commit: 68bf261f5deea91855076a07330793f455475242 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> AuthorDate: Wed May 28 07:41:36 2014 +0000 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org> CommitDate: Wed May 28 07:41:36 2014 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/apache.git;a=commit;h=68bf261f
Removed obsolete patch for CVE-2011-3368 (bug #511656). --- .../25_all-apply_to_2.2.21-CVE-2011-3368.patch | 34 ---------------------- .../25_all-apply_to_2.2.21-CVE-2011-3368.patch | 34 ---------------------- 2 files changed, 68 deletions(-) diff --git a/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch b/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch deleted file mode 100644 index e8125d9..0000000 --- a/2.2/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch +++ /dev/null @@ -1,34 +0,0 @@ - -SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some -reverse proxy configurations by strictly validating the request-URI. - -http://svn.apache.org/viewvc?rev=1179239&view=rev - ---- httpd-2.2.21/server/protocol.c -+++ httpd-2.2.21/server/protocol.c -@@ -640,6 +640,25 @@ - - ap_parse_uri(r, uri); - -+ /* RFC 2616: -+ * Request-URI = "*" | absoluteURI | abs_path | authority -+ * -+ * authority is a special case for CONNECT. If the request is not -+ * using CONNECT, and the parsed URI does not have scheme, and -+ * it does not begin with '/', and it is not '*', then, fail -+ * and give a 400 response. */ -+ if (r->method_number != M_CONNECT -+ && !r->parsed_uri.scheme -+ && uri[0] != '/' -+ && !(uri[0] == '*' && uri[1] == '\0')) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "invalid request-URI %s", uri); -+ r->args = NULL; -+ r->hostname = NULL; -+ r->status = HTTP_BAD_REQUEST; -+ r->uri = apr_pstrdup(r->pool, uri); -+ } -+ - if (ll[0]) { - r->assbackwards = 0; - pro = ll; diff --git a/2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch b/2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch deleted file mode 100644 index e8125d9..0000000 --- a/2.4/patches/25_all-apply_to_2.2.21-CVE-2011-3368.patch +++ /dev/null @@ -1,34 +0,0 @@ - -SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some -reverse proxy configurations by strictly validating the request-URI. - -http://svn.apache.org/viewvc?rev=1179239&view=rev - ---- httpd-2.2.21/server/protocol.c -+++ httpd-2.2.21/server/protocol.c -@@ -640,6 +640,25 @@ - - ap_parse_uri(r, uri); - -+ /* RFC 2616: -+ * Request-URI = "*" | absoluteURI | abs_path | authority -+ * -+ * authority is a special case for CONNECT. If the request is not -+ * using CONNECT, and the parsed URI does not have scheme, and -+ * it does not begin with '/', and it is not '*', then, fail -+ * and give a 400 response. */ -+ if (r->method_number != M_CONNECT -+ && !r->parsed_uri.scheme -+ && uri[0] != '/' -+ && !(uri[0] == '*' && uri[1] == '\0')) { -+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, -+ "invalid request-URI %s", uri); -+ r->args = NULL; -+ r->hostname = NULL; -+ r->status = HTTP_BAD_REQUEST; -+ r->uri = apr_pstrdup(r->pool, uri); -+ } -+ - if (ll[0]) { - r->assbackwards = 0; - pro = ll;
