On Mon, Nov 5, 2018 at 1:25 AM Andrew Joshwa <4andrewjosh...@gmail.com> wrote:
> Hi, > > Can anyone please help me to get the patch for the CVE-2016-4975. > Yes, http://www.apache.org/dist/httpd/, obtain and build the latest version of 2.4. Or if you want to avoid the TLS 1.3 enhancement, you may want to obtain 2.4.35 from http://archive.apache.org/dist/httpd/ (at minimum, 2.4.27, which corrects shortcomings of the patch you note below.) > I have found the below link for patch from internet. > https://svn.apache.org/viewvc?view=revision&revision=1772678 > However this contains many changes. > There were further changes. The branch of all changes you are asking for is; https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x-merge-http-strict/ Please let me know if we need to port all changes mentioned in above patch > OR please let me know if specific revision can be ported to fix > CVE-2016-4975 > This particular CVE is easily addressed by a patch to encode the mod_userdir inputs. Not using mod_userdir external redirects is equally simple and similarly solves the issue . Avoiding mod_alias as well as mod_rewrite is quite challenging.. Unfortunately this class of vulnerabilities could not be addressed in a simple fix. The entire patch is needed to protect the client / proxy / backend from malicious input. We refactored the way request and response text was handled to guard against this entire class of exploits.