CVE-2019-12412: libapreq2 null pointer dereference
Severity: important
Vendor: The Apache Software Foundation
Versions Affected:
libapreq2 2.07 to 2.13
Description:
In libapreq2 versions 2.07 through 2.13 inclusive, a flaw in the
multipart parser can dereference a null pointer leading to a
libapreq2-2.15 Released
The Apache Software Foundation and The Apache HTTP Server Project
are pleased to announce the 2.15 release of libapreq2. This
Announcement notes significant changes introduced by this release.
libapreq2-2.15 is released under the Apache License
version 2.0. It
On Wed, Jul 03, 2019 at 08:45:36AM +0100, Steve Hay wrote:
> Please download, test, and report back on this Apache-Test 1.41
> release candidate.
>
> https://dist.apache.org/repos/dist/dev/perl/Apache-Test-1.41-rc1.tar.gz
>
> MD5 = 7933d3a6a762f087bf7883a1ac2086eb
> SHA1 =
On Thu, May 21, 2009 at 02:39:57PM -0400, Jeff Trawick wrote:
On Wed, May 20, 2009 at 8:53 AM, Joe Orton jor...@redhat.com wrote:
Given that the semantics of the options has changed, I don't think it's
worth changing httpd to maintain any pretence of compile-time or
run-time compatibility
On Fri, May 22, 2009 at 05:26:07PM +0100, Joe Orton wrote:
Attaching my original analysis for security@ which hopefully answers
that question ;)
attempt 2
I've now had a deeper look into this. I can't see a way to fix the
problem without changing the semantics of the OPT_ bits used, as I
On Sun, May 17, 2009 at 11:15:00AM -0400, Jeff Trawick wrote:
On Tue, May 12, 2009 at 9:17 AM, cove...@apache.org wrote:
Author: covener
Date: Tue May 12 13:17:29 2009
New Revision: 773881
URL: http://svn.apache.org/viewvc?rev=773881&view=rev
Log:
backport 772997, 773322, 773342
On Tue, Apr 01, 2008 at 11:26:43PM -0700, Philippe M. Chiasson wrote:
The mod_perl 2.0.4 release candidate 1 Works with Perl 5.10 is ready. It
can be downloaded here:
http://www.apache.org/~gozer/mp2/mod_perl-2.0.4-rc1.tar.gz
MD5: 1f0a941e8b5f26b6102126ae67ddbb43
SHA1:
On Thu, Jan 19, 2006 at 09:35:30PM -0600, Eamon Daly wrote:
1. Problem Description:
Hey, all. I'm trying to build mod_perl against the stock
httpd in RedHat 4ES. The build runs without issue, but
make test fails immediately with the following error:
Can't load
On Fri, Feb 18, 2005 at 05:35:56PM -0500, Stas Bekman wrote:
Joe, shouldn't the APR API emit some kind of errors in the situation like
William has with jail env+ac_cv_o_nonblock_inherited thingy, rather than
silently fail?
The issue is that the configure test couldn't make a decision, but
On Thu, Feb 17, 2005 at 03:05:31PM -0500, William McKee wrote:
On Thu, Feb 17, 2005 at 04:53:45PM +, Joe Orton wrote:
Check for the result of the:
checking if O_NONBLOCK setting is inherited from listening sockets
test when you run the configure script.
I wasn't sure if you
On Wed, Feb 16, 2005 at 07:12:11PM -0500, Stas Bekman wrote:
Joe, do you have an idea why this doesn't work on FreeBSD 5.3 (in jail
environment). I remember last time you've fixed something about some BSD
flavor in APR socket lib. Thanks.
That was all the non-blocking-vs-blocking stuff.
On Thu, Feb 17, 2005 at 09:18:31AM -0500, William McKee wrote:
On Thu, Feb 17, 2005 at 10:39:46AM +, Joe Orton wrote:
That was all the non-blocking-vs-blocking stuff. First I'd ask whether
or not this fails in a non-chroot environment. A chroot will screw up
all kinds of stuff (e.g
On Tue, Dec 14, 2004 at 03:24:30PM -0500, Stas Bekman wrote:
Joe Orton wrote:
Just make the generated export stub code #ifndef'ed?
#ifndef modperl_io_apache_init
const void *modperl_hack_io_apache_init = (const void
*)modperl_io_apache_init;
#endif
if the symbol is a macro then there's
On Tue, Dec 14, 2004 at 10:27:03AM -0500, Stas Bekman wrote:
Joe Orton wrote:
On Mon, Dec 13, 2004 at 08:12:19PM -0500, Stas Bekman wrote:
In fact we already somewhat handle that in modperl_io_apache.h
#ifdef PERLIO_LAYERS
[...]
MP_INLINE void modperl_io_apache_init(pTHX);
#else
On Mon, Dec 13, 2004 at 08:12:19PM -0500, Stas Bekman wrote:
In fact we already somewhat handle that in modperl_io_apache.h
#ifdef PERLIO_LAYERS
[...]
