Change the SSLCipherSuite default to a shorter, whitelist oriented definition.

Disable AECDH ciphers in example config by using !aNULL (which includes all ciphers without authentication).

PR: 51363
Submitted by: rjung, kbrand, Rob Stradling <rob comodo com>
Backports: r966160, r1135234, r1203752

Fix up some SSL configuration, per issue #49484. IE6 had a hotfix released for this problem quite a while back (see kb 921090), so restrict the modified behavior to the old/unsupported browsers.

* docs/conf/extra/http-ssl.conf.in:
  (): tighten up the regex to only select old MSIE browsers for the downgrade in http behavior. This allows IE6 to run much faster.

* Make the MSIE BrowserMatch regexp fit for MSIE 10. Remove useless '.*'

Backports: r966055, r1132793
Submitted by: gstein, sf
Reviewed by: wrowe, rjung, gsmith

… 4 more files in changeset.
And again... those who did the real work backporting this headache should take most of the blame^Wcredit.

mod_rewrite: (CVE-2013-1862 (cve.mitre.org)) Ensure that client data written to the RewriteLog is escaped to prevent terminal escape sequences from entering the log file.

Backports: r1482349
Submitted by: jorton
Reviewed by: wrowe, covener, trawick

… 2 more files in changeset.
Note related risk at the end of the SECURITY CHANGES list for 2.0.65

grab r1495198 from 2.4.x branch:

fix strange wording

core: Add MaxRanges directive to control the number of ranges permitted before returning the entire resource, with a default limit of 200. Set 'Accept-Ranges: none' in the case Ranges are being ignored with MaxRanges none.

Backport of r1162584, r1162587, r1166282, r1166663 and r1166667 from trunk resp. r1164894, r1164896, r1166612 and r1166772 from 2.2.x.

Proposed/Backported by: rjung
Reviewed by: wrowe, covener

… 13 more files in changeset.

Backport AllowAnyURI related revisions from 2.2.x to pave the way for CVE-2011-4317

http://svn.apache.org/viewvc?rev=1375113&view=rev
http://svn.apache.org/viewvc?rev=1447508&view=rev

Reviewed by: rjung, wrowe, covener

… 7 more files in changeset.
htdigest: Fix buffer overflow when reading digest password file with very long lines.

PR 54893.

Backport of r1475878 from trunk resp. r1476089 from 2.4.x resp. r1476242 from 2.2.x.

Proposed/Backported by: rjung
Reviewed by: minfrin, wrowe

… 3 more files in changeset.
mod_ssl: Backport SSLHonorCipher

PR 28665.

Backport of r103832 and r103837 from trunk.

Proposed/Backported by: rjung
Reviewed by: humbedooh, wrowe

… 10 more files in changeset.
Prevent a case of SSI timefmt-smashing with filter chains including multiple INCLUDES filters:

* modules/filters/mod_include.c (add_include_vars): Drop unused timefmt argument.
  (add_include_vars_lazy): Take timefmt argument.
  (get_include_var, handle_printenv): Pass time format from context.

PR: 39369
Backport of r757376 from trunk resp. r773352 from 2.2.x.
Submitted by: jorton
Backported by: rjung
Reviewed by: wrowe, humbedooh

… 3 more files in changeset.
mod_rewrite: When evaluating a proxy rule in directory context, do escape the filename by default, since mod_proxy will not escape in that case due to the (deliberate) fixup hook ordering.

PR 46428
Backport of r757427 from trunk resp. r773351 from 2.2.x.
Submitted by: jorton/rpluem
Backported by: rjung
Reviewed by: wrowe, humbedooh

… 3 more files in changeset.
Improve platform detection for bundled PCRE by updating config.guess and config.sub.

Submitted by: rjung
Reviewed by: wrowe, humbedooh

… 3 more files in changeset.
Merge r1198940 from trunk resp. r1227280 from 2.2.x:

Fix integer overflow in ap_pregsub. This can be triggered e.g. with mod_setenvif via a malicious .htaccess

CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/

Submitted by: sf
Reviewed/backported by: rjung

… 3 more files in changeset.
Revert commit r1392042.

It was voted as backport of r1227280 from 2.2.x, instead applied was r1198940 from trunk, which breaks compilation (wrong return type, non-existing APR macro). The 2.2 revision has these fixed.

