diff -Nru apache2-2.2.22/debian/changelog apache2-2.2.22/debian/changelog
--- apache2-2.2.22/debian/changelog 2014-03-19 19:42:46.000000000 +0000
+++ apache2-2.2.22/debian/changelog 2014-03-28 17:01:54.000000000 +0000
@@ -1,3 +1,11 @@
+apache2 (2.2.22-1ubuntu1.6) precise; urgency=low
+
+ * debian/patches/sni.patch:
+ - apache2 doesn't compare SNI hostname against Host header
+ case-insensitively (lp: #1298273)
+
+ -- Ritesh Khadgaray Thu, 27 Mar 2014 15:06:16 +0530
+
 apache2 (2.2.22-1ubuntu1.5) precise-security; urgency=medium
 
 * SECURITY UPDATE: denial of service via mod_dav incorrect end of string
diff -Nru apache2-2.2.22/debian/patches/series apache2-2.2.22/debian/patches/series
--- apache2-2.2.22/debian/patches/series 2014-03-19 19:42:17.000000000 +0000
+++ apache2-2.2.22/debian/patches/series 2014-03-28 17:01:54.000000000 +0000
@@ -36,3 +36,4 @@
 CVE-2013-1896.patch
 CVE-2013-6438.patch
 CVE-2014-0098.patch
+sni.patch
diff -Nru apache2-2.2.22/debian/patches/sni.patch apache2-2.2.22/debian/patches/sni.patch
--- apache2-2.2.22/debian/patches/sni.patch 1970-01-01 00:00:00.000000000 +0000
+++ apache2-2.2.22/debian/patches/sni.patch 2014-03-28 17:48:01.000000000 +0000
@@ -0,0 +1,17 @@
+Description: apache2 doesn't compare SNI hostname against Host header case-insensitively
+Author: Mayank Agrawal
+Origin: upstream, http://svn.apache.org/r1515565
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1298273
+Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=49491
+
+--- a/modules/ssl/ssl_engine_kernel.c 2014-03-27 15:04:47.869489897 +0530
++++ b/modules/ssl/ssl_engine_kernel.c 2014-03-27 15:05:39.801487725 +0530
+@@ -136,7 +136,7 @@ int ssl_hook_ReadReq(request_rec *r)
+ if (rv != APR_SUCCESS || scope_id) {
+ return HTTP_BAD_REQUEST;
+ }
+- if (strcmp(host, servername)) {
++ if (strcasecmp(host, servername)) {
+ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
+ "Hostname %s provided via SNI and hostname %s provided"
+ " via HTTP are different", servername, host);
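Review bot: `strcasecmp()` on the changed line of the embedded ssl_engine_kernel.c hunk folds case according to the process locale, whereas DNS host names use ASCII-only case folding; if a loaded module changes the locale (not visible here), this check may treat two spellings of the same name as different, or the reverse. Because this comparison ties the HTTP Host header to the virtual host negotiated via SNI, I would record the intent directly above it: `/* DNS names are ASCII case-insensitive; SNI and Host must name the same vhost */`. Later httpd releases provide `ap_cstr_casecmp()` for locale-independent comparison, but it does not appear to be available in this 2.2.22 tree, so a strict fix would need a small local helper. The body of ssl_hook_ReadReq starts and ends outside the hunk, so how `host` is derived (port stripping, a trailing dot) cannot be checked from here.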