MP_INLINE void modperl_io_apache_init(pTHX);
#else /* #ifdef PERLIO_LAYERS */
#define modperl_io_apache_init(pTHX)
but for
On Mon, Dec 06, 2004 at 08:02:22PM +0530, pradeep kumar wrote:
Hi,
I have reported a bug. The bug number is 32542. Looking into
the problem I found that the problems on both 2.0.43 and 2.0.52 are
same. The perl_alloc function which caused the error as seen from the
stack trace of
On Tue, Nov 02, 2004 at 08:37:42PM -0500, Geoffrey Young wrote:
Did you try #include'ing mod_ssl.h to pick up the optional function
declarations rather than copy'n'pasting them? It should work OK with
recent 2.0 releases.
...
/apache/2.0.52/ssl/perl-5.8.5/include/mod_ssl.h:91:17: ssl.h:
On Tue, Nov 02, 2004 at 04:49:55PM -0500, Geoffrey Young wrote:
I've been meaning to take care of this since you mentioned it.
http://www.modperlcookbook.org/~geoff/modules/Apache-SSLLookup-2.00_01.tar.gz
I'll probably move it to cpan in the next day or so.
Very nice! Now can I just borrow
On Mon, Oct 11, 2004 at 11:47:33PM +0200, MARTIN Pierre wrote:
Please do:
cd src/modules/perl/
rm mod_perl.so
make -f Makefile.modperl
Here we go:
/data/misc/mod_perl-1.99_16/src/modules/perl# rm mod_perl.so
/data/misc/mod_perl-1.99_16/src/modules/perl# make -f Makefile.modperl
rm
On Wed, Oct 13, 2004 at 08:26:43AM -0400, Stas Bekman wrote:
Joe Orton wrote:
This problem is probably caused by a bogus libperl.a on your system
somewhere. What does:
ls -l /usr/lib/perl/5.6.1/CORE/libperl.* /usr/lib/libperl.* \
/usr/local/lib/libperl.*
give?
IMHO, it's
On Wed, Oct 13, 2004 at 05:02:30PM -0400, Stas Bekman wrote:
Joe Orton wrote:
If -lperl was specified on the link line and ldd does not show a
dependency on libperl.so.N, then barring a complete linker fubar, it
must be the case that a libperl.a was linked statically.
I doubt
On Fri, Oct 08, 2004 at 02:42:49PM +0200, Torsten Förtsch wrote:
Hi,
I know one can specify the handler invocation order of the request phases. But
how to do it?
My problem is, I want to know if a request came in over http or https in the
On Wed, Sep 22, 2004 at 10:17:34PM -0400, Stas Bekman wrote:
Joe, as 2.0.52 is about to be released. Can that fix for NetBSD be applied to
the 0.9 trunch (and head) if it does the trick? Thanks.
It's been in both branches for a while so hopefully it will get picked
up, yep.
joe
On Fri, Sep 17, 2004 at 04:15:23PM -0400, Stas Bekman wrote:
So is that the right skip rule (hoping that 2.0.52 will fix NetBSD:
my $should_skip =
($^0 eq /^OpenBSD$/i && !need_min_apache_version('2.0.51')) ||
($^0 eq /^NetBSD$/i && !need_min_apache_version('2.0.52'));
That logic is
On Wed, Sep 15, 2004 at 05:15:05PM +1000, Carl Brewer wrote:
Joe Orton wrote:
Oh well, having found a NetBSD box to test this myself, the NetBSD
fcntl() is being economical with the truth. It doesn't return
O_NONBLOCK yet the socket really is non-blocking. I'll put in the
suggested
I can try and debug this, I've found a NetBSD machine and reproduced the
failure. ./t/TEST -start-httpd doesn't work from the mod_perl test
suite, is there a way to get that working?
bash-2.05b$ ./t/TEST -start-httpd
/tmp/jorton12/root/bin/httpd -d /tmp/jorton12/mod_perl-1.99_16/t -f
On Thu, Sep 09, 2004 at 05:40:48PM +0400, [EMAIL PROTECTED] wrote:
k714% ./nonblock
found port: 52984
O_NONBLOCK is not set in the child.
This is rather confusing, since it means that apparently the test is
working OK, and O_NONBLOCK is *not* inherited across accept() on
On Tue, Sep 07, 2004 at 08:25:03AM -0700, Ken Simpson wrote:
I wasn't surprised this fails on OpenBSD but I am surprised it fails on
NetBSD. Can you compile and run:
http://www.apache.org/~jorton/nonblock.c
and post the output. (it would be useful if you could do this on
OpenBSD
On Thu, Sep 09, 2004 at 11:38:15AM +0400, [EMAIL PROTECTED] wrote:
I wasn't surprised this fails on OpenBSD but I am surprised it fails on
NetBSD. Can you compile and run:
http://www.apache.org/~jorton/nonblock.c
and post the output. (it would be useful if you could do this on
On Tue, Sep 07, 2004 at 08:58:26AM -0400, Stas Bekman wrote:
[EMAIL PROTECTED] wrote:
I'd put my $5.00 on APR being the cause of this problem. Mikhail, you
will probably need to patch APR when you build Apache. Try this patch,
which I am guessing will work on NetBSD:
I wasn't surprised this
On Tue, Sep 07, 2004 at 03:49:59PM -0400, Stas Bekman wrote:
Ken Simpson wrote:
Ken, Stas, done as advised. The only test which is failing now (and was
failing before) is:
Mikhail, Ken, please submit that patch to dev /at/ apr.apache.org
http://apr.apache.org/. Hopefully it'll get into