diff options
| author |   Lars Wendler <polynomial-c@gentoo.org> | 2016-11-02 15:38:57 +0100 |
|---|---|---|
| committer | Lars Wendler <polynomial-c@gentoo.org> | 2016-11-02 15:39:15 +0100 |
| commit | 692a27baa1b889755b928d2766f9efee17462291 (patch) | |
| tree | 6b2117f73762aba261b88dad2526246f13c5d4a7 /www-servers/apache/files | |
| parent | apache-2.eclass: Handle PATCHES array. Added epatch_user. (diff) | |
| download | gentoo-692a27baa1b889755b928d2766f9efee17462291.tar.gz gentoo-692a27baa1b889755b928d2766f9efee17462291.tar.bz2 gentoo-692a27baa1b889755b928d2766f9efee17462291.zip | |
www-servers/apache: Security revbumps for CVE-2016-5387 (bug #589226).
Also fixes fcgi bug in apache-2.4.23 (bug #591288).
Package-Manager: portage-2.3.2
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Diffstat (limited to 'www-servers/apache/files')
| -rw-r--r-- | www-servers/apache/files/apache-asf-httpoxy.patch | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/www-servers/apache/files/apache-asf-httpoxy.patch b/www-servers/apache/files/apache-asf-httpoxy.patch new file mode 100644 index 000000000000..68e3d869a77e --- /dev/null +++ b/www-servers/apache/files/apache-asf-httpoxy.patch @@ -0,0 +1,20 @@ +https://bugs.gentoo.org/589226 +https://www.apache.org/security/asf-httpoxy-response.txt + +--- server/util_script.c (revision 1752426) ++++ server/util_script.c (working copy) +@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r + else if (!strcasecmp(hdrs[i].key, "Content-length")) { + apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val); + } ++ /* HTTP_PROXY collides with a popular envvar used to configure ++ * proxies, don't let clients set/override it. But, if you must... ++ */ ++#ifndef SECURITY_HOLE_PASS_PROXY ++ else if (!strcasecmp(hdrs[i].key, "Proxy")) { ++ ; ++ } ++#endif + /* + * You really don't want to disable this check, since it leaves you + * wide open to CGIs stealing passwords and people viewing them |