Clarify 2.2.33 that wasn't.

Add the CHANGES' security entry for 2.2.34.

2.2.35-dev is most likely in our attic, but bump for disambiguation.

Restore single-char field names inadvertently disallowed in 2.4.25.
Backports: r1800173
PR: 61220
Submitted by: ylavic
Reviewed by: wrowe, jchampion, ylavic

And we are nominally at 2.2.34 although any further release is most unlikely

attribution

SECURITY: CVE-2017-7679 (cve.mitre.org)
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.
Merge r1797550 from trunk:
mod_mime: fix quoted pair scanning
Submitted By: ylavic

Merge https://svn.apache.org/r1796348 from trunk:
*) SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
[Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener]
Submitted By: Emmanuel Dreyfus <manu netbsd.org>, Jacob Champion, Eric Covener
Reviewed By: covener, ylavic, wrowe

Merge https://svn.apache.org/r1796343 from trunk:
*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
[Yann Ylavic]
Submitted By: ylavic
Reviewed By: covener, ylavic, wrowe

SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
Merge r1796350 from trunk:
short-circuit on NULL
Submitted By: jchampion
Reviewed By: jchampion, wrowe, ylavic

* server/core.c (merge_core_server_configs): Fix merging of
HttpProtocolOptions from global to vhost context.
Reviewed by: jorton, wrowe, covener

And we are at 2.2.33-dev

** NOTE: the vendor states "This mitigation has been assigned the identifier
CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability. **

Merge r1634120 from trunk:
* Use the correct server name for SNI in case the backend SSL connection itself
is established via a proxy server.
PR: 57139
Submitted by: Szabolcs Gyurko <szabolcs gyurko.org>
Committed by: rpluem
Backported by: ylavic
Reviewed by: ylavic, wrowe, covener, orlikowski

Merge r1729826, r1729847, r1732986, r1733056 from trunk:
mod_proxy: Play/restore the TLS-SNI on new backend connections which
had to be issued because the remote closed the previous/reusable one
during idle (keep-alive) time.
mod_proxy: follow up to r1729826: really copy conn->ssl_hostname.
mod_proxy: follow up to r1729826 + r1729847.
Adjust stacked ssl_hostname maximum size.
mod_proxy: follow up to r1729826 + r1729847 + r1732986.
Don't use magic constants.
Submitted by: ylavic
Reviewed by: ylavic, wrowe, covener, orlikowski

Merge r1753592 from trunk:
* Do not overwrite r->status with access_status if access_status is OK or DONE
as in this case r->status might contain the true response code.
PR: 59869
Submitted by: rpluem
Reviewed/backported by: ylavic, wrowe, covener, orlikowski

Support compilation against libssl built with OPENSSL_NO_SSL3.
backport https://svn.apache.org/r1706008 from 2.4.x
Submitted by: kbrand
Reviewed by: ylavic, wrowe, covener

backport HTTP strict processing from 2.4.x.
This backport is hand-constructed from many commits of HTTP strict,
subsequent fixes, as well as dependencies that hadn't been backported
to 2.2.x.
The bulk is merged from httpd-2.4.x-merge-http-strict branch r1767941 - r1775671
Further details on httpd-2.2.x-merge-http-strict
Submitted By: sf, wrowe
Reviewed By: covener, ylavic, wrowe

Merge r1542549 from 2.4.x:
Potential rejection of valid MaxMemFree and ThreadStackSize directives
trunk patch: https://svn.apache.org/r1542338
Submitted by: Mike Rumph <mike.rumph oracle.com>
Reviewed by: trawick, covener, sf

I really just did that on my test-merge branch??? fueque... reverting r1775787

Resigning my first attempt to get patches through the 2.2.x process, and
revoking my ratification of a list of patches (e.g. -1 as had been applied,
including my own submissions - I will revert in any case, where misordered.)
Proposing that we start with the same branch model as used on 2.4.x to get
through too many many-year-old patches to idly browse through; replay these
in mostly-sequential order, and bring 2.2.x up to 2.4.x in the affected areas
of code, and finally this proposal suggests the same merge as was applied to
2.4.25 GA release, modulo all our new crazy APLOGNO fun.
There is not much to see here, other than to compare rev no's of what had
been applied/proposed reverts to the list of patches on the 2.2.x merge
branch... the interesting data is on that merge branch. But extensive testing
against the resulting code is critical to our hope of offering a last 2.2.x
release to close that chapter. TIA to each and everyone who assists!

Merge r1710095, r1727544 from trunk:
core: Limit to ten the number of tolerated empty lines between request,
and consume them before the pipelining check to avoid possible response
delay when reading the next request without flushing.
Before this commit, the maximum number of empty lines was the same as
configured LimitRequestFields, defaulting to 100, which was way too much.
We now use a fixed/hard limit of 10 (DEFAULT_LIMIT_BLANK_LINES).
check_pipeline() is changed to check for (up to the limit) and consume the
trailing [CR]LFs so that they won't be interpreted as pipelined requests,
otherwise we would block on the next read without flushing data, and hence
possibly delay pending response(s) until the next/real request comes in or
the keepalive timeout expires.
Finally, when the maximum number of empty lines is reached in
read_request_line(), or that request line does not contain at least a method
and a (valid) URI, we can fail early and avoid some failure detected in
further processing.
* Ensure that proto_num and protocol is set in another "error out early" edge
case. This can happen with invalid CONNECT requests as described in the PR.
PR: 58929
Submitted by: ylavic, rpluem
Reviewed by: wrowe, covener, ylavic

Merge r892678, r1100511, r1102124 from trunk:
Reject requests containing (invalid) NULL characters in request line
or request headers.
PR 43039
use APR_STATUS_IS_TIMEUP() instead of direct comparison with APR_TIMEUP.
Use APR_STATUS_IS_... in some more cases.
While this is not strictly necessary everywhere, it makes it much easier
to find the problematic cases.
Submitted by: niq, covener, sf
Reviewed by: wrowe, covener, ylavic

Revert 1757391, sorry for the sloppy commit :-/

Two more closely backports from 2.4.x for proper ErrorDocument behavior

mod_mem_cache: Don't cache incomplete responses when the client
connection is aborted before the body is fully read. PR 45049.
Backports: n/a (2.2.x only)
Submitted by: Nick Pace <nick simplylogic.net>, Edward Lu, Yann Ylavic
Reviewed by: ylavic, wrowe, rpluem

Merge r1753228 from trunk:
httpoxy workarounds, first draft patch as published for all 2.2.x+ sources
Submitted by: Dominic Scheirlinck <dominic vendhq.com>, ylavic
Reviewed by: wrowe, rpluem, ylavic

mod_ssl: Free dhparams and ecparams reading certificates at startup.
This fixes an issue when SSLCryptoDevice does not get unregistered because
of non-zero refcount during the mod_ssl unload happening on httpd startup.
Submitted by: jkaluza, ylavic
Reviewed by: wrowe, ylavic, jorton

mod_mem_cache: Fix concurrent removal of stale entries which could lead
to a crash.
PR: 43724
Submitted by: ylavic
Reviewed by: covener, wrowe

mod_proxy: Fix a race condition that caused a failed worker to be retried
before the retry period is over
Backports: r1664709, r1697323
Submitted by: rpluem
Reviewed by: wrowe, ylavic