcasecmp(menu, "unformatted")) { +- ap_rvputs(r, "<a href=\"", href, "\">", text, "</a>", NULL); ++ ap_rvputs(r, "<a href=\"", ehref, "\">", etext, "</a>", NULL); + } + return; + } +@@ -574,9 +584,9 @@ + char *directive; + char *value; + char *href_text; +- char *base; +- char *redirect; +- char *mapdflt; ++ const char *base; ++ const char *redirect; ++ const char *mapdflt; + char *closest = NULL; + double closest_yet = -1; + apr_status_t status; +Index: apache2/modules/generators/mod_status.c +=================================================================== +--- apache2.orig/modules/generators/mod_status.c ++++ apache2/modules/generators/mod_status.c +@@ -409,7 +409,8 @@ + "<html><head>\n<title>Apache Status</title>\n</head><body>\n", + r); + ap_rputs("<h1>Apache Server Status for ", r); +- ap_rvputs(r, ap_get_server_name(r), "</h1>\n\n", NULL); ++ ap_rvputs(r, ap_escape_html(r->pool, ap_get_server_name(r)), ++ "</h1>\n\n", NULL); + ap_rvputs(r, "<dl><dt>Server Version: ", + ap_get_server_description(), "</dt>\n", NULL); + ap_rvputs(r, "<dt>Server Built: ", +Index: apache2/modules/generators/mod_info.c +=================================================================== +--- apache2.orig/modules/generators/mod_info.c ++++ apache2/modules/generators/mod_info.c +@@ -371,7 +371,8 @@ + MODULE_MAGIC_NUMBER_MINOR); + ap_rprintf(r, + "<dt><strong>Hostname/port:</strong> " +- "<tt>%s:%u</tt></dt>\n", ap_get_server_name(r), ++ "<tt>%s:%u</tt></dt>\n", ++ ap_escape_html(r->pool, ap_get_server_name(r)), + ap_get_server_port(r)); + ap_rprintf(r, + "<dt><strong>Timeouts:</strong> " diff -Nru apache2-2.2.22/debian/patches/mod_log_forensic_693292.patch apache2-2.2.22/debian/patches/mod_log_forensic_693292.patch --- apache2-2.2.22/debian/patches/mod_log_forensic_693292.patch 1970-01-01 01:00:00.000000000 +0100 
+++ apache2-2.2.22/debian/patches/mod_log_forensic_693292.patch 2013-03-04 22:00:37.000000000 +0100 @@ -0,0 +1,20 @@ +http://svn.apache.org/viewvc?view=revision&revision=r1410954 + + Don't log a spurious "-" if a request has been rejected + before mod_log_forensic could attach its id to it. + + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693292 + +diff --git a/modules/loggers/mod_log_forensic.c b/modules/loggers/mod_log_forensic.c +index add3eb9..7cbb76d 100644 +--- a/modules/loggers/mod_log_forensic.c ++++ b/modules/loggers/mod_log_forensic.c +@@ -240,7 +240,7 @@ static int log_after(request_rec *r) + apr_size_t l, n; + apr_status_t rv; + +- if (!cfg->fd) { ++ if (!cfg->fd || id == NULL) { + return DECLINED; + } + diff -Nru apache2-2.2.22/debian/patches/series apache2-2.2.22/debian/patches/series --- apache2-2.2.22/debian/patches/series 2012-10-30 00:55:55.000000000 +0100 +++ apache2-2.2.22/debian/patches/series 2013-03-04 22:00:37.000000000 +0100 @@ -33,3 +33,5 @@ dbmmanage-perl-510.patch SSLProtocol-tls11-12.2.patch disable-ssl-compression.patch +CVE-2012-3499_CVE-2012-4558_XSS.patch +mod_log_forensic_693292.patch
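Review bot: In the apache2ctl hunk, `local TMPNAME=$(mktemp -d $DIR.XXXXXXXXXX) || exit 1` never takes the `|| exit 1` branch: the exit status of `local` (always 0) masks the status of the command substitution, so a failed mktemp leaves TMPNAME empty and the script only aborts one line later when `chmod 755 ""` fails. Declare and assign separately, `local TMPNAME` followed by `TMPNAME=$(mktemp -d "$DIR.XXXXXXXXXX") || exit 1`. The same function expands $DIR, $TMPNAME and $OWNER unquoted in stat, mktemp, chmod, chown, mv and rmdir, so a lock directory path containing whitespace would be word-split; quoting them costs nothing. A one-line comment above mkdir_chown stating why it replaces `install -d -o` (the directory is created under a temporary name with the final mode and owner and then renamed with `mv -T`, so a pre-existing symlink at $DIR is never followed; CVE-2013-1048) would keep the next maintainer from simplifying that property away.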
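Review bot: The new comment in the envvars hunk says to add arguments "to the APACHE_ARGUMENTS environment"; "environment variable" is what is meant. Nothing else in this debdiff shows which script reads the variable, so the comment should also name the consumer, otherwise a reader cannot tell whether setting it in envvars has any effect on their start path.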
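Review bot: Escaping of r->uri inside href attributes is inconsistent within the CVE-2012-3499/CVE-2012-4558 patch: the util_ldap_cache_mgr.c hunk nests `ap_escape_html(r->pool, ap_escape_uri(r->pool, r->uri))`, while the two mod_proxy_balancer.c hunks (@@ -853 and @@ -894) use `ap_escape_uri(r->pool, r->uri)` alone. The nested form is the one that matches the output context (URI-encode the path, then entity-encode for the attribute), so apply it in the balancer hunks too; that way all three sites rely on the same reasoning and a later change to ap_escape_uri's character set cannot silently reopen one of them.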
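Review bot: The mod_imagemap.c hunks move escaping from producer to consumers: imap_url now returns the raw Referer value (`return referer;` replaces `return ap_escape_html(r->pool, referer);`), and menu_default and menu_directive escape at output time with ap_escape_uri for href and ap_escape_html for text. That is the right split, but it relies on every consumer of imap_url's result escaping for its own context; imap_reply's signature changes to `const char *redirect`, yet its body is outside the hunk, so please confirm that wherever imap_reply emits the value is safe with an unescaped string, and add a comment on imap_url stating that its return value is unescaped so nobody reintroduces output-side trust in it.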
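Review bot: The `id == NULL` guard added to log_after in mod_log_forensic.c depends on `id` being assigned above the hunk, which is not in the visible context; a short comment at the check stating that id is NULL when the request was rejected before the earlier hook could attach an id (the rationale given in the patch header) would put the reason in the code itself rather than only in the patch description.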