Will apply the 2.2 revision next, since the vote was actually for that one.

… 3 more files in changeset.
*) SECURITY: CVE-2012-0053 (cve.mitre.org)
   Fix an issue in error responses that could expose "httpOnly" cookies when no custom ErrorDocument is specified for status code 400. [Eric Covener]

r1234837 on 2.0.x:
http://people.apache.org/~trawick/2.0-CVE-2012-0053-r1234837.patch

+1: trawick, rjung, jim

… 2 more files in changeset.
SECURITY: CVE-2012-0031 (cve.mitre.org)

… 2 more files in changeset.
Merge r1198940 from trunk:

Fix integer overflow in ap_pregsub. This can be triggered e.g. with mod_setenvif via a malicious .htaccess

CVE-2011-3607
http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/

Submitted by: sf
Reviewed/backported by: jim

… 3 more files in changeset.
Merge r1179239 from trunk:

SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some reverse proxy configurations by strictly validating the request-URI:

* server/protocol.c (read_request_line): Send a 400 response if the request-URI does not match the grammar from RFC 2616. This ensures the input string for RewriteRule et al really is an absolute path.

Reviewed by: jim, rjung, jorton

… 1 more file in changeset.
Add <lowprio20 gmail.com> for regression fix (thx otherbill!)

… 2 more files in changeset.
Drop obscure 1.3 change backrefs

Bump after tag.

… 1 more file in changeset.

Prepare for tag

… 2 more files in changeset.
Fix recursive ErrorDocument handling, when r->status isn't HTTP_OK upon first pass through ap_die().

PR: 36090
Backport: r354118
Submitted by: Chris Darroch
Reviewed by: covener, rjung, wrowe

… 2 more files in changeset.
SECURITY: CVE-2010-1452 (cve.mitre.org)

mod_dav: Fix handling of requests without a path segment.
(mod_cache and mod_session portions don't apply to 2.0.x)

PR: 49246
Backports: r966348
Submitted by: Mark Drayton, trawick
Reviewed by: wrowe, rjung

… 3 more files in changeset.
Merge revisions 906039, 906057, 906485, 906491, 908015, 916733, 916817 from trunk resp. 917044 from 2.2.x:

New releases of OpenSSL will only allow secure renegotiation by default. Add an "SSLInsecureRenegotiation" directive to enable renegotiation against unpatched clients, to ease transition.

Submitted by: jorton
Backport by: rjung
Reviewed by: pgollucci, wrowe

… 8 more files in changeset.
Merge r891282 from trunk resp. 896900 from 2.2.x:

Further mitigation for the TLS renegotiation attack, CVE-2009-3555:

* modules/ssl/ssl_engine_kernel.c (has_buffered_data): New function.
  (ssl_hook_Access): Forcibly disable keepalive for the connection if there is any buffered data readable from the input filter stack.

* modules/ssl/ssl_engine_io.c (ssl_io_filter_input): Ensure that the BIO uses blocking operations when invoked outside direct control of the httpd filter stack.

Thanks to Hartmut Keil <Hartmut.Keil adnovum.ch> for proposing this technique.

Submitted by: jorton
Backport by: rjung
Reviewed by: pgollucci, wrowe

… 3 more files in changeset.
backport trunk r683280

mod_ssl: Use memmove instead of memcpy for overlapping buffers

Submitted by: jorton
Reviewed by: sf, trawick

… 2 more files in changeset.
backport r791454 from 2.2.x branch:

SECURITY: CVE-2009-1891 (cve.mitre.org)

Fix a potential Denial-of-Service attack against mod_deflate or other modules, by forcing the server to consume CPU time in compressing a large file after a client disconnects. [Joe Orton, Ruediger Pluem]

Submitted by: jorton, rpluem
Reviewed by: pgollucci, poirier, rjung

… 2 more files in changeset.
merge r814045 from trunk (2.2.x rev 814847):

CVE-2009-3095: mod_proxy_ftp sanity check authn credentials.

Submitted by: Stefan Fritsch <sf fritsch.de>, Joe Orton
Reviewed by: pgollucci, poirier, rjung, trawick

… 2 more files in changeset.