diff -u apache2-2.2.14/debian/changelog apache2-2.2.14/debian/changelog
--- apache2-2.2.14/debian/changelog
+++ apache2-2.2.14/debian/changelog
@@ -1,3 +1,11 @@
+apache2 (2.2.14-5ubuntu8.7) lucid-security; urgency=low
+
+ * SECURITY UPDATE: mod_proxy reverse proxy exposure
+ * debian/patches/212_CVE-2011-3368.dpatch: return 400
+ on invalid requests.
+
+ -- Michael Jeanson Wed, 19 Oct 2011 12:28:26 -0400
+
 apache2 (2.2.14-5ubuntu8.6) lucid-security; urgency=low
 
  * SECURITY UPDATE: Range header DoS vulnerability
only in patch2:
unchanged:
--- apache2-2.2.14.orig/debian/patches/212_CVE-2011-3368.dpatch
+++ apache2-2.2.14/debian/patches/212_CVE-2011-3368.dpatch
@@ -0,0 +1,36 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 212_CVE-2011-3368.dpatch by Michael Jeanson
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fix CVE-2011-3368 (mod_proxy reverse proxy exposure)
+
+@DPATCH@
+diff -urNad '--exclude=CVS' '--exclude=.svn' '--exclude=.git' '--exclude=.arch' '--exclude=.hg' '--exclude=_darcs' '--exclude=.bzr' apache2-2.2.14~/server/protocol.c apache2-2.2.14/server/protocol.c
+--- apache2-2.2.14~/server/protocol.c 2009-01-12 09:03:38.000000000 -0500
++++ apache2-2.2.14/server/protocol.c 2011-10-19 12:30:55.108789001 -0400
+@@ -637,6 +637,25 @@
+ 
+ ap_parse_uri(r, uri);
+ 
++ /* RFC 2616:
++ * Request-URI = "*" | absoluteURI | abs_path | authority
++ *
++ * authority is a special case for CONNECT. If the request is not
++ * using CONNECT, and the parsed URI does not have scheme, and
++ * it does not begin with '/', and it is not '*', then, fail
++ * and give a 400 response. */
++ if (r->method_number != M_CONNECT
++ && !r->parsed_uri.scheme
++ && uri[0] != '/'
++ && !(uri[0] == '*' && uri[1] == '\0')) {
++ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
++ "invalid request-URI %s", uri);
++ r->args = NULL;
++ r->hostname = NULL;
++ r->status = HTTP_BAD_REQUEST;
++ r->uri = apr_pstrdup(r->pool, uri);
++ }
++
+ if (ll[0]) {
+ r->assbackwards = 0;
+ pro = ll;
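Review bot: The new guard in the protocol.c hunk is skipped whenever `r->parsed_uri.scheme` is set, so it only rejects scheme-less request-URIs; whether `r->uri` is then guaranteed to begin with '/' depends on `ap_parse_uri`, which is outside the hunk, so modules that map `r->uri` onto a backend URL (mod_proxy, mod_rewrite) should probably still check the leading '/' themselves. The block also sets `r->status = HTTP_BAD_REQUEST` without returning, so the 400 relies on a later status check in code not shown here. I would add a comment above `r->uri = apr_pstrdup(r->pool, uri);` along the lines of `/* keep the raw URI for the error response; caller must test r->status before any URI translation */`. The enclosing function starts and ends outside the hunk.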