
Changeset 1800955

SECURITY: CVE-2017-9788: Uninitialized memory reflection in mod_auth_digest.

The value placeholder in [Proxy-]Authorization headers type 'Digest' was not
initialized or reset before or between successive key=value assignments by
mod_auth_digest. Providing an initial key with no '=' assignment could reflect
the stale value of uninitialized pool memory used by the prior request, leading
to leakage of potentially confidential information, and a segfault.

Submitted by: wrowe
Backports: r1800919
Reviewed by: wrowe, jim, jchampion

… 2 more files in changeset.
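Added example (editor's illustration, not httpd code): a toy Digest parameter parser with the bug shape the commit message describes. The buffer `value_buf` stands in for the reused per-request pool memory; on the unhardened path it is written only when an '=' is seen, so a leading bare key such as `bogus` inherits whatever the "prior request" left there. The hardened path resets the placeholder before every pair. The header string and the stale bytes are constructed; how httpd later reflects the parsed value (401 challenge, log line) is not modeled, and the toy keeps the stale bytes NUL-terminated, whereas real pool memory need not be, which is where the segfault comes from.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of the CVE-2017-9788 bug shape (added example, not httpd code).
 * `value_buf` stands in for the per-request pool memory that mod_auth_digest
 * reused as the value placeholder; its prior contents are whatever the last
 * request left there. */

#define KEY_MAX   32
#define VALUE_MAX 64
#define FIELD_MAX 8

struct field {
    char key[KEY_MAX];
    char value[VALUE_MAX];
};

/* Parse "k1=v1, k2=\"v2\", k3" style parameters and return the number of
 * fields stored.  With hardened == 0 the placeholder is only written when an
 * '=' is seen, so a bare key inherits whatever value_buf held; with
 * hardened == 1 it is reset before every pair. */
static int parse_digest_params(const char *hdr, char *value_buf, size_t value_cap,
                               struct field *out, int max_out, int hardened)
{
    const char *p = hdr;
    int n = 0;

    while (*p != '\0' && n < max_out) {
        size_t klen = 0;

        while (*p == ' ' || *p == ',')
            p++;
        if (*p == '\0')
            break;

        while (*p != '\0' && *p != '=' && *p != ',' && *p != ' ' && klen < KEY_MAX - 1)
            out[n].key[klen++] = *p++;
        out[n].key[klen] = '\0';

        while (*p == ' ')
            p++;

        if (hardened)
            value_buf[0] = '\0';        /* the fix: never carry a value across pairs */

        if (*p == '=') {
            size_t vlen = 0;
            p++;
            while (*p == ' ')
                p++;
            if (*p == '"') {
                p++;
                while (*p != '\0' && *p != '"' && vlen < value_cap - 1)
                    value_buf[vlen++] = *p++;
                if (*p == '"')
                    p++;
            } else {
                while (*p != '\0' && *p != ',' && vlen < value_cap - 1)
                    value_buf[vlen++] = *p++;
            }
            value_buf[vlen] = '\0';
        }
        /* BUG (unhardened path): if no '=' was seen, value_buf is stale here. */
        strncpy(out[n].value, value_buf, VALUE_MAX - 1);
        out[n].value[VALUE_MAX - 1] = '\0';
        n++;
    }
    return n;
}

/* Parse `hdr` after a "prior request" left `stale` in the reused memory and
 * copy the value attached to the first key into `first_value`. */
static int first_value_after_stale(const char *hdr, const char *stale, int hardened,
                                   char *first_value, size_t cap)
{
    char pool[VALUE_MAX];
    struct field fields[FIELD_MAX];
    int n;

    memset(fields, 0, sizeof fields);
    snprintf(pool, sizeof pool, "%s", stale);      /* leftover from prior request */
    n = parse_digest_params(hdr, pool, sizeof pool, fields, FIELD_MAX, hardened);
    snprintf(first_value, cap, "%s", n > 0 ? fields[0].value : "");
    return n;
}

/* 1 if the first key's value equals the stale bytes (the leak), else 0. */
static int leaks_stale(const char *hdr, const char *stale, int hardened)
{
    char v[VALUE_MAX];
    first_value_after_stale(hdr, stale, hardened, v, sizeof v);
    return strcmp(v, stale) == 0;
}

int main(void)
{
    const char *hdr = "bogus, username=\"alice\", realm=\"example\""; /* constructed */
    const char *stale = "s3cr3t-from-prior-request";                 /* constructed */
    char v[VALUE_MAX];

    first_value_after_stale(hdr, stale, 0, v, sizeof v);
    printf("vulnerable: bogus=%s\n", v);
    first_value_after_stale(hdr, stale, 1, v, sizeof v);
    printf("hardened:   bogus=%s\n", v);
    return 0;
}
```

The check a reviewer wants here is the one the hardened branch makes explicit: every value slot is reset before the pair is parsed, so a malformed pair can only yield an empty value, never one belonging to a different pair or a different request.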
Merge r1551611, r1783765, r1788996, r1788998, r1789000, r1795651 from trunk:

Log a warning when the LDAP authn provider is configured but an AuthLDAPURL
isn't -- IOW, avoid silently skipping a misconfigured [or buggy?] LDAP provider.

Follow up to r1772919: update APLOGNO().

Save a few cycles.
'apr_pstrcatv' can compute the length of the new string for us.

Improve indentation

Group bit field values in order to save some memory.

Add an explicit NULL to initialise a field in an authn_provider structure, as done in all other places. PR 60636

Submitted by: covener, ylavic, jailletc36, jailletc36, jailletc36, jailletc36
Reviewed by: jailletc36, jim, ylavic

… 4 more files in changeset.
Merge r1684636 from trunk:

* mod_auth_digest: Use anonymous shm by default, fall back on name-based.

Submitted by: jkaluza
Reviewed by: jorton, ylavic, jim

… 2 more files in changeset.
*) mod_auth_digest: Reduce severity from NOTICE to DEBUG for this
once-per-restart msg (I guess the concern was that the RNG
could block after this message)

AH01757: generating secret for digest authentication ...

trunk patch: This was fixed in trunk as a trivial part of

2.4.x patch: Just change the loglevel to DEBUG.

+1: covener, jim, wrowe

Submitted by: covener
Reviewed by: covener, jim, wrowe

… 1 more file in changeset.
Merge r1772919 from trunk:

mod_auth_digest: fix segfaults during shared memory exhaustion

The apr_rmm_addr_get/apr_rmm_malloc() combination did not correctly
check for a malloc failure, leading to crashes when we ran out of the
limited space provided by AuthDigestShmemSize. This patch replaces all
these calls with a helper function that performs this check.

Additionally, fix a NULL-check bug during entry garbage collection.

Submitted by: jchampion
Reviewed/backported by: jim

… 3 more files in changeset.
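Added example (editor's illustration, not httpd or APR code): a toy offset-based arena that models why "translate the offset, then NULL-check the pointer" misses exhaustion, and the helper shape the commit describes. The assumptions are the toy's own: the allocator returns offset 0 on failure, the arena header occupies offset 0, and translating offset 0 yields the (non-NULL) base address. The 64-byte arena and 32-byte entries are constructed; `size` plays the role of AuthDigestShmemSize.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy relocatable-memory arena (added example, not APR's apr_rmm).  It hands
 * out offsets from a base address; offset 0 is the failure sentinel because
 * the arena header lives there. */

#define HEADER_SIZE 16

typedef size_t rmm_off_t;

struct arena {
    unsigned char *base;
    size_t         size;
    size_t         used;
};

static void arena_init(struct arena *a, unsigned char *mem, size_t size)
{
    a->base = mem;
    a->size = size;
    a->used = HEADER_SIZE;          /* first usable offset is never 0 */
}

/* Returns an offset, or 0 when the arena is exhausted. */
static rmm_off_t arena_malloc(struct arena *a, size_t n)
{
    rmm_off_t off;
    if (n == 0 || a->used + n > a->size)
        return 0;
    off = a->used;
    a->used += n;
    return off;
}

/* Offset -> address.  Offset 0 translates to the arena base: a valid,
 * non-NULL pointer at the header, so a NULL check on the result cannot
 * detect allocation failure. */
static void *arena_addr_get(struct arena *a, rmm_off_t off)
{
    return a->base + off;
}

/* The shape the commit replaced: translate first, check afterwards. */
static void *alloc_unchecked_then_null_test(struct arena *a, size_t n)
{
    void *p = arena_addr_get(a, arena_malloc(a, n));
    return p;   /* caller's `if (p == NULL)` never fires */
}

/* The helper shape the commit describes: check the offset, then translate. */
static void *alloc_checked(struct arena *a, size_t n)
{
    rmm_off_t off = arena_malloc(a, n);
    return off == 0 ? NULL : arena_addr_get(a, off);
}

/* Make two 32-byte allocations from a 64-byte arena (only the second exceeds
 * it) and count how many the caller's NULL check reports as failed. */
static int failures_detected(int use_helper)
{
    unsigned char mem[64];
    struct arena a;
    int i, failed = 0;

    memset(mem, 0, sizeof mem);
    arena_init(&a, mem, sizeof mem);
    for (i = 0; i < 2; i++) {
        void *p = use_helper ? alloc_checked(&a, 32)
                             : alloc_unchecked_then_null_test(&a, 32);
        if (p == NULL)
            failed++;
    }
    return failed;
}

/* 1 if the unchecked path's "allocation" on exhaustion aliases the header;
 * a write through it corrupts the arena, the crash the commit fixes. */
static int unchecked_failure_aliases_header(void)
{
    unsigned char mem[64];
    struct arena a;
    void *p;

    memset(mem, 0, sizeof mem);
    arena_init(&a, mem, sizeof mem);
    alloc_unchecked_then_null_test(&a, 32);          /* fits */
    p = alloc_unchecked_then_null_test(&a, 32);      /* does not fit */
    return p == (void *)a.base;
}

int main(void)
{
    printf("unchecked path: %d failure(s) detected\n", failures_detected(0));
    printf("helper path:    %d failure(s) detected\n", failures_detected(1));
    printf("exhausted unchecked alloc aliases header: %d\n",
           unchecked_failure_aliases_header());
    return 0;
}
```

The practitioner's takeaway is that the failure sentinel must be checked in the domain where it is defined (the offset), not after a conversion that maps it onto something that looks valid; a single helper that does this is easier to audit than every call site.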
Merge r1756038 from trunk:

Fix spelling in comments and text files.
No functional change.

PR 59990

Submitted by: rjung
Reviewed/backported by: jim

… 72 more files in changeset.
Merge r1523239 from trunk:

mod_auth_digest: Be more specific when the realm mismatches because the
realm has not been specified.

Submitted by: minfrin
Reviewed/backported by: jim

… 3 more files in changeset.
mod_auth_digest: avoid crash if shm init fails.

trunk patch:

Submitted by: sf
Reviewed by: humbedooh, covener

… 3 more files in changeset.
Merge r1458020, r1463044, r1463045 from trunk:

more simplification with ap_bin2hex()

use apr_array for an array
Submitted by: Christophe JAILLET (with small tweaks by myself)
PR: 52881

ap_log_error already logs the error string, no need to log it twice

Submitted by: sf
Reviewed/backported by: jim

… 2 more files in changeset.
Merge r1371387 from trunk:

mod_auth_digest now respects DefaultRuntimeDir

Submitted by: trawick
Reviewed/backported by: jim

… 3 more files in changeset.
Backport r1209766, r1210252, r1210284:

Add lots of unique tags to error log messages

ssl_util.c: Downgrade some dynamic locking messages from level DEBUG
to TRACE1-3

… 164 more files in changeset.
Merge r1208110:

Remove more log message prefixes that are now redundant as the
error log format includes the module name.

… 8 more files in changeset.